For years, security experts have warned governments that national ID schemes, ID data stockpiles and other systems that harvest and store large volumes of sensitive personal information are high-risk targets that can and will become the object of criminal desire.
Israel has learnt about this the hard way.
In a classic demonstration of just how bad the "Insider Threat" is, a contract worker in Israel's Welfare Ministry has stolen the entire database of Israel's equivalent of the US Visit system, containing the records of 9 million Israelis, both living and deceased.
The contract worker, it seems, moonlighted as a low-level white-collar criminal dabbling in things like identity theft. He went on to distribute the database to 6 contacts in the Israeli underground, one of whom uploaded the entire database to "Bit Torrent" file-sharing sites under the name "Agron 2006".
Google searches for this torrent show that it is now widely distributed, with numerous clone torrents offering the database to anyone who cares to download it.
I hate to say I told you so... but.....
Hopefully other governments are watching and learning from Israel's predicament.
Marc's Security Blog
Tuesday 25 October 2011
Thursday 13 October 2011
Update on the Keylogger Virus Security Incident affecting the US Predator & Reaper UAV fleet.
Wired has updated its article on the keylogger virus that has affected some of the US Air Force's critical infrastructure, spreading so pervasively as to reach even the command and control systems of the US UAV fleet.
The US Airforce has now gone on record insisting that the malware was "more of a nuisance" than it was an actual "operational threat".
Creech Airforce Base in Nevada remains fully operational and has not been compromised in any way by the security incident.
The Air Force also claimed that the 24th Air Force, nominally in charge of cyber security operations, was fully aware of the incident and has known about it all along.
Link to the USAF press release courtesy of wired:
http://ping.fm/Wzhu0
The whole situation seems like a shambles to me. The fact that such a generic piece of malware could spread so far and wide through critical systems is embarrassing at best and a serious threat to US national security at worst.
One would hope that there are some hard lessons being learnt from this....
Wednesday 12 October 2011
Sony Gets Hacked (Again).
Sony has been hacked again. This time more than 90,000 accounts for Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services were compromised in what looks like a simple Brute Force attack where the attacker or attackers simply tried common passwords against user accounts until they got in.
This attack strategy is hardly new and has been favoured in the past by Chinese hackers amongst others. Why? It's the oldest hack in the book. It's simple, easy to implement and relies on the fact that people are lazy or stupid or just don't care that passwords like "password" or "secret" or "s3cr3t" are easy to guess.
What's surprising is that Sony STILL hasn't implemented a password policy strong enough to force users into at least moderately secure passwords.
How many times do they need to get compromised before they follow the simple information security best practice guidance that is taught to EVERY information security officer as part of EVERY training or certification?
Sony's CISO has posted a comforting blog message saying that this represented less than 0.1% of their user base and that no credit cards were compromised by the attackers (wouldn't want to fall foul of PCI now, would we...). He's also said that compromised accounts have been locked and that Sony will help roll back any unauthorised transactions.
You can read his blog post here: http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/
I have to say as a CISO he certainly has his job cut out for him if he doesn't want Sony to take Microsoft's place as the company routinely trashed for having consistently bad security practice.
It took Microsoft YEARS of hard work to escape that image (if they even have fully yet).
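The two controls the post is asking for are a registration-time password policy that refuses guessable passwords such as "password", "secret" and "s3cr3t", and server-side monitoring that notices when someone is working through common passwords against many accounts. The following is an added illustration written for this post, not Sony's code or anything from the PlayStation blog; the log format, the denylist, the thresholds and the IP addresses are all constructed for the example.

```python
"""Added example: a password-policy check plus a detector for password guessing
run over constructed login-audit lines. Nothing here is Sony's code or a
real log format; the formats, thresholds and sample values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed denylist of guessable passwords; a real deployment would load
# a large breach-derived list. Matching is done after lower-casing and undoing
# common leet substitutions, so "s3cr3t" and "P@ssw0rd" are caught too.
COMMON_PASSWORDS = {"password", "secret", "s3cr3t", "123456", "qwerty", "letmein"}
LEET = str.maketrans("0134@$", "oleaas")


def password_policy_violations(password):
    """Return a list of human-readable policy violations (empty list = accepted)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    normalised = password.lower().translate(LEET)
    if password.lower() in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        problems.append("matches a common password (after leet normalisation)")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


# Constructed audit-log format: "<iso-timestamp> login <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(lines):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_guessing(lines, window=timedelta(minutes=10), per_account=5, accounts_per_source=3):
    """Two sliding-window rules over FAIL events:
    - an account with >= per_account failures inside `window` is flagged for lockout
    - a source hitting >= accounts_per_source distinct accounts inside `window`
      is flagged as spraying common passwords across the user base.
    Thresholds are illustrative assumptions, not recommended values."""
    events = sorted(parse_auth_log(lines))  # chronological order
    fails_by_user = defaultdict(list)       # user -> timestamps in window
    fails_by_src = defaultdict(list)        # src  -> (timestamp, user) in window
    locked, spraying = set(), set()
    for ts, result, user, src in events:
        if result != "FAIL":
            continue
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
        if len(fails_by_user[user]) >= per_account:
            locked.add(user)
        fails_by_src[src] = [(t, u) for t, u in fails_by_src[src] if ts - t <= window] + [(ts, user)]
        if len({u for _, u in fails_by_src[src]}) >= accounts_per_source:
            spraying.add(src)
    return {"locked_accounts": sorted(locked), "spraying_sources": sorted(spraying)}


# Constructed sample log: one source trying three accounts in quick succession,
# one account being hammered from a single source, one harmless typo, one junk line.
SAMPLE_LOG = [
    "2011-10-11T03:12:05 login FAIL user=alice src=203.0.113.7",
    "2011-10-11T03:12:06 login FAIL user=bob src=203.0.113.7",
    "2011-10-11T03:12:07 login FAIL user=carol src=203.0.113.7",
    "2011-10-11T03:12:08 login OK user=dave src=203.0.113.7",
    "2011-10-11T03:15:00 login FAIL user=erin src=198.51.100.9",
    "2011-10-11T03:15:01 login FAIL user=erin src=198.51.100.9",
    "2011-10-11T03:15:02 login FAIL user=erin src=198.51.100.9",
    "2011-10-11T03:15:03 login FAIL user=erin src=198.51.100.9",
    "2011-10-11T03:15:04 login FAIL user=erin src=198.51.100.9",
    "2011-10-11T09:00:00 login FAIL user=frank src=192.0.2.33",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for pw in ("s3cr3t", "P@ssw0rd", "correct-Horse-battery-7"):
        print(pw, "->", password_policy_violations(pw) or "accepted")
    print(detect_guessing(SAMPLE_LOG))
```

Run as a script it rejects "s3cr3t" and "P@ssw0rd" on every rule, accepts the long mixed-class password, locks "erin" and flags 203.0.113.7 as the source walking across accounts. The per-source rule is the one that matters for the attack the post describes: a guesser trying "password" once against each of 90,000 accounts never trips a per-account lockout, so the detection has to pivot on the source (or on the password-hash tried) rather than on the victim.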
Sunday 9 October 2011
US Army Plans to roll out its own Android Smartphone.
The US Army plans to roll out an Android smartphone as part of the next evolution of its "Nett Warrior" programme.
It's hoped the Android device will reduce kilos of comms equipment down to just a few pounds for it and the Rifleman Radio that it will hook into.
Why a Rifleman Radio? The Army has no intention of ever allowing this device to connect to any type of civilian telecoms or Wi-Fi based network.
http://www.wired.com/dangerroom/2011/10/army-smartphone-beta/#more-59354
As Lake Mead hits levels not seen since 1937 Las Vegas plans Multi Billion Dollar water pipeline:
http://ping.fm/nDfAQ
Friday 7 October 2011
Westboro Baptist Church plans to Picket Steve Jobs' Funeral
Members of the controversial Westboro Baptist Church, better known for their extremely distasteful campaign against homosexuality through picketing the funerals of US servicemen killed in action, have announced that they will be targeting the funeral of Steve Jobs.
The group, best known for their rainbow "God hates fags" signs and web page, are claiming the action is in response to Jobs not using his wealth to promote their interpretation of the Bible and for Apple being consistently voted one of the most gay-friendly employers. The group’s grievances and its original protest plans were posted from iPhones, something the Twittersphere has been quick to point out.
“We're not against technology; we're against using it to promote what God hates,” said Megan Phelps-Roper, granddaughter of the church’s founder Fred Phelps, before tweeting a picture of the group using their iPhones at a protest.
It will be interesting to see what happens when Apple Fanbois clash with them. Assuming, of course, that anyone can get past the security perimeter.
Thursday 6 October 2011
Huge data privacy vulnerability found in HTC devices
In a recent update, HTC added a suite of logging tools that harvest quite an EXTRAORDINARY amount of personal information as the user goes about his/her ordinary day-to-day usage. This information is stored on the device, where any application with the basic Internet Access permission (pretty much any app that is allowed to access the web, which is almost everything) can read it or send it anonymously to a remote location.
The information collected includes (but most definitely isn't limited to) the following items:
- The list of user accounts, including email addresses and sync status for each
- The last known network and GPS locations and a limited previous history of locations
- Phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info
- device information (hardware and software)
- file system information
- content and service provider information
- network information including IP addresses
- a snapshot of every running process and every running thread.
HTC has promised that a patch is in the works.
Full details including proof of concept code can be found here: