Thursday, March 20, 2008

Hackers find a way to crack popular smartcard in minutes

People are starting to wake up to the fact that RFID-enabled smartcards now can be far more easily, and cheaply, cracked than ever before, as a trio of young computer experts recently showed.

These are a particular type of processor-embedded cards, and are different from credit cards. The actual decryption work by the researchers was done on the widely deployed Mifare Classic wireless smartcard, now manufactured by a Philips spinoff, NXP Semiconductors. Decrypted, the cards can be counterfeited, and users' personal and bank data is exposed. >> More ..

US Law makers voice concerns over cybersecurity plan

Members of the House of Representatives sought details on Thursday of a $30 billion plan to secure federal government systems and upgrade network defenses to ward off attacks from foreign nations and online criminals.

Known as the Cyber Initiative, the Bush Administration project would dramatically reduce the number of interconnections between federal government networks and the Internet and put more advanced network security in place to monitor data traffic for signs of malicious attacks. While the 5- to 7-year project could dramatically improve the network defenses of government agencies, law makers questioned whether the initiative will be too little, too late, and whether the resulting network monitoring could undermine privacy.

"It's hard to believe that this Administration now believes it has the answers to secure our federal networks and critical infrastructure," Representative Bennie Thompson (D-MS), chairman of the House Committee on Homeland Security, said in prepared remarks at the opening of the hearing on Thursday. "I believe cybersecurity is a serious problem -- maybe the most complicated national security issue in terms of threat and jurisdiction. This problem will be with us for decades to come." >> More ...

Trend Micro Hit by Massive Web Hack

Security vendor Trend Micro has fallen victim to a widespread Web attack that splashed malicious software onto hundreds of legitimate Web sites in recent days.

A Trend Micro spokesman confirmed that the company’s site had been hacked Thursday, saying that the attack took place earlier in the week. "A portion of our site -- some pages were attacked," said Mike Sweeny, a Trend Micro spokesman. "We took the pages down overnight Tuesday night -- and took corrective action." >> More ..

Tuesday, March 11, 2008

Chinese hackers: No site is safe

ZHOUSHAN, China (CNN) -- They operate from a bare apartment on a Chinese island. They are intelligent 20-somethings who seem harmless. But they are hard-core hackers who claim to have gained access to the world's most sensitive sites, including the Pentagon.

In fact, they say they are sometimes paid secretly by the Chinese government -- a claim the Beijing government denies.

"No Web site is one hundred percent safe. There are Web sites with high-level security, but there is always a weakness," says Xiao Chen, the leader of this group. >> More ..

Cyber Preparedness Symposium Leaves Unanswered Questions

WASHINGTON -- National Symposium on Unifying Cyber Preparedness Efforts -- Leaders of industry and academia today agreed that they need to work better together to prepare for cyber security threats. They just didn’t seem sure how to do it, or exactly what the threats are.

In a microcosm of the cross-industry, cross-disciplinary problems that it was called to help resolve, the symposium demonstrated a desire among some sectors to improve the security situation in the U.S., but few concrete ideas on how to coordinate the so-called “silos of excellence” that remain disconnected across the country.

Indeed, the panelists and participants showed little agreement on what “cyber preparedness” really means -- the half-day discussion meandered from defending against attacks on the nation’s government and infrastructure to resolving specific vulnerabilities on end-user PCs.

The idea was to discuss how government, industry, critical infrastructure providers, Congress, and academia can work together to build a cross-disciplinary effort to prepare for cyber threats. >> More ..

Saturday, March 1, 2008

Forgotten IT chores may have led to bank meltdown

While the protection of CII is often focused on external and internal threats, the simple, basic security practices must still be followed to ensure there are no loopholes in the system that can be exploited. Employees should generally be trusted (if not, you have a bigger problem in your organisation). However, segregation of responsibilities and management controls are still important practices that must be enforced.

In January 2008, a French bank incurred huge losses due to poor enforcement of internal controls and segregation of responsibilities. The losses were the result of an employee ... who was doing his job!

The huge losses reported by French bank Société Générale, apparently caused by a rogue trader with inside knowledge of the bank's procedures, don't necessarily point to an IT systems failure but rather to poor management of those systems, analysts say.

The bank has accused 31-year-old employee Jerome Kerviel of creating a fraudulent trading position in the bank's computers that ultimately caused it to lose around €4.9 billion (US$7.3 billion).

Kerviel achieved this by, among other things, misappropriating computer passwords, the bank said. It has revealed few other technical details of what caused the losses.

Management of passwords, including rescinding the old passwords of employees who move to different positions within the bank, or modifying the level of access those passwords allow, is often a task given to the lowest-level IT worker.

"It's dull and routine 99 percent of the time, but a vital backstop," said Bob McDowall, senior analyst at the TowerGroup. Senior IT managers should conduct more frequent reviews of password policies, he said.

In some cases, it may not have been the security of the passwords themselves that posed a problem, but rather the access those passwords allowed, said Ian Walden, professor of information and communications law at Queen Mary, University of London.

Organizations tend to think of access as being binary in nature: you get access to it all, or you don't, Walden said. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated."

To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk.

IT departments and business managers have yet to find a way to wrap security into business processes so it is not an impediment, Walden said. >> More..
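As an added illustration (not code from the article, the bank, or the analysts quoted): a small Python model of the controls described above, with per-permission rather than all-or-nothing access, a segregation-of-duties rule between the trading and validation roles, and revocation of every old entitlement when an employee transfers. The role and permission names are constructed assumptions.

```python
# Added example: role-based access with segregation of duties and
# revocation on transfer. Roles, permissions and the conflicting pair
# are constructed for illustration, not taken from any real system.
from dataclasses import dataclass, field

ROLE_PERMISSIONS = {
    "trader":        {"trade.create", "trade.amend"},
    "middle_office": {"trade.validate", "limits.view"},
    "risk_control":  {"limits.view", "limits.set"},
}

# Role pairs one person may never hold at the same time.
CONFLICTING_ROLES = {frozenset({"trader", "middle_office"})}


class SegregationViolation(Exception):
    pass


@dataclass
class AccessPolicy:
    roles: dict = field(default_factory=dict)  # user -> set of held roles

    def assign_role(self, user: str, role: str) -> None:
        held = self.roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in CONFLICTING_ROLES:
                raise SegregationViolation(f"{user}: {existing} conflicts with {role}")
        held.add(role)

    def transfer(self, user: str, new_role: str) -> None:
        # A move between positions drops every old entitlement first,
        # so nothing from the previous desk is carried over.
        self.roles[user] = set()
        self.assign_role(user, new_role)

    def can(self, user: str, permission: str) -> bool:
        # Decision per permission, not binary "all or nothing" access.
        return any(permission in ROLE_PERMISSIONS[r]
                   for r in self.roles.get(user, ()))

    def audit_conflicts(self) -> list:
        # Periodic review: users whose current roles (e.g. loaded from a
        # legacy system) violate a segregation rule.
        return sorted(u for u, held in self.roles.items()
                      if any(frozenset({a, b}) in CONFLICTING_ROLES
                             for a in held for b in held if a != b))
```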

Half of 2006 vulnerabilities still unpatched

It is important that when vendors release patch updates, these are applied to prevent weaknesses from being exploited, which, depending on how the system is set up, can cause major interruptions to infrastructure. Despite this, organisations still lack the diligence to keep up with applying patches.

More than 3600 vulnerabilities discovered last year remain unpatched, according to a study.

The IBM Internet Security Systems (ISS) X-Force report for 2007 found that of the 6437 vulnerabilities discovered, 20 percent of those targeting Microsoft, Apple, Oracle, IBM and Cisco were still in the wild up to 12 months later.

More than 50 percent of the remaining 6200 flaws targeting other solutions currently remain unpatched. >> More....