Friday, December 15, 2006
UCLA probes computer security breach
By BROOKE DONALD, Associated Press Writer
Tue Dec 12, 2:29 PM ET
The University of California, Los Angeles alerted about 800,000 current and former students, faculty and staff on Tuesday that their names and certain personal information were exposed after a hacker broke into a campus computer system.
Only a small percentage — "far less than 5 percent" — of the records in the database were actually accessed, UCLA spokesman Jim Davis told The Associated Press.
Still, it was one of the largest such breaches involving a U.S. higher education institution.
The attacks began in October 2005 and ended Nov. 21 of this year, when computer security technicians noticed suspicious database queries, according to a statement posted on a school Web site set up to answer questions about the theft.
Davis said the hacker used a program designed to exploit an undetected software flaw to bypass security and get into the restricted database, which has information on current and former students, faculty and staff, and some student applicants and parents of students or applicants who applied for financial aid.
However, many of the records in the database do not link names to Social Security numbers, the two pieces of information the hacker was after, Davis said.
The university's investigation so far shows only that the hacker sought and obtained some of the Social Security numbers. Out of caution, the school said, it was contacting everyone listed in the database.
About 3,200 of those being notified are current or former staff and faculty of UC Merced and current or former employees of the University of California Office of the President, for which UCLA does administrative processing.
Acting Chancellor Norman Abrams said in a letter posted on the site that while the database includes Social Security numbers, home addresses and birth dates, there was no evidence any data have been misused.
The letter suggests, however, that recipients contact credit reporting agencies and take steps to minimize the risk of potential identity theft. The database does not include driver's license numbers or credit card or banking information.
"We have a responsibility to safeguard personal information, an obligation that we take very seriously," Abrams wrote. "I deeply regret any concern or inconvenience this incident may cause you."
The breach is among the latest involving universities, financial institutions, private companies and government agencies. A stolen Veterans Affairs laptop contained information on 26.5 million veterans, and a hacker into the Nebraska child-support computer system may have gotten data on 300,000 people and 9,000 employers.
Security experts said the UCLA breach, in the sheer number of people affected, appeared to be among the largest at an American college or university.
"To my knowledge, it's absolutely one of the largest," Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times.
Petersen said that in an Educause survey released in October, about a quarter of 400 colleges said that they had experienced a security incident in which confidential information was compromised during the previous 12 months, the newspaper reported.
In 2005, a database at the University of Southern California was hacked, exposing the records of 270,000 individuals.
This spring, Ohio University announced the first of what would be identified as five cases of data theft, affecting thousands of students, alumni and employees — including the president. About 173,000 Social Security numbers may have been stolen since March 2005, along with names, birth dates, medical records and home addresses.
Labels: UCLA
Sunday, December 10, 2006
Hackers find use for Google Code Search
Shortcut for vulnerability seekers (whatever their hat color)
Robert McMillan
October 06, 2006 (IDG News Service) -- Google Inc. has inadvertently given online attackers a new tool.
The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet in the first place, security experts said Friday.
Unlike Google's main Web search engine, Google Code Search peeks into the actual lines of code whenever it finds source-code files on the Internet. This will make it easier for developers to search source code directly and dig up open-source tools they may not have known about, but it has a drawback.
"The downside is that you could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it," said Mike Armistead, vice president of products with source-code analysis provider Fortify Software Inc.
Attackers could also search code for vulnerabilities in password mechanisms, or to search for phrases within software such as "this file contains proprietary," possibly unearthing source code that should never have been posted to the Internet.
Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering.
Skilled hackers may already be able to do this type of search with Google's Web search engine, but Code Search is "another tool that makes it a tad easier for the attacker," said Johnny Long, a security researcher with Computer Sciences Corp, in an e-mail interview.
For its part, Google did not have much to say about possible misuse of its new product. "Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately," the company said in a statement.
Google has never said much about the steps it takes to cut down on this kind of misuse of its search engine, though the issue comes up from time to time. In July, Websense Inc. used a little known binary search capability within Google Inc.'s search engine to look for malware on the Internet.
While Google Code Search will probably not have much of an effect on popular open-source projects, which are already heavily scrutinized, it could help ferret out vulnerabilities in lesser known pieces of code, according to Lev Toger, a software developer with Beyond Security Ltd.
"Using Google's code search, it's much easier to find interesting code portions," he said via e-mail. "If your task is to find vulnerability in some random code, this filtering can save you a lot of time. "
Antiphishing efforts try to keep pace
It's a daunting process just staying in place
Cara Garretson
October 11, 2006 (Network World) -- While many experts say phishers will continue to stay one step ahead of even advanced preventive measures, some security companies are developing new ways to keep the public informed about fraudulent Web sites and cut down on scams.
These initiatives are designed to fight phishing by providing helpful data to ISPs, e-mail security firms and antimalware vendors whose products are designed to protect their customers from cybercrime, as well as the financial institutions and online retailers whose Web sites are mimicked by fraudulent ones.
Meanwhile, the fight against phishing also is playing out on the desktop, as tools to keep Web users from visiting fraudulent sites become more prominent. For example, the next version of Internet Explorer will include the Phishing Filter, designed to warn users if they visit a fraudulent Web site, according to Microsoft officials. The next version of the Firefox browser is expected to have a similar feature.
Yet by the time these upgrades are widely adopted, phishers will have found ways around the blocking mechanisms, one analyst says.
"Phishing attacks as we know them will go away, but I'm sure [phishers] will come up with something else," says Avivah Litan, a vice president at Gartner.
"I think it's spy vs. spy," echoes Todd Bransford, vice president of marketing with antiphishing vendor Cyveillance. "We see more variants of phishing as the bad guys get more creative and come up with new ways to circumvent security . . . they're just different enough so that they're not recognized by the security efforts."
Among the new initiatives designed to fight phishing is an offering from Cyveillance, whose service is used by financial institutions, online retailers and other companies to protect their brand on the Web. Last week the company announced it will make its data regarding phishing sites available for reuse by other vendors.
The OEM Content Program is designed for ISPs and security companies that need to block users from phishing sites, Bransford says. This phishing data from Cyveillance is used by AOL and Microsoft with their ISP offerings.
The company's crawlers and agents constantly scour the Web for misuse of its clients' brands, and often discover fraudulent sites. With the new offering, Cyveillance will make this information available to companies that interact directly with users to help protect them from these sites, Bransford says. The information provided via this service is backed by a no-false-positives service-level agreement.
Cyveillance competitor MarkMonitor late last month announced a private-label desktop application that it will sell to financial institutions looking to offer their customers protection against fraudulent sites. Called Trust Guard for Financial Services, the software performs real-time heuristics and contextual analysis to decide if a Web page is fraudulent and also checks sites against MarkMonitor's own blacklist.
The software is available as a stand-alone application or can be integrated into existing applications and toolbars. Financial institutions can rebrand the software and distribute it directly to their customers.
This week Tipping Point, a division of 3Com, plans to announce a Firefox browser add-in designed for use by cybercrime investigators, network operators and security companies that provides instant information about the Web site the user is visiting. Called Monkeyspaw and based on open source code, the tool aims to help security professionals analyze and report fraudulent sites, says Tod Beardsley, lead counterfraud engineer with Tipping Point.
Monkeyspaw provides information such as the IP address of a Web server, its configuration information and its geographical location -- data that can prove helpful in determining whether a site is valid. While this information can be obtained by some digging, Monkeyspaw presents it quickly and clearly, Beardsley says. The tool also can be used to report a fraudulent site to CastleCops' Phishing Incident Reporting and Termination Squad, which takes down phishing sites.
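The desktop tools in this article combine a vendor-supplied blacklist with heuristics run on the URL itself. The following is an added illustration of that two-stage check, not code from MarkMonitor, Cyveillance or Tipping Point; the blacklist entries, brand list and heuristic thresholds are constructed for the example, and a production tool would use a live feed and the public suffix list instead of the crude domain split used here.

```python
"""Added example: blacklist lookup plus URL heuristics for a desktop
antiphishing check. All hostnames, brands and feeds are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for a vendor blacklist feed (hypothetical hostnames).
BLACKLIST = {
    "secure-login.example-bank.verify-account.net",
    "paypa1-support.example.org",
}

# Constructed list of protected brands and the domains that legitimately serve them.
PROTECTED_BRANDS = {
    "example-bank": {"example-bank.com"},
    "paypal": {"paypal.com"},
}


def hostname_of(url):
    """Return (lowercased host, True if the URL carries user:pass@ before the host)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.username is not None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    # Last-two-labels approximation; real tools consult the public suffix list.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def heuristic_flags(url):
    """Cheap signals that a page is impersonating someone, evaluated offline."""
    host, has_userinfo = hostname_of(url)
    flags = []
    if is_ip_literal(host):
        flags.append("ip-literal host")
    if has_userinfo:
        flags.append("credentials in URL")  # classic "brand.com@evil" trick
    if host.count(".") >= 4:
        flags.append("many subdomains")
    reg = registrable_domain(host)
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in host and reg not in legit:
            flags.append(f"brand '{brand}' outside its domain")
    if "xn--" in host:
        flags.append("punycode label")
    return flags


def classify(url):
    """Blacklist first (no false positives by contract), then heuristics.
    Returns (verdict, reasons) with verdict in {"block", "warn", "allow"}."""
    host, _ = hostname_of(url)
    if host in BLACKLIST:
        return "block", ["blacklisted"]
    flags = heuristic_flags(url)
    if len(flags) >= 2:
        return "block", flags
    if flags:
        return "warn", flags
    return "allow", []


if __name__ == "__main__":
    for sample in (
        "https://secure-login.example-bank.verify-account.net/",
        "http://paypal.com@198.51.100.7/login",
        "https://paypal.secure-login.example.org/",
        "https://www.example-bank.com/login",
    ):
        print(sample, "->", classify(sample))
```

The ordering matters: a blacklist hit is authoritative (the article notes Cyveillance backs its feed with a no-false-positives agreement), while heuristics alone only escalate to a block when several independent signals agree, which keeps a single odd-looking but legitimate URL at "warn".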
Opinion: Preventive security is a farce
Steve Duplessie
December 04, 2006 (Computerworld) Q: Why are we still having what seem like the same security issues? Where are the advancements and real solutions? -- X.Z., Wilmington, Del.
Warning: This column is a long, political rant.
A: Oh, no, my friend, it's not the same at all. It's worse. It's much, much worse. You are most likely referring to the fact that you still read about lost tapes in The Wall Street Journal, and you still get malicious viruses sent to you, and you still get outrageous amounts of spam even though you have 11 filters and an armed guard. Preventive security is still a farce in my opinion, and, sorry to say, the ultimate end is going to be that you will never prevent bad people from doing bad things, or good people from doing dumb things, or accidents from happening. All you can hope to do is minimize the damage, and that will inevitably end up meaning you will encrypt everything, all the time. I know, I know. What about the keys? Yeah, yeah, yeah. Deal with it. Ultimately, there is no other way.
Now, having said that, let me tell you something more horrific than the fact that last year my good friends at Marriott lost my personal data (see "When data goes missing: will you even know ") and two weeks later, The Boston Globe not only lost my information, it printed it in hard copy and distributed it across the great state of Massachusetts, apparently.
Democracy itself is being decimated, one hacked bit at a time.
Like many of you, I am smashed in the head with so many sensory inputs daily that I can't possibly comprehend the magnitude of most events. I live in an ADD haze where the fact that thousands of people die every day in wars around the globe and genocide still occurs gets the same nonattention as the cute little puppy left homeless after a local fire or which team won the football game. I think about security and data and privacy and ethics as isolated elements, as singular events designed at the hands of some poor slob or evil-doer with a small-minded mission, like stealing my money. Then I stumbled upon an HBO documentary (via OnDemand) called Hacking Democracy.
This may sound like some political rambling for a few minutes, but bear with me. I'm as capitalistic and conservative as a centrist can be. As a matter of fact, I'm a Republican living in Massachusetts, which makes me the political equivalent of a panda -- odd, interesting to look at, the brunt of many debates and not very threatening since we all know neither of us is going to aggressively attack anyone.
The basis of democracy is that everyone gets the right (and duty, in my opinion) to vote. One person, one vote. You don't like how things are going? You have the right to cast your ballot and try to change it. Granted, most Americans complain and yet don't vote, but they could if they wanted to. We can even vote for complete nitwits, as it is our right. Silly, idealistic me grew up believing this fundamental principle, and believing that all other things I hold dear about the democratic process and all its warts are based upon this one basic principle. It never dawned on me that someone would hijack the process.
Sure, we know that a person could make a "mistake" counting votes. We know that sometimes things get lost -- but only at a small, local level, right? I mean, please, if there are lots of votes to count, we use computers. Counting things is what computers do, isn't it? Haven't we been able to use a computer to tabulate basic math functions since, well, the invention of computers? Wasn't the first computing machine an automated abacus? Of all the problems yet to solve with computers, counting isn't one of them. We did that already. Or so I thought.
A vote-counting computer is the gizmo you use to either vote directly on, if it is a touch screen, or you have your ballot placed into and read, if it's an optical character recognition type. Either way, all that baby has to do is add up how many voters checked Box 1, and how many checked Box 2. That's it. My 12-year-old could program it.
Because we like to believe in higher-level constructs like truth and justice, we sort of just assumed that a) the voting tabulators, a.k.a. dumbed-down calculators (requiring approximately 4% of the functionality of a 69-cent device available in 99% of all electronic products everywhere in the world) could add, and b) the integrity of those machines (i.e., the security of those machines) would be ironclad. Sure, some could be compromised locally, but the checks and balances associated with such a simple process would have to be impossible to overcome, right?
Bam! Smashed in the mouth with reality. I'm not that smart, but here's how I would have assumed such devices might operate:
The magic voting tabulator would have a hardened OS that was entirely self-contained. It would not accept any field changes -- ever. Since all it has to do is add, the program would have been locked down since about 1972. Of course, there would be independent auditors who validate the machine code, create tests to run, and certify the integrity of the machines - that work for the people, by the people. Once the box is "enabled" (i.e., ready to accept votes when the polls open), any physical activity would trigger a tampering fault, and the system would shut down. All the data that had been read thus far would have already been either pushed out to the next level tabulator -- with no data being kept on the collection device itself -- over an encrypted proprietary link. There would be no bidirectional communication allowed: only one way out.
I'm fairly confident I could start a company and deliver the above specified devices without leaving my home and be able to make a tidy profit selling said devices for roughly $200 each. I'm also confident that if my 12-year-old couldn't program it, there's some other neighborhood kid who can. I'd let the guys who keep the nuke codes be the ones who are in charge of verifying the integrity of the system -- or maybe even better, the guys who keep the Oscar winners a secret. Make it a federal crime with the penalty of death for tampering with the voting process. I'd vote for that.
Apparently, I've been drinking the wrong Kool-Aid again. HBO uncovered the ugly truth behind the uglier process. Actually, a grandmother in Seattle did and brought HBO along for the ride. The story is scarier than Hostel and all three Saw movies combined.
This nice Seattle lady, Bev Harris, wondered why her district went from the old fill-in-the-oval ballots to touch screens. She didn't like the answers, so she started snooping around on the Internet. During her homework, she stumbled upon an FTP site from voting machine market leader Diebold. The FTP site contained all the source code for the voting machines. Up until that time, the world was told that source on such devices was completely secure, impenetrable and bulletproof. It was B.S.
She took the source to a few security gurus, who were able to hack the code and make it do whatever they wanted in about 10 seconds. They could make it output any result they wanted, regardless of the input. The Diebold machines used a removable disk that kept the tabulated data. That disk and all the others were then physically removed and inserted into the aggregation machine, which added up all the subvotes, declaring a winner. While the company bold-faced lied to everyone and anyone, insisting the system was impenetrable, Bev and one honest guy who ran a voting district in Florida and smelled a rat proved that they could put a hacked executable on these disks and upload the hack with no problem -- and it takes only one machine to screw up an entire election.
The CEO of Diebold was portrayed as the cheesiest, smarmiest liar I've ever seen. The company spokesman/stooge was a "marketing director," which means there was no way any VP type was going to put his name on this titanic debacle. The poor guy reminded me of Tariq Aziz and Lee Anne McBride combined. (Tariq was Saddam's spinmaster during the first Gulf War, and I loved how this guy could say things like, "We are depleting the enemy of their critical armaments and are assured of victory within hours.") Lee Anne is Dick Cheney's spinmaster. She told us about the unfortunate accident where Dick shot his pal in the head with a shotgun on a very dangerous quail hunting trip.
Diebold's CEO and its spokesman lied to everyone from Congress to me. They did so without any consideration of the facts that stared them in the face. They actually said that Harris stole the source code. It was an awesome display of ethical devolution combined with outright ineptitude. At least Bernie Ebbers and Ken Lay were smart dirtballs. These guys are buffoons.
So it was completely and absolutely proven that the Diebold voting machines had security flaws you could sail an ocean liner through. (For the record, there are two other companies that make this stuff, but I can't remember their names, and they weren't implicated as dirtbags in this documentary.) It was also exposed that they charge huge money for these easily hackable calculators. One district paid $20,000,000 for a bunch of the bad boxes. Absurdity at its finest.
We are, after all, the country that elected Marion Barry back to office even after he was videotaped smoking crack. Democracy in action. The HBO program spent a lot of time showing how Republicans were benefiting by the scam, but the security issue affects all parties and peoples. It did do a nice job of showing how one district in Florida had its machines so wonderfully hacked that not only did Bush kick butt vs. Gore, but Gore actually received negative 16,000 votes. True story.
So, I'm sorry about the political, do-gooder rant. Security matters, and we aren't doing enough about it. It's not about technology alone; it's about policy and process. Presidential candidate Sen. John Kerry knew that in New Mexico, overwhelmingly Democratic districts reporting overwhelmingly Democratic outcomes in the exit polling were reporting Republican victories. He knew, and he did nothing. Worse, by conceding the race under the auspices of saving the belief in the system, there was no legal way to launch an official inquiry. There were people ready to go.
As long as people tolerate security botches, they will occur. As long as greed or power or lunacy is accepted as a reason for leaving a back door open for the ethically challenged, they will enter. As long as our system rewards dirtbags by allowing them to build junk and sell it for a ton, they will. Am I really to believe that IBM couldn't build these things? I don't even want to think about the ATMs these guys make. Stealing my ID sucks; stealing democracy violates every principle I thought I had.
Steve Duplessie
December 04, 2006 (Computerworld) Q: Why are we still having what seem like the same security issues? Where are the advancements and real solutions? -- X.Z., Wilmington, Del.
Warning: This column is a long, political rant.
A: Oh, no, my friend, it's not the same at all. It's worse. It's much, much worse. You are most likely referring to the fact that you still read about lost tapes in The Wall Street Journal, and you still get malicious viruses sent to you, and you still get outrageous amounts of spam even though you have 11 filters and an armed guard. Preventive security is still a farce in my opinion, and, sorry to say, the ultimate end is going to be that you will never prevent bad people from doing bad things, or good people from doing dumb things, or accidents from happening. All you can hope to do is minimize the damage, and that will inevitably end up meaning you will encrypt everything, all the time. I know, I know. What about the keys? Yeah, yeah, yeah. Deal with it. Ultimately, there is no other way.
Now, having said that, let me tell you something more horrific than the fact that last year my good friends at Marriott lost my personal data (see "When data goes missing: will you even know ") and two weeks later, The Boston Globe not only lost my information, it printed it in hard copy and distributed it across the great state of Massachusetts, apparently.
Democracy itself is being decimated, one hacked bit at a time.
Like many of you, I am smashed in the head with so many sensory inputs daily that I can't possibly comprehend the magnitude of most events. I live in an ADD haze where the fact that thousands of people die every day in wars around the globe and genocide still occurs gets the same nonattention as the cute little puppy left homeless after a local fire or which team won the football game. I think about security and data and privacy and ethics as isolated elements, as singular events designed at the hands of some poor slob or evil-doer with a small-minded mission, like stealing my money. Then I stumbled upon an HBO documentary (via OnDemand) called Hacking Democracy.
This may sound like some political rambling for a few minutes, but bear with me. I'm as capitalistic and conservative as a centrist can be. As a matter of fact, I'm a Republican living in Massachusetts, which makes me the political equivalent of a panda -- odd, interesting to look at, the brunt of many debates and not very threatening since we all know neither of us is going to aggressively attack anyone.
The basis of democracy is that everyone gets the right (and duty, in my opinion) to vote. One person, one vote. You don't like how things are going? You have the right to cast your ballot and try to change it. Granted, most Americans complain and yet don't vote, but they could if they wanted to. We can even vote for complete nitwits, as it is our right. Silly, idealistic me grew up believing this fundamental principle, and believing that all other things I hold dear about the democratic process and all its warts are based upon this one basic principle. It never dawned on me that someone would hijack the process.
Sure, we know that a person could make a "mistake" counting votes. We know that sometimes things get lost -- but only at a small, local level, right? I mean, please, if there are lots of votes to count, we use computers. Counting things is what computers do, isn't it? Haven't we been able to use a computer to tabulate basic math functions since, well, the invention of computers? Wasn't the first computing machine an automated abacus? Of all the problems yet to solve with computers, counting isn't one of them. We did that already. Or so I thought.
A vote-counting computer is the gizmo you use to either vote directly on, if it is a touch screen, or you have your ballot placed into and read, if it's an optical character recognition type. Either way, all that baby has to do is add up how many voters checked Box 1, and how many checked Box 2. That's it. My 12-year-old could program it.
Because we like to believe in higher-level constructs like truth and justice, we sort of just assumed that a) the voting tabulators, a.k.a. dumbed-down calculators (requiring approximately 4% of the functionality of a 69-cent device available in 99% of all electronic products everywhere in the world) could add, and b) the integrity of those machines (i.e., the security of those machines) would be ironclad. Sure, some could be compromised locally, but the checks and balances associated with such a simple process would have to be impossible to overcome, right?
Bam! Smashed in the mouth with reality. I'm not that smart, but here's how I would have assumed such devices might operate:
The magic voting tabulator would have a hardened OS that was entirely self-contained. It would not accept any field changes -- ever. Since all it has to do is add, the program would have been locked down since about 1972. Of course, there would be independent auditors who validate the machine code, create tests to run, and certify the integrity of the machines -- that work for the people, by the people. Once the box is "enabled" (i.e., ready to accept votes when the polls open), any physical activity would trigger a tampering fault, and the system would shut down. All the data that had been read thus far would have already been either pushed out to the next level tabulator -- with no data being kept on the collection device itself -- over an encrypted proprietary link. There would be no bidirectional communication allowed: only one way out.
I'm fairly confident I could start a company and deliver the above specified devices without leaving my home and be able to make a tidy profit selling said devices for roughly $200 each. I'm also confident that if my 12-year-old couldn't program it, there's some other neighborhood kid who can. I'd let the guys who keep the nuke codes be the ones who are in charge of verifying the integrity of the system -- or maybe even better, the guys who keep the Oscar winners a secret. Make it a federal crime with the penalty of death for tampering with the voting process. I'd vote for that.
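The tabulator design sketched in the two paragraphs above, reduced to a runnable toy model. This is an added example, not code from the column, from HBO, or from any voting-machine vendor. It assumes (my assumptions, not the column's) that an auditing body publishes the SHA-256 of the certified tabulator build and provisions each device with its own HMAC key, and that records flow one way, tabulator to aggregator. The aggregator then plays the "checks and balances" role: it refuses a record whose code digest is not the certified one, whose integrity tag was not made with the device's key, that arrives twice, or that was produced after the tamper switch fired. Device names, keys and vote counts are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed placeholder for the build an auditor would certify and publish a digest for.
CERTIFIED_FIRMWARE = b"certified tabulator firmware (constructed placeholder)"
CERTIFIED_FIRMWARE_SHA256 = hashlib.sha256(CERTIFIED_FIRMWARE).hexdigest()


def canonical(body: dict) -> bytes:
    """Deterministic JSON so device and aggregator HMAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Tabulator:
    """Precinct device: adds up ballots and emits one keyed record, outbound only."""

    def __init__(self, device_id: str, key: bytes, firmware: bytes):
        self.device_id = device_id
        self.key = key                      # per-device key from the auditor (assumed)
        self.firmware_sha256 = hashlib.sha256(firmware).hexdigest()
        self.counts: Dict[str, int] = {}
        self.enabled = False
        self.tampered = False

    def enable(self) -> None:
        self.enabled = True

    def physical_access(self) -> None:
        """Tamper switch: any physical activity after enable faults the device."""
        self.tampered = True
        self.enabled = False

    def cast(self, choice: str) -> None:
        if not self.enabled:
            raise RuntimeError("device is not accepting votes")
        self.counts[choice] = self.counts.get(choice, 0) + 1

    def export_record(self) -> dict:
        body = {"device": self.device_id, "firmware_sha256": self.firmware_sha256,
                "counts": self.counts, "tampered": self.tampered}
        payload = canonical(body)
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "tag": tag}


class Aggregator:
    """Next-level tabulator: verifies every inbound record before adding it."""

    def __init__(self, device_keys: Dict[str, bytes], certified_sha256: str):
        self.device_keys = device_keys
        self.certified_sha256 = certified_sha256
        self.totals: Dict[str, int] = {}
        self.seen: set = set()

    def ingest(self, record: dict) -> Tuple[bool, str]:
        payload = record["payload"].encode()
        try:
            body = json.loads(payload)
        except ValueError:
            return False, "malformed record"
        key = self.device_keys.get(body.get("device"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record.get("tag", "")):
            return False, "integrity tag mismatch"      # edited after export, no key
        if body.get("firmware_sha256") != self.certified_sha256:
            return False, "uncertified firmware"        # field-modified code
        if body.get("tampered"):
            return False, "tamper fault raised"
        counts = body.get("counts", {})
        if any(not isinstance(n, int) or n < 0 for n in counts.values()):
            return False, "implausible count"           # no precinct has negative votes
        if body["device"] in self.seen:
            return False, "duplicate record"            # same disk fed in twice
        self.seen.add(body["device"])
        for choice, n in counts.items():
            self.totals[choice] = self.totals.get(choice, 0) + n
        return True, "accepted"


def run_demo() -> Tuple[Dict[str, int], List[str]]:
    """Constructed scenario: honest device, modified build, opened case, replay, forgery."""
    keys = {"precinct-1": b"k1-from-auditor", "precinct-2": b"k2-from-auditor",
            "precinct-3": b"k3-from-auditor"}
    agg = Aggregator(keys, CERTIFIED_FIRMWARE_SHA256)

    honest = Tabulator("precinct-1", keys["precinct-1"], CERTIFIED_FIRMWARE)
    honest.enable()
    for choice in ["A", "A", "B", "A", "B"]:
        honest.cast(choice)
    honest_record = honest.export_record()

    modified = Tabulator("precinct-2", keys["precinct-2"], b"field-modified build")
    modified.enable()
    modified.cast("A")

    opened = Tabulator("precinct-3", keys["precinct-3"], CERTIFIED_FIRMWARE)
    opened.enable()
    opened.cast("B")
    opened.physical_access()                # case opened after the polls opened

    forged = dict(honest_record)            # counts edited on the disk, tag left as-is
    forged["payload"] = honest_record["payload"].replace('"B":2', '"B":-16000')

    rejections = []
    for rec in [honest_record, modified.export_record(), opened.export_record(),
                honest_record, forged]:
        ok, reason = agg.ingest(rec)
        if not ok:
            rejections.append(reason)
    return agg.totals, rejections


if __name__ == "__main__":
    print(run_demo())
```

The point of the example is that none of the checks depends on the device being trustworthy: the aggregator only trusts the published firmware digest and its own copy of each device's key, so a disk carrying a modified executable or edited counts is refused at the aggregation step rather than silently summed.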
Apparently, I've been drinking the wrong Kool-Aid again. HBO uncovered the ugly truth behind the uglier process. Actually, a grandmother in Seattle did and brought HBO along for the ride. The story is scarier than Hostel and all three Saw movies combined.
This nice Seattle lady, Bev Harris, wondered why her district went from the old fill-in-the-oval ballots to touch screens. She didn't like the answers, so she started snooping around on the Internet. During her homework, she stumbled upon an FTP site from voting machine market leader Diebold. The FTP site contained all the source code for the voting machines. Up until that time, the world was told that source on such devices was completely secure, impenetrable and bulletproof. It was B.S.
She took the source to a few security gurus, who were able to hack the code and make it do whatever they wanted in about 10 seconds. They could make it output any result they wanted, regardless of the input. The Diebold machines used a removable disk that kept the tabulated data. That disk and all the others were then physically removed and inserted into the aggregation machine, which added up all the subvotes, declaring a winner. While the company boldface-lied to everyone and anyone, insisting the system was impenetrable, Bev and one honest guy who ran a voting district in Florida and smelled a rat proved that they could put a hacked executable on these disks and upload the hack with no problem -- and it takes only one machine to screw up an entire election.
The CEO of Diebold was portrayed as the cheesiest, smarmiest liar I've ever seen. The company spokesman/stooge was a "marketing director," which means there was no way any VP type was going to put his name on this titanic debacle. The poor guy reminded me of Tariq Aziz and Lee Anne McBride combined. (Tariq was Saddam's spinmaster during the first Gulf War, and I loved how this guy could say things like, "We are depleting the enemy of their critical armaments and are assured of victory within hours.") Lee Anne is Dick Cheney's spinmaster. She told us about the unfortunate accident where Dick shot his pal in the head with a shotgun on a very dangerous quail hunting trip.
Diebold's CEO and its spokesman lied to everyone from Congress to me. They did so without any consideration of the facts that stared them in the face. They actually said that Harris stole the source code. It was an awesome display of ethical devolution combined with outright ineptitude. At least Bernie Ebbers and Ken Lay were smart dirtballs. These guys are buffoons.
So it was completely and absolutely proven that the Diebold voting machines had security flaws you could sail an ocean liner through. (For the record, there are two other companies that make this stuff, but I can't remember their names, and they weren't implicated as dirtbags in this documentary.) It was also exposed that they charge huge money for these easily hackable calculators. One district paid $20,000,000 for a bunch of the bad boxes. Absurdity at its finest.
We are, after all, the country that elected Marion Barry back to office even after he was videotaped smoking crack. Democracy in action. The HBO program spent a lot of time showing how Republicans were benefiting by the scam, but the security issue affects all parties and peoples. It did do a nice job of showing how one district in Florida had its machines so wonderfully hacked that not only did Bush kick butt vs. Gore, but Gore actually received negative 16,000 votes. True story.
So, I'm sorry about the political, do-gooder rant. Security matters, and we aren't doing enough about it. It's not about technology alone; it's about policy and process. Presidential candidate Sen. John Kerry knew that in New Mexico, overwhelmingly Democratic districts reporting overwhelmingly Democratic outcomes in the exit polling were reporting Republican victories. He knew, and he did nothing. Worse, by conceding the race under the auspices of saving the belief in the system, there was no legal way to launch an official inquiry. There were people ready to go.
As long as people tolerate security botches, they will occur. As long as greed or power or lunacy is accepted as a reason for leaving a back door open for the ethically challenged, they will enter. As long as our system rewards dirtbags by allowing them to build junk and sell it for a ton, they will. Am I really to believe that IBM couldn't build these things? I don't even want to think about the ATMs these guys make. Stealing my ID sucks; stealing democracy violates every principle I thought I had.
2006: The year in security
Jeremy Kirk and Robert McMillan
December 07, 2006 (IDG News Service) Though Internet-crippling virus attacks now seem to be a thing of the past, PC users didn't feel a lot more secure in 2006. That's because online attacks have become more sneaky and professional, as a new breed of financially motivated cybercriminals has emerged as public enemy No. 1. Microsoft Corp. patched more bugs than ever, and whole new classes of flaws were discovered in kernel-level drivers, office suites and on widely used Web sites. Vendors' chatter about security is at an all-time high, but the bad guys are still finding lots of places to attack.
And, oh yes, spam is back.
Following are five of the top computer security stories in 2006.
Cybercrime dividends
Hackers teamed with professional criminal gangs in increasingly sophisticated computer crime operations aimed purely for profit.
Much of the trouble centered on phishing, a type of attack where fake Web pages are constructed to harvest log-in details, credit card numbers or other personal information. Credit card numbers are often sold online for illicit gain.
In May, 20,000 phishing complaints were reported, a 34% increase over the previous year, according to a U.S. Department of Justice report. The U.S. hosts the largest percentage of phishing sites, it said.
But law enforcement agencies are getting more organized and cooperating better, particularly in international investigations. At least 45 countries participate in the G8 24/7 High Tech Crime Network, which requires nations to have contacts available around the clock to aid in quickly securing electronic evidence for transborder cybercrime investigations.
The private sector has also helped. Microsoft filed dozens of civil suits and gave information to law enforcement for criminal cases in Europe, the Middle East and the U.S. against alleged phishers throughout 2006.
It's a brand-new zero day
With automatic software updates now the norm, hackers have been forced to look a little harder for ways to put their malicious software on unsuspecting victims' PCs. In 2006, they turned to zero-day attacks as never before.
These attacks take advantage of previously unreported flaws in software, and in 2006, they became a top concern, according to the SANS Institute. In fact, hackers kicked off the new year in 2006 by releasing zero-day attack code based on a flaw in the way Internet Explorer handled Windows Metafile documents.
This was followed later in the year by a rash of very targeted online attacks that exploited unpatched flaws in Microsoft's Office software. In fact, Microsoft warned of the latest such attack -- this one targeting a flaw in Word -- just this Tuesday (see "Microsoft warns of zero-day attack on Word").
To underline the scope of the zero-day problem, security researchers launched widely publicized "Month of Kernel Bugs" and "Month of Browser Bugs" projects, during which they exposed a new, unpatched vulnerability in browsers and operating systems every day for a month.
Spam avalanche
Microsoft's Chief Software Architect Bill Gates predicted two years ago that spam would be gone by 2006. He should check his in-box.
Rising volumes of junk mail nagged IT administrators throughout 2006. Up to 90% of all e-mail was spam, depending on the vendor recording the statistics. Spammers found creative ways to circumvent security software. Image-based spam, where individual messages appear to be unique by subtracting or adding pixels, foiled some security techniques.
Spammers also put messages in the images themselves, a tougher challenge to stop since it requires processor-intensive optical character recognition techniques. Spam remained the delivery vehicle for other malicious software such as keystroke loggers and rootkits in addition to promoting links to phishing sites, which often aim to steal financial data or log-in credentials.
Web 2.0 gets Hacked 1.0
MySpace.com may be a poster child for Web 2.0, but from a security perspective, it hasn't been looking so pretty.
That's because the popular social networking site was hit hard this week by a password-stealing worm that exploited a scripting vulnerability on the Web site. And this was not even the first worm to hit MySpace. In October, another more benign worm, called Samy, automatically added a Los Angeles teenager's name to visitors' profiles, quickly making him appear to be the most popular member of the MySpace community (see "Teen uses worm to boost ratings on MySpace.com").
Security experts say that the kind of cross-site scripting attack used in the recent MySpace worm has become much more prevalent in the past year, as hackers have discovered just how much can be done with these attacks. These bugs can be used to do far more harm than many people realize, security experts say, including forcing PCs to download illegal content, hack other Web sites or send e-mail.
Vista lockout irks vendors
Microsoft rankled security vendors by saying it wouldn't allow their software to access the kernel of the 64-bit version of Windows Vista. Patch Guard, Microsoft's kernel security technology, blocks access to prevent unauthorized modifications by malicious software.
Vendors, led by Symantec Corp. and McAfee Inc., argued they needed access to the kernel to detect malicious software such as rootkits, which burrow deep into the operating system. After a flurry of public statements and pressure from the European Commission, Microsoft agreed to make application programming interfaces (API) available.
The APIs will allow host intrusion-prevention technologies used by vendors to function without hooking the kernel. But Microsoft said the APIs wouldn't be ready until the release of Service Pack 1 for Vista.
Internet gangs hire students for cybercrime
By Peter Griffiths
Fri Dec 8, 3:51 AM ET
Organized gangs have adopted "KGB-style" tactics to hire high-flying computer students to commit Internet crime, a report said on Friday.
Criminals are targeting universities, computer clubs and online forums to find undergraduates, according to Internet security firm McAfee.
Some gangs have sponsored promising students from other disciplines to attend computer courses before planting them in businesses as "sleepers."
McAfee said the students write computer viruses, commit identity theft and launder money in a multi-billion dollar industry that is more lucrative than the drugs trade.
The gangs' tactics echo the way Russian agents sought out experts at trade conferences or universities during the Cold War, the company said in an annual report.
"Although organized criminals may have less of the expertise and access needed to commit cybercrimes, they have the funds to buy the necessary people to do it for them," the report says.
McAfee said its study was based partly on FBI and European intelligence.
In Eastern Europe, some people are lured into "cybercrime" because of high unemployment and low wages.
"Many of these cybercriminals see the Internet as a job opportunity," McAfee quoted FBI Internet security expert Dave Thomas as saying. "With low employment, they can use their technical skills to feed their family."
Hackers are paid to write computer viruses that can infect millions of machines to discover confidential information or send unwanted "spam" emails.
This "spyware" can detect credit card numbers or other personal information which is then used by fraudsters.
Criminals trawl through social networking Web sites which allow people to leave their pictures and personal details.
Their research helps them to target "phishing" attacks, where people are sent fraudulent emails to trick them into revealing credit card numbers.
Hackers are increasingly hired to spy on businesses, McAfee said. "Corporate espionage is big business," it added.