Monday, April 28, 2008
Friday, April 25, 2008
by Gregg Keizer
"They're using the same techniques as last month, of an SQL injection of some sort," said Dan Hubbard, vice president of security research at Websense Inc., referring to large-scale attacks that have plagued the Internet since January.
Among the sites hacked were several affiliated with either the U.N. or U.K. government agencies, said Websense.
The exact number of sites that have been compromised is unknown, said Hubbard. He estimated that it's similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as MSNBC.com.
"The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack," Websense said in an alert posted yesterday to its Web site. "We have no doubt that the two attacks are related."
"Once loaded, the file attempts eight different exploits," noted the Websense warning, including one that hits a vulnerability in Internet Explorer's handling of Vector Markup Language (VML) that was patched in January 2007.
Maone also said "I told you so" in his blog post yesterday. In an August 2007 entry, he had said that rather than fixing the underlying security problems on the U.N. site, the agency had simply deployed a "pretty useless" firewall that masked the most obvious attack surface.
However, even the disinfected sites could fall victim again, Maone maintained. "The sad truth, though, is that even those 'clean' sites are still vulnerable, hence they could be reinfected at any time," he said.
"Web site owners have to start securing their code," Hubbard noted.
Source: Computer World
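The compromises described above planted script tags in database text fields; the following scanner, an added example rather than code from the article or from Websense, triages a database for such tags. It uses an in-memory SQLite database with constructed rows, and the hub host name is a placeholder.

```python
import re
import sqlite3

# A <script> tag whose src points at an absolute http(s) URL: the signature
# of content injected by mass SQL injection rather than authored on site.
INJECTED_SCRIPT = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)


def text_columns(conn, table):
    """Names of the text-typed columns of a table, via SQLite's PRAGMA."""
    rows = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return [r[1] for r in rows
            if (r[2] or "").upper() in ("TEXT", "VARCHAR", "CLOB")]


def find_injected_scripts(conn):
    """Scan every text column of every user table and return
    (table, column, rowid, script_url) for each cell carrying a tag."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in text_columns(conn, table):
            for rowid, value in conn.execute(
                    f'SELECT rowid, "{col}" FROM "{table}"'):
                if not isinstance(value, str):
                    continue
                for m in INJECTED_SCRIPT.finditer(value):
                    findings.append((table, col, rowid, m.group(1)))
    return findings


def build_sample_db():
    """Constructed sample: a content table where two cells were tampered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, "
                 "title TEXT, body TEXT, hits INTEGER)")
    # Placeholder hub domain, not a real indicator.
    tag = '<script src="http://hub.example.invalid/b.js"></script>'
    conn.executemany(
        "INSERT INTO pages (title, body, hits) VALUES (?, ?, ?)",
        [("Welcome", "Plain page", 10),
         ("News", "Latest news" + tag, 5),
         ("About" + tag, "Company info", 2)])
    return conn
```

Grouping the findings by script URL shows which hub domain a given wave of injections points at.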
Thursday, April 10, 2008
By John Edwards
If you've never used a wireless network scanner, you may be surprised by what it can tell you about your network and the data that lies within its reach.
A growing number of businesses are deploying 802.11 wireless networks for both internal use and public access. Regardless of the network's purpose and configuration, a wireless network scanner is necessary for assuring its continued operation and security. Popular open-source wifi network scanners include NetStumbler and Kismet. These products, and most other network scanners, can help you learn the following things about your wireless network.
Overall Vulnerability: Network scanners are often used in conjunction with a laptop or other portable computer to sniff out wireless networks from a moving vehicle — a practice known as wardriving. Performing the same activity while strolling down a street or through a business site is called warwalking. There's also warbiking, warskating and probably war-go-karting happening as well. In any event, while you yourself may never use a network scanner for wardriving or similar activities, you can be certain that other people are doing so in order to test your network's availability, size and configuration, as well as its potential vulnerability.
NetStumbler and some other network scanners work actively, sending messages that are designed to probe any encountered access point for information, such as its SSID (service set identifier), MAC (media access control) addresses and the name of the network it's connected to. If your network is secure, you have nothing to worry about. If, on the other hand, you suspect that your network may be vulnerable to intruders through the lack of security measures, you may want to perform your own wardrive in order to check for potential soft spots (such as improperly configured access points that allow unrestricted network access or those that spew too much identification information). Vendors such as AirMagnet Inc. and Aruba Networks Inc. offer technologies that are designed to lock down wireless networks.
The Presence of Rogue Access Points: This is perhaps the most useful network-scanner application. A rogue access point is an access point that exists without permission of the wireless network's administrator. Rogue access points are often installed by employees to create stealth wireless networks that circumvent security measures installed on the company wireless network. A network scanner lets you sniff out, pinpoint and eradicate unauthorized access points.
Criminals can also install a rogue access point within the range of a company wireless network to hijack the connections of legitimate users. The crooks can then use the connections to eavesdrop on transmitted information and potentially even gain entry to the company's main internal network.
Hardware Problems: A network scanner is indispensable for checking the state of wireless network hardware, particularly access points. By measuring signal strength, the scanner can help you quickly identify access points that are inoperative or performing poorly.
The Location of Weak and Dead Spots: Network coverage can be impaired by walls, trees and a variety of other man-made and natural objects. A network scanner can help you locate poor coverage areas, which can then be bolstered with additional access points.
The Sources of Wireless Interference: Wireless networks are subject to interference from neighboring 802.11 installations, as well as from a variety of consumer and business technologies, including cordless phones, motors and various types of industrial equipment. By showing signal strength as you move about, a network scanner can help you track down interference sources that generate signals on the same frequency as the wireless network.
Improperly Aimed Directional Antennas Used for Long-Haul Connections: Many companies use point-to-point wireless connections to link together 802.11 hotspots across a business campus or other geographical site. Aiming directional antennas requires precise adjustments to ensure continuous connectivity and maximum performance. By measuring signal strength, a network scanner makes antenna aiming a faster, more exact and less troublesome task.
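The rogue access point and hardware checks above reduce to comparing a scan against an inventory of authorized access points; the code below, an added example and not part of the article, does that comparison. The inventory, the scan records and the -70 dBm on-site threshold are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ScanResult:
    bssid: str     # AP radio MAC address as reported by the scanner
    ssid: str
    channel: int
    rssi_dbm: int  # received signal strength; stronger means closer


# Corporate AP inventory (constructed): BSSID -> SSID it should broadcast.
AUTHORIZED = {
    "02:00:00:aa:00:01": "CorpNet",
    "02:00:00:aa:00:02": "CorpNet",
    "02:00:00:aa:00:03": "CorpGuest",
}


def classify(scan, authorized=AUTHORIZED, onsite_rssi=-70):
    """Return (bssid, verdict) for each scan record.  Verdicts:
    ok            known BSSID broadcasting its expected SSID
    ssid-mismatch known BSSID broadcasting an unexpected SSID
    evil-twin     unknown BSSID broadcasting one of our SSIDs
    rogue         unknown BSSID with a signal strong enough to be on site
    neighbor      unknown BSSID with a weak signal (likely next door)"""
    corp_ssids = set(authorized.values())
    results = []
    for r in scan:
        bssid = r.bssid.lower()
        if bssid in authorized:
            verdict = "ok" if r.ssid == authorized[bssid] else "ssid-mismatch"
        elif r.ssid in corp_ssids:
            verdict = "evil-twin"
        elif r.rssi_dbm >= onsite_rssi:
            verdict = "rogue"
        else:
            verdict = "neighbor"
        results.append((bssid, verdict))
    return results


def missing_aps(scan, authorized=AUTHORIZED):
    """Inventory APs not seen at all: possibly down or mis-aimed (hardware check)."""
    seen = {r.bssid.lower() for r in scan}
    return sorted(set(authorized) - seen)


SAMPLE_SCAN = [  # constructed scan output
    ScanResult("02:00:00:AA:00:01", "CorpNet", 6, -45),
    ScanResult("02:00:00:AA:00:03", "CorpGuest", 11, -60),
    ScanResult("02:00:00:BB:00:09", "CorpNet", 6, -50),      # spoofs our SSID
    ScanResult("02:00:00:CC:00:10", "linksys", 1, -52),      # unapproved AP
    ScanResult("02:00:00:DD:00:11", "CoffeeShop", 11, -85),  # weak, off site
]
```

Walking the site with the scanner and re-running the comparison turns the "rogue" and "evil-twin" verdicts into a physical location via signal strength.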
Tuesday, April 8, 2008
by Lesley Fair
It may mean one thing on TV, but to savvy business executives, “CSI” should stand for Carefully Secure Information. Every company has an obligation to its customers, affiliates, and employees to safeguard sensitive data. As outlined in the Federal Trade Commission’s new handbook, Protecting Personal Information: A Guide for Business, one step of the process is to “Take Stock” — conduct a CSI-style “forensic audit” of your information practices.
Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has — or could have — access to it is essential to assessing security vulnerabilities. Whether you’re an industry giant or a lean-and-mean one-person shop, here are some tips on conducting your own “CSI” investigation:
1. Secure the scene. Inventory all file cabinets, computers, flash drives, disks, and other equipment to find out where your company stores sensitive data. Don’t forget about laptops, employees’ home offices, cell phones, and email attachments. No security audit is complete until you check everywhere sensitive data might be stored.
2. Look for footprints. Track personal information through your business by talking with your technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of who sends your company sensitive data. Do you get it from customers? Call centers? Credit card companies? Banks or other financial institutions? Affiliates and contractors?
3. Check the doors. How does sensitive data come in to your company? From your website? Via email? Through the mailroom? What kind of information is collected at each entry point? Customers’ credit card, debit, or checking account numbers? Sensitive health or financial data?
4. Dust for fingerprints. Who has — or could have — access to the information? Which of your employees has permission to look at sensitive data? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions? Contractors running your call center, distribution, or fulfillment operations?
5. Protect key evidence. Different types of data present varying risks. Pay particular attention to how you keep personally identifying information like Social Security numbers; credit card, debit, checking account, or financial information; and other sensitive data that could facilitate fraud or identity theft if it fell into the wrong hands.
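The "Secure the scene" and "Protect key evidence" steps call for finding where card numbers and Social Security numbers actually sit; the scanner below is an added example, not from the FTC handbook, that does a first pass over text. The sample documents are constructed and the card number is a well-known test value, not a real account.

```python
import re

# Lenient match for 13 to 19 digits with optional space or dash separators;
# the Luhn check below weeds out most ordinary digit runs it also catches.
CARD_RE = re.compile(r'\b(?:\d[ -]?){13,19}\b')
# SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r'\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b')


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the report itself is not sensitive."""
    digits = re.sub(r'\D', '', value)
    return '*' * (len(digits) - 4) + digits[-4:]


def scan_text(name, text):
    """Return (name, kind, masked_value) for each sensitive value in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r'\D', '', m.group())
        if luhn_ok(digits):
            hits.append((name, 'card', mask(digits)))
    for m in SSN_RE.finditer(text):
        hits.append((name, 'ssn', mask(m.group())))
    return hits


def scan_documents(docs):
    """docs maps a file name to its text; returns all hits in order."""
    hits = []
    for name, text in docs.items():
        hits.extend(scan_text(name, text))
    return hits


SAMPLE_DOCS = {  # constructed
    'orders.csv': 'id,card\n1,4111 1111 1111 1111\n2,1234 5678 9012 3456\n',
    'hr/applicants.txt': 'Applicant 42, SSN 123-45-6789, phone 555-0100',
    'readme.txt': 'Nothing sensitive here; ticket 1000000000000.',
}
```

The inventory this produces (which file, which kind of data) is the input to the "who has access" questions that follow.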
Get your copy of Protecting Personal Information: A Guide for Business at www.ftc.gov/infosecurity.
Lesley Fair is an attorney in the FTC’s Bureau of Consumer Protection who specializes in business compliance.
Thursday, April 3, 2008
Every year sees a fresh crop of security breaches. Most go unreported, unless they involve consumers' personal data, at which point companies are required to give timely public notice of security breaches. The following list of 2007's worst security breaches consists mainly of such reportable incidents. The incidents are sorted in descending order of severity based on how many individuals were potentially affected.
Note that remote hackers played a role in a small minority of cases. Most data losses occurred because laptops, tapes or disks were not properly secured. It is a never-ending struggle to get users to adhere to physical security protocols.
Jan 17, 2007: The TJX Companies Inc. (which operates T.J. Maxx, Marshalls and other stores) announced that it suffered an “unauthorized intrusion” into its computer systems that process customer transactions. The company subsequently revealed that the hackers had access to between 46 million and 215 million customer records for 17 months. The costs of this breach have reportedly reached $216 million, and the lawsuits are still flying.
July 3, 2007: Some 8.5 million customer records were stolen by a database analyst employed by Certegy Check Services Inc., a subsidiary of Fidelity National Information Services. The theft included credit card and bank account data, as well as other personal information. In November 2007, the employee pled guilty to conspiracy and fraud charges. A California class-action lawsuit against the company and its parent alleging negligence remains pending.
Sept. 15, 2007: Online stockbroker TD AMERITRADE’s computer system was infiltrated by hackers, who stole up to 6.3 million customer contact records including names, addresses and phone numbers. The hackers were able to install a backdoor program on the company's server, which gave them access.
April 10, 2007: A CD containing the personal information of 2.9 million Medicaid and child health care insurance recipients was lost in shipping. Officials would not reveal whether the data was encrypted. The data was being shipped from an Atlanta office of Affiliated Computer Services Inc., which manages claims for the state, to another contractor in Maryland.
Aug. 23, 2007: Monster revealed that intruders using legitimate usernames and passwords entered its system and made off with 1.3 million job seekers' records, including email addresses, names, home addresses and phone numbers.
Sept. 28, 2007: A laptop containing the personal information — including Social Security numbers — of 800,000 employment applicants was stolen from the offices of a third-party vendor that manages application data for fashion retailer Gap Inc.
July 20, 2007: SAIC, a Pentagon contractor, failed to encrypt data on 580,000 military households before transmitting it over the Internet. The data included names, addresses, birth dates, Social Security numbers and health information. The data was stored on an unsecured server.
June 15, 2007: In Ohio, a backup tape stolen from a 22-year-old intern’s car contained the names and Social Security numbers of all 500,000 state employees, plus 225,000 similar records of taxpayers.
Oct. 4, 2007: The Massachusetts Division of Professional Licensure, responding to public-records requests from marketers, mailed out disks containing the names and addresses of 450,000 licensed professionals in the state. Then, the division hurriedly mailed letters to all 450,000 professionals saying that their Social Security numbers had been included inadvertently. All but two of the disks were recovered.
May 19, 2007: Hackers broke into the network of the Illinois Department of Financial and Professional Regulation in January 2007 and accessed nearly 300,000 records regarding licensed professionals and applicants for licenses. The breach was discovered on May 3, 2007.
Aug. 23, 2007: A laptop containing 280,000 records about city retirees was stolen from a consultant to the City of New York Financial Information Services Agency as he sat in a restaurant.
Dec. 5, 2007: The names and Social Security numbers of 268,000 blood donors were on a laptop stolen from Memorial Blood Centers in Duluth, Minn.
March 30, 2007: Three laptops were stolen from the offices of the Los Angeles County Child Support Services. The data included 130,500 Social Security numbers — most without names — 12,000 individuals’ names and addresses, and more than 101,000 child-support case numbers.
May 19, 2007: A computer was stolen from the Texas Commission on Law Enforcement Standards and Education. It contained the names, home addresses, driver-license numbers, birth dates and Social Security numbers of every licensed law enforcement officer in the state — some 230,000 individuals.
Oct. 30, 2007: Three backup tapes containing 230,000 records of The Hartford Financial Services Group Inc.'s customers were misplaced.
Oct. 23, 2007: West Virginia Public Employees Insurance Agency notified 200,000 current and past members of its insurance programs that a computer tape containing names, addresses, phone numbers and Social Security numbers was lost while being shipped via United Parcel Service of America Inc.
May 14, 2007: A virus that could have allowed a hacker access to 197,000 records about students at College of Southern Nevada attacked a server, but the school is not sure whether any data was actually taken.
Jan. 26, 2007: Tapes containing names, Social Security numbers and other data regarding 196,000 Wellpoint Anthem Blue Cross Blue Shield customers were stolen from a lockbox held by one of the company’s contractors.
Nov. 16, 2007: Tae Kim, a former auditor for the U.S. Department of Veterans Affairs, was arrested after being caught using fraudulent credit cards. His home computer contained 1.8 million records on Veterans Affairs medical patients pertaining to 185,000 unique individuals.
Tuesday, April 1, 2008
NMSR Reports, Vol. 4, No. 4, April 2008
Alabama Legislature Lays Siege to Pi
By April Holiday
The Associalized Press
HUNTSVILLE, Ala. -- NASA engineers and mathematicians in this high-tech city are stunned and infuriated after the Alabama state legislature narrowly passed a law yesterday [March 30, 2008] redefining pi, a mathematical constant used in the aerospace industry. The bill to change the value of pi to exactly three was introduced without fanfare by Leonard Lee Lawson (R, Crossville), and rapidly gained support after a letter-writing campaign by members of the Solomon Society, a traditional values group. Governor Guy Hunt says he will sign it into law on Wednesday.
The law took the state's engineering community by surprise. "It would have been nice if they had consulted with someone who actually uses pi," said Marshall Bergman, a manager at the Ballistic Missile Defense Organization. According to Bergman, pi (π) is a Greek letter that signifies the ratio of the circumference of a circle to its diameter. It is often used by engineers to calculate missile trajectories.
Prof. Kim Johanson, a mathematician from the University of Alabama, said that pi is a universal constant, and cannot arbitrarily be changed by lawmakers. Johanson explained that pi is an irrational number, which means that it has an infinite number of digits after the decimal point and can never be known exactly. Nevertheless, she said, pi is precisely defined by mathematics to be "3.14159, plus as many more digits as you have time to calculate".
"I think that it is the mathematicians that are being irrational, and it is time for them to admit it," said Lawson. "The Bible very clearly says in I Kings 7:23 that the altar font of Solomon's Temple was ten cubits across and thirty cubits in diameter, and that it was round in compass."