Posts Tagged 'security'

Korean Data Leak Courtesy of Chinese Hackers

They just never quit do they? South Korea is the latest victim of a major data breach courtesy of Chinese hackers. Korean retailer Shinsegae, in addition 24 other companies, reported the theft of approximately 20 million customer accounts and private data. Police tracked down 3 South Koreans for attempting to sell the information online. The original Chinese hackers are still at large.

The government security agency plans on launching a probe into whether the corporations implemented adequate security measures to prevent such a theft. Otherwise, somebody gonna get fired. To date this has been the worst data breach in the country’s history.

“Shinsegae issued a statement of apology after data on 3.3 million of its customers was leaked from its online shopping mall.” (link)

Security News

So Conficker‘s big day rolled around and  a little dust stirred up. April 1st was the date the worm was to update itself by contacting a few websites for further instructions. A few reports have streamed in but little has happened. A few government facilities hit DEFCON3 temporarily as their systems were on the fritz but were quickly put back under control. Other than that, nothing has happened. Security experts continue to worry what the creators have in store for the future.

How about remotely disabling computers for unpaid Internet bills or if your laptop was stolen? Ericsson has developed a module which can perform such a task. Several manufacturers are currently using the modules: LG Electronics Inc., Dell Inc., Toshiba Corp. and Lenovo.It’s unlikely that ISPs would cut you off for missing a payment however the technology does exist and might show up in a computer near you. The real use comes into play when it comes to data protection. Stolen laptops and preventing sensitive data from falling into the wrong hands. Ever had a laptop stolen and had to resort to your backup? And then have that fail and need data recovery? Yeah, it’s a real pain. Trust me, you don’t want to go through it.

DNS tops black hat discussion

With the Black Hat security conference drawing to a close, it’s a good time to take a look at the various topics that dominated this year’s seminars. Security researcher Dan Kaminsky’s presentation on the DNS exploit he discovered months ago was a standing-room only event, and while we’ve covered the vulnerability several times here at Ars, Kaminsky provided additional details and some back history on his discovery. Cisco was also discussed at Black Hat this year, after several years of silence, and the EFF announced its own Coder’s Rights Project.

Kaminsky has made the slide deck from his presentation available (PPT); the slides are thorough enough to get a sense of his presentation. According to his talk, DNS and the infrastructure of the Internet itself remain fundamentally vulnerable in ways that will not be easy to correct. Kaminsky refutes the idea that SSL is an antidote to these DNS vulnerabilities, as SSL certifications are themselves dependent on proper DNS functionality. (link)

Only TSA laptop approved bags

There’s a new option for people annoyed at having to take their laptops out of their bags at airport security. The Transportation Security Administration will now allow travelers to leave their computers inside “checkpoint friendly” cases.

The new rules, announced Tuesday and set to take effect Aug. 16, are intended to help streamline the X-ray inspection lines.

TSA said it reached out to bag manufacturers this year to design laptop cases that would provide a clear, unobstructed image of the computer as it passed through an X-ray machine. The agency said the new bags will be available for purchase this month. (link)

Spam clogging up the Intertubes, 80% of email traffic

Almost everyone hates spam. The only people that don’t hate it are the ones that make vast amounts of money from sending it. The profits they turn are so large that regardless of what spam fighters do, the amount of spam keeps increasing. According to web security firm MessageLabs, spam accounted for 81.5 percent of all e-mail traffic in June.

This number, which is calculated based on 3 billion e-mail connections that MessageLabs scans every single day, more or less corresponds with US-specific data. An analysis of year-to-date spam rates for individual US states shows that the percentage of e-mails that were spam range from 77 (Montana) to 91 percent (Illinois). In other words, in every single state in the US, over three quarters of e-mails sent are junk. The average spam level in the US was 86 percent in June. (link)

Intel chips vulnerable to bug?

Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel’s microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running.

Kaspersky will demonstrate how such an attack can be made in a presentation at the upcoming Hack In The Box (HITB) Security Conference in Kuala Lumpur, Malaysia, during October. The proof-of-concept attacks will show how processor bugs, called errata, can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler.

“I’m going to show real working code…and make it publicly available,” Kaspersky said, adding that CPU bugs are a growing threat and malware is being written that targets these vulnerabilities.

Different bugs will allow hackers to do different things on the attacked computers. “Some bugs just crash the system, some allow a hacker to gain full control on the kernel level. Some just help to attack Vista, disabling security protections,” he said. (link)

Mobile group to establish web security for phones

Until recently, the development of mobile-friendly websites has been regarded as nothing more than an irrelevant black art. That has since changed, thanks to more web-capable phones making their way into the mainstream (such as, of course, the iPhone). But the landslide of new and improved mobile sites has opened the doors to a sort of standard-free chaos, where almost anything (that works) goes and security is a second thought. The Open Mobile Terminal Platform (OMTP) group hopes to change that, however, by launching a new initiative that focuses on mobile development without sacrificing important principles like security.

The project will be called BONDI and will be supported by a number of OMTP members: 3 Group, AT&T, T-Mobile, Telenor, Telefónica, Telecom Italia, and Vodafone. The group plans to “harmonize the various open and proprietary ongoing initiatives and this cooperative work will minimise the potential for technology fragmentation,” and will provide a secure web services interface for developers to use when creating mobile sites. “The new handset software will be engineered in such a way as to prevent fraudulent and malicious activity through unauthorized access to functions or sensitive personal information,” says OMTP. (link)


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 29 other followers

Technorati – Blog Search

Add to Technorati Favorites

submit express


Follow

Get every new post delivered to your Inbox.

Join 29 other followers