A surprising amount and range of confidential information was compromised at Pamlico Community College as the result of the hacking of its system. Reportedly, a single hacker was able to crack the password of a patron and infiltrate the database of library patrons, who may or may not have had their social security and driver's license numbers stored on the library's systems. 51,000 library patrons from 25 community colleges will be notified of the attack and the possibility that their information was compromised. In the notification letters, individuals will be notified as to whether or not their SSN or license numbers were stored on the system, and therefore possibly compromised.
As stated, the hacker decoded a patron's account to hack the system. After doing this, it sounds as though he was easily able to infiltrate the system further, accessing the information of other patrons. This is likely evidence of a weak encryption system at the library.
In reflecting on how this situation could have been prevented, one question stands out in my mind - why did a library have such confidential information on its patrons? The library has now stated that it has removed such information from its systems, proving that it was not serving any particular purpose there in the first place. In examining one's systems, an organization should be sure that it is not holding unnecessary information on its clients; this is an easy step in ensuring that it can not be compromised. In addition to this, the library should strengthen general information security as it appears the hacker had no trouble delving into their system.
Source:
http://www.enctoday.com/news/college-50645-nbsj-security-library.html
Saturday, December 19, 2009
Security Review: Motorola Droid.
Droid does. That is the slogan marking the release of the Motorola Droid, which utilizes the Verizon 3G network and Google's Android 2.0 software. With a rich web experience, sharp photos, Google search with voice and so on, the question a person might actually have is what doesn't the Droid do? One sad but realistic answer - security.
The Droid is a smart phone created for basically one purpose, to compete with Apple's iPhone. To describe it is to describe the latter device. It is a phone, but users will primarily utilize its 3G network to access the internet, download applications, use GPS, and so on.
As a user, I would want the device to be physically safe: this means password protection when the phone is not in use, to keep others from viewing personal information, such as contacts, calendars, notes, etc. Basically keeping my information confidential. Apart from this, I want a safe 3G experience, where I can access the internet, my e-mail, and so on, without fearing that my phone could be hacked or infected with a virus.
To analyze what an attacker might want to exploit in the Droid, one can simply reverse the security goals I mentioned above. Attackers would likely seek to view my personal information, infect my system, start phishing or similar schemes within my e-mail, or similar malicious acts.
As a new device which accessing the internet, it is obviously vulnerable to the multitude of threats inherent in using the internet. The fact that business people will likely want to use the phone for business e-mail and other purposes is one reason it needs to be secure. However, Droid has not taken these concerns to heart. Basic password provisions are limited, lacking strength requirements and lock-out after a specific number of failed entry attempts, seemingly obvious implementations. In addition to this, it lacks management capabilities. Droid also lacks on-device encryption and fails to meet standards for Exchange, preventing connection to company e-mail for most businesses.
As the use of smart phones and 3G networks increases, the entry of hackers and others with malicious intent is increasing, so one must be careful to ensure that their device is ready for the attack. After researching, I would say the Motorola Droid has a ways to go, especially for business users, who I would advise to stick with Blackberries. It is clear that newer versions of the Droid should have bigger priorities than difficulty with the manual keyboard or weight issues.
Source:
http://www.pcworld.com/businesscenter/article/182822-1/can_droid_phones_take_care_of_business.html
http://www.pcworld.com/reviews/product/324707/review/droid.html
The Droid is a smart phone created for basically one purpose, to compete with Apple's iPhone. To describe it is to describe the latter device. It is a phone, but users will primarily utilize its 3G network to access the internet, download applications, use GPS, and so on.
As a user, I would want the device to be physically safe: this means password protection when the phone is not in use, to keep others from viewing personal information, such as contacts, calendars, notes, etc. Basically keeping my information confidential. Apart from this, I want a safe 3G experience, where I can access the internet, my e-mail, and so on, without fearing that my phone could be hacked or infected with a virus.
To analyze what an attacker might want to exploit in the Droid, one can simply reverse the security goals I mentioned above. Attackers would likely seek to view my personal information, infect my system, start phishing or similar schemes within my e-mail, or similar malicious acts.
As a new device which accessing the internet, it is obviously vulnerable to the multitude of threats inherent in using the internet. The fact that business people will likely want to use the phone for business e-mail and other purposes is one reason it needs to be secure. However, Droid has not taken these concerns to heart. Basic password provisions are limited, lacking strength requirements and lock-out after a specific number of failed entry attempts, seemingly obvious implementations. In addition to this, it lacks management capabilities. Droid also lacks on-device encryption and fails to meet standards for Exchange, preventing connection to company e-mail for most businesses.
As the use of smart phones and 3G networks increases, the entry of hackers and others with malicious intent is increasing, so one must be careful to ensure that their device is ready for the attack. After researching, I would say the Motorola Droid has a ways to go, especially for business users, who I would advise to stick with Blackberries. It is clear that newer versions of the Droid should have bigger priorities than difficulty with the manual keyboard or weight issues.
Source:
http://www.pcworld.com/businesscenter/article/182822-1/can_droid_phones_take_care_of_business.html
http://www.pcworld.com/reviews/product/324707/review/droid.html
SSL Socked.
Secure websites may not be as secure as one would hope. In fact, they could be at great risk. A security hole was discovered somewhat recently in SSL, or Secure Sockets Layer, which is used to protect Web traffic for online banking, shopping, and any other https connection. The hole allows hackers the opportunity to introduce malicious commands into the aforementioned sites. Though these hackers cannot directly get at the encrypted data of these sites through this hole, they can surely cause a great deal of damage with malicious scripts and commands.
Specifically, a gap in the authentication process of "secure" sites provides a window for hackers to introduce malicious commands, in what is called a "man-in-the-middle" attack.
SSL users are pretty limited in what can be done in response to this discovery. Basically, a patch must be implemented to address the hole. Software vendors of secure sites will need to update their software to support revisions involved in the patch, and users must be sure to update their personal systems as patches become available. As these patches are still being developed, this problem is on-going.
Source:
http://www.pcworld.com/article/181514/ssl_hole_cracks_open_secured_web_traffic.html
http://www.phonefactor.com/sslgap/
Specifically, a gap in the authentication process of "secure" sites provides a window for hackers to introduce malicious commands, in what is called a "man-in-the-middle" attack.
SSL users are pretty limited in what can be done in response to this discovery. Basically, a patch must be implemented to address the hole. Software vendors of secure sites will need to update their software to support revisions involved in the patch, and users must be sure to update their personal systems as patches become available. As these patches are still being developed, this problem is on-going.
Source:
http://www.pcworld.com/article/181514/ssl_hole_cracks_open_secured_web_traffic.html
http://www.phonefactor.com/sslgap/
Twitter Troubled by Hackers
Earlier this morning, hackers calling themselves the "Iranian Cyber Army" were successfully able to redirect Twitter's normal Web traffic to another site. Visitors expecting the Twitter homepage instead found the following:
"a black screen with an image of a green flag and Arabic writing. The defaced site also included a message that said, 'This site has been hacked by Iranian Cyber Army,' and an e-mail address."
The hackers were able to do this by changing Domain Name System (DNS) records, redirecting traffic intended for Twitter to this dummy site. Twitter has restored the proper DNS records but is still working to identify the cause of this problem. One account of the story from Twitter claims that Twitter's systems may have never been compromised at all; instead, it lays blame on Dyn, the DNS service provider managing the site.
In this sort of attack, hackers are somehow able to infiltrate firewalls and other defenses to switch IP addresses and domains. DNS occurs at the network layer of the OSI model, so attacks can come from wireless security weaknesses as well. It is the trustworthy nature of the DNS protocol that allows such attacks to occur, listening to commands whether or not they are authentic.
While information security specialists have attempted to patch the problem with DNS, the fact that it is inherent in DNS protocol makes it difficult. One way to ensure one is heading to the right site, or for a business to make sure things are as they should be, is to use software to monitor the domain. This software can notify if a change has been made in relation to the IP address of the server. Also, one can make sure they are connected to an authentic, protected DNS server, such as OpenDNS.
Sources:
http://www.pcworld.com/businesscenter/article/185058/hackers_take_twitter_offline.html
http://www.embracingchaos.com/2008/07/how-to-protect.html
http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky
"a black screen with an image of a green flag and Arabic writing. The defaced site also included a message that said, 'This site has been hacked by Iranian Cyber Army,' and an e-mail address."
The hackers were able to do this by changing Domain Name System (DNS) records, redirecting traffic intended for Twitter to this dummy site. Twitter has restored the proper DNS records but is still working to identify the cause of this problem. One account of the story from Twitter claims that Twitter's systems may have never been compromised at all; instead, it lays blame on Dyn, the DNS service provider managing the site.
In this sort of attack, hackers are somehow able to infiltrate firewalls and other defenses to switch IP addresses and domains. DNS occurs at the network layer of the OSI model, so attacks can come from wireless security weaknesses as well. It is the trustworthy nature of the DNS protocol that allows such attacks to occur, listening to commands whether or not they are authentic.
While information security specialists have attempted to patch the problem with DNS, the fact that it is inherent in DNS protocol makes it difficult. One way to ensure one is heading to the right site, or for a business to make sure things are as they should be, is to use software to monitor the domain. This software can notify if a change has been made in relation to the IP address of the server. Also, one can make sure they are connected to an authentic, protected DNS server, such as OpenDNS.
Sources:
http://www.pcworld.com/businesscenter/article/185058/hackers_take_twitter_offline.html
http://www.embracingchaos.com/2008/07/how-to-protect.html
http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky
Friday, December 18, 2009
Voicemail Hackability
Voicemail Hackability
If you haven’t noticed, cell phone voicemails have changed dramatically over the years. It went from calling your direct mailbox and entering your entire phone number and a password, to entering a simple five digit code, to calling directly from your phone without any authorization besides for the cell phone number checks, to even storing messages directly to your phone. Still, many mobile phones' have voicemail systems that are based on the caller ID of the incoming caller. This is how it works: If the owner of a cell phone decided to check his voicemail directly from his cellular phone, the caller id would recognize his number and give him direct access to his voicemails, no questions asked. There was only one problem with this, if anyone could spoof your caller ID, they could access your voicemail. After a few high profile voicemail attacks through this vulnerability, mobile operators have began urging customers to change their voicemail preferences to require a pass code. Still, there were some operations out there that went under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.
I always wonder about the security of voicemails. I remember times when I would be able to call my friends’ or family’s cell phones, push the pound key, and then enter the generic 9999 pass code and gain access to all of their voicemails (they knew of course). Thinking back to my discovery, I wondered if others discovered this same “hack and took it further. I was not surprised to see find a hack used to enter voicemail boxes but I was surprised to see AT&T and T-Mobile being fined over it. My only logical explanation for this is the fact that AT&T and T-Mobile did not take the necessary precautions to maintain the integrity and confidentiality of their customers.
Hacking a Coke Machine
Hacking a Coke Machine
Hasn’t the increased soda prices from vending machines annoyed you? Don’t you wish you could change the price back from 1.85 to .75 cents? What’s stopping you? With everyone depending on the use of technology to increase cost efficiency, hacks are bound to result. As you may have noticed, coke machines have officially gone LED. A message slowly scrolls by enticing you to enjoy an ice cold coke. Although it is a nice gesture, the real reason these screens have been created is to give the soda companies the ability to easily change prices and count revenue totals. Rather than implement authorization checks, any person can access a coke machines hard drive and lower the prices as much as 0 dollars! After punching in a few numbers in a specific order, a manager screen arises where people can see the total revenue the machine as brought in to how much money is actually in it at the current moment. With technology growing with the future, what is to come of these “little” hacks?
United States Drone Hacked by Iraqi’s with a 26 Dollar Program
United States Drone Hacked by Iraqi’s with a 26 Dollar Program
The technology I will be discussing in this post is the General Atomics MQ-1 Predator,an unmanned aerial vehicle (UAV) used by the United States military. This five million dollar vehicle is not only a fully functional unmanned plane but it can fire two hellfire missiles, travels over 2,000 miles in one trip, and, most importantly, projects a live video feed of the ground it flies 25,000 feet above. This is a huge asset to our government and has played a pivotal in our recent battles against Iran and Afghanistan.
Another technology that is relevant to this topic is an offline satellite internet downloader called “SkyGrabber”. SkyGrabber was written by a Russian programmer in Ukraine. SkyGrabber is a simple enough concept: grab the signals that spill from a satellite broadcast (or even narrowcast), aimed from a satellite towards a specific location, and turn them into TV feeds you can look at. Or as the website puts it: "You don't have to keep an online internet connection. Just customize your satellite dish to a selected satellite provider and start grabbing."
Having an asset such has the drone, there are many goals our country should expect and ensure. Confidentiality in the drone so that no one else can access its information or controls, accessibility so we, the United States, can access the drones collected data, and Integrity of the data the drone may collect to ensure proper analysis of foreign countries and possible threats. Maybe no one could’ve imagined the United States defense being infiltrated but we failed to recognize the threats of hackers.
It was recently reported that militants in Iraq used this $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations. It is obvious that the goal of the militants is to disclose the information to their people, alter the feeds seen by their enemy, or even denial of service to the United States at all. Although the droid is a huge benefit to our country, it could be a huge hit if it were to be used against us.
US drones send their video up to a US military satellite (the "uplink") that cannot be intercepted. The signal is then beamed by that satellite or a linked down to the controllers – who might be in Afghanistan or Iraq. Although it sounds difficult, the signal was completely UNENCRYPTED! Basically anyone with a satellite dish and the right frequency and location could pick up the signal. Although only the video link was intercepted, experts say that taking control of the plane from an outside signal is not much more difficult than intercepting the video feed. It is vital that the United States encrypt all their data, no matter what the cost.
U.S. Reported Ready To Join U.N. Cyberattack Talks
With the growing threat of a cyber attack on the Us, President Obama has agreed to begin negotiations with the U.N. in defending against cyberwar. This has come in response to recent attacks on the US infrastrcture including banks and the government itself.
Cybercrime has the ability to cripple a nations economy, as we have seen in the case of Estonia, and taking action to defend against it should be of utmost importance. The attackers were the same attackers in the TJX case, who were finally indicted .
Negotiations between Russia and the US are at a standstill because as the US wants to prosecute cyber criminals from Russia, the Russian government wants to protect its sovereignty against cyberattacks that have taken place from within. This is the major issue in regarding the cyber attacks because it does help Russia, but it does not help the US defend against these attacks, while Russia remains to stay on the fence about helping.
Cybercrime has the ability to cripple a nations economy, as we have seen in the case of Estonia, and taking action to defend against it should be of utmost importance. The attackers were the same attackers in the TJX case, who were finally indicted .
Negotiations between Russia and the US are at a standstill because as the US wants to prosecute cyber criminals from Russia, the Russian government wants to protect its sovereignty against cyberattacks that have taken place from within. This is the major issue in regarding the cyber attacks because it does help Russia, but it does not help the US defend against these attacks, while Russia remains to stay on the fence about helping.
Trademark Issues with "Bing"
The Microsoft Company is recently getting sued by a smaller Missouri company for using the name "Bing" to brand Microsoft's new search engine. They are filing on unfair competition and trademark infringement from Microsoft's "big business" pressure and reputation. Bing Information Design filed this case through a circuit court in Missouri, asking for paid advertising that would distinguish between the two companies. Bing, the design company, had been using the name since 2000 and attempt to apply for trademark but was initially refused. Their trademark would have used "Bing!" with an exclamation point. Microsoft had also applied for trademark around this time without the exclamation point. Microsoft is aware of the complaint, but they do not believe it is a serious issue or lawsuit with merit.
Source: http://www.computerworld.com/s/article/9142459/Design_company_Bing_sues_Microsoft_over_trademark?taxonomyId=17
Security Review: Kindle
The Kindle is a portable, electronic, wireless source that allows its users to purchase and read a multitude of books. Books can be purchased online through Amazon.com. Along with these features, The Kindle can also access the Internet. Throughout the past two years, the Kindle has become a very hot item for individuals of all ages because of its convenient and portable nature.
Considering The Kindle is portable and can easily be stolen, I would want it to have a pass code entry. Immediately after turning The Kindle to the on position, a password should be required. Also, if The Kindle goes idle, a password should be necessary. In order to purchase a book on a Kindle, the user must click on the “Buy” tab. The user’s credit card information “is linked to Amazon’s One-Click purchase capability. Therefore, if someone were to steal the Kindle, he/she could obtain personal and financial account information. As well as a locked entry, there should be certain security measures taken because it is a wireless device. Just like any other wireless device, it is possible for a hacker to find a vulnerability in the system and gain personal information.
If I were attempting to find the Kindle user’s credit card information, I would simply need to steal the device and attempt to buy a book. Considering there is no password required to start the device, a hacker would not need to break a code. There is most likely a place to account settings, and the hacker could then easily gain the user’s credit card information.
I believe the owner of the system should accept the risk and continue selling The Kindle. As of now, there have been no major security breaches involving The Kindle. Also, a hacker stealing one device would only allow that hacker to gain one person’s private information. Most advanced hackers are going to hack on a much larger scale than this.
Source: http://rationalsecurity.typepad.com/blog/2009/02/amazons-kindle-some-interesting-security-thoughts.html
Considering The Kindle is portable and can easily be stolen, I would want it to have a pass code entry. Immediately after turning The Kindle to the on position, a password should be required. Also, if The Kindle goes idle, a password should be necessary. In order to purchase a book on a Kindle, the user must click on the “Buy” tab. The user’s credit card information “is linked to Amazon’s One-Click purchase capability. Therefore, if someone were to steal the Kindle, he/she could obtain personal and financial account information. As well as a locked entry, there should be certain security measures taken because it is a wireless device. Just like any other wireless device, it is possible for a hacker to find a vulnerability in the system and gain personal information.
If I were attempting to find the Kindle user’s credit card information, I would simply need to steal the device and attempt to buy a book. Considering there is no password required to start the device, a hacker would not need to break a code. There is most likely a place to account settings, and the hacker could then easily gain the user’s credit card information.
I believe the owner of the system should accept the risk and continue selling The Kindle. As of now, there have been no major security breaches involving The Kindle. Also, a hacker stealing one device would only allow that hacker to gain one person’s private information. Most advanced hackers are going to hack on a much larger scale than this.
Source: http://rationalsecurity.typepad.com/blog/2009/02/amazons-kindle-some-interesting-security-thoughts.html
Twitter Virus
As already described a multitude of times on this blog, numerous viruses are floating around social networking sites like Facebook, MySpace, and Twitter. These sites have had to improve their security measures in order to keep up to speed with social networking hackers. In the article, “Viruses that Leave Victims Red in the Facebook”, Matt Marques, a public relations employee, tells of when his Twitter account sent out an abundant of messages containing a virus. The message offered the reader a gift card worth $500 to Victoria’s Secret. When Marques was informed that his Twitter account was sending out messages about underwear, he became embarrassed and wondered how many people this message had reached. He acted as if he lost some of his pride due to the content of this message, even though the receivers of the message eventually found out the message was a virus.
Although Marques might have felt ashamed of the message that was being sent to his Twitter followers, he should have been more ashamed of his password. Marques revealed his password was “abc123”. As we described in class, an easily breakable password takes little time for a hacker to infiltrate. Had he used a password mixed with upper case and lower case letters, numbers, and symbols, the chances of this happening would have decreased significantly. It is baffling that an employed, educated man working in public relations would have such a weak password. This goes to show that all individuals need to be informed of password security and the important of password strength.
Source: http://www.nytimes.com/2009/12/14/technology/internet/14virus.html?_r=1
Although Marques might have felt ashamed of the message that was being sent to his Twitter followers, he should have been more ashamed of his password. Marques revealed his password was “abc123”. As we described in class, an easily breakable password takes little time for a hacker to infiltrate. Had he used a password mixed with upper case and lower case letters, numbers, and symbols, the chances of this happening would have decreased significantly. It is baffling that an employed, educated man working in public relations would have such a weak password. This goes to show that all individuals need to be informed of password security and the important of password strength.
Source: http://www.nytimes.com/2009/12/14/technology/internet/14virus.html?_r=1
Blackberry E-mail Outage
According to Research in Motion Ltd., a company that manufactures Blackberry devices, Blackberry users experienced a delay in receiving emails on Wednesday, December 16. The amount of time in which e-mails were delayed is not known for sure yet, but Blackberry users are not happy about the situation, myself included. According to the previous blog post titled “Sprint Text Messaging Outage”, Sprint also had a problem with text message failure and delays. Considering I am a Sprint customer who owns a Blackberry handheld device, both of these outages upset and worry me.
This is upsetting because Blackberrys are expensive devices that claim to provide a reliable and instant way to receive text, picture, voice, and e-mail messages from a variety of social networks. Also, in order to have a Blackberry device, a Sprint user must sign a specific contract including data, which also costs a great deal more per month. I am willing to pay a substantial amount of money for these services because they are convenient and beneficial while being in college; however, I am only willing to pay for services that work. Within one night, I was denied text messaging and e-mail due to two different company failures.
Although one night without texting and email might not seem like a problem, it occurred during finals week. Throughout the time that I did not receive e-mails or texts, I missed a variety of important e-mails and text messages. Unfortunately, technological problems like this occur on numerous devices; however, I hold Sprint and Blackberry to a high standard due to the amount of time and money I have invested in them. I, as well as others who experienced the same problem, rely on Sprint and Blackberry to provide extraordinary services.
These problems worry me because Sprint does not seem to know the problem and Blackberry claims their problem has been fixed. No further information has been released to the public, which makes me wonder whether something more serious occurred in both cases. In class, we frequently discussed what we would do in a situation similar to this. As the owner of the company, I would want to figure out the problem and then inform customers; however, being the customer in this situation changes my perspective. If there is a vulnerability in my network or device, I would like to know about it. That way, I would begin taking the proper steps to secure my mobile device.
Source: http://www.kansas.com/news/breaking/v-print/story/1102455.html
This is upsetting because Blackberrys are expensive devices that claim to provide a reliable and instant way to receive text, picture, voice, and e-mail messages from a variety of social networks. Also, in order to have a Blackberry device, a Sprint user must sign a specific contract including data, which also costs a great deal more per month. I am willing to pay a substantial amount of money for these services because they are convenient and beneficial while being in college; however, I am only willing to pay for services that work. Within one night, I was denied text messaging and e-mail due to two different company failures.
Although one night without texting and email might not seem like a problem, it occurred during finals week. Throughout the time that I did not receive e-mails or texts, I missed a variety of important e-mails and text messages. Unfortunately, technological problems like this occur on numerous devices; however, I hold Sprint and Blackberry to a high standard due to the amount of time and money I have invested in them. I, as well as others who experienced the same problem, rely on Sprint and Blackberry to provide extraordinary services.
These problems worry me because Sprint does not seem to know the problem and Blackberry claims their problem has been fixed. No further information has been released to the public, which makes me wonder whether something more serious occurred in both cases. In class, we frequently discussed what we would do in a situation similar to this. As the owner of the company, I would want to figure out the problem and then inform customers; however, being the customer in this situation changes my perspective. If there is a vulnerability in my network or device, I would like to know about it. That way, I would begin taking the proper steps to secure my mobile device.
Source: http://www.kansas.com/news/breaking/v-print/story/1102455.html
Sprint Text Messaging Outage
Last night, on December 16, after attempting to send three text messages from my Blackberry device through the Sprint Network, I received three text messages stating “The message could not be delivered due to a network setup error. Please Contact Customer Care. Error 2112” Considering I got a new phone yesterday, I thought it was a setup error on my part; however, I tried contacting Customer Care by telephone. Immediately, I was directed to a recording stating that all Customer Care lines were unavailable at the time. This made me wonder whether other Sprint users were having a similar problem. Then, I Google searched the message content and a blog post appeared on Yahoo! Answers. The blog immediately started filling up with angered Sprint customers full of questions.
Individuals from all over the country were explaining similar stories. Sprint users could not send outgoing text messages, but could receive them. I began looking for trends in the message content posted. Most individuals commenting on the blog posted their location, phone type, and time in which text messages stopped being sent. With this information, I was trying to come up with a solution as to what might have happened and whether it was a regional, or possibly even worldwide, problem.
At first, I noticed a trend in the phone type. The majority of phones listed were smartphones, including Blacckberry, Palm, and HTC handhelds. Therefore, I automatically believed the problem was only associated with smartphones, but I was wrong. Other phones, such as the LG Rumor, were also unable to send text messages during that time. The text messaging outage lasted a few hours before texting activities were back to normal. After looking at comments left by users who had talked to a Sprint Customer Care Associate, it was apparent that part of Sprint’s nationwide network went down and disabled all outgoing text messages.
Considering this occurred last night, Sprint claims they will keep their customers informed as they find out more information as to what happened; however, people are demanding answers now. Should Sprint users be worried that this was more than just an accident or temporary problem? I retyped “Sprint Error 2112” after reading the blog and noticed that this was not the first instance. This problem occurred earlier in the year, yet there are no solutions given by Sprint, or any other source. It seems that this is a serious problem that must be fixed and explained to Sprint customers soon.
Individuals from all over the country were explaining similar stories. Sprint users could not send outgoing text messages, but could receive them. I began looking for trends in the message content posted. Most individuals commenting on the blog posted their location, phone type, and time in which text messages stopped being sent. With this information, I was trying to come up with a solution as to what might have happened and whether it was a regional, or possibly even worldwide, problem.
At first, I noticed a trend in the phone type. The majority of phones listed were smartphones, including Blacckberry, Palm, and HTC handhelds. Therefore, I automatically believed the problem was only associated with smartphones, but I was wrong. Other phones, such as the LG Rumor, were also unable to send text messages during that time. The text messaging outage lasted a few hours before texting activities were back to normal. After looking at comments left by users who had talked to a Sprint Customer Care Associate, it was apparent that part of Sprint’s nationwide network went down and disabled all outgoing text messages.
Considering this occurred last night, Sprint claims they will keep their customers informed as they find out more information as to what happened; however, people are demanding answers now. Should Sprint users be worried that this was more than just an accident or temporary problem? I retyped “Sprint Error 2112” after reading the blog and noticed that this was not the first instance. This problem occurred earlier in the year, yet there are no solutions given by Sprint, or any other source. It seems that this is a serious problem that must be fixed and explained to Sprint customers soon.
Thursday, December 17, 2009
iPhone's First Worm
The weekend before November 8, 2009 the first active iPhone worm was found by researchers at cybersecurity firms Sophos and F-Secure. The worm was spreading among iPhone users in Australia. The worm would infect an iPhone and change the wallpaper settings to a picture of Rick Astley, and contain the words "ikee is never gonna give you up" (ikex is the name of the hacker who perpetrated this worm attack)
The only users affected by this attack are those who failed to change their default password and "jailbroke" their iPhones, making them available to run applications not authorized by Apple. About 4 million users have implemented this "jailbreak" feature, but a small fraction of these individuals haven't changed their default password.
The message left enbedded in the code suggests the hacker used this attack as a joke, or even a warning to showe weaknesses in the iPhone. No matter what his intensions, the weakness has been revealed.
I think the cause of this event is driven entirely by the iPhone's growing popularity. A small niche product is most likely not going to be targeted by cyber criminals, but the more users an application or product has the more profitable a successful hack can be for the criminal. I think ikex truly used this as a warning for those responsible for iPhone security, and wants to see a solution in security (similar to our case study earlier in the semester), and I think that this needs to be taken seriously. Apple has always flaunted it's "no virus" aspect, but with this increased popularity they will become targets of more and more cyber criminals.
Source: http://www.forbes.com/2009/11/08/iphone-virus-attack-technology-security-rickrolling-cybersecurity.html?feed=rss_popstories
The only users affected by this attack are those who failed to change their default password and "jailbroke" their iPhones, making them available to run applications not authorized by Apple. About 4 million users have implemented this "jailbreak" feature, but a small fraction of these individuals haven't changed their default password.
The message left enbedded in the code suggests the hacker used this attack as a joke, or even a warning to showe weaknesses in the iPhone. No matter what his intensions, the weakness has been revealed.
I think the cause of this event is driven entirely by the iPhone's growing popularity. A small niche product is most likely not going to be targeted by cyber criminals, but the more users an application or product has the more profitable a successful hack can be for the criminal. I think ikex truly used this as a warning for those responsible for iPhone security, and wants to see a solution in security (similar to our case study earlier in the semester), and I think that this needs to be taken seriously. Apple has always flaunted it's "no virus" aspect, but with this increased popularity they will become targets of more and more cyber criminals.
Source: http://www.forbes.com/2009/11/08/iphone-virus-attack-technology-security-rickrolling-cybersecurity.html?feed=rss_popstories
Monday, December 14, 2009
Cash a Check, Go to Jail
With unemployment at an all-time high, people are searching for work in the most remote places. One them being, online. According to MSN Money, fake-check scams have become one of the number one fraud reported to the National Consumers League.
Because U.S. law requires the dispensation of funds from a check within five business days, banks are losing out on more and more money. Five days is usually not enough time to determine whether or not a check is fraudalent. However, the bank can not legally hold the funds until they determine the legality of the check. Rather, they must cash the check. Then, request compensation later. These scammers draw up real checks from actual accounts, but the printing is homemade. The scam artist then instructs their victim to go the bank and cash the check, keep a portion of the proceeds, then wire the remaining balance to a designated account.
This particular form of fraud strikes me as odd that some people could actually fall for this. First of all, why is someone sending you a check endorsed to someone else. Second, why would someone have you wire them a portion of the check when they could have cashed the check themselves and kept the entire amount. The reasons underlying this scam is because the scammers choose to keep their names away from government scrutiny. Because their victim actually cashed the check, even though they did wire a portion of the check to the scammer, they are the ones at fault.
My advice is never to cash a check that is not endorsed to you. Second, most get-rich schemes are what they are: schemes. So stay away. Third, have common sense.
http://articles.moneycentral.msn.com/Banking/FinancialPrivacy/cash-a-check-maybe-go-to-jail.aspx
Because U.S. law requires the dispensation of funds from a check within five business days, banks are losing out on more and more money. Five days is usually not enough time to determine whether or not a check is fraudalent. However, the bank can not legally hold the funds until they determine the legality of the check. Rather, they must cash the check. Then, request compensation later. These scammers draw up real checks from actual accounts, but the printing is homemade. The scam artist then instructs their victim to go the bank and cash the check, keep a portion of the proceeds, then wire the remaining balance to a designated account.
This particular form of fraud strikes me as odd that some people could actually fall for this. First of all, why is someone sending you a check endorsed to someone else. Second, why would someone have you wire them a portion of the check when they could have cashed the check themselves and kept the entire amount. The reasons underlying this scam is because the scammers choose to keep their names away from government scrutiny. Because their victim actually cashed the check, even though they did wire a portion of the check to the scammer, they are the ones at fault.
My advice is never to cash a check that is not endorsed to you. Second, most get-rich schemes are what they are: schemes. So stay away. Third, have common sense.
http://articles.moneycentral.msn.com/Banking/FinancialPrivacy/cash-a-check-maybe-go-to-jail.aspx
Debit Cards
I personally use my debit card much more than my credit card. I like the idea of spending my money, opposed to charging it and having to pay for it later. However, I never really realized the continuous risks involved with using them, opposed to credit cards.
Debit cards are usually linked to your checking account. Therefore, when purchases are made, the money comes directly from that specific account, without dispute. It seems to replace the hassle of writing a check. Rather, you make the purchase, swipe, and the transaction is complete. Visa calls their debit card the "VISA Check Card" and Mastercard calls their's the "Mastermoney Card." Whoever the carrier, the debit cards function the same way.
Debit cards pose great risks, in terms of security. With checks, they require a photo ID, your license number, phone number, address, and signature. All you need to access the checking account associated with the debit card is their four-digit pin number. No questions are asked after that. And now, banks are coming out with a new debit card that does not even require a pin number! No signatures. No ID. Nothing. It seems that confidentiality for access to this account could be breached with four simple numbers, which would be entered electronically.
If I were an attacker, all I would have to do is stand behind someone close enough to see what numbers they select. If those four numbers hold the key to their checking accounts, obtaining those numbers would disclose all of their information on that account, not to mention all of the money in the account. Most receipts from debit card transactions contain the account numbers and sometimes the pin numbers. If I was an attacker, all I would have to do is watch out when people throw away receipts when leaving a store. I would then pretend I dropped something in the garbage, retrieve the receipt, go online and go shopping galore.
Clearly, the vulnerabilities of the card have been exhausted. It seems that newer technologies are making it easier and easier for black hat hackers. All they need is a receipt to drain your checking account?! That seems absurd. No photo ID. No signatures. Not even a pin number in some cases.
The value of a thin, plastic card carries the weight of an entire checking account. Because ID's and pin numbers can be stolen and altered, it seems like a difficult task to ensure the confidentiality of financial information. However, these threats will continue to exist as long as society uses cards to purchase goods, opposed to actual cash.
Because debit cards are this risky, I would definitely recommend using credit cards more often. If you lose your debit card or if someone hacks into your checking account, you lose your money and oftentimes have to go through extensive measures to retrieve that money from the bank. However, if you use your credit card, you are using the bank's money. That way, you can dispute the charges before you spend your own money. In the case that no wrongful charges have been charged, you could just pay the entire balance at the end of the month. Credit cards definitely seem like the better way to go.
http://www.pirg.org/consumer/banks/debit/fact.htm
Debit cards are usually linked to your checking account. Therefore, when purchases are made, the money comes directly from that specific account, without dispute. It seems to replace the hassle of writing a check. Rather, you make the purchase, swipe, and the transaction is complete. Visa calls their debit card the "VISA Check Card" and Mastercard calls their's the "Mastermoney Card." Whoever the carrier, the debit cards function the same way.
Debit cards pose great risks, in terms of security. With checks, they require a photo ID, your license number, phone number, address, and signature. All you need to access the checking account associated with the debit card is their four-digit pin number. No questions are asked after that. And now, banks are coming out with a new debit card that does not even require a pin number! No signatures. No ID. Nothing. It seems that confidentiality for access to this account could be breached with four simple numbers, which would be entered electronically.
If I were an attacker, all I would have to do is stand behind someone close enough to see what numbers they select. If those four numbers hold the key to their checking accounts, obtaining those numbers would disclose all of their information on that account, not to mention all of the money in the account. Most receipts from debit card transactions contain the account numbers and sometimes the pin numbers. If I was an attacker, all I would have to do is watch out when people throw away receipts when leaving a store. I would then pretend I dropped something in the garbage, retrieve the receipt, go online and go shopping galore.
Clearly, the vulnerabilities of the card have been exhausted. It seems that newer technologies are making it easier and easier for black hat hackers. All they need is a receipt to drain your checking account?! That seems absurd. No photo ID. No signatures. Not even a pin number in some cases.
The value of a thin, plastic card carries the weight of an entire checking account. Because ID's and pin numbers can be stolen and altered, it seems like a difficult task to ensure the confidentiality of financial information. However, these threats will continue to exist as long as society uses cards to purchase goods, opposed to actual cash.
Because debit cards are this risky, I would definitely recommend using credit cards more often. If you lose your debit card or if someone hacks into your checking account, you lose your money and oftentimes have to go through extensive measures to retrieve that money from the bank. However, if you use your credit card, you are using the bank's money. That way, you can dispute the charges before you spend your own money. In the case that no wrongful charges have been charged, you could just pay the entire balance at the end of the month. Credit cards definitely seem like the better way to go.
http://www.pirg.org/consumer/banks/debit/fact.htm
The Hidden Cost of Identity Theft
A couple, Debra and Robert Guenterberg, experienced one of the worst types of financial disasters: identity theft. This couple alludes their experiences to those of a horror film, something that continously comes back to haunt them, day after day after day.
They first noticed that something was wrong when the couple tried to purchase a Ford truck, only to be rejected on the grounds of poor credit. The couple knew they had good credit in the past and pondered on this new phase of rejection. Soon after that incident, they applied for a home loan and a credit card, only to be rejected again. Collection agencies began calling their house, asking for money. Tha's when they realized that two men had stolen their social security numbers and had been making purchases under their identity. Now, when they go in to open checking accounts or make large purchases on credit, they are declined.
The sad thing about this situation is that it could potentially happen to anyone. Because many business transactions are conducted on the internet, it makes it hard to ward off criminals and keep personal information safe in cyberspace. That's why antivirus software is extremely important. Also, you should not release your social security number to anyone unless you absolutely have to. Also, you could purchase the identity theft programs through several credit check bureaus to get regular updates on purchases and accounts opened under your name.
http://www.cnn.com/2009/TECH/12/07/identity.theft.costs/index.html?iref=allsearch
They first noticed that something was wrong when the couple tried to purchase a Ford truck, only to be rejected on the grounds of poor credit. The couple knew they had good credit in the past and pondered on this new phase of rejection. Soon after that incident, they applied for a home loan and a credit card, only to be rejected again. Collection agencies began calling their house, asking for money. Tha's when they realized that two men had stolen their social security numbers and had been making purchases under their identity. Now, when they go in to open checking accounts or make large purchases on credit, they are declined.
The sad thing about this situation is that it could potentially happen to anyone. Because many business transactions are conducted on the internet, it makes it hard to ward off criminals and keep personal information safe in cyberspace. That's why antivirus software is extremely important. Also, you should not release your social security number to anyone unless you absolutely have to. Also, you could purchase the identity theft programs through several credit check bureaus to get regular updates on purchases and accounts opened under your name.
http://www.cnn.com/2009/TECH/12/07/identity.theft.costs/index.html?iref=allsearch
Cyber Crimes Poses Threat to E-Commerce
Technology critics have evaluated this past year, in relationship to internet trafficking. These critics assert that this year posed a major threat to the future of e-commerce, based on their findings of the detrimental effects cyber crime has committed against our economy. Statistics place spam mail at all-time high of 87% of email traffic. This ultimately means that almost 9 out of every 10 emails that you receive will be spam mail. This poses a threat because more people are choosing antivirus software to ward off the viruses from their computers. However, malicious software, like malware and scareware, are harboring these viruses and waiting for the right time to attack these computer systems. Critics fear that people will ultimately lose faith in their computers, which poses an ever larger danger, since a large portion of business transactions are conducted over the internet.
Although confidentiality seems merely impossible on the internet, there are ways to ward off viruses. For example, although you cannot stop spam mail from being sent to your email account, you do not have to open the mail. As annoying as it may be, simply deleting the mail, rather than opening it and following links, would ward off a lot more viruses. Another tactic would be through purchasing antivirus software. Most laptops or computer systems run around several hundreds of dollars. As with any valuable asset, you would like insurance to keep viruses away and your product safe from danger.
However, as with any attacker, they learn how to get around the loopholes and get into your devices anyway. These critics fear hackers invading business transactions and finding out financial information and sensitive data. All they would have to do is get you to open the spammed email and click on a link. This would offer them disclosure of personal information, which would ultimately alter the integrity of bank statements, financial information, and other personal data.
One of the most striking concepts of the internet is that you are facing a computer screen. No one can see you and identify your actual identity. As long as you possess the correct information to forge the data and receive other information, then no questions will be asked. This poses a large threat to the future of e-commerce because no matter how much you restrict data and pose walls, some black hat hacker will come in and easily walk through them.
The only recommendation that I could make would be to keep people abreast of the newest advancements of security and ways in which they can protect themselves and their devices.
http://www.cnn.com/2009/TECH/12/13/cybercrime.2009.review/index.html
Although confidentiality seems merely impossible on the internet, there are ways to ward off viruses. For example, although you cannot stop spam mail from being sent to your email account, you do not have to open the mail. As annoying as it may be, simply deleting the mail, rather than opening it and following links, would ward off a lot more viruses. Another tactic would be through purchasing antivirus software. Most laptops or computer systems run around several hundreds of dollars. As with any valuable asset, you would like insurance to keep viruses away and your product safe from danger.
However, as with any attacker, they learn how to get around the loopholes and get into your devices anyway. These critics fear hackers invading business transactions and finding out financial information and sensitive data. All they would have to do is get you to open the spammed email and click on a link. This would offer them disclosure of personal information, which would ultimately alter the integrity of bank statements, financial information, and other personal data.
One of the most striking concepts of the internet is that you are facing a computer screen. No one can see you and identify your actual identity. As long as you possess the correct information to forge the data and receive other information, then no questions will be asked. This poses a large threat to the future of e-commerce because no matter how much you restrict data and pose walls, some black hat hacker will come in and easily walk through them.
The only recommendation that I could make would be to keep people abreast of the newest advancements of security and ways in which they can protect themselves and their devices.
http://www.cnn.com/2009/TECH/12/13/cybercrime.2009.review/index.html
Sunday, December 13, 2009
Current event: TSA document exposed
Recently, a document of the Transportation Security Administration was inadvertently exposed through a private contractor of the cabinet department while consolidating. The process of redaction, when an organization consolidates literature into a more concise overview, can pose a security threat when this information is published. The final overview also needs to be more heavily guarded, because it contains more information in one location.
The scenario unfolded like this: An employee of contracted company was going through the Transportation Security literature, which directed TSA employees on the proper procedure for screening protocols used at more than 450 U.S airports, was posted on the Federal Businesses Opportunity website. It was posted in part of a TSA contract solicitation bid. A blogger discovered the document and passed it on to website administrators of anti-secrecy site Cryptome.org. They publicized the document and the confidential information began to spread across the web.
The problem in this case was a simple human error; the employee posted information that should have been kept confidential. The publishing of redacted information, however, goes much further than human errors however. The overarching issue causing this problems with redacted information is that organizations do not have a good understanding of the difference between redacted information in print, documents that are physically sent through the organization, and digital reacted information, sent or published electronically. In one case involving the department of defense, a document was published with the name of a Special Forces soldier that had been killed in Iraq that had been blacked out. The name was simply copy and pasted, and then the font was change. In the past, a marker could do a lot to redact a document. Today, however, technology has made it much easier to discover the information that has been disguised. Another common problem is that information that has been deleted or made indiscernible is the information has been already been recorded in the metadata of the file. In a case involving pharmaceutical giant Merck, information that had been simply deleted from a word document was later recovered through the metadata of the file.
Companies and government organizations (especially those subjected to the freedom of information act) are in a constant struggle between publishing information to the public and retaining information deemed private to the organization. The process of redaction in the new virtual world has made the struggle that much harder. Today, companies such as Redact-IT are selling software to remove confidential information from company documents. Even with these tools, redaction will continue to pose a threat to company struggling to be both private and public.
http://www.computerworld.com/s/article/9142141/Analysis_TSA_document_release_show_pitfalls_of_electronic_redaction?taxonomyId=17&pageNumber=2
The scenario unfolded like this: An employee of contracted company was going through the Transportation Security literature, which directed TSA employees on the proper procedure for screening protocols used at more than 450 U.S airports, was posted on the Federal Businesses Opportunity website. It was posted in part of a TSA contract solicitation bid. A blogger discovered the document and passed it on to website administrators of anti-secrecy site Cryptome.org. They publicized the document and the confidential information began to spread across the web.
The problem in this case was a simple human error; the employee posted information that should have been kept confidential. The publishing of redacted information, however, goes much further than human errors however. The overarching issue causing this problems with redacted information is that organizations do not have a good understanding of the difference between redacted information in print, documents that are physically sent through the organization, and digital reacted information, sent or published electronically. In one case involving the department of defense, a document was published with the name of a Special Forces soldier that had been killed in Iraq that had been blacked out. The name was simply copy and pasted, and then the font was change. In the past, a marker could do a lot to redact a document. Today, however, technology has made it much easier to discover the information that has been disguised. Another common problem is that information that has been deleted or made indiscernible is the information has been already been recorded in the metadata of the file. In a case involving pharmaceutical giant Merck, information that had been simply deleted from a word document was later recovered through the metadata of the file.
Companies and government organizations (especially those subjected to the freedom of information act) are in a constant struggle between publishing information to the public and retaining information deemed private to the organization. The process of redaction in the new virtual world has made the struggle that much harder. Today, companies such as Redact-IT are selling software to remove confidential information from company documents. Even with these tools, redaction will continue to pose a threat to company struggling to be both private and public.
http://www.computerworld.com/s/article/9142141/Analysis_TSA_document_release_show_pitfalls_of_electronic_redaction?taxonomyId=17&pageNumber=2
Friday, December 11, 2009
Cloud Computing
In general, cloud computing customers do not own the physical infrastructure, instead avoiding capital expenditure by renting usage from a third-party provider. They consume resources as a service and pay only for resources that they use. Many cloud-computing offerings employ the utility computing model, which is analogous to how traditional utility services (such as electricity) are consumed, whereas others bill on a subscription basis. Sharing "perishable and intangible" computing power among multiple tenants can improve utilization rates, as servers are not unnecessarily left idle (which can reduce costs significantly while increasing the speed of application development). A side-effect of this approach is that overall computer usage rises dramatically, as customers do not have to engineer for peak load limits. In addition, "increased high-speed bandwidth" makes it possible to receive the same response times from centralized infrastructure at other sites.
The majority of cloud computing infrastructure, as of 2009, consists of reliable services delivered through data centers and built on servers with different levels ofvirtualization technologies. The services are accessible anywhere that provides access to networking infrastructure. Clouds often appear as single points of access for all consumers' computing needs. Commercial offerings are generally expected to meet quality of service (QoS) requirements of customers and typically offer SLAs. Open standards are critical to the growth of cloud computing, and open source software has provided the foundation for many cloud computing implementations.
What happens when the cloud gets hacked? Google claims that could computing is the next "big thing" that they will attempt to use to drive their stock price up. On paper the concept seems simple and efficient but I just hope that security is the main priority. If a hacker gets access to the cloud they have free reign to anything and everything that is stored in the cloud. There is a lot a stake and like I said earlier I hope that the proper measures are taken to ensure that the integrity of its users information.
-source http://en.wikipedia.org/wiki/Cloud_computing
Senate Committee Passes Data Breach Laws
The U.S. Senate Judiciary Committee passes two bills that establish federal guidelines for data breach notifications.
Two sweeping bills that would set new standards for data breach notifications made their way out of the Senate Judiciary Committee Nov. 5.
The committee voted yes on the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139). The vote means the bills are now headed to the full Senate for its stamp of approval.
The Personal Data Privacy and Security Act of 2009 establishes guidelines for performing risk assessments and vulnerability testing and controlling and logging access to sensitive information. There are also provisions tied to protecting data in transit and at rest, and a set of rules for notifying law enforcement, credit reporting agencies and individuals affected by a breach.
In addition, the bill creates the Office of Federal Identity Protection inside the Federal Trade Commission.
The committee also gave the thumbs up to the Data Breach Notification Act, which requires U.S. agencies and corporations involved in interstate commerce to notify anyone whose personal information either was or may have been accessed or acquired in a breach.
Agree?
source-http://www.eweek.com/c/a/Security/Senate-Committee-Passes-Data-Breach-Laws-590570/
New Federal Data Breach Notification Law Passes House
While discussing the majority of our cases in class, a frequent question always revolved around whether or not customers should be notified of a data breach. If the new law that passed the House this week gets signed into law, this will no longer be an issue. Currently any laws requiring disclosure are made individually by the states. However, it is starting to look like this will no longer be the case. The law states that if there is a breach of security for any person who is involved in interstate commerce and electronically holds personal information of others that two things must take place:
Ultimately, it appears that the legislation is trying to make information security an important topic for the people. It is obvious that data breaches are going to occur, and people need guidance about how to respond to these breaches. This law will help with that. A federal mandate requiring all those affected to be notified when a breach occurs will help ensure that people are aware when their information is at stake.
Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1376407,00.html
- "notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and
- notify the Federal Trade Commission."
Ultimately, it appears that the legislation is trying to make information security an important topic for the people. It is obvious that data breaches are going to occur, and people need guidance about how to respond to these breaches. This law will help with that. A federal mandate requiring all those affected to be notified when a breach occurs will help ensure that people are aware when their information is at stake.
Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1376407,00.html
HSBC Data Theft
HSBC, the world's largest banking group, has confirmed that data theft by a former employee occurred at the company between 2006 and 2007. While only about 10 records were taken, the underlying problem of data theft by employees. The employee has been charged in the theft. It appears that the employee took the data in hopes of selling it for profit. The data eventually ended up in the hands of the French Government, who had been investigating tax dodgers. The French Government insists they received the information to assess its validity, but did not pay for the data.
The main problem with this breach was that the employee in question was a part of the Information Technology department and therefore seems to have had legitimate access to the data which was stolen. It becomes tricky to deal with these situations because on the one hand, protecting your client's data is of the utmost importance, while on the other hand your IT group needs to be able to access a large amount of information in order to perform the tasks of their job effectively. The company needs to of course perform thorough background checks prior to hiring anyone who works closely with this sensitive data. Really though, it comes down to the managers keeping a close eye on what their employees are doing in their work.
http://www.computerworld.com/s/article/9142139/HSBC_confirms_data_theft_by_former_employee?taxonomyId=17
The main problem with this breach was that the employee in question was a part of the Information Technology department and therefore seems to have had legitimate access to the data which was stolen. It becomes tricky to deal with these situations because on the one hand, protecting your client's data is of the utmost importance, while on the other hand your IT group needs to be able to access a large amount of information in order to perform the tasks of their job effectively. The company needs to of course perform thorough background checks prior to hiring anyone who works closely with this sensitive data. Really though, it comes down to the managers keeping a close eye on what their employees are doing in their work.
http://www.computerworld.com/s/article/9142139/HSBC_confirms_data_theft_by_former_employee?taxonomyId=17
Cyber Crime Hits Businesses Through Social Media
I know that in class we had discussed how social networking sites tend to put a lot of us as individuals at risk for being exploited by hackers. I think that most of us have received those suspicious Facebook messages with a like attached to it, with the message saying something like "Is that you in this picture?", or something to that effect. However, this article that I came across goes into the detail of how social networking sites also have an impact on small-to-medium size businesses (according to Cisco Systems Inc.'s annual report on network security). A large portion of the US population is registered to some form of a networking site, such as Facebook, Myspace, LinkedIn, etc.; this is especially applicable to our generation, as we grew up with these services, and I think that we will transition to the corporate world without disabling our Facebook accounts. Most of these social networks tend to be useful in allowing us to remain in contact with friends and acquaintances, and especially as people tend to grow apart, these applications do provide a convenient way to try to reconnect with those people.
However, the problematic situation involving social networking sites affecting businesses arises when people, particularly those getting ready to enter into the corporate world, tend to mix their professional and social aspects of their life together. For example, according to the article, some businesses do try to ban employees from accessing these sites while at the workplace (and therefore connected to the company's network); unfortunately, this seems like an impractical scenario, since it is becoming more and more common for colleagues to contact each other using the messaging tools on these networking sites. Additionally, as we discussed in class, some business also are realizing the value of using social networking sites to discover more information about prospective employees, which further blurs the lines between social and professional areas. Knowing this, attackers are finding more creative ways to try to exploit business vulnerabilities through social networking sites. Because most social networking users do not take necessary precautions to protect themselves while on these sites (such as not opening suspicious emails and links that are sent from 'friends'), this facilitates a hacker's task to access the company's network, whether this be with a virus, trojans, keylogging programs, or other malware contained in the message sent to the individual employee.
I think that one obvious solution that companies could try to implement would be to simply ban the use of social networking sites completely, but as stated before, it seems impractical given how commonly/frequently it is used by most people nowadays. Frankly, I think that the most that companies can do is enforce precaution, and to educate it's employees on the dangers that are available through social networking sites. Companies should also conduct routine security checks/scans on their individual machines, as well as the company's system, in order to check for any malware that may have installed itself after a particular message was opened. While these recommendations will prolly not completely prevent businesses from being exploited, they should certainly mitigate the chances of these events happening.
Source: http://news.thomasnet.com/IMT/archives/2009/12/cyber-crime-hits-businesses-through-social-networking-media-security-vulnerabilities.html
However, the problematic situation involving social networking sites affecting businesses arises when people, particularly those getting ready to enter into the corporate world, tend to mix their professional and social aspects of their life together. For example, according to the article, some businesses do try to ban employees from accessing these sites while at the workplace (and therefore connected to the company's network); unfortunately, this seems like an impractical scenario, since it is becoming more and more common for colleagues to contact each other using the messaging tools on these networking sites. Additionally, as we discussed in class, some business also are realizing the value of using social networking sites to discover more information about prospective employees, which further blurs the lines between social and professional areas. Knowing this, attackers are finding more creative ways to try to exploit business vulnerabilities through social networking sites. Because most social networking users do not take necessary precautions to protect themselves while on these sites (such as not opening suspicious emails and links that are sent from 'friends'), this facilitates a hacker's task to access the company's network, whether this be with a virus, trojans, keylogging programs, or other malware contained in the message sent to the individual employee.
I think that one obvious solution that companies could try to implement would be to simply ban the use of social networking sites completely, but as stated before, it seems impractical given how commonly/frequently it is used by most people nowadays. Frankly, I think that the most that companies can do is enforce precaution, and to educate it's employees on the dangers that are available through social networking sites. Companies should also conduct routine security checks/scans on their individual machines, as well as the company's system, in order to check for any malware that may have installed itself after a particular message was opened. While these recommendations will prolly not completely prevent businesses from being exploited, they should certainly mitigate the chances of these events happening.
Source: http://news.thomasnet.com/IMT/archives/2009/12/cyber-crime-hits-businesses-through-social-networking-media-security-vulnerabilities.html
Security Review: Cellphones (in general)
I think it's safe to say that cellphones have become a rather common part of our daily life, and that nowadays, getting a cellphone is sort of like a rite of passage; it is not uncommon to see the average fifth grader walking around with a small, compact, and handy cellphone today (whereas when I was in fifth grade, having a cellphone was still that bulky thing with a long antenna that your parents carried with them). I hardly ever walk out the door without my phone with me, and if I happen to forget it, I feel a little out of the loop and disconnected from everyone else, as it has become a primary mode of communication for me. Granted that I only really use it for text messaging and making phone calls, but these little actions have become very routine in my life, as I'm sure it has for most people, as well.
Another feature of cellphones is that they become highly personalized, and not just another item to the user: we choose our wallpapers, customize ringtones for our friends, use nicknames for our contacts. Though these little customizations make our user experience more enjoyable and more convenient, they also so present some inherit security flaws as well. For example, if you happened to lose your phone, or worse, if it was stolen, what's to say that someone would not try to exploit this vulnerability? A lot of cellphones nowadays (whether they be as basic as my Samsung phone to as powerful as a Blackberry or iPhone) have some security features in an attempt to keep access restricted to only the user, such as PIN numbers or passwords. However, I know that there are also several people who don't use these password features, probably for mostly convenience purposes. So what risks are there to these users?
With regards to security goals, I think that cellphone users intend to be the only ones using their cellphones. As I pointed out, cellphones generally do include certain security features such as PIN numbers and passwords that can be changed and customized as the user wants to. Users would use this security feature in order to maintain a level of confidentiality: users want to keep their voicemails private, and may not want others to be looking through their text message inboxes without their consent. The media, and even within our circle of friends, gives us instances where some unfriendly spats result from a friend looking through another friend's cellphone messages, whether it was done out of curiosity of malice. Users may also want cellphone security features in order to keep the integrity of information that they receive through it, too. If someone accessed your cellphone without your knowledge, they pose as you and contact your friends and family for certain information, or they could change certain features within your cellphone, making it less usable (changing names of contacts, etc.). With regards to accessibility, users use cellphone security features in order to make sure that the right people (the user, and those to whom the user gives permission) are able to use the cellphone and access the information inside of it.
If I were an attacker trying to exploit this technology, there are several goals that I could have. With regards to disclosure, I could easily look through a cellphone's messages, and then spread around any personal information that I may find from that search, or use it to my advantage. I could go through the cellphone and change the names/phone numbers of contacts, or maybe delete certain text messages or voicemails that the user may find to be important, which would be a goal involving alteration. I could also just change the password of the phone and just make it unusable for the user, which in turn would just present additional frustrations to the victim.
I think that if users don't use the cellphone security features (i.e. PIN numbers and passwords), they do put themselves at great risk to being exploited by attackers. Having your cellphone stolen is another vulnerabilty that users face with cellphones; since they are rather small and compact, there is not really a great deal of effort involved in picking up a phone that may be left unattended on a desk or table. However, there is also another aspect of cellphones that I think go unnoticed as a vulnerability. As I mentioned before, we tend to customize our cellphones in order to make them more convenient for us to use. For example, instead of wanting to write out proper names of our contacts (First name, Last name, etc.), we may want to use nicknames, like "Mom", "Dad", and the likes. Take a lot less writing, and we know exactly who we are referring to by using those nicknames. Unfortunately, attackers may also try to take advantage of this convenience. My roommate recently got an email from her dad that described a woman's phone being stolen, and then the attacker text messaged her husband asking for some sensitive information (like Social Security Numbers). The woman's husband responded quickly with the information, which thus resulted in the theft of the woman's identity. How did the attacker know which contact number belonged to the woman's husband? Well, he was listed under "Hubby", short for "Husband". In this scenario, not only was the cellphone not protected with any password, but she also listed her contacts based on her relationship with the individuals, which made it easier for the attacker to steal her information.
I think that as cellphone users, we generally take for granted that we think it's not very likely that our phones will be lost/stolen, or that people that we are around won't try to sift through our message inboxes looking for information. Therefore, we don't feel a great need to protect ourselves as well as we should. Not until something bad happens, anyways.
Just because there are inherit risks, however, this does not mean that users will stop using this technology, as they do provide a great deal of usefulness and convenience to our daily lives. I think that there are a variety of approaches that a user can take with regards to using cellphones and dealing with the risks. First, as I did just mention, though there are risks to having a cellphone, I highly doubt that people will forgo using them all together, because the benefits of a cellphone (in my opinion) tend to outweight the disadvantages. As a result, a user inevitably has to accept certain risks that come with owning a cellphone. For example, because cellphones are so compact, they are rather easy to steal at any time, whether the theft is as easy as just swiping the cell off of a desktop, or pickpocketing off of an unsuspecting individual. However, users can also try to mitigate the amount of damage that could arise from an attacker trying to use the cellphone without permission. A user can make their cellphone password protected, and while this is not completely fool-proof, it may be somewhat effective in dissuading an attacker from trying to "break in". A user could also make sure to not list their phone contacts according to the nature of their relationships. For instance, list people by their fullnames, as opposed to nicknames such as Mom, Dad, Hubby, etc. Names that suggest personal relationships could present opportunities for someone trying to steal information about you. Also, I would recommend not texting or leaving voicemails containing sensitive information such as Social Security numbers, passwords, or credit card numbers. It is a simple task to listen to a few messages, or look through a text message inbox, though the results of having such information in the hands of the wrong people is very damaging.
Another feature of cellphones is that they become highly personalized, and not just another item to the user: we choose our wallpapers, customize ringtones for our friends, use nicknames for our contacts. Though these little customizations make our user experience more enjoyable and more convenient, they also so present some inherit security flaws as well. For example, if you happened to lose your phone, or worse, if it was stolen, what's to say that someone would not try to exploit this vulnerability? A lot of cellphones nowadays (whether they be as basic as my Samsung phone to as powerful as a Blackberry or iPhone) have some security features in an attempt to keep access restricted to only the user, such as PIN numbers or passwords. However, I know that there are also several people who don't use these password features, probably for mostly convenience purposes. So what risks are there to these users?
With regards to security goals, I think that cellphone users intend to be the only ones using their cellphones. As I pointed out, cellphones generally do include certain security features such as PIN numbers and passwords that can be changed and customized as the user wants to. Users would use this security feature in order to maintain a level of confidentiality: users want to keep their voicemails private, and may not want others to be looking through their text message inboxes without their consent. The media, and even within our circle of friends, gives us instances where some unfriendly spats result from a friend looking through another friend's cellphone messages, whether it was done out of curiosity of malice. Users may also want cellphone security features in order to keep the integrity of information that they receive through it, too. If someone accessed your cellphone without your knowledge, they pose as you and contact your friends and family for certain information, or they could change certain features within your cellphone, making it less usable (changing names of contacts, etc.). With regards to accessibility, users use cellphone security features in order to make sure that the right people (the user, and those to whom the user gives permission) are able to use the cellphone and access the information inside of it.
If I were an attacker trying to exploit this technology, there are several goals that I could have. With regards to disclosure, I could easily look through a cellphone's messages, and then spread around any personal information that I may find from that search, or use it to my advantage. I could go through the cellphone and change the names/phone numbers of contacts, or maybe delete certain text messages or voicemails that the user may find to be important, which would be a goal involving alteration. I could also just change the password of the phone and just make it unusable for the user, which in turn would just present additional frustrations to the victim.
I think that if users don't use the cellphone security features (i.e. PIN numbers and passwords), they do put themselves at great risk to being exploited by attackers. Having your cellphone stolen is another vulnerabilty that users face with cellphones; since they are rather small and compact, there is not really a great deal of effort involved in picking up a phone that may be left unattended on a desk or table. However, there is also another aspect of cellphones that I think go unnoticed as a vulnerability. As I mentioned before, we tend to customize our cellphones in order to make them more convenient for us to use. For example, instead of wanting to write out proper names of our contacts (First name, Last name, etc.), we may want to use nicknames, like "Mom", "Dad", and the likes. Take a lot less writing, and we know exactly who we are referring to by using those nicknames. Unfortunately, attackers may also try to take advantage of this convenience. My roommate recently got an email from her dad that described a woman's phone being stolen, and then the attacker text messaged her husband asking for some sensitive information (like Social Security Numbers). The woman's husband responded quickly with the information, which thus resulted in the theft of the woman's identity. How did the attacker know which contact number belonged to the woman's husband? Well, he was listed under "Hubby", short for "Husband". In this scenario, not only was the cellphone not protected with any password, but she also listed her contacts based on her relationship with the individuals, which made it easier for the attacker to steal her information.
I think that as cellphone users, we generally take for granted that we think it's not very likely that our phones will be lost/stolen, or that people that we are around won't try to sift through our message inboxes looking for information. Therefore, we don't feel a great need to protect ourselves as well as we should. Not until something bad happens, anyways.
Just because there are inherit risks, however, this does not mean that users will stop using this technology, as they do provide a great deal of usefulness and convenience to our daily lives. I think that there are a variety of approaches that a user can take with regards to using cellphones and dealing with the risks. First, as I did just mention, though there are risks to having a cellphone, I highly doubt that people will forgo using them all together, because the benefits of a cellphone (in my opinion) tend to outweight the disadvantages. As a result, a user inevitably has to accept certain risks that come with owning a cellphone. For example, because cellphones are so compact, they are rather easy to steal at any time, whether the theft is as easy as just swiping the cell off of a desktop, or pickpocketing off of an unsuspecting individual. However, users can also try to mitigate the amount of damage that could arise from an attacker trying to use the cellphone without permission. A user can make their cellphone password protected, and while this is not completely fool-proof, it may be somewhat effective in dissuading an attacker from trying to "break in". A user could also make sure to not list their phone contacts according to the nature of their relationships. For instance, list people by their fullnames, as opposed to nicknames such as Mom, Dad, Hubby, etc. Names that suggest personal relationships could present opportunities for someone trying to steal information about you. Also, I would recommend not texting or leaving voicemails containing sensitive information such as Social Security numbers, passwords, or credit card numbers. It is a simple task to listen to a few messages, or look through a text message inbox, though the results of having such information in the hands of the wrong people is very damaging.
Thursday, December 10, 2009
Security Review: Gift Cards
The holiday season is upon us. Besides spending time with family and friends, we also find ourselves searching high and low for the perfect gift for those special ones in our lives. Many times, we believe a gift card will do the trick. However, what if the person receiving this gift card from you was unable to use it? What if the credit on the gift card has already been used? This is a likely and realistic scenario in the current age of hacking.
Gift card security is a topic of recent concern amongst a number of popular corporations including Best Buy, Starbucks, and Toys R Us. Originally, gift cards were simple cards with a serial number on the back of the card. Once purchased, the serial number and the credit associated with the card is activated. Although the most logical approach, this technique of activation has become very vulnerable to theft. Gift card hacking has become a common enterprise and corporations are feeling the consequences. Individuals will go to the counter, write down the serial numbers on the card, and periodically check online as to whether the card has been activated or not. Once activated, the hacker will go on a online shopping spree with no trace of who they are. Neither the owner of the card nor the company has any control. Obviously, something needs to be done.
This holiday season, new and improved activation techniques are in place to ensure the right people are using these gift cards. Stores are investing into various mitigation techniques to reduce the risk of theft. One precaution taken by virtually all stores is selling the cards behind the counter- enhancing security. Another mitigation technique that is being used is coating the back of the gift card. The coating is to then be scratched off to access the serial number before being able to purchase any desired products. Yet another procedure being initiated by stores is passwords attributed to specific gift cards so that the purchaser has the sole ability to use it. All in all, small steps are being taken to avoid the risk of gift card theft.
Overall, in my opinion, the whole gift card industry is a very high-risk enterprise. Individuals who chose to circumvent the law will find ways to acquire gift card information. I do believe mitigating the risk within the stores is the first and most important step that needs to be taken. An idea I have not heard much about is sealing the entire gift card with an envelope of sorts. Another idea would be to have an activation code in order to access the serial number on the card. Finally, another idea would be instituting identity checks when using the card. Signatures and photo identification could be useful with in store purchases while social security numbers and other personal information be required for online purchases. All these minor mitigation techniques might seem small in the overall picture but if enough hurdles are presented to hackers, the risk of the gift card will be lessened.
Source: http://www.schneier.com/blog/archives/2006/12/gift_card_hack.html
Gift card security is a topic of recent concern amongst a number of popular corporations including Best Buy, Starbucks, and Toys R Us. Originally, gift cards were simple cards with a serial number on the back of the card. Once purchased, the serial number and the credit associated with the card is activated. Although the most logical approach, this technique of activation has become very vulnerable to theft. Gift card hacking has become a common enterprise and corporations are feeling the consequences. Individuals will go to the counter, write down the serial numbers on the card, and periodically check online as to whether the card has been activated or not. Once activated, the hacker will go on a online shopping spree with no trace of who they are. Neither the owner of the card nor the company has any control. Obviously, something needs to be done.
This holiday season, new and improved activation techniques are in place to ensure the right people are using these gift cards. Stores are investing into various mitigation techniques to reduce the risk of theft. One precaution taken by virtually all stores is selling the cards behind the counter- enhancing security. Another mitigation technique that is being used is coating the back of the gift card. The coating is to then be scratched off to access the serial number before being able to purchase any desired products. Yet another procedure being initiated by stores is passwords attributed to specific gift cards so that the purchaser has the sole ability to use it. All in all, small steps are being taken to avoid the risk of gift card theft.
Overall, in my opinion, the whole gift card industry is a very high-risk enterprise. Individuals who chose to circumvent the law will find ways to acquire gift card information. I do believe mitigating the risk within the stores is the first and most important step that needs to be taken. An idea I have not heard much about is sealing the entire gift card with an envelope of sorts. Another idea would be to have an activation code in order to access the serial number on the card. Finally, another idea would be instituting identity checks when using the card. Signatures and photo identification could be useful with in store purchases while social security numbers and other personal information be required for online purchases. All these minor mitigation techniques might seem small in the overall picture but if enough hurdles are presented to hackers, the risk of the gift card will be lessened.
Source: http://www.schneier.com/blog/archives/2006/12/gift_card_hack.html
Are you friends with a rubber duck?
As discussed with the case study today in class, people are becoming far too laid back when it comes to social networking sites. When these sites were initially created, it was simply a way to share information with your friends. Now, these sites are a wealth of information for hackers. A recent study done by Sophos showed that even today, when security should be growing, people still don't hesitate to give out their information to complete strangers. In 2009, Sophos created fake Facebook accounts and friend-requested random strangers to see if they would accept. Two different accounts were made. One for a 21-year old single woman and one for a 56-year old married woman. The 21-year old requested 100 people in a group of 20-something year olds, and the 56-year old was in a group of 50-something year olds. 46% of the people contacted accepted these friend requests. This number has actually increased from what it was the last time this test was conducted. In 2007, only 41% responded to a request from a man named "Freddi Staur". The funny thing about both of these tests, though, is that the only pictures shown for the profiles of these accounts was a toy frog in 2007 and a rubber duck in 2009. Oftentimes you hear about fake accounts being created with a picture of a hot, young girl saying she met you last night at a party. In this case, the picture was of a toy, and yet almost half of the population still accepted these friend requests. Even more astonishingly, the numbers have increased in the last 2 years. An opposite effect has occurred with privacy settings, however. Facebook has been increasing their privacy settings substantially as of late because of hacking. The problem is even if you have very strict privacy settings, as soon as you accept a friend request, your friends have access to all of your information. This study showed that people who accepted the friend request gave away information such as their full birthdays, email address, and even phone numbers. As it was pointed out in the article, ten years ago, it would have taken hackers weeks to find this type of information on people by using private investigators, digging up information, even fishing in garbage cans. Now, people make it available for the entire world to see. The moral of the story is only post necessary information on your Facebook page, make your information heavily protected by privacy settings, and don't accept people you don't know as your friends.
http://www.computerworld.com/s/article/9141913/Facebook_users_fall_for_rubber_duck_s_friend_request?taxonomyId=82
http://www.computerworld.com/s/article/9141913/Facebook_users_fall_for_rubber_duck_s_friend_request?taxonomyId=82
Internet Explorer Under Attack
According to Computer World, a problem with Internet Explorer has recently emerged. Last month, a code was posted to the Bugtraq mailing list by an unknown hacker that could maliciously affect Internet Explorer versions 6 and 7. The code was confirmed to affect IE 6 and 7 by security analysts. The code apparently exploits flaws in the way in which IE 6 and 7 retrieves objects from CSS (cascading style sheets). If a hacker can lure a victim to a particular website while using IE 6 or 7, the code can be used to install malicious software on the users computer when they are using the website. This code is very valuable to hackers. IE 6 and 7 currently hold 40% of the market share for internet providers. That is a potentially huge market of internet users for hackers to exploit. Also, if a code could be made for versions 6 and 7 of Internet Explorer, it's possible that a code be created for Microsoft's most recent version, IE8, which could be even more dangerous if in the hands of hackers. Microsoft must be on the lookout for hackers to exploit these weaknesses in Internet Explorer and be prepared to create patches to fix the problems.
An article posted today on Computer World contained updates pertaining to Microsoft's handling of this potential security breach. According to the article, Microsoft immediately issued a patch just 18 days after the code was leaked publicly. New information, though, reveals that Microsoft may have known about the potential problem 6 months before the code was leaked. The vulnerability was apparently reported to Microsoft in June, but it wasn't until the code was leaked that Microsoft jumped to do anything. They report that Microsoft confirmed the vulnerability 3 days after the code was made public, and issued a patch shortly after. Microsoft was applauded for their quick response to the problem, but it was because they were so much faster than usual that people began to suspect that they may have known for longer. No attacks using the code have actually surfaced yet, though, so Microsoft isn't facing any recourse for not revealing the vulnerability when they first found out about it. Because the patch is out there and the problem can be fixed before the problem is too big, Microsoft may be in the clear.
http://www.computerworld.com/s/article/9141278/New_attack_fells_Internet_Explorer
http://www.computerworld.com/s/article/9142078/Microsoft_knew_of_just_patched_IE_zero_day_for_months
An article posted today on Computer World contained updates pertaining to Microsoft's handling of this potential security breach. According to the article, Microsoft immediately issued a patch just 18 days after the code was leaked publicly. New information, though, reveals that Microsoft may have known about the potential problem 6 months before the code was leaked. The vulnerability was apparently reported to Microsoft in June, but it wasn't until the code was leaked that Microsoft jumped to do anything. They report that Microsoft confirmed the vulnerability 3 days after the code was made public, and issued a patch shortly after. Microsoft was applauded for their quick response to the problem, but it was because they were so much faster than usual that people began to suspect that they may have known for longer. No attacks using the code have actually surfaced yet, though, so Microsoft isn't facing any recourse for not revealing the vulnerability when they first found out about it. Because the patch is out there and the problem can be fixed before the problem is too big, Microsoft may be in the clear.
http://www.computerworld.com/s/article/9141278/New_attack_fells_Internet_Explorer
http://www.computerworld.com/s/article/9142078/Microsoft_knew_of_just_patched_IE_zero_day_for_months
Android Technology: Security Review
Android is the operating system created by Google in 2005 to be used for its new wave of Google smart phones. One of its biggest contrasts to the other systems being used by popular names such as Iphone and BlackBerry is that it allows technology developers to freely create applications that can become available on the Android Market.
The benefits of this are that it fosters creativity and gives users a platform for exposure and profit. However it also poses many threats because there is the possibility of downloading corrupted files and damaging your phone because of viruses or malfunctions that could be passed on from the developers computer and/or phone.
Therefore, Android must take increased precautions and security procedures in order to protect their users. Otherwise, Google is leaving phone owners exposed to security threats through mobile web just as a regular computer. The more our phones become like desktops and laptops, the greater enhancements are needed to insure security. Therefore, Google has looked to inter net security in order to devise ways to protect their operating system. Android is currently taking steps to reduce the possibility of attacks such as implementing software that blocks one android application user from another. It also blocks an application from accessing other programs on the phone such as pictures and media software.
Android is a new technology and Google seems to be very conscience of their responsibility in protecting users. However as in many security issues, potential victims must also be accountable when using the technology. I personally have Android and Android Market on my Google HTC Hero and I enjoy looking through the Apps for games and other programs. But I am very cautious when downloading/installing. I look at the reviews and make sure that there are no glitches which could effect my phone. I also searched for an antivirus program which was recommended by my phone carrier. I use this program to scan my phone about once a week to be sure that no malicious software (malware) or viruses. I am also cautious when browsing my mobile web just as if I am using my laptop because I know that many of the same risks apply.
It is almost impossible to have a perfectly secure operating system, especially one that also allows the free and convenient communication that its users that have come to expect in our technology driven era. The responsibly lies with Android, the phone carrier, and also the phone users to make sure that their their mobile devices remain as safe and secure as possible.
References:
The benefits of this are that it fosters creativity and gives users a platform for exposure and profit. However it also poses many threats because there is the possibility of downloading corrupted files and damaging your phone because of viruses or malfunctions that could be passed on from the developers computer and/or phone.
Therefore, Android must take increased precautions and security procedures in order to protect their users. Otherwise, Google is leaving phone owners exposed to security threats through mobile web just as a regular computer. The more our phones become like desktops and laptops, the greater enhancements are needed to insure security. Therefore, Google has looked to inter net security in order to devise ways to protect their operating system. Android is currently taking steps to reduce the possibility of attacks such as implementing software that blocks one android application user from another. It also blocks an application from accessing other programs on the phone such as pictures and media software.
Android is a new technology and Google seems to be very conscience of their responsibility in protecting users. However as in many security issues, potential victims must also be accountable when using the technology. I personally have Android and Android Market on my Google HTC Hero and I enjoy looking through the Apps for games and other programs. But I am very cautious when downloading/installing. I look at the reviews and make sure that there are no glitches which could effect my phone. I also searched for an antivirus program which was recommended by my phone carrier. I use this program to scan my phone about once a week to be sure that no malicious software (malware) or viruses. I am also cautious when browsing my mobile web just as if I am using my laptop because I know that many of the same risks apply.
It is almost impossible to have a perfectly secure operating system, especially one that also allows the free and convenient communication that its users that have come to expect in our technology driven era. The responsibly lies with Android, the phone carrier, and also the phone users to make sure that their their mobile devices remain as safe and secure as possible.
References:
Apple Removes 1,000 Apps After Scam
On December 9, Apple removed over 1,000 applications from the iTunes store following complaints of suspicious programs. The Chinese application development company, Molinker will no longer be allowed to sell software on Apple’s online store.
Most of Molinker’s products were low quality copies of well known applications already available on iTunes. Nevertheless, Molinker was able to keep its programs on the most popular and even staff’s pick lists. The programs consistently had very favorable ratings in reviews. Apple officials now believe that Molinker had offered promotional codes and even free copies of apps to those who willing to write 5-star favorable reviews in return.
iPhoneography, an independent blog group that offers reviews on iPhone photo applications was the first to become suspicious and contact Apple. They noticed that reviews often offered little or poorly written text. In addition, mostly 5-star ratings were posted, with no middle range views, and a few poor reviews from legitimate users. Tracking the usernames, iPhoneography discovered that the reviews were only written for Molinker applications, an unusual trend.
In response, Apple quietly removed all of Molinker’s applications. There is no word on whether refunds will be given to scammed users, seeing that Apple receives a considerable percent of iTunes purchases.
The root of the problem is similar to frauds taking place on Facebook and MySpace which allow outside software developers. Often, the extensive volume of applications does not undergo extensive review. Without quality controls in place, users can easily become victims purchasing applications from reputable sites such as iTunes
Apple would be wise to establish review criteria for new and existing applications.
Rather than allow ratings to determine software legitimacy, it should ensure proper contact channels to report suspicious or low-quality knockoff software.
Users should also be vigilant before purchasing online software. Ratings can provide useful information, but they are not always credible. Molinker was successful in a form of social engineering, luring new customers with seemingly favorable reviews. Even large sites such as the iTunes store are subject to scam by the very nature of their setup.
Apple expels 1,000 apps after store scam
http://www.cnn.com/2009/TECH/12/09/wired.apple.apps/index.html
Most of Molinker’s products were low quality copies of well known applications already available on iTunes. Nevertheless, Molinker was able to keep its programs on the most popular and even staff’s pick lists. The programs consistently had very favorable ratings in reviews. Apple officials now believe that Molinker had offered promotional codes and even free copies of apps to those who willing to write 5-star favorable reviews in return.
iPhoneography, an independent blog group that offers reviews on iPhone photo applications was the first to become suspicious and contact Apple. They noticed that reviews often offered little or poorly written text. In addition, mostly 5-star ratings were posted, with no middle range views, and a few poor reviews from legitimate users. Tracking the usernames, iPhoneography discovered that the reviews were only written for Molinker applications, an unusual trend.
In response, Apple quietly removed all of Molinker’s applications. There is no word on whether refunds will be given to scammed users, seeing that Apple receives a considerable percent of iTunes purchases.
The root of the problem is similar to frauds taking place on Facebook and MySpace which allow outside software developers. Often, the extensive volume of applications does not undergo extensive review. Without quality controls in place, users can easily become victims purchasing applications from reputable sites such as iTunes
Apple would be wise to establish review criteria for new and existing applications.
Rather than allow ratings to determine software legitimacy, it should ensure proper contact channels to report suspicious or low-quality knockoff software.
Users should also be vigilant before purchasing online software. Ratings can provide useful information, but they are not always credible. Molinker was successful in a form of social engineering, luring new customers with seemingly favorable reviews. Even large sites such as the iTunes store are subject to scam by the very nature of their setup.
Apple expels 1,000 apps after store scam
http://www.cnn.com/2009/TECH/12/09/wired.apple.apps/index.html
H1N1 Phishing Scam
We all know that there are a variety of phishing scams that can be used to target personal information and other personal data to compromise both someone’s identity and any other information that can be used on personal accounts. The newest phishing scam has come about with one of the newest diseases that have struck our nation. Illinois residents are being warned by Dr. Damon Arnold, director of the Illinois Department of Public Health, to be on the lookout for phishing scams asking for personal information in order to qualify for the H1N1 vaccination being offered.
These e-mails are targeting Illinois residents and are claiming to be from the U.S. Center for Disease Control and Prevention. In the e-mail it states, “that anyone 18 years or older has to create the personal vaccination profile on the CDC Web site. The Illinois Department of Public Health has issued a statement informing residents to delete these e-mails and that no program has been set up to implement a vaccination program through registration. Likewise, anyone who receives the e-mail and clicks the link is subjecting himself or herself to malicious code being entered onto their computers.
As we know, there are steps that can be used to remove yourself from any situation that might be a phishing scam. Only reading e-mails from users, people, or programs that you know is vital in keeping your personal information away from risk. Also, when clicking links, know the websites you are accessing and do not enter information on any website that is not secure. These are a few steps at marinating your identity and not becoming a victim to identity thieves.
Source:
http://www.nwherald.com/articles/2009/12/07/r_eiirenekrs6vnw8upmlgq/index.xml
Yahoo Login Credentials are Subject to New Phishing Scam
A statement issued by Trusteer Inc. claims that a new phishing scam is targeting customers who “use content management systems rub by Yahoo and other service providers.” Trusteer Inc. is, according to its website, “a privately held corporation founded by senior Internet security industry executives with specific expertise in enterprise and consumer desktop security.” Yahoo customers are receiving phony e-mails that are asking these users to confirm their account information, and in the process putting their account at risk. These phishing e-mails ask for sensitive information and data that compromise the Yahoo accounts. Defined by Wikipedia, “Phishing scams are fraudulent processes that attempt to acquire sensitive information.” After receiving this information, the cybercriminals use the stolen account to set up fake bank websites to steal funds from other Internet users.
Along with setting up fake websites these hackers are using malicious code to cause havoc on the Internet and are uploading this through the stolen info, all which is received through the phishing scam. Due to legit logins that are done through the content management website, these hackers go undetected and a breach is almost impossible to detect until it is too late.
Trusteer Inc. can’t figure out where these emails are originating and are having a difficult time detecting where the hackers who set these fake websites up are residing. Likewise, in September researchers noted that attackers were using brute force attacks and scripts to bypass the original login requirements. People are researching these logins and are monitoring such actions as well.
I know we discuss these types of attacks all of the time and we make sure that we don’t reveal any personal or login information to a specific website without knowing who is asking for it. We see activities like this happening all of the time including our own Notre Dame Federal Credit Union. We will continue to see phishing scams and as in this specific example see different ways in which phishing scams are fulfilled.
Sources:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1376209,00.html
Wednesday, December 9, 2009
United States Census Bureau Concerned with Privacy on the Internet
Come the New Year, the federal government will be completing its periodic population census. The United States Census Bureau is telling Americans not to expect any e-mails from the Bureau in light of the recent age of e-mail scams and phishing attacks. No personal information such as PIN numbers, passwords, social security numbers, credit card numbers, bank account numbers, or any other financial account information will be requested via the Internet. Cybercriminals would most definitely target any website or email service receiving and storing such valuable data. The consequences of such a hack would be astronomical if a system containing every American’s personal information were to be infiltrated into.
Identity theft is becoming more and more of a problem in today’s society. And finally the federal government is beginning to take action. So many different networks and websites ask for personal information and store such data. The Identity Theft Resource Center has reported 379 data beaches affecting more than 13 million individual records as of September 22, 2009. More than 13 million? That is a significant number of people. Once again it must be recognized as to how much of a serious concern and security threat this is. Data and information security is becoming more and more vulnerable than ever before. Hackers are engineering new and innovative ways to access and infiltrate even the most secure networks.
Some of the ways to protect your personal information, which is stored on certain websites or just simply stored on your computer, are in actuality very user friendly. Make sure your Internet browser’s operating system has updated virus and spyware protection. Firewalls are especially useful in avoiding unwanted access to your computer’s network. Site advisors can be useful when trying to detect unwanted intruders. Throughout this semester, and this blog for that matter, it has been maintained that personal information across the World Wide Web is becoming more and more available to cybercriminals. Organizations, like the U.S. Census Bureau, need to continue taking the necessary security measures to ensure identity theft does not occur. If there is one thing I have taken away from this course, it has been the need and attention one must give in securing their personal information and identity. People must have the mindset that privacy on the Internet is virtually impossible.
Source: http://www.cnn.com/2009/TECH/09/28/online.security.tactics/index.html
Identity theft is becoming more and more of a problem in today’s society. And finally the federal government is beginning to take action. So many different networks and websites ask for personal information and store such data. The Identity Theft Resource Center has reported 379 data beaches affecting more than 13 million individual records as of September 22, 2009. More than 13 million? That is a significant number of people. Once again it must be recognized as to how much of a serious concern and security threat this is. Data and information security is becoming more and more vulnerable than ever before. Hackers are engineering new and innovative ways to access and infiltrate even the most secure networks.
Some of the ways to protect your personal information, which is stored on certain websites or just simply stored on your computer, are in actuality very user friendly. Make sure your Internet browser’s operating system has updated virus and spyware protection. Firewalls are especially useful in avoiding unwanted access to your computer’s network. Site advisors can be useful when trying to detect unwanted intruders. Throughout this semester, and this blog for that matter, it has been maintained that personal information across the World Wide Web is becoming more and more available to cybercriminals. Organizations, like the U.S. Census Bureau, need to continue taking the necessary security measures to ensure identity theft does not occur. If there is one thing I have taken away from this course, it has been the need and attention one must give in securing their personal information and identity. People must have the mindset that privacy on the Internet is virtually impossible.
Source: http://www.cnn.com/2009/TECH/09/28/online.security.tactics/index.html
Fake Fingerprint Surgery
A Chinese woman, Lin Rong, has been deported from Japan for overstaying her visa. To get back into the counter she had plastic surgery to alter her fingerprints. In doing so she illegally entered Japan by fooling immigration controls. The plastic surgery cost $15,000 to have the surgery in China where the doctors switched her fingerprints from her left hand to her right hand. In doing so she was able to fool the fingerprint scanners. According to the police it is the first case of biometric fraud and is becoming a more widespread and common practice. She was eventually caught on a separate charge when she was faking a marriage with a Japanese man. The police noticed unnatural scars on her fingers and later concluded she had surgery to fool immigration fingerprint scanners.
This case shows the ability of illegal immigration into controls that have hi-tech controls. $15,000 is really that much when you consider how much it means to gain access to a country like the United States. The root cause of this intrusion is we rely on technology to identify persons. We talked in class about different authentication practices and how one could fool a fingerprint scanner by cutting someone's finger off and scanning it. This seemed unreasonable at the time, but who knows now? There may be a black market for people to give up their finger prints to illegal immigrants so that they can gain access to the United States and other countries.
To combat this there needs to be other forms of authentication to identify illegal immigrants other than fingerprinting. I'm not sure how it works for the US, but in countries like Japan new measures need to be adopted to deter surgeries like swapping fingerprints. It creates a black market of unnecessary surgeries.
source: http://news.bbc.co.uk/2/hi/asia-pacific/8400222.stm
This case shows the ability of illegal immigration into controls that have hi-tech controls. $15,000 is really that much when you consider how much it means to gain access to a country like the United States. The root cause of this intrusion is we rely on technology to identify persons. We talked in class about different authentication practices and how one could fool a fingerprint scanner by cutting someone's finger off and scanning it. This seemed unreasonable at the time, but who knows now? There may be a black market for people to give up their finger prints to illegal immigrants so that they can gain access to the United States and other countries.
To combat this there needs to be other forms of authentication to identify illegal immigrants other than fingerprinting. I'm not sure how it works for the US, but in countries like Japan new measures need to be adopted to deter surgeries like swapping fingerprints. It creates a black market of unnecessary surgeries.
source: http://news.bbc.co.uk/2/hi/asia-pacific/8400222.stm
Apartment Security System- Security Review
For the sake of safety, I will not mention the apartment complex by name, but one familiar to students has recently installed security systems in all of the apartments. The system is very basic in nature, and consists of a sensor on both the main door to each apartment, as well as on the doorframe. If the system is enabled and the connection between these sensors is broken (and whoever enters the apartment does not enter the code on the keypad) an alarm will sound. Also, if the resident pays a monthly fee the alarm will dial out to the police that someone has broken into the residence.
The three goals of security can all be applied to this device. First, concerning confidentiality, the system attempts to keep people who are unwanted out of the apartment. This is enabled by alerting others if a break-in occurs. Integrity is maintained in a very similar fashion to confidentiality. The alarm system notifies others if an unauthorized person enters the apartment. Hopefully, this will prevent the unauthorized person from being able to steal or destroy anything in the apartment. Finally, the alarm system is able to apply to availability. If a person is supposed to have access to the apartment, they will know the alarm code. This will prevent alerts that would go off even if authorized people enter the apartment. An attacker, in attempting to thwart the alarm system has the goals of disclosure and alteration. Once inside, they have access to areas that they should not. They will also be able to steal or destroy things in the apartment, which constitutes alteration.
There is a serious vulnerability in the security system that has been installed. First, there are no sensors on windows or the sliding glass door in each apartment. This means that unauthorized persons can force entry through these points without ever setting off the alarm. Additionally, there are no motion sensors within the apartments themselves. These would be able to detect if an unauthorized person was inside the apartment even if they had entered through some other point. Therefore, I feel that the apartment management's best choice is to mitigate risk by installing the aforementioned motion sensors. These will help detect intruders, and will help achieve the goal they had when they chose to install an alarm system.
The three goals of security can all be applied to this device. First, concerning confidentiality, the system attempts to keep people who are unwanted out of the apartment. This is enabled by alerting others if a break-in occurs. Integrity is maintained in a very similar fashion to confidentiality. The alarm system notifies others if an unauthorized person enters the apartment. Hopefully, this will prevent the unauthorized person from being able to steal or destroy anything in the apartment. Finally, the alarm system is able to apply to availability. If a person is supposed to have access to the apartment, they will know the alarm code. This will prevent alerts that would go off even if authorized people enter the apartment. An attacker, in attempting to thwart the alarm system has the goals of disclosure and alteration. Once inside, they have access to areas that they should not. They will also be able to steal or destroy things in the apartment, which constitutes alteration.
There is a serious vulnerability in the security system that has been installed. First, there are no sensors on windows or the sliding glass door in each apartment. This means that unauthorized persons can force entry through these points without ever setting off the alarm. Additionally, there are no motion sensors within the apartments themselves. These would be able to detect if an unauthorized person was inside the apartment even if they had entered through some other point. Therefore, I feel that the apartment management's best choice is to mitigate risk by installing the aforementioned motion sensors. These will help detect intruders, and will help achieve the goal they had when they chose to install an alarm system.
Tuesday, December 8, 2009
Skype Security
In recent months I have begun to turn to Skype more and more in my daily communications. Whenever I want to call home or talk to a friend abroad I turn to this VoIP system. In addition to using the Skype for computer to computer conversation, I also purchase small amounts of Skype dollars regularly to call landline and cellular phones from my computer so that I can check my email or work on an outline while I am on hold with a bank or something along those lines. My increasing usage of Skype leads me to question its security.
According to Skype.com, Skype uses encryption (256 bit), as well as digital certificates to protect customers’ Skype identities. The digital certificates prevent third parties from impersonating Skype users. These digital certificates supplement a customer’s Skype user name and password. In addition to keeping customers’ Skype identities safe, Skype also operates so that users’ computers are not made vulnerable to security threats by leaving the firewalls on a user’s network untouched. Skype also prevents adware, spyware, and malware from being installed on their customers’ computers.
While all of these measures that Skype takes to prevent creating vulnerabilities in their system, other sources claim that there are ways to hack into conversations and identities through Skype. For example, while it is not possible in all known circumstances to monitor an actual Skype conversation as a third party, it is possible to view call initiation as a third party on the Skype network. Also, Skype has a default “History” file that it saves on users’ computers that keeps a record of all of the conversations that that user has participated in. A hacker could easily find and compromise this file by using spyware to hack into a user’s computer.
Skype has responded to some, but not all, of these vulnerabilities with security patches and a security blog that warns users about scams, and attacks. It is for the individual user to decide whether or not the efforts that Skype takes to secure his or her information and privacy is thorough enough to convince him or her to continue using Skype.
Sources:
www.skype.com/security
en.wikipedia.org/wiki/Skype_security
According to Skype.com, Skype uses encryption (256 bit), as well as digital certificates to protect customers’ Skype identities. The digital certificates prevent third parties from impersonating Skype users. These digital certificates supplement a customer’s Skype user name and password. In addition to keeping customers’ Skype identities safe, Skype also operates so that users’ computers are not made vulnerable to security threats by leaving the firewalls on a user’s network untouched. Skype also prevents adware, spyware, and malware from being installed on their customers’ computers.
While all of these measures that Skype takes to prevent creating vulnerabilities in their system, other sources claim that there are ways to hack into conversations and identities through Skype. For example, while it is not possible in all known circumstances to monitor an actual Skype conversation as a third party, it is possible to view call initiation as a third party on the Skype network. Also, Skype has a default “History” file that it saves on users’ computers that keeps a record of all of the conversations that that user has participated in. A hacker could easily find and compromise this file by using spyware to hack into a user’s computer.
Skype has responded to some, but not all, of these vulnerabilities with security patches and a security blog that warns users about scams, and attacks. It is for the individual user to decide whether or not the efforts that Skype takes to secure his or her information and privacy is thorough enough to convince him or her to continue using Skype.
Sources:
www.skype.com/security
en.wikipedia.org/wiki/Skype_security
Monday, December 7, 2009
PC Tab Alarm System- Security Review
If you travel to any of the computer clusters located around campus, you will notice on the back of the towers a small, black tab with two wires plugged in and the words “PC Tab” and “Security” written on them. I decided to investigate these devices and assess the value of them. The PC Tab Alarm System consists of sensing devices physically located on the PC and a central alarm panel comparable to one found in a home. The sensors are held to the tower with a powerful adhesive. The idea behind these devices is that if anyone (or anything) attempts to move the tower, remove the sensor or disconnect the wires leading into the sensor, an alarm will go off and alert a designated party (most likely a security department) of a potential theft. All of the wires are connected in series to the central alarm panel, which obviously needs to be located in a protected area, such as a locked network closet.
The University logically invested in this technology because they believe people will attempt to steal PCs. This system is not terribly cheap (around $50 per PC), but if you consider the potential loss if PCs were easier to steal, the cost most likely would be worth the investment. The system however does not appear to be flawless. For instance, if the central alarm is disabled, then thieves could disconnect the wires without alerting the designated party about a potential intrusion. That is why keeping the central alarm out of the reach of unauthorized personnel is so critical. Also, since the wires apparently form a connection inside the sensors, one would think it would be possible to simply connect the two wires prior to reaching the sensor and be able to take the sensor out of the circuit all together. Finally, while the tab itself cannot be removed without setting off an alarm, the area around the tab could be removed from the tower. This could be plausible if the tab is foolishly placed on say a removable part of the tower. The issue with most of these is if the security devices are located in an area with people around, it would be difficult to do any of these without attracting attention.
Overall, this seems to be an adequate technology for the goal of protecting PCs in clusters from physical theft. As long as the central alarm has proper access controls and there is some oversight over the PCs to make sure people do not disrupt the system, it seems like there is little an intruder can do to break the system.
http://www.computersecurity.com/pctab/index.html?id=1
Subscribe to:
Posts (Atom)
Posts
