Archive for May, 2008
Author: Dave Lewis
May 13, 2008 at 6:28 am · Filed under Crime, Data Security
Ah Chile. Beautiful landscapes. Great wines. And apparently, some jackass that thought it would be fun to publish the personal information for 6 million folks on the web.
From AFP via Yahoo News:
“It’s a serious matter and we’re investigating,” Police Cibercrime Brigade chief Jaime Jara told the newspaper.
The data was displayed for several hours before authorities removed it on the technology information website “FayerWayer” and community website “ElAntro.”
The hacker said on the websites he splashed the data “for the whole world to see … (to) show how unprotected personal data is in Chile … nobody bothers protecting that information.”
Uh boy. This is not a good way to demonstrate a security hole. Sure it grabs the headlines but,…
Never mind.
I’m just going to sip my coffee.
Chilean in fact.
Author: Dave Lewis
May 12, 2008 at 1:58 pm · Filed under Dumbass, Wireless
Ah the joy of the first panicked post-departure phone call. Today is my first day away from the office and my now former day job called. It turns out that an old wireless router that had been sitting in a box in my office had been pinched soon after I left. That’s fairly typical. When someone exits the company, whether on bad or, in my case, good terms, they leave things behind in their office.
Well, the router was one of them.
An old Linksys.
Damn if someone didn’t just pinch it. No. They had to go one step further. Some knothead plugged it in. Suffice it to say the hunt is on. Good luck folks.
Pity the halfwit that thought it would be a good idea to plug it in.
Author: Dave Lewis
May 12, 2008 at 5:47 am · Filed under Data Security
The day of data reckoning has arrived for UK businesses.
From Contractor UK:
Organisations that recklessly or deliberately commit breaches under the Data Protection Act can now be fined by Britain’s privacy watchdog.
Under the Criminal Justice and Immigration Act, the Information Commissioner’s Office has the right to financially punish any outfit found in serious breach of the 1998 law.
The tougher sanctions in the act, which won royal assent on Friday, are seen as the first step to repairing the public’s dwindling confidence in how their data is handled.
They also send the strongest signal yet to organisations that a “cavalier” approach to customers’ data security is “completely unacceptable” and that it must become a priority.
In all fairness it should have always been a priority. But, better late than never.
Author: Dave Lewis
May 11, 2008 at 9:19 pm · Filed under Spam/Phishing
Uh boy. The spammers are at it again.
From CNET:
A “serious security flaw” in Gmail turns Google’s e-mail service into a spamming machine, according to a recent security report.
INSERT, the Information Security Research Team, has created a proof of concept that exploits the “trust hierarchy” that exists between mail service providers. By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google’s SMTP service, bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.
The report notes that with the rising volume of spam, e-mail providers have turned to whitelists and blacklists to help root out IP addresses of known spammers. Because Gmail falls into the trusted whitelist category, messages are allowed “carte blanche” to bypass spam filtering.
So, that’s why I’ve won so many lotteries that I never entered.
Author: Dave Lewis
May 9, 2008 at 8:59 am · Filed under News
There was a bill tabled on Wednesday in US Congress that aims to hold DHS’s feet to the flames.
From SecurityFocus:
Rep. Jim Langevin, D-RI, introduced a bill on Wednesday that aims to hold the U.S. Department of Homeland Security responsible for investigating every cyber attack and for shoring up its network security.
The bill would better define the roles and responsibilities of the agency’s chief information officer, require that the department reduce the number of successful attacks against its networks and mandate that the DHS investigate the state of contractors’ network security before signing a contract with them. The bill comes after more than a year of investigations by the House of Representatives’ Committee for Homeland Security into cybersecurity breaches at numerous government agencies. Rep. Langevin heads up the Subcommittee on Emerging Threats, Cybersecurity and Science & Technology, which has held most of the hearings on the issues.
For the full piece read on.
Author: Dave Lewis
May 8, 2008 at 10:08 pm · Filed under Data Security
HSBC has been having a rough week with regards to data security stories in the media. Turns out that they lost a server at a location in Hong Kong two weeks ago.
From The Asian Banker:
The Hongkong and Shanghai Banking Corporation Limited confirms one of its computer servers went missing on 26 April 2008 at its Kwun Tong Branch, which has been undergoing renovation. The server held transaction data on approximately 159,000 accounts. The data held on the server includes account number, customer name, transaction amount and transaction type. However, the server does not contain any customer PINs, passwords or User IDs.
The server is protected by multiple layers of security. The risk of data leakage and fraudulent transactions resulting from the loss of the server is deemed to be low by the Bank. HSBC has in place fraud monitoring tools that are regularly reviewed.
Multiple layers of security? I find it interesting that at no point do they indicate if the drives were encrypted.
Author: Dave Lewis
May 8, 2008 at 8:52 pm · Filed under Patches
It’s that time again. The only difference for me this time is that I’ll be relaxing on the deck. I’ll stop basking in it once I start the new gig.
From PC World:
Although Microsoft’s note does not describe the bugs in detail, it looks like the company is planning to fix a known bug in the Jet database engine, which was disclosed in late March. Attackers had figured out a new way to launch a malicious Jet file using Microsoft Word, Microsoft warned in a blog posting.
Jet files, which have a .mdb extension, are typically blocked by Outlook, but “attackers have figured out a way to work around the mitigations built into Outlook,” Microsoft said in its post.
The Jet flaw affects Windows XP, 2000 and Server 2003 Service Pack 1.
The Word flaw is rated critical for both Windows and Mac users.
Although rated only “moderate,” the DoS bug in Microsoft’s security products is also a cause for concern. It affects many Microsoft security products including OneCare, Antigen, Windows Defender, Standalone System Sweeper and several Forefront Security products.
Read on.
Author: Dave Lewis
May 8, 2008 at 7:07 pm · Filed under Wireless
Hmm. OK.
I’m not sure what to make of this one. RFID is not my specialty to say the least. Anyone have thoughts on this one?
From RFID Journal:
NeoCatena, a Sunnyvale, Calif., startup company, has emerged to address an issue its founders believe is of growing importance to end users of RFID technology: system security. The firm has created a security appliance designed to act as a firewall between RFID interrogators and the edge server of middleware an end user employs to collect and transmit RFID tag data upstream to its enterprise software.
The appliance, known as RF-Wall, runs software developed by NeoCatena to protect an RFID network from counterfeit RFID tags, and from attempts to use tags encoded with malware to introduce a virus to back-end systems, or to execute some type of breach to the security of sensitive data, according to the company’s cofounders, Boris Wolf and Lukas Grunwald.
While there have been no publicized incidents involving the use of RFID-based network attacks or counterfeit RFID tags, Wolf and Grunwald believe the threats to be real, and say experiments performed by Grunwald dating back to 2004 have proven such things possible.
Read on.