[SecurityRatty] tag: pcworld

Its not just about a strong password any more

Fri, 28 Nov 2008 13:30:52 +0000

Make sure, as discussed in this great article, that you have a hard to guess login name.

Logins Are Half Your Access

Thieves need the login and password to access your accounts, so make the login difficult to guess, too. Avoid a simple, name-based method; add extra numbers, letters, or an ID that’s entirely different. Ideally, use unique logins (and passwords) for each service to isolate any exposure, should someone breach an account. (At the very least, keep unique logins and passwords for your most sensitive accounts, such as online banking.) While you may have to tell a customer service representative your login on occasion, don’t share the information without need. And never give anyone a password.

The Bot Monsters are right outside your door!

Thu, 30 Oct 2008 12:48:57 +0000

GO Chicken Heart!
Sorry, a flashback to my days as a kid. Yes, I was a kid!
Make sure your Firewall is properly configured to thwart attacks or you may be getting a trick instead of a treat this Halloween.

clipped from www.pcworld.com

Don’t Be Dragooned Into the Botnet Army

A favorite multipurpose weapon of online thieves is growing larger and more powerful, according to those who combat the threat.

The malware armies are growing, with a sharp rise in the number of computers corralled into botnets–far-flung networks of infected PCs that digital crooks use to steal financial account data, relay spam, and launch crippling Internet attacks. Now that popular Web sites can invisibly and unwillingly spread malicious software, the days of staying safe just by being careful where you surf are sadly long gone. But you can take steps to protect yourself and your PC from these threats.

SearchScan works nicely alongside SiteAdvisor

Thu, 03 Jul 2008 10:59:20 +0000

A really great service for Yahoo SE users.
Anything you can do to stay safe, do it!

clipped from www.pcworld.com

Yahoo Search Adds SearchScan, a Good Security Step

SearchScan, as Yahoo calls the feature, is a good move that can help protect users’ privacy and security, and one that I’d like to see the company take further. Here’s how it works.

Social Networking: When It All Goes Horribly Wrong

Tue, 01 Jul 2008 15:33:10 +0000

Interesting article over at PCWorld:

One of the first social networking upstarts, MySpace, is facing continuing security problems that threaten to spoil many of the innovative features that make the site useful.

Hackers, spammers and Internet malcontents have turned many of the "group" sites, which are dedicated to interests such as home beer brewing, animal welfare and gay rights issues, into cyber-graffiti walls, filled with offensive comments and photographs.

Link here.

Youll have to pay better attention soon.

Thu, 26 Jun 2008 10:04:28 +0000

I really hope this works. It will serve to educate users faster about the dangers of online safety.
On the other hand, I dont think it will cut down on the number of infections anytime soon.

clipped from www.pcworld.com

Coming: A Change in Tactics in Malware Battle

As a vast flood of new malware threatens to overwhelm antivirus software, security companies have begun changing how their programs protect PCs. To avoid being left in the dust by the crooks, companies plan to turn the tables on them by allowing only known good programs to run.

"many of Colt's clients" affected by breach, CNET included

Wed, 25 Jun 2008 07:25:20 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized. Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET. The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information. Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did. Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.

some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information! I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again. One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame. It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many". How many clients will be affected in the end? PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters. An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business. This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th? I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you. We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist. How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it? If so, this could have been a sign that could have spurred some action. Then again, maybe not.

http://www.colthr.com/

Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February. The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking. Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships. Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment. Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization. The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary. If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

What would happen to you?

Thu, 19 Jun 2008 10:22:44 +0000

How are you protected if something like this happened?
Interesting to think about huh?
Maybe some investigating is needed on your employee computer usage guidelines.

clipped from www.pcworld.com

A Misconfigured Laptop, a Wrecked Life

Fiola: I will never go to work for them again. I would not work for a company that would not protect its employees. I feel they didn’t protect me. The SMS was disabled on that computer.

SCSU web server becomes spam server and exposes personal information

Fri, 02 May 2008 07:12:47 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
Southern Connecticut State University

Contractor/Consultant/Branch:
None

Victims:
Current and former students

Number Affected:
11,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
"Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised."

Reference URL:
SCSU Alert
PCWorld
NBC Channel 30 News
Chronicle of Higher Education

Report Credit:
Southern Connecticut State University

Response:
From the online sources cited above:

From the University's Alert Page:
During a recent security review of the Southern Connecticut State University Web server, it was discovered that certain identifying information pertaining to current students and alumni could have been vulnerable to access by unauthorized individuals.
[Evan] As you will read further in this posting, the web server appears to have been compromised. I don't think "could have been vulnerable" is an accurate assessment. The information WAS vulnerable.

The information, including names, addresses, and Social Security numbers, was contained in a protected records office file in which students would register for graduation.

Records of about 11,000 students had been stored in the file dating back to 2002.
[Evan] Personal information belonging to thousands of people on a public web server. UGH.

Upon discovering this potential vulnerability, the university immediately disabled the application and secured the file.

There has been no determination that the personal information contained in the file was accessed, nor is there any indication that this data has been or will be used for purposes of identity theft.
[Evan] Even novice web site administrators log access to web pages and files. If the attacker accessed the file through the web service/daemon, then access was probably logged. If the attacker had completely compromised the web server or taken a different avenue of attack, then there might not be easily obtained evidence of access. Either way, I assume that the file could have been accessed easily.

The university has notified all the affected individuals by letter and taken a number of proactive steps, along with a full security review of the university's Web server.
[Evan] What is proactive in a response?

The University has undertaken a review of all files containing personal information on its Web server and there is no evidence to date that any of them have been compromised.
[Evan] The University should undertake a review of all files containing personal (and other confidential) information everywhere, not just its Web server. Why would personal information storage be permitted at all on a web server?

Identity protection services will be provided at the university's expense to the affected individuals, for a period of up to two years. To obtain this optional coverage, registration for this service is necessary.
[Evan] At the "university's expense" means at the current and future student's expense. As the cost of business goes up, so does the cost of service (at some point) which means an increase in the price of tuition or increase in taxes (SCSU is a member of the Connecticut State University System). Does this sound like good management?

A help desk has been established to respond to questions. The help desk number is: (203) 392-7216 and will be staffed between the hours of 8:30 a.m. to 4:30 p.m.

A dedicated Web page, containing updated information, has been created and may be accessed at www.southernct.edu/creditmonitoring/

Now From Outside Sources:
Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.
[Evan] Do you see how the school's alert web site differs from outside sources? See a spin (one way or the other)? Do you think that the outside sources try to sensationalize the story, or do you think that the school doesn't want the embarrassment that their web server was a spam-related site for some time? Maybe a combination of the two.

The personal data was in a file on the university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs.
[Evan] Not only was personal information stored on a public web server, but it was stored on a poorly secured (and probably poorly monitored) public web server.

"The hackers were using our Web server as a host for their own Web site," he said.

Pages on the university's site contained ads for diamond rings, Viagra and Cialis.

After noticing the ads on April 9th, IT staff discovered the file containing the sensitive information. "When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.

The university believes that the hackers came from outside the U.S., and it is working with Connecticut's attorney general's office to investigate

Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.

Commentary:
There are so many things wrong with this, it is hard to know where to start. Will anyone be held accountable.

Past Breaches:
April, 2008 - Stolen SunGard laptop affects at least 10 post-secondary schools (PogoWasRight has been keeping a running update of the Sungard breach, check out their search.)

Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Wed, 07 Nov 2007 19:52:27 +0000

Synopsis:Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #70, a 51-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

NOTE: This show was recorded on October 25, 2007.

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:

Dan???s new employment with Voxeo
Dan at VON next week ??? Dean Elwood is doing a VoIPUser dinner ??? perhaps a Blue Box dinner as well?
We hope you enjoyed Blue Box SE 21 with Phil Zimmermann ??? many thanks to Martyn Davies for helping with that.
Reporters for some of the spring shows? (we can probably get you press credentials??? if you are there)

XSS attack and SQL injection via SIP against Asterisk
The XSS attack against Linksys SPA-941 we discussed last week was picked up by Secure Computing which resulted in this SearchSecurity.com article: New Attack Methods Target Web 2.0, VoIP (last link sent to us by Rhodri Davies)
Sipera released a range of vulnerabilities related to Vonage, Grandstream and more ??? note that the Vonage thread has been picked up by ZDNet???s Russell Shaw
Wired: Phones Aren???t Safe Either, Hackers Say ??? also discussed in Network World and Russell Shaw We???ve toasted so many of these (VoIP) networks??? and Dustin Trammell???s blog (in the list of sessions he attended)
SANS: Vishing, Skype, and VoIP-Based Fraud (sent in by Craig Bowser)
CXO Today: The Phishing Epidemic
PCWorld.CA: The eight most dangerous consumer technologies (Skype and consumer VoIP are #6 on page 2 )
TMC Net: VoIP Peering in Search of a Viable Interconnect Business Model (note the comments about security toward the bottom)
Cisco TechWise podcasts Session Initiation Protocol and Security (it???s on the page??? came out 10/18/07 )
TechRepublic: Sanity check: Will Microsoft be your next phone company? (nice roundup of the MS announcements??? some of the comments are also interesting)
Comcast

- Upcoming shows:
- Oct 24-25, New York, USA, Interop
- Oct 29-Nov 1, Boston, USA, Fall 2007 VON
Comment (email) from Dan Wing about episode 69 and the potential DDoS attack
Comment (email) from Raul Siles about episode 66
Comment (email) from Raul Siles about SANS VoIP Security course
Two-year-anniversary:
- Comment (audio) from Martyn Davies
- Comment (audio) from Dean Elwood
- Comment (audio) from Mike Wallace
- Comment (audio) from Raul Siles (with Matrix inclusion)
- Comment (audio) from Carsten Helmuth (cut off)
- Comment (email) from Scott Tanner
- Comment (email) from Shlomo Dubrowin
- Drawing for the book
- Review of the last week's traffic on the VOIPSEC public mailing list

- Wrap-up of the show

51:14 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Wed, 07 Nov 2007 18:52:53 +0000

Synopsis:Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #70, a 51-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

NOTE: This show was recorded on October 25, 2007.

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:

Dan’s new employment with Voxeo
Dan at VON next week – Dean Elwood is doing a VoIPUser dinner – perhaps a Blue Box dinner as well?
We hope you enjoyed Blue Box SE 21 with Phil Zimmermann – many thanks to Martyn Davies for helping with that.
Reporters for some of the spring shows? (we can probably get you press credentials… if you are there)

XSS attack and SQL injection via SIP against Asterisk
The XSS attack against Linksys SPA-941 we discussed last week was picked up by Secure Computing which resulted in this SearchSecurity.com article: New Attack Methods Target Web 2.0, VoIP (last link sent to us by Rhodri Davies)
Sipera released a range of vulnerabilities related to Vonage, Grandstream and more – note that the Vonage thread has been picked up by ZDNet’s Russell Shaw
Wired: Phones Aren’t Safe Either, Hackers Say – also discussed in Network World and Russell Shaw We’ve toasted so many of these (VoIP) networks… and Dustin Trammell’s blog (in the list of sessions he attended)
SANS: Vishing, Skype, and VoIP-Based Fraud (sent in by Craig Bowser)
CXO Today: The Phishing Epidemic
PCWorld.CA: The eight most dangerous consumer technologies (Skype and consumer VoIP are #6 on page 2 )
TMC Net: VoIP Peering in Search of a Viable Interconnect Business Model (note the comments about security toward the bottom)
Cisco TechWise podcasts Session Initiation Protocol and Security (it’s on the page… came out 10/18/07 )
TechRepublic: Sanity check: Will Microsoft be your next phone company? (nice roundup of the MS announcements… some of the comments are also interesting)
Comcast

- Upcoming shows:
- Oct 24-25, New York, USA, Interop
- Oct 29-Nov 1, Boston, USA, Fall 2007 VON
Comment (email) from Dan Wing about episode 69 and the potential DDoS attack
Comment (email) from Raul Siles about episode 66
Comment (email) from Raul Siles about SANS VoIP Security course
Two-year-anniversary:
- Comment (audio) from Martyn Davies
- Comment (audio) from Dean Elwood
- Comment (audio) from Mike Wallace
- Comment (audio) from Raul Siles (with Matrix inclusion)
- Comment (audio) from Carsten Helmuth (cut off)
- Comment (email) from Scott Tanner
- Comment (email) from Shlomo Dubrowin
- Drawing for the book
- Review of the last week's traffic on the VOIPSEC public mailing list

- Wrap-up of the show

51:14 - End of show

Thank you for listening and please do let us know what you think of the show.