Friday, May 30, 2008

Quote of the day

Do not spoil what you have by desiring what you have not; remember that what you now have was once among the things you only hoped for.

New IT Term of the day

password

A secret series of characters that enables a user to access a file, computer, or program. On multi-user systems, each user must enter his or her password before the computer will respond to commands. The password helps ensure that unauthorized users do not access the computer. In addition, data files and programs may require a password.

Ideally, the password should be something that nobody could guess. In practice, most people choose a password that is easy to remember, such as their name or their initials. This is one reason it is relatively easy to break into most computer systems.

Russian nuclear power websites attacked amid accident rumors

GAMES : Russian nuclear power websites attacked amid accident rumors

23/05/2008


MOSCOW, May 23 (RIA Novosti) - Hackers attacked Russian nuclear power websites that allow users to check radiation background amid false rumors of a nuclear accident in northwest Russia, a nuclear industry official said on Friday.

On Tuesday and Wednesday, several Internet forums carried reports of radioactive emissions from the Leningrad Nuclear Power Plant near St. Petersburg, and of a planned evacuation of local residents.

A spokesman for the Rosatom state nuclear corporation said the cyber attacks had been planned and coincided with the release of the reports.

"People who stand to lose out from the Russian nuclear power industry's development have an incentive to spread false rumors of an accident at the nuclear plant," he said.

"This was a planned action by hackers, which has brought down almost all sites providing access to the Automatic Radiation Environment Control System (ASKRO), including the Leningrad NPP site, the rosatom.ru site, and others. For several hours users were unable to reach the sites and obtain reliable information on the situation at the plant."

ASKRO is part of a permanent environment and sanitary control system, one of whose functions is to inform the population on radiation security. Access to the system is open to all visitors on a number of Russian nuclear industry websites. The system works in real-time.

Access to ASKRO data has now been fully restored, the spokesman said.

He said this was not the first incident of its kind in Russia. Last year, after similar false reports of an accident at the Volgodonsk nuclear plant, several dozen people, believing they could offset radiation damage by consuming large amounts of iodine, fell ill after poisoning themselves.

Banks not reporting cybercrime to protect image : Police

SHY : Banks not reporting cybercrime to protect image : Police

The Canadian press

28 May 2008


MONTREAL — Online banking and other Internet transactions may not be as secure as many Canadians believe, say law-enforcement officials who accuse financial institutions of under-reporting cybercrime.

Fraud investigators say they are worried publicity-shy private-sector organizations like banks avoid telling police when cybercriminals strike.

"Banks are often victims and we know that they only declare very few of the crimes committed against them," said Yves Francoeur, who heads the Montreal police brotherhood.

The RCMP's anti-fraud centre has tried to push the financial sector to be more up front with authorities.

But they claim the major players in the industry fear their reputations will be tarnished by having embarrassing cases such as identity theft exposed in public.

"It's all about image," said Cpl. Louis Robertson. "It's not in their best interests to do this."

The Mounties believe the $35 million of mass-market fraud reported in 2007 represents at most 10 per cent of all incidents.

"If we extrapolate, we are looking at, minimum, $500 million a year," Robertson said, noting the figure does not include losses stemming from identity theft.

"It's really hard to give a definite picture of the problem to our MPs and the powers in Ottawa when you don't even have a clear picture yourself."

Criminals make use of phishing e-mails and other forms of social engineering technology to steal personal information, which can in turn be used to defraud retailers and financial institutions.

Social engineering fraudsters work from the belief that it's easier to trick someone into giving up information than to steal it from them.

Phishing, for example, fools consumers into providing sensitive information by making an e-mail seem to come from a bank or credit card company.

The Canadian Bankers Association denies its members have been reticent to report such incidents to police.

"We have to all work together to fight a lot of this crime," said association spokeswoman Maura Drew-Lytle. "Banks co-operate with police across the country."

Yet the problem of under-reporting cybercrime is considered serious enough that the Canadian Association of Police Boards has approached the bankers association about developing an anonymous reporting mechanism.

"Even companies that aren't reporting said we need a confidential mechanism to report," said Canadian Association of Police Boards president Ian Wilms.

"What they told us is that reputational risk is their biggest concern."

A recent report on cybercrime by the association of police boards cited the need for mandatory reporting of economic cyber-security incidents.

Without an accurate handle on the extent to which financial institutions are victimized, few police forces are willing to dedicate the resources needed to fight financial forms of cybercrime.

Of the 62,000 police officers in Canada, only about 250 are tasked with cybercrime, usually with a focus on child pornography.

"We have priorities and if we look at the order of these priorities, financial institutions are at the bottom," said Christian Emond, an officer with the Montreal police's economic crimes unit.

Street gangs, organized crime and terrorism top the force's list of eight priorities.

"When you get the eighth spot, the resources accorded are going to be limited," Emond said.

And yet there are several indications that electronic forms of bank fraud and identity theft are getting worse.

Interac, which links bank machines and debit terminals across Canada, pegged 2007 losses from debit card skimming at $106.8 million, up from $94.6 million a year earlier and $44 million in 2003.

"Certainly the losses are increasing, but so are our efforts to fight it," Drew-Lytle said.

Most consumers have been shielded from the effects of increased cybercrime thanks to client-friendly policies at many banks. The $106.8 million taken from debit-card users last year was all reimbursed.

But some wonder how much longer financial institutions will be able to absorb these costs given rapidly rising rates of cybercriminality.

"Those industries that have been hit are sucking up their losses as the cost of doing business," Wilms said.

"As this grows, perhaps you'll see a behavioural change, and you'll be responsible for your own account."

Hacker takes $50,000 a few cents at a time

SALAMI : Hacker takes $50,000 a few cents at a time

28th May 2008


A hacker has used a loophole to collect more than $50,000 from Google Checkout and online brokerage firms, a few cents at a time.

When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment - ranging from only a few cents to a couple of dollars - to verify that the user has access to the bank account listed. Services such as Google Checkout and Paypal use a similar tactic to verify credit and debit cards linked to accounts.

According to court documents, Californian Michael Largent used an automated script to open 58,000 such accounts, collecting many thousands of these small payments into a few personal bank accounts.

Largent also performed the same trick with Google's Checkout service, cashing more than $8,000 alone from the service.

He is currently free on bail pending a court judgement on charges of wire, bank and mail fraud for his antics with the online brokerage sites, although his similar approach to getting cash out of Google has not been pursued by police as of this time.

When his bank contacted him about the thousands of small payments, Largent explained that he had read the terms of service of the sites he was targeting, and believed he was doing nothing wrong, claiming that he needed the money to pay off debts.

However, Largent used false names, including cartoon characters, as well as false addresses and social security numbers, which opened him to conviction under laws on mail, bank and wire fraud.
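The abuse described above works because each micro-deposit is tiny but nothing ties the many sign-ups back to the one bank account that collects them. The following is an added example (not code from the article or from any of the companies named) showing how a payment provider could detect and prevent this pattern on its own side: it groups verification deposits by destination bank account and flags any account that has been used to verify more than a small number of distinct sign-ups, and it gates further deposits before they are sent. The event layout, the threshold of three sign-ups per bank account, and the sample data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VerificationDeposit:
    """One micro-deposit sent to confirm that a new sign-up controls a bank account."""
    when: datetime
    new_account_id: str      # the brokerage / checkout account being verified
    holder_name: str         # name supplied at sign-up
    dest_bank_account: str   # bank account that received the micro-deposit
    amount_cents: int


def _d(day, hour, minute):
    return datetime(2008, 5, day, hour, minute)


# Constructed sample data (not real accounts): one ordinary customer, and one
# destination bank account collecting deposits from five sign-ups under
# different names.
SAMPLE_DEPOSITS = [
    VerificationDeposit(_d(1, 9, 0), "ACCT-A1", "Alice Smith", "BANK-1111", 12),
    VerificationDeposit(_d(1, 9, 1), "ACCT-A1", "Alice Smith", "BANK-1111", 37),
    VerificationDeposit(_d(1, 10, 0), "ACCT-B1", "Bugs Bunny", "BANK-9999", 5),
    VerificationDeposit(_d(1, 10, 1), "ACCT-B1", "Bugs Bunny", "BANK-9999", 18),
    VerificationDeposit(_d(1, 11, 0), "ACCT-B2", "Daffy Duck", "BANK-9999", 22),
    VerificationDeposit(_d(1, 11, 1), "ACCT-B2", "Daffy Duck", "BANK-9999", 9),
    VerificationDeposit(_d(2, 8, 0), "ACCT-B3", "Elmer Fudd", "BANK-9999", 41),
    VerificationDeposit(_d(2, 8, 1), "ACCT-B3", "Elmer Fudd", "BANK-9999", 7),
    VerificationDeposit(_d(2, 14, 0), "ACCT-B4", "Porky Pig", "BANK-9999", 3),
    VerificationDeposit(_d(2, 14, 1), "ACCT-B4", "Porky Pig", "BANK-9999", 55),
    VerificationDeposit(_d(3, 7, 0), "ACCT-B5", "Road Runner", "BANK-9999", 16),
    VerificationDeposit(_d(3, 7, 1), "ACCT-B5", "Road Runner", "BANK-9999", 30),
]


def find_deposit_farming(deposits, max_signups_per_dest=3, window=timedelta(days=30)):
    """Flag destination bank accounts that received verification deposits from
    more than `max_signups_per_dest` distinct new accounts inside any sliding
    time window. Returns {dest: (distinct_accounts, distinct_names, total_cents)}."""
    by_dest = defaultdict(list)
    for dep in deposits:
        by_dest[dep.dest_bank_account].append(dep)

    flagged = {}
    for dest, events in by_dest.items():
        events.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end].when - events[start].when > window:
                start += 1
            in_window = {e.new_account_id for e in events[start:end + 1]}
            if len(in_window) > max_signups_per_dest:
                flagged[dest] = (
                    len({e.new_account_id for e in events}),
                    len({e.holder_name for e in events}),
                    sum(e.amount_cents for e in events),
                )
                break
    return flagged


def allow_verification_deposit(dest_bank_account, prior_deposits, max_signups_per_dest=3):
    """Preventive gate: refuse to send yet another micro-deposit when this bank
    account has already been used to verify `max_signups_per_dest` sign-ups."""
    already = {d.new_account_id for d in prior_deposits
               if d.dest_bank_account == dest_bank_account}
    return len(already) < max_signups_per_dest


if __name__ == "__main__":
    for dest, (accts, names, cents) in find_deposit_farming(SAMPLE_DEPOSITS).items():
        print(f"{dest}: {accts} sign-ups under {names} names collected {cents} cents")
```

The detector is meant to run over a day's or a month's worth of deposit records after the fact; the gate is the cheaper control, since it stops the money leaving at all once one bank account has been "verified" a handful of times. Legitimate customers rarely open more than a few accounts against the same bank account, so a low threshold costs little.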

Co-operation and Education is Key

CeCOS II : Co-operation and Education is Key

by Geok Meng Ong

May 28, 2008


I was at the APWG CeCOS II conference in Akasaka, Tokyo, Japan the last two days. It was encouraging to see many members from not only academics, security vendors, and anti-phishing groups but also many law enforcement agencies including Interpol and Kyoto Prefecture Police, amongst others. There were also several presenters from the Online Gaming community.

Having such a diverse turn-out certainly helps push greater awareness of a multitude of cyber crime issues. It was very encouraging to see everyone agreeing on better co-operation in shutting down rogue sites, tracking the bad guys and protecting the users. There was also the video crew from NHK, to bring the CeCOS message across to Japanese TV viewers.

Dr. Uchida-san from The Institute of Information Security and Steve Sheng from Carnegie Mellon University (CMU) also presented a different angle of the issue, from the psychological and educational aspects. Both complement the policy and technology countermeasures.

Shinsuke Honjo and I gave a presentation on Monday to highlight how malware authors are now going all out to attack victims from all cultures. They can craft spam, phishing sites or malware to target diverse cultures and groups of Internet users in the Asia Pacific region. It was interesting for us to have our research corroborated with data from other speakers at the event. Terence Park, researcher from KrCERT/CC, in particular demonstrated how a Korean document viewer was used as a bait to install a password stealer. This was another classic example of how malware authors can use different localized techniques to get their victims.

Overall, the message that seems to be very consistent throughout is co-operation and education. In tackling a global issue like cyber crime, these are both important factors not only in tracking and prosecuting the criminals, but also in better protecting Internet businesses and users.

Editor’s comments -

CeCOS II was a well organized summit. The organizing team especially Peter Cassidy, Foy Shiver and Kana deserve big applause from all speakers and participants.

Wednesday, May 28, 2008

Quote of the Day

You create your opportunities by asking for them.

New IT Term of the day

passphrase

Similar to a password, a passphrase is a collection of words made up of any number of characters that may also contain blank spaces. Passphrases are commonly used for authentication in security programs and cryptographic systems. A passphrase is also used to authenticate both sides of a connection when pairing Bluetooth devices.

Societe Generale discovers second insider

FOLLOW-UP : Societe Generale discovers second insider

Now bolsters internal controls

By Robert Westervelt, News Editor

27 May 2008



French banking giant Societe Generale issued a report Friday into how a rogue trader carried out more than $7 billion in fraud and ways the bank is bolstering security and internal control procedures to prevent future problems.

The Societe Generale report, written by PricewaterhouseCoopers and a special committee of the bank's board of directors, found that security system upgrades and new procedures were being deployed on schedule. The design phase of the program is nearly complete and the upgrades are expected to be rolled out over the course of two to three years.

Societe Generale acknowledged in January that Jerome Kerviel, a 31-year-old trader, used his knowledge of the bank's processing and control procedures to conduct fraudulent trades that wound up costing the bank more than $7 billion. Kerviel allegedly used stolen passwords and other means to conceal his illegal activity.

The bank's investigation also found that Kerviel had an assistant who entered a large number of fraudulent trades into the bank's systems. The bank calls the assistant a "middle office operational assistant," and said that the person entered at least 15% of Kerviel's fraudulent trades. The person had knowledge of the bank's operations division and was able to turn off any triggered alerts as a result of Kerviel's trades. An email message between Kerviel and his assistant was also discovered referring to the fraudulent trades.

Since the discovery of the fraud in January, the bank began bolstering its internal controls starting with security training for traders and support staff. The bank is also revoking traders' write-access rights to middle office IT applications.

According to the report, Kerviel's fraudulent activity began in 2005 and took on massive proportions beginning in March 2007. The report characterizes oversight by Kerviel's trading manager and direct supervisor as "weak," resulting in little accountability for the trades he conducted.

"His new manager did not carry out any detailed analysis of the earnings generated by his trades or of their positions, thereby failing to fulfill one of the main tasks expected from a trading manager," according to the committee's findings.

In addition to internal processes, the bank said it was making "significant investments" in IT security to bolster applications and network infrastructure to detect problems and track actions carried out by the end-user. The bank will roll out a system designed to control and monitor the consistency of a user and the workstation used in a given day. A flaw discovered in the bank's Equities division transactional system is also being patched.

End-users have too many passwords for various applications and systems, according to the report. Some users were saving their passwords within spreadsheets and automatically logging into systems. The IT department will bolster management of user accounts and deploy a new authentication system to address the security gap. To reduce the number of passwords that one person needs to access sensitive applications, a software package will be rolled out and in place by 2009 so users can save their passwords securely.
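Two of the controls the report describes are checkable from ordinary authentication logs: whether a user's sessions in a given day stay on the workstation registered to that user, and whether one workstation is being driven by more than one account (the pattern you would expect from stolen or shared passwords, or from passwords kept in a spreadsheet and used by an assistant). The following is an added example, not the bank's system or any code from the report, of the "user and workstation consistency" check run over a constructed log. The log line format, the `REGISTERED_WORKSTATION` map, and the user and host names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system). One
# workstation per user is the expected pattern; deviations are what we look for.
SAMPLE_LOG = """\
2008-05-26T08:02:11 user=trader01 host=WS-TRD-014 result=success
2008-05-26T08:05:40 user=trader02 host=WS-TRD-015 result=success
2008-05-26T13:12:03 user=trader01 host=WS-MO-007 result=success
2008-05-26T13:15:30 user=assist01 host=WS-MO-007 result=success
2008-05-27T08:01:55 user=trader01 host=WS-TRD-014 result=success
2008-05-27T09:20:00 user=trader02 host=WS-TRD-015 result=failure
"""

# Assumed registry of which workstation each account normally uses.
REGISTERED_WORKSTATION = {
    "trader01": "WS-TRD-014",
    "trader02": "WS-TRD-015",
    "assist01": "WS-MO-007",
}

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def workstation_findings(events, registered):
    """Return (date, kind, subject, host) tuples for three conditions:
    a user on more than one workstation in a day, a user on a workstation that
    is not the one registered to them, and a workstation used by more than one
    user in a day (credential sharing or theft)."""
    hosts_by_user_day = defaultdict(set)
    users_by_host_day = defaultdict(set)
    for e in events:
        if e["result"] != "success":
            continue  # failed logins do not establish a session
        hosts_by_user_day[(e["date"], e["user"])].add(e["host"])
        users_by_host_day[(e["date"], e["host"])].add(e["user"])

    findings = []
    for (day, user), hosts in sorted(hosts_by_user_day.items()):
        if len(hosts) > 1:
            findings.append((day, "multiple_workstations", user, ",".join(sorted(hosts))))
        for host in sorted(hosts):
            if registered.get(user) != host:
                findings.append((day, "unregistered_workstation", user, host))
    for (day, host), users in sorted(users_by_host_day.items()):
        if len(users) > 1:
            findings.append((day, "shared_workstation", ",".join(sorted(users)), host))
    return findings


if __name__ == "__main__":
    for finding in workstation_findings(parse_log(SAMPLE_LOG), REGISTERED_WORKSTATION):
        print(*finding)
```

On the sample log the trader's afternoon session on a middle-office workstation produces both a "multiple workstations" and an "unregistered workstation" finding, and the same workstation then shows up as shared with the assistant's account. A finding like that is exactly the kind of event the report says should be reviewable and should not be something the people involved can switch off themselves.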

The Societe Generale board of directors concluded that the bank's IT department would be under great pressure to implement internal control procedures and deploy security technologies.

"The capacity of the information technology department to respond to all of the demands will be a determining factor in the program's success," the committee said. "The bank will therefore have to recruit, train and integrate experienced employees."

Latest phishing schemes target Apple

FRONTIERS : Latest phishing schemes target Apple

Sue Marquette Poremba

May 27 2008


Apple's increasing popularity is leading to the company's users being targeted by phishing schemes, experts say.

Last week, users of Apple's iTunes received messages stating problems with their accounts, but when users responded they were sent to a site asking for personal information such as Social Security numbers. And on Saturday, Sunbelt Software's blog posted a screen shot of a phony Apple Store billing page.

The increasing use of Apple in phishing scams is yet another sign of how much the company has grown, Andrew Lochart, vice president of product marketing at email security firm Proofpoint told SCMagazineUS.com on Tuesday.

“The scammers are pretty smart people, and they don't waste their time on scams with companies that aren't widely used,” Lochart said. “It's why you see the big guys like eBay being used. There are a large number of people who can be tricked about their account. Apple is at the point now where their corporate identity is useful to the bad guys.”

Lochart also speculated that these phishers are targeting a specific demographic: young adults who have grown up with the internet and have a tendency to engage in risky online behavior, like posting personal information.

“This is something we're going to be watching,” Lochart said. “Is it easier to get younger people to give their personal information?”

Alex Eckelberry, president of anti-spyware company Sunbelt Software said he doesn't think these phishing schemes are that sophisticated.

“I don't think this is specifically targeting Apple, per se,” he told SCMagazineUS.com on Tuesday. “The bad guys are running out of places to phish.”

In his opinion, he added, this is a circular trend.

“There's definitely a trend for Apple, no doubt about it,” he said, “but this is nothing but a hunger for money and looking for new places to find opportunities to get it.”

Apple did not respond to a request for comment.

Deutsche Telekom investigate call data abuse

INVESTIGATE : Deutsche Telekom investigate call data abuse

By Peter Sayer

IDG News Service



Deutsche Telekom has asked the public prosecutor in Bonn to investigate allegations that its security staff misused call data records on a number of occasions in order to track contacts between board members and journalists, according to company sources.

The misused records, of who called whom, when and for how long, relate to calls that took place in 2005 and 2006, according to the sources.

Such records are routinely kept by telecommunications operators about all their clients, as they are essential to the billing process, but details of the calls made on a particular line are usually only made available to the bill payer.

Hewlett-Packard hit the headlines in 2006 when it admitted that investigators working for the company had obtained the call data records of nine journalists without their permission, part of an operation at the company to plug boardroom leaks. In that case, the investigators contacted telecommunications providers pretending to be the journalists in order to obtain their records, a process that became known as pretexting.

Deutsche Telekom first became aware that call records had been misused in the middle of last year, after an internal tip-off. An internal investigation led to changes in procedure and a reorganization of the security team, the company said Saturday.

However, Deutsche Telekom said that on April 28 it received a letter containing renewed and more serious allegations from someone outside the company claiming to have been involved in the incidents at the request of a member of the company's security department.

After studying those allegations, the company filed charges with the public prosecutor's office on May 14. Staff at the public prosecutor's office were aware of the dossier, but would not comment further.

"We ... will support them in their full investigation of these allegations," CEO René Obermann said in a prepared statement.

"By taking this approach we want to ensure the greatest possible level of transparency and allow criminal prosecutors to bring those responsible to justice," he said.

The HP pretexting case ultimately cost Chairman Patricia Dunn her job, but Deutsche Telekom's senior executives should be safe.

"We are talking about incidents in 2005 and 2006 which were under the jurisdiction of the former management team," said company spokesman Mark Nierwetberg.

Obermann was named head of Deutsche Telekom in November 2006, having previously led its mobile subsidiary T-Mobile. Chairman of the board Ulrich Lehner was only appointed on April 17, just before the current round of allegations broke.

Social Network Sites 'reveal hidden messages'

RISK : Social Network Sites 'reveal hidden messages'

By staff writers

May 22, 2008


If you're changing your Facebook status every five minutes there is a good chance the only thing people will notice is that you're an attention-seeking extrovert.

Social networking analyst Laurel Papworth says there are hidden messages behind the overt displays of self-promotion on websites like Facebook or MySpace.

Status updates can show if someone is an extrovert or fishing for sympathy, she claims.

"The extrovert, they are always going to be updating because the world revolves around them and one can assume that means the world needs to know how they are feeling from minute to minute," Ms Papworth told NEWS.com.au.

"There's a lot of passive-aggressive behaviour in social networks and some interesting statuses — I'm mad at my boss, I'm mad at my mum, my teacher.

"We're expecting our good friends to come and commiserate and give presents on our page or leave comments on our page presumably in support of our emotional state."

Conor Woods, a 32-year-old executive and Facebook fan, said he sometimes catches himself thinking in short, descriptive phrases for his next status update.

He said his updates were mostly attempts at humour but knew others who were trying to carve out a better image online than they enjoy in reality.

"We live in a time where everybody is really conscious of branding and advertising and everyone is really media literate… (people) know how to shape their identity online to give the best image of themselves," Mr Woods said.

Ms Papworth claims people who think in terms of visuals will update their photographs more often because that is what appeals to them.

But Mr Woods has his own ideas on this.

"I don't like it when people use a photo that's not them, using something like a rock star. It seems to me like they're hiding away, like they don't want to face who they are," he said.

"The ones where you see couples, just in case you didn't see in the relationship status that they're in a relationship with that person, that's the person they have their arms around. Now I get it, it's too much."

And if that relationship breaks down then a "no longer in a relationship" update lets your friends, and sometimes your ex, know right away.

"I know one girl who found out her boyfriend had broken up with her because he changed his Facebook status update," Ms Papworth said.

"She rang him and said 'You've changed the update, what's happened?' And he said 'Can't you guess?'

"Every generation guys find a way of copping out of doing the right thing, using different communication tools, and women do as well. This is just the newest way of breaking hearts."

Ms Papworth claims for all the possibilities of public humiliation and secrets revealed, people will continue to use the sites as they provide a sense of community.

"We're reaching out to people we can connect with online and have them show that they care and we care about them," she said.

Monday, May 26, 2008

Quote of the day

The true secret of giving advice is, after you have honestly given it, to be perfectly indifferent whether it is taken or not and never persist in trying to set people right.

New IT Term of the day

passive reconnaissance

The process of collecting information about an intended target of a malicious hack without the target knowing what is occurring. Typical passive reconnaissance can include physical observation of an enterprise’s building, sorting through discarded computer equipment in an attempt to find equipment that contains data or discarded paper with usernames and passwords, eavesdropping on employee conversations, researching the target through common Internet tools such as Whois, impersonating an employee in an attempt to collect information, and packet sniffing.

Cyber Crime Becoming #1 Crime in North America

TOPPER : Cyber Crime Becoming #1 Crime in North America

21 May 2008


CALGARY, May 21 /CNW Telbec/ - Cyber crime is now the most significant challenge facing law enforcement organizations in Canada. The results of a nationwide Deloitte survey, commissioned by the Canadian Association of Police Boards (CAPB) to determine the magnitude and impact of cyber crime on Canadians, have indicated that cyber crime is a much more serious threat than previously believed. CAPB considers the results of this survey to represent a "call to action".

"We knew that many law enforcement agencies were seeing impacts but, without good numbers, it was hard to get a true sense of how significant the threat was," says Ian Wilms, chair of the Canadian Association of Police Boards. "We now know, thanks to our survey and the efforts of other organizations, that cyber crime is surpassing drug trafficking and is very close to becoming the #1 crime in the nation."

"As a result, the average citizen is now more likely to be a victim of crime through the Internet than on the street or in their home," says Wilms. "Even if they don't own a computer, their information may be on someone else's computer or with a business that uses the Internet which can put them at risk."

"And, just like drug trafficking, cyber crime has a very real impact on victims...unfortunately, it is an invisible threat to many Canadians," he adds.

Combining the results of the CAPB Cyber Crime in Canada survey with other studies, Wilms says agencies are now realizing that the crime forecast looks grim. With a huge upswing in malicious cyber attacks reported, Wilms says the "landscape of law enforcement has changed dramatically."

"Right now, the criminals have all the advantages and we are struggling to keep up and every day we fall further behind," he says. "The pool of victims grows larger every day while the pool of perpetrators also gets larger, younger and more sophisticated...this is a new era for police, fighting a new type of criminal."

With little funding and already-overworked officers, the fight against cyber crime "has to be shared," says Wilms. "This is now a global, societal problem that will require a coordinated, intelligent and powerful response."

"Technology crime units can no longer be viewed as 'nice to have' within our police services," he says. Instead, Wilms says these units must become an integral, key component of any police service strategy, including supplying the appropriate resources for computer forensics, cyber crime investigations and cyber crime prevention.

One of the key recommendations from the CAPB survey is the establishment of a dedicated Canadian centre where law enforcement and various agencies can work together to combat cyber crime.

"Canada has many leading experts...ultimately, this is an opportunity for our country to assume a leadership role by helping to become peacekeepers of the Internet," Wilms says.

The CAPB survey was funded by Public Safety Canada, the Government of Alberta Solicitor General and Public Security and the City of Calgary.

Attachments to this release include a fast facts backgrounder and a copy of the report's key recommendations. A full copy of the survey report is available for download at www.capb.ca

Fast Facts

In January 2008, the Canadian Association of Police Boards (CAPB) commissioned a survey to determine the magnitude and impact of cyber crime on Canadians. The survey, conducted by Deloitte LLP, consisted of three components: an Ipsos Reid market research survey of 587 Canadians, an extensive interview process with 63 key contacts throughout law enforcement, prosecutions, government, academia and industry, and an analysis of open source survey data. The following statistics are provided from a number of sources, including this survey report.

Key findings of the CAPB Cyber Crime in Canada report:

- 49% of respondents have been a victim of cyber crime (cyber crimes include computer viruses, banking and personal information being lost or stolen through the Internet, children being bullied or sexually abused through online contact, businesses being hacked and held for ransom, identity theft and interference with critical infrastructure such as power grids, water systems or telephone services).

- 70% of victims of cyber crime have not reported the crime as they were unsure who to report to or did not think any justice would occur.

- 86% of respondents indicate that cyber crime has become a concern.

- 95% of respondents believe they are being targeted for cyber crime (most respondents believe the greatest threats are identity theft, financial fraud and computer viruses).

- 89% of respondents believe that preventing cyber crime should be a priority of government and law enforcement agencies.

Additional supporting statistics:

- According to a 2007 Symantec study, Canada ranks ninth as a country targeted for malicious cyber activities while the U.S. holds the #1 position. This same study discovered more than 700,000 new malicious code threats for 2007, up from only 125,000 in 2006.

- A 2006 estimate by the Canadian Council of Better Business Bureaus indicates that identity theft is costing consumers, banks, credit card firms and stores $2 billion annually.

- According to U.S. Dept. of Justice statistics, identity theft is passing drug trafficking as the number one crime in the nation - approx. one new victim every two seconds.

- Internet child pornography has become a $2.6 billion industry (NCMEC). The latest RCMP estimates indicate there are 60,000 identified IP addresses in Canada accessing child pornography.

- In a recent IBM survey of healthcare, financial, retail and manufacturing industries, nearly 60% of businesses believe that cyber crime is more costly to them than physical crime.

- In 2006, FBI statistics showed a loss of $70 million in bank robberies compared to $220 million lost due to Rock phishing. Currently the most popular phishing kit, Rock Phish allows non-technical individuals to create and carry out phishing attacks.

- 2007 research from the U.S. Cyber Consequences Unit shows that the destruction from a single wave of cyber attacks on critical infrastructures could exceed $700 billion - the equivalent of 50 major hurricanes hitting U.S. soil at once.

Report Recommendations

In January 2008, the Canadian Association of Police Boards (CAPB) commissioned a survey to determine the magnitude and impact of cyber crime on Canadians. CAPB considers the results of this survey to represent a "call to action." The survey suggested a number of recommendations to address cyber crime activities - now considered the most significant challenge facing law enforcement in Canada. A top priority recommendation is the establishment of a dedicated centre where law enforcement, government, the private sector and academia can co-ordinate the fight against cyber crime.

"It is incumbent upon police boards/commissions to work with government to find the resources necessary to protect our communities from cyber crime," says Calgary Police Commission chair Denis Painchaud.

"Having said that, police services cannot work in isolation...we need laws that support the prevention and detection of crime perpetuated over the Internet and we need a national, coordinated effort between government, law enforcement, the private sector and academia to get on top of the fastest growing crime in the world," he adds.

Other key recommendations of the CAPB Cyber Crime in Canada survey:

- The implementation of the legislation as proposed in August 2002 with respect to the lawful access provisions of the criminal code.

- Changes to existing legislation that would enable information sharing with law enforcement with lower judicial standards than those now applied to search and seizure warrants.

- Changes to the Canada Evidence Act that would improve on the existing Mutual Legal Assistance treaty's ability to enable the admission of documents held in the normal course of business in another country.

- Increased resourcing and funding for law enforcement and crown prosecutors related to cyber crime investigations and prosecutions.

- The need for a central mechanism for the mandatory reporting of designated cyber security incidents to enable quantification of the potential damage to the Canadian economy.

- New legislation making spamming an offence and the adoption of recommendations made by the Spam Task Force in 2005.

- Mandatory reporting requirements for child pornography.

- Increased cyber crime awareness and prevention programs to be introduced into school curriculums as part of educating children on the issues of cyber crime.

"Phlashing" attacks could destroy hardware

PHLASHING : "Phlashing" attacks could destroy hardware

By Joel Hruska

May 20, 2008


Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP's Systems Security Lab, has identified a potential security flaw within a network's physical hardware rather than a typical desktop or server system. Smith's report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as "phlashing."

Attacking system firmware isn't a new tactic—the CIH/Chernobyl virus was capable of overwriting BIOS firmware back in 1998—but focusing such attacks on network hardware would be an unusual step, and could prove quite successful in at least the short term. According to Smith, the ongoing war between security vendors and malware authors will inevitably drive exploration into new, non-PC-centric attack vectors as loopholes within the PC ecosystem become increasingly harder to exploit. NEEDS could therefore become a future target of opportunity, especially considering the poor default security state most of these systems ship with.

Currently, NEEDS are treated as part of a network's topology rather than as individual devices requiring their own set of security procedures and practices. As a result, such devices may present a nearly unguarded attack vector, particularly if the remote management software for any given unit has bugs of its own. The "phlashing" attack vector Smith plans to discuss at EUSecWest next week involves exploiting these security flaws to launch what he refers to as a Permanent Denial of Service, or PDoS, attack.

Such an attack would be launched by pushing a deliberately corrupted firmware image (the device's equivalent of a BIOS) through the device's own update path, leaving it unable to boot. Depending on the configuration of the network in question, strategically bricking a small handful of routers could bring down a network or business. What's worse, Smith argues, is that the company or organization under attack would have no effective way of fighting back or repairing the damage short of replacing the hardware in question. The defenses are the same ones that stop any hostile firmware: an update path that authenticates the image against a key the device trusts before a single byte is written, and a second flash bank or recovery image so that one bad write is not fatal.
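The contrast between the updater a "phlashing" attack needs and a hardened one, as an added example written for this page (it is not code from the article, from HP's Systems Security Lab, or from any real device). The image format (the `NEED` magic and header), the HMAC-SHA256 tag standing in for a vendor signature, the device key, and the firmware payloads are all constructed for illustration; a real device would hold a vendor public key in ROM and verify a signature instead.

```python
"""Simulated firmware-update path for a network-enabled embedded device.

Added example: an updater that writes whatever the management interface hands
it can be bricked with one corrupted image, while one that verifies the image,
refuses rollback and flashes into a second bank survives the same input.
"""
import hashlib
import hmac
import struct

MAGIC = b"NEED"                  # hypothetical image magic
HDR = struct.Struct(">4sII")     # magic, version, payload length
TAG_LEN = 32
DEVICE_KEY = b"\x11" * 32        # constructed; stands in for a vendor public key in ROM/OTP


def build_image(version, payload, key=DEVICE_KEY):
    """Vendor side: header || payload || HMAC-SHA256(key, header || payload)."""
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(blob, key=DEVICE_KEY):
    """Return (ok, reason, version). Every check runs before any flash write."""
    if len(blob) < HDR.size + TAG_LEN:
        return False, "short image", None
    magic, version, length = HDR.unpack_from(blob)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if magic != MAGIC or len(body) != HDR.size + length:
        return False, "bad header", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag", None       # corrupted, or built by someone without the key
    return True, "ok", version


class Device:
    """Two flash banks; the boot ROM runs `active` if it verifies, else the other."""

    def __init__(self, image):
        self.banks = [image, None]
        self.active = 0
        self.version = HDR.unpack_from(image)[1]

    def update_unchecked(self, blob):
        """Vulnerable updater: trusts the management interface completely."""
        self.banks[self.active] = blob       # overwrites the only good copy

    def update_verified(self, blob):
        """Hardened updater: verify, refuse rollback, write only the inactive bank."""
        ok, reason, version = verify_image(blob)
        if not ok:
            return False, reason
        if version <= self.version:
            return False, "rollback refused"
        inactive = 1 - self.active
        self.banks[inactive] = blob
        if not verify_image(self.banks[inactive])[0]:   # read back what was written
            return False, "flash write failed"
        self.active, self.version = inactive, version
        return True, "ok"

    def boot(self):
        """Boot ROM: return the version that runs, or None if the box is bricked."""
        for idx in (self.active, 1 - self.active):
            img = self.banks[idx]
            if img is not None and verify_image(img)[0]:
                self.active = idx
                return verify_image(img)[2]
        return None


def demo():
    """Constructed scenario: one corrupted push against each kind of updater."""
    good_v1 = build_image(1, b"router firmware v1 (constructed)")
    good_v2 = build_image(2, b"router firmware v2 (constructed)")
    corrupt = bytearray(good_v1)
    corrupt[HDR.size + 4] ^= 0xFF            # flip one payload byte: the "phlash" image
    corrupt = bytes(corrupt)

    victim = Device(good_v1)
    victim.update_unchecked(corrupt)          # attacker pushes junk via a buggy management UI
    bricked = victim.boot()                   # None: nothing bootable is left

    hardened = Device(good_v1)
    rejected = hardened.update_verified(corrupt)
    still_boots = hardened.boot()             # 1: the old image is untouched
    accepted = hardened.update_verified(good_v2)
    upgraded = hardened.boot()                # 2
    rolled_back = hardened.update_verified(good_v1)   # refused: older than what runs
    return bricked, rejected, still_boots, accepted, upgraded, rolled_back


if __name__ == "__main__":
    print(demo())
```

The order of operations is the point: the tag and header are checked on the received bytes, the write goes to the bank that is not running, and the bank is re-verified before the boot pointer moves, so a truncated transfer or a hostile image never replaces the copy the device can still boot from.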

As Dark Reading's article on the subject points out, however, the question of whether or not hackers would even launch such attacks is open to debate. Commercial malware campaigns have historically been far more interested in utilizing systems for profit than in destroying them, and the ability to compromise a router or another embedded system's firmware would likely result in a number of attacks that sought to capitalize on this capability rather than destroy it.

There's also a significant level of risk associated with actively destroying a legitimate company's network hardware. Today, malware, and the need to protect from it, is an accepted part of IT security. Phishers and scammers of all types are certainly pursued, but the big law enforcement guns are typically reserved for high-profile cases where a great deal of money is actively changing hands. Destroying or crippling a company's network hardware is one of the fastest ways to draw attention to yourself, and most criminal organizations prefer to stay off the radar, not dance on top of it in an aluminum monkey suit.

PDOS attacks may never become a major threat, but Smith has a point when he talks about the ever-widening scope of malware. The criminal software industry has proven itself to be exceptionally adroit at adopting new and different attack vectors, and could conceivably shift its focus (or at least open a front) against an entirely different target. Strengthening network security by focusing on devices rather than PCs certainly wouldn't hurt anything, and it could provide protection against headaches down the road.

TJX employee fired for exposing shoddy security

WHISTLE-BLOWER : TJX employee fired for exposing shoddy security

By Dan Goodin in San Francisco

23rd May 2008


TJX Companies, the mammoth US retailer whose substandard security led to the world's biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

"I was basically hitting a glass wall," said Benson, a 23-year-old freshman at the University of Kansas who worked at TJ Maxx beginning in October 2005. "Not one single thing was done. My store manager even posted the password and username on a post-it note. I told her not to do that."

So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in its user forum. Over the next nine months, he left eight posts in which he chafed at the password policy and asked what he should do about it.

"I am not sure if this is just an isolated incident within this specific store, but it goes to show that you can't trust a company to protect your information, especially TJX," Benson wrote under the moniker CrYpTiC_MauleR. "Today was a very sad day for me =o("

A TJX spokeswoman declined to comment for this story and turned down our request to discuss the company's policies for passwords and other security matters.

Benson's May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company's network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.
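The two failures the article describes, a blank password and a password equal to the user name, are exactly the ones an auditor can find from a password store without learning anyone's real password. The following is an added example written for this page, not TJX code and not anything the article says the company ran. The account records, the denylist, the 12-character minimum and the low PBKDF2 iteration count are all constructed for illustration.

```python
"""Weak-credential audit over a salted password store (added example).

Hash the handful of guesses the policy forbids (blank, the user name in a few
casings, a short denylist) under each account's salt and compare in constant
time. A match is a finding; a miss tells the auditor nothing about the password.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000                      # constructed: far too low for production
DENYLIST = ("password", "123456", "welcome1")


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_policy(username, password):
    """Reasons a proposed password is unacceptable; an empty list means it passes."""
    reasons = []
    if password == "":
        reasons.append("blank password")
    if password.lower() == username.lower():
        reasons.append("password equals user name")
    if password in DENYLIST:
        reasons.append("denylisted password")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def audit_store(store):
    """store: iterable of (username, salt, digest). Returns [(username, reason), ...]."""
    findings = []
    for user, salt, digest in store:
        guesses = {"": "blank password"}
        for variant in (user, user.lower(), user.upper(), user.capitalize()):
            guesses.setdefault(variant, "password equals user name")
        for word in DENYLIST:
            guesses.setdefault(word, "denylisted password %r" % word)
        for guess, reason in guesses.items():
            if hmac.compare_digest(hash_password(guess, salt)[1], digest):
                findings.append((user, reason))
                break                    # one finding per account is enough
    return findings


def build_sample_store():
    """Constructed accounts mirroring the article: a blank password, a password
    equal to the user name, and one account the auditor cannot crack."""
    sample = [("storemgr", ""),
              ("cashier1", "cashier1"),
              ("itadmin", "V4lid-but-unknown-to-auditor")]
    return [(u, *hash_password(p)) for u, p in sample]


if __name__ == "__main__":
    for user, reason in audit_store(build_sample_store()):
        print("%-10s %s" % (user, reason))
```

Run against the real store on a schedule, the same loop turns the kind of complaint Benson was making into a report the loss prevention manager cannot file away; `check_policy` is the matching front-door check that keeps a blank or user-name password from being set in the first place.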

The posts eventually caught up to Benson. On Wednesday, while marking down items on the TJ Maxx retail floor, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. The manager told Benson he was being fired for disclosing confidential company information.

No one at Sla.ckers.org was willing to defend TJX or the shoddy security practices it is accused of following, but some have questioned Benson's decision to speak so openly.

"I would assume your disclosure of your company's inner server workings on the internet means that they can't trust employees to protect their information?" one forum participant wrote in a response to Benson's posts.

But critiques like that seem to overreach. Benson's disclosures weren't specific enough to give attackers information needed to successfully breach TJX's networks. And when you consider the right of TJX's customers and employees to know that their data may be at risk, it's not unreasonable to call him a whistleblower.

The account has us wondering if other TJX employees have tales similar to Benson's.

For Benson's part, he has no regrets. "They're telling the public they're PCI compliant," he said, referring to the Payment Card Industry Data Security Standard (PCI DSS), the card brands' security rules for businesses that accept credit and debit cards. "That I think is unethical."

But he says his actions were also fueled by a healthy dose of self-interest.

"My information is still on that server," he continued, referring to the machine that sits in an office at the TJ Maxx where he once worked. "So if their network is insecure, then my information is insecure. I'd prefer they get it fixed."

Health Record Breach on Rise

RISE : Health Record Breach on Rise

Proliferating HIPAA complaints and medical record breaches

Sue Marquette Poremba

May 23 2008


The number of complaints about violations of the U.S. Health Insurance Portability and Accountability Act (HIPAA) continues to increase each year, in tandem with an increase in breaches of medical records, according to one security professional.

In addition, a growing number of these complaints are going unresolved.

The protected health information (PHI) security and privacy goals of HIPAA are good in spirit and intent, Herold, leader of the Realtime IT Compliance Community, told SCMagazineUS.com on Friday. The regulatory oversight by the U.S. Department of Health and Human Services (HHS), however, has been underwhelming, she said.

The published statistics on Privacy Rule complaints clearly show the numbers increasing every year, she added. That is a result not only of the growing number of privacy breaches, but also of the public's growing awareness of the risks of PHI breaches, and of the fact that covered entities clearly have a law requiring them to protect PHI, but one that is not being enforced.

Over the past five years there have been more than 32,000 complaints about HIPAA violations to the HHS Office for Civil Rights (OCR), Herold said. Approximately 25,500 of these have been resolved.

“It is also important to point out that the same four issues have been the top issues where complaints were received every single year,” said Herold.

Those issues are impermissible uses and disclosures of PHI, lack of safeguards, denial of patient access to records, and uses or disclosures beyond the minimum necessary.

“These categories of vulnerabilities are significant contributors to privacy breaches,” she said.

The health care sector continues to be an industry that suffers from large numbers of data breaches, Doug Pollack, chief marketing officer of ID Experts told SCMagazineUS.com.

“This can be partially attributed to the essential need for access to confidential patient information on a real time basis by medical professionals,” he said. “While they may not correlate directly, it isn't surprising that there is an increase in both the number of data breaches and the number of HIPAA violation complaints. While there is no simple answer to substantially reducing the risks that lead to data breaches in the medical community, a large number of breaches in healthcare are caused by loss or theft of physical files or laptops, and so more rigorous physical security policies and data encryption standards for laptops may be a very good place to start.”
