[SecurityRatty] tag: bbc

Amazing Use of GPS

Mon, 04 Aug 2008 18:53:12 +0000

This BBC video show the migration of people and vehicles around the UK. Truly brilliant visualization. Thanks to Bill Marriott for pointing me to this.

Things that happen in China when nodoby is watching

Sat, 19 Jul 2008 14:33:00 +0000

Here is another reason to pay attention for your own safety when you visit China - especially during the Olympics.

The BBC World News ran a story yesterday of a local Beijing woman whose house was about to be torn down, leaving her homeless. Why was her home being demolished? The Government had decided that her house would not look nice enough to the foreign visitors coming to Beijing for the summer Olympics. They planned to plant flowers in the spot where her home stood.

Apparently, the authorities knew that the woman was not going to willingly accept this obvious abuse of power. A couple of Police vans watched the house from about a block away. Then the cameras left after interviewing the woman. When the television cameras came back the next day, the house was gone and so was the woman. The house had been torn down in the middle of the night when there were no witnesses. Nobody could say what happened to her as the flower planters went about the task of digging flower beds.

The BBC had obtained similar footage that had been covertly recorded earlier at another house. In this instance, a couple of the homeowners tried to resist the authorities tearing down their house. The camera graphically recorded two men who attempted to protest on the roof of their humble abode. A couple of "heavies" pulverised the seated men with vicious blows and kicks. One poor man was kicked full-force in the face and head several times. The camera shot him being taken away by ambulance and his whole face was swollen and lacerated. It seems that the Chinese Government are very serious when it comes to planting flowers. They certainly appear to have a higher regard for flowers than they do for human rights.

Our advice to you if you are visiting Beijing this summer - don't pick the flowers. I have seen how they treat people when they think nobody is watching. It isn't pretty.

Shake-up For Internet Proposed

Tue, 24 Jun 2008 06:45:48 +0000

From the BBC:

The net could see its biggest transformation in decades if plans to open up the address system are passed.

The net’s regulators will vote on Thursday to decide if the strict rules on so-called top level domain names, such as .com or .uk, can be relaxed.

If approved, it could allow companies to turn their brands into domain names while individuals could also carve out their own corner of the net.

The move could also see the launch of .xxx, after years of wrangling.

The part I find funny is the number of politicians that think having a .xxx domain will cordon off sexually oriented websites from the rest of the web.

The move could yet be blocked as the independent arbitration panel can reject domains based on “morality or public order” grounds.

Morality on the Internet. Hmmm, ok.

Article Link

Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08

Mon, 23 Jun 2008 04:11:34 +0000

Technorati Tag: Security Breach

The Breach Blog

Just SOME of the other noteworthy breaches from the past week (6/16/08 - 6/22/08)

Citibank Hack Blamed for Alleged ATM Crime Spree
By Kevin Poulsen, Wired.com, 6/18/08

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

Security firm finds server with health-care data
By Jeremy Kirk, NetworkWorld, 6/18/08

Security researchers with Finjan Software are seeing a growing thirst from cybercriminals for data other than credit-card numbers, with the latest findings including servers containing passwords leading to heath-care records and airline systems data.

The problem is two-fold: sensitive data is being stolen after PCs are infected with malicious software, and then that data sent to unprotected remote servers, said Yuval Ben-Itzhak, chief technology officer for Finjan. The content of those servers is then indexed by search engines, leaving it open to anyone who uses the right query terms.

Bank scam spreads as institutions look for possible source of breach
By Leanne Tokars, WSBT Channel 22 News, 6/18/08

SOUTH BEND - An international bank scam is spreading, and there is some idea how that information may have gotten out.

Hundreds of people and dozens of banks and credit unions across our area are trying to recover from a major security breach.

[Evan] This story is related to the "1st Source Bank reissues all debit cards in response to breach" posting on 5/30/08. Another supporting story; Fraudulent ATM transactions overseas could be tied to Indiana bank breach This is a winding storyline.

Parents livid over database putting student profiles, pictures online
By Mohit Joshi, Top News, 6/16/08

Melbourne, June 16: With the State government planning to post the profile of every state school student on its intranet database, called OneSchool, parents in Australia are livid over the fact that it will make their kids vulnerable to paedophiles.

OneSchool, will provide each and every detail of the state's 480,000 public school students enrolled from Prep to Year 12, for which, the photographs, personal details, career aspirations, off-campus activities and student performance records are already being collected from all 1251 state schools.

[Evan] I think I’d be livid too. Are parents given the opportunity to opt out, without penalty or lost opportunities? "According to Education Minister Rod Welford, if the parents refuse to give their consent to their child being profiled, they could also be denied access to public education."

Blears PC loss - officials blamed
BBC News, 6/17/08

Information on a computer stolen from Communities Secretary Hazel Blears' office had been sent in breach of data security rules, it has emerged.

The Communities and Local Government department admitted its officials had "not fully" complied with guidance on handling sensitive data.

Its top civil servant Peter Housden said "no damage had been done" as the documents were not secret.

The computer contained a combination of constituency and government information relating to defence and extremism.

[Evan] It is disappointing to read about breaches where the government does not follow its own laws and regulations. Mr. Housden claims that the files were "not secret". They certainly weren’t public, were they?

Personal details of thousands of patients stolen from hospital in new security blunder
By James Tozer, The Daily Mail, 6/18/08

Laptops holding tens of thousands of patients' records have been stolen from a hospital and a GP's home, it emerged yesterday.

In the latest lost personal data scandal, the information was stored on the machines in contravention of NHS guidelines.

It was revealed that details of 20,000 patients were on six laptops stolen earlier this month from filing cabinets at St George's Hospital, in Tooting, South West London.

[Evan] This is six stolen laptops in one month, and the four breaches in one year?! The exposed information in this breach was "names, postcodes, hospital numbers and dates of birth". Check out the excuse for storing confidential information on these poorly secured laptops; "Normally such information is stored on the hospital's central network, but because of technical problems it was being stored temporarily on the laptops."

To Readers: I am testing this weekly "Other noteworthy breaches" post. I am using this first one to gauge interest and decide if it is something we should continue. Please feel free to comment.

youve come a long way, baby!

Fri, 20 Jun 2008 13:49:41 +0000

Sorry, couldnt resist.
Congrats you old timers for bringing what we have today. I know I couldnt live without it.

clipped from newsvote.bbc.co.uk

One tonne ‘Baby’ marks its birth

Sixty years ago the “modern computer” was born in a lab in Manchester.

Fun Reading on Security - 4

Tue, 17 Jun 2008 07:36:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #4, dated June 17, 2008.

So my next iteration of fun reading on security, logging and other topics.

"Security-as-control" vs "security-as-assurance" - a very useful idea (more here), which is often confused with bad results (e.g. "secure" software = has password authentication OR has has no overflow bugs)
Rich Mogul grabs GRC by the balls and kicks it, hard, again. A Burton Group guy comes and helps him by doing a nice roundhouse kick in its butt. Still, it doesn't die, as more people kick it ... Maybe 'cause Andy "loves or hates it?"
Good advice from Andy IT Guy: "We need to step back from time to time and evaluate what we are doing to determine if it still makes sense." (more)
BBC on cloud security, actually interesting. More on the same subject, albeit with a dumb name
Breach disclosure laws and security study by CMU, that SANS called idiotic ("What a silly study. It measures the wrong outcome. What matters about data breach notification is what it does to the quality of defenses.") AND "badly flawed" as well. More fun comments on it are here. More discussion of this complicated subject. Rick kicks it too here.
Along the same line, "Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20% of all incidents." Wow!
"The biggest issue in both Audit and IT is a lack of strategic thought." (maybe) When I read it, it reminded me of the old wisdom from Ms Trunk: "if you think you are a 'strategist' - check maybe you think that 'cause your execution sux"
A very fun read: "Facing The Monster: The Labors Of Log Management." I am happy that log management has been granted a monster status :-)
Role of compliance for SCADA security puzzles me: think about it - you need a law to make people protect systems that control utilities EVEN THOUGH you already demonstrated (kind of) that hackers can explode generators remotely. So, people fear fines from regulators more than exploded power generators? Yep.
Is it time to regulate the security of cloud computing?
"How to Sell Security" by Bruce Schneier - a MUST read. BTW, FUD is NOT dead, and won't be dead. Ever!
OMG, this is huge and will grow: PCI Compliance and Virtualization (think "only one primary function per server" mandated in PCI). Same source on costs of PCI (also fun!) - still, IMHO, PCI is cheaper than properly securing your environment ... And while we are on the subject of PCI, check out Rich's "The Good (Yes, Good) And Bad Of PCI" and the discussion that followed.
New wave of compliance is incoooooooooooooming. Take cover!!!
Please shut up about ALL security being rolled into the network. Hoff says it best here. If you want to join this bandwagon, say "all NETWORK security will be in the network." (you'd probably still be wrong, but less embarassed :-))
Finally, some "Unintentional hilarity" from David: this is sooooo the world we live in :-)

Security Briefing: June 17th

Tue, 17 Jun 2008 07:33:11 +0000

Sleep deprivation, caffeine overload and documentation. How long till I start hallucinating? Stay tuned.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Router-hacking Trojans spotted | Web User News
The ’secret’: Banks are freaked out by security | ZDNet
Malware not man blamed in child abuse download case | The Regsiter
Security Bonuses for Vista Programmers | eWeek
PCI DSS: Section 6.6 gets teeth – finally
IM Security’s Three Kings | CSO Online
Victim of its own success | BBC News
Dacre promises new look at rules on hacking by journalists Guardian

Tags: News, Daily Links, Security Blog, Information Security, Security News

Links for 2008-06-13 [del.icio.us]

Fri, 13 Jun 2008 20:00:00 +0000

The power of communication.

Fri, 13 Jun 2008 13:24:00 +0000

I think many of us fail to realize the extreme importance of communicating in a way that ensures we are understood.When I was working for the United Nations in different countries around the world, I would often be told by other UN staff that they were surprised that they could actually understand what I was saying. Apparently, they had met other Irish and could only understand a few words here and there. That was easy for me to understand. As the Deputy and later Chief of the United Nation's Special Investigation Unit, it was of the utmost importance that people could understand me. Imagine questioning a person who was facing deportation back to their country for an alleged crime. It would be unfair to them if I didn't make my self understood, even if it meant that I had to slow down my fast Irish speech and leave out the Irish slang words (that very few people around the world can ever understand).

I was in Dublin last weekend, passing through on my way to the Middle East. The big topic was the Irish referendum on the Lisbon treaty. It seems that the country was fairly evenly divided by those who were; voting yes, voting no, did not know. I wasn't that terribly sure what it was all about so I asked my sister and her husband. They had to admit that the whole thing was rather unclear and that the Politicians didn't do a great job of explaining. Then I met up with my brother. He too was not 100% about the importance of a "yes" or "no" vote. I got the impression that Ireland might lose their National identity if they voted "yes", so I left thinking that "no" was the way to go.

Apparently the rest of Ireland thought so too, as I am sitting in my hotel room in Dubai listening to the BBC and Sky news talking about the after effects of Ireland's rejection of the Lisbon treaty. That got me thinking. The only time we really ever had any problems with a client involved communicating, or a lapse on somebody's part. It is amazing how large the repercussions can be when you are talking about a whole country. Next time you are involved in a negotiation, remember the Lisbon treaty and make sure you know what is at stake. You could be avoiding a costly mistake.