Decent “Hackers” Still Have to Be Good Criminals

This person, after leaving the company he worked for, planted a “logic bomb” on his old company’s network.

A logic bomb is essentially a piece of code left behind to mess things up at a specified time.

Duronio quit his job as a systems administrator in February 2002 after repeatedly expressing dissatisfaction about his salary and bonuses, the statement said.

He then planted malicious computer code known as a “logic bomb” into about 1,000 of UBS PaineWebber’s approximately 1,500 networked computers in branch offices. On March 4, 2002, the “bomb” detonated and began deleting files.

Now this not-so-bright person was trying to profit off of the potential drop in stocks his old company would suffer after the files were deleted. Instead, he ended up losing $23,000 when the stock didn’t fall.

Meaning he likely bought the extra stocks after he left the company, or on margin (betting the stock would fall). Either way, if he suddenly made $100,000+ from this “freak” accident, either someone on Wall Street or his ex-company would probably get wind of it.

At least I hope so…

And he got caught either way. There are good/bad criminals and there are good/bad “hackers” – they are not necessarily the same thing.

That is probably why we’ve been seeing more organized crime organizations getting involved in cybercrime, recruiting talented coders from around the world. One has the technical skills, the other the criminal ones.

Combine that with low wages, youth, the “cool” factor, and the potential for some quick cash…

A dangerous trend for 2007.

Posted December 15 2006

More Personal Information Stolen

Yes, yes…happens all the time and the news doesn’t even make headlines anymore. Here is the WTH part:

The attacks on the database began in October 2005 and ended November 21 of this year, when computer security technicians noticed suspicious database queries, according to a news release posted on a school Web site set up to answer questions about the theft.

More than a year…

Here in the States we really need to enact some legislation requiring companies, universities, etc. to disclose these types of data breaches.

Most people probably don’t know that such laws don’t exist — they most likely think that CA and NY just have really bad IT security.

Posted December 12 2006

Identity Theft and Authorizations

From the SANS NewsBites today: Credit Bureau Security Breached.
My favorite part is the fact that one login had authorization to access multiple records from TransUnion – according to the article, any record in the country. This account supposedly belonged to a courthouse in Kingman, AZ. I want to know two things:

1. WTH is an account from Arizona doing with authorization to access any credit information in the country?

2. Why doesn’t TransUnion own up to the fact that yes, it was a breach of their security systems? – A misconfiguration on their part is still a security breach.

With regards to 1, the account was obviously given to a court to access other people’s records, and I can understand having access to multiple records. What I don’t understand is why that account was not configured to only have access to the records that fall under the court’s jurisdiction. This is a good example of why we use the principle of least privilege. Yeah, the person you assign that account to might be trustworthy, but people who get hold of that account information probably aren’t. If the court needed access to records belonging to another jurisdiction, they should request that information from a court in that other jurisdiction, not help themselves to it. Sure, it’s a bit more of a hassle, but that’s security for you.

With regards to 2, WTH? If a Windows admin assigns the Guest user administrative privileges, that’s an authorization misconfiguration and a security breach in my book. Sure, the admins may not be responsible because their higher-ups told them that the account was to have those permissions, but the higher-ups are definitely responsible.
</end rant>

Posted December 5 2006
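The jurisdiction scoping argued for in the post above, as an added example that is not part of the original post and not any real credit bureau's code: an over-broad wildcard check beside a least-privilege one, a referral path for out-of-jurisdiction requests, and an audit that flags over-granted accounts. The account names, jurisdiction labels and function names are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    home: str            # jurisdiction the account belongs to
    scopes: frozenset    # jurisdictions granted; "*" means every record

@dataclass(frozen=True)
class Record:
    subject: str
    jurisdiction: str

def can_read_weak(account, record):
    """Over-broad check: a wildcard grant matches any record in the country."""
    return "*" in account.scopes or record.jurisdiction in account.scopes

def can_read(account, record):
    """Least privilege: only records in the account's own jurisdiction."""
    return record.jurisdiction == account.home

def request(account, record):
    """Allow in-jurisdiction reads; refer everything else to the owning court."""
    if can_read(account, record):
        return "allow"
    return f"refer:{record.jurisdiction}"

def audit(accounts):
    """Names of accounts whose grants reach beyond their home jurisdiction."""
    return sorted(a.name for a in accounts if a.scopes - {a.home})

# Constructed sample data (hypothetical accounts and records)
WILD = Account("court-wildcard", "AZ-KINGMAN", frozenset({"*"}))
SCOPED = Account("court-scoped", "AZ-KINGMAN", frozenset({"AZ-KINGMAN"}))
LOCAL = Record("subject-001", "AZ-KINGMAN")
REMOTE = Record("subject-002", "NY-ALBANY")

if __name__ == "__main__":
    print(can_read_weak(WILD, REMOTE), can_read(WILD, REMOTE))
    print(request(WILD, LOCAL), request(WILD, REMOTE))
    print(audit([WILD, SCOPED]))
```

Running `audit` over the account list on a schedule catches a wildcard grant before a stolen login can use it.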

Time to panic?

Just another hack attack, via SecurityFocus

A fan of the music group Linkin Park appears to have hacked into the lead singer’s mobile phone web account, stealing the phone bill, call records and digital photos taken using the phone.

Yeah, so what’s the big deal? Why am I suggesting it might be time to panic?

The explosive attack on the privacy of the band member reportedly came from Devon Townsend, an obsessed fan inside Sandia National Laboratories

Sandia Labs is part of the Nuclear Regulatory division of the Department of Energy… These are the folks that are dealing with the safety and security of our nuclear weapons.

If there’s someone working there that can get this obsessed with Linkin Park, what else do you think might go on there?

Posted November 29 2006

Faking Out Keystroke Loggers

From this article, a nifty way to protect your passwords at public terminals.

But even more interesting is the digg discussion on the topic.

Posted November 24 2006

OS X “security features”

I found a link to this list through a series of links back to a friend’s LiveJournal. But OS X has almost no ‘standard’ security features.

These features are simple things like stack and heap protections. Anyone want to volunteer good code to OS X?

Posted November 22 2006