So Called 'Smart' Clothes Coming Soon
I found this Security::Watchdog posting from a couple
of months ago that never got posted...
Earlier today I was at ASU hearing about embedded
and wireless systems. In fact, a picture of a
smart shirt was displayed. Embedded, wireless
systems along with nanosized sensors will make
for an interesting, if not scary, future.
"When micro-sized sensors can enquire our business in a
particular neighbourhood, and equally micro-sized agents
embedded within our clothing answer on our behalf, what
are the risks to our personal data? How will we safeguard
our personal privacy in such a society? SWAMI project
researchers aimed to find out."
SWAMI is "Safeguards in a World of Ambient Intelligence."
Personal data protection vital to future civil liberties
[30 December 2006, top]
Crackers Working Hard To Crack Windows Vista
It is no surprise that crackers are going to work hard
to crack Microsoft's new Windows Vista OS. Some defects
have already been found, but so far no major cracks have
been exploited. Supposedly, Microsoft has never tested
software as much as it has tested Vista. Only time will
tell if their testing was quality versus quantity.
Windows Vista Flaw Not Cause for Major Concern
[28 December 2006, top]
Mississippi State University System Cracked
Mississippi State University (MSU) was cracked exposing
information on approximately 2,400 students and employees.
The information included names and SSNs. The university
took pride in the fact they shut the system down immediately
upon learning about the crack. MSU said it is moving away
from Social Security numbers as student identifiers, but
that it is a slow process to do so.
[26 December 2006, top]
Boeing Cracked Yet Again (3rd Time Within a Year)
have lost yet another laptop containing personal information.
This is the third time within a year that Boeing has had
information stolen from them. The most recent loss included
names and Social Security numbers of 382,000 employees and
retirees. Boeing stated the following: "It's very disturbing
to us when things like this happen."
Boeing is a huge aerospace company that does a lot of
work for the United States DoD (Dept. of Defense).
The government should force this company to learn how
to secure their computers before giving them any more
huge contracts. Examples: On 25 December 2006,
Boeing got a $23.2 million deal from the Navy; and,
on 15 December 2006, the company announced a $13
million deal with the Air Force. Isn't doing
business with Boeing a homeland security issue?
[18 December 2006, top]
MySpace Passwords Not That Bad
Bruce Schneier has written an article about the passwords
used on MySpace accounts. The passwords were collected as
part of a MySpace phishing crack that stole "34,000 actual
user names and passwords" before being fixed by MySpace.com.
"We used to quip that 'password' is the most common password.
Now it's 'password1.' Who said users haven't learned anything
"But seriously"... the passwords on MySpace are not that bad.
Schneier wrote that "less than 4 percent were dictionary words
and that the great majority were at least alphanumeric." The
average password length was eight characters.
MySpace Passwords Aren't So Dumb
[15 December 2006, top]
Computer Systems at UCLA Cracked
Yet another university computer system has been cracked.
This time it is UCLA (University of California at Los
Angeles). Crackers gained access to personal information
on about "800,000 current and former students, faculty and
staff." The personal information included names and social
UCLA Probes Computer Security Breach
[12 December 2006, top]
Stop the Online Exploitation of Our Children Act
Politicians continue to want to control the Internet.
Each law that gets passed has the potential to erode
away at our computing freedoms.
"Millions of commercial Web sites and personal blogs
would be required to report illegal images or videos
posted by their users or pay fines of up to $300,000,
if a new proposal in the U.S. Senate came into law."
The proposed bill is called the "Stop the Online Exploitation
of Our Children Act." It is the politicians, however, who need
to be stopped. [
EFF.org: Support Bloggers' Rights]
Senator: Illegal images must be reported
[12 December 2006, top]
MySpace User Profiles Cracked Using QuickTime Player
User profiles on MySpace were cracked by a "worm that directed
victims to a phishing site where they were asked to type in their
Apple Computer's QuickTime player, which can be embedded in
MySpace user profiles. People logged into MySpace could have
their profiles infected by simply visiting an infected profile."
According to InformationWeek, in July of 2006, a "worm spreading
visitors to a site claiming the U.S. government was behind the
9/11 terrorist attacks."
Bottom-line: Cracking computers and websites is a form of
MySpace Shuts Down User Profiles Due To Worm Infection
[06 December 2006, top]
Dept. of Homeland Security Issues Cyberattack Alert
Cyberwarfare will be ugly. It would be chaos if a majority
of Americans woke up one morning and all their savings and
investment accounts had been set to zero.
"The U.S. government warned American private financial services
on Thursday of an al-Qaida call for a cyber attack against online
stock trading and banking Web sites beginning on Friday."
[Friday was 1 December 2006]
In a nutshell, the attack, if any, will try to wipe out
financial databases. Cracking databases is hard, but denial-of-service
attacks, which never touch the data, could still prevent anyone from
reaching it.
U.S. warns of possible Qaida financial cyber attack
[01 December 2006, top]
MPAA Wants To Know About Your Home Theater
[Update::2006.11.29] This was a hoax.
(MPAA) is worried about "home theaters" because they have the right
to know what is being shown in theaters. The MPAA needs laws to ensure
they know what is being shown in theaters (and that includes homes).
Everybody will have to register their home theater with the MPAA and
pay a $50 registration fee. If they don't, then they could
risk a $500,000 fine for every movie shown.
"The MPAA defines a home theater as any home with a television
larger than 29" with stereo sound and at least two comfortable
chairs, couch, or futon.
The poster wrote the following.
"The bill would require that any hardware manufactured in the future
contain technology that tells the MPAA directly of what is being shown
and specific details on the audience. The data would be gathered using
various motion sensors and biometric technology."
Will we still be able to watch movies naked?
MPAA head Dan Glickman is quoted saying the following.
"We didn't act early enough with the online sharing of our
copyrighted content. This time we're not making the same
mistake. We have a right to know what's showing in a theater."
Glickman is correct when he effectively said Hollywood was
asleep at the wheel when it came to the power of the Internet.
Here is another Glickman quote.
"Just because you buy a DVD to watch at home doesn't give you the
right to invite friends over to watch it too. That's a violation
of copyright and denies us the revenue that would be generated
from DVD sales to your friends. Ideally we expect each viewer
to have their own copy of the DVD, but we realize that isn't
always feasible. The registration fee is a fair compromise."
I guess it all depends on how "fair" is defined.
Sadly politicians are going to make the definition and
courts of law will decide if politicians define it constitutionally.
The MPAA has lots of money; consequently, the MPAA has good friends
in both the political and legal worlds.
MPAA Lobbying for Home Theater Regulations
[28 November 2006, top]
Firefox Defective When Handling Passwords
Allowing website users to enter HTML into web page
forms has been exploited by crackers for a long
time. It appears as though browser writers are
still having a problem making it secure: the flaw
reported here let a form injected into a page collect
credentials that the browser's password manager filled
in automatically. Caution must be used when you have the
browser save password information on your personal
computer, because that information might not stay personal.
Firefox 2 Browser Struck by Password Flaw
[25 November 2006, top]
Yet Another Laptop With Customer Info Lost
Yet another laptop stolen and this time the
laptop contained 11 million customer records.
Interestingly, the laptop was missing three
months before customers were notified. The
BBC posting included the following quote.
"There is no chance of any customer suffering any financial
loss on their accounts as a result of this."
-- Philip Williamson, Nationwide chief executive
Nationwide is from whom the laptop was stolen.
Williamson's quote is difficult to believe: "There is no chance..."
Easy for him to say. In the phrase "no chance," the word "no" implies
zero. Nationwide customers should probably not be so confident.
Security raised over laptop theft
[19 November 2006, top]
49 Million Adults Cracked Over Three Years
As of 18 November 2006, the U.S. population was approximately
"An estimated 49 million U.S. adults have been told over
the last three years that their personal information has
been lost, stolen or improperly disclosed."
49 million is 16.3% of the entire U.S. population.
"Specifically, more than one in five adults said some organization
had notified them that their personal information was improperly
disclosed, translating into about 49 million people. Among those
adults, 48 percent were notified by a government agency, 29 percent
a financial company, and 12 percent by a commercial company. Other
organizations that had made notifications included educational
institutions, 6 percent, and healthcare facilities, 5 percent."
Given how many educational systems have been cracked, I was
surprised that only six percent of the notifications came
from academic institutions.
"Fully 81 percent of adults notified of trouble perceived nothing
harmful happening as a result."
These 81 percent of adults have to be careful because
many criminals have a virtue called "patience." Just
because I have information that can be used for criminal
activity doesn't mean I have to use that information
"Much of the damage suffered by victims was caused by friends and
family, stolen wallets or purses, pilfered information from mailboxes
or trash containers, and insider theft of personal data by employees
So true... interestingly there was no mention of
people using unsecure computers connected to the
[18 November 2006, top]
Bad Software, Bad SysAdmining, Bad People Habits
Bad software, bad SysAdmining, and bad people habits
are the three reasons crackers are happy in 2006.
"The SANS Institute has released its annual list of
leading computer security concerns. Identified as
prime targets for computer attacks are Microsoft's
Internet Explorer, Microsoft Office, Apple Computer's
Mac OS X, and 'configuration weaknesses' in UNIX."
The most common type of crack is the "zero-day exploit"
of web applications. At the time of this posting, I cannot
explain what a "zero-day exploit" is, but I do know crackers
Here is another copy/paste from the CNET posting.
"SANS Institute also identified P2P applications, media
players, voice over Internet protocol phones, and people
themselves as some of the weakest spots in security."
I wish CNET would use the term "cracker" instead
of "hacker" when writing about computer security.
SANS names top hacker targets
[18 November 2006, top]
British Passports Can Be Cracked
The U.K. is using 21st century passports, however, it
appears as though their "advanced digital encryption
technique" contains defects that allow crackers to crack
the supposedly crack-proof passports.
"Today, some three million such passports have been issued,
and they don't look so secure. I am sitting with my scary
computer man and we have just sucked out all the supposedly
secure data and biometric information from three new passports
and displayed it all on a laptop computer."
[17 November 2006, top]
Villanova University Has Student Data Stolen
Villanova University had a laptop stolen that contained
information on more than 1,200 students and staff. The
information did not contain SSNs. This sounds like just
another report of a university being careless with student data,
but in this case the laptop was stolen from Villanova's insurance
company. Villanova needs to lead by example and find a new
Bottom-line: When it comes to responsibility,
Villanova is responsible for this data loss.
[06 November 2006, top]
Online Brokerages Popular With Crackers
It appears crackers are cracking online trading accounts.
I use Scottrade.com and it appears their website is relatively
secure, but the problem is I'm not sure my home computer and
network are secure. There are lots of places for crackers to
"About 25 percent of U.S. retail stock trades are made
by online investors through roughly 10 million online
accounts, according to brokerages regulator NASD."
I wish ZDNet would start calling crackers crackers
instead of hackers.
Brokerages lose millions in hacker onslaught
[02 November 2006, top]
Elections Are Less Than a Week Away
Elections occur in less than one week (and none too soon).
Protecting our voting systems is critical to preventing
chaos within our political systems (which are seriously
broken). May all go well. It appears Diebold machines
are going to be the most commonly used and those are the
machines that will be employed in Arizona.
E-Voting State by State
[02 November 2006, top]
Storage Devices With Built-In Encryption
With companies, organizations, and institutions unable to
keep track of their laptop computers, disk drives with
built-in encryption sounds like an excellent idea. Sadly,
the initial drives to do this will probably be expensive.
Seagate Debuts New Hard Drives with Built-In Encryption
[31 October 2006, top]
Catch a Terrorist Via Social Networking
The posted about how
"Brian Hayes thinks a multidisciplinary focus on mathematics
and social networking could perhaps give intelligence analysts
the means to make reasonable assumptions about terrorist conspiracies
based on surveillance data." TechNews indicates that Hayes says the
"main challenge is to enable algorithms to 'somehow distinguish a few
dozen people intent on mayhem from other groups of the same size and
structure who are planning a family reunion, canvassing the neighborhood
for a lost cat, running for city council or war-dialing to win free
concert tickets from a radio station.'"
Connecting the Dots
[25 October 2006, top]
Chinese Servers Used To Crack U.S. Systems
I wish news reporting organizations would use the
term cracker instead of hacker when
reporting this stuff.
"The federal government's Commerce Department admitted that
heavy attacks on its computers by hackers working through
Chinese servers have forced the bureau responsible for granting
export licenses to lock down Internet access for more than a month."
"Hundreds of computers must be replaced to cleanse the agency
of malicious code, including rootkits and spyware."
Note: Just because Chinese servers were used to crack
U.S. computer systems does not mean the crackers were
People (and they don't have to be hackers) who access
computers without permission are crackers.
Chinese Hackers Hit Commerce Department
[25 October 2006, top]
Too Many Passwords Are a Pain
I admit it... I'm a sucker for "catchy" subject-lines.
Forbes.com posted an article on the subject of password
proliferation. I also admit to being lazy when it comes
to my password administration.
A Forbes.com posting says "the Web-savvy user now
has an average of 30 password-protected accounts."
I can see how this might be true.
Companies and researchers are working hard at
trying to come up with secure, efficient, and
usable systems that will allow us to do away
I 4got mY PasswRD
[21 October 2006, top]
Microsoft Sets a Patch Record
The headline caught my eye: "Microsoft sets new patch record."
Immediately I wondered how many of the patches were patches to
patches. According to InformationWeek.com, Microsoft issued
patches to fix 26 defects. Ten of the patches were related
to security defects. The Windows operating system is so
defective the Windows applications have a relatively easy
time taking advantage of the defects.
Microsoft Sets New Patch Record, Fixes 26 Flaws
[Extra] On a related note, NewsFactor.com had a posting
titled "Symantec Predicts $10 Billions Sales by 2010." This
will mean Symantec will double current sales within the next
four years. I guess they should give a huge Thank You to Microsoft.
[11 October 2006, top]
General Electric Loses a Laptop Computer
announced that a "company laptop containing the names and Social
Security numbers of 50,000 current and former employees was stolen
in early September." [source: Reuters]
I get a kick when I read stuff like the following.
"Evidence suggested the thief was after the stolen computer,
rather than the data on it."
A thief is a criminal who steals. Maybe initially they steal the
laptop for the computer, but when they learn that it contains data,
then the thief can use the data to steal people's identity. I can
see it being easy for a property thief of today to turn into an
identity thief tomorrow.
[27 September 2006, top]
U.S. Commerce Dept. Excels At Losing Laptop Computers
The U.S. Commerce Department has "lost"
1,137 laptop computers
in the last five years. The Census Bureau alone lost
672 of the
246 of those contained private data like names,
social security numbers and income levels.
It was estimated that the missing laptops "could contain the
information of nearly 6,200 households." It was also reported
that 100 percent of the Census Bureau's computers were
password-protected; however, only
Hundreds of Census Bureau Laptops Lost
[25 September 2006, top]
Draining Batteries of Internet Connected Cell Phones
Laptop recalls have been in the news lately and the
recalls have been because of defective batteries.
Now there is a report that crackers can drain
cell phone batteries, which in turn could disrupt
many cellular communications networks.
"Battery power is the bottleneck for a cell phone.
It can't do anything with a dead battery."
-- Hao Chen, assistant professor of CS at UC Davis
Cell phones conserve battery life by spending most
of their time in standby mode, but Chen has discovered
that the MMS protocol can be used to send packets of
junk data to a cell phone. Every time a packet is received,
the cell phone must awake from its slumber and this
in turn drains the cell phone battery.
Note: the MMS protocol enables a cell phone to receive
pictures, video and audio files.
Stealth Attack Drains Cell Phone Batteries
[11 September 2006, top]
Second Life Role Playing Game Cracked
Crackers cracked into databases of the "popular online
role-playing game 'Second Life' and accessed 650,000 player
names, addresses, and passwords, prompting the developer to
order all players to change their log-ins."
"Players' credit card information, which was stored in
another database, was encrypted and not compromised,
the company assured users."
Changing passwords is a good thing, but many computer
users use the same password on multiple accounts. I
hope 'Second Life' is instructing their users to change
their passwords everywhere if necessary.
Role-Playing Game Site Hacked, 650,000 Affected
[11 September 2006, top]
An 81 Percent That is Difficult to Believe
Physical security is just as important as making sure
we are using secure software.
"Eighty-one percent of companies surveyed reported the
loss of one or more laptops containing sensitive information
during the past 12 months, according to the survey, which
queried nearly 500 information security professionals."
81% implies 81 out of every 100 companies surveyed have lost a laptop
computer over the span of the last year.
Survey: 81% of U.S. firms lost laptops with sensitive data in the past year
[11 September 2006, top]
Crack DRM and See Microsoft Patch Quickly
Computer security guru Bruce Schneier
wrote an article for Wired concerning Microsoft's patching practices.
When Schneier speaks, it pays to listen. Schneier's article starts
with the following paragraph.
"If you really want to see Microsoft scramble to patch a hole
in its software, don't look to vulnerabilities that impact
countless Internet Explorer users or give intruders control
of thousands of Windows machines. Just crack Redmond's DRM."
DRM is Digital Rights Management. In a nutshell, Schneier says
Windows defects that hurt Microsoft the corporation are patched much
more quickly than defects that hurt Microsoft's users.
Schneier's article ends with the following paragraph.
"If Microsoft abandoned this Sisyphean effort and put the
same development effort into building a fast and reliable
patching system, the entire internet would benefit. But
simple economics says it probably never will."
Quickest Patch Ever
[11 September 2006, top]
Drop Slip Found with Name/SSN at SCC
The Fall 2006 semester is underway at SCC and
in the middle of week three I found my first
drop slip on the ground. The drop slip was
discovered while walking from the boys room
to my office in the CM building complex. I
picked the slip up and had access to a name
along with a social security number.
I continue to be amazed that some MCCCD students
have their social security numbers for their
student identifiers. This should be illegal.
Somebody in a leadership role at the MCCCD
should read the following "extra."
[Extra] This was news on 2 August 2006...
"Cal Poly has joined a growing list of colleges and
universities that no longer use Social Security numbers
as default identifiers for students. Colleges in California
and across the nation are working to remove Social Security numbers
from as much of the daily business of the institution as possible.
Although the numbers will still be stored and used for reporting for
such reasons as financial aid and health care, a new number will be
used for routine purposes such as class lists."
[09 September 2006, top]
Verizon Wireless Exposes Customer Information
It is amazing how sloppy companies are with customer
information. Mistakes happen, but companies need to
be penalized when they make mistakes with customer data.
The following is from late-August of 2006.
"Verizon Wireless mistakenly e-mailed an Excel spreadsheet
containing information on more than 5,200 subscribers to
about 1,800 customers of the company. The e-mail was supposed
to include an electronic order form for a Bluetooth wireless
headset as part of a promotional offer. The Excel file did
not contain highly sensitive information such as credit card
or Social Security numbers, but it did include names, e-mail
addresses, and cell phone models and numbers."
Verizon Mistakenly E-Mails Customer Data
[09 September 2006, top]
AT&T's Webstore Cracked
of information on lots of people; therefore, it
not good when their systems get cracked. In
this case it appears AT&T's webstore was
Hackers steal AT&T customer info
Note: It was crackers (not hackers) who stole
AT&T customer information.
[30 August 2006, top]
Crash a Server with Spam--Get Curfew
In 1990, Britain must have passed a law called
the Computer Misuse Act, but I suspect it doesn't
do much good in today's computing world.
"A British teenager has been sentenced to a two-month
curfew for sending millions of e-mails to a former
employer, causing its servers to crash. The teenager
is not allowed to leave his home between the hours of
12:30 a.m. and 7:00 a.m. on weekdays and between 12:30
a.m. and 10:00 a.m. on weekends."
This kid crashed somebody's server and that is
a criminal act. A penalty of "curfew" was not
remotely close to being sufficient.
[27 August 2006, top]
Microsoft Busy Patching Patches
Patches are usually necessary evils, but when you start
patching patches, then you are moving beyond evil.
Sadly, we have been patching patches for four decades.
"Microsoft acknowledged that a patch issued earlier
this month for significant flaws in its operating
system has led to new problems for some users."
Note: This is the third consecutive Microsoft-related
posting to this blog. It may appear as though we are
picking on Microsoft, but we're not--Microsoft is simply
dominating computer security news at this point in time.
Microsoft patch can cause IE trouble
[18 August 2006, top]
Dept. of Homeland Security Worried About Windows
issues a computer security alert, it is much more than a "flaw."
It is a defect and Windows has consistently proven itself to be
defective for many, many years.
Simple man statement: Windows is just good
enough software, but when it gets connected
to the Internet it becomes just bad enough software.
U.S. Warns of Windows Security Flaw
[Extra] According to TechWeb, Microsoft has "patched almost
as many critical vulnerabilities in the first 8 months of 2006 as
it did in 2004 and 2005 combined."
[10 August 2006, top]
Buffer Overflow Defect Found with Microsoft DNS
Microsoft DNS has a "character string buffer overflow"
defect. DNS is the Domain Name System, which is used to
map domain names to IP addresses.
announced it has
"discovered and provided preemptive protection for critical flaws in
the Microsoft Domain Name System (DNS) client since February 2006.
ISS is providing customers with security content and protection for
all of the vulnerabilities disclosed by Microsoft today, including
a flaw in the Microsoft Server Service, which X-Force predicts could
soon be used by attackers to create an Internet worm."
Internet Security Systems says that crackers can use
"these vulnerabilities to answer a DNS query with a
malicious response, triggering a heap corruption and
gaining complete, unauthorized control of an affected
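The ISS advisory quoted above does not say which field was mishandled, so the following is an added example of the general pattern, not the Microsoft bug itself: a DNS <character-string> (RFC 1035, used in TXT and HINFO records) is a length octet followed by that many bytes, and the length octet is chosen by whoever answers the query. Copying it into a fixed buffer on the strength of that octet is exactly how a malicious response corrupts memory. The buffer size, the record contents and the function names are assumptions made for this demonstration; the code is not from the page or from any vendor.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* OUT_SIZE is scaled down from a realistic buffer so the example stays
 * small (assumption for this demo; real code would size it for 255+1). */
#define OUT_SIZE 8

/* Vulnerable pattern: the length octet is trusted. A response whose length
 * octet is >= OUT_SIZE writes past 'out' (heap or stack, wherever the
 * caller put it). Only ever call this with a benign record. */
int copy_charstring_unchecked(const uint8_t *rdata, char *out)
{
    uint8_t len = rdata[0];
    memcpy(out, rdata + 1, len);   /* len may be anything up to 255 */
    out[len] = '\0';
    return len;
}

/* Hardened version: the length is checked against what the packet really
 * carries (rdlen) and against the destination buffer. Returns bytes copied
 * or -1 for a malformed or oversized record. */
int copy_charstring_checked(const uint8_t *rdata, size_t rdlen,
                            char *out, size_t outsize)
{
    if (rdlen < 1)
        return -1;                 /* no length octet at all */
    size_t len = rdata[0];
    if (len + 1 > rdlen)
        return -1;                 /* length claims more than RDATA holds */
    if (len >= outsize)
        return -1;                 /* would overflow out (room for NUL too) */
    memcpy(out, rdata + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* 1 if the unchecked copy of this record would overflow an OUT_SIZE buffer. */
int unchecked_would_overflow(const uint8_t *rdata)
{
    return rdata[0] >= OUT_SIZE;
}

/* Constructed records, as they would sit in the RDATA of a TXT answer. */
const uint8_t BENIGN_RDATA[]    = { 5, 'h', 'e', 'l', 'l', 'o' };
/* Length octet claims 200 bytes follow, but the packet carries only 4. */
const uint8_t TRUNCATED_RDATA[] = { 200, 'a', 'b', 'c', 'd' };
/* Well-formed on the wire (10 bytes really follow) but larger than OUT_SIZE. */
const uint8_t OVERSIZED_RDATA[] = { 10, 'A','A','A','A','A','A','A','A','A','A' };

static char last_out[OUT_SIZE];

/* Convenience wrapper: parse into a static OUT_SIZE buffer with the checks. */
int parse_into_static(const uint8_t *rdata, size_t rdlen)
{
    memset(last_out, 0, sizeof last_out);
    return copy_charstring_checked(rdata, rdlen, last_out, sizeof last_out);
}

const char *last_parsed(void) { return last_out; }

int main(void)
{
    char out[OUT_SIZE];
    printf("benign, unchecked:  %d bytes -> \"%s\"\n",
           copy_charstring_unchecked(BENIGN_RDATA, out), out);
    printf("benign, checked:    %d\n",
           parse_into_static(BENIGN_RDATA, sizeof BENIGN_RDATA));
    printf("truncated, checked: %d\n",
           parse_into_static(TRUNCATED_RDATA, sizeof TRUNCATED_RDATA));
    printf("oversized, checked: %d (unchecked copy would overflow: %d)\n",
           parse_into_static(OVERSIZED_RDATA, sizeof OVERSIZED_RDATA),
           unchecked_would_overflow(OVERSIZED_RDATA));
    return 0;
}
```

The two rejected records show the two separate checks a resolver needs: the truncated one would read past the end of the packet, and the oversized one is perfectly valid DNS yet would still write past the destination, which is the case a fixed-size client buffer gets wrong.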
Microsoft DNS Client Character String Buffer Overflow Vulnerability
[08 August 2006, top]
AOL Not Cracked, But Exposes Anonymous Data
AOL (America OnLine) had a website snafu that has
many users upset.
"AOL released search information on about 20 million
searches done from its software by about 658,000 anonymous
AOL users over a three-month period, representing about
one-third-of-1-percent of searches conducted over that time."
Even though the search information was for "anonymous"
users, there is concern because "keyword searches have
included users who search their own names."
"The link to the actual file, containing searches done
by users whose personal IDs are replaced with random
numbers, is no longer available on AOL's Web site."
IDs were replaced with random numbers, but names inside the
queries weren't replaced by random names, and because each user
kept the same random number every one of their searches can still
be linked together. On balance, AOL made a mistake, but in this
case it does not appear to be that bad of a mistake.
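Why swapping the user ID for a random number is not the same as anonymizing the data, as an added example (not AOL's code or data): the search log, the names checked and the function names below are all constructed for this demonstration. The point it shows is that the pseudonym keeps every query of one user linkable, so a single self-identifying query exposes the whole history.

```python
import random

# Constructed search log of (user_id, query) pairs; not AOL's data.
LOG = [
    ("u1001", "best pizza near me"),
    ("u1001", "jane sample"),               # user searching her own name
    ("u1001", "jane sample home address"),
    ("u1001", "divorce lawyer"),
    ("u1002", "weather tomorrow"),
    ("u1002", "cheap flights"),
    ("u1003", "john doe linkedin"),
]


def pseudonymize(log, seed=0):
    """What the release did: swap each user ID for a random number and leave
    the query text alone. Seeded so the example is reproducible."""
    rng = random.Random(seed)
    mapping = {}
    out = []
    for uid, query in log:
        if uid not in mapping:
            mapping[uid] = rng.randrange(10**6, 10**7)
        out.append((mapping[uid], query))
    return out


def group_by_pseudonym(pseudo_log):
    """The random number is stable per user, so all of a user's searches
    remain linkable to one another. That linkage is the problem."""
    groups = {}
    for pid, query in pseudo_log:
        groups.setdefault(pid, []).append(query)
    return groups


def reidentify(pseudo_log, known_names):
    """If any query in a pseudonym's group contains one of the names being
    checked (assumption: the analyst has such a list, e.g. their own name),
    every query in that group becomes attributable to that person."""
    attributed = {}
    for pid, queries in group_by_pseudonym(pseudo_log).items():
        for name in known_names:
            if any(name in q.lower() for q in queries):
                attributed[name] = list(queries)
    return attributed


if __name__ == "__main__":
    released = pseudonymize(LOG)
    for name, queries in reidentify(released, ["jane sample", "john doe"]).items():
        print(name, "->", queries)
```

A release that wanted to be anonymous would have to break the linkage (no stable per-user key at all) or scrub identifying content from the queries, not just the ID column.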
AOL Takes Down Site With Users' Search Data
[Extra::2006.08.11] Quote from Google's CEO:
"We are reasonably satisfied ... that this sort of thing
would not happen at Google, although you can never say never."
[Update::2006.08.25 AOL's chief technology officer
resigned and two other people were fired thanks to AOL's
security oops. Kudos to AOL for taking care of sloppy
[08 August 2006, top]
E-Passports Already Being Cracked
Crackers are cracking e-passports before they
are even put into use. The United States plans
to issue e-passports to U.S. citizens beginning
in October 2006.
"The whole passport design is totally brain damaged.
From my point of view all of these RFID passports
are a huge waste of money. They're not increasing
security at all."
Hackers Clone E-Passports
[03 August 2006, top]
tool for cracking into intranets (corporate and home).
to map a home or corporate network and attack connected
servers or devices, such as printers or routers."
[30 July 2006, top]
U.S. Navy Needs Better IT Controls
Hey cyber-terrorists... take a look at some of the U.S. Navy
computer systems. The following came from
FCW (Federal Computer Week).
"For the second time in recent weeks, officials from
the Navy said that personal information on Navy personnel
was posted on public Web sites, this time on the site of
the Naval Safety Center (NSC). In June, 28,000 records
were improperly placed on a public Web site of the Navy
Personnel Command (NPC). In the second case, names and
Social Security numbers for more than 100,000 Navy personnel
were exposed, possibly affecting every active-service Navy
and Marine aviator of the past 20 years. The personal information
was also inadvertently included on 1,083 disks that the Navy mailed
to Navy and Marine Corps commands. The Navy is working to recover
those disks, and it has set up a hotline where affected individuals
can obtain more information."
Personal data exposed on Navy Web site
[22 July 2006, top]
Northwestern University in Illinois Cracked
From the YAUSC department (YAUSC is Yet Another
University System Cracked) comes the following...
was cracked by crackers who gained "access to nine
personal computers on campus that contained sensitive
data on about 17,000 students and applicants." The
Chicago Sun-Times needs to report this stuff, but
they need to use the word cracker instead
of hacker. Bottom-line: The media will
never get around to using the correct terminology
when reporting about computer cracks.
Hackers break in to NU admissions, financial aid computers
[20 July 2006, top]
Spyware Crackers Like MySpace On Windows
A WashingtonPost blog posting started as follows.
"An online banner advertisement that ran on MySpace.com
and other sites over the past week used a Windows security
flaw to infect more than a million users with spyware when
people merely browsed the sites with unpatched versions of
Windows, according to data collected by iDefense."
Supposedly the security defect was discovered by
somebody using MySpace.com with a Linux system.
Bottom-line: beware of files having a
Hacked Ad Seen on MySpace Served Spyware to a Million
[20 July 2006, top]
Beware of "SQL Injection" Cracks
I had never heard of "SQL injection," but
it is on the rise and it sounds scary.
"SQL Injection is a type of security exploit in
which the attacker adds Structured Query Language
(SQL) code to a Web form input box to gain access
to an organization's resources or to make changes
to data. Using this technique, hackers can determine
the structure and location of key databases and can
download the database or compromise the database server."
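The quoted definition above in working form, as an added example that is not from the page or from the article it cites. A throwaway SQLite table stands in for the bank's database (the table, rows and payloads are constructed for this demo), the first login function pastes user input into the SQL text the way the quote describes, and the second binds it as a parameter so the same payloads become inert.

```python
import sqlite3

# Constructed sample table; not data from any real bank or site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 100), ("bob", "hunter2", 250)])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The injectable pattern: user input is concatenated into the SQL text,
    so quotes and keywords in the input become part of the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Same query with bound parameters: the input travels as data and can
    never change the query's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Two classic payloads. The first turns the WHERE clause into
#   name = 'x' AND password = '' OR '1'='1'   -> matches every row.
BYPASS = "' OR '1'='1"
# The second appends a UNION that reads the schema catalogue (sqlite_master
# here; information_schema on most other engines) and comments out the rest,
# which is the "determine the structure of key databases" step in the quote.
SCHEMA_DUMP = "' UNION SELECT sql FROM sqlite_master --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "s3cret"))   # ['alice']
    print(login_vulnerable(db, "x", BYPASS))         # ['alice', 'bob']
    print(login_vulnerable(db, SCHEMA_DUMP, "x"))    # the CREATE TABLE text
    print(login_safe(db, "x", BYPASS))               # []
```

Note that the fix is structural (parameters), not a filter on quote characters; escaping input by hand is how the next bypass gets found.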
SQL injection attacks against banks on the rise
[19 July 2006, top]
Defect Found with Cisco Intrusion Detection Systems
Cisco Systems' equipment is widely used to connect computers
and networks to the Internet, internets, intranets,
extranets and so on. On 12 July 2006, Cisco issued
an advisory that was summarized as follows.
"Cisco Intrusion Prevention System (IPS) software
version 5.1 is vulnerable to a denial of service
condition caused by a malformed packet, which may
result in an IPS device becoming inaccessible remotely
or via the console and fail to process packets. A power
reset is required to recover the IPS device. There are
no workarounds for this vulnerability."
Cisco Intrusion Prevention System Malformed Packet Denial of Service
[14 July 2006, top]
Motley Fool Says Computing Might Never Be Secure
Motley Fool Headline via Yahoo: "Securing Your Portfolio."
I see the headline because ISSX (Internet Security Systems
Inc) is a GDT::Portfolio stock and the Motley Fool posting
mentions ISSX stock. The Motley Fool posting believes it is
erroneous for anyone to think that eventually "the
h@ck3rs will be crushed."
"Now there's some wishful thinking. It's doubtful that there
will ever be a clear winner in the war against online malcontents.
As long as a data-security company can hire a Ph.D. to write an
encryption algorithm, there will be crime rings out there willing
to pay another Ph.D. a hefty sum to find its holes. That said,
since there's no indication that individuals, financial institutions,
and other businesses and corporations plan to reduce their exposure
to the Internet, there should be a continued demand for products that
will keep their virtual valuables secure."
The Motley Fool writer was recommending investors invest
in what he called the "500 pound gorillas" of computer
security. This list did not include ISSX.
[14 July 2006, top]
Debian Server Cracked Thanks To Weak Passwords
A Debian GNU/Linux server was cracked thanks to a weak
password on a developer account. The account was used by
a cracker to exploit a "vulnerability in the Linux kernel
to gain root -- or admin -- access on the server." An
audit discovered that numerous developer accounts had
"weak" passwords and these accounts have been "locked."
Question: Why were these accounts allowed to be
created with "weak" passwords?
On the good news front, Debian reported the following.
"The only obviously compromised binary was /bin/ping.
The compromised account did not have access to any
of the restricted Debian hosts. Hence, neither the
regular nor the security archive had a chance to
Debian locks out developers after server hack
[14 July 2006, top]
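One answer to the question above is to reject weak passwords at the moment an account is created or a password is changed, before an attacker ever gets to guess them. The following is an added example, not Debian's code and not from the article: a policy check that catches short passwords, dictionary words (including the usual letter-for-symbol substitutions and trailing years), passwords containing the username, and low estimated entropy. The deny-list, the substitution table and the thresholds are assumptions for the demo; a real deployment would load the same wordlists an attacker feeds to a cracker.

```python
import math
import re

# Constructed stand-in for a cracking dictionary (assumption: a real check
# loads full wordlists, since those are what the attacker will try first).
COMMON_WORDS = {"password", "debian", "letmein", "qwerty", "welcome", "123456", "secret"}

# Undo the usual substitutions so that "P@ssw0rd" is judged as "password".
LEET = str.maketrans("013457@$!", "oleastasi")


def normalize(pw):
    return pw.lower().translate(LEET)


def entropy_bits(pw):
    """Upper-bound estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(username, pw, min_len=12, min_bits=50):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Compare the raw and de-leeted forms, each with and without trailing digits
    # ("Debian2006" -> "debian", "P@ssw0rd" -> "password").
    candidates = {pw.lower(), normalize(pw)}
    candidates |= {re.sub(r"\d+$", "", c) for c in list(candidates)}
    if candidates & COMMON_WORDS:
        problems.append("dictionary word")
    if len(username) >= 3 and any(username.lower() in c for c in candidates):
        problems.append("contains username")
    if entropy_bits(pw) < min_bits:
        problems.append("too little estimated entropy")
    return problems


if __name__ == "__main__":
    samples = [("jdoe", "Debian2006"), ("jdoe", "jdoe!P@ssw0rd"),
               ("bob", "P@ssw0rd"), ("jdoe", "correct horse battery staple")]
    for user, pw in samples:
        print(repr(pw), "->", check_password(user, pw) or "ok")
```

The entropy figure is an upper bound (it assumes every character was drawn uniformly from the pool), which is why the dictionary and username checks come first: "P@ssw0rd" scores over 50 bits by that measure and is still one of the first guesses any cracker makes.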
It's Long Past Time to Protect Student Data
is full of postings about university computer systems
being cracked. During the first half of 2006, the
Security Watchdog has had postings about cracks at
the following academic institutions: Western Illinois
University, Kentucky University, Ohio University,
University of Texas, and Georgetown University.
[Note: I don't even come close to posting
about every crack of a university system.]
have posted this article about five years ago.
"A third of all data leaks are at universities. Academia
should be held to stricter record confidentiality standards."
It's Time to Protect Students' Data
[11 July 2006, top]
Crackers Probably Enjoy Wireless Networks
Hmmm... We've been taking this position long before
Gartner's July 2006 survey: wireless networks are
difficult to secure.
"Security was rated in the top five concerns about
wireless LANs by 95 percent of respondents."
"More alarming, 60 percent of enterprises said they
do not believe they have adequate security for their
If corporate enterprises can't secure wireless networks,
how are city-wide Wi-Fi networks secured?
Security Is Biggest Drawback To Wireless Networks: Survey
[07 July 2006, top]
Today's Browsers are Full of Security Defects
a "well-known hacker has vowed to disclose the details of
at least one browser flaw every day in July as part of a
project, called the Month of Bugs, that is designed to draw
attention to unpatched security vulnerabilities."
The "hacker" is named ,
a "researcher and the creator of the widely used Metasploit
Is this cracking for the good of humanity?
NewsFactor.com quotes a Gartner analyst saying, "The fact remains that
the browsers have too many vulnerabilities and we are all better off
if Moore exposes them before the criminals exploit them."
Question: Who reacts most quickly, the cracker or the
browser user needing to patch their browser?
If I am wandering the neighborhood and find an unlocked
door at 123 E. Foo St. in Tempe, should this information
be posted to the WWW?
Hacker Goes Public with Unpatched Browser Bugs
[07 July 2006, top]
McAfee Predicts Viruses to Double by 2008
This headline caught my attention: "McAfee Predicts Viruses
to Double by 2008." provides
computer security software.
"McAfee vendor added the 200,000th definition to its
threat database, and the security vendor expects the
total number of identified threats to double in another
two years. McAfee's antivirus products use these definitions
as digital fingerprints to determine which software should
not be allowed to run on a user's PC."
On the upside, McAfee believes there are
"fewer serious outbreaks on the horizon"
despite the rise in worms and viruses.
Although this sounds oxymoronic, McAfee
claims "serious outbreaks" attract attention;
therefore, crackers are executing smaller
cracks more frequently.
The PC World article mentioned that on older PCs
the size of the McAfee definition database might
force those PCs to run slowly.
McAfee Predicts Viruses to Double by 2008
[07 July 2006, top]
Pentagon Computers Under Attack by Crackers
A report published
on 2 July 2006 starts with the following paragraph.
"The number of reported attempts to penetrate
Pentagon computer networks rose sharply in the
past decade, from fewer than 800 in 1996 to more
than 160,000 last year - thousands of them successful.
At the same time, the nation's ability to safeguard
sensitive data in those and other government computer
systems is becoming obsolete as efforts to make improvements
have faltered and stalled."
What does "thousands of them successful" mean?
The word them means crack attempts, but thousands implies
a minimum of 1,000 and a maximum of 9,999.
It would be nice if the Baltimore Sun and other
major newspapers would write cracker
instead of hacker when they write about
computers being cracked by criminals, foreign
countries and terrorists.
The following about Chinese crackers isn't good news.
"Pentagon computers, in particular, are under
constant attack. Recently, Chinese hackers were
able to penetrate and steal data from a classified
computer system serving the Joint Chiefs of Staff,
according to two sources familiar with the incident.
A security team spent weeks eliminating the breach
and installing additional safeguards."
Hacker attacks hitting Pentagon
The majority of hackers are not crackers. Most crackers are hackers,
but you can be a cracker without being a hacker. Hacker good, cracker
bad. I noticed the next posting is about ActiveX controls... hackers
who are crackers like ActiveX controls.
[06 July 2006, top]
ActiveX Controls Remain Defective
It has been a while since something was posted about
nasty ActiveX controls. It appears as though these
objects remain a great source of security defects.
Kudos to for helping make our computer world
a safer place. [Note: Internet Security
Systems is a GDT::Portfolio stock.]
"Internet Security Systems announced that its X-Force®
research and development team discovered a serious vulnerability
in the ActiveX control used by the popular Web conferencing
software, WebEx. ISS has worked closely with the company to
resolve the vulnerability and according to WebEx, there have
been no reported cases of users adversely affected by the
now resolved vulnerability."
WebEx ActiveX Control DLL Injection
[06 July 2006, top]
Sophos Tells Windows Users to Switch to Macs
, a computer
security firm, has issued a report saying because
of security concerns Windows users should switch
to using Macs.
The BBC reports that Sophos claims the "10 most
commonly found pieces of malicious software all
targeted Windows machines," while none of the
malware infected Macs running the Mac OS X
Note: Macs can and are cracked. Almost all
systems running 20th century operating systems
can be cracked. Ditto for Linux systems.
Threats prompt Mac switch advice
[06 July 2006, top]
Western Illinois University Cracked; Kentucky University Loses Student Data
University systems continue to be a gold mine for crackers.
A server at Western Illinois University containing
"between 200,000 and 240,000 Social Security or credit
card numbers for current and former students may" have
been cracked. I like how they use the word "may."
At the University of Kentucky, a faculty member lost a "thumb drive"
containing class rosters. It was reported that the UofK was "in the
process of replacing Social Security numbers as identifiers for
students, but the rosters on the stolen drive date back to
1998 and contain Social Security numbers."
I find two or three social security numbers at SCC every semester.
And these finds are made without looking for them. Academic
institutions must stop using social security numbers as
[20 June 2006, top]
Laptop Stolen from ING Financial Services
has a major problem with the security of their
laptop computers and they call it a "gap." The
following was reported by the on 18 June 2006.
"A laptop containing the Social Security numbers and
other personal data of 13,000 District of Columbia
employees and retirees has been stolen."
"The computer was stolen Monday from the Washington
home of an employee of ING U.S. Financial Services."
The AP news reported that the "laptop was not password-protected
and the data was not encrypted." Obviously ING Financial Services
needs to replace some of its SysAdmins.
"For us, this is very unfortunate, but we're moving forward,
we're very focused and committed to find any other laptops
that don't have encryption software and to fix that.
This incident revealed a gap."
Since they are calling their shoddy security a "gap,"
an adjective needs to be used--it is a "huge gap."
"Two other ING laptops containing information on 8,500 Florida
hospital workers were stolen in December, but the employees were
not notified until this week, said ING spokesman Chuck Eudy.
Neither laptop was encrypted, he said."
Obviously this company's employees are not
good at "live and learn."
[18 June 2006, top]
National Nuclear Safety Administration Cracked
Crackers gained access to "personal records of at least
1,500 employees and contractors" by cracking a system
that belongs to the
The Times are Good for Cracking VoIP
It appears that any "new" computer technology/service
becomes a fertile playground for crackers. In this
case it is VoIP (Voice Over Internet Protocol).
"A Miami man and his cohort have been arrested and
charged with hacking into Voice over Internet Protocol
(VoIP) networks and stealing more than 10 million minutes
of call time. Federal prosecutors allege that Edwin Pena,
who owned and operated two VoIP telephone companies, sold
the minutes, earning more than $1 million altogether."
Why doesn't NewsFactor.com call these hackers crackers?
Massive VoIP Theft Nets Hackers $1 Million
[11 June 2006, top]
Data Cracked on 2.2 Million Natl. Guard/Reserves
Same old story, sloppy handling of information by our
government. Prior to this crack, data was stolen on
26.5 million U.S. military veterans. Potential new
military motto: Looking for a few good identities
for crackers to steal.
"Personal information on about 2.2 million active-duty,
National Guard and Reserve troops was stolen last month
from a government employee's house."
"This means nearly all current U.S. military personnel
may be at risk for identity theft, the Pentagon said."
Troops' names among those on stolen VA database
[07 June 2006, top]
processing, most websites become unusable.
"Multiple security organizations warned Tuesday that
Internet Explorer, Firefox, Mozilla, and SeaMonkey
-- on Windows, Linux, and the Mac -- are vulnerable
attacker to dupe users into giving up sensitive
personal information such as credit card or bank
account numbers and passwords."
IE and Firefox Sport New Zero-day Flaw
[07 June 2006, top]
Embed RFID Tags in Immigrants
RFID (Radio Frequency IDentification) tags can be safely
embedded in human-beings. One "brand" of RFID is the
"VeriChip is a RFID tag about the size of a large grain of rice.
It can be injected directly into the body; a special coating on
the casing helps the VeriChip bond with living tissue and stay
Why not chip everybody who legally enters the country?
"Scott Silverman, Chairman of the Board of VeriChip Corporation,
has proposed implanting the company's RFID tracking tags in
immigrant and guest workers. He made the statement on national
television on May 16."
Immigration is a huge issue; therefore, it is only natural
for VeriChip Corporation to try to grow its business by
advocating the chipping of immigrants.
Proposal to Implant Tracking Chips in Immigrants
[05 June 2006, top]
Symantec's Anti-Virus Software Contains Defects
In the Windows world lots of computer users use software
from to help
secure their computers. But even Symantec's software
can be cracked.
has discovered defects that "could allow an attacker to create a
worm able to take over a user's computer and destroy critical
programs and files."
Symantec Anti-Virus Software Contains Defects
[29 May 2006, top]
Patched Software Cannot Be Secure
It is difficult to believe that any "patched" software
is secure. This is especially true when you have
patches on top of patches. Oracle's CSO (Chief Security
Officer) was correct when she said the following.
"What if civil engineers built bridges the way
developers write code? What would happen is that
you would get the blue bridge of death appearing
on your highway in the morning."
Ms. Davidson also said something interesting about
"[They have] the perfect temperament to be hackers--technically
skilled, slightly disrespectful of authority, and just a touch
of criminal behavior."
Bottom-line: Crackers are criminals.
Oracle exec hits out at 'patch' mentality
[29 May 2006, top]
VA Cracked--26 Million Records Exposed
What timing... Memorial Day is only a few days away.
"As many as 26.5 million veterans were put at risk of
identity theft May 3 when an intruder stole an electronic
data file from the Aspen Hill home of a VA data analyst,
who was not authorized to remove the data from his office.
The electronic file contained names, birth dates and Social
Security numbers of veterans discharged since 1975, as well
as veterans who were discharged earlier and filed for VA benefits."
The "fact" that the VA data analyst was "not authorized to remove
data from his office" is a moot point.
to fire some of the IT people.
Veterans Angered by File Scandal
[25 May 2006, top]
Ohio University Computers Cracked
University systems continue to be a great
way for crackers to obtain information that
can be used for criminal activities such as
identity theft. This time it is that has been cracked. The school
said that its cracked server "exposed personal information
on about 300,000 individuals for more than a year." Data
had been exposed since March 2005.
Ohio University reports two separate security breaches
[06 May 2006, top]
University of Texas Cracked Again
The University of Texas at Austin had its computer
system cracked again (the first crack was in 2003).
This time the cracker gained access to
197,000 records. The records
contained information on alumni, faculty,
staff, current students, prospective students,
and corporate recruiters.
Unauthorized access of computer records discovered
at The University of Texas at Austin
[26 April 2006, top]
Filing Taxes Online May Be Dangerous To Your Identity
I would agree with the following quote by New York
State Attorney General Eliot Spitzer.
"This is an attempt by the tax preparation services
to fatten their bottom lines at the expense of their
Until we compute in a secure computing world, the
should not allow "tax preparers to sell personal
information with consent." The "with consent"
is bull foo. I still don't know why I don't go
to IRS.gov to file taxes.
Kudos to TechWeb.com for asking an important question...
Could IRS Plan Open Taxpayers To Identity Theft?
[06 April 2006, top]
Electronic Passports Coming During Summer 2006
The State Department has started pilot production of
electronic passports month and plans to roll out
e-passports for the general public during the
summer of 2006.
This is bothersome.
"The senior official in charge of the project also said
that technical issues raised recently about e-passport
security would not prevent the general distribution of
The comments were prompted by the following news blurb.
"In recent weeks, a Dutch RFID testing laboratory,
Riscure BV of Delft, has issued a statement that
it has been able to crack the encryption of the
Dutch e-passport using a PC in two hours."
e-Passports here they come ready or not...
State launches e-passports, rejects security concerns
[05 April 2006, top]
IE Has Had a Lot of Critical Defects
During the week ending 25 March 2006, two "critical"
defects were found with the Microsoft Internet Explorer
(IE) web browser program. IE is the most popular web browser
in use today, with an approximate 85% market share.
Second Bug In A Week Smacks At IE
[05 April 2006, top]
Mis-Configured CentOS Makes It a Cracker
Somebody was hosting websites for the city of Tuttle in Oklahoma.
The hosting service was using CentOS and they did a poor job of
SysAdmining the operating system and the Apache webserver software.
The government of the city of Tuttle thought CentOS had cracked
into their systems and they were mad to the point where they
threatened to call in the FBI. According to TheRegister, the
following was sent to CentOS.
"Please remove your software immediately before
I report it to government officials!! I am the
City Manager of Tuttle, Oklahoma."
The Tuttle city manager needs to fire some of his
Oklahoma city threatens to call FBI over 'renegade' Linux maker
[25 March 2006, top]
Internet Security Systems Finds Sendmail Defect
announced that they had discovered and issued a patch for
a defect in the Sendmail server software. X-Force reported
that "by sending malicious data at certain time intervals,
it is possible for a remote attacker to corrupt arbitrary
stack memory and gain control of the affected host."
Sendmail is one of the most popular server software
used on the Internet.
Sendmail Remote Signal Handling Vulnerability
[Internet Security Systems is a GDT::Portfolio stock.]
[22 March 2006, top]
Credit Card Applications; Georgetown U. Server Cracked
It is difficult to believe, but somebody taped
together a torn-up credit card application and
was able to get a credit card. It appears the
only safe way to dispose of a paper document is
to run it through a shredder (or eat it).
The Torn-Up Credit Card Application
server cracked. The server contained "personal information
on more than 41,000 individuals being tracked by the
District of Columbia's Office of Aging." The crack
took place on 12 February 2006, but was not reported
until two weeks later.
[16 March 2006, top]
Cell Phones Running J2ME Can Be Cracked
Crackers are cracking cell phones. The pretends to "access WAP pages via
free SMSs. But instead, it sends SMSs to premium rate numbers,
implying economic losses for the user." These SMSs get charged
at a $5-$6 rate. The Trojan spreads via a program named
"RedBrowser." [What is WAP? WAP is the Wireless
Application Protocol and it is used to enable wireless
devices to access parts of the Internet.]
[Extra] Physical security is important and carrying
important data around in an unencrypted format is not wise.
Computer security firm McAfee's auditor lost a CD containing
unencrypted data on more than 9,000 McAfee employees. The CD
was left in a seat pocket on an airliner. Doh!
[01 March 2006, top]
The NSA Likes To Use HTTP Cookies
The National Security Agency, in the name of homeland
security, likes to use HTTP "cookies."
[Extra] Speaking of homeland security...
"The Homeland Security Department is working with the
departments of Defense and State, the FBI and the
Commerce Department's National Institute of Standards
and Technology as well as technology vendors to develop
a new generation of 10-finger 'slap capture' units
for fingerprint collection."
"The department plans to deploy existing 10-print capture
systems to border locations where they would be suitable.
But the existing systems have size, mobility, speed and
power requirements that make them unsuitable for many
locations where DHS plans to gather 10 print records,
according to procurement documents."
DHS shoves fingerprint tech forward
[23 February 2006, top]
Be Careful What You Search For
I don't know how this can be true, but a recent survey of 800
Americans by the
discovered the following.
60% opposed the storage of users' search queries
32% supported the practice
65% opposed government monitoring of search queries
30% supported the practice
50% opposed Google giving search query data to the government
44% supported Google giving away the information
Every web user should know that every query string that
is typed into every search engine is probably being stored.
In many cases, these search queries are never deleted.
[22 February 2006, top]
Blackberry Handhelds Can Be Cracked
By supplying a specially crafted TIFF image as an
email attachment and convincing a user to view the
image on a BlackBerry Handheld, a remote, unauthenticated
attacker could cause a denial of service to the Blackberry
Attachment Service. [The BlackBerry Attachment Service
renders certain types of files sent as email attachments for
display on BlackBerry Handhelds and other BlackBerry client
Vulnerability Note VU#570768
[13 February 2006, top]
[sub-titled: "Research in Motion (RIM) BlackBerry Attachment Service
does not properly handle TIFF image files."]
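The class of bug in VU#570768 is a renderer that trusts the lengths and offsets it reads from the file. As an added example (not RIM's code and not from the vulnerability note), here is a minimal TIFF directory walker that checks every file-supplied offset, entry count and field size before using it, run against constructed samples: one valid little-endian file, one big-endian file, and several malformed files of the kind that take down an unchecked parser. The limits, error strings and sample files are assumptions for the demo.

```python
import struct

# Byte widths of the twelve TIFF 6.0 field types (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


class TiffError(ValueError):
    """Raised for any structural problem; a parser that trusts the file instead is the DoS."""


def parse_tiff(data, max_ifds=64, max_entries=4096):
    """Return a list of IFDs, each a dict {tag: (type, count, raw_value_bytes)}.

    Every offset and length taken from the file is compared with len(data)
    before it is used, so a crafted file fails cleanly instead of crashing."""
    if len(data) < 8:
        raise TiffError("header truncated")
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise TiffError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic number")

    ifds, seen = [], set()
    while ifd_off != 0:
        if ifd_off in seen:
            raise TiffError("IFD chain loops")          # next-IFD pointer back to an earlier IFD
        seen.add(ifd_off)
        if len(ifds) >= max_ifds:
            raise TiffError("too many IFDs")
        if ifd_off + 2 > len(data):
            raise TiffError("IFD offset past end of file")
        (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
        if n == 0:
            raise TiffError("empty IFD")
        if n > max_entries:
            raise TiffError("too many IFD entries")
        entries_end = ifd_off + 2 + 12 * n
        if entries_end + 4 > len(data):                   # entries plus the next-IFD pointer
            raise TiffError("IFD truncated")

        entries = {}
        for i in range(n):
            off = ifd_off + 2 + 12 * i
            tag, typ, count = struct.unpack(end + "HHI", data[off:off + 8])
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise TiffError("unknown field type")
            nbytes = size * count
            # In a C parser this multiply is 32-bit; a wrapped result makes a huge
            # field look like it fits in the 4-byte inline slot. Python ints do not
            # wrap, so the check is written out explicitly.
            if nbytes > 0xFFFFFFFF:
                raise TiffError("field size overflows 32 bits")
            if nbytes <= 4:
                raw = data[off + 8:off + 8 + nbytes]      # value stored inline in the entry
            else:
                (voff,) = struct.unpack(end + "I", data[off + 8:off + 12])
                if voff + nbytes > len(data):
                    raise TiffError("field value past end of file")
                raw = data[voff:voff + nbytes]
            entries[tag] = (typ, count, raw)
        ifds.append(entries)
        (ifd_off,) = struct.unpack(end + "I", data[entries_end:entries_end + 4])
    return ifds


def check(data):
    """'ok' for a well-formed file, otherwise the reason it was rejected."""
    try:
        parse_tiff(data)
        return "ok"
    except TiffError as e:
        return str(e)


# Builders for the constructed samples below (assumption: minimal files, no pixel data).
def _ifd(entries, end="<", next_ifd=0):
    out = struct.pack(end + "H", len(entries))
    for tag, typ, count, inline in entries:      # inline is the 4-byte value/offset slot
        out += struct.pack(end + "HHI", tag, typ, count) + inline
    return out + struct.pack(end + "I", next_ifd)


def _tiff(ifd_bytes, ifd_offset=8, end="<"):
    bom = b"II" if end == "<" else b"MM"
    return bom + struct.pack(end + "HI", 42, ifd_offset) + ifd_bytes


def _short(v, end="<"):
    return struct.pack(end + "H", v) + b"\0\0"   # SHORT value padded to the 4-byte slot


GOOD = _tiff(_ifd([(256, 3, 1, _short(64)), (257, 3, 1, _short(32))]))           # 64x32 image
GOOD_BE = _tiff(_ifd([(256, 3, 1, _short(64, ">"))], end=">"), end=">")
BAD_OFFSET = _tiff(_ifd([(256, 3, 1, _short(64))]), ifd_offset=0x7FFFFFFF)         # IFD far past EOF
TRUNCATED = _tiff(struct.pack("<H", 50) + _ifd([(256, 3, 1, _short(64))])[2:])    # claims 50 entries, has 1
OVERFLOW = _tiff(_ifd([(273, 4, 0x40000001, struct.pack("<I", 8))]))              # 4 * count wraps to 4
PAST_EOF = _tiff(_ifd([(270, 2, 100, struct.pack("<I", 1000))]))                   # 100-byte string at 1000
LOOP = _tiff(_ifd([(256, 3, 1, _short(64))], next_ifd=8))                          # next IFD points at itself

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("GOOD_BE", GOOD_BE), ("BAD_OFFSET", BAD_OFFSET),
                         ("TRUNCATED", TRUNCATED), ("OVERFLOW", OVERFLOW),
                         ("PAST_EOF", PAST_EOF), ("LOOP", LOOP)]:
        print(f"{name:11s} {check(sample)}")
```

The OVERFLOW sample is the one to study: a LONG field with count 0x40000001 has a byte size of 0x100000004, which a 32-bit multiply reduces to 4, so an unchecked parser treats it as an inline value and later walks far beyond the buffer when it honours the count. The defensive rule for any attachment renderer is the same one the code applies: never let a number read from the file choose how much memory to touch without first bounding it against the data you actually have.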
EFF Co-Founder Must Show ID If He Wants To Fly
In a nutshell, the court said, "The Constitution does
not guarantee the right to travel by any particular
form of transportation." Thus, , co-founder of the EFF, lost his
case to fly without needing to show identification.
Court says ID checks at airports constitutional
[13 February 2006, top]
Ameriprise Laptop Stolen From a Car
Once again we see how important physical security
is in today's computing world. In addition, it is
difficult to believe that critical information is
stored on laptop computers.
"A laptop containing information on 230,000 individuals
was stolen from the car of an employee of Ameriprise
Financial in December. The computer included names
and Social Security numbers for more than 70,000 financial
advisors, and names and Ameriprise account numbers for
158,000 customers of the firm, which was spun off of
American Express last year."
It is even more difficult to believe that
critical data was stored in an un-encrypted
"Andy MacMillan, a spokesperson from the company,
said that although access to the data is protected
by a password, the data were not encrypted, which
is a violation of written company policies."
"MacMillan said the company does not believe that the
thief knew about the information contained on the laptop
and thinks that it is unlikely any of the information
will be accessed or used fraudulently."
When the laptop was stolen, the thief may not have
known it contained unencrypted data, but now they
might. I fail to see how Ameriprise can tell us
that it is "unlikely any of the information will
be accessed or used fraudulently." If they think
this makes anybody feel better, they're wrong.
[13 February 2006, top]
Nyxem Virus Scheduled To Hit 3 February 2006
Friday, 3 February 2006, is an important date
because that is when the Nyxem virus is scheduled
to "delete Word, Powerpoint, Excel and Acrobat
files on infected machines."
The Nyxem virus sounds nasty.
"On infected machines the virus raids address books
to find e-mail addresses to send itself to."
"The virus also tries to spread by searching for machines
on the same local network as any computer it has compromised."
"Unlike many recent viruses Nyxem is set to overwrite 11 different
types of file on infected machines on the third of every month."
"Separately, the virus also tries to disable anti-virus software
to stop it updating and can also disable the mouse and keyboard
on infected machines."
Countdown for nasty Windows virus
[30 January 2006, top]
Marriott International Backup Tapes Stolen
This is old news, but stuff like this has to stop happening.
Physical security plays an important role in overall
Marriott International Inc.'s time-share division announced
it is "missing backup computer tapes containing credit card
account information and the Social Security numbers of about
206,000 time-share owners and customers, as well as employees
of the company."
[30 January 2006, top]
"Wi-Fi Security" Are Oxymorons
I've always been concerned about Wi-Fi security
and it appears those concerns were justified.
Windows Wi-Fi Flaw Uncovered
[Extra] Speaking of cybercrime... The FBI has released
a study indicating "that yearly losses to computer crimes exceed
$67 billion." For the last few years, we have had fun morphing
the following Don Henley lyric.
Henley sings: "A man with a briefcase can steal
more money than a man with a gun."
Morphed lyric: "A person with a high-speed Internet
connection can steal more money than a man with a briefcase."
[21 January 2006, top]
2005 A Record Year For Computer Cracking
The quote says it all:
"2005 saw the most computer security breaches ever; more than
55M Americans exposed." 55M is 55,000,000. It appears as
will have a busy 2006.
Record bad year for tech security
[07 January 2006, top]
About the Security WatchDog Blog
The is a blog that
monitors (i.e. watches) and records computer security issues and
news items. This includes information pertaining to computer
ethics and computer privacy.
The Security Watchdog includes postings about viruses, worms, trojan
horses, cracks, and stuff like that. This blog also keeps an eye on
issues such as biometrics, information warfare, privacy, and legal
stuff (e.g. DMCA, SSSCA, etc.).
was started in March 2000 and as of 01 January 2006
it contained 287 postings.
[01 January 2006, top]