Archive for the ‘security examples’ Category.

diigo.com’s domain is hijacked

The good news is that diigo.com is not defunct.

The bad news is that their domain has been momentarily hijacked, see http://www.diigo.net/about/domain:

Dear Diigo users,

We’re terribly sorry to inform you that we’re experiencing domain hijacking, i.e., someone gained access to our Yahoo domain registrar account, and illegally hijacked the domain, www.diigo.com. Very soon www.diigo.com may not be accessible to you until this issue is resolved.

But please rest assured that all our servers and user data are NOT compromised, and your data can be alternatively accessed at

www.diigo.net

Your current Diigo extensions and bookmarklets will not work on diigo.net.

For now, to bookmark to diigo.net, please install this special bookmarklet for diigo.net >>

Again, we’re terribly sorry about any inconvenience this may have brought you. We’re working hard to resolve this. Thanks for your patience and continued support.

For the latest status update, please see our tweets at twitter.com/diigo

Sincerely,

The Diigo Team

Keeping track of breaches

My personal log of “this could be you” security examples here wasn’t ever exhaustive, and tended to be university-centric. For those looking for a thorough view, these look like good places to keep an eye on:

At some point the frequency will overwhelm the reporters, readers’ eyes may glaze over, and the data will still be available but only in aggregate. Right now the California breach-notification requirement (SB 1386, Civil Code §1798.82) plus the high public scrutiny seem to be causing improvement in de facto standards for reporting. That will level off as companies and institutions test what they can get away with.

George Mason University ID system cracked

As a former university information security officer I take particular interest in these things (this could be you):
Hacker compromises data at George Mason University – Computerworld:

The names, photos and Social Security numbers of more than 32,000 students and staff at George Mason University in Fairfax, Va., have been compromised as the result of a hacker attack against the university’s main ID server.
The attack was discovered during a routine review of system files and prompted the school to disconnect the compromised server from the network, according to an e-mail sent to members of the university community yesterday by Joy Hughes, the school’s vice president for information technology.

A story of SCADA, radio, and sewage

Computerworld (June 30, 2004):

When an employee from an Australian company that makes manufacturing software got fired in early 2000, he applied for a job with the local government, but was turned down. In retaliation, he got a radio transmitter, went to a nearby hotel where there was a sewage valve, and used the radio to hack into the local government’s computerized waste management system.

Using software from his former employer, he released millions of gallons of raw sewage near the hotel grounds and into rivers and parks.

“He did this 46 times before he was caught,” notes Joe Weiss, a process-control cybersecurity expert and consultant at the Cupertino, Calif., office of Kema Consulting. “The first 20 [times], they didn’t even know it was cyber,” meaning an external attack launched using a computer, he says. “From 20 to 45, they finally figured it was cyber, but they didn’t catch him until 46.” Though this person never worked for the wastewater utility, he was still able to break into its supervisory control and data acquisition system, which was designed with a big security assumption in mind — that only insiders would want to access it.

More coverage of the same incident: The Register, October 2001; Computerworld, February 2006

SDSU and UCSD security incidents

  • San Diego State University, February 2004:

    While investigating a computer server sending spam e-mail messages, the Information Technology Security Office at San Diego State University discovered computer intruders had circumvented departmental server security and gained illegal access to a file server in the Office of Financial Aid and Scholarships.

    We recognize that identity theft has become one of the fastest growing crimes in the nation and SDSU is making every effort to ensure that Social Security information is not unnecessarily exposed. In late March, the University will implement an alternative ID system using a new nine-digit ID number called "Red ID".

    [via [Interesting-People] Bad year for San Diego Universities so far]

  • University of California, San Diego, May 2004:

    The University of California, San Diego is notifying past and present students, applicants, and some staff and faculty that unauthorized intruders have broken into four computers in the UCSD Business & Financial Services Department, computers which housed approximately 380,000 records of personal data including names, social security numbers, and drivers license numbers.

    [via [Interesting-People] UCSD Computer Security Incident Alert]

University data leaks

Pranksters bedevil TV weather announcement system

SecurityFocus: Pranksters bedevil TV weather announcement system:

But once approved, the system allowed a business to change their name and the details of the closing through the website without any further human attention.

“They didn’t actually get in there or compromise any of our equipment… They just signed up as a legitimate business, and then changed their information half-an-hour later,” Schell says.
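The flaw Schell describes is a gate that is checked once: the approval happens at sign-up, and the fields the approver looked at can be rewritten afterwards without a second look. As an added example (not the station's code, which the article does not show), here is a minimal in-memory version of that sign-up / approve / edit / publish flow in Python, with the vulnerable update beside a hardened one that drops an entry back to pending whenever a vetted field changes. The class, field and business names are my own, and the set of "vetted" fields is an assumption.

```python
from dataclasses import dataclass

# Fields the human approver actually vetted at sign-up. Changing any of them
# changes what goes on the air under the station's name. (Assumed field set.)
VETTED_FIELDS = {"business_name", "closing_text"}


@dataclass
class Closing:
    business_name: str
    closing_text: str
    contact_email: str
    approved: bool = False


class ClosingsBoard:
    """Toy version of the sign-up / approve / edit / publish workflow."""

    def __init__(self):
        self.entries = {}
        self.review_queue = []
        self._next_id = 1

    def sign_up(self, business_name, closing_text, contact_email):
        cid = self._next_id
        self._next_id += 1
        self.entries[cid] = Closing(business_name, closing_text, contact_email)
        self.review_queue.append(cid)
        return cid

    def approve(self, cid):
        # The one point where a human looks at the entry.
        self.review_queue.remove(cid)
        self.entries[cid].approved = True

    def update_vulnerable(self, cid, **changes):
        # What the article describes: once approved, edits go straight through
        # and the approved flag is never revisited.
        for name, value in changes.items():
            setattr(self.entries[cid], name, value)

    def update_hardened(self, cid, **changes):
        # Any change to a vetted field revokes approval and re-queues the entry
        # for review; non-vetted fields (contact details) may change freely.
        entry = self.entries[cid]
        for name, value in changes.items():
            if name in VETTED_FIELDS and getattr(entry, name) != value and entry.approved:
                entry.approved = False
                self.review_queue.append(cid)
            setattr(entry, name, value)

    def on_air(self):
        # Only approved entries reach the crawl.
        return [(e.business_name, e.closing_text)
                for e in self.entries.values() if e.approved]


def prank_scenario(hardened):
    """Sign up as a legitimate business, get approved, then rewrite the entry.
    Returns (what the crawl would show, how many entries await review)."""
    board = ClosingsBoard()
    cid = board.sign_up("Joe's Bakery", "Closed Tuesday for repairs", "joe@example.com")
    board.approve(cid)
    update = board.update_hardened if hardened else board.update_vulnerable
    # Half an hour later the "business" rewrites what goes on air.
    update(cid, business_name="Springfield School District", closing_text="Closed all week")
    return board.on_air(), len(board.review_queue)


if __name__ == "__main__":
    print("vulnerable:", prank_scenario(False))
    print("hardened:  ", prank_scenario(True))
```

The design point is that approval is a statement about specific content, so it has to be tied to that content: either revoke it when the content changes, as above, or store the approved values separately and publish only those.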

Invisible Word ink in SCO legal document

CNET News.com: Document shows SCO prepped lawsuit against BofA

[via Slashdot | MS Word File Reveals Changes to SCO’s Plans]

See also Justin Mason:

This seems as good a time as any to re-plug find-hidden-word-text, a quick Perl hack to use ‘antiword’ to extract hidden text from MS Word documents in an automated fashion, based on Simon Byers’ paper Scalable Exploitation of, and Responses to Information Leakage Through Hidden Data in Published Documents. It works well ;)
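The same idea applied to the current Word format, as an added example that is neither Justin Mason's script nor anything from the original page: a .docx is a zip archive whose word/document.xml keeps tracked-change deletions as <w:del> elements wrapping <w:delText>, and hidden text as runs whose properties carry <w:vanish/>. Both survive in a file that looks clean when opened, which is exactly the SCO situation in modern dress. The sample document is constructed in memory with a minimal document.xml (not SCO's file); the function names and the sample text are my own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml inside a .docx.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def find_hidden_docx_text(docx_bytes):
    """Return text a reader of the rendered document does not see but the file
    still carries: tracked-change deletions (<w:del> wrapping <w:delText>) and
    runs formatted as hidden (<w:rPr><w:vanish/></w:rPr>)."""
    hidden = {"deleted": [], "vanished": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    # Deleted text lives in w:delText rather than w:t, so plain text extraction
    # skips it while the bytes stay in the archive until changes are accepted.
    for deletion in root.iter(f"{{{W}}}del"):
        text = "".join(t.text or "" for t in deletion.iter(f"{{{W}}}delText"))
        if text:
            hidden["deleted"].append(text)
    # Hidden formatting: a run whose properties include w:vanish renders as nothing.
    for run in root.iter(f"{{{W}}}r"):
        rpr = run.find("w:rPr", NS)
        if rpr is not None and rpr.find("w:vanish", NS) is not None:
            text = "".join(t.text or "" for t in run.iter(f"{{{W}}}t"))
            if text:
                hidden["vanished"].append(text)
    return hidden


def build_sample_docx():
    """Constructed sample (not SCO's document): a minimal .docx with one visible
    paragraph, one tracked deletion and one hidden run. A real file carries more
    parts ([Content_Types].xml, _rels), but document.xml is all the parser reads."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body>
  <w:p><w:r><w:t>We intend to file against Company A.</w:t></w:r></w:p>
  <w:p><w:del w:id="1" w:author="counsel" w:date="2004-03-01T00:00:00Z">
    <w:r><w:delText>Earlier draft named Company B as the defendant.</w:delText></w:r>
  </w:del></w:p>
  <w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>Internal: settle before filing.</w:t></w:r></w:p>
</w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, texts in find_hidden_docx_text(build_sample_docx()).items():
        for text in texts:
            print(f"{kind}: {text}")
```

Comments (word/comments.xml) and document properties (docProps/core.xml, including author and company) are further places the same archive leaks from; the response, then as now, is to publish a format that carries none of it, such as a flattened PDF, rather than to trust "accept all changes".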

Keyless Entry Disruption

Las Vegas has keyless encounters of the weird kind:

Was it the storm clouds, sun spots or Area 51?

By late Friday afternoon, some locksmiths, car dealerships and towing companies had been flooded with calls about mysteriously malfunctioning keyless vehicle entry devices.

[via Wi-Fi Networking News]

Software Bug Contributed to Blackout

Real reporting on the events leading to the blackout: SecurityFocus News: Software Bug Contributed to Blackout:

A previously-unknown software flaw in a widely-deployed General Electric energy management system contributed to the devastating scope of the August 14th northeastern U.S. blackout, industry officials revealed this week.

The bug in GE Energy’s XA/21 system was discovered in an intensive code audit conducted by GE and a contractor in the weeks following the blackout, according to FirstEnergy Corp., the Ohio utility where investigators say the blackout began. “It had never evidenced itself until that day,” said spokesman Ralph DiNicola. “This fault was so deeply embedded, it took them weeks of poring through millions of lines of code and data to find it.”

The next day, in “GE Energy acknowledges blackout bug”:

A U.S.-Canadian task force investigating the blackout said in November that FirstEnergy employees failed to take steps that could have isolated utility failures because its data-monitoring and alarm computers weren’t working.

Without a functioning emergency management system or the knowledge that it had failed, the company’s system operators “remained unaware that their electrical system condition was beginning to degrade,” the report said.

At the time, task force members said it remained unclear whether the software malfunctioned or if FirstEnergy’s computers had difficulty running it that day.

DiNicola said Thursday that the company, working with GE and energy consultants from Kema Inc., had pinned the trouble on a software glitch by late October and completed its fix by Nov. 19, coincidentally the same day the task force issued its report.

GE Energy spokesman Dennis Murphy said the company distributed a warning and a fix to its more than 100 other customers the following day.

[via Bruce Schneier’s Crypto-Gram]
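The finding worth keeping from the task-force report is not the bug itself but that nobody knew the alarm system had stopped: a dead alarm processor looks exactly like a quiet grid. As an added example, not GE's or FirstEnergy's code and not a description of how XA/21 works, here is a dead-man check in Python: the alarm processor is assumed to emit a heartbeat on a fixed period, and an independent monitor treats a missing heartbeat as an alarm in its own right. It also cross-checks the processor's output against the raw telemetry path it reports on, because a heartbeat proves the process is scheduled, not that its main loop is making progress. The log lines, timestamps, cadence and grace period are all constructed assumptions.

```python
from datetime import datetime, timedelta

HEARTBEAT_PERIOD = timedelta(seconds=30)  # assumed cadence of the alarm processor's heartbeat
MAX_MISSED = 2                             # declare the processor dead after this many periods
ALARM_GRACE = timedelta(seconds=10)        # a raw state change must surface as an alarm within this

# Constructed log (not FirstEnergy's data). Three sources interleaved:
#   HEARTBEAT  emitted by the alarm processor itself
#   STATE      raw telemetry state changes seen on the SCADA path, independent of the processor
#   ALARM      what the alarm processor actually delivered to operators
SAMPLE_LOG = """\
2024-06-01T14:00:00 HEARTBEAT alarm-processor
2024-06-01T14:00:05 STATE breaker-12 open
2024-06-01T14:00:07 ALARM breaker-12 open
2024-06-01T14:00:30 HEARTBEAT alarm-processor
2024-06-01T14:01:00 HEARTBEAT alarm-processor
2024-06-01T14:01:05 STATE breaker-7 open
2024-06-01T14:01:30 HEARTBEAT alarm-processor
2024-06-01T14:02:00 HEARTBEAT alarm-processor
2024-06-01T14:02:20 STATE line-3 overload
"""


def parse_log(text):
    """Parse 'ISO-timestamp KIND detail' lines into (datetime, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    return events


def watchdog(events, now):
    """The independent monitor's verdict at time `now`: a list of findings, empty
    when the alarm system is both alive and keeping up. This must run on a host
    other than the one it watches, or the watcher dies with the watched."""
    findings = []
    seen = [e for e in events if e[0] <= now]
    heartbeats = [ts for ts, kind, _ in seen if kind == "HEARTBEAT"]
    if not heartbeats:
        return ["ALARM-SYSTEM-DOWN: no heartbeat received"]
    silence = now - max(heartbeats)
    if silence > HEARTBEAT_PERIOD * MAX_MISSED:
        findings.append(f"ALARM-SYSTEM-DOWN: last heartbeat {int(silence.total_seconds())}s ago")
    # Liveness is not progress: a heartbeat thread can keep ticking while the main
    # loop is wedged. In this toy a STATE change counts as handled when an ALARM
    # with the same detail text has been emitted.
    alarmed = {detail for _, kind, detail in seen if kind == "ALARM"}
    for ts, kind, detail in seen:
        if kind == "STATE" and detail not in alarmed and now - ts > ALARM_GRACE:
            findings.append(f"ALARM-PROCESSOR-STALLED: '{detail}' at {ts.time()} never alarmed")
    return findings


def check_at(log_text, now_iso):
    """Convenience wrapper: evaluate the watchdog over a log at an ISO timestamp."""
    return watchdog(parse_log(log_text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for when in ("2024-06-01T14:00:30", "2024-06-01T14:02:30", "2024-06-01T14:04:00"):
        print(when, check_at(SAMPLE_LOG, when) or ["ok"])
```

At 14:00:30 everything is healthy; at 14:02:30 the heartbeats are still fresh but breaker-7 has gone unalarmed for over a minute, which is the stalled-processor case; by 14:04:00 the heartbeats have also stopped. The second check is the one that would have mattered here: the operators had a console that showed nothing, and nothing is not evidence of calm.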