Wednesday, February 14, 2007

mobile dynamic security

Mobile attacks jumped fivefold in 2006, study says

Large-scale attacks were most likely in Europe, Asia and the Pacific Rim

Gregg Keizer   

The number of security attacks reported by mobile phone operators in 2006 jumped fivefold over the year before, a McAfee Inc. study reported today.

According to data gleaned from more than 200 mobile operators worldwide, an overwhelming majority -- 83% -- said that their subscribers have been hit by some kind of mobile device infection. "This research clearly demonstrates that mobile security is moving quickly up the industry agenda, with the number of malware incidents rising," Victor Kouznetsov, McAfee's senior vice president of mobile security, said in a statement.

Large-scale attacks during 2006 were most likely in Europe, Asia and the Pacific Rim. In those regions, the number of operators reporting incidents that affected more than 1,000 devices doubled during the year.

Operators worry most about the impact of attacks on their reputations and, ultimately, customer satisfaction, the security vendor said. In particular, they worry about the loss of credibility regarding the reliability of new transaction- and content-based services such as music downloads that mobile service providers hope will boost revenue. More than 70% of the surveyed mobile operators cited that as a top concern.

"As mobile data use and functionality proliferates, security is becoming an essential enabler for the success of new revenue-generating services," said Kouznetsov.

Predictions of widespread mobile device attacks -- while made annually by security vendors and analysts -- have not yet been borne out. That was backed up by the survey, which noted that attacks involving between 1,000 and 100,000 devices accounted for just 15% of all reported security events.


Wi-Fi security risk

RSA: Attendees drop ball on Wi-Fi security

Many IT security experts at conference used unsecured devices

John Cox   

 February 12, 2007 (Network World) -- More than half of the wireless LAN devices being used at last week's RSA Conference on information security were themselves unsecured.

That means that the network security experts charged with protecting enterprise data weren't even protecting their own.
The finding was the result of two days of WLAN traffic scanning by wireless security vendor AirDefense Inc. On the first two days of the conference, AirDefense monitors found that more than half of the wireless devices on the conference network were vulnerable to two classes of attacks.

One was the "Evil Twin" attack, in which the attacker tricks a victim into wirelessly connecting to a laptop or handheld device posing as a legitimate access point or hot spot. The second class was various "zero day" attacks, which exploit newly found software flaws in applications such as Internet Explorer that haven't yet been fixed by the vendor or patched by the user.

On Day 1, Tuesday, 347 of 623, or 56% of laptops and handhelds were vulnerable. On the second day, almost the same percentage, 57%, were vulnerable, but the numbers were higher: 481 of 847 devices.

In a statement, AirDefense Chief Security Officer Richard Rushing said the vulnerabilities were not the fault of the conference network, which he praised as being secured "as well or better than most standard corporate networks."

Also on Day 1 of the monitoring, AirDefense found 70 devices using peer-to-peer connections by means of common Service Set Identifiers, or network names, such as "Free Internet Access" and "Linksys." On Day 2, the number rose to 87.

The monitoring found 30 devices pretending to be access points, and two of these pretending to be access points on the conference network. One of the two even had a self-signed certificate to mimic the conference authentication server. Five others were masquerading as common hotspots, with names such as "tmobile," "IBAHN" and several local hotels.

On Day 1, there were 57 denial-of-service attacks, including de-authenticating clients and jamming transmissions. That jumped to 85 on Day 2.

The airwaves were regularly and repeatedly scanned for access points by attendees using programs such as NetStumbler. Forty-five devices on the network had altered media access control addresses, apparently in an effort to hide the identity of the device and its user.

On Day 2, AirDefense reported, the tools used in the attacks were more sophisticated. Some tools were variations of the Karma program, which mimics the access point that the target laptop or handheld device is probing for. One attacker had wirelessly seized eight machines and used them to launch simultaneous attacks.

Many client devices connecting to an unencrypted network disclosed a wealth of information about their corporate networks, including domain, authentication server, Active Directory, user name and computer name. Leaking NetBIOS and IPX traffic information was common. According to AirDefense, attackers could (and may have) captured the corporate usernames and authentication hashes sent by the users over the airwaves.


dynamic security

Hacker allegedly breaks hi-def disc encryption

Will Sony now use its BD Plus protection to stop illegal copying?

Lucas Mearian   




February 13, 2007 (Computerworld) -- A hacker has reportedly broken through the keys used to unlock digital rights management (DRM) for all Blu-ray and HD DVD movies so that they can be copied to hard drives.

DVD backup forum Doom9 posted a blog stating that a hacker called "arnezami" found the processing key used to decrypt the DRM on all high definition films.

"That's pretty significant," said Jeff Moss, organizer of DefCon, the world's largest hacking convention that draws thousands of security researchers, government workers and hackers. "Now you can purchase the [DVD] content, store it, organize it, and arrange it any way you want" on a hard drive.


In December, companies behind a copyright protection system for high-definition DVDs reported they were investigating a hacker's claim that he had cracked the code protecting the new discs from piracy (see "High-def DVD copyright security allegedly hacked"). The hacker, known as Muslix64, posted on the Internet details of how he unlocked the encryption, known as the Advanced Access Content System, which prevents high-definition discs from illegal copying by restricting which devices can play them.


Muslix64's BackupHDDVD software did not crack AACS, but it will make it easier for some technically adept users to decrypt movies (see "Researchers: Hack will help kill HD-DVD copy protection").

The AACS system was developed by companies, including the Walt Disney Co., Intel Corp., Microsoft Corp., Toshiba Corp. and Sony Corp., to protect high-definition formats, including Toshiba's HD-DVD and Sony's Blu-ray.

Calls to Sony and Microsoft had not been returned by the time of this story’s posting.

While there are no automated tools to perform high-definition DVD backups, Moss believes someone over the next few months "will create a nice graphical tool -- if the hack is for real -- that will allow you to back up your HD DVD just like you back up your DVDs."

"It might actually help create a whole new group of products for people to help manage their own media. So I'm not shedding a whole lot of tears over it," Moss said.

Sony now has the option of activating an additional level of DRM protection called BD Plus, a proprietary code aimed only at Blu-ray Disc formats. The question then would become whether HD DVD would have an advantage because it could be backed up to a home entertainment system.


posted by Made4biz Security at | 0 Comments  

Lost Laptops

FBI in the dark about its own lost laptops, DOJ report says

It lost 160 laptops in less than four years, some with sensitive data

Gregg Keizer   

The FBI lost 160 laptop computers in less than four years, or an average of nearly four each month, according to the inspector general for the Department of Justice. In many cases, the FBI didn't know what was on the missing computers.

Although the audit by the inspector general concluded that the FBI was doing a better job of hanging on to its laptops than it had in the past -- during an earlier review period losses averaged more than 11 a month -- it criticized the agency for not enforcing its own rules on reporting lost or stolen hardware. And the inspector general hit the agency for not being able to detail the contents of the laptops.

Ten of the computers had confidential or sensitive data on their hard drives, according to the report, including one stolen in the Boston area that included software for creating FBI identification badges. And 51 other systems also may have contained secrets. Of those, six had been assigned to the FBI's counterintelligence division and one had been with the agency's counterterrorism division.

"The FBI did not know the content of these computers or whether they contained sensitive or classified information," said the report. "Without knowing the contents of these lost and stolen laptop computers, it is impossible for the FBI to know the extent of the damage these losses might have had on its operations or on national security."

Counterintelligence and Counterterrorism are two departments in the FBI regularly entrusted with the agency's most confidential information.

The same audit also uncovered the loss of 160 FBI weapons, including 10 shotguns, six submachine guns and eight rifles, during the 44-month span. Unlike the majority of the laptops, which were reported as lost, 59% of the weapons were stolen, many from agents' vehicles.

In a statement yesterday, FBI Assistant Director John Miller noted that weapon and laptop losses at the agency had been reduced, but acknowledged that "more needs to be done to ensure the proper handling of the loss and theft of weapons and laptops, and the information maintained on them."

The FBI isn't the only federal agency having trouble keeping track of its computers. Yesterday, the Department of Veterans Affairs, for example, announced that a lost laptop may have contained as many as 1.8 million records of veterans and doctors. That's 36 times more than the 50,000 individuals first thought to be affected by the loss.

The inspector general's report is available online (download PDF).



ID theft

ID Theft: Where you live makes a difference, study finds

N.Y., Calif. and Nevada are among the riskiest for ID theft

Jaikumar Vijayan   

Faulkton, S.D., has a population of 800 and virtually no crime to speak of. Yet the citizens of this rural town are second only to the people in Floral Park, N.Y., when it comes to being at risk for having their identities stolen.

That's just one of the findings of a study released today by San Diego, Calif.-based risk management firm ID Analytics Inc., which looked at U.S. identity fraud rates by geography.

Topping the list as the riskiest states for ID theft are New York, California, Nevada and Arizona, while the safest ones are Wyoming, Vermont, Montana and North Dakota. The riskiest 5-digit zip codes for ID theft -- after Floral Park and Faulkton -- are Old Bethpage, N.Y., New York City and Manhasset, N.Y.

The ID Analytics report is based on a study of over one million fraud events as indicated by fraudulent applications for credit using stolen identity data. The findings can help pinpoint specific areas where criminals may be operating in an organized fashion, said Stephen Coggeshall, CTO at ID Analytics and the author of the report. "We think it can provide valuable information for a variety of people," including financial institutions, retailers and law enforcement, he said.

The report could also tell consumers "if they live in a high identity fraud area," he said.

The ID Analytics study is so detailed that it can pinpoint specific addresses associated with a high level of identity theft risk, he said. "Whether these are victims or perpetrators of ID theft is not 100% clear," Coggeshall said. But there are "strong indicators" that a majority of these addresses are associated with perpetrators, he said.

The ID Analytics findings are consistent with other studies when it comes to highlighting risky areas, Coggeshall said. However, unlike previous research based largely on consumer victim reports, the ID Analytics study is based on an analysis of attempted fraud using compromised data.

That distinction is important because an overwhelming majority of identity fraud results from the creation of "synthetic" identities rather than "true name" identity theft, an ID Analytics white paper noted. As a result, there is often no consumer victim to report the crime.

The identity-level data elements used for the analysis came from ID Analytics' customers in the financial services, retail, health care, telecommunications and other industries. The data included names, addresses and Social Security numbers culled from account applications and other transactions monitored by ID Analytics for fraudulent activity.

Fraud rates were calculated by dividing the total number of reported identity fraud incidents by the number of applications to credit grantors during 2005 through June 2006, Coggeshall said. The approach allowed for a better comparison of fraud rates across areas with different population densities, he said.

"We do see stability across time," Coggeshall said.

States that are consistently risky tend to be West Coast states such as California, Nevada, Arizona and Oregon, as well as New York, Texas, Florida, Illinois, Michigan, Alaska and Hawaii. The least risky states tend to be upper Midwestern ones such as Montana, Idaho, Wyoming and South Dakota, as well as New England states such as New Hampshire, Vermont and Massachusetts.



Dynamic Security

Lost VA hard drive may have held 1.8M IDs

Initially, the agency said just 50,000 were potentially affected

Gregg Keizer   

 The U.S. Department of Veterans Affairs yesterday began notifying 1.8 million veterans and doctors whose personal information may have been on a hard drive lost Jan. 22 that their data could be at risk. When the agency first reported the drive missing on Feb. 2, it said just 50,000 identities were involved.

In a weekend update, VA Secretary Jim Nicholson said that an investigation led by the department's inspector general had concluded information on 535,000 veterans might have been kept on the drive, along with data on 1.3 million physicians not associated with the VA.

According to the office of Rep. Artur Davis (D-Ala.), some of the veterans' information included names and matching Social Security numbers. The data on the doctors, said Davis in a letter posted to his Web site after a briefing by VA, included physicians' billing information and codes for Medicare services, which "could potentially be utilized for Medicare billing fraud."

According to the VA, the portable hard drive was reported missing by an employee at the Birmingham, Ala., VA Medical Center on Jan. 22. An investigation was launched the next day. Davis' district includes the city of Birmingham.

The announcement that nearly 2 million identities may have been on the drive was yet another embarrassment to VA, which last May announced that a laptop and hard drive containing 26.5 million personal records of current and former members of the military had been stolen. Although the hardware was later recovered, the incident led to a revamping of agency rules concerning information storage and use.

Nicholson again promised that his agency would lock down data. "VA is unwavering in our resolve to bolster our data security measures," he said in a statement. "We remain focused on doing everything that can be done to protect the personal information with which we are entrusted."

Davis, who earlier called the loss "unacceptable," also questioned why it took the VA three weeks after learning of the drive's loss to begin notifying veterans. Last Friday, he urged Nicholson to contact affected vets and doctors, said his spokesman, Cory Ealons.

VA will provide one year of free credit monitoring to people whose personal information may have been compromised.


