Wednesday, September 29, 2010

Zeus "Mitmo" Attack

It seems that hackers have found a way to get around yet another security measure. The hackers behind the infamous Zeus trojan have been able to successfully exploit text messages that banks send to users as a second form of authentication for account transactions. In order for this to work, the Zeus trojan must first invade a user’s PC. Then, users are led to a website that advertises a security update for their cell phone. In order to receive this supposed update, the user then enters their cell phone number, model, and vendor.


Zeus uses this information to send a text message to the person’s phone that contains a link to their “security certificate.” Once the user clicks on the link to download this “certificate,” the mobile version of Zeus is installed on their phone. This allows Zeus to monitor any incoming messages and installs a “backdoor” to accept and carry out commands received through text messages.


Once all of this occurs, the hacker has all he/she needs to make transactions with the user’s bank account. They simply have to log in using the stolen username and password and command the user’s mobile phone to send them the authentication text message so they can fill it in. This is sometimes referred to as a “Mitmo” or “Man in the Mobile” attack, and so far it has only affected Blackberry and Symbian phones.


I think that it is extremely important for users of online banking services to frequently monitor their account transactions and report anything that does not look familiar. Users should also be extremely wary about entering any kind of information (such as their phone model and number) into a website. If a website claims to be offering a security update for your phone, it would probably be wise to contact the phone company first to make sure that it is a valid update.

As for the phone companies, I think it would be helpful if they followed Apple’s lead in requiring all extra installations and applications to go directly through Apple (via iTunes) instead of any outside sources. As the article mentions, this has protected the iPhone from many of these kinds of problems. It is also important for banks to continue to create new and more secure ways of authentication for transactions in order to remain one step ahead of the hackers.



http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html
http://www.scmagazineuk.com/mobiles-used-by-zeus-as-sms-messages-are-used-to-deliver-one-time-passwords/article/179764/

Thursday, September 23, 2010

Stuxnet worm 'targeted high-value Iranian assets'

One of the most sophisticated pieces of malware ever detected was probably targeting "high value" infrastructure in Iran, experts have told the BBC.

Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed.

It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.

It was first detected in June and has been intensely studied ever since.

"The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it," Liam O'Murchu of security firm Symantec, who has tracked the worm since it was first detected, told BBC News.

Some have speculated that it could have been aimed at disrupting Iran's Bushehr nuclear power plant or the uranium enrichment plant at Natanz.

However, Mr O'Murchu and others, such as security expert Bruce Schneier, have said that there was currently not enough evidence to draw conclusions about what its intended target was or who had written it.

India and Indonesia have also seen relatively high infection rates, according to Symantec.

'Rare package'

Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009.

Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons.

Instead it infects Windows machines via USB keys - commonly used to move files around - infected with malware.

Once it has infected a machine on a firm's internal network, it seeks out a specific configuration of industrial control software made by Siemens.
[Image: Siemens factory. Caption: The worm searches out industrial systems made by Siemens]

Once hijacked, the code can reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions.

"[PLCs] turn on and off motors, monitor temperature, turn on coolers if a gauge goes over a certain temperature," said Mr O'Murchu.

"Those have never been attacked before that we have seen."

If it does not find the specific configuration, the virus remains relatively benign.

However, the worm has also raised eyebrows because of the complexity of the code used and the fact that it bundled so many different techniques into one payload.

"There are a lot of new, unknown techniques being used that we have never seen before," he said. These include tricks to hide itself on PLCs and USB sticks as well as up to six different methods that allowed it to spread.

In addition, it exploited several previously unknown and unpatched vulnerabilities in Windows, known as zero-day exploits.

"It is rare to see an attack using one zero-day exploit," Mikko Hypponen, chief research officer at security firm F-Secure, told BBC News. "Stuxnet used not one, not two, but four."

He said cybercriminals and "everyday hackers" valued zero-day exploits and would not "waste" them by bundling so many together.

Microsoft has so far patched two of the flaws.

'Nation state'

Mr O'Murchu agreed and said that his analysis suggested that whoever had created the worm had put a "huge effort" into it.

"It is a very big project, it is very well planned, it is very well funded," he said. "It has an incredible amount of code just to infect those machines."


His analysis is backed up by other research done by security firms and computer experts.

"With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," said Ralph Langner, an industrial computer expert, in an analysis he published on the web.

"This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state," he wrote.

Mr Langner, who declined to be interviewed by the BBC, has drawn a lot of attention for suggesting that Stuxnet could have been targeting the Bushehr nuclear plant.

In particular, he has highlighted a photograph reportedly taken inside the plant that suggests it used the targeted control systems, although they were "not properly licensed and configured".

Mr O'Murchu said no firm conclusions could be drawn.

However, he hopes that will change when he releases his analysis at a conference in Vancouver next week.

"We are not familiar with what configurations are used in different industries," he said.

Instead, he hopes that other experts will be able to pore over their research and pinpoint the exact configuration needed and where that is used.

'Limited success'

A spokesperson for Siemens, the maker of the targeted systems, said it would not comment on "speculations about the target of the virus".

He said that Iran's nuclear power plant had been built with help from a Russian contractor and that Siemens was not involved.

"Siemens was neither involved in the reconstruction of Bushehr or any nuclear plant construction in Iran, nor delivered any software or control system," he said. "Siemens left the country nearly 30 years ago."

Siemens said that it was only aware of 15 infections that had made their way on to control systems in factories, mostly in Germany. Symantec's geographical analysis of the worm's spread also looked at infected PCs.

"There have been no instances where production operations have been influenced or where a plant has failed," the Siemens spokesperson said. "The virus has been removed in all the cases known to us."

He also said that according to global security standards, Microsoft software "may not be used to operate critical processes in plants".

It is not the first time that malware has been found that affects critical infrastructure, although most incidents occur accidentally, said Mr O'Murchu, when a virus intended to infect another system accidentally wreaked havoc with real-world systems.

In 2009 the US government admitted that software had been found that could shut down the nation's power grid.

And Mr Hypponen said that he was aware of an attack - launched by infected USB sticks - against the military systems of a Nato country.

"Whether the attacker was successful, we don't know," he said.

http://www.bbc.co.uk/news/technology-11388018

Tuesday, September 21, 2010

Twitter Worm Bug

On Tuesday, a worm that had been previously fixed resurfaced on Twitter's website. This was a serious bug that led to many fast-spreading worms on the website. While the bug was contained later the same day, it caused havoc while it ran loose, sending either a blacked-out message or Japanese pornography to all of a user's followers. The bug managed to do such a great deal of damage because users did not need to click a link to spread the worm. Rather, they merely needed to hover their mouse over a specially written link in a Twitter message. This action executed malicious code that spread the bug. Reports claim that one hundred thousand people, including Sarah Brown, former British Prime Minister Gordon Brown's wife, and White House Press Secretary Robert Gibbs, were affected by the bug.
This is not the first time that Twitter has fallen victim to a worm. Last year, a seventeen-year-old boy released a worm on the site. This time, a Japanese hacker discovered the problem. He attempted to contact Twitter for several days regarding the issue, but ended up deciding to test the problem with a worm code. The worm was then copied by many others. Representatives from Twitter report that the majority of the worms fell under prank or promotional categories, and there is no reason to believe that the problem could cause damage to users' accounts or computers. They claim that there is no need to change passwords because account information was not compromised in the attack.
The cause of this event is two-fold. First, the worm was able to get through because there existed a basic Web programming error that allowed users to add JavaScript to their tweets. The problem could have been avoided if the corporation had noticed the problem itself, or listened to the Japanese hacker when he discovered the problem. The second cause was that a recent site update uncovered the previously discovered and fixed problem. The issue had been public knowledge since August 23 and had been fixed. However, the update uncovered the issue once more. Had Twitter looked into the update and what was happening, they could have side-stepped the problems. Monitoring of the website could also have discovered the issue, as the Japanese hacker did.
Because of the lack of confidentiality, integrity, or availability breaches related to the worm, there is no action that Twitter users need to take in order to respond to the bug. However, if they are worried about future issues related to the site, they may want to contact Twitter directly or cancel their subscription to the site. The corporation, on the other hand, needs to respond by solving the problems that were listed above. This attack may not have compromised any sensitive data, but a future attack may. By solving the problems of users having the ability to add JavaScript to tweets and issues from the update going unnoticed, Twitter can avoid future security breaches of this nature.

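The "basic Web programming error" described above is user text being inserted into page markup without encoding for the context it lands in. The following is an added illustration written for this post, not Twitter's code: a minimal tweet renderer in the vulnerable form (user text dropped straight into an `href` attribute) beside an encoded form, run over a constructed tweet whose URL contains a double quote. The sample input, the regular expression and the function names are assumptions made for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample tweet: the URL carries a double quote followed by an
# extra attribute. In an unencoded href="..." the quote closes the attribute
# and whatever follows becomes markup of the attacker's choosing.
SAMPLE_TWEET = 'look at this http://example.com/"data-injected="1 and more'

URL_RE = re.compile(r'https?://\S+')


def safe_href(url: str) -> Optional[str]:
    """Only http(s) URLs with a host are linked; anything else is shown as text."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_tweet_unsafe(text: str) -> str:
    """The defect: raw user text is interpolated into an attribute and element body."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def render_tweet_safe(text: str) -> str:
    """Every piece of user text is HTML-encoded for the context it is placed in.

    html.escape(quote=True) turns " into &quot; and ' into &#x27;, so a quote in
    the URL can no longer terminate the href attribute, and < > & in the
    surrounding text cannot open tags."""
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(0)
        label = html.escape(url, quote=True)
        href = safe_href(url)
        if href is None:
            out.append(label)
        else:
            out.append(f'<a href="{html.escape(href, quote=True)}">{label}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    print("unsafe:", render_tweet_unsafe(SAMPLE_TWEET))
    print("safe:  ", render_tweet_safe(SAMPLE_TWEET))
```

Encoding is applied at output time and per context; a separate allow-list on the URL scheme keeps non-http links from becoming clickable at all. The same attribute-context encoding would have made the hover-triggered worm's link inert.
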
Monday, September 20, 2010

Google's New 2-Factor Authentication Feature

I was pretty shocked when I read this article and realized that I understood something that Google was doing, and why they were doing it, at least generally.

Four hours ago, Jason Kincaid wrote, about two-factor authentication, that "Today, Google is announcing that it’s bringing the security feature to its millions of users: the feature will be rolling out first for Google Apps Premiere, Education, and Government edition customers, with plans to bring it to all Google users (even those who aren’t using its Apps suite) in the next few months." The article incorporates some explanation of what "this new security feature" can offer users, like greater protection against phishing scams and having a password hacked.

I applaud Google for taking this step toward a higher level of security in their authentication process, but is it really going to do what it claims?

What Google says it will do is circumvent the inherently expensive existing methods of 2-factor authentication implemented primarily by major corporations and let the everyday person experience an increased sense of protection from the myriad internet scams and crimes out there. But in order to make 2-factor authentication something that doesn't compromise the high number of Google accounts, Google may be taking a risk in terms of the viability of their 2-factor authentication system. What word(s) stand out to you in the following description of the system?

"Google’s system doesn’t require a physical keycard. Instead, it relies on your mobile phone. First, you need to activate the optional feature from your settings page (...only available to certain Google Apps customers at first). Then, when you go to sign in to your Google account, you’ll first be asked to enter your password as usual. Next, you’ll be brought to a screen asking for a verification code [that] comes from your mobile phone, which you’ve previously linked up to your Google Account."

For me, the word "optional" makes this whole 2-factor authentication "system" more like a feature. It doesn't make using GMail safer. For example, say you use 2-factor authentication because you are smarter than the average bear, but your buddy doesn't know any better. What happens to you when your buddy's email account is hacked and you suddenly get some serious malware on your computer because you opened a link from an e-mail source you trusted? Not all Google accounts are safer. In fact not even the people who use 2-factor authentication are necessarily "safer."

Of course, it makes sense that the feature is optional, since it doesn't seem like Google has a way to ensure that users without smart phones or even mobile phones can pull this off. I think of my poor Grandmother. Kincaid's article did say, however, that Google would give your landline a ring with the authentication code if you don't have a cell phone. But who is going to do that? And what about people who don't have phones (they're out there... think of people without the resources to afford a phone but who were able to set up their own GMail accounts at a library computer, for example).

All in all, I'd say this 2-factor authentication from Google isn't all it's cracked up to be.

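The sign-in flow quoted above (password first, then a verification code delivered to a previously linked phone) can be made concrete in a few dozen lines. This is an added example written for this post, not Google's implementation: the time-to-live, attempt limit, PBKDF2 parameters and function names are assumptions, and the code is returned to the caller only so the example can run offline, where a real service would send it by SMS or voice call.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses void the code


@dataclass
class PendingCode:
    digest: str          # only a hash of the code is stored server-side
    expires_at: float
    attempts: int = 0


@dataclass
class User:
    password_hash: bytes
    salt: bytes
    phone: str           # the second factor is bound to this linked number
    pending: Optional[PendingCode] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(password: str, phone: str) -> User:
    salt = secrets.token_bytes(16)
    return User(hash_password(password, salt), salt, phone)


def check_password(user: User, password: str) -> bool:
    """First factor: constant-time comparison of the salted hash."""
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


def issue_code(user: User, now: float) -> str:
    """Called only after check_password succeeded. Generates a fresh 6-digit
    code, records its hash and expiry, and returns the code for delivery."""
    code = f"{secrets.randbelow(10**6):06d}"
    digest = hashlib.sha256(code.encode()).hexdigest()
    user.pending = PendingCode(digest, now + CODE_TTL_SECONDS)
    return code   # would be sent to user.phone, never echoed to the browser


def verify_code(user: User, submitted: str, now: float) -> bool:
    """Second factor: single use, time-limited, guess-limited."""
    p = user.pending
    if p is None or now > p.expires_at:
        user.pending = None
        return False
    p.attempts += 1
    ok = hmac.compare_digest(p.digest, hashlib.sha256(submitted.encode()).hexdigest())
    if ok or p.attempts >= MAX_ATTEMPTS:
        user.pending = None   # consumed on success, voided after too many guesses
    return ok


if __name__ == "__main__":
    u = register("correct horse battery staple", "+1-555-0100")  # constructed values
    assert check_password(u, "correct horse battery staple")
    code = issue_code(u, now=0.0)
    print("code delivered out of band:", code)
    print("verified:", verify_code(u, code, now=10.0))
```

The properties worth checking in a design like this are the ones the post's criticism touches: the code expires, it cannot be replayed once used, and a handful of wrong guesses void it rather than letting a six-digit space be searched.
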
Saturday, September 18, 2010

VA's New Security Measures

This article outlines the software applications and data scanning tools the Department of Veterans Affairs is implementing. This comes as an effort to “get visibility on every device on our network” and “have a complete view of the vulnerabilities in our enterprise,” says VA CIO Roger Baker. The systems, which cost about $50 million, will be able to identify laptops that exist on the network that are not encrypted, as well as enable security operations managers to monitor the status of hardware and software patches on all department computers. Additionally, the VA can then obtain electronic evidence when there are security breaches and automatically fix compromises when applicable. There are also increased security measures for contracting companies that help the VA provide healthcare and benefits. These include encryption and other policies that limit who can access veterans’ sensitive data.

The department has been under scrutiny over recent years because of several security breaches. The most notable is the one we discussed in class: in 2006, a laptop theft left the personal information of 26 million veterans in jeopardy. This year, six computers were reported lost in June and July, and in August, ten laptops were missing from the VA’s inventory. A handful of these had been encrypted, but some had not. The number, not to mention severity, of the incidents seems to be a red flag indicating something needs to be done to heighten security in order to prevent future problems. The new security measures that widen visibility in the whole department are steps in the right direction for the VA.

Of course this is easier said than done, but it seems like the VA has taken too long in implementing such measures. It has been four years since we first learned about the department’s vulnerabilities, so it seems like they would have done more to address this issue sooner. After the visibility software is in place, it is also important that managers and department officials monitor and appropriately deal with the software’s findings. It would be useless if the system identifies vulnerable computers, but managers do nothing about the threats. Also, the article suggests that the “sprawling, decentralized structure” of the VA contributes to the difficulty in effectively imposing security across the entire department. We read about the organizational problems of the VA in our case study, and perhaps there is a larger structural issue that the department needs to fix first.



Article cited:
http://www.govhealthit.com/newsitem.aspx?nid=74675


Also used:
http://www.nextgov.com/nextgov/ng_20100917_6367.php?oref=topstory

Outage for JPMorgan Chase

On September 14th, news broke that JPMorgan was suffering from "technical difficulties", and there was an outage affecting customers' ability to access their account online. When a user tried to log on, he/she would encounter a simple message, "Log on Later." The online access was disabled Monday night and remained offline all of Tuesday. Some users even reported problems through Wednesday. Consumers have gotten accustomed to their ability to bank online, and any outage could cause unrest among the bank's customers.

JPMorgan, the second largest bank in America, said that the outage was due to a "third party database company's software." They also stated that the problems were due to a failure in their authentication process. The bank claims that no customers' information has been compromised.

Although no sensitive information was leaked during the outage, the fact that accessibility was compromised is important. The exact cause of the breakdown is not clear, but blaming a third party company for an authentication problem seems odd. I agree with Mr. Monash in the article when he says, "It's hard to imagine that they would outsource authentication - it's too core." Authentication is a very important step in access controls, especially for online banking.

JPMorgan needs to take action with respect to this event. Although the precise source of the outage is not clear, if this third party company has anything to do with it, I would strongly reconsider the relationship with them. If I were in charge of JPMorgan I would attempt to change the authentication process to our control. Then, if for some reason there were another outage, we would be able to get the system back online faster than 2 days.

JPMorgan's clients expect 100% accessibility of their own accounts, whether it is online, at an ATM, or even in the bank. If I were a customer, and this happened again, I would definitely be worried about the security of my bank and most likely change banks.

http://www.computerworld.com/s/article/9186238/JPMorgan_Chase_deposits_blame_sort_of_for_outage_?taxonomyId=17
http://www.computerworld.com/s/article/9185420/JPMorgan_Chase_s_online_banking_site_crashes?taxonomyId=17

Friday, September 17, 2010

Stuxnet: The best of the worst

The Stuxnet worm is a recently found worm that has been labeled as "groundbreaking" by many antivirus professionals. This malware targets Windows machines that contain "supervisory control and data acquisition software" (SCADA). SCADA software is used to manage large industrial systems of varying sorts. Traced back as far as June of 2009, Stuxnet was a very sophisticated, precise, and impressive malware program. When the worm was first recognized, a patch was developed for the "zero-day" vulnerability that was found. A "zero-day" threat is simply malware code that exploits unpatched holes in software that the software companies are not aware of. In the past month and a half Stuxnet has been rediscovered and antivirus companies have found THREE more zero-day threats. This is unprecedented and is a first in the history of malware.

Using a USB drive to deliver the worm, Stuxnet contained a print spooler bug, two elevation of privilege (EoP) bugs, and a bug that exposed the same vulnerability as the familiar Conficker worm (attacking the computer's usernames and passwords). In conjunction with all of these bugs, "the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates." It is also believed that the code was so specific that the programmers would have needed the same hardware as the SCADA machines that they were targeting, and they also must have had knowledge about the specifics of the operations of the factory floor. The hackers also took efforts to minimize the risk of their discovery by creating counters so that the different infected USBs could not spread to more than three machines. This also ensured that the bug only spread to the necessary target machines.

The resources and financial backing that must have been necessary to support this attack indicate that this was too large scale to be a private attack. Similarly, there was no intention of stealing information, which also implies that this was not a private attack from some sort of competitor. The attack was targeted at Iran with the intention of controlling the machinery against the real operator's control. It appears to be above simple "industrial espionage."

The cause was a security breach via USB that compromised the authority to control the SCADA program on the targeted machines. In order to recover from and respond to this attack, I would recommend getting the patch updates that the antivirus companies produced for all four of the zero-day attacks. Furthermore, if it is feasible, I would consider some stricter security software with more authentication processes. This particular case could also have been avoided if there had been a stricter policy regarding the use of USB drives. In the future, it is important for these companies, and all companies, to be very aware of the potential for malware attacks. Although this high-tech and very intelligent attack is difficult to detect, it is always good to consistently update antivirus software and regularly test your major computer software.

http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_?taxonomyId=17&pageNumber=1

Thursday, September 16, 2010

New Hacking tool targets Microsoft Applications

Recently, a new hacking tool has been created that targets faulty AES encryption in Microsoft ASP.NET applications. The hackers can view encrypted cookies that contain different personal information, like social security numbers and banking information. It was actually developed by two researchers, Juliano Rizzo and Thai Duong. Basically a hacker can decrypt cookies without knowing the encryption keys. This hacking tool automates the process of finding unprotected website cookies and then decrypts them. Many websites contain unprotected cookies to gather information about the user. Luckily for most people, the majority of banks have protected cookies and require some other type of access code, like the jumbled letters and numbers, to get into their website after typing in your user name and password.

This is a disheartening article and simply makes online users feel even more unsafe on the internet. The developers said that the vulnerabilities exploited affect the framework used by 25% of the internet's websites. Also, by releasing this information, it gives people with bad intentions an opportunity to figure out how to use this tool and then implement it on unsafe web users.

I recommend that internet users do not browse without having some type of antivirus, even though that probably won't protect them 100%. I suggest that they be very cautious about what websites they are putting their valuable information into and really not trust any site that seems like it could be easily hacked.

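The difference between the "unprotected" and "protected" cookies the post contrasts comes down to whether the server checks the cookie's integrity before it decrypts, and whether its error messages tell the two failure cases apart. The block below is an added illustration written for this post, not the researchers' tool and not ASP.NET's code. It uses an HMAC-based toy keystream in place of AES purely so that padding exists to be validated; the keys, sample payload and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

BLOCK = 16   # padding granularity, as with a 16-byte block cipher


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) standing in for the real
    # cipher. Not AES; present only so the padding logic has something to wrap.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> Optional[bytes]:
    """PKCS#7 check; None when the padding bytes are inconsistent."""
    if not data or len(data) % BLOCK:
        return None
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: token = nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = secrets.token_bytes(16)
    padded = _pad(plaintext)
    ct = bytes(a ^ b for a, b in zip(padded, _keystream(enc_key, nonce, len(padded))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_leaky(enc_key: bytes, mac_key: bytes, token: bytes) -> str:
    """The weak shape: decrypt and check padding first, MAC second, and
    report which step failed. The two distinct errors are the oracle."""
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    padded = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    if _unpad(padded) is None:
        return "error: invalid padding"
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return "error: bad signature"
    return "ok"


def open_safe(enc_key: bytes, mac_key: bytes, token: bytes) -> Optional[bytes]:
    """The protected shape: verify the MAC over the whole token before any
    decryption, and collapse every failure into the same result."""
    if len(token) < 16 + BLOCK + 32:
        return None
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    padded = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return _unpad(padded)


if __name__ == "__main__":
    ek, mk = secrets.token_bytes(32), secrets.token_bytes(32)
    tok = seal(ek, mk, b"user=alice")          # constructed cookie payload
    damaged = bytearray(tok)
    damaged[-33] ^= 0x01                       # flip the last ciphertext byte
    print("leaky:", open_leaky(ek, mk, bytes(damaged)))   # names the padding step
    print("safe: ", open_safe(ek, mk, bytes(damaged)))    # just None
```

Flipping a byte that lands in the padding makes `open_leaky` answer "invalid padding", while flipping a byte elsewhere makes it answer "bad signature"; a client that can tell those apart learns something about the plaintext from each probe. `open_safe` rejects both identically, and because the MAC covers the ciphertext it never decrypts data it did not produce.
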

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1520252,00.html

Facebook Security Improving

Anyone who has a Facebook knows that spam is commonplace. It is not unusual to log in and find that a “friend” who you never talk to has posted a link on your wall saying “Check out these pictures!,” or that you’ve received a message from a random person telling you to try out a product for free. In fact, we are so used to this spam that most of the time we just ignore it.


After almost 7 years since Facebook was founded, it seems that its owners are finally recognizing more of its security problems and are trying to fix them. The newest improvement allows users to see when and where their accounts are being accessed. Facebook uses information from a user’s IP address to report the operating system, browser, and approximate time and place of a login. A user can view this information by logging on to Facebook and going to the Account Security section under the Account tab. Then, if there was an unauthorized login to the account, they can click “deactivate” to stop this activity.


This control is very useful because it not only gives you a way to stop spammers that have developed ways to log into your account and send hundreds of unwanted messages and wall posts to your friends, but it also enables you to log out of accounts that you’ve accidentally left open. The only major problem that I see with this security control is that it can also be used by the hackers themselves. If someone was already able to log into your account, they could easily go to your account settings and end your activity, making it impossible for you to access your own account. So while this is a significant improvement in Facebook’s security, it still has a long way to go.


I think that requiring users to set complicated passwords and change these passwords every so often would be a good step to make Facebook more secure. Another option would be to use CAPTCHAs (distorted words) to prevent hackers from programming computers to automatically log in to Facebook accounts. These are just a few suggestions, but Facebook is going to need to do a lot more to keep its users secure. This is especially true because of the nature of the site. Few websites have as much information about so many people as Facebook does, and users need to be assured that the information that they put up on this social networking site is safe.


http://www.computerworlduk.com/news/security/3238073/facebook-introduces-new-security-measures-that-kicks-out-spammers/


Monday, September 13, 2010

Here You Have

Sep 10 2010 2:06AM GMT

Posted by: Marcia Savage

An old-style email worm was spreading Thursday, antivirus vendors reported. The malware, named “Here you have” for the message it carries in the subject line, includes a link that appears to be a PDF file but instead is a malicious program, according to McAfee.

If someone clicks on the link, the malware sends itself to all the contacts in the recipient’s address book and tries to disable security software. The worm harkens back to the "I LOVE YOU" virus that inundated email boxes 10 years ago. In fact, the Anna Kournikova mass-mailer from 2001 also used “Here you have” in its subject line.

ABC News reported that it was hit by the new worm, along with NASA, Wells Fargo, Comcast and Disney.

McAfee rated the malware as a medium risk.


http://itknowledgeexchange.techtarget.com/security-bytes/here-you-have-email-worm-spreads/

Thursday, September 9, 2010

Cryptography Slides

The slides on cryptography are available at:

DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY PROGRAMS NOT SO SECURE

by Mickey McCarter
Thursday, 09 September 2010

DHS cyber wing could boost its own security, IG says

The cybersecurity division of the Department of Homeland Security (DHS) could itself improve the security posture of its information systems, the DHS inspector general (IG) reported Wednesday.

While the National Cybersecurity Division (NCSD) has instituted adequate physical and logistical security measures over the computer systems it uses to monitor the security of civilian government systems and to disseminate security information, the division could take further steps to ensure its defenses are as robust as they should be, said the IG report, DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems.

"To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures," the IG report stated.

The IG office focused 10 specific recommendations on the systems used by the US Computer Emergency Readiness Team (US-CERT) to monitor the dot-gov Internet domain and to provide alerts to public and private users of the Internet.

US-CERT holds responsibility for compiling, analyzing, and distributing information on cybersecurity incidents. It also provides technical assistance to federal agencies that require help in defending against cyber attacks. US-CERT also facilitates information sharing between international, federal, state, and local authorities as well as the private sector.

But the very systems US-CERT relies upon at the NCSD to do its job are not as secure as they should be, the IG report warned.

To improve the security of NCSD systems, the IG Office provided its recommendations to the National Protection and Programs Directorate (NPPD), which houses the cybersecurity wing.

The recommendations advised NCSD to address vulnerabilities in the operating systems and applications deployed on its Mission Operating Environment (MOE) network. It should further implement a software management solution that will patch its operating systems and applications automatically to forestall future vulnerabilities.

The NCSD lacks a plan of action and identifiable milestones for addressing known security vulnerabilities, so it should produce them, the IG report suggested. Moreover, the division needs a training program to provide security awareness and specific guidance on roles to its systems personnel.

The IG report further indicated that NCSD should review and approve program and system documentation for its cybersecurity program and update self-assessments for its cybersecurity systems according to DHS requirements.

The division must further conduct and document firewall testing on a quarterly basis to ensure adequate protection of cybersecurity program information from unauthorized users. The cybersecurity unit could do more to implement baseline configurations prescribed by DHS for protecting its routers, servers, and workstations for its activities as well.

NCSD also must conduct inspections of its offices and housing equipment to verify their physical security as per DHS specifications, the report said. Finally, it should set policy and follow-on procedures for protecting its equipment from temperature or humidity fluctuations.

In a written response to the IG findings, NPPD Undersecretary Rand Beers agreed with all ten recommendations, noting that NCSD has taken proactive steps to fulfill quite a few of them even before the completion of the report.

For example, NCSD already had purchased a software management solution and deployed it on June 30. NCSD demonstrated the system to the IG Office to make certain it fulfilled the recommendation to deploy such a system for implementing patches.

In fulfillment of another recommendation, NCSD previously had stepped up its self-assessments as well to validate its security measures.

"As required, NCSD's annual assessments for all National Cybersecurity Protection System (NCPS) systems, which include the MOE, Einstein, the US-CERT, and the Homeland Security Information Network Portals, and US-CERT's public Web site, were approved and validated by the end of February 2010. NCSD however will update its system self-assessments to include missing system information and completed appendices," Beers
wrote.

http://www.hstoday.us/content/view/14648/128/

Monday, September 6, 2010

Month of Bugs

Adobe Systems, Microsoft, Mozilla, Apple, HP, Novell and other vendors are being tested by the Abyssec Security Team this month. The team will be publishing detailed binary analyses as well as zero-day flaws, including issues that have been disrupting older versions of Adobe Reader and cPanel. The team tests the programs by attempting to penetrate them and by analyzing their binary code. Abyssec strongly encourages computer users to install the latest security updates to limit the damage.
The main purpose of "Month of Bugs" is to draw attention to lax security practices. This motivates software makers to fix their programs quickly to keep pace with a constantly changing and dangerous virtual world. Month of Bugs campaigns have been growing in popularity, although the last one took place a year ago. Some people question whether Month of Bugs has any impact on software vendors. Charlie Miller, a principal analyst and security researcher, says, "If you can find so many problems with a product that you can release one a day for a month, there are some serious issues." Miller also stated, "The only thing I can see is it is a tool to highlight the skills of the Abyssec guys, which is fine, but I don't think there is a general security principle they are trying to make, or at least I don't get it."

I think Month of Bugs is a good way to point out inefficiencies. As a programmer, I would much rather have the Abyssec Team point something out to me than find out after my programs have been infiltrated and risk having the integrity or confidentiality of my program tampered with. However, I feel that a programmer should be continuously finding ways to make their programs stronger.

Sunday, September 5, 2010

Microsoft DLL Vulnerabilities

On August 23, 2010, Microsoft released a new security tool that can prevent the loading of unsafe DLLs on the Windows operating system. DLLs (dynamic-link libraries) are libraries that contain functions and/or data that can be shared by Windows applications. A well-known way to gain access to a Windows computer is an attack known as DLL hijacking: many programs can be made to load a malicious DLL, which could then be used to gain access to the machine and all of the data stored on it.

The problem is not new, however. Many years ago, when Microsoft designed the search path for DLLs, it included the current working directory in the list of directories that Windows searches for a DLL. Thus an application can be tricked into loading the wrong copy of a DLL, one placed in the current working directory, instead of the intended one.

Microsoft has recently released a security advisory explaining that there is an ongoing investigation into DLL preloading vulnerabilities on the Windows operating system. Microsoft admits that in some cases an update to an affected application is impossible, and that for most applications an update may take quite some time. With this in mind, Microsoft released a new security tool that "provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block unsafe DLL loading." Microsoft's Security Research and Defense team published a blog post on August 31, 2010 to help users enable the tool's recommended settings, which block most network-based attack vectors.

The blog can be found here:

http://blogs.technet.com/b/srd/archive/2010/08/23/an-update-on-the-dll-preloading-remote-attack-vector.aspx
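To make the search-order problem concrete, here is an added example (not code from the article or from Microsoft's tool) that models the documented DLL search order with SafeDllSearchMode enabled and the three documented values of the CWDIllegalInDllSearch registry value the tool introduces. Every directory, file and DLL name in it is constructed, and it is a simplified model, not the Windows loader.

```python
"""Simplified model of the Windows DLL search order (SafeDllSearchMode on)
and of the CWDIllegalInDllSearch setting shipped with Microsoft's August
2010 tool. This is an added model, not Windows' loader: Known DLLs,
already-loaded modules and side-by-side manifests are ignored, and all
directories and file names below are constructed for the example.
"""
from typing import Iterable, List, Optional

# Documented values of CWDIllegalInDllSearch (0 is the behaviour when absent).
CWD_ALLOWED = 0x0
CWD_BLOCK_WEBDAV = 0x1          # skip CWD only when it is a WebDAV folder
CWD_BLOCK_REMOTE = 0x2          # skip CWD when it is any remote folder (WebDAV or UNC)
CWD_BLOCK_ALWAYS = 0xFFFFFFFF   # remove CWD from the search order entirely

# Constructed stand-ins for the application and system directories.
APP_DIR = r"C:\Program Files\Viewer"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]   # subset of PATH


def cwd_is_searched(cwd_kind: str, policy: int) -> bool:
    """Decide whether the policy keeps CWD in the search order.

    cwd_kind is 'local', 'unc' or 'webdav' (how this model classifies CWD).
    """
    if policy == CWD_BLOCK_ALWAYS:
        return False
    if policy == CWD_BLOCK_REMOTE:
        return cwd_kind == "local"
    if policy == CWD_BLOCK_WEBDAV:
        return cwd_kind != "webdav"
    return True


def search_order(cwd: str, cwd_kind: str, policy: int) -> List[str]:
    """Directories probed, in order, for a DLL requested by bare name."""
    order = [APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]   # steps 1-4
    if cwd_is_searched(cwd_kind, policy):
        order.append(cwd)                                      # step 5: CWD
    order.extend(PATH_DIRS)                                    # step 6: PATH
    return order


def resolve(dll: str, files: Iterable[str], cwd: str, cwd_kind: str,
            policy: int) -> Optional[str]:
    """Return the first copy of `dll` found along the search order, or None.

    None models a failed LoadLibrary, which is the safe outcome when the
    only copy available sits in an untrusted directory.
    """
    present = {f.lower() for f in files}
    for directory in search_order(cwd, cwd_kind, policy):
        candidate = directory.rstrip("\\") + "\\" + dll
        if candidate.lower() in present:
            return candidate
    return None


# Constructed filesystem. The viewer probes for an optional helper DLL it does
# not ship, so the only copies that exist are untrusted ones placed next to a
# document on a share and in a download folder. kernel32.dll is where it belongs.
FILES = [
    r"C:\Program Files\Viewer\viewer.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"\\fileserver\docs\report.pdf",
    r"\\fileserver\docs\optional.dll",
    r"C:\Users\alice\Downloads\optional.dll",
]


def demo() -> None:
    share, local = r"\\fileserver\docs", r"C:\Users\alice\Downloads"
    # SafeDllSearchMode: the system directory is probed before CWD, so a
    # same-named file on the share never shadows a genuine system DLL.
    print(resolve("kernel32.dll", FILES, share, "unc", CWD_ALLOWED))
    # Default policy: the missing helper is taken from the share (hijack).
    print(resolve("optional.dll", FILES, share, "unc", CWD_ALLOWED))
    # Value 2: a remote CWD (WebDAV or UNC) is skipped, so the load fails safely.
    print(resolve("optional.dll", FILES, share, "unc", CWD_BLOCK_REMOTE))
    # Value 2 still searches a local CWD; only 0xFFFFFFFF removes CWD outright.
    print(resolve("optional.dll", FILES, local, "local", CWD_BLOCK_REMOTE))
    print(resolve("optional.dll", FILES, local, "local", CWD_BLOCK_ALWAYS))


if __name__ == "__main__":
    demo()
```

The last two calls in demo() show the caveat behind "most network-based attack vectors": value 2 leaves a local working directory, such as a download folder, in the search order.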


Sources:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1519514,00.html
http://www.webopedia.com/TERM/D/dll.html
http://threatpost.com/en_us/blogs/dll-hijacking-facts-and-fiction-082610
http://blogs.technet.com/b/msrc/archive/2010/08/31/update-on-security-advisory-2269673.aspx

Google, Skype targeted in India security crackdown

Recently, India has been widening its security measures by asking all companies that provide encrypted communications, such as Google, Skype, and BlackBerry, to install servers in India so that its government can more easily obtain users' data. While this may seem like a threat to privacy, India's push for increased security review comes as a result of the 2008 terrorist attack in Mumbai, in which the terrorists coordinated using cell phones, satellite phones, and Internet calls. With access to the data, India would be better able to monitor such communications. This sweeping Internet security reform also comes at a time when officials are focused on avoiding trouble at the Commonwealth Games, a major sporting event held in New Delhi in October.

The main issue with India's call for companies with encrypted communications to install a server in India is that these companies are concerned with the balance of privacy and security. While it seems that easier access to this data would mean a higher level of protection from encrypted threats such as organized terrorist attacks or malware, the security of personal information for the users must also be strongly considered. Companies with encrypted communications data would have to decide if security is a better choice than privacy. India has made its stance clear through Rajesh Chharia, president of the Internet Service Providers Association of India, saying "national security is supreme over privacy." While Indian officials claim that access to encrypted communications data is for the sole purpose of cracking down on security, I am skeptical that alternate motives are not in place.

In India's battle for direct server access to encrypted data, companies are facing heavy pressure to concede to India's request. BlackBerry, for example, is considering installing a server in India in response to the threat of a two-month ban on BlackBerry service. For those companies that have not installed servers in India, there are a few ways to handle this information security and privacy dilemma: give in to India's request for a server and risk data privacy, deny the request and possibly suffer a ban, or try to work out a limited arrangement in which server access does not mean unrestricted access to all encrypted communications data. In my personal opinion, working out a compromise halfway seems to make the most sense and would allow for the greatest balance of security and privacy.

http://www.google.com/hostednews/ap/article/ALeqM5it_73CxzMozqkSOODLh2r7aCIlLwD9HVV8CO1

Saturday, September 4, 2010

Cyberwar

A hot topic in information security is cyberwar, meaning conflict conducted through attacks in cyberspace. Cyberspace includes not only the Internet but essentially any kind of electronic transaction in which information is exchanged. In their book Cyber War: The Next Threat to National Security and What to Do About It, Richard Clarke and Robert Knake suggest that cyberwar has the potential to shift the world military balance and therefore to fundamentally change political and economic relations. However, unlike traditional war fought with militaries and weapons, cyberwar is much more unpredictable, and it is difficult to determine who is attacking.

Experts are considering different policies to effectively deter cyber attacks; one option the Pentagon has considered is an offensive strategy, meaning preemptive strikes on presumed threats. This strategy faces two challenges: technological competency and legal authority. Today’s technological capabilities will of course broaden within months, but experts have pointed out the difficulty of knowing the precise configuration of an adversary’s computer from a remote location. There is added difficulty in targeting one exact computer without affecting others connected to it and thereby arousing suspicion. Another important roadblock for the offensive strategy is international law. Does the U.S. have the legal authority to interfere with another country’s networks if it is not at war with that country? There is much debate about the limits of national sovereignty and the “covertness” of operations like preemptive strikes. Perhaps the offensive approach is not the best, but it will be interesting to see how deterrence policy develops from here.

I also found Kim S. Nash's response to the Cyber War book noteworthy. Nash says that it is not only the federal government that should be concerned with cyber attacks, but also the corporations. Oftentimes, businesses simply rely on security software and programs that counter lower level threats. However, industries such as financial services, utilities, and telecommunications, which are the foundations of the United States’ infrastructure, should make additional investments in protecting against more devastating cyber attacks. Nash also argues that many executives have a lax mindset when it comes to matters of security. Until an attack is made and sensitive information is lost, they are not as concerned about such things. This is a critical mistake, and it would be worthwhile to protect the information the company values most, just to be safe. The task then becomes weighing the risks and determining how much protection is necessary and realistic.

Sources:

http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849_2.html
http://www.newsweek.com/blogs/we-read-it/2010/04/26/cyber-war-the-next-threat-to-national-security-and-what-to-do-about-it.html
http://www.computerworld.com/s/article/9182783/Richard_Clarke_Preparing_For_A_Future_Cyberwar?taxonomyId=17&pageNumber=1

Thursday, September 2, 2010

Security Breaches of Past and Present Years Have Many Concerned

In 2010 alone, the Identity Theft Resource Center (ITRC) has counted over 400 security breaches that have resulted in over 13 million records being compromised. The breach of these records over the years, which contain vast amounts of personal information such as social security numbers, addresses, names and numbers, has prompted the ITRC to push for stricter enforcement of current security policies so that such incidents occur less frequently. These incidents include "data on the move" breaches, accidental exposure, insider theft, and hacking.

A complete list of breaches can be found here:
http://www.idtheftcenter.org/ITRC Breach Stats Report 2010.pdf

A "data on the move" breach,
usually applies to potable devices, such as usbs, laptops or smartphones, that have access to or have the ability to obtain confidential information. The difficulty in securing this type of breach is that the data or devices are not necessarily secure at all times as they are not within a secure area but are instead in the hands of an individual who is traveling. Leaving a laptop for only a few minutes can result in a potential breach of confidential information for a company which can then lead to serious legal and financial problems. There have even been cases where data has been copied from these portable devices. In order to guard against this, business often use encryption and password systems to protect the information. This is not a fool-proof system however, as loss or unintentional revelation of passwords can render encryption useless.

Accidental exposure and insider theft both involve confidential information being exposed to those who are not authorized to use it. While accidental exposure is just that, insider theft involves someone inside an organization actively giving out confidential information. Accidental exposure is typically prevented by educating employees about security policies. Insider theft is more difficult to prevent because the thief is a trusted employee. In many cases businesses limit who is allowed to do what with certain kinds of information, as well as limiting particular users' abilities and permissions within a system. However, this is not always successful, as the 2009 security breach involving Bank of America and Countrywide Financial shows.

http://www.databreaches.net/?p=3447

Hacking is the unauthorized use of computers and network resources. A "hacker" will often take advantage of weaknesses in a system's security, such as poor configurations, weak passwords, unpatched systems or disabled security controls. Wade Baker, Director of Research and Intelligence at Verizon Business, states, "The majority of breaches occur on the Windows platform, but it is certainly not exclusive. Based on our experience, most breaches do not exploit patchable vulnerabilities but rather poor configuration. When we do see vulnerability exploits, they aren't 'zero days' and, in fact, the patch has usually been available for over a year. The above is especially true for the larger breaches." Hacking is often prevented by making sure systems, passwords and configurations meet security standards.

The inherent problem of breaches still remains, the most current examples being the Facebook breaches and the Wikileaks scandal. When individuals are no longer in charge of their own personal information, they are putting a tremendous amount of trust in the hands of a person they have probably never met. These people could have malicious intentions or honorable ones. Nevertheless, this situation has the potential to lead to confidential information being released into the hands of those who will misuse it or expose it to others. It should also be noted that the exact number of confidential records exposed in these security breaches is never completely reported, so the true numbers could be lower or higher than estimated. The distressing issue behind these security breaches is that a great majority of them are due either to the lax security policies of the businesses involved or to an individual who exposed the information to another party. This type of breach is concerning as more and more information is being stored as digital media and put into the hands of a third party. This inability to personally attest to the security of one's information has many experts concerned and has put many people on edge.

While it cannot be said for certain whether the number of breaches is increasing, as a large majority are never discovered or never revealed, it can be said that the release or loss of millions of records containing confidential information is concerning. Currently there is no way to state completely how much information is being illegally accessed or sold to others with malicious intent. We cannot even say how much information was being accessed before any of the announced breaches were discovered. Because the information is digital and not physical, acquisition can be as simple as copying the data, logging onto a machine or sending an email.

Sources:
http://www.examiner.com/information-security-in-boston/almost-13-million-records-breached-2010-so-far?cid=oneriot
http://www.networkworld.com/community/node/63960
http://www.databreaches.net/?p=3447
http://www.idtheftcenter.org/ITRC Breach Stats Report 2010.pdf
http://www.idtheftcenter.org/

Wednesday, September 1, 2010

Data security breaches often triggered by carelessness

Often the biggest threat to your practice and patient data is not an outside hacker or a snooping employee -- it's somebody's forgetfulness.

As technology becomes smaller and more portable, it becomes easier to lose. Surveys from a data protection solutions company in 2009 found that in a six-month period, 12,500 mobile devices were left in taxis, and 4,500 USB memory sticks were left in pockets of pants sent to dry cleaners.

Most people -- including those in the security business -- are not protecting the data on their mobile devices. So if the device is lost, the data could be accessed.

"I'm always surprised at the cowboy attitude," said Harry Rhodes, director of practice leadership for the American Health Information Management Assn. "You've got these people who think, 'What are the odds of that happening to me?' And then when it's happening to you, it's too late to do anything."

Just having your phone drop out of your pocket could launch a time-consuming and expensive nightmare of reconstructing data and adhering to fixes mandated under the Health Insurance Portability and Accountability Act.
Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 18, 2009, rose from $25,000 to $1.5 million.

So how do you protect yourself from the accidental loss of a device containing sensitive data? Experts recommend two strategies. One is to handle or store your mobile technology so that you can't lose it easily. The other is to make sure the device has security and encryption features that make it next to impossible for anyone who happens to find it to access the data.

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said he has seen a recent increase of health information breaches because of the use of mobile devices. Privacy Rights, a San Diego-based consumer advocacy group focused on educating the public on how technology impacts privacy, is developing a database of all known data breaches in the United States to analyze how each breach occurred, Stephens said.

Credant Technologies, a Dallas-based data protection solutions company, noted in a 2008 survey that although more than a third of health care professionals store patient data on laptops, smartphones and USB memory sticks, most do not adequately secure the data.

Sean Glynn, vice president of product marketing at Credant, said the company surveyed smartphone users at a commuter train stop in 2009. When asked if the data on their phones were encrypted, few said yes. When the same survey was conducted among data security professionals at a trade show, the results were nearly identical.

Credant also performed the studies about mobile devices left in taxis and at dry cleaners. Those covered all devices, not just those owned by health care professionals.

People "might well protect their traditional desktop or laptop PC, but they are always buying these [portable] devices and bringing them in as their own personal devices," Glynn said.

Encrypting the data can eliminate the HIPAA obligation to notify patients of a lost device, under a provision that allows an exception if the data cannot be accessed. But in most cases, encryption is not being done.

The Healthcare Information and Management Systems Society, in a survey released in November 2009, found that despite the strengthening of HIPAA regulations, health care organizations have made relatively few changes to their security policies and procedures. For example, only 39% reported using mobile device encryption.

Rhodes likened people's attitudes toward data security to their attitudes toward home security systems -- no one thinks it's necessary until something happens.

The Veterans Health Administration, for instance, now requires encryption of all mobile devices and has banned the use of thumb drives after the theft of one from an employee's home in 2006. Rhodes has seen other organizations block USB ports on desktop computers with a plug-in device or a super glue product, preventing data from being exported onto a thumb or flash drive.

He said there also are software packages that can be downloaded onto PDAs or smartphones that allow the users, in the event the device is lost or stolen, to call a phone number that automatically will erase everything from the device. There also are downloadable GPS systems that can help locate a lost device.

Smartphone and thumb-drive users also should use password protection on the devices, experts said. Use of a password to enter the system is just an additional line of defense that should be coupled with encryption -- the most effective means of protection available, they said.

Rhodes said mobile devices often are lost when people are traveling, so simply being more vigilant and aware in places like an airport can help prevent many cases of data loss. For instance, sometimes people set down a laptop bag while flagging a taxi. A thief can run by, grab the bag, then throw it into a waiting car that speeds off. "Always keep the bags on your shoulder," he said.

Laptops also can disappear from security belts at airports, he said, not necessarily from theft but because many computer cases look alike. Experts suggest attaching a business card to the outside of the case.

Another line of defense is to limit the amount of data on a mobile device.

For example, Stephens of Privacy Rights Clearinghouse said he has seen cases of employees who carry an entire company database around with them. One momentary lapse of good judgment, he said, could become an expensive teaching moment.

http://www.ama-assn.org/amednews/2010/02/22/bil20222.htm

Smudge Attacks

A recent paper from the University of Pennsylvania examined the issue of "smudge attacks" - a decidedly low tech security weakness with touchscreen cellphones - particularly Android phones.

Android phones feature a pattern lock screen, where instead of a PIN or password, a user traces a preset pattern to unlock their phone. However, the researchers were able to bypass the lock screen by simply taking photos of the phone (with the screen off) under a light, and then adjusting the photo in an image editing program to show finger smudges which revealed the pattern to unlock the lock screen.

The researchers found that even when a phone was wiped using clothing after entering the lock pattern, almost all of the smudge pattern remained.

This has implications for non-Android phone users as well. Consider the iPhone: if smudges build up in areas of frequent contact, there are likely to be smudges over the digits used when entering an iPhone's PIN. And given that the iPhone PIN length is known (it's always four digits), it wouldn't take very long to guess the correct combination once you know which digits are involved.

Gaining access to phones, particularly corporate and government phones, is a security weakness. An unauthorized user could look up the owner's contacts - which could reveal information about a company's clients, for example. An unlocked phone could also be used in social engineering attacks. An attacker could use the phone to send a text message to a colleague of the owner claiming to have forgotten a passcode or something.

Solutions to the issue could be as simple as tracing an incorrect pattern each time after unlocking the phone, creating other smudge patterns that confuse or obscure the real unlock pattern. Frequently changing the unlock pattern could also reduce the issue. Finally, choosing more secure lock patterns can also reduce the likelihood of a successful smudge attack. For example, an open-ended pattern, such as an L shape, has only two possible orderings: from the upper left corner down to the lower right corner, or vice versa. But a pattern with intersecting lines and closed shapes (such as squares) can make it much more difficult to tell the start and end points of the pattern, as well as its direction.

Over the summer, a friend and I took a lot of trips in his car. He owns a Motorola Droid, which we also used as a GPS. Frequently, I had to unlock the phone's screen for him, and I was able to successfully guess his password using smudge marks simply by holding the phone up so the sun reflected off the screen and revealed the smudge marks of the unlock pattern. So a smudge attack doesn't even require the photography equipment used by the researchers in the paper above.

In The Future, Not Even A Name Change Will Protect Your Past

In an article written about 2 weeks ago Google CEO Eric Schmidt was quoted saying, "I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time." The article is citing an interview the Wall Street Journal had with Schmidt, which eventually led to Schmidt declaring that "every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends' social media sites."

Is this truly the future of search on the internet? The article, written by Jason Kincaid for TechCrunch, says even changing our names would be pointless, citing the possibility that an entire industry would emerge just to help companies or our prospective employers of the future find out our original names. But then anyone could access that service.

Possibly rendering this extra industry inert is the fact that Google can now recognize an individual from only fourteen photos. And this is present day. My question is, how will our practices regarding the personal (or embarrassing...) information we put on the Internet come back to haunt us? This information isn't private, and it won't be possible to make it private in the future.

We won't even be able to hide from our past by changing our names, according to this article, given the permanence of social media information. So what happens when you slip up and there's a picture of you in your car with the license plates visible? When there's a picture of you at the gas station holding your debit card? Or when a friend posts "Happy birthday!" on your wall even though you don't make that information available to the public (it's just a good friend who happens to know your birthday)? It's a little scary to think that piece by piece we are constructing shrines for ourselves... memorials of who we were that offer too much information, possibly, about who we are to people we don't want knowing about us.

Essentially, given the permanence of social media, we should be careful we aren't giving up personal information in those embarrassing pictures or letting those dated "happy birthday" posts remain up on our walls...

USB Drive responsible for '08 Military Network Breach

Since 2008, the United States military has banned the use of USB drives. This caused great speculation as to why, but at the time the military prohibited these devices, the Pentagon said the decision was related to concerns about a malware program called Agent.btz. However, on August 25, 2010, U.S. Deputy Defense Secretary William Lynn confirmed that a data breach of the U.S. defense network in 2008 was in fact the real reason the military prohibits the use of USB drives.

Lynn explained that in 2008 a USB drive carrying malicious code was inserted by a foreign intelligence agency into a laptop computer at a United States military base in the Middle East. The malware was uploaded and began spreading to classified and unclassified material. According to Lynn, as the program continued to spread silently through the network, it set up a “digital beachhead”, meaning that data obtained by the program could be transferred to foreign intelligence agencies’ servers. While Lynn refused to answer questions about any stolen data, he described the network infiltration as the “most significant breach of U.S. military computers ever”.

Besides responding to the event by banning the use of USB drives, the Pentagon also took action by creating an operation designed to prevent such incidents from occurring in U.S. military networks again: “Operation Buckshot Yankee”. The operation attempts to "purge" infected systems of malware in order to improve security.

Due to the Military’s large amount of extremely confidential information, I believe the necessary measures were taken in order to create a more secure network. If the problem stemmed from the use of a USB drive, then bolstering the network security must begin there. Consequently, the military happened to take those measures by banning USB devices. Lynn explained that the big issue wasn’t the security breach, but the chance that information was at risk of being leaked. Besides prohibiting USB drives, I believe it was necessary to launch a campaign similar to “Operation Buckshot Yankee” that continually checks for security threats within a computer network to protect important documents.

http://www.computerworld.com/s/article/9181939/Infected_USB_drive_blamed_for_08_military_cyber_breach?taxonomyId=82

Rubrics

As I mentioned in class yesterday, I will be using rubrics to grade both your written assignments and your case study presentations. In order to help you understand how I will arrive at your grades, I wanted to share these with you in advance:

Security Breach of Apple's iPad

All eyes were on Apple last April during the much anticipated release of their new tablet computer, the iPad. This device, which has capabilities for email, movies, music, internet, photos, online books, maps, and much more, enjoyed great initial success, with 300,000 sold in just the first day. Unfortunately, excitement for the iPad dimmed just a few months later when it was discovered on June 9, 2010 that a glitch in an AT&T website could have led to the disclosure of personal information belonging to about 114,000 iPad owners.


This glitch was found by a group called Goatse Security, who discovered that through a certain script on the AT&T website, they could enter the number that identifies someone’s iPad on the AT&T network and in turn receive the person’s email address. The members of this group could be classified as grey hat hackers because although they purposely tried to get information that they were not authorized to have, they seemed to be doing it for the right reasons. They notified AT&T so that the problem could be fixed and released their finding to the public, so that users would be aware that their information was compromised. Unfortunately, while Goatse Security felt that they were doing a service to the public, AT&T didn’t see it quite the same way, calling them “unauthorized computer ‘hackers’ that maliciously exploited” the website.


Part of the reason why this weakness in the AT&T website is such a big deal is because of the people it involved. Since the cost of the standard iPad is $499, it is not a product that the majority of middle class people own. It is not surprising that many of the iPad owners whose information was compromised are famous and well known. Some of the most recognizable names on the list are Chief of Staff Rahm Emanuel and ABC News’ Diane Sawyer. This glitch is also important because it involves two big-name companies: AT&T and Apple. While the fault seems to lie with AT&T, since the problem was with their website, Apple also bears responsibility because it needs to protect the information it collects from users of its product.


AT&T has since fixed the script, but the full extent of the breach is unknown. It is impossible to tell how many users' data was exposed or whether it was accessed by anyone other than Goatse Security. If possible, I think the best way to handle this, other than fixing the website, is to assign new identification numbers to the affected users. AT&T has stated that users "can continue to use [their] AT&T 3G service on [their] iPad with confidence."


I think the main cause of this incident was an oversight by AT&T and maybe a sense of complacency about security on Apple’s part. I think that AT&T needs to better monitor their websites for potential security threats, but Apple also needs to follow through and make sure that anyone to whom they give customer information is properly protecting it. It will be interesting to see how the relationship between these two companies is affected by this security breach. Ideally they will join together to prevent such a breach of security from happening again and gain back the trust of their customers.



http://www.usatoday.com/money/industries/technology/2010-04-04-apple-ipad-sales_N.htm

http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed

http://bits.blogs.nytimes.com/2010/06/13/att-explains-ipad-security-breach/

Protecting your Daily In-Home Activity Information from a Wireless Snooping Attack

A side-channel attack known as FATS (Fingerprint And Timing-based Snooping) lets a snooper infer, with high accuracy, the private activities taking place in a home, residential environment, or assisted-living community. All the snooper needs are the timestamps of a wireless sensor's transmissions and the radio fingerprint that identifies which sensor sent each one. Neither depends on the packet contents, so encrypting the sensor traffic does not hide them: the attack works on the physical fact that a radio transmitted, and when. The multi-tier nature of the attack lets the snooper progress from whether anyone is home, to how many people live there, and ultimately to how long someone spent cooking or showering. Luckily, there are ways to protect against this invasion of privacy.

In Tier 0 of the attack the snooper has access only to timestamps, so only coarse facts such as occupancy and sleep can be detected. In Tier I the adversary also has the fingerprints, which let it tell sensors apart and group them by room, so activity can be attributed to specific rooms and the number of occupants estimated. Tier II labels the rooms (bathroom, kitchen, bedroom) from the timing patterns of each group, and in Tier III the adversary can detect how many times each resident visits the bathroom or the kitchen, and even distinguish activities such as cooking different kinds of food, showering, or grooming. By testing the attack on houses of various layouts and numbers of occupants, the researchers can be confident in the accuracy of their results. Accuracy for multi-occupant homes declines, but it stays well above random guessing. Systems have been left open to attacks of this sort because their designers assumed that encryption was all that was needed to protect the privacy of the home. Luckily, there are ways to protect them from a FATS attack.

The paper offers several guidelines for enhancing privacy in wireless sensor systems of this kind. First, signal attenuation: lowering transmit power or shielding rooms so that transmissions from sensitive areas do not reach a receiver outside the home. Second, random delay: holding each transmission for a random interval before sending it, which masks short events such as bathroom visits. Third, periodic transmission: in rooms where stays are longer, sensors report on a fixed schedule regardless of activity, so the timing carries no information. Fourth, fingerprint masking, for areas where the other guidelines are impractical or unacceptable because of the types of sensors involved. Finally, spurious (fake) transmissions mixed in with real ones, for sensors that can afford the extra energy cost. In practice the best protection is a combination of these guidelines.
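
The Tier 0 inference and three of the countermeasures above (random delay, periodic transmission, spurious transmissions), as an added example that is not the paper's code or part of the original post. The one-day motion-sensor timeline, the 30-minute "away" threshold and the 10-minute schedules are constructed assumptions chosen to make the effect visible.

```python
"""Added example (not the paper's code): a Tier 0 FATS snooper that sees only
transmission timestamps, and how three countermeasures change what it can infer.
All sensor data below is constructed for illustration."""
import random
from typing import List, Tuple

DAY = 24 * 3600
AWAY_GAP = 30 * 60  # constructed threshold: a silence this long is read as "nobody home"


def constructed_motion_events() -> List[float]:
    """One constructed day of motion-sensor transmissions (seconds after midnight):
    active 06:00-09:00, out of the house 09:00-17:30, active 17:30-23:00, asleep after."""
    events: List[float] = []
    t = 6 * 3600.0
    while t < 9 * 3600:            # morning: a transmission every 2 minutes
        events.append(t); t += 120
    t = 17.5 * 3600
    while t < 23 * 3600:           # evening: same pattern
        events.append(t); t += 120
    t = 23 * 3600.0
    while t < DAY:                 # asleep: a rollover every 20 minutes
        events.append(t); t += 20 * 60
    return events


def infer_away_intervals(timestamps: List[float], gap: float = AWAY_GAP) -> List[Tuple[float, float]]:
    """Tier 0: no fingerprints, no payload, just timestamps. Every silence longer
    than `gap` is reported as an interval during which the home was empty."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > gap]


def random_delay(timestamps: List[float], max_delay: float, seed: int = 1) -> List[float]:
    """Countermeasure: each sensor holds its report for a random time before sending."""
    rng = random.Random(seed)
    return sorted(t + rng.uniform(0, max_delay) for t in timestamps)


def periodic_transmission(period: float) -> List[float]:
    """Countermeasure: the sensor reports on a fixed schedule, batching whatever it
    buffered; the radio looks identical whether or not anyone moved."""
    return [float(t) for t in range(0, DAY, int(period))]


def spurious_transmissions(timestamps: List[float], period: float, seed: int = 2) -> List[float]:
    """Countermeasure: decoy packets at jittered intervals fill every silence, so the
    largest gap the snooper can ever observe is under 1.5 * period."""
    rng = random.Random(seed)
    decoys = [slot + rng.uniform(0, period / 2) for slot in range(0, DAY, int(period))]
    return sorted(timestamps + decoys)


if __name__ == "__main__":
    raw = constructed_motion_events()
    print("raw:     ", infer_away_intervals(raw))                        # the 09:00-17:30 absence
    print("delayed: ", infer_away_intervals(random_delay(raw, 300)))     # still visible
    print("periodic:", infer_away_intervals(periodic_transmission(600)), len(periodic_transmission(600)))
    print("decoys:  ", infer_away_intervals(spurious_transmissions(raw, 600)), len(spurious_transmissions(raw, 600)))
```

Running it shows the trade-off the text describes: a random delay of up to five minutes blurs individual events (enough to smear a three-minute bathroom visit) but cannot hide an eight-hour silence, which is why the paper pairs it with periodic transmission for rooms with long stays. The periodic and decoy streams remove the gap entirely, at the cost of 144 extra transmissions per day from a battery-powered node.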

There is no way to say what a person should do if they are the victim of such an attack. While the loss of privacy would be uncomfortable, and even costly for a company, there is no way to truly recover information that has already been observed in such a situation. I believe that the way to proceed after a FATS attack would be to employ the guidelines for protection above and hope that such an attack does not happen in the future.


http://delivery.acm.org/10.1145/1410000/1409663/p202-srinivasan.pdf?key1=1409663&key2=1507033821&coll=GUIDE&dl=GUIDE&CFID=100069271&CFTOKEN=58748340