Thursday, January 10, 2008

10 security blunders

While one of the following links is actually from early 2008, they all refer to issues that arose during the year of 2007.

  1. The UK privacy breach: An employee of Her Majesty’s Revenue and Customs Office mailed two CDs containing confidential data on about 25 million UK citizens, including names, addresses, insurance account numbers, and bank account details for claimants in the national child benefit database. These CDs never made it to their destination. Just in case you think someone having your bank account number is no big deal, you should read about what happened to Top Gear TV series host Jeremy Clarkson when he published his account information in a newspaper to “prove” that having someone’s bank account will do nothing for a malicious party. At least Clarkson owned up to the mistake and started advocating disincentives for such poor security practice. I particularly like when he said “we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”
  2. Embassies confuse anonymity with security: Swedish security consultant Dan Egerstad showed that people all over the world, most notably certain embassies, tend to assume that using the Tor anonymizing network means they’re secure. Somehow, they’ve missed the importance of encryption to protect their data: Tor hides where traffic comes from, but whatever leaves the last relay toward its destination is in exactly the form the application sent it, so logins and mail sent without their own encryption are readable there. One must wonder why governments are so bad at security. By the way, the Swedish equivalents to the FBI and CIA raided Egerstad’s apartment for undisclosed reasons, accused him of several crimes, then released him without charges.
  3. The iPhone runs everything as root: As Wired put it, IPhone’s Security Rivals Windows 95. This is very bad — and, of course, the root password for the iPhone was cracked in just three days. It had to happen eventually. To be fair, Windows Mobile devices all run everything as the administrative user as well, but this is not exactly unexpected (so it’s less notable). Credit to the fine folks at Metasploit for figuring it out, and figuring out how to make use of that fact.
  4. Sears installs spyware on customer computers: The depth and breadth of harvested data is truly frightening, and you just have to read it to believe it. Do not join the “My SHC Community”. Worse yet, if you follow the update link at the beginning of the article, you’ll find out that Sears (KMart is involved, too) is playing some pretty sketchy games with privacy policy presentation, based on whether the spyware is installed on your system. Considering this example, that’s probably reason enough to avoid ever getting mixed up in any online Sears community, but that’s not all. . . .
  5. Your Sears buying habits may be public knowledge: In short, by joining the Sears “Manage My Home” community, you can search through the Sears purchase history of anyone whose name and address you know. Not only should you avoid joining online Sears communities but, it seems, you should avoid shopping there as well. Apparently, major corporations are as bad as government agencies when it comes to security — especially Sears.

Old News

What follows is a list of older news items, from before 2007, that are still interesting and worth knowing about.

  1. Switching from Unix to MS Windows proves disastrous for air traffic control: A problem with a Microsoft Windows 2000 solution used to replace Unix air traffic control servers required regular restarts — and when the restart was overlooked once, it endangered 800 commercial aircraft in 2004.
  2. MS Windows crash cripples UK government agency: Only a couple months after the air traffic control debacle, almost the entire UK Department of Work and Pensions network crashed. This event was called the biggest crash in public sector history.
  3. The Pentagon improperly redacted text in a declassified document: Text was masked in a PDF by painting black lines over it, as if a physical, hardcopy, paper document had a black marker run over the relevant sections of text. Of course, doing that with Adobe Acrobat tends to leave all the text intact and recoverable, as such black “painting” occurs on a separate document layer. A Greek medical student at Bologna University recovered the obscured text with a couple of mouse clicks in 2005.
  4. The VA privacy breach: More than 26 million US military veterans’ personal data — including names, birthdates, and social security numbers — were taken home by a Veterans Administration employee. As necessitated by Murphy’s Law, the data was stolen (of course). It was stored on an unencrypted drive in the employee’s laptop but, surprisingly, it seems the thieves did not know what they had and the data was not used for identity theft purposes.
  5. Sony may have the worst consumer security record of any corporation: The six-part Boing Boing series on Sony’s “anti-consumer technology” problems makes a compelling case for getting your technology from anyone but Sony. If you thought the 2005 Sony rootkit was the only problem, you haven’t been paying attention — the rootkit installed even if you told it not to, there was a second Sony rootkit, the rootkit remover itself caused security issues, and the RIAA said it’s no big deal because other record labels also install rootkits. Somehow, I do not find that very reassuring.
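A hands-on illustration of item 3 in the list above (the Pentagon’s painted-over PDF), added here as an example and not taken from the original post or from any real document: it hand-builds a minimal one-page PDF whose content stream shows a line of text and then draws a black rectangle over it, exactly the “painting” that looks like redaction. A naive extractor that simply reads the `Tj` text-showing operators recovers the text anyway, while a page whose text operator was actually removed before the box was drawn passes the audit. The secret string, the page layout and the extractor are all constructed for this example; real PDFs usually compress their streams with FlateDecode, which the extractor handles by inflating each stream first.

```python
import re
import zlib

# Constructed sample text standing in for the classified passage; not from the page.
SECRET = "CONSTRUCTED SECRET LINE"


def page_content(text: str, paint_over: bool, remove_text: bool) -> bytes:
    """Build a PDF page content stream.

    paint_over:  draw a filled black rectangle over the text's position (what the
                 Pentagon's document did: a visual cover, nothing more).
    remove_text: leave the text-showing operator out entirely (what a real
                 redaction must do before any box is drawn).
    """
    ops = []
    if not remove_text:
        # Text object: select font F1 at 12pt, move to (72, 700), show the string.
        ops.append(f"BT /F1 12 Tf 72 700 Td ({text}) Tj ET")
    if paint_over:
        # Fill colour black (0 g), then a rectangle over the text's bounding box.
        # It is drawn after the text, so the page looks blank there, but the
        # Tj operator above is still part of the very same stream.
        ops.append("0 g 70 696 220 16 re f")
    return "\n".join(ops).encode("latin-1")


def build_pdf(content: bytes, compress: bool = False) -> bytes:
    """Wrap a content stream in the minimal object structure of a one-page PDF."""
    data = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length " + str(len(data)).encode() + filt + b" >>\nstream\n"
        + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref}\n%%EOF\n").encode()
    return bytes(out)


_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_TJ = re.compile(rb"\((.*?)\)\s*Tj")   # assumes strings without escaped parentheses


def content_streams(pdf: bytes) -> list:
    """Return every stream body, inflating FlateDecode streams; raw ones pass through."""
    out = []
    for raw in _STREAM.findall(pdf):
        try:
            out.append(zlib.decompress(raw))
        except zlib.error:
            out.append(raw)
    return out


def extract_text(pdf: bytes) -> list:
    """Naive text extractor: every string shown with the Tj operator, in every stream."""
    found = []
    for stream in content_streams(pdf):
        found.extend(m.decode("latin-1") for m in _TJ.findall(stream))
    return found


def audit_redaction(pdf: bytes, forbidden: str) -> bool:
    """True only if the forbidden text is absent from every decoded content stream."""
    needle = forbidden.encode("latin-1")
    return all(needle not in stream for stream in content_streams(pdf))


if __name__ == "__main__":
    painted = build_pdf(page_content(SECRET, paint_over=True, remove_text=False), compress=True)
    redacted = build_pdf(page_content(SECRET, paint_over=True, remove_text=True))
    print("painted over, text recovered:", extract_text(painted))
    print("painted-over file passes audit:", audit_redaction(painted, SECRET))
    print("properly redacted file passes audit:", audit_redaction(redacted, SECRET))
```

The audit is the check worth keeping: before a “redacted” PDF leaves the building, decode every stream and confirm the sensitive strings are gone, rather than trusting what the viewer renders. The same reasoning applies to images and metadata objects, which this minimal builder does not include.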

17 comments:

Flv Player said...

Great Article! Thank you very much for posting this...
