
Archive for September, 2007

Burmese Bloggers By-Pass Censors

During this difficult and disturbing time in Burma we find that bloggers are doing their part. The military junta that controls Burma rules through fear and intimidation. People have been gunned down in the street, such as the Japanese journalist whose murder by a Burmese soldier was caught on film. It is incumbent on the rest of the world to raise a collective voice to help keep this story at the forefront so that our respective governments will take notice and apply pressure.

From Spiegel Online:

The world has been watching as thousands of saffron-robed monks march through the streets of the Burmese capital Yangon in protest against the repressive military regime — thanks to the images seeping out of the country via the Internet. While foreign journalists are being refused visas and are forced to wait in Bangkok hotels, ordinary Burmese are taking huge risks by taking photographs and blogging to communicate with the outside world.

As the protests enter their 10th day, the military regime seems to be ignoring international pleas for restraint and is instead continuing its crackdown on the protestors. In the early hours of Thursday morning, troops raided a number of monasteries and dragged away hundreds of monks. Just a few hours later, images of the blood-spattered floor of the monasteries were posted on Internet news sites across the world.

Article Link


Unlocked iPhones Bricked By Apple

How very uncool. This is what happens when there is a lack of strong laws to protect consumers.

I first read about this over on Jon Lech Johansen’s blog earlier today.

I was expecting that the iPhone firmware update would simply relock unlocked iPhones so that they could only be used with AT&T. I was wrong. As you may know by now, after an unlocked iPhone has been upgraded with the 1.1.1 firmware it will refuse to activate with any SIM. The technical evidence so far indicates that this was intentional by Apple. Although the iPhone is still alive, it’s completely useless. It’s essentially a brick.

And then this afternoon I saw this piece over on the BBC:

Thousands of iPhone owners hacked their expensive gadget in order to unlock it for use with other mobile carriers and to run a host of unsupported programs.

There are also reports of the update causing issues with unaltered iPhones.

On Monday Apple issued a statement in which it said many of the unauthorised iPhone unlocking programs caused “irreparable damage” to the device’s software.

Apple, wtf? This is not acceptable behaviour from any vendor. The sad part is that this will most likely be tolerated by the consumer base. Now, if Microsoft pulled this type of thing all hell would break loose. Now, before you even think of breathing a word, no, I am most certainly not an acolyte of the Redmond Order.

There is a fix for those of you affected by the bricking (via So Sue Me).

Article Link


Gap Job Applicants Data Stolen

The Gap clothing chain has had a rough year from a financial perspective. But things got worse this past week when a laptop containing the information of 800,000 job applicants was stolen.

The data was not encrypted. Creepy when you consider this earlier story.

From the AP (via CTV.ca):

A thief stole a laptop computer containing unencrypted personal information of 800,000 people who applied for jobs at Gap Inc., the clothing retailer announced Friday.

The laptop stored Social Security numbers and other data from people in the U.S., Puerto Rico and Canada who applied online and by phone between July 2006 and June 2007 for jobs at Gap, Old Navy, Banana Republic and Outlet stores.

The incident came on the heels of a finding this week by the Canadian government that another international retailer, TJX Cos., hadn’t sufficiently encrypted data it stored from customer transactions, and that failure enabled hackers who intercepted wireless communications to steal data on millions of customers.

Gap has declined to identify the company that lost the laptop with their information, a move that I find a little peculiar, as they will now take the brunt of the press storm. If anyone has a tip on the company that lost the laptop, feel free to leave a comment.

Article Link


Myanmar Military To Cut Public Internet Access

Things continue to deteriorate in Myanmar. It appears that the public internet has been shut down by the military in an effort to stop pictures, stories and video from leaking out as they kill protesters in the street.

From Reuters:

Myanmar’s generals appeared to have cut public Internet access on Friday to prevent more videos, photographs and information getting out about their crackdown on the biggest protests against military rule in nearly 20 years.

Internet cafes were closed and the help desk at the main Internet service provider did not answer its telephones to explain why there was no access.

Citizen reporters have been at the forefront in informing the world of the protests against 45 years of military rule and declining living standards in Myanmar, also known as Burma.

They have even used the social networking site Facebook or hidden news in e-greetings cards. Networks of reporters for dissident news organisations have used the Internet to get stories and pictures out.

Correspondents who covered the last major uprising in Myanmar, in 1988, when the army killed an estimated 3,000 people, said a communications blackout was to be expected but would not stop the information flow.

“It may very well happen. It will just be a sudden shutdown,” said British journalist Dominic Faulder who was based in Bangkok during the 1988 uprising.

The widespread use of modern technology by protesters and dissident news networks is in stark contrast to 19 years ago, when reports of massive casualties from soldiers shooting into the crowds took days to leak out.

“They’re going to delay the message, but they’re not going to stop it. This time, there will be more pictures and they will come out,” Faulder said.

Article Link


Apple iPhone Multiple Vulnerabilities

From Secunia:

Description:
Some vulnerabilities, security issues, and a weakness have been reported in the Apple iPhone, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or to compromise a vulnerable system.

1) An input validation error when handling SDP (Service Discovery Protocol) packets exists in the iPhone’s Bluetooth server. This can be exploited by an attacker in Bluetooth range to cause the application to crash or to execute arbitrary code by sending specially crafted SDP packets.

Successful exploitation requires that Bluetooth is enabled.

2) The problem is that users are not notified about changes of mail servers’ identities when Mail is configured to use SSL for incoming and outgoing connections. This can be exploited e.g. to impersonate the user’s mail server and obtain the user’s email credentials.

Successful exploitation requires a MitM (Man-in-the-Middle) attack.

3) It is possible to cause the iPhone to call a phone number without user confirmation by enticing a user to follow a “tel:” link in a mail message.

4) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page.

For more information see vulnerability #2 in:
SA23893

5) An error in Safari in the handling of “tel:” links can be exploited to cause the iPhone to dial a different number than the one being displayed in the confirmation dialog. Exiting Safari during the confirmation process may result in unintentional confirmation.


Security Briefing: September 27th


  1. Gmail cookie vulnerability exposes user’s privacy
  2. Jailed worm author offered job by victim
  3. Biometric visas get $4.4m tech boost
  4. Myanmar security forces intensify protest crackdown
  5. A root shell in my pocket (and maybe yours) (worth checking out)
  6. 18 Common Security and Privacy Work Area Vulnerabilities
  7. Expert says world misunderstands China’s Web controls
  8. AOL IM Security Hole Unplugged?
  9. New cracks in Google mail



(In)Secure Magazine New Issue Available

The new issue of (In)Secure magazine is out.

In this issue:

  • Interview with Janne Uusilehto, Head of Nokia Product Security
  • Social engineering social networking services: a LinkedIn example
  • The case for automated log management in meeting HIPAA compliance
  • Risk decision making: whose call is it?
  • Interview with Zulfikar Ramzan, Senior Principal Researcher with the Advanced Threat Research team at Symantec
  • Securing VoIP networks: fraud
  • PCI DSS compliance: a difficult but necessary journey
  • A security focus on China outsourcing
  • A multi layered approach to prevent data leakage
  • Safeguard your organization with proper password management
  • Interview with Ulf Mattsson, Protegrity CTO
  • DEFCON 15
  • File format fuzzing
  • IS2ME: Information Security to Medium Enterprise
  • Download


Apple Sends Takedown Notice To iPod Hacker’s ISP

Well, they weren’t slow out of the gate. The Apple legal swarms have descended on an iPod hacker. It appears that Apple has their ear to the ground.

From TUAW:

a hacker named “Martyn” had obtained a broken iPod touch, and was planning to dive in and download every bit of code on it in the increasingly complicated effort to put 3rd party applications on the iPod touch. He didn’t plan to release the code to the public, but he did plan to upload the code to a secured area of his site in order to let the other touch hackers have a crack at it.

But even before his upload finished, we’re told, his ISP showed up, with a takedown notice in hand. Apple had somehow found his site, had contacted his ISP, and let them know that it would be against copyright law for him to upload that code to the Internet. Martyn isn’t interested in breaking the law (and it would be illegal to share that code), so he pulled the page off. But what’s amazing here is how fast Apple moved on this – either they’ve got someone listening in on the development wiki, or they’re taking cues from us on how things are going over there (hi, Apple!).

Competitive intelligence, anyone?

Article Link


US Video Shows Hacker Hit on Power Grid


There is a US video out that demonstrates the potential damage that hackers could do to the power grid.

Video Link (via Yahoo)

From the AP:

A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.

The video, produced for the Homeland Security Department and obtained by The Associated Press on Wednesday, was marked “Official Use Only.” It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous turbine shudders as pieces fly apart and it belches black-and-white smoke.

The video was produced for top U.S. policy makers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants. Vice President Dick Cheney is among those who have watched the video, said one U.S. official, speaking on condition of anonymity because this official was not authorized to publicly discuss such high-level briefings.

“They’ve taken a theoretical attack and they’ve shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure,” said Amit Yoran, former U.S. cybersecurity chief for the Bush administration. Yoran is chief executive for NetWitness Corp., which sells sophisticated network monitoring software.

“It’s so graphic,” Yoran said. “Talking about bits and bytes doesn’t have the same impact as seeing something catch fire.”

The electrical attack never actually happened. The recorded demonstration, called the “Aurora Generator Test,” was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was quietly fixed, and equipment-makers urged utilities to take protective measures.

The narrator ends the package with the phrase “these systems were never designed with security in mind.” Well, yes. She got that correct.

Read on.

Article Link

Here is the SCADA community reaction. The story actually dates back to February/March ’07 but has only now come to light in the media.


Winners Verdict: Lax Security


A report that hits the nail on the head. If, in fact, that nail is the nail of the bleeding obvious. The problem with Winners (rooted in the parent company TJX) that led to the loss of millions of customers’ information was (drum roll) lax security.

A hush falls across the room.

From CTV.ca:

Privacy Commissioner of Canada Jennifer Stoddart and Alberta Information and Privacy Commissioner Frank Work held the news conference in Montreal at the 29th International Conference of Data Protection and Privacy Commissioners.

Work told reporters that TJX collected driver’s licence numbers, credit card numbers and transaction records from clients. In some cases, he said, the information was held onto indefinitely, for no apparent reason.

And, he added: “The security measures put in place relied on weak encryption technology. TJX HomeSense/Winners should have moved to a better protocol earlier.”

Thieves were able to hack into the company’s database and use the information.

“A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures,” Stoddart said.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information — particularly information that is not required for business purposes — for a long time can be a serious liability.”

Read on.

Article Link

