Archive for February, 2008
Author: Dave Lewis
February 29, 2008 at 1:05 pm · Filed under Crime, Hardware
Just in.
From the Standard:
U.S. and Canadian law enforcement authorities have seized more than US$78 million worth of counterfeit Cisco Systems networking equipment in an ongoing investigation into imports from China, the U.S. Department of Justice and other agencies announced Friday.
The coordinated operation, begun in 2005, has resulted in more than 400 seizures of Cisco hardware and labels, the DOJ said in a news release. The operation targets the illegal importation and sale of counterfeit network hardware such as routers, switches and network cards. One of the operation’s goals is to protect the public from network infrastructure failures associated with the counterfeits, the DOJ said.
“Counterfeit network hardware entering the marketplace raises significant public safety concerns and must be stopped,” Assistant Attorney General Alice Fisher of the DOJ’s Criminal Division, said in a statement. “It is critically important that network administrators in both private sector and government perform due diligence in order to prevent counterfeit hardware from being installed on their networks.”
The agencies that worked together on the operation included the U.S. Federal Bureau of Investigation’s Cyber Division, U.S. Immigration and Customs Enforcement (ICE), U.S. Customs and Border Protection (CBP) and the Royal Canadian Mounted Police (RCMP).
$2 million worth of the bust was captured in Toronto today. No word on who exactly was selling it at this point.
Article Link
Tags: Fake Cisco Gear, Chinese Cisco Gear, Operation Cisco Raider, China Cisco, CSCO
Author: Dave Lewis
February 29, 2008 at 8:22 am · Filed under Insider Threat, Threats
Karen Salmansohn wrote a piece for the Huffington post on “cyber” war (still hate that word) from within.
From Huffington Post:
By all mainstream press accounts, the U.S. remains focused on guarding against inbound attacks by large and small enemies, a classic defensive posture anticipating warfare coming from the outside-in: a War of Mass Destruction.
But what if it’s an inside-out job — a cyber-attack via the internet: a War of Mass Disruption?
Think about it: We’ve become a nation of “internet addicts.” Even the smallest of businesses is obsessively dependent on constantly accessing, transferring, and acting upon information via the Internet.
I confess to personally often feeling like a new millennium O.C.D. character in an Oliver Sachs book: “The girl who couldn’t stop watching my email” — with minor symptoms of “google junkie.”
And the more all of us Americans increase our dependence on the Internet, the more we make the Internet a prime target for “Hacktivists” — enemy cyber terrorists.
And, it really wouldn’t be that difficult to do. I would be more concerned with bored teens at this point than with a concerted attack. Think about it. The “bad guys” take out the internet? Not entirely likely as they need it for the same reasons that China wouldn’t hit Atlanta in a nuclear strike. They would want to watch their progress on CNN.
Read on.
Article Link
Tags: Cyber War, Insider Threat
Author: Dave Lewis
February 29, 2008 at 7:48 am · Filed under Data Security, ID Theft, Privacy
With the ever increasing upsurge in personal data theft it should comes as little surprise that healthcare providers have landed in the cross hairs. We have seen incidents all over, including here in Toronto last year. Identity theft is a lucrative and thriving business. More resources need to be either allocated or better utilized to help combat this problem. After having conducted security audits on healthcare providers in the past it really is no surprise that they are getting picked on by the bad guys.
From PC World:
“There is definitely an uptick in attacks,” says Dr. John Halamka, CIO at both Beth Israel Deaconess Medical Center and Harvard Medical School in the Boston area. “Privacy is the foundation of everything we do. We don’t want to be the TJX of healthcare.” TJX is the Framingham, Mass-based retailer which last year disclosed a massive data breach involving customer records.
Dr. Halamka, who this week announced a project in electronic health records as an online service to the 300 doctors in the Beth Israel Deaconess Physicians Organization, acknowledges computers in healthcare are sometimes compromised as spam relays or to host unauthorized content such as porn.
“It gives attackers a means to distribute it,” says Halamka. While he has seen no evidence of attackers targeting healthcare networks to steal patient data for financial gain, other security experts say that dangerous trend is well underway.
Dangerous trend? Well, yeah. Porn is really the least of their problems. It really shouldn’t come as a surprise to people that this targeting is going on. Where is a bank robber going to go for income? Well, a bank. And the identity thief will go where the information is. Namely, yours.
Now, with the impending HIPAA audits approaching at any point it would seem that folks are giving this problem sharper focus in the US.
Article Link
Tags: Healthcare Data Security, HIPAA, Identity Theft
Author: Dave Lewis
February 28, 2008 at 12:42 pm · Filed under Military
Just in, CNN The Drudge Report has disclosed that Prince Harry has been deployed in Afghanistan since December. So much for operational security.
From CNN:
The UK’s Prince Harry is in Afghanistan and has seen combat, the UK Ministry of Defence confirmed Wednesday.
He was deployed 10 weeks ago and his fellow soldiers were sworn to secrecy. The prince’s status is currently being reviewed, the Defense Ministry said.
Harry is third in line to the British throne.
Article Link
Tags: Prince Harry, Prince Harry In Afghanistan, Prince Harry Deployment
Author: Dave Lewis
February 28, 2008 at 9:28 am · Filed under Data Security, Hardware
From the Times Online UK:
‘Chip and PIN’ cards which require customers to enter a four-digit code before purchasing goods may not be as safe as previously thought, according to research.
Customers may unwittingly be handing over their card details and pin number when using the new terminals, which have been widely rolled out at supermarkets, service stations and other outlets, a group of computer security academics has claimed.
According to the research, with a relatively simple 10 minute procedure a merchant can program a chip and PIN terminal to capture all the information needed to clone a chip and PIN card, as well as the customer’s PIN number.
The fraudster would then be free to make withdrawals from the customer’s bank account, as well as commit identity fraud, the group said. The researchers, from the Computer Laboratory at the University of Cambridge, said they had no evidence to suggest the problem was widespread, though they were aware of several instances of it happening, including one at a Shell garage in 2006.
They said the vulnerability was caused by manufacturers’ failure to build appropriate encryption technology into the devices, known as PIN-entry devices (PEDs), which meant that information passed between the card and the device unprotected.
Article Link
Tags: Chip And PIN, PIN Number
Author: Dave Lewis
February 28, 2008 at 9:21 am · Filed under Crime, Malware
Rumblings about potential German police trojans and spyware seem to raised that hackles of the high court. This isn’t really anything new as the Supreme Court in Germany smacked down the use of hacking by German police over a year ago.
From BBC:
Germany’s highest court has restricted the right of the security services to spy on the computers of suspected criminals and terrorists.
Under the technique, software sent in an email enables the authorities to spy on a suspect’s computer hard drive.
The Federal Constitutional Court in Karlsruhe said cyber spying violated individuals’ right to privacy and could be used only in exceptional cases.
Civil liberties activists have warned of an unacceptable invasion of privacy.
The case - which began last year - was brought after the western state of North Rhine-Westphalia allowed officials to begin using the technique.
Court President Hans-Juergen Papier said that using such software contravened rights enshrined in Germany’s constitution, adding that the decision would serve as a precedent across the country.
So, the court said no and the police continue to develop? Who is leading this parade?
Article Link
Tags: Crime, German Police Trojans, LE Trojan
Author: Dave Lewis
February 28, 2008 at 8:57 am · Filed under Crypto, Wireless
From Daily Progress.com:
A University of Virginia graduate student and two fellow hackers say they have cracked the encryption code that protects billions of credit cards, subway passes and security badges.
With readily available equipment that cost less than $1,000, 26-year-old Karsten Nohl and his two Germany-based partners dismantled a tiny chip that is found inside many “smartcards” and mapped out its secret security algorithm.
With the cryptographic formula in hand, the hackers were then able to run it through a computer program that tried out every possible key. It broke the encryption after a few hours. If they were to try again, Nohl said, it would take a matter of minutes.
“I don’t want to help attackers, but I want to inform people about the vulnerabilities of these cards,” said Nohl, a Ph.D. candidate in computer engineering at UVa who is originally from Germany.
So, why does this seem familiar? The article seems a touch confusing. Did he break crypto or simply RFID? The quote from the article “found that it was fairly easy to crack the RFID chip’s code, potentially allowing a tech-savvy miscreant to clone credit cards, ride the Metro for free, or easily steal cars.” seems to indicate that they merely attacked the RFID as opposed to some encryption. Does anyone have a link to Nohl’s presentation from CCC?
Article Link
Tags: RFID, Karsten Nohl
Next entries »
Explore
Security Bloggers Network
