Joan Laporta was reportedly fuming as his laptop apparently went walkabout whilst he was managing his team in their game against Manchester United last week at Camp Nou.
It wasn’t bad enough that Laporta had to endure a no-score draw from the match, despite his team having 65 per cent of the possession. The guy gets back to his office in the morning and finds his laptop has gone walkies.
Was it the cleaner, paid by an enthusiastic paparazzo looking for nuddy pictures of Mrs Joan Laporta, or was it the work of a shadowy industrial espionage figure? It doesn’t really matter; what does matter is that this is one more recent case where physical theft was chosen over an electronic attack.
Is your company protected from a physical attack?
Goal.com has the full story here.
Filed under: Physical Security
Tags: engineering, social
TechCrunch and The Register were both running a story a few days ago about the physical theft of servers from a Carphone Warehouse-owned ISP’s data center on a Sunday evening.
In my previous post I mentioned that in a world where networks become more and more secure, the bad guys will have to become more creative, and a large part of that will be physical break-ins and social engineering.
You see, even as computers become smarter and smarter, evil nasty types can always rely on human stupidity and laziness, even after thousands of years of evolution.
Filed under: Physical Security
Tags: hacking, social engineering
That was the lesson Northern Trust Bank of Naples, FL was taught when a 34-year-old employee stole a number of computers and hawked them on eBay and to his colleagues.
It is important for corporations of all sizes to understand that attacks won’t always initiate from outside the corporate environment.
In the case of the 34-year-old bank employee, the fact that up to 15 bank PCs have gone missing, almost certainly means that bank customer and/or employee data has gone too.
Although normally it’s the laptops that get stolen, this time around it’s the bank’s desktops that have gone. This simply illustrates the need for a rule that all data is encrypted regardless of its physical location, and also that it’s impossible to know whether there are rogue elements in an organisation, or who they are.
It’s a lot safer to consider both the inside and outside networks as equally untrusted. It’s important to use access control at both the electronic and physical levels.
“The bank employee at the centre of the US bank computer theft case now faces up to three years in prison, but if any customer data lost as a result is used for fraud, then the incident could be an expensive one for the Northern Trust Bank. The US is a highly litigious country and the bank could yet see a class action lawsuit, even if the data is not used for fraud. If I were a Northern Trust Bank director, I’d be more than a little worried about this case,” he said.
In a world where networks become more and more secure, the bad guys will have to become more creative, and a large part of that will be physical break-ins and social engineering. Are you ready?
Filed under: General Security
Tags: banks, social engineering, USA
Fortify decided to jump on the SQL Injection bandwagon with the following statement:
Fortify says that [the recent] reports of a rash of SQL attacks on Web sites should make software developers sit up and take notice.
“Newswire reports suggest that hundreds of thousands of Web sites have been hit by a mass SQL attack. This is symptomatic of hackers developing highly sophisticated and semi-automated attack routines,” said Jacob West, Manager of Fortify’s Security Research Group.
West added that “The script or tool behind the attack uses Google to search for sites that include a file type and parameter that appear to often be susceptible to SQL injection and uses that list returned from Google to mount its attack. The attack uses the SQL injection vulnerability to mount a persistent cross-site scripting attack that embeds malicious JavaScript/HTML in the vulnerable application and infects all visitors to the infected site until it is explicitly identified and removed.”
According to West, the current crop of SQL attacks appears to be the result of sloppy programming on the part of Web site developers.
“Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of the larger problem that we in the software engineering and security fields need to provide developers with APIs that make getting security right easier and better tools and processes to ensure that the software they build with these APIs is secure,” he said.
West added “SQL injection is a straightforward problem to identify and avoid when compared with other code-level vulnerabilities, but these attacks demonstrate that some organizations building web applications today are still woefully behind the bad guys. The solution to this and similar problems is a software development lifecycle designed to build security into software from the ground up. Security is a critical attribute during the design, building, testing and deployment phases. Software developed without a full-lifecycle approach and the right tools to support each phase is destined to suffer security compromises like the one seen here.”
Now let me translate that into non-PR speak:
Fortify says… Buy our products and sleep safe at night.
Filed under: Penetration Testing
Tags: hacking, sql injection
This is not a new story, it’s been on The Register (and other news sites) several times before. The problem of legitimate web sites having one line of rogue code inserted has been growing since November. Just google for nihaorr1.com.
As this article points out, merely sticking to well known sites isn’t enough. Your workstation will still get compromised if you fail to patch and update all your software – not just Windows or Microsoft products.
Anyway. The more interesting thing is to read the comments. Take a look at the fifth comment. “Steve Roper” has attempted to supply code that will filter input.
This is an example of how easy it is for someone to think that they have solved the input validation problem with eleven lines of code. “Steve Roper” was confident enough to publish this code. He may now discover the error of his ways. How many others use code like this and don’t realise the consequences?
Filed under: Penetration Testing
Tags: hacking, sql injection
Mark Dowd recently published a paper [here] called “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine”, which has excited researchers [here]. In it Mark describes techniques that promise to open up a class of exploits and vulnerability research previously thought to be prohibitively difficult: in other words, exploiting null pointers.
But what are null pointers to start with? A null pointer is simply a pointer with a value of zero, and dereferencing one is considered an error. In C terms, think of malloc, the C function that allocates chunks of memory for programs to work with. When malloc fails, it returns NULL. According to many a university lecturer, students are meant to check for that value, because malloc can fail at absolutely any time; that makes sense, since their code is not the only program claiming memory. Unfortunately the reality is far from it.
You can read an excellent technical write-up of Dowd’s hardcore exploit on Thomas Ptacek’s (of Matasano) blog [here].
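To make the malloc point concrete, here is a small C example added for this post (it is constructed for illustration and is not code from Dowd’s paper, Ptacek’s write-up or the Flash player). It contrasts the unchecked pattern the lecturers warn about with a version that bounds an untrusted length and treats a NULL return as an error the caller has to handle. The `checked_malloc` wrapper and its `g_fail_next_alloc` hook are hypothetical, added only so the failure path can be exercised without actually exhausting memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound for a caller-supplied length; any larger request is refused
 * before an allocation is attempted.  Chosen for the example. */
#define MAX_MESSAGE_LEN 4096

/* Hypothetical test hook: when set, the next allocation returns NULL, which
 * is exactly what malloc does under memory pressure. */
static int g_fail_next_alloc = 0;

static void *checked_malloc(size_t n)
{
    if (g_fail_next_alloc) {
        g_fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

void simulate_alloc_failure(void) { g_fail_next_alloc = 1; }

/* The pattern the post criticises: the result of the allocation is used
 * without ever being checked.  When the allocation fails, buf is NULL and the
 * memcpy dereferences it (undefined behaviour: a crash at best).
 * Kept only for contrast; nothing in this example calls it. */
char *copy_message_unchecked(const char *src, size_t len)
{
    char *buf = checked_malloc(len + 1);
    memcpy(buf, src, len);          /* NULL dereference when buf == NULL */
    buf[len] = '\0';
    return buf;
}

/* The version the lecturers asked for.  Returns 0 on success, with *out
 * pointing at a heap copy the caller must free; returns -1 (and sets *out to
 * NULL) for a missing source, an oversized length, or a failed allocation. */
int copy_message(const char *src, size_t len, char **out)
{
    *out = NULL;
    if (src == NULL || len > MAX_MESSAGE_LEN)
        return -1;                  /* untrusted size: refuse, don't wrap len + 1 */
    char *buf = checked_malloc(len + 1);
    if (buf == NULL)
        return -1;                  /* the NULL check that is so often missing */
    memcpy(buf, src, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    char *msg = NULL;
    if (copy_message("hello", 5, &msg) == 0) {
        printf("copied: %s\n", msg);
        free(msg);
    }
    simulate_alloc_failure();       /* next allocation fails, as it could at any time */
    if (copy_message("hello", 5, &msg) != 0)
        printf("allocation failed and was handled; msg is %s\n",
               msg == NULL ? "NULL" : "non-NULL");
    return 0;
}
```

The point of the wrapper is only that the failure branch can be driven deterministically; in real code the same check guards a plain `malloc` call, and the caller has to propagate the error rather than assume success.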
There is an old saying, “Give a man a fish and you feed him for a day; teach him how to fish and you feed him for a lifetime”*. In other words, as long as we keep forcing developers to correct their mistakes but ignore teaching them (and them memorising) how to code properly, we’ll always get into similar situations. Yes, kudos to Mark Dowd for doing something neat like this, but then again, nothing to see here, move along.
It won’t take long before businesses use this for fear-mongering and publicity stunts, to sell more products and more services and to assure us all that their product/service offers all the guarantees that corporations need. [read the Update!]
* For transparency I must include the following saying as well: “Give a man a fish and you feed him for a day. But if you knock him down and take his fish, you can sell it and buy some weed.”
UPDATE: IT security software specialist Tier-3 says that a report on Slashdot regarding Flash vulnerabilities indicates that null pointer security flaws could be here to stay and quickly evolve into the next big thing in hacking exploits.
Tier-3’s CTO, Geoff Sweeney, agrees: “We have been monitoring this for some time and confirm that null pointer security flaws are exploitable and could quickly replace buffer overflows as the next big threat. Buffer overflows are of course still an issue, but they are a problem that has been tackled by the industry for many years. Null pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant than ever.”
Filed under: General Security
Tags: exploits, hacking
A survey by Infosecurity Europe (www.infosec.co.uk) of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers, with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. It was conducted outside Liverpool Street Station in the City of London.
This year’s survey results were significantly better than in previous years. In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year it had dropped to just 21%, so at last the message to be more infosecurity savvy is getting through. The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey; here the workers were very naïve, with 61% revealing their date of birth. Another slightly worrying fact discovered by the researchers is that over half of the people questioned use the same password for everything (e.g. work, banking, web, etc.).
Workers were also queried about their use of passwords at work: half said that they knew their colleagues’ passwords, and when asked if they would give their passwords to someone who phoned and said they were from the IT department, 58% said they would. Researchers also asked workers if they thought other people in their company knew their CEO’s password; 35% of them thought that someone else did know, with personal assistants and IT staff being the most likely suspects.
“This research shows that it’s pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department.” Sellick continued, “This type of social engineering technique is often used by hackers targeting a specific organisation with valuable data or assets such as a government department or a bank.”
One man said, ‘I work for a government department, I would never give my password to anyone else, it could cost me my job’.
Most people used only one (31%), two (31%) or three (16%) passwords at work, but a few poor souls had to use as many as 32! It was also found that 43% of people rarely or never change their password which is very poor security practice.
Filed under: General Security
Tags: infosecurity europe, password management, polls, social engineering
It’s that time of the year again, time to grab our emailsystems paper bag from the reception and fill it with a few goodies and loads of paper from the many exhibitors of Infosecurity Europe expo in London this week.
Myself and a select elite team of “secret shoppers” will be there providing you with updates on the largest security expo in London.
Watch this space!
Filed under: Expos & Cons
Tags: hacking, infosecurity europe
Residents of Oklahoma State have reportedly been hit this week with the bad news that tens of thousands of their names, social security numbers and allied data were effectively available on the Web for around three years.
The source of the problem is simply a classic SQL injection vulnerability, a security lapse that could easily have been caught with a simple code review.
The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organizations are probably vulnerable as well.
According to newswire reports, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma DoC Web site.
Then, by the simple process of amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and their allied data from the site.
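The URL-parameter tampering described above is the same shape of problem as the mass SQL attack in the Fortify post and the eleven-line filter in the “Input Validation” post, so one worked example serves all three. The Python below is added here and is not code from any of those stories, the Oklahoma DoC site, or Steve Roper’s comment: it seeds an in-memory SQLite table with constructed rows, then puts a hypothetical blacklist-style filter plus string concatenation beside a typed, parameterised lookup, so you can see which one actually stops a tampered `id` parameter from changing the query. The `naive_filter`, `lookup_concat`, `lookup_param` and `handle_request` names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample table; not the Oklahoma DoC schema and not real records.
SAMPLE_ROWS = [
    (1, "alice", "ssn-placeholder-1"),
    (2, "bob", "ssn-placeholder-2"),
    (3, "carol", "ssn-placeholder-3"),
]


def make_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_filter(value):
    """Hypothetical blacklist 'sanitiser' of the kind a quick comment-section
    fix tends to be (not Steve Roper's code): delete a handful of characters
    and hope nothing else matters.  It never touches spaces, keywords or '='."""
    for bad in ("'", '"', ";", "--", "/*", "*/"):
        value = value.replace(bad, "")
    return value


def lookup_concat(conn, raw_id):
    """Filter, then paste the value into the SQL text: the pattern to avoid.
    Whatever survives the filter becomes part of the query's structure."""
    query = "SELECT id, name FROM people WHERE id = " + naive_filter(raw_id)
    return conn.execute(query).fetchall()


def lookup_param(conn, raw_id):
    """Validate the type first, then bind it as a parameter.  The query text
    is fixed, so the input can only ever be compared as a value."""
    person_id = int(raw_id)  # ValueError for anything that is not an integer
    return conn.execute(
        "SELECT id, name FROM people WHERE id = ?", (person_id,)
    ).fetchall()


def handle_request(conn, raw_id):
    """What a request handler should do with the URL parameter: reject
    malformed input with a 400-style response instead of handing it to SQL."""
    try:
        rows = lookup_param(conn, raw_id)
    except ValueError:
        return {"status": 400, "rows": []}
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    probe = "2 OR 1=1"  # constructed test input: passes the blacklist untouched
    print("filter + concatenation:", lookup_concat(db, probe))   # every row comes back
    print("typed + parameterised: ", handle_request(db, probe))  # rejected, status 400
    print("legitimate request:    ", handle_request(db, "2"))
```

The lesson the filter-based version teaches is the one the post makes: a blacklist can only remove what its author thought of, whereas validating the type and binding a parameter means the query’s shape is decided by the developer and never by the request. Where the value is genuinely free text rather than a number, the same parameter binding applies; only the `int()` step changes to whatever validation the field calls for.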
For more information on the Oklahoma social security number leak:
Filed under: General Security
Tags: hacking, Oklahoma, social security, sql injection, USA

A recent investigation by Finjan, a secure web gateway products company, has warned that under the 2008 Banking Code, online banking customers may be held responsible for losses on their account if they don’t keep their PC secure and don’t use up-to-date anti-virus and anti-spyware software and a personal firewall. Under the code, failing to do so could be seen as “acting without reasonable care” by the customer.
“The new code, specifically sections 12.9 and 12.11, places the onus on bank customers to take reasonable care and make sure that their anti-virus and anti-spyware software are up-to-date. If not, they might be held responsible for losses on their online banking account,” said Yuval Ben-Itzhak, Finjan’s CTO.
According to Ben-Itzhak, the new approach in dealing with online banking fraud potentially gives the banks a position to reject online fraud claims upfront.
“This means that specifically business customers of banks should take steps to review their IT security arrangements and ensure that they have the needed solution to protect their IT resources,” he said.
Unless business customers adopt this approach to IT security, Ben-Itzhak said, they might face an uphill battle in recovering their funds if they go missing in the event of electronic fraud.
“And with companies typically holding thousands of pounds in their bank accounts, the ramifications of an electronic fraud are extremely serious.” he said.
Filed under: General Security
Tags: banks, hacking
Recent Entries
- Barcelona FC Manager gets Laptop Stolen – Industrial Espionage or Dirty Pictures?
- Attacks Won’t Always Come From outside – Part 2
- Attacks Won’t Always Come From Outside Young Grasshopper
- More from the SQL Injection Bandwagon – Fortify’s All Out Attack on Devs
- Input Validation from Real Dummies
- Null Pointer Security Flaws: The Next Big Scare
- Infosec Europe: 45% of women happy to trade passwords for Chocolate
- Infosec Europe: Infosecurity London Expo
- Oklahoma leaks tens of thousands of social security numbers
- UK Banks to Customers: “Your fault if you get hacked!”