There’s an ongoing silent war between inmates and the personnel of the prisons holding them. There have been quite a few movies about riots, guards having their families threatened and the like. And now this topic hits the endpoint security arena: a former inmate has hacked into a prison’s network and made the employee database available to his fellow inmates.
The 42-year-old Francis G. Janosko accessed the names, addresses, dates of birth, social security numbers and telephone numbers of employees working for the Plymouth County Correctional Facility in Massachusetts, said the US District Court in Boston. Using a thin client connected to a prison server, Janosko exploited a bug in legal research software made available to inmates to gain access to the database.
Janosko then shared the private details with his fellow inmates and also managed to access the Internet and download videos and digital photographs of prison employees, inmates and aerial shots of the prison. The hacking took place between October 2006 and February 2007. He is currently charged with identity theft and intentional damage to a protected computer. If convicted, the maximum sentence is 12 years in prison and a fine of $250,000. He could additionally be forced to pay unspecified restitution.
If you are British and have been plotting to stalk a member of the British National Party (BNP) you might just have missed the opportunity. A list of all the party’s members, including names, addresses, and email addresses, has recently shown up online. Some of those who just got exposed online are also underage (an extra “benefit” of the family plan BNP offers), and others had other personal details made public, such as their job or hobbies.
As the Register puts it, “That’s how we know that BNP members include receptionists, district nurses, amateur historians, pagans, line dancers and a male witch.” Members reacted pretty strongly, filling their comments with curses and outrage. As certain professions in the UK are expected to have no political color, they might even lose their jobs. According to several blog sources, some pretty powerful people in the BNP are to blame for the leak.
BNP spokespersons found out about the leak from the Register, but although completely unaware, they promised to treat whoever is responsible quite harshly!
Wi-Fi Protected Access, or WPA, is one of the most popular forms of security used by wireless networks. Yet the potential risk and ease of breaching it might trigger some alarms for a lot of people, especially if they were at the PacSec 2008 conference in Tokyo.
A week before the conference, the Register announced that two German researchers, Martin Beck and Erik Tews, were going to present a vulnerability exposing WPA-protected networks to an attack that could compromise certain communications in less than 15 minutes. If anyone reading our blog attended the conference, we’d love to hear how it all went.
But this is far from being the first vulnerability to go public.
In 2001, three researchers found a way to reliably break the previous wireless security protocol, known as Wired Equivalent Privacy (WEP), in less than two hours. By 2007, the latest refinement in attacks against WEP – found by Tews and two other researchers – reduced the time to recover a WEP key to less than a minute of calculations.
While some keep discovering how to tear security systems apart, those actually depending on them seem to be learning one thing: you’re never really safe! So if any extra security is at hand, apply it ASAP!
One of the most common causes of security breaches is stolen hardware. And I’m sure you’ve all heard of the thousands and thousands of laptops stolen in airports, from parking lots and other public places. And as most companies fail to implement a comprehensive endpoint security solution, a stolen laptop means trouble. For the end users, a laptop sometimes stores most of their documents, personal and business, memories from trips and other important events and everything that is private and dear to them. Picturing everything lost to a stranger’s hands is hard to cope with.
Dell states there’s a new way to prevent such bad things from happening: a self-encrypting laptop. Your data is still lost, but at least no one can access it. The drives with self-encryption features are produced by Seagate and embedded in the new Dell product. And apparently, the Seagate hardware will soon be shipped by IBM and LSI as well. Let’s hope no one breaks the encryption system!
Express Scripts, a pharmacy benefits-management firm, has recently revealed a data theft that took place in early October. The information was made public after the company was threatened that the stolen data would be made public if a certain amount of money was not paid.
The threat was made in a letter from the thieves, who claimed they had breached Express Scripts’ network security and gotten their hands on millions of customer records. According to SecurityFocus, the letter listed personal details on 75 of Express Scripts’ customers, including their names, dates of birth, social security numbers, and in some cases, their prescription information. Although it’s only recently been released to the public, the data theft had been reported by Express Scripts to the FBI. The Bureau is currently running a full investigation on the incident.
The company is also notifying all those affected by the breach so that they can take the necessary precautions to prevent identity theft. SecurityFocus has not released the sum of money requested by the thieves.
TechCrunch definitely seems to think so. So what’s Sarbanes-Oxley? Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, SOX or Sarbox, it was enacted on July 30, 2002. Its purpose was to prevent major disasters such as Enron or WorldCom. Through its stipulations it also enforces some specific requirements on security policies, thus most endpoint security solutions try to help cover this aspect, some better than others.
While complying with SOX is mandatory in the US, it also works as a marketing tool for endpoint security solutions in other markets. This positioning, as compliant with legal and international standards, helps developers sell their products more easily.
So what’s wrong with SOX? According to TechCrunch, all the flaws are related to business strategy aspects and not to security policies. The main problem is that SOX affects the way companies can prepare and hold their initial public offering (IPO), a fact that causes them to turn either to mergers instead of IPOs or to getting listed on foreign stock exchanges. They can always wait for 12 years to get listed or entirely give up the idea of going public. All this because of huge compliance costs that most businesses can’t really afford.
It would be interesting to see if other voices will rise against SOX and how it will be changed in the future, business and security wise.