Saturday, August 23, 2008

Hack for Boston Subway System Revealed

A U.S. District Court judge has lifted the gag order against three MIT students who were to make a presentation at Defcon earlier this month about security holes in the Boston transit system.

So, folks, here's the whole presentation in living color now available to the public.

There's some interesting stuff in there, and it's a textbook example of a good pen test, but it's all illegal. Don't try this at home.

Friday, August 22, 2008

Google Privacy Questioned Again

This is an unbelievable story out of Humboldt County in California. A Google Street View driver drove onto the private driveway of someone's home, past two No Trespassing signs, to take pictures for the famous photo section of Google Maps.

Google, of course, contested the complaint, saying it had the right to take pictures on private property, and that it wasn't an intrusion.

Thursday, August 21, 2008

More IAM Ask The Expert Answers

TechTarget just posted a fresh batch of my Ask The Expert answers on their web site. I'm their identity and access management Ask The Expert.

What are the prerequisites for implementing single sign-on (SSO) in an organization?
This question posed on 30 June 2008

To what exactly would a request for biometric data from an insurance provider pertain?
This question posed on 28 May 2008

Is it possible to support users to have their own IDs with root privilege so they aren't sharing a root password?
This question posed on 16 April 2008

What is the purpose of RFID identification?
This question posed on 10 March 2008

How are biometric signatures more than a fingerprint scanner?
This question posed on 08 February 2008

Wednesday, August 20, 2008

Data on 100,000 Exposed on Princeton Site

This is almost laughable but in a sad way. Due to avoidable configuration flaws, the Princeton Review web site exposed the personal information of 100,000 students from Florida and Virginia.

The story was reported in The New York Times on Monday with more details in Computer World the next day.

The data, which included names, birth dates, ethnicities, learning disabilities and test scores for the students, was accessible for seven weeks. The breach was discovered by a competing test company, which alerted the Times.

This could have been avoided if there had been access controls on the sensitive data on the site. The fix was simple for a breach that, though not really enormous in size, was enormous in impact and embarrassment for the Princeton Review.

Friday, August 15, 2008

Cyberprelude to Russian-Georgian War

This is a fascinating article from The New York Times about the cyberwar before the war in Georgia. Security researchers had noticed hacking activity against Georgian web sites and infrastructure around July 20, prior to the start of the physical war.

It's interesting to note the story didn't compare the hacking activity to something similar against Estonia last year. Estonia is only listed as an example of an "Internet-dependent" country -- like the US -- vulnerable to cyberattack.

But Computer Week reported that Estonia, along with Poland, was providing cyberassistance to the beleaguered Georgian web infrastructure. Two Estonian computer experts have flown to Georgia, and Poland has lent space on its president's web site.

Computer Week also reported on who might be responsible for the attacks, which are emanating, not surprisingly, from Russia, but, surprisingly, not from the infamous Russian Business Network.

Tuesday, August 12, 2008

10 Quick Fixes and 15 Free Tools

Here are 10 quick security fixes and 15 free security tools from Computer World.

Among the quick fixes are obvious things like regularly updating your software patches, protecting passwords, steering clear of social engineers and phishers, and testing your web site for vulnerabilities with free tools.

Sunday, August 10, 2008

Latest DNS Patch Also Flawed

The patch for the recent DNS cache-poisoning exploit is itself flawed, according to this New York Times story. Technical details are on the blog of researcher Evgeniy Polyakov, a Russian physicist.

But I think The New York Times got it right toward the middle of the article in saying that the fundamental problem with DNS is that it wasn't built for identifying people, only machines. It was built 17 years ago, when the Internet was a kinder, gentler place where everybody knew each other. This was long before it became the home of countless users engaging in high-risk activities like online banking.

The article cited security experts who said many of these issues would be resolved with better identity and authentication on the Internet.
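The mid-2008 DNS patch the post refers to was source-port randomisation for resolvers, and Polyakov's finding was that the larger guessing space slows poisoning rather than stopping it (neither detail is stated in the post). As an added example, not code from the post or from Polyakov, here is a Python check a defender can run over the source ports and transaction IDs read off a packet capture of a resolver's outbound queries; the resolver kinds and samples it uses are constructed, and the 8-bit threshold is an assumption.

```python
# Added example (not from the post or from Polyakov's blog): check whether
# a resolver's outbound queries actually vary their UDP source port and
# 16-bit transaction ID, the two values the mid-2008 patch randomised.
# Input is a list of (source_port, txid) pairs as read off a packet capture;
# constructed_samples() stands in for a real capture.
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(samples, min_port_bits=8.0):
    """Summarise port/TXID spread; flag resolvers whose source port is
    fixed or drawn from a narrow range (the unpatched behaviour).
    The 8-bit threshold is an assumed, deliberately lenient cut-off."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    return {
        "queries": len(samples),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        # A fixed port contributes 0 bits, so only the TXID stands between a
        # spoofed answer and the cache; the patch adds up to ~16 more bits.
        "port_randomised": port_bits >= min_port_bits,
    }


def constructed_samples(kind, n=2000, seed=7):
    """Constructed test data, not real traffic: 'unpatched' sends every
    query from port 53, 'narrow' draws from 256 ports, 'patched' uses the
    whole ephemeral range."""
    rng = random.Random(seed)
    if kind == "unpatched":
        port = lambda: 53
    elif kind == "narrow":
        port = lambda: rng.randrange(1024, 1280)
    elif kind == "patched":
        port = lambda: rng.randrange(1024, 65536)
    else:
        raise ValueError(kind)
    return [(port(), rng.randrange(65536)) for _ in range(n)]
```

Run `assess()` over a few thousand queries from a live capture; a report with `port_randomised` False means the patch is not in effect on that resolver, whatever the vendor advisory says.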

Saturday, August 09, 2008

Malware Posing as Spam from CNN

This one is scary and almost caught me off guard. It's a very real-looking e-mail from CNN with links, supposedly, to real news stories. But click on one of those links, and you get malware posing as a Flash player update, according to Computer World.

Security researcher Dancho Danchev has a really nice post on his blog with a list of affected URLs, and Adobe has also posted a warning.

Wednesday, August 06, 2008

The History and Future of LDAP

Here's a piece I wrote that came out Monday in SearchSecurity's Network Security newsletter about LDAP, both its history and its future.

Monday, August 04, 2008

Database Security for Middle Market Companies

My article on database and data store security for middle market companies came out today on TechTarget's SearchCIO-Midmarket web site.

I discussed access controls, monitoring, insider access and security architecture of data stores.

The DNS Bug and The Mac

Apple has taken it on the chin for not responding fast enough to the recent DNS flaw, according to this editorial in Computer World.

A patch last week apparently didn't fix the issue for Mac OS X clients, but it wasn't clear if it fixed the issue on the server side either.

Here is a do-it-yourself guide on protecting your Mac by pointing it to the DNS servers at OpenDNS, which have been patched.

Software Security Still An Increasing Threat

This is a nice short piece from CIO magazine about software security. The recommended coding and testing practices aren't new but, unfortunately, they're not practiced in many software shops.

Here's a sample from the article:

  • Training software developers to implement language-specific secure coding practices and ensuring their use;
  • Performing source-code review using static analysis and other types of code-analysis tools;
  • Understanding the differences between software security testing and traditional software testing, and reflecting these in the software test program;
  • Conducting risk-based security testing that exercises common mistakes, suspected software weaknesses and implemented approaches for mitigating risks to make sure they work and cannot be circumvented.

The article also emphasized performing an architectural risk analysis to assess the ability of the code to withstand security threats.

Friday, August 01, 2008

Storm Worm is Back with a Vengeance

Remember back in April when spam seemed to have disappeared from your inboxes? Well, of course, I spoke too soon back then. It was too good to be true.

I've noticed the spam surging starting again in the past few weeks. It could be due to another outbreak of that ever-evolving, ever-growing and ever-nimble Storm worm, according to both CERT and the FBI.

Sophos reports it's part of an FBI vs. Facebook spam campaign. The link in the e-mail leads to a piece of malware called fbi_facebook.exe.