UPDATE FIXES VERIZON IPHONE 5 DATA GLITCH; CUSTOMERS WON'T BE CHARGED FOR OVERAGES

Verizon iPhone 5 customers may have noticed an issue wherein their phones gobbled up extra cellular data when they were theoretically connected to Wi-Fi networks. Those customers now have two bits of good news: There’s a special software update that fixes the problem, and they won’t be responsible for unexpected charges related to unintended network overages related to the issue that spurred the carrier update in the first place.

10 HOT IT SKILLS FOR 2013

The number of companies planning to hire tech professionals continues to grow, with 33% of the 334 IT executives who responded to Computerworld's 2013 Forecast survey saying they plan to increase head count in the next 12 months.

APPLE WARNS ICLOUD USERS OF LOOMING STORAGE LOSS

Apple on Monday began reminding some iCloud users that they will soon lose the 20GB of free storage they'd received when they migrated from MobileMe.

Nook Video set for fall premiere

Barnes and Noble Tuesday announced that Nook Video will premiere this fall in the U.S. and UK. The service will offer access to movies and TV shows for streaming and download.

Eight simple steps to make the upgrade to iPhone 5 easier

A little planning can save time - and voice messages - when you upgrade to the new iPhone 5


Sunday, November 4, 2012

Prepare your business for digital disaster

Note: This article was originally published in late September 2012. However, following Hurricane Sandy and increased concerns about disaster preparedness, we have decided to reprint this guide. If you have any suggestions not covered in the article, please share your ideas in a comment below.
You don’t have to look hard to find tales of technological disaster. The Gauss virus infiltrated thousands of Middle Eastern PCs, where it could intercept online banking credentials. Apple iPhones were revealed to be vulnerable to spoofed SMS messages. Floods all but demolished Western Digital’s hard drive production facilities in Thailand.
Closer to home, writer Mat Honan saw his digital life all but erased when a hacker used a couple of phone calls to order a remote wipe of his MacBook Air. Honan says that he lost more than a year’s worth of photos after the breach—photos that, of course, he hadn’t backed up.
These incidents—and to some degree, anything that goes wrong with your tech universe—have one thing in common: With careful planning, the victims could have rendered the problems much easier to recover from.
Sure, enduring a flood that wipes out your production facility is worse than losing some stored baby pictures, but disaster planning is essential for individuals and businesses of all shapes and sizes. The only real variable is the complexity of the necessary planning. For a small business, it’s essential to plan for disasters so that you won’t be completely crushed if catastrophe does strike. Here’s how to start.

Backups

You can sharply reduce the bad effects of most technology problems by adopting a single surprisingly simple precaution: Back up your data.
You’ve undoubtedly heard this advice before, but even computer users who have suffered crashes, malware infestations, and other data-killing disasters often find it hard to get started, fearing that regularly scheduled backups are too tedious to perform or too complicated to set up.
None of this is true today. Myriad solutions and systems have simplified the task of backing up, whether you're dealing with one computer or a dozen. Here are some strategies you can start with.
Local USB backup
This is the simplest way to perform backups, but it’s suitable for people with just one or two PCs. Plug a high-capacity USB hard drive into your computer, and set up a backup program. Windows 7 has one included—Windows 8 will add File History capabilities to the mix—and copious options exist online. If you arrange for automatic backups, so much the better.
Windows' Backup and Restore utility is fairly straightforward to use.
Synchronization
Another strategy is to keep two computers in sync so that if one goes down, the other is available so you can pick up where you left off. Again, this option is effective only for very small businesses or in environments where everyone uses the same machine. One big advantage of a sync strategy is that you can set up computers in different rooms or different parts of the building so that if something happens in one part of the workplace (or if a thief steals equipment from there), the other side of the building may still be safe. Check out GoodSync for a solid sync arrangement.
GoodSync helps you sync your data between two PCs.

NAS backup
When multiple computers need backing up, a network-attached storage (NAS) system makes excellent sense. A NAS device attaches to your router. You then use included software or your own backup program to back up to the NAS periodically. One drawback: Often, the backup software included with these drives is limited, and backup traffic can be so heavy that it floods your network. Check out the WD MyBook Live series for a great small-office NAS.
Western Digital's My Book Live NAS box provides mobile access to your files.
Online backup
If you have plenty of Internet bandwidth available, backing up online can be the most secure way to protect your data against disasters such as a house fire that destroys everything on the premises. Online backup sends your files (usually automatically) to a far-off location, removing any risk of loss from physical theft, fire, or flood at your business. On the other hand, some online, cloud-based services have been victimized by security breaches. That risk is probably tolerable for most of us, but if you work with highly sensitive information such as customer credit-card data, you might be best served by backing up this information locally and securing it at an offsite location, such as a safe deposit box.
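Whichever of the strategies above you pick, the checks a practitioner wants around a backup job are the same: refuse to run if the destination volume is not actually present, keep dated snapshots rather than overwriting the only copy, and verify the copy by checksum before trusting it. The script below is an added example, not code from the article or from any of the products it names; the directory layout, snapshot naming and the sample files built in demo() are constructed for illustration.

```python
"""Added example (not from the PCWorld article): snapshot a directory to a backup
volume and verify every file by SHA-256 before declaring the backup good."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_snapshot(src: Path, snap: Path) -> list:
    """Return relative paths of files whose copy is missing or differs from the source."""
    bad = []
    for f in sorted(src.rglob("*")):
        if not f.is_file():
            continue
        rel = f.relative_to(src)
        copy = snap / rel
        if not copy.is_file() or sha256_of(copy) != sha256_of(f):
            bad.append(str(rel))
    return bad


def backup_dir(src, dst) -> Path:
    """Copy src into a new snapshot under dst and verify it; raise on any problem."""
    src, dst = Path(src), Path(dst)
    # Refuse to run if the backup volume is absent, so we never write into an
    # empty mount point and mistake that for a successful backup.
    if not dst.is_dir():
        raise FileNotFoundError(f"backup volume {dst} is not mounted")
    # A fresh snapshot per run keeps older copies instead of overwriting the only backup.
    snap = dst / f"snapshot-{time.time_ns()}"
    shutil.copytree(src, snap)
    bad = verify_snapshot(src, snap)
    if bad:
        raise RuntimeError(f"backup verification failed for: {bad}")
    return snap


def demo() -> dict:
    """Constructed scenario: back up two files, corrupt one copy, re-verify, and
    confirm that a missing backup volume is rejected."""
    root = Path(tempfile.mkdtemp())
    src, usb = root / "src", root / "usb"
    (src / "sub").mkdir(parents=True)
    usb.mkdir()
    (src / "a.txt").write_text("alpha")
    (src / "sub" / "b.txt").write_text("beta")
    snap = backup_dir(src, usb)
    result = {
        "copied": sorted(p.name for p in snap.rglob("*") if p.is_file()),
        "clean": verify_snapshot(src, snap),
    }
    (snap / "a.txt").write_text("corrupted")  # simulate bit rot or a failed write
    result["after_tamper"] = verify_snapshot(src, snap)
    try:
        backup_dir(src, root / "not-mounted")
        result["missing_volume"] = "accepted"
    except FileNotFoundError:
        result["missing_volume"] = "rejected"
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The verification step is the part most backup setups skip: a backup that was never read back is a hope, not a backup. Run the verification again periodically against the snapshot on the USB drive or NAS, not just at copy time, so that silent corruption of the stored copy is noticed before the day you need it.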

Antimalware and data security

Another common—and oft-ignored—tip is to install antimalware software on all of your business's PCs and keep it up to date.
This measure isn’t terribly onerous if you're dealing with a single PC, but things can get complicated and expensive if you're trying to safeguard a small-business network. Any number of paid and free single-computer security solutions are available. If you have more than a few computers, you can save money by opting for a small-business security suite package. Some of these packages are no more than a bundle of licenses for the individual suite, each of which must be installed and maintained separately. Others offer a central management console for pushing updates out to users' PCs and receiving notifications about threats found on the network. Shop around to determine the approach that works better for you.

Physical security

Software safeguards aside, a thug with a crowbar can inflict massive damage on your business. That's why physical security should be a major consideration, whether you’re a one-person shop or a company with a hundred employees. Every business owner knows to lock the doors and install an alarm system if there are valuable assets on the premises. But you should also take specific actions to protect your computer equipment, in addition to securing your building proper.
Cable locks
Cable locks are a simple way to increase any computer's security at very low cost. Almost all laptops have a special Kensington lock port, and most desktops have a metal loop that extends from the back and through which you can run a security cable. (Computers that don't have a lock port can instead use a “universal” lock system that attaches directly to the chassis.) Connect the computer to a desk with the cable, and you’ve added sufficient security to thwart most smash-and-grab operators. Be sure to store the keys to the cable locks in a secure location. You should also use a cable lock whenever you take a laptop out of the office.
Kensington ClickSafe combination locks can anchor a laptop to your desk.
LoJack systems
LoJack for Laptops is software that runs unnoticed in the background but lets your laptop broadcast its location when you report it as lost. This helps law enforcement locate the computer more easily and enables you to wipe its hard drive remotely if recovery seems unlikely. Tools like Find My iPhone offer similar features to smartphone and tablet users. Install them before your device goes missing.
Video surveillance systems
The all-seeing eye of a camera won’t prevent determined thieves from breaking into your office, but remote surveillance systems may help you catch them red-handed. Video surveillance with motion detection will show the scene of a crime in real-time and record footage to help you pursue the bad guys later.
Logitech Alert video surveillance system is a good choice for monitoring several locations.
Fire, floods, and acts of God
We’ve dealt with thieves, but what about interventions of overwhelming magnitude? The general preparedness tips outlined above—especially the use of offsite backups—will help mitigate damage due to natural disasters, but a few devices can do even more, if you’re concerned that a fire or flood might whisk away your life’s work.
For digital storage, ioSafe makes a range of external hard drives designed to resist both fire (at up to 1550 degrees Fahrenheit) and water (a water column of up to 10 feet for 3 days). Keep analog essentials such as paper documents (and printouts of essential data) either offsite in a safe deposit box or in a sturdy fire safe on the premises. These inexpensive safeguards are well worth the investment.
And of course, you should include high-quality surge protectors or UPSs on all high-tech equipment for protection against power surges and lightning strikes.

Insurance

You can replace computer equipment, but that costs money. And if your business is out of commission for a month or two while you rebuild from a fire, you won’t be earning anything along the way. That problem can destroy a company that might withstand the physical damage caused by a disaster.
Generally, insurance is the best safeguard against financial ruin. Standard property insurance will cover the loss of hardware, but business interruption insurance is essential if you want a safety net to preserve your company against lost sales.

Succession planning

One other component of your small business needs to be protected: you. Do you want your business to continue to operate after you’ve shuffled off this mortal coil? If the plan is to shut it down, how will that happen? How will ongoing ownership issues be determined? Who’s going to run the show?
These are complicated issues that any small-business owner should discuss with a qualified estate planner to resolve, and any protégés being groomed to take over when you’re gone need to be aware of the plans well in advance. Software such as Quicken WillMaker steps an individual through basic estate planning. It's a serious subject, but tackling the creation of a will and a succession plan while you’re young and healthy is far better than waiting until you’re lying in a hospital bed. Make it a priority to create a continuity plan (or a dissolution plan, if you aren't going to pass the business along to an heir), and revisit it annually to ensure that it’s up to snuff.

Source: pcworld.com

Wednesday, October 31, 2012

Malware infects 13 percent of North American home networks

Some 13 percent of home networks in North America are infected with malware, half of them with "serious" threats, according to a report released Wednesday by a cyber-security company.
However, that number is a one-percent decrease from the quarter that ended in June, according to Kindsight Security Labs, of Mountain View, California, in its third-quarter malware report [PDF].
Based on information gathered from service providers, Kindsight reported that 6.5 percent of the home network infections were high-level threats that could turn a home computer into a spam-spewing zombie on a botnet or compromise a computer owner's bank account.

ZeroAccess botnet

Some 2.2 million home networks worldwide are infected with malware controlled by the ZeroAccess botnet, the report estimated. In North America, one in every 125 home networks is infected with malicious software.
Map of the ZeroAccess botnet as it spreads across North America

"The ZeroAccess.net has grown significantly to become the most active botnet we've measured this year," Kevin McNamee, Kindsight security architect and director, said in a statement.
"Cyber criminals are primarily using it to take over victim computers and conduct click fraud," McNamee continued. "With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud."
Kindsight estimates that online advertisers lose $900,000 a day in fraud perpetrated by ZeroAccess.

Big money for evil-doers

Spam, ad-click malware, banking Trojans, theft of identity information, and fake security software are big money makers for cybercriminals, the report noted.
The cyber-security vendor also reported that it saw a 165% increase in the number of Android malware samples during the period. Nevertheless, despite the growth in spyware apps and malware, there have been no major malware outbreaks, the report said.
"Aggressive Adware," some of it bordering on spyware, continues to be a problem in the Android market, according to Kindsight. It estimates that three percent of all mobile devices host some form of that software.
While security software aimed at removing aggressive adware from mobile devices has been introduced into the market, the report explained, it remains to be seen how effective it will be in mitigating the problem.
Similar efforts were made in the past to address spyware problems in the Windows world, but the Android environment is a horse of a different color. "One key difference between these ad-funded Android apps and the traditional Window’s variety is that the Android variety is being distributed from the Google Play App Store, which lends them considerable legitimacy," the report said.
Source: pcworld.com

Thursday, October 25, 2012

Report: Open DNS resolvers increasingly abused to amplify DDoS attacks


Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organization that tracks Internet hosts involved in cybercriminal activities.
In the latest edition of its World Hosts Report, which covers the third quarter of 2012, the organization included data about open DNS resolvers and the Autonomous Systems—large blocks of Internet Protocol (IP) addresses controlled by network operators—where they are located.
That’s because, according to HostExploit, incorrectly configured open DNS resolvers—servers that can be used by anyone to resolve domain names to IP addresses—are increasingly abused to launch powerful DDoS attacks.
DNS amplification attacks date back more than 10 years and are based on the fact that small DNS queries can result in significantly larger DNS responses.
An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address. As a result, the resolvers will send their large responses back to the victim’s IP address instead of the sender’s address.
In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.
“The fact that so many of these unmanaged open recursors exist allow the attackers to obfuscate the destination IPs of the actual DDoS targets from the operators of the authoritative servers whose large records they’re abusing,” said Roland Dobbins, solutions architect in the Security & Engineering Response Team at DDoS protection vendor Arbor Networks, Thursday via email.
“It’s also important to note that the deployment of DNSSEC has made DNS reflection/amplification attacks quite a bit easier, as the smallest response the attacker will stimulate for any query he chooses is at least 1300 bytes,” Dobbins said.
Even though this attack method has been known for years, “DDoS amplification is used far more frequently now and to devastating effect,” Bryn Thompson of HostExploit wrote Wednesday in a blog post.
“We have seen this recently and we see it increasing,” Neal Quinn, the chief operating officer of DDoS mitigation vendor Prolexic, said Thursday via email.
“This technique allows relatively small botnets to create large floods toward their target,” Quinn said. “The problem is serious because it creates large volumes of traffic, which can be difficult to manage for many networks without use of a cloud mitigation provider.”
Dobbins couldn’t immediately share any data about the recent frequency of DNS-based DDoS amplification attacks, but noted that SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol) reflection/amplification attacks “can also generate very large, overwhelming attack sizes.”
In its report, HostExploit ranked the Autonomous Systems with the largest number of open DNS resolvers in their IP address spaces. The top one, controlled by Terra Networks Chile, contains more than 3,200 open resolvers in a pool of around 1.3 million IPs. The second one, controlled by Telecomunicacoes de Santa Catarina (TELESC)—now part of Oi, Brazil’s largest telecom operator—contains nearly 3,000 resolvers in a space of 6.3 million IP addresses.
“It should be stressed open recursive nameservers are not a problem in themselves; it is the mis-configuration of a nameserver where the potential problem lays,” HostExploit said in its report.
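The resolver operator's view of the attack described above, as an added example that is not part of the article or of HostExploit's report: because the attacker spoofs the source address, a misconfigured open resolver's own logs show the victim as a "client" that receives a burst of responses many times larger than the queries it supposedly sent. The log format, IP addresses and thresholds below are constructed for illustration, and the parser and detector are written here for this page, not taken from any resolver product.

```python
"""Added example (not from the PCWorld article or HostExploit's report):
detect reflection/amplification abuse from a resolver's query log."""
import re
from collections import defaultdict

# Constructed log format, one query per line:
# "<epoch> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>"
# 203.0.113.7 is the (spoofed) address of the DDoS victim; the others are ordinary clients.
SAMPLE_LOG = """\
1350000000 203.0.113.7 example.net ANY 64 3072
1350000000 203.0.113.7 example.net ANY 64 3072
1350000000 203.0.113.7 example.net ANY 64 3072
1350000001 203.0.113.7 example.net ANY 64 3072
1350000001 203.0.113.7 example.net ANY 64 3072
1350000001 203.0.113.7 example.net ANY 64 3072
1350000000 198.51.100.20 www.example.com A 45 61
1350000003 198.51.100.21 mail.example.org MX 49 120
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, qtype, qlen, rlen = m.groups()
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "qlen": int(qlen), "rlen": int(rlen)})
    return records


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """How many bytes the resolver sends toward the source per byte it received."""
    return response_bytes / query_bytes


def flag_reflection_targets(records: list, min_factor: float = 10.0, min_qps: int = 3) -> dict:
    """Return {client: largest amplification factor} for every client that, in any
    one-second window, received at least min_qps responses that were each at least
    min_factor times larger than the query. On an open resolver that "client" is
    very likely the spoofed address of a DDoS victim rather than a real user."""
    per_second = defaultdict(int)
    factors = defaultdict(list)
    for r in records:
        factor = amplification_factor(r["qlen"], r["rlen"])
        if factor >= min_factor:
            per_second[(r["client"], r["ts"])] += 1
            factors[r["client"]].append(factor)
    flagged = {}
    for (client, _ts), count in per_second.items():
        if count >= min_qps:
            flagged[client] = max(factors[client])
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(flag_reflection_targets(recs))  # the spoofed victim address, factor 48.0
```

Flagging a target is only half of the picture. As the report itself stresses, the root problem is configuration: a resolver should answer recursive queries only for the networks it serves, and the operators of the networks the spoofed packets leave should drop traffic with source addresses that do not belong to them (BCP 38 ingress filtering), which removes the attacker's ability to point the responses at anyone but himself.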

Source: pcworld.com

Monday, September 24, 2012

Cyber espionage campaign targets energy companies

Signs suggest remote access trojan by group that attacked RSA.

Hackers using a Remote Access Trojan (RAT) named Mirage have been engaged in a systematic cyber espionage campaign against a Canadian energy company, a large oil firm in the Philippines and several other entities since at least this April, Dell's SecureWorks Counter Threat Unit says. The campaign is the second one targeted at oil companies to be discovered by SecureWorks this year. In February, researchers at the firm discovered attackers using remote access tools similar to Mirage to target several oil companies in Vietnam. That campaign also targeted government agencies in several countries, an embassy, a nuclear safety agency and multiple business groups, according to SecureWorks.

The domains for three of the command and control (C&C) servers used to control Mirage and for several of the C&C servers used in the February campaign, appear to belong to the same individual or group of individuals, SecureWorks said.

Also noteworthy is the fact that the IP addresses for the command and control servers used for Mirage and in the February campaign belong to China's Beijing Province Network. The same network was also implicated in last year's attacks on security vendor RSA that resulted in the theft of confidential information related to the company's SecurID two-factor authentication technology.

Command and control servers associated with the 2009 GhostNet campaign that targeted government computers in more than 100 companies also used IP addresses in the same network. The evidence suggests that the same group of people is behind the sweeping cyber espionage campaigns, SecureWorks researcher Joe Stewart said today. The latest Mirage campaign has so far impacted companies in Canada, the Philippines, a military organization in Taiwan and several unidentified entities in Nigeria, Egypt, Brazil and Israel, Stewart said.

The Mirage malware program itself is very crafty and is designed to evade easy detection, according to SecureWorks. All of its communications with its command and control servers are disguised to appear like the URL traffic pattern associated with Google searches.

Those behind the espionage have used phishing emails to trick mid-level to senior executives at the targeted companies to click on attachments containing malware for installing Mirage on their systems. One of the emails used in the campaign for instance, contained a pdf of a news story about Yemeni women being eligible to participate in that country's elections.

Over the past few months, researchers at SecureWorks discovered several customized variants of Mirage designed to evade detection by anti-virus and anti-malware programs.

"One of the variants was seen in a subset of samples that had been modified specifically for the environment targeted by the threat actors," SecureWorks analyst Silas Cutler wrote in the alert. "These samples had been configured with default credentials for the targeted environment's web proxy servers," he noted. 

Source: computerworld.com

Monday, January 10, 2011

Hacker to use cloud for brute force WiFi crack

WPA-PSK not powerful enough in a cloud world.

A security researcher claims to have figured out a quick and inexpensive way to break a commonly used form of password protection for wireless networks using powerful computers that anybody can lease from Amazon.com over the Web.

Thomas Roth, a computer security consultant based in Cologne, Germany, says he can hack into protected networks using specialised software that he has written that runs on Amazon's cloud-based computers. It tests 400,000 potential passwords per second using Amazon's high-speed computers.
That leaves businesses as well as home networks prone to attack if they use relatively simple passwords to secure their networks.

Amazon leases time on computers to developers and companies that don't have the money to buy their own equipment, or don't use it frequently enough to justify doing so. Customers include individual programmers and corporate users.

A spokesman for Amazon said that Roth's research would only violate his company's policies if he were to use Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service to break into a network without permission of its owner.

"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," said Amazon spokesman Drew Herdener.

"Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorisation."

Roth will distribute his software to the public and teach people how to use it later this month at the Black Hat hacking conference in Washington, D.C.

He said he is publicising his research in a bid to convince skeptical network administrators that a commonly used method for scrambling data that travels across WiFi networks is not strong enough to keep crafty intruders from breaking in to networks.

That encryption method, dubbed WPA-PSK, scrambles data using a single password. If a potential intruder is able to figure out the password, he or she can gain access to computers and other devices on the network.

Roth said that the networks can be broken into if hackers use enough computer power to "brute force" their way into figuring out the passwords that protect networks.

Those passwords were difficult for the average hacker to break until Amazon.com recently started leasing time on powerful computers at relatively inexpensive rates: It takes the processing capability of multiple computers to perform mathematical calculations needed to break the passwords.

The online retailer charges users 28 cents a minute to use machines that Roth used in his attack. It would cost at least tens of thousands of dollars to purchase and maintain that equipment.

Roth said that he used his software and Amazon's cloud-based computers to break into a WPA-PSK protected network in his neighborhood. It took about 20 minutes of processing time. He has since updated his software to speed its performance and believes he could hack into the same network in about 6 minutes.

"Once you are in, you can do everything you can do if you are connected to the network," he said.

Roth said he was not publicising his discovery to encourage crime, but to change a misconception among network administrators:

"People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," he said. "But it is easy to brute force them."
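To make the arithmetic behind Roth's claim concrete, here is an added example that is neither the article's nor Roth's software. It derives a WPA/WPA2 pre-shared key the way the IEEE 802.11i standard specifies (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations, 32-byte output) and then, at the 400,000 guesses per second the article quotes, estimates how long exhausting the key space of several passphrase policies would take. The policy names and sizes are assumptions chosen for illustration; the passphrase/SSID pair used as a check is the standard's own published test vector.

```python
"""Added example (not from the article or Roth's tool): WPA/WPA2 PSK derivation
and a worst-case guessing-time estimate for passphrase policies."""
import hashlib

GUESSES_PER_SECOND = 400_000  # rate the article quotes for Roth's EC2 setup

# Passphrase policies to compare: (alphabet size, length). Assumed for illustration.
POLICIES = {
    "8 lowercase letters": (26, 8),
    "8 printable ASCII": (95, 8),
    "12 lowercase letters": (26, 12),
    "16 printable ASCII": (95, 16),
}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per 802.11i.
    The 4096 iterations are what make each guess cost something; the SSID acts as the
    salt, so a table precomputed for one network name is useless against another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every passphrase of the given alphabet and length at the given rate."""
    return alphabet_size ** length / rate


def policy_report(rate: int = GUESSES_PER_SECOND) -> dict:
    """Worst-case exhaustive-search time in days for each policy in POLICIES."""
    return {name: worst_case_seconds(size, length, rate) / 86400
            for name, (size, length) in POLICIES.items()}


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    for name, days in policy_report().items():
        print(f"{name:22s} {days:16.1f} days")
```

The figures are worst cases for truly random passphrases; a passphrase taken from a word list falls in the time it takes to try that list, which is the case Roth describes with "relatively simple passwords". The practical defence is length and randomness of the passphrase, and, for a business, WPA-Enterprise (802.1X) authentication, which removes the single shared secret that a brute-force attack guesses at.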

Monday, March 22, 2010

To fight scammers, Russia cracks down on .ru domain

In a bid to cut down on fraud and inappropriate content, the organization responsible for administering Russia's .ru top-level domain names is tightening its procedures.

Starting April 1, anyone who registers a .ru domain will need to provide a copy of their passport or, for businesses, legal registration papers. Right now, domains can be set up with no verification -- a practice that has allowed scammers to quickly set up .ru domains under bogus names.

The changes will help Russia align its rules with international best practices, said Olga Ermakova, informational projects manager with the Coordination Center for the .ru top-level domain, in an e-mail interview. The .ru administrators care about the "cleanness" of the domain, she added. "We don't need negative content, and such content is often [created] by unknown users."

Loopholes in the domain name system help spammers, scammers and operators of pornographic Web sites to avoid detection on the Internet by concealing their identity. Criminals often play a cat-and-mouse game with law enforcement and security experts, popping up on different domains as soon as their malicious servers are identified.

Criminals in eastern Europe have used .ru domains for a while, registering domain names under fake identities and using them to send spam or set up command-and-control servers to send instructions to networks of hacked computers.

With the new domain registration requirements, it will be more difficult for criminals to continue with business as usual. At the very least, the requirement that registrants must submit paper documents will make setting up domains a more costly and time-consuming process.

"It's pushing the malicious activity elsewhere," said Rodney Joffe, chief technologist with Neustar, a DNS service provider. "If it's so much of a hassle, they'll say, 'Screw it. I'm going to register another top-level domain.'"

Russia has been under pressure to clean up the .ru system, which is widely perceived as a safe haven for scammers. China made similar changes last month to the way that its .cn space is administered.

Joffe said it's too early to say how effective the .cn changes have been.

The .ru domain has been a top source of fraud of late, agreed Robert Birkner, chief strategy officer with Hexonet, a domain name service company. But even if it is cleaned up, criminals will have other places to go. Vietnam's .vn domain and Indonesia's .id have also been a problem lately, he said.

Earlier this week, representatives from the U.S. Federal Bureau of Investigation and the U.K.'s Serious Organised Crime Agency (SOCA) lobbied the group responsible for coordinating the Internet's domain name system to enforce tighter name recognition policies. Now it is "ridiculously easy" to register a domain name under false details, said Paul Hoare, senior manager and head of e-crime operations with SOCA.

Last month, a study of Internet domain name databases found that only 23 percent of records were accurate.

source: ComputerWorld.com

Mozilla confirms critical Firefox bug

Slates patch for March 30; flaw can't be used in upcoming Pwn2Own hack contest

Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.

Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.

"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."

Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30.

The bug was disclosed by Russian researcher Evgeny Legerov a month ago in a message posted on a forum hosted by Immunity, the Miami Beach, Fla. developer best known for its Canvas penetration testing framework. Legerov works for Moscow-based Intevydis, which produces the VulnDisco add-on for Canvas.

Legerov did not publish attack code, and initially refused to provide details to Mozilla, according to a March 4 entry he posted on his blog. "I've ignored e-mails ... from Mozilla, please do not waste my and your time anymore," Legerov wrote. The blog has since been deleted, but is still available via Google's cache.

In comments appended to a vulnerability alert published by Danish bug tracker Secunia, several users questioned Legerov's motives for making the announcement, while others chided Secunia for not thoroughly testing the flaw or claimed that it was all a hoax.

Mozilla yesterday said Legerov had eventually sent them "sufficient details to reproduce and analyze the issue."

Until the March 30 patch is released, users can upgrade Firefox to the beta of version 3.6.2, which includes the fix, by downloading the preview.

Although Apple and Google have recently updated Safari and Chrome, respectively -- beefing up the browsers' security before the $100,000 Pwn2Own hacking contest starts March 24 -- the version of Firefox that will be used in the challenge will lack the patch for Legerov's vulnerability. Pwn2Own will pit only production versions of Chrome, Firefox, Internet Explorer (IE) and Safari against the hacking talents of researchers.

However, that doesn't mean hackers will be able to use the bug to claim one of the $10,000 prizes for successfully exploiting Firefox. "We will have our entire research team on-site so that we can do our best to ensure that known issues such as this one do not turn up at our contest," said Aaron Portnoy, a research team lead with 3Com TippingPoint, the company sponsoring Pwn2Own.

Portnoy, who organized the fourth annual contest, has predicted that Microsoft's IE8 will be the first browser to fall during the three-day event.

Mozilla will also patch Firefox 3.0 (with 3.0.19) and Firefox 3.5 (with 3.5.9) on March 30. Firefox 3.0.19 will be the final security update for the browser Mozilla debuted in mid-2008.

Source: ComputerWorld.com

Thursday, March 4, 2010

Internet freedom and security

It's already been a busy year in the area of Internet freedom and security.

First, Google reported that it, along with a bunch of other major companies, had been hacked, and pointed the finger at China.

Then Secretary of State Hillary Rodham Clinton gave a few "Remarks on Internet Freedom" in which she pushed for one Internet, without barriers.

Separately, the Federal Trade Commission notified about 100 companies that some of their secrets had been exposed by employees who were running peer-to-peer software.

Finally, the Internet security firm NetWitness said that it had figured out that 75,000 computers at 2,500 companies had been compromised with the ZeuS Trojan starting in 2008.

Nope - not a good start to 2010. I would like to think that things will quiet down some for the rest of the year but it does not look like that will happen.

In early January, Google announced that it had been hacked from China, that the hackers seemed to be after the gmail accounts of Chinese human rights activists and that Google was going to review "feasibility of our business operations in China."

Well, that caused quite a splash. Google's accusation fit so well with the general public perception of China's approach to the Internet that it was easy to assume that the hacking was directed by the Chinese government.

Clinton did not go quite so far as to accuse the Chinese government of complicity during her speech on Internet freedom, but she did call upon it to "conduct a thorough review" of the Google hacks and that the results of the review be transparent. Clinton's speech was quite a good one from the point of view of those of us who value the positive impact of the communication enabled by the Internet.

Properly, she did not hide the fact that communication over the Internet can be used for good (human rights activists) and evil (terrorists).

Saturday, February 27, 2010

More than 100 companies targeted by Google hackers

Two months after hack, security firm says another 68 command-and-control servers have been identified

IDG News Service — The hackers who broke into Google two months ago have gone after more than 100 companies, according to an estimate by security vendor Isec Partners.

Researchers have been closing in on the unidentified criminals responsible for the attack over the past month. In the process, they have uncovered another 68 so-called command-and-control servers, used to control the hacked machines.

Investigators had already identified 34 hacked companies after examining the single command-and-control server used in the Google attack, and the discovery of another 68 servers could mean that many more companies were compromised than previously thought. "It's easily over 100 companies," said Alex Stamos, a partner with Isec Partners.

In the weeks since Google went public with details of the hack, informal discussion lists have sprung up, including security experts and staffers from companies that have been compromised. In those discussions, "that list of control machines keeps getting longer and longer," Stamos said.

The code used in the attacks, known in security circles as Aurora, has been in use for at least 18 months, Stamos said. But the security industry was unaware of Aurora until Google discovered the intrusion last December. That allowed hackers to get onto corporate networks undetected.

Other technology companies, including Intel, Adobe, and Symantec, have also been hit by the attack, which investigators have traced back to China.

To break into victim companies, the hackers sent carefully targeted e-mail or instant messages to victims, hoping to trick them into visiting Web pages or opening malicious documents that would then attack their computers.

The worst part of the attack is what happens once the initial victim has been compromised. The hackers then use a variety of techniques to acquire additional usernames and passwords and fan out across the targeted company's network, downloading sensitive data, which is then moved offshore.

This type of targeted attack is not new, but it is dangerous because it is so good at circumventing traditional security measures, said Rob Lee, a computer forensics instructor with the SANS Institute. "We've been dealing with [these attacks] for five years," he said. "They're basically going around all the security appliances via email."

Not all of these attacks have been linked to Aurora, but Lee said that "there have been hundreds of companies infiltrated."

Stamos agreed that traditional security products such as antivirus and intrusion detection systems are not enough to stop the attack. "The interesting thing to me about these attackers is they're very patient," he said. "They'll spend a lot of time writing custom malware to get around people's antivirus."

"They'll use a social network to learn about one person in the company, and then will send emails or chat messages as that person's friend," he added.

Saturday, January 9, 2010

Watchdog issues spam warning to real estate agent

Targets real estate sector.
The communications watchdog has issued a "formal warning" to Elders Real Estate Wollongong following an investigation that found the agency breached the Spam Act.

The Australian Communications and Media Authority said the real estate agent breached the Act by sending commercial electronic messages without an unsubscribe facility.

ACMA said it contacted "more than forty" head offices of real estate franchisors and companies last year to inform them of "key obligations" and "consequences of non-compliance" with anti-spam laws.

"This is the first enforcement measure taken against a real estate agent since an ACMA awareness campaign about unsolicited communications targeted at the real estate sector," said Chris Cheah, acting chairman of the ACMA.

Penalties of up to $1.1 million per day may be imposed by the Federal Court for repeat offenders of the Spam Act, ACMA said.

Chrome sets browser security standard, says expert

Dino Dai Zovi urges browser makers to follow Google's lead
All browser makers should take a page from Google's Chrome and isolate untrusted data from the rest of the operating system, a noted security researcher said today.

Dino Dai Zovi, a security researcher and co-author of The Mac Hacker's Handbook, believes that the future of security relies on "sandboxing," the practice of separating application processes from other applications, the operating system and user data.

In a Wednesday entry on Kaspersky Labs' ThreatPost blog, Dai Zovi described sandboxing, as well as the lesser security technique of "privilege reduction," as "[moving] the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox)."

The idea behind sandboxing is to make it harder for attackers to get their malicious software onto machines. Even if an attacker was able to exploit a browser vulnerability and execute malware, he would still have to exploit another vulnerability in the sandbox technology to break into the operating system and, thus, get to the user's data.

"Sandboxing raises the bar significantly enough that attackers will have to turn to other [types of attacks], like rogue anti-virus software," Dai Zovi said today in a telephone interview.

The pervasiveness of Web-based attacks calls for browser sandboxing, Dai Zovi argued. "It's crucially important because, in my opinion, the browser will become the OS," he said. "Google is the first to realize that the browser is the operating system, and Chrome is a huge leap forward with its ground-up rewrite."

Chrome has included sandboxing since its September 2008 debut. And while Dai Zovi considers it easily the leader in security because of that, other browsers have, or will, make their own stabs at reducing users' risks.

For example, Microsoft's Internet Explorer 7 (IE7) and IE8 on Vista and Windows 7 include a feature dubbed "Protected Mode," which reduces the privileges of the application so that it's difficult for attackers to write, alter or destroy data on the machine, or to install malware. But it's not a true sandbox as far as Dai Zovi is concerned.

Currently, Mozilla's Firefox, Apple's Safari and Opera Software's Opera lack any sandboxing or privilege reduction features. "Apple, for example, has implemented some sandboxing in Snow Leopard, but [although] security researchers were hoping to see some of that technology used in Safari, that hasn't happened," Dai Zovi said.

Mozilla is working on Chrome-like sandboxing for Firefox -- the project's dubbed "Electrolysis" -- but the feature probably won't make it into the browser until Firefox 4.0, which is now slated to ship in late 2010 or early 2011.

Dai Zovi sees browser sandboxing as an answer to the flood of exploits that have overwhelmed users in the past year. "This isn't perfect, but it's the direction we should be heading in," he said. "The idea of fixing every vulnerability is clearly not working. We can't always win the race to patch."

But sandboxing, or at the least, reducing the browser's ability to affect the rest of the OS, may be the way to block most attacks. "It adds more defense-in-depth and impedes attackers," Dai Zovi said.

More flash drive firms warn of security flaw; NIST investigates

The drives were certified to meet NIST standards
SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.

The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.

"It's really onerous. It's a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it," said cryptographer and computer security specialist Bruce Schneier.

Verbatim warned that the security flaw exists in its Verbatim Corporate Secure and Corporate Secure FIPS Edition series of USB flash drives; SanDisk revealed a threat related to its Cruzer Enterprise series of USB flash drives. Both companies issued online application upgrades to address the issue.

According to SanDisk and Verbatim, the security issue only applies to the application running on the host system; it doesn't apply to the drive itself or the drive's firmware. Computerworld reported earlier this week that Kingston had recalled its DataTraveler secure USB flash drives so it could update the devices because of the same issue. The Kingston models affected include the DataTraveler BlackBox, DataTraveler Secure-Privacy Edition and DataTraveler Elite-Privacy Edition.

All three companies claimed their USB drives had met security criteria set by the Federal Information Processing Standard (FIPS) 140-2. FIPS is a U.S. government standard used to accredit devices with encryption algorithms. The standard was developed by the National Institute of Standards and Technology and includes both hardware and software components. FIPS 140 covers four levels of security.

"There are lots of certifications out there, and they mean very different things," Schneier said. "These certifications are far more about marketing than they are about real security."

Storage companies tout FIPS 140-2 certification as part of their marketing materials, stating that their devices are secure enough for use by government agencies. Because of security problems in the past, however, the government has banned the use of removable flash media devices by its employees.

"What does the NIST certification mean? Is it a good standard or a bad standard? That certainly is the issue here," Schneier said. "If you look at the NIST certification, all it means ... is there's some level of tamper resistance in the hardware. Does it mean it's any good? No."

German security company SySS GmbH found the flaw when it tested the drives' security and designed code for each device that modifies the software running in the computer's memory, telling it to always authorize the password -- no matter who enters it or what it is.

Schneier said NIST will likely have to revamp its certification standards to cover the hardware-based encryption flaw found by SySS.

In a response to a Computerworld inquiry, NIST said it is aware of the vulnerability involving several FIPS 140-2-validated USB drives and is now reviewing information on the flaw.

According to NIST, the FIPS 140-2 certification only covers cryptographic modules, which scramble data into an encrypted format that is indecipherable. The data is then decrypted and retrieved only by entering the correct password, key or other means of authentication processed by the module.

"From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module certified by NIST, is the source of this vulnerability," a statement read. "Nevertheless, we are actively investigating whether any changes in the NIST certification process should be made in light of this issue."

According to Fountain Valley, Calif.-based Kingston, the security flaw involves the way the drives process passwords. According to Kingston, "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on" its DataTraveler encryption-enabled USB drives.

A Kingston spokesman said the company would not comment on any specifics surrounding the security flaw, because "anything we say [could give] other hackers fuel and clues" as to how to break into the drive's security features.

The security flaw appears to be in the password authentication process in the host computer's memory. When a new USB flash drive from one of the companies is used for the first time, software on the device tells the computer it's a CD-ROM, so that the host automatically prompts for the password that unlocks data on the device once one has been set. While the user's password is stored on the USB drive, the authentication code runs on the PC's or a server's CPU.

Ultimately, that host system's authentication password for each company is the same on all of its devices.

"So if a hacker is able to find those default set of characters, all they need to do is return those and they will have access to encrypted data on the drive," said David Jevans, CEO of high-end USB manufacturer IronKey Corp. IronKey makes USB drives using higher-cost single-level cell NAND flash memory, compared with the more typical multilevel cell NAND flash that most other manufacturers use.

Jevans agreed that FIPS certification, which IronKey also touts, is to some extent marketingspeak that's needed to sell to government agencies and private corporations. But "there's more value to it," he said.

"We don't want people implementing proprietary cryptographic algorithms, which are almost always shown to be flawed," Jevans said. "That's one benefit: FIPS specifies that you will use well-known cryptographic algorithms, and AES went through a long and detailed public evaluation."

When Kingston, SanDisk and Verbatim issued their warnings, IronKey was among a number of companies to issue statements reassuring customers that their devices were safe from the same attacks. Jevans said that's because the password and authentication process is contained on the USB drive itself and has nothing to do with the host system.

"We don't trust the computer at all," he said. "The computer could have malware on it or have hackers accessing it. In our security design, we said we have to assume the computer is completely untrustworthy. That's where we started our threat modeling."

Jevans said FIPS doesn't tell vendors how to build a secure product but assumes that the manufacturer knows what it's doing. "When I talk to our FIPS analysis guys who helped write the standard, they said they've known about this problem for a long time."

The reason current FIPS standards don't defend against the vulnerability is because in a corporate environment, being able to unlock and manage hundreds of USB flash drives with a single administrative password is useful, Jevans noted, "which is effectively what this vulnerability is."

The device password, which is unlocked by a user password, is built into the software that resides on all of the USB drives.

"You can see why, in a data center environment, that makes sense. But that's very different from millions of users walking around with these things," he said. "That's not currently contemplated with the FIPS standards and where I think they're going to be evolving it."
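To make the difference between the two designs concrete, here is an added toy model (not code from the article or from Kingston, SanDisk, Verbatim or IronKey) of a drive whose password check happens on the host beside one whose check happens on the device. The unlock constant, the KDF parameters, the lockout limit and the sample passwords are all constructed for the example.

```python
"""
HostCheckedDrive models the flawed design SySS broke: the password comparison
runs in software on the host, and the drive itself only ever checks a fixed,
vendor-wide unlock token that is identical on every unit. Whether the password
was right is a decision the drive never makes.

DeviceCheckedDrive models the design Jevans describes ("we don't trust the
computer at all"): the drive verifies the password itself and derives the data
key from it, so a modified host program learns nothing and unlocks nothing.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class HostCheckedDrive:
    """Flawed design: host software decides, the drive trusts a shared constant."""

    # Constructed stand-in for the vendor-wide unlock string; the same on every unit.
    VENDOR_UNLOCK_TOKEN = b"constructed-vendor-wide-unlock-constant"

    def __init__(self, password: str) -> None:
        # The drive stores a password hash that host software reads back and compares.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._unlocked = False

    def read_password_hash(self) -> bytes:
        return self._pw_hash

    def unlock(self, token: bytes) -> bool:
        # The drive's only check: is this the vendor constant? No password is involved.
        if hmac.compare_digest(token, self.VENDOR_UNLOCK_TOKEN):
            self._unlocked = True
        return self._unlocked

    @property
    def unlocked(self) -> bool:
        return self._unlocked


def host_software_unlock(drive: HostCheckedDrive, entered_password: str) -> bool:
    """Host-side routine of the flawed design: compare on the host, then send the constant."""
    entered_hash = hashlib.sha256(entered_password.encode()).digest()
    if hmac.compare_digest(entered_hash, drive.read_password_hash()):
        return drive.unlock(HostCheckedDrive.VENDOR_UNLOCK_TOKEN)
    return False


class DeviceCheckedDrive:
    """Hardened design: the drive verifies the password and derives the key on-board."""

    MAX_FAILURES = 10  # lock out after repeated wrong guesses (constructed limit)

    def __init__(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._failures = 0
        self._data_key: Optional[bytes] = None
        # Only a verifier derived from the master secret is stored, never the key itself.
        self._verifier = self._verifier_for(self._master(password))

    def _master(self, password: str) -> bytes:
        # Slow KDF so that guessing through the device's real interface is expensive.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    @staticmethod
    def _verifier_for(master: bytes) -> bytes:
        return hmac.new(master, b"verifier", hashlib.sha256).digest()

    def unlock(self, password: str) -> bool:
        if self._failures >= self.MAX_FAILURES:
            return False  # locked out; a real device would wipe or require a reset
        master = self._master(password)
        if not hmac.compare_digest(self._verifier_for(master), self._verifier):
            self._failures += 1
            return False
        # The data key exists only while unlocked, and only on the device.
        self._data_key = hmac.new(master, b"data-key", hashlib.sha256).digest()
        self._failures = 0
        return True

    @property
    def unlocked(self) -> bool:
        return self._data_key is not None
```

With the host-checked drive, `unlock()` succeeds for any caller that supplies the shared constant, which is exactly the property the article says SySS demonstrated; with the device-checked drive there is no such path, because the only input the drive accepts is the password itself.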

White House calls for IT boost to fight terrorism

Better technology needed to 'connect the dots' on terror-related data, says Obama report
The White House report on the failed bombing attempt of a U.S. airliner on Christmas Day highlights the challenges U.S. intelligence agencies face in correlating terrorism-related information gathered from multiple databases and sources.

The review, released yesterday, identified an overall failure by intelligence agencies to "connect the dots," despite having enough information at their disposal to have potentially disrupted the botched attack.

The problem, according to the report, was not a lack of information sharing between government agencies but a failure by the intelligence community to "identify, correlate and fuse into a coherent story all of the discrete pieces of intelligence held by the U.S. government."

In listing the various causes for this failure, the report noted that information technology within the counter-terrorism community "did not sufficiently enable the correlation of data that would have enabled analysts to highlight the relevant threat information."

Nigerian citizen Umar Farouk Abdulmutallab attempted to detonate an explosive device while onboard an international flight from Amsterdam to Detroit on Dec. 25. Though the plane landed safely, the incident sparked widespread concern over the intelligence lapses that led to his being allowed on the flight in the first place.

Prior to his having boarded the flight, Abdulmutallab's father had expressed concerns about his son's radicalization to U.S. embassy officials in Nigeria. Various other agencies had gathered information about Abdulmutallab's visiting Yemen and meeting with operatives from an Al Qaida-affiliated terror group.

The report called on the director of national intelligence to "accelerate information technology enhancements" in areas such as knowledge discovery, database integration and cross-database searches. It also called for improved capabilities for linking biographic information with terrorism-related intelligence.

Computers that don't talk to each other

The report identifies what's been a challenge for some time within the intelligence community, said James Lewis, director and senior fellow at the Center for Strategic and International Studies (CSIS). The office of the Director of National Intelligence, one of the agencies responsible for analyzing and integrating terrorism-related intelligence gathered by the U.S. government, has been struggling for years to accomplish its mission, Lewis said.

"In the past, the director of the National Counter Terrorism Center had 11 different computers because none of the computers could talk with each other," said Lewis, who led a CSIS-led group that submitted a set of cybersecurity recommendations to President Obama last January.

The DNI has been trying to address the issue by standardizing its technology acquisition, but the task still remains a work in progress, Lewis said. In this particular case, "the dots were in several different places and we haven't brought them to a single place."

The incident also highlights an intelligence culture that emphasizes secrecy over information sharing, said John Pescatore, a former analyst at the National Security Agency who is now an analyst at research firm Gartner Inc.

The State Department and intelligence agencies, including the NSA, the FBI and the CIA, all have their own processes for handing raw intelligence data that they gather, Pescatore said. Often this raw information is filtered before being passed or shared with other agencies, which results in an incomplete picture of an unfolding scenario, such as the attempted Christmas Day bombing, he said.

"The first issue isn't tools, it is what you would do with the information the tool might discover," Pescatore said. The intelligence community was developed to gather information about opponents that was to be used in attacking the opponent, he said. "Defending against kamikaze pilots, suicide bombers or airplane terrorists is not the same thing by a long shot."

Handling terrorist threats will require intelligence agencies to be more proactive in sharing information, he said. And rather than relying on threat information, the Transportation Security Administration and other consumers of intelligence information need to have a more direct role in analyzing intelligence data, he said.

Fix the culture first

More than eight years after the terrorist attacks of Sept. 11, 2001, the biggest challenge for U.S. counter-terrorism efforts continues to be cultural issues rather than technology issues, said Bruce Schneier, a noted security expert and chief security technology officer at BT Group PLC.

"The intelligence community has been optimized to fight the Cold War, where secrecy was paramount," Schneier said. "That kind of secrecy doesn't make sense any more. You need more openness and collaboration and sharing," he said. While it is conceivable that IT enhancements could boost data correlation abilities, the fundamental issue that needs to be overcome is cultural, he said.

Unlike Cold War foes such as the Soviet Union, Al Qaida and other adversaries are decentralized and poorly funded. "Our intelligence organizations need to trade techniques and expertise with industry, and they need to share information among the different parts of themselves," Schneier said.

"Today's terrorist plots are loosely organized ad hoc affairs, and the dots that are so important for us to connect beforehand might be on different desks, in different buildings, owned by different organizations," he said. "What we need is an intelligence community that shares ideas and hunches and facts on Facebook, Twitter, and wiki. I'm not advocating that the CIA and NSA open its networks to everyone, but they need to bring Web 2.0 tools into their own classified networks."

Sunday, February 22, 2009

Would a server by any other name be as functional?

When I graduated from college, my parents bought me a new computer as a graduation gift (a Power Computing Mac clone, if you remember that odd little interlude in Apple's history). It was an order of magnitude more powerful than my Mac Plus, and I was so thrilled to have it that I decided that it would be auspicious to christen it. Since I was in grad school studying ancient history at the time, I changed the name of the hard drive from whatever the boring default was (it may have actually just been "HARD DRIVE") to "Kleopatra," using the more correct Greek spelling of the ancient queen's name.

Over the next few years -- especially after I fled academia -- I wondered if maybe I should cast aside this little bit of whimsy, but I did like thinking of my computer as more than just another grey-beige box of silicon taking up desk space. So Kleopatra stayed, and when I got a second internal hard drive, I named it after her husband Marc Antony, just to keep her company. I thought that this affectation made me unique and just a little bit weird. But then I got my first real job.

The job was as a copy editor at a San Francisco Web publishing startup, and I quickly learned that all of the Unix servers upon which our internal and external processes depended had names. And not boring names like PRODUCTION_SERVER; these machines were all named after African nations. This didn't exactly turn every trip into the office into an exotic vacation, but dealing every day with machines named Rwanda and Angola at least gave us something concrete to rant about when tech difficulties beset our work. (I hope the good people of Angola weren't hurt by the invectives we hurled when their country's namesake computer went out of commission for good, leaving us in two weeks of limbo before we eventually replaced it with Congo.) But more to the point, it taught me about the feeling of hominess and community you get from a consistent naming system for your machines.

It's possible to give them too much personality (photo by c.j.b.)

When our business unit was merged with another one back east, and they started foisting their own, non-geographical naming conventions onto us -- well, that's when we knew that an era was ending.

The spy who named me

As it happens, such a naming system wasn't unique to our little office. Sandra Henry-Stocker was our company's Unix admin when I started that job, though she wasn't the originator of the African naming scheme. However, she did once work with a similar server naming scheme at another workplace with a slightly more exciting mission. "When I worked at the CIA," she says, "the office I worked in named its servers after states -- like Alaska and NewHampshire. We'd briefly considered wineries, but figured most of the staff would have no hope of pronouncing them, so we abandoned that idea pretty quickly."

It didn't stop there, though: "Client systems in each subnet were named after cities in the associated states. So we had systems with names like Juneau and Portsmouth. Some analysts grumbled that they wanted to 'move,' but it was easy to tell which subnet a particular analyst was on just by knowing his or her workstation's name and a bit of geography. The funny part was the looks I'd get in the elevator when I'd say to a coworker with a tone of annoyance something like 'I don't know what we're going to do about Maine! We're seeing crashes every day now.'"

It seems that this concept -- giving your servers a naming system that is at once arbitrary and consistent -- is a near-universal one, either passed down from admin to admin or reinvented dozens of times over the years. There are thousand-post Slashdot threads on the subject, and enthusiastic user discussions at O'Reilly and ISP discussion sites. What's really interesting to me is how these arbitrary conventions can take on a life of their own and affect how we think about the machines we use every day, like they did for Henry-Stocker's CIA analysts who wanted to move to better "locations."

Sometimes mere names can get downright philosophical. Lee Mandell, now the president of communications agency Matlin Mandell, recalls, "At a small agency I worked for back in the dot-com days we named our servers after quarks. Thus our file server and its mirrored backup were TRUTH and BEAUTY, because, after all, 'Beauty is truth, truth beauty -- that is all Ye know on earth, and all ye need to know.' And our Web server and its mirrored backup were UP and DOWN. Unfortunately I never got the chance to say to my boss that, due to a server crash, UP was down -- but don't worry because DOWN is up."

However, naming schemes can go beyond whimsy and enter what strikes me as enabling. "At my current agency," says Mandell, "we name all our computers after playwrights. Notably our main file server was named O'Neill. It was always problematic, given to disk crashes (twice), BSOD lockups and slowness. 'But,' my partner once said to me, 'what else would you expect from a server named after an alcoholic depressive?'" Would a box merely named FILESERVER1 have been so indulged? Fortunately, since O'Neill was just a server after all and not a beloved family member or Nobel-winning playwright, it was not confronted in an elaborate intervention, but eventually merely replaced. Kaufman, the new server, "is doing just fine," Mandell reports.

Method to the madness

Is there something more to this than just whim, and an aid to anthropomorphism that may or may not be healthy? Perhaps. Sandra Henry-Stocker describes the arrangement at her current workplace. "The naming scheme, largely resulting from the fact that one of our prior sysadmins was a diver, started with Caribbean Islands -- like StCroix and StBarts -- and then moved to the Mediterranean with names like Malta and Sicily. One of the other development groups uses a naming scheme that mimics the project and system types. So we have systems named gwx1a and gwx1b where the 'gwx1' stands for 'Gateway Netra X1'. These names are so boring and easily confused (e.g., did you just say 'gwx1b' or 'gwx1d'?) that the users all refer to them by their IP addresses! The islands, on the other hand, seem to invoke some enthusiasm on the users' part. In fact, we often refer to them as 'the islands' rather than 'the servers.'"

I think there's a couple of important data points in this story. The first is that server names that seem "logical" to a particular kind of very systematic and linear computer geek -- like gwx1 -- are actually pretty difficult to remember. Our language-focused brains aren't really built to accommodate them. (It's a really bad sign when your naming scheme is less user-friendly than IP addresses!)

It's also interesting to note that enthusiasm for one scheme -- in this case, the islands -- can inhibit the adoption of another scheme viewed as inferior. Presumably the more enthusiastic you are about one, the less likely you are to brook changes. "Sometimes it seems people pay nearly as much attention to this as to how they name their kids!" says Henry-Stocker. And that reminds me of another situation I heard about second-hand. A former roommate was a research scientist, and in the department where he worked, most of the servers were named after chemical elements; however, my roommate's boss wanted to keep things a little closer to home -- so he named his group's servers after his own theories.

The march of history

And what about Kleopatra? The Egyptian queen died famously of a snakebite suicide; my Power Computing machine went less glamorously, to a tinkerer from a Mac mailing list who volunteered to take her off my hands. She was followed by a series of ancient rulers, with gaps of a few centuries between each; there was Theodosius, then Justinian, and my current laptop is named Heraclius, after the 7th-century Byzantine emperor. I even have a little ecosystem going on at home: my Wi-Fi access points, set up when I had my previous computer, are named Belisarius and Narses (after Justinian's great generals) and my iPhone is named Niketas (after Heraclius's cousin).

When my wife wanted to name her phone Pinky, rather than after some ancient figure, I didn't make too much of a fuss, even though it wounded me inside. I have something bigger to worry about: if I jump forward a few centuries with every new computer, what do I do when I catch up with the present?


Wednesday, February 18, 2009

Hackers attack IE7 flaw

Less than a week after the last round of Microsoft Internet Explorer patches, security experts are already warning that exploit code is in circulation.

The particular flaw, MS09-002, is being exploited using a specially crafted Word document which is emailed to users. Once opened it installs malware onto the target system, including a Trojan to allow the malware to update itself.

"Several anti-virus vendors reported MS09-002 exploits in the wild. We can confirm that the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working on an unpatched Windows XP machine," said Bojan Zdrnja of the SANS Internet Storm Center.

"Initially there was some confusion about this attack as most anti-virus vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document.

"That being said there is absolutely nothing preventing attackers from using the exploit in a drive-by attack and we can, unfortunately, expect that this will happen very soon."

The first malware to exploit the flaw appears to have been reverse-engineered from the patch rather than to have existed before the patch was announced, experts said. The malware collects information from infected computers, encrypts it and sends it to a server in China.

The short turnaround time from patch to malware will leave IT administrators racing to update corporate servers in time, and they are advised to warn users about potential threats.

Saturday, February 14, 2009

Curiosity drives Twitter "social virus"

If you were hanging out on Twitter today, you probably noticed a lot of very similar Tweets coming through, saying "Don't Click" followed by a shortened URL.

Many people, upon receiving that Tweet, immediately clicked the link, which took them to a page with a "Don't Click" button. And when they clicked on that button (assuming they were logged into Twitter in their web browser) they ended up posting a Tweet from their account. This Tweet repeated the original message: "Don't Click" followed by a shortened URL. Which all their Followers clicked. And so on.

The end result of this was huge numbers of "Don't Click" Tweets, a lot of puzzlement on the part of the Twitter community, and nothing more serious. This time at least.

The security community immediately got to work investigating the event and found that it was accomplished via clickjacking. Chris Shiflett has done a great job of explaining the exploit, as has Sunlight Labs. This wasn't a case of using clever JavaScript or any scripting at all. It was done with an IFrame, pulling the Twitter page into the "Don't Click" page and populating the Status Update box on the Twitter page. However, the IFrame was rendered invisible via CSS. You thought you were clicking the "Don't Click" button on the page, but you were actually clicking the (now invisible) Update button on the embedded Twitter page. If that went over your head, the links above step through it much more clearly.

To their credit, the Twitter engineers blocked the problem very quickly, and no real harm was done. But their fix isn't bulletproof, as Jeff Jones discovered.

In some ways, the most interesting part of this story was the way the "virus" was distributed. Apparently the very best way to get people to click on something is to label it "Don't Click"!


Tuesday, February 10, 2009

Hackers clone passports in drive-by RFID heist

A British hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco.

Chris Paget, director of research and development at Seattle-based IOActive, used a US$250 Motorola RFID reader and an antenna mounted in a car’s side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration.

During the demonstration he picked up the details of two US passport cards, which are fitted with RFID chips and can be used instead of traditional passports for travel to Canada, Mexico and the Caribbean.

“I personally believe that RFID is very unsuitable for tagging people,” he said.

“I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped.”

Using the data gleaned, it would be relatively simple to make cloned passport cards, he said. Real passport cards also support a 'kill code' (which can wipe the card's data) and a 'lock code' that prevents the tag's data from being changed.

However, he believes these are not currently being used, and even if they were, the radio interrogation is done in plain text, so it is relatively easy for a hacker to collect and analyse.

The ease with which the passport cards were picked up is even more worrying considering that less than a million have been issued to date.

Paget is a renowned ‘white hat’ ethical hacker and has made the study of the security failings of RFID something of a speciality.

In 2007 he was due to present a paper on the security failings of RFID at the Black Hat security conference in Washington but was forced to abandon the plans after an RFID company threatened him with legal action.

He points out that RFID tags are increasingly being used in physical security systems such as building access cards, and that the technology needs significant security added before it could be considered safe for commercial use.

Copyright © 2009 vnunet.com