[SecurityRatty] tag: schools

Summarizing Zero Day's Posts for September

Tue, 07 Oct 2008 06:54:00 +0000

As usual, here's September's summary of all of my posts at Zero Day. You may also want to catch up and go through August's and July's summaries, next to adding my personal RSS feed or Zero Day's main feed to your RSS reader.

Notable article for September - Spamming vendor launches managed spamming service.

01. DoS vulnerability hits Google's Chrome, crashes with all tabs
02. Malware and spam attacks exploiting Picasa and ImageShack
03. Spamming vendor launches managed spamming service
04. Facebook introducing new security warning feature
05. Google downplays Chrome's carpet-bombing flaw
06. Targeted malware attack against U.S schools intercepted
07. The most "dangerous" celebrities to search for in 2008
08. Norwegian BitTorrent tracker under DDoS attack
09. Attacker: Hacking Sarah Palin's email was easy
10. Bill O'Reilly's web site hacked, attackers release personal details of users
11. India's government: At last, we've cracked Blackberry's encryption
12. Memory exhaustion DoS vulnerability hits Google's Chrome
13. 44% of second hand mobile devices still contain sensitive data
14. Spammers attacking Microsoft's CAPTCHA -- again

CCTV Firm Threatens The Researcher Who Found Vulnerable Products That Reveal Cam Images Without Authentication

Sat, 20 Sep 2008 04:22:21 +0000

A flaw discovered by security researcher Mike Stephens, affects The LookC 4×4 server and Pro IX server, which allows anyone to view static images from any camera connected to its servers. This product is installed in some primary and secondary schools. The flaw requires no authentication to exploit and vulnerable servers might be found via [...]

Learning From Sarah Palins Yahoo Mail Compromise

Thu, 18 Sep 2008 09:31:56 +0000

The password reset functionality of any online service is a major source of risk. They are especially problematic when they use only a “secret question” concerning personal information only and don’t tie back to another email account or a text message. Another account or cell phone number is something “out of band” from a direct transaction with the online service. It becomes 2-factor authentication.

When an alternate email account or cell phone number is not tied to an account, online services often use personal information, supposedly only known by the account holder, to verify identity and reset a password. The risk here is the personal information is often known to other individuals and if the account holder is a public figure then the information may be easily researched. Birthdays, names of pets, locations of homes, schools, and events can often be discovered online or guessed.

Paris Hilton’s T-Mobile account, and thus all her Sidekick cell phone contents which were mirrored online, was compromised when someone “guessed” the answer to her secret question. The secret questions was, “What is your pet’s name.” The answer of course was, “Tinkerbell”. Something easily researched. Many people would not have their pet’s name online but friends, family members, or perhaps an ex would know the answer. Using a pet’s name is a very bad security practice.

Now we have Sarah Palin, another public figure, having her online account compromised because someone used the password reset functionality and guessed the answer to Sarah Palin’s secret question. This is how the attacker says he found out her personal information and guessed the answer to her secret question. He details this on 4chan.org:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Best practices for setting up the password reset functionality of any online service:

Tie an account to another email account or cell phone number if that is an option. This will cause the service to send an out of band message and in essence make the password reset a 2-factor authentication.
Do not use any personal information that can be guessed as the answers to secret questions. Treat these answers like passwords. Don’t use dictionary words. Add some numbers or symbols to the answer. For example is Sarah Palin had used “Wasilla high 1964″ or “!Wasilla high!” it is far less likely it would be guessed. Pick a scheme to modify your secret answers so they aren’t guessable.
Try resetting your password. See if there are downgrade attacks which make it easier to reset the password. Yahoo for instance will allow you to specify that you don’t have access to the email address tied to your account and thus not send a password reset email. Since an attacker can do this the safety of using another account is eliminated thus making the answers to the secret question all that more important.

U.S Schools Are Targeted In Malware Spam Campaign

Wed, 17 Sep 2008 18:34:59 +0000

MessageLabs intercepted a targeted, email-borne malware attack on US schools and government organizations starting in early September. The majority of attacks are located in New Mexico, Virginia, Illinois and Hawaii. The attack comprised more than 1000 emails from only 15 source IP addresses, most of which were located in the former Soviet Union on consumer-based [...]

Employee Fraud Spiralling Out of Control in the UK

Tue, 09 Sep 2008 06:08:00 +0000

You have read it before on TheBulletProofBlog - the tougher times get, the more likelihood that people will resort to criminal measures.

We reported it regarding the theft of copper from Churches, Hospitals, Schools - even from new homes still under construction. We brought to your attention the fact that thieves have become bolder, evidenced by the theft of manhole covers in public streets and drilling into fuel tanks on vehicles as petrol and diesel prices rise.

In "Personneltoday", it is reported that employers have been put on "red alert" as the downturn in the economy is prompting employees to make ends meet by dishonest means. One figure that employers every where are bound to find shocking is the fact that employee fraud has cost UK companies more than 77 Million Pounds Sterling (approx. $150,000,000.00),just in the first half of this year alone.

The most disturbing aspect of this figure is the fact that it is up from 10 Million Pounds Sterling (approx. $18,000,000.00)in the same period last year. This represents more than an 8 fold increase in employee fraud in a 12 month period.

The report was conducted by the accountancy firm BDO Stoy Hayward. Mr. Simon Bevan, the head of fraud services there attributes the escalation in criminal activity amongst employees to; "spiralling personal debt as a result of mortgage,food and fuel price hike". Sound familiar?

The population of the UK is one sixth that of the United States. It is frightening to imagine what the figures will look like from U.S. businesses at the end of this year and beyond. In 2002, employee fraud and abuse cost U.S. businesses $6 Billion Dollars (independently reported by the "Association of Certified Fraud Examiners" of which SEXTON is a member).

What would be the outcome to U.S, businesses if fraud costs escalated 8 fold to $48 Billion Dollars by year's end? How many would go under? How much further damage would that inflict on the already struggling economy? The economic circumstances in the U.S. are certainly similar to those of the UK.

U.S. businesses beware. Be proactive and fight fraud and abuse before it is too late. Your very survival just may depend upon it.

Is an incorrectly implemented security program better than a non-existent one ?

Wed, 03 Sep 2008 12:02:00 +0000

Think carefully before you answer that one. A large majority of you would be inclined to give a resounding 'yes' - but I really want you to think carefully on this one. Think long term. Think about implementation hurdles, think about project documentation.

The answer to this IMHO is a big "DEPENDS".

To explain:

Imagine you're working in a company that has no security controls in place - and is in desperate need of getting a security program impemented. They hire a new CISO to make sure their physical and logical controls are in place, network and applications are secured appropriately and their incident management and forensics capabilities are upto date. At this point the CISO clearly knows that he needs to create and implement a number of programs and hires a bunch of people to perform and manage a series of tasks. Till this point, things are going smoothly. Everyone understands the need, and is working towards meeting a common goal. The program is not in place yet, but people know and understand the urgency need to act immediately. The CISO's risk radar has a list of projects ranked by priority and everone begins to tackle them.

Now consider the scenario when certain security programs are not done right - say, a few of the high risk applications are not considered in the initial risk matrix or there are certain business units that have been granted an 'exception'to the process that is being put in place, with the most common excuses of:

1. This is a pilot
2. We will get to this in the next phase
3. The group has a number of high profile clients who don't want it implemented right now
4. <plug your own excuse here>

Well - initially, everyone is completely aware that they have more issues to remediate and and have honest intentions to fix that too, once the pilot and
PoC is well established and in place. But then things change. Leaders change. Managers change. People's roles change. What doesn't, is the documentation regarding the project. But documents usually tend to highlight what the project does, not what it doesn't do. Nobody seems to remember there are additional tasks that need to get completed. People take a quick look at documents detailing what was done in the program and begin to assume that it is well established, completely ignoring the fact that a very important Phase 2 still needs to be in place. A false sense of security is now well in place... and life goes on.

Till you get hacked.

..and then a forensics team attempts to determine the cause. A new CISO comes in, reviews the existing program, decides it is too complex and structureless and decides to do away with it entirely and create a new security program.. and the cycle continues.

The moral of the story: When you have no security program - be very careful while diligently working to get one in place

But when you have a partial one, be extremely careful and don't leave any loose ends while getting it completely and correctly put in place.

On a lighter note - here's an email I received from a school I was doing some courses from ..

Beautiful !! Here is your PIN (username). But we will not give you your password over email. I was sooo impressed when I got that! - Could it be that schools and universities are finally waking up and trying to understand security ? No more SSNs as IDs ? No more default 'password' passwords ? This was great. I followed the procedure outlined to receive a new password - it asked for my name, DOB and email.. and then .. I receive this:

For those who cannot see the image:

the email says:

blah blah blah blah blah blah..
your PIN:
your password: password1234

blah blah blah blah blah blah

Obama alma mater gets an education in 'net security

Tue, 02 Sep 2008 20:00:00 +0000

Punahou School in Honolulu has moved into the networking vanguard since presidential candidate Barack Obama graduated from the K-12 school in 1979. The private school’s 45 buildings are now connected via a fiber backbone and point-to-point laser system for short-range wireless communications, with Cisco switches and a voice-over-IP system for 500 phones.

Education and the willingness of parents ot insure their childs online safety is paramount

Tue, 02 Sep 2008 19:58:11 +0000

I agree with alot of both the Point and Counterpoint articles by Alan and Mary.
The Counterpoint article is at this link.
http://www.internetevolution.com/author.asp?doc_id=162622&f_src=ieupdate

clipped from www.internetevolution.com

One problem is that content filtering software simply isn’t good enough.?Yes, software blocks many child porn sites, but it also allows some sites to get through.?Also, child porn sites are typically very good at evading filters.?Just as importantly, the software mandated for schools and public libraries doesn’t just ban child porn, it bans thousands of sites.?Does the software company investigate the thousands of sites it blocks??Does it know whether a child engaged in illicit activity on a Website is 16, 18, or 21 years old?

File Sharing Program Exposes Prince William County Public School Private Records

Mon, 01 Sep 2008 18:13:58 +0000

Prince William County Public Schools (PWCS) recently learned that certain personal information relating to a small group of students, staff, and volunteers was inadvertently exposed to the public through the Internet for a period of approximately five weeks this summer. It was determined that a school-based employee, while working on school business from home on [...]

Kids with Cell Phones in Emergencies

Thu, 14 Aug 2008 08:20:24 +0000

In the middle of a sensationalist article about risks to children and how giving them cell phones can help, there's at least one person who gets it.

Since the 1999 Columbine High School shootings and the 9/11 terrorist attacks, many parents feel better having a way to contact their children. But hundreds of students on cell phones during an emergency can cause problems for responders.
"There's a huge difference between feeling safer and being safer," says Kenneth Trump, president of National School Safety and Security Services.

According to Trump, students' cell phone use during emergencies can do three things: increase the spread of rumors about the situation, expedite parental traffic at a scene that needs to be controlled and accelerate the overload of cell-phone systems in the area.

Tom Hautton, an attorney for the National School Board Association, said that cell phones in schools also can lead to classroom distractions, text-message cheating and inappropriate photographs and videos being spread around campus.

We are just naturally inclined to make irrational security decisions when it comes to our children.