Current Event: Convicted Botnet Leader Retains Job

In three sequential articles, ComputerWorld traces the sentencing of convicted botnet leader John Schiefer as well as his continued employment at the start-up Mahalo.  Schiefer is an ex-security consultant and is the first botnet leader to be charged under the wiretap statutes.  He entered his guilty plea almost a year ago, but sentencing has been delayed until now.  He will be paying $2,500 in fines, paying nearly $20,000 in restitution, and spending 4 years in prison.  Perhaps what is more interesting is that Mahalo’s CEO Jason Calacanis has both allowed Schiefer to continue working during this time and has expressed a desire to offer him a job upon his release from prison.  Calacanis has defended this decision on the basis that he trusts Schiefer and considers him a changed man from the person who committed the earlier crimes.


Current Event: Facial Recognition in Schools

Some community colleges in the UK are starting to use facial recognition software to check students into school (article at http://www.cambridge-news.co.uk/cn_news_home/displayarticle.asp?id=396794).  The article focuses on the positive benefits of the new system.  The key benefit is in the time savings of checking the students in.  They also noted that having the data on who is currently at school is helpful in the case of fire drills (or real fires for that matter).

While this technology does make some administrative tasks much simpler and easier to carry out, it is important that steps are taken to keep this data secure.  For example, if an attacker could compromise the system, they could potentially track/stalk students more effectively.  There is also the issue of false positives and false negatives.  If a malicious person is recognized as a legitimate student, then they might be able to hide the fact that that student is missing, among other possibilities.  On the flip side, if a legitimate student is not recognized, this would likely cause annoyance if they are informed, or could lead to the assumption that they are skipping when in fact they are there.


Current Events: UK Company Illegally Sold Worker Data

According to an article at the Guardian, dozens of companies in the UK had been buying personal information about potential employees from a company called the Consulting Association in violation of British data protection laws.  The Data Protection Act made it illegal to collect and distribute private information about individuals without telling them.  The Consulting Association aggregated information from the companies that subscribed to its services, and in return it gave them data on workers trying to get jobs.  The files kept by the Consulting Association included data on union activity and other private details.  Some workers in the British construction industry have claimed for years that companies have been blacklisting union activists, and one worker may have been blacklisted after filing an unfair dismissal case against an employer. This event represents a violation of privacy of employees, and an attempt to stifle organized labor.


Current Event: Speculation about Upcoming Pwn2Own Hacking Contest

A recent article from Ars Technica, modded to high popularity on Digg, reports that last year’s Pwn2Own winner is predicting that Safari will be the first browser to crash in this month’s contest.

Pwn2Own, in Vancouver BC, is part of the CanSecWest security conference. It challenges hackers to find and exploit vulnerabilities in popular web browsers including Safari, Firefox, Google Chrome, Internet Explorer, and Opera; on popular platforms including Windows, Mac OS, and mobile phones. The first person to hack each machine gets to take it home.

The article highlights two interesting facets of security research:

  • Encouraging “breaking” something makes it more secure. The Pwn2Own competition is motivated, not by malevolence, but by a desire to actually improve the software. This can be confusing to those outside the security community, who often see any attempt to hack as malicious – often creating disturbing headlines about well-meaning hackers being prosecuted legally. By providing a competition encouraging such behavior, the Pwn2Own competition is actually helping web browser developers to make their products more secure.
  • “Perceptions” of security are extremely important. This article was modded up extremely high on Digg – and why? Because some hacker “feels like” Safari is less secure. Talking about actual bugs and exploits is not interesting/understandable to readers but they do care, in general terms, about whether a browser is more or less secure, even though they don’t know what exactly that means.

The implications of browser security are increasingly important as the browser wars continue, and as web-based applications are coming to dominate computing. With more and more people storing more of the information and performing more transactions online, the assets involved in securing online actions are extremely important. Furthermore, as 4 popular browsers are in competition, their relative security features are a major distinction for prospective users.

In about two weeks, the competition will take place right near our own school – sending hackers into a frenzy, and developers in a frenzy to fix the holes.


Dementia patients may benefit from new technology – or will they?

New technology arising from the UK is focusing on helping the elderly through technology.  In particular, they are creating devices which can help dementia patients be able to live on their own for longer.  Typically, when people start suffering from dementia, or experiencing memory loss, it is vital that someone be appointed to watch over them to be sure they don’t unknowingly do something harmful or forget to do something vital.  This could involve a family member living with them and watching after them 24/7, or moving to an inpatient center or nursing home, under the supervision of a nurse.  Engineers at Bath University believe that computers can solve this problem, and help the family member or nurse, allowing the individual to stay at home longer.

The new technology involves a system integrated into the user’s home which has functions such as monitoring actions, speaking to you, turning off appliances, contacting help when needed, and even emailing a status to family members or caretakers.  The system can remind you to turn off appliances or shut off the water if you forgot to, and can even turn them off itself if the user fails to comply.  If the user unexpectedly gets up in the middle of the night, the system will turn the light on for you, and, if you are gone for long enough, will start talking to you and letting you know that “it seems a little late – don’t you think you should be getting back to bed?”


Current Event: The Elusive Tigger.A Trojan

The Tigger.A trojan was first discovered by iDefense, a security intelligence firm, in November 2008. It has proven to be very difficult to detect and remove from the beginning, which has many security researchers wondering if Tigger.A may actually be a new type of trojan. Since its discovery it has infected more than 250,000 Windows machines which were mainly located at major stock and options trading firms including E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade as well as Scottrade.


Security Review: Portable Computing

Portable computing continues to increase in diversity and use.  While a few years ago the number of average people who carried a laptop around with them was relatively small, increases in the capabilities of cell phones as well as the rise of netbooks are resulting in a society where any given person walking around on the street is likely to be carrying a portable computing device on them with the capability to store sensitive documents and browse the web.  This means that it’s more and more likely that the average person has with them a device that is designed to make it convenient for them to access their bank accounts and sensitive personal documents.


Current Event: Someone in Tehran Knows Something About the Presidential Helicopter

According to Slashdot, NBC News and msnbc.com report that Tiversa, a Pennsylvania-based security company, recently found extensive information about Marine One, the president’s helicopter, on a computer with a Tehran IP address. This information included “engineering and communications” specifications, as well as “entire blueprints and avionics package,” and “sensitive financial information about the cost of the helicopter.” The leak appears to have originated on one of the computers of a defense contractor in Maryland. An employee reportedly downloaded a file-sharing program onto a computer containing the sensitive information, not realizing that this would allow others around the world access to the computer’s hard drive.

Intel healthcare: SOA Expressway for Health Care

http://www.intel.com/healthcare/ps/soa/index.htm?iid=health+lhn_soa

Intel has created a scalable, easy-to-deploy health care network with the hopes of enabling sharing and collaboration of health care information. Intel Health Care network is built upon common components such as J2EE and the .Net framework, relying upon a High-performance XML Engine for data transmission. It is a “codeless” system, which means the network can be deployed and managed without the need for software development assistance. Once fully deployed, this network promises great cost and efficiency gains, as healthcare and patient information can be shared much more easily. However, the creation of a new system which will handle large amounts of sensitive patient and drug information brings about many interesting security questions.

Assets:

· Patient Information – it is of utmost importance to protect all sensitive patient information, including condition and treatment as well as address and billing information.

· Drug information – Many hospitals have strict regulatory policies on the management of drugs, outlining proper administration and inventory practices. The integrity (and sometimes secrecy) of information regarding the status of the pharmaceuticals in the organization must be maintained.

Adversaries:

· Doctors and hospital workers – The primary users of the system will be the various hospital staff. They will have the most interaction with the system as they will use it on a daily basis. Hospital staff utilizing the network will require a certain amount of authority (within the system) in order to properly operate it. This presents a potential threat, as they will have direct access to patient and drug information, as well as the authority to modify this information.

· Network maintenance technicians – The system is designed to be stand-alone on a day-to-day basis. There will be instances when the system will require a certain amount of routine technical maintenance. The people performing this maintenance will be very familiar with the internal workings of the system and will have full access to the system. This poses a threat, as it could potentially compromise patient information.

· Patients – If patients are given a chance to interact with the system, it may be possible that they can in some way compromise the system to extract confidential information, or falsify information.

Potential Weaknesses:

· Information Storage – If sensitive information is stored on accessible and/or unencrypted hard drives, it becomes increasingly easy to tamper with those components (the disks) in the interest of obtaining or modifying confidential information.

· Information Interception over Transmission – When sensitive information is shared between multiple nodes (a network), there must be some kind of transmission mechanism. Such a mechanism could be a weakness if it does not properly protect the integrity and confidentiality of the data being transmitted. Also, if the mechanism is not robust or reliable, this could result in the loss of important patient information, vital to patient care.

Defenses:

· Required authentication – all persons who will have any interaction with the system should have a strong means of identifying and authenticating themselves as valid users. All users should be limited in their actions and given just enough authority to perform the needed task.

· All information (both patient and otherwise) should be stored on encrypted hard drives which are protected physically.

· Any transmission of information should be done through an encrypted channel.

Risks:

The risks associated with this system are of grave consequence, as they involve sensitive and personal information for many patients. The risk of information leakage/compromise is present not only when the system is accessed/operated by hospital staff, but is also inherent in the fact that much sensitive information is stored and transmitted over potentially unsafe mediums.

Conclusion:

The Intel SOA Expressway for Health Care is a very promising technology which unites health care services and provides access to a great breadth of information. It is important to handle this information with great care and a sense of responsibility, as the information is oftentimes sensitive and private. Intel is doing this by utilizing industry standard security practices, such as XML and web Security.


Verisign Will Support DNSSEC by 2011

Verisign has promised that within the next two years it will support DNS Security Extensions (DNSSEC) across all of the top-level domains. DNSSEC primarily provides measures that allow for the authentication of the origin of DNS data, and also provides a means to check the integrity of the data that is being sent. This prevents hackers from misdirecting web traffic to spoofed sites, as well as the problem that arose in the discovery of the Kaminsky Bug.

DNSSEC has already been deployed in other countries (Sweden, Bulgaria, Brazil), and .gov and .org, both domains operated by the United States government, will begin using it later this year. The reason this is so important is that the majority of business domains, both .net and .com, are among the most likely to benefit from these changes and are currently waiting for the thirteen root zone server clusters to switch over to the new security standard. Verisign controls two of these server clusters itself.