Thursday, October 23, 2008

US passport cards insecure

Do you know what a passport card is? An hour ago I did not. But now I know that the Department of State is trying to offer an alternative to the normal US passport: a passport card, which can be produced for just 45% of the cost of a normal passport. With RFID implemented on the card, it allows US citizens to cross borders to neighboring countries by land or sea. The card contains an ID that is transmitted when crossing the border; those numbers are then checked against blacklists. There is just one problem: the numbers can be easily gathered and used to create fake passport cards, and the equipment to do so can be bought for less than $2K.

Here is an article about the passport card by the state department: http://travel.state.gov/passport/ppt_card/ppt_card_3926.html

Here is a comment from Ari Juels, the director of RSA labs: http://www.rsa.com/rsalabs/node.asp?id=3557
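The weakness the post describes, as a toy model added here (it is not the passport card's real protocol, and the ids, keys and blacklist are constructed): a reader that only compares a transmitted identifier with a blacklist cannot tell a copied identifier from the original, whereas a reader that sends a fresh nonce and checks a keyed response rejects a clone that has only the identifier.

```python
"""Toy model of the contrast drawn above: a reader that only checks a
transmitted identifier against a blacklist accepts a copied identifier,
while a reader that issues a nonce and expects a keyed response does not.
Added illustration, not the passport card's real protocol; card ids, keys
and the blacklist are constructed."""
import hashlib
import hmac
import os

# Constructed blacklist of revoked identifiers.
BLACKLIST = {"9001"}


def static_id_check(transmitted_id: str) -> bool:
    """The scheme the post describes: a bare id is compared with a blacklist.
    Anything not listed is accepted, so a captured and replayed id passes."""
    return transmitted_id not in BLACKLIST


class GenuineCard:
    """Holds a per-card secret that never leaves the card; only a MAC does."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, nonce: bytes):
        tag = hmac.new(self._key, nonce + self.card_id.encode(), hashlib.sha256).digest()
        return self.card_id, tag


class ClonedCard:
    """Built from a captured transmission: it knows the id but not the key."""

    def __init__(self, card_id: str):
        self.card_id = card_id

    def respond(self, nonce: bytes):
        # No key, so the best it can do is replay the id with a bogus tag.
        return self.card_id, bytes(32)


class ChallengeResponseReader:
    """Issuer-side verification: fresh nonce per read, MAC checked against
    the key on record for that id, and the blacklist still applied."""

    def __init__(self, issued_keys: dict):
        self.issued_keys = issued_keys

    def verify(self, card) -> bool:
        nonce = os.urandom(16)
        card_id, tag = card.respond(nonce)
        if card_id in BLACKLIST:
            return False
        key = self.issued_keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce + card_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run both designs against a genuine card and a clone of it."""
    key = os.urandom(32)
    genuine = GenuineCard("1234", key)
    clone = ClonedCard("1234")
    reader = ChallengeResponseReader({"1234": key})
    return {
        "static_accepts_clone": static_id_check(clone.card_id),
        "cr_accepts_genuine": reader.verify(genuine),
        "cr_accepts_clone": reader.verify(clone),
        "cr_rejects_blacklisted": not reader.verify(GenuineCard("9001", key)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is the last three results: the same blacklist still revokes a genuine card, but a clone that has only the number cannot answer a nonce it has never seen, because the tag depends on a key the card never transmits.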

1SSA - Security consulting, training and products: http://www.1ssa.net

Tuesday, October 21, 2008

Google Ads used to infect users with malware

We all have come to love and hate those Google ads that suddenly pop up over, under, on the side or wherever on a website, interrupting our reading with advertisements. Now this type of advertisement might not only have interrupted our reading but also compromised the security of the PCs we are using. According to a news article published in c't, a German IT magazine, Google advertising (also known as AdWords) has been used to distribute malicious code that exploits vulnerabilities in Adobe's Flash Player.

If you are fluent in German, here is the article: http://www.heise.de/security/Google-Werbung-wird-als-Malware-Schleuder-missbraucht-Update--/news/meldung/117564

Thursday, October 16, 2008

Europe standardizing on privacy

EuroPriSE, the European Privacy Seal, has officially started its work. Nine European countries are behind EuroPriSE, which is tasked with standardizing privacy standards and assessment methods for (at least eight of the) EU states. Privacy has been one of the biggest problems in our information-overloaded societies. Hopefully we will eventually see some true international standards that bring the US and the EU a little closer.

Read more at: http://www.european-privacy-seal.eu/

Tuesday, October 14, 2008

Fake MS email with PGP signature

Normally I would not post this, since fake emails for phishing, trojan, virus, worm, etc. purposes are nowadays a constant annoyance that we are living with. But this one was special. Not only was it good at mimicking the language Microsoft normally uses, but it also contained a PGP signature block at the bottom! Nice job. Who checks the signature block each time you get a message? Lucky are the ones that use an email program that does it automatically. But not everyone has one like that.

Read the article: http://www.scmagazineus.com/Fake-Microsoft-email-contains-backdoor-virus/article/119306/

Monday, October 13, 2008

Credit card readers manipulated to send data to Pakistan

Wowww... In Europe, law enforcement discovered credit card readers with additional electronics built in that allowed them to send information to Pakistan. The only initial difference with the devices, made in China, is that they are 100 grams heavier than a normal reader. So far the criminals have caused $50-$100 million in damage, an early estimate says.

Read the full article: http://online.wsj.com/article/SB122366999999723871.html?mod=googlenews_wsj#printMode

Saturday, October 11, 2008

Deutsche Telekom (again) - This time 30 million customer data breach

I guess I keep typing and see if Deutsche Telekom continues to trump itself. This time 30 million customers are affected by a data breach that puts their confidential data on the Internet. A first reaction from Deutsche Telekom: "We shall adopt a new policy" in respect of communication... well, you could also try to systematically build security into your business processes... but it gets even better: A spokesman said that bank details were not attached, and that "according to our information, even though these details have been put up for sale on the black market, there has not been a buyer." My crystal ball did not tell me that, but I guess Deutsche Telekom's crystal ball told them. Data is NOT a physical item that can be retrieved. Data can be copied and sold to multiple buyers. Once lost, you can never be sure that it does not surface again, someday, somewhere, in some form!

Read the article here: http://www.dw-world.de/dw/article/0,2144,3706182,00.html

Major data security breach is still causing Deutsche Telekom headaches

I guess some organizations will never learn, maybe because they used to be owned by the government and still operate like they are, or they simply have no concept of data privacy and security. Deutsche Telekom and its subsidiary T-Mobile (mainly focusing on mobile phone service) have always had a bad reputation with the German population (they used to be the only choice for telephone services), but after a data breach that allowed access to sensitive customer data, it issued some statements that really made the German population doubt that it had any concept of data privacy and security. The breach happened in spring 2006 and was only recently disclosed, even though T-Mobile had reported the breach to the authorities. I am kind of amused and shocked by a statement made by Philipp Humm, managing director of T-Mobile Germany: "We are very concerned by the fact that the incident from 2006 is relevant once again. Until now, we were under the assumption that the data in question had been recovered completely as part of the investigations of the public prosecutors' office and were safe." Data is not a car that gets stolen and recovered. Data can be copied a million times without anyone knowing about it.

Read the article here:
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210700232

Thursday, October 09, 2008

The dilemma with email spam

We all deal with our fair share of email spam every day. If you ask me, I do not see any improvement in the number of spam messages I receive, no matter what legislation is passed or what "cool" anti-spam technology hits the market. My mailbox has received the same amount of spam for years now. Once in a while it goes up a bit, usually when spammers discover a new way to get around anti-spam techniques (e.g. PDF spam), and a couple of months later it goes down again, when the anti-spam vendors have caught up with that new way of distributing spam. As with malicious code, we are always one step behind. When is this going to change? Technically it could have changed years ago, when major email providers (e.g. Yahoo, AOL, etc.) tried to implement better authentication/security into email. Unfortunately that lost momentum quickly due to the number of mail servers that would have to change. We are actually facing the same problem with the DNS system: too many DNS servers to change when a new technology arrives to address the DNS security problems we have seen lately.

Here is an interesting article on how spammers check whether an email account is valid: http://www.scmagazineus.com/Spammer-campaign-exploits-email-read-receipts/article/119130/
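The receipt trick the linked article covers works only if the client answers automatically, so the defensive check belongs in the client: spot the headers that request a disposition notification and never send one without asking. The following is an added example, not code from the original post or the linked article; the sample message is constructed, and the header names are the standard one from RFC 3798 plus two older non-standard variants that some clients still honour.

```python
"""Detect read-receipt requests in inbound mail so the client never answers
one automatically. Added example, not from the original post or the linked
article; the sample message is constructed."""
from email import message_from_string
from email.utils import parseaddr

# Header names that ask the receiving client to send a disposition
# notification (RFC 3798 defines Disposition-Notification-To; the other two
# are older, non-standard variants some clients still honour).
RECEIPT_HEADERS = (
    "Disposition-Notification-To",
    "Return-Receipt-To",
    "X-Confirm-Reading-To",
)

# Constructed sample: the receipt address is a tracking mailbox, not the sender.
SAMPLE_MESSAGE = """\
From: "Account Team" <promo@example.net>
To: someone@example.com
Subject: Your account needs attention
Disposition-Notification-To: trk-8f2a1c@bounce.example.net
Message-ID: <20081009.1@example.net>

Please review the attached notice.
"""


def receipt_addresses(raw: str) -> dict:
    """Map each receipt header present in the message to the address it names."""
    msg = message_from_string(raw)
    found = {}
    for header in RECEIPT_HEADERS:
        value = msg.get(header)
        if value:
            found[header] = parseaddr(value)[1].lower()
    return found


def classify(raw: str) -> str:
    """Label the message by whether a receipt is requested and where it would go."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    found = receipt_addresses(raw)
    if not found:
        return "no-receipt-requested"
    # Any receipt confirms that the mailbox is live and read. A receipt
    # address that differs from the sender is the usual shape of an
    # address-validation campaign rather than a colleague's request.
    if any(addr != sender for addr in found.values()):
        return "receipt-to-third-party"
    return "receipt-to-sender"


def receipt_policy(raw: str) -> str:
    """Client policy: never send a receipt automatically; at most ask the user,
    and do not even ask when the receipt would go somewhere other than the sender."""
    label = classify(raw)
    if label == "no-receipt-requested":
        return "nothing-to-send"
    if label == "receipt-to-third-party":
        return "suppress"
    return "ask-user"


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE), "->", receipt_policy(SAMPLE_MESSAGE))
```

The "suppress" branch is the one that matters for the campaign described: a receipt sent to the tracking mailbox would tell the spammer that the address is live, whoever the mail claimed to be from.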

Wednesday, October 08, 2008

Clickjacking - Serious security problems

Clickjacking is the latest flavor of attack that "bad" people use to gain access to your information, your money and even your web cam or microphone. Take a look at the YouTube video that shows how a simple online game can be used to enable the camera and microphone to watch and listen to you in front of your computer.

YouTube Video showing how it works: http://www.youtube.com/watch?v=gxyLbpldmuU

Blog Entry about Click Jacking: http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/
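Clickjacking works because the victim's page can be rendered inside an attacker's frame, so the server-side defence is to tell the browser not to allow that. As an added example (not from the original post or the linked write-ups), here is a WSGI middleware that adds the two headers browsers honour for this, X-Frame-Options and the Content-Security-Policy frame-ancestors directive; note that both headers arrived in browsers after this post was written (X-Frame-Options first shipped with IE8 in 2009), so in 2008 only script-based frame busting was available. The demo application and synthetic request are constructed.

```python
"""Server-side clickjacking defence: a WSGI middleware that tells browsers
not to render the application inside another origin's frame. Added example,
not code from the original post or the linked write-ups; the demo app and
the synthetic request are constructed."""
from wsgiref.util import setup_testing_defaults

# Headers a browser uses to refuse framing. X-Frame-Options is the older
# mechanism; frame-ancestors is the CSP equivalent and takes precedence in
# browsers that understand both.
FRAME_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


class NoFramingMiddleware:
    """Wraps any WSGI app and adds the anti-framing headers to every response,
    without overriding a header the application already set itself."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers)
            for name, value in FRAME_HEADERS:
                if name.lower() not in present:
                    merged.append((name, value))
            return start_response(status, merged, exc_info)

        return self.app(environ, guarded_start_response)


def demo_app(environ, start_response):
    """Constructed application: a page with a click target worth hijacking."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<button>Allow camera</button>"]


def run_once(app):
    """Invoke a WSGI app with a synthetic request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def framing_denied(headers: dict) -> bool:
    """True if the response carries either header in a form that blocks framing."""
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo == "DENY" or "frame-ancestors 'none'" in csp


if __name__ == "__main__":
    status, headers, body = run_once(NoFramingMiddleware(demo_app))
    print(status, headers, framing_denied(headers))
```

Wrapping the application rather than patching individual views means a page added later cannot forget the header, which is the usual way a framing defence gets lost.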

Tuesday, October 07, 2008

VMware patches 64 Bit emulator bug

It is interesting how VMware goes down the path of maturity like so many other vendors before it: from "it is more secure" to "it is just another piece that can fail and has flaws". This time VMware is patching a serious problem with its 64-bit emulator. An error in the 64-bit CPU emulation makes the VM jump to the wrong address when it receives a JMP instruction.

Read the article here: http://www.heise-online.co.uk/security/VMware-patches-holes--/news/111675

Study shows that hotel networks are lacking security

This does not surprise me at all. I have been talking about this for years. Sometimes "looking around" on a hotel network is like a who's who of consulting companies, some of them happily naming their laptops with a name that includes the firm's name. Worse is that most laptops are configured to trust (at least to a certain degree) the local network, meaning in the worst case every machine on a hotel network can access another machine's services. To add to this scenario, make it wireless...

Cornell did its own study, which shows that most U.S. hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from Internet security problems.

Read the full article: http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html

Stolen republican party laptop had no security safeguards in place

This is like the never-ending story... it repeats and repeats. You would think that the government, or in this case politicians and their staff, had learnt from the past. Not the recent past, but maybe from the last three years? What is really interesting is that the victims now also publicly admit that the stolen laptop contains "...the type of stuff we wouldn't want another campaign to have...". Wonderful, now the thieves know that they can get even more money for the laptop... I guess from either party.

Read the full article: http://www.scmagazineus.com/Stolen-McCain-party-laptop-had-minimal-data-safeguards/article/119080/

Monday, October 06, 2008

Was Forever 21 wrongly certified PCI compliant?

The risk of being a security professional... I find it shocking and entertaining at the same time that a merchant takes a PCI certification as an excuse for a lack of security and responsibility.

Breached clothing retailer Forever 21, which last week said it has been Payment Card Industry (PCI) compliant since 2007, apparently should have never been certified.
The Los Angeles-based company told a retail blog this week that its PCI Data Security Standard assessor failed to unearth tens of thousands of credit card files that it was unknowingly storing despite being unauthorized to do so.

Read the full article: http://www.scmagazineus.com/Was-Forever-21-wrongly-certified-PCI-compliant/article/118739/

Researcher finds server with stolen FTP credentials

An Israeli researcher has uncovered a criminal server containing the FTP account credentials for nearly 100,000 legitimate websites across 86 countries, including the U.S. Postal Service and several universities here.

Of the 200,000 credentials the criminals were storing, the criminals deemed 107,000 to be valid and some 80,000 led to web content, he said. More than 60 percent were associated with web servers in Europe, but many U.S. organizations were victimized, including the University of Pennsylvania's Wharton School and the University of Southern California.

Read the full article: http://www.scmagazineus.com/Researcher-finds-server-with-stolen-FTP-credentials/article/118756/

Data Breaches Expose About 30M Records in '08

U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud.

Read the full article at: http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html

Friday, October 03, 2008

Nevada mandates encrypted personal data communication

On one hand I applaud Nevada for stepping up to protect personal information; on the other hand it is just another step in the direction of slicing security up even smaller, overloading the already very busy security professionals. Not only do we need to worry about international privacy and security standards (if we happen to work for a company operating internationally), but now the US by itself becomes a major challenge. What happens if my company has a branch in Nevada but the rest is spread all over the US? Don't get me wrong, we need stronger privacy and security laws, but on a federal level!

Read the full article: http://www.scmagazineus.com/Nevada-mandates-encrypted-personal-data-communication/article/118630/

Hackers penetrate South Korean missile manufacturer

According to news reports, some hackers were able to steal information from a South Korean missile manufacturer. They planted malicious code on the computer systems that eventually allowed them to gain access to secret data about missiles.

Read the full article at: http://www.theregister.co.uk/2008/10/01/missile_manufacturer_hacked/

Thursday, October 02, 2008

TCP weakness could potentially result in new DoS attacks

Two researchers (supposedly) discovered a new weakness in the TCP implementation that allows running DoS attacks against high-bandwidth web servers (e.g. Google, eBay, etc.) even from a relatively small uplink. So far no independent verification has been done, but it would not surprise me if this is just another major flaw that we have to deal with.

Read Robert Graham's blog post: http://erratasec.blogspot.com/2008/10/tcp-dos-probably-real.html

Wednesday, October 01, 2008

Phorm becomes Webwise

Back in 2006, British Telecom (BT) and Phorm tested the idea of personalized advertising by secretly collecting information about the surfing habits and destinations of 18,000 of its customers. Since 09/30/08, BT has been offering 10,000 of its online customers a program which is now called "Webwise". None of this is new; just the label that BT puts on it is quite concerning: it is sold as an online protection/security service. In reality it tracks all of the user's online transactions, from URLs visited to searches done on search engines, in order to inject targeted advertising into the data streams to the user.

Read the full article at: http://blog.wired.com/business/2008/09/phorm-trials-be.html