[SecurityRatty] tag: governmental

Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites

Fri, 18 Jul 2008 21:43:41 +0000

During the first two weeks of July 2008, Finjan detected over 1,000 unique Website domains that were compromised by Asprox toolkit attack. Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, [...]

Waukesha County job applicant data exposed in mailing

Tue, 15 Jul 2008 04:07:06 +0000

Technorati Tag: Security Breach

Date Reported:
7/13/08

Organization:
Waukesha County, Wisconsin

Contractor/Consultant/Branch:
Crivello Carlson, S.C.

Victims:
Job applicants from the year 2006

Number Affected:
"more than 130"

Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers

Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "

Reference URL:
Milwaukee Journal Sentinel
New Richmond News

Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.

The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.

She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.

She was calling, she said, because she wanted Thomas and others to know where she had gotten it.

She hadn't stolen it.

Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.

The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.

This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel

When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.

As part of the complaint and the investigation, the EEOC requested copies of all the applications.

The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?

Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.

When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.

Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.

The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.

She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.

"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."

The Waukesha County employment application specifically states it will protect Social Security numbers.

"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.

Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?

He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.

Several days later, Pollen said the EEOC had no such requirement.

"The EEOC is silent on the issue," he said.

Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.

"We followed the state's protocol," Pollen said.

P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?

Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.

Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.

"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."

Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.

I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.

Past Breaches:
Unknown

Defining "Compliance"

Tue, 24 Jun 2008 20:00:00 +0000

As part of the RSA Compliance Solutions team I meet with companies all over the world to discuss their security challenges and priorities. Inevitably I spend much of my time discussing ... you guessed it ... compliance.

It is eye-opening to see how differently our customers and partners, as well as folks within RSA, define compliance. From what I've seen, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within governmental mandates, such as Sarbanes-Oxley and HIPAA. In addition, "compliance" certainly conjures up images of the PCI Data Security Standard, which isn't surprising considering how many organizations these requirements impact. What we don't tend to see initially is a broader view of compliance...

Real ID, Real Problem

Tue, 17 Jun 2008 07:19:42 +0000

The Real ID program is proving to be a veritable sumo match of epic proportions. The calls are going out to kill it before it grows.

From the Baltimore Sun:

“No. Nope. No way.”

So exclaimed Democratic Gov. Brian Schweitzer of Montana when asked whether his state would participate in the federal Real ID program.

Frustration with this misguided, expensive and unworkable federal mandate also compelled another governor, Republican Mark Sanford of South Carolina, to call Real ID “the worst piece of legislation I have seen during the 15 years I have been engaged in the political process.” If Real ID has any friends in the states, they’re not speaking up.

This sentiment is now percolating through the halls of Congress. In recent hearings before the U.S. Senate Homeland Security and Governmental Affairs Committee, senators from both sides of the aisle were blistering in their criticism of Real ID.

Read on.

Article Link

Metro Round-Up: Aurora (Ill.), Bay Area (Calif.), Santa Fe Says Yes-Fi

Thu, 12 Jun 2008 06:13:56 +0000

As networks go dark, so, too, do governmental network advocates: I haven't tracked the political fortunes of elected and appointed officials who pinned their star to Wi-Fi's glow, but I have to imagine both those that have suffered removal from office or who have remained in position are infinitely less likely to push plans in the near future that have any parallels with the plans that stalled.

Aurora, Ill., joins MetroFi cities turning down gear deal: Aurora, the city of light, the first electrified streetlit city in the U.S., opts to not buy the MetroFi gear. Along with all of MetroFi's other networks (excluding Riverside, Calif., operated with AT&T), June 20 will likely be the last day of service. About 160 of 600 to 900 nodes were installed in Aurora.

San Francisco paper wraps up MetroFi's shutdowns in their area: Ryan Kim writes in the SF Chronicle about the many networks being shut down by MetroFi around the bay. Santa Clara and San Jose are still looking at MetroFi's equipment offer. Neither city has complete coverage; Santa Clara is focused on some residential portions, and San Jose has some downtown service. Kim brings up the spectre of twice or three times dead Ricochet.

Santa Fe bypasses Wi-Fi health concerns: The city council voted unanimously to approve Wi-Fi service in libraries and city-owned buildings. This odd paragraph appears in the AP story: "Julie Tambourine, an advocate for the disabled and homeless, said after Wednesday's meeting that the legal analysis was flawed, because it didn't take into account those with diabetes, seizure disorders, respiratory ailments and other conditions that can be adversely affected by microwave radiation." It's unfortunate the writer didn't get a medical research in any of those areas to discuss that. I have never heard the strongest advocates of the view that EMF causes health issues mention any of those conditions.

JetBlue Buys Airfone's Network

Sun, 08 Jun 2008 17:47:04 +0000

The LiveTV division of JetBlue will assume Verizon Airfone's operations, which includes 100 towers with communication gear in the US: While Airfone ceased commercial operations in 2006 following their giving up early in the bidding for plum spectrum won by AirCell, they still have governmental and corporate ("general aviation") customers. JetBlue's LiveTV won the smaller of two licenses (1 MHz); AirCell won the 3 MHz auction. AirCell built its own network (an expansion of previous general aviation service), and is launching very shortly with Virgin America and America Airlines.

Ostensibly this purchase allows JetBlue a faster and simpler path into operations. Whether it's worth it to JetBlue is hard to tell, except that they will likely be marketing this service to other airlines as a differentiator. It will be lower bandwidth than AirCell, but could be likewise cheaper and used for shorter-haul flights.

Verizon notes some of the technical details of their service's business status on a FAQ for their corporate customers, which has an oddly large amount of business detail. Verizon was obligated within two years of the end of the auction for the spectrum they occupied with their very inefficient narrowband analog service to cease operations on those frequencies. That date is about now (the certification of the auction results was close to two years ago), and Verizon clearly worked out the details to allow current customers to maintain continuity through the spectrum vacation and into JetBlue's hands on January 1.

As I noted a few days ago, a few sources had already tipped me that JetBlue's test aircraft with Wi-Fi onboard and email was using the ancient Airfone network, which is capable of slow dial-up modem speeds, rather than using the 1 MHz which could conceivably carry over 500 Kbps of data in each direction per plane.

Lock'em up and throw away the key...

Wed, 07 May 2008 04:32:50 +0000

In a typical governmental knee-jerk response, the U.K. House of Lords is considering making the loss of data a criminal offense.

Chinese Hacktivists Waging People's Information Warfare Against CNN

Mon, 21 Apr 2008 22:25:00 +0000

Empowering and coordinating script kiddies by releasing DIY DDoS tools (backdoored as well) during the DDoS attacks against Estonia for instance, is exactly what is happening in the time of blogging with a massive forum and IM coordination between Chinese netizens enticed to install a pre-configured to flood CNN.com piece of malware. Both of these coordinated incidents greatly illustrate what people's information warfare, and the malicious culture of participation is all about. The PSYOPS anti-cnn.com initiative is maturing into a central coordination point for recruiting DDoS participants on a nationalism level. Some info on hackcnn.com, the malware, internal commentary on behalf of the hacktivists, and who's behind it :

hackcnn.com (58.49.59.253)
58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000
china@hackcnn.com

Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (64.236.91.24:80) start, trying to access the following file at CNN.com :

- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"

antiCnn.exe
Scanner results : 3% Scanner(1/36) found malware!
TROJAN.DOWNLOADER.GEN
File size: 174592 bytes
MD5...: c03abd4d871cd83fe00df38536f26422
SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691
Released by : Red Flag Cyber Operations nixrumor@gmail.com

From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able
to obtain such juicy inside information about hackcnn.com such as :

Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers

Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :

"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."

"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."

DDoS-ing is one thing, defacing is entirely another, try sports.si.cnn.com/test.htm which was last defaced yesterday spreading "We are not against the western media, but against the lies and fabricated stories in the media", "We are not against the western people, but against the prejudice from the western society.!" messages.

According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of the tool will remain as long as possible, by introducing a way to automatically update the tool with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to obtain the targets list.

Privacy and Power

Tue, 11 Mar 2008 03:09:57 +0000

When I write and speak about privacy, I am regularly confronted with the mutual disclosure argument. Explained in books like David Brin's The Transparent Society, the argument goes something like this: In a world of ubiquitous surveillance, you'll know all about me, but I will also know all about you. The government will be watching us, but we'll also be watching the government. This is different than before, but it's not automatically worse. And because I know your secrets, you can't use my secrets as a weapon against me.

This might not be everybody's idea of utopia -- and it certainly doesn't address the inherent value of privacy -- but this theory has a glossy appeal, and could easily be mistaken for a way out of the problem of technology's continuing erosion of privacy. Except it doesn't work, because it ignores the crucial dissimilarity of power.

You cannot evaluate the value of privacy and disclosure unless you account for the relative power levels of the discloser and the disclosee.

If I disclose information to you, your power with respect to me increases. One way to address this power imbalance is for you to similarly disclose information to me. We both have less privacy, but the balance of power is maintained. But this mechanism fails utterly if you and I have different power levels to begin with.

An example will make this clearer. You're stopped by a police officer, who demands to see identification. Divulging your identity will give the officer enormous power over you: He or she can search police databases using the information on your ID; he or she can create a police record attached to your name; he or she can put you on this or that secret terrorist watch list. Asking to see the officer's ID in return gives you no comparable power over him or her. The power imbalance is too great, and mutual disclosure does not make it OK.

You can think of your existing power as the exponent in an equation that determines the value, to you, of more information. The more power you have, the more additional power you derive from the new data.

Another example: When your doctor says "take off your clothes," it makes no sense for you to say, "You first, doc." The two of you are not engaging in an interaction of equals.

This is the principle that should guide decision-makers when they consider installing surveillance cameras or launching data-mining programs. It's not enough to open the efforts to public scrutiny. All aspects of government work best when the relative power between the governors and the governed remains as small as possible -- when liberty is high and control is low. Forced openness in government reduces the relative power differential between the two, and is generally good. Forced openness in laypeople increases the relative power, and is generally bad.

Seventeen-year-old Erik Crespo was arrested in 2005 in connection with a shooting in a New York City elevator. There's no question that he committed the shooting; it was captured on surveillance-camera videotape. But he claimed that while being interrogated, Detective Christopher Perino tried to talk him out of getting a lawyer, and told him that he had to sign a confession before he could see a judge.

Perino denied, under oath, that he ever questioned Crespo. But Crespo had received an MP3 player as a Christmas gift, and surreptitiously recorded the questioning. The defense brought a transcript and CD into evidence. Shortly thereafter, the prosecution offered Crespo a better deal than originally proffered (seven years rather than 15). Crespo took the deal, and Perino was separately indicted on charges of perjury.

Without that recording, it was the detective's word against Crespo's. And who would believe a murder suspect over a New York City detective? That power imbalance was reduced only because Crespo was smart enough to press the "record" button on his MP3 player. Why aren't all interrogations recorded? Why don't defendants have the right to those recordings, just as they have the right to an attorney? Police routinely record traffic stops from their squad cars for their own protection; that video record shouldn't stop once the suspect is no longer a threat.

Cameras make sense when trained on police, and in offices where lawmakers meet with lobbyists, and wherever government officials wield power over the people. Open-government laws, giving the public access to government records and meetings of governmental bodies, also make sense. These all foster liberty.

Ubiquitous surveillance programs that affect everyone without probable cause or warrant, like the National Security Agency's warrantless eavesdropping programs or various proposals to monitor everything on the internet, foster control. And no one is safer in a political system of control.

This essay originally appeared on Wired.com.

Chip & PIN terminals vulnerable to simple attacks

Tue, 26 Feb 2008 17:33:32 +0000

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.

In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED’s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.

We also found that the certification process of these PEDs is flawed. APACS has been effectively approving PEDs for the UK market as Common Criteria (CC) Evaluated, which does not equal Common Criteria Certified (no PEDs are CC Certified). What APACS means by “Evaluated” is that an approved lab has performed the “evaluation”, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.

This process causes a race to the bottom, with PED developers able to choose labs that will approve rather than improve PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.

We notified APACS, Visa, and the PED manufactures of our results in mid-November 2007 and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!) The responses are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their “layers of security” will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed, and the same for the labs who certified them and would not even tell us who they are.

The threat is very real: tampered PEDs have already been used for fraud. See our press release and FAQ for basic points and the technical report where we discuss the work in detail.