For years, security experts have warned governments that national ID schemes, ID Data stockpiles and other systems that harvest and store large volumes of sensitive personal information are high risk targets that can and will become the object of criminal desire.
Israel has learnt about this the hard way.
In a classic demonstration of just how bad the "Insider Threat" is, a contract worker in Israel's Welfare Ministry has stolen the entire database of Israel's equivalent of the US-VISIT program, containing the records of 9 million Israelis, both living and deceased.
The contract worker, it seems, moonlighted as a low-level white-collar criminal dabbling in things like identity theft. He went on to distribute the database to 6 contacts in the Israeli underground, one of whom uploaded the entire database to "BitTorrent" file-sharing sites under the name "Agron 2006".
Google searches for this torrent show that it is now widely distributed with numerous clone torrents offering the database to anyone that cares to download it.
I hate to say I told you so... but.....
Hopefully other governments are watching and learning from Israel's predicament.
Tuesday, 25 October 2011
Thursday, 13 October 2011
Update on the Keylogger Virus Security Incident affecting the US Predator & Reaper UAV fleet.
Wired has updated their article on the Keylogger Virus that has affected some of the US Airforce's critical infrastructure spreading so pervasively as to even reach the command and control systems of the US UAV fleet.
The US Airforce has now gone on record insisting that the malware was "more of a nuisance" than it was an actual "operational threat".
Creech Airforce Base in Nevada remains fully operational and has not been compromised in any way by the security incident.
The Airforce also claimed that the 24th Airforce, nominally in charge of cyber security operations, was fully aware of the incident and that they've known about it all along.
Link to the USAF press release courtesy of wired:
http://ping.fm/Wzhu0
The whole situation seems like a shambles to me. The fact that such a generic piece of malware could spread so far and wide through critical systems is embarrassing at best and a serious threat to US national security at worst.
One would hope that there are some hard lessons being learnt from this....
Wednesday, 12 October 2011
Sony Gets Hacked (Again).
Sony has been hacked again. This time more than 90,000 accounts for Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services were compromised in what looks like a simple brute-force attack, where the attacker or attackers simply tried common passwords against user accounts until they got in.
This attack strategy is hardly new and has been favoured in the past by Chinese hackers amongst others. Why? It's the oldest hack in the book. It's simple, easy to implement and relies on the fact that people are lazy or stupid or just don't care that passwords like "password" or "secret" or "s3cr3t" are easy to guess.
What's surprising is that Sony STILL hasn't implemented a strong enough password policy to force users into using at least moderately secure passwords.
How many times do they need to get compromised before they follow simple information security best practice guidance that is taught to EVERY information security officer as part of EVERY training or certification?
Sony's CISO has posted a comforting blog message saying that this represented less than 0.1% of their user base and that no credit cards were compromised by the attackers (wouldn't want to fall foul of PCI now would we...). He's also said that compromised accounts have been locked and that Sony will help roll back any unauthorised transactions.
You can read his blog post here: http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/
I have to say, as a CISO he certainly has his job cut out for him if he doesn't want Sony to take Microsoft's place as the company routinely trashed for having consistently bad security practice.
It took Microsoft YEARS of hard work to escape that image (if they even have fully yet).
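As an added illustration (not code from this post, and nothing to do with Sony's actual systems), here is the kind of server-side defence the post is asking for: a password policy that rejects short, single-class and blocklisted passwords (including leetspeak variants such as "s3cr3t"), plus a per-account failed-login throttle and a check for one source address guessing against many accounts. The blocklist, the thresholds and the login events are all constructed for the example.

```python
"""Added example: password-policy check and brute-force throttling.

Not the blog's or any vendor's code. The blocklist, thresholds and the
sample login events below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed blocklist; a real deployment would load a large list of
# known-breached passwords instead of this handful.
COMMON_PASSWORDS = {"password", "secret", "s3cr3t", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed minimum length

# Map common leetspeak substitutions back to letters so that "s3cr3t" and
# "P@ssw0rd" are caught by the same blocklist as the plain words.
_LEET = str.maketrans("@$01345", "asoleas")


def password_policy_violations(password):
    """Return the list of reasons a password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered.translate(_LEET) in COMMON_PASSWORDS:
        problems.append("matches a common-password blocklist")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


class LoginThrottle:
    """Lock an account after too many failed logins inside a sliding window.

    Thresholds are assumptions for the example (5 failures in 15 minutes).
    """

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)  # account -> failure timestamps

    def _recent(self, account, now):
        return [t for t in self.failures[account] if now - t <= self.window]

    def record_failure(self, account, now):
        self.failures[account] = self._recent(account, now) + [now]

    def is_locked(self, account, now):
        return len(self._recent(account, now)) >= self.max_failures


# Constructed login events: (timestamp_seconds, account, source_ip, success)
EVENTS = [
    (0, "alice", "203.0.113.7", False),
    (10, "alice", "203.0.113.7", False),
    (20, "alice", "203.0.113.7", False),
    (30, "alice", "203.0.113.7", False),
    (40, "alice", "203.0.113.7", False),
    (50, "alice", "203.0.113.7", True),   # correct guess, but account is locked
    (60, "bob", "198.51.100.4", False),
    (100, "carol", "192.0.2.9", False),   # one source spraying several accounts
    (101, "dave", "192.0.2.9", False),
    (102, "erin", "192.0.2.9", False),
    (2000, "bob", "198.51.100.4", False),  # outside bob's window, not locked
]


def replay(events, throttle=None):
    """Replay login events; return (timestamp, account) pairs that were blocked."""
    throttle = throttle or LoginThrottle()
    blocked = []
    for ts, account, _ip, success in events:
        if throttle.is_locked(account, ts):
            blocked.append((ts, account))
            continue
        if not success:
            throttle.record_failure(account, ts)
    return blocked


def spray_sources(events, min_accounts=3):
    """Return source IPs with failed logins against at least min_accounts accounts."""
    accounts_by_ip = defaultdict(set)
    for _ts, account, ip, success in events:
        if not success:
            accounts_by_ip[ip].add(account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    for pw in ("s3cr3t", "P@ssw0rd", "Correct-Horse-Battery-9"):
        print(pw, "->", password_policy_violations(pw) or "accepted")
    print("blocked logins:", replay(EVENTS))
    print("spraying sources:", spray_sources(EVENTS))
```

The two checks complement each other: the policy stops the trivially guessable passwords from existing, and the throttle plus the per-source count catch the guessing itself, which is the point a password policy alone misses when an attacker sprays one common password across many accounts.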
Sunday, 9 October 2011
US Army Plans to roll out its own Android Smartphone.
The US Army plans to roll out an Android smartphone as part of the next evolution of its "Nett Warrior" programme.
It's hoped the Android device will reduce kilos of comms equipment down to just a few pounds for it and the Rifleman Radio that it will hook into.
Why a Rifleman Radio? The Army has no intention of ever allowing this device to connect to any type of civilian telecoms or WiFi based network.
http://www.wired.com/dangerroom/2011/10/army-smartphone-beta/#more-59354
As Lake Mead hits levels not seen since 1937 Las Vegas plans Multi Billion Dollar water pipeline:
http://ping.fm/nDfAQ
Friday, 7 October 2011
Westboro Baptist Church plans to Picket Steve Jobs Funeral
Members of the controversial Westboro Baptist Church, better known for their extremely distasteful campaign against homosexuality through picketing the funerals of US servicemen killed in action, have announced that they will be targeting the funeral of Steve Jobs.
The group, best known for their rainbow "God hates fags" signs and web page, are claiming the action is in response to Jobs not using his wealth to promote their interpretation of the Bible and for Apple being consistently voted one of the most gay-friendly employers. The group’s grievances and its original protest plans were posted from iPhones, something the Twittersphere has been quick to point out.
“We're not against technology; we're against using it to promote what God hates,” said Megan Phelps-Roper, granddaughter of the church’s founder Fred Phelps, before tweeting a picture of the group using their iPhones at a protest.
It will be interesting to see what happens when Apple fanbois clash with them. Assuming, of course, that anyone can get past the security perimeter.
Thursday, 6 October 2011
Huge data privacy vulnerability found in HTC devices
In a recent update, HTC added a suite of logging tools that harvest quite an EXTRAORDINARY amount of personal information as the user goes about his/her ordinary day-to-day usage. This information is stored on the device, where any application with basic Internet Access permission (pretty much any app that is allowed to access the web, which is almost everything) can read it or send it anonymously to a remote location.
The information collected includes (but most definitely isn't limited to) the following items:
- The list of user accounts, including email addresses and sync status for each
- The last known network and GPS locations and a limited previous history of locations
- Phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
- device information (hardware and software)
- file system information
- content and service provider information
- network information including IP addresses
- a snapshot of every running process and every running thread.
HTC has promised that a patch is in the works.
Full details including proof of concept code can be found here:
Steve Job's death already in use by Facebook scammers
In a predictable move, scammers who love to use attention-grabbing news headlines in order to hook their victims have started to use the death of Steve Jobs.
One scam in particular states that Apple is giving away 50 iPads in his memory.
Obviously this is complete rubbish, but over 20,000 people have already clicked through to the bogus site.
Dutch court ruling heralds doom for usenet and threatens ISPs all over Europe
The Dutch Music and Film industry organisation "Stichting Brein" has won a landmark case against usenet provider news-service.com. Lawyers for Stichting Brein successfully argued that even though news-service.com is only providing access to material uploaded elsewhere, because it is available on their servers they are responsible for policing it. As a result, news-service.com has to come up with a way to remove or block access to all copyrighted content or face a fine of up to 50,000 euros per day.
http://ping.fm/QdVaD
This is potentially quite a worrying precedent for net neutrality. Not only does it potentially spell doom for usenet service providers all over Europe, but depending on how it is interpreted it could erode protections such as the UK "Mere Conduit" defence, where ISPs have been able to successfully argue that they cannot be held liable for civil or criminal infringements caused by users of their bandwidth, as all they are is a "bit pipe" to the internet and it is in fact the user who must be held liable.
Steve Jobs dies aged 56
The name "Steve Jobs" evokes a passionate response from many people, myself included. No matter what your feelings are however, there is little doubt that the world has lost a true visionary.
Steve Jobs shaped Apple as we know it today and under his guidance they created some of the most iconic technology products of our era. Steve Jobs was also responsible for business plan innovation that turned industries like the mobile phone industry completely on its head.
RIP Steve Jobs, no matter what I thought of some of your ideas, you were an icon that changed the world around you.
http://ping.fm/rzBHj
http://ping.fm/bI0e3
Smartphone Botnets Arrive.
For some time now we have been predicting that the next evolution in smartphone malware will be for this type of malware to move closer to parity with traditional desktop malware. This has now been confirmed by Trend Micro, who have found a variant of malware, ANDROIDOS_ANDROIDSERVERBOT.A, apparently originating from China, that masquerades as an e-book reader app. Once on an infected device this malware uses an internet blog site as its Command and Control server, joining infected devices into an army of zombie smartphones:
"From our analysis, we found that this malware has two hardcoded C&C servers to which it connects in order to receive commands and to deliver payloads. The first server is just like the usual remote site to which the malware posts information to and gets commands from. The second C&C server, however, caught our attention more. This is a blog site with encrypted content, which based on our research, is the first time Android malware implemented this kind of technique to communicate."
http://ping.fm/iO5kq
In an additional element of parity, this malware also has the capability to disable on-device security software, terminating the following Chinese security apps:
com.qihoo360.mobilesafe
com.tencent.qqpimsecure
com.ijinshan.mguard
com.lbe.security
Smartphones are full computing platforms. This latest threat evolution was entirely predictable yet in my view very little is being done at the consumer end or even at the telco end to protect against the impact this sort of infection could represent.
Just imagine an army of millions of infected phones all calling premium rate numbers or sending out spam emails....
Wednesday, 5 October 2011
Facebook calls in the cavalry
Facebook has brought in third party web security firm Websense to "clean up" the malware links and other nasties that are plaguing the site.
About time too....
http://ping.fm/i1WtA
Organisations handling credit cards continue to fail at delivering PCI DSS compliance
Only 1 in 5 organisations achieved a satisfactory level of compliance against the Payment Card Industry Data Security Standard (PCI DSS).
http://ping.fm/I2V48
Bletchley Park
Bletchley Park UK, Home of Code-Breaking receives GBP 4.6 M restoration grant:
http://ping.fm/4vTfY
This is really great news.
Marc Rogers Bio
Marc Rogers has worked in information security management for more than 15 years, including 10 years managing security in companies such as the developer Skylan Group and global telecoms companies such as Vodafone, the world's largest mobile telecoms operator. www.linkedin.com/in/marcrogers Marc sees himself as a Security Evangelist who has a positive outlook on how security should be implemented in today's global organisations. It is this outlook that Marc used when he helped put together the long-running award-winning BBC series "The Real Hustle". Marc Rogers lives in America with his wife Alissa Rogers and his three daughters.