Archive for the ‘security examples’ Category.
The good news is that diigo.com is not defunct.
The bad news is that their domain has been momentarily hijacked, see http://www.diigo.net/about/domain:
Dear Diigo users,
We’re terribly sorry to inform you that we’re experiencing domain hijacking, i.e. someone gained access to our Yahoo domain registrar account and illegally hijacked the domain, www.diigo.com. Very soon www.diigo.com may not be accessible to you until this issue is resolved.
But please rest assured that all our servers and user data are NOT compromised, and your data can be alternatively accessed at
Your current Diigo extensions and bookmarklets will not work on diigo.net.
For now, to bookmark to diigo.net, please install this special bookmarklet for diigo.net >>
Again, we’re terribly sorry about any inconvenience this may have brought you. We’re working hard to resolve this. Thanks for your patience and continued support.
For the latest status update, please see our tweets at twitter.com/diigo
The Diigo Team
My personal log of “this could be you” security examples wasn’t ever exhaustive, and tended to be university-centric.
For those looking for a thorough view, these look like good places to keep an eye on:
At some point, the frequency will overwhelm the reporters, the readers’ eyes may glaze over, data will be available but more aggregated. Right now the California SB1798 requirement plus the high public scrutiny seem to be causing improvement in de facto standards for reporting. That will level off as companies and institutions test what they can get away with.
As a former university information security officer I take particular interest in these things (this could be you):
Hacker compromises data at George Mason University – Computerworld:
The names, photos and Social Security numbers of more than 32,000 students and staff at George Mason University in Fairfax, Va., have been compromised as the result of a hacker attack against the university’s main ID server.
The attack was discovered during a routine review of system files and prompted the school to disconnect the compromised server from the network, according to an e-mail sent to members of the university community yesterday by Joy Hughes, the school’s vice president for information technology.
Computerworld (June 30, 2004):
When an employee from an Australian company that makes manufacturing software got fired in early 2000, he applied for a job with the local government, but was turned down. In retaliation, he got a radio transmitter, went to a nearby hotel where there was a sewage valve, and used the radio to hack into the local government’s computerized waste management system.
Using software from his former employer, he released millions of gallons of raw sewage near the hotel grounds and into rivers and parks.
“He did this 46 times before he was caught,” notes Joe Weiss, a process-control cybersecurity expert and consultant at the Cupertino, Calif., office of Kema Consulting. “The first 20 [times], they didn’t even know it was cyber,” meaning an external attack launched using a computer, he says. “From 20 to 45, they finally figured it was cyber, but they didn’t catch him until 46.” Though this person never worked for the wastewater utility, he was still able to break into its supervisory control and data acquisition system, which was designed with a big security assumption in mind — that only insiders would want to access it.
More links to the same incident: The Register October 2001, ComputerWorld February 2006
SecurityFocus: Pranksters bedevil TV weather announcement system:
But once approved, the system allowed a business to change their name and the details of the closing through the website without any further human attention.
“They didn’t actually get in there or compromise any of our equipment… They just signed up as a legitimate business, and then changed their information half-an-hour later,” Schell says.
Las Vegas has keyless encounters of the weird kind:
Was it the storm clouds, sun spots or Area 51?
By late Friday afternoon, some locksmiths, car dealerships and towing companies had been flooded with calls about mysteriously malfunctioning keyless vehicle entry devices.
[via Wi-Fi Networking News]
Real reporting on the events leading to the blackout: SecurityFocus News: Software Bug Contributed to Blackout:
A previously-unknown software flaw in a widely-deployed General Electric energy management system contributed to the devastating scope of the August 14th northeastern U.S. blackout, industry officials revealed this week.
The bug in GE Energy’s XA/21 system was discovered in an intensive code audit conducted by GE and a contractor in the weeks following the blackout, according to FirstEnergy Corp., the Ohio utility where investigators say the blackout began. “It had never evidenced itself until that day,” said spokesman Ralph DiNicola. “This fault was so deeply embedded, it took them weeks of poring through millions of lines of code and data to find it.”
The next day GE Energy acknowledges blackout bug:
A U.S.-Canadian task force investigating the blackout said in November that FirstEnergy employees failed to take steps that could have isolated utility failures because its data-monitoring and alarm computers weren’t working.
Without a functioning emergency management system or the knowledge that it had failed, the company’s system operators “remained unaware that their electrical system condition was beginning to degrade,” the report said.
At the time, task force members said it remained unclear whether the software malfunctioned or if FirstEnergy’s computers had difficulty running it that day.
DiNicola said Thursday that the company, working with GE and energy consultants from Kema Inc., had pinned the trouble on a software glitch by late October and completed its fix by Nov. 19, coincidentally the same day the task force issued its report.
GE Energy spokesman Dennis Murphy said the company distributed a warning and a fix to its more than 100 other customers the following day.
[via Bruce Schneier’s Crypto-Gram]