Monday, April 23, 2007

When It Rains It Pours... And It Leaks All Over

U.S. Exposed Personal Data: Census Bureau Posted 63,000 Social Security Numbers Online

In the continuing saga of mismanagement of data, computers and networks within the governmental infrastructure, we now learn that the Census Bureau--which practically guarantees confidentiality on the surveys it sends out every 10 years--has been releasing the identity data of those who have sought financial aid in the past.

For those of us who have taken out student loans and were forced to finance our way through college, this is worrisome, even though this particular instance doesn't involve student loans. But the federal government has outsourced much of the handling and processing of student loans, there has been a lot of news regarding the recent scandals involving student loan lenders, and anyone who has ever fallen into arrears can testify how unethical the collectors hired by the Department of Education can be... well, I'll just let you come to the point I am trying to make.

However, given my recent posts on our government's inability to protect, use and guarantee the data systems, computers and networks used in all aspects of the federal government, this series of articles gives us more cause to pause and ponder how unsafe we really are... and how our own government is probably a bigger threat to our identity, privacy, security and civil liberties than even the Al-Qaeda criminals.

For more than a decade, the Census Bureau posted on a public Web site the Social Security numbers of 63,000 people who received financial aid, officials said yesterday. The apparent violation of federal privacy law prompted concerns about identity theft.

Government officials removed the data from the Web site on April 13, the day they were alerted to the breach by an Illinois farmer who discovered the numbers while surfing the Internet. They did not publicize the matter until yesterday, saying they needed the delay to enable information-security officials to contact those whose numbers were revealed and to contact "at least a half-dozen" mirror sites.

"We take full responsibility for this and offer no excuses for it," said Terri Teuber, a spokeswoman for the U.S. Department of Agriculture. "We absolutely do not think it was appropriate."

A watchdog group countered that officials tried to suppress the news.

"The bottom line is the government screwed up," said Gary Bass, executive director of OMB Watch. "What's really important is that they now try to rectify the problem. Thousands of research groups have copies of this site."

Government officials said they knew of no misuse of the personal data, but the breach underscores the ease with which such data can be exposed in the digital age.

Last month, Los Alamos National Laboratory discovered that a subcontractor working on a security system in 1998 had posted the names and Social Security numbers of 550 lab workers on the subcontractor's Web site. The site was removed that day, a spokesman said.

In the current incident, Marsha Bergmeier said she was bored April 12, so she did an Internet search for her farm's name. It brought up a link to FedSpending.org, a site created by OMB Watch to allow monitoring of federal spending.

The site includes a searchable database of federal contract information, and her farm loan amount, under an Agriculture Department program, was listed. Also listed, Bergmeier discovered, were the Social Security numbers of 28,000 farmers.

"I was in disbelief," she said.

Teuber said the USDA had been using Social Security numbers as part of a 15-digit federal contract identifier number. The practice dates back more than 25 years, she said, to when Social Security numbers were printed on checks. She said the USDA's information-security division was not aware of this continuing practice until last week.

The loans database was part of a larger public Web site run by the Census Bureau, which collects all federal loan and grant data. The site has been up since 1996.
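The flaw in this story is a design one: a sensitive identifier (the SSN) was embedded inside a public one (the 15-digit contract identifier), so every export of the public id carried the secret with it. Below is a pre-publication gate, added here as an example that is not the post's or the USDA's own code; it assumes a constructed 15-digit identifier layout (the real layout is not given in the article, so every 9-digit window is checked), treats any structurally valid SSN window as a finding, and replaces it with a keyed HMAC surrogate so the published identifier stays unique and stable without carrying the SSN.

```python
import hashlib
import hmac

DEMO_KEY = b"demo-key-not-for-production"  # constructed; a real key lives in a secrets store

def looks_like_ssn(digits: str) -> bool:
    """Structural check for a pre-2011 SSN: area 001-899 except 666, group 01-99, serial 0001-9999."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return 0 < area < 900 and area != 666 and group != 0 and serial != 0

def find_embedded_ssn(identifier: str):
    """First SSN-shaped 9-digit window in a 15-digit id as (offset, window), else None.
    Conservative on purpose: any plausible window is a finding for human review."""
    if len(identifier) != 15 or not identifier.isdigit():
        return None
    for start in range(0, 15 - 9 + 1):
        window = identifier[start:start + 9]
        if looks_like_ssn(window):
            return start, window
    return None

def tokenize(identifier: str, key: bytes) -> str:
    """Replace the SSN window with a keyed, deterministic 9-digit surrogate: the id keeps
    its length and stays stable across exports, but cannot be reversed without the key."""
    hit = find_embedded_ssn(identifier)
    if hit is None:
        return identifier
    start, ssn = hit
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    surrogate = f"{int.from_bytes(digest, 'big') % 10**9:09d}"
    return identifier[:start] + surrogate + identifier[start + 9:]

# Constructed sample records in the shape of a public loan-data export.
SAMPLE_RECORDS = [
    {"recipient": "Example Farm LLC", "contract_id": "123456789000042", "amount": 15000},
    {"recipient": "Another Farm", "contract_id": "000000000000917", "amount": 8200},
]

def prepare_for_publication(records, key):
    """Pre-publication gate: returns (sanitized records, flagged original ids)."""
    published, flagged = [], []
    for rec in records:
        out = dict(rec)
        if find_embedded_ssn(rec["contract_id"]) is not None:
            flagged.append(rec["contract_id"])
            out["contract_id"] = tokenize(rec["contract_id"], key)
        published.append(out)
    return published, flagged
```

The check errs toward false positives, which is the right trade-off for a publishing gate: a flagged id costs a reviewer a minute, while a missed one is a breach.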


Cyberspies exploit Microsoft Office

Given that the data of almost every corporation and federal and state agency, and most of our personal data, is stored somewhere on a computer that either runs Microsoft Windows or allows Windows computers to access that stored data, the vulnerabilities this article exposes are quite significant and present an overwhelming threat to our national security. Even military operations on the ground in Iraq and Afghanistan employ Windows-based software and operating systems. The NSA, NSC, White House, Pentagon and Treasury Department use Windows-based software, operating systems and networks.

Personally, I have always questioned these common practices that Microsoft has epitomized:

1. Using beta releases to test the reliability and validity of its software; releasing these beta versions to any number of vendors, third-party software creators, educators and corporations developing software training programs, etc.;

2. Revealing internal security settings to other corporations that do high-volume business with computer users relying upon Microsoft operating and network systems;

3. Releasing some of the buggiest software, operating systems and network management systems, then having to release numerous patches, many of which create as many bugs as they fix;

4. Forcing end-users (regardless of the size/type of consumer) to visit the Microsoft web site to download updates and bug fixes;

5. Allowing Windows-based computers to send background information to Microsoft engineers and software experts regarding system crashes, authenticity verification, and automatic updates (newer computers operating under XP, .NET and VISTA platforms);

6. Dominating the marketplace with tactics that squeeze out the competition and getting involved in hundreds of lawsuits over patents, exposure, cybersecurity flaws, anti-trust activities, etc.

But since Microsoft is what it is--the most dominant software company in the world--we do not have many alternatives to substitute for its operating systems, office suites and utilities.

Cyberspies have a new secret weapon: tainted Microsoft Office files.

A rising number of cyberattacks are taking aim at specific individuals at critical government agencies and corporations — enticing them to unwittingly open a corrupted Word, Excel or PowerPoint file sent as an e-mail attachment.

Clicking on the file relinquishes control of the PC without the user's knowledge. The attacker then uses the compromised PC as a base from which to roam the organization's internal network.

Federal agencies and defense and nuclear contractors are under assault. Security firm MessageLabs says it has been intercepting a series of attacks from PCs in Taiwan and China since November.

"The bad guys know which organizations have data worth stealing and are picking them out one by one," says Alex Shipp, senior technologist at MessageLabs.

In early 2006, security experts detected one or two such attacks a week. Last month, MessageLabs intercepted 716 e-mails carrying corrupted Office files aimed at 216 different agencies and companies.

Assaults are coming from China and perhaps other countries in the hunt for military, trade and infrastructure intelligence, says Alan Paller, research director at The SANS Institute, a security think tank. The goal: strategic advantage over the USA. "The attacks are working," says Paller. "Penetrations are deep and broad."

Some attacks could be "on-demand," at the behest of companies that hire cybergangs to pilfer data from rivals, says Righard Zwienenberg, chief researcher at Norman Data Defense Systems.

At a congressional hearing last week on cybersecurity, Donald Reid, a senior State Department official, described how an employee in May clicked on a Word document corrupted via a security hole for which Microsoft had no patch. A fix wasn't available until eight weeks later. Microsoft has issued 10 patches for security holes in Office programs since January 2006, including a handful delivered only after crooks began using newly discovered flaws in their attacks. The best protection: keeping Office security patches updated.

The Office file attacks are "very targeted and very limited," says Mark Miller, Microsoft's director of security response, who called on workers "to absolutely extend extreme caution" when opening Office files in e-mail.

Microsoft has been slow to patch security holes in Office programs, says Zwienenberg. "But the cybercriminals are getting smarter and smarter."


Lest you think that I have a bias against Microsoft, or that other platforms do not carry similar risks, the news regarding Apple software and operating systems is not good either: Mac platforms are at risk almost as much as Windows-based PCs and networks. However, hackers have less interest in hacking Macs and Mac networks because so few of them are used for exploitable databases, accounts and identity information.

Myth Crushed As Hacker Shows Mac Break-In: Dino Dai Zovi Illustrates Security Flaws in OS X

A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

In winning the contest, he exposed a hole in Safari, Apple's browser. "Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest.

The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Dai Zovi, who lives in New York, sent along a URL that exposed the hole. Because the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said.

The vulnerability won't be published. 3Com's TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

One reason Macs haven't been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. "It's an incentive issue. The Mac is not as widely deployed of a platform as, say, Windows," she said. In this case, the cash may have provided motivation.

The contest was a chance for hackers to demonstrate techniques they may have boasted about. "I hear a lot of people bragging about how easy it is to break into Macs," Ruiu said.

Some attendees didn't think it was a coincidence that on late Thursday Apple released a patch for 25 vulnerabilities in OS X.


But here is the really bad news:

Most Computer Attacks Originate in U.S.

For all the brouhaha about external security threats, the reality is that our biggest cybersecurity threats originate within our own borders, generated by the corporations that develop and maintain our networking backbone, the corporations that maintain millions of terabytes of data on our credit and business transactions, and our own government, which is collecting data at an exponentially expanding rate.

The United States generates more malicious computer activity than any other country, and sophisticated hackers worldwide are banding together in highly efficient crime rings, according to a new report.

Researchers at Cupertino-based Symantec also found that fierce competition in the criminal underworld is driving down prices for stolen financial information.

Criminals may purchase verified credit card numbers for as little as $1, and they can buy a complete identity — a date of birth and U.S. bank account, credit card and government-issued identification numbers — for $14, according to Symantec's twice-yearly Internet Security Threat Report released Monday.

Researchers at the security software company found that about a third of all computer attacks worldwide in the second half of 2006 originated from machines in the United States. That makes the United States the most fertile breeding ground for threats such as spam, phishing and malicious code — easily surpassing runners-up China, which generates 10% of attacks, and Germany, which generates 7%.

The United States also leads in "bot network activity." Bots are compromised computers controlled remotely and operating in concert to pump out spam or perform other nefarious acts.

The legitimate owner of the computer typically doesn't know the machine has been taken over — and the phenomenon is largely responsible for the palpable increase in junk e-mail in the past half year.

Spam made up 59% of all e-mail traffic Symantec monitored. That's up 5 percentage points from the previous period. Much of the spam was related to stock picks and other financial scams.

The United States is also home to more than half of the world's "underground economy servers" — typically corporate computers that have been commandeered to facilitate clandestine transactions involving stolen data and may be compromised for as little as two hours or as long as two weeks, according to the report.


There are a lot of unanswered questions and unaddressed issues in terms of cybersecurity, especially within our corporations (many of which are vendors for our government) and our governmental agencies... including those that claim they are protecting us and our civil rights.


REFERENCES:

Flaw Count Hits A High
Last year (2006), researchers at Internet Security Systems identified 5,195 vulnerabilities in software. On Monday (October 2006), the count for 2006 stood at 5,450, according to the Atlanta-based company's survey, and the projected total for the whole of the year is almost 7,500 bugs.


U.S. Agencies Fail Cybersecurity Tests
Overall government grades improve slightly, but Homeland Security, Defense, and State departments still need work.


Lawmakers Grill US Agencies on Cyberattacks
Lawmakers expressed concern Thursday that multiple U.S. agencies whose networks were hacked recently can't be sure they've fixed their vulnerabilities because of poor cybersecurity practices.

Several agencies haven't completed inventories of their IT equipment, and can't know how badly they've been compromised, said Representative James Langevin, a Rhode Island Democrat, during a hearing of the House of Representatives Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.


Wellesley College: CyberSecurity Guidelines
As computer systems get more complex, the need to keep them up to date is crucial for preventing data loss and maintaining the security and privacy of your information. Some of the computing problems that have been seen on campus (anywhere) recently were (are) caused by viruses, security holes, mis-configured computers, and the illegal sharing and downloading of copyrighted material.

A compromised computer affects all the other computers on campus (anywhere) because we are connected to the same network. The speed of and reliability of our network can be affected because compromised computers may cause large amounts of network traffic and often attack computers on and off the campus network.


Threats And Vulnerabilities To Our Global Computer Networks And Systems Are Growing Faster Than We Can Address Them
Malicious code--viruses and worms--is being created to exploit software flaws within days, when only a year ago it would have taken months for such code to appear. Our water supply, electric grid, nuclear energy system and other critical infrastructures are interconnected and interdependent, increasing the likelihood that a cyberattack could disrupt major services and cripple economic activity.

Indeed, if a cyberattack occurred at the same time as a physical attack, critical emergency response systems and communications operations could be taken out, increasing the confusion of an attack, and the number of casualties.

When the Department of Homeland Security was created, the president eliminated the position of senior advisor to the president on cybersecurity and delegated its responsibilities to the new department. For months, the department failed to assume this responsibility and did little on cybersecurity.

The government cannot be naive in its approach and must recognize the unique and cross-cutting nature of the cyberworld.


U.S. Cybersecurity Czar Has His Marching Orders
