“It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Phil Kernick, of cyber security consultancy CQR, told The Age. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”
I guess the Transportation Department, knowing that it will face scrutiny over leaving its customers’ data so open to misappropriation, is trying to appear serious about security by taking a preemptive strike—albeit against someone who attempted to notify them of the hole instead of exploiting it.
Target's Data Breach Diagnosis Off Target
I’m shocked—shocked!—to find out that Target wildly underestimated the number of people whose personal data was stolen in a data breach that occurred between 27 November and 15 December. Target came out today and retracted the 42 million figure it had been sticking to since news of the breach broke on 19 December. The retailer announced today that names, mailing addresses, phone numbers, and e-mail addresses of roughly 70 million people fell into the hands of cybercriminals. Much of the data newly identified as having been accessed by the hackers was supposedly stored on a separate part of the company’s internal networks from the one Target knew was hacked.
Few Plaudits for Yahoo's Belated Security Update
Yahoo finally made HTTPS the default setting for its e-mail service this week, years after rivals such as Google made the move. But if it was expecting handshakes and pats on the back, it has another thing coming. Security experts say that after Yahoo finished inexplicably dragging its feet, it has come up with a scheme that is not likely to keep users’ communications away from prying eyes. The “new configuration leaves a lot to be desired,” Ivan Ristic, director of application security research at security firm Qualys, told Security Watch. Ristic and other observers are scratching their heads about Yahoo’s decision not to support Perfect Forward Secrecy, which ensures that communications are secured by randomly generated ephemeral public keys. “Without Forward Secrecy, even encrypted data is feasibly at risk from private key compromise,” Ristic warns.
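The forward-secrecy gap Ristic describes comes down to the key exchange a server's cipher suites use: suites keyed by ephemeral (EC)DHE leave nothing that a later leak of the server's long-term private key could decrypt, while plain RSA or static DH key exchange does. The following script is an added example, not code from the original article or from Yahoo or Qualys; it classifies cipher-suite names (OpenSSL and IANA spellings) by whether they provide forward secrecy and audits a constructed sample configuration, with a weak list beside a hardened one. The suite lists are constructed for illustration and do not reflect any real server.

```python
import re

# Key-exchange prefixes that negotiate a fresh (ephemeral) key per session.
# Matches OpenSSL names (ECDHE-RSA-..., DHE-RSA-..., EDH-RSA-...) and IANA
# names (TLS_ECDHE_ECDSA_WITH_...). Static ECDH-/DH- and anonymous ADH- suites
# deliberately do not match: the former leak past sessions on key compromise,
# the latter are unauthenticated and should not be offered at all.
_EPHEMERAL_KX = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]")


def has_forward_secrecy(suite: str) -> bool:
    """Return True if the named suite uses an ephemeral key exchange."""
    name = suite.strip().upper()
    # TLS 1.3 suites carry no key-exchange label; the protocol always uses (EC)DHE.
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return bool(_EPHEMERAL_KX.match(name))


def audit_cipher_list(suites):
    """Split a server's offered suites into those with and without forward secrecy."""
    with_fs = [s for s in suites if has_forward_secrecy(s)]
    without_fs = [s for s in suites if not has_forward_secrecy(s)]
    return {"forward_secrecy": with_fs, "no_forward_secrecy": without_fs}


def harden(suites):
    """Return the same list with every non-forward-secret suite removed, order kept."""
    return [s for s in suites if has_forward_secrecy(s)]


# Constructed sample: an RSA-key-exchange-only configuration of the kind the
# article criticises, followed by what the hardened equivalent looks like.
WEAK_CONFIG = [
    "AES128-SHA",                 # RSA key exchange: no forward secrecy
    "AES256-SHA256",              # RSA key exchange: no forward secrecy
    "ECDH-RSA-AES128-SHA",        # static ECDH: no forward secrecy
    "ECDHE-RSA-AES128-GCM-SHA256",
]
HARDENED_CONFIG = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_cipher_list(cfg)
        print(f"{label}: {len(report['forward_secrecy'])} FS suite(s), "
              f"{len(report['no_forward_secrecy'])} without FS")
        for s in report["no_forward_secrecy"]:
            print("  lacks forward secrecy:", s)
```

Running the script against the sample reports three suites in the weak configuration that lack forward secrecy and none in the hardened one; the same classifier can be pointed at the output of `openssl ciphers` or a scanner's cipher list to check a real deployment.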
In Other Cybercrime News
- RSA is facing a backlash over reports that it entered into a secret contract with the U.S. National Security Agency that called for the company to use a random number generator known to be flawed in its encryption tools. A growing number of security experts have withdrawn papers from an upcoming RSA conference in protest. In late December, Josh Thomas of Atredis announced that he had changed his mind about delivering a talk at the conference. The very next day, Mikko Hyppönen of F-Secure posted an open letter to RSA saying he was also canceling his talk on government-sponsored malware. At least a half dozen other people expected to be in the conference’s lineup have sent their regrets.
- Researchers from Carleton University in Ottawa have proposed a way to create a user- and machine-generated narrative, based on the user’s recent activity on a computer, which would serve as a device’s authentication mechanism instead of a password. They reason that a familiar narrative will be easy for the authorized user to remember but exceedingly difficult for a hacker to crack. “Allow the system to have a dialogue and prove that you are you and tell it things you know,” says one of the authors of the paper (“Towards Narrative Authentication; or Against Boring Authentication”).
- Researchers have discovered vulnerabilities in industrial Ethernet switches manufactured by Siemens that could let attackers hijack Web sessions and perform unauthorized admin tasks on the switches.
- As cars get smarter and increasingly Internet-connected, privacy issues regarding the flood of data a vehicle generates have come to the fore.
- Security firm Invincea reported this week that the video-sharing site DailyMotion, which attracts 17 million visitors a month, has been plagued by an attack that redirects users to a scam. Kaspersky Lab’s Threatpost explains the threat thusly: “When the user lands on the DailyMotion home page, an invisible iframe redirects to the scam which warns the user of a critical process that must be cleaned to prevent system damage. The victim is then presented with a dialog box that offers to clean the computer of the problem. If the user agrees, they’re asked to run a file which is the malicious executable.”
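The DailyMotion item turns on an iframe the visitor never sees. A site operator or responder checking a page for that kind of injection can look for iframes sized to zero, hidden by CSS, or pushed off-screen. The script below is an added example, not code from the original article or from Invincea, Threatpost, or DailyMotion; it parses HTML with the standard library and lists the `src` of every iframe that looks hidden. The page it scans is a constructed sample with invented `.invalid` hostnames, not the real attack content.

```python
import re
from html.parser import HTMLParser

# CSS patterns that make an element invisible: zero/one-pixel dimensions,
# display:none, visibility:hidden, or an absolute position far off-screen.
_CSS_HIDDEN = re.compile(
    r"(display:none|visibility:hidden|(width|height):[01](px)?(;|$)|(left|top):-\d+px)"
)


def _looks_hidden(attrs: dict) -> bool:
    """Heuristic: does this iframe's markup try to keep it out of view?"""
    if "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().lower().rstrip("px") in ("0", "1"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return bool(_CSS_HIDDEN.search(style))


class _IframeCollector(HTMLParser):
    """Collects the src of each iframe whose attributes suggest it is invisible."""

    def __init__(self):
        super().__init__()
        self.hidden_sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Attribute values may be None for bare attributes such as `hidden`.
        normalized = {k.lower(): (v or "") for k, v in attrs}
        if _looks_hidden(normalized):
            self.hidden_sources.append(normalized.get("src", ""))


def find_hidden_iframes(html: str):
    """Return the src values of iframes that appear deliberately hidden."""
    collector = _IframeCollector()
    collector.feed(html)
    return collector.hidden_sources


# Constructed sample page: one legitimate visible player iframe and two
# injected iframes hidden by different means. Hostnames are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Videos</h1>
<iframe src="https://player.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://scam-redirect.invalid/clean.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<div><iframe src="http://scam-redirect.invalid/alt" style="position:absolute; left:-9999px"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_PAGE):
        print("hidden iframe ->", src)
```

The heuristic is intentionally conservative about what it flags and says nothing about where the iframe leads; a match is a reason to inspect the page source and the compromised template or ad slot that produced it, since the same technique is used to drop an unwanted frame into an otherwise legitimate site.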
Photo: Getty Images
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.