[SecurityRatty] tag: round-up

Fake IE 7 Update Spam Installs Malware

Mon, 11 Aug 2008 06:00:15 +0000

Another round of fake “authority” email has been launched, this time it is a bogus Internet Explorer 7 (IE7) update spam. Here is a current version of the email (it will probably change a bit soon): From: admin@microsoft.com Subject: Internet Explorer 7 Message: You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your [...]

SQL Attacks Still Inject Websites Including Government Sites In US, UK

Fri, 08 Aug 2008 06:43:32 +0000

A new round of SQL injection attacks (most likely by Asprox) has infected millions of web pages belonging to businesses and government agencies, including those that belong to the National Institutes of Health and Education Department in the US and the UK Trade & Investment. It seems that a lot of domains involved are still [...]

FBI warns of new Storm Worm attacks

Tue, 29 Jul 2008 20:00:00 +0000

A rash of complaints prompted the FBI to issue a warning of a new round of spam e-mails bombarding the Internet to spread the malicious Storm Worm.

Security Briefing: June 24th

Tue, 24 Jun 2008 07:00:07 +0000

Another day, another coffee.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Former SEMO Employee Found with Data Files of Personal Information of Students | KFVS 12
Ruby flaws send security researchers into shock | The Register
WhiteHat Secures $7 Million Round of Funding | Earth Times
UK firm offers web-based software audit | vnunet
Educating Employees Reduces Security Breaches | Small Business Computing
New Trojan Leverages Unpatched Mac Flaw | Washington Post
Secrecy an effective legal tool The Star

Tags: News, Daily Links, Security Blog, Information Security, Security News

Another Round Of Fake Breaking News Spam Installs Malware

Sat, 21 Jun 2008 18:43:33 +0000

Nuwar spammers have recently moved from real news of natural disasters and current affairs to creating their own fictional events in an attempt to infect users computers. This new high volume spam campaign is using some attention drawing subjects to lure people into clicking on the links. The spam message has a list of newsworthy subjects [...]

Spring ISD mobile devices stolen along with personal student information

Sun, 18 May 2008 19:01:44 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
Spring Independent School District ("Spring ISD")

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
~8,000

Types of Data:
"personal information, including name, social security number or state-assigned identification number, gender, name of school, grade and birthday"

Breach Description:
"Spring ISD has been informing the parents of about 8,000 students of an incident that occurred in the evening on Wednesday, May 14 that involves the students’ personal information. The Spring ISD testing coordinator’s car was broken into while she was making a stop at a business on her way home from work that evening and a Spring ISD laptop computer and an external flash drive were stolen."

Reference URL:
Spring ISD News
Houston Chronicle
ABC Channel 13 News

Report Credit:
Spring ISD

Response:
From the online sources cited above:

Spring ISD has been informing the parents of about 8,000 students of an incident that occurred in the evening on Wednesday, May 14 that involves the students’ personal information.

The Spring ISD testing coordinator’s car was broken into while she was making a stop at a business on her way home from work that evening and a Spring ISD laptop computer and an external flash drive were stolen.
[Evan] The fact that the district allows personal student information to be stored on mobile devices is very troubling. There is no mention of encryption, so I will assume that there was none. This is very careless.

The coordinator's computer bag was stolen from her vehicle between 5:30 and 7 p.m. Wednesday when she stopped to run an errand near Mason Road and Beltway 8, on her way home from work

The coordinator had the laptop, Curry said, because the job responsibilities often require her to work nights and weekends.
[Evan] Fine. This is the reason why many organizations use laptops. The problem is the lack of control and security. If an organization decides to employ laptops, then the organization MUST ensure that they are adequately protected.

The flash drive contains the Texas Assessment of Knowledge and Skills (TAKS) results of third and fifth graders who have taken the first round of reading and math tests, eighth graders who have taken the first round of math tests and 11th and 12th graders who have taken the exit level retest.

In addition, the drive contains the students’ personal information, including name, social security number or state-assigned identification number, gender, name of school, grade and birthday.
[Evan] Why in the *&^$ does a testing coordinator have Social Security numbers on a laptop and/or flash drive?! A Social Security number should have no correlation to testing scores.

This also applies to students who are in those testing groups but were absent when the testing took place.

Personal phone calls were made to the parents of these students on Thursday, letters were sent home with students and the letters are being mailed to homes also in an effort to help parents quickly take steps to protect their children from identity theft.

"The district immediately contacted federal agencies to make them aware of the theft, and we are checking to see whether there is any thing else we can do on behalf of the individual students. In the meantime, we urge parents to use the information we have provided," said Regina Curry, assistant superintendent for communications and community relations.

The theft is being investigated by the Harris County Sheriff’s Department and every effort is being made to recover the equipment.

The district has reported the incident to the Texas Education Agency Test Security Task Force and will comply with whatever action they require.

"This incident is highly regrettable and the district is looking at potential security precautions to protect the students’ personal information in the future," Curry said.
[Evan] I'm sure that the district regrets the incident, but careless acts have consequences and this should have been known beforehand.

Anyone with information about the theft is urged to call the Harris County Sheriff's Office Burglary and Theft Division at 713-967-5770 or the Spring ISD Police Department at 832-764-4911.

Commentary:
I try to be politically correct in many of my comments although sometimes I push the boundaries. I can't think of a word right now that adequately expresses my thoughts. Where was common sense? It could be argued that many breaches we read about entail a certain amount of dumbness, but this one definitely strikes a chord.

Who in their right mind would allow highly-confidential personal information to be carried around on mobile devices? Without encryption? When it isn't necessary? It puzzles me.

I feel like I should say more, but my high blood pressure has gone high enough for the day. I should rest.

Past Breaches:
Unknown

Second edition

Sun, 27 Apr 2008 13:10:52 +0000

The second edition of my book “Security Engineering” came out three weeks ago. Wiley have now got round to sending me the final electronic version of the book, plus permission to put half a dozen of the chapters online. They’re now available for download here.

The chapters I’ve put online cover security psychology, banking systems, physical protection, APIs, search, social networking, elections and terrorism. That’s just a sample of how our field has grown outwards in the seven years since the first edition.

Enjoy!

Ross

BART Wi-Fi Access Moves Closer in Bay Area

Wed, 09 Apr 2008 02:39:32 +0000

WiFi Rail may sign contract with Bay Area Rapid Transit soon: That's typical marketing fare from many companies, to pre-announce deals, but a BART official confirmed the state of negotiations in this Sacramento Bee article. I had a long talk with the WiFi Rail folks a few months ago, and they sent me some fascinating video of a live four-way video chat with three participants communicating from moving trains.

Their technical description of what they're doing makes a lot of sense, and if they can pull off their trial work in a production environment, they will have a set of patents and products that will likely be the model for deploying subway and train Wi-Fi in urban areas around the world. Yes, that's a big claim; but they have a unique and interesting solution.

The company told the Bee that they would start on heavily traveled underground routes first, with service available within 4 months of a contract. WiFi Rail relies on leaky coax, which is wiring that runs in the tunnel already, and they've overlaid Wi-Fi signals on in a way that simulates a very long antenna.

The Bee reports that they've raised $1.5m in financing so far with another round of $15m to $20m to close later this year. With a BART contract in hand, I can't imagine they'll have any difficulty getting funds. Captive audiences are worth the big bucks.

On Hannaford Brothers Breach and PCI

Tue, 18 Mar 2008 11:58:00 +0000

So, is Hannaford Brothers breach a PCI failure? Rich Mogul discuss this here by pointing at this piece in the breach FAQ:

"Is it safe to continue shopping in your stores?

We have continually devoted significant round-the-clock resources to ensure Hannaford has comprehensive data security systems in place. For example, our security measures meet industry compliance standards and many go above and beyond what is required by industry standards."

Are they alluding to PCI here? I think so ... So, is this a PCI failure? Or this is simply a reflection of the fact that you CAN be 0wned, no matter how many compliance hurdles you overcame....?

Dave Cowan of Bessemer says mid-market is the new battleground for security

Mon, 10 Mar 2008 05:32:03 +0000

Brad Feld turned me on to this interview of Dave Cowan of Bessemer Ventures on Red Herring TV. Dave and Brad have co-invested in several deals, Postini being one of them. Dave speaks about his recent involvement in a 100+ million dollar round in Perimeter Securtity, the MSSP aimed at mid-market and SMBs. Dave and Bessemer have invested in many security companies over they years and he has a well honed view into the space. His comments are that security is saturated at the top of the pyramid, meaning the Fortune 2000 and large government accounts. He thinks the real opportunity is at the mid-market. Not surprising given his recent Perimeter investment.

From my perspective though, I have to agree. I think the mid-market is a much more dynamic marketplace for security. You know what they say about the Fortune 500? There are only 500 of them. Anyway, here is the interview, but be advised the security talk is only for about the first half of the show. The rest is on VC stuff.