<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1397998032075268434</id><updated>2011-09-26T06:00:15.141-04:00</updated><category term='http://www.enterprise-security-today.com/story.xhtml?story_id=102003IMWDV6'/><category term='Twitter'/><category term='H1N1'/><category term='&quot;Are Nationas Paying Criminals for Botnet Attacks?&quot; ComputerWorld.com (http://www.computerworld.com/s/article/9141000/Are_nations_paying_criminals_for_botnet_attacks_)'/><category term='Risk Management'/><category term='Privacy'/><category term='Current Event'/><category term='phishing scams'/><category term='Bump Locks'/><category term='WSJ.com'/><category term='Information Security'/><category term='Yahoo'/><category term='CDC'/><category term='Facebook'/><category term='Google'/><category term='Security Review'/><title type='text'>Information Security at Notre Dame</title><subtitle type='html'>This blog contains student-contributed content for the CAPP 40260 Information Security course at the University of Notre Dame.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default?start-index=101&amp;max-results=100'/><author><name>Mike 
Chapple</name><uri>http://www.blogger.com/profile/04803921950574231525</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>252</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7554806970117886289</id><published>2010-12-16T12:19:00.002-05:00</published><updated>2010-12-16T12:56:24.988-05:00</updated><title type='text'>Security Review: Valve Software's Steam Platform</title><content type='html'>Digital distribution has become an increasingly popular method of receiving items, and when it comes to PC games, look no further than Steam.  With an estimated 70% share in the PC game digital distribution market, it's easily the biggest and most well-known provider today.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Steam began when Valve, a Seattle-based PC game publisher started by former Microsoft employee Gabe Newell, was having issues constantly keeping their online games (like the wildly popular FPS, &lt;i&gt;Counter-Strike&lt;/i&gt;) up to date.  Patches would ripple through the community, leaving large parts of the user base disconnected from others if versions didn't match.  They decided to make a platform that would update games automatically and provide anti-piracy measures.  It was publicly released in 2003, and by 2005, was selling third-party games as well.  Today, in 2010, the Steam library has over 1,200 games (both from boxed games and from digitally distributed games), and services over 30 million active users.  
It also has social-networking functions, and a friend-list service with IM to allow users to create games and talk with other users all within the platform itself.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Since it has become such a big seller in the PC game market, and since games can be bought directly through the client itself, multiple security measures need to be enacted to keep the accounts of legitimate users safe from phishing scams and data leaks.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;First off, Steam handles credit cards, which means they must comply with basic credit card safety procedures.  They do not reveal much about the workings of their company, but their privacy policy does say &lt;blockquote style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; "&gt;&lt;i&gt;"Personally identifiable information will be processed and stored by Valve in databases hosted in the United States. Valve has taken reasonable steps to protect the information users share with us, including, but not limited to, setup of processes, equipment and software to avoid unauthorized access or disclosure of this information."&lt;/i&gt;&lt;/blockquote&gt;This, vague as it is, does seem to generally meet the needs that something like PCI-DSS would call for, and therefore seems to show that they are taking proper steps to secure credit card and all other user data.  Additionally, they allow payments through third-party vendors, like PayPal, which has well-established security measures as well.&lt;br /&gt;&lt;br /&gt;But the more likely threat with a platform like Steam is account phishing.  Since someone's account holds all their game licenses, scammers are always looking for ways to steal someone's info and hijack their account for their own use.  One of the most notable measures against scamming comes built into the IM service.  
Whenever a chat window is opened, a reminder to "Never tell your password to anyone" with a link to an account security page comes up.  This helps stop scammers who pose as Valve employees and ask for account details through the IM service.  In addition, to change any account info, even an email address, one must verify their current email and retrieve a verification code that allows users to make the changes they desire.  This measure helps the real user retrieve his account even if he loses his information, as it is likely that he will be the only one that can access his email (provided they have diversified passwords).  Steam also allows a user to be signed in at one location at a time, which can be helpful in locking out a scammer if they have account details--though this is a double-edged sword, as it could allow a scammer to lock out a legitimate user.  And lastly, if all else fails, Steam has a support system which focuses heavily on account recovery.  If one loses their account, the support team will work quickly on recovering it for the valid user (which can only be proved by credit card ownership or the serial of any boxed game owned), and will restore any damage done to accounts (fraudulent purchases, removals of currently owned games) so that the user can have their account as it was before hijacking.&lt;blockquote&gt;&lt;/blockquote&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So, overall, Steam experiences many of the threats that any large online distributor will, but it seems to manage them very securely.  It meets standards for purchases, and has many safeguards (and blatant reminders) in place to provide multiple levels of security for user accounts.  Is there room for improvement?  Always.  
But Valve is doing a thorough job of protecting its users regardless.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7554806970117886289?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7554806970117886289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-valve-softwares-steam.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7554806970117886289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7554806970117886289'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-valve-softwares-steam.html' title='Security Review: Valve Software&apos;s Steam Platform'/><author><name>Alex Muench</name><uri>http://www.blogger.com/profile/16773917802806195107</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8135117895879499725</id><published>2010-12-15T17:37:00.001-05:00</published><updated>2010-12-15T17:39:32.961-05:00</updated><title type='text'>Pen Testing Software</title><content type='html'>&lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt; Core Security has recently launched new software named Core Insight Enterprise that can help keep a company’s computer systems more secure. Called penetration testing software, this product is designed to detect potential risks to computer systems by attempting to gain access to them. The company claims that this product will be better than the current scanners and security products that are on the market today because of the amount and quality of information that it will provide. As Core Security CEO Mark Hatton said, “You're not just going out and hiring a crazy guy with earrings to do pen tests anymore. We're giving you actionable information and solving that disconnect between what security teams are doing and what the business side wants them to do."&lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;The Insight software will give users detailed information through a dashboard which will display a system’s basic security status and the progress of current penetration tests as well as store this information over time. The device will get this information by, like a white hat hacker, checking for access points to sensitive data in the system. If a path to the data is found, the dashboard will display the steps that were taken by the software to steal the data, hopefully giving the company the information that they need to fix the problem. 
As Hatton explained, the “tool was designed to make it easier for security professionals to create understandable metrics out of vulnerability data for executives and auditors.” Core Security hopes that their software will be able to detect more than the average scanner, checking things such as network configuration and server connections. &lt;span style=""&gt; &lt;/span&gt;&lt;/p&gt;      &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;In the future, Core Security hopes that their software will be able to work together with information from security logs and vulnerability and patching data from other vendors. It will be interesting to see how this software fares in the market and if it really does have a significant impact on the security of computer systems.  &lt;span style=""&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1525167,00.html&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8135117895879499725?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8135117895879499725/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/pen-testing-software.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8135117895879499725'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8135117895879499725'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/pen-testing-software.html' title='Pen Testing 
Software'/><author><name>cmill2013</name><uri>http://www.blogger.com/profile/10411687927928113101</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3169501559400931800</id><published>2010-12-14T21:09:00.001-05:00</published><updated>2010-12-14T21:09:50.876-05:00</updated><title type='text'>WikiLeaks scandal leads to fear-mongering over information security</title><content type='html'>“The recent response of the White House’s Office of Management and Budget (OMB) to the WikiLeaks document dump gives us a peek at the sometimes surreal standards for dealing with classified information and at the fear-mongering in which some government officials are engaging,” says Kathleen Clark, JD, professor of law at Washington University in St. Louis School of Law.&lt;br /&gt;&lt;br /&gt;Clark teaches and writes about government ethics, national security law, legal ethics and whistleblowing.&lt;br /&gt;&lt;br /&gt;According to CNN, on Dec. 3, the OMB instructed executive branch agencies to notify all government employees and contractors that they should not view any documents that are marked as classified using their work computers that access the web via non-classified government systems.&lt;br /&gt;&lt;br /&gt;The OMB distinguished “documents that are marked classified” from “news reports . . . that . . . 
discuss the classified material.” Apparently, employees are permitted to use non-classified government systems to access news reports that include classified information, but must not use those systems to access the classified documents themselves.&lt;br /&gt;&lt;br /&gt;“This distinction might seem silly to an outsider, but the government imposes special security measures for its computers that store classified documents, and takes pains to ensure that its computers without these security measures do not have any classified documents,” Clark says. “This system of segregating classified documents is complicated and costly. But so far, so good.”&lt;br /&gt;&lt;br /&gt;She notes that the OMB also suggested, somewhat ambiguously, that federal employees and contractors without the proper clearances and the “need to know” the information should not access Wikileaks’ classified information.&lt;br /&gt;&lt;br /&gt;Additionally, at least one agency has gone further, asserting that government employees ― and prospective employees ― should not access WikiLeaks classified documents even from their home computers. According to Democracy Now, the State Department instructed employees of the U.S. 
Agency for International Development as follows: “Accessing the Wikileaks website from any computer may be viewed as a violation of the SF-312 agreement (a non-disclosure agreement)”&lt;br /&gt;&lt;br /&gt;Clark says that it is not at all clear how accessing the WikiLeaks documents on a personal home computer would constitute a violation of an agreement not to disclose classified information.&lt;br /&gt;&lt;br /&gt;“This does not appear to be a one-off mistake by an overzealous State Department official since at least one government contractor similarly warned its employees against accessing WikiLeaks both on company-issued and on personal equipment,” she says.&lt;br /&gt;&lt;br /&gt;“Indeed, Career Services offices at Columbia University and Boston University also reportedly warned students and alumni about the risks of posting links to the documents and/or commenting on them through social media.&lt;br /&gt;&lt;br /&gt;“Are these just over-reactions by people who are not familiar with the government’s information security standards?” Clark asks. 
“Or do these warnings reflect a concerted effort to prevent Americans from accessing and discussing the WikiLeaks documents that are now available on the web?&lt;br /&gt;&lt;br /&gt;“I sincerely hope that someone in government will provide some clarification ― and some sanity ― on this issue soon.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3169501559400931800?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3169501559400931800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/wikileaks-scandal-leads-to-fear.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3169501559400931800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3169501559400931800'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/wikileaks-scandal-leads-to-fear.html' title='WikiLeaks scandal leads to fear-mongering over information security'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-9010642649719190937</id><published>2010-12-14T21:00:00.000-05:00</published><updated>2010-12-14T21:02:54.143-05:00</updated><title type='text'>3 more companies hacked! How secure is your online information?</title><content type='html'>In a sign that cyber security needs rapid quality improvements, two more U.S. 
companies, McDonald's Corp and Walgreen Co, said they had been hacked in the past week, along with U.S. media company, Gawker.&lt;br /&gt;&lt;br /&gt;After reports of Mastercard and Visa being hacked last week by a pro-Wikileaks group, which called itself 'Anonymous,' McDonald's said its system had been breached and customers' "email and other contact information, birthdates and other specifics" had been compromised on Monday.&lt;br /&gt;&lt;br /&gt;Much of this information was supposedly provided by a customer when they were signing up for online promotions or subscriptions.&lt;br /&gt;&lt;br /&gt;The fast food company did not specify how many accounts had been compromised.&lt;br /&gt;&lt;br /&gt;On Friday, Walgreens said hackers had gained access to its customers' email database and spammed these accounts with instructions to enter personal information on other websites.&lt;br /&gt;&lt;br /&gt;Though the recent bouts of hacking are unrelated to the Mastercard, Visa and Paypal breaches, these new hackings seem to be forming a chain reaction through information gained from a previous breach.&lt;br /&gt;&lt;br /&gt;Twitter said hackers broke into an unspecified number of users' accounts and sent spam promoting acai berry drink, according to an AP &lt;br /&gt;&lt;br /&gt;The passwords used to gain access to these accounts were apparently taken from the breach on Sunday at Gawker Media, the parent company of Gawker, Gizmodo and Jezebel.&lt;br /&gt;&lt;br /&gt;McDonald's and Walgreens stated that no personal information, data related to finances or social security numbers had been compromised.&lt;br /&gt;&lt;br /&gt;While this is a relief, it is unsettling that most companies are still scrambling to figure out how their security systems were breached.&lt;br /&gt;&lt;br /&gt;Many security experts are providing various commentaries about how to make your accounts more secure - including using complicated passwords with a combination of letters and numerals, or changing 
the passwords at regular intervals.&lt;br /&gt;&lt;br /&gt;McDonald's stated that it is working with its business partner, Arc Worldwide, an email database management firm whose system was breached, to figure out the breach.&lt;br /&gt;&lt;br /&gt;Anonymous, the group responsible for bringing down a part of Mastercard and Visa's website, used simple software to flood these websites. Initially, supporters had to download particular software to launch the attack.&lt;br /&gt;&lt;br /&gt;But the group soon created an online page that would turn one's browser into an attack tool.&lt;br /&gt;&lt;br /&gt;The webpage would repeatedly and rapidly ask the target's webserver for a given file, maybe a large image, once a user pressed the attack button, Wired.com reported.&lt;br /&gt;&lt;br /&gt;"The tool's author is unknown and a quick perusal of the JavaScript shows that it is a fairly basic bit of programming," the website reported.&lt;br /&gt;&lt;br /&gt;Most companies initially ignore the warning signs of a possible breach.&lt;br /&gt;&lt;br /&gt;About 63 percent of organizations reported experiencing at least one security incident or breach during the last 12 months, according to the Global Information Security Trends study by the Computing Technology Industry Association, a nonprofit trade group, the LATimes reported.&lt;br /&gt;&lt;br /&gt;For instance, Gawker has only itself to blame for the attack, according to some media reports.&lt;br /&gt;&lt;br /&gt;The online blog, known for bringing gossip nuggets about celebrities, had apparently seen some 'suspicious' activity during November but 'did nothing'.&lt;br /&gt;&lt;br /&gt;Emails and passwords from the hacking over the weekend were posted on PirateBay by Gnosis, a group that claimed responsibility for the attack.&lt;br /&gt;&lt;br /&gt;"We went after Gawker because of their outright arrogance. 
It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database," the group told the website Medialite.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-9010642649719190937?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/9010642649719190937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/3-more-companies-hacked-how-secure-is.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/9010642649719190937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/9010642649719190937'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/3-more-companies-hacked-how-secure-is.html' title='3 more companies hacked! How secure is your online information?'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6931575664802855730</id><published>2010-12-14T13:21:00.002-05:00</published><updated>2010-12-14T13:23:54.218-05:00</updated><title type='text'>Security Review: Microsoft December 2010 patches</title><content type='html'>Microsoft December 2010 patches&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;!--StartFragment--&gt;  &lt;p class="MsoNormal"&gt;Today, the December 2010 Bulletins for Microsoft will be launched. 
The 17 bulletins will patch 40 flaws in various versions of Microsoft Windows and Office, Internet Explorer versions 6, 7 and 8 as well as SharePoint server and Exchange. Of the 17 bulletins, two are rated “critical”, while 14 are rated “important” and 1 rated as “moderate.” These patches are addressing a variety of important and moderate-level remote code-execution, denial-of-service and privilege-escalation problems. &lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;From Microsoft’s point of view, the goals behind releasing these bulletins are fairly obvious. After studying the Microsoft Response Center case study, we all saw the importance of handling security vulnerabilities in its software and operating systems (especially for a company under constant attack like Microsoft). Not only is it important for Microsoft customers to be able to access their information when they need to, but it is also of the utmost importance for the people running Microsoft software to have confidentiality and integrity.&lt;span style="mso-spacerun: yes"&gt; &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;As a black hat hacker, I would meet this slight increase in Microsoft vulnerability reports with open arms. After including these 17 bulletins, 2010 will mark a record-breaking 106 patches released by Microsoft this year alone. A hacker might want to expose a Microsoft software user web site, server, etc. Another tactic could be to find a hole and change the data of the Microsoft users. Finally, a hacker could perform DoS attacks on these users or take over their systems.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;There are inherent vulnerabilities within Microsoft’s software, which is why they are constantly coming out with these patches. There is no overarching solution to this problem because there will always be holes that need to be fixed. 
Therefore, there will always be hackers (like CyP in the Microsoft Response Center case study) who are trying to stay one step ahead of the Microsoft engineers and exploit these vulnerabilities. Microsoft engineers have been and need to continue to meet the challenges posed by these outside threats.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;As I mentioned before, Microsoft simply needs to mitigate the risks posed to their operating systems by hackers. Microsoft Security Response Center blog writer Mike Reavy said, "Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports." With technology constantly changing, the best thing Microsoft can do is continue to meet the demands of the customers and stay one step ahead of those looking to exploit vulnerabilities.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1524889,00.html&lt;/p&gt;  &lt;p class="MsoNormal"&gt;see also: http://blogs.technet.com/b/msrc/&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;!--EndFragment--&gt;   &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6931575664802855730?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6931575664802855730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-microsoft-december-2010.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6931575664802855730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6931575664802855730'/><link rel='alternate' type='text/html' 
href='http://securitycourse.blogspot.com/2010/12/security-review-microsoft-december-2010.html' title='Security Review: Microsoft December 2010 patches'/><author><name>jkelly16</name><uri>http://www.blogger.com/profile/05340182157806538634</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8681721760965170074</id><published>2010-12-13T11:25:00.003-05:00</published><updated>2010-12-13T11:38:16.397-05:00</updated><title type='text'>Amazon European Outage and More WikiLeaks Controversy</title><content type='html'>Amazon.com's European websites went down last night for about a half hour, which Amazon claimed was a result of a hardware failure in a European data center, and not a result of a hacking DoS attack, as some have suggested.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The hacking theory comes from the recent Wikileaks controversy, where Amazon servers--which had originally been hosting the site for some time--decided to stop providing cloud service for the popular information leak site.  Because of the controversy, many claimed that "hacktivists" in support of Wikileaks--the group "Anonymous"--were behind a DoS attack that brought down the website for a brief time last night.  
However, the plans and claims to attack Amazon by the group were reported as abandoned, due to lack of resources (Amazon is a highly visited website; one can imagine that it would be quite difficult to cause a DoS attack).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The worry that Amazon had been affected by a DDoS attack also comes from the recent attacks against Mastercard, Visa, and PayPal for also abandoning WikiLeaks (&lt;a href="http://securitycourse.blogspot.com/2010/12/wikileaks-revenge-attacks-target.html"&gt;which someone has already detailed in this blog &lt;/a&gt;).  However, the group has more plans, such as attempting to access the diplomatic cables which were unpublished in the recent leak, and distribute the most dramatic ones across the internet.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;But again, the resulting downtime was only due to a hardware failure in the main European Data center, and Amazon's UK, German, Spanish, and French sites were all restored less than 30 minutes after the failure.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8681721760965170074?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8681721760965170074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/amazon-european-outage-and-more.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8681721760965170074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8681721760965170074'/><link rel='alternate' type='text/html' 
href='http://securitycourse.blogspot.com/2010/12/amazon-european-outage-and-more.html' title='Amazon European Outage and More WikiLeaks Controversy'/><author><name>Alex Muench</name><uri>http://www.blogger.com/profile/16773917802806195107</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-5899474055577877661</id><published>2010-12-12T21:49:00.002-05:00</published><updated>2010-12-12T22:06:18.101-05:00</updated><title type='text'>NASA Sold Computers with Sensitive Data</title><content type='html'>&lt;p class="MsoNormal"&gt;Though it is hard to imagine world class organizations being unable to handle the security tasks appointed to them, NASA has recently identified 10 computers that have been sold with sensitive material still on them. &lt;span style=""&gt; &lt;/span&gt;The standard procedure for disposing of computers is to remove the hard drive with the sensitive data on it. &lt;span style=""&gt; &lt;/span&gt;This leaves the computer relatively harmless.&lt;span style=""&gt;  &lt;/span&gt;However, because of complications and misinformation, these computers were sold with the information still on them. &lt;span style=""&gt; &lt;/span&gt;Examine this excerpt from the article, “&lt;span style="color:black;"&gt;Specifically, the audit discovered that 10 computers from the Kennedy  Center were released to the public even though they still contained sensitive NASA data and had failed verification testing as part of their disposal process. 
Another four computers with data were confiscated before they were sold.” &lt;span style=""&gt; &lt;/span&gt;The fact that these computers failed the process yet were still sold highlights a lack of understanding of security within the organization.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:black;"&gt;It is unfair to accuse the entire organization of lacking in security.&lt;span style=""&gt;  &lt;/span&gt;I would imagine that NASA has one of the most strict and redundant security measures in the world. &lt;span style=""&gt; &lt;/span&gt;However, it only takes one mistake, one security measure forgotten or one plan that is outdated for a catastrophe to happen.&lt;span style=""&gt;  &lt;/span&gt;In this case, the article highlights a number of employees who were ill informed of proper security measure as well as a number of the measures being outdated. 
&lt;span style=""&gt; &lt;/span&gt;As mentioned before, I would imagine that NASA has some of the strictest and most redundant measures in the world but this means little if they are outdated or no longer apply to the current level of technology. &lt;span style=""&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:black;"&gt;NASA’s inability to appropriately protect its confidential information is perhaps a sign of its current underfunded situation. &lt;span style=""&gt; &lt;/span&gt;This can perhaps be linked to the fact that many of its supporters no longer see space as a noble venture for humanity. &lt;span style=""&gt; &lt;/span&gt;Nevertheless, the security administration at NASA has an obligation to make sure that there are as few security breaches as possible.&lt;span style=""&gt;  &lt;/span&gt;This goal was not accomplished with the most recent breach of confidential information.&lt;span style=""&gt;  &lt;/span&gt;As such, NASA must take steps to secure its information from potentially malicious users.&lt;span style=""&gt;  &lt;/span&gt;This involves updating its security policies to better cope with the technology and vulnerabilities of the current era.&lt;span style=""&gt;  &lt;/span&gt;This also involves the education and continued testing of its entire staff that has access to information that would be considered confidential.&lt;span style=""&gt;  &lt;/span&gt;&lt;span style=""&gt; &lt;/span&gt;Unless adequate measures are taken to secure its information, NASA may have an unfortunate future of breaches and security violations.&lt;br /&gt;&lt;br /&gt;In addition to these breaches, NASA has also released a backdoor that could allow people with malicious intentions into their system: “Further, computers at the Kennedy Center's disposal facility being prepped for sale displayed NASA IP (Internet protocol) information, which could easily give a hacker a way to break into a NASA network.”&lt;span
 style=""&gt;  &lt;/span&gt;As discussed in class, this information could allow a hacker to bypass the firewall protocols and give them access to NASA’s system. &lt;span style=""&gt; &lt;/span&gt;This is a more pressing problem as a hacker could have already breached NASA’s system and made off with a great deal of confidential information. &lt;span style=""&gt; &lt;/span&gt;I believe that the best option for NASA now would be to find out which IPs were lost and block them as each computer must have been given an independent IP that can be brought up and blocked. &lt;span style=""&gt; &lt;/span&gt;However, this does not address the problem of information already lost. &lt;span style=""&gt; &lt;/span&gt;Truthfully, I see no possible way to account for this lost information.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:black;"&gt; &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:black;"&gt;NASA currently has a potentially massive security situation on its hands. &lt;span style=""&gt; &lt;/span&gt;"Our review found serious breaches in NASA's IT security practices that could lead to the improper release of sensitive information related to the Space Shuttle and other NASA programs," NASA Inspector General Paul Martin said in a statement. &lt;span style=""&gt; &lt;/span&gt;This statement adequately highlights the situation that NASA currently faces. &lt;span style=""&gt; &lt;/span&gt;However, it should be noted that, because of releases of information and statements such as these, NASA is currently on a short time-line to get its system secure. &lt;span style=""&gt; &lt;/span&gt;Because the knowledge of a vulnerable system has been released, it will only be a matter of time before hackers are actively attacking the system looking for vulnerabilities to exploit. &lt;span style=""&gt; &lt;/span&gt;It may already be too late, yet it is better to minimize the damages done. 
&lt;span style=""&gt; &lt;/span&gt;However, continuing statements in the article that highlight lax standards may only add to the number of problems that NASA is facing with its system.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="color:black;"&gt;http://news.cnet.com/8301-13639_3-20025161-42.html&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;  &lt;span style=";font-family:arial;font-size:12pt;color:black;"   &gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-5899474055577877661?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/5899474055577877661/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/nasa-sold-computers-with-sensitive-data.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5899474055577877661'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5899474055577877661'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/nasa-sold-computers-with-sensitive-data.html' title='NASA Sold Computers with Sensitive Data'/><author><name>Michael</name><uri>http://www.blogger.com/profile/09644327126708040364</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4522789434882431625</id><published>2010-12-12T19:23:00.001-05:00</published><updated>2010-12-12T19:23:30.144-05:00</updated><title type='text'>Wisconsin bungles another data breach and ID 
theft threat to 60,000</title><content type='html'>The State of Wisconsin has a history of mishandling data breaches, this time by the University of Wisconsin System. Last Thursday evening UW-Madison disclosed that a campus database containing Social Security numbers of 60,000 former students and staff had been repeatedly hacked or accessed since 2008. A University Website and the letter sent to victims of the breach assert there is no evidence that anyone's information was retrieved. The statement implies there is no risk of ID theft although all the University releases were careful not to use the words "identity theft" in any of the text.&lt;br /&gt;&lt;br /&gt;The State of Wisconsin bungled major data breaches in 2007 and again in 2008 involving Social Security numbers. The 2007 incident involved 171,000 Wisconsin taxpayers who were mailed tax forms with their Social Security Number printed on the mailing label. In 2008, 260,000 recipients of state health care benefits were mailed a brochure with their Social Security number printed on the mailing label. The management of both breaches was bungled by prematurely announcing that the mail, which had not been delivered to recipients, contained Social Security numbers. The premature press releases exacerbated the breach by putting identity thieves on notice to steal the mail. In both cases, the State provided credit-monitoring services to the victims upon request.&lt;br /&gt;&lt;br /&gt;Now, the University of Wisconsin is denying victims credit monitoring services because the University contends that they have no evidence that Social Security numbers were retrieved by the hackers. Critics argue that conversely, the University has no evidence that Social Security numbers were not retrieved over the two-year period by hackers. 
To add to the mishandling of their public relations, the University has declined to comment on camera.&lt;br /&gt;&lt;br /&gt;Although the University of Wisconsin determined that the recent hacking incident began in 2008, they did not detect the breach until October 26, 2010. The database contained 60,000 pre-2008 university photo identifications that included Social Security numbers. They notified victims by mail in a letter dated November 30. This author first noticed the release on the evening of December 9 on Madison.com although the date stamp on that article now shows December 10.&lt;br /&gt;&lt;br /&gt;This author also has an early University faculty/staff picture identification card last validated in December 1993. I have not received a letter either because my ID card information was not included in breached files or because the University does not have my current mailing address. The limited information provided on the University's Incident Website makes it impossible for would-be victims like me to know if my picture ID containing my Social Security number was part of the breach.&lt;br /&gt;&lt;br /&gt;The University appears to be downplaying the significance and threat of the breach to the public. They are also being cautious in their statements and have declined on-camera interviews. It is not easy to find the letter they sent to victims or the incident Website through online searches or through the University Website. Information is difficult to find unless you know where to look for it. It is not consumer friendly.&lt;br /&gt;&lt;br /&gt;The incident Website states, "We wanted to make you aware of the incident and let you know what we have done to prevent this from happening in the future." The statement on the Website and letter make it appear that the University is voluntarily providing notification to victims. 
However, under law, the University is required to notify victims of the breach.&lt;br /&gt;&lt;br /&gt;Breach notification laws have been enacted by Wisconsin and 45 other states, the District of Columbia, Puerto Rico and the Virgin Islands. These laws require notification of victims if a breach occurs that involves residents of their state or territory. Each of the 49 laws differs in compliance requirements and penalties for noncompliance. It is likely that the 60,000 victims of the recent UW breach reside in many, if not all, of the 49 U.S. jurisdictions that have a breach notification law. The University is required to comply with the laws of each state or territory in which a victim of the breach currently resides.&lt;br /&gt;&lt;br /&gt;It is not clear that the University met the compliance requirements for each breach notification law. For example, while the Wisconsin law requires notification of victims within 45 days of learning of a breach, the Illinois law requires notification in the "Most expedient time possible without unreasonable delay." Some states exempt notification of victims if the electronic information accessed was encrypted.&lt;br /&gt;&lt;br /&gt;It is standard procedure to encrypt sensitive information that is stored electronically regardless if it is facing the internet, secured behind a firewall, or offline. Encryption software is inexpensive and commonplace even on home and business computer systems. For example, Microsoft Vista and Windows 7 operating systems have turnkey solutions for data encryption--bitlocker. 
It is a reasonable consumer expectation that a leading research university, such as the University of Wisconsin-Madison would have standard security practices in place to protect sensitive student, staff and faculty information through encryption and other commonly available security measures.&lt;br /&gt;&lt;br /&gt;The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to protect student information including Social Security numbers. Penalties for violation include the loss of federal funds.&lt;br /&gt;&lt;br /&gt;Amendments to FERPA published in December 2008 recommend that educational institutions adopt standard security practices to protect electronic information. The FERPA refers to several National Institute of Standards and Technology (NIST) Information Security Standards.&lt;br /&gt;&lt;br /&gt;For example, an excerpt from NIST Special Publication 800-53 says, "The use of encryption by the organization reduces the probability of unauthorized disclosure of information and can also detect unauthorized changes to information."&lt;br /&gt;&lt;br /&gt;It appears that the University of Wisconsin has not adopted the FERPA recommendations on information security standards.&lt;br /&gt;&lt;br /&gt;This is not the first time UW-Madison computers were hacked. 
A year ago, the University determined that computers in the Chemistry Department were hacked over a several-year period potentially compromising the names and Social Security numbers of nearly 3,000 people on campus.&lt;br /&gt;&lt;br /&gt;A leading study on data breaches published in 2009 that we authored included the following findings:&lt;br /&gt;&lt;br /&gt;Education-related organizations account for nearly one-third of all the data breach incidents reported in the U.S.&lt;br /&gt;Colleges and universities account for 78% of all education-related breach incidents.&lt;br /&gt;Over a third of all educational sector data breaches occur by hacking.&lt;br /&gt;Encryption would have prevented 60% of all data breaches and the compromise of over 90% of all consumer profiles.&lt;br /&gt;The University Incident Website provides limited information to victims, avoids addressing identity theft and denies victims complimentary credit monitoring services. University statements emphasize that there is no evidence that information was taken; however, they provide no assurance that information was not retrieved manually, photographically or by other means transparent to their admittedly weak information systems security.&lt;br /&gt;&lt;br /&gt;Victims that are concerned about identity theft should take preventive measures immediately. Victims of identity theft often do not see clues of identity theft until over a year after thieves misuse their information.&lt;br /&gt;&lt;br /&gt;While financial fraud is easily detected by credit monitoring, other types of identity theft such as medical identity theft, employment fraud, Social Security and benefits fraud can take years to detect. Then it can take years for victims to restore their good name after spending hundreds of hours and thousands of dollars.&lt;br /&gt;&lt;br /&gt;Today, anyone with a computer, desktop publishing and a printer can counterfeit a Social Security card with your name and Social Security number. 
Counterfeit cards can be sold over and over again compounding the identity theft problem with victims. A counterfeit Social Security card and a counterfeit birth certificate open the door to getting employment, a driver's license and a bank account.&lt;br /&gt;&lt;br /&gt;Victims of the UW breach can request that an initial 90-day fraud alert be placed on all three credit reports by contacting any one of the three major credit reporting agencies, Equifax, Experian or TransUnion, listed below. The credit reporting agencies will also provide a credit report as part of the process.&lt;br /&gt;&lt;br /&gt;Equifax (800-525-6285) - online or phone for placing fraud alert&lt;br /&gt;Experian (888-397-3742) - online or phone for placing fraud alert&lt;br /&gt;TransUnion (800-680-7289) - online or phone for placing fraud alert&lt;br /&gt;Consumers may also obtain a free credit report from each of the three credit reporting agencies annually. We recommend that consumers stagger their requests for credit reports from each of the three credit reporting agencies by four months in order to increase the frequency of credit report monitoring. This is no substitute for a credit monitoring service, which continuously monitors all three reports. The Federal Trade Commission Website given below also provides high quality information to consumers and victims about preventing, detecting and reporting identity theft.&lt;br /&gt;&lt;br /&gt;AnnualCreditReport.com   Online or 1-877-322-8228&lt;br /&gt;Federal Trade Commission--Identity theft site&lt;br /&gt;Consumers that see value in more comprehensive identity theft risk mitigation services should consider purchasing such services on their own, regardless if they have been a victim of a breach or not. We have recommended high-value services in other articles.  &lt;br /&gt;&lt;br /&gt;As a service to the Madison Community, we are providing free telephone consultations to victims of the University of Wisconsin data breach. 
We will provide answers to questions about identity theft, a free informational guide on how to protect yourself against identity theft, and recommendations on high-value identity theft risk mitigation services for consumers. We can be contacted by email or by telephone (608-241-3500).</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4522789434882431625/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/wisconsin-bungles-another-data-breach.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4522789434882431625'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4522789434882431625'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/wisconsin-bungles-another-data-breach.html' title='Wisconsin bungles another data breach and ID theft threat to 60,000'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-5258495984053886287</id><published>2010-12-12T16:27:00.003-05:00</published><updated>2010-12-12T17:22:19.563-05:00</updated><title type='text'>Discover Account Security Review</title><content type='html'>With the recent news that the hacking group Anonymous will launch attacks against Visa, Mastercard, and PayPal, I have decided 
to do my security review on Discover. I currently have a Discover credit card and frequently use discover.com. Although we have learned that credit cards may not carry as big of a risk as debit cards, any type of business that holds records of users' names, addresses, phone numbers, social security #'s, and bank account numbers is susceptible to attacks from hackers. Discover offers the option to control your account online.  Users can manage their account, make payments, withdraw cash, and view their statements on the Discover website. &lt;br /&gt;&lt;br /&gt;As an owner of a Discover Credit Card and user of the online "Account Center", I have a few worries about the security that Discover uses. The CIA triad is extremely important to protect Discover users. I think that it is absolutely imperative that users' account information, including name, birth date, address, user name, and password, is kept confidential. In addition to the fear of identity theft, I believe it is a must that credit card number, expiration date, and validation code stay private (only available to the user). Integrity is also important. Discover has to make sure that when a user makes a payment or changes their account in any sort of way, the user's changes are not compromised by a hacker. Additionally, it is important the card holder's username and password are never changed by hackers. Finally, availability may be the most important aspect. As a user, I expect that I will always be able to access my account over the internet as well as always be able to use my card. &lt;br /&gt;&lt;br /&gt;If I were a hacker, I would view Discover as a source for a lot of information. First, user information is valuable in today's day and age. Disclosing account holders' names and other personal information could be profitable if other businesses would pay for the information. 
But the obvious goal of a hacker would be to disclose the card information and bank account information (common on users' account center because it is a common method of payment) in order to use the accounts for themselves. With a similar goal in mind, a hacker may try to alter users' information and change it to their own. This way they would have access to a card that could potentially have their own name attached to it.  As we have learned from this course, hacking isn't always about personal gain. Hackers could overload the Discover online site to deny access to users, simply to be a pain (or potentially as a distraction for another attack). &lt;br /&gt;&lt;br /&gt;Although these threats arise when running a sensitive business, I believe that Discover has done a great job of implementing security measures to mitigate attacks. Users must have a user name, password, and answer to a security question to access their account. Additionally, when a user logs in, the site prompts them with the question "Is this a Shared Computer?" -- a precaution against leaving your account up on a public computer. As soon as you get to your account center, you see that the web site is secure. Clicking on the lock in the top corner of my browser, I have learned that Discover is protected with 112-bit 3DES encryption. It carries a Verisign Class 3 Extended Validation. &lt;br /&gt;&lt;br /&gt;A potential threat is in the "Cash Now" section of the web site, because a hacker's goal would most likely be money. But this section requires another security measure, both the expiration date and validation code on the credit card. Finally, the last security measure I noticed was the automatic logoff. After 5 minutes of inactivity the website automatically logs the user out. &lt;br /&gt;&lt;br /&gt;I think that the security is very good on the Discover online Account Center, but the only thing that worries me is all of the access controls are "something you know". 
I would recommend adding another access control - either "what you are" or "something you have". I think that a card scanner (possibly in the future) on computers would allow users to log on to their account with two access controls. A different option would be to implement the fingerprint scanners that are already on some laptops. If Discover somehow required you to scan your index finger to log on, it would make it even more difficult for hackers to access your account.</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/5258495984053886287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/discover-account-security-review.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5258495984053886287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5258495984053886287'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/discover-account-security-review.html' title='Discover Account Security Review'/><author><name>Blake</name><uri>http://www.blogger.com/profile/06496499348513366552</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4568857221390793463</id><published>2010-12-12T01:19:00.000-05:00</published><updated>2010-12-13T09:20:02.454-05:00</updated><title type='text'>Two Major Ad Networks Found Serving 
Malicious Ads</title><content type='html'>Two major online ad networks, DoubleClick and MSN, were found to be serving malware over the past week.  Experts say that this is a result of a group of attackers who tricked the two networks by pretending to be ad providers.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The attackers registered the domain name ADShuff&lt;b&gt;f&lt;/b&gt;le.com, one letter off from ADShuffle.com, which is an online advertising group, to trick the two ad networks into accepting the ads they had infected with malware.  If a user visited a website that was displaying the infected ads, malicious JavaScript code in the ad started a drive-by download process which installed malware like "HDD Plus" onto the user's machine.  Simply visiting the page (not clicking on an ad) infected the visitor.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Some big sites infected by the attack were MSN Real Estate, MSNBC.com, and Windows Live Mail.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A spokesman for Google (owners of DoubleClick), said that the ads only ran for a short amount of time, and that DoubleClick's malware filters picked up on the ads as well.&lt;br /&gt;&lt;br /&gt;Incidents like this show the danger of browsing through the internet without any protection.  Even without directly interacting with elements on a webpage, this event shows how malicious code can run simply by visiting a webpage.  
This highlights the importance of using script or ad blockers on websites, as they can prevent covert attacks like this from installing malware on a computer.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4568857221390793463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/two-major-ad-networks-found-serving.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4568857221390793463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4568857221390793463'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/two-major-ad-networks-found-serving.html' title='Two Major Ad Networks Found Serving Malicious Ads'/><author><name>Alex Muench</name><uri>http://www.blogger.com/profile/16773917802806195107</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7079295346080467992</id><published>2010-12-09T13:40:00.000-05:00</published><updated>2010-12-09T13:40:35.935-05:00</updated><title type='text'>Security Review on Cross-site scripting (XSS)</title><content type='html'>Cross-site scripting (XSS) is a security vulnerability in web applications which allows client side scripts to be injected into web pages to attack users who view these web pages (similar to SQL injections in my last blog post). 
Recently, XSS attacks have surpassed buffer overflow attacks to become the most popular security vulnerability. Over 80% of all website attacks on the internet are XSS exploits and researchers claim that up to 68% of all websites on the internet are vulnerable to this type of attack. Facebook, MySpace, Twitter, and other top websites on the internet today have been compromised by XSS attacks.&lt;br /&gt;&lt;br /&gt;XSS exploits focus on attacking the client side and are very effective at bypassing client side security mechanisms. There are two types of XSS attacks: non-persistent&amp;nbsp;and&amp;nbsp;persistent. I will discuss the traditional non-persistent and persistent attacks as well as the newer DOM-based vulnerabilities exploited by XSS.&lt;br /&gt;&lt;br /&gt;The most common type of XSS attack is a non-persistent one. Typically in this attack, a website will present a submission form to a user where they are allowed to type text and the server will immediately process the text and display it on a resulting page. If the user crafts HTML code properly and the server does not properly escape these HTML control characters, an XSS vulnerability has been found and can be exploited by the attacker. An example of this attack is typing a string of text into a search engine, which will process the text and usually display it on the resulting page. This example will not be of harm to anyone but the user who typed in the HTML code, but if they had injected this code into a URL link to a valid website with an XSS vulnerability and had somebody else click the link, they could steal the victim's information. If the victim is currently logged into an account on the valid website, the hacker could gain full access to their account session by stealing their session cookie.&lt;br /&gt;&lt;br /&gt;Persistent XSS attacks are more severe and indirect than non-persistent attacks. 
When a server takes input from a user and permanently stores that submitted information on a web page (such as a Facebook profile or forum online where users are allowed to input HTML segments), users who visit that web page are subject to an attack if the website did not properly handle the escaping of HTML control characters. The attacker could steal the victim's cookie and gain full access to their session.&lt;br /&gt;&lt;br /&gt;In recent years, Web 2.0 applications which can dynamically generate web page information without users having to hit the refresh button in their browsers have been subject to DOM-based XSS vulnerabilities. DOM stands for "Document Object Model" and is basically a way to interact with objects in HTML. JavaScript is a client side scripting language for websites. Asynchronous JavaScript (known as Ajax) can retrieve data&amp;nbsp;asynchronously from the server in the background of the web page by using the HTML object known as XMLHttpRequest which can make HTML requests and server queries without updating the web page the user is currently on. Attackers can exploit DOM-based XSS vulnerabilities to essentially gain access to this object and steal information.&lt;br /&gt;&lt;br /&gt;There are a few steps that users and website developers can take to defend themselves from XSS attacks. The first thing is that website developers can make sure to properly escape HTML input from users. If the website's function is to allow users to input HTML (such as for formatting their profile page on MySpace) then the website developers must run this untrusted HTML input through an HTML policy engine to check for XSS. Another thing that website developers can do to avoid their users' accounts and information being stolen through XSS attacks is to attach the IP address of the user logged in to their session cookie. 
This way, if an attacker successfully steals a session cookie from a logged in user on a website through XSS, they will not be able to use the cookie unless they are within the same network as the victim.&lt;br /&gt;&lt;br /&gt;One thing users can do to protect themselves from XSS is to disable the use of scripts in their browsers. They may also add lists of trusted or untrusted domains into a list in their browser where they would like scripting enabled/disabled depending on the domain they are visiting. This approach is not entirely useful, however, due to the fact that many websites across the internet require the use of scripts to function properly.&lt;br /&gt;&lt;br /&gt;Looking into the future, scanning technologies are emerging which scan websites for possible XSS attacks and allow website developers to patch the holes before they are exploited by attackers. These scanning technologies are not perfect and cannot find every single vulnerability in the website.&lt;br /&gt;&lt;br /&gt;If you are a website developer, it is important to know the risks and understand how XSS works so that you can help secure your website as much as possible. Set up a sandbox website and test your skills! If you are completely new to XSS you can read up about some basics&amp;nbsp;&lt;a href="http://www.ihtb.org/security/xss_hacking_exposed.txt"&gt;HERE&lt;/a&gt;. 
If you are familiar with XSS you should go&amp;nbsp;&lt;a href="http://ha.ckers.org/xss.html"&gt;HERE&lt;/a&gt;&amp;nbsp;to learn about some more advanced tricks of XSS.&lt;br /&gt;&lt;br /&gt;Sources:&lt;br /&gt;&lt;a href="http://www.ihtb.org/security/xss_hacking_exposed.txt"&gt;http://www.ihtb.org/security/xss_hacking_exposed.txt&lt;/a&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Cross-site_scripting"&gt;http://en.wikipedia.org/wiki/Cross-site_scripting&lt;/a&gt;&lt;br /&gt;&lt;a href="http://ha.ckers.org/xss.html"&gt;http://ha.ckers.org/xss.html&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7079295346080467992/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-on-cross-site-scripting.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7079295346080467992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7079295346080467992'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-on-cross-site-scripting.html' title='Security Review on Cross-site scripting (XSS)'/><author><name>tks</name><uri>http://www.blogger.com/profile/02219796637678450680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6122925293440895887</id><published>2010-12-09T12:54:00.002-05:00</published><updated>2010-12-09T12:54:41.636-05:00</updated><title type='text'>Cyber Warfare as the Growing Battle Many is Unprepared for…</title><content type='html'>&lt;p class="MsoNormal"&gt;When the term warfare is used it is often related to desolate fields, charging armies and exploding bombs.&lt;span style=""&gt;  &lt;/span&gt;Historically this is largely true.&lt;span style=""&gt;  &lt;/span&gt;Modern society, however, has become so incredibly interconnected through technology that it is difficult to really imagine a time without it.&lt;span style=""&gt;  &lt;/span&gt;Many of the financial transactions that take place are now virtual and the credit systems, on which countries thrive, are completely digital.&lt;span style=""&gt;  &lt;/span&gt;It is this interconnectivity that brings rise to a new form of warfare, which exists only in cyberspace, that is designed to attack and disrupt these transactions on a large scale.&lt;span style=""&gt;  &lt;/span&gt;Cyber Warfare is a term used to reflect a large scale attack directed at disrupting the functions of a complex system.&lt;span style=""&gt;  &lt;/span&gt;It can affect a single individual or an entire nation.&lt;span style=""&gt;  &lt;/span&gt;However, one thing that has become a growing concern of many nations over the globe is how prepared they are for a dedicated assault from a foreign or even a local source.&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;The PDF written by a retired General Eugene E. 
Habiger highlights the need for the United States to prepare for the growing inevitability of a cyber attack on a large scale.&lt;span style=""&gt;  &lt;/span&gt;Vulnerabilities can be seen today with groups like Anonymous who are capable of launching crippling DOS attacks on major corporations almost on a whim while coordinating these attacks through instant chat services like Twitter.&lt;span style=""&gt;  &lt;/span&gt;The internet has largely become a battlefield with the only safe zones being the areas that go unnoticed by the larger society.&lt;span style=""&gt;  &lt;/span&gt;Cyber attacks happen every day and happen with very little warning.&lt;span style=""&gt;  &lt;/span&gt;They can install monitoring devices, access databases, crash entire networks and steal confidential information.&lt;span style=""&gt;  &lt;/span&gt;This begs the question as to why, with so much evidence of their lethality, proper security measures have not been taken to protect against such attacks.&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;There are two reasons that are often held to be the cause of the general perceived apathy toward cyber attacks.&lt;span style=""&gt;  &lt;/span&gt;The first reason is that unlike warships and bombs, the internet has such a broad range of uses and, as such, is not a visible sign of destructive potential.&lt;span style=""&gt;  &lt;/span&gt;The internet is used for so many things in modern society that it is often elevated as the greatest of human achievements.&lt;span style=""&gt;  &lt;/span&gt;These ideas are compounded with the fact that, while major attacks happen every day, they are often downplayed or go unmentioned.&lt;span style=""&gt;  &lt;/span&gt;This creates an aura of misinformation on how devastating or how compromising these attacks can be.&lt;span style=""&gt;  &lt;/span&gt;The second reason is that there is simply no way to really prevent them, only defend against them.&lt;span style=""&gt;  
&lt;/span&gt;Much of modern security doesn’t directly target an attacker but only defends against the potential of attack.&lt;span style=""&gt;  &lt;/span&gt;When the idea is brought forward it usually sounds like “not only is there a small chance to get the attacker but we can’t really even predict what type of attack could be next.&lt;span style=""&gt;  &lt;/span&gt;Only defend against what we already know exists and take measures so that if something bad happens we won’t be completely crippled…” This has a dangerous habit of leading to a “deal with it when it happens” mentality that can sow the seeds of major disaster.&lt;span style=""&gt;  &lt;/span&gt;This is not to say that there are not steps that can be taken to make a system more secure, it’s that they usually aren’t taken to the degree that they need to be.&lt;span style=""&gt;  &lt;/span&gt;In order to adequately prepare for the growing war, countries and companies alike need to start taking steps to design security measures that will protect against potential attacks.&lt;span style=""&gt;  &lt;/span&gt;As impossible as it seems, it is either work toward controlling these attacks or simply letting them happen. 
&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;http://cybersecureinstitute.org/docs/whitepapers/Habiger_2_1_10.pdf&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6122925293440895887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/cyber-warfare-as-growing-battle-many-is.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6122925293440895887'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6122925293440895887'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/cyber-warfare-as-growing-battle-many-is.html' title='Cyber Warfare as the Growing Battle Many is Unprepared for…'/><author><name>Michael</name><uri>http://www.blogger.com/profile/09644327126708040364</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4070768478939847159</id><published>2010-12-09T00:12:00.002-05:00</published><updated>2010-12-09T00:31:18.305-05:00</updated><title type='text'>WikiLeaks 'revenge attacks' target Mastercard and Visa</title><content type='html'>Computer hackers, called "Anonymous" have taken it upon themselves to hack into businesses, personal accounts, and even popular websites that have censored or spoken out against WikiLeaks.  
Most prominently MasterCard, Visa, and PayPal, who previously have stated they will not support donations made to the anti-secrecy group, have all announced being hit by DoS attacks last night.  This Anonymous group has also been credited with hacking onto Sarah Palin's personal website and tampering with her and her husband's personal credit cards and most recently has been targeting Amazon who withdrew server space WikiLeaks was using.    Anonymous has threatened to attack anyone who tries to censor WikiLeaks.  MasterCard has said some customers experienced complete loss of service, but they are working to restore service to their customers.  Recently, Anonymous has threatened Twitter who has been accused of monitoring and deleting posts centering around WikiLeaks.&lt;br /&gt;&lt;br /&gt;Obviously the attack occurred when Anonymous hit the different servers enough to shut down service on multiple servers for multiple customers.  They also encouraged other pro WikiLeakers to download a program that would temporarily take over their PCs in order to assist in the DoS attacks.  Because the companies were not quick enough in responding to the attack, they were experiencing some serious server issues.  Since the attacks, the companies have been able to begin restructuring and bringing service back to all customers.&lt;br /&gt;&lt;br /&gt;Companies should first and foremost make sure that none of their customers' personal data was breached and that all information was kept safe.  In the case that information was leaked, then customers need to be notified immediately and accounts should be monitored.  Companies should also be more aware of the situation surrounding these events and realize that these hackers are not going to stop.  By being more aware, the attacks may not be as problematic as they were this time, and could possibly even be stopped.  
As WikiLeaks becomes a bigger issue, companies who openly disagree, must realize they have put themselves in the line of fire from these hackers and seek to make sure all security measures are put into place.  If the government is pressuring some companies to alter themselves, they should also be helping to ensure as much protection is granted to these companies as possible.&lt;br /&gt;&lt;br /&gt;http://www.telegraph.co.uk/news/worldnews/wikileaks/8190421/WikiLeaks-revenge-attacks-target-Mastercard-and-Visa.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4070768478939847159?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4070768478939847159/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/wikileaks-revenge-attacks-target.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4070768478939847159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4070768478939847159'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/wikileaks-revenge-attacks-target.html' title='WikiLeaks &apos;revenge attacks&apos; target Mastercard and Visa'/><author><name>kflynn5</name><uri>http://www.blogger.com/profile/00897395196665408560</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-514199570568281036</id><published>2010-12-08T21:44:00.004-05:00</published><updated>2010-12-08T21:54:46.684-05:00</updated><title type='text'>Low Orbit Ion Cannon</title><content type='html'>&lt;span style=";font-family:times new roman;font-size:100%;"  &gt;Sometimes questionable tech blog Gizmodo described the Low Orbit Ion Cannon attack software in a &lt;a href="http://gizmodo.com/5709630/what-is-loic"&gt;feature today&lt;/a&gt;. The software was used by Anonymous to perform their Distributed Denial of Service attacks on those companies that had stopped supporting WikiLeaks.&lt;br /&gt;&lt;br /&gt;The software, developed by the infamous image forum 4Chan, works essentially like any Denial of Service attack - it floods the target with dummy requests so that legitimate attempts to connect to the server are dropped. The software, which is cross-platform compatible, provides a user interface, simplifying the process of conducting a DoS attack to only needing a URL or IP address.&lt;br /&gt;&lt;br /&gt;Another feature, called "Hivemind," allows users of computers running the program to turn over control of the program to a central user who can direct all the connected computers to attack a single site. This is essentially how a standard DDoS attack works - except that in this case, the owners of the computers on the botnet intentionally grant permission to use their computer in the attack.&lt;br /&gt;&lt;br /&gt;The software is also fully open-source, which means that the generally technology-savvy users of the attack networks can review the code to know that the Hivemind feature does only what it says it's supposed to and nothing more. 
And, being open-source, it could be more difficult to eliminate the program from the Internet as anyone with the code can adapt and/or compile it.&lt;br /&gt;&lt;br /&gt;Source: &lt;a href="http://gizmodo.com/5709630/what-is-loic"&gt;http://gizmodo.com/5709630/what-is-loic&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-514199570568281036?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/514199570568281036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/low-orbit-ion-cannon.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/514199570568281036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/514199570568281036'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/low-orbit-ion-cannon.html' title='Low Orbit Ion Cannon'/><author><name>kli1</name><uri>http://www.blogger.com/profile/17712712659743026314</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-551869634125247086</id><published>2010-12-08T07:53:00.002-05:00</published><updated>2010-12-08T08:02:03.338-05:00</updated><title type='text'>Compliance burdens hamper vulnerability management processes, survey finds</title><content type='html'>I saw this article and thought about our discussions in class regarding the -to be frank - impossibility of maintaining PCI DSS compliance.&lt;br 
/&gt;&lt;br /&gt;Written by Robert Westervelt, the News Director at SearchSecurity.com, the &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1524784,00.html?track=sy160"&gt;article&lt;/a&gt; cites a new survey that found many organizations are struggling to deal with patch and configuration management issues and are often lacking efficient processes to deploy patches to systems and applications in a timely manner.&lt;br /&gt;&lt;br /&gt;"According to eEye's  "2011 Vulnerability and Management Trends Report,"  85% of those surveyed indicated that their IT staff is overburdened with  regulatory compliance issues. About half of those surveyed said  regulatory compliance initiatives take up to 50% of their work weeks," (Westervelt) and this is at the expense of actual vulnerability management.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Larry Whiteside, CISO at the Visiting Nurse Services of New York said, "I don't know any company in the world that doesn't have patching  issues," Whiteside said. "The time to prioritize and test can make  staying on top of the patching cycle very difficult."     &lt;/p&gt;&lt;p&gt;In addition, the rising use of smartphones and other mobile  devices is straining the ability of IT teams to ensure systems are up to  date. The survey found that 31% of professionals indicated they don't  have enough personnel to handle increased patching demands. In addition,  keeping track of browser component vulnerabilities, Flash updates, and  other third-party client software updates is an issue at many  enterprises.   &lt;/p&gt;&lt;p&gt;"There's definitely a lack of visibility, especially as it relates to non-Microsoft software," Maiffret said.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;What's so special about Microsoft? &lt;/p&gt;&lt;p&gt;If you can recall from our case study, Microsoft's process for handling threats involves bulletins and notification. 
This article makes a point of mentioning them as a company that does a good job of "identifying and addressing vulnerabilities in other applications wrapped in one  product." Microsoft's huge market share lets it do this, in my opinion. Therefore it seems that the majority of companies without the huge presence that Microsoft has are hampered by the issues brought up in this article, such as iPremier, Flayton's and TJX.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-551869634125247086?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/551869634125247086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/compliance-burdens-hamper-vulnerability.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/551869634125247086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/551869634125247086'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/compliance-burdens-hamper-vulnerability.html' title='Compliance burdens hamper vulnerability management processes, survey finds'/><author><name>Cristin</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6889608750329462533</id><published>2010-12-07T14:34:00.000-05:00</published><updated>2010-12-07T14:35:13.855-05:00</updated><title type='text'>Israel Takes Steps to Tighten 
Information Security in Wake of Wikileaks</title><content type='html'>Despite advances in technology, no system is immune&lt;br /&gt;&lt;br /&gt;The flood of internal U.S. State Department cables uploaded onto the Wikileaks website has heightened efforts in Israel to better secure information in a country, which has seen its ability to censor secret information deemed vital to national security wane in the digital era. &lt;br /&gt;&lt;br /&gt;Following the recent furor surrounding the transfer of hundreds of thousands of documents to the Wikileaks web site, the Israel Defense Forces (IDF) announced it was taking more measures to track top secret data and alert to unusual access into army computers. The IDF was embarrassed by a small-scale leak earlier this year when an army secretary, Anat Kamm, is alleged to have copied over 2,000 classified documents and passed them on to a journalist.&lt;br /&gt;&lt;br /&gt;The Israel army has installed a system that follows the trail of documents moving from one place to another, and records who prints them and who burns them onto compact disks. It also sets off alarms when disk-on-key devices are inserted into IDF computers.&lt;br /&gt;&lt;br /&gt;It also prevents top secret documents from being transferred to someone without the proper security clearance. Brig.-Gen. Ayala Hakim, head of the army division that manages computers and communications systems, said the army was constantly enhancing measures to secure classified information.&lt;br /&gt;&lt;br /&gt;“There’s no leak-proof network,” said the head of the Israel Army’s C4I Technology Division. 
“But through a combination of discipline, technology, training and procedures that compartmentalize sources of information, we’ve enhanced our operational security and are coming as close as possible to 100% protection,” Hakim told reporters at a recent press conference that the army&lt;br /&gt;&lt;br /&gt;Besides thorough background checks of soldiers serving in sensitive positions, the Israeli military has also reportedly increased the number of polygraph tests it conducts on soldiers and officers by 50% in the past year.&lt;br /&gt;&lt;br /&gt;The recent revelation of hundreds of thousands of classified documents on Wikileaks has also brought to fore the potential of serious data loss prevention (DLP) systems, which are designed to detect and prevent the unauthorized use and transmission of confidential information. Israel is home to a large number of information security companies, which sell software designed to spot and stop suspicious behavior on computers.&lt;br /&gt;&lt;br /&gt;Eli Hizkiyev, chief executive officer of Cryptzone, an Israeli company dealing with preventing information security, said user-monitoring software was one of the main instruments used to catch possible theft of data. The software is usually designed to sound alarms when it detects users downloading large quantities of data or certain type of data, such as credit card numbers. It is widely used in the private sector and many government offices.&lt;br /&gt;&lt;br /&gt;But Hizkiyev said that ultimately technology and censorship weren’t enough to prevent leaks and information theft. &lt;br /&gt;&lt;br /&gt;“This is an issue of awareness. You can install the most sophisticated measures, but if people don’t have awareness then nothing can help,” Hizkiyev told The Media Line.&lt;br /&gt;&lt;br /&gt;Aiding the wall against leaks is MALMAB, the security arm of the Israel Defense Ministry, which is more powerful and more secretive than the Israel military censor. 
Officially, MALMAB is responsible for the security of defense installations, but in fact the unit is mainly concerned with preventing any leaks regarding Israel’s alleged arsenal of nuclear weapons and top secret data about the country.&lt;br /&gt;&lt;br /&gt;A request by The Media Line to interview the head of MALMAB, Amir Keen, was flatly rejected.&lt;br /&gt;&lt;br /&gt;Amir Rappaport, a senior military analyst at the Begin-Sadat Center for Strategic Studies, said had a double-barreled apparatus in place to prevent leaks from reaching the public. The first was MALMAB and the IDF’s Information Security arms, whose purpose is to prevent data from being leaked. The second is the media censorship of information that has already been leaked. All media outlets in Israel and the foreign media must agree to abide by the terms of laws imposed by the British when they ruled Palestine to prevent publication of information deemed harmful to state security.&lt;br /&gt;&lt;br /&gt;“The problem with all this is that while MALMAB and the censor may be serious bodies, they are restricted to the defense establishment. They have no control over the Foreign Ministry for example,” Rappaport told The Media Line.&lt;br /&gt;&lt;br /&gt;Following the latest leaks of diplomatic cables, the U.S. State Department entered self protection mode and restricted the access of classified information from being shared with other U.S. agencies.&lt;br /&gt;&lt;br /&gt;Before the 9/11 attacks on the World Trade Center, the United States employed much stricter “need-to-know” classifications on confidential documents. Ironically, that helped the terrorists to move forward with their plot because government officials couldn’t easily share information.&lt;br /&gt;&lt;br /&gt;Subsequently, the U.S. let down some of its secrecy guard to allow better communication among various intelligence bodies. Some half a million people employed in the U.S. 
military and government agencies have access to the Secret Internet Protocol Router Network, or SIPRNet, the worldwide web of the  intelligence world.&lt;br /&gt;&lt;br /&gt;Stung by Wikileaks several times, the U.S. is now engaged in a shift away from information sharing is the price to be paid for that post 9/11 openness. But a top official of the North Atlantic Treaty Organization (NATO) reacted by cautioning against a heavy roll back on information sharing.&lt;br /&gt;&lt;br /&gt;If the U.S. failed somewhere, “it is not in sharing, but in implementing the appropriate safeguards to detect this volume of downloading,” Canadian Army Maj. Gen. Glynne Hines, who oversees the alliance’s information sharing policy as director of the NATO command, control and consultation staff in Brussels, was quoted as saying by Defense News.&lt;br /&gt;&lt;br /&gt;Unlike Israel, in the U.S., user-monitoring software capable of sounding alarms when users download large amounts of data isn’t yet in place, according to Defense News.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6889608750329462533?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6889608750329462533/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/israel-takes-steps-to-tighten.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6889608750329462533'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6889608750329462533'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/israel-takes-steps-to-tighten.html' title='Israel Takes Steps to Tighten 
Information Security in Wake of Wikileaks'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7161150844435435830</id><published>2010-12-06T17:29:00.000-05:00</published><updated>2010-12-06T17:30:26.596-05:00</updated><title type='text'>Twitter Trojans</title><content type='html'>Holiday hackers are taking advantage of holiday themes on Twitter to trick users into clicking and opening malware on their computers. They are writing tweets like “Nobody cares about Hanukkah” or “Shocking video of the Grinch” and when users click on them, they end up at a fake codec site which leads to a malicious Trojan downloader. The hackers literally flood Twitter with these messages and sit back and watch their victims download the malicious Trojans. Recently, 300 Twitter accounts have been identified as targeting various trending topics on the website.&lt;br /&gt;The actual cause of this event is people who like to create problems for naïve people. These people have nothing better to do during the holiday season than creating malware and viruses and sending them around the World Wide Web and watching people accidentally download their viruses.&lt;br /&gt;First of all everyone should have anti-virus on their computers and hopefully when someone unknowingly clicks on this Trojan downloader, that the anti-virus will catch it. If not the person is out of luck because they should be smart enough to not click on anything that looks suspicious. Just as we are told not to open an email if we do not know who it is from, we should not click on links on Twitter, or any website for that matter, if we don’t know the person who put the link there from the beginning. 
It is awful that people always need to be on their guard when browsing their computer but there are awful people in this world who have made this necessary.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://www.esecurityplanet.com/features/article.php/3915636/Holiday-Twitter-Topics-Concealing-Malware.htm&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7161150844435435830?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7161150844435435830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/twitter-trojans.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7161150844435435830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7161150844435435830'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/twitter-trojans.html' title='Twitter Trojans'/><author><name>Casey Totten</name><uri>http://www.blogger.com/profile/01566197797661073528</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-1582056014213111383</id><published>2010-12-06T17:20:00.023-05:00</published><updated>2010-12-06T22:28:49.754-05:00</updated><title type='text'>Smart Grids: Security Review</title><content type='html'>In the quest for cleaner and more efficient energy, smart grid technology has slowly been upgrading the world's power infrastructure, especially here in the United States.  
A smart grid is essentially a form of electricity networking that utilizes digital technology as a way of addressing energy independence, global warming, and emergency resilience issues.  Using two-way digital communications, a smart grid can deliver electricity from a supplier to a consumer, and allows the control of appliances at consumers' homes.  This saves energy, reduces costs, and increases reliability and transparency.  What makes a smart grid so amazing is that it overlays an ordinary electrical grid, rather than replaces it.  The smart grid supplies the original electrical grid with an information and net metering system.  The communication of information about grid conditions makes it possible to have dynamic response to these conditions.  For example, when power is least or most expensive, appliances and factory machines can be turned on or off respectively to cut costs.  What really puts a smart grid over the top is that it is capable of integrating renewable energy, such as solar or wind, into the system.&lt;br /&gt;&lt;br /&gt;The goal of such smart grids is to route power efficiently to respond to a wide variety of changing conditions.  While smart grids appear to be a simple upgrade from old centralized power distribution, the technology behind them is extremely complex.  A smart grid employs the use of integrated communications, intricate sensors and meters, and advanced components and controls supported by constantly improving standards and support groups.  With all these highly technological components and the wide scope of a single smart grid's influence, protecting these smart grids is not only of utmost importance, but a difficult challenge as well.  The most important security goal when dealing with a smart grid is keeping communications operating.  The communication process between the power supplier and the consumer is at risk of having the confidentiality, integrity, or availability of that data being compromised.  
If terrorists or any enemies of the state were to gain access to the communications in a smart grid, they could potentially shut off power to massive portions of the nation.  Someone with malicious intentions could even gain access to smart grid communications and overload power to one specific area causing serious overloads.  If communications were to be interrupted in any way, a lot of people could be out of power.  On a less severe note, anyone with malicious intent could tamper with meters and cause power to be redirected in such a way that they essentially receive free power.&lt;br /&gt;&lt;br /&gt;Unfortunately for these great systems, smart grids have been found to be frighteningly vulnerable to security attacks.  During a 2009 Black Hat security conference in Las Vegas, it was revealed that these smart grids have some weaknesses in their smart meters.  This problem was brought to light after reports of attackers targeting U.S. power grids.  The problem lies within more and more companies electing to use the remote control features on the meters and switches provided by smart grids.  This gives companies the ability to shut off utilities when bills aren't paid and turn them back on when bills are paid.  While this provides rapid reaction, it makes these meters and switches high-level targets.  A potential attack on these smart meters could lead to significant harm of the infrastructure of our nation.  If power were to be shut off to military areas, it would be difficult to get back up and running fast.  Of course these risks are inherent in any smart system such as the smart grid.  No matter how much security is provided hackers and attackers alike with malicious intent will find new ways to exploit a system that is meant to better the country and the world.  
With smart grids starting to run more and more power throughout the country and the world, they will become larger targets for those intending to do evil and attempts to compromise their security are inevitable.&lt;br /&gt;&lt;br /&gt;Thankfully, countries such as the U.S. have been developing security protocols to protect this great technological asset.  For example, the National Institute of Standards and Technology has already released a three-phase plan for developing standards for the technology.  While this is a good first step, some believe the standards will face some of the same security concerns that surround PCI DSS.  In the pursuit to secure smart grids, reports predict that between 2010 and 2015 the U.S. will spend about 15% of all smart grid investments on cybersecurity.  That's close to $1.5 billion.  The rest of the world is looking to do the same and is predicted to spend a combined $20 billion in smart grid cybersecurity.  I would recommend that countries continue to invest in smart grid technology, and to also continue investment in securing these smart grids.  While smart grid technology provides a great improvement to any nation's infrastructure, it is important that the technology is well protected and understood.  Any standards that are developed should be carefully drawn out and vigilantly enforced.  If my company were to employ the use of a smart grid, I would recommend trained teams for emergency response and strict adherence to any guideline.  
By keeping security a top priority, smart grid technology can be a great thing for the world.&lt;br /&gt;&lt;br /&gt;http://www.eweek.com/c/a/Security/Smart-Grid-Security-in-the-Spotlight-at-Black-Hat-252301/&lt;br /&gt;http://news.cnet.com/8301-11128_3-20008552-54.html&lt;br /&gt;http://en.wikipedia.org/wiki/Smart_grid&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-1582056014213111383?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/1582056014213111383/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/smart-grids-security-review.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1582056014213111383'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1582056014213111383'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/smart-grids-security-review.html' title='Smart Grids: Security Review'/><author><name>dstitch</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8326536153940761205</id><published>2010-12-05T14:07:00.002-05:00</published><updated>2010-12-05T15:03:56.433-05:00</updated><title type='text'>Smart Phone Security Helps Catch Theives</title><content type='html'>On December 1, Stalin Guzman had his car stolen with his smart phone inside. Guzman called the police and then got online on his home PC. 
On his Android phone, Guzman had the Lookout mobile security application, a  free, downloadable phone app which has a variety of different uses. The free version of the app protects against viruses and backs up files. There is a premium version of the Lookout for $29.99 a year which offers location tracking, a locator "scream," and remote lock/data wiping. Guzman, being a premium member, was able to get online and access the Lookout site to track where his car was. He informed authorities and just seven minutes later, police cars surrounded his stolen car with the thief inside.&lt;br /&gt;&lt;br /&gt;Virtually everyone has some form of a mobile device. With new technology like the Lookout app being installed on more advanced devices, smart phones are becoming a security tool for their users. Most smart phones contain their user's personal information. Apps like Lookout have security measures that can lock a user's data remotely in the event the phone is lost or stolen. Now with technology that can locate the phone remotely if it's stolen, security is even stronger not only for the phone but, like in Guzman's case, wherever the phone may be. More mobile devices should have security applications that have the diversity and effectiveness like Lookout. As the technology advances, more and more applications like Lookout will exist. The only problem with Lookout is that the cost might prevent some users from buying the premium version, which provides the most security. Unfortunately it seems that the only way to have the best kind of security is to spend a little money. When it comes to security, spending $29.99 a year is reasonable for the types of services provided and should be purchased by anyone with an Android phone. 
With more smart phones and improving security technology more crimes can be stopped just like with Guzman's car.&lt;br /&gt;&lt;br /&gt;http://www.cnn.com/2010/TECH/mobile/12/03/mobile.app.carjacker/index.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8326536153940761205?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8326536153940761205/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/smart-phone-security-helps-catch.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8326536153940761205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8326536153940761205'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/smart-phone-security-helps-catch.html' title='Smart Phone Security Helps Catch Theives'/><author><name>awest3</name><uri>http://www.blogger.com/profile/08206367375932543558</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3382518534710892274</id><published>2010-12-02T22:00:00.003-05:00</published><updated>2010-12-02T22:25:46.400-05:00</updated><title type='text'>Hackers Issue Bogus Amber Alert</title><content type='html'>Over the weekend Iowa's Amber Alert and Accident Report websites were hacked through use of offshore computers. 
Investigators are looking into the attack, but it currently does not look like any sensitive data such as Social Security Numbers was compromised.  The attack was not particularly disruptive, and merely re-issued an Alert from February 2009. However, the websites have been down for four days in order to do the investigation.  Although the Amber Alert website was down, alerts still could be released through the National Weather Service, the Emergency Alert Service, and the media.  The interesting point is that this is not the first time that the Amber Alert website has been attacked.  In 2009 they were the victim of a flood of fake Alerts.  Representatives refused to comment on whether other applications from the same service, an e-government service provider known as NIC, were also attacked.  There is no word when the websites will be restored, but the service is working to get them running again and to fix issues that could lead to future problems.&lt;br /&gt;&lt;br /&gt;The vulnerability that led to the attack was found in a Web-based application built by Iowa Interactive, a subsidiary of NIC.  The state server that hosted the application, however, was not compromised in the attack.  The scale of the problem could grow if other similar NIC applications were or could also be attacked.  NIC counts more than 3,000 state, local, and federal government agencies as clients, and in the last year they processed more than $11.4 billion in secure payments.  The cause of the problem may have been in this one web application, but if there were problems in others, the problem could grow even larger.&lt;br /&gt;&lt;br /&gt;First of all, I believe that NIC and Iowa Interactive need to go through and check every system they provide.  They need to check for the hole that caused the problem as well as double-checking for other holes that could cause problems.  Second, I believe the state of Iowa needs to go through its systems for failures.  
Lastly, it falls on the systems that were compromised.  This was not the first time that the Amber Alert had been the victim of an attack.  This fact proves that the systems have flaws.  The systems and application must be checked and double-checked to ensure that everything is in working order and secure.  Perhaps issues from the first attack were never fixed or perhaps new ones had been exploited.  The role of all the groups involved, NIC, the state, and the Amber Alert and Accident Alert systems, is to check everything for security.  This attack was relatively innocent, but it could have been much worse.  It is the job of these groups to protect against something worse occurring next.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3382518534710892274?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3382518534710892274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/hackers-issue-bogus-amber-alert.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3382518534710892274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3382518534710892274'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/hackers-issue-bogus-amber-alert.html' title='Hackers Issue Bogus Amber Alert'/><author><name>kmckiern</name><uri>http://www.blogger.com/profile/03603982958844419031</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7430928980746650495</id><published>2010-12-02T11:04:00.000-05:00</published><updated>2010-12-02T11:05:25.407-05:00</updated><title type='text'>SECURITY REVIEW: XBOX LIVE</title><content type='html'>Xbox Live: Security Review&lt;br /&gt;&lt;br /&gt;Xbox Live is an online multiplayer gaming and digital media delivery service created by Microsoft Corporation. It charges users a fee to play multiplayer games. With Microsoft's new mobile operating system, Windows Phone 7, Xbox Live will be integrated into new Windows Phones. Furthermore, the system has been integrated into social networking sites to find friends you played online with. To pay for their online gaming experience, users enter their data and credit card information through their console into the Xbox Live network. Xbox Live features include: marketplace for downloads, instant messengers, friends’ lists, personal bio, Netflix account link, MSN portal, personal gaming settings, social media linkups, gaming location, and a voice/video mod.&lt;br /&gt;                There are a number of security risks with Xbox Live spanning the entire CIA Triad. An attack on the system seems to be a likely risk as the online gaming community is technologically intelligent. An unintended user could target an Xbox Live account in order to steal personal information and credit card data. They could also target the accessibility and make it so that an account holder is not able to access their own account or even pose as a real user. And finally the attacker could target the account's integrity by changing the account holder's bio, friends list, preferences, etc. Further security risks include entry into social media sites, Netflix accounts, MSN portals, and cell phone operating systems all through the Xbox Live account. 
This is all a risk on Xbox Live because if you can obtain a user's gamertag and password you can access their account and modify it. From accessing the Xbox Live account, you can enter into other Microsoft applications with ease. It would be harder to enter social media and Netflix sites because further passwords are necessary. However, just knowing one password greatly increases the likelihood that you can hack into others. Again, an advanced hacker may be able to skim credit card information from future downloads and even steal card information or completely hijack the account once accessed.&lt;br /&gt;                If I were an attacker I would definitely target the broad step of stealing accounts temporarily. Gamertags (usernames) are not protected and are visible to all people with an Xbox and internet connection. However, if I were able to steal passwords for these gamertags I could renew subscriptions, transfer account details, change cardholder information, alter the bio, alter the friend list, and deny the original user access. Furthermore, an attacker could easily hack an account and disclose the real user’s home address and other information to the online community. I believe that this is the real weakness and probable attack. I have personally accessed my friends' Xbox Live accounts before and I can see how easy it would be to copy their information, alter its integrity, and disclose it to a vast amount of people.&lt;br /&gt;                I think that Xbox Live technology has the basic weaknesses that we have been talking about in class that go along with all sites and delivery services. Whenever you are assuming an online identity the risks for theft and alteration greatly increase. We have talked a lot about credit card theft and I think this is a real threat if an account is hacked. Additionally, in much the same way social media works, Xbox Live presents the opportunity for an attacker to alter and disclose personal information on a wide level. 
This is because you are basically leaving a digital footprint and also creating an online identity that many people with internet access can view and get close to. This is an inherent threat with this type of technology.&lt;br /&gt; My recommendation to Microsoft regarding the security risks of Xbox Live would be to mitigate the risk and to transfer some of the liability. Xbox Live accounts contain a wide array of personal information, credit card data, and links to other sites where the user would have personal records. This variety and amount of information must be protected by Microsoft and Xbox. They need to consistently be on top of the hackers and always practicing the most up-to-date technologies and mitigation techniques that prevent illegal attacks. Furthermore, Microsoft needs to make all of their users aware of the threats that accompany adding friends and of the importance of keeping their passwords protected. Microsoft also needs to remind users that all their passwords (Live account, Netflix, social media) should be different from each other so as to stop an attacker from totally hijacking an online identity. 
Finally, Microsoft should transfer some of this risk through purchasing a large insurance package against potential hacking into accounts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7430928980746650495?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7430928980746650495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-xbox-live.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7430928980746650495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7430928980746650495'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-xbox-live.html' title='SECURITY REVIEW: XBOX LIVE'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3164782038093406485</id><published>2010-12-01T22:52:00.005-05:00</published><updated>2010-12-01T22:55:15.287-05:00</updated><title type='text'>Dangerous Encryption?</title><content type='html'>&lt;p style="font-family: trebuchet ms;"&gt;&lt;span style=""&gt;            &lt;/span&gt;I had always thought of encryption as a tool for security, never a tool for hackers. That changed when I came across this recent article about Ransomware, a Trojan that gains access to a user’s files and encrypts them against their will, essentially denying a user access to their own media and Microsoft Office files. This Trojan is so named because it asks for a $120 ransom in exchange for decrypting the files. Once the Trojan is installed, the wallpaper on the victim’s computer turns into a ransom note, reading "All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders. There is no possibility to decrypt these files without a special decrypt program. Nobody can help you - even don't try to find another method or tell anybody." &lt;/p&gt;  &lt;p style="font-family: trebuchet ms;"&gt;&lt;span style=""&gt;            &lt;/span&gt;Victims of this Trojan have acquired it from a defective pdf file, named Troj/PDFJS-ML, which downloads and installs the Ransomware. 
The article that I posted below states that this Trojan has the capability of encrypting a number of different types of files, including jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx, but that it usually only encrypts the first 10% of a file. &lt;/p&gt;  &lt;p style="font-family: trebuchet ms;"&gt;&lt;span style=""&gt;            &lt;/span&gt;The article does not, however, offer much advice as to what one should do if faced with this type of attack, other than that you should not pay the ransom. All computer users should prevent this kind of attack by making sure to install all software updates (especially for Adobe Acrobat) and by backing up their files in case they do become inaccessible. &lt;/p&gt;  &lt;p style="font-family: trebuchet ms;"&gt;&lt;a href="http://www.esecurityplanet.com/trends/article.php/3914811/Ransomware-Scams-Take-Your-Data-Hostage.htm"&gt;http://www.esecurityplanet.com/trends/article.php/3914811/Ransomware-Scams-Take-Your-Data-Hostage.htm&lt;/a&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3164782038093406485?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3164782038093406485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/dangerous-encryption.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3164782038093406485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3164782038093406485'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/dangerous-encryption.html' title='Dangerous Encryption?'/><author><name>cmill2013</name><uri>http://www.blogger.com/profile/10411687927928113101</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4781015860749022558</id><published>2010-12-01T19:44:00.002-05:00</published><updated>2010-12-01T19:50:17.855-05:00</updated><title type='text'>Security Review: SugarSync</title><content type='html'>&lt;!--StartFragment--&gt;  &lt;p class="MsoNormal" style="text-indent:.5in"&gt;The use of multiple “smart” technology devices by an individual has increased dramatically over the past couple of years. Individuals are now using laptops, iPads, smart phones, and every gadget imaginable for work or school. A problem with the use of multiple devices is: how are you able to access a specific document on your laptop when the device is not accessible? The answer is a data backup company. 
SugarSync is an online data backup company that allows users to back up, share and access personal files from any computer, smart phone or other device with internet access (SugarSync.com). A user simply uploads the information from any device into the secure SugarSync “cloud” storage. When a user makes a change to a specific document already stored in SugarSync, the document is automatically updated (SugarSync.com). If a user is working on a project with a group, the individual can share the files with the other group members. SugarSync is a convenient way to have access to every file stored on the many devices a person owns.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-tab-count:1"&gt;            &lt;/span&gt;It is imperative that the owner of SugarSync has many security goals in order to protect the vast amount of customer information stored by the company. It is essential that SugarSync maintain the confidentiality of a customer’s documents. Many businesses use SugarSync to back up their information. Therefore, there is personal data that, if compromised, could financially injure a company. Encrypting this data would prevent a hacker from being able to access personal information. SugarSync uses SSL encryption during the file uploading process and the files stored are protected by 128-bit AES technology. The combination of these two technologies protects the confidentiality and integrity of the customer’s information. It is also important that the company prevent anyone from making unauthorized changes to a user’s data. The files must be available to the individuals with authority to access them, while preventing unauthorized users from gaining access. SugarSync does this by password protecting the information, and then using multi-level security. The multi-level security gives higher-cleared individuals the option to provide access to files to other people, or prevent access. 
&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-tab-count:1"&gt;            &lt;/span&gt;A hacker would be able to exploit the technology of SugarSync by solving a decryption key. By solving the decryption key, the hacker would be able to steal the files in the SugarSync network. Gaining access to these files would allow the hacker to compromise any information that the user stored on the SugarSync network. The hacker could also alter the information being stored on SugarSync after he or she gained access. By gaining access to a file on SugarSync, the hacker could adjust the login name and password, which would prevent the owner from being able to access their files. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-tab-count:1"&gt;            &lt;/span&gt;Because SugarSync can be accessed from a phone, I find this to be the easiest way for an attacker to enter personal files. SugarSync recently added more security to the Android App that allows a user to protect their files with a PIN. However, the user can shut this mode off. A hacker could potentially steal the phone and access the files. Then they could change the password to prevent the authorized user from accessing their files. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-tab-count:1"&gt;            &lt;/span&gt;As stated before, SugarSync is one of the most secure data backup servers. They run their company by the highest security standards; therefore, I believe the greatest risk with using the technology is in the user’s hands. Most people don’t want to enter a PIN every time they access SugarSync on their mobile device. Because of this, I believe many will deactivate the PIN security system. I can’t see a major breach in the SugarSync system because of their rigorous security standards, but I can picture a smaller number of breaches into individual files because a user doesn’t password protect their information. 
&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-tab-count:1"&gt;            &lt;/span&gt;SugarSync already has very rigid security guidelines that protect the customer’s information on the main server. They also back up the files in two state-of-the-art data centers. This prevents total data loss if one of the data centers crashes. Because of the actions they have taken to secure customer data, I think the best recommendation I can give the company is to make sure everything is up to date. This will require the company to research new ways to stay ahead of hackers who attempt to breach their system. I would also recommend that the company make PIN codes mandatory on devices such as the Android. This would mitigate the risk that unauthorized users access files.&lt;/p&gt;&lt;p class="MsoNormal"&gt;www.sugarsync.com &lt;/p&gt;  &lt;!--EndFragment--&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4781015860749022558?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4781015860749022558/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-sugarsync.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4781015860749022558'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4781015860749022558'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/security-review-sugarsync.html' title='Security Review: SugarSync'/><author><name>mdixon5</name><uri>http://www.blogger.com/profile/05309929285005331169</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8865443578555221577</id><published>2010-12-01T08:02:00.009-05:00</published><updated>2010-12-07T08:03:21.028-05:00</updated><title type='text'>Course Slides</title><content type='html'>Here are links to all of the slides used in the course:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/1.ppt"&gt;Introduction&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/2.ppt"&gt;Risk Assessment Example&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/3.ppt"&gt;Access Controls&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/4.ppt"&gt;VA Case&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/5.ppt"&gt;Business of Security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/6.ppt"&gt;Cryptography&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/7.ppt"&gt;Asymmetric Cryptography&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/8.ppt"&gt;Network Security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/9.ppt"&gt;Firewalls&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/12.ppt"&gt;Wireless Security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/flanagan.pdf"&gt;Legal Issues&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/10.pptx"&gt;Incident Response&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/11.ppt"&gt;Intrusion Detection&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8865443578555221577?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8865443578555221577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/12/course-slides.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8865443578555221577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8865443578555221577'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/12/course-slides.html' title='Course Slides'/><author><name>Mike Chapple</name><uri>http://www.blogger.com/profile/04803921950574231525</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6627203041609380198</id><published>2010-11-30T15:21:00.002-05:00</published><updated>2010-11-30T15:38:02.413-05:00</updated><title type='text'>Two Students Charged in Hacking - Current Event</title><content type='html'>Two former students, Joseph Camp and Daniel Fowler, at the University of Central Missouri have been indicted on charges of breaking into university databases. They acquired personal information on over 90,000 students, faculty, staff, and alumni and attempted to sell the data. The students launched a virus on the UCM computer system and attempted to steal funds from the university. &lt;br /&gt;&lt;br /&gt;The duo completed the attacks during last year's fall semester while they were both students at the school. 
They used a dorm room as the "home" of their attacks. They used a virus to infect the system - the source was typically a USB drive that they convinced people to insert into their computers. Another way they launched their virus was through enticing links in e-mails. &lt;br /&gt;&lt;br /&gt;The virus allowed them to monitor all happenings on the network, including keystrokes, and to steal data. It seems as if their main motivation was money because they attempted to sell the data they stole and add money to their student accounts. &lt;br /&gt;&lt;br /&gt;I think that the cause of the event was fairly obvious. The users allowed Camp and Fowler to gain access to their systems by either inserting a USB drive into their computer or clicking on a link in an e-mail. &lt;br /&gt;&lt;br /&gt;I think it is necessary for everybody to become as educated on information security as possible. It is obvious that some education could have prevented this attack. If individuals had known that the links were not safe to click on and to not load a USB onto their computer, then it could have been prevented. Every user needs to be cautious all the time because there could always be somebody attempting to gain access to your computer (and personal information). On a larger scale, I think that the university needs to protect its students. I think that they could involve some sort of data encryption (possibly a hash function or triple DES) for very personal information. Although it would take more time and money to retrieve the data, the school could be certain that their students' information is protected. 
&lt;br /&gt;&lt;br /&gt;http://www.computerworld.com/s/article/9197884/Two_former_students_charged_in_university_hack_in_Mo.?taxonomyId=17&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6627203041609380198?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6627203041609380198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/two-students-charged-in-hacking-current.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6627203041609380198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6627203041609380198'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/two-students-charged-in-hacking-current.html' title='Two Students Charged in Hacking - Current Event'/><author><name>Blake</name><uri>http://www.blogger.com/profile/06496499348513366552</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-1315322948614169773</id><published>2010-11-28T15:42:00.002-05:00</published><updated>2010-11-28T15:43:31.013-05:00</updated><title type='text'>Security Review: Notre Dame ID Cards</title><content type='html'>&lt;style&gt;@font-face {   font-family: "Cambria"; }p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: "Times New Roman"; }div.Section1 { page: Section1; }&lt;/style&gt;     &lt;p class="MsoNormal"&gt;&lt;span 
style="font-size:85%;"&gt;Your student ID card may not be as secure as you may think. The magnetic strip on your ID card contains your card number (your 90 ndID number, sans the first 9 and with a two-digit number appended to the end, identifying which card you’re on – so if your ndID was 901234 and you’re on your second card, then your card number would be 0123402). The school has made an attempt to secure the magnetic strip by obscuring the card number in a string of random numbers. However, if you know the pattern and have access to just one student ID card, it is possible to identify the pattern and figure out how to extract data from the card.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;As the user of a student ID card, I would want the card to be as secure as possible. In terms of confidentiality, however, it is unreasonable to assume that the ID number will be confidential because it must be decrypted to be read by card scanners. Instead, confidentiality should be achieved through alternate means, namely a PIN. The University recognizes that it is not possible to fully protect the ID number by making it a non-sensitive internal ID number, one that has little significance outside the organization. In terms of integrity, very light protection is provided by printing the card number on the face of the card so it can be verified against what is encoded on the magnetic strip. However, this is easily overcome by simply printing one’s own card that looks like a Notre Dame ID card with matching card numbers printed on the front and on the magnetic strip. 
The Notre Dame ID card system’s availability depends on whatever system the card is being used to access – this could be the Registrar’s computer system/Banner, the dorm/University locksmith systems, or another system that utilizes an ID card for access.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;The primary vulnerability in the ID card system, then, is the potential for an attacker to create their own ID card by simply acquiring a student ID number through social engineering and writing it to a blank card, which they could make (if necessary) look like a legitimate ID card. While attackers could always skim the data off a card’s magnetic strip by swiping it through an illegitimate card reader that copies the data, attackers could also obtain the card data through social engineering. Because the University views the ND ID number as a non-sensitive identifier, it appears all over the place – on most Banner pages (including course schedules) and some professors use it to post grades. Thus, the primary threat here is a threat of disclosure.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;Someone could then, in theory, generate their own ID cards to either gain access to dormitories or steal meal plans. The attacker should ideally target freshmen. This is because of two reasons: freshmen are more likely to print out their schedules at the beginning of a semester – and this schedule has both their names and student ID numbers printed on it. Secondly, freshmen are more likely than any other class to be on their first ID card, making it safer to assume that their ID card number ends in 01. 
As you move up through the classes, there is greater variance as people move onto their second or third (or more) card. All an attacker needs to do is to obtain the student’s schedule printout which they can do through social engineering techniques or just dumpster diving. Armed with the student ID number, an attacker simply needs to strip off the leading 9, append an 01 to the end, and add the requisite number of leading and ending random digits. With a convincingly printed card, an attacker could use the card to steal the person’s meal plan. And, with the owner’s name printed on the schedule, a quick Facebook search can reveal the person’s birth date, and thus their access code into a dormitory.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;This, of course, assumes that card readers simply remove the random digits, and append a 9 to derive the student’s ID number, from which they perform a database lookup. A more secure method of encoding an ID card would be not to use random leading and ending digits for obfuscation, but to make these digits derived from other static but not too common information. For example, the random numbers could be replaced with a truncated (first 5 characters) hash of the last four digits of the person’s (freshman year) phone number. Hashing the data keeps it secure, while using the last four digits of their phone number allows for greater variance among the student body. If ZIP code or area code were to be used, for example, there would be a lot of repetition among the student body given that a lot of people come from the same (Chicagoland) areas. 
Finally, the freshman year phone number is used to avoid the need to issue a new ID card every time the student’s contact information changes.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-size:85%;"&gt;This system would be more secure because when the card readers derive the student’s ID number and make their database lookup, they should also look up the student’s freshman year phone number, hash the last four digits, and truncate the hash to just its first five characters – then compare these characters to the leading digits on the ID card. If they match, then we can have greater assurance that the ID card is legitimate and not a socially engineered fake. However, the phone number can also be socially engineered (though the task of getting more information increases the “cost” of creating fake ID cards) and this solution does not eliminate the issue of skimmed/copied ID cards.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-1315322948614169773?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/1315322948614169773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/security-review-notre-dame-id-cards.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1315322948614169773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1315322948614169773'/><link rel='alternate' type='text/html' 
href='http://securitycourse.blogspot.com/2010/11/security-review-notre-dame-id-cards.html' title='Security Review: Notre Dame ID Cards'/><author><name>kli1</name><uri>http://www.blogger.com/profile/17712712659743026314</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4510571709224861470</id><published>2010-11-23T11:15:00.000-05:00</published><updated>2010-11-23T11:16:22.832-05:00</updated><title type='text'>Human, technology key to security defense</title><content type='html'>SINGAPORE--Security experts are calling for greater emphasis on human factors in dealing with IT security risks and reiterating the need for technology to be the last line of defense.&lt;br /&gt;&lt;br /&gt;Speaking at the Enterprise Information Security 2010 conference held here Tuesday, Fuller Yu, vice president of resiliency and IT risk management at JP Morgan Hong Kong, said the key to protecting sensitive data is to inculcate an environment where employees are educated and aware about potential risks. He revealed that the financial services company requires all its staff, as well as third-party vendors that have access to JP Morgan's data, to undergo IT security training.&lt;br /&gt;&lt;br /&gt;Yu explained: "The training is to ensure staff members take responsibility in maintaining data security. You will take very good care of your mobile phone and money, so this applies to data at work. If there is no proper training, people may shirk responsibility and say this information does not belong to me."&lt;br /&gt;&lt;br /&gt;He also urged senior IT executives to start similar training programs as education is a "multi-investment and most effective way" of keeping the organization's sensitive data and transactions at bay. 
It is not enough to simply rely on technology alone, he said.&lt;br /&gt;&lt;br /&gt;Muhammed Dawud Saifullah, head of IT infrastructure at Celcom Axiata, concurred. He acknowledged that while most organizations would have to work within a limited amount of resources, they should evaluate the feasibility of increasing efforts on training staff members to better handle security matters.&lt;br /&gt;&lt;br /&gt;Also a speaker at the conference, Saifullah suggested using branding and marketing tactics, such as corporate wallpaper with a one-sentence reminder highlighting "safety" best practices to drive home the message. Such "motivation" efforts are especially relevant in combating security attacks which carry a sociological element, he said.&lt;br /&gt;&lt;br /&gt;He pointed to Kevin Mitnick, the infamous IT hacker who, among other crimes he committed, was able to obtain the source codes of a Motorola mobile phone simply by speaking to a staff member and "dropping names".&lt;br /&gt;&lt;br /&gt;Saifullah said studies have shown that it is human nature to respond to familiarity and form relationships, and Mitnick took advantage of this trait and deployed social engineering to gain sensitive information.&lt;br /&gt;&lt;br /&gt;"For you to secure the infrastructure, you need to look at what motivates people to act the way they do, then come up with initiatives such as slogans or mascots. With greater understanding comes better security behavior," he said.&lt;br /&gt;&lt;br /&gt;However, he cautioned against implementing tough penalties on any breach of security protocols as it is proven that security effectiveness is inversely proportionate to the severity of the punishment. 
"Whereas, if employees buy-in [to the idea], then it becomes a motivational factor [to comply with the protocols]," he said.&lt;br /&gt;&lt;br /&gt;Deepak Rout, chief information security officer at Uninor, added that if IT departments feel the need to implement "penalty" for policy breaches, these should be linked to HR (human resource) policies to ensure effective results.&lt;br /&gt;&lt;br /&gt;UAE faces government challenge&lt;br /&gt;&lt;br /&gt;While enterprises today are faced with multitudinal security issues in the workplace, those operating in United Arab Emirates (UAE) have more issues to address, according to Samir Abdullah, director of fixed and core network security at du, a telecommunication services provider based in the UAE.&lt;br /&gt;&lt;br /&gt;Samir, who also spoke at the conference, explained that operators in the local telecom industry have to comply strictly with regulatory guidelines and need extra manpower to monitor certain applications such as Skype.&lt;br /&gt;&lt;br /&gt;"You always keep a certain percentage [of the budget] dedicated for security, and enterprises have to be mindful that this is an expense that they have to consider," he explained.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4510571709224861470?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4510571709224861470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/human-technology-key-to-security.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4510571709224861470'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4510571709224861470'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/human-technology-key-to-security.html' title='Human, technology key to security defense'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3266772714206046873</id><published>2010-11-22T19:11:00.000-05:00</published><updated>2010-11-22T19:12:24.964-05:00</updated><title type='text'>"Don't Fight the Cloud"</title><content type='html'>&lt;p class="p1"&gt;Cloud computing has been in recent news as the next big evolutionary change in the computing world. What is all this hype about? More importantly, what is cloud computing? Cloud computing does not have one established and widely agreed-upon definition, but it is accepted as a relatively new concept of computing outside of servers. It “is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.”&lt;/p&gt; &lt;p class="p2"&gt;&lt;span class="Apple-tab-span"&gt; &lt;/span&gt;&lt;/p&gt; &lt;p class="p1"&gt;John Thompson, a chairman for the Symantec Corp., compares cloud computing to any natural evolutionary process under which it is inevitably going to be a significant part of our future. He continues to argue that we should, therefore, embrace it and take advantage of the benefits that it can offer the computer world. However, as with every new technology, the security concerns must be addressed. 
&lt;/p&gt; &lt;p class="p2"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="p1"&gt;Many believe that computing on the cloud, and therefore having sensitive information available on the cloud, is a significant concern. Inherently it is believed that this information is safer when handled internally. John Thompson argues that these insecurities can be managed. Security would no longer be focused on hardware and infrastructures; rather, the focus would switch to being purely information-based. This would require constant monitoring; however, these concerns are being addressed by the Cloud Security Alliance, a nonprofit dedicated to promoting security assurance in cloud-based computing. Furthermore, people need to take the time to understand the technology that they are dealing with; John Thompson recommends easing into the technology, starting by moving a small amount of insignificant information to the cloud and working from there. &lt;/p&gt; &lt;p class="p2"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="p1"&gt;Ultimately, I am interested to see what role the Cloud will play in our computing future. This new idea definitely has its perks of convenience, speed, centralization of information, and other distinguishing features, but with new security issues (such as not having the ability to physically remove malware, as can be done on a server) it is absolutely necessary for the success of this technology that the proper security conditions are implemented to protect information on the Cloud. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3266772714206046873?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3266772714206046873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/dont-fight-cloud.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3266772714206046873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3266772714206046873'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/dont-fight-cloud.html' title='&quot;Don&apos;t Fight the Cloud&quot;'/><author><name>PK</name><uri>http://www.blogger.com/profile/11727226259803389263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-2216030879464334524</id><published>2010-11-21T13:04:00.002-05:00</published><updated>2010-11-21T13:10:13.502-05:00</updated><title type='text'>Recent Hacking of The Federal Reserve and Other Corporations</title><content type='html'>&lt;!--StartFragment--&gt;  &lt;p class="MsoNormal"&gt;Prosecutors recently arrested Lin Mun Poo, a 32-year-old Malaysian man for hacking into major U.S. corporations. Some of the corporations the man hacked include the U.S. Federal Reserve Bank of Cleveland and FedComp, a corporation that processes financial transactions for credit unions. 
&lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent:.5in"&gt;Apparently, Lin Mun Poo sold 1,000 dollars' worth of stolen credit card numbers before U.S. officials arrested him. However, this amount was only a small portion of his business, as when The Secret Service searched his laptop, they found more than 400,000 account numbers from credit and debit cards. It is believed that the man obtained this sensitive information by hacking into various computer systems of financial institutions. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-tab-count:1"&gt;            &lt;/span&gt;Poo informed investigators that he traveled to the United States in order to meet with an unidentified individual who regularly provides him with stolen credit card information. However, this was not his only method for compromising personal information. Prosecutors say he was able to compromise at least 10 computers at the Federal Reserve Bank of Cleveland and accessed more personal data belonging to members of the Fireman’s Association of the State of New York Federal Credit Union and the Mercer County New Jersey Teachers’ Federal Credit Union by hacking into FedComp. Aside from the U.S., Lin Mun Poo also admitted to hacking the computer networks of international banks and companies. Poo’s tactics for compromising data were very original. He simply accessed the information by finding and exploiting network vulnerabilities. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-tab-count:1"&gt;            &lt;/span&gt;If I were an executive for one of the hacked companies, such as FedComp or the U.S. Federal Reserve Bank of Cleveland, I would immediately notify my customers. As we read about in the ChoicePoint case, it is extremely important to inform customers of the situation in order for them to attempt to mitigate any damage. Also, I would set up free credit monitoring for customers, which would determine if one’s information was being breached. 
Each company could also use free credit monitoring as a brand restoration strategy. It is also important to implement new security procedures. If Lin Mun Poo was exploiting network vulnerabilities, I think it is important to increase the security standards of the customer’s information.&lt;span style="mso-spacerun: yes"&gt;  &lt;/span&gt;If I had accounts in the corporations that were hacked by Lin Mun Poo, I would most certainly utilize the free credit card monitoring by the company. Monitoring the information would allow an individual to see if their account had been breached and if any money was stolen. &lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;http://news.yahoo.com/s/pcworld/20101118/tc_pcworld/malaysianchargedwithhackingfederalreserveothers_1&lt;/p&gt;  &lt;!--EndFragment--&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-2216030879464334524?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/2216030879464334524/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/recent-hacking-of-federal-reserve-and.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2216030879464334524'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2216030879464334524'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/recent-hacking-of-federal-reserve-and.html' title='Recent Hacking of The Federal Reserve and Other Corporations'/><author><name>mdixon5</name><uri>http://www.blogger.com/profile/05309929285005331169</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-793106159389453649</id><published>2010-11-19T13:32:00.002-05:00</published><updated>2010-11-19T14:08:13.789-05:00</updated><title type='text'>The Great Cyberheist</title><content type='html'>As Prof. Chapple mentioned in class on Tuesday, the NY Times put out an article on November 10th talking about the mastermind behind numerous cybercrimes, including the TJX case we studied earlier in the semester. It's a long article, but well worth reading if you have 20-25 minutes of spare time. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The article goes into great depth about the progression of Albert Gonzalez, a black hat hacker out of Miami who was essentially the brains behind the crimes on Marshall's/TJX and a number of other large corporations. It begins by going into Gonzalez's first run in with the law and how this led to him becoming an informant for the Justice Department in "Operation Firewall". The goal of this operation was to take down a number of black hat hackers who gathered together on this web site called Shadowcrew, which served as an eBay/Monster/Myspace for black hat hackers. As a rising star in the world of cybercrime, Gonzalez became an irreplaceable piece of the puzzle in taking down dozens of these hackers. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As many people say, however, once a criminal, always a criminal. The case is no different for Albert Gonzalez. Like many black hat hackers, his original motives were purely monetary. But as his actions snowballed from 2003-2007, Gonzalez found himself performing these crimes purely out of greed and stubbornness. 
While working for the government, Gonzalez and his crew of Jonathan James, Patrick Toey, Christopher Scott, Jonathan Williams, and Maksym Yastremskiy were able to gain access to roughly 180 million payment card accounts from Office Max, BJ's wholesale club, Dave &amp;amp; Busters, TJ Maxx and Marshalls, Target, Barnes &amp;amp; Noble, JC Penney, Sports Authority, Boston Market and 7/11&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;. In the words of Gonzalez's chief prosecutor, "The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled." &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;After becoming bored with Operation Firewall, Gonzalez began working on business wi-fi networks by the end of 2004. Because of the rush for companies to get online and adjust to the payment card industry, Gonzalez saw a number of vulnerabilities in their networks and protection of data. Gonzalez was able to get Christopher Scott and Jonathan James to do a lot of the grunt work in terms of sitting outside the stores with the antennas and laptops. 
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;Originally, Gonzalez was running into the problem of companies like TJX storing expired credit card information (since they held data for so long). Soon, however, he was able to find a way to find the most recently used credit cards and have that uploaded directly to his computer. It was his ability to breach point-of-sale terminals at stores that enabled him to get cards right after the customers used them. This method of attack was first tried on JC Penney, Wet Seal, Hannaford Brothers grocery chain and Dave &amp;amp; Busters. This was ultimately what led to such a great hit on TJX's databases. By the end of 2006, they had legitimate credit card information for over 40 million users. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;Gonzalez went through an intricate process of setting up fake businesses, laundering money and using his international connections to hide and obtain his money. 
He went completely undetected in these actions, but it was his selling of personal information to Yastremskiy, a Ukrainian hacker, that ultimately led to his demise. Gonzalez had been providing credit card information for Yastremskiy to sell over the web and it just so happened that an undercover cop in San Diego had been buying information from Yastremskiy for two years. Once TJX and Heartland Payment Systems (a credit card processing company) reported these breaches, this cop was able to provide a lead in what seemed like an unsolvable case. Once they raided Yastremskiy they were only able to find Gonzalez's IM address, which initially gave no lead to the hacker's identity. Once they were able to obtain the IM registration info, however, they saw one piece of information: an email address. Listed as soupnazi@efnet.ru, those who knew Gonzalez from Operation Firewall knew immediately that it was Gonzalez providing the credit card information. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;In the end, it was estimated that Gonzalez and his team cost TJX, Heartland and other companies roughly 400 million in reimbursements and forensic and legal fees. The number could be much, much higher, however. The article goes into much more detail about the whole process and how Gonzalez was able to do what he did. I encourage you to read it if you have the time. 
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:georgia, 'times new roman', times, serif;font-size:130%;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?pagewanted=all&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-793106159389453649?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/793106159389453649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/great-cyberheist.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/793106159389453649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/793106159389453649'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/great-cyberheist.html' title='The Great Cyberheist'/><author><name>jkelly16</name><uri>http://www.blogger.com/profile/05340182157806538634</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8941279941436241319</id><published>2010-11-19T11:22:00.003-05:00</published><updated>2010-11-19T11:56:19.831-05:00</updated><title type='text'>Security Awareness Strategy: Weighing Optimism vs. Pragmatism</title><content type='html'>In a &lt;a href="http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1523943,00.html?track=sy160"&gt;&lt;span style="text-decoration: underline;"&gt;recent article from SearchSecurity.com&lt;/span&gt;&lt;/a&gt;, the methods and "merits" of spreading security awareness are examined. Is it up to the end user to keep themselves safe through updated knowledge and understanding of threats? Or is it the responsibility of governments, ISPs, vendors and enterprises to jointly protect the ignorant consumer?&lt;br /&gt;&lt;br /&gt;Tony Neate, managing director of U.K.-based Get Safe Online, a joint public-private security education initiative aimed at  individuals and small companies, is a passionate proponent of security  awareness initiatives. In a time when more than three-quarters of the U.S. population and  three-fifths of the U.K. population use the Internet regularly, he  believes governments, ISPs, vendors and enterprises have a joint  responsibility to teach the public not only how to protect themselves  and their companies, but also about the increasingly complex ways in  which they can be victimized.&lt;br /&gt;&lt;br /&gt;Neate argues the public should know as much about how vulnerable they are to phishing and hacking as they know about robbery and burglary.&lt;br /&gt;&lt;br /&gt;Neate's organization uses the typical strategies for boosting awareness: events, competition, public outreach, and even the institution of the recent National Cybersecurity Awareness Month. 
And Neate calls for companies to spend more resources on expert speakers, statistics and research, attack scenarios and behavioral training. However, here, the article mentions, is where the debate around security awareness becomes contentious.&lt;br /&gt;&lt;br /&gt;In many organizations, the security staff is already  stretched too thin, the budget for security awareness training is  nonexistent, and even when security awareness programs are implemented,  they are often ineffective because, as Lance Spitzner writes in the October 2010 issue of &lt;i&gt;Information Security&lt;/i&gt;,  "Nothing is more boring to employees than having to sit through hours  of training, and being told what they can and cannot do for the benefit  of the company." Ah, realism. Refreshing. Here are several points made by people interviewed in the article that serve as the alternatives to Neate's plan.&lt;br /&gt;&lt;p style="font-weight: bold;"&gt;1. Scare the awareness into them.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;"A lot of day-to-day security professionals think security  awareness is a waste of time," said Mike Rothman, analyst and president  at Phoenix-based security research and advisory firm Securosis LLC and  author. "These folks need to take a step back and have the awareness to do  [security awareness] correctly; it can minimize the percentage of people  who do stupid things, which allows you, the security professional, to  focus on the minority of people who are going to do stupid things no  matter how much you train them not to."  &lt;/p&gt;&lt;p&gt;Rothman advocates a pointed security awareness strategy  for enterprises that shuns formal training and instead focuses on tests  for individuals or groups of users that mimic the real-world risk  scenarios users often face when sensitive personal or business data may  be at risk.  
&lt;/p&gt;&lt;p&gt;"By running an internal phishing experiment, for instance, when  users [fall prey] to it, then you have the opportunity to educate them  on how they can identify those messages," Rothman said. "Those kinds of  awareness programs are an order of magnitude more effective than a sign  by the bathroom or a four-hour training once a year."  &lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;2. Make it about helping the individual, not the corporation.&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Almost as controversial as security awareness training methods is  the question of whether enterprises should train employees on how to  keep their personal data safe. Neate said a large organization he has  worked with in the U.K., after finding traditional security awareness  training ineffective, decided to instead focus their training sessions  on teaching users how to use the Internet securely at home.  &lt;/p&gt;&lt;p&gt;"They got droves of people to attend because people realized it  was going to be useful to them at home, but it works both ways, at home  and at work," Neate said.  &lt;/p&gt;&lt;p&gt;Similarly, Rothman said companies should worry about how  employees conduct themselves online when they are not on the clock.  Clicking on a malicious Facebook app while using a company laptop, after  all, can still put sensitive enterprise data at risk. Rothman also  noted that if parents know how to act securely online, they'll pass that  knowledge to their kids.  &lt;/p&gt;&lt;p&gt;"How do we protect this next generation of kids who have all  these tools at their disposal so they grow up knowing how to use them  responsibly?" Rothman asked. 
"That's one of the most significant issues  we have in today's tech-enabled society."&lt;br /&gt;&lt;/p&gt;&lt;span style="font-weight: bold;"&gt;My Take&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I knew it was Cybersecurity Awareness Month in October, but that was about the extent of how it affected me. It seemed the media didn't really care, and while security-savvy blogs and professionals probably learned one or two new things in honor of the special time of year, people like you or me probably didn't do or learn anything different than usual because frankly, most people don't see what personal benefit would come from knowing more about IS threats, nor do they have the fear of the consequences of a lack of awareness.&lt;br /&gt;&lt;br /&gt;I would argue for a combination of both the first and second strategies, and ditch Neate's altogether. There's something to this idea of appealing to people's interest in protecting themselves over the corporation. Human nature is tuned for self-preservation. Companies can hope that through the transitive property, teaching employees how to be safe online at home will generate safer behavior online at work. Further, the training will be more effective in the first place because it's about the individual, not the corporation.&lt;br /&gt;&lt;br /&gt;Finally, who hasn't heard someone say "Man, ever since X happened, I never do Y anymore"? I think it would be pretty interesting (although perhaps unethical) to do some white hat hacking and run phishing schemes on employees. Much like in airport screening points, the person who monitors the baggage X-Ray is shown an image of a bag with a bomb that isn't really in the machine, and is supposed to alert their superior. 
The superior knows when this test is going to happen and to whom, so if he or she is never notified, that employee can be seen as a threat to the airport's security.&lt;br /&gt;&lt;br /&gt;And frankly, that employee will probably become more diligent after making that mistake. I think things would operate quite similarly with members of a company when "put to the test." Of course, this might raise some legal and ethical issues, but given the ends, I tend to think the means make sense.&lt;br /&gt;&lt;br /&gt;In summary, my ideal IS awareness and training strategy would incorporate the proliferation of fear and exploit our self-interested human nature. Does that make me a jerk?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8941279941436241319?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8941279941436241319/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/security-awareness-strategy-weighing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8941279941436241319'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8941279941436241319'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/security-awareness-strategy-weighing.html' title='Security Awareness Strategy: Weighing Optimism vs. 
Pragmatism'/><author><name>Cristin</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6752602534454306821</id><published>2010-11-11T00:06:00.004-05:00</published><updated>2010-11-11T00:38:16.440-05:00</updated><title type='text'>Security Review: Eye-Fi</title><content type='html'>Eye-fi is a new memory card for digital cameras that uses wireless internet to upload photos directly from your camera.  The user sets up to 32 preferred wireless networks and upload destinations to initialize the memory card. There are multiple variations of the card with different memory limits.  The card also allows for the "endless memory option" where the oldest information is uploaded and deleted as the card fills - therefore giving off the idea of being an endless supply of memory.  The card is compatible with almost any digital camera from any company, and can upload to any type of portal from email to Facebook to Flickr to iPhoto, etc.&lt;br /&gt;&lt;br /&gt;As an owner of such technology I would want to ensure that my pictures and other media stored on this device are only being uploaded to my specified locations on my specified networks.  I would also want to make sure that I am aware of when these uploads are occurring and what is being removed from the device when the upload occurs.  I would also want to make sure that if I have chosen to upload directly to a public networking site, that I have control over which pictures are automatically uploaded and which are kept for personal use.  There is also the idea of knowing if an upload fails that I do not lose any of my media. 
Lastly, I would want to also have the option of uploading directly to my computer via some other technology than wireless networks if I am in an unsecured location.&lt;br /&gt;&lt;br /&gt;As a hacker I would be looking to exploit the use of wireless networks as a means to usurp media from one of these cards.  This could be anything from capturing the upload as it is in progress to retain the media rather than the user or deleting the media without consent of the user.  I would look to possibly delete data or disable an upload as it occurs, possibly confusing the system into removing the media without proper back up support.  I would also potentially look to disable or circumvent personalized settings to either upload to a different portal (i.e., Facebook instead of iPhoto) or even circumvent security measures as to which photos/videos get uploaded with or without the owner's consent.&lt;br /&gt;&lt;br /&gt;One of the vulnerabilities that exists is the reliance of this device on wireless networks.  Though many now are secure, older networks are not as protected as they could be.  This could allow hackers easy access to disrupting or intercepting uploads.  It could also allow hackers to penetrate the Eye-fi's settings and alter them for their personal benefit.  Eye-fi has also had problems with failed uploads.  Normally uploads are backed up with something called "Relayed photos," which are photos/videos that get stored on Eye-fi servers in case of failure or extended Endless Memory issues.  If these servers are not securely protected, then hackers could potentially enter them, stealing media from all Eye-fi users.  Lastly, the vulnerability also exists with this being a new technology.  As this is the first of its kind, the bugs and issues are coming up while it is in its early life cycle stages.  
Though Eye-fi has had one of the fastest turnaround times with patches for known problems, it is still in the infant stages looking to grow.&lt;br /&gt;&lt;br /&gt;Though wireless networks are becoming more and more secure, there is still and always will be the potential hacker looking to exploit a vulnerability.  The dependence on wireless networks by Eye-fi will always be a risk that the device relies heavily on.  The device also relies on users having the ability to set their personal settings and controls on the device.  Many users do not realize either how to do this or even how to set limitations on the networks they allow their Eye-fi to operate on.  There is always room for human error.  Another inherent risk is the risk of media loss.  Though Eye-fi has put in place many backup systems, there are risks from nature or unforeseen accidents that could pose threats to the servers, data center, or even the transfer of data from the device to the suggested portal.&lt;br /&gt;&lt;br /&gt;In order to mitigate risks, I would first always alert users to use protected networks and to manage their personal settings.  There is a need for the user to understand that their media has the possibility of being intercepted if using an unsecured connection.  I would also require passwords for any change to personal settings, beyond the passwords required of the different upload portals.  This could help in authenticating users.  There should also be a survey of risks to servers and data centers from threats such as mother nature, to begin discussion on further backup procedures.  
As Eye-fi gains market share in the memory card industry there will be more and more exploited holes in their system, as long as Eye-fi continues its quick patch fixes to problems I believe it will begin to become an even more sought after good.&lt;br /&gt;&lt;br /&gt;http://www.eye.fi/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6752602534454306821?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6752602534454306821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/security-review-eye-fi.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6752602534454306821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6752602534454306821'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/security-review-eye-fi.html' title='Security Review: Eye-Fi'/><author><name>kflynn5</name><uri>http://www.blogger.com/profile/00897395196665408560</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-5308380794349163901</id><published>2010-11-11T00:04:00.002-05:00</published><updated>2010-11-11T00:08:45.758-05:00</updated><title type='text'>Access Controls for the Internet?</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;o:documentproperties&gt;   &lt;o:author&gt;Angela McKay&lt;/o:Author&gt;   &lt;o:version&gt;12.00&lt;/o:Version&gt;  &lt;/o:DocumentProperties&gt; 
&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:worddocument&gt;   &lt;w:view&gt;Normal&lt;/w:View&gt;   &lt;w:zoom&gt;0&lt;/w:Zoom&gt;   &lt;w:trackmoves/&gt;   &lt;w:trackformatting/&gt;   &lt;w:punctuationkerning/&gt;   &lt;w:validateagainstschemas/&gt;   &lt;w:saveifxmlinvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;   &lt;w:ignoremixedcontent&gt;false&lt;/w:IgnoreMixedContent&gt;   &lt;w:alwaysshowplaceholdertext&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;   &lt;w:donotpromoteqf/&gt;   &lt;w:lidthemeother&gt;EN-US&lt;/w:LidThemeOther&gt;   &lt;w:lidthemeasian&gt;X-NONE&lt;/w:LidThemeAsian&gt;   &lt;w:lidthemecomplexscript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;   &lt;w:compatibility&gt;    &lt;w:breakwrappedtables/&gt;    &lt;w:snaptogridincell/&gt;    &lt;w:wraptextwithpunct/&gt;    &lt;w:useasianbreakrules/&gt;    &lt;w:dontgrowautofit/&gt;    &lt;w:splitpgbreakandparamark/&gt;    &lt;w:dontvertaligncellwithsp/&gt;    &lt;w:dontbreakconstrainedforcedtables/&gt;    &lt;w:dontvertalignintxbx/&gt;    &lt;w:word11kerningpairs/&gt;    &lt;w:cachedcolbalance/&gt;   &lt;/w:Compatibility&gt;   &lt;w:browserlevel&gt;MicrosoftInternetExplorer4&lt;/w:BrowserLevel&gt;   &lt;m:mathpr&gt;    &lt;m:mathfont val="Cambria Math"&gt;    &lt;m:brkbin val="before"&gt;    &lt;m:brkbinsub val="&amp;#45;-"&gt;    &lt;m:smallfrac val="off"&gt;    &lt;m:dispdef/&gt;    &lt;m:lmargin val="0"&gt;    &lt;m:rmargin val="0"&gt;    &lt;m:defjc val="centerGroup"&gt;    &lt;m:wrapindent val="1440"&gt;    &lt;m:intlim val="subSup"&gt;    &lt;m:narylim val="undOvr"&gt;   &lt;/m:mathPr&gt;&lt;/w:WordDocument&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="0" semihidden="false" unhidewhenused="false" qformat="true" name="Normal"&gt;   &lt;w:lsdexception 
locked="false" priority="9" semihidden="false" unhidewhenused="false" qformat="true" name="heading 1"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 2"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 3"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 4"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 5"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 6"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 7"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 8"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 9"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 1"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 2"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 3"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 4"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 5"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 6"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 7"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 8"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 9"&gt;   &lt;w:lsdexception locked="false" priority="35" qformat="true" name="caption"&gt;   &lt;w:lsdexception locked="false" priority="10" semihidden="false" unhidewhenused="false" qformat="true" name="Title"&gt;   &lt;w:lsdexception locked="false" priority="1" name="Default Paragraph Font"&gt;   &lt;w:lsdexception locked="false" priority="11" semihidden="false" unhidewhenused="false" qformat="true" name="Subtitle"&gt;   &lt;w:lsdexception locked="false" priority="22" semihidden="false" unhidewhenused="false" qformat="true" name="Strong"&gt;   &lt;w:lsdexception locked="false" priority="20" 
semihidden="false" unhidewhenused="false" qformat="true" name="Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="59" semihidden="false" unhidewhenused="false" name="Table Grid"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Placeholder Text"&gt;   &lt;w:lsdexception locked="false" priority="1" semihidden="false" unhidewhenused="false" qformat="true" name="No Spacing"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" 
unhidewhenused="false" name="Colorful Grid"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Revision"&gt;   &lt;w:lsdexception locked="false" priority="34" semihidden="false" unhidewhenused="false" qformat="true" name="List Paragraph"&gt;   &lt;w:lsdexception locked="false" priority="29" semihidden="false" unhidewhenused="false" qformat="true" name="Quote"&gt;   &lt;w:lsdexception locked="false" priority="30" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Quote"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" 
name="Colorful Shading Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" 
unhidewhenused="false" name="Colorful Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="61" 
semihidden="false" unhidewhenused="false" name="Light List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" 
priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   
&lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; 
&lt;/xml&gt;&lt;![endif]--&gt;  &lt;p class="MsoNormal"&gt;          Microsoft is now considering a new way to keep internet users safe as they surf the web: an Internet wide network access control. Such an access control would scan computers before they go online and would only allow internet access if they were clean and free from all viruses and malware. If a computer was infected, it would be cleaned through a restricted Internet connection. 
In his paper &lt;i style=""&gt;&lt;a href="http://go.microsoft.com/?linkid=9746317"&gt;Collective Defense&lt;/a&gt;, &lt;/i&gt;Scott Charney (a Microsoft executive) argues that a global health model should be applied to the internet saying, “To improve the security of the Internet, governments and industry could similarly engage in more methodical and systematic activities to improve and maintain the health of the population of devices in the computing ecosystem by promoting preventative measures, detecting infected devices, notifying affected users, enabling those users to treat devices that are infected with malware, and taking additional action to ensure that infected computers do not put other systems at risk.”&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;          &lt;/span&gt;While this idea is definitely interesting, critics have cited many possible problems. First of all it would be hard to determine who had the power and authority to implement such a control (the government? Internet Service Providers?), and how they would be able to do so. There is also the issue that it is impossible to protect against something if we don’t know that it exists. Therefore, hackers may design new types of viruses and malware that might be able to bypass the access control. There is also always the risk of the access control itself being hacked.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;                     &lt;/span&gt;Despite these issues, I still think that a network wide access control is an interesting possible solution to the problem of increasing malware and viruses. 
It is definitely something to keep an eye on for the future.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1522386,00.html"&gt;http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1522386,00.html&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-5308380794349163901?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/5308380794349163901/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/access-controls-for-internet.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5308380794349163901'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5308380794349163901'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/access-controls-for-internet.html' title='Access Controls for the Internet?'/><author><name>cmill2013</name><uri>http://www.blogger.com/profile/10411687927928113101</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-1363285690516881715</id><published>2010-11-10T23:35:00.001-05:00</published><updated>2010-11-10T23:40:17.362-05:00</updated><title type='text'>Barracuda Bounty Hunters</title><content type='html'>Barracuda Networks is an internet security company that offers industry leading protection for hundreds of thousands of internet users a day. 
They offer spam and virus protection, firewalls and web filters. They recently began a program that offers bounties to users who can find harmful bugs and vulnerabilities in their products. The price of the bounty ranges from $500 to $3,000, depending on the severity of the issue, for anyone who can find an issue with their system. Barracuda is the first internet security provider to offer a bounty for an issue related with their own software. Other groups and companies have offered bounties on other companies’ software but not for their own.&lt;br /&gt;&lt;br /&gt;The actual cause of these bounty offerings is that Barracuda wants to enable its users to search for problems within their own software. This gives the information technology professionals at Barracuda another viewpoint, other than their own when researching their own technology. Another cause of this issue is that a lot of bugs may have been reported with the Barracuda security and they can be fixed in a more timely manner by offering bounties to fix them. A typical user who comes across a bug will probably just avoid the software altogether or they will find a way around the bug and not report it to the manufacturer. I know when I come across an issue in my browser or security system and it asks me to report it I always decline because it takes too long. However, if the users know that they will be paid money for reporting the bug to Barracuda then they are much more likely to report it to them.&lt;br /&gt;&lt;br /&gt;The best scenario would be for a network security company to offer a security package that does not have any bugs in it. Obviously that is usually not ever the case because people come up with new ways to create viruses and problems with a network system almost daily. The security company cannot always respond very quickly because they don’t really know until someone reports it. 
Thus, offering users a reward for reporting the bug is a great idea.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-1363285690516881715?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/1363285690516881715/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/barracuda-bounty-hunters.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1363285690516881715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1363285690516881715'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/barracuda-bounty-hunters.html' title='Barracuda Bounty Hunters'/><author><name>Casey Totten</name><uri>http://www.blogger.com/profile/01566197797661073528</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7851465412038219676</id><published>2010-11-04T10:44:00.000-04:00</published><updated>2010-11-04T10:45:46.242-04:00</updated><title type='text'>Burma hit by massive net attack ahead of election</title><content type='html'>An ongoing computer attack has knocked Burma off the internet, just days ahead of its first election in 20 years.&lt;br /&gt;&lt;br /&gt;The attack started in late October but has grown in the last few days to overwhelm the nation's link to the net, said security firm Arbor Networks.&lt;br /&gt;&lt;br /&gt;Reports from Burma say the disruption is ongoing.&lt;br /&gt;&lt;br /&gt;The 
attack, which is believed to have started on 25 October, comes ahead of closely-watched national elections on 7 November.&lt;br /&gt;&lt;br /&gt;International observers and foreign journalists are not being allowed into the country to cover the polls - which many Western leaders have said will not be free or fair.&lt;br /&gt;&lt;br /&gt;It will raise suspicions that Burma's military authorities could be trying to restrict the flow of information over the election period.&lt;br /&gt;Cyber attack&lt;br /&gt;&lt;br /&gt;The Distributed Denial of Service (DDoS) attack, as it is known, works by flooding a target with too much data for it to handle. &lt;br /&gt;The "distributed" element of it means that it involves PCs spread all over the world. These networks of enslaved computers - known as "botnets" - are typically hijacked home computers that have been compromised by a virus.&lt;br /&gt;&lt;br /&gt;They are typically rented out by cyber criminals for various means, including web attacks. They can be called into action and controlled from across the internet.&lt;br /&gt;&lt;br /&gt;Burma links to the wider net via cables and satellites that, at most, can support data transfers of 45 megabits of data per second.&lt;br /&gt;&lt;br /&gt;At its height, the attack was pummelling Burma's connections to the wider net with about 10-15 gigabits of data every second.&lt;br /&gt;&lt;br /&gt;Writing about the attack, Dr Craig Labovitz from Arbor Networks said the gigabits of traffic was "several hundred times more than enough" to swamp these links.&lt;br /&gt;&lt;br /&gt;The result, said Dr Labovitz, had disrupted network traffic in and out of the nation.&lt;br /&gt;&lt;br /&gt;He said the attack was sophisticated in that it rolled together several different types of DDoS attacks and traffic was coming from many different sources.&lt;br /&gt;&lt;br /&gt;At time of writing attempts to contact IP addresses in the block owned by Burma and its telecoms firms timed out, suggesting the 
attack is still underway.&lt;br /&gt;&lt;br /&gt;"Our technicians have been trying to prevent cyber attacks from other countries," a spokesperson from Yatanarpon Teleport told AFP.&lt;br /&gt;&lt;br /&gt;"We still do not know whether access will be good on the election day."&lt;br /&gt;&lt;br /&gt;Mr Labovitz said that he did not know the motivation for the attack but said that analysis of similar events in the past had found motives that ran the gamut "from politically motivated DDoS, government censorship, extortion and stock manipulation."&lt;br /&gt;&lt;br /&gt;He also noted that the current wave of traffic was "significantly larger" than high profile attacks against Georgia and Estonia in 2007.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7851465412038219676?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7851465412038219676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/burma-hit-by-massive-net-attack-ahead.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7851465412038219676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7851465412038219676'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/burma-hit-by-massive-net-attack-ahead.html' title='Burma hit by massive net attack ahead of election'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3555890376460975228</id><published>2010-11-03T18:37:00.000-04:00</published><updated>2010-11-03T18:37:31.004-04:00</updated><title type='text'>Security Review on Web Servers and Back-end Databases</title><content type='html'>&lt;div class="MsoNoSpacing"&gt;&lt;span style="font-size: 12.0pt;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;MySQL (pronounced “My Sequel” or “My S-Q-L”) is a relational database management system that runs as a server to provide multi-user access to databases of information. MySQL is a very common database system used in web applications and is even used by websites such as Facebook, Google, and Youtube. One popular scripting language used in conjunction with MySQL to produce dynamic web pages is PHP (Hypertext Preprocessor). Website developers embed PHP code into a standard HTML page and it is interpreted by a web server with a PHP module which generates the final web page filled with dynamic content. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;span style="font-size: 12.0pt;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;When developing a website which can be accessed by hundreds of millions of people, securing sensitive data on your server is crucial. If your website allows users to register an account and submit personal information to the database, you need to be sure that the data remains confidential and safe from unauthorized tampering. Attackers will try any method they can to expose a flaw in the system to gain access. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;span style="font-size: 12.0pt;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;MySQL can be a very secure system if set up correctly and used appropriately by web programmers. The server administrator must protect the system from a number of attacks including: denial of service, altering, playback, and eavesdropping. Access Control Lists are used to secure all connections, queries, and other user-performed operations. SSL-encrypted connections between the MySQL server and clients can also help secure information. In the end, most security risks are caused either by the administrator of the server who fails to set things up correctly or by web programmers who unintentionally allow SQL injections in their code.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;span style="font-size: 12.0pt;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Two very simple examples of tasks the administrator should perform when setting up a secure MySQL server are to put the server behind a firewall and block untrusted connections on the port MySQL is running on and to encrypt user passwords within the database using hash encryption algorithms such as MD5 or SHA1. MySQL provides administrators and programmers these functions to easily encrypt data on the fly. Most administrators will put a firewall between the internet and the web server which is known as the Demilitarized zone (DMZ). They will then put a back-end database within their internal network that is protected from outside access. 
In order for this database to communicate with the web server in the DMZ, information needs to be passed back and forth between the firewall which can compromise security if the traffic on the open ports on the firewall is not carefully monitored. Aside from various technical details, this is a simple way to describe how most network administrators organize their web servers and databases.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;span style="font-size: 12.0pt;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;One of the most common attacks on any SQL server is an attack known as injection. SQL injection is when a user enters a special sequence of characters into an input such as a website form and if the web programmers do not handle the input correctly, the MySQL server could recognize the user input as a command rather than just plaintext input. I will not dive into the specifics but if you are curious there is a great wiki explaining the basics of SQL injection that can be found here: &lt;/span&gt;&lt;/span&gt;&lt;a href="http://en.wikipedia.org/wiki/SQL_injection"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;http://en.wikipedia.org/wiki/SQL_injection&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;. &lt;span style="font-size: 12.0pt;"&gt;If a hacker finds a way to use SQL injection on your website, they can compromise the CIA security model (confidentiality, integrity, and availability). Failure to pay attention to minor details when dealing with user input on a web server can result not only in information being stolen but can result in the loss of the whole database. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNoSpacing"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size: 12pt; line-height: 115%;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;If the administrator and programmers of the web server are meticulous and aware of potential security flaws it is possible to have a very secure web server for users to use safely but as we all know quite well, no system is completely secure. Until a new attack is discovered, administrators and programmers can defend themselves against known attacks to cover as much as possible.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 12pt; line-height: 115%;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 12pt; line-height: 115%;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Sources:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 12pt; line-height: 115%;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 12pt; line-height: 115%;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;a href="http://dev.mysql.com/doc/refman/5.0/en/security-guidelines.html"&gt;http://dev.mysql.com/doc/refman/5.0/en/security-guidelines.html&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 12pt; line-height: 115%;"&gt;&lt;a href="http://www.softpanorama.org/DB/Mysql/mysql_security.shtml"&gt;http://www.softpanorama.org/DB/Mysql/mysql_security.shtml&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3555890376460975228?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://securitycourse.blogspot.com/feeds/3555890376460975228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/security-review-on-web-servers-and-back.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3555890376460975228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3555890376460975228'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/security-review-on-web-servers-and-back.html' title='Security Review on Web Servers and Back-end Databases'/><author><name>tks</name><uri>http://www.blogger.com/profile/02219796637678450680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3190058319996434078</id><published>2010-11-01T00:09:00.002-04:00</published><updated>2010-11-01T00:10:33.181-04:00</updated><title type='text'>Identity Theft and the Increase in Technology</title><content type='html'>
&lt;p class="MsoNormal"&gt;This article highlights a growing, almost unstoppable, problem with the advancement of technology today.&lt;span style=""&gt;  &lt;/span&gt;It describes how the increase in technological advantages makes it more difficult to prevent the misuse of information on the internet.&lt;span style=""&gt;  &lt;/span&gt;Identity theft was a highlighted crime in this situation as it has become easier to exploit this type of crime. 
“Identities are sold around the world quickly after they are stolen through online auction sites operated by organized crime or hackers, and they are used for a number of purposes -- most of which do not need a personal presence where a retina scan might be used.” This clip from the article highlights two critical problems with the current technological situation as well as revealing a potential problem with the proposed solution, which is physical identification.&lt;span style=""&gt;  &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;The first problem is the availability of internet sources that make a profit selling and buying personal information.&lt;span style=""&gt;  &lt;/span&gt;These sites are capable of quickly and discreetly selling information such as credit card numbers, phone numbers, social security numbers and complete names to buyers across the world for a simple transfer of funds and an email.&lt;span style=""&gt;  &lt;/span&gt;Considering the nature of this crime and its potential for easy money, it is no surprise that identity theft has become such a growing crime. 
Once the information has been stolen or purchased, it can be used to create false duplicate identities of a person on the internet.&lt;span style=""&gt;  &lt;/span&gt;This can result in several false purchases of various products in another person’s name.&lt;span style=""&gt;  &lt;/span&gt;However, it should be noted that these purchases are rarely sent to, or identified with, the person who had stolen the information.&lt;span style=""&gt;  &lt;/span&gt;It makes sense as a criminal would not want to identify themselves with the crime that they had just committed.&lt;span style=""&gt;  &lt;/span&gt;An analogy was used that described a theft using a stolen credit card at an ATM.&lt;span style=""&gt;  &lt;/span&gt;They would eventually be caught as many ATMs have cameras that watch and monitor the transactions.&lt;span style=""&gt;  &lt;/span&gt;However, the internet does not have such a monitoring device which leads to the second problem.&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;The second problem is the lack of identity on the internet.&lt;span style=""&gt;  &lt;/span&gt;Because a computer only recognizes a person as a series of inputs it is possible to become anyone on a computer as long as you possess the necessary inputs. If a person has the inputs necessary then they can essentially become anyone that they wish to and the computer will not have the ability to distinguish the difference. 
This allows hackers and identity thieves to pass as anyone they want to as long as they have the necessary information to do so.&lt;span style=""&gt;  &lt;/span&gt;This includes bank accounts, paypals, credit companies and online businesses.&lt;span style=""&gt;  &lt;/span&gt;And because of the lack of identity given by the internet, it becomes increasingly more difficult to trace someone back to the crime.&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;This has led many to suggest physical identification in the form of retina scanners and even fingerprint scanners.&lt;span style=""&gt;  &lt;/span&gt;While this is just the tip of the suggestions offered, they seem to be the ones that are gaining ground in protection of information.&lt;span style=""&gt;  &lt;/span&gt;However, the solution has some potential problems. By giving users a “physical” presence on the internet it infringes on the freedom offered by internet autonomy.&lt;span style=""&gt;  &lt;/span&gt;This freedom will be lessened if everyone is given a traceable presence on the internet.&lt;span style=""&gt;  &lt;/span&gt;This is one of the reasons that the article at hand suggests that a “physical” solution would be made impossible by the people who would reject it.&lt;span style=""&gt;  &lt;/span&gt;Another problem is the implausibility of physical identification.&lt;span style=""&gt;  &lt;/span&gt;While it is possible in the office places as well as in a few other places where information is publicly accessible, it is not plausible on something as vast and flowing as the internet.&lt;span style=""&gt;  &lt;/span&gt;I am at a loss as to how a system like this could be applied to any of the online businesses.&lt;span style=""&gt;  &lt;/span&gt;Would they need direct access to a user’s personal computer to be able to gain access to the information needed?&lt;span style=""&gt;  &lt;/span&gt;How much permission must outside sources be given in order for a system like this to 
function?&lt;span style=""&gt;  &lt;/span&gt;Is it possible for hackers to scam a user into giving out their fingerprints and sensitive information?&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;While I see potential application to closed systems which are designed to function in a manner that allows physical identification, the internet has grown too far in complexity.&lt;span style=""&gt;  &lt;/span&gt;So much so that it is often impossible to propose a single encompassing solution to fix an overall problem which leaves independent organizations to come up with their own solution.&lt;span style=""&gt;  &lt;/span&gt;However, because these solutions often lack a physical way of identifying one person from another, they are often exposed to potential unauthorized access and possible identity theft. The article itself delves into the topic but it’s difficult to imagine that anyone is capable of understanding the problem to the depth that is needed in order to fix it.&lt;span style=""&gt;  &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://www.physorg.com/news185121642.html"&gt;http://www.physorg.com/news185121642.html&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;Other Sources&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://usgovinfo.about.com/cs/consumer/a/aaspoofing.html"&gt;http://usgovinfo.about.com/cs/consumer/a/aaspoofing.html&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://www.privacyrights.org/fs/fs17-it.html"&gt;http://www.privacyrights.org/fs/fs17-it.html&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://articles.winferno.com/computer-fraud/internet-identity-theft/"&gt;http://articles.winferno.com/computer-fraud/internet-identity-theft/&lt;/a&gt;&lt;/p&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3190058319996434078?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3190058319996434078/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/11/identity-theft-and-increase-in.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3190058319996434078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3190058319996434078'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/11/identity-theft-and-increase-in.html' title='Identity Theft and the Increase in Technology'/><author><name>Michael</name><uri>http://www.blogger.com/profile/09644327126708040364</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8939887916636361620</id><published>2010-10-31T20:15:00.000-04:00</published><updated>2010-10-31T20:16:51.832-04:00</updated><title type='text'>Security Review: Pay Pal</title><content type='html'>Pay Pal is a service that allows a person to send and receive payments online.  Through Pay Pal, one can shop online, send money to another account (with international transfer capabilities), request money, and fundraise.  Two of the most attractive features of Pay Pal are its convenience and security.  
For example, once the user signs up for their accounts using his name, address, email address, and telephone number, he can store his payment information on his Pay Pal account.  When paying for a purchase online, the user chooses Pay Pal as the payment method, then logs into his Pay Pal account using his username and password.  Thus, the retailer never sees the user’s bank or credit card information.  Pay Pal offers the user an option to put funds into his Pay Pal account so that purchases or transfers simply come out of his existing balance.  Otherwise, the user can link his credit or debit card so his bank account is used to cover the purchase or transfer.  &lt;br /&gt;&lt;br /&gt;Pay Pal’s executive team should be concerned with all three goals of security.  Confidentiality is important because the Pay Pal system is full of sensitive data, especially financial information.  Each user’s account should be protected in such a way that keeps the information private to unauthorized eyes.  This can be done by using a secure website that properly protects the millions of accounts from hackers.  Integrity can be protected by giving the user the ability to change the appropriate inputs (contact, login, and card/bank information, payment amounts, payment acceptance, etc.).  In terms of availability, Pay Pal must ensure that the users can access their accounts whenever they need to make a purchase or deal with a money transfer.  The account should be available only to the people the user authorizes.  For people looking to create an account, the site itself should be available at all times.&lt;br /&gt;&lt;br /&gt;A hacker trying to exploit the Pay Pal system will attempt to defeat the three security goals above.  By solving the decryption key or finding a way around the site and account protection, a hacker can disclose all the account and financial information stored in the Pay Pal database.  
Once the attacker obtains credit card numbers, he can use those accounts for his benefit.  The hacker can also change the user inputs; perhaps the most appealing one is the ability to control how much money goes to a particular user account (the attacker, for example).  The hacker’s ability to alter the login details and email address can deny the owner access to his account.  This would leave the hacker in control of the account owner’s Pay Pal account, which is linked to his bank account. &lt;br /&gt;&lt;br /&gt;I believe the most notable weakness is not with the Pay Pal system, but rather that users are not properly protecting their accounts.  Hackers have their methods of guessing passwords, and if users choose a simple, easy-to-guess password, their accounts can easily be accessed by anyone who tries.  Another method of attack is sending out phony emails trying to obtain account information from the users themselves.  We have seen this method before (Monster job accounts, bank information, etc.), so unfortunately it could be effective, especially if users are not careful. &lt;br /&gt;&lt;br /&gt;Pay Pal prides itself on its secure system: it implements anti-fraud technology and protects payments by using an encrypted site.  However, Pay Pal did experience an &lt;a href="http://www.computerworld.com/s/article/9194059/PayPal_recovers_from_widespread_outage"&gt;outage&lt;/a&gt; within the last week. The site was down for an hour and a half, and problems persisted for a few hours afterward.  Pay Pal has not provided a reason for the outage yet, but intends to share what went wrong at a later time.  It will be interesting to see what exactly happened.  Perhaps the system is not as invincible as it claims to be.&lt;br /&gt;&lt;br /&gt;As mentioned earlier, the Pay Pal database contains much sensitive information.  There are 87 million active Pay Pal accounts, and we can assume that most of those accounts are linked to credit or debit card accounts.  
Based on the asset’s high value alone, I think there will likely be many attempted attacks on the system.  The vulnerabilities lie with the user, not necessarily with the entire database.  Therefore, I think there is a high risk of a few accounts being compromised, but I do not foresee a successful attack that compromises the entire Pay Pal system given the emphasis on security and protecting user information.&lt;br /&gt;&lt;br /&gt;I would recommend a risk mitigation strategy to the Pay Pal executive team.  It seems like management values information security, so as long as it continues to keep up with the most up-to-date protection measures, the system will be protected from hackers.  I also suggest that there should be guidelines on creating strong passwords to prevent attackers from guessing user passwords.  Along these same lines, there should be constant reminders, as banks do, that there is no reason to give login information through an email.  This reduces the chance that users inadvertently disclose their information to unwanted parties.</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8939887916636361620/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-pay-pal.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8939887916636361620'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8939887916636361620'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-pay-pal.html' title='Security 
Review: Pay Pal'/><author><name>epalag</name><uri>http://www.blogger.com/profile/07548394119192046764</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4694334042776990923</id><published>2010-10-29T11:20:00.005-04:00</published><updated>2010-10-29T11:50:30.175-04:00</updated><title type='text'>One Reason Indiana is Better Than Hawaii</title><content type='html'>Okay, maybe there's still something to this whole college thing. But former students at the University of Hawaii may be feeling otherwise.&lt;br /&gt;&lt;br /&gt;The Social Security numbers, grades, disabilities, names, phone numbers and other personal information of  more than 40,000 University of Hawaii students who attended from 1990-1998 and in 2001 were posted  online for nearly a year before being removed this week.&lt;br /&gt;&lt;br /&gt;A whole year? Yes. And the guilty party happens to be a member of the faculty.&lt;br /&gt;&lt;br /&gt;The currently retired faculty member inadvertently uploaded files containing the information to an unprotected server on November 30, 2009. He was using the data to study the success rates of Manoa students. Well, if any of them were victims of identity theft and lost money, I think he might need to go back through his data and control for a certain extraneous variable- himself- before publishing any results. In his defense, he said he thought the server was secure.&lt;br /&gt;&lt;br /&gt;Again, just like we saw in the CareGroup case study, someone with just enough information and knowledge to do damage caused a disaster. 
But unlike Halamka, the University of Hawaii doesn't seem to be willing to adopt new standards and make the investments necessary to prevent these kinds of disasters from happening again: "The incident is the third major information breach in the UH system since  last year. Each time, university officials promised it was  strengthening its network systems and working to identify other  potential security risks," according to the Associated Press.&lt;br /&gt;&lt;br /&gt;Aaron Titus, the information privacy director of Liberty Coalition, a Washington-based policy institute, was the one who notified UH of the exposed files on October 18th. On the University's response to the disaster, Titus argues the university's claim that it has no evidence of the malicious misuse of the personal information is misleading: "Of course they don't have any evidence of misuse, because the bad guys wouldn't tell them if they had."&lt;br /&gt;&lt;br /&gt;I'm curious to see what we hear from the victims of this "accidental disclosure." 
I wonder what the damage will be as these former UH students come forward.</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4694334042776990923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/one-reason-indiana-is-better-than.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4694334042776990923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4694334042776990923'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/one-reason-indiana-is-better-than.html' title='One Reason Indiana is Better Than Hawaii'/><author><name>Cristin</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-1176932607765011798</id><published>2010-10-28T01:56:00.000-04:00</published><updated>2010-10-28T01:57:48.249-04:00</updated><title type='text'>Security Review: USB Flash Drives</title><content type='html'>&lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;Almost everyone knows what a USB flash drive is, and it would be extremely unusual for a college student not to have used one at some point or another. USB flash drives, which are so named because they write to flash memory and can be plugged into your computer’s USB port, offer a quick and easy way to store data. Because of their small size they are sometimes called “thumb drives,” and this small size makes them portable and convenient. Flash drives give users the ability to carry data with them wherever they go, and access their data wherever they have access to a computer. Flash drives have a variety of different storage sizes and come with many different features, making them valuable tools for business professionals, students, and any other type of computer user. &lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;The USB drive itself is an asset, as well as all of the information that is stored on it. My USB drive is a valuable asset to me because it gives me the ability to easily store and transport my data. The information stored on my flash drive is valuable to me because it includes files that I need for classes and other important data that I want to save. Because the flash drive and the information stored on it are so valuable, it is extremely important that a USB flash drive is properly secured. As the owner of a USB flash drive, I want to be sure that the data that I store on my flash drive is confidential so that no one besides me will be able to see the files that I have saved on the flash drive. 
I also want the data on my flash drive to have integrity. Since I frequently use my flash drive to store homework and papers, I want to be sure that my work does not get unintentionally altered in any way. I also want to make sure that the files on my flash drive are available. It is important that the data I save on my flash drive is still there when I go to load my flash drive again.&lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;For an attacker attempting to exploit a USB flash drive, the main goal would probably be to gain access to the information that is stored on it (disclosure). A hacker may also compromise the integrity of data stored on a flash drive by changing it. He or she could prevent the data from being available to its owner by deleting it or stealing the flash drive (or both!). Unfortunately there will always be these threats because there will always be people looking to steal information in any way that they can, and insecure flash drives give hackers a perfect opportunity to do this.&lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;Insecure flash drives have a number of vulnerabilities. If a flash drive is not password protected, anyone that has the flash drive can load it onto their computer and view the files that it contains. If there is no data encryption, a hacker can read everything on a flash drive, effectively accomplishing the goal of disclosure. Once a hacker gets access to the files on an insecure flash drive it is usually pretty easy to change or delete them as well. Flash drives are also vulnerable because of their small size. It is easy to forget about a flash drive and accidentally leave it plugged into a public computer, where anyone could come across it. It is also easy for a flash drive to fall out of a pocket or purse. 
&lt;span style=""&gt; &lt;/span&gt;Flash drives are especially vulnerable in a business setting because of the type of information they contain. A &lt;a href="http://www.sandisk.com/about-sandisk/press-room/press-releases/2008/2008-04-09-sandisk-survey-shows-organizations-at-risk-from-unsecured-usb-flash-drivesusage-is-more-than-double-corporate-it-expectations"&gt;survey conducted by Sandisk&lt;/a&gt; revealed that 25% of business people with a personal flash drive used it to store personal records, 17% had stored company financial information, and 13% stored employee data. 12% of people surveyed reported that they had found a personal flash drive in a public place, and 55% stated that they would look at the stored data if they found one. &lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;It is easy to see how this could become a recipe for disaster. If a business person had an insecure personal flash drive that contained this kind of sensitive information in his or her pocket and it fell out at some point during the course of the day, it could easily be picked up by anyone that happened to come across it. An insecure flash drive can therefore put a company’s financial information, personal employee information, and the personal information of all of its customers at risk. These types of risks will always be present as long as such sensitive information is stored on personal flash drives. This kind of risk came into play recently when 2 Medicaid insurance companies in Pennsylvania discovered that a flash drive containing medical and personal records for 280,000 patients had gone missing from a corporate office. There is also the risk of a hacker putting harmful information onto a flash drive that could hurt the unsuspecting user’s computer when the infected flash drive is plugged in. This kind of risk was demonstrated in 2008 when a flash drive that contained malware was put into a laptop at a US military base in the Middle East. 
The malware spread to other computers and was able to retrieve data from these computers and send it to the hacker. This is described as one of the worst military breaches in history. &lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;Although risks will still be present, a flash drive user can significantly mitigate risks by buying a flash drive with a variety of security features. Flash drives on the market today boast a myriad of these features. Some of these features include password protection, data encryption, fingerprint identification, keypads to enter a PIN on the outside of the drive, and antivirus software. Some even feature switches that change the flash drive to read-only (preserving integrity) and some have separate portions for protected data and unprotected data. Of course, an expert hacker could probably find a way to get past many of these features. Companies can mitigate the risk of important business information being leaked by establishing clear guidelines about when personal flash drives are allowed to be used by employees and what kind of information they are allowed to take. Some companies have even completely prohibited the use of personal flash drives or glued USB ports on computers shut so that employees can’t use them. A user could avoid the risks that come with using a flash drive by using other methods to store and transport data, such as email attachments or an external hard drive, but these methods come with risks as well. 
One could also just accept the risk, especially if there is not sensitive information stored on the flash drive.&lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 0.5in;"&gt;I think that the best plan of action for flash drive users right now is to 1) limit the amount and type of sensitive information that is placed on a flash drive 2) make sure that the flash drive is stored in a secure place and 3) invest in a flash drive that incorporates security features such as the ones mentioned above. Some examples of secure flash drives are the &lt;a href="https://www.ironkey.com/enterprise"&gt;IronKey&lt;/a&gt;, &lt;a href="http://www.corsair.com/products/survivor/default.aspx"&gt;Corsair Survivor&lt;/a&gt;, &lt;a href="http://www.kingston.com/flash/datatravelers_enterprise.asp"&gt;Kingston DataTraveler Secure-Privacy Edition&lt;/a&gt;, and the &lt;a href="http://www.sandisk.com/business-solutions/enterprise/cruzer-enterprise-fips-with-mcafee"&gt;SanDisk Cruzer Professional&lt;/a&gt;. These are just a few examples; there are many flash drives available today that offer a variety of different security options. Hopefully these flash drives will enable users to feel confident that the data stored on their personal flash drives is properly secure. 
&lt;/p&gt;  &lt;p class="MsoNormal"&gt;References:&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://it.med.miami.edu/x1129.xml"&gt;http://it.med.miami.edu/x1129.xml&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://www.everythingusb.com/flash-drives.html"&gt;http://www.everythingusb.com/flash-drives.html&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://news.cnet.com/8301-27080_3-20014732-245.htm"&gt;http://news.cnet.com/8301-27080_3-20014732-245.htm&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://www.philly.com/inquirer/business/20101021_Medical-data_breach_said_to_be_major.html?page=1&amp;amp;c=y"&gt;http://www.philly.com/inquirer/business/20101021_Medical-data_breach_said_to_be_major.html?page=1&amp;amp;c=y&lt;/a&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-1176932607765011798?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/1176932607765011798/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-usb-flash-drives.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1176932607765011798'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1176932607765011798'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-usb-flash-drives.html' title='Security Review: USB Flash Drives'/><author><name>cmill2013</name><uri>http://www.blogger.com/profile/10411687927928113101</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7907271261232261154</id><published>2010-10-27T21:46:00.001-04:00</published><updated>2010-10-27T21:46:48.531-04:00</updated><title type='text'>Current Event – Cisco CSO John Stewart on fending off Cyber attacks</title><content type='html'>Cisco CSO John Stewart was talking about the influence that the computer worm, Stuxnet, has had on corporate networks and how to protect against it. The Stuxnet worm does not try to go after problems that a computer or network already has. It tries to create new problems by targeting the way a system should work and it is able to disrupt an entire operation. Though it wasn’t designed to target a specific problem within a computer or network, it was designed to target a particular computer system, the SCADA System.&lt;br /&gt;SCADA systems control different types of infrastructures, including water, gas, and oil valves as well as street and stop lights and the power grid of cities. The main problem with Stuxnet is that it has been placed on computer systems through USB drives, and Stewart says that Cisco does not restrict its workers' use of USB drives.&lt;br /&gt;He compared protecting a network to protecting a house in saying that minor viruses are like a house getting egged and then a Stuxnet virus is like a sniper shooting someone through the house. With the egging, it is fast and easy to repair but the sniper is much harder to fix because someone usually gets hurt. He says attacks occur nearly every second of every day on most companies and the hard part is figuring out if it is a minor virus or a big problem like Stuxnet, which even major companies have trouble protecting against.&lt;br /&gt;Protecting a computer is a difficult task and it is very annoying because it seems like it takes so much time, money and effort to protect a computer or a computer network. 
On top of that it is even more discouraging because even with all of the time and money put into it, a network can still get a virus that completely ruins it.&lt;br /&gt;For most individual computer users we probably don’t have to worry too much because the people who are smart enough to get a virus on a major company’s network won’t waste their time with individuals. However, we do have to worry about a company, maybe a bank that we use, getting viruses from people smart enough to ruin big networks. For instance, our bank’s network could be down at a time we really need money. Even worse, if these worms can attack infrastructures then we have to worry about people who want to do harm to many people because if they wanted they could cause some serious damage to the infrastructures that run through most of our everyday lives.&lt;br /&gt;http://www.businessweek.com/the_thread/techbeat/archives/2010/10/cisco_cso_john_stewart_on_fending_off_cyber_attacks.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7907271261232261154?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7907271261232261154/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/current-event-cisco-cso-john-stewart-on.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7907271261232261154'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7907271261232261154'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/current-event-cisco-cso-john-stewart-on.html' title='Current Event – Cisco CSO John Stewart on fending off Cyber 
attacks'/><author><name>Casey Totten</name><uri>http://www.blogger.com/profile/01566197797661073528</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6440047015409528545</id><published>2010-10-27T19:43:00.000-04:00</published><updated>2010-10-27T19:44:46.513-04:00</updated><title type='text'>Should Obama Have an Internet 'Kill Switch'?</title><content type='html'>Cyber warfare may seem more the focus of science fiction movies and relatively obscure Congressional panels, but a new survey indicates most Americans take the threat of cyber attacks seriously.&lt;br /&gt;&lt;br /&gt;In the latest Unisys (NYSE: UIS) Security Index released Wednesday, 61 percent of Americans surveyed said they would support giving the government the authority to use an Internet "kill switch" that would cut off access to the Internet in response to a cyber attack.&lt;br /&gt;&lt;br /&gt;While certain IP addresses have been cut off in the course of criminal investigations, development of an actual kill switch to shut down significant portions of the Internet would be a significant undertaking, according to Patricia Titus, vice president and chief information security officer at Unisys.&lt;br /&gt;&lt;br /&gt;"I've talked to Homeland Security officials about it and given where the relationship between the legislature and ISPs stands today, a lot of hurdles would have to be crossed before you could turn off significant segments of the Internet," Titus told InternetNews.com.&lt;br /&gt;&lt;br /&gt;"The other component is that a whole lot of people need to sit at the table to determine what constitutes cyberwar versus cyber espionage," she added.&lt;br /&gt;&lt;br /&gt;The Unisys Security Index is conducted twice a year and surveys consumers in the U.S. 
and ten other countries on security issues. Over a thousand U.S. consumers responded to the survey.&lt;br /&gt;&lt;br /&gt;A specific breakout of U.S. responses shows most consumers have adopted security and other measures to guard against identity theft, but fall short in some key areas.&lt;br /&gt;&lt;br /&gt;For example, 80 percent of those surveyed said they regularly limit access to personal information posted to social media sites and also make use of privacy settings. Almost three-quarters (73 percent) said they regularly update antivirus software to keep their systems protected.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;But the results indicate most are taking less than thorough security measures when it comes to mobile devices. For example, only 37 percent said they regularly use and update passwords on their mobile devices. Also, only 46 percent said they regularly update "hard-to-guess" passwords on their computers.&lt;br /&gt;&lt;br /&gt;Earlier surveys by security firms have highlighted the need for better password protection, noting the frequent use of password terms like "password" and the user's last name that are easy to figure out.&lt;br /&gt;&lt;br /&gt;A wake up call to enterprises?&lt;br /&gt;"As millions of consumer devices, such as mobile phones continue to penetrate the workplace, the survey’s finding on consumers’ inattention to securing mobile devices should serve as a wake-up call for consumers and enterprises to actively pursue measures to protect the information exchanged with and residing on these devices," Mark Cohn, vice president of enterprise security at Unisys, said in a statement. "Enterprises, as well as the manufacturers of mobile devices, should take steps to ensure that sensitive data protection is enabled by default and is as simple and convenient as possible."&lt;br /&gt;&lt;br /&gt;U.S. consumers' concerns related to some areas of cybersecurity actually show a decline. 
For example, 34 percent said they were "not concerned" about computer security issues related to viruses and spam, the highest percentage since the first Index was released in 2007.&lt;br /&gt;&lt;br /&gt;Titus said that while software security vendors generally do a good job, it's a mistake for consumers to think that just because they have a security package or service running that they're immune from attack.&lt;br /&gt;&lt;br /&gt;"The green light and indicators that say everything is working can provide a false sense of security," she said, admitting it's hard to guard against what's proved to be an evolving series of security threats.&lt;br /&gt;&lt;br /&gt;"If you ask me what keeps me awake at night, one of the things is advances in quantum computing that have the ability to break all our encryption," said Titus.&lt;br /&gt;&lt;br /&gt;The percentage of consumers concerned with online shopping and banking online also dropped significantly. Only 34 percent said they were "seriously concerned" about the security of banking and shopping online -- that's down from 43 percent in February.&lt;br /&gt;&lt;br /&gt;David Needle is the West Coast bureau chief at InternetNews.com, the news service of Internet.com, the network for technology professionals.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6440047015409528545?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6440047015409528545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/should-obama-have-internet-kill-switch.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6440047015409528545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6440047015409528545'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/should-obama-have-internet-kill-switch.html' title='Should Obama Have an Internet &apos;Kill Switch&apos;?'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6386581709400004816</id><published>2010-10-27T10:16:00.003-04:00</published><updated>2010-10-27T10:27:19.684-04:00</updated><title type='text'>Security Review of Samsung's Windows Phone 7</title><content type='html'>&lt;!--StartFragment--&gt;  &lt;p class="MsoNormal" style="text-indent:.5in"&gt;&lt;span style="color:#333333;"&gt; &lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Windows Phone 7 is Microsoft’s new mobile operating system. While it looks eerily similar to Apple’s iPhone, Samsung is producing the new smartphone. The display on the Windows Phone 7 is very appealing with its colorful “tile-based interface” (Chen). There are four different software stores where you can purchase third party applications, games, and music. There is also a separate store selling applications specifically made by Samsung (Chen). The tile interface also blends contact lists with a user’s Facebook account. Therefore, when a user calls another individual, their personal information such as address, email, picture and phone number appear on the interface (Chen). The e-mail service also has a similar setup. 
The user enters their login information, and the inbox tile appears on the home screen. Next, all the user has to do is tap the inbox tile and all of their messages are available. Also, the user doesn’t have to re-enter their password (Chen). While the Windows Phone 7 is very appealing and technologically advanced, I feel some of these features can put the user’s personal information at risk. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:#333333;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;            &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;I believe that the security goals for the phone should be to protect all of the personal information stored on the device. Email and contact information on the phone is readily accessible; therefore, protecting each application with a password should be a top priority. Password protection will also protect the integrity of the information, preventing unauthorized users from making changes to accounts that shouldn’t be adjusted. In terms of availability of the information, the user should be able to access all stored data. A password will allow user accessibility to the account, without being too strict or not protective enough. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:#333333;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;            &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;If I were an attacker, I think stealing the phone would be the easiest way to infiltrate the user’s personal information. Because the inbox tile is accessible with the touch of a finger, all the attacker has to do is click. The attacker now has access to personal messages, bank statements, credit card numbers, and other confidential information that might be stored in email messages. Some applications available on the phone come from third parties. An attacker can infiltrate the device by creating a malicious program. When the user downloads it, the malicious program might be able to gain access to their information and even deny the user entrance to their personal accounts. I think the easy accessibility of personal information, such as email and contact lists, makes the phone extremely vulnerable to attackers. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:#333333;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;            &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;It is crucial that the creators of this phone take the necessary steps to manage the security risks of Windows Phone 7. The company needs to find a way to mitigate the risks, without making the information on the phone difficult to access for the authorized user. 
I think the best way to protect the information, while maintaining the availability of data, is to use login IDs and passwords every time the phone is turned on and whenever the user attempts to check email. I would also avoid the risk of having personal contact information stolen by eliminating the call feature that displays such details. I find this feature unnecessary, as it only increases the chances that personal contact information can be compromised. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color:#333333;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;            &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;While the Windows Phone 7 is extremely unique and provides new and exciting applications for users, I believe these phones are security risks. They contain the user’s confidential information through email and contact lists. The risk that this information is compromised cannot be avoided. Therefore, I believe it is necessary to use IDs and passwords to protect all portals to such data. 
&lt;/span&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="color:#333333;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="color:#333333;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt; &lt;!--StartFragment--&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="color:#333333;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;p class="MsoNormal"&gt;&lt;span style="mso-bidi-font-size:13.0pt;mso-bidi-font-family: Georgia;color:#333333"&gt; &lt;/span&gt;&lt;span style="color:#333333;letter-spacing:2.0pt;mso-font-kerning:.5pt"&gt;Chen , Brian . "Samsung's Windows Phone 7 Packs Intuitive, Visual Punch ." &lt;i&gt;Wired Magazine &lt;/i&gt;20 October 2010: n. pag. Web. 
27 Oct 2010.&lt;/span&gt;&lt;span style="mso-bidi-font-size:13.0pt;mso-bidi-font-family:Georgia;color:#333333"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;!--EndFragment--&gt;   &lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;  &lt;!--EndFragment--&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6386581709400004816?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6386581709400004816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-of-samsungs-windows.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6386581709400004816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6386581709400004816'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-of-samsungs-windows.html' title='Security Review of Samsung&apos;s Windows Phone 7'/><author><name>mdixon5</name><uri>http://www.blogger.com/profile/05309929285005331169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-477025025419826827</id><published>2010-10-26T18:01:00.004-04:00</published><updated>2010-10-26T20:17:34.126-04:00</updated><title type='text'>Security Review of Notre Dame Building Entrance Systems</title><content type='html'>Every day when I enter my dorm, I swipe my ID card and type in my birthday.  The door then opens for me, and I am permitted to enter the building.  
This system uses two-factor authentication in deciding whether to allow a person to enter.  One must have a Notre Dame identification card with him, and he must also know his own birthday.  When a person swipes his card, the technology reads the magnetic strip on the back of the card and identifies who the person is.  This person is matched with a specific four-number code (his or her birthday) that must then be entered.  If the correct number is entered, the system authorizes the user for entry and unlocks the door.  The holder of the card who knows the birthday of the person is then permitted to enter the dorm.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If I were the owner of such a system, Notre Dame, I would have very specific security goals for it.  The major goal would be to keep unauthorized persons out of the dorm.  In order to protect the confidentiality and integrity of any information or possessions that students keep in their dorm rooms, persons who are not cleared to enter the building should not be allowed inside.  There may be information that needs to stay confidential, and items removed without reason would challenge the integrity.  The other goal of these systems is to always allow access to those that should have access to the building, ensuring availability.  By using a system where a person must have the card and know the number, Notre Dame attempts to achieve both of these goals.   In reference to the goal of denying access, the system makes it more difficult for intruders.  They must obtain a resident's ID card and also learn his or her birthday.  
On the other hand, this system where the resident must swipe a card and type in a birthday (a fact that ND assumes all people know about themselves) verifies the identity so that residents of the dorm have access to the building at all times.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Looking at the system from another perspective, an intruder would also have goals when attempting to gain access to a building.  By entering a dorm or room, the intruder would aim to alter the contents of the room by stealing items that should be inside or disclose protected information from the room.  These go against two of the three items included in the DAD triad, disclosure and alteration.  By another look, it is possible to see that an attacker could also deny access to people through a system such as this.  The person needs their identification card to enter.  If an intruder gains possession of the card in some way, the resident no longer has it and therefore does not have free access to the building.  The intruder could attack this technology system and fulfill any one or combination of these goals depending on what kind of damage he or she aims to do.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The weaknesses within this system can be traced to the card being an easy thing to gain possession of and the ease of learning someone's birthday or other necessary personal information.  Students do not protect their identification cards like they do their credit or debit cards.  People leave them on tables, shove them in pockets, and drop them places all the time. It would be difficult to pick up a lost card.  At the same time, people often search high and low for their IDs before paying the $30 fee to replace them.  Once the card is replaced, the lost one is no longer active.  With the amount of time people wait, there is a window for intruders to use the card to gain access.  
Once an ID is obtained, the dorm a person lives in can be looked up on InsideND, and finding a birthday can be simple.  A birthday is not something people work to protect, and with technology today like Facebook and MySpace a birthday is not hard to find. These vulnerabilities in the system are open for people to attack.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The inherent risks based upon the value of the assets depend upon the items that may reside unprotected within a dorm or in a resident's room.  I believe that the risk for attacks like this is higher because of the items that students bring to school such as laptops, cell phones, and iPods.  The threats that exist are real.  At least once a month, the students at Notre Dame receive an e-mail about various criminal activity on campus.  At the same time, there are vulnerabilities within the technology that are able to be exploited by these threats.  This creates risks for the owners, risks for Notre Dame to deal with.  These risks must be dealt with as the group, Notre Dame, sees fit.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I believe that these problems can be dealt with through risk mitigation, risk transference, or risk acceptance.  I do not believe that the risk can be avoided.  Students in college need technological items such as laptops and cellular phones.  Not having these would avoid the risk but it is not a possible occurrence.  By encouraging safety techniques such as urging residents to lock their doors and keep their possessions safe the risk can be mitigated.  The risk can also be mitigated by creating a system where the number needed for entrance is chosen by the resident, like a PIN.  This number may be more difficult to figure out and the resident has more reason to protect it.  The risk can be transferred by buying insurance for stolen items.  Finally, I believe that realistically the risk must be accepted. 
There is always a risk for stolen items, and by being vigilant we can deal with it.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-477025025419826827?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/477025025419826827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-of-notre-dame-building.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/477025025419826827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/477025025419826827'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-of-notre-dame-building.html' title='Security Review of Notre Dame Building Entrance Systems'/><author><name>kmckiern</name><uri>http://www.blogger.com/profile/03603982958844419031</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3752584443657365996</id><published>2010-10-24T22:38:00.002-04:00</published><updated>2010-10-24T23:28:41.172-04:00</updated><title type='text'>Facebook tackles latest privacy slip with encryption</title><content type='html'>Facebook is in the news, once again, regarding its attempt to resolve the issues posed by some of its recent security slips. 
This article talks about Facebook's direct response to the problems PK posted about nearly two weeks ago regarding some of Facebook's most popular apps (Farmville, Frontierville, Texas HoldEm Poker, etc.). These apps have been sending users' personal information to dozens of advertising and internet monitoring companies and compromising Facebook user IDs in the process. And perhaps the most concerning thing is that not only are the users of these apps at risk of their personal information being leaked, but the friends of affected users are also at risk. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As PK pointed out, the blame can be distributed both ways when trying to pinpoint who is at fault for Facebook's continued security issues. On the one hand, it is easy to see why Facebook (as the world's largest social networking host) should withhold only the most important information of its users. In addition, Facebook should adequately protect this information and certainly not make it available to any third parties. After all, one has to wonder why Facebook hasn't been encrypting the user IDs for its users all along. On the other hand, it is easy to see why Facebook users need to be more cognizant of what they are putting online and on Facebook. It is important for people to realize that even though a website may ask for said amount of information, it does not necessarily mean one has to give all of that information. Often, people are unaware of the risks they face by putting themselves out on the internet on a daily basis. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;An easy solution for this whole problem would be for Facebook to stop transmitting user IDs and personal information, but that is unrealistic. Facebook is able to function due to its ability to sell user information. Asking them to stop obtaining that would simply be a waste of time. 
However, I do believe that using encryption of the Facebook UIDs (unique user IDs) is a step in the right direction. As the article points out, Facebook has been able to save face by responding to this problem so quickly. If Facebook continues to try to protect the information that it promises to protect with encryption, then users will have less to complain about with these security breaches. The responsibility then falls on Facebook users to be aware of what information they are displaying on the internet, as well as how that information could be transmitted and used. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;http://www.computerworld.com/s/article/9192638/Facebook_tackles_latest_privacy_slip_with_encryption?taxonomyId=17&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;http://www.computerworld.com/s/article/9191662/Facebook_battles_another_privacy_firestorm&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3752584443657365996?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3752584443657365996/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/facebook-tackles-latest-privacy-slip.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3752584443657365996'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3752584443657365996'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/facebook-tackles-latest-privacy-slip.html' title='Facebook tackles latest privacy slip with 
encryption'/><author><name>jkelly16</name><uri>http://www.blogger.com/profile/05340182157806538634</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3521344048925398085</id><published>2010-10-24T17:16:00.004-04:00</published><updated>2010-10-24T17:23:07.249-04:00</updated><title type='text'>John Daly - Current Event</title><content type='html'>&lt;span class="Apple-style-span" style="font-size: 17px; color: rgb(102, 102, 102); "&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Typically, the name John Daly would not be associated with information security. Daly is a well-known professional golfer that is known for his ability to hit the golf ball far, as well as his attitude on the course. But it is the new trend for athletes to run social networking profiles in order to garner interest from fans (and potentially acquire endorsements, etc.). Recently, a hacker gained access to Daly's email, Twitter, and Facebook accounts.&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Daly recently spoke to the Golf Channel's Rex Hoggard and made this statement: "(Daly's girlfriend Anna Cladakis) got on Facebook and the guy was talking to her and says, "If you want this back you know what to do. I will get you and I will get your daughters. I'll steal their identity." 
Daly also said that other things were said that, "scared him to death".&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;The FBI is currently conducting an investigation into the entire situation.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;I guess I should not be surprised based on all of the other cases we have studied, but this seems so twisted. I cannot believe that somebody out there spends their time breaking into a professional golfer's personal sites in order to threaten them. It is hard to say what the hacker's real motivation was/is because Daly did not release that information.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;A possible reason that the hacker was able to gain access to Daly's accounts is weak and repetitive passwords (using the same password for multiple accounts). Daly already shut down all of the accounts that were compromised, which was the smart thing for him to do. But I would advise all people to strengthen their passwords by using uppercase and lowercase letters, numbers, and a symbol. I would also suggest a password of 8 characters or more. 
Additionally, I think it is necessary to use different passwords for every account.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;All people should be alert and constantly monitor their e-mail and social network accounts, especially famous people. Be careful where you keep, and to whom you give, sensitive information, such as your address, social security number, full name, etc. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;http://sports.yahoo.com/golf/blog/devil_ball_golf/post/John-Daly-has-Facebook-Twitter-email-hacked?urn=golf-279335&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3521344048925398085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/john-daly-current-event.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3521344048925398085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3521344048925398085'/><link rel='alternate' type='text/html' 
href='http://securitycourse.blogspot.com/2010/10/john-daly-current-event.html' title='John Daly - Current Event'/><author><name>Blake</name><uri>http://www.blogger.com/profile/06496499348513366552</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4391726933602354879</id><published>2010-10-22T16:40:00.003-04:00</published><updated>2010-10-22T16:44:13.858-04:00</updated><title type='text'>Slides</title><content type='html'>Here are links to all of the slides so far in the course:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/1.ppt"&gt;Introduction&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/2.ppt"&gt;Risk Assessment Example&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/3.ppt"&gt;Access Controls&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/4.ppt"&gt;VA Case&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/5.ppt"&gt;Business of Security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/6.ppt"&gt;Cryptography&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/7.ppt"&gt;Asymmetric Cryptography&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/8.ppt"&gt;Network Security&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4391726933602354879?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4391726933602354879/comments/default' title='Post Comments'/><link rel='replies' 
type='text/html' href='http://securitycourse.blogspot.com/2010/10/slides.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4391726933602354879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4391726933602354879'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/slides.html' title='Slides'/><author><name>Mike Chapple</name><uri>http://www.blogger.com/profile/04803921950574231525</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3815447075404077873</id><published>2010-10-22T11:23:00.005-04:00</published><updated>2010-10-22T12:18:22.270-04:00</updated><title type='text'>Hackers Hits Kaspersky website</title><content type='html'>In recent news, hackers found a way to tap into the Kaspersky website. They were able to find a bug in the web program, and then reprogram it to trick users into downloading a bogus product. As a result of the attack, users were taken to a malicious site that offered to run a fake virus scan that actually installed malware on the user's PC. This attack caused Kaspersky to do a complete audit of its web program to make sure all codes were up-to-date and running properly. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A flaw in the company's web program was not officially identified, but the company claims the attack was through a "third-party application". Hackers are constantly developing new ways to find errors in web programs and codes and are able to use these codes maliciously and cause problems to all the users of the website. 
It's difficult to understand the joy hackers get out of attacking a website and being able to spread malicious malware to users of the website. If you are not a computer genius it may be hard to understand how it feels to crack into a company's web program and discover flaws within the code. It may be an unexplainable rush to know that you are capable of doing such a thing.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If companies want to avoid this problem, constantly checking or updating code in web programs must be a necessity! I agree with the security experts' statement in the article that the best thing to do as users when faced with a fake anti-virus message, is to shut down the entire browser. As for recommendations for the company, auditing must be done too, just to make sure things are running smoothly. If not, attacks like this will keep occurring. Then the company will be forced to send a message to all of their users stating, "there was a breach of security, your personal identity may be at risk!" (Something I definitely do not want to see as a user.) In fact, this was not the first attack of Kaspersky's website; in 2009, hackers were able to get in their U.S. support site after discovering a flaw in the web programming again. It is not fair for users to be worried about their personal information being stolen by hackers due to improper web programming.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As I stated before, hackers are continuously developing new ways to hack into websites and alter their code to carry out malicious attacks. Companies need to understand that with the technology present in this world (especially the kind used by hackers) they must do the difficult task of constantly staying one step ahead of the hackers. And that means checking for errors in computer code and making sure their protection is updated. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.computerworld.com/s/article/9191921/Hacker_hits_Kaspersky_website?taxonomyId=17"&gt;http://www.computerworld.com/s/article/9191921/Hacker_hits_Kaspersky_website?taxonomyId=17&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3815447075404077873?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3815447075404077873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/hackers-hits-kaspersky-website.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3815447075404077873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3815447075404077873'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/hackers-hits-kaspersky-website.html' title='Hackers Hits Kaspersky website'/><author><name>thesituation</name><uri>http://www.blogger.com/profile/02471571116448088572</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-5402907076139599186</id><published>2010-10-20T17:36:00.000-04:00</published><updated>2010-10-20T17:37:07.520-04:00</updated><title type='text'>Information security products and services market to surpass $125 billion by 2015</title><content type='html'>The global market for information security products and 
services is expected to exceed $125 billion by 2015, according to a new report by Global Industry Analysts.&lt;br /&gt;&lt;br /&gt;The demand for information security products and services will be fuelled by increasing frequency and intensity of cyber attacks against enterprises, government institutions, and consumers, as well as by the need of companies to comply with industry and government mandates.&lt;br /&gt;&lt;br /&gt;The United States and Europe are expected to account for the lion’s share of the revenues in the global market, according to Information Security Products and Services: A Global Strategic Business Report, which profiles 482 companies.&lt;br /&gt;&lt;br /&gt;Despite the recession, companies have continued to spend on information security, which has insulated the market from the downturn. The need to adhere to compliance requirements, growing risk of hackers and data breaches, and increased threat from laid off employees are compelling companies to continue investing in security solutions.&lt;br /&gt;&lt;br /&gt;The market for security and vulnerability management products is expected to see the fastest growth among all information security software segments. Email security and security information and event management (SIEM) segments offer the maximum growth opportunity for the market, while enterprise anti-virus and web access management (WAM) segments will grow at a relatively slower rate.&lt;br /&gt;&lt;br /&gt;While North America and Western Europe are leading markets, Eastern Europe, Middle East and Africa, Asia-Pacific and Latin America are expected to witness the fastest growth.&lt;br /&gt;&lt;br /&gt;Growth in the information security services segment, the largest segment of the market, will be driven by demand for application and wireless security solutions, which include implementation, assessment, and architecture design. 
The rise in third-party service providers for various managed security services, application testing, and strategy planning is expected to be another key market driver.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-5402907076139599186?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/5402907076139599186/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/information-security-products-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5402907076139599186'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5402907076139599186'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/information-security-products-and.html' title='Information security products and services market to surpass $125 billion by 2015'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7451393739746609082</id><published>2010-10-13T15:46:00.000-04:00</published><updated>2010-10-13T15:47:09.278-04:00</updated><title type='text'>Two million US PCs recruited to botnets</title><content type='html'>More than 2.2 million US PCs were found to be part of botnets, networks of hijacked home computers, in the first six months of 2010, it said.&lt;br /&gt;&lt;br /&gt;Compiled by Microsoft, the research revealed that Brazil had 
the second highest level of infections at 550,000.&lt;br /&gt;&lt;br /&gt;Infections were highest in South Korea where 14.6 out of every 1000 machines were found to be enrolled in botnets.&lt;br /&gt;&lt;br /&gt;The 240-page Microsoft report took an in-depth look at botnets which, said Cliff Evans, head of security and identity at Microsoft UK, now sat at the centre of many cybercrime operations.&lt;br /&gt;&lt;br /&gt;The research was undertaken, he said, to alert people to the growing danger from the malicious networks.&lt;br /&gt;&lt;br /&gt;Malicious herder&lt;br /&gt;&lt;br /&gt;"Most people have this idea of a virus and how it used to announce itself," he said. "Few people know about botnets."&lt;br /&gt;&lt;br /&gt;Hi-tech criminals use botnets to send out spam, phishing e-mails and launch attacks on websites. Owners of botnets also scour infected machines for information that can be sold on the underground auction sites and markets found online.&lt;br /&gt;&lt;br /&gt;Botnets start when a virus infects a computer, either through spam or an infected web page. The virus puts the Windows machine under the control of a botnet herder.&lt;br /&gt;&lt;br /&gt;"Once they have control of the machine they have the potential to put any kind of malicious code on there," said Mr Evans. 
"It becomes a distributed computing resource they then sell on to others."&lt;br /&gt;&lt;br /&gt;Some, he said, were being worked very hard by their owners.&lt;br /&gt;&lt;br /&gt;Microsoft's research revealed that a botnet called Lethic sent out 56% of all botnet spam sent between March and June even though it was only on 8.3% of all known botnet IP addresses.&lt;br /&gt;&lt;br /&gt;"It's phenomenal the amount of grip that thing has," said Mr Evans.&lt;br /&gt;&lt;br /&gt;Evidence of how botnets were growing, he said, could be found in the number of infected machines Microsoft was freeing from the clutches of botnets.&lt;br /&gt;&lt;br /&gt;In the three months between April and June 2010, Microsoft cleaned up more than 6.5 million infections, he said, which is twice as much as the same period in 2009.&lt;br /&gt;&lt;br /&gt;The statistics in the report were gathered from the 600 million machines that are enrolled in Microsoft's various update services or use its Essentials and Defender security packages.&lt;br /&gt;&lt;br /&gt;Despite the large number of people being caught out, Mr Evans said that defending against malware was straightforward.&lt;br /&gt;&lt;br /&gt;He said people should sign up for automatic updates, make sure the applications they use are regularly patched, use anti-virus software and run a firewall.&lt;br /&gt;&lt;br /&gt;Microsoft has just issued its largest ever list of fixes for flaws in Windows, Internet Explorer and a range of other software.&lt;br /&gt;&lt;br /&gt;This month's update issued patches for 49 vulnerabilities, including one that plugs a hole exploited by Stuxnet, the first-known worm designed to target real-world infrastructure 
such as power stations, water plants and industrial units.&lt;br /&gt;&lt;br /&gt;"With the significant number of holes identified on the same day, businesses will be racing against time to fix them all," said Alan Bentley, senior vice president at security firm Lumension.&lt;br /&gt;&lt;br /&gt;"Not only is this Microsoft's largest patch load on record, but 23 of the vulnerabilities are rated at the most severe level," he added.&lt;br /&gt;&lt;br /&gt;http://www.bbc.co.uk/news/technology-11531657&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7451393739746609082?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7451393739746609082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/two-million-us-pcs-recruited-to-botnets.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7451393739746609082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7451393739746609082'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/two-million-us-pcs-recruited-to-botnets.html' title='Two million US PCs recruited to botnets'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-5843670865506725147</id><published>2010-10-12T12:32:00.002-04:00</published><updated>2010-10-12T12:33:07.258-04:00</updated><title 
type='text'>Business of Security slides</title><content type='html'>The slides from the Business of Security discussion are available at the link below:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.nd.edu/%7Emchapple/CAPP/5.ppt"&gt;Business of Security&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-5843670865506725147?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/5843670865506725147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/business-of-security-slides.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5843670865506725147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5843670865506725147'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/business-of-security-slides.html' title='Business of Security slides'/><author><name>Mike Chapple</name><uri>http://www.blogger.com/profile/04803921950574231525</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-133156144297767911</id><published>2010-10-11T19:07:00.001-04:00</published><updated>2010-10-11T19:09:58.117-04:00</updated><title type='text'>Security Review: Beware of Facebook's Koobface</title><content type='html'>&lt;!--StartFragment--&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="mso-spacerun: yes"&gt; &lt;/span&gt;In recent news Facebook has been taking 
on a lot of criticism for its lack of security, and considering its massive presence on the Internet, this is a very pressing issue. Facebook has recently responded to some of these complaints with some security changes, hoping to solve many of its security weak points. Although some progress is being recognized, there is still a huge security threat present. Facebook, similar to most social networks, has its biggest security flaws not in its technology but rather how people perceive the technology.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I am sure that Facebook needs no real introduction due to its presence as the world's largest social networking website. Facebook has grown from a simple single-college social website where pictures were posted with corresponding captions and posts to a worldwide social networking website with thousands of applications available. Attached to every Facebook account are pictures, a profile, videos, messages, and possibly many other applications that any user can subscribe to and use. Users update their information on Facebook every day; all of this information is available (by default) to your “friends,” although individuals can adjust their preferences to limit what information is available to different people.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;From a security standpoint, it would be my goal to have my information available to only the people that I specify. It is also important to be the only one that is in control of the information that is associated with my profile, so that other people do not have unauthorized access to my profile. Additionally, my information should always be available to be changed or deleted by me and only me.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;There are security threats present that many users do not consider while logging onto Facebook on a daily basis. 
Many Facebook users put a lot of personal information onto their accounts without really considering who has access to this information. By default all of your Facebook “friends” have access to any information that you put onto your account, which often includes where you are from, your birthday, contact information, and pictures of you. Often people do not take the necessary precautions and have hundreds or thousands of “friends” that can range from family to mere acquaintances or even people that you do not know. Not only does Facebook provide the medium for too much information being available for too many people, but also Facebook has become another effective way for hackers to attack their victims. The two main goals that attackers have when using Facebook are the theft of data directly through the site and using Facebook to hack into users' computers through applications and phishing. An example of this was the Koobface virus, which sent messages and wallposts to the victim's friends prompting them to click a link which led to malware disguised as an Adobe download. Viruses such as this are uniquely effective since users usually trust their virtual friends. Some Facebook applications such as ‘Secret Crush’ work the same way. There is also a vulnerability to phishing, which is similar to how these scams manipulate email accounts as we have previously studied.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Although the technology is not necessarily completely at fault (rather it is the user’s misunderstanding and lack of a security mindset), Facebook easily provides the circumstances for attacks to take place. The risks and potential threat that this security flaw poses are nearly immeasurable, with too many people unaware of the risk and blatantly exploiting themselves. 
Successful attacks via Facebook not only have the potential to compromise information such as your email and personal profile, but also these attacks can lead to malware attacks that can compromise your credit card numbers, social security numbers, and any other data that your personal computer may have stored.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;My recommendation is simple; do not put any information on Facebook that you would not want to share with the public and be constantly aware of potential attacks. It is better to be suspicious when dealing with messages and posts that contain any sort of link or that look unordinary. It is important to not get too comfortable in virtual networks and to always be aware of the security threats that are present.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;http://www.computerworld.com/s/article/9189981/Facebook_takes_on_privacy_with_new_tools?taxonomyId=17&lt;/p&gt;  &lt;p class="MsoNormal"&gt;http://www.h-desk.com/articles/5_Facebook_Security_Threats_a53_f0.html&lt;/p&gt;  &lt;!--EndFragment--&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/133156144297767911/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-beware-of-facebooks.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/133156144297767911'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1397998032075268434/posts/default/133156144297767911'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/security-review-beware-of-facebooks.html' title='Security Review: Beware of Facebook&apos;s Koobface'/><author><name>PK</name><uri>http://www.blogger.com/profile/11727226259803389263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8290238902609113919</id><published>2010-10-10T14:56:00.000-04:00</published><updated>2010-10-10T14:57:27.960-04:00</updated><title type='text'>Stuxnet 'a game changer for malware defence'</title><content type='html'>The Stuxnet malware is a game changer for critical information infrastructure protection, an EU security agency has warned.&lt;br /&gt;&lt;br /&gt;ENISA (European Network and Information Security Agency) warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future.&lt;br /&gt;&lt;br /&gt;The worm, whose primary method of entry into systems is infected USBs, essentially ignores vulnerable Windows boxes but aggressively attacks industrial control (SCADA) systems from Siemens, establishing a rootkit as well as a backdoor connection to two (now disconnected) command and control servers in Malaysia and Denmark.&lt;br /&gt;&lt;br /&gt;PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies, for example. There's no evidence either way as to whether this has actually happened, but what is clear is that the malware has caused a great deal of concern and inconvenience. 
India, Indonesia and Iran have recorded the most incidents of the worm, according to analysis of infected IP addresses by security firms.&lt;br /&gt;&lt;br /&gt;Incidents of infection were first recorded in Malaysia, but the appearance of the malware in Iran has been the focus of comment and attention. Plant officials at the controversial Bushehr nuclear plant in Iran have admitted that the malware has infected laptops. However government ministers, while blaming the attack on nuclear spies, had downplayed the impact of the attack and denied it has anything to do with a recently announced two-month delay in bringing the reactor online.&lt;br /&gt;&lt;br /&gt;Dr Udo Helmbrecht, executive director of ENISA, commented: "Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication (eg by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates) and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool."&lt;br /&gt;&lt;br /&gt;"The fact that perpetrators activated such an attack tool, can be considered as the 'first strike' against major industrial resources. This has tremendous effect on how to protect national (CIIP) in the future," he added.&lt;br /&gt;&lt;br /&gt;Ilias Chantzos, director of government relations at Symantec, told a meeting at the Symantec Vision conference in Barcelona this week that millions had been spent developing the malware.&lt;br /&gt;&lt;br /&gt;"Stuxnet would have involved a team of between 5-10 people, six months research and access to SCADA systems. 
The motive behind the malware was to spy and re-program industrial control systems."&lt;br /&gt;&lt;br /&gt;Chantzos declined to enter into speculation about who created the malware or its intended target beyond saying "only a well-funded criminal organisation or nation state would have the resources to develop the malware".&lt;br /&gt;&lt;br /&gt;Steve Purser of ENISA told journalists that Stuxnet has taught security experts nothing they didn't already know. "What is significant is its target and impact. We have to prepare for a future Stuxnet."&lt;br /&gt;&lt;br /&gt;Critical protection methodologies and best practices will have to be reassessed in the wake of Stuxnet, according to ENISA.&lt;br /&gt;&lt;br /&gt;Large scale attacks on critical infrastructure require a coordinated international response. No Member State, hardware/software vendor, CERT or law enforcement agency can successfully mitigate sophisticated attacks like Stuxnet on their own. ENISA plans to support these efforts by helping to devise revised best practices for securing SCADA systems.&lt;br /&gt;&lt;br /&gt;In addition, ENISA, in co-operation with all EU Member States and three EFTA countries, plans to mount the first pan-Europe cyber-security exercise in early November. Cyber Europe 2010 will set out to test member states' plans, policies and procedures for responding to potential critical information infrastructure crises or incidents, such as those posed by Stuxnet. The scheme is similar to, and smaller than, the Cyber-Storm program in the US.&lt;br /&gt;&lt;br /&gt;ENISA, which was established in 2004, was granted a five-year extension to its responsibilities last month. The agency's analysis of Stuxnet and links to other resources can be found here. 
®&lt;br /&gt;&lt;br /&gt;http://www.theregister.co.uk/2010/10/09/stuxnet_enisa_response/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8290238902609113919?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8290238902609113919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/stuxnet-game-changer-for-malware.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8290238902609113919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8290238902609113919'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/stuxnet-game-changer-for-malware.html' title='Stuxnet &apos;a game changer for malware defence&apos;'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4709653328163807155</id><published>2010-10-08T00:36:00.003-04:00</published><updated>2010-10-08T00:56:08.126-04:00</updated><title type='text'>10 of the Top Data Breaches of the Decade</title><content type='html'>I found this article really interesting, especially since a few of our cases in class actually appear on the list.  It also demonstrates how vulnerable so many people are and the immensity of the hacks.  
These are large scale hacks which culminate in millions of people losing the security and protection of their private, sensitive information.  Here are the top ten with brief descriptions of the hacks:&lt;br /&gt;&lt;br /&gt;1. Heartland Payment Systems (2009) more than 130 million people had their credit and debit card numbers stolen and transactions processed against them.  It is considered the largest breach in credit card history.&lt;br /&gt;&lt;br /&gt;2. TJX (2005) as discussed in class 45 million customers had their customer records hacked and sensitive information stolen from them.&lt;br /&gt;&lt;br /&gt;3. US Dept. of Veteran Affairs (2009) a different case than the one we discussed in class.  Here a defective hard drive was sent off for repairs and recycling without being erased.  76 million veterans were affected in the security breach.&lt;br /&gt;&lt;br /&gt;4. CardSystems (2005) 40 million card users had their card information stolen and used by hackers; 100,000 were Visa users and 68,000 MC&lt;br /&gt;&lt;br /&gt;5. US Dept of Veteran Affairs (2006) This is the case we discussed in class where a laptop was stolen.  In return for losing the data, the VA monitored credit for all veterans affected for a year costing $160.5M&lt;br /&gt;&lt;br /&gt;6. Bank of New York Mellon (2008) data tapes, en route, were lost/stolen from the Bank.  12.5 million people were affected. Most of the tapes included social security numbers as well as bank account numbers.&lt;br /&gt;&lt;br /&gt;7. Certegy (2007) an employee stole customer records amounting to 8.5 million people.  The employee is in jail now and paying off a multi-million dollar fine.&lt;br /&gt;&lt;br /&gt;8. TD Ameritrade (2007) a database was hacked compromising the data on 6.3 million customers&lt;br /&gt;&lt;br /&gt;9. CheckFree (2008) hackers hacked onto the site stealing domain names.  This allowed them to transfer customers to their webpage which installed malware on to their computer.  
5 million people were affected.&lt;br /&gt;&lt;br /&gt;10. Hannaford Bros. Chain (2009) 4.2 million people were affected when hackers broke into the computer system and stole credit and debit card numbers.&lt;br /&gt;&lt;br /&gt;What I find a little disturbing is that the oldest year listed is only 2005, 5 years ago.  This shows that hackers are finding ways in that cause more harm to more people.  It shows how much potential this threat has and that security measures are just not holding up anymore.  Companies are going to need to begin taking security measures seriously and focusing more on the potential future litigation losses and how their customer base may be affected than the bottom line costs of implementation.&lt;br /&gt;&lt;br /&gt;http://abcnews.go.com/print?id=10905634&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4709653328163807155?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4709653328163807155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/10-of-top-data-breaches-of-decade.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4709653328163807155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4709653328163807155'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/10-of-top-data-breaches-of-decade.html' title='10 of the Top Data Breaches of the Decade'/><author><name>kflynn5</name><uri>http://www.blogger.com/profile/00897395196665408560</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6371853784268619632</id><published>2010-10-07T18:57:00.003-04:00</published><updated>2010-10-07T19:07:38.072-04:00</updated><title type='text'>Online Voting System Hacked</title><content type='html'>&lt;span style="font-family: arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Recently, the local election board in Washington D.C. developed an online voting system so that its residents who are abroad or serving in the military would be able to vote online. This would improve the efficiency of the elections, so that the board would not need to mail ballots abroad and then have to wait for the ballots to be returned by mail. Given the security concerns around the need for integrity of data concerning elections, the board made the decision to publish its source code and server setup information to the public, thereby allowing the public to test the system for vulnerabilities.&lt;br /&gt;&lt;br /&gt;While the majority of the feedback the board received was from Mac users with usability concerns, by the end of the week, a group of University of Michigan students had hacked the server, modifying the site to play the school's fight song. This prompted the board to take down the online voting capabilities. The replacement: downloadable ballots that are to be printed out and mailed back to the board. At least they've managed to cut down their postage costs.&lt;br /&gt;&lt;br /&gt;This hack sheds light on the issue of computer security as more areas move toward electronic voting. In addition, this public vulnerability test could come back to haunt the Washington DC board later. 
If they decide to bring online voting back (as they claim they will for 2011) and the voting system is based on the code they released, attackers could be able to determine other vulnerabilities from the code that were not identified in this trial. Furthermore, posting downloadable ballots may not be a fully appropriate solution without additional safeguards put in place server-side, as an attacker could modify the files that are downloaded - for example, removing or adding candidates to the ballot.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-size: x-small;"&gt;Source: &lt;/span&gt;&lt;a href="http://www.washingtontimes.com/news/2010/oct/5/students-hack-dc-online-voting-system/"&gt;&lt;span class="Apple-style-span" style="font-size: x-small;"&gt;http://www.washingtontimes.com/news/2010/oct/5/students-hack-dc-online-voting-system/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6371853784268619632?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6371853784268619632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/online-voting-system-hacked.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6371853784268619632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6371853784268619632'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/online-voting-system-hacked.html' title='Online Voting System 
Hacked'/><author><name>kli1</name><uri>http://www.blogger.com/profile/17712712659743026314</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4413519866388557843</id><published>2010-10-07T02:27:00.001-04:00</published><updated>2010-10-07T02:27:46.742-04:00</updated><title type='text'>PCI DSS</title><content type='html'>&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;" id="internal-source-marker_0.627942085855434"&gt;     In the report for the TJX case that we are currently studying in class,  it mentions that TJX had not complied with 9 out of 12 components of  the Payment Card Industry Data Security Standard (PCI DSS).  Coincidentally, I came across the article that I posted below, which  explains that there seems to be a direct relationship between security  breaches and non compliance with the PCI standard.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;    Verizon recently came out with their &lt;/span&gt;&lt;a href="http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf"&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; 
vertical-align: baseline;"&gt;2010 Payment Card Industry Compliance Report&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;,  in which they evaluated how well various organizations met the PCI  standard. One of their main findings was that organizations who had  suffered from a security breach were 50% more likely to not be in  compliance. This makes perfect sense, since an organization that doesn’t  comply with these standards is missing major components of a complete  security system.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;    The 12 requirements of the PCI DSS are:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;1) Install and maintain a firewall configuration to protect data.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;2) Do not use vendor-supplied defaults for system passwords and other security parameters &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;3) Protect stored 
data &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;4) Encrypt transmission of cardholder data and sensitive&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;information across public networks &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;5) Use and regularly update anti-virus software &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;6) Develop and maintain secure systems and applications &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;7) Restrict access to data by business need-to-know &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;8) Assign a unique ID to each person with computer access&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;9) Restrict physical access to cardholder data&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: 
Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;10) Track and monitor all access to network resources and&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;cardholder data &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;11) Regularly test security systems and processes &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;12) Maintain a policy that addresses information security &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline;"&gt;     In the organizations assessed by Verizon’s report, requirements 3, 10,  and 11 were the least implemented. Only 43% of organizations properly  protected stored data, only 39% tracked and monitored access to network  resources and cardholder data, and only 38% regularly tested security  systems and processes. This information is a little unsettling to me as a  credit card user. Also alarming is the fact that only 22% of  organizations met all of the requirements and 11% did not even meet half  of them. 
This means that when you pay with your credit card, there is  almost an 80% chance that your personal information will not be secure.  Hopefully the data presented in this report will convince organizations  of the importance of PCI standard compliance and they will make an  effort to improve their payment card security so that we will be able to  use our credit cards without fear of our personal information being  compromised. &lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4413519866388557843?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4413519866388557843/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/10/pci-dss_07.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4413519866388557843'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4413519866388557843'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/10/pci-dss_07.html' title='PCI DSS'/><author><name>cmill2013</name><uri>http://www.blogger.com/profile/10411687927928113101</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3107117064170128619</id><published>2010-09-29T02:30:00.002-04:00</published><updated>2010-09-29T02:39:01.719-04:00</updated><title type='text'>Zeus "Mitmo" Attack</title><content type='html'>It seems that hackers have found a way to get around yet another security measure. 
The hackers behind the infamous Zeus trojan have been able to successfully exploit text messages that banks send to users as a second form of authentication for account transactions. In order for this to work, the Zeus trojan must first invade a user’s PC. Then, users are led to a website that advertises a security update for their cell phone. In order to receive this supposed update, the user then enters their cell phone number, model, and vendor.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Zeus uses this information to send a text message to the person’s phone that contains a link to their “security certificate.” Once the user clicks on the link to download this “certificate,” the mobile version of Zeus is installed on their phone. This allows Zeus to monitor any incoming messages and installs a “backdoor” to accept and carry out commands received through text messages.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Once all of this occurs, the hacker has all he/she needs to make transactions with the user’s bank account. They simply have to log in using the stolen username and password and command the user’s mobile phone to send them the authentication text message so they can fill it in. This is sometimes referred to as a “Mitmo” or “Man in the Mobile” attack, and so far it has only affected Blackberry and Symbian phones.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I think that it is extremely important for users of online banking services to frequently monitor their account transactions and report anything that does not look familiar. Users should also be extremely wary about entering any kind of information (such as their phone model and number) into a website. 
If a website claims to be offering a security update for your phone, it would probably be wise to contact the phone company first to make sure that it is a valid update.&lt;br /&gt;&lt;br /&gt;As for the phone companies, I think it would be helpful if they followed Apple’s lead in requiring all extra installations and applications to go directly through Apple (via iTunes) instead of any outside sources. As the article mentions, this has protected the iPhone from many of these kinds of problems. It is also important for banks to continue to create new and more secure ways of authentication for transactions in order to remain one step ahead of the hackers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html"&gt;http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.scmagazineuk.com/mobiles-used-by-zeus-as-sms-messages-are-used-to-deliver-one-time-passwords/article/179764/"&gt;http://www.scmagazineuk.com/mobiles-used-by-zeus-as-sms-messages-are-used-to-deliver-one-time-passwords/article/179764/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3107117064170128619?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3107117064170128619/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/zeus-mitmo-attack.html#comment-form' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3107117064170128619'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3107117064170128619'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/zeus-mitmo-attack.html' title='Zeus &quot;Mitmo&quot; Attack'/><author><name>cmill2013</name><uri>http://www.blogger.com/profile/10411687927928113101</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4890641975868838418</id><published>2010-09-23T09:42:00.001-04:00</published><updated>2010-09-23T09:46:40.239-04:00</updated><title type='text'>Stuxnet worm 'targeted high-value Iranian assets'</title><content type='html'>One of the most sophisticated pieces of malware ever detected was probably targeting "high value" infrastructure in Iran, experts have told the BBC.&lt;br /&gt;&lt;br /&gt;Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed.&lt;br /&gt;&lt;br /&gt;It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.&lt;br /&gt;&lt;br /&gt;It was first detected in June and has been intensely studied ever since.&lt;br /&gt;&lt;br /&gt;"The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it," Liam O'Murchu of security firm Symantec, who has tracked the worm since it was first detected, told BBC News.&lt;br /&gt;&lt;br /&gt;Some have speculated that it could have been aimed at disrupting Iran's Bushehr nuclear power plant or the uranium enrichment plant at Natanz.&lt;br /&gt;&lt;br /&gt;However, Mr O'Murchu and others, such as security expert Bruce Schneier, 
have said that there was currently not enough evidence to draw conclusions about what its intended target was or who had written it.&lt;br /&gt;&lt;br /&gt;India and Indonesia have also seen relatively high infection rates, according to Symantec.&lt;br /&gt;&lt;br /&gt;'Rare package'&lt;br /&gt;&lt;br /&gt;Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009.&lt;br /&gt;&lt;br /&gt;Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons.&lt;br /&gt;&lt;br /&gt;Instead it infects Windows machines via USB keys - commonly used to move files around - infected with malware.&lt;br /&gt;&lt;br /&gt;Once it has infected a machine on a firm's internal network, it seeks out a specific configuration of industrial control software made by Siemens.&lt;br /&gt;&lt;br /&gt;Once hijacked, the code can reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions.&lt;br /&gt;&lt;br /&gt;"[PLCs] turn on and off motors, monitor temperature, turn on coolers if a gauge goes over a certain temperature," said Mr O'Murchu.&lt;br /&gt;&lt;br /&gt;"Those have never been attacked before that we have seen."&lt;br /&gt;&lt;br /&gt;If it does not find the specific configuration, the virus remains relatively benign.&lt;br /&gt;&lt;br /&gt;However, the worm has also raised eyebrows because of the complexity of the code used and the fact that it bundled so many different techniques into one payload.&lt;br /&gt;&lt;br /&gt;"There are a lot of new, unknown techniques being used that we have never seen before," he said. These include tricks to hide itself on PLCs and USB sticks as well as up to six different methods that allowed it to spread.&lt;br /&gt;&lt;br /&gt;In addition, it exploited several previously unknown and unpatched 
vulnerabilities in Windows, known as zero-day exploits.&lt;br /&gt;&lt;br /&gt;"It is rare to see an attack using one zero-day exploit," Mikko Hypponen, chief research officer at security firm F-Secure, told BBC News. "Stuxnet used not one, not two, but four."&lt;br /&gt;&lt;br /&gt;He said cybercriminals and "everyday hackers" valued zero-day exploits and would not "waste" them by bundling so many together.&lt;br /&gt;&lt;br /&gt;Microsoft has so far patched two of the flaws.&lt;br /&gt;&lt;br /&gt;'Nation state'&lt;br /&gt;&lt;br /&gt;Mr O'Murchu agreed and said that his analysis suggested that whoever had created the worm had put a "huge effort" into it.&lt;br /&gt;&lt;br /&gt;"It is a very big project, it is very well planned, it is very well funded," he said. "It has an incredible amount of code just to infect those machines."&lt;br /&gt;&lt;br /&gt;His analysis is backed up by other research done by security firms and computer experts.&lt;br /&gt;&lt;br /&gt;"With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," said Ralph Langer, an industrial computer expert in an analysis he published on the web.&lt;br /&gt;&lt;br /&gt;"This is not some hacker sitting in the basement of his parents' house. 
To me, it seems that the resources needed to stage this attack point to a nation state," he wrote.&lt;br /&gt;&lt;br /&gt;Mr Langer, who declined to be interviewed by the BBC, has drawn a lot of attention for suggesting that Stuxnet could have been targeting the Bushehr nuclear plant.&lt;br /&gt;&lt;br /&gt;In particular, he has highlighted a photograph reportedly taken inside the plant that suggests it used the targeted control systems, although they were "not properly licensed and configured".&lt;br /&gt;&lt;br /&gt;Mr O'Murchu said no firm conclusions could be drawn.&lt;br /&gt;&lt;br /&gt;However, he hopes that will change when he releases his analysis at a conference in Vancouver next week.&lt;br /&gt;&lt;br /&gt;"We are not familiar with what configurations are used in different industries," he said.&lt;br /&gt;&lt;br /&gt;Instead, he hopes that other experts will be able to pore over their research and pinpoint the exact configuration needed and where that is used.&lt;br /&gt;&lt;br /&gt;'Limited success'&lt;br /&gt;&lt;br /&gt;A spokesperson for Siemens, the maker of the targeted systems, said it would not comment on "speculations about the target of the virus".&lt;br /&gt;&lt;br /&gt;He said that Iran's nuclear power plant had been built with help from a Russian contractor and that Siemens was not involved.&lt;br /&gt;&lt;br /&gt;"Siemens was neither involved in the reconstruction of Bushehr or any nuclear plant construction in Iran, nor delivered any software or control system," he said. "Siemens left the country nearly 30 years ago."&lt;br /&gt;&lt;br /&gt;Siemens said that it was only aware of 15 infections that had made their way on to control systems in factories, mostly in Germany. Symantec's geographical analysis of the worm's spread also looked at infected PCs.&lt;br /&gt;&lt;br /&gt;"There have been no instances where production operations have been influenced or where a plant has failed," the Siemens spokesperson said. 
"The virus has been removed in all the cases known to us."&lt;br /&gt;&lt;br /&gt;He also said that according to global security standards, Microsoft software "may not be used to operate critical processes in plants".&lt;br /&gt;&lt;br /&gt;It is not the first time that malware has been found that affects critical infrastructure, although most incidents occur accidentally, said Mr O'Murchu, when a virus intended to infect another system accidentally wreaked havoc with real-world systems.&lt;br /&gt;&lt;br /&gt;In 2009 the US government admitted that software had been found that could shut down the nation's power grid.&lt;br /&gt;&lt;br /&gt;And Mr Hypponen said that he was aware of an attack - launched by infected USB sticks - against the military systems of a Nato country.&lt;br /&gt;&lt;br /&gt;"Whether the attacker was successful, we don't know," he said. &lt;br /&gt;&lt;br /&gt;http://www.bbc.co.uk/news/technology-11388018&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4890641975868838418?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4890641975868838418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/stuxnet-worm-targeted-high-value.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4890641975868838418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4890641975868838418'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/stuxnet-worm-targeted-high-value.html' title='Stuxnet worm &apos;targeted high-value Iranian 
assets&apos;'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7584319858427764532</id><published>2010-09-21T21:10:00.004-04:00</published><updated>2010-09-21T21:37:32.140-04:00</updated><title type='text'>Twitter Worm Bug</title><content type='html'>&lt;span class="Apple-tab-span" style="white-space:pre"&gt; &lt;/span&gt;On Tuesday, a worm that had been previously fixed resurfaced on Twitter's website.  This was a serious bug that led to many fast-spreading worms on the website.  While the bug was contained later the same day, it caused havoc while it ran loose sending either a blacked-out message or Japanese pornography to all a user's followers.  The bug managed to do such a great deal of damage because users did not need to click a link to spread the worm.  Rather, they merely needed to hover their mouse over a specially written link in a Twitter message.  This action executed a malicious code that spread the bug.  Reports claim that one hundred thousand people, including Sarah Brown, former British Prime Minister Gordon Brown's wife, and White House Press Secretary Robert Gibbs, were affected by the bug.&lt;div&gt;&lt;span class="Apple-tab-span" style="white-space:pre"&gt; &lt;/span&gt;This is not the first time that Twitter has fallen victim to a worm.  Last year, a seventeen year old boy released a worm on the site.  This time, a Japanese hacker discovered the problem.  He attempted to contact Twitter for several days regarding the issue, but ended up deciding to test the problem with a worm code.  The worm was then copied by many others.  
Representatives from Twitter report that the majority of the worms fell under prank or promotional categories, and there is no reason to believe that the problem could cause damage to users' accounts or computers.  They claim that there is no need to change passwords because account information was not compromised in the attack.&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-tab-span" style="white-space:pre"&gt; &lt;/span&gt;The cause of this event is two-fold.  First, the worm was able to get through because there existed a basic Web programming error that allowed users to add JavaScript to their tweets.   The problem could have been avoided if the corporation had noticed the problem itself, or listened to the Japanese hacker when he discovered the problem.  The second cause was that a recent site update uncovered the previously discovered and fixed problem.  The issue had been public knowledge since August 23 and had been fixed.  However, the update uncovered the issue once more.  Had Twitter looked into the update and what was happening they could have side-stepped the problems.  Monitoring of the website could also have discovered the issue, as the Japanese hacker did.&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-tab-span" style="white-space:pre"&gt; &lt;/span&gt;Because of the lack of confidentiality, integrity, or availability breaches related to the worm, there is no action that Twitter users need to take in order to respond to the bug.  However, if they are worried about future issues related to the site, they may want to contact Twitter directly or cancel their subscription to the site.  The corporation, on the other hand, needs to respond by solving the problems that were listed above.  This attack may not have compromised any sensitive data but a future attack may.  
By solving the problems of users having the ability to add JavaScript to tweets and issues from the update going unnoticed, Twitter can avoid future security breaches of this nature.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7584319858427764532?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7584319858427764532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/twitter-worm-bug.html#comment-form' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7584319858427764532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7584319858427764532'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/twitter-worm-bug.html' title='Twitter Worm Bug'/><author><name>kmckiern</name><uri>http://www.blogger.com/profile/03603982958844419031</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-2213779965120174840</id><published>2010-09-20T09:58:00.003-04:00</published><updated>2010-09-21T04:07:09.503-04:00</updated><title type='text'>Google's New 2-Factor Authentication Feature</title><content type='html'>&lt;p&gt;I was pretty shocked when I read &lt;a href="http://techcrunch.com/2010/09/20/google-secure-password/"&gt;this article&lt;/a&gt; and realized that I understood something that Google was doing, and why they were doing it, at least generally. 
&lt;/p&gt;&lt;p&gt;Four  hours ago, Jason Kinkaid wrote, about two factor authentication, that  "Today, Google is announcing that it’s bringing the security feature to   its millions of users: the feature will be rolling out first for Google   Apps Premiere, Education, and Government edition customers, with plans   to bring it to &lt;i&gt;all&lt;/i&gt; Google users (even those who aren’t using  its Apps suite) in the next few months." The article incorporates some  explanation of what "this new security feature" can offer users, like  greater protection against phishing scams and having a password hacked. &lt;/p&gt;&lt;p&gt;I  applaud Google for taking this step toward a higher level of security  in their authentication process, but is it really going to do what it  claims?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;What Google says it will do is  circumvent the inherently expensive existing methods of 2-factor  authentication implemented primarily by major corporations and let the  everyday person experience an increased sense of protection from the  myriad internet scams and crimes out there. But in order to make 2-factor  authentication something that doesn't compromise the high number of Google  accounts, Google may be taking a risk in terms of the viability of their  2-factor authentication system. What word(s) stand out to you in the  following description of the system?&lt;/p&gt;&lt;p style="font-style: italic;"&gt;"Google’s system  doesn’t require a physical keycard. Instead, it  relies on your mobile  phone. First, you need to activate the optional  feature from your  settings page (...only available to  certain Google Apps customers at  first). Then, when you go to sign in to  your Google account, you’ll  first be asked to enter your password as  usual.  
Next, you’ll be  brought to a screen asking for a verification  code [that] comes from  your mobile phone, which you’ve  previously linked up to your Google  Account."&lt;/p&gt;&lt;p&gt;For me, the word "optional" makes this whole  2-factor authentication "system" more like a feature. It doesn't make  using GMail safer. For example, say you use 2-factor authentication  because you are smarter than the average bear, but your buddy doesn't  know any better. What happens to you when your buddy's email account is  hacked and you suddenly get some serious malware on your computer  because you opened a link from an e-mail source you trusted? Not all  Google accounts are safer. In fact not even the people who use 2-factor  authentication are necessarily "safer."&lt;/p&gt;&lt;p&gt;Of course, it  makes sense that the feature is optional, since it doesn't seem like  Google has a way to ensure that users without smart phones or even  mobile phones can pull this off. I think of my poor Grandmother.  Kinkaid's article did say, however, that Google would give your landline  a ring with the authentication code if you don't have a cell phone. But  who is going to do that? And what about people who don't have phones  (they're out there... think of people without the resources to afford a  phone but were able to set up their own GMail accounts at a library  computer, for example).  
&lt;/p&gt;&lt;p&gt;All in all, I'd say this 2-factor authentication from Google isn't all it's cracked up to be.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-2213779965120174840?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/2213779965120174840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/googles-new-2-factor-authentication.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2213779965120174840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2213779965120174840'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/googles-new-2-factor-authentication.html' title='Google&apos;s New 2-Factor Authentication Feature'/><author><name>Cristin</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-2743946525691098488</id><published>2010-09-18T17:57:00.001-04:00</published><updated>2010-09-18T18:01:02.191-04:00</updated><title type='text'>VA's New Security Measures</title><content type='html'>This article outlines the software applications and data scanning tools the Department of Veterans Affairs is implementing. This comes as an effort to “get visibility on every device on our network” and “have a complete view of the vulnerabilities in our enterprise,” says VA CIO Roger Baker. 
The systems, which cost about $50 million, will be able to identify laptops that exist on the network that are not encrypted, as well as enable security operations managers to monitor the status of hardware and software patches on all department computers. Additionally, the VA can then obtain electronic evidence when there are security breaches and automatically fix compromises when applicable. There are also increased security measures for contracting companies that help the VA provide healthcare and benefits. These include encryption and other policies that limit who can access veterans’ sensitive data.&lt;br /&gt;&lt;br /&gt;The department has been under scrutiny over recent years because of several security breaches. The most notable is the one we discussed in class: in 2006, a laptop theft left the personal information of 26 million veterans in jeopardy. This year, six computers were reported lost in June and July, and in August, ten laptops were missing from the VA’s inventory. A handful of these had been encrypted, but some had not. The number, not to mention severity, of the incidents seems to be a red flag indicating something needs to be done to heighten security in order to prevent future problems. The new security measures that widen visibility in the whole department are steps in the right direction for the VA.&lt;br /&gt;&lt;br /&gt;Of course this is easier said than done, but it seems like the VA has taken too long in implementing such measures. It has been four years since we first learned about the department’s vulnerabilities, so it seems like they would have done more to address this issue sooner. After the visibility software is in place, it is also important that managers and department officials monitor and appropriately deal with the software’s findings. It would be useless if the system identifies vulnerable computers, but managers do nothing about the threats. 
Also, the article suggests that the “sprawling, decentralized structure” of the VA contributes to the difficulty in effectively imposing security across the entire department. We read about the organizational problems of the VA in our case study, and perhaps there is a larger structural issue that the department needs to fix first.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Article cited:&lt;br /&gt;&lt;a href="http://www.govhealthit.com/newsitem.aspx?nid=74675"&gt;http://www.govhealthit.com/newsitem.aspx?nid=74675&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Also used:&lt;br /&gt;&lt;a href="http://www.nextgov.com/nextgov/ng_20100917_6367.php?oref=topstory"&gt;http://www.nextgov.com/nextgov/ng_20100917_6367.php?oref=topstory&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-2743946525691098488?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/2743946525691098488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/vas-new-security-measures.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2743946525691098488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2743946525691098488'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/vas-new-security-measures.html' title='VA&apos;s New Security Measures'/><author><name>epalag</name><uri>http://www.blogger.com/profile/07548394119192046764</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4806423283540529740</id><published>2010-09-18T11:10:00.002-04:00</published><updated>2010-09-18T11:38:38.466-04:00</updated><title type='text'>Outage for JPMorgan Chase</title><content type='html'>On September 14th, news broke that JPMorgan was suffering from "technical difficulties", and there was an outage affecting customers' ability to access their account online. When a user tried to log on, he/she would encounter a simple message, "Log on Later." The online access was disabled Monday night and remained offline all of Tuesday. Some users even reported problems through Wednesday. Consumers have gotten accustomed to their ability to bank online, and any outage could cause unrest among the bank's customers. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;JPMorgan, the second largest bank in America, said that the outage was due to a "third party database company's software." They also stated that the problems were due to a failure in their authentication process. The bank claims that no customers' information has been compromised.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Although no sensitive information was leaked during the outage, the fact that accessibility was compromised is important. The exact cause of the breakdown is not exactly clear, but blaming a third party company for an authentication problem seems odd. I agree with Mr. Monash in the article when he says, "It's hard to imagine that they would outsource authentication - it's too core." Authentication is a very important step in access controls, especially for online banking. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;JPMorgan needs to take action with respect to this event. 
Although the precise source of the outage is not clear, if this third party company has anything to do with it, I would strongly reconsider the relationship with them. If I were in charge of JPMorgan I would attempt to change the authentication process to our control. Then, if for some reason there were another outage, we would be able to get the system back online faster than 2 days. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;JPMorgan's clients expect 100% accessibility of their own accounts, whether it is online, at an ATM, or even in the bank. If I were a customer, and this happened again, I would definitely be worried about the security of my bank and most likely change banks. &lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;http://www.computerworld.com/s/article/9186238/JPMorgan_Chase_deposits_blame_sort_of_for_outage_?taxonomyId=17&lt;/div&gt;&lt;div&gt;http://www.computerworld.com/s/article/9185420/JPMorgan_Chase_s_online_banking_site_crashes?taxonomyId=17&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4806423283540529740?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4806423283540529740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/outage-for-jpmorgan-chase.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4806423283540529740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4806423283540529740'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/outage-for-jpmorgan-chase.html' title='Outage for JPMorgan 
Chase'/><author><name>Blake</name><uri>http://www.blogger.com/profile/06496499348513366552</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6898941760947496297</id><published>2010-09-17T10:34:00.003-04:00</published><updated>2010-09-17T15:15:30.691-04:00</updated><title type='text'>Stuxnet: The best of the worst</title><content type='html'>The Stuxnet worm is a recently found worm that has been labeled as "groundbreaking" by many antivirus professionals. This malware targets Windows machines that contain "supervisory control and data acquisition software" (SCADA). SCADA software is used to manage large, industrial systems of varying sorts. Traced back as far as June of 2009, Stuxnet was a very sophisticated, precise, and impressive malware program. When the worm was first recognized, a patch was developed for the "zero-day" vulnerability that was found. "Zero-day" threats are simply malware code that exploits unpatched holes in software that software companies are not aware of. In the past month and a half Stuxnet has been rediscovered and antivirus companies have found THREE more zero-day threats. This is unprecedented and is a first in the history of malware.&lt;div&gt;&lt;br /&gt;&lt;div&gt;Using a USB to deliver the worm, Stuxnet contained a print spooler bug, two elevation of privilege (EoP) bugs, and a bug that exposed the same vulnerability as the familiar Conficker worm (attacking the computer's usernames and passwords). In conjunction with all of these bugs, "the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates." 
It is also believed that the code was so specific that the programmers would have needed the same hardware as the SCADA machines that they were targeting, and they also must have had knowledge about the specifics of the operations of the factory floor. The hackers also took efforts to minimize the risk of their discovery by creating counters so that the different infected USBs could not spread to more than three machines. This also ensured that the bug only spread to the necessary target machines. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The resources and financial backing that must have been necessary to support this attack indicate that this was too large scale to be a private attack. Similarly, there was no intention of stealing information, which also implies that this was not a private attack from some sort of competitor. The attack was targeted at Iran with the intention of controlling the machinery against the real operator's control. It appears to be above simple "industrial espionage." &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The cause was a security breach via USB that compromised the authority to control the SCADA program on the targeted machines. In order to recover from and respond to this attack, I would recommend getting the patch updates that the antivirus companies produced for all four of the zero-day attacks. Furthermore, if it is feasible, I would consider some stricter security software with more authentication processes. This particular case could also have been avoided if there was a stricter policy regarding the use of the USB drive. In the future, it is important for these companies, and all companies, to be very aware of the potential for malware attacks. 
Although this high-tech and very intelligent attack is difficult to detect, it is always good to consistently update antivirus software and regularly test your major computer software.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_?taxonomyId=17&amp;amp;pageNumber=1&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6898941760947496297?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6898941760947496297/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/stuxnet-best-of-worst.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6898941760947496297'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6898941760947496297'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/stuxnet-best-of-worst.html' title='Stuxnet: The best of the worst'/><author><name>PK</name><uri>http://www.blogger.com/profile/11727226259803389263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4248132548851914316</id><published>2010-09-16T14:47:00.002-04:00</published><updated>2010-09-16T15:14:36.761-04:00</updated><title type='text'>New Hacking tool targets Microsoft Applications</title><content type='html'>Recently, a new hacking tool has been created that targets faulty AES encryptions in 
Microsoft ASP.Net applications. The hackers can view encrypted cookies that contain different personal information, like social security numbers and banking information. It was actually developed by two researchers,  Juliano Rizzo and Thai Duong. Basically a hacker can decrypt cookies without knowing the encryption keys.  This hacking tool automates the process of finding unprotected website cookies and then decrypts them. Many websites contain unprotected cookies to gather information about the user. Luckily for most people, the majority of banks have protected cookies and require some other type of access code, like the jumbled letters and numbers, to get into their website after typing in your user name and password.&lt;br /&gt;&lt;br /&gt;This is a disheartening article and simply makes online users feel even more unsafe on the internet. The developers said that the vulnerabilities exploited affect the framework used by 25% of the internet's websites. Also by releasing this information, it gives people with bad intentions an opportunity to figure out how to use this tool and then implement it on unsafe web users.&lt;br /&gt;&lt;br /&gt;I recommend that internet users do not browse without having some type of antivirus even though that probably won't protect them 100%. I suggest that they be very cautious about what websites they are putting their valuable information into and really to not trust any site that seems like it could be easily hacked. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1520252,00.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4248132548851914316?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4248132548851914316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/new-hacking-tool-targets-microsoft.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4248132548851914316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4248132548851914316'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/new-hacking-tool-targets-microsoft.html' title='New Hacking tool targets Microsoft Applications'/><author><name>Casey Totten</name><uri>http://www.blogger.com/profile/01566197797661073528</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-2154462352165422566</id><published>2010-09-16T00:36:00.007-04:00</published><updated>2010-09-16T01:02:16.501-04:00</updated><title type='text'>Facebook Security Improving</title><content type='html'>&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" id="internal-source-marker_0.1506212934245077" 
&gt;     Anyone  who has a Facebook knows that spam is commonplace. It is not unusual to  log in and find that a “friend” who you never talk to has posted a link  on your wall saying “Check out these pictures!,” or that you’ve  received a message from a random person telling you to try out a product  for free. In fact, we are so used to this spam that most of the time we  just ignore it. &lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" &gt;     &lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" &gt;     After almost 7 years since Facebook was founded, it seems that its  owners are finally recognizing more of its security problems and are  trying to fix them. The newest improvement allows users to see when and  where their accounts are being accessed. Facebook uses information from a  user’s IP address to report the operating system, browser, and  approximate time and place of a login. A user can view this information  by logging on to Facebook and going to the  Account Security section  under the Account tab. Then, if there was an unauthorized login to the  account, they can click “deactivate” to stop this activity. 
&lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" &gt;          This control is very useful because it not only gives you a way to stop  spammers that have developed ways to log into your account and send  hundreds of unwanted messages and wall posts to your friends, but it  also enables you to log out of accounts that you’ve accidentally left  open. The only major problem that I see with this security control is  that it can also be used by the hackers themselves. If someone was  already able to log into your account, they could easily go to your  account settings and end your activity, making it impossible for you  to access your own account. 
So while this is a significant improvement  in Facebook’s security, it still has a long way to go.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" &gt;I think that requiring users to set complicated passwords and change these passwords every so often would be a good step to make Facebook more secure. Another option would be to use CAPTCHAs (distorted words) to prevent hackers from programming computers to automatically log in to Facebook accounts. These are just a few suggestions, but Facebook is going to need to do a lot more to keep its users secure. This is especially true because of the nature of the site. 
Few websites have as much information about so many people as Facebook does, and users need to be assured that the information that they put up on this social networking site is safe.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" &gt;http://www.computerworlduk.com/news/security/3238073/facebook-introduces-new-security-measures-that-kicks-out-spammers/&lt;/span&gt;&lt;/p&gt;&lt;p  style="text-align: left; margin-top: 0pt; margin-bottom: 0pt; color: rgb(0, 0, 0);font-family:times new roman;" id="internal-source-marker_0.6832271199393187"&gt;&lt;span style="font-style: normal; text-decoration: none; vertical-align: baseline;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-2154462352165422566?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/2154462352165422566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/facebook-security-improving.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2154462352165422566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2154462352165422566'/><link 
rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/facebook-security-improving.html' title='Facebook Security Improving'/><author><name>cmill2013</name><uri>http://www.blogger.com/profile/10411687927928113101</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-9018711324602084781</id><published>2010-09-13T00:15:00.002-04:00</published><updated>2010-09-13T00:17:47.307-04:00</updated><title type='text'>Here You Have</title><content type='html'>&lt;p&gt;&lt;small class="upper"&gt;Sep 10 2010    2:06AM GMT &lt;/small&gt;  &lt;br /&gt;  &lt;/p&gt;     &lt;span class="color_light"&gt;Posted by: Marcia Savage&lt;/span&gt;    &lt;p&gt;An old-style email worm was spreading Thursday, antivirus vendors  reported. The malware, named “Here you have” for the message it carries  in the subject line, includes a link that appears to be a PDF file but  instead is a malicious program, according to McAfee.&lt;/p&gt; &lt;p&gt;If someone clicks on the link, the malware sends itself to all the  contacts in the recipient’s address book and tries to disable security  software. The worm harkens back to the "I LOVE YOU" virus that inundated email boxes 10 years ago. 
In fact, the Anna Kournikova mass-mailer from 2001 also used “Here you have” in its subject line.&lt;/p&gt; &lt;p&gt;ABC News reported that it was hit by the new worm, along with NASA, Wells Fargo, Comcast and Disney.&lt;/p&gt; &lt;p&gt;McAfee rated the malware as a medium risk.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;http://itknowledgeexchange.techtarget.com/security-bytes/here-you-have-email-worm-spreads/&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-9018711324602084781?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/9018711324602084781/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/here-you-have.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/9018711324602084781'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/9018711324602084781'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/here-you-have.html' title='Here You Have'/><author><name>mherna10</name><uri>http://www.blogger.com/profile/18204817162767292807</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8113767443858002135</id><published>2010-09-09T16:36:00.001-04:00</published><updated>2010-09-09T16:37:09.780-04:00</updated><title type='text'>Cryptography Slides</title><content type='html'>The slides on cryptography are available at:&lt;br /&gt;&lt;br 
/&gt;&lt;UL&gt;&lt;br /&gt;&lt;LI&gt;&lt;A HREF="http://www.nd.edu/~mchapple/CAPP/6.ppt"&gt;Cryptography&lt;/A&gt;&lt;/LI&gt;&lt;br /&gt;&lt;LI&gt;&lt;A HREF="http://www.nd.edu/~mchapple/CAPP/7.ppt"&gt;Asymmetric Cryptography&lt;/A&gt;&lt;/LI&gt;&lt;br /&gt;&lt;/UL&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8113767443858002135?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8113767443858002135/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/cryptography-slides.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8113767443858002135'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8113767443858002135'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/cryptography-slides.html' title='Cryptography Slides'/><author><name>Mike Chapple</name><uri>http://www.blogger.com/profile/04803921950574231525</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-8288812098539806801</id><published>2010-09-09T11:11:00.000-04:00</published><updated>2010-09-09T11:12:11.889-04:00</updated><title type='text'>DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY PROGRAMS NOT SO SECURE</title><content type='html'>by Mickey McCarter    &lt;br /&gt;Thursday, 09 September 2010&lt;br /&gt;&lt;br /&gt;DHS cyber wing could boost its own security, IG says&lt;br /&gt;&lt;br /&gt;The cybersecurity 
division of the Department of Homeland Security (DHS) could itself improve the security posture of its information systems, the DHS inspector general (IG) reported Wednesday.&lt;br /&gt;&lt;br /&gt;While the National Cybersecurity Division (NCSD) has instituted adequate physical and logistical security measures over the computer systems it uses to monitor the security of civilian government systems and to disseminate security information, the division could take further steps to ensure its defenses are as robust as they should be, said the IG report, DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems.&lt;br /&gt;&lt;br /&gt;"To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures," the IG report stated.&lt;br /&gt;&lt;br /&gt;The IG office focused 10 specific recommendations on the systems used by the US Computer Emergency Readiness Team (US-CERT) to monitor the dot-gov Internet domain and to provide alerts to public and private users of the Internet.&lt;br /&gt;&lt;br /&gt;US-CERT holds responsibility for compiling, analyzing, and distributing information on cybersecurity incidents. It also provides technical assistance to federal agencies that require help in defending against cyber attacks. 
US-CERT also facilitates information sharing between international, federal, state, and local authorities as well as the private sector.&lt;br /&gt;&lt;br /&gt;But the very systems US-CERT relies upon at the NCSD to do its job are not as secure as they should be, the IG report warned.&lt;br /&gt;&lt;br /&gt;To improve the security of NCSD systems, the IG Office provided its recommendations to the National Protection and Programs Directorate (NPPD), which houses the cybersecurity wing.&lt;br /&gt;&lt;br /&gt;The recommendations advised NCSD to address vulnerabilities in the operating systems and applications deployed on its Mission Operating Environment (MOE) network. It should further implement a software management solution that will patch its operations systems and applications automatically to forestall future vulnerabilities.&lt;br /&gt;&lt;br /&gt;The NCSD lacks a plan of action and identifiable milestones for addressing known security vulnerabilities, so it should produce them, the IG report suggested. Moreover, the division needs a training program to provide security awareness and specific guidance on roles to its systems personnel.&lt;br /&gt;&lt;br /&gt;The IG report further indicated that NCSD should review and approve program and system documentation for its cybersecurity program and update self-assessments for its cybersecurity systems according to DHS requirements.&lt;br /&gt;&lt;br /&gt;The division must further conduct and document firewall testing on a quarterly basis to ensure adequate protection by unauthorized users to cybersecurity program information. The cybersecurity unit could do more to implement baseline configurations prescribed by DHS for protecting its routers, servers, and workstations for its activities as well.&lt;br /&gt;&lt;br /&gt;NCSD also must conduct inspections of its offices and housing equipment to verify their physical security as per DHS specifications, the report said. 
Finally, it should set policy and follow-on procedures for protecting its equipment from temperature or humidity fluctuations.&lt;br /&gt;&lt;br /&gt;In a written response to the IG findings, NPPD Undersecretary Rand Beers agreed with all ten recommendations, noting that NCSD has taken proactive steps to fulfill quite a few of them even before the completion of the report.&lt;br /&gt;&lt;br /&gt;For example, NCSD already had purchased a software management solution and deployed it on June 30. NCSD demonstrated the system to the IG Office to make certain it fulfilled the recommendation to deploy such a system for implementing patches.&lt;br /&gt;&lt;br /&gt;In fulfillment of another recommendation, NCSD previously had stepped up its self-assessments as well to validate its security measures.&lt;br /&gt;&lt;br /&gt;"As required, NCSD's annual assessments for all National Cybersecurity Protection System (NCPS) systems, which include the MOE, Einstein, the US-CERT, and the Homeland Security Information Network Portals, and US-CERT's public Web site, were approved and validated by the end of February 2010. 
NCSD however will update its system self-assessments to include missing system information and completed appendices," Beers &lt;br /&gt;wrote.&lt;br /&gt;&lt;br /&gt;http://www.hstoday.us/content/view/14648/128/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-8288812098539806801?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/8288812098539806801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/department-of-homeland-security.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8288812098539806801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/8288812098539806801'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/department-of-homeland-security.html' title='DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY PROGRAMS NOT SO SECURE'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-4496231879457977353</id><published>2010-09-06T00:05:00.002-04:00</published><updated>2010-09-06T00:33:40.160-04:00</updated><title type='text'>Month of Bugs</title><content type='html'>Adobe Systems, Microsoft, Mozilla, Apple, HP, Novel and other vendors are being tested by the Abyssec Security Team this month.  This team will be tackling a detailed binary analysis as well as a zero-day flaw.  
Both of these issues have been constantly disrupting older versions of Adobe Reader and cPanel.  The Security Team tests the programs by attempting to penetrate them in addition to using binary code.  Abysssec strongly encourages computer users to download the latest security updates to prevent damage.&lt;br /&gt;The main purpose of "Month of Bugs" is to draw attention to lax security procedures.  This motivates software makers to edit their programs quickly to adapt to the constantly changing, dangerous virtual world.  Month of Bugs has been growing in popularity; however, the last campaign took place a year ago.  Some people debate whether Month of Bugs has an impact on software vendors.  Charlie Miller, a principal analyst security researcher, says, "If you can find so many problems with a product that you can release one a day for a month, there are some serious issues."  Miller also stated, "The only thing I can see is it is a tool to highlight the skills of the  Abysssec guys, which is fine, but I don't think there is a general  security principle they are trying to make, or at least I don't get it."&lt;br /&gt;&lt;br /&gt;I think Month of Bugs is a good way to point out inefficiencies.  As a programmer, I would much rather have the Abysssec Team point something out to me than find out after my programs have been infiltrated, risking the possibility of having the integrity or confidentiality of my program tampered with.  
However, I feel like a programmer should be continuously finding ways to make their programs stronger.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-4496231879457977353?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/4496231879457977353/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/month-of-bugs.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4496231879457977353'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/4496231879457977353'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/month-of-bugs.html' title='Month of Bugs'/><author><name>mherna10</name><uri>http://www.blogger.com/profile/18204817162767292807</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-2458433873061240988</id><published>2010-09-05T21:55:00.000-04:00</published><updated>2010-09-05T21:55:20.239-04:00</updated><title type='text'>Microsoft DLL Vulnerabilities</title><content type='html'>On August 23, 2010, Microsoft released a new security tool that could prevent the loading of unsafe DLLs on the Windows operating system. DLLs, short for Dynamic-Link libraries, are libraries which contain functions and/or data that can be used by Windows Applications. A well-known way to gain access to a user's computer operating on a windows machine is an attack known as DLL Hijacking. 
Many programs will load a malicious DLL that could be used to gain access to your machine and all of the data stored on it. &lt;br /&gt;&lt;br /&gt;The problem is not new, however. Many years ago, when Microsoft was designing the search paths for DLLs, they included the current working directory in the list of directories that Windows searches for a DLL. Thus you could trick an application into loading the wrong copy of a DLL that was located in your current working directory. &lt;br /&gt;&lt;br /&gt;Microsoft has recently released an update explaining that there is an ongoing investigation into DLL preloading vulnerabilities on the Windows operating system. Microsoft admits that in some cases an update to an infected application is impossible and that for most applications it may take quite some time to update. With this in mind, Microsoft released a new security tool that "provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block unsafe DLL loading." The Security Research and Defense team for Microsoft published a blog post on August 31, 2010 to help users enable the recommended settings of the new tool which blocks most network-based attack vectors. 
&lt;br /&gt;&lt;br /&gt;The blog can be found here: &lt;br /&gt;&lt;br /&gt;http://blogs.technet.com/b/srd/archive/2010/08/23/an-update-on-the-dll-preloading-remote-attack-vector.aspx.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Sources:&lt;br /&gt;http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1519514,00.html&lt;br /&gt;http://www.webopedia.com/TERM/D/dll.html&lt;br /&gt;http://threatpost.com/en_us/blogs/dll-hijacking-facts-and-fiction-082610&lt;br /&gt;http://blogs.technet.com/b/msrc/archive/2010/08/31/update-on-security-advisory-2269673.aspx&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-2458433873061240988?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/2458433873061240988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/microsoft-dll-vulnerabilities.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2458433873061240988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/2458433873061240988'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/microsoft-dll-vulnerabilities.html' title='Microsoft DLL Vulnerabilities'/><author><name>tks</name><uri>http://www.blogger.com/profile/02219796637678450680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3815957660528346474</id><published>2010-09-05T20:22:00.006-04:00</published><updated>2010-09-05T23:26:51.500-04:00</updated><title type='text'>Google, Skype targeted in India security crackdown</title><content type='html'>&lt;div&gt;Recently, India has been widening its security measures by asking all companies that provide encrypted communications, such as Google, Skype, and BlackBerry, to install servers in India so that its government can more easily obtain users' data.  While this may seem like a threat to our privacy, India's push for increased security review comes as a result of the 2008 terrorist attack in Mumbai where terrorists coordinated using cell phones, satellite phones, and Internet calls.  With access to data, India will be able to better patrol and protect such data.  This sweeping internet security reform also comes at a time where officials are focused on avoiding trouble at the Commonwealth Games, a major sporting event held in New Delhi in October.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The main issue with India's call for companies with encrypted communications to install a server in India is that these companies are concerned with the balance of privacy and security.  While it seems that easier access to this data would mean a higher level of protection from encrypted threats such as organized terrorist attacks or malware, the security of personal information for the users must also be strongly considered.  Companies with encrypted communications data would have to decide if security is a better choice than privacy.  India has made its stance clear through Rajesh Chharia, president of the Internet Service Providers Association of India, saying "national security is supreme over privacy."  
While Indian officials claim that access to encrypted communications data is for the sole purpose of cracking down on security, I am skeptical that alternate motives are not in place.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In India's battle for direct server access to encrypted data, companies are facing heavy pressures to concede to India's request.  BlackBerry, for example, is considering installing a server in India in response to the threat of a two month ban of BlackBerry service.  For those companies who have not installed servers in India, there are a few ways they can handle this information security and privacy dilemma.  Either the companies give in to India's request for a server and risk data privacy, deny the request for a server and possibly suffer a ban, or try to work out a limited negotiation in which server access does not mean free domain over all encrypted communications data.  In my personal opinion, working out a compromise halfway seems to make the most sense and would allow for the greatest balance of security and privacy.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;http://www.google.com/hostednews/ap/article/ALeqM5it_73CxzMozqkSOODLh2r7aCIlLwD9HVV8CO1&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3815957660528346474?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3815957660528346474/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/google-skype-targeted-in-india-security.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3815957660528346474'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3815957660528346474'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/google-skype-targeted-in-india-security.html' title='Google, Skype targeted in India security crackdown'/><author><name>dstitch</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-1376331562704389234</id><published>2010-09-04T10:45:00.001-04:00</published><updated>2010-09-04T10:45:59.890-04:00</updated><title type='text'>Cyberwar</title><content type='html'>&lt;p&gt;A hot topic in information security is cyberwar, which is the result of attacks in cyberspace.  Cyberspace does not only include the Internet, but basically any kind of electronic transaction where information is exchanged.  In their book Cyber War: The Next Threat to National Security and What to Do About It, Richard Clarke and Robert Knake suggest that the cyberwar has the potential to shift world military balance, therefore fundamentally changing political and economic relations.  However, unlike traditional war with militaries and weapons, cyberwar is much more unpredictable and difficult to track who is attacking.  Experts are considering different policies to effectively deter cyber attacks; one option the Pentagon has considered is the offensive strategy.  This means preemptive strikes on presumed threats.  With this strategy come two challenges: technological competency and legal authority.  Of course, today’s technological capabilities will be broadened within months, but experts have pointed out the difficulties in knowing the precise configuration of the enemies’ computer from a remote location.  
There is added difficulty in targeting one exact computer without affecting others connected to it and therefore arousing suspicion.  Another important roadblock in the offense strategy is international law.  Does the U.S. have the legal authority to interfere with another country’s networks if it is not at war with that country?  There is much debate revolving around the lines of national sovereignty and “covertness” of operations like preemptive strikes.  Perhaps the offensive approach is not the best, but it should be interesting to see how the deterrence policy develops from here.&lt;br /&gt;&lt;br /&gt;I also found Kim S. Nash's response to the Cyber War book noteworthy.  Nash says that it is not only the federal government that should be concerned with cyber attacks, but also the corporations.  Oftentimes, businesses simply rely on security software and programs that counter lower level threats.  However, industries such as financial services, utilities, and telecommunications, which are the foundations of the United States’ infrastructure, should make additional investments in protecting against more devastating cyber attacks.  Nash also argues that many executives have a lax mindset when it comes to matters of security.  Until an attack is made and sensitive information is lost, they are not as concerned about such things.  This is a critical mistake, and it would be worthwhile to protect the information the company values most, just to be safe.  
The task then becomes weighing the risks and determining how much protection is necessary and realistic.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Sources:&lt;br /&gt;&lt;br /&gt;http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849_2.html&lt;br /&gt;http://www.newsweek.com/blogs/we-read-it/2010/04/26/cyber-war-the-next-threat-to-national-security-and-what-to-do-about-it.html&lt;br /&gt;http://www.computerworld.com/s/article/9182783/Richard_Clarke_Preparing_For_A_Future_Cyberwar?taxonomyId=17&amp;amp;pageNumber=1&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-1376331562704389234?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/1376331562704389234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/cyberwar.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1376331562704389234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/1376331562704389234'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/cyberwar.html' title='Cyberwar'/><author><name>epalag</name><uri>http://www.blogger.com/profile/07548394119192046764</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-7274385037414920726</id><published>2010-09-02T00:24:00.008-04:00</published><updated>2010-09-02T02:06:43.843-04:00</updated><title type='text'>Security Breaches of Past and Present 
Years Has Many Concerned</title><content type='html'>In 2010 alone the Identity Theft Resource Center (ITRC) has counted over 400 total security breaches that have resulted in over 13 million records being compromised.  The breach of these records over the years, containing vast amounts of personal information such as social security numbers, addresses, names and numbers, has prompted ITRC to push for stricter enforcement of current security policies to prevent potential incidents from occurring as frequently.  These incidents include &lt;span style="font-weight: bold;"&gt;"data on the move" breaches, accidental exposure, insider theft, and hacking&lt;/span&gt;. &lt;br /&gt;&lt;br /&gt;A complete list of breaches can be found here:&lt;br /&gt;http://www.idtheftcenter.org/ITRC Breach Stats Report 2010.pdf &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;A "data on the move" breach&lt;/span&gt; usually applies to portable devices, such as USB drives, laptops or smartphones, that have access to or have the ability to obtain confidential information.  The difficulty in preventing this type of breach is that the data or devices are not necessarily secure at all times, as they are not within a secure area but are instead in the hands of an individual who is traveling.  Leaving a laptop unattended for only a few minutes can result in a potential breach of confidential information for a company, which can then lead to serious legal and financial problems.  There have even been cases where data has been copied from these portable devices.  In order to guard against this, businesses often use encryption and password systems to protect the information.  
This is not a fool-proof system, however, as loss or unintentional revelation of passwords can render encryption useless.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Accidental Exposure and Insider Theft&lt;/span&gt; involve confidential information being exposed to those who are not authorized to use it.  While accidental exposure is just that, insider theft involves someone inside an organization actively giving out confidential information.  Accidental exposure is typically prevented by educating employees about security policies.  Insider theft is more difficult to prevent because the thief is a trusted employee.  In many cases businesses will limit who is allowed to do what with certain kinds of information, as well as limit certain users' abilities and permissions within a system.  However, this is not always successful, as in the 2009 security breach involving Bank of America and Countrywide Financial.&lt;br /&gt;&lt;br /&gt;http://www.databreaches.net/?p=3447&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacking&lt;/span&gt; is the unauthorized use of computers and network resources.  A "hacker" will often take advantage of a system's lack of integrity.  This can include poor configurations, weak passwords, unpatched systems or disabled security controls.  Wade Baker, Director of Research and Intelligence at Verizon Business, states, "The majority of breaches occur on the Windows platform, but it is certainly  not exclusive. Based on our experience, most breaches do not exploit  patchable vulnerabilities but rather poor configuration. When we do see  vulnerability exploits, they aren't 'zero days' and, in fact, the patch  has usually been available for over a year. The above is especially true  for the larger breaches." 
Hacking is often prevented by making sure systems, passwords and configurations are up to security standards.&lt;br /&gt;&lt;br /&gt;The inherent problem of breaches still remains, the most current examples being the Facebook breaches and the Wikileaks scandal.  When individuals are no longer in charge of their own personal information, they are putting a tremendous amount of trust into the hands of a person they have probably never met.  These people could have malicious intentions or honorable ones.  Nevertheless, this situation has the potential to lead to confidential information being released into the hands of those who will misuse it or potentially expose it to others.  It should also be noted that exact numbers of confidential records released in these security breaches are never completely reported.  In this case the numbers could be lower or potentially higher than estimated.  The distressing issue behind these security breaches is that a great majority of them are due either to the lax security policies of the businesses involved or to an individual who exposed the information to another party.  This type of breach is concerning as more and more information is being stored as digital media and put into the hands of a third party.  This lack of ability to personally attest to the security of one's information has many experts concerned and has put many people on edge. &lt;br /&gt;&lt;br /&gt;While it cannot be said for certain whether the number of breaches is increasing, as a large majority are never discovered or never revealed, it can be said that the release or loss of millions of records containing confidential information is concerning.  Currently there is no way to completely state how much information is being illegally accessed or sold to others with malicious intent.  We cannot even say how much information was being accessed before any of the announced breaches were discovered.  
Because the information is digital and not physical, acquisition can be as simple as copying the data, logging onto a machine or sending an email. &lt;br /&gt;&lt;br /&gt;Sources: &lt;span style="font-size:78%;"&gt; http://www.examiner.com/information-security-in-boston/almost-13-million-records-breached-2010-so-far?cid=oneriot&lt;br /&gt;http://www.networkworld.com/community/node/63960&lt;br /&gt;http://www.databreaches.net/?p=3447&lt;/span&gt; &lt;span style="font-size:78%;"&gt;&lt;br /&gt;http://www.idtheftcenter.org/ITRC Breach Stats Report 2010.pdf&lt;br /&gt;http://www.idtheftcenter.org/&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-7274385037414920726?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/7274385037414920726/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/security-breaches-of-past-and-present.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7274385037414920726'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/7274385037414920726'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/security-breaches-of-past-and-present.html' title='Security Breaches of Past and Present Years Has Many Concerned'/><author><name>Michael</name><uri>http://www.blogger.com/profile/09644327126708040364</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-5849515887038827687</id><published>2010-09-01T22:22:00.001-04:00</published><updated>2010-09-01T22:24:04.727-04:00</updated><title type='text'>Data security breaches often triggered by carelessness</title><content type='html'>Often the biggest threat to your practice and patient data is not an outside hacker or a snooping employee -- it's somebody's forgetfulness.&lt;br /&gt;&lt;br /&gt;As technology becomes smaller and more portable, it becomes easier to lose. Surveys from a data protection solutions company in 2009 found that in a six-month period, 12,500 mobile devices were left in taxis, and 4,500 USB memory sticks were left in pockets of pants sent to dry cleaners.&lt;br /&gt;&lt;br /&gt;Most people -- including those in the security business -- are not protecting the data on their mobile devices. So if the device is lost, the data could be accessed.&lt;br /&gt;&lt;br /&gt;"I'm always surprised at the cowboy attitude," said Harry Rhodes, director of practice leadership for the American Health Information Management Assn. "You've got these people who think, 'What are the odds of that happening to me?' And then when it's happening to you, it's too late to do anything."&lt;br /&gt;&lt;br /&gt;Just having your phone drop out of your pocket could launch a time-consuming and expensive nightmare of reconstructing data and adhering to fixes mandated under the Health Insurance Portability and Accountability Act.&lt;br /&gt;One-third of health professionals store patient data on laptops, smartphones and USB memory sticks.&lt;br /&gt;Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 
18, 2009, rose from $25,000 to $1.5 million.&lt;br /&gt;&lt;br /&gt;So how do you protect yourself from an accidental loss of a device containing sensitive data? Experts recommend two strategies. One is to find a way to handle or store your mobile technology so you can't lose it easily. The other is to make sure the device has security and encryption features that make it next to impossible to access by anyone who happens to find it.&lt;br /&gt;&lt;br /&gt;Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said he has seen a recent increase of health information breaches because of the use of mobile devices. Privacy Rights, a San Diego-based consumer advocacy group focused on educating the public on how technology impacts privacy, is developing a database of all known data breaches in the United States to analyze how each breach occurred, Stephens said.&lt;br /&gt;&lt;br /&gt;Credant Technologies, a Dallas-based data protection solutions company, noted in a 2008 survey that although more than a third of health care professionals store patient data on laptops, smartphones and USB memory sticks, most do not adequately secure the data.&lt;br /&gt;&lt;br /&gt;Sean Glynn, vice president of product marketing at Credant, said the company surveyed smartphone users at a commuter train stop in 2009. When asked if the data on their phones were encrypted, few said yes. When the same survey was conducted among data security professionals at a trade show, the results were nearly identical.&lt;br /&gt;&lt;br /&gt;Credant also performed the studies about mobile devices left in taxis and at dry cleaners. 
Those covered all devices, not just those owned by health care professionals.&lt;br /&gt;&lt;br /&gt;Only 39% of health care organizations encrypt data on mobile devices.&lt;br /&gt;People "might well protect their traditional desktop or laptop PC, but they are always buying these [portable] devices and bringing them in as their own personal devices," Glynn said.&lt;br /&gt;&lt;br /&gt;Encrypting the data can eliminate the HIPAA obligation to notify patients of a lost device, under a provision that allows an exception if the data cannot be accessed. But in most cases, encryption is not being done.&lt;br /&gt;&lt;br /&gt;The Healthcare Information and Management Systems Society, in a survey released in November 2009, found that despite the strengthening of HIPAA regulations, health care organizations have made relatively few changes to their security policies and procedures. For example, only 39% reported using mobile device encryption.&lt;br /&gt;&lt;br /&gt;Rhodes likened people's attitudes towards data security to those of home security systems -- no one thinks it's necessary until something happens.&lt;br /&gt;&lt;br /&gt;The Veterans Health Administration, for instance, now requires encryption of all mobile devices and has banned the use of thumb drives after the theft of one from an employee's home in 2006. Rhodes has seen other organizations block USB ports on desktop computers with a plug-in device or a super glue product, preventing data from being exported onto a thumb or flash drive.&lt;br /&gt;&lt;br /&gt;He said there also are software packages that can be downloaded onto PDAs or smartphones that allow the users, in the event the device is lost or stolen, to call a phone number that automatically will erase everything from the device. There also are downloadable GPS systems that can help locate a lost device.&lt;br /&gt;&lt;br /&gt;Smartphone and thumb-drive users also should use password protection on the devices, experts said. 
Use of a password to enter the system is just an additional line of defense that should be coupled with encryption -- the most effective means of protection available, they said.&lt;br /&gt;&lt;br /&gt;Rhodes said mobile devices often are lost when people are traveling, so simply being more vigilant and aware in places like an airport can help prevent many cases of data loss. For instance, sometimes people set down a laptop bag while flagging a taxi. A thief can run by, grab the bag, then throw it into a waiting car that speeds off. "Always keep the bags on your shoulder," he said.&lt;br /&gt;&lt;br /&gt;Laptops also can disappear from security belts at airports, he said, not necessarily from theft but because many computer cases look alike. Experts suggest attaching a business card to the outside of the case.&lt;br /&gt;&lt;br /&gt;Another line of defense is to limit the amount of data on a mobile device.&lt;br /&gt;&lt;br /&gt;For example, Stephens of Privacy Rights Clearinghouse said he has seen cases of employees who carry an entire company database around with them. 
One momentary lapse of good judgment, he said, could become an expensive teaching moment.&lt;br /&gt;&lt;br /&gt;http://www.ama-assn.org/amednews/2010/02/22/bil20222.htm&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-5849515887038827687?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/5849515887038827687/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/data-security-breaches-often-triggered.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5849515887038827687'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/5849515887038827687'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/data-security-breaches-often-triggered.html' title='Data security breaches often triggered by carelessness'/><author><name>ireither</name><uri>http://www.blogger.com/profile/06566109460104393553</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-3170446524856475840</id><published>2010-09-01T20:20:00.002-04:00</published><updated>2010-09-01T20:31:01.328-04:00</updated><title type='text'>Smudge Attacks</title><content type='html'>&lt;div&gt;A &lt;a href="http://www.usenix.org/events/woot10/tech/full_papers/Aviv.pdf"&gt;recent paper&lt;/a&gt; from the University of Pennsylvania examined the issue of "smudge attacks" - a decidedly low tech security weakness with touchscreen cellphones - 
particularly Android phones.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Android phones feature a &lt;a href="http://www.flickr.com/photos/mikedent/3691010763/"&gt;pattern lock screen&lt;/a&gt;, where instead of a PIN or password, a user traces a preset pattern to unlock their phone. However, the researchers were able to bypass the lock screen by simply taking photos of the phone (with the screen off) under a light, and then adjusting the photo in an image editing program to show finger smudges which revealed the pattern to unlock the lock screen.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The researchers found that even when a phone was wiped using clothing after entering the lock pattern, almost all of the smudge pattern remained.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This has implications for non-Android phone users as well. Consider the iPhone - if smudges are left in areas where there is frequent contact, there are likely to be smudges over the numbers used when entering an iPhone's PIN. And given that the iPhone PIN length is known (it's always four numbers), it wouldn't take very long to guess the correct number combination once you know the numbers involved.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Unauthorized access to phones, particularly corporate and government phones, is a security risk. An unauthorized user could look up the owner's contacts - which could reveal information about a company's clients, for example. An unlocked phone could also be used in social engineering attacks. An attacker could use the phone to send a text message to a colleague of the owner claiming to have forgotten a passcode or something.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Solutions to the issue could be as simple as tracing an incorrect pattern each time after unlocking the phone to create other smudge patterns to confuse or obfuscate the unlock pattern. 
Frequently changing password patterns could also reduce the issue. And finally, choosing more secure lock patterns can also reduce the likelihood of smudge attacks. For example, an open-ended pattern, such as an L shape, would only have two possible combinations - upper left corner down to lower right corner or vice versa. But a pattern with intersecting lines and closed shapes (such as squares) can make it much more difficult to tell the start and end points of the pattern, as well as the direction of the pattern.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Over the summer, a friend and I took a lot of trips in his car. He owns a Motorola Droid, which we used as a GPS as well. Frequently, I had to unlock the phone's screen for him, and I was able to successfully guess his password using smudge marks simply by holding the phone up so the sun reflected off the screen - and revealed the smudge marks in the unlock pattern. So a smudge attack doesn't even require the photography equipment used by the researchers in the above paper.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: x-small;"&gt;Source: &lt;/span&gt;&lt;a href="http://www.usenix.org/events/woot10/tech/full_papers/Aviv.pdf"&gt;&lt;span class="Apple-style-span" style="font-size: x-small;"&gt;http://www.usenix.org/events/woot10/tech/full_papers/Aviv.pdf&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: x-small;"&gt;; &lt;/span&gt;&lt;a href="http://www.engadget.com/2010/08/16/shocker-touchscreen-smudge-may-give-away-your-android-password/"&gt;&lt;span class="Apple-style-span" style="font-size: x-small;"&gt;http://www.engadget.com/2010/08/16/shocker-touchscreen-smudge-may-give-away-your-android-password/&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/1397998032075268434-3170446524856475840?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/3170446524856475840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/smudge-attacks.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3170446524856475840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/3170446524856475840'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/smudge-attacks.html' title='Smudge Attacks'/><author><name>kli1</name><uri>http://www.blogger.com/profile/17712712659743026314</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-6436268586660763923</id><published>2010-09-01T18:24:00.005-04:00</published><updated>2010-09-01T18:47:20.452-04:00</updated><title type='text'>In The Future, Not Even A Name Change Will Protect Your Past</title><content type='html'>&lt;a href="http://techcrunch.com/2010/08/16/eric-schmidt-change-name/"&gt;In an article written about 2 weeks ago&lt;/a&gt; Google CEO Eric Schmidt was quoted saying, "I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time." 
The article is citing an interview the Wall Street Journal had with Schmidt, which eventually led to Schmidt declaring that "every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends' social media sites."&lt;br /&gt;&lt;br /&gt;Is this truly the future of search on the internet? The article, written by Jason Kincaid for TechCrunch, says even changing our names would be pointless, citing the possibility that an entire industry would emerge just to help companies or our prospective employers of the future find out our original names. But then anyone could access that service.&lt;br /&gt;&lt;br /&gt;Possibly rendering this extra industry inert is the fact that Google can now recognize an individual with only fourteen photos. And this is present day. My question is, how will our practices regarding personal (or embarrassing...) information that we put on the internet come back to haunt us? This information isn't private, and it won't be able to be made private in the future.&lt;br /&gt;&lt;br /&gt;We won't even be able to hide from our past by changing our names, according to this article, given the permanence of social media information. So what happens when you slip up and there's a picture with you in your car with the license plates visible? When there's a picture of you at the gas station holding your debit card? Or when a friend posts "Happy birthday!" on your wall even when you don't have that information available to the public (it's just a good friend that happens to know your birthday)? It's a little scary to think about the fact that piece by piece we are constructing shrines for ourselves... 
these memorials of who we were that offer too much information, possibly, about who we are to people we don't want knowing about us.&lt;br /&gt;&lt;br /&gt;Essentially, given the permanence of social media, we should be careful we aren't giving up personal information in those embarrassing pictures or letting those dated "happy birthday" posts remain up on our walls...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-6436268586660763923?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com/feeds/6436268586660763923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://securitycourse.blogspot.com/2010/09/in-future-not-even-name-change-will.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6436268586660763923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1397998032075268434/posts/default/6436268586660763923'/><link rel='alternate' type='text/html' href='http://securitycourse.blogspot.com/2010/09/in-future-not-even-name-change-will.html' title='In The Future, Not Even A Name Change Will Protect Your Past'/><author><name>Cristin</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1397998032075268434.post-2572015396473425144</id><published>2010-09-01T18:09:00.003-04:00</published><updated>2010-09-01T18:15:21.525-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Current Event'/><title type='text'>USB Drive responsible for '08 Military Network Breach</title><content 
type='html'>&lt;!--StartFragment--&gt;  &lt;p class="MsoNormalCxSpFirst" style="margin-bottom:0in;margin-bottom:.0001pt; mso-add-space:auto;text-indent:.5in;mso-pagination:none;mso-layout-grid-align: none;text-autospace:none"&gt;Since 2008, the United States military has banned the use of USB drives. The ban caused great speculation as to why, but at the time the military prohibited these devices, the Pentagon said the decision to ban USB drives was related to concerns about a malware program called Agent.btz. However, on August 25, 2010, U.S. Deputy Defense Secretary William Lynn confirmed that a data breach in the U.S. defense network in 2008 was in fact the real reason the military prohibits the use of USB drives. &lt;/p&gt;  &lt;p class="MsoNormalCxSpMiddle" style="margin-bottom:0in;margin-bottom:.0001pt; mso-add-space:auto;mso-pagination:none;mso-layout-grid-align:none;text-autospace: none"&gt;            Lynn explained that a USB drive carrying malicious code was inserted into a laptop computer at a United States military base in the Middle East by a foreign intelligence agency in 2008. The malware was uploaded and began spreading to classified and unclassified material. According to Lynn, as the program continued to spread silently through the network, it set up a “digital beachhead”. This means that the data obtained by the program could be transferred to foreign intelligence agencies’ servers. While Lynn refused to answer questions surrounding any stolen data, he described the network infiltration as the “most significant breach of U.S. military computers ever”. &lt;/p&gt;  &lt;p class="MsoNormalCxSpMiddle"&gt;            Besides responding to the event by banning the use of USB drives, the Pentagon also took action by creating a mission designed to prevent such instances from occurring in U.S. military networks again: “Operation Buckshot Yankee”. The operation attempts to "purge" infected systems of malware in order to create more security. 
&lt;/p&gt;  &lt;p class="MsoNormalCxSpMiddle"&gt;            Due to the military’s large amount of extremely confidential information, I believe the necessary measures were taken in order to create a more secure network. If the problem stemmed from the use of a USB drive, then bolstering the network security must begin there. Consequently, the military happened to take those measures by banning USB devices.  Lynn explained that the big issue wasn’t the security breach, but the chance that information was at risk of being leaked. Besides prohibiting USB drives, I believe it was necessary to launch a campaign similar to “Operation Buckshot Yankee” that continually checks for security threats within a computer network to protect important documents. &lt;/p&gt;&lt;p class="MsoNormalCxSpMiddle"&gt;http://www.computerworld.com/s/article/9181939/Infected_USB_drive_blamed_for_08_military_cyber_breach?taxonomyId=82&lt;/p&gt;  &lt;!--EndFragment--&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1397998032075268434-2572015396473425144?l=securitycourse.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitycourse.blogspot.com
