Category Archives: News

2000% Increase in Attacks on Israeli Websites

Interesting stats (please do not post political propaganda on my site: it’s about information security, not Middle East politics):

An increase of 2000% in attacks on pro-Israel and Israeli government websites was recorded in the first few days after the IDF takeover of the Turkish ship ‘Marmara’ headed for Gaza. Most of the attacks originated from Turkish and Palestinian sources.

Tests conducted by Internet security experts from IBM also found that the attackers managed to break through to 500 Israeli websites and make changes or plant propaganda on them.

IBM also found that Israeli government sites held up well to the attacks and most of the break-ins were into sites of companies and organizations in the private sector.

Latvia Hacker “Neo” is Folk Hero

From the AP wires:

Latvia’s police confirmed on Thursday they had unmasked the man who became a folk hero for hacking tax office data to reveal fat salaries still being paid to state officials despite an official austerity drive.

“Neo” became famous earlier this year for publishing the tax office data of highly paid state officials, some of whom continued to receive salaries that went into thousands of lats or who got bonuses even as the government was cutting old age pensions, raising taxes and reducing spending.

I guess he swallowed the Red Pill.

Biometric ID Cards Thwart Illegal Employment?

Time magazine recently quoted two Senators claiming that a biometric ID card will help stop illegal employment because employers can check and determine if the person they seek to hire is eligible for work. Here’s the thrust of the legislation:

“If you say they can’t get a job when they come here, you’ll stop it,” Schumer told the Wall Street Journal.

Unfortunately as long as cash is used to transact business, illegal immigrants will be able to find employment. The question is simply: what percentage?

[I should also note there are a host of security issues that surround the ID card and the biometric data stored on it. Card cloning is one issue.]

Unannounced Ethical Hacking

The French Twitter hacker claimed it was an ethical hack. That defense has rarely been credible in the US since 9/11, given the growth of professional security services and the change in cultural mindset.

… he wanted to reveal just how vulnerable online data systems are to break-ins — and he says he didn’t mean any harm. “I’m a nice hacker,” suspect Francois Cousteix told France 3 television Thursday, a day after he was released from police questioning, adding that his goal was to warn Internet users about data security.

Here is why I no longer report security vulnerabilities I find.

Response: Thoughts on the Lower Merion School District

I received the following email:

Are you aware of the flap in our area – Lower Merion, PA – that has international attention? It seems that the school board bought software that can control the laptop camera to track lost or stolen computers. Someone got the bright idea that they could spy on a kid suspected of drug use. Fourth Amendment issues aside, this is spyware. It seems a great opportunity to alert the public of how likely things like this may well be on their computers. You might have the needed “Bully Pulpit.”

I’ve been silent on this issue for a while. Here’s my email reply to the inquiry:

It’s a very difficult case. When does the public sphere end and the private one begin? Would you be against turning on the camera/mic if it occurred only on school grounds? Could asset tracking software constitute a breach of privacy even if it does not turn on the camera and microphone? What about administrators who need to update the machine with the latest patches, software versions, etc?

I admit that I do not have the answers to these questions and how to proceed. Intuitively I think that software that remotely turns on the camera and mic should categorically be denied on public/school computers. Laptops will, however, need some type of asset tracking (perhaps installed in the BIOS at the hardware level) to prevent theft of devices and illegal resales of hardware. If the BIOS tracking were disclosed and explained to the laptop recipient, then I think it would be OK. Updating software remotely may give too much access to administrators, who could then install additional “spyware”. How to proceed with such laptop maintenance is still unclear to me.

NYT: Push Iranian Revolution via Software

The New York Times has an interesting article on how to help Iran’s Green Movement and push the country toward Democracy. Don’t issue new sanctions, allow them free software! I think it’s particularly brilliant:

The sanctions will feel cathartic, satisfy the have-to-do-something itch in the Congress, and change nothing. I’m just about resigned to that. But there is a smarter approach to Iran: Instead of constraining trade, throw it open.

Verma wrote: “The Department of State is recommending that the Department of Treasury’s Office of Foreign Assets Control (O.F.A.C.) issue a general license that would authorize downloads of free mass-market software by companies such as Microsoft and Google to Iran necessary for the exchange of personal communications and/or sharing of information over the Internet such as instant messaging, chat and e-mail, and social networking.”

Now that’s smart! There’s a way to bolster the remarkable, still unbowed opposition movement in Iran as well as weaken the Revolutionary Guards’ stranglehold on society and the economy. And what has O.F.A.C. done about this request in the past two months?

Nothing.

No license has been issued. It’s still illegal for Microsoft to offer MSN Messenger in Iran. Instead, earlier this month, Treasury sanctioned four Guards companies — a meaningless gesture. Treasury has things upside down.

Now if they would only include encryption modules!

Crash: Toyota’s Closed Data System

Did you know that your car has a black box similar to an airplane’s? Most car companies use an open platform that allows this black box data to be downloaded and analyzed in order to aid investigations. In the February 22nd, 2010 issue of Newsweek, Matthew Philips reported that Toyota uses a closed data system. Unfortunately this article is not online so I cannot link to it, but it is on page 12 of the current issue.

The article gives no indication whether or not the data is encrypted or encoded. My guess is that it’s an unencrypted proprietary format. It seems unlikely to me that Toyota would go through such efforts to protect/encrypt data that they claim is not designed for accident reconstruction but rather intended to “aid research on safety systems such as airbags.”

Given the Toyota recall, we see the double-edged nature of closed systems: on one hand, the data is protected from eyes outside Toyota; on the other hand, the lack of transparency (and non-compliance with industry open standards) leaves the company exposed to the larger justice system’s charge that it was negligent about the technical malfunctions that lead to a higher crash rate.

10,000 TSA staff to get secret intel

This is an interesting decision. The public will most likely never know about the false positives (identifying a person as a potential terrorist when they are not one) that this change in policy is almost guaranteed to produce:

The 10,000 people in line to get classified information are managers, supervisors and “behavior detection officers” who roam airports looking for suspicious people. They represent about 20% of the TSA’s airport workforce and exclude screeners who scan passengers and bags.

The information will give workers details about terrorist “tactics, planning, operations and threats,” TSA spokeswoman Sterling Payne said. Those details “give context to things they see every day which may otherwise not appear unusual” and let workers “exercise discretion” in dealing with travelers, Payne added. She would not elaborate on specific intelligence the workers will get. All TSA airport workers now get daily intelligence briefings that include less sensitive information.

This change in policy (I believe) was a response to the underwear bomber. In infosec vulnerability language, it is a response to false negatives: the screening missed a real threat.

Security professionals (should) err on the side of caution, so false positives within normal bounds are acceptable. It will be interesting to see what happens if (and when) there are egregious ones.

NYT: Wrong about China Security

The New York Times ran a story on how China is under constant security attacks and how vulnerable their infrastructure may be:

Despite China’s robust technological abilities, its cyber defenses are almost certainly more porous than those of the United States, American experts say. To cite one glaring example, even Chinese government computers are frequently equipped with pirated software from Microsoft, they say. That means many users miss out on security upgrades, available to paying users, that fix security breaches exploited by hackers. (emphasis mine)

100% WRONG: Paul Cooke from Microsoft states on the Windows Security Blog:

There seems to be a myth that Microsoft limits security updates to genuine Windows users.

Let me be clear: all security updates go to all users.

Not only do all security updates go to all users’ systems, but non-genuine Windows systems are able to install service packs, update rollups, and important reliability and application compatibility updates. In addition, the users of non-genuine Windows systems can also upgrade a lot of the other software on their computer.

Given my experiences in South Korea/Asia, this porousness is more likely due to a lack of policy, a lack of enforcement of existing policy and a low priority given to information security than to pirated Windows software. Non-uniform policies and uneven application of security resources, as well as little respect for, and little education about, the infosec policies by those subject to them, are also primary factors. Most infosec professionals in the US experience something akin to the following at one point or another:

Deep inside a Chinese military engineering institute in September 2008, a researcher took a break from his duties and decided — against official policy — to check his private e-mail messages. Among the new arrivals was an electronic holiday greeting card that purported to be from a state defense office.

The researcher clicked on the card to open it. Within minutes, secretly implanted computer code enabled an unnamed foreign intelligence agency to tap into the databases of the institute in the city of Luoyang in central China and spirit away top-secret information on Chinese submarines.

It’s just not a uniquely Chinese situation.

Spam used to sway UK Tax poll outcome

It is alleged that Goldman Sachs did this in London:

The Robinhood Tax campaign claimed that one of the two computers used to spam the Internet poll with “no” votes on Thursday, belonged to the investment bank.

Technical staff for Robinhoodtax.org.uk said that the website registered more than 4,600 negative votes over a 20-minute period starting at 3.41pm.

The number of “no” votes jumped from 1,400 to 6,000 before the site’s security was tightened.

I wrote about this possibility — although using a different technique to simply change public opinion — back in 2008 for the US presidential elections.
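The numbers above (4,600 votes in 20 minutes from two computers) are exactly the kind of burst a per-source rate check catches. The following is an added example, not code from the original post or from Robinhoodtax.org.uk: it processes a constructed vote log in time order, keeps a sliding window of recent votes per source address, flags any source that exceeds an assumed limit of five votes per minute, and re-tallies the poll without the flagged sources. The log format, the addresses (from the RFC 5737 documentation ranges), the thresholds and the 15:41 start time (echoing the 3.41pm in the article) are all assumptions.

```python
# Added example (not the original post's or Robinhoodtax.org.uk's code):
# flag vote-stuffing in a web poll by counting votes per source address
# inside a sliding time window, then re-tally without the flagged sources.
# The log format, the addresses and the thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_PER_WINDOW = 5  # assumed policy: nobody legitimately votes 6 times a minute


def parse_line(line):
    """One constructed log line: '<ISO timestamp> <source IP> <yes|no>'."""
    ts, ip, vote = line.split()
    return datetime.fromisoformat(ts), ip, vote


def find_stuffers(lines, window=WINDOW, max_per_window=MAX_PER_WINDOW):
    """Return {ip: peak votes seen in any window} for sources over the limit.

    Votes are processed in time order; each source keeps a deque of its
    recent timestamps trimmed to the window, so the check is O(1) per vote.
    """
    recent = defaultdict(deque)
    peak = {}
    for ts, ip, _vote in sorted(map(parse_line, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) > max_per_window:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def tally(lines, exclude=()):
    """Count yes/no votes, optionally ignoring flagged source addresses."""
    counts = {"yes": 0, "no": 0}
    for _ts, ip, vote in map(parse_line, lines):
        if ip not in exclude:
            counts[vote] += 1
    return counts


def make_sample_log():
    """Constructed data: 40 organic votes from distinct addresses spread over
    40 minutes, plus two sources each casting 30 'no' votes five seconds apart.
    The date and the 15:41 start time are assumed."""
    base = datetime(2010, 2, 18, 15, 41)
    lines = []
    for i in range(40):
        ts = base - timedelta(minutes=i)
        vote = "yes" if i % 3 else "no"
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} {vote}")
    for ip in ("203.0.113.7", "203.0.113.8"):
        for k in range(30):
            ts = base + timedelta(seconds=5 * k)
            lines.append(f"{ts.isoformat()} {ip} no")
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    flagged = find_stuffers(log)
    print("flagged sources:", flagged)  # {'203.0.113.7': 13, '203.0.113.8': 13}
    print("raw tally:", tally(log))  # {'yes': 26, 'no': 74}
    print("cleaned tally:", tally(log, exclude=flagged))  # {'yes': 26, 'no': 14}
```

The same per-source counter, applied before a vote is accepted rather than after the fact, is the simplest form of the "tightened security" the campaign describes. Its limit is obvious: two machines hammering a poll are easy to spot, but a stuffer who spreads one vote per address across a botnet passes this check untouched, which is why polls that matter tie votes to authenticated accounts or add a CAPTCHA rather than rely on address-based rate limits alone.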