Monday, September 1, 2008

Cyber Crime Updates

HACKED : US Homeland Security Phones Hacked

FEMA phones hacked; calls made to Mideast, Asia


Aug. 20, 2008


WASHINGTON (AP) — A hacker broke into a Homeland Security Department telephone system over the weekend and racked up about $12,000 in calls to the Middle East and Asia.

The hacker made more than 400 calls on a Federal Emergency Management Agency voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski.

FEMA is part of Homeland Security, which in 2003 put out a warning about this very vulnerability.

The voicemail system is new and recently was installed. It is a Private Branch Exchange, or PBX, a traditional corporate phone network that is used in thousands of companies and government offices. Many companies are moving to a higher tech version, known as Voice Over Internet Telephony.

This type of hacking is very low-tech and "old school," said John Jackson, a St. Louis-based security consultant. It was popular 10 to 15 years ago. Telecommunications security administrators now know to configure security settings, such as having individual users create unique passwords and not continue to use the password assigned to users in the initial setup.

"In this case it's sort of embarrassing that it happened to FEMA themselves — FEMA being a child of DHS, with calls going to the Middle East," Johnson said.

Afghanistan, Saudi Arabia, India and Yemen are among the countries calls were made to, Olshanski said. Most of the calls were about three minutes long, but some were as long as 10 minutes.

Sprint caught the fraud over the weekend and halted all outgoing long-distance calls from FEMA's National Emergency Training Center in Emmitsburg.

FEMA's chief information officer is investigating who hacked into the system and where exactly the calls were placed to. At this point it appears a "hole" was left open by the contractor when the voicemail system was being upgraded, Olshanski said. Olshanski did not know who the contractor was or what hole specifically was left open, but he assured the hole has since been closed.

In 2003, Homeland Security and the FBI investigated multiple reports about private industry being breached by these types of hackers.

"This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised U.S. phone systems in a way that is difficult to trace," according to a department information bulletin from June 3, 2003.


DISHONOR : UK Govt Lost 29 million Personal Data in One Year

Sensitive data for more than four million people was lost by Government departments in the past year, on top of the high profile loss of child benefit records.

By Christopher Hope, Home Affairs Editor

20 Aug 2008


Following the loss of details for 25 million child benefit claimants in November, Whitehall departments have begun including information on personal information losses in their annual financial statements.

Analysis shows that beyond the child benefit fiasco, Government departments were last year losing data at the rate of more than 300,000 people's details a month in the year to April it emerged last night.

Among the losses were the National Insurance numbers of 17,000 people and the theft of a laptop with encrypted details of 17,000 Sats markers, the BBC reported.

Several of the data losses described in the annual reports have been previously unreported.

The disclosures show that in five separate cases, the Foreign Office lost information affecting about 190 people.

There were also six occasions when the Department for Transport misplaced personal data, including three million records of driving-test candidates in May 2007.

The Ministry of Defence lost an unencrypted laptop, a matter on which Defence Secretary Des Brown reported to the Commons in January.

The computer contained 620,000 personal records, including bank account and National Insurance numbers.

It also held limited information on 450,000 people named as referees or next-of-kin by would-be servicemen and women.

As revealed in The Daily Telegraph last week, the Ministry of Justice lost information affecting more than 45,000 people, in some cases revealing their criminal records and credit histories, in the 12 month period.

The Home Office lost the personal details of 3,000 seasonal agricultural workers – including their passport numbers – when two CDs went missing in the post.

The Tories' shadow Cabinet Office minister Francis Maude said: "This shows that the government cannot be trusted to protect people's personal details.

"Ministers should think again about its even more risky and intrusive projects such as the identity card database, the all-encompassing children's database and the property database for the council tax revaluation.

"Tougher safeguards are needed to protect the privacy of law-abiding citizens from the government."

A Cabinet Office spokesman said: "The cabinet secretary's review of data handling, published at the end of June, put in place mandatory safeguards to make our information assurance as robust as possible and improve transparency.

"Departments are taking intensive action to improve data security, including extra training for hundreds of thousands of staff, and the problems reported in recently published resource accounts were made public as a result of this new approach."

The two lost child benefit data CDs have never been recovered.

An inquiry into the loss found there were "serious institutional deficiencies'' at HM Revenue and Customs and a "muddle-through ethos''.

The investigation found "no evidence whatsoever'' of misconduct or criminality by any member of HMRC and instead it blamed institutional problems "symptomatic of a wider problem''.


RISK : Facebook, MySpace users warned of cyber crime risk

August 20, 2008


The Victorian Government in Australia has warned users of social networking sites not to post private information online.

The Government has released a list of security tips for users of social networking sites such as Facebook and MySpace in response to the emergence of cyber crime, such as identity theft.

Tips include urging users to think twice before posting private information such as addresses and phone numbers online.

Attorney-General Rob Hulls says while these sites are fun to use, people need to be aware of the risks involved.

"There are obviously some privacy risks, including identity theft, also obviously not being able to effectively control who has access to that information that people post online," he said.

"Certainly social networking sites are a fast-growing phenomenon, but just be aware."

Mr Hulls says cyber crime such as identity theft is on the rise.

"Facebook users, social networking users need to realise that information and photos they put into cyberspace in some cases can be seen by others and can leave a digital tattoo that can be very difficult to erase," he said.


BUGS : Nokia admits security flaws in Series 40 OS
Widely used operating system could allow activation of stealth applications
Jeremy Kirk
IDG News Service

August 21, 2008


Nokia Corp. confirmed today that its widely used Series 40 operating system has security vulnerabilities that could allow stealth installation and activation of applications.

But the company was evasive on whether it paid nearly $30,000 to researcher Adam Gowdiak of Security Explorations, who wanted payment for effort spent finding the flaws.

"For obvious reasons of security, we will not comment further on the detail of our activities with Security Explorations," wrote Nokia spokeswoman Kaisa Hirvensalo, in an e-mail.

Gowdiak, a researcher in Poland, said earlier this month he had found problems with Java 2 Micro Edition (J2ME), an application framework for mobile devices, as well as the Series 40 OS. Nokia claims Series 40 is the mostly widely used mobile device platform.

Gowdiak has done research on the Java Virtual Machine and wrote on his Web site that he worked at one time for its developer, Sun Microsystems Inc.

Vendors typically steer clear of paying researchers for vulnerability information and alternatively encourage what they term is "responsible disclosure," or a discrete notification before vulnerability information is made public. Otherwise, users of a particular software are at risk while a vendor tries to develop a patch.

Nokia said some of its Series 40 products are vulnerable to an attack that could result in the secret installation of applications. The company said it has also found earlier versions of J2ME could allow privilege escalation or access to phone functions that should be restricted.

"Our testing has been concentrating on products that might have both of the claims present," according to a Nokia statement.

Nokia said it isn't aware of attacks against Series 40 devices, and the problems do not represent a "significant risk."

While details on the vulnerabilities are limited, Gowdiak has said an attack could be mounted by sending maliciously crafted messages to a particular phone number.

Gowdiak could not be immediately reached for comment.


New IT Term of the day

remote attack

Any malicious attack that targets any computer other than the computer the attacker is currently logged on to. For example, the attacker can log on to a system but actually attack any computer or server on the same network.


Quote of the day

Integrity is telling myself the truth. And honesty is telling the truth to other people.

Spencer Johnson

No comments:

This Day in History

Thanks for your Visit