|
Russian Crackers Are Great Computer Crackers
The New York Times should be asking: What's Russian for 'Cracker'?
"Russia has become a major breeding ground for hackers who
use their anonymity to inflict mayhem on the West, aided
by the Russian government's apparent indifference to their
activities. The roots of Russian hacktivism include the
country's strong system of math and science education,
generally poor job prospects for graduates of Russian
technical institutions, and societal encouragement of
rule-breaking as a form of resistance against the strictures
and despotism of the Communist regime."
This is little doubt that Russian programmers are
excellent programmers.
"There was always a great entrepreneurial spirit in Russia,
but it has always been directed at things that not only help
people, but also hurt people." notes Russian-American author
Gary Shteyngart.
Entrepreneurialism is a big deal in the U.S. these days.
Numerous universities are offering degrees in this area.
"Rough estimates place 28 million Internet users in Russia,
versus 150 million in China and 210 million in America.
Russian hackers are considered by VeriSign to be the worst
type of hackers because of their links to organized crime
outfits that embezzle money with stolen bank and credit
card information.
Seems appropriate to add line to Don Henley's lyric...
"The man with a briefcase and steal more money
than a man with a gun."
to include...
"And a cracker with a high-speed Internet connection
can steal more money than a man with a briefcase."
What's Russian for 'Hacker'?
[22 December 2007, top]
|
Crackers Like PCs In Poor Countries
They are crackers; not hackers. Hackers don't crack
computers that don't belong to them.
Good headlines often tell the story...
Hackers have poor nations' PCs in their sights
[Extra] This is old news from last month...
"A zero-day vulnerability in the latest version of
RealPlayer and RealPlayer 11 Beta is actively being
exploited, Symantec said Friday morning."
"The issue affects an ActiveX object in the RealPlayer
component called 'ierpplug.dll.'"
Crackers can exploit the RealPlayer crack by putting
crack code in dot-html files. If the dot-html files
are rendered by IE (Internet Explorer), then...
"The malicious .html page checks several versions of
RealPlayer to determine if the installed application
is vulnerable. If it is, the attacker can potentially
take control of the computer." -- Symantec
[22 December 2007, top]
|
Oak Ridge National Laboratory Cracked
If true, then bad news.
"12/7/2007: The Oak Ridge National Laboratory (ORNL) said a
'sophisticated cyberattack' executed over the past several
weeks might have allowed hackers to steal the personal
information of thousands of lab visitors."
The ORNL has massive quantities of computing capability.
The ORNL alerted employess with the following message.
"[...] to be part of a coordinated attempt to gain access
to computer networks at numerous laboratories and other
institutions across the country."
It's not a "hack attack," it is a crack attack...
Hack Attack Compromises National Lab
[08 December 2007, top]
|
Use Caution When Visiting IndiaTimes.com
IndiaTimes.com appears to be a dangerous website to visit.
ScanSafe was quoted saying, the website "is an entire cocktail
of downloader Trojans and dropper Trojans." According to
ScanSafe's analysis, IndiaTimes.com contains 434 malicious
files. The Security Watchdog wouldn't be suprised if this
file count is growing and growing and growing.
[08 December 2007, top]
|
And What Are You Reading?
This is an old news that the Security Watchdog was not aware of.
AP Headline: "U.S. Withdraws Subpoena Seeking Identity of
24,000 Amazon Customers Sought As Witnesses"
Federal prosecutors created a subpoena seeking the "identities of
thousands of people who bought used books through online retailer
Amazon.com Inc."
The following quote from U.S. Magistrate Judge Stephen Crocker
is chilling in itself.
"The (subpoena's) chilling effect on expressive e-commerce
would frost keyboards across America."
"Well-founded or not, rumors of an Orwellian federal criminal
investigation into the reading habits of Amazon's customers
could frighten countless potential customers into canceling
planned online book purchases."
The AP reported that "federal prosecutors issued the subpoena last
year as part of a grand jury investigation into a former Madison
[Wisconsin] official who was a prolific seller of used books on
Amazon.com. They were looking for buyers who could be witnesses
in the case."
The AP quoted the government saying: "We didn't care about the content
of what anybody read. We just wanted to know what these business
transactions were. These were simply business records we were seeking
to prove the case of fraud and tax crimes against Mr. D'Angelo."
[08 December 2007, top]
|
Crackers Might Exploit CPU Math Errors
Adi Shamir, is a professor at Israel's Weizmann Institute of Science. Adi
is also the 'S' in RSA.
"With the increasing word size and sophisticated optimizations
of multiplication units in modern microprocessors, it becomes
increasingly likely that they contain some undetected bugs.
This was demonstrated by the accidental discovery of the obscure
Pentium division bug in the mid 1990's, and by the recent discovery
of a multiplication bug in the Microsoft Excel program."
According to Wei Dai, co-creator of the "VMAC message authentication
code and author of Crypto++, a free C++ class library of cryptographic
algorithms, there are ways to protect against CPU math errors and that
'the RSA implementation in Crypto++ is already protected against this
attack...'. In a nutshell, Wei Dai said, "[...] after doing the RSA
private key operation y=x^d mod n, one should check that the result
is correct by verifying that x=y^e mod n. Crypto++ has done this since
version 5.1."
[24 November 2007, top]
|
Alltel Springs Ahead Instead of Falling Back
I've always thought date and time stuff was some of the
more complicated stuff to program correctly. Moving
clocks forward and backward just adds to the difficulty.
"Most of the country moved their clocks back one hour when
daylight saving time ended Sunday, but some Alltel Corp.
customers saw their cellular phone clocks jump forward
an hour instead."
According to Alltel, cellular towers provide the time to
the phones and the problem was with the towers.
[08 November 2007, top]
|
Spammers Using MP3 Files To Promote Stocks
People's creativity never ceases to amaze... spammers
are using dot-mp3 files to promote stocks.
The following was reported by eWeek.com.
"Spammers have taken to using MP3 attachments in e-mails
named after recording artists as part of a pump-and-dump
stock scam. Most of the e-mails have no subject name; others,
however, appear to be named after the artist the MP3 file is
named after, according to several security vendors."
"When recipients click on the attachment, a voice relays a
message promoting stock for a particular company."
The Security Watchdog's primary email account gets hit by
a couple of stock market spams a day.
[19 October 2007, top]
|
Microsoft OS Defects, IE Defects, Word Defects
Microsoft is constantly issues patches. On 10/10/2007 the company released
six security updates to "fix" holes in Vista and Internet Explorer.
The following quotes were issued by McAfee Avert Labs.
"Today's Microsoft patches emphasize the need for proactive
browser protection and the risk of surfing the Web unprotected."
All crackers need is one wrong click.
"Many of the vulnerabilities addressed by the fixes could be
exploited if a Windows user simply clicks a malicious Web link,
a favorite attack method among cybercriminals. Users need to
be more careful than ever when surfing the Internet."
The Security Watchdog gets the shakes when he reads
about defects with Microsoft Word.
"One of the other four critical patches is MS07-060, which
addresses previously reported 'in-the-wild' Microsoft Word
vulnerabilities that allow an attacker to send an infected
Word document as an attachment or as a downloadable file
from a Web site."
Infected word documents? Yuck!
[11 October 2007, top]
|
AOL Instant Messenger Must Be Bad Software
I wonder how many times we will see this news.
"A security hole in widely used versions of AOL's instant-messaging
program could let a crook grab control of a victim's computer,
according to a security firm that says AOL's steps to repair the
problem don't go far enough."
AOL's IM has been cracked time and time again. Not all of the
cracks have been serious, but in this case the finder of crack
was quoted saying: "This is critical, this is very serious."
Beware of dangerous emoticons...
"The security hole arose because of the way the vulnerable versions
of AIM let instant-messaging chatters augment their conversations
with various fonts and pictographic 'emoticons.' The flawed versions
of AIM do this by using Microsoft Corp.'s Internet Explorer program
to render images."
The Security Watchdog is not sure why anybody uses AOL.
[07 October 2007, top]
|
Crackers Offer Nude Actress Pics... Not
The InformationWeek.com headline caught my eye:
"Hackers Push Trojan With Promises of 'Nude
Angelina Jolie' Pics."
InformationWeek would be doing the computing profession a favor
if it started using the term crackers instead of
hackers. The headline should read: "Crackers Push
Trojan With Promises of 'Nude Angelina Jolie' Pics."
InformationWeek reported that Sophos reported that "in September,
one in every 833 e-mails were carrying malicious attachments,
compared to 1 in every 1,000 during August." For some reason
the Security Watchdog thought these ratios would be worse than
they are.
InformationWeek.com quoted a senior security consultant
at Sophos saying, "The trick of tempting users with scantily
clad pictures of hot-looking girls is as old as the hills,
but people still fall for it."
[02 October 2007, top]
|
Spam is a Powerful Tool for Malware Crackers
InformationWeek.com posted an article about the federal government
stating the obvious: Crackers use spam to install malware.
InformationWeek reported on events that took place at the
Federal Trade Commission Spam Summit. Wow... a summit on
spam. The Security Watchdog found this information worthy
of quoting: "A community of malware providers has sprouted
up such that a spammer can buy a spyware kit online for $17
to create a payload for his spam, and that kit will come with
technical support." Capitalism at its worst.
Spam Is Gateway To Malware Economy, Feds Say
[23 September 2007, top]
|
TD Ameritrade Cracked (6.3 Million Contacts)
TD Ameritrade's computer systems were cracked and
"contact information" for more than 6.3 million
customers was stolen. The company said that it
does not appear as if the stolen data contained
contain SSNs.
"While the financial assets our clients hold with us were
never touched, and there is no evidence that our clients'
Social Security Numbers were taken, we understand that this
issue has increased unwanted SPAM, which is annoying and
inconvenient for them." --Joe Moglia, CEO
The TD Ameritrade CEO needs to learn that junk email
messages are spam and not SPAM. In addition, phrase
"unwanted spam" is redundant. Who wants spam?
[16 September 2007, top]
|
Monster of a Crack at Monster.com
Monster Worldwide Inc. recently discovered that crackers
stole contact information from resumes for 1.3 million
people. In addition, USAJobs.gov, a "federal-government
career-listing service operated by Monster," was also cracked.
Security guru Bruce Schneier thinks Monster's security woes
should prompt other online services to look more closely at
their security practices, but it probably won't happen.
"You're going to see this happen again and again and again.
I assure you, every other company didn't say, `Wow, look
what happened to Monster, we have to fix our problem.'"
--Bruce Schneier
Security Notice
[02 September 2007, top]
|
Yahoo Messenger Has Webcam Defects
InformationWeek.com posted an article titled "Zero-Day
Bug In Yahoo Messenger Pops Up." They went on to say
"rosearchers at McAfee are reporting that they've reproduced
a reported zero-day vulnerability in the Yahoo Messenger Webcam."
The "zero-day bug" (i.e. defect) is due to a "classic heap overflow."
More on the Yahoo! Messenger Webcam 0day
[16 August 2007, top]
|
Government Systems Getting Cracked
We need to start calling hackers crackers.
"Hackers stole information from the Department of Transportation
and several U.S. corporations by seducing employees with fake
job-listings on ads and e-mail."
Hackers didn't steal information; crackers did!
"What is most worrying is that this particular sample of malware
wasn't recognized by existing antivirus software. It was able to
slip through enterprise defenses." said Yankee Group security
analyst Andrew Jaquith, who learned of the breach from Morris.
Security software is software; therefore, it can be cracked
especially if it is running on poorly administrated systems.
An ethically grounded guruish SysAdmin is priceless.
[02 August 2007, top]
|
Fox News FTP Password Exposed
This was slashdotted...
Somebody discovered that Fox had the webserver configured
to allow directory listings. They following the listings
until they found a shell script that in turn had a FTP
password embedded in it. Note: shell script files are
POT files (i.e. plain-old-text); therefore, the password
was human-readable.
Oops?
[23 July 2007, top]
|
WabiSabiLabi.com--An eBay For Crackers?
The question is: Why did this take so long?
"A Swiss Internet start-up is raising the ire and eyebrows
of the computer security community with the launch of an
online auction house where software vulnerabilities are
sold to the highest bidder."
WabiSabiLabi.com wants to be an eBay for crackers and
they claim their "service will serve to make software
users safer in the long run."
Site Plans to Sell Hacks to Highest Bidder
[15 July 2007, top]
|
Cyber-terrorism is a Form of Cyber-warfare
An InformationWeek.com article posted on 7 July 2007 started
as follows.
"A British court last week handed down prison sentences of
up to 10 years to three Muslim men it called 'cyber-jihadis'
and convicted of using the Internet to urge Muslims to wage
holy war on non-Muslims. And the U.S. Computer Emergency
Readiness Team reported politically motivated cyberattacks
in Russia."
I've said it before on this blog and I'll say it again:
Cyberwarfare is not going to be fun.
Bill Joy is infinitely more expert than me when it comes to this
stuff. Here is a quote from Joy that is in my quote collection.
"September 11 was essentially a collision of early 20th-century
technology: the aeroplane and the skyscraper. We don't want to
see a collision of 21st-century technology."
Cyberterrorism: By Whatever Name, It's On The Increase
[08 July 2007, top]
|
Fidelity National Gives Up 2.3 Million Customer Records
Let's see... 2.3 million written as a whole number is
2,300,000. Good job Fidelity!
Fidelity National Information Services announced that a
"senior-level database administrator at one of its subsidiaries
stole 2.3 million consumer records containing credit card,
bank account and other personal information."
The criminal sold the information to a "data broker" who in
turn sold the information to marketing firms. I suspect the
data broker and the "marketing firms" are criminals just like
the guy who sold the information in the first place.
Fidelity National: Ex-worker stole 2.3 million customer records
[06 July 2007, top]
|
Beijing Computers Great Source of Malware
reported that
during June of 2007 "some 40 percent of malicious software
worldwide originated from Beijing." Many believe Beijing
is the malware-headquarters because of the following scenario.
"As more and more users come online in China, there's
a good chance those computers are using pirated software
without up-to-date security fixes, making them prime targets
for hackers who are actually located elsewhere in the world."
Beijing scores number one spot for malware
[06 July 2007, top]
|
Cyber Warfare is Going to Suck
China is going to a major power when it comes to cyberwarfare.
"China is seeking to unseat the United States as the dominant
power in cyberspace, so says a U.S. Air Force general leading
a new push in this area."
The general was quoted saying:
"They're the only nation that has been quite that blatant about
saying, 'We're looking to do that.'"
The following blurb was noteworthy.
"The Defense Department said in its annual report on China's
military power last month that China regarded computer network
operations -- attacks, defense and exploitation -- as critical
to achieving 'electromagnetic dominance' early in a conflict."
"China's People's Liberation Army has established information
warfare units to develop viruses to attack enemy computer systems
and networks, the Pentagon said."
Bottom-line: Cyberwarfare is going to suck. Bill Joy was
right when he said we don't want to experience 21st century
warfare.
[21 June 2007, top]
|
Can Digital Billboards Be Cracked?
This was a posting from last month (May 2007) that never
got posted until now (21 June 2007).
A new mall in Tempe has digital billboards. Somebody was
quoted saying the following.
"With digital billboards, a company only has to e-mail a message
to the company's Phoenix hub and they can be quickly changed."
The comment prompted me to post the following to AzCentral.com.
Just wait and see what shows up when these billboards get cracked.
I hope they aren't using Windows. Porn anyone?
(Gerald9588, May 29, 2007 08:16AM)
[21 June 2007, top]
|
Cybercrime via Malware Pays
This is a posting that was left over from last month (i.e. May, 2007).
Dave DeWalt, president and CEO of McAfee, says things are going
to get a lot worse in computer security before they get better.
"Walking off the stage and down the aisle in his Tuesday
afternoon keynote at the Interop trade show in Las Vegas,
Dave DeWalt told the audience of IT and business professionals
that we will see more malware in the next 18 months than we have
in the past 20 years. Researchers at the company's legendary Avert
Labs are seeing 17,000 new phishing sites every month. He pointed
to a 50% to 80% growth in spyware."
There's money to be made by cyber-criminals.
"During his keynote, DeWalt noted that 37,413 new pieces of malware
hit the Internet last year. A hacker, with a multi-star rating, was
actually selling an exploit for a Microsoft Excel vulnerability on
eBay for $55. And DeWalt, who said he's had his own credit card
information stolen, estimated that one out of four people will
suffer some kind of digital crime."
DeWalt claims that "cyber crime, as a whole, will cost
$105 billion this year alone."
[21 June 2007, top]
|
Ohio To Protect Goverment Workers From ID Theft
This NewsFactor.com headline is reflective of the times:
"Today's Confidential Data Loss Is in Ohio." The posting
behind headline started with the following paragraph.
"In yet another case of stolen confidential data, the
Social Security numbers and other personal details for
all 64,467 employees in the Ohio state government have
been stolen, Governor Ted Strickland announced Friday."
note: "Friday" being 15 June 2007.
The NewsFactor.com posting went on to say it the data was
on a device that "requires special equipment to be accessed."
It further quoted Ohio's governor as saying: "There's no reason
to believe a breach of information has occurred."
Doesn't matter if a "breach of information" took place
on not; this type of stuff has to stop.
Today's Confidential Data Loss Is in Ohio
[15 June 2007, top]
|
Yahoo Messenger Defects Exploited by Crackers
InformationWeek reported that defects in Yahoo!'s
Messenger program were used by crackers to take
control of systems. It appears Yahoo! issued
a report about the defect(s) and crackers used
Yahoo!'s report to exploit the defect(s).
Sometimes too much much information is indeed
too much information.
Yahoo Hacker Uses Story To Find, Exploit Yahoo Messenger Bug
[12 June 2007, top]
|
Universities of Virginia and Iowa Cracked
InformationWeek reported that on 8 June 2007
"both the University of Iowa and the University
announced that they have been sending out
notifications about the breaches." At
the University of Virginia crackers gained
access to "record of 5,375 faculty." The
crack of the Unversity of Iowa "affected
about 1,000 students and applicants to the
school's Molecular and Cellular Biology graduate
program, along with about 100 faculty members
associated with the program." Sadly,
InformationWeek called the crackers
hackers instead of crackers.
Two Universities Hit By Security Breaches
[12 June 2007, top]
|
Colorado University at Boulder Cracked
Security software is important, but security software is
not that secure if it is defective. Security software is
"software;" therefore, it contains defects just like any
other software.
"The University of Colorado at Boulder said sensitive
information on 44,998 students was exposed because a
worm attacked the network through an un-patched bug
in Symantec's anti-virus software."
"On May 12, the university's IT security investigators
discovered that the worm entered the server through the
vulnerability, which the IT staff had failed to patch."
Defective software is one issue and sloppy system administration
is a second issue. Bobby Schnabel, CU-Boulder vice provost for
technology, wrote the following.
"The server's security settings were not properly configured
and its sensitive data had not been fully protected. Through
a combination of human and technical errors, these personal
data were exposed, although we have no evidence that they
were extracted."
CU-Boulder Arts And Sciences Server Hacked On May 12
[25 May 2007, top]
|
Alcatel-Lucent Looking For a Lost Disk
is a GDT::Portfolio
stock and the company has "lost" some information. The company
said it is "reviewing security procedures and has halted use of
couriers for sending personnel information after a computer disk
with financial and other data on employees and retirees went missing."
The "lost" disk contains "names, addresses, Social Security numbers,
birth dates and salary data for thousands of employees, retirees and
dependents on the company's U.S. payroll."
Alcatel-Lucent trying to find lost disk
[19 May 2007, top]
|
University of Missouri Cracked (again)
For the second time this year, the University of Missouri has
been cracked. This crack involved was the exposure of more
than 22,000 Social Security numbers of current and former
students obtained via a webpage.
Tom Chomicz, a network security engineer at CDW Government,
was quoted saying the following.
"Higher education is a completely different animal when it
comes to security. Universities aren't under mandates to
encrypt data in the same way as financial institutions,
and they still have some issues with identity management."
It appears as though the University of Missouri needs
to tighten up their IT practices.
[10 May 2007, top]
|
EFF Gives a Legal Primer on 09 f9
Computer users are lucky we have the .
Wikipedia.org says the is a standard for "content distribution
and digital rights management, intended to restrict access to and
copying of the next generation of optical discs and DVDs."
"As was reported back in February, an enterprising hacker
unearthed and posted one of the decryption keys used by
AACS to decode HD-DVD movies (other keys and exploits have
been made available in the weeks since). Now the AACS-LA
(the entity that licenses AACS to makers of HD-DVD players)
has set its lawyers on the futile mission of trying to get
every instance of at least one key (hint: it begins with
09 f9) removed from the Internet."
09 f9: A Legal Primer
[07 May 2007, top]
|
USDA Gross Mis-Management of Data
The United States Department of Agriculture, or USDA, has "admitted
it posted the Social Security numbers of 63,000 people who received
grants from the department on a government Web site."
The following is difficult to believe: "The identifying information
has been online since 1996, but was finally removed last week."
Marc Rotenberg of EPIC (Electronic Privacy Information Center) was
quoted saying the following: "It was simply wrong for the Department
of Agriculture to post Social Security numbers on a Web-accessible
database." In that infamous proclaim of Homer Simpson... "doh!"
I remember embedding data within data... "The USDA said all of the
private identifying information was embedded in a larger number and
therefore not immediately identifiable."
The USDA claims "there is no evidence that this information
has been misused" -- at least not yet.
[28 April 2007, top]
|
Zombie Computers are Dangerous
Computer security remains a growth industry and
for some reason I don't think that's going to
change anytime soon.
McAfee Avert Labs:
"The tactic for the e-mail is to make you think you've been
infected, and that you need to open the ZIP file to run a
patch or removal tool to fix your machine."
I try to never say never, but I'd never click on a dot-exe file
attached to an email message.
VeriSign iDefense:
"Once executed the worm installs a rootkit on the system
(wincom32.sys) and communicates over a private peer-to-peer
network to update itself."
Zombie computers that have high-speed Internet
connections are dangerous and they represent a
major homeland security issue.
NewsFactor.com::
"In essence, the infected computer becomes a zombie machine
on a botnet that can be used to send out spam that will
launch new attacks. It can also open the door for additional
malware to be installed on the victim's system."
What happens when we have zombie supercomputers?
New Storm Surges Through I.T. World
[21 April 2007, top]
|
IC3.gov = FBI.gov + NW3C.org
eWeek.com had a posting titled "Top 10 Internet Crimes."
eWeek.com mentioned the Internet Crime Complaint Center
located on the web at IC3.gov.
The IC3 is a "partnership between the National White Collar Crime
Center at NW3C.org
and FBI.gov."
A few years ago I modernized the following song lyric
by Don Henley... A man with a briefcase can steal more
money than a man with a gun ...into... a person with
a high-speed Internet connection can steal more money
than a person with a briefcase.
[20 April 2007, top]
|
Education Dept. Has Lots of Student Records
[via Slashdot] This is easy to believe.
"Some lending companies with access to a national database
that contains confidential information on tens of millions
of student borrowers have repeatedly searched it in ways that
violate federal rules, raising alarms about data mining and
abuse of privacy, government and university officials said."
The Washington Post reported that the database contains
"60 million records." There are some who believe data
mining of student records has "grown exponentially."
Lenders Misusing Student Database
[16 April 2007, top]
|
More Computers Lost By the DOE
InformationWeek.com posted the following.
"A government counterintelligence office in charge of
protecting information about nuclear technology from
foreign espionage has lost 20 desktop computers -- most
of them containing classified information, according to
a report from the department's Office of Inspector General."
This is downright frightening...
"In the initial inventory of 618 computers assigned to the
directorate's headquarters, 241 were not immediately located.
Eventually, all but the 20 were found. The audit report, which
was released late last week, also showed that the 'inventory
records were so imprecise and inaccurate that the directorate
had to resort to extraordinary means" to locate 125 of those
241 computers.'"
Department Of Energy Loses 20 Classified PCs
[Extra] While reading about the sloppy IT
practices at the DOE, the following headline
was eye-catching...
Hackers Promise 'Nude Britney Spears' Pix To Plant .ANI Exploit
[04 April 2007, top]
|
Crackers Crack Computers, Not Hackers
On 30 March 2007, there was a posting titled "Hackers
step up attack on Windows flaw" to the "Business Blogs"
found on AzCentral.com (i.e. the Arizona Republic).
The use of the term hacker when referring to crackers
prompted me (Gerald8100) to post the following comment.
Comment from: Gerald8100
03/31/07 @ 06:37
I need to do my hacker/cracker bit...
People who access computers without permission are crackers.
Not all crackers are hackers, but most of them probably are.
A very large percentage of hackers are not crackers. The computing
ethics followed by hackers prohibits them from being crackers (i.e.
hackers good, crackers bad).
My comment to the AzCentral.com blog ended with a hyperlink
to Raymond's "How To Become A Hacker" essay.
What is a hacker?
[31 March 2007, top]
|
Symantec Says Microsoft Most Secure OS
According to a report issued by Symantec Corp.,
Microsoft is more secure than all other commercial
operating systems.
"The report found that Microsoft Windows had the fewest
number of patches and the shortest average patch development
time of the five operating systems it monitored in the last
six months of 2006."
Six months is not a very long time to monitor how
secure systems are, but kudos to Microsoft for
coming out on top when it comes to security.
Red Hat came in second followed by Mac OS, HP-UX and Solaris.
Sun Microsystems issued the following statement to InternetNews.com:
"Symantec's data on security vulnerabilities simply does not match
Sun's. We can't verify Symantec's sources and consider their report
on Sun inaccurate."
Surprise, Microsoft Listed as Most Secure OS
[22 March 2007, top]
|
Crackers Are Not The Major Problem
Note to the University of Washington: call people
who crack computer systems crackers, not hackers.
Phil Howard, an assistant professor of communication
at the University of Washington, issued a report that
included the following.
"By year's end the 2 billionth personal record -- some
American's social-security or credit-card number, academic
grades or medical history -- will become compromised, and
it's corporate America, not rogue hackers, who are primarily
to blame. By his reckoning, electronic records in the United
States are bleeding at the rate of 6 million a month in 2007,
up some 200,000 a month from last year."
According to Howard, crackers have accounted for about 31% of
the 550 "malicious intrusions" between 1980 and 2006. The
balance is due to sloppy IT operations and untrustworthy
employees.
I found the following tidbit edifying: "The education sector,
primarily colleges and universities, amounted to less than 1
percent of all lost records, but accounted for 30 percent of
all reported incidents."
Hackers get bum rap for corporate America's digital delinquency
[16 March 2007, top]
|
WordPress.org Server Cracked
Kudos to WordPress.org for calling a cracker a cracker.
A cracker "gained user-level access to one of the servers
that powers wordpress.org, and had used that access to
modify the download file." The cracker made code modifications
that "allow for remote PHP execution."
WordPress is an Open Source project that was "started in 2003
with a single bit of code to enhance the typography of everyday
writing and fewer users than you can count on your hands and toes.
Since then it has grown to be the largest self-hosted blogging tool
in the world, used on hundreds of thousands of sites and seen by
tens of millions of people every day."
[03 March 2007, top]
|
Who is Responsible for Customer Data?
Once again I got suckered by a headline: "Who's
responsible for customer data?" To me the question
has only one answer: The company that collects the
data is responsible for it. If company A collects
data and passes it on to company B, and if company
B gets cracked, then company A is still responsible
for the data.
Who's Responsible For Customer Data?
[25 February 2007, top]
|
Parents Fail To Molest MySpace For $30 Million
A Texas judge tossed out a lawsuit against MySpace that was
filed by a family whose 13-year-old daughter was assaulted
by a man met via MySpace. The parents sued MySpace for $30
million because MySpace did not takeover parental responsibility
from the parents. Kudos to the Texan judge.
Judge: MySpace Guiltless In Child Assault
[16 February 2007, top]
|
Internet Connected Computers Constantly Under Attack
It appears as though Internet connected computers are
constantly under attack by crackers.
"University of Maryland researchers from the James Clark School
of Engineering observed the activities of hackers as they try
to gain access to a computer and exploit it. "Brute force" hackers
were the focus of the study, which set up four Linux computers with
weak security and Internet connections. The computers were attacked
an average of 2,244 times each day, or every 39 seconds on average,
confirming suspicions that the average computer is almost constantly
under attack."
Crackers like to crack systems so they can setup "botnets,"
which in turn can used for them to do more cracking.
"Hackers would typically check the computer's software configuration,
change the password, check the configuration again, and download and
install a program, which they would then run. 'Often they set up back
doors--undetected entrances into the computer that they control--so
they can create 'botnets,' for profit or disreputable purposes."
If only crackers were called crackers instead of hackers.
UM Study: Hackers Attack Computers Every 39 Seconds
[15 February 2007, top]
|
FBI Needs Help Securing Their Laptops
reported
the following on 2007.02.12.
"Three to four laptops are lost or stolen from the FBI
every month, according to a report issued this month
from the Justice Department's Inspector General."
It is difficult to believe that stuff is stolen
from the FBI.
"While 116 FBI laptops were reported lost and 44 were
reported stolen in the last 44 months, the agency is
doing better than it was five years ago, the DOJ's audit
said of one of the nation's top investigative agencies.
Another audit, conducted in 2002, showed that in a
28-month period 300 FBI laptops had been lost and
17 had been stolen."
Report: FBI Loses 3 To 4 Laptops Every Month
[13 February 2007, top]
|
Using Telnet on Solaris is Dangerous
The ISC (Internet Storm Center) at SANS has
issued an alert about using 'telnet' with
Solaris systems. The following is nasty.
"The telnet daemon passes switches directly to the
login process which looks for a switch that allows
root to login to any account without a password. If
your telnet daemon is running as root it allows
unauthenticated remote logins."
Another good reason to stop using telnet
[12 February 2007, top]
|
Internet Root Servers Hit By a DDoS Attack
Three of the Internet's 13 rootservers were
hit by a DDoS (Distributed Denial of Service)
attack. According to NewsFactor.com, the attacked
rootservers were "operated by the U.S. Defense Department,
the Internet Corporation for Assigned Names and Numbers (ICANN),
and UltraDNS, a company that manages traffic primarily for dot-org
Web sites." Given the Internet's design, is is extremely difficult
to bring it done (or crash it completely). NewsFactor.com reported
that "zombie" systems might have been employed to do the DDoS attack.
Hackers Strike at Key Internet Servers
[08 February 2007, top]
|
Crackers Like Zero-Day (Hour) Attacks
It is amazing that dot-xls and dot-doc files can be
used by crackers to crack computer systems.
"Microsoft late Friday (2007.02.02) warned users to be on the
lookout for Excel files that arrive unexpectedly -- even if
they come from a co-worker's e-mail address."
[...]
"This is the fourth known zero-day attack against the ever-present
Microsoft Office suite since early December 2006. The three previous
attacks, all aimed directly at specific targets, used rigged Microsoft
Word .doc files."
I am glad to see the Wikipedia has a webpage that discusses what
is meant by a "zero-day (or zero-hour) attack." I've always thought
it meant crackers used zero to exploit program defects, but I was
wrong. A "zero-day attack" is a computer threat that "exposes
undisclosed or unpatched computer application vulnerabilities.
Zero-day attacks can be considered extremely dangerous because
they take advantage of computer security holes for which no
solution is currently available." I wonder... Is a
zero-hour attack worse than a zero-day attack?
[05 February 2007, top]
|
TJ Maxx Crack Costing is Costing the Company
TJ Maxx sloppy IT practices are going to cost
the company money: "The company said last week
it will record a fourth-quarter charge of 1 cent
per share, or about $4.5 million, related to the
hack." Of course InformationWeek meant to say
crack instead of hack.
InformationWeek reported that "TJX was storing
credit and debit card data in violation of the
Payment Card Industry Data Security Standard
created by Visa and MasterCard."
Needless to say, lawyers are going to make
money thanks to TJ Maxx weak IT efforts.
[04 February 2007, top]
|
Secure Software: Ethical Obligation, Not Legal
is a Unix guru and
he readily admits that nobody knows how to produce secure
software. Because of this, he is concerned that nasty things
will happen if companies and programmers are legally held
responsible when their programs are cracked.
"Red Hat developer Alan Cox told a House of Lords committee on
science and technology that a developer's obligation to create
secure software is ethical, not legal."
With respect to "closed-software," Cox said the following.
"[Code] should not be the [legal] responsibility of software
vendors, because this would lead to a combatorial explosion
with third-party vendors. When you add third-party applications,
the software interaction becomes complex. Rational behavior for
software vendors would be to forbid the installation of any
third-party software."
With respect to FLOSS, Cox said: "Potentially there's no
way to enforce liability."
Linux guru argues against security liability
[23 January 2007, top]
|
Storm Worm Hits PCs
An email-based virus named "Storm Worm" containing "storm alerts"
has hit PCs. The subject-lines look real, for example:
"230 dead as storm batters Europe." The email messages
have attachments having names such as "video.exe,"
"fullstor.exe," or "readmore.exe."
According to the makers of security software, virus writers
(i.e. crackers) have "begun responding more quickly to top
news headlines, rather than using sex and celebrity as a
means to ensure their viruses get activated."
New 'Storm Worm' Pummels PCs
[Extra]
Yikes... While at the NewsFactor.com website reading
about the "Storm Worm," I came across a news story
about a retailer named TJX being cracked. What
warranted using the work Yikes is the fact that
the cracked happened in May of 2006.
Retail Giant TJX Discloses Massive Data Breach
[20 January 2007, top]
|
When Hippies Turn to Cyberterror
Time and time again I am reminded of the
importance of subject lines and titles.
Although I was never a hippy, I admit to
being drawn to hippy related news items.
Put "hippy" in the subject-line and there
is a chance I'll click.
When Hippies Turn to Cyber Terror
[16 January 2007, top]
|
Cisco Systems Buying Spam Blocker IronPort
San Jose, CA-based Cisco Systems Inc. (CSCO)
announced it will "buy email and web security firm
IronPort Systems Inc. for $830 million to tap growing
demand for anti-virus and anti-spam software."
Cisco Systems has about 50,000 employees. On 6 January 2007,
at a stock price of $28.47, Cisco had a market value of
approximately $172.89 billion.
San Bruno, CA-based IronPort is a privately-held company "known
for 'reputation filters' that block spam by examining a sender's
record." IronPort has about 408 employees.
[06 January 2007, top]
|
Security Defect Found with Browser-DotPDF Handling
calls it a "flaw,"
but I call it a defect. There has been a defect found with how
browsers process dot-pdf files. NewsFactor wrote: "The Acrobat
flaw does not occur in Acrobat or the Acrobat reader directly, but
in the Web browser plug-in that lets PDF documents be read directly
over the Internet in programs such as Microsoft's Internet Explorer
or Mozilla's Firefox."
Symantec found the defect and reported that "a weakness was discovered
in the way that the Adobe Reader browser plug-in can be made to execute
JavaScript code on the client side." Damn JavaScript.
Security Flaw Discovered in Acrobat
[05 January 2007, top]
|
About the Security Watchdog
The starts 2007
with 368 postings. This blog was started during March of 2000
and the current world of computer security is worse now than it
was then. Needless to say, there will always be content for the
for at least the
next couple of years.
Security Watchdog Archives:
2006 |
2005 |
2004 |
2003 |
2002 |
2001 |
2000
[01 January 2007, top]
|