Tag Archive | "Data"


Happy Data Privacy Day

Today is Data Privacy Day, 2011. Have a good one.

The point of the day seems to be to raise awareness of the data privacy issues which affect us all, both organizations and human beings. In the developed world it seems that someone is maintaining data about any of us. They are the companies we do business with, various governments, our doctors and insurance companies, our schools and more.

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.


Microsoft has a Data Privacy Day page which mostly stresses how people are concerned about the problem, but also includes a number of tips for managing privacy.

Google’s Alma Whitten, Director of Privacy, Product and Engineering, discusses Data Privacy Day on their Public Policy Blog. She will be on a panel discussion this morning with representatives of NIST, the FTC and the EFF. She also lists some of the features Google has brought to their software to manage privacy.

In an interview with Lumension CEO Pat Clawson, analyst Eric Ogren from The Ogren Group argues that Data Privacy Day is a PR event with no real influence. He’s rather downbeat on the issue of data privacy, but says there are good examples to follow in the laws in other countries and the Massachusetts Data Protection Law. (Note: I also write for Lumension’s web site intelligentwhitelisting.com.)



Full story: Security Watch


Q&A: How biometric data can secure your Android smartphone

If your phone’s lock screen leaves you feeling a little insecure, you might soon be able to supersede it with biometric security controls.

Full story: Network World on Security


Data Privacy Day 2011

“… an international celebration of the dignity of the individual expressed through personal information.”

Data Privacy Day will be marked Friday in the U.S. and 27 countries in Europe. It’s a day for education and awareness events “… to promote understanding of privacy best practices and rights. Educational events focus on informing teens about the importance of protecting the privacy of their personal information online, on social network sites and other internet activities.”

It’s a division of The Privacy Projects, which is described on the web site as “a nonprofit think tank and research organization dedicated to facilitating the role of consumer privacy and data protection in regulatory controls, technological innovation and consumer protection…”

$10 off VIPRE Home and Premium: $19.95.

In an effort to raise awareness of the increased dangers online and to help consumers protect themselves from digital identity risks, GFI is offering limited-time pricing incentives on its high-performance VIPRE Antivirus Home product line to those seeking to safeguard their personal information and protect their PCs.

On January 28, 2011 – Data Privacy Day, GFI Software will offer a $10 discount on VIPRE Antivirus Home and VIPRE Antivirus Premium, bringing the entry level price point to $19.95. Visit: http://virpreantivirus.com to take advantage of this special pricing, which is only available on Friday, January 28, 2011 until 11:59pm EST.

Tom Kelchner

Full story: GFI Labs blog


SplashID – Secure Data Manager for iPhone, Mac & Windows

CSA DISCLAIMER: This video taken from YouTube. As well as any other video found on this site is not hosted here, it just embedded, and it taken randomly by our system from video hosting services like YouTube, Metacafe, and others. Therefore, we are not responsible for any copyright violations, video materials, hacking or cracking activities, or any other. If you have any legal issues, please contact the appropriate host site.


Facebook thinks twice on giving dev access to phone, address data



Facebook has put off its plan to allow developers access to users’ phone numbers and home addresses. The company posted an update on its Developer Blog Tuesday morning, saying that it got “useful feedback” about the decision and that it would be making changes so that it’s clearer when users are about to share such sensitive info. As a result, the “feature” is being turned off until a better solution is found.

Privacy advocates got up in arms after the company announced that developers would be able to access a whole new level of personal info through its API, as long as the users gave them permission. Security firm Sophos issued a solemn warning on its blog about the move; the firm pointed out that Facebook app developers already manage to trick users into giving them access to personal data, and the situation will only get worse with real addresses and phone numbers in the mix.




Full story: Security


Two hackers charged with stealing iPad data (AFP)

AFP – Two hackers were charged Tuesday with breaking into the AT&T mobile network and stealing data from 120,000 users of Apple’s iPad tablet computer, including several celebrities, US officials said.


Full story: Yahoo! News: Security News


Blog: Your personal data in the wrong hands

What happens when all of your personal data is readily available for use by a cybercriminal?

Full story: Securelist / All Updates


Linux HOWTO: Secure Your Data with PGP, Part 2


Be sensitive with submitting your data while being online!

Yesterday it just happened. The external speaker of my HTC HD2 phone stopped working. Not the worst problem, the phone kept working, except it is if the phone is on silent-mode all the time and you don’t hear any calls coming in. That means it will be very quiet, but since we all seem to become dependent on cell-phones, it would become a nuisance quickly. As the phone is still under warranty, I will let HTC deal with the problem to fix it and so far that all seems to work.

Nevertheless, I started to look on the internet what an external speaker would cost and what it would cost to have it repaired. And then I stumbled into a website in The Netherlands. It will not tell me right away what it would cost to have my phone repaired so I started the process to “order” a repair.
After selecting the right Brand and Model I was asked to fill in details that were beyond my imagination:

To fill in the serial-number does not really pose a risk. If I would send in the phone to them, they would simply be able to copy it from the sticker on the inside of the phone. They do insist however that you enter it.

And yes, even if you order a back-panel replacement that you have shipped to you.
But why would they want to know my pincode? Do they expect me to leave my simcard in the phone? With the pincode of course they can call the entire world at my expense, so no thanks! I wonder how many people will fill in the requested details.
Even if this is a legitimate website and repairshop – and so far I do not have any reason to doubt that – it would be unwise to use them as they do insist on this data to be filled in. It almost seems like a phishing website or a shop with dubious actions.

The website does list both a physical address as well as telephone contact information, so it is time to contact them to tell them this is not the way to ask for details, especially when it would not be needed. And to be honest, they would never need it, as a legitimate repairshop they would have simcards around just for testing and repair purposes.

Of course we advise you to be really cautious when filling in credentials like the ones asked on this website. I never heard of this company before, I will not risk it (and I have no need) and then it should be logical that you take extra safety precautions.
 

Full story: Norman’s security blog


Linux HOWTO: Secure Your Data with PGP, Part 1


Mission: Secure your Data with Kingston Technology USB


Quake 4 Level 29 Data Network Security


Mozilla Exposes Add-On Developer User Data

User data for some registered developers of Mozilla Add-ons was temporarily exposed by mistake on a Mozilla server. Mozilla has disabled those users’ accounts until they reset their passwords.

As a registered user, I received an e-mail last night from Chris Lyon, Director of Infrastructure Security at Mozilla, informing me of the breach, which occurred on December 17 and was discovered by “a 3rd party,” identified as a security researcher in a subsequent blog post on the matter. A file was on the server containing “…a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password.”

The letter stated that, apart from the referenced 3rd party, only Mozilla staff had downloaded the file before it was removed. They have also identified how the file came to be on the server and have taken steps to prevent it being repeated.

Nevertheless, as a precaution they removed all those users’ passwords from the Addons site and requested that users perform the Password Reset function in order to create a new one. To do so, users click “I forgot my password” at the login screen and enter an e-mail address. An e-mail with a personalized link is sent to the e-mail address, which is associated with a particular account. That link brings the user to a page which resets the password. Until that is done, the user cannot log in.

The accounts in the exposed file all had older MD5 hashes and (like mine) were inactive. On April 9, 2009, Mozilla changed to a password system using SHA-512 password hashes and per-user salts. Users with active accounts were not affected.



Full story: Security Watch


Data Security Wrap-up 2009


Data security breach at the North Pole! Santa’s Naughty/Nice list compromised

Following attacks on Gawker, Walgreens and McDonalds, it seems hackers have set their eyes on a new target: Santa!

Reports from the North Pole have confirmed that Santa’s Naughty/Nice list has been compromised.

The list is said to contain the name, stocking address and naughty/nice score (the child equivalent of a credit score) of every child on earth. Absent from the leaked data is the “What I want for Christmas” list which is said to be stored in a separate database.

While St. Nick is not commenting on how the leak occurred, an insider elf mentioned a spear phishing campaign a few days ago promising milk and cookies after logging in to a suspicious site.

In the meantime, Santa is asking children to reset the password on their stockings. Santa’s workshop has also set up a hotline for children who get coal in their stockings on Christmas day due to any mix up.

This attack and others are a reminder to all that sending spam will land you on the naughty list, even if you manage to get a copy of that list.

Season's Greetings from Sophos

Hat tip: Thanks to SophosLabs researcher Tareq Alkhatib for bringing this breaking news story to our attention.


Microsoft BPOS configuration screw up causes data disclosure



Customers of Microsoft’s Business Productivity Online Suite—a cloud-based suite including Exchange, SharePoint, LiveMeeting, and Office Communicator—may have had certain data leaked after a configuration error left their contact information exposed.

The configuration problem left information in customers’ Offline Address Books exposed to other customers. The Offline Address Book is an Exchange feature that allows Outlook users to download a copy of all the e-mail addresses and mailing list aliases that an organization uses, so that they can be used even when disconnected from Exchange. It’s e-mail addresses on those lists that could have been made available.

Microsoft says that it fixed the configuration problem within two hours of discovering the problem, and that only a small number of illegitimate downloads occurred. However, the company didn’t say when the faulty configuration was pushed to its servers, so it’s not known how long the problem has existed. The company says it has notified all affected customers.

As data breaches go, this one was quite limited. No e-mails or documents were disclosed, nor were any personal contacts. Still, the disclosure of corporate address books is something of an unfortunate black eye for the company as it strives to expand its cloud services market. Microsoft is positioning the next version of BPOS, named Office 365, as a complete package to compete with the likes of Google Apps.

This setback is unlikely to impede the growth of cloud services—but it does highlight one of the risks that they bring. A similar configuration problem on a private Exchange server is unlikely to have any consequences—the sharing of infrastructure can bring with it risks that don’t exist on private installations.

As the use of cloud services proliferates, this kind of issue is likely to be a regular occurrence. Cloud services bring many conveniences—freedom from having to administer an Exchange server is no small thing—but those upsides will have to be balanced against the unique downsides that cloud systems bring.

Full story: Security

Sybase iAnywhere Mobile Software Application – Secure Enterprise Data for the iPhone


Data leak embarrasses Colorado sheriff, terrifies informants



A database leak in Mesa County, Colorado has left the personal information of 200,000 people in jeopardy. And not just any 200,000 people—these are suspects, victims, and informants working with the sheriff’s department to out other criminals. The incident has left the sheriff’s department scrambling to find out who might have accessed the information—and whether it’s now posted elsewhere on the Internet.

The leak started flowing when a county IT employee who had legal access to the database copied it to another server in April of this year. According to the Associated Press, the employee had copied over the database in the form of a giant text file with everyone’s information available in plaintext, assuming that the target server was secure.

Full story: Security

Euro cops mull crowd-sourced cybercrime data

Crowd-sourcing cybercrime reports could help the fight against online crime, according to a senior European Union official.

Rob Wainwright,…

Full story: Computer Crime Research News


Gawker’s Data Disclosure

I’ve been traveling, and whenever I return to the office, there’s always a lot of news to catch up on. I’m just now reading the details related to Gawker Media’s recent security breach. Over one million Gawker/Gizmodo/Lifehacker related commenting accounts were compromised last weekend, and more than 500,000 e-mail addresses and 185,000 decrypted passwords are being shared on The Pirate Bay.

On Monday there was a Twitter spam outbreak promoting Acai berries. Many people use the same password on multiple sites, which they really shouldn’t, and so the compromised Gawker accounts provided access to Twitter accounts…

If you use any Gawker related sites, you should update all of your related passwords.

That’s all very interesting, but I’m curious about something else related to Gawker. Last June, a group called “Goatse Security” exploited a vulnerability on AT&T Web servers and harvested iPad customer e-mail addresses and network IDs.

From the Wall Street Journal: “In a blog post defending Goatse Security’s actions, a member of the group said it only gave the data to Gawker and later destroyed it.”

In that same Goatse blog post, I was quoted as saying: “the disclosure was completely irresponsible.”

Did I think the vulnerability disclosure was irresponsible?

No.

Did I think the exploitation of the vulnerability was irresponsible?

Well, kind of, I mean, they could have bought an iPad to exploit themselves and didn’t really need to harvest other people’s names to make their point… but, let’s say no. Even exploiting the vulnerability wasn’t “completely” irresponsible.

So what was it that I thought was so completely irresponsible?

It was the turning over of an unredacted dataset to Gawker Media.

Why?

Because regardless of how much Goatse Security trusted Remy Stern and Ryan Tate of Gawker/Valleywag (and I’m sure they’re very trustworthy), Goatse Security never should have trusted AT&T customer information to Gawker’s security infrastructure.

After all, six months later, Gawker was hacked:

Image from Slate’s Was Your Gawker Password Hacked?

And so who knows now where those iPad addresses have ended up?

Hopefully they were deleted from Gawker’s servers after the FBI finished their investigation.

I e-mailed Ryan Tate last June to ask how the iPad dataset was sent, encrypted or not, but I never heard back… I’m sure Ryan was busy at the time. And I’m sure he’s busy now as well, but at this point, I want to know.

How and in what format was the iPad dataset sent to Gawker, and how/when was it deleted?

Sean

Edited: Even exploiting the vulnerability wasn’t “completely” irresponsible.

Typo has been corrected.

On 15/12/10 At 05:42 PM

Full story: F-Secure Antivirus Research Weblog

Hackers steal McDonald’s customer data

McDonald’s is working with law enforcement authorities after malicious hackers broke into another company’s databases and stole information about an undetermined number of the fast food chain’s customers.

Full story: Computerworld Security News

Patented Data Loss Protection from SafeCentral, Inc.

It’s been a busy summer for SafeCentral and I am eager to share the results of our hard work. We’ve put out a couple of press releases recently that hint at the action going on behind the scenes: we got the first of 5 patents assigned to our Trusted Security Extensions (TSX) technology and just completed the sale of our antivirus business to Commtouch. First I’d like to say that the Commtouch folks have been a real pleasure to work with over the summer as we put together a deal that makes a ton of sense both to them and us. That transaction allows us to focus on proactive data and application protection powered by TSX and embodied in our SafeCentral product. TSX brings unparalleled protection to sensitive data for consumers and enterprises alike.

There is no better signal of our focus than renaming the entire company to SafeCentral, Inc.! We will be launching a new website in a couple of weeks that takes the wraps off some additional products we are bringing to market.

Our consumer product is going strong–we will be announcing several distribution partnerships for SafeCentral over the next few weeks. We will also be announcing some of the new things we have been working on for enterprise customers. Here is a sneak peek at endpoint data protection for thin client access methods such as Virtual Desktop Infrastructure (VDI), Virtual Applications, and Remote Desktop.

Data Loss Protection for XenApp Clients


Source: SafeCentral Blog


Protecting Corporate Data on the Edge

Information is money and modern criminals know how to get their hands on both. Enterprise IT professionals are severely challenged these days to keep corporate data both protected and available to authorized users at the same time.

Going to Sea in a Sieve
Greg Shipley called out security software vendors in this InformationWeek article, pointing out that: “…we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize.”

When it comes to endpoint PCs I have to agree. The problem I see is that the Windows PC is too open, too programmable, with too many APIs and too many extensible applications like web browsers and productivity suites. This creates a rich environment for malware authors to infiltrate and take up permanent, or at least persistent, residence as a malicious ghost haunting the machine. From this position a malware operator can harvest sensitive data, including authentication credentials, customer records, employee data and other sensitive information.

IT teams have the strange mandate to deploy an extremely flexible operating system, but immediately take flexibility away from end users. This creates a tug of war between security and usability.

Benefits of Data Centralization
These facts are inducing a reverse in the swing of the IT pendulum, which is now moving back to centralization. Cloud-based apps, which keep data-at-rest in the data center, are helping to limit the physical spread of data and keep it under tight control behind many layers of physical and network protection. Hosted Virtual Desktops like Citrix XenDesktop do the same thing for entire virtual machines, allowing IT to build, deploy and maintain virtual PCs inside the data center and then deliver them over the Internet to thin client applications like the Citrix Receiver.

Don’t Forget the Endpoint
Centralization is good for data, but not for people. The workforce has become more distributed, working from home or the road or a branch office. The point is that data can be stored centrally in the data center but it must be used out on the edge of the network; that’s where the users are. In most cases, “the edge” still means a Windows PC or laptop (I exclude call centers from “the edge”).

The information security benefits of data centralization are lost when unmanaged or semi-managed endpoint PCs connect to the data center. All the risks that Greg Shipley called out then come into play:

“Walking into the CEO’s office and saying that the products you’ve spent a small fortune on are effective only at stopping novices and for checking off compliance forms? That takes more intestinal fortitude than most can muster.”

Centralized Data with Secure Remote Access
I think the pendulum is swinging to a safer place. Centralizing data and functionality, along with endpoint lockdown and secure remote access create a formula that works. Network Access Control (NAC) was an attempt to ensure that only properly secured endpoint computers could connect to a corporate network. But NAC relies on the imperfect Antivirus and Firewalls Greg Shipley called out as ineffective.

Here at SafeCentral we are addressing the risks to data in use on remote endpoints differently. We do not protect the endpoint, we protect the data while it is in use. We provide a Secure Desktop that protects against keyloggers, screen-scrapers, DNS redirection, code injection and other threats. From the Secure Desktop the user launches their VPN client and logs in, with full anti-keylogger protection for their username and password. Once connected to the VPN and while on the Secure Desktop, the user can only run applications white-listed by the IT administrator. “Thin client applications” like Citrix or Microsoft Remote Desktop are perfect fits for the SafeCentral Secure Desktop (see my earlier posting: Patented Data Loss Protection). Users can switch back and forth between the locked-down Secure Desktop and their normal Windows desktop, multi-tasking throughout the day. This gives them the benefit of extreme lock-down while accessing corporate data, with an option to switch out to the more open environment of the standard Windows desktop when they want. The data on the Secure Desktop remain protected.

Examples of White-listed Clients on the SafeCentral Secure Desktop:

  • Cisco AnyConnect VPN
  • Juniper Netconnect VPN
  • Juniper Citrix Services secure proxy
  • F5 Firepass VPN
  • Citrix XenDesktop or XenApp
  • VMWare View 4.5 Client
  • Microsoft Remote Desktop Client
  • SafeCentral SafeBrowser (a locked-down web browser)
  • Attachmate
  • more on the way…

If you are interested in hearing more, please drop me a line at rdickenson/at/safecentral/dot/com or post a comment here.

Source: SafeCentral Blog


Google, Facebook duke it out over user data

Internet giants Google and Facebook have been having a war of words this week over user data portability.

View full post on Network World on Security
