Sunday, October 31, 2010
Security Review: PayPal
PayPal’s executive team should be concerned with all three goals of security. Confidentiality is important because the PayPal system is full of sensitive data, especially financial information. Each user’s account should be protected in a way that keeps the information private from unauthorized eyes. This can be done by using a secure website that properly protects the millions of accounts from hackers. Integrity can be protected by giving only the user the ability to change the appropriate inputs (contact, login, and card/bank information, payment amounts, payment acceptance, etc.). In terms of availability, PayPal must ensure that users can access their accounts whenever they need to make a purchase or deal with a money transfer. The account should be available only to the people the user authorizes. For people looking to create an account, the site itself should be available at all times.
A hacker trying to exploit the PayPal system will attempt to defeat the three security goals above. By obtaining the decryption key or finding a way around the site and account protection, a hacker can disclose all the account and financial information stored in the PayPal database. Once the attacker obtains credit card numbers, he can use those accounts for his own benefit. The hacker can also change the user inputs; perhaps the most appealing one is the ability to control how much money goes to a particular user account (the attacker’s, for example). The ability to alter the login details and email address can deny the owner access to his account. This would leave the hacker in control of the account owner’s PayPal account, which is linked to his bank account.
I believe the most notable weakness is not with the PayPal system, but rather that users are not properly protecting their accounts. Hackers have their methods of guessing passwords, and if users choose a simple, easy-to-guess password, their accounts can easily be accessed by anyone who tries. Another method of attack is sending out phony emails trying to obtain account information from the users themselves. We have seen this method before (Monster job accounts, bank information, etc.), so unfortunately it could be effective, especially if users are not careful.
PayPal prides itself on its secure system: it implements anti-fraud technology and protects payments by using an encrypted site. However, PayPal did experience an outage within the last week. The site was down for an hour and a half, and problems persisted for a few hours afterward. PayPal has not provided a reason for the outage yet, but intends to share what went wrong at a later time. It will be interesting to see what exactly happened. Perhaps the system is not as invincible as it claims to be.
As mentioned earlier, the PayPal database contains much sensitive information. There are 87 million active PayPal accounts, and we can assume that most of those accounts are linked to credit or debit card accounts. Based on the asset’s high value alone, I think there will likely be many attempted attacks on the system. The vulnerabilities lie with the user, not necessarily with the entire database. Therefore, I think there is a high risk of a few accounts being compromised, but I do not foresee a successful attack that compromises the entire PayPal system, given the emphasis on security and protecting user information.
I would recommend a risk mitigation strategy to the PayPal executive team. It seems like management values information security, so as long as it continues to keep up with the most up-to-date protection measures, the system will be protected from hackers. I also suggest that there should be guidelines on creating strong passwords to prevent attackers from guessing user passwords. Along these same lines, there should be constant reminders, as banks give, that there is no reason to provide login information through an email. This reduces the chance that users inadvertently disclose their information to unwanted parties.
Friday, October 29, 2010
One Reason Indiana is Better Than Hawaii
The Social Security numbers, grades, disabilities, names, phone numbers and other personal information of more than 40,000 University of Hawaii students who attended from 1990-1998 and in 2001 were posted online for nearly a year before being removed this week.
A whole year? Yes. And the guilty party happens to be a member of the faculty.
The now-retired faculty member inadvertently uploaded files containing the information to an unprotected server on November 30, 2009. He was using the data to study the success rates of Manoa students. Well, if any of them were victims of identity theft and lost money, I think he might need to go back through his data and control for a certain extraneous variable, himself, before publishing any results. In his defense, he said he thought the server was secure.
Again, just like we saw in the CareGroup case study, someone with just enough information and knowledge to do damage caused a disaster. But unlike Halamka, the University of Hawaii doesn't seem to be willing to adopt new standards and make the investments necessary to prevent these kinds of disasters from happening again: "The incident is the third major information breach in the UH system since last year. Each time, university officials promised it was strengthening its network systems and working to identify other potential security risks," according to the Associated Press.
Aaron Titus, the information privacy director of Liberty Coalition, a Washington-based policy institute, was the one who notified UH of the exposed files on October 18th. On the University's response to the disaster, Titus argues that the university's claim that it has no evidence of malicious misuse of the personal information is misleading: "Of course they don't have any evidence of misuse, because the bad guys wouldn't tell them if they had."
I'm curious to see what we hear from the victims of this "accidental disclosure." I wonder what the damage will be as these former UH students come forward.
Thursday, October 28, 2010
Security Review: USB Flash Drives
Almost everyone knows what a USB flash drive is, and it would be extremely unusual for a college student not to have used one at some point or another. USB flash drives, which are so named because they write to flash memory and can be plugged into your computer’s USB port, offer a quick and easy way to store data. Because of their small size they are sometimes called “thumb drives,” and this small size makes them portable and convenient. Flash drives give users the ability to carry data with them wherever they go, and access their data wherever they have access to a computer. Flash drives have a variety of different storage sizes and come with many different features, making them valuable tools for business professionals, students, and any other type of computer user.
The USB drive itself is an asset, as well as all of the information that is stored on it. My USB drive is a valuable asset to me because it gives me the ability to easily store and transport my data. The information stored on my flash drive is valuable to me because it includes files that I need for classes and other important data that I want to save. Because the flash drive and the information stored on it are so valuable, it is extremely important that a USB flash drive is properly secured. As the owner of a USB flash drive, I want to be sure that the data that I store on my flash drive is confidential so that no one besides me will be able to see the files that I have saved on the flash drive. I also want the data on my flash drive to have integrity. Since I frequently use my flash drive to store homework and papers, I want to be sure that my work does not get unintentionally altered in any way. I also want to make sure that the files on my flash drive are available. It is important that the data I save on my flash drive is still there when I go to load my flash drive again.
For an attacker attempting to exploit a USB flash drive, the main goal would probably be to gain access to the information that is stored on it (disclosure). A hacker may also compromise the integrity of data stored on a flash drive by changing it. He or she could prevent the data from being available to its owner by deleting it or stealing the flash drive (or both!). Unfortunately there will always be these threats because there will always be people looking to steal information in any way that they can, and insecure flash drives give hackers a perfect opportunity to do this.
Insecure flash drives have a number of vulnerabilities. If a flash drive is not password protected, anyone that has the flash drive can load it onto their computer and view the files that it contains. If there is no data encryption, a hacker can read everything on a flash drive, effectively accomplishing the goal of disclosure. Once a hacker gets access to the files on an insecure flash drive it is usually pretty easy to change or delete them as well. Flash drives are also vulnerable because of their small size. It is easy to forget about a flash drive and accidentally leave it plugged into a public computer, where anyone could come across it. It is also easy for a flash drive to fall out of a pocket or purse. Flash drives are especially vulnerable in a business setting because of the type of information they contain. A survey conducted by Sandisk revealed that 25% of business people with a personal flash drive used it to store personal records, 17% had stored company financial information, and 13% stored employee data. 12% of people surveyed reported that they had found a personal flash drive in a public place, and 55% stated that they would look at the stored data if they found one.
It is easy to see how this could become a recipe for disaster. If a business person had an insecure personal flash drive that contained this kind of sensitive information in his or her pocket and it fell out at some point during the course of the day, it could easily be picked up by anyone who happened to come across it. An insecure flash drive can therefore put a company’s financial information, personal employee information, and the personal information of all of its customers at risk. These types of risks will always be present as long as such sensitive information is stored on personal flash drives. This kind of risk came into play recently when two Medicaid insurance companies in Pennsylvania discovered that a flash drive containing medical and personal records for 280,000 patients had gone missing from a corporate office. There is also the risk of a hacker putting harmful software onto a flash drive that could damage the unsuspecting user’s computer when the infected flash drive is plugged in. This kind of risk was demonstrated in 2008 when a flash drive that contained malware was put into a laptop at a US military base in the Middle East. The malware spread to other computers and was able to retrieve data from these computers and send it to the hacker. This is described as one of the worst military breaches in history.
Although risks will still be present, a flash drive user can significantly mitigate them by buying a flash drive with a variety of security features. Flash drives on the market today boast a myriad of these features, including password protection, data encryption, fingerprint identification, keypads to enter a PIN on the outside of the drive, and antivirus software. Some even feature switches that make the flash drive read-only (preserving integrity), and some have separate portions for protected data and unprotected data. Of course, an expert hacker could probably find a way to get past many of these features. Companies can mitigate the risk of important business information being leaked by establishing clear guidelines about when personal flash drives are allowed to be used by employees and what kind of information they are allowed to take. Some companies have even completely prohibited the use of personal flash drives or glued the USB ports on computers shut so that employees can’t use them. A user could avoid the risks that come with using a flash drive by using other methods to store and transport data, such as email attachments or an external hard drive, but these methods come with risks as well. One could also just accept the risk, especially if there is no sensitive information stored on the flash drive.
I think that the best plan of action for flash drive users right now is to 1) limit the amount and type of sensitive information that is placed on a flash drive, 2) make sure that the flash drive is stored in a secure place, and 3) invest in a flash drive that incorporates security features such as the ones mentioned above. Some examples of secure flash drives are the IronKey, Corsair Survivor, Kingston DataTraveler Secure-Privacy Edition, and the SanDisk Cruzer Professional. These are just a few examples; there are many flash drives available today that offer a variety of different security options. Hopefully these flash drives will enable users to feel confident that the data stored on their personal flash drives is properly secured.
References:
http://it.med.miami.edu/x1129.xml
http://www.everythingusb.com/flash-drives.html
Wednesday, October 27, 2010
Current Event – Cisco CSO John Stewart on fending off Cyber attacks
SCADA systems control different types of infrastructure, including water, gas, and oil valves as well as street and stop lights and the power grids of cities. The main problem with Stuxnet is that it has been placed on computer systems through USB drives, and Stewart says that Cisco does not restrict its workers from using USB drives.
He compared protecting a network to protecting a house, saying that minor viruses are like a house getting egged, while a Stuxnet virus is like a sniper shooting someone through the house. With the egging, the damage is fast and easy to repair, but the sniper is much harder to recover from because someone usually gets hurt. He says attacks occur nearly every second of every day on most companies, and the hard part is figuring out whether it is a minor virus or a big problem like Stuxnet, which even major companies have trouble protecting against.
Protecting a computer is a difficult task, and it is very annoying because it seems to take so much time, money and effort to protect a computer or a computer network. On top of that, it is even more discouraging because even with all of the time and money put into it, a network can still get a virus that completely ruins it.
Most individual computer users probably don’t have to worry too much, because the people who are smart enough to get a virus onto a major company’s network won’t waste their time on individuals. However, we do have to worry about a company, maybe a bank that we use, getting viruses from people smart enough to ruin big networks. For instance, our bank’s network could be down at a time we really need money. Even worse, if these worms can attack infrastructure, then we have to worry about people who want to do harm to many people, because if they wanted they could cause some serious damage to the infrastructure that runs through most of our everyday lives.
http://www.businessweek.com/the_thread/techbeat/archives/2010/10/cisco_cso_john_stewart_on_fending_off_cyber_attacks.html
Should Obama Have an Internet 'Kill Switch'?
In the latest Unisys (NYSE: UIS) Security Index released Wednesday, 61 percent of Americans surveyed said they would support giving the government the authority to use an Internet "kill switch" that would cut off access to the Internet in response to a cyber attack.
While certain IP addresses have been cut off in the course of criminal investigations, development of an actual kill switch to shut down significant portions of the Internet would be a significant undertaking, according to Patricia Titus, vice president and chief information security officer at Unisys.
"I've talked to Homeland Security officials about it and given where the relationship between the legislature and ISPs stands today, a lot of hurdles would have to be crossed before you could turn off significant segments of the Internet," Titus told InternetNews.com.
"The other component is that a whole lot of people need to sit at the table to determine what constitutes cyberwar versus cyber espionage," she added.
The Unisys Security Index is conducted twice a year and surveys consumers in the U.S. and ten other countries on security issues. Over a thousand U.S. consumers responded to the survey.
A specific breakout of U.S. responses shows most consumers have adopted security and other measures to guard against identity theft, but fall short in some key areas.
For example, 80 percent of those surveyed said they regularly limit access to personal information posted to social media sites and also make use of privacy settings. Almost three-quarters (73 percent) said they regularly update antivirus software to keep their systems protected.
But the results indicate most are taking less than thorough security measures when it comes to mobile devices. For example, only 37 percent said they regularly use and update passwords on their mobile devices. Also, only 46 percent said they regularly update "hard-to-guess" passwords on their computers.
Earlier surveys by security firms have highlighted the need for better password protection, noting the frequent use of password terms like "password" and the user's last name that are easy to figure out.
A wake up call to enterprises?
"As millions of consumer devices, such as mobile phones continue to penetrate the workplace, the survey’s finding on consumers’ inattention to securing mobile devices should serve as a wake-up call for consumers and enterprises to actively pursue measures to protect the information exchanged with and residing on these devices," Mark Cohn, vice president of enterprise security at Unisys, said in a statement. "Enterprises, as well as the manufacturers of mobile devices, should take steps to ensure that sensitive data protection is enabled by default and is as simple and convenient as possible."
U.S. consumers' concerns related to some areas of cybersecurity actually show a decline. For example, 34 percent said they were "not concerned" about computer security issues related to viruses and spam, the highest percentage since the first Index was released in 2007.
Titus said that while software security vendors generally do a good job, it's a mistake for consumers to think that just because they have a security package or service running that they're immune from attack.
"The green light and indicators that say everything is working can provide a false sense of security," she said, admitting it's hard to guard against what's proved to be an evolving series of security threats.
"If you ask me what keeps me awake at night, one of the things is advances in quantum computing that have the ability to break all our encryption," said Titus.
The percentage of consumers concerned with online shopping and banking online also dropped significantly. Only 34 percent said they were "seriously concerned" about the security of banking and shopping online -- that's down from 43 percent in February.
David Needle is the West Coast bureau chief at InternetNews.com, the news service of Internet.com, the network for technology professionals.
Security Review of Samsung's Windows Phone 7
Windows Phone 7 is Microsoft’s new mobile operating system. While it looks eerily similar to Apple’s iPhone, Samsung is producing the new smart phone. The display on the Windows Phone 7 is very appealing with its colorful “tile-based interface” (Chen). There are four different software stores where you can purchase third-party applications, games, and music. There is also a separate store selling applications specifically made by Samsung (Chen). The tile interface also blends contact lists with a user’s Facebook account. Therefore, when a user calls another individual, that person’s personal information such as address, email, picture and phone number appears on the interface (Chen). The e-mail service has a similar setup. The user enters their login information, and the inbox tile appears on the home screen. Next, all the user has to do is tap the inbox tile and all of their messages are available. Also, the user doesn’t have to re-enter their password (Chen). While the Windows Phone 7 is very appealing and technologically advanced, I feel some of these features can put the user’s personal information at risk.
I believe that the security goals for the phone should be to protect all of the personal information stored on the device. Email and contact information on the phone is readily accessible; therefore, protecting each application with a password should be a top priority. Password protection will also protect the integrity of the information, preventing unauthorized users from making changes to accounts that shouldn’t be adjusted. In terms of availability of the information, the user should be able to access all stored data. A password will allow the user access to the account without being too strict or not protective enough.
If I were an attacker, I think stealing the phone would be the easiest way to get at the user’s personal information. Because the inbox tile is accessible with the touch of a finger, all the attacker has to do is tap it. The attacker now has access to personal messages, bank statements, credit card numbers, and other confidential information that might be stored in email messages. Some applications available on the phone come from third parties. An attacker can infiltrate the device by creating a malicious program. When the user downloads it, the malicious program might be able to gain access to their information and even deny the user entrance to their personal accounts. I think the easy accessibility of personal information, such as email and contact lists, makes the phone extremely vulnerable to attackers.
It is crucial that the creators of this phone take the necessary steps to manage the security risks of Windows Phone 7. The company needs to find a way to mitigate the risks without making the information on the phone difficult to access for the authorized user. I think the best way to protect the information while maintaining the availability of data is to require login IDs and passwords every time the phone is turned on and whenever the user attempts to check email. I would also avoid the risk of having personal contact information stolen by eliminating the call feature that displays such details. I find this feature unnecessary, as it only increases the chances that personal contact information can be compromised.
While the Windows Phone 7 is extremely unique and provides new and exciting applications for users, I believe these phones are security risks. They contain the user’s confidential information in email and contact lists. The risk that this information is compromised cannot be avoided. Therefore, I believe it is necessary to use IDs and passwords to protect all portals to such data.
Chen, Brian. "Samsung's Windows Phone 7 Packs Intuitive, Visual Punch." Wired Magazine, 20 October 2010: n. pag. Web. 27 Oct 2010.
Tuesday, October 26, 2010
Security Review of Notre Dame Building Entrance Systems
Sunday, October 24, 2010
Facebook tackles latest privacy slip with encryption
John Daly - Current Event
Friday, October 22, 2010
Hackers Hit Kaspersky Website
Wednesday, October 20, 2010
Information security products and services market to surpass $125 billion by 2015
The demand for information security products and services will be fuelled by increasing frequency and intensity of cyber attacks against enterprises, government institutions, and consumers, as well as by the need of companies to comply with industry and government mandates.
The United States and Europe are expected to account for the lion’s share of the revenues in the global market, according to Information Security Products and Services: A Global Strategic Business Report, which profiles 482 companies.
Despite the recession, companies have continued to spend on information security, which has insulated the market from the downturn. The need to adhere to compliance requirements, growing risk of hackers and data breaches, and increased threat from laid off employees are compelling companies to continue investing in security solutions.
The market for security and vulnerability management products is expected to see the fastest growth among all information security software segments. Email security and security information and event management (SIEM) segments offer the maximum growth opportunity for the market, while enterprise anti-virus and web access management (WAM) segments will grow at a relatively slower rate.
While North America and Western Europe are leading markets, Eastern Europe, Middle East and Africa, Asia-Pacific and Latin America are expected to witness the fastest growth.
Growth in the information security services segment, the largest segment of the market, will be driven by demand for application and wireless security solutions, which include implementation, assessment, and architecture design. The rise in third-party service providers for various managed security services, application testing, and strategy planning is expected to be another key market driver.
Wednesday, October 13, 2010
Two million US PCs recruited to botnets
Compiled by Microsoft, the research revealed that Brazil had the second highest level of infections at 550,000.
Infections were highest in South Korea where 14.6 out of every 1000 machines were found to be enrolled in botnets.
The 240-page Microsoft report took an in-depth look at botnets which, said Cliff Evans, head of security and identity at Microsoft UK, now sat at the centre of many cybercrime operations.
The research was undertaken, he said, to alert people to the growing danger from the malicious networks.
Malicious herder
"Most people have this idea of a virus and how it used to announce itself," he said. "Few people know about botnets."
Hi-tech criminals use botnets to send out spam, phishing e-mails and launch attacks on websites. Owners of botnets also scour infected machines for information that can be sold on the underground auction sites and markets found online.
Botnets start when a virus infects a computer, either through spam or an infected web page. The virus puts the Windows machine under the control of a botnet herder.
"Once they have control of the machine they have the potential to put any kind of malicious code on there," said Mr Evans. "It becomes a distributed computing resource they then sell on to others."
Some, he said, were being worked very hard by their owners.
Microsoft's research revealed that a botnet called Lethic sent out 56% of all botnet spam sent between March and June even though it was only on 8.3% of all known botnet IP addresses.
"It's phenomenal the amount of grip that thing has," said Mr Evans.
Evidence of how botnets were growing, he said, could be found in the number of infected machines Microsoft was freeing from the clutches of botnets.
In the three months between April and June 2010, Microsoft cleaned up more than 6.5 million infections, he said, twice as many as in the same period in 2009.
The statistics in the report were gathered from the 600 million machines that are enrolled in Microsoft's various update services or use its Essentials and Defender security packages.
Despite the large number of people being caught out, Mr Evans said that defending against malware was straightforward.
He said people should sign up for automatic updates, make sure the applications they use are regularly patched, use anti-virus software and run a firewall.
Microsoft has just issued its largest ever list of fixes for flaws in Windows, Internet Explorer and a range of other software.
This month's update issued patches for 49 vulnerabilities, including one that plugs a hole exploited by Stuxnet, the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.
"With the significant number of holes identified on the same day, businesses will be racing against time to fix them all," said Alan Bentley, senior vice president at security firm Lumension.
"Not only is this Microsoft's largest patch load on record, but 23 of the vulnerabilities are rated at the most severe level," he added.
http://www.bbc.co.uk/news/technology-11531657
Tuesday, October 12, 2010
Business of Security slides
Monday, October 11, 2010
Security Review: Beware of Facebook's Koobface
In recent news Facebook has been taking on a lot of criticism for its lack of security, and considering its massive presence on the Internet, this is a very pressing issue. Facebook has recently responded to some of these complaints with some security changes, hoping to solve many of its security weak points. Although some progress is being recognized, there is still a huge security threat present. Facebook, similar to most social networks, has its biggest security flaws not in its technology but rather how people perceive the technology.
I am sure that Facebook needs no real introduction due to its presence as the world's largest social networking website. Facebook has grown from a simple single-college social website, where pictures were posted with corresponding captions and posts, to a worldwide social networking website with thousands of applications available. Attached to every Facebook account are pictures, a profile, videos, messages, and possibly many other applications that any user can subscribe to and use. Users update their information on Facebook every day; all of this information is available (by default) to your “friends,” although individuals can adjust their preferences to limit what information is available to different people.
From a security standpoint, it would be my goal to have my information available only to the people that I specify. It is also important to be the only one in control of the information that is associated with my profile, so that other people do not have unauthorized access to it. Additionally, my information should always be available to be changed or deleted by me and only me.
There are security threats present that many users do not consider while logging onto Facebook on a daily basis. Many Facebook users put a lot of personal information onto their accounts without really considering who has access to it. By default, all of your Facebook “friends” have access to any information that you put onto your account, which often includes where you are from, your birthday, contact information, and pictures of you. Often people do not take the necessary precautions and have hundreds or thousands of “friends” ranging from family to mere acquaintances or even people that you do not know. Not only does Facebook provide the medium for too much information being available to too many people, but it has also become another effective way for hackers to attack their victims. The two main goals that attackers have when using Facebook are the theft of data directly through the site and using Facebook to get onto users' computers through applications and phishing. An example of this was the Koobface virus, which sent messages and wall posts to the victim's friends prompting them to click a link that led to malware disguised as an Adobe download. Viruses such as this are uniquely effective since users usually trust their virtual friends. Some Facebook applications such as ‘Secret Crush’ work the same way. There is also a vulnerability to phishing, which is similar to how these scams manipulate email accounts, as we have previously studied.
Although the technology is not necessarily completely at fault (rather it is the user's misunderstanding and lack of a security mindset), Facebook easily provides the circumstances for attacks to take place. The risks and potential threats that this security flaw poses are nearly immeasurable, with too many people unaware of the risk and blatantly exposing themselves. Successful attacks via Facebook not only have the potential to compromise information such as your email and personal profile, but these attacks can also lead to malware attacks that can compromise your credit card numbers, social security numbers, and any other data that your personal computer may have stored.
My recommendation is simple: do not put any information on Facebook that you would not want to share with the public, and be constantly aware of potential attacks. It is better to be suspicious when dealing with messages and posts that contain any sort of link or that look out of the ordinary. It is important to not get too comfortable in virtual networks and to always be aware of the security threats that are present.
http://www.computerworld.com/s/article/9189981/Facebook_takes_on_privacy_with_new_tools?taxonomyId=17
http://www.h-desk.com/articles/5_Facebook_Security_Threats_a53_f0.html
Sunday, October 10, 2010
Stuxnet 'a game changer for malware defence'
ENISA (European Network and Information Security Agency) warns that a malware attack similar to Stuxnet, capable of sabotaging industrial control systems, may occur in the future.
The worm, whose primary method of entry into systems is infected USBs, essentially ignores vulnerable Windows boxes but aggressively attacks industrial control (SCADA) systems from Siemens, establishing a rootkit as well as a backdoor connection to two (now disconnected) command and control servers in Malaysia and Denmark.
PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies, for example. There's no evidence either way as to whether this has actually happened, but what is clear is that the malware has caused a great deal of concern and inconvenience. India, Indonesia and Iran have recorded the most incidents of the worm, according to analysis of infected IP addresses by security firms.
Incidents of infection were first recorded in Malaysia, but the appearance of the malware in Iran has been the focus of comment and attention. Plant officials at the controversial Bushehr nuclear plant in Iran have admitted that the malware has infected laptops. However government ministers, while blaming the attack on nuclear spies, had downplayed the impact of the attack and denied it has anything to do with a recently announced two-month delay in bringing the reactor online.
Dr Udo Helmbrecht, executive director of ENISA, commented: "Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication (eg by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates) and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool."
"The fact that perpetrators activated such an attack tool, can be considered as the 'first strike' against major industrial resources. This has tremendous effect on how to protect national (CIIP) in the future," he added.
Ilias Chantzos, director of government relations at Symantec, told a meeting at the Symantec Vision conference in Barcelona this week that millions had been spent developing the malware.
"Stuxnet would have involved a team of between 5-10 people, six months research and access to SCADA systems. The motive behind the malware was to spy and re-program industrial control systems."
Chantzos declined to enter into speculation about who created the malware or its intended target beyond saying "only a well-funded criminal organisation or nation state would have the resources to develop the malware".
Steve Purser of ENISA told journalists that Stuxnet has taught security experts nothing they didn't already know. "What is significant is its target and impact. We have to prepare for a future Stuxnet."
Critical protection methodologies and best practices will have to be reassessed in the wake of Stuxnet, according to ENISA.
Large scale attacks on critical infrastructure require a coordinated international response. No Member State, hardware/software vendor, CERT or law enforcement agency can successfully mitigate sophisticated attacks like Stuxnet on their own. ENISA plans to support these efforts by helping to devise revised best practices for securing SCADA systems.
In addition, ENISA, in co-operation with all EU Member States and three EFTA countries, plans to mount the first pan-European cyber-security exercise in early November. Cyber Europe 2010 will set out to test member states' plans, policies and procedures for responding to potential critical information infrastructure crises or incidents, such as those posed by Stuxnet. The scheme is similar to, but smaller than, the Cyber Storm program in the US.
ENISA, which was established in 2004, was granted a five-year extension to its responsibilities last month. The agency's analysis of Stuxnet and links to other resources can be found here.
http://www.theregister.co.uk/2010/10/09/stuxnet_enisa_response/
Friday, October 8, 2010
10 of the Top Data Breaches of the Decade
1. Heartland Payment Systems (2009): more than 130 million people had their credit and debit card numbers stolen and transactions processed against them. It is considered the largest breach in credit card history.
2. TJX (2005): as discussed in class, 45 million customers had their customer records hacked and sensitive information stolen from them.
3. US Dept. of Veteran Affairs (2009): a different case than the one we discussed in class. Here a defective hard drive was sent off for repairs and recycling without being erased. 76 million veterans were affected in the security breach.
4. Card Systems (2005): 40 million card users had their card information stolen and used by hackers; 100,000 were Visa users and 68,000 MasterCard users.
5. US Dept. of Veteran Affairs (2006): this is the case we discussed in class where a laptop was stolen. In return for losing the data, the VA monitored credit for all veterans affected for a year, costing $160.5M.
6. Bank of New York Mellon (2008): data tapes, en route, were lost/stolen from the Bank. 12.5 million people were affected. Most of the tapes included social security numbers as well as bank account numbers.
7. Certegy (2007): an employee stole customer records amounting to 8.5 million people. The employee is in jail now and paying off a multi-million dollar fine.
8. TD Ameritrade (2007): a database was hacked, compromising the data of 6.3 million customers.
9. CheckFree (2008): hackers hijacked the site's domain names. This allowed them to redirect customers to their own webpage, which installed malware on the customers' computers. 5 million people were affected.
10. Hannaford Bros. Chain (2009): 4.2 million people were affected when hackers broke into the computer system and stole credit and debit card numbers.
What I find a little disturbing is that the oldest year listed is only 2005, 5 years ago. This shows that hackers are finding ways in that cause more harm to more people. It shows how much potential this threat has and that security measures are just not holding up anymore. Companies are going to need to begin taking security measures seriously and focus more on the potential future litigation losses and how their customer base may be affected than on the bottom-line costs of implementation.
http://abcnews.go.com/print?id=10905634
Thursday, October 7, 2010
Online Voting System Hacked
While the majority of the feedback the board received was from Mac users with usability concerns, by the end of the week a group of University of Michigan students had hacked the server, modifying the site to play the school's fight song. This prompted the board to take down the online voting capabilities. The replacement: downloadable ballots that are to be printed out and mailed back to the board. At least they've managed to cut down their postage costs.
This hack sheds light on the issue of computer security as more areas move toward electronic voting. In addition, this public vulnerability test could come back to haunt the Washington DC board later. If they decide to bring online voting back (as they claim they will for 2011) and the voting system is based on the code they released, attackers could determine other vulnerabilities from the code that were not identified in this trial. Furthermore, posting downloadable ballots may not be a fully appropriate solution without additional safeguards put in place server-side, as an attacker who compromised the server could modify the files that are downloaded, for example by removing or adding candidates to the ballot.
Source: http://www.washingtontimes.com/news/2010/oct/5/students-hack-dc-online-voting-system/
PCI DSS
Verizon recently came out with their 2010 Payment Card Industry Compliance Report, in which they evaluated how well various organizations met the PCI standard. One of their main findings was that organizations that had suffered a security breach were 50% more likely to not be in compliance. This makes perfect sense, since an organization that doesn't comply with these standards is missing major components of a complete security system.
The 12 requirements of the PCI DSS are:
1) Install and maintain a firewall configuration to protect data
2) Do not use vendor-supplied defaults for system passwords and other security parameters
3) Protect stored data
4) Encrypt transmission of cardholder data and sensitive information across public networks
5) Use and regularly update anti-virus software
6) Develop and maintain secure systems and applications
7) Restrict access to data by business need-to-know
8) Assign a unique ID to each person with computer access
9) Restrict physical access to cardholder data
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
12) Maintain a policy that addresses information security
In the organizations assessed by Verizon's report, requirements 3, 10, and 11 were the least implemented. Only 43% of organizations properly protected stored data, only 39% tracked and monitored access to network resources and cardholder data, and only 38% regularly tested security systems and processes. This information is a little unsettling to me as a credit card user. Also alarming is the fact that only 22% of organizations met all of the requirements and 11% did not even meet half of them. This means that when you pay with your credit card, there is almost an 80% chance that your personal information will not be secure. Hopefully the data presented in this report will convince organizations of the importance of PCI standard compliance, and they will make an effort to improve their payment card security so that we will be able to use our credit cards without fear of our personal information being compromised.
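To make the two worst-implemented requirements concrete, here is an added example (my own illustration, not code from Verizon's report or from the PCI Security Standards Council) of small controls that map to requirement 3 (protect stored data) and requirement 10 (track and monitor access to cardholder data). It masks a primary account number (PAN) down to the first six and last four digits, the most PCI DSS allows to be displayed, scans a stored text blob for full PANs left in the clear using the Luhn check, and keeps a hash-chained audit log of each access so that tampering with an earlier entry is detectable. The function names and the card numbers are assumptions of my own: the PANs are the well-known test values from card-brand documentation, not real accounts.

```python
"""Added example: two controls for PCI DSS requirements 3 and 10 (not from the report).

mask_pan()           -> requirement 3: never store or display a full PAN.
find_unmasked_pans() -> requirement 3 / 11: detect full PANs sitting in the clear.
AuditLog             -> requirement 10: hash-chained, tamper-evident access records.
All card numbers used here are constructed brand test numbers, not real accounts.
"""
import hashlib
import json
import re
from datetime import datetime, timezone


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, so it filters digit runs cheaply."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return first6 + '*' + last4, the maximum PCI DSS permits to be shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Scan a log export or database dump; return masked forms of any full PANs found."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))      # report it, but never echo the full PAN
    return hits


class AuditLog:
    """Append-only access log where each entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user: str, action: str, pan_masked: str) -> dict:
        # Requirement 3 again: refuse to write a full PAN into the audit trail itself.
        if find_unmasked_pans(pan_masked):
            raise ValueError("refusing to log an unmasked PAN")
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "pan": pan_masked,
            "prev": self._prev,
        }
        entry["hash"] = self._digest(entry)
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True iff no entry was altered, removed or reordered since it was written."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


# Constructed sample of a "stored data" blob that a requirement-11 test might sweep.
SAMPLE_DUMP = (
    "order 17 paid with 4111111111111111; refund to 5555 5555 5555 4444; "
    "ref 1234567890123 is an order id, not a card"
)

if __name__ == "__main__":
    print("unmasked PANs found:", find_unmasked_pans(SAMPLE_DUMP))
    log = AuditLog()
    log.record("alice", "view", mask_pan("4111111111111111"))
    print("audit chain intact:", log.verify())
```

The scanner is the check I would run first at an organization in the 57% that failed requirement 3: point it at log archives and database exports, because that is where full PANs usually leak. The hash chain does not stop a privileged user from rewriting the log file, but it makes any edit visible the next time `verify()` runs, which is the "monitor" half of requirement 10.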