Thursday, December 16, 2010

Security Review: Valve Software's Steam Platform

Digital distribution has become a more and more popular way of receiving goods, and when it comes to PC games, look no further than Steam. With an estimated 70% share of the PC game digital distribution market, it's easily the biggest and most well-known provider today.

Steam began when Valve, a Seattle-based PC game publisher started by former Microsoft employee Gabe Newell, was having trouble keeping its online games (like the wildly popular FPS Counter-Strike) consistently up to date. Patches would ripple through the community, leaving large parts of the user base unable to play with each other if their versions didn't match. They decided to build a platform that would update games automatically and provide anti-piracy measures. It was publicly released in 2003, and by 2005 it was selling third-party games as well. Today, in 2010, the Steam library has over 1,200 games (both boxed titles and digitally distributed ones) and serves over 30 million active users. It also has social-networking features and a friends list with instant messaging, so users can set up games and talk with other users within the platform itself.

Since it has become such a big seller in the PC game market, and since games can be bought directly through the client itself, multiple security measures need to be in place to keep legitimate users' accounts safe from phishing scams and data leaks.

First off, Steam handles credit cards, which means Valve must comply with the payment card industry's requirements for handling cardholder data. Valve does not reveal much about the workings of the company, but its privacy policy does say
"Personally identifiable information will be processed and stored by Valve in databases hosted in the United States. Valve has taken reasonable steps to protect the information users share with us, including, but not limited to, setup of processes, equipment and software to avoid unauthorized access or disclosure of this information."
This is vague, and a sentence in a privacy policy is not evidence of PCI DSS compliance (that is validated separately, by a self-assessment questionnaire or a qualified assessor's audit, depending on transaction volume), but it is at least consistent with the kind of controls PCI DSS calls for. Additionally, Steam allows payment through third-party processors such as PayPal, which has well-established security measures of its own and means the card number never has to be entered into Valve's systems at all.

But the more likely threat to a platform like Steam is account phishing. Since someone's account holds all of their game licenses, scammers are always looking for ways to steal someone's login details and hijack the account for their own use. One of the most notable anti-scam measures is built into the IM service: whenever a chat window is opened, a reminder to "Never tell your password to anyone", with a link to an account security page, appears. This helps stop scammers who pose as Valve employees and ask for account details over IM.

In addition, to change any account information, even the email address, one must verify the current email address and retrieve a verification code that authorizes the change. This helps the real user recover the account even after losing the login details, because they are likely the only person who can read that mailbox (provided they do not reuse the same password for the mailbox and the Steam account). Steam also allows a user to be signed in at only one location at a time, which can help lock out a scammer who has the account details, though this is a double-edged sword: it equally allows a scammer to lock out the legitimate user.

And lastly, if all else fails, Steam has a support system that focuses heavily on account recovery. If someone loses their account, the support team works to return it to the valid user (ownership can only be proved with the credit card used on the account or the serial number of a boxed game tied to it) and restores any damage done (fraudulent purchases, removal of owned games) so that the user gets the account back as it was before the hijacking.
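Steam's exact implementation is not public, but the verification-code step described above is a standard pattern, and the following Python example (added here; it is not Valve's code) shows what a sound version of it needs: a code drawn from a cryptographic random source, stored only as a salted hash, expiring after a fixed window, good for a single use, and with a cap on guesses so that an eight-digit code cannot be brute-forced over the network. The in-memory store, the 15-minute lifetime and the five-attempt limit are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 15 * 60   # assumption: a code is valid for 15 minutes
MAX_ATTEMPTS = 5             # assumption: five wrong guesses void the code
CODE_LENGTH = 8

# Pending codes keyed by account id. Only a salted hash of each code is kept,
# so reading this table does not yield a usable code. A real service would
# keep this in a database; an in-memory dict is enough for the example.
_pending = {}


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def issue_code(account_id: str, now: Optional[float] = None) -> str:
    """Create a fresh single-use code for account_id and return it so the
    caller can send it to the e-mail address already on file. Any earlier,
    unused code for the same account is invalidated by the overwrite."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    salt = secrets.token_bytes(16)
    _pending[account_id] = {
        "salt": salt,
        "hash": _hash_code(code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def redeem_code(account_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True exactly once, for the correct code before it expires.
    Expired, exhausted and already-used codes are removed so they cannot
    be retried later."""
    now = time.time() if now is None else now
    entry = _pending.get(account_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[account_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[account_id]
        return False
    # constant-time comparison, so response timing does not leak how many
    # leading digits of a guess were right
    ok = hmac.compare_digest(_hash_code(submitted, entry["salt"]), entry["hash"])
    if ok:
        del _pending[account_id]   # single use
    return ok


def change_email(account_id: str, submitted_code: str, new_email: str,
                 accounts: dict, now: Optional[float] = None) -> bool:
    """Apply an account change only after the code sent to the old address
    has been redeemed. `accounts` is the caller's account table."""
    if not redeem_code(account_id, submitted_code, now):
        return False
    accounts[account_id]["email"] = new_email
    return True
```

The code is sent to the address already on file, never to the new one, which is what makes the step useful for recovery: a scammer who knows the password still cannot move the account to a mailbox they control.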

So, overall, Steam faces many of the threats that any large online distributor does, but it appears to manage them well. It appears to meet the standards for card purchases, and it has many safeguards (and blatant reminders) in place to provide multiple layers of protection for user accounts. Is there room for improvement? Always. But Valve is doing a thorough job of protecting its users regardless.

Wednesday, December 15, 2010

Pen Testing Software

Core Security has recently launched new software, Core Insight Enterprise, intended to help keep a company's computer systems secure. Marketed as penetration testing software, the product looks for exploitable weaknesses in computer systems by actually attempting to gain access to them, rather than only flagging possible vulnerabilities the way a scanner does. The company claims that this product will be better than the scanners and security products on the market today because of the amount and quality of information it provides. As Core Security CEO Mark Hatton said, “You're not just going out and hiring a crazy guy with earrings to do pen tests anymore. We're giving you actionable information and solving that disconnect between what security teams are doing and what the business side wants them to do."

Insight gives users detailed information through a dashboard that displays a system's basic security status and the progress of current penetration tests, and stores this information over time. The software gathers this information by probing, as a white-hat tester would, for paths to sensitive data in the system. If a path to the data is found, the dashboard displays the steps the software took to reach it, giving the company what it needs to fix the problem. As Hatton explained, the “tool was designed to make it easier for security professionals to create understandable metrics out of vulnerability data for executives and auditors.” Core Security hopes its software will detect more than the average scanner, checking things such as network configuration and server connections.

In the future, Core Security hopes that their software will be able to work together with information from security logs and vulnerability and patching data from other vendors. It will be interesting to see how this software fares in the market and if it really does have a significant impact on the security of computer systems.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1525167,00.html

Tuesday, December 14, 2010

WikiLeaks scandal leads to fear-mongering over information security

“The recent response of the White House’s Office of Management and Budget (OMB) to the WikiLeaks document dump gives us a peek at the sometimes surreal standards for dealing with classified information and at the fear-mongering in which some government officials are engaging,” says Kathleen Clark, JD, professor of law at Washington University in St. Louis School of Law.

Clark teaches and writes about government ethics, national security law, legal ethics and whistleblowing.

According to CNN, on Dec. 3 the OMB instructed executive branch agencies to notify all government employees and contractors that they should not use work computers on non-classified government systems to view any documents that are marked classified.

The OMB distinguished “documents that are marked classified” from “news reports . . . that . . . discuss the classified material.” Apparently, employees are permitted to use non-classified government systems to access news reports that include classified information, but must not use those systems to access the classified documents themselves.

“This distinction might seem silly to an outsider, but the government imposes special security measures for its computers that store classified documents, and takes pains to ensure that its computers without these security measures do not have any classified documents,” Clark says. “This system of segregating classified documents is complicated and costly. But so far, so good.”

She notes that the OMB also suggested, somewhat ambiguously, that federal employees and contractors without the proper clearances and the “need to know” the information should not access Wikileaks’ classified information.

Additionally, at least one agency has gone further, asserting that government employees (and prospective employees) should not access WikiLeaks classified documents even from their home computers. According to Democracy Now, the State Department instructed employees of the U.S. Agency for International Development as follows: “Accessing the Wikileaks website from any computer may be viewed as a violation of the SF-312 agreement (a non-disclosure agreement).”

Clark says that it is not at all clear how accessing the WikiLeaks documents on a personal home computer would constitute a violation of an agreement not to disclose classified information.

“This does not appear to be a one-off mistake by an overzealous State Department official since at least one government contractor similarly warned its employees against accessing WikiLeaks both on company-issued and on personal equipment,” she says.

“Indeed, Career Services offices at Columbia University and Boston University also reportedly warned students and alumni about the risks of posting links to the documents and/or commenting on them through social media.

“Are these just over-reactions by people who are not familiar with the government’s information security standards?” Clark asks. “Or do these warnings reflect a concerted effort to prevent Americans from accessing and discussing the WikiLeaks documents that are now available on the web?

“I sincerely hope that someone in government will provide some clarification ― and some sanity ― on this issue soon.”

3 more companies hacked! How secure is your online information?

In a sign that cyber security needs rapid quality improvements, two more U.S. companies, McDonald's Corp and Walgreen Co, said they had been hacked in the past week, along with U.S. media company, Gawker.

After last week's denial-of-service attacks on the Mastercard and Visa websites by a pro-WikiLeaks group calling itself 'Anonymous,' McDonald's said on Monday that its system had been breached and customers' "email and other contact information, birthdates and other specifics" had been compromised.

Much of this information was supposedly provided by customers when they signed up for online promotions or subscriptions.

The fast food company did not specify how many accounts had been compromised.

On Friday, Walgreens said hackers had gained access to its customers' email database and spammed these accounts with instructions to enter personal information on other websites.

Though these breaches are unrelated to the denial-of-service attacks on Mastercard, Visa and PayPal, they appear to be forming a chain reaction, with information gained from one breach being used in the next.

Twitter said hackers broke into an unspecified number of users' accounts and sent spam promoting an acai berry drink, according to an AP report.

The passwords used to gain access to these accounts were apparently taken from the breach on Sunday at Gawker Media, the parent company of Gawker, Gizmodo and Jezebel.

McDonald's and Walgreens stated that no sensitive personal information, such as financial data or Social Security numbers, had been compromised.

While this is a relief, it is unsettling that most companies are still scrambling to figure out how their security systems were breached.

Many security experts are offering advice on how to make accounts more secure, including using complex passwords that mix letters and numbers, not reusing one password across sites (which is exactly what let the Gawker passwords open Twitter accounts) and changing passwords at regular intervals.

McDonald's stated that it is working with its business partner, Arc Worldwide, an email database management firm whose system was breached, to figure out the breach.

Anonymous, the group responsible for bringing down parts of the Mastercard and Visa websites, used a simple piece of software to flood those sites with traffic. Initially, supporters had to download the tool to take part in the attack.

But the group soon created an online page that would turn one's browser into an attack tool.

Once a user pressed the attack button, the web page would repeatedly and rapidly request a given file, perhaps a large image, from the target's web server, Wired.com reported.

"The tool's author is unknown and a quick perusal of the JavaScript shows that it is a fairly basic bit of programming," the website reported.
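The defensive counterpart to the page described above, as an added example that is not drawn from the article or from the tool itself, is to spot such a flood in the target's web server logs: no browser fetches the same static file dozens of times in a few seconds, so a per-client, per-path sliding window over the access log separates the attack page from ordinary visitors. The log lines are constructed for the example, the combined log format and the 20-requests-in-10-seconds threshold are assumptions, and this is detection only; the attack tool is deliberately not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access log. Assumption: the target logs in this
# format; only the client IP, timestamp and request line are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (client_ip, timestamp, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_floods(lines, window_seconds=10, threshold=20):
    """Flag (client, path) pairs that fetched one path more than `threshold`
    times within any `window_seconds` span. Returns {(ip, path): peak_count}.
    Lines are expected in log order. A sliding window of timestamps is kept
    per (ip, path): browsers cache a static file and do not re-fetch it
    dozens of times in a few seconds, which is exactly what the tool does."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # skip lines in another format rather than crash
        ip, ts, path = parsed
        q = recent[(ip, path)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()         # drop requests that aged out of the window
        if len(q) > threshold:
            peak[(ip, path)] = max(peak.get((ip, path), 0), len(q))
    return peak


def _stamp(dt):
    return dt.strftime("%d/%b/%Y:%H:%M:%S %z")


def sample_log():
    """Constructed sample: one client hammers a large image 40 times in
    under five seconds; one normal visitor loads a few pages."""
    base = datetime(2010, 12, 9, 17, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"'
    lines = []
    for i in range(40):
        lines.append(fmt.format(ip="203.0.113.7",
                                ts=_stamp(base + timedelta(milliseconds=120 * i)),
                                path="/images/banner.png", size=524288))
    for i, path in enumerate(["/", "/css/site.css", "/images/banner.png", "/about"]):
        lines.append(fmt.format(ip="198.51.100.5",
                                ts=_stamp(base + timedelta(seconds=i)),
                                path=path, size=2048))
    return lines
```

The output is a list of (client, path) pairs to rate-limit or block at the edge; because the browser-based tool fetches one fixed file, the path is as useful a key as the address when many participants join from different networks.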

Most companies initially ignore the warning signs of a possible breach.

About 63 percent of organizations reported experiencing at least one security incident or breach during the last 12 months, according to the Global Information Security Trends study by the Computing Technology Industry Association, a nonprofit trade group, the LATimes reported.

For instance, Gawker has only itself to blame for the attack, according to some media reports.

The online blog, known for bringing gossip nuggets about celebrities, had apparently seen some 'suspicious' activity during November but 'did nothing'.

Emails and passwords from the weekend's hacking were posted on The Pirate Bay by Gnosis, a group that claimed responsibility for the attack.

"We went after Gawker because of their outright arrogance. It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database," the group told the website Mediaite.

Security Review: Microsoft December 2010 patches

Microsoft December 2010 patches

Today, the December 2010 bulletins from Microsoft will be released. The 17 bulletins patch 40 flaws in various versions of Microsoft Windows and Office, Internet Explorer versions 6, 7 and 8, as well as SharePoint Server and Exchange. Of the 17 bulletins, two are rated “critical,” 14 are rated “important” and one is rated “moderate.” These patches address a variety of important- and moderate-level remote code-execution, denial-of-service and privilege-escalation problems.

From Microsoft’s point of view, the goals behind releasing these bulletins are fairly obvious. After studying the Microsoft Security Response Center case study, we all saw the importance of handling security vulnerabilities in software and operating systems quickly (especially for a company under constant attack like Microsoft). Not only is it important for Microsoft's customers to be able to access their information when they need it (availability), it is also of the utmost importance that the software they run preserves the confidentiality and integrity of that information.

As a black hat hacker, I would welcome this increase in Microsoft vulnerability reports with open arms. Counting these 17 bulletins, 2010 is a record-breaking year, with 106 bulletins released by Microsoft. A hacker might use an unpatched remote code-execution flaw to expose data on a Microsoft customer's web site or server. Another tactic could be to find a hole and alter the users' data. Finally, a hacker could perform DoS attacks on those users or take over their systems.

There are inherent vulnerabilities in Microsoft’s software, which is why the company is constantly releasing these patches. There is no single solution to this problem, because there will always be holes that need to be fixed. Therefore there will always be hackers (like CyP in the Microsoft Security Response Center case study) trying to stay one step ahead of the Microsoft engineers and exploit these vulnerabilities. Microsoft's engineers have met the challenges posed by these outside threats and need to continue to do so.

As I mentioned before, Microsoft can only mitigate the risks posed to its operating systems by hackers. Microsoft Security Response Center blog writer Mike Reavey said, "Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports." With technology constantly changing, the best thing Microsoft can do is continue to meet the demands of its customers and stay one step ahead of those looking to exploit vulnerabilities.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1524889,00.html

see also: http://blogs.technet.com/b/msrc/

Monday, December 13, 2010

Amazon European Outage and More WikiLeaks Controversy

Amazon.com's European websites went down last night for about half an hour, which Amazon said was the result of a hardware failure in a European data center and not of a denial-of-service attack, as some have suggested.

The hacking theory comes from the recent WikiLeaks controversy: Amazon, which had been hosting the site on its cloud service for some time, decided to stop providing that service to the popular information-leak site. Because of the controversy, many claimed that "hacktivists" in support of WikiLeaks (the group "Anonymous") were behind a denial-of-service attack that briefly brought Amazon's sites down last night. However, the group's plans to attack Amazon were reported as abandoned for lack of resources (Amazon is a heavily visited site, and one can imagine it would take a great deal of traffic to overwhelm it).

The worry that Amazon had been affected by a DDoS attack also comes from the recent attacks against Mastercard, Visa and PayPal for likewise dropping WikiLeaks (which someone has already detailed in this blog). The group has further plans, however, such as attempting to obtain the diplomatic cables that were not published in the recent leak and distributing the most dramatic ones across the internet.

But again, the resulting downtime was only due to a hardware failure in the main European Data center, and Amazon's UK, German, Spanish, and French sites were all restored less than 30 minutes after the failure.

Sunday, December 12, 2010

NASA Sold Computers with Sensitive Data

Though it is hard to imagine a world-class organization being unable to handle the security tasks entrusted to it, NASA has recently identified 10 computers that were sold with sensitive material still on them. The standard procedure for disposing of a computer is to remove or sanitize the hard drive holding the sensitive data, which leaves the rest of the machine relatively harmless. However, because of complications and misinformation, these computers were sold with the information still on them. Examine this excerpt from the article: “Specifically, the audit discovered that 10 computers from the Kennedy Center were released to the public even though they still contained sensitive NASA data and had failed verification testing as part of their disposal process. Another four computers with data were confiscated before they were sold.” The fact that these computers failed the verification test yet were still sold highlights a lack of understanding of security within the organization, and a process in which a failed check did not actually stop the sale.
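What the "verification testing" in the excerpt should amount to, as an added example that is not NASA's procedure or code, is a read-back of the entire drive after the wipe: a drive that was supposedly overwritten with zeros must contain nothing but zeros (NIST SP 800-88, the media sanitization guideline, calls this verification). The Python below does that over a binary file object (a drive image, or a block device opened read-only) and also shows why a quick sampled check is not a substitute: it misses a small leftover fragment that the full scan finds. The 4 MiB image and the fragment in it are constructed for the example.

```python
import io

SECTOR = 512
_ZERO_BLOCK = bytes(256 * SECTOR)   # 128 KiB of zeros, compared per read


def first_nonzero_offset(dev, size, sampled_sectors=None):
    """Read back a drive or image that was supposedly zero-filled.

    dev: binary file object (an image file, or a block device opened read-only)
    size: its length in bytes
    sampled_sectors: None reads every byte, which is what disposal verification
        must do; an integer N reads only N evenly spaced sectors, a quick
        pre-check that can miss residue (as sample_image() demonstrates).
    Returns the offset of the first non-zero byte found, or -1 if none."""
    if sampled_sectors is None:
        offset = 0
        while offset < size:
            dev.seek(offset)
            chunk = dev.read(len(_ZERO_BLOCK))
            if not chunk:
                break
            if chunk != _ZERO_BLOCK[:len(chunk)]:
                # locate the exact byte inside the offending chunk
                for i, b in enumerate(chunk):
                    if b:
                        return offset + i
            offset += len(chunk)
        return -1
    nsectors = max(1, size // SECTOR)
    step = max(1, nsectors // sampled_sectors)
    for sector in range(0, nsectors, step):
        dev.seek(sector * SECTOR)
        chunk = dev.read(SECTOR)
        for i, b in enumerate(chunk):
            if b:
                return sector * SECTOR + i
    return -1


def scan_bytes(data, sampled_sectors=None):
    """Convenience wrapper for an image already held in memory."""
    return first_nonzero_offset(io.BytesIO(data), len(data), sampled_sectors)


def is_wiped(data):
    """True only when a full read-back finds nothing but zeros."""
    return scan_bytes(data) == -1


def sample_image():
    """Constructed 4 MiB image for the example: zero-filled except for a
    leftover file fragment at 3 MiB + 1 KiB, the kind of residue an
    overwrite that stopped early (or never ran) leaves behind."""
    image = bytearray(4 * 1024 * 1024)
    residue = b"LEFTOVER FILE DATA: not sanitized\n"
    at = 3 * 1024 * 1024 + 1024
    image[at:at + len(residue)] = residue
    return bytes(image)
```

The point of returning the offset rather than a bare pass/fail is that a failed verification should produce a record that someone has to look at; a drive that fails is not released until it passes a full read-back or is physically destroyed.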

It is unfair to accuse the entire organization of lacking in security. I would imagine that NASA has some of the strictest and most redundant security measures in the world. However, it only takes one mistake, one security measure forgotten or one plan that is outdated for a catastrophe to happen. In this case, the article highlights a number of employees who were ill informed of proper security measures as well as a number of the measures being outdated. As mentioned before, I would imagine that NASA has some of the strictest and most redundant measures in the world, but this means little if they are outdated or no longer apply to the current level of technology.

NASA’s inability to appropriately protect its confidential information is perhaps a sign of its current underfunded situation. This can perhaps be linked to the fact that many of its supporters no longer see space as a noble venture for humanity. Nevertheless, the security administration at NASA has an obligation to make sure that there are as few security breaches as possible. This goal was not accomplished with the most recent breach of confidential information. As such, NASA must take steps to secure its information from potentially malicious users. This involves updating its security policies to better cope with the technology and vulnerabilities of the current era. It also involves the education and continued testing of every staff member who has access to information that would be considered confidential. Unless adequate measures are taken to secure its information, NASA may have an unfortunate future of breaches and security violations.

In addition to these breaches, NASA has also handed out a foothold that could let people with malicious intentions into its network: “Further, computers at the Kennedy Center's disposal facility being prepped for sale displayed NASA IP (Internet protocol) information, which could easily give a hacker a way to break into a NASA network.” As discussed in class, this information tells an attacker how NASA's internal network is addressed, which makes hosts behind the firewall easier to target. This is a more pressing problem, as a hacker could already have breached NASA’s network and made off with a great deal of confidential information. I believe that the best option for NASA now would be to find out which IPs were exposed and block them, as each computer must have been given an independent IP that can be looked up and blocked. However, this does not address the problem of information already lost. Truthfully, I see no possible way to account for this lost information.

NASA currently has a potentially massive security situation on its hands. "Our review found serious breaches in NASA's IT security practices that could lead to the improper release of sensitive information related to the Space Shuttle and other NASA programs," NASA Inspector General Paul Martin said in a statement. This statement adequately highlights the situation NASA faces. It should be noted, however, that because of disclosures and statements such as these, NASA is now on a short timeline to get its systems secure. Once the existence of a vulnerable system is public, it is only a matter of time before hackers actively probe it for weaknesses to exploit. It may already be too late; even so, it is better to minimize the damage done. Further statements in the article that highlight lax standards may only add to the number of problems NASA faces.

http://news.cnet.com/8301-13639_3-20025161-42.html

Wisconsin bungles another data breach and ID theft threat to 60,000

The State of Wisconsin has a history of mishandling data breaches, and this time the University of Wisconsin System is responsible. Last Thursday evening UW-Madison disclosed that a campus database containing the Social Security numbers of 60,000 former students and staff had been repeatedly accessed by intruders since 2008. A University Website and the letter sent to victims of the breach assert that there is no evidence anyone's information was retrieved. The statement implies there is no risk of ID theft, although all of the University's releases were careful not to use the words "identity theft" anywhere in the text.

The State of Wisconsin bungled major data breaches in 2007 and again in 2008 involving Social Security numbers. The 2007 incident involved 171,000 Wisconsin taxpayers who were mailed tax forms with their Social Security Number printed on the mailing label. In 2008, 260,000 recipients of state health care benefits were mailed a brochure with their Social Security number printed on the mailing label. The management of both breaches was bungled by prematurely announcing that the mail, which had not been delivered to recipients, contained Social Security numbers. The premature press releases exacerbated the breach by putting identity thieves on notice to steal the mail. In both cases, the State provided credit-monitoring services to the victims upon request.

Now the University of Wisconsin is denying victims credit monitoring services because it contends there is no evidence that Social Security numbers were retrieved by the hackers. Critics argue that, conversely, the University has no evidence that Social Security numbers were not retrieved by the hackers over the two-year period. To add to the mishandling of its public relations, the University has declined to comment on camera.

Although the University of Wisconsin determined that the recent hacking incident began in 2008, they did not detect the breach until October 26, 2010. The database contained 60,000 pre-2008 university photo identifications that included Social Security numbers. They notified victims by mail in a letter dated November 30. This author first noticed the release on the evening of December 9 on Madison.com although the date stamp on that article now shows December 10.

This author also has an early University faculty/staff picture identification card, last validated in December 1993. I have not received a letter, either because my ID card information was not included in the breached files or because the University does not have my current mailing address. The limited information provided on the University's incident Website makes it impossible for would-be victims like me to know whether my picture ID containing my Social Security number was part of the breach.

The University appears to be downplaying the significance and threat of the breach to the public. They are also being cautious in their statements and have declined on camera interviews. It is not easy to find the letter they sent to victims or the incident Website through online searches or through the University Website. Information is difficult to find unless you know where to look for it. It is not consumer friendly.

The incident Website states, "We wanted to make you aware of the incident and let you know what we have done to prevent this from happening in the future." The statement on the Website and letter make it appear that the University is voluntarily providing notification to victims. However, under law, the University is required to notify victims of the breach.

Breach notification laws have been enacted by Wisconsin and 45 other states, the District of Columbia, Puerto Rico and the Virgin Islands. These laws require notification of victims if a breach occurs that involves residents of their state or territory. Each of the 49 laws differs in compliance requirements and penalties for noncompliance. It is likely that the 60,000 victims of the recent UW breach reside in many, if not all, of the 49 U.S. jurisdictions that have a breach notification law. The University is required to comply with the laws of each state or territory in which a victim of the breach currently resides.

It is not clear that the University met the compliance requirements for each breach notification law. For example, while the Wisconsin law requires notification of victims within 45 days of learning of a breach, the Illinois law requires notification in the "Most expedient time possible without unreasonable delay." Some states exempt notification of victims if the electronic information accessed was encrypted.

It is standard practice to encrypt sensitive information that is stored electronically, whether it faces the internet, sits behind a firewall or is offline. Encryption software is inexpensive and commonplace even on home and business computers; for example, Windows Vista and Windows 7 include a turnkey full-disk encryption solution, BitLocker. One caveat: full-disk encryption protects data on a lost or stolen machine, but it does nothing against an intruder who reaches a running database through the server that holds the key, so a breach like this one also calls for encrypting or tokenizing the Social Security number field itself and restricting which applications can decrypt it. It is a reasonable consumer expectation that a leading research university, such as the University of Wisconsin-Madison, would have such standard security practices in place to protect sensitive student, staff and faculty information.

The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to protect student information including Social Security numbers. Penalties for violation include the loss of federal funds.

Amendments to FERPA published in December 2008 recommend that educational institutions adopt standard security practices to protect electronic information, and refer to several National Institute of Standards and Technology (NIST) information security standards.

For example, an excerpt from NIST Special Publication 800-53 says, "The use of encryption by the organization reduces the probability of unauthorized disclosure of information and can also detect unauthorized changes to information."
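One concrete way to act on the NIST guidance quoted above for a field like a Social Security number, as an added example and not anything the University of Wisconsin is known to run, is to avoid storing the number at all: when the SSN is only used to match up records, a keyed hash (HMAC) of the number can serve as the lookup key while the database holds nothing more than the last four digits. This is tokenization with a one-way keyed hash rather than the reversible encryption the article discusses; the key is generated in the example only so that it runs, and in practice would live in a key store that the database and web tiers cannot read. An unkeyed hash would not do, since there are only 10^9 possible SSNs and all of them can be hashed in short order; the key is what makes a copied table useless.

```python
import hashlib
import hmac
import secrets


def new_key():
    """Generate a tokenization key. Assumption: in production the key is
    created and held in a key store (HSM, KMS or at least a file the
    database and web tiers cannot read); it is generated in-process here
    only so the example runs."""
    return secrets.token_bytes(32)


KEY = new_key()


def normalize_ssn(ssn):
    """Accept '123-45-6789' or '123456789'; reject anything else."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def ssn_token(ssn, key=KEY):
    """One-way, keyed lookup token for an SSN. Without the key the token
    cannot be reversed, and unlike a bare SHA-256 of the digits it cannot
    be brute-forced by hashing every one of the 10^9 candidate numbers."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def store_record(db, name, ssn, key=KEY):
    """Insert a person without storing the SSN: only the token (as the row
    key) and the last four digits (for a human to confirm a match) are kept."""
    digits = normalize_ssn(ssn)
    db[ssn_token(digits, key)] = {"name": name, "ssn_last4": digits[-4:]}


def lookup_by_ssn(db, ssn, key=KEY):
    """Find a record from a full SSN presented by the person; None if absent."""
    return db.get(ssn_token(ssn, key))


def contains_plain_ssn(db, ssn):
    """Audit helper: True if the nine digits appear anywhere in the stored data,
    which is the condition a breach of this table would have to satisfy to
    expose the number."""
    digits = normalize_ssn(ssn)
    return any(digits in key or digits in repr(rec) for key, rec in db.items())
```

The trade-off is that the institution can no longer print or transmit a full SSN from this table, which for a photo-ID database is a feature: the 2008 records did not need the number, only a way to tell two people with the same name apart.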

It appears that the University of Wisconsin has not adopted the FERPA recommendations on information security standards.

This is not the first time UW-Madison computers were hacked. A year ago, the University determined that computers in the Chemistry Department were hacked over a several year period potentially compromising the names and Social Security numbers of nearly 3,000 people on campus.

A leading study on data breaches published in 2009 that we authored included the following findings:

Education-related organizations account for nearly one-third of all the data breach incidents reported in the U.S.
Colleges and universities account for 78% of all education-related breach incidents.
Over a third of all educational sector data breaches occur by hacking.
Encryption would have prevented 60% of all data breaches and the compromise of over 90% of all consumer profiles.

The University Incident Website provides limited information to victims, avoids addressing identity theft and denies victims complimentary credit monitoring services. University statements emphasize that there is no evidence that information was taken; however, they provide no assurance that information was not retrieved manually, photographically or by other means invisible to their admittedly weak information systems security.

Victims that are concerned about identity theft should take preventive measures immediately. Victims of identity theft often do not see clues of identity theft until over a year after thieves misuse their information.

While financial fraud is easily detected by credit monitoring, other types of identity theft such as medical identity theft, employment fraud, Social Security and benefits fraud can take years to detect. Then it can take years for victims to restore their good name after spending hundreds of hours and thousands of dollars.

Today, anyone with a computer, desktop publishing and a printer can counterfeit a Social Security card with your name and Social Security number. Counterfeit cards can be sold over and over again compounding the identity theft problem with victims. A counterfeit Social security card and a counterfeit birth certificate opens the door to getting employment, a driver's license and a bank account.

Victims of the UW breach can request that an initial 90-day fraud alert be placed on all three credit reports by contacting any one of the three major credit reporting agencies, Equifax, Experian or TransUnion, listed below. The credit reporting agencies will also provide a credit report as part of the process.

Equifax (800-525-6285) - online or phone for placing fraud alert
Experian (888-397-3742) - online or phone for placing fraud alert
TransUnion (800-680-7289) - online or phone for placing fraud alert
Consumers may also obtain a free credit report from each of the three credit reporting agencies annually. We recommend that consumers stagger their requests for credit reports from each of the three credit reporting agencies by four months in order to increase the frequency of credit report monitoring. This is no substitute for a credit monitoring service, which continuously monitors all three reports. The Federal Trade Commission Website given below also provides high quality information to consumers and victims about preventing, detecting and reporting identity theft.

AnnualCreditReport.com Online or 1-877-322-8228
Federal Trade Commission--Identity theft site

Consumers that see value in more comprehensive identity theft risk mitigation services should consider purchasing such services on their own, regardless of whether they have been a victim of a breach or not. We have recommended high-value services in other articles.

As a service to the Madison Community, we are providing free telephone consultations to victims of the University of Wisconsin data breach. We will provide answers to questions about identity theft, a free informational guide on how to protect you against identity theft, and recommendations on high-value identity theft risk mitigation services for consumers. We can be contacted by email or by telephone (608-241-3500).

Discover Account Security Review

With the recent news that the hacking group Anonymous will launch attacks against Visa, Mastercard, and PayPal, I have decided to do my security review on Discover. I currently have a Discover credit card and frequently use discover.com. Although we have learned that credit cards may not carry as big of a risk as debit cards, any type of business that holds records of users' names, addresses, phone numbers, Social Security numbers, and bank account numbers is susceptible to attacks from hackers. Discover offers the option to control your account online. Users can manage their account, make payments, withdraw cash, and view their statements on the Discover website.

As an owner of a Discover Credit Card and user of the online "Account Center", I have a few worries about the security that Discover uses. The CIA triad is extremely important to protect Discover users. I think that it is absolutely imperative that users' account information, including name, birth date, address, user name, and password, is kept confidential. In addition to the fear of identity theft, I believe it is a must that the credit card number, expiration date, and validation code stay private (only available to the user). Integrity is also important. Discover has to make sure that when a user makes a payment or changes their account in any sort of way, the user's changes are not compromised by a hacker. Additionally, it is important that the card holder's username and password are never changed by hackers. Finally, availability may be the most important aspect. As a user, I expect that I will always be able to access my account over the internet as well as always be able to use my card.

If I were a hacker, I would view Discover as a source for a lot of information. First, user information is valuable in today's day and age. Disclosing account holders' names and other personal information could be profitable if other businesses would pay for the information. But the obvious goal of a hacker would be to disclose the card information and bank account information (common on users' account center because it is a common method of payment) in order to use the accounts for themselves. With a similar goal in mind, a hacker may try to alter users' information and change it to their own. This way they would have access to a card that could potentially have their own name attached to it. As we have learned from this course, hacking isn't always about personal gain. Hackers could overload the Discover online site to deny access to users, simply to be a pain (or potentially as a distraction for another attack).

Although these threats arise when running a sensitive business, I believe that Discover has done a great job of implementing security measures to mitigate attacks. Users must have a user name, password, and answer to a security question to access their account. Additionally, when a user logs in, the site prompts them with the question "Is this a Shared Computer?" -- a precaution against leaving your account up on a public computer. As soon as you get to your account center, you see that the web site is secure. Clicking on the lock in the top corner of my browser, I have learned that Discover is protected with a 112 bit 3DES encryption. It carries a Verisign Class 3 Extended Validation.

A potential threat is in the "Cash Now" section of the web site, because a hacker's goal would most likely be money. But this section requires another security measure, both the expiration date and validation code on the credit card. Finally, the last security measure I noticed was the automatic logoff. After 5 minutes of inactivity the website automatically logs the user out.

I think that the security is very good on the Discover online Account Center, but the only thing that worries me is all of the access controls are "something you know". I would recommend adding another access control - either "what you are" or "something you have". I think that a card scanner (possibly in the future) on computers would allow users to log on to their account with two access controls. A different option would be to implement the finger print scanners that are already on some laptops. If Discover somehow required you to scan your index finger to log on, it would make it even more difficult for hackers to access your account.

Two Major Ad Networks Found Serving Malicious Ads

Two major online ad networks, DoubleClick and MSN, were found to be serving malware over the past week. Experts say that this is a result of a group of attackers who tricked the two networks by pretending to be ad providers.

The attackers registered the domain name ADShufffle.com, one letter off from ADShuffle.com, which is an online advertising group, to trick the two ad networks into accepting the ads they had infected with malware. If a user visited a website that was displaying the infected ads, malicious JavaScript code in the ad started a drive-by download process which installed malware like "HDD Plus" onto the user's machine. Simply visiting the page (not clicking on an ad) infected the visitor.

Some big sites infected by the attack were MSN Real Estate, MSNBC.com, and Windows Live Mail.

A spokesman for Google (owner of DoubleClick) said that the ads only ran for a short amount of time, and that DoubleClick's malware filters picked up on the ads as well.

Incidents like this show the danger of browsing the internet without any protection. This event shows how malicious code can run simply by visiting a webpage, even without the user directly interacting with any element on it. This highlights the importance of using script or ad blockers on websites, as they can prevent covert attacks like this from installing malware on a computer.

Thursday, December 9, 2010

Security Review on Cross-site scripting (XSS)

Cross-site scripting (XSS) is a security vulnerability in web applications which allows client side scripts to be injected into web pages to attack users who view these web pages (similar to SQL injections in my last blog post). Recently, XSS attacks have surpassed buffer overflow attacks to become the most popular security vulnerability. Over 80% of all website attacks on the internet are XSS exploits and researchers claim that up to 68% of all websites on the internet are vulnerable to this type of attack. Facebook, MySpace, Twitter, and other top websites on the internet today have been compromised by XSS attacks.

XSS exploits focus on attacking the client side and are very effective at bypassing client side security mechanisms. There are two types of XSS attacks: non-persistent and persistent. I will discuss the traditional non-persistent and persistent attacks as well as the newer DOM-based vulnerabilities exploited by XSS.

The most common type of XSS attack is a non-persistent one. Typically in this attack, a website will present a submission form to a user where they are allowed to type text and the server will immediately process the text and display it on a resulting page. If the user crafts HTML code properly and the server does not properly escape these HTML control characters, an XSS vulnerability has been found and can be exploited by the attacker. An example of this attack is typing a string of text into a search engine, which will process the text and usually display it on the resulting page. This example will not be of harm to anyone but the user who typed in the HTML code, but if they had injected this code into a URL link to a valid website with an XSS vulnerability and had somebody else click the link, they could steal the victim's information. If the victim is currently logged into an account on the valid website, the hacker could gain full access to their account session by stealing their session cookie.

Persistent XSS attacks are more severe and indirect than non-persistent attacks. When a server takes input from a user and permanently stores that submitted information on a web page (such as a Facebook profile or an online forum where users are allowed to input HTML segments), users who visit that web page are subject to an attack if the website did not properly handle the escaping of HTML control characters. The attacker could steal the victim's cookie and gain full access to their session.

In recent years, Web 2.0 applications which can dynamically generate web page information without users having to hit the refresh button in their browsers have been subject to DOM-based XSS vulnerabilities. DOM stands for "Document Object Model" and is basically a way to interact with objects in HTML. JavaScript is a client side scripting language for websites. Asynchronous JavaScript (known as Ajax) can retrieve data asynchronously from the server in the background of the web page by using the JavaScript object known as XMLHttpRequest, which can make HTTP requests and server queries without updating the web page the user is currently on. Attackers can exploit DOM-based XSS vulnerabilities to essentially gain access to this object and steal information.

There are a few steps that users and website developers can take to defend themselves from XSS attacks. The first thing is that website developers can make sure to properly escape HTML input from users. If the website's function is to allow users to input HTML (such as for formatting their profile page on MySpace) then the website developers must run this untrusted HTML input through an HTML policy engine to check for XSS. Another thing that website developers can do to avoid their users' accounts and information being stolen through XSS attacks is to attach the IP address of the logged-in user to their session cookie. This way, if an attacker successfully steals a session cookie from a logged-in user on a website through XSS, they will not be able to use the cookie unless they are within the same network as the victim.
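To make the escaping step above concrete, here is an added example in JavaScript (not code from the original post): a search-results page rendered with and without HTML escaping, plus a stored-comment renderer that escapes at output time. The function names and the sample input are my own constructions.

```javascript
// Added example (not from the original post): the reflected and persistent
// XSS defects described above, and the escaping that fixes them.
// escapeHtml() replaces the five HTML control characters so that user text
// is rendered as text in both element-body and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable version (the non-persistent case): the search query is
// concatenated straight into the markup, so the browser interprets any
// tags or attribute-closing quotes it contains.
function renderSearchPageUnsafe(query) {
  return `<form><input name="q" value="${query}"></form>` +
         `<h2>Results for ${query}</h2>`;
}

// Hardened version: the same page with every untrusted value escaped.
function renderSearchPageSafe(query) {
  const q = escapeHtml(query);
  return `<form><input name="q" value="${q}"></form>` +
         `<h2>Results for ${q}</h2>`;
}

// Persistent case: comments are stored verbatim (storage is not the place
// to escape) and escaped at render time, so every viewer gets inert text.
const commentStore = [];

function addComment(author, body) {
  commentStore.push({ author, body });
  return commentStore.length;
}

function renderComments() {
  const items = commentStore.map(
    (c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`,
  );
  return `<ul>${items.join('')}</ul>`;
}

// Crude check used only to show the difference between the two renderers:
// does the output contain a script tag or event handler we never wrote?
function containsInjectedScript(html) {
  return /<script|onerror=|javascript:/i.test(html);
}

// Constructed sample input: closes the value="..." attribute, then opens a tag.
const sampleQuery = '"><script>alert(1)</script>';

// Usage: the unsafe page carries live script, the safe page carries text.
console.log(containsInjectedScript(renderSearchPageUnsafe(sampleQuery))); // true
console.log(containsInjectedScript(renderSearchPageSafe(sampleQuery)));   // false
```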

One thing users can do to protect themselves from XSS is to disable the use of scripts in their browsers. They may also add lists of trusted or untrusted domains to their browser so that scripting is enabled or disabled depending on the domain they are visiting. This approach is not entirely useful, however, due to the fact that many websites across the internet require the use of scripts to function properly.

Looking into the future, scanning technologies are emerging which scan websites for possible XSS attacks and allow website developers to patch the holes before they are exploited by attackers. These scanning technologies are not perfect and cannot find every single vulnerability in the website.

If you are a website developer, it is important to know the risks and understand how XSS works so that you can help secure your website as much as possible. Set up a sandbox website and test your skills! If you are completely new to XSS you can read up about some basics HERE. If you are familiar with XSS you should go HERE to learn about some more advanced tricks of XSS.

Sources:
http://www.ihtb.org/security/xss_hacking_exposed.txt
http://en.wikipedia.org/wiki/Cross-site_scripting
http://ha.ckers.org/xss.html

Cyber Warfare as the Growing Battle Many Are Unprepared for…

When the term warfare is used it is often related to desolate fields, charging armies and exploding bombs. Historically this is largely true. Modern society, however, has become so incredibly interconnected through technology that it is difficult to really imagine a time without it. Many of the financial transactions that take place are now virtual and the credit systems, on which countries thrive, are completely digital. It is this interconnectivity that brings rise to a new form of warfare, which exists only in cyberspace, that is designed to attack and disrupt these transactions on a large scale. Cyber Warfare is a term used to reflect a large scale attack directed at disrupting the functions of a complex system. It can affect a single individual or an entire nation. However, one thing that has become a growing concern of many nations over the globe is how prepared they are for a dedicated assault from a foreign or even a local source.

The PDF written by retired General Eugene E. Habiger highlights the need for the United States to prepare for the growing inevitability of a cyber attack on a large scale. Vulnerabilities can be seen today with groups like Anonymous who are capable of launching crippling DoS attacks on major corporations almost on a whim while coordinating these attacks through instant chat services like Twitter. The internet has largely become a battlefield with the only safe zones being the areas that go unnoticed by the larger society. Cyber attacks happen every day and happen with very little warning. They can install monitoring devices, access databases, crash entire networks and steal confidential information. This begs the question as to why, with so much evidence of their lethality, proper security measures have not been taken to protect against such attacks.

There are two reasons that are often held to be the cause of the general perceived apathy toward cyber attacks. The first reason is that unlike warships and bombs, the internet has such a broad range of uses and, as such, is not a visible sign of destructive potential. The internet is used for so many things in modern society that it is often elevated as the greatest of human achievements. These ideas are compounded with the fact that, while major attacks happen every day, they are often downplayed or go unmentioned. This creates an aura of misinformation on how devastating or how compromising these attacks can be. The second reason is that there is simply no way to really prevent them, only defend against them. Much of modern security doesn’t directly target an attacker but only defends against the potential of attack. When the idea is brought forward it usually sounds like “not only is there a small chance to get the attacker but we can’t really even predict what type of attack could be next. Only defend against what we already know exists and take measures so that if something bad happens we won’t be completely crippled…” This has a dangerous habit of leading to a “deal with it when it happens” mentality that can sow the seeds of major disaster. This is not to say that there are not steps that can be taken to make a system more secure, it’s that they usually aren’t taken to the degree that they need to be. In order to adequately prepare for the growing war, countries and companies alike need to start taking steps to design security measures that will protect against potential attacks. As impossible as it seems, the choice is either to work toward controlling these attacks or to simply let them happen.

http://cybersecureinstitute.org/docs/whitepapers/Habiger_2_1_10.pdf

WikiLeaks 'revenge attacks' target Mastercard and Visa

Computer hackers, called "Anonymous", have taken it upon themselves to hack into businesses, personal accounts, and even popular websites that have censored or spoken out against WikiLeaks. Most prominently MasterCard, Visa, and PayPal, who previously have stated they will not support donations made to the anti-secrecy group, have all announced being hit by DoS attacks last night. This Anonymous group has also been credited with hacking into Sarah Palin's personal website and tampering with her and her husband's personal credit cards, and most recently has been targeting Amazon, who withdrew server space WikiLeaks was using. Anonymous has threatened to attack anyone who tries to censor WikiLeaks. MasterCard has said some customers experienced complete loss of service, but they are working to restore service to their customers. Recently, Anonymous has threatened Twitter, who has been accused of monitoring and deleting posts centering around WikiLeaks.

Obviously the attack occurred when Anonymous hit the different servers enough to shut down service on multiple servers for multiple customers. They also encouraged other pro-WikiLeaks supporters to download a program that would temporarily take over their PCs in order to assist in the DoS attacks. Because the companies were not quick enough in responding to the attack, they were experiencing some serious server issues. Since the attacks, the companies have been able to begin restructuring and bringing service back to all customers.

Companies should first and foremost make sure that none of their customers' personal data was breached and that all information was kept safe. In the case that information was leaked, then customers need to be notified immediately and accounts should be monitored. Companies should also be more aware of the situation surrounding these events and realize that these hackers are not going to stop. By being more aware, the attacks may not be as problematic as they were this time, and could possibly even be stopped. As WikiLeaks becomes a bigger issue, companies who openly disagree must realize they have put themselves in the line of fire from these hackers and seek to make sure all security measures are put into place. If the government is pressuring some companies to alter themselves, it should also be helping to ensure as much protection is granted to these companies as possible.

http://www.telegraph.co.uk/news/worldnews/wikileaks/8190421/WikiLeaks-revenge-attacks-target-Mastercard-and-Visa.html

Wednesday, December 8, 2010

Low Orbit Ion Cannon

Sometimes questionable tech blog Gizmodo described the Low Orbit Ion Cannon attack software in a feature today. The software was used by Anonymous to perform their Distributed Denial of Service attacks on those companies that had stopped supporting WikiLeaks.

The software, developed by the infamous image forum 4Chan, works essentially like any Denial of Service attack - it floods the target with dummy requests so that legitimate attempts to connect to the server are dropped. The software, which is cross-platform compatible, provides a user interface, simplifying the process of conducting a DoS attack to only needing a URL or IP address.

Another feature, called "Hivemind," allows users of computers running the program to turn over control of the program to a central user who can direct all the connected computers to attack a single site. This is essentially how a standard DDoS attack works - except that in this case, the owners of the computers on the botnet intentionally grant permission to use their computer in the attack.

The software is also fully open-source, which means that the generally technology-savvy users of the attack networks can review the code to know that the Hivemind feature does only what it says it's supposed to and nothing more. And, being open-source, it could be more difficult to eliminate the program from the Internet as anyone with the code can adapt and/or compile it.

Source: http://gizmodo.com/5709630/what-is-loic

Compliance burdens hamper vulnerability management processes, survey finds

I saw this article and thought about our discussions in class regarding the -to be frank - impossibility of maintaining PCI DSS compliance.

Written by Robert Westervelt, the News Director at SearchSecurity.com, the article cites a new survey that found many organizations are struggling to deal with patch and configuration management issues and are often lacking efficient processes to deploy patches to systems and applications in a timely manner.

"According to eEye's '2011 Vulnerability and Management Trends Report,' 85% of those surveyed indicated that their IT staff is overburdened with regulatory compliance issues. About half of those surveyed said regulatory compliance initiatives take up to 50% of their work weeks" (Westervelt), and this is at the expense of actual vulnerability management.

Larry Whiteside, CISO at the Visiting Nurse Services of New York, said, "I don't know any company in the world that doesn't have patching issues. The time to prioritize and test can make staying on top of the patching cycle very difficult."

In addition, the rising use of smartphones and other mobile devices is straining the ability of IT teams to ensure systems are up to date. The survey found that 31% of professionals indicated they don't have enough personnel to handle increased patching demands. In addition, keeping track of browser component vulnerabilities, Flash updates, and other third-party client software updates is an issue at many enterprises.

"There's definitely a lack of visibility, especially as it relates to non-Microsoft software," Maiffret said.

What's so special about Microsoft?

If you can recall from our case study, Microsoft's process for handling threats involves bulletins and notification. This article makes a point of mentioning them as a company that does a good job of "identifying and addressing vulnerabilities in other applications wrapped in one product." Microsoft's huge market share lets it do this, in my opinion. Therefore it seems that the majority of companies without the huge presence that Microsoft has are hampered by the issues brought up in this article, such as iPremier, Flayton's and TJX.



Tuesday, December 7, 2010

Israel Takes Steps to Tighten Information Security in Wake of Wikileaks

Despite advances in technology, no system is immune

The flood of internal U.S. State Department cables uploaded onto the Wikileaks website has heightened efforts in Israel to better secure information in a country which has seen its ability to censor secret information deemed vital to national security wane in the digital era.

Following the recent furor surrounding the transfer of hundreds of thousands of documents to the Wikileaks web site, the Israel Defense Forces (IDF) announced it was taking more measures to track top secret data and alert to unusual access into army computers. The IDF was embarrassed by a small-scale leak earlier this year when an army secretary, Anat Kamm, is alleged to have copied over 2,000 classified documents and passed them on to a journalist.

The Israeli army has installed a system that follows the trail of documents moving from one place to another, and records who prints them and who burns them onto compact disks. It also sets off alarms when disk-on-key devices are inserted into IDF computers.

It also prevents top secret documents from being transferred to someone without the proper security clearance. Brig.-Gen. Ayala Hakim, head of the army division that manages computers and communications systems, said the army was constantly enhancing measures to secure classified information.

“There’s no leak-proof network,” said the head of the Israel Army’s C4I Technology Division. “But through a combination of discipline, technology, training and procedures that compartmentalize sources of information, we’ve enhanced our operational security and are coming as close as possible to 100% protection,” Hakim told reporters at a recent press conference that the army

Besides thorough background checks of soldiers serving in sensitive positions, the Israeli military has also reportedly increased the number of polygraph tests it conducts on soldiers and officers by 50% in the past year.

The recent revelation of hundreds of thousands of classified documents on Wikileaks has also brought to the fore the potential of serious data loss prevention (DLP) systems, which are designed to detect and prevent the unauthorized use and transmission of confidential information. Israel is home to a large number of information security companies, which sell software designed to spot and stop suspicious behavior on computers.

Eli Hizkiyev, chief executive officer of Cryptzone, an Israeli company in the information security field, said user-monitoring software was one of the main instruments used to catch possible theft of data. The software is usually designed to sound alarms when it detects users downloading large quantities of data or certain types of data, such as credit card numbers. It is widely used in the private sector and many government offices.

But Hizkiyev said that ultimately technology and censorship weren’t enough to prevent leaks and information theft.

“This is an issue of awareness. You can install the most sophisticated measures, but if people don’t have awareness then nothing can help,” Hizkiyev told The Media Line.

Aiding the wall against leaks is MALMAB, the security arm of the Israel Defense Ministry, which is more powerful and more secretive than the Israel military censor. Officially, MALMAB is responsible for the security of defense installations, but in fact the unit is mainly concerned with preventing any leaks regarding Israel’s alleged arsenal of nuclear weapons and top secret data about the country.

A request by The Media Line to interview the head of MALMAB, Amir Keen, was flatly rejected.

Amir Rappaport, a senior military analyst at the Begin-Sadat Center for Strategic Studies, said Israel had a double-barreled apparatus in place to prevent leaks from reaching the public. The first was MALMAB and the IDF’s Information Security arms, whose purpose is to prevent data from being leaked. The second is the media censorship of information that has already been leaked. All media outlets in Israel and the foreign media must agree to abide by the terms of laws imposed by the British when they ruled Palestine to prevent publication of information deemed harmful to state security.

“The problem with all this is that while MALMAB and the censor may be serious bodies, they are restricted to the defense establishment. They have no control over the Foreign Ministry for example,” Rappaport told The Media Line.

Following the latest leaks of diplomatic cables, the U.S. State Department entered self protection mode and restricted the access of classified information from being shared with other U.S. agencies.

Before the 9/11 attacks on the World Trade Center, the United States employed much stricter “need-to-know” classifications on confidential documents. Ironically, that helped the terrorists to move forward with their plot because government officials couldn’t easily share information.

Subsequently, the U.S. let down some of its secrecy guard to allow better communication among various intelligence bodies. Some half a million people employed in the U.S. military and government agencies have access to the Secret Internet Protocol Router Network, or SIPRNet, the worldwide web of the intelligence world.

Stung by Wikileaks several times, the U.S. is now engaged in a shift away from information sharing, the price to be paid for that post-9/11 openness. But a top official of the North Atlantic Treaty Organization (NATO) reacted by cautioning against a heavy roll back on information sharing.

If the U.S. failed somewhere, “it is not in sharing, but in implementing the appropriate safeguards to detect this volume of downloading,” Canadian Army Maj. Gen. Glynne Hines, who oversees the alliance’s information sharing policy as director of the NATO command, control and consultation staff in Brussels, was quoted as saying by Defense News.

Unlike Israel, in the U.S., user-monitoring software capable of sounding alarms when users download large amounts of data isn’t yet in place, according to Defense News.

Monday, December 6, 2010

Twitter Trojans

Holiday hackers are taking advantage of holiday themes on Twitter to trick users into clicking and opening malware on their computers. They are writing tweets like “Nobody cares about Hanukkah” or “Shocking video of the Grinch” and when users click on them, they end up at a fake codec site which leads to a malicious Trojan downloader. The hackers literally flood Twitter with these messages and sit back and watch their victims download the malicious Trojans. Recently, 300 Twitter accounts have been identified as targeting various trending topics on the website.

The actual cause of this event is people who like to create problems for naïve people. These people have nothing better to do during the holiday season than creating malware and viruses and sending them around the World Wide Web and watching people accidentally download their viruses.

First of all, everyone should have anti-virus on their computers, and hopefully when someone unknowingly clicks on this Trojan downloader, the anti-virus will catch it. If not, the person is out of luck, because they should be smart enough not to click on anything that looks suspicious. Just as we are told not to open an email if we do not know who it is from, we should not click on links on Twitter, or any website for that matter, if we don’t know the person who put the link there in the first place. It is awful that people always need to be on their guard when browsing on their computer, but there are awful people in this world who have made this necessary.


http://www.esecurityplanet.com/features/article.php/3915636/Holiday-Twitter-Topics-Concealing-Malware.htm

Smart Grids: Security Review

In the quest for cleaner and more efficient energy, smart grid technology has slowly been upgrading the world's power infrastructure, especially here in the United States. A smart grid is essentially a form of electricity networking that utilizes digital technology as a way of addressing energy independence, global warming, and emergency resilience issues. Using two-way digital communications, a smart grid can deliver electricity from a supplier to a consumer, and allows the control of appliances at consumers' homes. This saves energy, reduces costs, and increases reliability and transparency. What makes a smart grid so amazing is that it overlays an ordinary electrical grid, rather than replaces it. The smart grid supplies the original electrical grid with an information and net metering system. The communication of information about grid conditions makes it possible to have dynamic response to these conditions. For example, when power is least or most expensive, appliances and factory machines can be turned on or off respectively to cut costs. What really puts a smart grid over the top is that it is capable of integrating renewable energy, such as solar or wind, into the system.

The goal of such smart grids is to route power efficiently to respond to a wide variety of changing conditions. While smart grids appear to be a simple upgrade from old centralized power distribution, the technology behind them is extremely complex. A smart grid employs the use of integrated communications, intricate sensors and meters, and advanced components and controls supported by constantly improving standards and support groups. With all these highly technological components and the wide scope of a single smart grid's influence, protecting these smart grids is not only of utmost importance, but a difficult challenge as well. The most important security goal when dealing with a smart grid is keeping communications operating. The communication process between the power supplier and the consumer is at risk of having the confidentiality, integrity, or availability of that data compromised. If terrorists or any enemies of the state were to gain access to the communications in a smart grid, they could potentially shut off power to massive portions of the nation. Someone with malicious intentions could even gain access to smart grid communications and push excess power to one specific area, causing serious overloads. If communications were to be interrupted in any way, a lot of people could be out of power. On a less severe note, anyone with malicious intent could tamper with meters and cause power to be redirected in such a way that they essentially receive free power.

Unfortunately for these great systems, smart grids have been found to be frighteningly vulnerable to security attacks. During the 2009 Black Hat security conference in Las Vegas, it was revealed that these smart grids have some weaknesses in their smart meters. This problem was brought to light after reports of attackers targeting U.S. power grids. The problem lies in more and more companies electing to use the remote control features on the meters and switches provided by smart grids. This gives companies the ability to shut off utilities when bills aren't paid and turn them back on when bills are paid. While this provides rapid reaction, it makes these meters and switches high-value targets. A potential attack on these smart meters could lead to significant harm to the infrastructure of our nation. If power were to be shut off to military areas, it would be difficult to get back up and running fast. Of course these risks are inherent in any smart system such as the smart grid. No matter how much security is provided, hackers and attackers alike with malicious intent will find new ways to exploit a system that is meant to better the country and the world. With smart grids starting to run more and more power throughout the country and the world, they will become larger targets for those intending to do evil, and attempts to compromise their security are inevitable.

Thankfully, countries such as the U.S. have been developing security protocols to protect this great technological asset. For example, the National Institute of Standards and Technology has already released a three-phase plan for developing standards for the technology. While this is a good first step, some believe the standards will face some of the same security concerns that surround PCI DSS. In the pursuit to secure smart grids, reports predict that between 2010 and 2015 the U.S. will spend about 15% of all smart grid investments on cybersecurity. That's close to $1.5 billion. The rest of the world is looking to do the same and is predicted to spend a combined $20 billion on smart grid cybersecurity. I would recommend that countries continue to invest in smart grid technology, and also continue investment in securing these smart grids. While smart grid technology provides a great improvement to any nation's infrastructure, it is important that the technology is well protected and understood. Any standards that are developed should be carefully drawn out and vigilantly enforced. If my company were to employ the use of a smart grid, I would recommend trained teams for emergency response and strict adherence to any guidelines. By keeping security a top priority, smart grid technology can be a great thing for the world.

http://www.eweek.com/c/a/Security/Smart-Grid-Security-in-the-Spotlight-at-Black-Hat-252301/
http://news.cnet.com/8301-11128_3-20008552-54.html
http://en.wikipedia.org/wiki/Smart_grid

Sunday, December 5, 2010

Smart Phone Security Helps Catch Thieves

On December 1, Stalin Guzman had his car stolen with his smart phone inside. Guzman called the police and then got online on his home PC. On his Android phone, Guzman had the Lookout mobile security application, a free, downloadable phone app which has a variety of different uses. The free version of the app protects against viruses and backs up files. There is a premium version of Lookout for $29.99 a year which offers location tracking, a locator "scream," and remote lock/data wiping. Guzman, being a premium member, was able to get online and access the Lookout site to track where his car was. He informed authorities and just seven minutes later, police cars surrounded his stolen car with the thief inside.

Virtually everyone has some form of a mobile device. With new technology like the Lookout app being installed on more advanced devices, smart phones are becoming a security tool for their users. Most smart phones contain their user's personal information. Apps like Lookout have security measures that can lock a user's data remotely in the event the phone is lost or stolen. Now with technology that can locate the phone remotely if it's stolen, security is even stronger not only for the phone but, as in Guzman's case, for wherever the phone may be. More mobile devices should have security applications with the diversity and effectiveness of Lookout. As the technology advances, more and more applications like Lookout will exist. The only problem with Lookout is that the cost might prevent some users from buying the premium version, which provides the most security. Unfortunately it seems that the only way to have the best kind of security is to spend a little money. When it comes to security, spending $29.99 a year is reasonable for the types of services provided and should be purchased by anyone with an Android phone. With more smart phones and improving security technology, more crimes can be stopped just like with Guzman's car.

http://www.cnn.com/2010/TECH/mobile/12/03/mobile.app.carjacker/index.html

Thursday, December 2, 2010

Hackers Issue Bogus Amber Alert

Over the weekend Iowa's Amber Alert and Accident Report websites were hacked through the use of offshore computers. Investigators are looking into the attack, but it currently does not look like any sensitive data such as Social Security Numbers were compromised. The attack was not particularly disruptive, and merely re-issued an Alert from February 2009. However, the websites have been down for four days in order to do the investigation. Although the Amber Alert website was down, alerts could still be released through the National Weather Service, the Emergency Alert Service, and the media. The interesting point is that this is not the first time that the Amber Alert website has been attacked. In 2009 it was the victim of a flood of fake Alerts. Representatives of NIC, the e-government service provider behind the sites, refused to comment on whether other applications from the same service were also attacked. There is no word when the websites will be restored, but the service is working to get them running again and to fix flaws that could lead to future problems.

The vulnerability that led to the attack was found in a Web-based application built by Iowa Interactive, a subsidiary of NIC. The state server that hosted the application, however, was not compromised in the attack. The scale of the problem could grow if other similar NIC applications were, or could be, attacked. NIC counts more than 3,000 state, local, and federal government agencies as clients, and in the last year it processed more than $11.4 billion in secure payments. The cause of the problem may have been in this one web application, but if there were problems in others the problem could grow even larger.

First of all, I believe that NIC and Iowa Interactive need to go through and check every system they provide. They need to check for the hole that caused the problem as well as double-checking for other holes that could cause problems. Second, I believe the state of Iowa needs to go through its systems for failures. Lastly, it falls on the systems that were compromised. This was not the first time that the Amber Alert had been the victim of an attack. This fact proves that the systems have flaws. The systems and applications must be checked and double-checked to ensure that everything is in working order and secure. Perhaps issues from the first attack were never fixed, or perhaps new ones had been exploited. The role of all the groups involved, NIC, the state, and the Amber Alert and Accident Alert systems, is to check everything for security. This attack was relatively innocent, but it could have been much worse. It is the job of these groups to protect against something worse occurring next.

Security Review: Xbox Live

Xbox Live is an online multiplayer gaming and digital media delivery service created by Microsoft Corporation. It charges users a fee to play multiplayer games. With Microsoft's new mobile operating system, Windows Phone 7, Xbox Live will be integrated into new Windows Phones. Furthermore, the system has been integrated into social networking sites to find friends you played online with. To pay for the online gaming experience, users enter their data and credit card information through their console into the Xbox Live network. Xbox Live features include: a marketplace for downloads, instant messengers, friends' lists, a personal bio, a Netflix account link, an MSN portal, personal gaming settings, social media linkups, gaming location, and a voice/video mod.

There are a number of security risks with Xbox Live spanning the entire CIA Triad. An attack on the system seems to be a likely risk as the online gaming community is technologically intelligent. An unauthorized user could target an Xbox Live account in order to steal personal information and credit card data. They could also target availability and make it so that an account holder is not able to access their own account, or even pose as a real user. And finally, the attacker could target the account's integrity by changing the account holder's bio, friends list, preferences, etc. Further security risks include entry into social media sites, Netflix accounts, MSN portals, and cell phone operating systems all through the Xbox Live account. This is all a risk on Xbox Live because if you can obtain a user's gamertag and password you can access their account and modify it. From the Xbox Live account you can enter other Microsoft applications with ease. It would be harder to enter social media and Netflix sites because further passwords are necessary. However, just knowing one password greatly increases the likelihood that you can hack into others. Again, an advanced hacker may be able to skim credit card information from future downloads and even steal card information or completely hijack the account once accessed.

If I were an attacker I would definitely target the broad step of stealing accounts temporarily. Gamertags (usernames) are not protected and are visible to all people with an Xbox and an internet connection. However, if I were able to steal passwords for these gamertags I could renew subscriptions, transfer account details, change cardholder information, alter the bio, alter the friend list, and deny the original user access. Furthermore, an attacker could easily hack an account and disclose the real user's home address and other information to the online community. I believe that this is the real weakness and probable attack. I have personally accessed my friends' Xbox Live accounts before and I can see how easy it would be to copy their information, alter its integrity, and disclose it to a vast number of people.

I think that Xbox Live technology has the basic weaknesses that we have been talking about in class that go along with all sites and delivery services. Whenever you are assuming an online identity, the risks of theft and alteration greatly increase. We have talked a lot about credit card theft and I think this is a real threat if an account is hacked. Additionally, in much the same way social media works, Xbox Live presents the opportunity for an attacker to alter and disclose personal information on a wide level. This is because you are basically leaving a digital footprint and also creating an online identity that many people with internet access can view and get close to. This is an inherent threat with this type of technology.

My recommendation to Microsoft regarding the security risks of Xbox Live would be to mitigate the risk and to transfer some of the liability. Xbox Live accounts contain a wide array of personal information, credit card data, and links to other sites on which the user would have personal records. This variety and amount of information must be protected by Microsoft and Xbox. They need to consistently be on top of the hackers and always practicing the most up-to-date technologies and mitigation techniques that prevent illegal attacks. Furthermore, Microsoft needs to make all of their users aware of the threats that accompany adding friends and also of the importance of keeping their passwords protected. Microsoft also needs to remind users that all their passwords (Live account, Netflix, social media) should be different from each other so as to stop an attacker from totally hijacking an online identity. Finally, Microsoft should transfer some of this risk by purchasing a large insurance package against potential hacking into accounts.