Here are RFID Debit Cards, whether you wanted them or not.

Posted on January 27, 2008 by davidjsh

In the world of banking, attention has turned to the prospect of using RFID technology for contactless transactions via bank cards.  While this in of itself is a security concern, John Leyden brought to light in his article (http://www.theregister.co.uk/2008/01/27/paywave/) that some banks have started phasing in these cards without the consent of their customers.    

In the UK, some banks such as Halifax are trying a system backed by Visa known as PayWave.  Under PayWave, customers can make transactions under £10 without the need for a pin or having to sign anything.  In the article, we find that Pete is one of the customers upon whom this technology has been pushed without their consent.   After destroying the new PayWave card (which he did not request) out of security concerns, Pete found that Halifax had also cancelled his old card.  The replacement card Halifax ended up sending him was also a PayWave card.  Though Pete was eventually able to obtain a non-PayWave card by enough complaining, it alarms me that banks would presume that convenience outweighs security for every customer.  What prevents a “vendor” from rigging up a reader located in a backpack that would allow them to roam the streets charging a small transaction to every passing card.  Few people would notice such a miniscule charge on their statements, and the “vendor” could potentially obtain a large sum of money over time.   In my opinion, companies that are entrusted with our money should be much more responsible when it comes to security.  Or at least they should ask their customers first.

Posted in Current Events | 7 Comments

Logic Bomb Fails to Cripple Medco’s Systems

Posted on January 27, 2008 by kurifodo

In a recent article on Computerworld, it was reported that a former system administrator of Medco planted a logic bomb which was intended to cripple the company’s network. Medco deals with prescribing drugs and various other heath services. Due to the nature of this attack, the well-being of customers of Medco were put at risk. Fortunately, the logic bomb did not succeed, and it is reported that the first wave of the attack failed due to buggy code, and subsequent waves were detected and prevented before they could trigger. The former system administrator will now serve 30 months and has to pay $81,200 in damages.

It is mentioned that upcoming layoffs could have triggered the system administrator (Lin) to commit this offense. Medco had just been restructured, and layoffs had taken place, but Lin did not lose his job. However, there were more layoffs to come, so perhaps in anticipation, Lin planted the logic bomb. It is difficult to say if there could have been anything done to prevent this offense. Since Lin was a system administrator, it is difficult to stop or deter a person of this position if they are willing to commit such a serious offense. I think the best a company could do is respond to actions taken by employees by checking their work, but enforcing a system like this would be too pricey and time consuming to be plausible.

As mentioned before, the impact of this event, if it were successful, could have been very serious. People’s lives could have been lost due to lack of prescription drugs, and others could have been damaged for life potentially. One very difficult question to answer is, what should we do with people like Lin? What kind of punishment is suitable for the crime? Even though it was not successful, the intent to harm was always present. After Lin completes his sentence, should he be trusted to work with a company’s computer systems? Who knows if Lin will have learned his lesson, or if he will be even more upset and “out to get the world.” I would think it is safe to say that a company will never hire Lin to work on their computer systems with this kind of event on his record.

Posted in Current Events, Ethics, Policy | 2 Comments

Pillaged MySpace Photos Show Up in BitTorrent Download

Posted on January 27, 2008 by felixctc

More than half of the million images that are private photos of MySpace users was stolen and uploaded onto BitTorrent. This is a huge privacy breach to MySpace users. The hacker, “DMaul”, said that he learned the security hole from the WIRED and used the method of attack. This security hole was surfaced last fall and because of this, various adversaries such as possible pedophiles, voyeurs, and advertisements were able to steal these photos. DeMaul ended up seeding these photos and advertised them as “pictures taken exclusively from private profiles”. It turns out that his attack cycles through the accounts by MySpace Friend ID numbers, thus did not target any specific group of people. Although, the attack did not target any specific group, this is a significant breach that affected users who are under 16 because their accounts are automatically set of private and their adversaries are more dangerous. Even though the attack result in leaks of a huge amount of pictures, it seems that MySpace didn’t follow up with the issue properly.

Continue reading

Posted in Availability, Current Events, Privacy | 5 Comments

Alledged Skype Surveillance by German Police

Posted on January 26, 2008 by iddav

Documents posted today on WikiLeaks suggest that German police in Bavaria may have used a trojan for intercepting Skype calls as part of their surveillance of suspects. One document is an offer from DigiTask, a German company, to rent Skype surveillance technology at EUR 3,500 per month per instance. The other document is a letter between the Ministry of Justice and the Prosecutors office about distributing this cost.

Continue reading

Posted in Current Events, Privacy | 4 Comments

DoS attacks and International Tension

Posted on January 25, 2008 by joyleung

Last May during a protested movement of a World War II soviet statue, Estonian governmental and political sites were flooded in a series of Denial of Service (DoS) attacks. These attacks consisted of hammering the sites servers with requests till they crash or shut down. While investigating, Estonia blamed the attacks on the Russian government, increasing the political tension between the two countries. Today, a twenty year old Estonian was fined for organizing some of the attacks.

 

Many Estonians of Russian decent were angered last May at the movement of the statues and there many rioted. A DoS attack perhaps was also used as a form of retaliation because of its relative ease. Whereas an attack on government building is easily caught, an attack over the internet can be easier to do and much harder to trace.

 

It isn’t clear what sort of protection these servers had from such attacks. However, preventing a DoS attack is difficult. While servers can be made to shut down more gracefully when attacked, it is hard to prevent denial of service. Firewalls and filters can help as well but they can keep out legitimate use of a site as well as attacks. The best solution seems to be preparedness. Quick detection and intervention of an attack occurring can allow more evidence to identify the offending party quicker. That coupled with high fines can also probably deter more attacks.

 

What is most interesting is the political side to these attacks. Cyber attacks can be used as a vector to make political statements as well as exacerbate political situations. The internet is a different and convenient medium for malicious groups wanting to increase political tensions or perhaps even start a war. For something with such impact it is surprising that these attacks are not so well protected against.

 

http://politics.slashdot.org/politics/08/01/25/0120221.shtml

http://www.nytimes.com/reuters/technology/tech-estonia-cybertrial.html?scp=2&sq=estonia&st=nyt

Posted in Availability, Current Events | 2 Comments

$7.1 billion loss at major European Bank due to fraud

Posted on January 24, 2008 by chrislim

I haven’t been able to thoroughly analyze this situation, but it seemed like something particularly germane to this blog (so I decided to post it with brief commentary). Basically, the French bank Société Générale (SocGen) recently revealed that single rogue employee was able to concoct “elaborate, fictitious transactions” that ultimately cost the company $7.1 billion dollars (€4.9 billion).

Jérôme Kerviel, the perpetrator, was able to breach 5 levels of controls and was called a “computer genius” by the governor of the bank. Apparently, he was allowed to move from a back office position to the trading floor, which removed the separation of duties that was intended to protect against this kind of fraud. The expertise in control procedures that he gained while working in the back office, enabled him to develop the complex scheme which covered his fraudulent actions until auditors discovered fictitious trades on the books of the bank’s risk management office.

As this story unfolds, it will be interesting to hear more of the details of the breach, particularly with respect to computer security. From a policy perspective, many questions have been raised about tightening controls and even if a single person was able to engineer the process, how a single person would be able to finance the fraud without detection. Why did the numerous financial safeguards fail at the hands of single person?

This must be quite a blow for an already tumultuous industry…

http://www.businessweek.com/globalbiz/content/jan2008/gb20080124_769729.htm?campaign_id=rss_daily

http://www.iht.com/articles/2008/01/24/business/socgen.php

http://www.iht.com/articles/2008/01/25/business/profile.php

UPDATE: apparently there are conflicting reports about Kerviel’s computer skills and it should be noted that SocGen has not accused him of personally profiting from the trades (though they may in the future).  This incident sounds like its going to be in the news for quite awhile.

Posted in Current Events | 3 Comments

Maryland abandons e-voting machines for paper ballots

Posted on January 22, 2008 by cbhacking

The state of Maryland has decided, after spending $65 million on electronic voting machines made by Premier (formerly known as Diebold) Election Systems, to spend another $20 million on optical-scan machines that read paper ballots. The reason for this incredible expenditure of taxpayer money, which the state will be paying off until at least 2014? Security concerns about the purely computerized voting machines. Continue reading

Posted in Current Events, Integrity, Physical Security, Policy | Tagged , , , , , , | 3 Comments

Comodo Launches Memory Firewall

Posted on January 21, 2008 by diademed

Dark Reading reports that Comodo, an security interest group / company has developed and released a memory firewall, purported to block 90% of all buffer overflow attacks, as well as several other common attack vehicles. Comodo also markets several products, including the standard suite of anti-virus, network firewall, and anti-malware, as well as consulting and network monitoring services.

The prospect of a ‘firewall’ that a user can run to prevent attacks on various types of buffer overflow attacks is really quite exciting. Presumably working by blocking execution of code in invalid memory regions (namely the stack or the heap), it holds the potential to be an excellent preventative measure for anyone concerned about the security of their applications.

While the product is just out of beta, and information and reviews hard to find, such an application brings to light some interesting issues regarding performance, security, and trust. In order to detect attempted illegal execution locations in an arbitrary virtual memory space, the firewall would likely need to be run with elevated permissions. In addition, peeking into foreign virtual memory spaces will have some performance impact, however small, which may or may not be a significant impact to performance-critical applications.

Using the application while aware of both, or either of these issues implies a fair amount of trust in Comodo as a company. From their website, they are involved in many facets of the security world, not just developing secure applications. They disclose a fair number of partners, as well as a research program, and offer ‘services’ in both research and cryptographic expertise.  While probably most of this information is completely benign, it nonetheless opens potential avenues for vulnerabilities to manifest in a company that provides you with a program to be run at elevated permissions.

Posted in Current Events | Tagged , , | 1 Comment

Say goodbye to saying ‘Hello’

Posted on January 20, 2008 by Chad

Microsoft has filed a patent application for a monitoring system that collects data such as heart rate, respiration rate, body temperature, and brain signals and interprets this into the worker’s stress, frustration and productivity levels. Microsoft claims that it will optimize management and production by allowing employers to view current reports of their employees and allowing coworkers to be alerted when their fellow employees need help. Yet the ethical implications are unnerving. A friendly conversation at your workstation could lead to a warning that your productivity was below average. Or if you’re having trouble at home and bring it to work, your coworkers could be notified.

I’m sure Microsoft only has the best intentions for this system, yet it sounds too close to Orwell’s “Thought Police.” Adversaries wouldn’t need to interpret your purchases on amazon or intercept wireless signals beaming your thoughts to a game console, they’d just need to be your coworker and in a company as big as Microsoft, you may find yourself with a lot of adversaries.

Note: While this article is marked in the “Current Event” category because of it’s recent posting in Scientific American and Techdirt, the patent was actually filed June 27, 2006.

Posted in Current Events, Ethics, Privacy | Tagged , | 2 Comments

Want to Steal A Baby?

Posted on January 20, 2008 by jessicaf

Overview: 

Overlake Hospital Birthing Center has put a security system and policies in place to make sure babies are safe there.  First of all, mothers are given a bracelet when they come in that identifies who they are.  This is just the regular hospital bracelet with the name of the doctor on it.  As soon as the baby is born, he is given to the mother.  Babies are never to be taken out of the room without one of the parents except in extreme emergency cases.  The nurses ask the parents for the name of the new child.  Then, four bracelets are printed out – one for the mother, one for the father or birthing coach, one for the baby’s wrist, and one for the baby’s ankle.  Each of these have a matching number that must be checked whenever nurses give the baby back to the parents.

There is also an ankle band put on the baby with a security device.  Every door leading out of the birthing center is equipped with a security mechanism that will sound if a security band is brought within ten feet of the door.  This causes a complete lock down.  Every door is immediately closed and locked.  The band also will sound an alarm if it is cut.

Continue reading

Posted in Physical Security, Security Reviews | Tagged , , | 3 Comments