May 18th, 2002, 09:35 PM
Security News Network
New MIT Technique Enables Realistic Alteration of Video
contributed by lafcadio (May 17, 2002 2:21 pm EST)
MIT scientists have developed an automated method for altering videos such that volunteers in a laboratory could not distinguish the real videos from the altered videos. Given 2-4 minutes of a person speaking on video, the researchers are able to modify speakers' facial expressions so that it appears they are speaking completely different words, even different languages.
While the method has its limitations -- it only works well on stationary videos with the speaker facing forward, and does not generate audio or mimic emotions -- it is a significant improvement over previous work in the field, which is noticeably computer generated.
The impact this technology will have on the submission of video evidence in court and the credibility of video broadcasts in the media remains to be seen. Certainly, it will prove useful, and profitable, in the realm of movies, video games and television.
- Boston Globe (requires payment)
- Early Research Whitepaper (1997)
Insecure WLANs at the Defense Agency
contributed by Black Adder (May 17, 2002 2:21 pm EST)
The security cameras at the HQ of the agency responsible for the U.S. Defense Department's global network and classified command and control systems use an insecure wireless network.
Not only is the SSID of the access point easily gleaned, but the WLAN is also not using WEP, i.e. it is not encrypted.
So, I guess in the next James Bond movie they will hack the camera's wireless network to subvert the images.
Ferrari Victim of Drive-By Hacking
contributed by Rex (May 15, 2002 12:57 pm EST)
An article from the "Register" indicates that crackers are taking hacktivism to new levels. Some motorsports fans have protested Formula 1 team tactics by hacking the ferrari-group.com web site. I guess it's a good thing these guys don't have a political agenda.
John Leyden for The Register reports:
Defacers turned motor sport fans yesterday in a protest against the controversial decision to gift Michael Schumacher victory at the Austrian Grand Prix. Ferrari-group.com was defaced by a group called S4t4n1c_Souls after the race with a profane message criticising Ferrari's management for ordering Rubens Barrichello, who dominated the race, [to] make way for Schumacher on the last corner, handing him an undeserved victory.
"BARRICHELO ROX FERRARI SUX," the message reads, in part. Defacement archive Alldas.org records eight attacks against Ferrari in recent months. Drivers have been handed victory before, but the end of the race at the A1 ring [...] has sparked particular criticism because it was seen as a particularly cynical ploy, that went against any notion of sportsmanship in F1...
- Crackers deface Ferrari
Canada To Hire More Hackers
contributed by Black Adder (May 14, 2002 1:08 pm EST)
Canada's electronic spy agency has just acquired an additional $280m to hire new staff members. The Communications Security Establishment (CSE) is interested in hiring hackers to expand its current espionage team in the wake of the September terrorist attacks.
Among other things, the CSE monitors telephones, faxes, satellites, computer traffic, and foreign radio (Are they the only ones who listen to the BBC?).
- Communications Security Establishment
Old Worms Die Hard
contributed by scarielli (May 8, 2002 1:29 pm EST)
When Nimda and Code Red first hit the Internet last year, users were once again reminded of the importance of patching systems. News stories on the worms were rampant, and many companies struggled to control the damage and install the latest patches. After a while, the publicity died, but Code Red and Nimda are still out there, and according to a study by Arbor Networks, are still hitting new targets. The Arbor study noted that Nimda is still hitting vulnerable systems at a steady rate, while the rate of Code Red II infections has actually increased in the last month.
That so many systems remain unpatched and vulnerable, even after the whirl of publicity last year, is unsettling. If the initial repercussions of Nimda didn't convince system owners of the need to stay up to date on patches, what will? Recently, there has been some debate on whether software companies should be held liable for shipping products with serious security vulnerabilities. The analogous area of debate might be whether companies with unpatched systems should be held liable for spreading viruses and worms.
- CNN: 'Nimda,' 'Code Red' still alive and crawling
Viral "Marketing" Through Malware
contributed by J.C. Patilla (May 7, 2002 2:09 pm EST)
So-called viral marketing gets ugly when a company decides to exploit a browser security vulnerability to collect information on unknowing site visitors. Visitors to Flowgo, which bills itself as the leading family entertainment portal, recently became the victims of a particularly pernicious pop-up ad campaign.
The pop-up ad redirected unsuspecting browsers, who were offered no choice in the matter, to a booby-trapped web site called KoolKatalog. The KoolKatalog site exploited a known flaw (see MS00-075) in the MS Internet Explorer virtual machine (VM) to begin covertly downloading files onto the victim's computer.
Virus experts estimate that tens of thousands of users have had their personal PCs back-doored by the KoolKatalog malware. Several virus detection software vendors have added the apps to their scanning databases.
- Salon: The pop-up ad campaign from hell
- Symantec: Backdoor.Autoupder
Melissa Virus Author Sentenced to 20 Months
contributed by Stephen Scharf (May 1, 2002 1:09 pm EST)
After causing millions of dollars in damages by releasing a virus "by mistake", David Smith was sentenced on Wednesday to 20 months in a federal prison and fined $5,000. Smith was able to avoid a more severe penalty of up to 5 years in prison by co-operating with investigators in the pursuit of "thwarting other virus creators".
- AP: 'Melissa' Virus Maker Gets 20 Months
- MSNBC: 'Melissa' creator gets 20 months
- CNN: Creator of 'Melissa' virus sentenced to 20 months
DMCA...What is it Good For?
contributed by Eric Karofsky (May 1, 2002 12:52 pm EST)
The Digital Millennium Copyright Act (DMCA) continues to baffle the industry. Scott Bradner, of Network World, writes about yet another problem in the act – "Internet radio stations will soon have to pay royalty fees on the material they stream to listeners." Who will pay for this? The advertisers? The listeners? Probably no one – which could yield the end of Internet broadcasting.
Here's another example, which hits closer to home for the security industry. In short, the DMCA allows a licensee to reverse engineer software to detect security flaws. This is in conflict with virtually every license agreement that specifically states that reverse engineering is in violation of the agreement. Too bad that license agreements (contract law) preempt legislation. Therefore, is the DMCA moot? While most applaud the objectives of the DMCA, will it ever satisfy its noble intentions or just be a useless piece of legislation that only hurts the people it was trying to protect?
- Network World Fusion: "Subscription Only?"
Employees are Biggest Security Threat
contributed by Si (Apr 30, 2002 1:27 pm EST)
This may not come as a surprise, but the UK Department of Trade and Industry's annual Information Security Breaches report says that 48% of large companies blame their most serious security incident on employees. Compare this to the previous year's report when 75% of companies blamed external attacks.
Now that most companies are using firewalls - and now that some companies even keep their externally visible servers patched and up to date - the easiest way to attack a corporate network is from the inside.
Preventing this kind of attack is a difficult problem. Restricting employees' access to sensitive systems while still allowing them the access they need to do their jobs is a tricky balancing act. The more services a computer provides, the more likely it is that one of those services will have security vulnerabilities that can be exploited by an internal attacker.
- BBC News: Employees seen as computer saboteurs
Investigation begins in Australia
contributed by Edgar Legarda (Apr 29, 2002 5:21 pm EST)
Australia's largest computer investigation has begun in New South Wales to find the hackers responsible for gaining access to Optus Internet Services' 400,000 user accounts. Originally, reports claimed that only user logins and passwords were compromised. However, PC World Australia recently alleged that a user's credit card information had been stolen and posted on the Internet. Another user claimed that they had Aus$500 stolen from their credit card account.
- InfoSecurity News: Australian ISP Accounts Hacked
- PC World Australia
contributed by Black Adder (Apr 26, 2002 3:27 pm EST)
Earlier this week an FAA system was penetrated by hackers who were able to download unpublished information on airport passenger screening activities, federal officials confirmed Thursday.
The hackers, known as the "Deceptive Duo", defaced the compromised web site with a message stating that they are "two US Citizens that understand how sad our country's cyber-security really is". They also called for better security - "Tighten the security before a foreign attack forces you to,"..."At a time like this, we cannot risk the possibility of compromise by a foreign enemy."
Several screen shots were also available on the web site demonstrating the information the hackers were able to collect from the compromised system. One of the interesting screen shots was of an Access database file that listed screener information, including 3-letter airport codes, FAA inspector names, screener I.D. numbers, the number of passengers each screener had handled, and the number of guns, explosives, or chemicals he or she intercepted.
The issue here is why that kind of information is available on a public facing web server without any proper protection...
- SecurityFocus: FAA Confirms Hack Attack
- Alldas Mirror of the defacement
contributed by Paul Kvanvig (Apr 25, 2002 5:28 pm EST)
There has been a decrease in successful Denial of Service attacks against major Internet sites since the widely publicized attacks against Yahoo, Amazon, and Microsoft in 2000 and 2001. However, this morning MSNBC was unavailable due to a SYN flood attack.
New Distributed Denial of Service software continues to be developed, with attack enhancements that make it increasingly difficult to characterize and block. Furthermore, sophisticated control mechanisms hamper efforts to find those responsible, as these attacks are outlawed under the National Information Infrastructure Protection Act of 1996.
Many resources exist for those who must defend against Trinoo, TFN, TFN2K, Stacheldraht and Trinity based attacks. Unfortunately, some defense plans still require significant time to distinguish between malicious and legitimate traffic.
Several security luminaries have proposed mechanisms that would improve the ability to trace packets as they travel through the Internet. While these techniques are debated, it is important to remember that it's everyone's responsibility to secure their systems and networks to avoid their use in an attack.
- MSNBC.com briefly bumped off line
- Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
- Policing and Shaping Overview
- Distributed Denial of Service (DDoS) Attacks/tools - David Dittrich
- Advanced and Authenticated Marking Schemes for IP Traceback
Client Side Security Analogy
contributed by John Nye (Apr 23, 2002 2:12 pm EST)
Whether it's frequent flyer miles, discounts for using merchant branded credit cards, or S&H Green Stamps at the grocery store; customer loyalty programs are a common building block of the business to consumer relationship. Hands down, the most enjoyable such program is the 'beers around the world' club common to many a college town pub. From the Hong-Kong in Harvard Square here in Cambridge to Raleigh's on Telegraph Avenue in Berkeley, students who manage to consume one of each beer sold by these well-stocked establishments celebrate their achievement by receiving a commemorative plaque or T-shirt.
To track each customer's progress such pubs typically issue a card listing the required beverages. Customers present their cards at each purchase, whereupon the server marks the beverage as sold. Once the requisite libations have been consumed, the customer shows the card to the bartender as proof of their accomplishment.
However, one Boston area pub with plans for giving beer mugs to their thirstiest customers is hesitant to issue this type of loyalty card. During a lively debate over the merits of initialing the card vs. punching a hole in it, the bartender sagely observed, "No matter what we do, the MIT students will find a way to get their free mug without drinking all the beers. The only way this will work is if we keep the cards behind the bar."
The moral of this story? Client side security is always fallible. So, the next time you're designing an application, think about the cookies, session IDs, Java applets, and hard-coded values you place in the hands of your end users. You may just want to take the advice of an experienced publican and keep them behind the bar instead.
US Government to Test Passport Services
contributed by Patrick Madden (Apr 19, 2002 5:11 pm EST)
Two separate articles covering Microsoft Passport are in the news this week. The common thread: people are signing up for Passport not for its authentication functionality, but instead because they are compelled to do so by the applications they want or need to use.
The first article, from ZDNet, explains just this fact, discussing Gartner Group survey results showing that a mere 2% of respondents said they use Passport for convenience in authenticating to multiple web sites. Gartner asserts that most of the respondents stated their reason for signing up was that doing so was prerequisite to using a service. [Some services require users to register simply to obtain rates, fares, or schedules, when one could obtain the same information anonymously over the phone or in person.]
The second article, from the Seattle Times, tells us that the US Government is planning to roll out test services based on Passport in September. Authentication via Passport will be a prerequisite for businesses and citizens wishing to use these services to conduct government business and obtain online information. One of the big drawbacks to this plan, though, is that custody of people's online identities will impose significant liability on Microsoft in cases of fraud or identity theft. The final outcome remains to be seen, but one wonders how long it will be before Congress considers legislation absolving identity warehouses from most liability and places all risk for a mandatory system into individuals' laps.
In a world where people's PCs suffer from trojan horses, worms, and viruses, one wonders whether the government has considered attacks against client platforms as a key element in the overall threat model in its applications.
All users want to be secure, yet the vast majority of them are unable to manage critical aspects of security that they don't understand, such as authentication technologies installed on their machines. (This is one of several reasons that browser client certificates have fallen far short of global acceptance.) Reliance on technologies they don't understand leaves users vulnerable to attacks. Add the compelled use of the technology, either by the government or by companies that may have no need for authentication other than to build lists of users: the end result is that users are effectively put between the proverbial rock and a hard place if they want to get anything done.
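The "keep the cards behind the bar" point from the Client Side Security Analogy item above, as an added Python example that is not part of the original post: a loyalty tally trusted straight from the client's cookie, the same tally signed with a server-held key so edits are detected, and the tally kept server-side behind an opaque token. The key, the cookie layout and the token format are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: a "beers around the world" card as client-side state.

# Naive version: the tally lives in the cookie and the server believes it.
def naive_card_done(cookie: str, required: int) -> bool:
    return int(json.loads(cookie)["beers"]) >= required

# Version 1: the card still travels with the client, but it carries an HMAC
# made with a key only the server holds, so any edit fails verification.
SERVER_KEY = b"example-key-kept-behind-the-bar"  # assumed; store it server-side only

def issue_card(beers: int) -> str:
    body = json.dumps({"beers": beers}, separators=(",", ":"))
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def signed_card_done(card: str, required: int) -> bool:
    body, _, tag = card.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered or forged card: reject, never trust the tally
    return int(json.loads(body)["beers"]) >= required

# Version 2: keep the card behind the bar. The client only holds a random,
# unguessable token; the tally itself never leaves server-side storage.
CARDS: dict[str, int] = {}

def new_token() -> str:
    token = secrets.token_urlsafe(16)
    CARDS[token] = 0
    return token

def record_beer(token: str) -> None:
    CARDS[token] += 1  # only the server can advance the tally

def server_card_done(token: str, required: int) -> bool:
    return CARDS.get(token, 0) >= required
```

The naive check accepts whatever number the client writes; the signed card rejects an edited tally, and the server-side card has nothing on the client to edit at all.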
May 22nd, 2002, 02:30 PM
Wow... That's a lot of news... Wouldn't it be easier if you split it up into several posts? It certainly would be easier to have a discussion about each story instead of all of them at once. Just a thought...