ISP caching issue exposes Gmail data

Last week, when a Kuwait-based Gmail user tried logging in, he was denied access to his own account, and instead was granted access to over 30 accounts that did not belong to him. He was able to peek into other people’s private information and personal emails, including one that contained “keycodes for some embassy gate”. The incident, which occurred during the last weekend, was fixed on the following Wednesday.

A Google spokesman who confirmed the issue said that the problem occurred due to a caching issue experienced by the ISP in that region. However, another user in Sri Lanka reported a similar issue with his Gmail account.

The same user who faced problems with his Gmail account wrote to CNN that he had no problems with his other accounts such as Hotmail. Though Google confirmed that the issue was caused by the ISP, I think it is also Google’s responsibility to enforce security measures which will prevent such minor issues outside itself from compromising its users’ accounts.

Fortunately, in this case, the issue was not widespread. If it were, one can only imagine how much damage it could potentially cause.

Sources:

http://www.techtree.com/India/News/Is_Someone_Reading_Your_Gmail_Right_Now/551-87047-643.html

http://www.news.com/8301-10784_3-9875714-7.html?tag=newsmap

Posted in Current Events | 3 Comments

Security Review: Coin-Operated Laundromats

They’re out there… Some of us use them every day… Especially college students living away from home… We can’t avoid them, unless we want to be stinky…

Yes, I’m talking about coin-operated laundries…

Coin-operated washing facilities provide an interesting security problem, since the users only maintain a single asset, their clothes. The owners and operators of the facility are at the most risk, since they have to protect against people stealing money or gaining free use.


Posted in Miscellaneous, Physical Security, Security Reviews | 6 Comments

Collaborative Security Review: Wave2Go

This security review is intentionally left incomplete. It is simply a topic that I think would be interesting for us as a group to explore. If you can add to the discussion, please do, even if it’s simply to propose an idea, or to shoot one down.

Washington State Ferries have been using the Wave2Go system for over a year now. The old system required passengers to remain in a holding area after they had bought their tickets from one of three booths. Many passengers would wait to buy their tickets just before the ferry would board, causing long lines right before departure and occasionally delaying ferries.

Wave2Go allows clients to buy tickets from multiple kiosks in addition to the three ticket booths. Alternatively, you can purchase tickets ahead of time online and then print them out.

Posted in Physical Security, Security Reviews | 2 Comments

U.S. Intelligence wants to monitor WoW chat

Called the Reynard project, it is a series of plans for U.S. Intelligence to monitor more internet traffic, most notably by data mining several major MMORPGs, including WoW. The goal is to eventually create a system capable of “automatically detecting suspicious behavior and actions in the virtual world.” Games often have things like bombs and assassinations in them, and it seems like the potential for a very high false positive rate is there. It kinda makes me wonder if custom UIs will have an option to use some sort of encryption with their in-game chat for those who are really bothered by big brother being over their shoulder.

Source:

http://blog.wired.com/27bstroke6/2008/02/nations-spies-w.html

http://www.joystiq.com/2008/02/23/wired-national-intelligence-seeking-terrorists-in-wow/

Posted in Current Events, Policy, Privacy | 2 Comments

Security Review: Full disk encryption

Summary

The past week has seen a renewed interest on the part of the security community in the reliability of hard disk encryption. With the recent revelation that data on encrypted drives is vulnerable to unauthorized access via memory manipulation, the technology has come under new scrutiny, and the integrity of existing disk encryption technologies is being questioned. While this blog has explored both the recent security breach and specific encryption tools (cold-boot attacks, TrueCrypt security review), this security review will take a broad look at the security principles behind disk encryption and the vendor-independent weaknesses and strengths of the technology.


Posted in Security Reviews | Comments Off on Security Review: Full disk encryption

Security Researchers Crack Wireless GSM Encryption

Security researchers have announced the development of an ultra-fast method of cracking wireless GSM encryption in 30 minutes or less. The 64-bit encryption algorithm was cracked in theory over 10 years ago, but the development of new technology has exploited the vulnerability on a timescale that poses a serious threat. GSM is used by many mobile companies worldwide, including T-Mobile and AT&T in the United States. With a GSM wireless frequency receiver and the proper resources, hackers will be able to eavesdrop on phone conversations and text messages at will. Fortunately, the technology is currently not cheap. The developers are charging $1,000 for a solution that cracks GSM in 30 minutes, and $100,000 for a solution that cracks it in 30 seconds. Still, the potential for privacy invasion in the future is tremendously daunting.

Who else is ready to switch to Verizon or Sprint?

Source: http://www.informationweek.com/story/showArticle.jhtml?articleID=206800800&cid=RSSfeed_IWK_All

Posted in Current Events, Privacy | 6 Comments

Now that we are being listened to

The government has decided to continue wiretapping phones with assistance from phone companies. These companies are also pushing a bill for immunity from lawsuits for participating in the tapping. What is the line at which informational surveillance pushes too far into privacy? Should immunity be granted?

Articles:

http://yro.slashdot.org/yro/08/02/24/135225.shtml
http://www.reuters.com/article/newsOne/idUSN2229053420080224

Posted in Current Events, Policy, Privacy | Comments Off on Now that we are being listened to

16 hackers got arrested in Quebec recently

Recently, the police department in Quebec, Canada, busted an international hacking network. Sixteen people between the ages of 17 and 26 were arrested, and according to the police this was the biggest hacking scam in Canadian history. These hackers collaborated online to attack and take control of about one million computers all over the world that didn’t have a firewall or anti-virus software. Because of that, they injected Trojans or worms into those computers. The investigators mentioned that the hackers profited about 45 million dollars.

Posted in Current Events, Ethics, Integrity | 2 Comments

Cold Boot Attacks on Disk Encryption

Well-known security researcher and commentator Ed Felten and colleagues at Princeton report on a technique for breaking many whole-disk encryption schemes, including the most common ones. The attack is based upon scanning RAM for encryption keys, and is even (reported to be) effective on a machine that has been recently powered down.


Posted in Physical Security | 6 Comments

Spy Satellites

Spy satellites will be used by local law enforcement to enforce the laws against United States citizens. Should this make us feel safer or more scared of our government?

On the one hand, I expect any government to use the most sophisticated equipment it has available in the pursuit of law enforcement, but on the other, the more sophisticated the equipment gets, the more difficult it will be for proper oversight to exist, and the tendency is increased (perhaps inadvertently) that the tools will be used for nefarious purposes.

A lack of oversight has the potential to lead to disastrous results. The brouhaha that occurred over the warrantless wiretapping could be just a hint of what’s to come if programs such as this gain more ground.

When news of this type comes out, I get an ominous feeling of “ickiness” about the fact that we have less and less implicit privacy (that being the general privacy to do things like walk outside into your fenced yard without risk of wanton surveillance). But at the same time I have a hard time determining where exactly the line is being crossed.

Can someone help determine where (if at all) a problem exists? Does it lie in the fact that the Federal government is using instruments of national security for issues that should be locally controlled? The Slashdot comments section has a lot of alarmist comments (including the ubiquitous “omg 1984” kind), but I’m not certain how a line is being crossed.

Source: http://yro.slashdot.org/article.pl?sid=08/02/13/2331224&from=rss

Posted in Miscellaneous, Privacy | 3 Comments