Archive for January, 2008

Security Notes

Wednesday, January 30th, 2008

For those who haven’t already noticed, Security Notes[truedigitalsecurity.com] are now accessible from this blog! For this month[truedigitalsecurity.com], I discussed how many organizations seem to be emphasizing perimeter security to the detriment of many other aspects that make up a healthy, holistic security program.

For more examples of why just keeping people out doesn’t solve the whole problem, check out this[sans.org] Internet Storm Center Diary and this[truedigitalsecurity.com] previous post.

If you’re going to go postal, at least be certain of your situation

Wednesday, January 30th, 2008

For an example of the insider threat in action, check out this story[foxnews.com]. I’ll bet she feels stupid!

Think the insider threat isn’t a big deal? You’re wrong[cert.org]. In 1999, NIPC estimated that 55% of attacks were perpetrated by an insider. Some groups put the current totals as high as 85%. Whatever the case, if your organization is going to be attacked, the most malicious actions will likely come from an insider–destruction of company information, exfiltration of proprietary data, etc. Why? Because an insider knows exactly where to look for data, what data is most valuable, and what is most important to business continuity. Joe Hacker on the Internet is looking for big, juicy targets with lots of personal data (for identity theft) or bandwidth (so he can set up the biggest botnet and get the most money for renting it out).

Terrorists Need Privacy, too

Friday, January 25th, 2008

We can all breathe a collective sigh of relief – terrorists now have the ability to communicate securely[reuters.com]. I was really starting to be concerned for their privacy…

HBO to the Internet

Friday, January 25th, 2008

HBO will soon make many of their shows and movies available on the Internet[reuters.com] for no additional charge, similar to what many other channels are already doing. In related moves, Wal-Mart recently suspended Internet movie rentals and Apple added movie rentals to its iTunes store.

While people are undoubtedly interested in accessing this type of content on-demand over the Internet, I wonder whether Wal-Mart’s move indicates an unwillingness in consumers to pay for such services. It will be interesting to see whether Apple has better success with their movie rentals.

Unintended Denial-of-Service

Wednesday, January 16th, 2008

For those who do not follow Apple news, today was the annual Apple keynote by Steve Jobs. These keynotes are highly anticipated, as Jobs usually uses them to announce new Apple products by surprise: iPod, iPhone, MacBooks, etc. Since most people cannot go to the keynote, websites like Engadget[engadget.com] provide a live running blog of the event. Even knowing that they would have an abnormally large number of visitors to their site, Engadget was still taken down[engadget.com]. The massive number of people visiting their site caused a denial of service at 2 AOL data centers (AOL hosts Engadget). This goes to show that even with advance planning, unintended or non-malicious denial of service is still a threat.

Who are you, REALLY?

Tuesday, January 15th, 2008

On Friday, the DHS took another step forward[news.com] in their drive to increase the reliability of state drivers’ licenses by releasing their “Final Rule,”[dhs.gov] of minimum standards for compliance. These changes are required by the REAL ID Act of 2005 and have been a source of controversy in the security and civil-rights communities. Additionally, some states have passed legislation rejecting REAL ID.

Most Home Routers Vulnerable to New Attack

Tuesday, January 15th, 2008

GNUCitizen[gnucitizen.org] has released details of a new attack[gnucitizen.org] on UPnP-enabled home routers that can be perpetrated by a Flash object running on the browser of any user. I haven’t tested this, but it looks like it should work even if executed under a non-privileged account. (You do use non-privileged accounts, right?) It should work because this attack vector doesn’t do anything particularly suspicious, and certainly not something that would require administrator privileges. There are several very bad results from this attack, but a worst-case scenario is described in the details published on GNUCitizen’s website:

The most malicious of all malicious things is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all the bad guys want.

That would suck.

What’s interesting here is that this is not a vulnerability in UPnP itself. A pre-existing web session with the home router is a prerequisite for this attack to occur. However, GNUCitizen has several other discussions which show that a simple XSS attack is all that is needed to establish the prerequisite. So this is an attack vector that is opened by another exploit entirely!

Adult Web Industry Compromised

Tuesday, January 15th, 2008

The AP has released a story [FOXNews.com] detailing that a New Jersey company which provides accounting software to the adult-entertainment industry has been hacked. The software apparently tracks referrals from one website to another and determines how much each website owner is supposed to be paid based on those referrals. The breach allowed the attackers to obtain the subscriber lists of several adult websites. Those subscribers are now being spammed with targeted adult advertisements from competitor websites. The greatest quote in the article comes from the owner of several adult websites: “There’s a loss, in my opinion, of user confidence.”

Ugly pictures

Friday, January 11th, 2008

Did anyone notice this story on SecurityFocus? It’s an article describing a series of attempted malware infections that were first reported by the SANS Internet Storm Center over Christmas. Apparently, three people reported buying digital picture frames made by the same manufacturer from three different Sam’s Club stores. When plugged into a computer, the malware on the picture frames attempted to perform various nasty things.

This type of threat is likely to increase as more and more devices become digitally aware. Your best bet for protecting yourself is to disable the autorun feature in Windows. That way you can scan and examine the devices you attach to your computer before the malware they may be hosting has an opportunity to become a part of your digital life.
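One way to check and apply the autorun setting recommended above, as an added example that is not part of the original post. It uses the NoDriveTypeAutoRun policy value, a bitmask in which each set bit turns AutoRun off for one drive type; the function names Get-AutoRunExposure and Disable-AutoRunAllDrives are hypothetical, and writing the HKLM key requires an elevated prompt.

```powershell
# Added example (not from the original post): audit, then disable, AutoRun.
# NoDriveTypeAutoRun is a bitmask: a SET bit turns AutoRun OFF for that drive type.
$DriveTypes = @(
    @{ Bit = 0x01; Name = 'Unknown type' },
    @{ Bit = 0x04; Name = 'Removable (USB sticks, picture frames)' },
    @{ Bit = 0x08; Name = 'Fixed disk' },
    @{ Bit = 0x10; Name = 'Network drive' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Reserved / future types' }
)
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
)

function Get-AutoRunExposure {
    # Hypothetical helper: report, per policy key, which drive types may still AutoRun.
    foreach ($path in $PolicyPaths) {
        $prop = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Key or value missing: no policy is configured here.
            [pscustomobject]@{ Path = $path; Mask = 'not set'; StillEnabled = 'OS default applies' }
            continue
        }
        $mask = [int]$prop.NoDriveTypeAutoRun
        $open = @($DriveTypes | Where-Object { ($mask -band $_.Bit) -eq 0 } | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Path         = $path
            Mask         = '0x{0:X2}' -f $mask
            StillEnabled = $(if ($open.Count) { $open -join '; ' } else { 'none' })
        }
    }
}

function Disable-AutoRunAllDrives {
    # Hypothetical helper: 0xFF sets every bit, disabling AutoRun for all drive types.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

Get-AutoRunExposure | Format-List   # state before the change
Disable-AutoRunAllDrives
Get-AutoRunExposure | Format-List   # StillEnabled should now read 'none'
```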

My Internets are faster than Your Internets!

Friday, January 11th, 2008

Comcast is unveiling a new cable Internet standard today at CES. The new standard is DOCSIS 3.0, and promises to allow download speeds of 150Mbps. That’s faster than the 100Mbps most home-user network interface cards currently support. Comcast believes they will have the technology available to millions of homes in 2009.

In other news, dozens of RIAA and MPAA execs have been found cowering in the fetal position in the corner of their offices…