GDT::Security::Watchdog::Archive::Year 2006

Security Watchdog

So Called 'Smart' Clothes Coming Soon
I found this Security::Watchdog posting from a couple of months ago that never got posted...

Earlier today I was at ASU hearing about embedded and wireless systems. In fact, a picture of a smart shirt was displayed. Embedded, wireless systems along with nanosized sensors will make for an interesting, if not scary, future.

   "When micro-sized sensors can enquire our business in a 
    particular neighbourhood, and equally micro-sized agents 
    embedded within our clothing answer on our behalf, what 
    are the risks to our personal data? How will we safeguard 
    our personal privacy in such a society? SWAMI project 
    researchers aimed to find out."

SWAMI is "Safeguards in a World of Ambient Intelligence."

Personal data protection vital to future civil liberties

[30 December 2006, top]
Crackers Working Hard To Crack Windows Vista
It is no surprise that crackers are going to work hard to crack Microsoft's new Windows Vista OS. Some defects have already been found, but so far no major cracks have been exploited. Supposedly, Microsoft has never tested software as much as it has tested Vista. Only time will tell if their testing was quality versus quantity.

Windows Vista Flaw Not Cause for Major Concern

[28 December 2006, top]
Mississippi State University System Cracked
Mississippi State University (MSU) was cracked exposing information on approximately 2,400 students and employees. The information included names and SSNs. The university took pride in the fact they shut the system down immediately upon learning about the crack. MSU said it is moving away from Social Security numbers as student identifiers, but that it is a slow process to do so.

[26 December 2006, top]
Boeing Cracked Yet Again (3rd Time Within a Year)
Boeing Company announced they have lost yet another laptop containing personal information. This is the third time within a year that Boeing has had information stolen from them. The most recent loss included names and Social Security numbers of 382,000 employees and retirees. Boeing stated the following: "It's very disturbing to us when things like this happen."

Boeing is a huge aerospace company that does a lot of work for the United States DoD (Dept. of Defense). The government should force this company to learn how to secure their computers before giving them any more huge contracts. Examples: On 25 December 2006, Boeing got a $23.2 million deal from the Navy; and, on 15 December 2006, the company announced a $13 million deal with the Air Force. Isn't doing business with Boeing a homeland security issue?

[18 December 2006, top]
MySpace Passwords Not That Bad
Bruce Schneier has written an article about the passwords used on MySpace accounts. The passwords were collected as part of a MySpace phishing crack that stole "34,000 actual user names and passwords" before being fixed by
   "We used to quip that 'password' is the most common password. 
    Now it's 'password1.' Who said users haven't learned anything 
    about security?"

"But seriously"... the passwords on MySpace are not that bad. Schneier wrote that "less than 4 percent were dictionary words and that the great majority were at least alphanumeric." The average password length was eight characters.

MySpace Passwords Aren't So Dumb

[15 December 2006, top]
Computer Systems at UCLA Cracked
Yet another university computer system has been cracked. This time it is UCLA (University of California at Los Angeles). Crackers gained access to personal information on about "800,000 current and former students, faculty and staff." The personal information included names and social security numbers.

UCLA Probes Computer Security Breach

[12 December 2006, top]
Stop the Online Exploitation of Our Children Act
Politicians continue to want to control the Internet. Each law that gets passed has the potential to erode away at our computing freedoms.
   "Millions of commercial Web sites and personal blogs 
    would be required to report illegal images or videos 
    posted by their users or pay fines of up to $300,000, 
    if a new proposal in the U.S. Senate came into law."

The proposed bill is called the "Stop the Online Exploitation of Our Children Act." It is the politicians, however, who need to be stopped. [Support Bloggers' Rights]

CNET Senator: Illegal images must be reported

[12 December 2006, top]
MySpace User Profiles Cracked Using QuickTime Player
User profiles on MySpace were cracked by a "worm that directed victims to a phishing site where they were asked to type in their user name and password." The worm used "JavaScript inside of Apple Computer's QuickTime player, which can be embedded in MySpace user profiles. People logged into MySpace could have their profiles infected by simply visiting an infected profile." According to InformationWeek, in July of 2006, a "worm spreading through the site embedded JavaScript code into profiles that redirected visitors to a site claiming the U.S. government was behind the 9/11 terrorist attacks."

Bottom-line: Cracking computers and websites is a form of terrorism.

MySpace Shuts Down User Profiles Due To Worm Infection

[06 December 2006, top]
Dept. of Homeland Security Issues Cyberattack Alert
Cyberwarfare will be ugly. It would be chaos if a majority of Americans woke up one morning and all their savings and investment accounts had been set to zero.
   "The U.S. government warned American private financial services 
    on Thursday of an al-Qaida call for a cyber attack against online 
    stock trading and banking Web sites beginning on Friday."
    [Friday was 1 December 2006]

In a nutshell, the attack, if any, will try to wipe out financial databases. Cracking databases is hard, but denial-of-service attacks, which don't access data, could prevent access to data.

CNet U.S. warns of possible Qaida financial cyber attack

[01 December 2006, top]
MPAA Wants To Know About Your Home Theater
[Update::2006.11.29] This was a hoax.

The Motion Picture Association of America (MPAA) is worried about "home theaters" because they have the right to know what is being shown in theaters. The MPAA needs laws to ensure they know what is being shown in theaters (and that includes homes). Everybody will have to register their home theater with the MPAA and pay a $50 registration fee. If they don't, then they could risk a $500,000 fine for every movie shown.

   "The MPAA defines a home theater as any home with a television 
    larger than 29" with stereo sound and at least two comfortable 
    chairs, couch, or futon."

The poster wrote the following.

   "The bill would require that any hardware manufactured in the future 
    contain technology that tells the MPAA directly of what is being shown 
    and specific details on the audience. The data would be gathered using 
    various motion sensors and biometric technology."

Will we still be able to watch movies naked?

MPAA head Dan Glickman is quoted saying the following.

   "We didn't act early enough with the online sharing of our 
    copyrighted content. This time we're not making the same 
    mistake. We have a right to know what's showing in a theater."

Glickman is correct when he effectively said Hollywood was asleep at the wheel when it came to the power of the Internet.

Here is another Glickman quote.

   "Just because you buy a DVD to watch at home doesn't give you the 
    right to invite friends over to watch it too. That's a violation 
    of copyright and denies us the revenue that would be generated 
    from DVD sales to your friends. Ideally we expect each viewer 
    to have their own copy of the DVD, but we realize that isn't 
    always feasible. The registration fee is a fair compromise."

I guess it all depends on how fair is defined. Sadly politicians are going to make the definition and courts of law will decide if politicians define it constitutionally. The MPAA has lots of money; consequently, the MPAA has good friends in both the political and legal worlds.

MPAA Lobbying for Home Theater Regulations

[28 November 2006, top]
Firefox Defective When Handling Passwords
Allowing website users to enter HTML into webpage forms has been exploited by crackers for a long time. It appears as though browser writers are still having a problem making it secure. Caution must be used when you have the browser save password information on your personal computer because the information might not stay personal.

Firefox 2 Browser Struck by Password Flaw

[25 November 2006, top]
Yet Another Laptop With Customer Info Lost
Yet another laptop stolen and this time the laptop contained 11 million customer records. Interestingly, the laptop was missing three months before customers were notified. The BBC posting included the following quote.
   "There is no chance of any customer suffering any financial 
    loss on their accounts as a result of this." 
    -- Philip Williamson, Nationwide chief executive

Nationwide is from whom the laptop was stolen.

Williamson's quote is difficult to believe: "There is no chance..." Easy for him to say. In the phrase "no chance," the word "no" implies zero. Nationwide customers should probably not be so confident.

Security raised over laptop theft

[19 November 2006, top]
49 Million Adults Cracked Over Three Years
As of 18 November 2006, the U.S. population was approximately 300,231,640.
   "An estimated 49 million U.S. adults have been told over 
    the last three years that their personal information has 
    been lost, stolen or improperly disclosed."

49 million is 16.3% of the entire U.S. population.

   "Specifically, more than one in five adults said some organization 
    had notified them that their personal information was improperly 
    disclosed, translating into about 49 million people. Among those 
    adults, 48 percent were notified by a government agency, 29 percent 
    a financial company, and 12 percent by a commercial company. Other 
    organizations that had made notifications included educational 
    institutions, 6 percent, and healthcare facilities, 5 percent."

Given how many educational systems have been cracked, I was surprised that only six percent of the notifications came from academic institutions.

   "Fully 81 percent of adults notified of trouble perceived nothing 
    harmful happening as a result." 

These 81 percent of adults have to be careful because many criminals have a virtue called "patience." Just because I have information that can be used for criminal activity doesn't mean I have to use that information immediately.

   "Much of the damage suffered by victims was caused by friends and 
    family, stolen wallets or purses, pilfered information from mailboxes 
    or trash containers, and insider theft of personal data by employees 
    of organizations."

So true... interestingly there was no mention of people using unsecure computers connected to the Internet.

[18 November 2006, top]
Bad Software, Bad SysAdmining, Bad People Habits
Bad software, bad SysAdmining, and bad people habits are the three reasons crackers are happy in 2006.
   "The SANS Institute has released its annual list of 
    leading computer security concerns.  Identified as 
    prime targets for computer attacks are Microsoft's 
    Internet Explorer, Microsoft Office, Apple Computer's
    Mac OS X, and 'configuration weaknesses' in UNIX."

The most common type of crack is the "zero-day exploit" of web applications. At the time of this posting, I cannot explain what a "zero-day exploit" is, but I do know crackers like them.

Here is another copy/paste from the CNET posting.

   "SANS Institute also identified P2P applications, media 
    players, voice over Internet protocol phones, and people 
    themselves as some of the weakest spots in security."

I wish CNET would use the term "cracker" instead of "hacker" when writing about computer security.

CNET SANS names top hacker targets

[18 November 2006, top]
British Passports Can Be Cracked
The U.K. is using 21st century passports; however, it appears as though their "advanced digital encryption technique" contains defects that allow crackers to crack the supposedly crack-proof passports.
   "Today, some three million such passports have been issued, 
    and they don't look so secure. I am sitting with my scary 
    computer man and we have just sucked out all the supposedly 
    secure data and biometric information from three new passports 
    and displayed it all on a laptop computer."

Cracked it!

[17 November 2006, top]
Villanova University Has Student Data Stolen
Villanova University had a laptop stolen that contained information on more than 1,200 students and staff. The information did not contain SSNs. This sounds like just another university being careless with student data report, but in this case the laptop was stolen from Villanova's insurance company. Villanova needs to lead by example and find a new insurance company.

Bottom-line: When it comes to responsibility, Villanova is responsible for this data loss.

[06 November 2006, top]
Online Brokerages Popular With Crackers
It appears crackers are cracking online trading accounts. I use and it appears their website is relatively secure, but the problem is I'm not sure my home computer and network are secure. There are lots of places for crackers to find cracks.
   "About 25 percent of U.S. retail stock trades are made 
    by online investors through roughly 10 million online 
    accounts, according to brokerages regulator NASD."

I wish ZDNet would start calling crackers crackers instead of hackers.

Brokerages lose millions in hacker onslaught

[02 November 2006, top]
Elections Are Less Than a Week Away
Elections occur in less than one week (and none too soon). Protecting our voting systems is critical to preventing chaos within our political systems (which are seriously broken). May all go well. It appears Diebold machines are going to be the most commonly used and those are the machines that will be employed in Arizona.

E-Voting State by State

[02 November 2006, top]
Storage Devices With Built-In Encryption
With companies, organizations, and institutions unable to keep track of their laptop computers, disk drives with built-in encryption sound like an excellent idea. Sadly, the initial drives to do this will probably be expensive.

Seagate Debuts New Hard Drives with Built-In Encryption

[31 October 2006, top]
Catch a Terrorist Via Social Networking
The ACM Technews posted about how "Brian Hayes thinks a multidisciplinary focus on mathematics and social networking could perhaps give intelligence analysts the means to make reasonable assumptions about terrorist conspiracies based on surveillance data." Technews indicated that Hayes says the "main challenge is to enable algorithms to 'somehow distinguish a few dozen people intent on mayhem from other groups of the same size and structure who are planning a family reunion, canvassing the neighborhood for a lost cat, running for city council or war-dialing to win free concert tickets from a radio station.'"

Connecting the Dots

[25 October 2006, top]
Chinese Servers Used To Crack U.S. Systems
I wish news reporting organizations would use the term cracker instead of hacker when reporting this stuff.
   "The federal government's Commerce Department admitted that 
    heavy attacks on its computers by hackers working through 
    Chinese servers have forced the bureau responsible for granting 
    export licenses to lock down Internet access for more than a month."

   "Hundreds of computers must be replaced to cleanse the agency 
    of malicious code, including rootkits and spyware."

Note: Just because Chinese servers were used to crack U.S. computer systems does not mean the crackers were Chinese.

People (and they don't have to be hackers) who access computers without permission are crackers.

Chinese Hackers Hit Commerce Department

[25 October 2006, top]
Too Many Passwords Are a Pain
I admit it... I'm a sucker for "catchy" subject-lines. posted an article on the subject of password proliferation. I also admit to being lazy when it comes to my password administration.

A posting says "the Web-savvy user now has an average of 30 password-protected accounts." I can see how this might be true.

Companies and researchers are working hard at trying to come up with secure, efficient, and usable systems that will allow us to do away with passwords.

I 4got mY PasswRD

[21 October 2006, top]
Microsoft Sets a Patch Record
The headline caught my eye: "Microsoft sets new patch record." Immediately I wondered how many of the patches were patches to patches. According to, Microsoft issued patches to fix 26 defects. Ten of the patches were related to security defects. The Windows operating system is so defective the Windows applications have a relatively easy time taking advantage of the defects.

Microsoft Sets New Patch Record, Fixes 26 Flaws

[Extra] On a related note, had a posting titled "Symantec Predicts $10 Billions Sales by 2010." This will mean Symantec will double current sales within the next four years. I guess they should give a huge Thank You to Microsoft.

[11 October 2006, top]
General Electric Loses a Laptop Computer
On 9/26/2006, General Electric Co. announced that a "company laptop containing the names and Social Security numbers of 50,000 current and former employees was stolen in early September." [source: Reuters]

I get a kick when I read stuff like the following.

   "Evidence suggested the thief was after the stolen computer, 
    rather than the data on it."

A thief is a criminal who steals. Maybe initially they steal the laptop for the computer, but when they learn that it contains data, then the thief can use the data to steal people's identity. I can see it being easy for a property thief of today to turn into an identity thief tomorrow.

[27 September 2006, top]
U.S. Commerce Dept. Excels At Losing Laptop Computers
The U.S. Commerce Department has "lost" 1,137 laptop computers in the last five years. The Census Bureau alone lost 672 of the laptops and 246 of those contained private data like names, social security numbers and income levels.

It was estimated that the missing laptops "could contain the information of nearly 6,200 households." It was also reported that 100 percent of the Census Bureau's computers were password-protected; however, only 107 used data encryption.

Hundreds of Census Bureau Laptops Lost

[25 September 2006, top]
Draining Batteries of Internet Connected Cell Phones
Laptop recalls have been in the news lately and the recalls have been because of defective batteries. Now there was a report that crackers can drain cell phone batteries, which in turn could disrupt many cellular communications networks.
   "Battery power is the bottleneck for a cell phone.  
    It can't do anything with a dead battery."
   -- Hao Chen, assistant professor of CS at UC Davis

Cell phones conserve battery life by spending most of their time in standby mode, but Chen has discovered that the MMS protocol can be used to send packets of junk data to a cell phone. Every time a packet is received, the cell phone must awake from its slumber and this in turn drains the cell phone battery.

Note: the MMS protocol enables a cell phone to receive pictures, video and audio files.

Stealth Attack Drains Cell Phone Batteries

[11 September 2006, top]
Second Life Role Playing Game Cracked
Crackers cracked into databases of the "popular online role-playing game 'Second Life' and accessed 650,000 player names, addresses, and passwords, prompting the developer to order all players to change their log-ins."
   "Players' credit card information, which was stored in 
    another database, was encrypted and not compromised, 
    the company assured users."

Changing passwords is a good thing, but many computer users use the same password on multiple accounts. I hope 'Second Life' is instructing their users to change their passwords everywhere if necessary.

Role-Playing Game Site Hacked, 650,000 Affected

[11 September 2006, top]
An 81 Percent That is Difficult to Believe
Physical security is just as important as making sure we are using secure software.
   "Eighty-one percent of companies surveyed reported the 
    loss of one or more laptops containing sensitive information 
    during the past 12 months, according to the survey, which 
    queried nearly 500 information security professionals."

81% implies 81 out of every 100 companies have lost a laptop computer over the span of the last year.

Survey: 81% of U.S. firms lost laptops with sensitive data in the past year

[11 September 2006, top]
Crack DRM and See Microsoft Patch Quickly
Computer security guru Bruce Schneier wrote an article for Wired concerning Microsoft's patching practices. When Schneier speaks, it pays to listen. Schneier's article starts with the following paragraph.
   "If you really want to see Microsoft scramble to patch a hole 
    in its software, don't look to vulnerabilities that impact 
    countless Internet Explorer users or give intruders control 
    of thousands of Windows machines. Just crack Redmond's DRM."

DRM is Digital Rights Management. In a nutshell, Schneier says Windows defects that hurt corporate Microsoft are patched much more quickly than defects that hurt Microsoft users.

Schneier's article ends with the following paragraph.

   "If Microsoft abandoned this Sisyphean effort and put the 
    same development effort into building a fast and reliable 
    patching system, the entire internet would benefit. But 
    simple economics says it probably never will."

Quickest Patch Ever

[11 September 2006, top]
Drop Slip Found with Name/SSN at SCC
The Fall 2006 semester is underway at SCC and in the middle of week three I found my first drop slip on the ground. The drop slip was discovered while walking from the boys room to my office in the CM building complex. I picked the slip up and had access to a name along with a social security number.

I continue to be amazed that some MCCCD students have their social security numbers for their student identifiers. This should be illegal. Somebody in a leadership role at the MCCCD should read the following "extra."

[Extra] This was news on 2 August 2006... "Cal Poly has joined a growing list of colleges and universities that no longer use Social Security numbers as default identifiers for students. Colleges in California and across the nation are working to remove Social Security numbers from as much of the daily business of the institution as possible. Although the numbers will still be stored and used for reporting for such reasons as financial aid and health care, a new number will be used for routine purposes such as class lists."

[09 September 2006, top]
Verizon Wireless Exposes Customer Information
It is amazing how sloppy companies are with customer information. Mistakes happen, but companies need to be penalized when they make mistakes with customer data. The following is from late-August of 2006.
   "Verizon Wireless mistakenly e-mailed an Excel spreadsheet 
    containing information on more than 5,200 subscribers to 
    about 1,800 customers of the company. The e-mail was supposed 
    to include an electronic order form for a Bluetooth wireless 
    headset as part of a promotional offer.  The Excel file did 
    not contain highly sensitive information such as credit card 
    or Social Security numbers, but it did include names, e-mail 
    addresses, and cell phone models and numbers."

CNET Verizon Mistakenly E-Mails Customer Data

[09 September 2006, top]
AT&T's Webstore Cracked
AT&T stores lots of information on lots of people; therefore, it is not good when their systems get cracked. In this case it appears AT&T's webstore was defective.

Hackers steal AT&T customer info

Note: It was crackers (not hackers) who stole AT&T customer information.

[30 August 2006, top]
Crash a Server with Spam--Get Curfew
In 1990, Britain must have passed a law called the Computer Misuse Act, but I suspect it doesn't do much good in today's computing world.
   "A British teenager has been sentenced to a two-month 
    curfew for sending millions of e-mails to a former 
    employer, causing its servers to crash.  The teenager
    is not allowed to leave his home between the hours of 
    12:30 a.m. and 7:00 a.m. on weekdays and between 12:30 
    a.m. and 10:00 a.m. on weekends." 

This kid crashed somebody's server and that is a criminal act. A penalty of "curfew" was not remotely close to being sufficient.

[27 August 2006, top]
Microsoft Busy Patching Patches
Patches are usually necessary evils, but when you start patching patches, then you are moving beyond evil. Sadly, we have been patching patches for four decades.
   "Microsoft acknowledged that a patch issued earlier 
    this month for significant flaws in its operating 
    system has led to new problems for some users."

Note: This is the third consecutive Microsoft-related posting to this blog. It may appear as though we are picking on Microsoft, but we're not--Microsoft is simply dominating computer security news at this point in time.

Microsoft patch can cause IE trouble

[18 August 2006, top]
Dept. of Homeland Security Worried About Windows
When the Department of Homeland Security issues a computer security alert, it is much more than a "flaw." It is a defect and Windows has consistently proven itself to be defective for many, many years.

Simple man statement: Windows is just good enough software, but when it gets connected to the Internet it becomes just bad enough software.

U.S. Warns of Windows Security Flaw

[Extra] According to TechWeb, Microsoft has "patched almost as many critical vulnerabilities in the first 8 months of 2006 as it did in 2004 and 2005 combined."

[10 August 2006, top]
Buffer Overflow Defect Found with Microsoft DNS
Microsoft DNS has a "character string buffer overflow" defect. DNS is the Domain Name System that is used to map domain names into IP numbers.

Internet Security Systems announced it has "discovered and provided preemptive protection for critical flaws in the Microsoft Domain Name System (DNS) client since February 2006. ISS is providing customers with security content and protection for all of the vulnerabilities disclosed by Microsoft today, including a flaw in the Microsoft Server Service, which X-Force predicts could soon be used by attackers to create an Internet worm."

Internet Security Systems says that crackers can use "these vulnerabilities to answer a DNS query with a malicious response, triggering a heap corruption and gaining complete, unauthorized control of an affected machine."

Microsoft DNS Client Character String Buffer Overflow Vulnerability Version 1.0

[08 August 2006, top]
AOL Not Cracked, But Exposes Anonymous Data
AOL (America OnLine) had a website snafu that has many users upset.
   "AOL released search information on about 20 million 
    searches done from its software by about 658,000 anonymous 
    AOL users over a three-month period, representing about 
    one-third-of-1-percent of searches conducted over that time."

Even though the search information was for "anonymous" users, there is concern because "keyword searches have included users who search their own names."

   "The link to the actual file, containing searches done 
    by users whose personal IDs are replaced with random 
    numbers, is no longer available on AOL's Web site."

IDs were replaced with random numbers, but names weren't replaced by random names. On balance, AOL made a mistake, but in this case it does not appear to be that bad of a mistake.

AOL Takes Down Site With Users' Search Data

[Extra::2006.08.11] Quote from Google's CEO: "We are reasonably satisfied ... that this sort of thing would not happen at Google, although you can never say never."

[Update::2006.08.25] AOL's chief technology officer resigned and two other people were fired thanks to AOL's security oops. Kudos to AOL for taking care of sloppy computing practices.

[08 August 2006, top]
E-Passports Already Being Cracked
Crackers are cracking e-passports before they are even put into use. The United States plans to issue e-passports to U.S. citizens beginning in October 2006.
   "The whole passport design is totally brain damaged. 
    From my point of view all of these RFID passports 
    are a huge waste of money. They're not increasing 
    security at all."

Hackers Clone E-Passports

[03 August 2006, top]
JavaScript Effective at Cracking Intranets
JavaScript continues to be a great tool for crackers. CNET reported that JavaScript is becoming an effective tool for cracking into intranets (corporate and home).
   "Security researchers have found a way to use JavaScript 
    to map a home or corporate network and attack connected 
    servers or devices, such as printers or routers."

JavaScript opens doors to browser-based attacks

[30 July 2006, top]
U.S. Navy Needs Better IT Controls
Hey cyber-terrorists... take a look at some of the U.S. Navy computer systems. The following came from FCW (Federal Computer Week).
   "For the second time in recent weeks, officials from 
    the Navy said that personal information on Navy personnel 
    was posted on public Web sites, this time on the site of 
    the Naval Safety Center (NSC). In June, 28,000 records 
    were improperly placed on a public Web site of the Navy
    Personnel Command (NPC). In the second case, names and 
    Social Security numbers for more than 100,000 Navy personnel 
    were exposed, possibly affecting every active-service Navy 
    and Marine aviator of the past 20 years. The personal information 
    was also inadvertently included on 1,083 disks that the Navy mailed 
    to Navy and Marine Corps commands. The Navy is working to recover 
    those disks, and it has set up a hotline where affected individuals 
    can obtain more information."

Personal data exposed on Navy Web site

[22 July 2006, top]
Northwestern University in Illinois Cracked
From the YAUC department (YAUC is Yet Another University Cracked) comes the following...

Northwestern University was cracked by crackers who gained "access to nine personal computers on campus that contained sensitive data on about 17,000 students and applicants." The Chicago Sun-Times needs to report this stuff, but they need to use the word cracker instead of hacker. Bottom-line: The media will never get around to using the correct terminology when reporting about computer cracks.

Hackers break in to NU admissions, financial aid computers

[20 July 2006, top]
Spyware Crackers Like MySpace On Windows
A Washington Post blog posting started as follows.
   "An online banner advertisement that ran on 
    and other sites over the past week used a Windows security 
    flaw to infect more than a million users with spyware when 
    people merely browsed the sites with unpatched versions of 
    Windows, according to data collected by iDefense."

Supposedly the security defect was discovered by somebody using a Linux system. Bottom-line: beware of files having a dot-wmf suffix.

Hacked Ad Seen on MySpace Served Spyware to a Million

[20 July 2006, top]
Beware of "SQL Injection" Cracks
I had never heard of "SQL injection," but it is on the rise and it sounds scary.
   "SQL Injection is a type of security exploit in 
    which the attacker adds Structured Query Language 
    (SQL) code to a Web form input box to gain access 
    to an organization's resources or to make changes 
    to data. Using this technique, hackers can determine 
    the structure and location of key databases and can 
    download the database or compromise the database server."

SQL injection attacks against banks on the rise

[19 July 2006, top]
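
The form-input problem described in the quote above, shown as an added example (it is not from the original posting or the cited article). The table, account names, PINs and function names are all constructed for illustration; the weak lookup pastes form text into the SQL statement, the corrected one passes it as bound parameters.

```python
import sqlite3

# Constructed sample data: these accounts and PINs are made up for the example.
SAMPLE_ACCOUNTS = [("alice", "4821"), ("bob", "7710"), ("o'brien", "1593")]


def make_db():
    """Build an in-memory database holding the constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, pin TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return db


def lookup_concatenated(db, username, pin):
    """Weak pattern: form text becomes part of the SQL statement itself."""
    query = (
        "SELECT username FROM accounts "
        "WHERE username = '" + username + "' AND pin = '" + pin + "'"
    )
    return sorted(row[0] for row in db.execute(query))


def lookup_parameterized(db, username, pin):
    """Corrected pattern: form text is bound as data and never parsed as SQL."""
    query = "SELECT username FROM accounts WHERE username = ? AND pin = ?"
    return sorted(row[0] for row in db.execute(query, (username, pin)))


def compare(db, username, pin):
    """Run both lookups on the same form input and report what each returns."""
    results = {}
    lookups = (
        ("concatenated", lookup_concatenated),
        ("parameterized", lookup_parameterized),
    )
    for label, lookup in lookups:
        try:
            results[label] = lookup(db, username, pin)
        except sqlite3.OperationalError:
            # The input changed the statement's syntax. Errors like this in an
            # application log are a sign that input is reaching the SQL parser.
            results[label] = "sql-error"
    return results


if __name__ == "__main__":
    db = make_db()
    form_inputs = [
        ("alice", "4821"),          # ordinary login
        ("alice", "' OR '1'='1"),   # SQL text typed into the PIN box
        ("o'brien", "1593"),        # legitimate name containing a quote
    ]
    for username, pin in form_inputs:
        print(repr(username), repr(pin), compare(db, username, pin))
```

With the concatenated lookup, SQL typed into the PIN box matches every account and a legitimate name with an apostrophe breaks the statement; the parameterized lookup treats both inputs as plain data.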
Defect Found with Cisco Intrusion Detection Systems
Cisco systems are widely used to connect computers and networks to the Internet, internets, intranets, extranets and so on. On 12 July 2006, Cisco issued an advisory that was summarized as follows.
   "Cisco Intrusion Prevention System (IPS) software 
    version 5.1 is vulnerable to a denial of service 
    condition caused by a malformed packet, which may 
    result in an IPS device becoming inaccessible remotely 
    or via the console and fail to process packets. A power 
    reset is required to recover the IPS device. There are 
    no workarounds for this vulnerability." Cisco Intrusion Prevention System Malformed Packet Denial of Service

[14 July 2006, top]
Motley Fool Says Computing Might Never Be Secure
Motley Fool Headline via Yahoo: "Securing Your Portfolio." I see the headline because ISSX (Internet Security Systems Inc) is a GDT::Portfolio stock and the Motley Fool posting mentions ISSX stock. The Motley Fool posting believes it is erroneous for anyone to think that eventually "the h@ck3rs will be crushed."
   "Now there's some wishful thinking. It's doubtful that there 
    will ever be a clear winner in the war against online malcontents. 
    As long as a data-security company can hire a Ph.D. to write an 
    encryption algorithm, there will be crime rings out there willing 
    to pay another Ph.D. a hefty sum to find its holes. That said, 
    since there's no indication that individuals, financial institutions, 
    and other businesses and corporations plan to reduce their exposure 
    to the Internet, there should be a continued demand for products that 
    will keep their virtual valuables secure." 

The Motley Fool writer was recommending investors invest in what he called the "500 pound gorilla's" of computer security. This list did not include ISSX.

[14 July 2006, top]
Debian Server Cracked Thanks To Weak Passwords
A Debian GNU/Linux server was cracked thanks to a weak password on a developer account. The account was used by a cracker to exploit a "vulnerability in the Linux kernel to gain root -- or admin -- access on the server." An audit discovered that numerous developer accounts had "weak" passwords and these accounts have been "locked."

Question: Why were these accounts allowed to be created with "weak" passwords?

On the good news front, Debian reported the following.

   "The only obviously compromised binary was /bin/ping. 
    The compromised account did not have access to any 
    of the restricted Debian hosts. Hence, neither the 
    regular nor the security archive had a chance to 
    be compromised." Debian locks out developers after server hack

[14 July 2006, top]
It's Long Past Time to Protect Student Data
The Security Watchdog is full of postings about university computer systems being cracked. During the first half of 2006, the Security Watchdog has had postings about cracks at the following academic institutions: Western Illinois University, Kentucky University, Ohio University, University of Texas, and Georgetown University. [Note: I don't even come close to posting about every crack of a university system.] should have posted this article about five years ago.

   "A third of all data leaks are at universities.  Academia 
    should be held to stricter record confidentiality standards." It's Time to Protect Students' Data

[11 July 2006, top]
Crackers Probably Enjoy Wireless Networks
Hmmm... We've been taking this position long before Gartner's July 2006 survey: wireless networks are difficult to secure.
   "Security was rated in the top five concerns about 
    wireless LANs by 95 percent of respondents."

   "More alarming, 60 percent of enterprises said they 
    do not believe they have adequate security for their 
    wireless networks."

If corporate enterprises can't secure wireless networks, how are city-wide Wi-Fi networks secured? Security Is Biggest Drawback To Wireless Networks: Survey

[07 July 2006, top]
Today's Browsers are Full of Security Defects
reported that a "well-known hacker has vowed to disclose the details of at least one browser flaw every day in July as part of a project, called the Month of Bugs, that is designed to draw attention to unpatched security vulnerabilities."

The "hacker" is named H.D. Moore, a "researcher and the creator of the widely used Metasploit security toolkit."

Is this cracking for the good of humanity? quotes a Gartner analyst saying, "The fact remains that the browsers have too many vulnerabilities and we are all better off if Moore exposes them before the criminals exploit them."

Question: Who reacts most quickly, the cracker or the browser user needing to patch their browser?

If I am wandering the neighborhood and find an unlocked door at 123 E. Foo St. in Tempe, should this information be posted to the WWW? Hacker Goes Public with Unpatched Browser Bugs

[07 July 2006, top]
McAfee Predicts Viruses to Double by 2008
This headline caught my attention: "McAfee Predicts Viruses to Double by 2008." McAfee provides computer security software.
   "McAfee vendor added the 200,000th definition to its 
    threat database, and the security vendor expects the 
    total number of identified threats to double in another 
    two years. McAfee's antivirus products use these definitions 
    as digital fingerprints to determine which software should 
    not be allowed to run on a user's PC."

On the upside, McAfee believes there are "fewer serious outbreaks on the horizon" despite the rise in worms and viruses. Although this sounds oxymoronic, McAfee claims "serious outbreaks" attract attention; therefore, crackers are executing smaller cracks more frequently.

The PC World article mentioned that on older PCs the size of the McAfee definition database might force those PCs to run slow. McAfee Predicts Viruses to Double by 2008

[07 July 2006, top]
Pentagon Computers Under Attack by Crackers
A Baltimore Sun report published on 2 July 2006 starts with the following paragraph.
   "The number of reported attempts to penetrate 
    Pentagon computer networks rose sharply in the 
    past decade, from fewer than 800 in 1996 to more 
    than 160,000 last year - thousands of them successful. 
    At the same time, the nation's ability to safeguard 
    sensitive data in those and other government computer 
    systems is becoming obsolete as efforts to make improvements 
    have faltered and stalled."

What does "thousands of them successful" mean? The word them means crack attempts, but thousands implies a minimum of 1,000 and a maximum of 9,999.

It would be nice if the Baltimore Sun and other major newspapers would write cracker instead of hacker when they write about computers being cracked by criminals, foreign countries and terrorists.

The following about Chinese crackers isn't good news.

   "Pentagon computers, in particular, are under 
    constant attack. Recently, Chinese hackers were 
    able to penetrate and steal data from a classified 
    computer system serving the Joint Chiefs of Staff, 
    according to two sources familiar with the incident. 
    A security team spent weeks eliminating the breach 
    and installing additional safeguards." Hacker attacks hitting Pentagon

[Extra] The majority of hackers are not crackers. Most crackers are hackers, but you can be a cracker without being a hacker. Hacker good, cracker bad. I noticed the next posting is about ActiveX controls... hackers who are crackers like ActiveX controls.

[06 July 2006, top]
ActiveX Controls Remain Defective
It has been a while since something was posted about nasty ActiveX controls. It appears as though these objects remain a great source of security defects. Kudos to Internet Security Systems for helping make our computer world a safer place. [Note: Internet Security Systems is a GDT::Portfolio stock.]
   "Internet Security Systems announced that its X-Force®
    research and development team discovered a serious vulnerability 
    in the ActiveX control used by the popular Web conferencing 
    software, WebEx. ISS has worked closely with the company to 
    resolve the vulnerability and according to WebEx, there have 
    been no reported cases of users adversely affected by the 
    now resolved vulnerability." WebEx ActiveX Control DLL Injection

[06 July 2006, top]
Sophos Tells Windows Users to Switch to Macs
Sophos, a computer security firm, has issued a report saying because of security concerns Windows users should switch to using Macs.

The BBC reports that Sophos claims the "10 most commonly found pieces of malicious software all targeted Windows machines," while none of the malware infected Macs running the Mac OS X operating system.

Note: Macs can be and are cracked. Almost all systems running 20th century operating systems can be cracked. Ditto for Linux systems. Threats prompt Mac switch advice

[06 July 2006, top]
Western Illinois University Cracked; Kentucky University Loses Student Data
University systems continue to be a gold mine for crackers.

A server at Western Illinois University containing "between 200,000 and 240,000 Social Security or credit card numbers for current and former students may" have been cracked. I like how they use the word "may."

At the University of Kentucky, a faculty member lost a "thumb drive" containing class rosters. It was reported that the UofK was "in the process of replacing Social Security numbers as identifiers for students, but the rosters on the stolen drive date back to 1998 and contain Social Security numbers."

I find two or three social security numbers at SCC every semester. And these finds are made without looking for them. Academic institutions must stop using social security numbers as student identifiers.

[20 June 2006, top]
Laptop Stolen from ING Financial Services
ING Financial Services has a major problem with the security of their laptop computers and they call it a "gap." The following was reported by the East Valley Tribune on 18 June 2006.
   "A laptop containing the Social Security numbers and 
    other personal data of 13,000 District of Columbia 
    employees and retirees has been stolen."

   "The computer was stolen Monday from the Washington 
    home of an employee of ING U.S. Financial Services."

The AP news reported that the "laptop was not password-protected and the data was not encrypted." Obviously ING Financial Services needs to replace some of their SysAdmins.

   "For us, this is very unfortunate, but we're moving forward, 
    we're very focused and committed to find any other laptops 
    that don't have encryption software and to fix that. 
    This incident revealed a gap."

Since they are calling their shoddy security a "gap," an adjective needs to be used--it is a "huge gap."

   "Two other ING laptops containing information on 8,500 Florida 
    hospital workers were stolen in December, but the employees were 
    not notified until this week, said ING spokesman Chuck Eudy. 
    Neither laptop was encrypted, he said."

Obviously this company's employees are not good at "live and learn."

[18 June 2006, top]
National Nuclear Safety Administration Cracked
Crackers gained access to "personal records of at least 1,500 employees and contractors" by cracking a system that belongs to the National Nuclear Safety Administration. Reuters reports that the crack happened during September of 2005, but "top Energy Department officials were not told about it until this week." Let's see... September 2005 to June 2006 is not quite a year and in the world of U.S. government this is probably considered good turn around time.

[11 June 2006, top]
The Times are Good for Cracking VoIP
It appears that any "new" computer technology/service becomes a fertile playground for crackers. In this case it is VoIP (Voice Over Internet Protocol).
   "A Miami man and his cohort have been arrested and 
    charged with hacking into Voice over Internet Protocol 
    (VoIP) networks and stealing more than 10 million minutes 
    of call time. Federal prosecutors allege that Edwin Pena, 
    who owned and operated two VoIP telephone companies, sold 
    the minutes, earning more than $1 million altogether."

Why doesn't call these hackers crackers? Massive VoIP Theft Nets Hackers $1 Million

[11 June 2006, top]
Data Cracked on 2.2 Million Natl. Guard/Reserves
Same old story, sloppy handling of information by our government. Prior to this crack, data was stolen on 26.5 million U.S. military veterans. Potential new military motto: Looking for a few good identities for crackers to steal.
   "Personal information on about 2.2 million active-duty, 
    National Guard and Reserve troops was stolen last month 
    from a government employee's house."

   "This means nearly all current U.S. military personnel 
    may be at risk for identity theft, the Pentagon said." Troops' names among those on stolen VA database

[07 June 2006, top]
Browsers Still Having Problems Securing JavaScript
Damn JavaScript... Sadly, if you disable client-side processing, most websites become unusable.
   "Multiple security organizations warned Tuesday that 
    Internet Explorer, Firefox, Mozilla, and SeaMonkey 
    -- on Windows, Linux, and the Mac -- are vulnerable 
    to a JavaScript bug that could allow a determined 
    attacker to dupe users into giving up sensitive 
    personal information such as credit card or bank 
    account numbers and passwords." IE and Firefox Sport New Zero-day Flaw

[07 June 2006, top]
Embed RFID Tags in Immigrants
RFID (Radio Frequency IDentification) tags can be safely embedded in human-beings. One "brand" of RFID is the VeriChip.
   "VeriChip is a RFID tag about the size of a large grain of rice. 
    It can be injected directly into the body; a special coating on 
    the casing helps the VeriChip bond with living tissue and stay 
    in place."

Why not chip everybody who legally enters the country?

   "Scott Silverman, Chairman of the Board of VeriChip Corporation, 
    has proposed implanting the company's RFID tracking tags in 
    immigrant and guest workers. He made the statement on national 
    television on May 16."

Immigration is a huge issue; therefore, it is only natural for VeriChip Corporation to try to grow its business by advocating the chipping of immigrants. Proposal to Implant Tracking Chips in Immigrants

[05 June 2006, top]
Symantec's Anti-Virus Software Contains Defects
In the Windows world lots of computer users use software from Symantec Corp. to help secure their computers. But even Symantec's software can be cracked. eEye Digital Security has discovered defects that "could allow an attacker to create a worm able to take over a user's computer and destroy critical programs and files." Symantec Anti-Virus Software Contains Defects

[29 May 2006, top]
Patched Software Cannot Be Secure
It is difficult to believe that any "patched" software is secure. This is especially true when you have patches on top of patches. Oracle's CSO (Chief Security Officer) was correct when she said the following.
   "What if civil engineers built bridges the way 
    developers write code? What would happen is that 
    you would get the blue bridge of death appearing 
    on your highway in the morning."

Ms. Davidson also said something interesting about British crackers.

   "[They have] the perfect temperament to be hackers--technically 
    skilled, slightly disrespectful of authority, and just a touch 
    of criminal behavior."

Bottom-line: Crackers are criminals.

CNET Oracle exec hits out at 'patch' mentality

[29 May 2006, top]
VA Cracked--26 Million Records Exposed
What timing... Memorial Day is only a few days away.
   "As many as 26.5 million veterans were put at risk of 
    identity theft May 3 when an intruder stole an electronic 
    data file from the Aspen Hill home of a VA data analyst, 
    who was not authorized to remove the data from his office. 
    The electronic file contained names, birth dates and Social 
    Security numbers of veterans discharged since 1975, as well 
    as veterans who were discharged earlier and filed for VA benefits."

The "fact" that the VA data analyst was "not authorized to remove data from his office" is a moot point.

The Veterans Administration needs to fire some of the IT people. Veterans Angered by File Scandal

[25 May 2006, top]
Ohio University Computers Cracked
University systems continue to be a great way for crackers to obtain information that can be used for criminal activities such as identity theft. This time it is Ohio University that has been cracked. The school said that its cracked server "exposed personal information on about 300,000 individuals for more than a year." Data had been exposed since March 2005. Ohio University reports two separate security breaches

[06 May 2006, top]
University of Texas Cracked Again
The University of Texas at Austin had its computer system cracked again (the first crack was in 2003). This time the cracker gained access to 197,000 records. The records contained information on alumni, faculty, staff, current students, prospective students, and corporate recruiters. Unauthorized access of computer records discovered at The University of Texas at Austin

[26 April 2006, top]
Filing Taxes Online May Be Dangerous To Your Identity
I would agree with the following quote by New York State Attorney General Eliot Spitzer.
   "This is an attempt by the tax preparation services 
    to fatten their bottom lines at the expense of their 
    customers' privacy."

Until we compute in a secure computing world, the Internal Revenue Service should not allow "tax preparers to sell personal information with consent." The "with consent" is bull foo. I still don't know why I don't go to to file taxes.

Kudos to for asking an important question... Could IRS Plan Open Taxpayers To Identity Theft?

[06 April 2006, top]
Electronic Passports Coming During Summer 2006
The State Department has started pilot production of electronic passports month and plans to roll out e-passports for the general public during the summer of 2006.

This is bothersome.

   "The senior official in charge of the project also said 
    that technical issues raised recently about e-passport 
    security would not prevent the general distribution of 
    the documents."

The comments were prompted by the following news blurb.

   "In recent weeks, a Dutch RFID testing laboratory, 
    Riscure BV of Delft, has issued a statement that 
    it has been able to crack the encryption of the 
    Dutch e-passport using a PC in two hours."

e-Passports here they come ready or not... State launches e-passports, rejects security concerns

[05 April 2006, top]
IE Has Had a Lot of Critical Defects
During the week ending 25 March 2006, two "critical" defects were found with the Microsoft Internet Explorer (IE) web browser program. IE is the most popular web browser in use today with an approximate 85% market share. Second Bug In A Week Smacks At IE

[05 April 2006, top]
Mis-Configured CentOS Makes It a Cracker
Somebody was hosting websites for the city of Tuttle in Oklahoma. The hosting service was using CentOS and they did a poor job of SysAdmining the operating system and the Apache webserver software. The government of the city of Tuttle thought CentOS had cracked into their systems and they were mad to the point where they threatened to call in the FBI. According to TheRegister, the following was sent to CentOS.
   "Please remove your software immediately before 
    I report it to government officials!! I am the 
    City Manager of Tuttle, Oklahoma."

The Tuttle city manager needs to fire some of his IT staff. Oklahoma city threatens to call FBI over 'renegade' Linux maker

[25 March 2006, top]
Internet Security Systems Finds Sendmail Defect
Internet Security Systems, Inc. announced that they had discovered and issued a patch for a defect in the Sendmail server software. X-Force reported that "by sending malicious data at certain time intervals, it is possible for a remote attacker to corrupt arbitrary stack memory and gain control of the affected host." Sendmail is one of the most popular pieces of server software used on the Internet. Sendmail Remote Signal Handling Vulnerability

[Internet Security Systems is a GDT::Portfolio stock.]

[22 March 2006, top]
Credit Card Applications; Georgetown U. Server Cracked
It is difficult to believe, but somebody taped together a torn-up credit card application and was able to get a credit card. It appears the only safe way to dispose of a paper document is to run it through a shredder (or eat it). The Torn-Up Credit Card Application

[Extra] Georgetown University had a server cracked. The server contained "personal information on more than 41,000 individuals being tracked by the District of Columbia's Office of Aging." The crack took place on 12 February 2006, but was not reported until two weeks later.

[16 March 2006, top]
Cell Phones Running J2ME Can Be Cracked
Crackers are cracking cell phones. The RedBrowser.a virus pretends to "access WAP pages via free SMSs. But instead, it sends SMSs to premium rate numbers, implying economic losses for the user." These SMSs get charged at a $5-$6 rate. The Trojan spreads via a program named "RedBrowser." [What is WAP? WAP is the Wireless Application Protocol and it is used to enable wireless devices to access parts of the Internet.] J2ME/RedBrowser.a

[Extra] Physical security is important and carrying important data around in an unencrypted format is not wise. Computer security firm McAfee's auditor lost a CD containing unencrypted data on more than 9,000 McAfee employees. The CD was left in a seat pocket on an airliner. Doh!

[01 March 2006, top]
The NSA Likes To Use HTTP Cookies
The National Security Agency, in the name of homeland security, likes to use HTTP "cookies."

[Extra] Speaking of homeland security...

   "The Homeland Security Department is working with the 
    departments of Defense and State, the FBI and the 
    Commerce Department's National Institute of Standards 
    and Technology as well as technology vendors to develop 
    a new generation of 10-finger 'slap capture' units 
    for fingerprint collection."

   "The department plans to deploy existing 10-print capture 
    systems to border locations where they would be suitable. 
    But the existing systems have size, mobility, speed and 
    power requirements that make them unsuitable for many 
    locations where DHS plans to gather 10 print records, 
    according to procurement documents." DHS shoves fingerprint tech forward

[23 February 2006, top]
Be Careful What You Search For
I don't know how this can be true, but a recent survey of 800 Americans by the University of Connecticut discovered the following.
   60% opposed the storage of users' search queries
   32% supported the practice

   65% opposed government monitoring of search queries
   30% supported the practice

   50% opposed Google giving search query data to the government
   44% supported Google giving away the information

Every web user should know that every query string that is typed into every search engine is probably being stored. In many cases, these search queries are never deleted.

[22 February 2006, top]
Blackberry Handhelds Can Be Cracked
By supplying a specially crafted TIFF image as an email attachment and convincing a user to view the image on a BlackBerry Handheld, a remote, unauthenticated attacker could cause a denial of service to the Blackberry Attachment Service. [The BlackBerry Attachment Service renders certain types of files sent as email attachments for display on BlackBerry Handhelds and other BlackBerry client devices.] Vulnerability Note VU#570768
[sub-titled: "Research in Motion (RIM) BlackBerry Attachment Service does not properly handle TIFF image files."]

[13 February 2006, top]
EFF Co-Founder Must Show ID If He Wants To Fly
In a nutshell, the court said, "The Constitution does not guarantee the right to travel by any particular form of transportation." Thus, John Gilmore, co-founder of the EFF, lost his case to fly without needing to show identification.

CNET Court says ID checks at airports constitutional

[13 February 2006, top]
Ameriprise Laptop Stolen From a Car
Once again we see how important physical security is in today's computing world. In addition, it is difficult to believe that critical information is stored on laptop computers.
   "A laptop containing information on 230,000 individuals 
    was stolen from the car of an employee of Ameriprise 
    Financial in December.  The computer included names 
    and Social Security numbers for more than 70,000 financial 
    advisors, and names and Ameriprise account numbers for 
    158,000 customers of the firm, which was spun off of 
    American Express last year."

It is even more difficult to believe that critical data was stored in an un-encrypted format.

   "Andy MacMillan, a spokesperson from the company, 
    said that although access to the data is protected 
    by a password, the data were not encrypted, which 
    is a violation of written company policies."

   "MacMillan said the company does not believe that the 
    thief knew about the information contained on the laptop 
    and thinks that it is unlikely any of the information 
    will be accessed or used fraudulently."

When the laptop was stolen, the thief may not have known it contained unencrypted data, but now they might. I fail to see how Ameriprise can tell us that it is "unlikely any of the information will be accessed or used fraudulently." If they think this makes anybody feel better, they're wrong.

[13 February 2006, top]
Nyxem Virus Scheduled To Hit 3 February 2006
Friday, 3 February 2006, is an important date because that is when the Nyxem virus is scheduled to "delete Word, Powerpoint, Excel and Acrobat files on infected machines."

The Nyxem virus sounds nasty.

   "On infected machines the virus raids address books 
    to find e-mail addresses to send itself to."

   "The virus also tries to spread by searching for machines 
    on the same local network as any computer it has compromised."

   "Unlike many recent viruses Nyxem is set to overwrite 11 different 
    types of file on infected machines on the third of every month."

   "Separately, the virus also tries to disable anti-virus software 
    to stop it updating and can also disable the mouse and keyboard 
    on infected machines." Countdown for nasty Windows virus

[30 January 2006, top]
Marriott International Backup Tapes Stolen
This is old news, but stuff like this has to stop happening. Physical security plays an important role in overall computer security.

Marriott International Inc.'s time-share division announced it is "missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company."

[30 January 2006, top]
"Wi-Fi Security" Are Oxymorons
I've always been concerned about Wi-Fi security and it appears those concerns were justified. Windows Wi-Fi Flaw Uncovered

[Extra] Speaking of cybercrime... The FBI has released a study indicating "that yearly losses to computer crimes exceed $67 billion." For the last few years, we have had fun morphing the following Don Henley lyric.

   Henley sings:  "A man with a briefcase can steal
   more money than a man with a gun."

   Morphed lyric:  "A person with a high-speed Internet
   connection can steal more money than a man with a briefcase."
[21 January 2006, top]
2005 A Record Year For Computer Cracking
The USA Today quote says it all: "2005 saw the most computer security breaches ever; more than 55M Americans exposed." 55M is 55,000,000. It appears as though the Computer Watchdog will have a busy 2006. Record bad year for tech security

[07 January 2006, top]
About the Security WatchDog Blog
The Security WatchDog is a blog that monitors (i.e. watches) and records computer security issues and news items. This includes information pertaining to computer ethics and computer privacy.

The Security Watchdog includes postings about viruses, worms, trojan horses, cracks, and stuff like that. This blog also keeps an eye on issues such as biometrics, information warfare, privacy, and legal stuff (e.g. DMCA, SSSCA, etc.).

The Security WatchDog was started in March 2000 and as of 01 January 2006 it contained 287 postings.

[01 January 2006, top]

Author: Gerald D. Thurman
Last Modified: Saturday, 05-Jan-2013 11:17:39 MST
