Hacktivists change the Global Warming Debate

Calendar November 23, 2009 | Posted by Dave

Unless you have been living under a rock during the past 20 years you know that Man made Global Warming has been a very hot topic (no pun intended :) ).  Recently it seemed that the Pro-Global Warming team had been making the most ground.  As the inventor of the Internet Al Gore put it “The debate is over”..  Is it???

It appears that a group of Hacktivist may have pulled some skeletons out of the closet, for the whole world to see.  A Hacktivist is a Hacker who hacks for a cause.  We have seen many far-leaning ideologue groups around the world, on both sides of the debate, who have employed various attacks against their enemy.  The attacks have included defacing websites, Dos/DDoS, and other destructive attacks.  This attack however was different. 

hacktivism

Hacktivist stole over 4000 documents from  the Climatic Research Unit of the University of East Anglia in Britain, which included over 1000 emails.  Many of these emails were correspondents between high profile Global Warming “Alarmist”, and it seems a few of these emails included some of their deepest secrets such as how to manipulate data to hide discrepancies between their cause and the actual data (There is growing data that Global Warming may have stopped in the late 90s.).  The university has acknowledged the breech and the authenticity of the documents, many of which are available on the internet.

Score one for the Hacktivists it seems,  but what does this mean for the future?  If these really are a smoking gun, which all indications point to yes, then this will definitely embolden others who believe they can expose their opponent’s agenda by breaking the law.     

The lessons to take from this?  Not all malicious attacks are Dollar driven.  Some people will go to extremes to prove a point. And finally, if you want something to be kept a secret do not put it in an email.

 

- Dave

 

Link to an article about the attack  http://www.washingtonpost.com/wp-dyn/content/article/2009/11/20/AR2009112004093_pf.html

Category Categories: Recent News | Tag Tags: , , | Comments No Comments »

Protecting from Identity Theft? A good Start

Calendar November 12, 2009 | Posted by Dave

I apologize for delays in new post, business has been well keeping me busy.  2010 I hope to update more regularly.  Until here is an article I wrote for security magazine in 2008.  I hope you enjoy.

Protecting from Identity Theft? A Good Start

by Dave Chronister
April 1, 2008

Technology’s ever-growing importance is a mixed blessing.

On one hand, it keeps me employed, but many times I will find myself talking about “new threats” that aren’t really new, they are just finally coming to the public’s attention.

The issue “de jour” is identity theft, and, according to the general public, this never happened until the TJ Maxx break in. Am I the only one who watched Sandra Bullock in “The Net?” Granted this movie was a little far-fetched — I mean, come on, ordering a pizza online? But there we were in the mid-1990s watching a movie about a recluse woman whose identity was stolen in order to cover up a major conspiracy. Now, 13 years later, we live in a world where it seems the only data leak to worry about is consumer information.

Doesn’t a company with revolutionary ideas worry about corporate espionage and loss of trade secrets? Shouldn’t a publicly traded company need to ensure its financials are not released prematurely?

In reality, security professionals have to deal with data of different levels of security, much of which is unknown to even them. So while the rest of the world is focused on the little old ladies’ Social Security numbers, let’s look at the best strategies on keeping our sensitive information in our castle’s keep and maybe even use the identity theft hysteria to our advantage.

The decentralization of a company’s data stores and multiple facets of data retrieval have rendered the security strategy of building a bigger outside wall obsolete.  A silver-bullet solution will eventually become an Achilles’ tendon. Instead, you want to go for layers, defense in depth. Structure your security solutions to identify threats, guard against automated scans, and slow down and report possible intrusions. In the event of a successful attack, ensure containment and, if possible, identify the offenders of the data loss.

Let’s take a look at a few weapons that you may want to put in your arsenal.

First, there are network traffic analyzers — and we are not talking about your network administrator’s wire shark system. These analyzers will examine the content and determine if sensitive data may have been sent out to unauthorized recipients. Many traffic analyzers will even determine if information is being sent to correct destinations but over incorrect channels, say instant messaging or IM, or to the public network unencrypted.

The obvious concern with this technology would be the potential bottleneck that you would face even on a small network. Global Velocity, one of the newer companies in this realm, is about to release a hardware-based content analyzer that it claims can process 10gbps. The potential is a godsend, but it isn’t without limitations. It can only analyze clear text. Someone sending out binaries, say screen prints, or encrypted traffic, such as a virtual private network or VPN stream, would not be analyzed. It also only handles traffic heading out of your network to other networks either public or private.

This doesn’t address other avenues of “data escape,” such as mobile devices and USB keys. There are multiple solutions to this problem, from physical USB locks to software solutions, such as Devicewall’s Centennial, which can block various types of USB devices, such as MP3 players or PDAs, and provide a complete audit trail. Microsoft shops could even use network policies to lock USB ports.

Speaking of policies, let’s take a quick look at your greatest weapon and your worst enemy: The User.

Sometimes it may seem a better idea to give flamethrowers to your local Cub Scout troop than to depend on John Q. User to ensure the integrity of your data. No matter how much you secure your sensitive data, the simple fact is your employee will be retrieving and writing this data on a daily basis. You need to ensure your security awareness program prepares them to handle the various aspects of social engineering as well as prevent accidental data leaks. After all, hackers are targeting the secretaries, not the Certified Information Systems Security Professionals or CISSPs. Computer-based training and posters should be part of your program, not the entire program.

Finally, getting upper management’s buy-in to the cost of data protection in money and manhours can be a daunting task. The horror stories of other data breeches as well as the projected cost to a business for identity theft can be used as a case study during your presentation. If that doesn’t work, maybe you can bust out your VCR and hope Bullock’s stellar performance in “The Net” does.

http://www.securitymagazine.com/Articles/Feature_Article/BNP_GUID_9-5-2006_A_10000000000000298345

Category Categories: Best Practices, Original, compliance | Tag Tags: , , , | Comments 1 Comment »

Social Security number code cracked, study claims

Calendar July 6, 2009 | Posted by Dave
RANDOLPH E. SCHMID
Published: July 6, 2009

WASHINGTON (AP) — For all the concern about identity theft, researchers say there’s a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans’ Social Security numbers.

“It’s good that we found it before the bad guys,” Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh said of the method for predicting the numbers.

Acquisti and Ralph Gross report in Tuesday’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 — when the government began issuing numbers at birth — the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.

For smaller states their accuracy was considerably higher than in larger ones.

Acquisti said in a telephone interview that he has sent the findings to the Social Security Administration and other government agencies with a suggestion they adopt a more random system for assigning numbers.

Social Security spokesman Mark Lassiter said the public should not be alarmed by the report “because there is no foolproof method for predicting a person’s Social Security number.”

“The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail.

However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”

The researchers say their report omits some details to make sure they aren’t providing criminals a blueprint for obtaining the numbers.

The predictability of the numbers increases the risk of identity theft, which cost Americans almost $50 billion in 2007 alone, Acquisti said.

A problem in the battle against identity thieves is that many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s. The Social Security Administration has long cautioned educational, financial and health care institutions against using the numbers as personal identifiers.

“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” he said, warning against providing too much data on social network sites.

Acquisti, who researches the economics of privacy, said he got interested in what could be learned from easily available by looking at social networks, which he termed “a great experiment in self-revelation.”

People were willing to include their date of birth and hometown, he said, and he already knew that was part of the information used in issuing Social Security numbers.

So the researchers turned to the SSA’s “Death Master File,” which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people.

But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance.

“I was surprised by the accuracy of certain predictions,” Acquisti said.

The system can produce a range of possibilities for the last four numbers, making it easier for a computer to test the possibilities until the correct number is found for an individual, Acquisti explained.

In addition, “attackers can exploit various public- and private-sector online services, such as online “instant” credit approval sites, to test subsets of variations to verify which number corresponds to an individual with a given birth date.

While it was well known that the numbers have a geographic component, past studies have used the patterns plus other data to estimate when and where a specific number may have been issued.

“Our work focuses on the inverse, harder, and much more consequential inference: it shows that it is possible to exploit the presumptive time and location of SSN issuance to estimate, quite reliably, unknown SSNs,” Acquisti said.

The research was supported by the National Science Foundation, the U.S. Army Research Office, Carnegie-Mellon University and the Pittsburgh Supercomputing Center.

___

On the Net:

PNAS: http://www.pnas.org

http://newsok.com/social-security-number-code-cracked-study-claims/article/feed/55270?custom_click=pod_headline_national-politics

Category Categories: Recent News, Security Tools | Tag Tags: , , | Comments No Comments »

Pink Floyd star David Gilmour joins fight to halt extradition to US of hacker Gary McKinnon

Calendar May 27, 2009 | Posted by Dave

This isn’t really security news. But I am a big Dave Gilmour fan and I love UFO stories so this is a great story for me.  As far as Gary McKinnon’s actions, I believe if NASA had UFO information they would most likely bury it.  But again hacking is still illegal.

Speaking of mysteries, does anyone remember this Floyd mystery?

~~Dave

PS.. If Mr Gilmour by chance reads this, I am free to jam whenever you are :)

Musicians from such diverse groups as Pink Floyd and Boyzone have joined forces in a last-ditch campaign to halt the extradition to the US of north London computer hacker Gary McKinnon.

The family and friends of McKinnon, who has Asperger’s syndrome, are hoping that a campaign also supported by well-known names including Terry Waite, Boris Johnson, Sting, Lord Carlile and Jane Asher, will finally bear fruit.

Next month, McKinnon is due to have what is likely to be his final legal appearance in a judicial review over the decision of home secretary,Jacqui Smith, to send him to stand trial in the US for hacking into the US defence department and Nasa computer systems in a search for evidence about UFOs.

An earlier judicial review ruled that Smith had failed to take adequate consideration of evidence of McKinnon’s medical condition. If McKinnon failed in this bid for a reconsideration of the extradition decision, he could be sent immediately for trial in the US and face a lengthy jail sentence.

To help the case, Graham Nash has authorised a reworking of his song Chicago, written when he was part of Crosby, Stills and Nash in the wake of the violent 1968 Democratic party convention in Chicago and the subsequent trial of the so-called Chicago Seven.

David Gilmour, the Pink Floyd musician and political activist, has agreed to produce a fresh recording of the song to publicise McKinnon’s plight.

Boyzone singer Keith Duffy has also expressed his support for McKinnon. “As the parent of a child with autism I know only too well that getting support at the right time can be crucial,” said Duffy

http://www.guardian.co.uk/uk/2009/may/25/gary-mckinnon-extradition-pink-floyd-hacker-us

Category Categories: Passwords, Recent News | Tag Tags: , , | Comments No Comments »