Infosec Year in Review -- 1999

Infosec Year in Review -- 1999

InfoSec Year In Review -- 1999 M. E. Kabay, PhD, CISSP. Security Leader, INFOSEC Group, AtomicTangerine Inc. Category 11 Breaches of confidentiality Date 1999-01-29 Keyword data leakage privacy confidentiality control Web Source, Vol, No. RISKS 20 18 The Canadian consumer-tracking service Air Miles inadvertently left 50,000 records of applicants for its loyalty program publicly accessible on their Web site for an undetermined length of time. The Web site was offline as of 21 January until the problem was fixed. Date 1999-02-03 Keyword data leakage Web script QA vulnerability confidentiality Source, Vol, No. WIRED via PointCast An error in the configuration or programming of the F. A. O. Schwarz Web site resulted paradoxically in weakening the security of transactions deliberately completed by FAX instead of through SSL. Customers who declined to send their credit-card numbers via SSL ended up having their personal details — address and so forth — stored in a Web page that could be accessed by anyone entering a URL with an appropriate (even if randomly chosen) numerical component. Date 1999-02-10 Keyword e-commerce credit card personal information password privacy Source, Vol, No. RISKS 20 20 Prof. Ross Anderson of Cambridge University analyzed requirements on the AMAZON.COM online bookstore for credit card number, password, and personal details such as phone number. He identified several risks: (1) merchant retention of credit card numbers poses a far higher risk of capture than of capture in transit; (2) adding a password increases the likelihood of compromise because so many naïve users choose bad passwords and then write them down; (3) even the British site for Amazon contravenes European rules on protecting consumer privacy; (3) such practices make it easier for banks to reject their clients' claims of fraudulent use of their credit-card numbers. Date 1999-04-08 Keyword criminal hacker investigation data diddling Source, Vol, No. UPI In East Lansing, MI a criminal hacker broke into a police computer through a faulty Web site and stole information with tips about rioters who trashed the town after "their" team lost a basketball game. Date 1999-04-22 Keyword privacy credit card Web quality assurance ISP Internet Service Provider QA bug error Source, Vol, No. AP, <http://www.infobeat.com/stories/cgi/story.cgi?id=2559272284-9a6> Joe Harris, a computer technician at the Seattle-area "Blarg! Online" ISP, discovered that improperly-installed shopping-cart software used widely on the Net to simplify shopping can allow anyone to see confidential data such as credit-card numbers. Security analysts pointed out that the plain ASCII file where such data are stored should not be on the Web server at all, or if it is, the file should be encrypted. Initial evaluation suggested that the weakness affects at least several hundred and possibly many thousands of e-commerce sites where the software installations were improperly done. Date 1999-04-30 Keyword Internet service provider ISP privacy surveillance scans PCs Source, Vol, No. Reuters An uproar broke out when Singapore Telecom scanned 200,000 computers belonging to its Internet service customers — without their knowledge or permission. At first, the company hung tough: "We are merely protecting the interest of our customers," said Paul Chong, CEO of Singapore Telecom. Staff explained that the non-invasive scans, carried out by anti-hacker personnel from the Ministry of Home Affairs, did not penetrate systems but merely noted vulnerabilities visible to any hacker. However, the company announced that 900 virus- infected computers had been found — which hardly seems non-invasive. The company apologized to its customers within a couple of days after the furore erupted. Date 1999-08-26 Keyword privacy Web aggregate data collection marketing purchases preferences books Source, Vol, No. USA Today The "Purchase Circle" feature of <amazon.com> caused ripples of concern among some observers because it allows anyone to view aggregated purchase data broken down by city, university and organization. Critics argue that knowing which books people in a given competitor are buying may provide valuable competitive information. Amazon responded by providing a way of opting out of participation in the data collection. Legal experts noted that such corporate data collection, publication and use of aggregated data is not illegal. Copyright (c) 2000 M. E. Kabay. All rights reserved. Page 1 of 86 Date 1999-10-05 Keyword criminal hackers crackers theft fraud Web pages sites Source, Vol, No. BBC MONITORING EUROPEAN - POLITICAL In late September 1999, Czech police arrested a criminal hacker who was trying to sell stolen personal information about 2.5M users of Internet accounts. The 21-year-old was an employee of the Ceska Sporitelna savings bank and he confessed to the crime. According to Czech criminal hackers interviewed on Czech radio in October, the state of security on most Czech Web sites is poor; however, the hackers tend to avoid police computers because of possible massive retaliation. Date 1999-10-16 Keyword privacy espionage information warfare confidentiality unlisted ex directory phone numbers gover Source, Vol, No. Wired Someone posted several confidential phone numbers for New Zealand government ministers on a home page in the GeoCities Web hosting system. The security breach rendered many home, mobile, and pager numbers unusable as a result of the disclosure. Category 12 Wiretapping, interception (not jamming; not govt/law enforcement) Date 1999-04-21 Keyword surveillance microphone camera Internet Source, Vol, No. The Times (London) According to an article in _The Times_ of London on 1999-04-21, Philip Loranger of the US Army Information Assurance Office demonstrated that unprotected networks with workstations that have microphones or cameras are vulnerable to surveillance. Category 13 Data diddling, data corruption, embezzlement Date 1999-01-03 Keyword theft fraud hackers bank impersonation crime punishment Source, Vol, No. RISKS 20 14 Two more Chinese criminal hackers were sentenced to death in China in December 1998. The twin bothers stole 720,000 Yuan (~U$87K) from a bank in Zhenjiang and transferred the money to their own accounts. Date 1999-04-06 Keyword theft surveillance eavesdropping data diddling hacking bank Source, Vol, No. TIMES OF INDIA The Times of India reported on the abysmal state of security in Indian businesses, where, as in the rest of the world, managers pay little attention to security until after there's a problem. The article claimed that "a large public sector bank in India was electronically molested recently by hackers who allegedly transferred cash . by invading the banks' network." Category 14 Viruses, hoaxes, Trojans (assembly level or macro: not ActiveX or Java) Date 1999-01-21 Keyword virus contamination sabotage disgruntled employee Source, Vol, No. Los Angeles Times Zhang Wenming, a disgruntled Beijing programmer, confessed in January 1999 to infecting 20,000 of copies of educational software with a dangerous virus whose payload included erasing a victim's hard disk. Apparently the 28-year-old self taught programmer was furious at being fired for "poor work habits" and wreaked his revenge on his employer in the last days of his employment. Date 1999-01-29 Keyword Trojan horse backdoor quality assurance QA Source, Vol, No. RISKS 20 18 Peter Neumann summarized a serious case of software contamination in RISKS 20.18: At least 52 computer systems downloaded a TCP wrapper program directly from a distribution site after the program had been contaminated with a Trojan horse early in the morning of 21 Jan 1999. The Trojan horse provided trapdoor access to each of the contaminated systems, and also sent e-mail identifying each system that had just been contaminated. The 52 primary sites were notified by the CERT at CMU after the problem had been detected and fixed. Secondary downloads may also have occurred." Date 1999-02-08 Keyword virus confidentiality privacy encryption key Source, Vol, No. RISKS 20 19 The Codebreakers, virus writers with more technical skill than good sense or ethical sensibilities, wrote the Caligula virus, which sends users' PGP secret key ring to their FTP site. This large virus illustrates the dangers of data transfer from inside the firewall and also the stupidity of a legal system that cannot recognize that virus code is not speech and should not be constitutionally protected. Cryptographers recommended that secret-key rings either be stored off the hard disk entirely when not in use or that all data on the disk be encrypted. Copyright (c) 2000 M. E. Kabay. All rights reserved. Page 2 of 86 Date 1999-02-12 Keyword QA quality assurance auditing Y2K consultants fraud embezzle Source, Vol, No. RISKS 20 21 Bruce Martin pointed out in RISKS that the frantic efforts to remediate the Y2K bugs in production software offer a perfect cover for criminals to insert Trojan code in financial software. Such Trojans could, for example, cause monetary transfers around the Y2K transition out of clients' accounts to the criminals' accounts in offshore banks. The expected confusion at the end of 1999 could cause serious difficulties for auditors as they tried to piece together the reasons for various losses experienced at the turn of the century. Date 1999-02-25 Keyword criminal hackers Internet spam virus denial of service Source, Vol, No. BBC translation of Bulgarian BTA report On January 26, criminal hackers attacked the Internet site of the Bulgarian Telecommunications Company in Sofia. The attackers used the site to send virus-infected e-mail [possibly Trojan attachments] to several thousand victims via a US server. On February 5, attackers repeated the spam attack, sending infected e-mail to "a prestigious US college." A few days later, reported the Bulgarian radio service, the BTC e-mail server was subjected to a denial of service spam attack.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    86 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us