Thursday, October 23, 2008

US passport cards insecure

Do you know what a passport card is? An hour ago I did not. But now I know that the Department of State is trying to offer an alternative to the normal US passport: a passport card, which can be produced for just 45% of the cost of a normal passport. With RFID built into the card it allows US citizens to cross borders to neighboring countries via land or sea. The card contains an ID number that is transmitted when crossing the border. Those numbers are then checked against blacklists. There is just one problem. The numbers can easily be gathered and used to create fake passport cards. Equipment that can be bought for less than $2K can be used to do that.

Here is an article about the passport card by the state department:

Here is a comment from Ari Juels, the director of RSA labs:

1SSA - Security consulting, training and products:

Tuesday, October 21, 2008

Google Ads used to infect users with malware

We all have come to love and hate those Google ads that suddenly pop up over, under, beside or wherever on a website with a text, interrupting our reading with advertisement. Now this type of advertisement might not only have interrupted our reading but also the security of the PCs we are using. According to a news article published in c't, a German IT magazine, Google advertisement (also known as AdWords) has been used to distribute malicious code that exploits vulnerabilities in Adobe's Flash player.

If you are fluent in German, here is the article:


Thursday, October 16, 2008

Europe standardizing on privacy

EuroPriSE, the European Privacy Seal, has officially started its work. Nine European countries are behind EuroPriSE, which is tasked with standardizing privacy requirements and assessment methods for (at least eight of the) EU states. Privacy has been one of the biggest problems in our information-overloaded societies. Hopefully we will eventually see some true international standards that bring the US and the EU a little closer.

Read more at:


Tuesday, October 14, 2008

Fake MS email with PGP signature

Normally I would not post this since it is nowadays a constant annoyance that we are living with: fake emails for phishing, trojan, virus, worm, etc. purposes. But this one was special. Not only was it good at mimicking the language Microsoft normally uses, it also contained a PGP signature block at the bottom! Nice job. Who checks the signature block each time they get a message? Lucky are the ones that use an email program that does it automatically. But not everyone has one like that.

Read the article:


Monday, October 13, 2008

Creditcard readers manipulated to send data to Pakistan

Wowww... In Europe law enforcement discovered credit card readers that had additional electronics built in that allowed them to send information to Pakistan. The only initial difference with the devices, made in China, is that they are 100 grams heavier than a normal reader. An early estimate says the criminals have so far caused $50-$100 million in damage.

Read the full article:


Saturday, October 11, 2008

Deutsche Telekom (again) - This time 30 million customer data breach

I guess I will keep typing and see if Deutsche Telekom continues to trump itself. This time 30 million customers are affected by a data breach that put their confidential data on the Internet. A first reaction from Deutsche Telekom: "We shall adopt a new policy" in respect of communication...well, you could also try to systematically build security into your business processes...but it gets even better: A spokesman said that bank details were not attached, and that "according to our information, even though these details have been put up for sale on the black market, there has not been a buyer." - My crystal ball did not tell me that, but I guess Deutsche Telekom's crystal ball told them. Data is NOT a physical item that can be retrieved. Data can be copied and sold to multiple buyers. Once lost, you can never be sure that it does not surface again, someday, somewhere, in some form!

Read the article here:,2144,3706182,00.html


Major data security breach is still causing Deutsche Telekom headaches

I guess some organizations will never learn, maybe because they used to be owned by the government and still operate like they are, or because they simply have no concept of data privacy and security. Deutsche Telekom and its subsidiary T-Mobile (mainly focusing on mobile phone service) always had a bad reputation with the German population (they used to be the only choice for telephone services), but after a data breach that allowed access to sensitive customer data it issued some statements that really made the German population doubt that it had any concept of data privacy and security. The breach happened in spring 2006 and was only recently disclosed, even though T-Mobile reported the breach to the authorities. I am both amused and shocked by a statement made by Philipp Humm, managing director of T-Mobile Germany: "We are very concerned by the fact that the incident from 2006 is relevant once again. Until now, we were under the assumption that the data in question had been recovered completely as part of the investigations of the public prosecutors' office and were safe." - data is not a car that gets stolen and recovered. Data can be copied a million times without anyone knowing about it.

Read the article here:


Thursday, October 09, 2008

The dilemma with email spam

We all deal with our fair share of email spam every day. If you ask me, I do not see any improvement in the number of spam messages I receive, no matter what legislation is passed or what "cool" anti-spam technology hits the market. My mailbox has received the same amount of spam for years now. Once in a while it goes up a bit, usually when spammers discover a new way to get around anti-spam techniques (e.g. PDF spam), and a couple of months later it goes down again, when the anti-spam vendors have caught up with that new way of distributing spam. As with malicious code, we are always one step behind. When is this going to change? Technically it could have changed years ago, when major email providers (e.g. Yahoo, AOL, etc.) tried to implement better authentication/security into email. Unfortunately that lost momentum quickly due to the sheer number of mail servers. We are facing the same problem with the DNS system: too many DNS servers to change if a new technology arrives that addresses the DNS security problems we have seen lately.

Here is an interesting article on how spammers check if they have a valid email account:


Wednesday, October 08, 2008

Clickjacking - Serious security problems

Clickjacking is the latest flavor of attack that "bad" people use to gain access to your information, your money and even your web cam or microphone. Take a look at the YouTube video that shows how a simple online game can be used to enable the camera and microphone to listen to and watch you in front of your computer.

YouTube Video showing how it works:

Blog Entry about Click Jacking:


Tuesday, October 07, 2008

VMware patches 64 Bit emulator bug

It is interesting how VMware goes down the path of maturity like so many other vendors before it. From "it is more secure" to "it is just another piece that can fail and has flaws". This time VMware is patching a serious problem with its 64-bit emulator. An error in the 64-bit CPU emulation makes the VM jump to the wrong address when it receives a JMP instruction.

Read the article here:


Study shows that hotel networks are lacking security

This does not surprise me at all. I have been talking about this for years. Sometimes "looking around" on a hotel network is like a who's who of consulting companies. Some of them happily name their laptops with a name that includes the firm's name. Worse is that most laptops are configured to trust (at least to a certain degree) the local network, meaning in the worst case every machine on a hotel network can access another machine's services. To add to this scenario, make it wireless...

Cornell did their own study, which shows that most U.S. hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from Internet security problems.

Read the full article:


Stolen republican party laptop had no security safeguards in place

This is like a never-ending repeat. You would think that the government, or in this case politicians and their staff, had learnt from the past. Not the recent past, but maybe from the last three years? What is really interesting is that the victims now also publicly admit that the stolen laptop contains "...the type of stuff we wouldn't want another campaign to have,...". Wonderful, now the thieves know that they can get even more money for the laptop...I guess from either party.

Read the full article:


Monday, October 06, 2008

Was Forever 21 wrongly certified PCI compliant?

The risk of being a security professional...I find it shocking and entertaining at the same time that a merchant takes a PCI certification as an excuse for a lack of security and responsibility.

Breached clothing retailer Forever 21, which last week said it has been Payment Card Industry (PCI) compliant since 2007, apparently should have never been certified.
The Los Angeles-based company told a retail blog this week that its PCI Data Security Standard assessor failed to unearth tens of thousands of credit card files that it was unknowingly storing despite being unauthorized to do so.

Read the full article:


Researcher finds server with stolen FTP credentials

An Israeli researcher has uncovered a criminal server containing the FTP account credentials for nearly 100,000 legitimate websites across 86 countries, including the U.S. Postal Service and several universities here.

Of the 200,000 credentials the criminals were storing, the criminals deemed 107,000 to be valid and some 80,000 led to web content, he said. More than 60 percent were associated with web servers in Europe, but many U.S. organizations were victimized, including the University of Pennsylvania's Wharton School and the University of Southern California.

Read the full article:


Data Breaches Expose About 30M Records in '08

U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud.

Read the full article at:


Friday, October 03, 2008

Nevada mandates encrypted personal data communication

On one hand I applaud Nevada for stepping up to protect personal information; on the other hand it is just another step in the direction of slicing security up even smaller, overloading the already very busy security professionals. Not only do we need to worry about international privacy and security standards (if we happen to work for a company operating internationally), but now the US by itself is becoming a major challenge. What happens if my company has a branch in Nevada but the rest is all over the US? Don't get me wrong, we need stronger privacy and security laws, but on a federal level!

Read the full article:


Hackers penetrate South Korean missile manufacturer

According to news reports some hackers were able to steal information from a South Korean missile manufacturer. They planted some malicious code on the computer systems that eventually allowed them to gain access to secret data about missiles.

Read the full article at:


Thursday, October 02, 2008

TCP weakness could potentially result in new DoS attacks

Two researchers (reportedly) discovered a new weakness in the TCP implementation that allows DoS attacks on high-bandwidth web servers (e.g. Google, eBay, etc.) even from a relatively small uplink. So far no independent verification has been done, but it would not surprise me if this is just another major flaw that we have to deal with.

Read Robert Graham's blog post:


Wednesday, October 01, 2008

Phorm becomes Webwise

Back in 2006 British Telecom (BT) and Phorm tested the idea of personalized advertisement by secretly collecting information about the surfing habits and destinations of 18,000 of its customers. Since 09/30/08 BT has been offering 10,000 of its online customers a program which is now called "Webwise". None of this is new; what is quite concerning is the label that BT puts on it. It is sold as an online protection/security service. In reality it tracks all of the user's online transactions, from URLs visited to searches done on search engines, in order to inject targeted advertisement into the data streams to the user.

Read the full article at:


Tuesday, September 30, 2008

Cross-site request forgery - What comes next?

A pair of Princeton University researchers announced Monday that they have discovered cross-site request forgery (CSRF) vulnerabilities on four popular websites — ING Direct, YouTube, MetaFilter and The New York Times.

Researchers found CSRF vulnerabilities on The New York Times website which made user email addresses available to an attacker. On ING Direct's website, attackers could open up bank accounts on behalf of a user and transfer funds into their own account.

Read the full article here:
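The ING Direct case above (a logged-in user's browser being made to submit a transfer) and the standard synchronizer-token defence against it, as an added example that is not code from the article or the researchers. The in-memory sessions, balances, user names and request shape are constructed for illustration:

```python
"""Synchronizer-token CSRF defence around a toy 'transfer funds' endpoint (constructed example)."""
import hmac
import secrets

# Constructed in-memory state: session cookie -> {user, csrf token}; user -> balance.
SESSIONS = {}
BALANCES = {"alice": 100, "mallory": 0}


def login(user):
    """Issue a session cookie and, alongside it, a random per-session CSRF token."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return cookie


def csrf_token_for(cookie):
    """The token the site embeds in its own forms. The same-origin policy stops another
    site from reading it, so a form forged on a third-party page cannot include it."""
    return SESSIONS[cookie]["csrf"]


def _do_transfer(src, dst, amount):
    if amount <= 0 or dst not in BALANCES or BALANCES.get(src, 0) < amount:
        return "rejected: bad transfer"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return f"ok: {src} -> {dst} {amount}"


def transfer_unprotected(request):
    """'Before': the session cookie is the only check. Browsers attach cookies to
    cross-site form posts, so a hidden auto-submitting form on another page passes it."""
    sess = SESSIONS.get(request["cookie"])
    if sess is None:
        return "unauthenticated"
    form = request["form"]
    return _do_transfer(sess["user"], form["to"], int(form["amount"]))


def transfer_protected(request):
    """'After': the POST must also carry this session's CSRF token (constant-time compare)."""
    sess = SESSIONS.get(request["cookie"])
    if sess is None:
        return "unauthenticated"
    form = request["form"]
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return "rejected: missing or wrong CSRF token"
    return _do_transfer(sess["user"], form["to"], int(form["amount"]))


def demo():
    """Victim alice is logged in; a page she visits auto-submits a transfer to mallory."""
    BALANCES.update({"alice": 100, "mallory": 0})
    cookie = login("alice")
    forged = {"cookie": cookie, "form": {"to": "mallory", "amount": "100"}}
    results = {"forged_unprotected": transfer_unprotected(forged)}   # drains the account
    BALANCES.update({"alice": 100, "mallory": 0})
    results["forged_protected"] = transfer_protected(forged)         # rejected: no token
    legit = {"cookie": cookie,
             "form": {"to": "mallory", "amount": "10", "csrf": csrf_token_for(cookie)}}
    results["legit_protected"] = transfer_protected(legit)           # the site's own form works
    results["balances"] = dict(BALANCES)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same token check is what keeps the New York Times-style information leak out of reach too: a cross-site request that cannot present the token gets no account-specific response.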


Monday, September 29, 2008

Adobe Exploit toolkit in the wild

An Adobe exploit toolkit has been discovered in the wild. It seems that it has already reached a quite mature state, with all kinds of features that can make security professionals' lives miserable. PDF, once the format of trust for exchanging information with untrusted parties, can now become another victim of its own functionality.

The full article can be found here:


Friday, September 26, 2008

Brits happy to hand over password details for £5 gift voucher

This should tell security professionals something... Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher, the public at large takes a hard line on firms who fail to keep a tight hold on customer data. Maybe a topic for the next security training session?

Read the full article here:


Cloned US ATM cards used in the UK at self checkouts

"Plastic money", no matter in which form (ATM card, credit card, debit card, blah blah...), has a significant flaw. US-issued cards fall back to using data from the magnetic stripe in cases where the card does not support Chip and PIN. For the longest time card readers and writers that could write that information were not available to the public, at least in certain countries, and that was already the flaw. Nowadays it is very easy to copy such cards, or to create them once you have the information that needs to go on the card.

Read the full article at:


Passport snooping public servant faces year in prison

A bored former State Department analyst faces up to a year behind bars as a result of his penchant for reading the passport files of celebrities. In our information-overloaded society: access rights, trust and the ability to make an informed decision (i.e. what does an airport TSA screener know about my computer files? - a separate post on this topic is coming).

Read the full article at:


Thursday, September 25, 2008

World's electrical grids open to attack

History repeats....doesn't that sound like something we had 10-12 years ago? People discovering buffer overflows in all kinds of applications. Now hackers and security experts are discovering the edge technologies of IT, e.g. SCADA.

Read the full article:


Wednesday, September 24, 2008

US and China top cyber attacker list

According to a study the United States tops the list of cyber attackers against SecureWorks' clients with 20.6 million attempted attacks originating from computers within the country.

China ran second with 7.7 million attempted attacks emanating from computers within its borders. This was followed by Brazil with over 166,987 attempted attacks, South Korea with 162,289, Poland with 153,205, Japan with 142,346, Russia with 130,572, Taiwan with 124,997, Germany with 110,493, and Canada with 107,483.

The only two questions I have are: What is your customer base? Is it distributed evenly across the globe? Studies/statistics can sometimes paint a wrong picture, even though I believe that the overall distribution of attackers could be right.

Having talked with a friend in China I get the impression that they are in a phase of Internet adoption that we had back in 2000. Not much strategic thinking around security. (E.g. today ISPs in the US offer free antivirus software. They have learnt that, for example, a worm that spreads across their customer base only backfires on them: congested networks, unhappy customers, etc. Investing in a free antivirus solution for their customers helped and in the end paid for itself.)


Tuesday, September 23, 2008

Certification still pays for CISSPs, CISMs

Of 165 IT certs, 17 increased in value...7 of those being security certs. The trend starts with compliance concerns, and security awareness has grown from there. With increased awareness comes a greater need for experienced security pros to manage security plans and systems. Info Sec has proven to be one of the most stable IT niches.


Two-thirds of US companies victims of cyber-crime in 2005

According to a report compiled by the US Department of Justice (DoJ), two-thirds of the companies replying to its survey have been a victim of cyber-crime. The DoJ received more than 7800 replies to its request for information. That is 23% of all the requests sent out.

Read the report here:


Monday, September 22, 2008

Kaspersky with new patents...faster and better in recognizing rootkits

Kaspersky registered several patents with the US patent office. Most of them aim at increasing speed (most readers know that this is a favorite topic of mine), but there are also new approaches to finding rootkits. Overall, none of the patents is really new, according to AV-TEST, a website that tests antivirus solutions.

Here is one of the patents:


DNSSEC for .gov

According to a Network World article the US government has decided to deploy DNSSEC, a technology that replaces the old, venerable DNS service that is used to look up Internet addresses of websites and email servers. The old system was the target of multiple attacks in recent years and was never designed for the Internet as it is used today.

Read more at:


Sunday, September 21, 2008

After Trend now Kaspersky...killing Windows Vista

After Trend Micro, now Kaspersky...both vendors released updates to their antivirus products that identified valid (not infected) Windows Vista system files as infected and deleted or quarantined them. As a result, after a reboot users got stuck with the famous blue screen. The latest signature files should address the issue...but the question comes up where we are heading with the signature-based anti-virus approach. It slows systems down more and more due to the constantly increasing number of virus signatures that need to be checked, and how much longer before we run into the issue of valid files being identified as infected (maybe we have reached that point already)? A signature is only a few bytes long, and some vendors have other methods to check for an infection, but one thing that we learnt from those two incidents is that it is not foolproof.

For German speakers, here is a link to Kaspersky's German forum with lots of "stressed" users:


Friday, September 19, 2008

Clickjacking...what comes next?

Clickjacking is nothing new, but so far nobody really came up with a way to use it for bad things. I guess this has changed: some guys tried to present their discovery at the OWASP (Open Web Application Security Project) conference in New York this month, but I guess there was too much explosive material in it and the presentation was canceled. So what is clickjacking? It makes a user click on a link/button/etc. that is only visible for a short time or hardly visible at all.

I personally was thinking about this for years, being annoyed by Windows' behavior of switching the focus of windows right in the middle of me typing a password...I think most of us have had that happen, at least most of us power users ;-) This might not qualify as a clickjacking attack, but for sure it is annoying and has resulted in at least one of my passwords going out via IM message to a friend.

Read more about clickjacking (or why nobody should know about the security problems associated with it) here:


Wednesday, September 17, 2008

NSA snooping on cell phone calls

According to a posting on Bruce Schneier's blog the NSA seems to have triggered a new market for data mining in the cell phone space.

Read the full post here:


Phishing is out and Trojans are back in according to an APWG report

According to the latest report released by the Anti-Phishing Working Group (APWG), there is a trend of websites being used to distribute malicious code (Trojans), and this has now outnumbered phishing attacks.

You can download the report from here:

Business Week website hacked - Another victim of SQL injection

And another prominent victim of a SQL injection attack. Most people do not know it, but tools are now widely available that automate such attacks. Sooner or later the attacker will find a vulnerable site where the tool is successful....scary, but in the battle of good and evil we are unfortunately always one step behind.

Here is the full article on Sophos' blog:

Monday, September 15, 2008

Hackers infiltrate Large Hadron Collider systems

Hackers have mounted an attack on the Large Hadron Collider, raising concerns about the security of the biggest experiment in the world.


Saturday, September 13, 2008

Cloud computing may draw government action - Network World

Cloud computing has been pitched as the silver bullet for resource management. Big players are already offering it. Now it draws some more attention and I think some of the concerns are quite justified.


Friday, September 12, 2008

iPhone records all user actions according to an iPhone hacker

That is what we need, another privacy issue...The iPhone is recording everything users see and do on their devices, for caching purposes, an iPhone hacker has said.

Read the full article at:,1000000189,39487429,00.htm


Wednesday, September 10, 2008

Stolen laptops at airport number too high?

It seems like Computer World magazine did not buy into a common study that claims that thousands of laptops get stolen every week at US airports. The numbers seem to be a little high, and Computer World did some research....Here is the link:


Tuesday, September 09, 2008

PwC in Germany loses unknown amount of user data including clear text passwords

You would expect that one of the leading audit companies would play by the rules it preaches to its customers. But it seems that PricewaterhouseCoopers (PwC) in Germany had a major security breach, according to ZDF, the German public TV channel. At least 56,000 users of their online application system have been affected. To make it worse, PwC is currently not sure how many data elements have been affected. But to top the whole story: the passwords used by applicants were stored in clear text (!!) and have been used for attacks on online payment systems like Moneybookers and Click&Pay, using the passwords stolen from PwC.

On a side note:
According to the German magazine WiSo, which conducted a survey with 2000 users, approximately 80% of them use the same password for their online accounts. Which is not surprising in our information-rich society, requiring us to have sometimes 20-30 accounts with passwords.

Here is the German online article:

Monday, September 08, 2008

4 critical patches coming from Microsoft in the September patch round

The never ending story of buffer, heap, etc. overflows...this time the full bandwidth of Microsoft products is affected. Let's see if my PC boots up Tuesday after the patches have been applied.

See Microsoft's announcement below:

Trend Micro identifying Microsoft operating system files as Trojans

Oh well, after over a decade of anti-virus products we still use pattern recognition as the primary method of identifying malware....I guess either we ran out of patterns or Trend Micro was a little too aggressive ;-)

Recent updates from Trend Micro Internet Security, pattern 5.521.50 and 5.525.50, detected the Microsoft operating system files as Troj_Generic or Troj_Generic.ADV and quarantined them.

Read the Trend Micro Support update here:

Thursday, September 04, 2008

The Number of Machines Controlled by Botnets Has Jumped 4x

Increasing number of compromised machines in botnets.


Wednesday, September 03, 2008

Study: 88% of IT Pros Would Steal Passwords or Data if Fired

If you needed another reason to keep your sysadmins happy: Out of 300 IT pros polled by security company Cyber Ark, 88% said they would steal sensitive data or futz with master login passwords if they happened to be fired.


Security spending continues despite shaky economy, Forrester

An uncertain economy is causing many companies to do some budget tightening, but the continued barrage of data breach news has helped keep data security a priority in most company board rooms, says Khalid Kark, a principal analyst at Cambridge, Mass.-based Forrester Research Inc. In this interview, Kark shares some of the details of a recent securi


Procter & Gamble outsources security to IBM, but keeps security staff

Outsourcing is a reality nowadays, and if done right it can create win-win situations for everyone involved. Standard tasks that overwhelm security professionals nowadays are one candidate for outsourcing. Seems like someone at Procter & Gamble understood that.

Here is the full article:

1SSA can help with evaluating what and how to outsource security!

Tuesday, September 02, 2008

Hackers attacking Iraq's vulnerable computers

It seems like we have reached a new level in the war against terror, at least in Iraq. Now that the infrastructure is halfway working again, hackers are attacking computer systems.

Read the full article at:

Online Gamers target of Virus authors

I was kind of amazed to hear this, but it kind of makes sense. The online gamer has emerged as the primary target of virus authors. Even the virus discovered on the space station some weeks back was targeted at online gamers. According to NOD32 producer Eset, Win32/PSW.OnLineGames was, with 13 percent, the #1 virus in July. McAfee even estimates that a stolen WoW account is worth $10, more than stolen credit card data, which is valued at 50 cents (!!) nowadays.

Here is a nice report that McAfee has put together:

Data breaches in 2008 outpace 2007's

The number of data breaches reported in 2008 has surpassed those reported in 2007, according to the Identity Theft Resource Center (ITRC), a non-profit organization tracking the statistics.

See the full article at:,289142,sid14_gci1327048,00.html?track=sy160

Monday, September 01, 2008

VMware - security problems

It is kind of "cute" to talk with folks that are specialized in makes me remember the times when a new OS had to be more secure....sure it is more complex, but for that reason it must be more secure....hmmmm...I think at least with OSes we have learnt that a new release does not always mean more security. With VMware, for years everyone believed that it made the world more secure...lately VMware is cranking out more and more patches. This time to prevent address information disclosure, privilege escalation and other security issues....whatever that means. The reality is that we take physical controls and emulate them in the VMware system....what comes next?

Here is the VMware announcement:

USB stick/Thumbdrive - AES encryption cracked

Wasn't everyone relieved when we finally saw USB sticks/thumbdrives (and whatever other names those little fellows got) come up with AES encryption? Expensive, but worth the money, protecting valuable company data with hardware encryption...correct...oh well...it's all in the details. According to c't, a German computer magazine, at least one of the encrypted fellows has been cracked.

According to the magazine there is a serious flaw that the developers of the encrypted USB thumbdrive stumbled over. A security process...and most of us should be familiar with it...storing already used passwords to check if a user really changed the password. BTW...the USB stick was FIPS 140-2 certified....ouch!

If you can read German, here is the link to the full article:
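Two posts above touch the same design point: PwC storing applicants' passwords in clear text, and the USB stick whose "has the user really changed the password?" check was built on stored previous passwords. The following is an added example (not code from either product or article) of how a password history can be enforced while keeping only salted PBKDF2 hashes; the class name, history depth and iteration count are my own choices:

```python
"""Password history without plaintext: only salted PBKDF2 hashes are kept (constructed example)."""
import hashlib
import hmac
import os


class PasswordStore:
    """Holds the current password hash plus the last HISTORY hashes. A candidate new
    password is re-hashed with each record's own salt and compared, so both "is it
    really different?" and "is it an old one again?" are answered without any
    plaintext password, past or present, ever being written down."""

    HISTORY = 5            # number of previous passwords remembered (assumed policy)
    ITERATIONS = 100_000   # PBKDF2 work factor; tune for the target hardware

    def __init__(self):
        self.current = None   # (salt, digest) of the password in use
        self.history = []     # earlier (salt, digest) pairs, most recent first

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PasswordStore.ITERATIONS)

    def _matches(self, password, record):
        """Re-derive with the record's salt and compare in constant time."""
        salt, digest = record
        return hmac.compare_digest(self._hash(password, salt), digest)

    def verify(self, password):
        return self.current is not None and self._matches(password, self.current)

    def change(self, old, new):
        """Set a new password. 'old' is not checked on first set-up (no password yet)."""
        if self.current is not None and not self.verify(old):
            return "rejected: current password wrong"
        if self.current is not None and self._matches(new, self.current):
            return "rejected: unchanged"
        if any(self._matches(new, rec) for rec in self.history):
            return "rejected: reused"
        if self.current is not None:
            self.history.insert(0, self.current)
            del self.history[self.HISTORY:]      # drop records beyond the policy depth
        salt = os.urandom(16)                    # fresh random salt per password
        self.current = (salt, self._hash(new, salt))
        return "ok"

    def stores_plaintext(self, password):
        """Audit helper: do the literal password bytes appear anywhere in what is kept?"""
        needle = password.encode("utf-8")
        records = ([self.current] if self.current else []) + self.history
        return any(needle in salt or needle in digest for salt, digest in records)


if __name__ == "__main__":
    store = PasswordStore()
    print(store.change(None, "first-secret"))             # ok
    print(store.change("first-secret", "second-secret"))  # ok
    print(store.change("second-secret", "first-secret"))  # rejected: reused
    print(store.stores_plaintext("first-secret"))         # False
```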

BBC - Man's 'pants' password is changed

According to a BBC news report the British bank Lloyds TSB had an incident with a customer that had his password changed by one of its employees. Sounds to me like a serious problem with access rights and password change process in general.

'A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not". Steve Jetley, from Shrewsbury, said he chose the password after falling out with Lloyds TSB over insurance that came free with an account.
He said he was then banned from changing it back or to another password of "Barclays is better". The bank apologised and said the staff member no longer worked there. ' - BBC

Read the full news report here:

Welcome to 1SSA's security blog!


This is the new 1SSA blog with the latest security news !

Daily updates will bring you the latest news around Information Security.


Frank Siepmann