Thursday, January 10, 2008

10 security blunders

While one of the following links is actually from early 2008, they all refer to issues that arose during the year of 2007.

  1. The UK privacy breach: An employee of Her Majesty’s Revenue and Customs Office mailed two CDs containing confidential data on about 25 million UK citizens, including names, addresses, insurance account numbers, and bank account details for claimants in the national child benefit database. These CDs never made it to their destination. Just in case you think someone having your bank account number is no big deal, you should read about what happened to Top Gear TV series host Jeremy Clarkson when he published his account information in a newspaper to “prove” that having someone’s bank account will do nothing for a malicious party. At least Clarkson owned up to the mistake and started advocating disincentives for such poor security practice. I particularly like when he said “we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”
  2. Embassies confuse anonymity with security: Swedish security consultant Dan Egerstad showed that people all over the world, most notably certain embassies, tend to assume that using the Tor anonymizing network means they’re secure. Somehow, they’ve missed the importance of encryption to protect their data. One must wonder why governments are so bad at security. By the way, the Swedish equivalents to the FBI and CIA raided Egerstad’s apartment for undisclosed reasons, accused him of several crimes, then released him without charges.
  3. The iPhone runs everything as root: As Wired put it, IPhone’s Security Rivals Windows 95. This is very bad — and, of course, the root password for the iPhone was cracked in just three days. It had to happen eventually. To be fair, Windows Mobile devices all run everything as the administrative user as well, but this is not exactly unexpected (so it’s less notable). Credit to the fine folks at Metasploit for figuring it out, and figuring out how to make use of that fact.
  4. Sears installs spyware on customer computers: The depth and breadth of harvested data is truly frightening, and you just have to read it to believe it. Do not join the “My SHC Community”. Worse yet, if you follow the update link at the beginning of the article, you’ll find out that Sears (KMart is involved, too) is playing some pretty sketchy games with privacy policy presentation, based on whether the spyware is installed on your system. Considering this example, that’s probably reason enough to avoid ever getting mixed up in any online Sears community, but that’s not all. . . .
  5. Your Sears buying habits may be public knowledge: In short, by joining the Sears “Manage My Home” community, you can search through the Sears purchase history of anyone whose name and address you know. Not only should you avoid joining online Sears communities but, it seems, you should avoid shopping there as well. Apparently, major corporations are as bad as government agencies when it comes to security — especially Sears.

Old News

What follows is a list of older news items, from before 2007, that are still interesting and worth knowing about.

  1. Switching from Unix to MS Windows proves disastrous for air traffic control: A problem with a Microsoft Windows 2000 solution used to replace Unix air traffic control servers required regular restarts — and when the restart was overlooked once, it endangered 800 commercial aircraft in 2004.
  2. MS Windows crash cripples UK government agency: Only a couple months after the air traffic control debacle, almost the entire UK Department of Work and Pensions network crashed. This event was called the biggest crash in public sector history.
  3. The Pentagon improperly redacted text in a declassified document: Text was masked in a PDF by painting black lines over it, as if a physical, hardcopy, paper document had a black marker run over the relevant sections of text. Of course, doing that with Adobe Acrobat tends to leave all the text intact and recoverable, as such black “painting” occurs on a separate document layer. A Greek medical student at Bologna University recovered the obscured text with a couple of mouse clicks in 2005.
  4. The VA privacy breach: More than 26 million US military veterans’ personal data — including names, birthdates, and social security numbers — were taken home by a Veterans Administration employee. As necessitated by Murphy’s Law, the data was stolen (of course). It was stored on an unencrypted drive in the employee’s laptop but, surprisingly, it seems the thieves did not know what they had and the data was not used for identity theft purposes.
  5. Sony may have the worst consumer security record of any corporation: The six-part Boing Boing series on Sony’s “anti-consumer technology” problems makes a compelling case for getting your technology from anyone but Sony. If you thought the 2005 Sony rootkit was the only problem, you haven’t been paying attention — the rootkit installed even if you told it not to, there was a second Sony rootkit, the rootkit remover itself caused security issues, and the RIAA said it’s no big deal because other record labels also install rootkits. Somehow, I do not find that very reassuring

Read more!

Posted by Paritosh at 2:14 PM 17 comments

Labels: ,

Subscribe to: Posts (Atom)