November 29th, 2006
Just another hack attack, via SecurityFocus
A fan of the music group Linkin Park appears to have hacked into the lead singer’s mobile phone web account, stealing the phone bill, call records and digital photos taken using the phone.
Yeah, so what’s the big deal? Why am I suggesting it might be time to panic?
The explosive attack on the privacy of the band member reportedly came from Devon Townsend, an obsessed fan working inside Sandia National Laboratories.
Sandia Labs is part of the Nuclear Regulatory division of the Department of Energy… These are the folks that are dealing with the safety and security of our nuclear weapons.
If there’s someone working there that can get this obsessed with Linkin Park, what else do you think might go on there?
Posted in rants by Peter Hesse | 1 Comment »
November 24th, 2006
From this article, a nifty way to protect your passwords at public terminals.
But even more interesting is the digg discussion on the topic.
Posted in privacy by Anil Polat | No Comments »
November 22nd, 2006
I found a link to this list through a series of links back to a friend’s LiveJournal. But OS X has almost no ‘standard’ security features.
These features are simple things like stack and heap protections. Anyone want to volunteer good code to OS X?
Posted in Uncategorized by Laura Raderman | No Comments »
November 21st, 2006
Funny quote:
“The copies available for download are not final code and users should avoid unauthorized copies which could be incomplete or tampered. This unauthorized download relies on the use of pre-RTM [release-to-manufacture] activation keys that will be blocked using Microsoft’s Software Protection Platform. Consequently, these downloads will be of limited value,” the statement said.
Are they suggesting that users wait for the complete version before downloading illegal copies?
Probably not, but a small chuckle nonetheless.
“Microsoft is happy that customers are eager to begin using Windows Vista,” the company said.
Posted in Uncategorized by Anil Polat | No Comments »
November 20th, 2006
Try looking online to find some good security news. Come on…I dare you.
That’s what I did today – as it is a somewhat slow news day.
You know the old saying, “lead by example”; well, that’s hard to do for the public if there aren’t many good examples.
Oh well, I suppose,
Man Doesn’t Have Identity Stolen because he Patched Windows
doesn’t make for interesting reading…
Posted in rants by Anil Polat | No Comments »
November 17th, 2006
Bruce Schneier has a blog post about attacking bank-card PINs.
Basically, the paper describes an inherent flaw with the way ATM PINs are encrypted and transmitted on the international financial networks, making them vulnerable to attack from malicious insiders in a bank.
Just the fact that there are standalone ATMs in places like bus stations, seedy bars, and convenience stores worries me. Any bank in the whole ATM network could be the weak link.
Posted in rants by Peter Hesse | No Comments »
November 17th, 2006
...have been cracked (in less than 48 hours, I might add).
Posted in privacy by Anil Polat | No Comments »
November 16th, 2006
To make up for the slow progress on SecurityMusings recently, here’s one mega-post with bunches of links.
First off, PGP is 15 years old. The technology that started to put security and crypto into the average user’s hands has reached a pretty significant milestone, and deserves some recognition.
Next is not specifically security related — it is how much of an IT disaster the electronic health records management system at Kaiser is. Aside from the problems of downtime and amazingly high ($4B) cost, it seems that it’s beginning to affect patient care, which is a Very Bad Thing. Although we don’t work with Kaiser (yet), we have dabbled in EHR for other customers. The EHR groups and vendors suffer from an unfocused and unorganized approach to security — there are enough security-related standards in that space so that everyone can have their own.
Joel on Software put up a posting called What’s a SQL Injection Bug? which is a great description of exactly how serious — and easy to overlook — this kind of error is. Written by a programmer, for programmers, this kind of advice is always welcome.
Dark Reading has an article called Kicking some Brass:
Do you ever wonder what the heck is wrong with top management? Why don’t they see risks associated with IT security breaches? Why don’t they help you do something about it?
The results (highlighted in the article) are unsurprising, but the more this message gets out, hopefully the fewer people will be satisfied with the status quo.
Lastly, here’s a cute comic for your viewing pleasure. If you understand the comic, you officially get crypto.
Posted in rants by Peter Hesse | No Comments »
November 10th, 2006
Even the Starship Enterprise’s computers were broken into by countless aliens. (Quite easily I might add, complete compromise of a starship? Must be running Windows 98).
So I won’t blow this comment out of proportion; I think it was taken a bit out of context:
During a telephone conference with reporters yesterday, outgoing Microsoft co-president Jim Allchin, while touting the new security features of Windows Vista, which was released to manufacturing yesterday, told a reporter that the system’s new lockdown features are so capable and thorough that he was comfortable with his own seven-year-old son using Vista without antivirus software installed.
Just because you’ve added some new security features (which aren’t out in the public quite yet; give those high schoolers some time) doesn’t mean that you can forgo other precautionary measures.
I’ll give you an example. It’s my favorite feature within Windows Vista, and it’s called ASLR (Address Space [Layout] Randomization). What it does is make the memory layout of each Windows Vista machine slightly different from that of every other Windows Vista machine. So even if there is a remote exploit on one machine, and a worm tries to jump from one machine to another, the probability of that actually succeeding is very small.
We’ll see what happens after this upcoming summer vacation.
Posted in software by Anil Polat | No Comments »
November 9th, 2006
via SecurityFocus:
On Tuesday night, Google accidentally sent out three posts on the official mailing list that contained copies of the Kapser.A worm, also known as the mass-mailing Kama Sutra worm. The video team pulled the posts from the archive on Wednesday, but not before 50,000 subscribers received the message, according to a PC World report.
Come on, Google. What about your corporate motto, “Don’t be evil”? Oh well, a little joke at Google’s expense. That said, isn’t it about time that 100% of news and mailing list servers scan 100% of messages posted?
Posted in rants by Peter Hesse | No Comments »