GDT::Security::Watchdog::Archive::Year 2007

Security Watchdog

Russian Crackers Are Great Computer Crackers
The New York Times should be asking: What's Russian for 'Cracker'?
   "Russia has become a major breeding ground for hackers who 
    use their anonymity to inflict mayhem on the West, aided 
    by the Russian government's apparent indifference to their 
    activities. The roots of Russian hacktivism include the 
    country's strong system of math and science education, 
    generally poor job prospects for graduates of Russian 
    technical institutions, and societal encouragement of 
    rule-breaking as a form of resistance against the strictures 
    and despotism of the Communist regime."

There is little doubt that Russian programmers are excellent programmers.

   "There was always a great entrepreneurial spirit in Russia, 
    but it has always been directed at things that not only help 
    people, but also hurt people." notes Russian-American author 
    Gary Shteyngart. 

Entrepreneurialism is a big deal in the U.S. these days. Numerous universities are offering degrees in this area.

   "Rough estimates place 28 million Internet users in Russia, 
    versus 150 million in China and 210 million in America. 
    Russian hackers are considered by VeriSign to be the worst 
    type of hackers because of their links to organized crime 
    outfits that embezzle money with stolen bank and credit 
    card information."

It seems appropriate to add a line to Don Henley's lyric...

   "The man with a briefcase can steal more money 
    than a man with a gun."

to include...

   "And a cracker with a high-speed Internet connection
    can steal more money than a man with a briefcase." What's Russian for 'Hacker'?

[22 December 2007, top]
Crackers Like PCs In Poor Countries
They are crackers; not hackers. Hackers don't crack computers that don't belong to them.

Good headlines often tell the story... Hackers have poor nations' PCs in their sights

[Extra] This is old news from last month...

   "A zero-day vulnerability in the latest version of 
    RealPlayer and RealPlayer 11 Beta is actively being 
    exploited, Symantec said Friday morning."
   "The issue affects an ActiveX object in the RealPlayer 
    component called 'ierpplug.dll.'"

Crackers can exploit the RealPlayer crack by putting crack code in dot-html files. If the dot-html files are rendered by IE (Internet Explorer), then...

   "The malicious .html page checks several versions of 
    RealPlayer to determine if the installed application 
    is vulnerable. If it is, the attacker can potentially 
    take control of the computer." -- Symantec
[22 December 2007, top]
Oak Ridge National Laboratory Cracked
If true, then bad news.
   "12/7/2007:  The Oak Ridge National Laboratory (ORNL) said a 
    'sophisticated cyberattack' executed over the past several 
    weeks might have allowed hackers to steal the personal 
    information of thousands of lab visitors."

The ORNL has massive quantities of computing capability.

The ORNL alerted employees with the following message.

   "[...] to be part of a coordinated attempt to gain access 
    to computer networks at numerous laboratories and other 
    institutions across the country."

It's not a "hack attack," it is a crack attack... Hack Attack Compromises National Lab

[08 December 2007, top]
Use Caution When Visiting appears to be a dangerous website to visit. ScanSafe was quoted as saying the website "is an entire cocktail of downloader Trojans and dropper Trojans." According to ScanSafe's analysis, contains 434 malicious files. The Security Watchdog wouldn't be surprised if this file count is growing and growing and growing.

[08 December 2007, top]
And What Are You Reading?
This is old news that the Security Watchdog was not aware of.
   AP Headline:  "U.S. Withdraws Subpoena Seeking Identity of 
                  24,000 Amazon Customers Sought As Witnesses"

Federal prosecutors created a subpoena seeking the "identities of thousands of people who bought used books through online retailer Inc."

The following quote from U.S. Magistrate Judge Stephen Crocker is chilling in itself.

   "The (subpoena's) chilling effect on expressive e-commerce 
    would frost keyboards across America." 

   "Well-founded or not, rumors of an Orwellian federal criminal 
    investigation into the reading habits of Amazon's customers 
    could frighten countless potential customers into canceling 
    planned online book purchases."

The AP reported that "federal prosecutors issued the subpoena last year as part of a grand jury investigation into a former Madison [Wisconsin] official who was a prolific seller of used books on They were looking for buyers who could be witnesses in the case."

The AP quoted the government saying: "We didn't care about the content of what anybody read. We just wanted to know what these business transactions were. These were simply business records we were seeking to prove the case of fraud and tax crimes against Mr. D'Angelo."

[08 December 2007, top]
Crackers Might Exploit CPU Math Errors
Adi Shamir is a professor at Israel's Weizmann Institute of Science. Adi is also the 'S' in RSA.
   "With the increasing word size and sophisticated optimizations 
    of multiplication units in modern microprocessors, it becomes 
    increasingly likely that they contain some undetected bugs. 
    This was demonstrated by the accidental discovery of the obscure 
    Pentium division bug in the mid 1990's, and by the recent discovery 
    of a multiplication bug in the Microsoft Excel program."

According to Wei Dai, co-creator of the VMAC message authentication code and author of Crypto++, a free C++ class library of cryptographic algorithms, there are ways to protect against CPU math errors, and "the RSA implementation in Crypto++ is already protected against this attack..." In a nutshell, Wei Dai said, "[...] after doing the RSA private key operation y=x^d mod n, one should check that the result is correct by verifying that x=y^e mod n. Crypto++ has done this since version 5.1."
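The check Wei Dai describes is easy to see in code. The following is an added example written for this post; it is not code from Crypto++ or from Wei Dai. The toy key (p = 61, q = 53) and the `faulty_modexp` stand-in for a buggy multiplication unit are constructed for the demonstration, and `modexp` being injectable is an assumption made so the faulty CPU can be simulated. The point is that a private-key result is only released after y^e mod n is confirmed to equal x, so a wrong multiply produces an error instead of a faulty signature.

```python
# Added example (not from Crypto++ or the post): the RSA self-check
# "after y = x^d mod n, verify x == y^e mod n" before releasing y.
# The key below is a constructed toy key, far too small for real use.
P, Q = 61, 53
N = P * Q                 # 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17
D = pow(E, -1, PHI)       # 2753, modular inverse (Python 3.8+)


def rsa_private_op(x, d=D, e=E, n=N, modexp=pow):
    """Compute y = x^d mod n and return it only if y^e mod n == x.

    `modexp` is injectable (an assumption for this demo) so that a
    faulty multiplier can be simulated; a real library would call its
    own modular exponentiation here. Releasing an unchecked wrong
    answer is exactly what a math-error attack on RSA needs.
    """
    y = modexp(x, d, n)
    if modexp(y, e, n) != x % n:
        # Withhold the result: a faulty y must never leave the function.
        raise ArithmeticError("RSA private operation failed self-check")
    return y


def faulty_modexp(base, exp, mod):
    """Constructed stand-in for a CPU with a multiplication bug: every
    long (private-exponent) exponentiation comes back off by one."""
    r = pow(base, exp, mod)
    return (r + 1) % mod if exp > 1000 else r


def sign_and_verify(message_repr):
    """On a correct CPU: returns (signature, True) once the public
    operation confirms the signature."""
    s = rsa_private_op(message_repr)
    return s, pow(s, E, N) == message_repr


def faulty_cpu_detected(message_repr):
    """True when the self-check catches the simulated faulty multiplier
    instead of handing back a bad signature."""
    try:
        rsa_private_op(message_repr, modexp=faulty_modexp)
    except ArithmeticError:
        return True
    return False


if __name__ == "__main__":
    print("correct CPU:", sign_and_verify(65))
    print("faulty CPU caught:", faulty_cpu_detected(65))
```

Because the RSA map is a bijection modulo n, any y that differs from the true x^d mod n fails the y^e mod n == x test, so the check costs one public-exponent operation and catches every single-result fault, whether it comes from a hardware multiplier or from a software bug.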

[24 November 2007, top]
Alltel Springs Ahead Instead of Falling Back
I've always thought date and time handling was some of the more complicated stuff to program correctly. Moving clocks forward and backward just adds to the difficulty.
   "Most of the country moved their clocks back one hour when 
    daylight saving time ended Sunday, but some Alltel Corp. 
    customers saw their cellular phone clocks jump forward 
    an hour instead."

According to Alltel, cellular towers provide the time to the phones and the problem was with the towers.

[08 November 2007, top]
Spammers Using MP3 Files To Promote Stocks
People's creativity never ceases to amaze... spammers are using dot-mp3 files to promote stocks.

The following was reported by

   "Spammers have taken to using MP3 attachments in e-mails 
    named after recording artists as part of a pump-and-dump 
    stock scam. Most of the e-mails have no subject name; others, 
    however, appear to be named after the artist the MP3 file is 
    named after, according to several security vendors."

   "When recipients click on the attachment, a voice relays a 
    message promoting stock for a particular company."

The Security Watchdog's primary email account gets hit by a couple of stock market spams a day.

[19 October 2007, top]
Microsoft OS Defects, IE Defects, Word Defects
Microsoft is constantly issuing patches. On 10/10/2007 the company released six security updates to "fix" holes in Vista and Internet Explorer.

The following quotes were issued by McAfee Avert Labs.

   "Today's Microsoft patches emphasize the need for proactive 
    browser protection and the risk of surfing the Web unprotected." 

All crackers need is one wrong click.

   "Many of the vulnerabilities addressed by the fixes could be 
    exploited if a Windows user simply clicks a malicious Web link, 
    a favorite attack method among cybercriminals. Users need to 
    be more careful than ever when surfing the Internet." 

The Security Watchdog gets the shakes when he reads about defects with Microsoft Word.

   "One of the other four critical patches is MS07-060, which 
    addresses previously reported 'in-the-wild' Microsoft Word 
    vulnerabilities that allow an attacker to send an infected 
    Word document as an attachment or as a downloadable file 
    from a Web site."

Infected word documents? Yuck!

[11 October 2007, top]
AOL Instant Messenger Must Be Bad Software
I wonder how many times we will see this news.
   "A security hole in widely used versions of AOL's instant-messaging 
    program could let a crook grab control of a victim's computer, 
    according to a security firm that says AOL's steps to repair the 
    problem don't go far enough."

AOL's IM has been cracked time and time again. Not all of the cracks have been serious, but in this case the finder of the crack was quoted saying: "This is critical, this is very serious."

Beware of dangerous emoticons...

   "The security hole arose because of the way the vulnerable versions 
    of AIM let instant-messaging chatters augment their conversations 
    with various fonts and pictographic 'emoticons.' The flawed versions 
    of AIM do this by using Microsoft Corp.'s Internet Explorer program 
    to render images."

The Security Watchdog is not sure why anybody uses AOL.

[07 October 2007, top]
Crackers Offer Nude Actress Pics... Not
The headline caught my eye: "Hackers Push Trojan With Promises of 'Nude Angelina Jolie' Pics."

InformationWeek would be doing the computing profession a favor if it started using the term crackers instead of hackers. The headline should read: "Crackers Push Trojan With Promises of 'Nude Angelina Jolie' Pics."

InformationWeek reported that Sophos reported that "in September, one in every 833 e-mails were carrying malicious attachments, compared to 1 in every 1,000 during August." For some reason the Security Watchdog thought these ratios would be worse than they are. quoted a senior security consultant at Sophos saying, "The trick of tempting users with scantily clad pictures of hot-looking girls is as old as the hills, but people still fall for it."

[02 October 2007, top]
Spam is a Powerful Tool for Malware Crackers posted an article about the federal government stating the obvious: Crackers use spam to install malware. InformationWeek reported on events that took place at the Federal Trade Commission Spam Summit. Wow... a summit on spam. The Security Watchdog found this information worthy of quoting: "A community of malware providers has sprouted up such that a spammer can buy a spyware kit online for $17 to create a payload for his spam, and that kit will come with technical support." Capitalism at its worst. Spam Is Gateway To Malware Economy, Feds Say

[23 September 2007, top]
TD Ameritrade Cracked (6.3 Million Contacts)
TD Ameritrade's computer systems were cracked and "contact information" for more than 6.3 million customers was stolen. The company said that it does not appear as if the stolen data contained SSNs.
   "While the financial assets our clients hold with us were 
    never touched, and there is no evidence that our clients' 
    Social Security Numbers were taken, we understand that this 
    issue has increased unwanted SPAM, which is annoying and 
    inconvenient for them." --Joe Moglia, CEO

The TD Ameritrade CEO needs to learn that junk email messages are spam and not SPAM. In addition, the phrase "unwanted spam" is redundant. Who wants spam?

[16 September 2007, top]
Monster of a Crack at
Monster Worldwide Inc. recently discovered that crackers stole contact information from resumes for 1.3 million people. In addition,, a "federal-government career-listing service operated by Monster," was also cracked.

Security guru Bruce Schneier thinks Monster's security woes should prompt other online services to look more closely at their security practices, but it probably won't happen.

   "You're going to see this happen again and again and again.
    I assure you, every other company didn't say, `Wow, look 
    what happened to Monster, we have to fix our problem.'"
    --Bruce Schneier Security Notice

[02 September 2007, top]
Yahoo Messenger Has Webcam Defects posted an article titled "Zero-Day Bug In Yahoo Messenger Pops Up." They went on to say "researchers at McAfee are reporting that they've reproduced a reported zero-day vulnerability in the Yahoo Messenger Webcam." The "zero-day bug" (i.e. defect) is due to a "classic heap overflow." More on the Yahoo! Messenger Webcam 0day

[16 August 2007, top]
Government Systems Getting Cracked
We need to start calling hackers crackers.
   "Hackers stole information from the Department of Transportation 
    and several U.S. corporations by seducing employees with fake 
    job-listings on ads and e-mail."

Hackers didn't steal information; crackers did!

   "What is most worrying is that this particular sample of malware 
    wasn't recognized by existing antivirus software. It was able to 
    slip through enterprise defenses." said Yankee Group security 
    analyst Andrew Jaquith, who learned of the breach from Morris.

Security software is software; therefore, it can be cracked, especially if it is running on poorly administered systems. An ethically grounded guruish SysAdmin is priceless.

[02 August 2007, top]
Fox News FTP Password Exposed
This was slashdotted...

Somebody discovered that Fox had the webserver configured to allow directory listings. They followed the listings until they found a shell script that in turn had an FTP password embedded in it. Note: shell script files are POT files (i.e. plain-old-text); therefore, the password was human-readable. Oops?

[23 July 2007, top]
eBay For Crackers?
The question is: Why did this take so long?
   "A Swiss Internet start-up is raising the ire and eyebrows 
    of the computer security community with the launch of an 
    online auction house where software vulnerabilities are 
    sold to the highest bidder." wants to be an eBay for crackers and they claim their "service will serve to make software users safer in the long run." Site Plans to Sell Hacks to Highest Bidder

[15 July 2007, top]
Cyber-terrorism is a Form of Cyber-warfare
An article posted on 7 July 2007 started as follows.
   "A British court last week handed down prison sentences of 
    up to 10 years to three Muslim men it called 'cyber-jihadis' 
    and convicted of using the Internet to urge Muslims to wage 
    holy war on non-Muslims. And the U.S. Computer Emergency 
    Readiness Team reported politically motivated cyberattacks 
    in Russia."

I've said it before on this blog and I'll say it again: Cyberwarfare is not going to be fun.

Bill Joy is infinitely more expert than me when it comes to this stuff. Here is a quote from Joy that is in my quote collection.

   "September 11 was essentially a collision of early 20th-century 
    technology: the aeroplane and the skyscraper. We don't want to 
    see a collision of 21st-century technology." Cyberterrorism: By Whatever Name, It's On The Increase

[08 July 2007, top]
Fidelity National Gives Up 2.3 Million Customer Records
Let's see... 2.3 million written as a whole number is 2,300,000. Good job Fidelity!

Fidelity National Information Services announced that a "senior-level database administrator at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information."

The criminal sold the information to a "data broker" who in turn sold the information to marketing firms. I suspect the data broker and the "marketing firms" are criminals just like the guy who sold the information in the first place. Fidelity National: Ex-worker stole 2.3 million customer records

[06 July 2007, top]
Beijing Computers Great Source of Malware reported that during June of 2007 "some 40 percent of malicious software worldwide originated from Beijing." Many believe Beijing is the malware headquarters because of the following scenario.
   "As more and more users come online in China, there's 
    a good chance those computers are using pirated software 
    without up-to-date security fixes, making them prime targets 
    for hackers who are actually located elsewhere in the world." Beijing scores number one spot for malware

[06 July 2007, top]
Cyber Warfare is Going to Suck
China is going to be a major power when it comes to cyberwarfare.
   "China is seeking to unseat the United States as the dominant 
    power in cyberspace, so says a U.S. Air Force general leading 
    a new push in this area."

The general was quoted saying:

   "They're the only nation that has been quite that blatant about 
    saying, 'We're looking to do that.'" 

The following blurb was noteworthy.

   "The Defense Department said in its annual report on China's 
    military power last month that China regarded computer network 
    operations -- attacks, defense and exploitation -- as critical 
    to achieving 'electromagnetic dominance' early in a conflict."

   "China's People's Liberation Army has established information 
    warfare units to develop viruses to attack enemy computer systems 
    and networks, the Pentagon said."

Bottom-line: Cyberwarfare is going to suck. Bill Joy was right when he said we don't want to experience 21st century warfare.

[21 June 2007, top]
Can Digital Billboards Be Cracked?
This was a posting from last month (May 2007) that never got posted until now (21 June 2007).

A new mall in Tempe has digital billboards. Somebody was quoted saying the following.

   "With digital billboards, a company only has to e-mail a message 
    to the company's Phoenix hub and they can be quickly changed."

The comment prompted me to post the following to

   Just wait and see what shows up when these billboards get cracked. 
   I hope they aren't using Windows. Porn anyone?
   (Gerald9588, May 29, 2007 08:16AM)
[21 June 2007, top]
Cybercrime via Malware Pays
This is a posting that was left over from last month (i.e. May, 2007).

Dave DeWalt, president and CEO of McAfee, says things are going to get a lot worse in computer security before they get better.

   "Walking off the stage and down the aisle in his Tuesday 
    afternoon keynote at the Interop trade show in Las Vegas, 
    Dave DeWalt told the audience of IT and business professionals 
    that we will see more malware in the next 18 months than we have 
    in the past 20 years. Researchers at the company's legendary Avert 
    Labs are seeing 17,000 new phishing sites every month. He pointed 
    to a 50% to 80% growth in spyware."

There's money to be made by cyber-criminals.

   "During his keynote, DeWalt noted that 37,413 new pieces of malware 
    hit the Internet last year. A hacker, with a multi-star rating, was 
    actually selling an exploit for a Microsoft Excel vulnerability on 
    eBay for $55. And DeWalt, who said he's had his own credit card 
    information stolen, estimated that one out of four people will 
    suffer some kind of digital crime."

DeWalt claims that "cyber crime, as a whole, will cost $105 billion this year alone."

[21 June 2007, top]
Ohio To Protect Government Workers From ID Theft
This headline is reflective of the times: "Today's Confidential Data Loss Is in Ohio." The posting behind the headline started with the following paragraph.
   "In yet another case of stolen confidential data, the 
    Social Security numbers and other personal details for 
    all 64,467 employees in the Ohio state government have 
    been stolen, Governor Ted Strickland announced Friday."

   note:  "Friday" being 15 June 2007.

The posting went on to say the data was on a device that "requires special equipment to be accessed." It further quoted Ohio's governor as saying: "There's no reason to believe a breach of information has occurred."

It doesn't matter if a "breach of information" took place or not; this type of stuff has to stop. Today's Confidential Data Loss Is in Ohio

[15 June 2007, top]
Yahoo Messenger Defects Exploited by Crackers
InformationWeek reported that defects in Yahoo!'s Messenger program were used by crackers to take control of systems. It appears Yahoo! issued a report about the defect(s) and crackers used Yahoo!'s report to exploit the defect(s). Sometimes too much information is indeed too much information. Yahoo Hacker Uses Story To Find, Exploit Yahoo Messenger Bug

[12 June 2007, top]
Universities of Virginia and Iowa Cracked
InformationWeek reported that on 8 June 2007 "both the University of Iowa and the University announced that they have been sending out notifications about the breaches." At the University of Virginia crackers gained access to "record of 5,375 faculty." The crack of the University of Iowa "affected about 1,000 students and applicants to the school's Molecular and Cellular Biology graduate program, along with about 100 faculty members associated with the program." Sadly, InformationWeek called the crackers hackers instead of crackers. Two Universities Hit By Security Breaches

[12 June 2007, top]
Colorado University at Boulder Cracked
Security software is important, but security software is not that secure if it is defective. Security software is "software;" therefore, it contains defects just like any other software.
   "The University of Colorado at Boulder said sensitive 
    information on 44,998 students was exposed because a 
    worm attacked the network through an un-patched bug 
    in Symantec's anti-virus software."

   "On May 12, the university's IT security investigators 
    discovered that the worm entered the server through the 
    vulnerability, which the IT staff had failed to patch."

Defective software is one issue and sloppy system administration is a second issue. Bobby Schnabel, CU-Boulder vice provost for technology, wrote the following.

   "The server's security settings were not properly configured 
    and its sensitive data had not been fully protected. Through 
    a combination of human and technical errors, these personal 
    data were exposed, although we have no evidence that they 
    were extracted." CU-Boulder Arts And Sciences Server Hacked On May 12

[25 May 2007, top]
Alcatel-Lucent Looking For a Lost Disk
Alcatel-Lucent is a GDT::Portfolio stock and the company has "lost" some information. The company said it is "reviewing security procedures and has halted use of couriers for sending personnel information after a computer disk with financial and other data on employees and retirees went missing."

The "lost" disk contains "names, addresses, Social Security numbers, birth dates and salary data for thousands of employees, retirees and dependents on the company's U.S. payroll." Alcatel-Lucent trying to find lost disk

[19 May 2007, top]
University of Missouri Cracked (again)
For the second time this year, the University of Missouri has been cracked. This crack involved the exposure of more than 22,000 Social Security numbers of current and former students, obtained via a webpage.

Tom Chomicz, a network security engineer at CDW Government, was quoted saying the following.

   "Higher education is a completely different animal when it 
    comes to security. Universities aren't under mandates to 
    encrypt data in the same way as financial institutions, 
    and they still have some issues with identity management."

It appears as though the University of Missouri needs to tighten up their IT practices.

[10 May 2007, top]
EFF Gives a Legal Primer on 09 f9
Computer users are lucky we have the Electronic Frontier Foundation (EFF). says the Advanced Access Content System (AACS) is a standard for "content distribution and digital rights management, intended to restrict access to and copying of the next generation of optical discs and DVDs."

   "As was reported back in February, an enterprising hacker 
    unearthed and posted one of the decryption keys used by 
    AACS to decode HD-DVD movies (other keys and exploits have 
    been made available in the weeks since). Now the AACS-LA 
    (the entity that licenses AACS to makers of HD-DVD players) 
    has set its lawyers on the futile mission of trying to get 
    every instance of at least one key (hint: it begins with 
    09 f9) removed from the Internet." 09 f9: A Legal Primer

[07 May 2007, top]
USDA Gross Mis-Management of Data
The United States Department of Agriculture, or USDA, has "admitted it posted the Social Security numbers of 63,000 people who received grants from the department on a government Web site."

The following is difficult to believe: "The identifying information has been online since 1996, but was finally removed last week."

Marc Rotenberg of EPIC (Electronic Privacy Information Center) was quoted saying the following: "It was simply wrong for the Department of Agriculture to post Social Security numbers on a Web-accessible database." In that infamous exclamation of Homer Simpson... "doh!"

I remember embedding data within data... "The USDA said all of the private identifying information was embedded in a larger number and therefore not immediately identifiable."

The USDA claims "there is no evidence that this information has been misused" -- at least not yet.

[28 April 2007, top]
Zombie Computers are Dangerous
Computer security remains a growth industry and for some reason I don't think that's going to change anytime soon.
   McAfee Avert Labs:
   "The tactic for the e-mail is to make you think you've been 
    infected, and that you need to open the ZIP file to run a 
    patch or removal tool to fix your machine." 

I try to never say never, but I'd never click on a dot-exe file attached to an email message.

   VeriSign iDefense:
   "Once executed the worm installs a rootkit on the system 
    (wincom32.sys) and communicates over a private peer-to-peer 
    network to update itself." 

Zombie computers that have high-speed Internet connections are dangerous and they represent a major homeland security issue.
   "In essence, the infected computer becomes a zombie machine 
    on a botnet that can be used to send out spam that will 
    launch new attacks. It can also open the door for additional 
    malware to be installed on the victim's system."

What happens when we have zombie supercomputers? New Storm Surges Through I.T. World

[21 April 2007, top]
= +
had a posting titled "Top 10 Internet Crimes." mentioned the Internet Crime Complaint Center located on the web at The IC3 is a "partnership between the National White Collar Crime Center at and"

A few years ago I modernized the following song lyric by Don Henley...

   A man with a briefcase can steal more money than a man with a gun

...into...

   A person with a high-speed Internet connection can steal more money than a person with a briefcase.

[20 April 2007, top]

Education Dept. Has Lots of Student Records
[via Slashdot] This is easy to believe.
   "Some lending companies with access to a national database 
    that contains confidential information on tens of millions 
    of student borrowers have repeatedly searched it in ways that 
    violate federal rules, raising alarms about data mining and 
    abuse of privacy, government and university officials said."

The Washington Post reported that the database contains "60 million records." There are some who believe data mining of student records has "grown exponentially." Lenders Misusing Student Database

[16 April 2007, top]
More Computers Lost By the DOE posted the following.
   "A government counterintelligence office in charge of 
    protecting information about nuclear technology from 
    foreign espionage has lost 20 desktop computers -- most 
    of them containing classified information, according to 
    a report from the department's Office of Inspector General."

This is downright frightening...

   "In the initial inventory of 618 computers assigned to the 
    directorate's headquarters, 241 were not immediately located. 
    Eventually, all but the 20 were found. The audit report, which 
    was released late last week, also showed that the 'inventory 
    records were so imprecise and inaccurate that the directorate 
    had to resort to extraordinary means" to locate 125 of those 
    241 computers.'" Department Of Energy Loses 20 Classified PCs

[Extra] While reading about the sloppy IT practices at the DOE, the following headline was eye-catching... Hackers Promise 'Nude Britney Spears' Pix To Plant .ANI Exploit

[04 April 2007, top]
Crackers Crack Computers, Not Hackers
On 30 March 2007, there was a posting titled "Hackers step up attack on Windows flaw" to the "Business Blogs" found on (i.e. the Arizona Republic). The use of the term hacker when referring to crackers prompted me (Gerald8100) to post the following comment.
   Comment from: Gerald8100
   03/31/07 @ 06:37

   I need to do my hacker/cracker bit...

   People who access computers without permission are crackers. 
   Not all crackers are hackers, but most of them probably are. 
   A very large percentage of hackers are not crackers. The computing 
   ethics followed by hackers prohibits them from being crackers (i.e. 
   hackers good, crackers bad).

My comment to the blog ended with a hyperlink to Raymond's "How To Become A Hacker" essay. What is a hacker?

[31 March 2007, top]
Symantec Says Microsoft Most Secure OS
According to a report issued by Symantec Corp., Microsoft is more secure than all other commercial operating systems.
   "The report found that Microsoft Windows had the fewest 
    number of patches and the shortest average patch development 
    time of the five operating systems it monitored in the last 
    six months of 2006."

Six months is not a very long time to monitor how secure systems are, but kudos to Microsoft for coming out on top when it comes to security.

Red Hat came in second followed by Mac OS, HP-UX and Solaris.

Sun Microsystems issued the following statement to "Symantec's data on security vulnerabilities simply does not match Sun's. We can't verify Symantec's sources and consider their report on Sun inaccurate." Surprise, Microsoft Listed as Most Secure OS

[22 March 2007, top]
Crackers Are Not The Major Problem
Note to the University of Washington: call people who crack computer systems crackers, not hackers.

Phil Howard, an assistant professor of communication at the University of Washington, issued a report that included the following.

   "By year's end the 2 billionth personal record -- some 
    American's social-security or credit-card number, academic 
    grades or medical history -- will become compromised, and 
    it's corporate America, not rogue hackers, who are primarily 
    to blame. By his reckoning, electronic records in the United 
    States are bleeding at the rate of 6 million a month in 2007, 
    up some 200,000 a month from last year."

According to Howard, crackers have accounted for about 31% of the 550 "malicious intrusions" between 1980 and 2006. The balance is due to sloppy IT operations and untrustworthy employees.

I found the following tidbit edifying: "The education sector, primarily colleges and universities, amounted to less than 1 percent of all lost records, but accounted for 30 percent of all reported incidents." Hackers get bum rap for corporate America's digital delinquency

[16 March 2007, top] Server Cracked
Kudos to for calling a cracker a cracker.

A cracker "gained user-level access to one of the servers that powers, and had used that access to modify the download file." The cracker made code modifications that "allow for remote PHP execution."

WordPress is an Open Source project that was "started in 2003 with a single bit of code to enhance the typography of everyday writing and fewer users than you can count on your hands and toes. Since then it has grown to be the largest self-hosted blogging tool in the world, used on hundreds of thousands of sites and seen by tens of millions of people every day." WordPress 2.1.1 Dangerous, Upgrade

[03 March 2007, top]
Who is Responsible for Customer Data?
Once again I got suckered by a headline: "Who's responsible for customer data?" To me the question has only one answer: The company that collects the data is responsible for it. If company A collects data and passes it on to company B, and if company B gets cracked, then company A is still responsible for the data. Who's Responsible For Customer Data?

[25 February 2007, top]
Parents Fail To Molest MySpace For $30 Million
A Texas judge tossed out a lawsuit against MySpace that was filed by a family whose 13-year-old daughter was assaulted by a man she met via MySpace. The parents sued MySpace for $30 million because MySpace did not take over parental responsibility from the parents. Kudos to the Texan judge. Judge: MySpace Guiltless In Child Assault

[16 February 2007, top]
Internet Connected Computers Constantly Under Attack
It appears as though Internet connected computers are constantly under attack by crackers.
   "University of Maryland researchers from the James Clark School 
    of Engineering observed the activities of hackers as they try 
    to gain access to a computer and exploit it. "Brute force" hackers 
    were the focus of the study, which set up four Linux computers with 
    weak security and Internet connections. The computers were attacked 
    an average of 2,244 times each day, or every 39 seconds on average, 
    confirming suspicions that the average computer is almost constantly 
    under attack."
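
The "brute force" activity the study observed shows up on a Linux host as runs of failed password attempts in the authentication log. The following added example (my own code, not the researchers') parses such lines, flags a source address that produces many failures within a short window, and computes the average gap between attempts, the same statistic the study reports as "every 39 seconds". The log lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the Maryland study: count failed SSH logins per source
# address over a sliding time window to spot brute-force guessing. The log
# lines below are constructed; the addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 16 10:00:01 host sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Feb 16 10:00:03 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Feb 16 10:00:05 host sshd[2003]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Feb 16 10:00:06 host sshd[2004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Feb 16 10:00:08 host sshd[2005]: Failed password for invalid user oracle from 198.51.100.7 port 40005 ssh2
Feb 16 10:00:20 host sshd[2006]: Failed password for alice from 203.0.113.9 port 50001 ssh2
Feb 16 10:00:45 host sshd[2007]: Accepted password for alice from 203.0.113.9 port 50002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2007):
    """Return a list of (timestamp, user, source_ip) for failed-password lines."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Map each source IP with at least `threshold` failures inside some
    `window_seconds` span to (peak failures in a window, distinct usernames)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = (peak, len({user for _, user in events}))
    return hits


def mean_seconds_between_failures(log_text):
    """Average gap between consecutive failed logins across all sources."""
    stamps = sorted(ts for ts, _, _ in parse_failures(log_text))
    if len(stamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))
    print(mean_seconds_between_failures(SAMPLE_LOG))
```

The distinct-username count is the useful second signal: one user failing five times is a forgotten password, while one address trying five different accounts in seven seconds is a dictionary run.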

Crackers like to crack systems so they can set up "botnets," which in turn can be used to do more cracking.

   "Hackers would typically check the computer's software configuration, 
    change the password, check the configuration again, and download and 
    install a program, which they would then run. 'Often they set up back 
    doors--undetected entrances into the computer that they control--so 
    they can create 'botnets,' for profit or disreputable purposes."

If only crackers were called crackers instead of hackers. UM Study: Hackers Attack Computers Every 39 Seconds

[15 February 2007, top]
FBI Needs Help Securing Their Laptops
reported the following on 2007.02.12.
   "Three to four laptops are lost or stolen from the FBI 
    every month, according to a report issued this month 
    from the Justice Department's Inspector General."

It is difficult to believe that stuff is stolen from the FBI.

   "While 116 FBI laptops were reported lost and 44 were 
    reported stolen in the last 44 months, the agency is 
    doing better than it was five years ago, the DOJ's audit 
    said of one of the nation's top investigative agencies. 
    Another audit, conducted in 2002, showed that in a 
    28-month period 300 FBI laptops had been lost and 
    17 had been stolen." Report: FBI Loses 3 To 4 Laptops Every Month

[13 February 2007, top]
Using Telnet on Solaris is Dangerous
The ISC (Internet Storm Center) at SANS has issued an alert about using 'telnet' with Solaris systems. The following is nasty.
   "The telnet daemon passes switches directly to the 
    login process which looks for a switch that allows 
    root to login to any account without a password. If 
    your telnet daemon is running as root it allows 
    unauthenticated remote logins." Another good reason to stop using telnet
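
The underlying mistake is that a value the remote client controls (the username, which telnet carries in a NEW-ENVIRON negotiation) ends up being parsed as a command-line switch by the login program. The following added example (my own code, not the ISC's or Sun's) decodes the NEW-ENVIRON suboption as defined in RFC 1572 and flags any USER value that begins with a dash, since no legitimate account name does. The two negotiations are constructed samples and the username "-nosuchuser" is hypothetical.

```python
# Added example, not the ISC's or Sun's code: pull the USER variable out of a
# telnet NEW-ENVIRON negotiation (RFC 1572) and flag values that look like
# command-line options, i.e. begin with '-'. A login program that hands such a
# value to its argument parser is the failure mode the alert describes.
# The two negotiations at the bottom are constructed samples.

IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
ENV_IS, ENV_INFO = 0, 2                                # suboption commands
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3  # list markers


def parse_env_list(payload):
    """Decode the VAR/VALUE list that follows IS or INFO into a dict."""
    env = {}
    name, value, in_value = None, None, False
    i = 0
    while i < len(payload):
        b = payload[i]
        if b in (ENV_VAR, ENV_USERVAR):
            if name is not None:                      # close the previous entry
                env[name.decode("latin-1")] = (value or b"").decode("latin-1")
            name, value, in_value = bytearray(), None, False
        elif b == ENV_VALUE and name is not None:
            value, in_value = bytearray(), True
        else:
            if b == ENV_ESC and i + 1 < len(payload):  # ESC quotes the next byte
                i += 1
                b = payload[i]
            target = value if in_value else name
            if target is not None:
                target.append(b)
        i += 1
    if name is not None:
        env[name.decode("latin-1")] = (value or b"").decode("latin-1")
    return env


def extract_new_environ(stream):
    """Return one dict per NEW-ENVIRON IS/INFO suboption found in the byte stream."""
    found = []
    header, trailer = bytes([IAC, SB, NEW_ENVIRON]), bytes([IAC, SE])
    pos = 0
    while True:
        start = stream.find(header, pos)
        if start < 0:
            break
        end = stream.find(trailer, start + len(header))
        if end < 0:
            break
        body = stream[start + len(header):end]
        pos = end + len(trailer)
        if body and body[0] in (ENV_IS, ENV_INFO):
            found.append(parse_env_list(body[1:]))
    return found


def option_like_usernames(stream):
    """Usernames sent via NEW-ENVIRON USER that begin with '-'."""
    return [env["USER"] for env in extract_new_environ(stream)
            if env.get("USER", "").startswith("-")]


def new_environ_user(username):
    """Encode a client NEW-ENVIRON IS reply carrying only USER (sample builder)."""
    raw = username.encode("latin-1")
    # bytes 0..3 collide with the list markers and must be escaped with ESC
    escaped = b"".join(bytes([ENV_ESC, c]) if c <= 3 else bytes([c]) for c in raw)
    return (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + b"USER"
            + bytes([ENV_VALUE]) + escaped + bytes([IAC, SE]))


# Constructed samples: an ordinary login and a hypothetical option-shaped name.
BENIGN_SAMPLE = new_environ_user("alice")
SUSPICIOUS_SAMPLE = new_environ_user("-nosuchuser")

if __name__ == "__main__":
    print(extract_new_environ(BENIGN_SAMPLE), option_like_usernames(SUSPICIOUS_SAMPLE))
```

A check like this belongs in a network sensor or in the daemon itself, but the simpler remedy is the one the ISC recommends: stop running telnet at all (on Solaris 10 the service is disabled with svcadm) and use ssh.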

[12 February 2007, top]
Internet Root Servers Hit By a DDoS Attack
Three of the Internet's 13 root servers were hit by a DDoS (Distributed Denial of Service) attack. According to, the attacked root servers were "operated by the U.S. Defense Department, the Internet Corporation for Assigned Names and Numbers (ICANN), and UltraDNS, a company that manages traffic primarily for dot-org Web sites." Given the Internet's design, it is extremely difficult to bring it down (or crash it completely). reported that "zombie" systems might have been employed to do the DDoS attack. Hackers Strike at Key Internet Servers

[08 February 2007, top]
Crackers Like Zero-Day (Hour) Attacks
It is amazing that dot-xls and dot-doc files can be used by crackers to crack computer systems.
   "Microsoft late Friday (2007.02.02) warned users to be on the 
    lookout for Excel files that arrive unexpectedly -- even if 
    they come from a co-worker's e-mail address."

   "This is the fourth known zero-day attack against the ever-present 
    Microsoft Office suite since early December 2006.  The three previous 
    attacks, all aimed directly at specific targets, used rigged Microsoft 
    Word .doc files."

I am glad to see that Wikipedia has a webpage that discusses what is meant by a "zero-day (or zero-hour) attack." I've always thought it meant crackers used zero to exploit program defects, but I was wrong. A "zero-day attack" is a computer threat that "exposes undisclosed or unpatched computer application vulnerabilities. Zero-day attacks can be considered extremely dangerous because they take advantage of computer security holes for which no solution is currently available." I wonder... Is a zero-hour attack worse than a zero-day attack?

[05 February 2007, top]
TJ Maxx Crack Is Costing the Company
TJ Maxx's sloppy IT practices are going to cost the company money: "The company said last week it will record a fourth-quarter charge of 1 cent per share, or about $4.5 million, related to the hack." Of course InformationWeek meant to say crack instead of hack.

InformationWeek reported that "TJX was storing credit and debit card data in violation of the Payment Card Industry Data Security Standard created by Visa and MasterCard."

Needless to say, lawyers are going to make money thanks to TJ Maxx's weak IT efforts.

[04 February 2007, top]
Secure Software: Ethical Obligation, Not Legal
Alan Cox is a Unix guru and he readily admits that nobody knows how to produce secure software. Because of this, he is concerned that nasty things will happen if companies and programmers are legally held responsible when their programs are cracked.
   "Red Hat developer Alan Cox told a House of Lords committee on 
    science and technology that a developer's obligation to create 
    secure software is ethical, not legal."

With respect to "closed-software," Cox said the following.

   "[Code] should not be the [legal] responsibility of software 
    vendors, because this would lead to a combinatorial explosion 
    with third-party vendors. When you add third-party applications, 
    the software interaction becomes complex. Rational behavior for 
    software vendors would be to forbid the installation of any 
    third-party software." 

With respect to FLOSS, Cox said: "Potentially there's no way to enforce liability." Linux guru argues against security liability

[23 January 2007, top]
Storm Worm Hits PCs
An email-based virus named "Storm Worm" containing "storm alerts" has hit PCs. The subject-lines look real, for example: "230 dead as storm batters Europe." The email messages have attachments having names such as "video.exe," "fullstor.exe," or "readmore.exe."

According to the makers of security software, virus writers (i.e. crackers) have "begun responding more quickly to top news headlines, rather than using sex and celebrity as a means to ensure their viruses get activated." New 'Storm Worm' Pummels PCs

[Extra] Yikes... While at the website reading about the "Storm Worm," I came across a news story about a retailer named TJX being cracked. What warranted using the word Yikes is the fact that the crack happened in May of 2006. Retail Giant TJX Discloses Massive Data Breach

[20 January 2007, top]
When Hippies Turn to Cyberterror
Time and time again I am reminded of the importance of subject lines and titles. Although I was never a hippy, I admit to being drawn to hippy-related news items. Put "hippy" in the subject line and there is a chance I'll click. When Hippies Turn to Cyber Terror

[16 January 2007, top]
Cisco Systems Buying Spam Blocker IronPort
San Jose, CA-based Cisco Systems Inc. (CSCO) announced it will "buy email and web security firm IronPort Systems Inc. for $830 million to tap growing demand for anti-virus and anti-spam software."

Cisco Systems has about 50,000 employees. On 6 January 2007, at a stock price of $28.47, Cisco had a market value of approximately $172.89 billion.

San Bruno, CA-based IronPort is a privately-held company "known for 'reputation filters' that block spam by examining a sender's record." IronPort has about 408 employees.

[06 January 2007, top]
Security Defect Found with Browser-DotPDF Handling
calls it a "flaw," but I call it a defect. There has been a defect found with how browsers process dot-pdf files. NewsFactor wrote: "The Acrobat flaw does not occur in Acrobat or the Acrobat reader directly, but in the Web browser plug-in that lets PDF documents be read directly over the Internet in programs such as Microsoft's Internet Explorer or Mozilla's Firefox."

Symantec found the defect and reported that "a weakness was discovered in the way that the Adobe Reader browser plug-in can be made to execute JavaScript code on the client side." Damn JavaScript. Security Flaw Discovered in Acrobat

[05 January 2007, top]
About the Security Watchdog
The Security Watchdog starts 2007 with 368 postings. This blog was started during March of 2000 and the current world of computer security is worse now than it was then. Needless to say, there will always be content for the Security Watchdog for at least the next couple of years.

Security Watchdog Archives: 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000

[01 January 2007, top]

Author: Gerald D. Thurman []
Last Modified: Saturday, 05-Jan-2013 11:17:39 MST

Thanks for Visiting