Security Blog 


5.17.2002

Uh Oh
The NYTimes is reporting a major security breach at Ford Motors.
Hackers posing as employees of the Ford Motor Credit Company have in recent months harvested a trove of 13,000 credit reports — a virtual one-stop shop for fraud and identity theft — with data on consumers in affluent neighborhoods across the country.






Las Vegas Phreaks
A follow-up report to the Las Vegas story I posted several weeks ago. Evidently phone phreaks were working with the local, how should I phrase this - entertainment business, to route calls. Interesting read.
At a time when official Washington is emphasizing the link between the United States' "critical infrastructures" and national security, it may be a state regulatory body more accustomed to tariffs than cyber terrorists that first takes on oversight of an infrastructure provider's network security. And all because a ragtag lineup of lost and struggling peddlers of vice wouldn't fade quietly into the neon glow of the Las Vegas night.




Morning Wire
The things people do amaze me. This guy war-drove a DISA network, then tells the media? Way to make friends...
While parked across the street from DISA's headquarters, O'Ferrell was able to easily map the topology of the agency's network, including the Service Set Identifier (SSID) numbers of access points and numerous IP addresses. Using a standard 802.11b wireless LAN card attached to his laptop computer and "sniffer" software, he was able to probe the network in less than half an hour.


And for grins, I'll throw in this piece on the security industry's favorite buzzword - CYBERWAR.
In terms of present-day vulnerability, such a terrorist could simply be a lone fanatic wielding a laptop. And the damage could be staggering.



5.16.2002

Too far gone
Jon Lasser, of Security Focus, makes several valid points in his commentary on MS security versus open source security. He thinks MS is too screwed up and nothing will work short of a complete recode. Sadly, he's probably right.
But I'm now ready to throw in the towel on this debate. Maybe Allchin is right: Microsoft's security record would be a whole lot worse if they were forced to disclose too much.




Jailed
The Deceptive Duo that cracked multiple websites in an effort to alert US government and corporations to lax security has been caught. Security Focus has a good report on all of the activity.



Jello - 1, Biometrics - 0
Great story from the Register on how a Japanese cryptologist defeated biometric devices using some neat tricks.
First Tsutomu Matsumoto used gelatine (as found in Gummi Bears and other sweets) and a plastic mould to create a fake finger, which he found fooled fingerprint detectors four times out of five.



5.15.2002

Missed This Last Night
Interesting report regarding ISPs that are challenging a court order which allows police officers to be present during the execution of a search warrant.
"A large Internet service provider can receive literally thousands of search warrants and other requests for information during the course of a year," the brief said.

If the Minnesota ruling is allowed to stand, "it is entirely possible that at any given time a dozen or more law enforcement officers would be on the premises of a given service provider," it said.




Portscanning - Art?
Strange things happen when artists start dabbling with computer security.
An Internet-based artwork in an exhibition at the New Museum of Contemporary Art was taken offline on Friday because the work was conducting surveillance of outside computers. It is not clear yet who is responsible for the blacking out - the artists, the museum or its Internet service provider - but the action illuminates the work's central theme: the tension between public and private control of the Internet. The shutdown also shows how cyberspace's gray areas can enshroud museums as they embrace the evolving medium.




Running Late
Busy day, so I haven't had a chance to read the news yet. Look for updates later today.


5.14.2002

Sign Me Up
This sounds like an awesome project organized by the government. I hope it doesn't get screwed up - and keep the damn executives out! Start another group for them...
WASHINGTON - For more than 40 years, an elite group of academic
scientists has provided the federal government with largely classified
advice on the most vital issues of national security. Every summer
they have met behind closed doors for almost two months near San
Diego, emerging with judgments that have helped shape the nation's
policies -- from ending nuclear testing to preparing for the danger of
bioterrorism.

But when the Pentagon tried to redirect the group, known simply as
"Jason," toward information technology and force it to accept
Silicon Valley executives in its ranks, the scientists balked. And now
this highly secret group of advisers and the independent science-based
analysis it provides may be in jeopardy.




Too Much Stuff
Funny, some days I can't find anything worth posting, other days stories pop up everywhere I go. This takes the prize for the strangest of the day.
The Pentagon is preparing a sting operation with a difference – training ordinary bees to smell out explosives, drugs and even to help clear minefields.




More Info
Here's the original article from the piece below discussing the cracker who hasn't been caught. Much more meat in this link.



Beware of Monitor Glow
Sounds like several other methods which generate similar results. We'll have to wait and see if this has any practical application, or if it's just a lab experiment picked up by the media.
Markus Kuhn, an associate professor at Cambridge University in England, presented research on Monday showing how anybody with a brawny PC, a special light detector and some lab hardware could reconstruct what a user sees on the screen by catching the reflected glow from the monitor.




More from the Deceptive Duo
From eweek:
"With our defacements, we hope to show our nation that we are still in a vulnerable state. We are not only forcing the system administrators of our targets to take stronger action with their security, but we are also showing the people who witness this that they must act as well."




Great Cars, Bad Security
From Tom's Hardware:
Defacers turned motor sport fans yesterday in a protest against the controversial decision to gift Michael Schumacher victory at the Austrian Grand Prix.

Ferrari-group.com was defaced by a group called S4t4n1c_Souls after the race with a profane message criticising Ferrari's management for ordering Rubens Barrichello, who dominated the race, to make way for Schumacher on the last corner, handing him an undeserved victory.




Firewalls of the Future
Here's an interesting report on application level firewalls. This is the next wave of security software.
Firewalls always will be required at the trust boundaries of enterprise networks. However, the current generation of firewalls provides protection only at the network level, with minimal application awareness. The rise of Web services will require the addition of application-level firewalls to protect against external attacks, as well as the effects of unintentionally malicious software being transferred between business partners. The processing demands of application-level processing and decrypting SSL connections will require customer security hardware as a key element of the solution.




Sounds Fishy
According to this short piece, a cracker has hassled a company for over 9 months - without being caught. I find that hard to believe. Didn't they hire anyone to come in and catch this guy?
Nine months later, the criminal is still at large. The thief has brazenly taunted executives with repeated e-mails while staying ahead of investigators, deftly wiping away his electronic fingerprints and covering his tracks at every turn.



5.13.2002

Cracker heaven?
A judge is attempting to correct a loophole which let crackers go free in Argentina. This is a follow-up to the story we mentioned a few weeks ago.



Scams
Short story on credit card trading. There are a few interesting stats comparing online and real-world fraud.
"This is highlighting a tremendous lack of security," said Richard Power, editorial director of the Computer Security Institute, an association of computer security professionals that recently published a report with the FBI on computer crime. "In the old days, people robbed stagecoaches and knocked off armored trucks. Now they're knocking off servers."




Monday morning...
I didn't miss much this weekend. Nothing on the wires, and the piece I did want to read was "down temporarily".