A surprising amount and range of confidential information was compromised at Pamlico Community College as the result of the hacking of its system. Reportedly, a single hacker was able to crack the password of a patron and infiltrate the database of library patrons, who may or may not have had their social security and driver's license numbers stored on the library's systems. 51,000 library patrons from 25 community colleges will be notified of the attack and the possibility that their information was compromised. In the notification letters, individuals will be notified as to whether or not their SSN or license numbers were stored on the system, and therefore possibly compromised.
As stated, the hacker decoded a patron's account to hack the system. After doing this, it sounds as though he was easily able to infiltrate the system further, accessing the information of other patrons. This is likely evidence of a weak encryption system at the library.
In reflecting on how this situation could have been prevented, one question stands out in my mind - why did a library have such confidential information on its patrons? The library has now stated that it has removed such information from its systems, proving that it was not serving any particular purpose there in the first place. In examining one's systems, an organization should be sure that it is not holding unnecessary information on its clients; this is an easy step in ensuring that it can not be compromised. In addition to this, the library should strengthen general information security as it appears the hacker had no trouble delving into their system.
Source:
http://www.enctoday.com/news/college-50645-nbsj-security-library.html
Saturday, December 19, 2009
Security Review: Motorola Droid.
Droid does. That is the slogan marking the release of the Motorola Droid, which utilizes the Verizon 3G network and Google's Android 2.0 software. With a rich web experience, sharp photos, Google search with voice and so on, the question a person might actually have is what doesn't the Droid do? One sad but realistic answer - security.
The Droid is a smart phone created for basically one purpose, to compete with Apple's iPhone. To describe it is to describe the latter device. It is a phone, but users will primarily utilize its 3G network to access the internet, download applications, use GPS, and so on.
As a user, I would want the device to be physically safe: this means password protection when the phone is not in use, to keep others from viewing personal information, such as contacts, calendars, notes, etc. Basically keeping my information confidential. Apart from this, I want a safe 3G experience, where I can access the internet, my e-mail, and so on, without fearing that my phone could be hacked or infected with a virus.
To analyze what an attacker might want to exploit in the Droid, one can simply reverse the security goals I mentioned above. Attackers would likely seek to view my personal information, infect my system, start phishing or similar schemes within my e-mail, or similar malicious acts.
As a new device which accessing the internet, it is obviously vulnerable to the multitude of threats inherent in using the internet. The fact that business people will likely want to use the phone for business e-mail and other purposes is one reason it needs to be secure. However, Droid has not taken these concerns to heart. Basic password provisions are limited, lacking strength requirements and lock-out after a specific number of failed entry attempts, seemingly obvious implementations. In addition to this, it lacks management capabilities. Droid also lacks on-device encryption and fails to meet standards for Exchange, preventing connection to company e-mail for most businesses.
As the use of smart phones and 3G networks increases, the entry of hackers and others with malicious intent is increasing, so one must be careful to ensure that their device is ready for the attack. After researching, I would say the Motorola Droid has a ways to go, especially for business users, who I would advise to stick with Blackberries. It is clear that newer versions of the Droid should have bigger priorities than difficulty with the manual keyboard or weight issues.
Source:
http://www.pcworld.com/businesscenter/article/182822-1/can_droid_phones_take_care_of_business.html
http://www.pcworld.com/reviews/product/324707/review/droid.html
The Droid is a smart phone created for basically one purpose, to compete with Apple's iPhone. To describe it is to describe the latter device. It is a phone, but users will primarily utilize its 3G network to access the internet, download applications, use GPS, and so on.
As a user, I would want the device to be physically safe: this means password protection when the phone is not in use, to keep others from viewing personal information, such as contacts, calendars, notes, etc. Basically keeping my information confidential. Apart from this, I want a safe 3G experience, where I can access the internet, my e-mail, and so on, without fearing that my phone could be hacked or infected with a virus.
To analyze what an attacker might want to exploit in the Droid, one can simply reverse the security goals I mentioned above. Attackers would likely seek to view my personal information, infect my system, start phishing or similar schemes within my e-mail, or similar malicious acts.
As a new device which accessing the internet, it is obviously vulnerable to the multitude of threats inherent in using the internet. The fact that business people will likely want to use the phone for business e-mail and other purposes is one reason it needs to be secure. However, Droid has not taken these concerns to heart. Basic password provisions are limited, lacking strength requirements and lock-out after a specific number of failed entry attempts, seemingly obvious implementations. In addition to this, it lacks management capabilities. Droid also lacks on-device encryption and fails to meet standards for Exchange, preventing connection to company e-mail for most businesses.
As the use of smart phones and 3G networks increases, the entry of hackers and others with malicious intent is increasing, so one must be careful to ensure that their device is ready for the attack. After researching, I would say the Motorola Droid has a ways to go, especially for business users, who I would advise to stick with Blackberries. It is clear that newer versions of the Droid should have bigger priorities than difficulty with the manual keyboard or weight issues.
Source:
http://www.pcworld.com/businesscenter/article/182822-1/can_droid_phones_take_care_of_business.html
http://www.pcworld.com/reviews/product/324707/review/droid.html
SSL Socked.
Secure websites may not be as secure as one would hope. In fact, they could be at great risk. A security hole was discovered somewhat recently in SSL, or Secure Sockets Layer, which is used to protect Web traffic for online banking, shopping, and any other https connection. The hole allows hackers the opportunity to introduce malicious commands into the aforementioned sites. Though these hackers cannot directly get at the encrypted data of these sites through this hole, they can surely cause a great deal of damage with malicious scripts and commands.
Specifically, a gap in the authentication process of "secure" sites provides a window for hackers to introduce malicious commands, in what is called a "man-in-the-middle" attack.
SSL users are pretty limited in what can be done in response to this discovery. Basically, a patch must be implemented to address the hole. Software vendors of secure sites will need to update their software to support revisions involved in the patch, and users must be sure to update their personal systems as patches become available. As these patches are still being developed, this problem is on-going.
Source:
http://www.pcworld.com/article/181514/ssl_hole_cracks_open_secured_web_traffic.html
http://www.phonefactor.com/sslgap/
Specifically, a gap in the authentication process of "secure" sites provides a window for hackers to introduce malicious commands, in what is called a "man-in-the-middle" attack.
SSL users are pretty limited in what can be done in response to this discovery. Basically, a patch must be implemented to address the hole. Software vendors of secure sites will need to update their software to support revisions involved in the patch, and users must be sure to update their personal systems as patches become available. As these patches are still being developed, this problem is on-going.
Source:
http://www.pcworld.com/article/181514/ssl_hole_cracks_open_secured_web_traffic.html
http://www.phonefactor.com/sslgap/
Twitter Troubled by Hackers
Earlier this morning, hackers calling themselves the "Iranian Cyber Army" were successfully able to redirect Twitter's normal Web traffic to another site. Visitors expecting the Twitter homepage instead found the following:
"a black screen with an image of a green flag and Arabic writing. The defaced site also included a message that said, 'This site has been hacked by Iranian Cyber Army,' and an e-mail address."
The hackers were able to do this by changing Domain Name System (DNS) records, redirecting traffic intended for Twitter to this dummy site. Twitter has restored the proper DNS records but is still working to identify the cause of this problem. One account of the story from Twitter claims that Twitter's systems may have never been compromised at all; instead, it lays blame on Dyn, the DNS service provider managing the site.
In this sort of attack, hackers are somehow able to infiltrate firewalls and other defenses to switch IP addresses and domains. DNS occurs at the network layer of the OSI model, so attacks can come from wireless security weaknesses as well. It is the trustworthy nature of the DNS protocol that allows such attacks to occur, listening to commands whether or not they are authentic.
While information security specialists have attempted to patch the problem with DNS, the fact that it is inherent in DNS protocol makes it difficult. One way to ensure one is heading to the right site, or for a business to make sure things are as they should be, is to use software to monitor the domain. This software can notify if a change has been made in relation to the IP address of the server. Also, one can make sure they are connected to an authentic, protected DNS server, such as OpenDNS.
Sources:
http://www.pcworld.com/businesscenter/article/185058/hackers_take_twitter_offline.html
http://www.embracingchaos.com/2008/07/how-to-protect.html
http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky
"a black screen with an image of a green flag and Arabic writing. The defaced site also included a message that said, 'This site has been hacked by Iranian Cyber Army,' and an e-mail address."
The hackers were able to do this by changing Domain Name System (DNS) records, redirecting traffic intended for Twitter to this dummy site. Twitter has restored the proper DNS records but is still working to identify the cause of this problem. One account of the story from Twitter claims that Twitter's systems may have never been compromised at all; instead, it lays blame on Dyn, the DNS service provider managing the site.
In this sort of attack, hackers are somehow able to infiltrate firewalls and other defenses to switch IP addresses and domains. DNS occurs at the network layer of the OSI model, so attacks can come from wireless security weaknesses as well. It is the trustworthy nature of the DNS protocol that allows such attacks to occur, listening to commands whether or not they are authentic.
While information security specialists have attempted to patch the problem with DNS, the fact that it is inherent in DNS protocol makes it difficult. One way to ensure one is heading to the right site, or for a business to make sure things are as they should be, is to use software to monitor the domain. This software can notify if a change has been made in relation to the IP address of the server. Also, one can make sure they are connected to an authentic, protected DNS server, such as OpenDNS.
Sources:
http://www.pcworld.com/businesscenter/article/185058/hackers_take_twitter_offline.html
http://www.embracingchaos.com/2008/07/how-to-protect.html
http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky
Friday, December 18, 2009
Voicemail Hackability
Voicemail Hackability
If you haven’t noticed, cell phone voicemails have changed dramatically over the years. It went from calling your direct mailbox and entering your entire phone number and a password, to entering a simple five digit code, to calling directly from your phone without any authorization besides for the cell phone number checks, to even storing messages directly to your phone. Still, many mobile phones' have voicemail systems that are based on the caller ID of the incoming caller. This is how it works: If the owner of a cell phone decided to check his voicemail directly from his cellular phone, the caller id would recognize his number and give him direct access to his voicemails, no questions asked. There was only one problem with this, if anyone could spoof your caller ID, they could access your voicemail. After a few high profile voicemail attacks through this vulnerability, mobile operators have began urging customers to change their voicemail preferences to require a pass code. Still, there were some operations out there that went under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.
I always wonder about the security of voicemails. I remember times when I would be able to call my friends’ or family’s cell phones, push the pound key, and then enter the generic 9999 pass code and gain access to all of their voicemails (they knew of course). Thinking back to my discovery, I wondered if others discovered this same “hack and took it further. I was not surprised to see find a hack used to enter voicemail boxes but I was surprised to see AT&T and T-Mobile being fined over it. My only logical explanation for this is the fact that AT&T and T-Mobile did not take the necessary precautions to maintain the integrity and confidentiality of their customers.
Hacking a Coke Machine
Hacking a Coke Machine
Hasn’t the increased soda prices from vending machines annoyed you? Don’t you wish you could change the price back from 1.85 to .75 cents? What’s stopping you? With everyone depending on the use of technology to increase cost efficiency, hacks are bound to result. As you may have noticed, coke machines have officially gone LED. A message slowly scrolls by enticing you to enjoy an ice cold coke. Although it is a nice gesture, the real reason these screens have been created is to give the soda companies the ability to easily change prices and count revenue totals. Rather than implement authorization checks, any person can access a coke machines hard drive and lower the prices as much as 0 dollars! After punching in a few numbers in a specific order, a manager screen arises where people can see the total revenue the machine as brought in to how much money is actually in it at the current moment. With technology growing with the future, what is to come of these “little” hacks?
United States Drone Hacked by Iraqi’s with a 26 Dollar Program
United States Drone Hacked by Iraqi’s with a 26 Dollar Program
The technology I will be discussing in this post is the General Atomics MQ-1 Predator,an unmanned aerial vehicle (UAV) used by the United States military. This five million dollar vehicle is not only a fully functional unmanned plane but it can fire two hellfire missiles, travels over 2,000 miles in one trip, and, most importantly, projects a live video feed of the ground it flies 25,000 feet above. This is a huge asset to our government and has played a pivotal in our recent battles against Iran and Afghanistan.
Another technology that is relevant to this topic is an offline satellite internet downloader called “SkyGrabber”. SkyGrabber was written by a Russian programmer in Ukraine. SkyGrabber is a simple enough concept: grab the signals that spill from a satellite broadcast (or even narrowcast), aimed from a satellite towards a specific location, and turn them into TV feeds you can look at. Or as the website puts it: "You don't have to keep an online internet connection. Just customize your satellite dish to a selected satellite provider and start grabbing."
Having an asset such has the drone, there are many goals our country should expect and ensure. Confidentiality in the drone so that no one else can access its information or controls, accessibility so we, the United States, can access the drones collected data, and Integrity of the data the drone may collect to ensure proper analysis of foreign countries and possible threats. Maybe no one could’ve imagined the United States defense being infiltrated but we failed to recognize the threats of hackers.
It was recently reported that militants in Iraq used this $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations. It is obvious that the goal of the militants is to disclose the information to their people, alter the feeds seen by their enemy, or even denial of service to the United States at all. Although the droid is a huge benefit to our country, it could be a huge hit if it were to be used against us.
US drones send their video up to a US military satellite (the "uplink") that cannot be intercepted. The signal is then beamed by that satellite or a linked down to the controllers – who might be in Afghanistan or Iraq. Although it sounds difficult, the signal was completely UNENCRYPTED! Basically anyone with a satellite dish and the right frequency and location could pick up the signal. Although only the video link was intercepted, experts say that taking control of the plane from an outside signal is not much more difficult than intercepting the video feed. It is vital that the United States encrypt all their data, no matter what the cost.
Subscribe to:
Comments (Atom)
Posts
