IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.


Sex hungry cop opened the door for Lexis Nexis hack

A police officer looking to see nude pictures of a 14-year-old girl is the key behind a security breach of a Lexis Nexis online database, according to a story in Wired News. But the 14-year-old turned out to be a member of a hacking group, and the file he sent contained a virus that opened a back door to the officer's computer.

While browsing the officer's computer, he ran into a file containing the username and password for Accurint, a Lexis Nexis service for law enforcement agencies that contains all kinds of personal data. The hacker used the information to look up personal data for celebrities.

One thing led to another. A fellow hacker who identified himself to Wired as "Null", posing as an admin for Lexis Nexis, called an Accurint employee and convinced him to reset the password for another account – allowing him to create new user names and passwords.

"A whole bunch of user names were made and people were trading them and passing them around like candy," Null told Wired. "It was getting real bad."

The 16-, 19- and 20-year-old hackers claim they didn't use the data they found in the database. But with user accounts being traded and exchanged online, nobody knows for sure who saw what.

And so what started out as a routine hack of an officer's computer turned into one of the greatest security breaches to date. The whole affair becomes even scarier once you realise that the entire security chain sprang leaks, including Lexis Nexis.

Santa Clara County Deputy District Attorney Jim Sibley had this to say about the security at the database firm: "Their security is really bad. This isn't a situation where you're talking about needing an überhacker to compromise (the system). Their passwords weren't as secure as your average porn site. I think it didn't take a genius to break them. Although I think the way the hackers did it was creative. We'll give them style points."

May 26, 2005

Data kidnapping is the latest thing

In a new way to extort unsuspecting computer users, hackers have in several cases encrypted user data such as photos and text documents and demanded $200 for the key to unlock the information.

In one case a user was infected by visiting a website that contained an exploit of a known security hole in Microsoft's Internet Explorer. But users could just as well be infected through an email worm or by downloading infected software.

The method shows that computer hackers are innovative folk who will constantly come up with new ways to profit from their malware. I doubt, however, that this will be the next big thing in computer hacking. Sending money across the world tends to leave a trail.

May 24, 2005

How much do you trust the government?

Nick Negroponte may think governments should buy and distribute $100 laptops, but if I were getting one of these I'd be very curious to know what's on it.

It's difficult to see the more repressive governments going along with this - or, if they do, not installing spyware on the systems. Governments recognise the power of IT; one of the defining moments in organising the velvet revolution in the old Czechoslovakia was when a bag of modems arrived - allowing unmonitorable communications.

So while the idea is good, from a security standpoint it's a bit of a worry.

May 16, 2005

Dr Who villain spotted in London
Well, not quite. But if you’re one of the hundreds of people who enjoys the odd lunch in Soho Square you’ll be able to see this near the entrance to Greek Street.

It’s a directional microphone, to go with the CCTV camera. Seven of these are already in place around Soho (there’s a small prize for the first person to give the locations of the other six), with more planned over the summer.

Now Westminster Council say these mics are only going to be activated once noise reaches illegal levels, but think about it. You’re a security guard spending all day watching the streets and directing police to the odd pickpocket or mugger. You’re not even going to be tempted to check out what those two are laughing about?

I can think of no rational argument against reasonable use of CCTV. There’s just something in me that loathes it with a passion; it grates to be recorded without permission. Now it seems even conversations aren’t private.

May 8, 2005

Big brother or big boss?

There's something creepy about Cisco's announcement that it is selling a server that can track you using a Wi-Fi network and RFID tags.

This has good applications but tracking employees is not one of them. I can't think of anything more likely to get employees' backs up than being monitored so closely. It's the equivalent of the corporate head telling you he doesn't trust you not to slack off.

Ah, but if you've done nothing wrong you've nothing to fear, goes the counter-argument. But who amongst us can honestly say he hasn't wasted a single second of the day? Indeed, there's a strong case for having a wander around just to clear your mind for some new ideas.

In certain highly specialised fields this kind of employee tagging is useful; hospitals could find doctors quickly, for example. Even large scale deployment could be justified over a short period if you wanted to determine general patterns of behaviour in the office with the intention of improving design.

But for the vast bulk of companies, long-term large-scale monitoring would be counterproductive. You might know where everyone is but, considering the liberties you'll take with staff, you won't get many free-thinking creative types applying to join.

May 4, 2005