Friday, March 14, 2008

Daily News Items

NEWS

How software helped nail Eliot Spitzer, prostitution ring

blogs.zdnet.com — New York Governor (for now) Eliot Spitzer’s prostitute scandal is all the big news here in New York, but the lesser known tale is how an information system–the U.S. Treasury’s Financial Crimes Enforcement Network–played a role in his downfall.


Postscript: The Wall Street Journal in its Wednesday edition reports that Capital One’s North Fork unit is at least one of the banks that flagged Spitzer’s transactions. The Journal notes that banks monitor the financial transactions of politically connected people–legislators, judges and their relatives–to probe for ill-gotten gains.

Wow! It is already the 2nd Tuesday of the month, and with it comes the announcement of some new bulletins! This is Tami Gallupe, MSRC Release Manager, and I just wanted to let you know that we just posted our March 2008 Bulletins. We released four bulletins today, all are for Office and all have a maximum severity rating of Critical. Here is a quick list of what we released:

MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. Note that this Excel bulletin addresses the issue highlighted in Microsoft Security Advisory (947563).

MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution

MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution

Our team also plans to post some additional in-depth technical information about today’s release on the Security Vulnerability Research & Defense blog. It will be available this afternoon, and I think it will be worthwhile to stop by and check it out.

http://blogs.washingtonpost.com/securityfix/

Posted at 02:30 PM ET, 03/11/2008

Microsoft Patches 12 Office Security Holes

Microsoft today issued four updates to fix at least a dozen security vulnerabilities in its Office software products. All of the updates earned Microsoft's "critical" label, meaning attackers could exploit the flaws to break into Windows systems with little or no help from users.

Included in today's Patch Tuesday roundup are fixes for just about every Office suite or stand-alone product that Microsoft currently supports -- going back to Office 2000 and including Office for Mac software and various Office Viewer components.

One of the updates, which mends at least seven flaws in different Office titles, patches a security hole that hackers were exploiting as early as last week, according to reports from US-CERT and the SANS Internet Storm Center.

Interestingly, that patch and one other address security holes found in Office 2007, a product that underwent rigorous code review in an attempt to minimize the kinds of security weaknesses that were found to be pervasive in older versions of Office.

RFID-Hack Hits 1 Billion Digital Access Cards Worldwide

A warning is issued that some security access cards that use RFID technology are vulnerable to hack attacks. 12-Mar-2008

Pointsec Full Disk Encryption cracked

"This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.

This attack is made possible because the operating system on the computer loads and boots directly into Windows without first asking for a Pointsec ‘preboot authentication’ password. Normally, with whole disk encryption, a user is required to enter a password immediately upon turning the machine on. That password is what unlocks the decryption key and allows the rest of the operating system to load and execute. This FireWire attack would not be successful in that case, because the attack requires that Windows already be up and running. In the circumstance of a properly configured encrypted computer, a stolen system that is powered off would be well protected from unauthorized access and this type of attack."

Hacking Medical Devices

Okay, so this could be big news:

But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.

They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal -- if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory.

The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery.

There's only a little bit of hyperbole in the New York Times article. The research is being conducted by the Medical Device Security Center, with researchers from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington. They have two published papers:

This is from the FAQ for the second paper (an ICD is an implantable cardiac defibrillator):

As part of our research we evaluated the security and privacy properties of a common ICD. We investigate whether a malicious party could create his or her own equipment capable of wirelessly communicating with this ICD.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could violate the privacy of patient information and medical telemetry. The ICD wirelessly transmits patient information and telemetry without observable encryption. The adversary's computer could intercept wireless signals from the ICD and learn information including: the patient's name, the patient's medical history, the patient's date of birth, and so on.

Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.

Of course, we all know how this happened. It's a story we've seen a zillion times before: the designers didn't think about security, so the design wasn't secure.

The researchers are making it very clear that this doesn't mean people shouldn't get pacemakers and ICDs. Again, from the FAQ:

We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.

For all our experiments our antenna, radio hardware, and PC were near the ICD. Our experiments were conducted in a computer laboratory and utilized simulated patient data. We did not experiment with extending the distance between the antenna and the ICD.

I agree with this answer. The risks are there, but the benefits of these devices are much greater. The point of this research isn't to help people hack into pacemakers and commit murder, but to enable medical device companies to design better implantable equipment in the future. I think it's great work.

Of course, that will only happen if the medical device companies don't react like idiots:

Medtronic, the industry leader in cardiac regulating implants, said Tuesday that it welcomed the chance to look at security issues with doctors, regulators and researchers, adding that it had never encountered illegal or unauthorized hacking of its devices that have telemetry, or wireless control, capabilities.

"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," a Medtronic spokesman, Robert Clark, said. Mr. Clark added that newer implants with longer transmission ranges than Maximo also had enhanced security.

[...]

St. Jude Medical, the third major defibrillator company, said it used "proprietary techniques" to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them.

Just because you have no knowledge of something happening does not mean it's not a risk.

Another article.

The general moral here: more and more, computer technology is becoming intimately embedded into our lives. And with each new application comes new security risks. And we have to take those risks seriously.

Posted on March 12, 2008 at 10:39 AM

UN backs out of virtual protest against Internet censorship

Reporters Without Borders organized today's Online Free Expression Day and accompanying cyber-protests, but was dismayed when a UN agency backed out of sponsoring the event at the last minute.

March 12, 2008 - 12:25PM CT - by Nate Anderson


Study: amount of digital info > global storage capacity

A study conducted by IDC has determined that the total volume of digital content has surpassed the total storage capacity supplied. The digital universe has grown to 281 billion gigabytes.

March 12, 2008 - 10:30AM CT - by Ryan Paul


Airplanes Produce Dangerous Turbulence

Turbulence is never desirable whenever talking about airplanes, however it is an effe...

in Nano-Biotechnology, 12 March, 15:57 GMT

R.E.M. Puts New Album Online Via iLike

from the a-step-in-the-right-direction dept

R.E.M. is the latest big name band to take a step in the right direction, as it's making its new album available via iLike, the popular social networking app, even before it releases the actual album. As R.E.M.'s Michael Stipe said:

"I think you can either go with it or sit back and watch it happen, and I would rather be out on the field than in the bleachers."

This one is interesting, as the band is still on a major label (Warner Music), unlike many of the other, more radical, experiments we've been seeing. The band had also made news a few weeks ago by allowing fans to create videos of the first single off the album. It's not entirely clear why they are doing this through iLike. It never makes sense to me to focus on one app or system. After all, the music can go anywhere, so why not make it available however people want it? Either way, it's certainly a step (if just a small one) in the right direction, especially from a big name artist on a major label.


Library of Congress Photos on Flickr

By Kate Greene | 01/22/2008

http://www.baselinemag.com/index2.php?option=content&task=view&id=4536&pop=1&hide_ads=1&page=0&hide_js=1

Is There Really an IT Labor Shortage?
By Ericka Chickowski

Despite what you've been told about the IT skills shortage, there's a multitude of evidence that suggests that line of reasoning is a self-serving myth. Baseline cuts into the belly of the IT shortage debate.

ICANN recommendations on fast-flux hosting not tough enough: experts

Jack Rogers March 12, 2008

Security experts have expressed skepticism that recent recommendations from ICANN for combatting fast-flux hosting will do much to stop the practice, which is utilized by criminal bot herders to mask their activities.

Exploit code created for hole in RealPlayer

Dan Kaplan March 11, 2008

The researcher who discovered a zero-day vulnerability in the widely deployed RealPlayer has developed a working exploit for it, he told SCMagazineUS.com on Tuesday.

Spam Takes a Vacation - 3/11/2008 5:50:00 PM
South sea islands account for more spam per capita than anyplace else in the world

FTP Hacking on the Rise - 3/11/2008 4:20:00 PM
First it was stolen FTP server admin privileges. Now it's spam messages with bot-infected FTP links

Australian Government Systems Under Attack - 3/10/2008 6:00:00 PM
Officials not ready to say China is the source

U.S. kicks off second cyber war game
News Brief, 2008-03-11
The United States aims to learn more about weaknesses in its critical infrastructure with Cyber Storm II, an international exercise that pits imaginary enemies against private and public defenders.

"Intel has confirmed plans to ship a new line of solid-state drives for laptop and notebook PCs with storage capacities of 80GB to 160GB. While it did not lock in a ship date, Intel told Computerworld that the drives would be available in the second quarter. From the story: 'An aggressive move into the laptop and PC notebook flash disk drive business would catapult Intel into direct competition with hard drive manufacturers such as Toshiba Corp. and Samsung Electronics Co. that are trying to spark demand before their SATA-based offerings are released in the coming months.'"

Here are the answers to your questions for Major General William T. Lord, who runs the just-getting-off-the-ground Air Force Cyber Command. Before you ask: yes, his answers were checked by both PR and security people. Also, please note that this interview is a "first," in that Generals don't typically take questions from random people on forums like Slashdot, and that it is being watched all the way up the chain of command into the Pentagon. Many big-wigs will read what you post here -- and a lot of them are interested in what you say and may even use your suggestions to help set future recruiting and operational policies. A special "thank you" goes to Maj. Gen. Lord for participating in this experiment, along with kudos to the (necessarily anonymous) people who helped us arrange this interview.

· Judge Rules Against Accused Spyware Distributor PC World - Mon Mar 10, 5:20 PM ET

The U.S. Federal Trade Commission gets a judgment against a company accused of distributing spyware and adware onto people's computers.

Japan To Outlaw Child Porn Possession

Date: March 11, 2008
Source: Allheadlinenews.com
By: Vittorio Hernandez

Tokyo, Japan (AHN) - Japan is drafting legislation to ban possession of child pornography, but the prohibition reportedly exempts manga comics and animated film. The draft law is in response to international pressure.

Among G8 countries, Japan and Russia still have yet to ban owning pornographic images of children, as long as the owner does not intend to sell or distribute the images on the Internet. In 1999, Tokyo forbade the production, sale and distribution of pornographic images of children under 18. But, despite the law, Japan remains one of the top suppliers of underage pornography and second biggest consumer after the United States.

Yuka Saito of the Unicef Japan office told Guardian Unlimited it wanted to include manga in the ban, but it was encountering difficulties. "We keep encountering arguments about freedom of expression, but if the U.S. and other countries can ban that kind of material, why does Japan continue to tolerate it?" Saito asked.

Even Japan's legal system is less tough when it comes to printed materials. The October arrest of the U-15 magazine on child prostitution and pornography charges resulted in the indictment of the suspects on a less serious charge of violating the Child Welfare Law.

The Tokyo district prosecutor explained, "While the DVDs qualify as child pornography, we have determined that compared to magazines and other materials being sold, the pornographic content is not very high."
