GDT::Security::Watchdog::Archive::Year 2005

Security Watchdog

Sober Worm Expected To Return Early 2006
It appears as though the Sober worm will reappear early in 2006.
   "The next planned widespread of 2005's most prolific 
    e-mail worm, Sober, is scheduled to start on 
    January 5, 2006 based on commands hard-coded 
    within the worm. The attack date coincides 
    with the 87th anniversary of the Nazi party."

ITObserver.com:: Sober is scheduled to Attack on January 2006

[28 December 2005, top]
Google Desktop Exploited Thanks To Windows
It appears Microsoft's Internet Explorer browser is defective when it comes to processing Cascading Style Sheet (CSS) rules. Although the defect was demonstrated using Google Desktop, it is a defect with Internet Explorer and not Google Desktop. Testing indicated that the Firefox and Opera web browsers did not suffer this defect. Until the defect is patched, it was suggested that users disable JavaScript in IE.

[side-issue] Many think the finder of this IE defect was wrong to document the defect without there being any readily available patch.

ZDNet.com:: IE flaw lets intruders into Google Desktop

[Update::2005.12.05] Google was able to change their software so users could not exploit Microsoft's defective CSS processing. Kudos to Google. {News.Yahoo.com:: Google Fixes Desktop Search Loophole}

[28 December 2005, top]
Computer Cracker Gets Away With Cracking
Somebody was accused of sending five million email messages to an ex-employer and a legal system said that was okay.
   "A British teenager has been cleared of launching a 
    denial-of-service attack against his former employer."

The law that was being used was written in 1990 and, as the judge acknowledged, a lot has changed in the computing world since then.

ZDNet.com:: British teen cleared in 'e-mail bomb' case

[28 December 2005, top]
Credit Report Provider TransUnion Cracked
The public is constantly being told to get a credit report, yet how can we be sure the credit report generators are trustworthy?
   "Social Security numbers and other information about more than 
    3,000 consumers were stolen recently from TransUnion LLC, one 
    of three U.S. companies that maintain credit histories on 
    individuals.  The data were housed in a desktop computer 
    that was stolen last month from a regional sales office 
    in California, TransUnion said."

TransUnion should be shut down.

   "Colleen Tunney, vice president of corporate affairs for 
    Chicago-based TransUnion, said the computer was probably 
    the object of the burglary, not the data. She said the 
    information on the computer required a password to access."

I don't like reading stuff like this that contains words like "probably." In this case, "probably" implies they don't know.

   "Tunney said the company is investigating why such information 
    would be stored on an individual computer in a regional office 
    rather than on a secure corporate network."

In this particular case, "better late than never" is not acceptable.

InformationWeek.com:: PC Containing Consumer Credit Data Stolen

[28 December 2005, top]
SANS Does Cybersecurity Education
Becoming a computer security guru probably offers a great long-term career, but only if you are good. Getting a graduate degree certified by SANS will not be easy, but then nothing's easy.

GCN.com:: SANS to offer graduate degrees in cybersecurity

[28 December 2005, top]
Loudeye To Sell Overpeer
This news item introduced the term clogger. Initially, I thought a clogger was a spammer of blogs, but in this case it was a spammer of P2P networks.
   "A company that tried to limit illegal file trading by flooding P2P
    networks with junk files is being shut down and put up for sale.
    Overpeer, which is owned by Loudeye, contracted with record companies
    and movie studios to place thousands of bogus versions of songs and
    movies on P2P services. When users searched for and downloaded those
    files, they would get garbage or advertisements rather than the desired
    files. Since late 2002, when Overpeer was at its height, a number of
    strategies have been developed to allow file traders and the services
    they use to make reasonably good guesses about files and to filter out
    the bogus ones. Officials from Loudeye said revenues had fallen
    significantly and that the division would cease operations immediately.
    Loudeye will attempt to sell Overpeer's assets."

ZDNet.com:: Clogger of P2P networks to shut down

[28 December 2005, top]
There Is More To Wire-Tapping Than Wire-Tapping
There has been lots of news at the end of 2005 about wire-tapping. This is an especially important issue given the Internet. If systems are modified to allow wire-tapping, then how do the providers of the systems ensure these "features" cannot be exploited by others? In other words, we assume wire-tapping will be enabled by law enforcement, but given today's state of computer security it is unclear if these systems cannot be cracked.

Crypto.com:: Signaling Vulnerabilities in Wiretapping Systems

[28 December 2005, top]
Crackers Crack White-Wolf.com
White Wolf Publishing Inc., a company responsible for some of the most popular role-playing game brands, shut down operations after crackers cracked their system and stole user data that included user names, e-mail addresses and encrypted passwords. Following the crack, the Stone Mountain, Georgia, company said the crackers "attempted to extort money by threatening to post the potentially sensitive user data on the Internet."

White-Wolf.com:: White Wolf Was the Target of an Attack by Hackers

[24 December 2005, top]
Let's Not Let Our Guard Down
It is dangerous to draw conclusions based upon headlines seen on the Internet, but the following headlines may indicate a dangerous trend.
   "Experts Debate Whether Cybercrime Profits Surpass Drug Trafficking"
   "Rampant software piracy stifles growth: survey"
   "Fears over identity theft overblown: US study"
   "Internet terror attack unlikely, FBI says"

What is the potentially dangerous trend?

These headlines may imply we are starting to "let up our guard" when it comes to security issues.

Cybercrime, cyberterrorism, and identity theft are serious issues, and just because we may be okay now means nothing when it comes to tomorrow or the next day or the next day. For criminals, patience may be the key to their success.

Here is a quote from 9 December 2005.

   "The company suggests, for instance, that companies 
    shouldn't always notify consumers of data breaches 
    because they may be unnecessarily alarming people 
    who stand little chance of being victimized."

As long as "little chance" is not "zero chance," then consumers must be notified when systems containing any data about them are cracked.

[17 December 2005, top]
EFF Sues N. Carolina Over Voting Systems
It appears North Carolina may not be effective at learning from its mistakes. The state "experienced one of the most serious malfunctions of e-voting systems in the 2004 presidential election when over 4,500 ballots were lost in a voting system provided by e-voting vendor UniLect Corp." Now they have certified some voting systems without doing a strict code review.
   "North Carolina law requires the Board of Elections 
    to rigorously review all voting system code 'prior 
    to certification.' Ignoring this requirement, the 
    Board of Elections on December 1st certified voting 
    systems offered by Diebold Election Systems, Sequoia 
    Voting Systems, and Election Systems and Software 
    without having first obtained - let alone reviewed 
    - the system code."

EFF.org:: North Carolina Sued for Illegally Certifying Voting Equipment

[10 December 2005, top]
Cyber Crime Pays; Cyber Terrorism Concern
It is common knowledge that lots of money can be made dealing illegal drugs, but it appears more money can be made performing criminal activities over the Internet.
   "Last year was the first year that proceeds from cybercrime 
    were greater than proceeds from the sale of illegal drugs, 
    and that was, I believe, over $105 billion.  Cybercrime 
    is moving at such a high speed that law enforcement cannot 
    catch up with it."

News.Yahoo.com:: Cybercrime yields more cash than drugs

[update::2005.12.09] Time-out... it appears some people disagree that cybercrime is more lucrative than illegal drug trafficking.

News.Yahoo.com:: Experts Debate Whether Cybercrime Profits Surpass Drug Trafficking

[Extra] From a homeland security perspective, the following news reported from Financial Times is bothersome. {FT.com:: US 'relying on private companies to counter cyber-terrorism' }

[03 December 2005, top]
Hollywood Does BitTorrent
When you think Hollywood these days, think MPAA (Motion Picture Association of America). The MPAA has lots of money and money makes all the difference in the world when it comes to getting political leaders to pass (or not pass) laws when it comes to how people use their computers. Every change that occurs to protect Hollywood introduces a potential "hole" in our computer world that can be exploited by crackers (or potentially abused by our government via stuff like the Patriot Act).

NewsFactor.com:: Hollywood, BitTorrent Reach Agreement

[Extra] It may be the end of P2P as we know it. The RIAA is the music industry's version of the MPAA.

   "This settlement brings to a close an incredibly significant 
    chapter in the story of digital music.  This is a chapter that 
    ends on a high note for the recording industry, the tech community 
    and music fans and consumers everywhere."
    -- Mitch Bainwol, RIAA chairman and chief executive

[26 November 2005, top]
The Sony Rootkit Saga Continues
It is difficult not to read the "rest of the story" when the story is authored by Bruce Schneier and it starts with the following.
	"The only thing that makes this rootkit legitimate 
	 is that a multinational corporation put it on your 
	 computer, not a criminal organization."

In a nutshell, Schneier questions if big computer security companies knew about Sony's malware and opted to ignore it because the malware came from a mega-company like Sony.

Wired.com:: Real Story of the Rogue Rootkit

[Extra] It is nice to see the Electronic Frontier Foundation stepping up to the plate on this issue. {EFF.org:: EFF Files Class Action Lawsuit Against Sony BMG}

[Extra] The Texas Attorney General filed a civil lawsuit against Sony BMG Music Entertainment for "hiding 'spyware' software on its compact discs in a bid to thwart music copying." Can more states do this? {TX.us:: Attorney General Abbott Brings First Enforcement Action In Nation Against Sony Bmg For Spyware Violations}

[Extra] What's a rootkit? A rootkit is a "set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system." What's malware? Malware is "malicious software" designed to "take over and/or damage a computer user's operating system, without his or her knowledge or approval."

[26 November 2005, top]
Indiana University Cracked; TransUnion Cracked
Indiana University discovered "'malicious' software on the computer of a faculty member at the Kelley School of Business." The school reported that the cracked computer could have been used to access "personal information of about 5,300 current and former students at the university." IU students have been instructed to keep an eye on their credit reports.

FortWayne.com:: IU finds 'malicious' software

[Extra] Did Indiana University warn students about using TransUnion? I doubt it.

   "Social Security numbers and other information about more than 
    3,000 consumers were stolen recently from TransUnion LLC, one 
    of three U.S. companies that maintain credit histories on 
    individuals.  The data were housed in a desktop computer 
    that was stolen last month from a regional sales office 
    in California, TransUnion said."

With Identity Theft such a growing concern, I don't know why credit reports are not obtained using a dot-gov website. [ditto for filing taxes online]

   "Colleen Tunney, vice president of corporate affairs for 
    Chicago-based TransUnion, said the computer was probably 
    the object of the burglary, not the data. She said the 
    information on the computer required a password to access."

I don't derive any comfort with somebody saying the computer was "probably the object of the burglary, not the data." Now the burglar knows they have some valuable data. And the computer requiring a password is a moot point because the password may be something simple like "transunion."

   "Tunney said the company is investigating why such information 
    would be stored on an individual computer in a regional office 
    rather than on a secure corporate network."

I sure hope they are. Physical security is a critical variable in securing computer systems and protecting data.

InformationWeek.com:: PC Containing Consumer Credit Data Stolen

[19 November 2005, top]
Bruce Schneier Writes About Fatal RFID Defect
Bruce Schneier is one of the leading computer security gurus in the world; therefore, when Schneier speaks about security issues, it is often wise to pay attention to his words.

Schneier claims there are problems with using RFID in passports. He starts his essay with the following general concerns when it comes to RFID usage.

   "RFID chips are passive, and broadcast information to any 
    reader that queries the chip. So critics, myself included, 
    were worried that the new passports would reveal your identity 
    without your consent or even your knowledge. Thieves could 
    collect the personal data of people as they walk down a street, 
    criminals could scan passports looking for Westerners to kidnap 
    or rob and terrorists could rig bombs to explode only when four 
    Americans are nearby. The police could use the chips to conduct 
    surveillance on an individual; stores could use the technology 
    to identify customers without their knowledge."

Schneier explains the problem with how RFIDs will be used in passports and the technical details are beyond the scope of this posting. In a nutshell, he claims that RFID chips can be "uniquely identified by their radio behavior." He ended his essay with the following paragraph.

   "The State Department's plan to issue RFID passports by 
    October 2006 is both precipitous and risky. It made a 
    mistake designing this behind closed doors. There needs 
    to be some pretty serious quality assurance and testing 
    before deploying this system, and this includes careful 
    security evaluations by independent security experts. 
    Right now the State Department has no intention of doing 
    that; it's already committed to a scheme before knowing 
    if it even works or if it protects privacy."

Wired.com:: Fatal Flaw Weakens RFID Passports

[12 November 2005, top]
From CASPIAN to SpyChips.com
CASPIAN stands for Consumers Against Supermarket Privacy Invasion and Numbering. The CASPIAN website contains a hyperlink to SpyChips.com, which uses the following phrase on its homepage.
   "How major corporations and government 
    plan to track your every move with RFID."

SpyChips.com has a FAQ (Frequently Asked Questions) list that contains some interesting questions.

   What do I do if I find an RFID chip? Can I kill or disable it?
   Are there some products that can't be RFID chipped? 
   Can chips in clothing survive the washer and dryer?
   How can I tell if there's an RFID chip in my ____? 
   Can I microwave products to kill RFID tags? 
   Does U.S. currency contain RFID chips? 
   Will a magnet erase an RFID chip? 

SpyChips.com
NoCards.org

[05 November 2005, top]
Microsoft Has Spawned a Computer Security Industry
Microsoft's "just good enough" software (that morphs into "just bad enough" software when connected to the Internet) has spawned and supports a lucrative "computer security" industry. Microsoft itself makes lots of money providing patches to its defective software. To an extent the business model is as follows: buy our software, but you have to pay extra to secure it. In a nutshell, this is wrong, yet we don't do anything about it. Kudos to Microsoft.

PCMag.com:: The Microsoft Protection Racket

[29 October 2005, top]
Color Printers Printing Yellow Dots Encoding Information
The Electronic Frontier Foundation (EFF) has discovered that tiny dots can be printed that "show where and when you made your print." Needless to say this is a privacy issue. The EFF claims the "U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters." The EFF tells us "the dots are yellow, less than one millimeter in diameter, and are typically repeated over each page of a document. In order to see the pattern, you need a blue light, a magnifying glass, or a microscope."

EFF.org:: Secret Code in Color Printers Lets Government Track You

[22 October 2005, top]
U.S. Cybersecurity Like FEMA; Spyware May Be Illegal
After Hurricane Katrina, FEMA (the Federal Emergency Management Agency) has undergone significant ridicule. In a nutshell, many think FEMA is a joke. Declan McCullagh equates the current state of computer security with FEMA. Declan, we'd be better off if computer security was on par with FEMA.

CNET News.com:: U.S. cybersecurity due for FEMA-like calamity? [by Declan McCullagh]

[Extra] Eric J. Sinrod was correct when he wrote: "Information technology has advanced at warp speed with the law struggling to keep up." You can take Sinrod's words and replace "law" with "political system."

   "In Sotelo v. DirectRevenue, the plaintiff filed a complaint 
    against various defendants alleging that, without his consent, 
    the defendants caused spyware to be downloaded onto his computer. 
    In a nutshell, the plaintiff alleged that the spyware tracked his 
    Internet use, invaded his privacy, and caused damage to his computer."

USAToday.com:: Spyware can constitute illegal trespass on home computers

[15 October 2005, top]
University of Georgia System Cracked
YAAISC--Yet Another Academic Institution System Cracked-- and this time it is the University of Georgia. The Atlanta Journal-Constitution newspaper reported the following.
   "The University of Georgia has revealed that a hacker was able 
    to access a computer system that contained personal information 
    for employees of the College of Agricultural and Environmental 
    Sciences as well as people who are paid from that department. 
    Social Security numbers were in the accessed database, though 
    no credit card information was exposed. In all, 2,400 Social 
    Security numbers for about 1,600 people were compromised, and 
    the university is working to contact those affected."

The newspaper needs to learn that the University of Georgia system was accessed by a cracker and not a hacker.

UGA.edu:: UGA investigating illegal computer intrusion

[08 October 2005, top]
Online Banking Popular But Not Growing
Online banking is a great tool because you can check account balances and transfer funds without physically going to the bank. But, the current state of computer security doesn't make many of us feel safe when executing such transactions.
   "A new survey by Ipsos Insight shows that the number of 
    people who use the Internet for banking has reached a 
    plateau, but that those who do their banking online are 
    conducting growing numbers of transactions. According to 
    the survey, roughly 39 percent of Americans use the Internet 
    for personal banking."

CNET News.com:: Hacking fears bog down online banking growth

[side-bar] It would be nice if the headline read "Cracking fears bog down online banking growth."

[01 October 2005, top]
Protection Against Getting Photo Blogged
Digital cameras are getting smaller and smaller. Cell phones can take digital pictures. Many people don't like to get their pictures taken; therefore, technology is being developed to help people defend themselves against digital cameras.
   "The technology they've devised detects the presence of 
    a digital camera up to 33 feet away and can then shoot 
    a targeted beam of light at the lens."

CNET News.com:: Crave privacy? New tech knocks out digital cameras

[24 September 2005, top]
MiamiU Ohio Cracked; Paris Hilton's Phone Cracked
Miami University, Ohio is "notifying all students who attended Miami during the fall 2002 semester that a report containing their names, Social Security numbers and grades had been inadvertently placed in a file accessible through the Internet." Miami U. had a fall 2002 enrollment of 21,762 students. {MUOhio.edu:: Miami notifying students, alumni of privacy breach }

[Extra] A 17-year-old criminal was "sentenced to 11 months detention at a juvenile facility for a string of crimes that include the online posting of revealing photos and celebrity contact numbers from Paris Hilton's phone. As an adult, he will then undergo two years of supervised release in which he will be barred from possessing or using any computer, cell phone or other electronic equipment capable of accessing the Internet." {WashingtonPost.com:: Teen Pleads Guilty to Hacking Paris Hilton's Phone }

The WashingtonPost.com headline should have read: "Teen Pleads Guilty to Cracking Paris Hilton's Phone."

[17 September 2005, top]
U.S. Army Concerned About Blogging Soldiers
Blogging is "hot" these days, but bloggers must be careful what they blog. Example: The U.S. Army is concerned about what soldiers are blogging about. They claim that some blogs (and websites) contain information and photographs that "exposes classified or sensitive information." Army leaders claim "The enemy is actively searching the unclassified networks for information, especially sensitive photos." If I were the enemy, I'd do the same.

FCW.com:: Army to better monitor blogs, Web sites

[03 September 2005, top]
MPAA Goes After More P2P Users
The MPAA (Motion Picture Association of America) has filed another 286 lawsuits against individuals for using the Internet to trade movies. The MPAA used peer-to-peer (P2P) log files to find alleged criminals (i.e. pirates).

BitTorrent is a popular P2P file distribution tool that is widely used to exchange large files containing stuff such as software, movies, music, and so on.

The following was copied from a ZDNet posting about the MPAA's recent legal activities.

   "BitTorrent creator Bram Cohen has warned in the past that 
    using his technology to distribute material illegally is 
    a 'dumb idea,' because the file-swapping tool is not designed 
    to hide the identity of anyone using it."

Today's computer users should assume that the days of anonymous Internet usage are history.

  1. ZDNet.com:: Studios mine P2P logs to sue swappers
  2. MPAA.org:: Press Releases
  3. Wikipedia.org:: BitTorrent

[27 August 2005, top]
Electronic Passports Coming Soon
The U.S. Department of State announced the e-passports will start being used by the end of 2005, with all passports being electronic by 3rd-quarter of 2006. The department's Media Note said, "the new passport will combine facial recognition and contactless chip technology and that the chip will be embedded in the cover of the passport." The Media Note also indicated that "a digital signature will protect the stored data from alteration and mitigate the threat of photo substitution" and that anti-skimming technology will be included in each passport. {State.gov:: The Department of State to Begin Issuance of an Electronic Passport }

[20 August 2005, top]
Cisco Cracked; Univ. of Colorado Cracked
Cisco is one of the largest computer companies in the world and their equipment plays a major role in the daily operations of the Internet. Lately, Cisco has been having some computer security issues.

[Extra] Academic institutions are starting to stop using Social Security numbers as student identifiers.

	"A hacker last week broke into files containing Social Security 
	 numbers, names and photographs of 29,000 students, some former 
	 students and up to 7,000 staffers. The files related to CU's 
	 Buff OneCards, which students use for after-hours access to 
	 some campus buildings and to buy meals and snacks."

	[...]

	"CU took Social Security numbers off all Buff OneCards last 
	 spring, replacing them with a student-ID number. The file that 
	 was hacked was used in the transition and listed people's ID 
	 numbers and Social Security numbers."

DenverPost.com:: CU seeking help to evaluate hacked system

[06 August 2005, top]
Cisco VoIP Cracked; Zimmermann Secures VoIP
Kudos to Internet Security Systems, Inc. for discovering defects with Cisco's VoIP (Voice over IP) implementation. [Note: Internet Security Systems is part of the GDT::Portfolio.] {ISS.net:: Cisco VoIP Call Manager Remote Compromise }

[Extra] There will be a future Security Watchdog posting about Phil Zimmermann and secure telephone over the Internet using Zfone. {eWeek.com:: Privacy Pioneer Promises Secure VoIP}

[30 July 2005, top]
Say YES to K-12 Cyber Awareness Program
Somebody posted a message to the AZIPA (Arizona Internet Professionals Association) about how Arizona should abandon biotech and focus on e-learning. The writer of the posting was motivated by news of an Arizona school district that was going to do away with text books and use computers exclusively for instruction. I was going to reply, but the subject matter is just too painful to think about. Just because somebody can use a computer does not make them computer-literate. Timely news from the CSIA... {Biz.Yahoo.com:: Cyber Security Industry Alliance Calls for a National K-12 Cyber Awareness Program }

[23 July 2005, top]
London and Biometrics; Zlib Defect; USC Cracked
Terrorist attacks always respark interest in biometric tools that can be used for security. In London, Tube riders may be subjected to full-body scans that may be installed at 270 underground Tube entrances. Passengers will not have to be stopped in order to be scanned. The scans work by "measuring the solar radiation reflected by people's bodies." {TimesOnline.co.uk:: Body Scan Machines to be Used on Tube Passengers }

[Extra::Zlib Defect] Zlib is a popular data compression library and it contains a 'buffer overflow' defect. The Whitedust Security Portals says "one example attack would be for an attacker to create a corrupted PNG file containing arbitrary code. If that image was placed somewhere on the web, a victim could be persuaded to view it, causing the application to crash or leave the system open to being compromised." {Whitedust.net:: Zlib Security Flaw Exposes Swath of Programs }

[Extra::USC Cracked] Yet another academic computer network has been cracked. {TheRegister.co.uk:: USC Admissions Site Cracked Wide Open }

[16 July 2005, top]
Supreme Court Ruling Helps Make Coding a Crime
On 27 June 2005, the Supreme Court of the United States of America made the RIAA and MPAA happy by "making coding a potential criminal activity." In a nutshell, P2P (Peer-to-Peer) producers can be held liable for the copying of copyrighted material. A keyword from the decision: intent. The EFF says, "Perhaps more important, the threat of legal costs may lead technology companies to modify their products to please Hollywood instead of consumers." Hurrah for Hollywood... not!

EFF.org:: Supreme Court Ruling Will Chill Technology Innovation

[09 July 2005, top]
University of Connecticut Computers Cracked
University computer systems continue to be a great source of data for computer crackers as evidenced by the following crack at the University of Connecticut.
   "UConn has notified 72,000 students, staff, and faculty as 
    a precaution after officials found a computer-hacking program 
    in a server at the school."

Note to UConn: You found a computer-cracking program, not a computer-hacking program.

   "The server contains names, Social Security numbers, dates of 
    birth, phone numbers, and addresses for anyone with an account 
    that allows access to the school's computer network. The personal 
    information was not in a readable format."

I guess since the information was "not in a readable format," it was encrypted data. This is a good thing; however, we are not told what type of encryption was employed.

   "Results of our examination reveal no indication that any 
    personal information was accessed or extracted."

More good news, but UConn better hope their computer "forensics" are 100% accurate.

   "Even though we believe this incident puts users of 
    University technology at low risk of identity theft, 
    we felt it was essential to notify them of the incident."

Since UConn only "believes" all is well, it was "essential" they notify UConn network users.

   "The breach occurred on October 26, 2003.   It was 
    detected on June 20, 2005."

A defective computer system was used for more than a year and a half.

UConn.edu:: UConn Server May Have Been Breached

[27 June 2005, top]
Most Users Want a Secure Internet
The Cyber Security Industry Alliance (CSIA) did a survey and found that "most" Internet users want a safer Internet. I'm not sure why the word "most" is not the word "all."
	"More than 90 percent of voters see identity theft and 
	 spyware as serious problems with 71 percent believing 
	 new laws from Congress are required to protect consumer 
	 security.  Today, CSIA released the results of a nationwide 
	 survey of voters dedicated to Internet safety issues."

[21 June 2005, top]
Data About Motorola Employees Stolen
Computer security takes on many forms and once again the risks associated with weak "physical" security have been realized. Reuters reported that two computers containing employee data for Motorola workers were stolen from Motorola's Human Resources provider (some company named Affiliated Computer Services). It appears that the employee data, which contained names and social security numbers, may have been encrypted. {Reuters.com:: Two computers stolen with Motorola staff data }

[Extra] Spam email messages about a Michael Jackson suicide attempt are floating around the Internet. The spam is serious because it contains a "Trojan horse that infects a system if a user clicks on a link to find out more about the singer's alleged self-induced death." {Sophos.com:: Michael Jackson suicide spam leads to Trojan horse }

[11 June 2005, top]
Purdue and Stanford Have Insecure Computing Systems
Purdue University has a strong Computer Science department. Purdue is home to the Center for Education and Research in Information Assurance and Security (CERIAS). The Director of CERIAS is computer security guru (and GDT::DreamTeam member) Dr. Eugene H. Spafford. It just goes to show how difficult computer security is when Purdue University issues an alert about how records containing personal data on 11,360 current and former employees were illegally accessed.

Purdue.edu:: Purdue Issues Alert About Illegal Access of Computers

[Extra::26 May 2005] The FBI and Stanford University are investigating how someone cracked into a computer system containing "information about people looking for work through the university's Career Development Center."

[28 May 2005, top]
Spring Leftovers: Classified Data; Passports; CyberDefense
Spring cleaning time... this week's postings all come from Government Computer News (GCN).

[22 May 2005, top]
Knowledge@W.P.Carey Speaks About Identity Theft
Knowledge.WPCarey.ASU.edu:: Should Businesses Work Harder to Thwart Identity Thieves?
When taken as a stand-alone question there is only one correct answer: "Yes."

The Knowledge@W.P.Carey article states:

   "According to a survey conducted by the Federal Trade Commission 
    (FTC), almost 10 million Americans said they were victims of some 
    form of identity theft in 2003 at a personal cost of $5 billion. 
    Identity theft losses to businesses and financial institutions 
    that same year totaled $48 billion."

This data alone implies companies must work harder to help prevent identity theft.

The article indicates companies risk losing the "trust" of their customers when identity theft occurs; however, the lack of "consumer outrage" may be keeping companies from doing a better job when it comes to protecting the privacy of their customers.

The article correctly reported the following.

   "Identity theft isn't just relegated to cyberspace.  In fact, 
    studies have found that most identity theft and fraud comes 
    from plain, old-fashioned thievery such as stolen credit cards 
    and paper mail, dishonest employees or misrepresentation."

Walk down any street in any neighborhood during the middle of any business day and there is a never-ending stream of unlocked mailboxes full of all kinds of stuff that can enable identity theft.

[11 May 2005, top]
Good News for RIAA and MPAA: FECA Becomes Law
Good news for the RIAA and MPAA... FECA becomes law. What's FECA? FECA is the Family Entertainment and Copyright Act. {News.com:: New Law Cracks Down on P2P Pirates }

[30 April 2005, top]
Security Defects Found With IRS Computers
I did e-taxes for the first time this year and will probably use the Internet for future tax reporting. I don't understand why tax submissions are not exclusively under the domain of IRS.gov, but software definitely "hides" the complexity behind our tax forms. Of all the computer systems that need to be secure, IRS computers should be near the top of the list.

Government Computer News posted an article to their website on 21 April 2005 about potential security defects with respect to the computer systems used by the IRS (Internal Revenue Service). {GCN.com:: IRS Security Flaws May Expose Taxpayer Banking Data }

[23 April 2005, top]
UC Berkeley Receives $19 Million to Build TRUST
University of California, Berkeley, will "lead an ambitious multi-institution center to protect the nation's computer infrastructure from cyberattacks while improving its reliability." The center is called the Team for Research in Ubiquitous Secure Technology (TRUST) and it is a collaboration of academic partners "Carnegie Mellon University, Cornell University, Mills College, San Jose State University, Smith College, Stanford University and Vanderbilt University." TRUST also includes non-academic partners such as "Bellsouth, Cisco Systems, ESCHER (a research consortium that includes Boeing, General Motors and Raytheon), Hewlett Packard, IBM, Intel, Microsoft, Oak Ridge National Laboratory, Qualcomm, Sun Microsystems and Symantec."

TRUST has an outreach program that includes education programs for "K-12 schools, undergraduate students and institutions serving underrepresented populations." UC Berkeley's press release says the education outreach "will lay the groundwork for training new scientists and engineers who, center leaders say, will develop the next generation of trustworthy systems. The program includes a focus on outreach to women-only institutions, exemplified by the partnerships with Mills and Smith colleges."

{Berkeley.edu:: UC Berkeley to Lead $19 Million NSF Center on Cybersecurity Research }

[16 April 2005, top]
Don't Crack My Mac
The DVForge Virus Prize 2005 was a contest challenging virus writers to "actually prove that they can introduce a harmless virus into two modern OS X Macs." The contest was considered improper and was subsequently cancelled. {DVForge.com:: Virus Prize 2005 }

[09 April 2005, top]
UCSB Grades Altered; UCB Laptop Stolen
The news report starts as follows...
	"A UCSB student is being charged with four felonies 
	 after she allegedly stole the identity of two professors 
	 and used the information to change her own and several 
	 other students' grades."

UCSB is the University of California at Santa Barbara.

The student did not accomplish her criminal activity by cracking UCSB computer systems; instead, she obtained personal information about the professors as a result of her job at Allstate Insurance (the professors were Allstate customers).

This criminal needs to learn that it doesn't pay to be greedy: she changed one grade from 'F' to 'B+'.

{DailyNexus.com:: Altered Grades Lead to Student's Arrest }

[Extra::Laptops Continue to be a Security Hole] A University of California, Berkeley office had a laptop computer stolen from it. The computer contained personal information for about 100,000 people. {Berkeley.edu:: UC Berkeley police investigating theft of laptop containing grad student ID data }

[02 April 2005, top]
UC-Chico Cracked; Boston College Cracked; Publisher Cracked
California State University at Chico discovered that their system used to support University Housing and Food Service was cracked. The school announced that the system contained personal information that included names and social security numbers. Additional reporting indicates that 59,000 records may have been illegally accessed. {CSUchico.edu:: Computer Security Incident March 14, 2005 }

[Extra::Boston College Cracked] A Boston College computer was cracked, potentially granting access to personal data on more than 100,000 individuals. Computer forensics indicate that data was not accessed, but how can they be 100% confident the forensics is accurate? {BC.edu:: BC Computer Security Breach Update}

[Extra::Publisher Database is Cracked] Reed Elsevier (publisher) was cracked granting crackers access to personal data on about 32,000 people. {CNET News.com:: Hackers Break into Citizen Database}

[26 March 2005, top]
Cracking Computers Enables Cracking Into Cars
Graduate researchers at Johns Hopkins University successfully cracked Texas Instruments' "immobilizer" antitheft system used in millions of cars. From cracking into computers to cracking into vehicles, criminals must be excited about the current state of our digital world. {JHU.edu:: RFID Chips in Car Keys, Gas-Pump Pay Tags Carry Security Risks }

[19 March 2005, top]
Mozilla's Buffers Overflow; ATMs Running Windows
Buffer overflows continue to happen with alarming frequency. The Mozilla application is becoming increasingly popular and with increased usage more and more defects will probably be discovered. {Mozilla.org:: Memory Overwrite in String Library }

[Extra::Bank Loses Backup Tapes] The Bank of America lost backup tapes containing details of Visa cards that the bank issued to 1.2 million federal employees. About 900,000 of those affected work in the Defense Department.

[Extra::Automated Teller Machines Running Windows] Wells Fargo banks have implemented a "Windows-based infrastructure designed to allow Wells Fargo to update and add services such as new languages and envelope-free deposits to its entire network remotely." Windows-based? This implies we may start seeing ATMs with BSoDs (Blue Screens of Death). {ComputerWorld.com:: Wells Fargo Web-enables 6,200 ATMs }

[12 March 2005, top]
Buffer Overflow Found in Mozilla; Bank Loses Tapes
Buffer overflows continue to happen with alarming frequency. The Mozilla application is becoming increasingly popular and with increased usage more and more defects will probably be discovered. {Mozilla.org:: Memory Overwrite in String Library }

[Extra::Bank Loses Backup Tapes] The Bank of America lost backup tapes containing details of Visa cards that the bank issued to 1.2 million federal employees. About 900,000 of those affected work in the Defense Department.

[Extra::Automated Teller Machines Running Windows] Wells Fargo banks have implemented a "Windows-based infrastructure designed to allow Wells Fargo to update and add services such as new languages and envelope-free deposits to its entire network remotely." Windows-based? This implies we may start seeing ATMs with BSoDs (Blue Screens of Death). {ComputerWorld.com:: Wells Fargo Web-enables 6,200 ATMs }

[05 March 2005, top]
Somebody Has Been Arrested for Spimming
An instant messaging spammer (called a spimmer) was arrested for "allegedly sending 1.5 million messages advertising pornography and mortgages" to members of the MySpace.com online networking service. Additionally, the spimmer "allegedly threatened to share his methods for spamming members of the group if MySpace.com didn't sign an exclusive marketing deal that would have legitimized the messages he was sending via the service." Spammers and spimmers must be stopped. Find him guilty and lock him up without Internet access for at least a decade. {CNET News.com:: U.S. Makes First Arrest for Spim }

[26 February 2005, top]
VoIP Security Alliance Formed
VoIP (Voice over IP) is becoming increasingly popular and as a result more than 20 companies have formed the VoIP Security Alliance (VOIPSA) to help ensure a secure computing environment. Reports indicate that "adoption of VoIP technology is expected to rise from 400,000 to 12 million over the next five years." {InternetNews.com:: VoIP Players Form Security Alliance }

[12 February 2005, top]
Open Source Does Not Ensure Security (e.g. Jabber)
IM (Instant Messaging) continues to grow in popularity. Jabber is an open-sourced implementation of IM that is sometimes referred to as "the Linux of instant messaging." Although it happened more than a year ago, it was only recently discovered that a server hosting the Jabber website was cracked. {Jabber.org:: JSF/JabberStudio Service Update}

[05 February 2005, top]
Univ. of Northern Colorado Lost Drive; FBI Retires Carnivore
The University of Northern Colorado (UNC) announced that it lost a storage device that contained data such as names, Social Security numbers, and bank account numbers for almost 16,000 current and past employees of the university. The school further indicated that the lost device also contained data for employee beneficiaries. {UNCO.edu:: Missing Hard Drive Fact Sheet and FAQ}

[Extra::FBI Discontinues Carnivore Usage] The FBI has retired the Carnivore system. Carnivore is a "customizable packet sniffer" that the FBI used from time-to-time to capture and analyze Internet traffic. {SecurityFocus.com:: FBI Retires Its Carnivore}

[Extra::Buffer Overflow Found in BIND] CERT.org:: BIND 8.4.4 and 8.4.5 vulnerable to buffer overflow in q_usedns

[29 January 2005, top]
Linux Getting Tougher to Crack; Crackers Like Wi-Fi
The Honeynet Project tracks crack attacks by setting up networks that have enabled incoming ports and watching access attempts. Honeynet released a 2004 study that indicates Linux systems are becoming more difficult to crack. {ComputerWorld.com:: Study: Linux Server Attacks Declining }

ComputerWorld.com quotes New Scientist magazine saying "Wi-Fi networks leave home computer users open to unprecedented levels of security breaches." The New Scientist article also contained the following quote from Bruce Schneier: "When convenience and features are in opposition to security, security generally loses. As wireless networks become more common, security will get worse." {ComputerWorld.com:: Wi-Fi Boom Makes Life Easier for Computer Hackers }

[22 January 2005, top]
Crackers Crack George Mason University
On 03 January 2005, George Mason University discovered their computer system had been cracked with crackers gaining access to personal information of faculty and students. GMU announced data for "all members of the Mason community who have identification cards" had been accessed and that the cracked data included social security numbers. More than 30,000 GMU faculty, staff and students are at increased risk of Identity Theft. {GMU.edu:: George Mason University - Server Intrusion }

[14 January 2005, top]
McAfee Reports Top 10 Threats for 2004
McAfee is a leading computer security company and AVERT is McAfee's Anti-virus and Vulnerability Emergency Response Team. AVERT warns that 2004 was a bad year for computer security and 2005 isn't going to be any better. The team reports "Consumers are more affected by spyware/adware threats and less by email-borne threats because most consumers use Internet Service Providers that proactively scan and clean email viruses before being delivered to the consumer." {McAfeeSecurity.com:: AVERT Reports Top 10 Threats for 2004 and Advises on Future Threats }

[07 January 2005, top]
Welcome to Year 2005
Happy New Year! Welcome to 2005. The 2004 Security Watchdog has been archived.

[01 January 2005, top]


Author: Gerald D. Thurman [deru@deru.com]
Last Modified: Saturday, 05-Jan-2013 11:17:39 MST
