Wednesday, February 13, 2008

Top security breaches - 2007

Every year gets its share of major, jaw-dropping security blunders. This is a retrospective for the 21st century so far, with special attention on 2007.

The UK privacy breach: An employee of Her Majesty’s Revenue and Customs Office mailed two CDs containing confidential data on about 25 million UK citizens, including names, addresses, insurance account numbers, and bank account details for claimants in the national child benefit database. These CDs never made it to their destination. Just in case you think someone having your bank account number is no big deal, you should read about what happened to Top Gear TV series host Jeremy Clarkson when he published his account information in a newspaper to “prove” that having someone’s bank account will do nothing for a malicious party. At least Clarkson owned up to the mistake and started advocating disincentives for such poor security practice. I particularly like when he said “we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”

Embassies confuse anonymity with security: Swedish security consultant Dan Egerstad showed that people all over the world, most notably certain embassies, tend to assume that using the Tor anonymizing network means they’re secure. Somehow, they’ve missed the importance of encryption to protect their data. One must wonder why governments are so bad at security. By the way, the Swedish equivalents to the FBI and CIA raided Egerstad’s apartment for undisclosed reasons, accused him of several crimes, then released him without charges.

The iPhone runs everything as root: As Wired put it, IPhone’s Security Rivals Windows 95. This is very bad — and, of course, the root password for the iPhone was cracked in just three days. It had to happen eventually. To be fair, Windows Mobile devices all run everything as the administrative user as well, but this is not exactly unexpected (so it’s less notable). Credit to the fine folks at Metasploit for figuring it out, and figuring out how to make use of that fact.

Sears installs spyware on customer computers: The depth and breadth of harvested data is truly frightening, and you just have to read it to believe it. Do not join the “My SHC Community”. Worse yet, if you follow the update link at the beginning of the article, you’ll find out that Sears (KMart is involved, too) is playing some pretty sketchy games with privacy policy presentation, based on whether the spyware is installed on your system. Considering this example, that’s probably reason enough to avoid ever getting mixed up in any online Sears community, but that’s not all...

Your Sears buying habits may be public knowledge: In short, by joining the Sears “Manage My Home” community, you can search through the Sears purchase history of anyone whose name and address you know. Not only should you avoid joining online Sears communities but, it seems, you should avoid shopping there as well. Apparently, major corporations are as bad as government agencies when it comes to security — especially Sears.