Monday, September 26, 2011


...extra points for Ethical Hackers!
Millions of student exams, tests and data exposed?
September 26, 2011 by admin
On September 19, Darren Pauli reported:
Multiple zero-day security vulnerabilities have been found in the world’s most popular educational software – holes that allow students to change grades and download unpublished exams, whilst allowing criminals to steal personal information.
Vulnerabilities in the Blackboard Learn platform have the potential to affect millions of school and university students and thousands of institutions around the world.
The platform is used by the United States military to train soldiers.
After several weeks of investigation by university IT managers, security professionals and SC Magazine, Blackboard Learn has acknowledged it is sending a security advisory to customers to address the issue.
Read more on CRN.
On September 22, Blackboard responded to the concerns on their blog. Jessica Finnefrock writes, in part:
So how does that finding contrast with some of the headlines you may have read? Put simply: although these issues are important, and we’re committed to fixing them quickly, most of them could only have a limited impact at the class level, do not seriously threaten the overall institution or system data, and – most importantly – there have been no client reports of exploitation of any of these vulnerabilities. [Did they know they should be testing? Bob] Most of the issues raised are common to lots of Web applications, not just Blackboard Learn. That doesn’t make them less important – but it is important to understand that their scope and potential impact are generally low.
What are the issues exactly? Most involve common attacks like phishing. To give you an example, a successful exploit would require an authenticated user with a valid login to create a malicious website and then create a link within Blackboard to that website. The user would need to convince another user to actively click on a suspicious link and provide their user credentials again. These issues do not involve actual system break-in or data vulnerabilities such as SQL injections.
What’s the risk? While the exploits could enable access to another user’s account, a successful attack is not highly probable, requires significant user intervention, and even then exposure would be limited to only functions which may be performed by the impacted user. These issues would not allow access to the entire system for grades or other system-wide information. The likelihood of an administrator account being compromised is low, and any attempted malicious actions would be logged and traceable.
Read more on Blackboard.


An easy but unverifiable conclusion. I would be much more concerned if a “Single point of failure” was being addressed...
Data Security: SK Communications Data Breach Due To “Cheap” Foreign Antivirus Software
September 25, 2011 by admin
Sang Lee provides a follow-up on the SK Communications hack that affected 35 million South Koreans, covered previously on this blog:
According to South Korean media, the Korean Committee on Culture, Sports, Tourism, Broadcasting & Communications released a report yesterday noting that, of the 50 or so antivirus software available in the Korean market, SK Comm used Norton from Symantec.
Per the articles covering the issue, the specific malware that caused the SK Comm breach was detected by five particular antivirus solutions. Norton was not part of that group of five. However, it appears that Norton is less expensive than some solutions that were tested.
This prompted the Committee to slam SK Comm for using “cheap” foreign antivirus software and accused it of being pennywise and pound foolish. And by slammed SK Comm I mean they brought in the CEO and told it to his face.
Read more on AlertBoot.


Every new technology is adopted with no thought of the lessons learned using earlier technologies. Therefore we always start with no security, no backups, no privacy, etc.
USA Today's Twitter account falls victim to hackers
The same group that hacked NBC News' Twitter account on September 9 and sent tweets about a bogus attack on Ground Zero apparently grabbed hold of USA Today's Twitter feed today and fired off a clutch of messages.
The taunting tweets from someone claiming to be The Script Kiddies asked if Twitter had the courage to suspend the group again and encouraged Twitter users to vote for the next account to be hacked.

(Related) SmartPhones are much more than “phones”, but since we never secured phones, why bother securing SmartPhones?
How security is becoming a must-have on smartphones (Inside Apps)
When writing a weekly column about the apps business, it's easy to get caught up on the new opportunities, capabilities and trends emerging from this burgeoning area. It's equally easy, however, to forget that they come alongside new threats.
These threats, which include rogue apps that can swipe your personal data or steal passwords for your bank accounts, are real and they're growing.
A study conducted by security software provider McAfee found that the amount of malicious software, also known as malware, targeting Android had jumped 76 percent since the previous quarter, a remarkable rise in just three months. At the same time, Android had surpassed Symbian as the most often attacked mobile platform.

(Related) Think of this as a threat that many managers won't be able to match to a technology they are using!
From the man who discovered Stuxnet, dire warnings one year later
… Like the Hiroshima bomb, Stuxnet demonstrated for the first time a dangerous capability – in this case to hackers, cybercrime gangs, and new cyberweapons states, he says in an interview.
With Stuxnet as a "blueprint" downloadable from the Internet, he says, "any dumb hacker" [...and imagine what the good ones can do. Bob] can now figure out how to build and sell cyberweapons to any hacktivist or terrorist who wants "to put the lights out" in a US city or "release a toxic gas cloud."


This should cause a kerfuffle. Or perhaps those who drank the Kool-Aid just don't care?
Logging out of Facebook is not enough (Updated)
September 25, 2011 by Dissent
Nik Cubrilovic writes:
Dave Winer wrote a timely piece this morning about how Facebook is scaring him since the new API allows applications to post status items to your Facebook timeline without a users intervention. It is an extension of Facebook Instant and they call it frictionless sharing. The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see.
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application, a number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
Read more on Nik Cubrilovic's blog and do note his update where he reports that he contacted Facebook a few times about this issue over the past year and got no response.
Is this a deceptive business practice under the FTC Act? Wouldn’t the average user believe that if they are logged out, their data are not being sent back to Facebook.com?
UPDATE: Facebook denies these allegations. See their statement to The Register.
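The logout behaviour Cubrilovic describes, as an added example that is not from the original post or from Facebook: a browser cookie jar simulated with Python's standard library, using a constructed site name and constructed cookie names, shows which cookies keep being sent after a logout that only expires the session token, after one that expires every identifying cookie, and after the user deletes all of the site's cookies.

```python
# Added example (not from the original post): a browser cookie jar, simulated with
# the standard library, shows why logging out alone does not stop identifying cookies.
import email.message
import http.cookiejar
import urllib.request

SITE_HOST = "social.example"  # constructed hostname, not a real site
SITE = "https://" + SITE_HOST
EXPIRED = "Expires=Thu, 01 Jan 1970 00:00:00 GMT"  # a past date deletes a cookie

class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""
    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg

def apply_response(jar, set_cookie_headers):
    """Store (or expire) the cookies a response sets, as a browser would."""
    jar.extract_cookies(_FakeResponse(set_cookie_headers), urllib.request.Request(SITE + "/"))

def cookies_sent(jar):
    """Names of the cookies the browser would attach to its next request to the site."""
    req = urllib.request.Request(SITE + "/")
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())

# Constructed cookies set at login: a session token plus two long-lived identifiers.
LOGIN = ["sess=s3cr3t; Path=/; Secure; HttpOnly",
         "uid=424242; Path=/; Secure",        # the account number
         "device_id=7f2a; Path=/; Secure"]    # persists across sessions
# Logout that only revokes the session token: the behaviour the post describes.
WEAK_LOGOUT = ["sess=; Path=/; " + EXPIRED]
# Logout that expires every cookie identifying the user.
FULL_LOGOUT = [n + "=; Path=/; " + EXPIRED for n in ("sess", "uid", "device_id")]

def after_logout(logout_headers, user_clears_site=False):
    """Cookie names still sent after login, the logout response and, optionally,
    the post's remedy: the user deletes every cookie the site has set."""
    jar = http.cookiejar.CookieJar()
    apply_response(jar, LOGIN)
    apply_response(jar, logout_headers)
    if user_clears_site and len(jar):
        jar.clear(domain=SITE_HOST)
    return cookies_sent(jar)

print("weak logout still sends:", after_logout(WEAK_LOGOUT))  # ['device_id', 'uid']
```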

(Related)
Facebook: ‘We don’t track logged-out users’
September 26, 2011 by Dissent
Richard Chirgwin reports:
Facebook has attempted to shoot down claims that it leaves cookies on users’ machines even after they log out of the social network. The response came after an Australian blogger alleged the site can still snoop on your web surfing after you’ve signed out. [See previous coverage on PogoWasRight.org here - Dissent]
[...]
However, Facebook doesn’t agree. Whether or not Cubrilovic’s claim that he notified Facebook without response during 2010 is accurate, he certainly got a hair-trigger response from Facebook this time.
In a comment on Cubrilovic’s blog, a Facebook engineer – identifying himself as staffer Gregg Stefancik – said that “our cookies aren’t used for tracking”, and that “most of the cookies you highlight have benign names and values”.
“Generally, unlike other major internet companies, we have no interest in tracking people,” [None? Bob] the insider added.
Read more on The Register.
