The CSIS pre-publication report highlights a desperate shortage of people with the skills to design secure systems. According to the report, a key element of a “robust” cybersecurity strategy is “having the right people at every level to identify, build and staff the defenses and responses.”
Preventing pervasive string injection-type attacks
June 16, 2010 by Anuj Goel
Interpolique — which was released for security experts and IT staff to poke around at and analyze, but not to use operationally — is basically a framework that lets developers continue to write code the way they always have, but with a tool that helps prevent them from inadvertently leaving string injection flaws in their code. It requires developers to use different prefixes that describe the variables embedded in their strings, without requiring any major changes to their coding style, he says. The resulting code is automatically formatted in such a way that it can’t be easily abused by the bad guys.
New Federal Privacy Legislation
June 7, 2010 by Anuj Goel
The recently published draft of federal legislation to establish broad new consumer privacy protections affects many businesses that collect and store consumer information. It’ll be interesting to see how the new legislation impacts existing privacy laws and acts like GLBA, CAN-SPAM, and HIPAA.
EMV Chip cards – is it really a new technology???
June 1, 2010 by Anuj Goel
Future of Credit cards
Proponents say, indeed, it’s time for the U.S. to adopt the EMV standard. EMV, short for the Europay, MasterCard, Visa standard, is the chip and PIN-based standard used to store card data as mandated by EMVCo. EMV has been adopted in virtually every part of the world — including Canada and Mexico — for the storing of payment-card data.
Quantum Cryptography System Hacked
May 18, 2010 by Anuj Goel
Should we be worried?
When it comes to secure messaging, nothing beats quantum cryptography, a method that offers perfect security. Messages sent in this way can never be cracked by an eavesdropper, no matter how powerful.
At least, that’s the theory. Today, Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada say they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially-available system.
Technological Advances and Evolution of Privacy Laws
April 28, 2010 by Anuj Goel
The linchpin in extending Fourth Amendment protection to the cloud rests with the reasonableness of society’s expectations governing privacy in the cloud. But societal expectations change over time, especially as technology and our uses of that technology change.
…….
This change in Internet usage seems to indicate that society might be prepared to recognize a reasonable expectation of privacy in the cloud, at least in some circumstances. Even if the Internet remains a public medium in some respects, taking a private object into public doesn’t necessarily destroy a person’s reasonable expectation of privacy in that object. But reasonable efforts to conceal that object must be present.
Next-Gen USB Drive
April 26, 2010 by Anuj Goel
Encryption and authentication are handled on the drive itself, so there is no software involved: no driver updates, no software updates, no admin privileges necessary, and no worries about whether you may or may not be able to open stored files on any operating system.
Anti-virus or Virus
April 26, 2010 by Anuj Goel
The error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The immediate impact on corporate users was lessened for those who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running a scan.
Critical Log Review Checklist
March 8, 2010 by Anuj Goel
If you are standardizing your log management program, it’s worth checking out the security log review checklist created by Anton and Lenny.
The random channel hopping algorithm cracked
December 30, 2009 by Anuj Goel
The algorithm that prevents the interception of radio signals between cell phones and operators’ base stations was cracked by a cryptographer -
The channel-hopping crack comes as the collective is completing the compilation of a rainbow table that allows them to decrypt calls as they happen. The table works because GSM encryption uses A5/1, a decades-old algorithm with known weaknesses. The table – a 2-terabyte list of known results that allows cryptographers to deduce the unique key that encrypts a given conversation – was developed by volunteers around the globe using giant clusters of computers and gaming consoles.
Point-of-sale (POS) terminals – Treasure for RAM scrapers
December 13, 2009 by Anuj Goel
RAM scrapers are scouring the RAM of point-of-sale (POS) terminals, where PINs and other credit card data are stored in the clear.
Verizon employees recently found the malware on the POS server of an unnamed resort and casino that had an unusually high number of customers who had suffered credit card fraud. The malware was sophisticated enough to log only payment card data rather than dumping the entire contents of memory. That was crucial to ensuring the malware didn’t create server slowdowns that would tip off administrators.
The RAM scraper dumped the data onto the server’s hard drive. The perpetrators visited at regular intervals through a backdoor on the machine to collect the booty.
It’s not a new attack, but it is rapidly climbing the attackers’ charts.
Pushing the limits of Privacy!
December 12, 2009 by Anuj Goel
Blippy is pushing the limits of privacy by inviting social netizens to push their credit card purchases to public networks.
Imagine being able to see everything your friends buy with a credit card as they do it. This not only tells you what kind of things they’re actually into (rather than someone just saying they like something), but also other information like how cheap they are, as well as where they actually are at a given time. There is actually a lot of data tied into the transactions we make, and Blippy takes that and makes it social.
I hope the folks in the security world concur that this will result in more identity theft cases than ever before.
Northrop Grumman to join universities to address Internet security issues
December 2, 2009 by Anuj Goel
After the NSA’s marriage with Microsoft, with a commitment to enhance Windows 7 security without constraining users in performing their everyday tasks, Northrop Grumman Corp is partnering with CERIAS, CMU and MIT to advance research and address the nation’s most pressing cyber threats.
Northrop is a major provider of cybersecurity support for U.S. defense and intelligence, and to civil governments in the U.S. and elsewhere. Brammer said the collaboration will speed up research with ideas that can be incorporated in contracts coming up soon as well as explore pro-active ways to protect information in the public and private sectors.
Swarm Intelligence: deploying new defense modeled after ants
September 25, 2009 by Anuj Goel
Worms kill but ants save! Researchers at WFU are deploying a new defense modeled after one of nature’s hardiest creatures — the ant. Why the ant? Per the researchers:
Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat. As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.
A good direction, but I’m not sure 3,000 ants will be sufficient to crawl 1 trillion URLs on the web in the near future.
Using AI for monitoring "abnormal behavior"
September 22, 2009 by Anuj Goel
This is not the first time artificial intelligence has been used for monitoring or processing public information. In the past, researchers have proposed a design for a smart computer that they believe will be able to detect insider trading fraud within the stock exchange almost instantly. Now the EU has funded a five-year research program, called Project Indect, which aims to develop computer programs that act as “agents” to monitor and process information.
According to the official website for Project Indect, which began this year, its main objectives include “to develop a platform for the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence”. It talks of the “construction of agents assigned to continuous and automatic monitoring of public resources such as: web sites, discussion forums, usenet groups, file servers, p2p [peer-to-peer] networks as well as individual computer systems, building an internet-based intelligence gathering system, both active and passive”.
Chat-in-the-Middle attack
September 17, 2009 by Anuj Goel
Phishers never stop innovating – after Vishing (voice phishing) and Smishing (SMS phishing), phishers are strengthening their phish by showing a bogus live chat support window to obtain more credentials via a live chat session initiated by the fraudsters.
During the live chat session, the fraudster behind the attack presents himself as a representative of the bank’s fraud department and attempts to dupe customers who are online into divulging sensitive information – such as answers to secret questions that are used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution.
Credit info unlock using info on driver’s license
September 13, 2009 by Anuj Goel
According to a recent Consumer Reports study, car dealers have the technological ability to unlock a test driver’s credit report using only the information on the driver’s license. The report states that under the FCRA they must get the driver’s permission, but the verbiage is a little ambiguous -
Under the federal Fair Credit Reporting Act, a car dealer must always get your permission to look at your credit report. He or she can get that permission in writing—when you sign a release or a loan application—or by implication, without your signature, if there is a “legitimate business need.”
It further states that a test drive does not constitute a legitimate business need; only when the consumer is actually initiating the purchase or lease of a vehicle does the transaction qualify as business that may involve a need to check credit. But since the technological capability is available, I hope someone reviews metrics such as how many reports were pulled versus how many vehicles were sold by a dealership.
Net worth on the black market
September 11, 2009 by Anuj Goel
Norton has developed a tool for evaluating your risk level, which provides an estimated value of your personal data to thieves in the criminal underground. The tool, which is built to raise consumer awareness of cybercrime, calculates your net worth on the black market using an algorithm and generates a report on the cost of your online assets, the value of your online identity on the black market, and your risk of becoming a victim of identity theft.
I tried the tool when I was initially briefed on it a few months ago and was surveyed about my gender and age range; online assets (including credit card and bank account data, brokerage accounts, e-mail accounts, and social network accounts) and an estimated value of all that information; whether I use security software; how cautious I am when online; and how much I think my information is worth.
Can one calculate how much “risk” is added (or how much net worth on the black market is increased) in the process of gathering users’ financial (credit card, bank and brokerage accounts) and personal (e-mail and social network accounts) information? For a user, if the tool returns a low number ($10), would that mean the probability of his or her identity being stolen is low?
Intelligent Information Privacy Management Symposium
September 11, 2009 by Anuj Goel
Stanford’s Center for Computers and Law is organizing the Intelligent Information Privacy Management Symposium on March 23 – 25, 2010.
This symposium takes a transdisciplinary approach in its exploration of privacy management by drawing from the key areas of Law, Computer Science, Artificial Intelligence, and Business. It will focus on the need to develop effective information privacy management frameworks, tools and techniques by addressing the underlying tension between transparency and disclosure in the privacy versus business strategy arenas.
The organizing committee is seeking three kinds of contributions: issues papers, position papers, and technical papers. If anyone is interested in co-authoring, please contact me. (The deadline seems tight though — October 2, 2009.)
Most common high risk vulnerabilities
September 8, 2009 by Anuj Goel
SQL injection, cross-site scripting, and cross-site request forgery attacks are rated the most common high risk vulnerabilities. Not only that, NTA found that 27% of all applications contained at least one high risk issue, with the most dramatic change seen among charity and not-for-profit clients. See the proposed suggestions, though I don’t agree that they provide protection for all of the noted attacks -
• Make sure all user-supplied data is properly sanitised before returning it to the browser or storing it in a database.
• Organisations should switch from a persistent authentication method to a transient authentication method to help prevent cross-site request forgery attacks.
• An account lockout mechanism should be in place, to lock out accounts permanently or temporarily, to help prevent attackers from being able to brute force user accounts.
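The three suggestions above map onto three small pieces of code. The following is an added example written for this post, not code from NTA or from the report it summarises: it puts a string-concatenated SQL lookup beside its parameterised form, encodes user data before it is returned to the browser, issues a per-session transient token so a persistent cookie alone no longer authorises a state-changing request, and keeps a temporary account lockout counter. The table contents, session ids and timestamps are constructed sample values.

```python
import hmac
import html
import secrets
import sqlite3


def make_db():
    """Constructed in-memory user table; the two rows are sample data, not real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Weak form: user input is spliced into the SQL text, so it can change the query."""
    rows = conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    return sorted(r[0] for r in rows)


def find_user_safe(conn, name):
    """Hardened form: the driver binds the value as data; it is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return sorted(r[0] for r in rows)


def render_greeting(name):
    """Encode user-supplied text before it goes back to the browser (the XSS half of 'sanitise')."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


class TransientTokens:
    """Transient authentication for state changes: a random per-session token that is
    issued with the form and must be presented again, in addition to the session cookie."""

    def __init__(self):
        self._tokens = {}  # session_id -> current token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token  # rotating on every issue invalidates older forms
        return token

    def verify(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)  # constant-time comparison


class LockoutPolicy:
    """Temporary lockout after N consecutive failures; counters reset once the lock expires."""

    def __init__(self, max_failures=5, lock_seconds=900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> unix time at which the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and the failure counter.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
        return self.is_locked(account, now)

    def record_success(self, account):
        self._failures.pop(account, None)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic textbook input used only to show the difference
    print("concatenated:", find_user_vulnerable(db, tautology))   # every row
    print("parameterised:", find_user_safe(db, tautology))        # no rows
    print(render_greeting("<b>alice</b>"))
```

The lookup pair is the important contrast: the same input returns the whole table through the concatenated query and nothing through the bound parameter, which is why "sanitising" for storage is best done by never letting data reach the SQL parser at all. The lockout class is deliberately temporary by default; a permanent lock, as the report also allows, is the same structure with an infinite `lock_seconds`.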