Pessimists are fond of saying that no good deed goes unpunished. An Australian teenager who reported a security vulnerability in a government website and now faces legal troubles probably agrees. Joshua Rogers, a 16-year-old Victoria native, discovered a security hole that gave him access to a database containing the full names, addresses, home and mobile phone numbers, e-mail addresses, dates of birth, and nine of the 16-digit credit card numbers for about 600 000 commuters who paid for fares via the Metlink website run by the Transport Department. When he stepped forward in late December to tell the site’s operators about the vulnerability, they never bothered to respond. Two weeks later, Rogers told his story to The Age; when the newspaper asked the Transportation Department about it, officials there reported Rogers to the police.
“It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Phil Kernick, of cyber security consultancy CQR, told The Age. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”
I guess the Transportation Department, knowing that it will face scrutiny over leaving its customers’ data so open to misappropriation, is trying to appear serious about security by taking a preemptive strike—albeit against someone who attempted to notify them of the hole instead of exploiting it.
Target's Data Breach Diagnosis Off Target
I’m shocked—shocked!—to find out that Target wildly underestimated the number of people whose personal data was stolen in a data breach that occurred between 27 November and 15 December. Target came out today and retracted the 42 million figure it had been sticking to since news of the breach broke on 19 December. The retailer announced today that names, mailing addresses, phone numbers, and e-mail addresses of roughly 70 million people fell into the hands of cybercriminals. Much of the data newly identified as having been accessed by the hackers was supposedly stored on a separate part of the company’s internal networks from the one Target knew was hacked.
Few Plaudits for Yahoo's Belated Security Update
Yahoo finally made HTTPS the default setting for its e-mail service this week, years after rivals such as Google made the move. But if it was expecting handshakes and pats on the back, it has another thing coming. Security experts say that after Yahoo finished inexplicably dragging its feet, it has come up with a scheme that is not likely to keep users’ communications away from prying eyes. The “new configuration leaves a lot to be desired,” Ivan Ristic, director of application security research at security firm Qualys, told Security Watch. Ristic and other observers are scratching their heads about Yahoo’s decision not to support Perfect Forward Secrecy, which ensures that communications are secured by randomly generated ephemeral public keys. “Without Forward Secrecy, even encrypted data is feasibly at risk from private key compromise,” Ristic warns.
In Other Cybercrime News
- RSA is facing a backlash over reports that it entered into a secret contract with the U.S. National Security Agency that called for the company to use a random number generator known to be flawed in its encryption tools. A growing number of security experts have withdrawn papers from an upcoming RSA conference in protest. In late December, Josh Thomas of Altredis announced that he had changed his mind about delivering a talk at the conference. The very next day, Mikko Hyponnen of F-Secure posted an open letter to RSA saying he was also canceling his talk on government-sponsored malware. At least a half dozen other people expected to be in the conference’s lineup have sent their regrets.
- Researchers from Carleton University in Ottawa, have proposed a way to create a user- and machine-generated narrative, based on the user’s recent activity on a computer, which would serve as a device’s authentication mechanism instead of a password. They reason that a familiar narrative will be easy for the authorized user to remember but exceedingly difficult for a hacker to crack. “Allow the system to have a dialogue and prove that you are you and tell it things you know,” says one of the authors of the paper (“Towards Narrative Authentication; or Against Boring Authentication”).
- Researchers have discovered vulnerabilities in industrial Ethernet switches manufactured by Siemens that could let attackers hijack Web sessions and perform unauthorized admin tasks on the switches.
- As cars get smarter and increasingly Internet connected, privacy issues regarding the flood of data a vehicle generates have come to the fore.
- Security firm Invincea reported this week that the video-sharing site DailyMotion, which attracts 17 million visitors a month, has been plagued by an attack that redirects users to a scam. Kaspersky Lab’s Threatpost explains the threat thusly: “When the user lands on the DailyMotion home page, an invisible iframe redirects to the scam which warns the user of a critical process that must be cleaned to prevent system damage. The victim is then presented with a dialog box that offers to clean the computer of the problem. If the user agrees, they’re asked to run a file which is the malicious executable.
Photo: Getty Images