1SSA - Security News
The latest news around Information Security from various sources.
Author: 1SSA Blogger (http://www.blogger.com/profile/14752001541500454235)
Feed last updated: 2024-02-07

Data theft on the rise
Published: 2013-09-03

According to the latest numbers published by EMW, a UK-based law firm, data theft is on the rise, taking a significant jump from last year's numbers.

Read more:
http://www.emwllp.com/news/confidential-information-theft-cases-reach-record-high/

DEA database even bigger than NSA's
Published: 2013-09-02

According to an NBC report, the DEA has an even bigger database of recorded phone conversations.

Read more:
<a href="http://investigations.nbcnews.com/_news/2013/09/02/20293683-dea-phone-call-database-bigger-than-nsas?lite" rel="nofollow" target="_blank">NBC News</a>
FB security does not believe security expert - Mark Zuckerberg pays for it
Published: 2013-08-18

A security expert notifies Facebook security about a vulnerability that allows him to post to anyone's wall, friend or not. FB security does not believe him until he posts to Mark Zuckerberg's wall.

Read more:
<a href="http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/#!" rel="nofollow" target="_blank">RTT News</a>
<a href="http://www.1ssa.net/">1SSA</a> - Security Consulting, Training and Products

Over 32,000 patient records exposed to the Internet due to firewall being off
Published: 2013-08-10

Over 32,000 patients across 48 states were impacted by a security breach of their Protected Health Information (PHI) that Cogent Healthcare had outsourced to M2ComSys. The PHI was in some cases even indexed by Google, exposing patient names, physician names, dates of birth, diagnosis descriptions, treatment data, medical history and medical record numbers. According to the article below, the outsourcing company's site had its firewall down. Access to these notes through the site began May 5, 2013, and ended following Cogent Healthcare's discovery of the lapse on June 24, 2013.

How can a firewall not be functional?

Read more:
<a href="http://www.healthcareitnews.com/news/site-flaw-puts-patient-data-google" target="_blank">Healthcare IT News</a>
White House offering incentives for implementing Cyber Security
Published: 2013-08-08

The White House seems to be serious about increasing cyber security in the commercial sector, offering incentives for companies that invest in cyber security.

Read the full article:
<a href="http://www.csoonline.com/article/737795/white-house-considers-incentives-for-cybersecurity?source=CSONLE_nlt_update_2013-08-08">http://www.csoonline.com/article/737795/white-house-considers-incentives-for-cybersecurity?source=CSONLE_nlt_update_2013-08-08</a>
Annual loss of up to $500B due to cybercrime
Published: 2013-07-23

A new report compiled by CSI and McAfee shows that cybercrime generates annual losses of up to $500B globally. The report also states that many jobs in the U.S. are lost due to cybercrime.

Download the report here:
http://www.mcafee.com/sg/resources/reports/rp-economic-impact-cybercrime.pdf?cid=BHP016

Leaked documents expose massive UK spying operation involving 200 fiber optic cables
Published: 2013-06-23

Once considered a secure alternative to traditional copper lines, fiber has not stopped GCHQ (the U.K. counterpart of the NSA in the U.S.) from eavesdropping on communications that travel across these major data pipelines. This is just another uncovering of a major privacy violation in the "free world", which has been pointing at other countries for their rather open practice of eavesdropping on Internet communication.

Read more:
<a href="http://www.washingtonpost.com/world/europe/guardian-leaked-documents-expose-massive-uk-spying-operation-involving-200-fiber-optic-cables/2013/06/21/98206990-daa2-11e2-b418-9dfa095e125d_story.html" target="_blank">Washington Post about Guardian article</a>
Tridium vulnerability throws building controls wide open to hackers
Published: 2013-06-22

Only recently, over the last 3-4 years, have the ties between physical and IT security been understood, and yet most organizations keep them separate, resulting in disconnects and potential attacks slipping through the cracks. Since more and more physical security systems use IT for communication, they are now becoming targets for hackers. The latest victim is Honeywell's Tridium Niagara Framework, which is built around TCP/IP and meant to provide web-based management for building assets.

Read more:
<a href="http://www.infosecurity-magazine.com/view/30620/tridium-vulnerability-throws-building-controls-wide-open-to-hackers/" target="_blank">Tridium vulnerability throws building controls wide open to hackers</a>
FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks
Published: 2013-06-22

The FDA issued a safety recommendation to the medical community, advising about cyber security issues with medical devices. Medical devices are increasingly Internet/network enabled, allowing traditional cyber security threats to execute on those (from a security perspective) rather immature devices.

<a href="http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm" target="_blank">FDA Safety Communication</a>
SAML - Vulnerable
Published: 2012-08-26

A German university has published a white paper that shows significant vulnerabilities in the SAML usage of large Internet businesses. SAML is used to authenticate users across security domains, e.g. using your Facebook credentials to authenticate to another website.

Read more: https://www.usenix.org/conference/usenixsecurity12/breaking-saml-be-whoever-you-want-be

No stop to the "Ueber Breaches"
Published: 2012-02-19

Latest member in the club of breached high-profile companies: Symantec, or to be fair, Verisign, which now belongs to the Symantec empire. According to press releases, Verisign had a serious security breach back in 2010. According to Verisign, no unauthorized access to critical servers has taken place. The question comes up: how can Verisign, RSA and all those other companies be so sure that no access to critical servers has taken place?!

Looking at the amount of data that those breaches have potentially exposed, we might soon see the ultimate hack, using all the information gathered so far.

Read more: <a href="http://www.msnbc.msn.com/id/46238729/ns/technology_and_science-security/">Verisign data breach 2010</a>

Where are the clouds moving to...
Published: 2012-02-17

...to everyone's IT environment and not to the outsourcing companies, or at least not in the public cloud. The still sceptical industry is leaning more and more towards the private cloud. The outsourcing industry, which mainly benefited from the public cloud movement, is still predicted to get a big slice of the market.
However, outages (some hosting providers do not count outages of less than 5 minutes), the still unresolved questions around privacy, and the sometimes "interesting" SLAs that basically leave customers out in the rain when things go wrong do not necessarily increase trust in the public cloud and in the outsourcing organizations offering public cloud services. Cloud technology will have its place in the IT universe without question; however, it won't be the quantum jump that some cloud fanatics predicted. On the other hand, probably up to the last second of cloud computing's existence, assuming there is something else coming after it, vendors, hosting providers and software companies will fight over what cloud really is.

RSA security breach - the new age of "Ueber breaches"
Published: 2011-04-15

RSA, a trusted name in the security industry, had a major security breach. Just like a giant can die from a virus that is a billion times smaller, RSA got taught a lesson about human weaknesses.

According to articles in the press, a worker at RSA decided to retrieve an email from the spam folder which contained an Excel attachment. The individual opened the Excel spreadsheet, only to have an embedded Flash file execute, running an exploit against Adobe's Flash Player, which in the recent past had several vulnerabilities with "zero-day" exploits being available.
This allowed the attackers to install a backdoor and work their way through RSA's systems and network.

Security experts are now convinced that RSA had the "seeds" of its security tokens exposed. So far RSA has neither denied nor confirmed this scenario. The seeds allow an attacker to calculate the security code that RSA's hardware tokens display and use for two-factor authentication.

The magnitude of this security breach is yet to be understood, since the token business is one of RSA's key businesses. Thousands of customers around the globe have been using RSA's solution.

Such an "Ueber Breach" is the first of its kind but for sure not the last one. In our information-rich society, where companies are competing to gather more and more information about individuals, we will see more and more such security breaches. Cloud technology is another factor that will potentially accelerate the rate of security breaches of that magnitude.

Read RSA's press release

Epsilon security breaches
Published: 2011-04-15

I received at least four notifications from various companies that have my personal information, notifying me that my email address and potentially other information had been exposed to an unauthorized third party as a result of a security breach at their marketing partner, Epsilon. All were of the same format and verbiage, telling me that Epsilon legal was potentially the source of the text.

This breach might have some people asking themselves: so why would someone steal email addresses? This breach seems to be just the first step in a much larger scheme.
Back in 2008 PWC's job website was breached, and thousands of email addresses and passwords were stolen. Initially nobody could understand why someone would go after such a site, until cases of PayPal attacks surfaced and got connected to the PWC case. The individuals who had gained access to the emails and passwords were using them to access sites like PayPal, exploiting the fact that we all like to re-use passwords.

Read the official <a href="http://www.epsilon.com/News%20&%20Events/Press%20Releases%202011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3">Epsilon press release</a>

Impact of Egypt's awakening on IT outsourcing
Published: 2011-02-12

Egypt had the reputation of being a country with a well-educated youth but a GDP that was one of the worst worldwide. Now that things are changing we will very likely see that increase (I would wish that for the people in Egypt very much!). But what does that mean for you and your outsourcing efforts? Egypt is just another country following in the footsteps of countries like India, where the cost of living went up, salaries followed and eventually the cost of outsourcing went up too. The changes in Egypt might at the same time increase friction between various layers of the population: the new IT elite, which is getting higher salaries, and others who feel left behind. Time will tell if this friction will result in more unrest or if the country manages to find a social approach that ensures its stability.
Socioeconomic and human factors are often underestimated in IT, and in particular in IT security, resulting in significant risks to the business.

Egypt crisis and Outsourcing companies
Published: 2011-02-06

Some people see Egypt as the new India when it comes to IT outsourcing. What most people do not know is that a lot of the IT support from Indian outsourcing companies already comes from countries like Egypt, a country with a well-educated young generation that speaks English. It might be that your IT outsourcing is not directly affected, being hosted in India, but the IT expert in India might have trouble getting his workstation supported by the help desk sitting in Egypt.

It is just another lesson learnt about how outsourcing creates risks that are not well understood, particularly when it comes to the chain of dependencies that a global economy creates. With the introduction of the cloud the picture gets even fuzzier.

Read more: <a href="http://news.in.msn.com/business/article.aspx?cp-documentid=4866782&page=0">Outsourcing firms logging out of Egypt</a>

Updates: Mobile apps & Cloud based services
Published: 2010-12-30

<strong>Mobile apps spying on you</strong> - It seems that two class action lawsuits have been filed against Apple. Apple, having tight control over apps that get posted on the iPhone App Store, has set itself up for this.
Control also means responsibility, and consumers feel cheated if they discover that Apple allows applications to spy on them.

<strong>Cloud based services and the risks</strong> - The latest victim of its cloud technology seems to be Skype, which had major outages right around Christmas time. The service blames older clients as the source of the outage. Those clients shut down/crashed when receiving certain offline messages that arrived delayed. This just shows that cloud technology creates super-complex systems that are not yet well understood and are difficult to test for all scenarios.

Read more:
<a href="http://edition.cnn.com/2010/TECH/mobile/12/28/apple.app.lawsuits/?hpt=Sbin">Two lawsuits target Apple, app makers over privacy concerns</a>
<a href="http://www.theregister.co.uk/2010/12/29/skype_explains_outage/">Skype's mega-FAIL: exec cops to cause</a>

Cloud based services and the risks
Published: 2010-12-26

The cloud is here, and it is here to stay...

Having worked in the outsourcing business for some time, it is quite entertaining to see how the marketing folks sell you the same old car over and over again, just by changing the sales pitch. What I am trying to say is that the cloud is just a collection of technologies that already existed before, sold as part of a regular outsourcing deal: virtualization, data centers in cheap-labor countries, and network capacity are nothing new. But what are the risks?

Many of the cloud solutions have had outages, according to various websites tracking these outages, sometimes leaving customers with a total loss of data (e.g.
<a href="http://1ssa-blog.blogspot.com/2009/10/sidekicks-and-danger-eous-cloud.html">T-Mobile's Sidekick outage</a>).

Other times the privacy of your personal or business data is at risk (e.g. <a href="http://1ssa-blog.blogspot.com/2009/10/uk-healthcare-records-sold-in-india.html">Health care records stolen</a>).

Reading through the fine print (<a href="http://1ssa.net/images/blog/privacy_issue.jpg">see screenshot</a>) of some of those cloud based services, you will notice that you have just given them permission to circumvent local law, agreeing to have your data stored "somewhere" where the laws of the country you reside in might or might not protect your data.

Read more:
<a href="http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf">Cloud Privacy report - World Privacy Forum</a>
<a href="http://www.sbsfaq.com/?p=2070">Top-10 cloud outages in 2010</a>

Mobile apps spying on phone users
Published: 2010-12-19

Do you like listening to Pandora? According to a study conducted by the Wall Street Journal, you had better be prepared to give up some of your private details. The Pandora application on the iPhone, according to the article, sends information about you to at least eight (8!) tracking services that gather information. This is not unusual, according to the article. Most of the 101 apps tested showed evidence that they provide information ranging from a unique phone ID to location information, age, ZIP code and gender to tracking companies.
The article also mentions that iPhone apps seem to be worse than their siblings on Google's Android platform.

Apple claims to review all applications before they are allowed into the iPhone App Store. This has caused a false sense of privacy among users. All of the apps reviewed by the WSJ were available in Apple's App Store.

Blackberry applications were not reviewed, but RIM (the maker of Blackberry) introduced a different security model in its Blackberries. Access to certain information can be blocked: the user needs to deny the application the "trusted application" status and allow access only to individual pieces of information.

Read the WSJ article here: <a href="http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html?mod=e2tw">iPhone and Android Apps breach privacy</a>

The big information security illusion
Published: 2010-08-15

For years now various vendors have worked to bring the various worlds together: IT, mobile phone service and physical security. The new thinking of "everything is secure as long as the end point is secure" might not work out. Countries like Saudi Arabia or the UAE pretty much told Blackberry manufacturer RIM "too much security/privacy" and are either thinking about making Blackberries illegal in their respective countries, or already have.

Someone might say "Oh well, not that big of a deal"... but this was just the start. Now IT outsourcing country #1 joins the club of Blackberry "haters": India. What could that mean? For example, software token solutions installed on your Blackberry and used for multi-factor authentication could potentially be eavesdropped on by the Indian government.
Some of them utilize SMS text messages to provide codes to users. Those codes are used to authenticate against IT systems requiring stronger authentication due to the sensitivity of the data stored on them. Some governments (e.g. Germany) have already advised not to use RIM devices for sensitive information.

Read more: <a href="http://online.wsj.com/article/SB10001424052748703960004575427312899373090.html?mod=WSJEUROPE_hpp_sections_tech">Wall Street Journal article</a>

From Enigma to Infineon's security chip...
Published: 2010-02-03

During Black Hat DC 2010, the researcher Christopher Tarnovsky announced that he had broken through the defense mechanisms of Infineon's security chip. The chip has multiple mechanisms to protect itself from tampering, making it the choice for many vendors to implement in their devices. As the German Enigma during World War II has shown, nothing holds forever. Now Infineon, a German company, has to see once again that blind trust in its engineering is a recipe for the wrong kind of attention. In this case Mr. Tarnovsky worked his way step by step through the defense mechanisms of the chip, in the end having ultra-small needles tap into the data bus. He could then read out encryption keys and other internal data of the chip. Tarnovsky informed Infineon of the flaws he had discovered, but so far Infineon has not responded.

According to Dark Reading, he told the Black Hat audience: "Their initial reaction was to tell me that what I'd done was impossible," he said. "Then when I sent them some video and the code that I just showed [to the Black Hat audience], they went quiet.
I have not heard back from anybody."

History repeats itself, and blind trust in your engineering is never a good idea.

Read more: <a href="http://mobile.darkreading.com/9287/show/575baa2ef08cb38a3077417686e53489&t=0cd88a4fad7a9f5ce08e7b67d7d418d3">http://mobile.darkreading.com/9287/show/575baa2ef08cb38a3077417686e53489&t=0cd88a4fad7a9f5ce08e7b67d7d418d3</a>

Have you checked your billboard today?
Published: 2010-01-17

The times when only IT devices were a target for hacker attacks are over. Years ago I read an article in 2600 magazine describing how to hack traffic billboards, the ones that have the bright orange LED-type displays, making them display a random message. Now that art has been brought to a new level, adapting to new display technology and a networked world. Last Thursday drivers on one of Moscow's (Russia) busiest roads were confronted with a porn clip that was flickering off a 30-foot-by-20-foot (approximately 10m x 6.5m) electronic billboard. This resulted in a major traffic jam, since drivers slowed down to catch the "message" that the billboard was trying to convey. According to the news article, the advertising firm that owns the billboard stated that hackers had broken into their system and switched the content to the adult material.

The more our society is networked and technologies are melted together, the more we expose ourselves to such juvenile hoaxes.
In the end this one had some people upset and others with a smile on their faces, but it could also have been a nuclear power plant's controls suddenly showing Pac-Man instead of the controls for the reactor.

Y2K+10 it finally caught up with us
Published: 2010-01-08

Europe, in particular Germany, Europe's largest economy, has been shaken by a glitch in a security chip that is implemented in most ATM and some credit cards. This chip allows for additional security and is in some cases the only way for merchants to accept cashless payments. The chip was implemented because of the weak security of the magnetic stripe on the back of ATM and credit cards. Up to midnight December 31st 2009 everything was fine. After that, suddenly cards were rejected. Now, after close to a week of confusion, the riddle is finally solved, and most ATM machines and merchants can accept payments again. And this only because thousands of payment terminals and ATMs have been patched with new software.

Rumors say that the source of this disaster is a programmer at a French company producing the chips, who confused the format (hexadecimal or decimal) of the expiration year. Treating the year as hexadecimal did not matter for 09, but made the value 10 (hex) suddenly become 16 (dec) in the decimal system. Since ATM cards usually have a lifetime/expiration of 5 years in Europe, those cards were being rejected. According to various sources over 30 million German ATM/credit cards have been affected.
Even ATM cards in Australia seem to be impacted.

Promote moral behavior by a clean smell
Published: 2010-01-01

A new study suggests that a clean smell promotes moral behavior. According to this soon-to-be-published study, led by a Brigham Young University professor, people are unconsciously fairer and more generous when they are in clean-smelling environments.

While their current study examined the influence of the physical environment on morality, Zhong and Liljenquist previously published work that demonstrated an intimate link between morality and physical cleanliness. Their 2006 paper in Science reported that transgressions activated a desire to be physically cleansed.

So how can information security professionals make use of this knowledge? I guess that this might be a bigger challenge, since criminals nowadays can sit thousands of miles away.

Read more:
<a href="http://www.sciencedaily.com/releases/2009/10/091025091148.htm?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+sciencedaily+%28ScienceDaily%3A+Latest+Science+News%29&utm_content=Google+Reader">Science Daily</a>

German Big Brother Award - Companies & Privacy
Published: 2009-11-08

Each year a committee of privacy experts determines the companies that have actively profited from and supported privacy breaches (so-called legal ones or borderline ones).
This year, according to Heise Online, the prize for the worst offender actually went not to a single company but to a large number of companies:

- Quante Netzwerke for the development and sale of programs that allow for the storage of network information of Internet users, also known as "Lawful Interception".

- Utimaco Safeware for its "Data Retention Suite".

- Datakom subsidiary GTEN for its outstanding work in eavesdropping technology.

- Syborg, a company specialized in telephone recording and analysis.

- DigiTask for the development of a Trojan (malicious code) that can be used to eavesdrop on Skype conversations.

- Secunet for selling/providing its "Sina-Box" to each telecom recording facility that the German government has in place.

- Cisco for its excellent work in deep packet inspection, which allows for continued monitoring of information even with increasing Internet traffic.

- Trovicor, a spin-off from Nokia Siemens Networks (NSN), which delivered surveillance software to Iran.

Read more: <a href="http://www.bigbrotherawards.de/index_html-en?set_language=en">German Big Brother Awards</a> (English)