Category: Security

You can never rely on encryption

Like most people in Ireland I listened to the story of how the Irish Blood Transfusion Service (IBTS) had a laptop stolen in New York with the details of 171,000 blood donors on it, not least because, as a blood donor, there is a good chance some of my data is involved.

The IBTS has said that

The records were on a CD that was encrypted with a 256 bit encryption key. These records were transferred to a laptop and re-encrypted with an AES 256 bit encryption key. This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption.

Unfortunately, people who were relying on Apple’s FileVault or Windows’ BitLocker encryption software to keep their data secure were probably equally satisfied with that AES encryption until yesterday, when a group from Princeton demonstrated how that encryption could be broken with a bit of liquid nitrogen!

The IBTS justified the fact that people’s personal information was in New York because the IBTS are updating their software and wanted to bring live data with them with which to test the new software. Why it didn’t occur to them to obfuscate the information which could identify people I really can’t understand. You can never rely on encryption alone.
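The kind of obfuscation meant here, sketched as an added example (not code from the IBTS or from this blog): direct identifiers are dropped, the donor ID is replaced by a keyed token so records still join up, and the date of birth is generalised. The field names and sample records are hypothetical, since the page does not describe the real data.

```python
import hashlib
import hmac

# Hypothetical donor record layout: the page does not describe the real schema.
DROP = {"name", "address", "phone"}      # direct identifiers, not needed for testing
TOKENISE = {"donor_id"}                  # needed for joins, so replaced by a keyed token

def token(value, key):
    """Keyed token: stable for a given key, so references between tables
    still line up, but not reversible or recomputable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def mask_record(record, key):
    """Return a copy of record that is safe to carry as test data."""
    masked = {}
    for field, value in record.items():
        if field in DROP:
            continue
        if field in TOKENISE:
            masked[field] = token(value, key)
        elif field == "date_of_birth":
            masked["birth_year"] = value[:4]     # ISO date generalised to year
        else:
            masked[field] = value                # e.g. blood group
    return masked

def leaked_values(record, masked):
    """Identifying values from the original that still appear in the masked copy."""
    sensitive = [record[f] for f in DROP | TOKENISE | {"date_of_birth"} if f in record]
    out = " ".join(str(v) for v in masked.values())
    return sorted(v for v in sensitive if v in out)

# Constructed sample records, not real donor data.
DONORS = [
    {"donor_id": "D000123", "name": "Test Donor One", "address": "1 Example St",
     "phone": "555-0100", "date_of_birth": "1970-04-12", "blood_group": "O+"},
    {"donor_id": "D000456", "name": "Test Donor Two", "address": "2 Example St",
     "phone": "555-0101", "date_of_birth": "1985-11-30", "blood_group": "A-"},
]

if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice generated and kept with the source system
    for donor in DONORS:
        m = mask_record(donor, key)
        print(m, leaked_values(donor, m))
```

The key never travels with the masked copy, so a stolen laptop holds tokens that cannot be tied back to a donor even if the disk encryption fails.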

BT Broadband users can be hacked!

James Galvin posted a couple of weeks ago about a recently published exploit which made hacking Eircom’s wireless routers trivial.

As Eircom are the largest provider of residential broadband in Ireland, this is potentially a big deal. As Joe Drumgoole commented at the time:

they have inadvertently created Ireland’s largest free WIFI network. Good man Eircom!

However, BT is now facing an even more serious issue on its wireless routers according to an article in the Register today. At least in Eircom’s case, the vulnerability only exposed the WEP key, allowing use of the wifi on the router.

In the case of the BT router, the Reg is reporting that

a remote attacker can quietly gain full administrator control over a device simply by social engineering a user into visiting a website. The exploit makes it possible to steal a user’s WPA key, listen in on VoIP calls, steal VoIP credentials or change DNS settings so users are silently redirected to fraudulent websites

This is a far more serious issue than the Eircom one, and the number of routers affected is likely to be orders of magnitude greater.

The one saving grace is that the hack hasn’t been published in the wild, as was the case with Eircom. Yet.

Chinese Military launch cyber attack on the Pentagon?

The Financial Times is reporting today that the Pentagon’s computers were hacked by the Chinese Military in June of this year!

If it is true then this is the first publicised attack on US computer systems by the Chinese Military since the Titan Rain attacks of 2003.

According to the article:

The PLA regularly probes US military networks – and the Pentagon is widely assumed to scan Chinese networks – but US officials said the penetration in June raised concerns to a new level because of fears that China had shown it could disrupt systems at critical times.

“The PLA has demonstrated the ability to conduct attacks that disable our system…and the ability in a conflict situation to re-enter and disrupt on a very large scale,” said a former official, who said the PLA had penetrated the networks of US defence companies and think-tanks.

What with the Russian cyber attacks on Estonia earlier this year and now this Chinese attack on the US, cyber warfare seems to be becoming less science fiction and more science fact.

Update – more coverage of this story on Techmeme

Google launches phishing blacklist API

I see on the Google Security Blog that Google have launched a Safe Browsing API. In other words, Google are making available their dynamic blacklist of phishing and malware sites so ISPs and web app coders can check against it.

This should help ensure unwitting users are notified before they browse to unsafe sites and submit their confidential information.

Google are actively encouraging 3rd party participation –

Sign up for a key and let us know how we can make the API better. We fully expect to iterate on the design and improve the data behind the API, and we’ll be paying close attention to your feedback as we do that. We look forward to hearing your thoughts.

Great idea guys.

Airport security is a joke

Not that we haven’t known that for some time but it was recently drilled home to me on my flight back from Madrid last week.

My son Enrique has asthma. He got quite bad with it earlier this year when we were in Spain and a Spanish doctor prescribed a cough suppressant called Expectu to help him sleep.

When I was in Madrid, my wife asked me to get another bottle of Expectu to bring home. So far, so good. Except, the bottles for sale in the pharmacies were 200ml and you can only bring bottles less than 100ml onto the plane (I only had hand luggage).

What did I do? I asked the pharmacist to decant the 200ml of Expectu into smaller bottles (in dreadfully pidgin Spanish!). He obliged and poured it into four 75ml bottles. I put these bottles into a clear plastic bag along with my deodorant and toothpaste fully expecting to be stopped at the airport.

Not a bit of it. Going through security, the guard took out one of the four bottles, checked the volume of it and, satisfied that it was less than 100ml, replaced it in the clear plastic bag!

Fantastic! For all you aspirant terrorists out there making liquid bombs – decant the bombs into small bottles if you want to get them onto the plane and you are sorted (oh, and just in case you thought I was serious, here’s why you should save yourself the trouble of trying to make a liquid bomb)!

Airport security is a joke!

Urgent update to WordPress

WordPress was updated to 2.1.2 overnight after it was found that one of their download servers had been compromised and version 2.1.1 modified to include code that would allow for remote PHP execution!

From the WordPress site:

What You Can Do to Help

If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends’ blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a web host, you may want to send them a note to let them know about this release and the above information.

This only affects you if you are hosting your own copy of WordPress and it is version 2.1.1. If you are on any other version or are on WordPress.com then you can safely ignore this.
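For hosts who want to see whether anyone has already requested those files or parameters, here is an added example (not from WordPress or this blog) that scans access-log lines for the indicators named in the advisory. It assumes Common/Combined Log Format, matches `ix` and `iz` as parameter names rather than raw substrings to avoid false hits such as `fix=`, and uses constructed sample lines.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators taken from the advisory text quoted above.
BLOCKED_FILES = {"theme.php", "feed.php"}
BLOCKED_PARAMS = {"ix", "iz"}

# Request field of a Common/Combined Log Format entry: "METHOD target PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def match_indicators(target):
    """Return the advisory indicators that a request target matches."""
    parts = urlsplit(target)
    hits = []
    # Decode percent-escapes first so "theme%2Ephp" is not missed.
    filename = posixpath.basename(unquote(parts.path)).lower()
    if filename in BLOCKED_FILES:
        hits.append("file:" + filename)
    # parse_qsl decodes parameter names, so "%69x=1" is seen as "ix".
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in BLOCKED_PARAMS:
            hits.append("param:" + name.lower())
    return hits

def scan(log_lines):
    """Yield (client_ip, target, hits) for every log line that matches."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = match_indicators(m.group("target"))
        if hits:
            yield line.split(" ", 1)[0], m.group("target"), hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2007:09:12:01 +0000] "GET /index.php?p=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Mar/2007:09:13:44 +0000] "GET /wp-includes/feed.php?ix=x HTTP/1.1" 200 17',
    '198.51.100.7 - - [03/Mar/2007:09:13:50 +0000] "GET /wp-includes/theme%2Ephp?IZ=x HTTP/1.0" 200 17',
    '203.0.113.5 - - [03/Mar/2007:09:15:02 +0000] "GET /?s=pix&fix=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, ",".join(hits))
```

A hit in the logs only shows that the request was made; whether the server was running the modified 2.1.1 files at the time still has to be checked separately.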

More bad news for Vista

According to an article in InformationWeek, a privilege escalation vulnerability has been found in Windows Vista.

The vulnerability was reported to Microsoft by eEye Digital Security on the 19th of January.

Marc Maiffret, Chief Hacking Officer of eEye said:

with this vulnerability, you can elevate yourself to system-level access. Any normal user can do anything they want to the system.

He went on to speculate that:

If it was coupled with a virus or a different remote vulnerability, it would be a lot more serious… On its own, though, it’s only medium [threat]

Oh dear! How much did Microsoft invest in Vista again?

Symantec CEO profits while company burns!

Good buddy Dennis Howlett has uncovered, through some clever financial detective work (Dennis is a former accountant), some very dodgy dealings.

It seems that the CEO of Symantec, John Thompson, made $1.5m profit on the sale of Symantec shares very shortly before the announcement to the market of losses by Symantec (and the inevitable share price fall that ensued).

This looks very bad and reeks of insider knowledge (whether or not that is, in fact, the case).

Companies engaged in security need to be whiter than white. When the CEO’s reputation is on the line like this, Symantec needs to explain this one quickly to everyone’s satisfaction or John Thompson needs to resign.

Critical vulnerabilities or a clever marketing ploy?

Microsoft released updates for critical vulnerabilities in Windows (2000, XP and 2003). This includes fixes for three vulnerabilities that “criminal hackers are already exploiting” according to Brian Krebs.

The patches fix vulnerabilities which can allow remote code execution (it doesn’t come much worse than that!).


Personally, I think they are trying to scare people into upgrading to Vista 😉

Let the conspiracy theories commence…

Throw away the key!

I’m delighted to see that Bill Lockyer, California’s attorney general, has filed felony criminal charges against former HP Chair Patricia Dunn and four others for their spying on fellow board members and on journalists.

The back story to this is that HP were concerned about leaks to the press from HP’s board meetings. An investigation was begun which involved spying on members of the board and various journalists (illegally accessing their phone records amongst other things).

The story broke recently causing havoc on the board (Dunn resigned, as did the general counsel, a second director and two other senior officers).

It will be interesting to see how this affects the company’s stock price.

I used to work for an employer who wouldn’t hesitate to spy on employees – throw away the key I say!