<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:iweb="http://www.apple.com/iweb" version="2.0">
  <channel>
    <title>NOUVEL Blogs  &gt;  InfoSec in the News</title>
    <link>http://NouvelStrategies.com/E/InfoSec-in-the-News/InfoSec-in-the-News.html</link>
    <description>Articles about information security now appear regularly in the mainstream media, which has the effect of improving public awareness about information risk. Increased visibility also creates challenges, as simplification and a sense of urgency can make it difficult for mainstream readers to put risks into perspective. </description>
    <generator>iWeb 3.0.4</generator>
    <image>
      <url>http://NouvelStrategies.com/E/InfoSec-in-the-News/InfoSec-in-the-News_files/NOUVEL.Blog.jpg</url>
      <title>NOUVEL Blogs  &gt;  InfoSec in the News</title>
      <link>http://NouvelStrategies.com/E/InfoSec-in-the-News/InfoSec-in-the-News.html</link>
    </image>
    <item>
      <title>The NY Times: SecureID Security Breach in the News</title>
      <link>http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2011/3/28_The_NY_Times__Weak_Passwords_in_the_News_2.html</link>
      <guid isPermaLink="false">110b8a29-e11f-45f9-9c01-f1f612606523</guid>
      <pubDate>Mon, 28 Mar 2011 09:00:18 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2011/3/28_The_NY_Times__Weak_Passwords_in_the_News_2_files/NYTimes.SecurID-Breach.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Media/object001_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;John Markoff’s article &lt;a href=&quot;http://www.nytimes.com/2011/03/18/technology/18secure.html&quot;&gt;“SecurID Company Suffers a Breach of Data Security”&lt;/a&gt; in The New York Times reveals an embarrassing data security breach for information security industry giant &lt;a href=&quot;http://www.rsa.com/&quot;&gt;RSA Security&lt;/a&gt;. The security breach involved the theft of some unspecified information related to RSA’s SecurID product.&lt;br/&gt;The security breach is hugely significant because, by RSA’s own admission, 250 million people globally use a SecurID “token” (see photo) to authenticate their identity to their information systems. The SecurID token essentially provides a second password for use during login, an information security technique called “strong authentication.” Strong authentication is more complicated (and expensive) to implement than traditional password-only authentication (also known as “weak authentication”). Therefore, strong authentication is typically only used to protect valuable, sensitive information assets, or assets that are perceived to be more vulnerable to attack. For example, many corporations and government sites require the use of SecurID tokens for remote access via the Internet.&lt;br/&gt;So, to summarize, the security product used to help control access to some of the most sensitive information systems in the world has been compromised. Oops.&lt;br/&gt;What is the precise nature of the compromise? RSA isn’t precisely saying. RSA behaved responsibly by notifying their customers of the problem. 
An &lt;a href=&quot;http://www.rsa.com/node.aspx?id=3872&quot;&gt;open letter&lt;/a&gt; from company chairman Art Coviello was prominently posted on the RSA website, giving a high-level explanation of the security breach. Unfortunately, aside from using the new “Advanced Persistent Threat” buzz-phrase, nothing of substance about the security breach was revealed. &lt;br/&gt;If your site uses SecurID tokens as part of their information security infrastructure, I suspect that you’ll be paying close attention to this story for the foreseeable future. More information will be forthcoming in the coming weeks and months as the many SecurID users around the world demand to know if their strong authentication systems are still strong. Only with additional information will it be possible for organizations to make an accurate and credible assessment. &lt;br/&gt;—Jim Herbeck&lt;br/&gt;&lt;br/&gt;RSA SecurID product photo and website fragment are ©Copyright EMC Corporation.</description>
      <enclosure url="http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2011/3/28_The_NY_Times__Weak_Passwords_in_the_News_2_files/NYTimes.SecurID-Breach.jpg" length="193154" type="image/jpeg"/>
    </item>
    <item>
      <title>USA Today: Car Hacking in the News</title>
      <link>http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2011/3/14_USA_Today__Car_Hacking_in_the_News.html</link>
      <guid isPermaLink="false">6424f06d-deec-4065-bd76-d08f51c78699</guid>
      <pubDate>Mon, 14 Mar 2011 09:00:50 +0100</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2011/3/14_USA_Today__Car_Hacking_in_the_News_files/2011-03-09.USA-Today.Car-hacking.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Media/object061.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;Ken Thomas’s article &lt;a href=&quot;http://www.usatoday.com/tech/news/2011-03-09-car-hackers_N.htm&quot;&gt;“Auto industry guards against hacking”&lt;/a&gt; in USA Today offers a misleading summary of the state of security of the computers found in modern automobiles.&lt;br/&gt;The computers that are used in cars are properly referred to as embedded systems. In general, the lack of embedded system security is one of the dirty little secrets of the information security profession. &lt;br/&gt;There are three factors to consider for securing embedded automotive systems:&lt;br/&gt;	1)	Safety. When considering security for general purpose computers, e.g., PCs, the goal of information security is protecting confidentiality, integrity, and availability. But the embedded systems in a car may control important driving functions (engine and braking systems) in addition to auxiliary functions (lighting and sound systems). Imagine a car traveling at highway speed on a rainy night. Then imagine any of the following events occurring: - the engine speeds up, causing the car to accelerate to an unsafe speed; - the brakes stop working; - the interior and exterior lights all turn off and won’t turn on; - the sound system turns on at a high volume and won’t turn off. Could any of those events cause the driver to lose control of the car, and as a consequence cause an accident that could possibly injure the driver, passengers, or other drivers? These imagined events could potentially occur if the car’s embedded systems were compromised.&lt;br/&gt;	2)	Lack of software updates. 
General purpose computers running mainstream operating systems (Windows, Mac OS, Linux) receive frequent software updates. Computer and smartphone users expect security vulnerabilities to be resolved with periodic software updates. But when was the last time an automobile embedded system received a software update to correct a security vulnerability? The answer is “never.” Is this because there are no security vulnerabilities in automotive embedded systems? Or, should it be assumed that there are millions of automobiles on the road today with vulnerable embedded systems?&lt;br/&gt;	3)	New attack vectors. In the past, automotive embedded systems would require physical access to exploit. In other words, the attacker needed to have physical access to an unlocked car to attack the embedded systems. This ties the risk of embedded system attack to the risk associated with physical security, which is fairly well understood (and fairly low). But consider more recent cars that have Bluetooth wireless interfaces or built-in cellular telephones. These vehicles can be attacked by someone outside the car, and in the case of the cellular telephone interface, possibly thousands of miles away.&lt;br/&gt;The threat of new attack vectors combined with vulnerable embedded systems in automobiles creates a serious risk of potential accidents and injuries. &lt;br/&gt;While I’m gratified that, as the article reports, “the industry formed a panel to investigate the issue during the past month and hopes to develop common standards and ways to address hacking within the next year,” this sounds to me like having a committee meet to discuss fire safety in a building that’s already on fire. I think car companies should stop selling cars with Bluetooth or cellular interfaces until they can guarantee the security (and safety) of their products.&lt;br/&gt;—Jim Herbeck</description>
      <enclosure url="http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2011/3/14_USA_Today__Car_Hacking_in_the_News_files/2011-03-09.USA-Today.Car-hacking.jpg" length="188931" type="image/jpeg"/>
    </item>
    <item>
      <title>The NY Times: Cyber War in the News</title>
      <link>http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/2/8_The_NY_Times__Cyber_War_in_the_News.html</link>
      <guid isPermaLink="false">dcb7be33-af47-4cd0-b892-203658dd7331</guid>
      <pubDate>Mon, 8 Feb 2010 09:00:03 +0100</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/2/8_The_NY_Times__Cyber_War_in_the_News_files/2010-01-25.NYTimes.Cyberwar.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Media/object010_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;John Markoff, David E. Sanger and Thom Shanker’s story &lt;a href=&quot;http://www.nytimes.com/2010/01/26/world/26cyber.html?pagewanted=all&quot;&gt;“In Digital Combat, U.S. Finds No Easy Deterrent”&lt;/a&gt; at The New York Times offers a sobering view on the state of cyber security in the US. The article recounts the details of a simulated cyber attack against US infrastructure on Jan 11. The would-be attacker had many advantages: stealth, anonymity, and unpredictability. The defenders had many challenges: no way to retaliate without knowing who was attacking, no legal authority to respond, and no way of determining whether the attack was vandalism, industrial espionage, or state-sponsored cyber terrorism—each of which would require a different response.&lt;br/&gt;The article also notes the similarity of this simulation with the recent real-world cyber attack against Google that was traced to the Chinese. It also noted that Google broke the silence that usually surrounds security breaches. Most organizations are reluctant to admit that they were vulnerable to attack. &lt;br/&gt;Some people are depressed by articles that openly discuss the threat of hacking, and how many large corporations and government organizations are not capable of defending themselves against a cyber attack. But I’m encouraged: only through more openness and more discussion about the very real cyber security challenges that the world faces will there be progress toward securing cyber space. &lt;br/&gt;—Jim Herbeck</description>
      <enclosure url="http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/2/8_The_NY_Times__Cyber_War_in_the_News_files/2010-01-25.NYTimes.Cyberwar.jpg" length="240476" type="image/jpeg"/>
    </item>
    <item>
      <title>The NY Times: Weak Passwords in the News</title>
      <link>http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/1/25_The_NY_Times__Weak_Passwords_in_the_News.html</link>
      <guid isPermaLink="false">390eab52-30a0-477a-9e3c-6ede03a55cee</guid>
      <pubDate>Mon, 25 Jan 2010 15:22:41 +0100</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/1/25_The_NY_Times__Weak_Passwords_in_the_News_files/2010-01-20.NYTimes.Passwords.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Media/object002_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;Ashlee Vance’s story &lt;a href=&quot;http://www.nytimes.com/2010/01/21/technology/21password.html&quot;&gt;“If Your Password Is 123456, Just Make It HackMe”&lt;/a&gt; in The New York Times reveals how weak passwords are at some websites. The story is based on analysis of password data that was exposed during the &lt;a href=&quot;http://en.wikipedia.org/wiki/RockYou!&quot;&gt;RockYou!&lt;/a&gt; data security breach. RockYou!, a Facebook widget developer, was hacked on Dec 9, 2009. The attacker was able to access a database that contained the usernames and unencrypted passwords of approximately 32 million users. After the attack, the list of stolen usernames and passwords was briefly posted on a website. &lt;br/&gt;&lt;a href=&quot;http://www.imperva.com/&quot;&gt;Imperva&lt;/a&gt;, a data security firm, analyzed the passwords and published their results in a data security study entitled &lt;a href=&quot;http://www.imperva.com/ld/password_report.asp&quot;&gt;“Consumer Password Worst Practices”&lt;/a&gt; (registration required). The report reveals the most popular passwords:&lt;br/&gt;Password Popularity – Top 20 Passwords from Exposed RockYou! Database&lt;br/&gt;from “Consumer Password Worst Practices,” Imperva, p. 4&lt;br/&gt;The Times article has a good discussion about the problems associated with weak passwords. I draw two additional conclusions:&lt;br/&gt;	1.	
Website developers that don’t force users to choose good passwords, and who then store the weak passwords unencrypted, in clear text, should face legal consequences for negligence—they’re a menace to unsuspecting Internet users;&lt;br/&gt;	2.	Users who choose ridiculously obvious passwords (e.g., password, abc123, 1234, 12345, etc.) should have their Internet access suspended until they can pass a basic Internet security awareness test.&lt;br/&gt;—Jim Herbeck</description>
      <enclosure url="http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/1/25_The_NY_Times__Weak_Passwords_in_the_News_files/2010-01-20.NYTimes.Passwords.jpg" length="244461" type="image/jpeg"/>
    </item>
    <item>
      <title>The Daily Beast: Potential Compromise of the Google “Cloud”?</title>
      <link>http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/1/18_The_Daily_Beast__Potential_Compromise_of_the_Google_Cloud.html</link>
      <guid isPermaLink="false">665baf46-2686-4475-9b30-3cf8e72f63ea</guid>
      <pubDate>Mon, 18 Jan 2010 08:00:21 +0100</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/1/18_The_Daily_Beast__Potential_Compromise_of_the_Google_Cloud_files/IS-Blog.Google-Coverup.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/InfoSec-in-the-News/Media/object066.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:131px;&quot;/&gt;&lt;/a&gt;Douglas Rushkoff’s story &lt;a href=&quot;http://www.thedailybeast.com/blogs-and-stories/2010-01-13/the-great-google-coverup&quot;&gt;“The Great Google Coverup?”&lt;/a&gt; at TheDailyBeast.com discusses a problem Google may have protecting their data assets in China. This is a troubling aspect of &lt;a href=&quot;http://en.wikipedia.org/wiki/Cloud_computing&quot;&gt;cloud computing&lt;/a&gt;: how can the security of the cloud be reasonably guaranteed? Everyone with a stake in the success of cloud computing speaks confidently about the security of the cloud, but I remain skeptical. According to the article, Google may have put the confidentiality of Chinese Google/Gmail users at risk by storing their data on servers located in China. Servers in China could be more vulnerable to physical security breaches and wiretaps by the Chinese government. From my perspective, I’m concerned about any data stored in any cloud—not just clouds that extend into China. &lt;br/&gt;—Jim Herbeck</description>
      <enclosure url="http://NouvelStrategies.com/E/InfoSec-in-the-News/Entries/2010/1/18_The_Daily_Beast__Potential_Compromise_of_the_Google_Cloud_files/IS-Blog.Google-Coverup.jpg" length="229165" type="image/jpeg"/>
    </item>
  </channel>
</rss>

