For years, security experts have warned governments that national ID schemes, ID data stockpiles and other systems that harvest and store large volumes of sensitive personal information are high-risk targets that can and will become the object of criminal desire.
Israel has learnt about this the hard way.
In a classic demonstration of just how bad the "Insider Threat" is, a contract worker in Israel's Welfare Ministry has stolen the entire database of Israel's equivalent of the US Visit system, containing the records of 9 million Israelis, both living and deceased.
The contract worker, it seems, moonlighted as a low-level white-collar criminal dabbling in things like identity theft. He went on to distribute the database to 6 contacts in the Israeli underground, one of whom uploaded the entire database to BitTorrent file-sharing sites under the name "Agron 2006".
Google searches for this torrent show that it is now widely distributed, with numerous clone torrents offering the database to anyone who cares to download it.
I hate to say I told you so... but.....
Hopefully other governments are watching and learning from Israel's predicament.
Marc Rogers
Tuesday 25 October 2011
Thursday 13 October 2011
Update on the Keylogger Virus Security Incident affecting the US Predator & Reaper UAV fleet.
Wired has updated its article on the keylogger virus that has affected some of the US Air Force's critical infrastructure, spreading so pervasively as to even reach the command and control systems of the US UAV fleet.
The US Air Force has now gone on record insisting that the malware was "more of a nuisance" than it was an actual "operational threat".
Creech Air Force Base in Nevada remains fully operational and has not been compromised in any way by the security incident.
The Air Force also claimed that the 24th Air Force, nominally in charge of cyber security operations, was fully aware of the incident and that they've known about it all along.
Link to the USAF press release courtesy of wired:
http://ping.fm/Wzhu0
The whole situation seems like a shambles to me. The fact that such a generic piece of malware could spread so far and wide through critical systems is embarrassing at best and a serious threat to US national security at worst.
One would hope that there are some hard lessons being learnt from this....
Wednesday 12 October 2011
Sony Gets Hacked (Again).
Sony has been hacked again. This time more than 90,000 accounts for Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services were compromised in what looks like a simple brute-force attack, where the attacker or attackers simply tried common passwords against user accounts until they got in.
This attack strategy is hardly new and has been favoured in the past by Chinese hackers amongst others. Why? It's the oldest hack in the book. It's simple, easy to implement and relies on the fact that people are lazy or stupid or just don't care that passwords like "password" or "secret" or "s3cr3t" are easy to guess.
What's surprising is that Sony STILL hasn't implemented a strong enough password policy to force users into using at least moderately secure passwords.
How many times do they need to get compromised before they follow the simple information security best practice guidance that is taught to EVERY information security officer as part of EVERY training or certification?
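As an added illustration (not part of the original post, and not Sony's code), the script below shows the two defensive controls this kind of incident calls for: a password check that rejects the guessable choices quoted above, including the leetspeak variant "s3cr3t", and a detector that flags password guessing in an authentication log, where one source fails against many different accounts and then lands a login. The log format, the IP addresses and account names, and the short deny-list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed deny-list; a production system would screen against a large
# corpus of breached passwords rather than this short example set.
COMMON_PASSWORDS = {"password", "secret", "123456", "qwerty", "letmein", "welcome"}

# Leetspeak substitutions so that "s3cr3t" normalises to "secret" before lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Lower-case the password and undo common leetspeak substitutions."""
    return password.lower().translate(LEET)


def check_password(password, min_len=10):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("matches a common password after leetspeak normalisation")
    return problems


# Hypothetical authentication log format, constructed for this example:
#   <timestamp> auth OK|FAIL user=<account> ip=<source>
LOG_LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one source sprays five accounts and gets into "erin";
# the last two lines are a legitimate login and a single mistyped password.
SAMPLE_LOG = [
    "2011-10-11T02:00:01Z auth FAIL user=alice ip=203.0.113.7",
    "2011-10-11T02:00:02Z auth FAIL user=bob ip=203.0.113.7",
    "2011-10-11T02:00:03Z auth FAIL user=carol ip=203.0.113.7",
    "2011-10-11T02:00:04Z auth FAIL user=dave ip=203.0.113.7",
    "2011-10-11T02:00:05Z auth OK user=erin ip=203.0.113.7",
    "2011-10-11T02:00:06Z auth FAIL user=frank ip=203.0.113.7",
    "2011-10-11T02:00:07Z auth OK user=alice ip=198.51.100.20",
    "2011-10-11T02:00:08Z auth FAIL user=bob ip=198.51.100.21",
]


def detect_guessing(log_lines, threshold=5):
    """Flag password-guessing activity in an auth log.

    Returns (spraying_ips, targeted_users, suspect_logins):
      spraying_ips   - sources that failed against at least `threshold` distinct accounts
      targeted_users - accounts with at least `threshold` failures from any source
      suspect_logins - accounts that logged in successfully from a spraying source
    """
    users_failed_from = defaultdict(set)
    failures_for_user = defaultdict(int)
    successes = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if m["result"] == "FAIL":
            users_failed_from[m["ip"]].add(m["user"])
            failures_for_user[m["user"]] += 1
        else:
            successes.append((m["ip"], m["user"]))
    spraying = {ip for ip, users in users_failed_from.items() if len(users) >= threshold}
    targeted = {u for u, n in failures_for_user.items() if n >= threshold}
    suspect = {user for ip, user in successes if ip in spraying}
    return sorted(spraying), sorted(targeted), sorted(suspect)


if __name__ == "__main__":
    for pw in ("password", "s3cr3t", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw) or "accepted")
    print(detect_guessing(SAMPLE_LOG))
```

The check deliberately uses only a minimum length and a deny-list: NIST SP 800-63B recommends screening new passwords against lists of commonly used or compromised values and no longer recommends composition rules such as "one upper-case letter and one digit", which attackers' wordlists already account for. The detector keys on distinct accounts per source rather than failures per account, because trying a few common passwords against many accounts (the pattern described above) never trips a per-account lockout.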
Sony's CISO has posted a comforting blog message saying that this represented less than 0.1% of their user base and that no credit cards were compromised by the attackers (wouldn't want to fall foul of PCI now, would we...). He's also said that compromised accounts have been locked and that Sony will help roll back any unauthorised transactions.
You can read his blog post here: http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/
I have to say, as a CISO he certainly has his work cut out for him if he doesn't want Sony to take Microsoft's place as the company routinely trashed for having consistently bad security practice.
It took Microsoft YEARS of hard work to escape that image (if they even fully have yet).
Sunday 9 October 2011
US Army Plans to roll out its own Android Smartphone.
The US Army plans to roll out an Android smartphone as part of the next evolution of its "Nett Warrior" programme.
It's hoped the Android device will reduce kilos of comms equipment down to just a few pounds for it and the Rifleman Radio that it will hook into.
Why a Rifleman Radio? The Army has no intention of ever allowing this device to connect to any type of civilian telecoms or Wi-Fi based network.
http://www.wired.com/dangerroom/2011/10/army-smartphone-beta/#more-59354
As Lake Mead hits levels not seen since 1937, Las Vegas plans a multi-billion-dollar water pipeline:
http://ping.fm/nDfAQ
Friday 7 October 2011
Westboro Baptist Church plans to picket Steve Jobs' funeral
Members of the controversial Westboro Baptist Church, better known for their extremely distasteful campaign against homosexuality through picketing the funerals of US servicemen killed in action, have announced that they will be targeting the funeral of Steve Jobs.
The group, best known for their rainbow "God hates fags" signs and web page, are claiming the action is in response to Jobs not using his wealth to promote their interpretation of the Bible and for Apple being consistently voted one of the most gay-friendly employers. The group’s grievances and its original protest plans were posted from iPhones, something the Twittersphere has been quick to point out.
“We're not against technology; we're against using it to promote what God hates,” said Megan Phelps-Roper, granddaughter of the church’s founder Fred Phelps, before tweeting a picture of the group using their iPhones at a protest.
It will be interesting to see what happens when Apple Fanboi's clash with them. Assuming of course that anyone can get past the security perimeter.
Thursday 6 October 2011
Dutch court ruling heralds doom for usenet and threatens ISPs all over Europe
The Dutch Music and Film industry organisation "Stichting Brein" has won a landmark case against usenet provider news-service.com. Lawyers for Stichting Brein successfully argued that even though news-service.com is only providing access to material uploaded elsewhere, because it is available on their servers they are responsible for policing it. As a result, news-service.com has to come up with a way to remove or block access to all copyrighted content or face a fine of up to 50,000 euros per day.
http://ping.fm/QdVaD
This is potentially quite a worrying precedent for net neutrality. Not only does it potentially spell doom for usenet service providers all over Europe, but depending on how it is interpreted it could erode protections such as the UK "Mere Conduit" defence, where ISPs have been able to successfully argue that they cannot be held liable for civil or criminal infringements caused by users of their bandwidth, as all they are is a "bit pipe" to the internet and it is in fact the user who must be held liable.