Security


October 10, 2008

World Bank’s sensitive data repeatedly breached?

There are days I wonder if I’m about to join the foil hat club. Today is one of them. With the revelation that the World Bank’s most sensitive data has been accessed by outsiders repeatedly in the last year, one can’t help but wonder how that may have impacted the wild gyrations of the financial markets. At the very least, someone should look into what data was retrieved and how it may have been useful in market manipulation. It would also be very useful to secure the World Bank’s data. There is clearly a lack of will in the bank’s management to properly secure their systems if they have been repeatedly and continuously hacked. Heads should roll, and government-led investigations should begin immediately. Unfortunately, here in the US our appointed watchdogs, led by Chris Dodd and Barney Frank, are busy covering their fingerprints on the present credit crisis and campaigning.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an “unprecedented crisis.” In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public. (Fox News)

Filed under Editorial, Security by admin


October 2, 2008

Have You Wiped Your Handheld?

It appears that we should not believe the Telcos in their promises to handle sensitive data. That includes the handsets you might trade in for a credit –

New research finds 44 per cent of second-hand devices still contain sensitive data

Over a third of BlackBerry devices are sold without being wiped of sensitive personal and corporate data, according to new research released today by BT.

The study of over 160 second-hand handheld devices found they still contained details of bank accounts, board meetings and financial data.

Nearly a quarter of phones contained information which could allow the previous owner and employer to be identified, while 43 per cent of BlackBerrys contained information which could pose a significant risk to organisations if exposed.

Nearly half had sensitive data still on them! So if you are going to be trading in an old phone for a new one: once the data is transferred, and if the rep is going to wipe the unit, ask for it back for a moment after the wipe is done so you can confirm it yourself. Five minutes now might save you weeks later in avoiding an identity theft incident.

Linky.

Filed under Content, Security by Dr. Dog


April 23, 2008

Court says your data is private unless it’s on your laptop

Think twice about taking your laptop on international flights. Even if you have a backup, your personal and business data is at risk of being shared, as it has to be surrendered to border officials. That will make it much safer to rent or borrow a computer at your destination versus carrying one. A thumb drive containing your data will probably not get so much attention. Then again, secure storage in the cloud may be an even better solution.

As was widely expected, an appeals court has ruled that customs agents have every right to search the content of your laptop, reversing the only court case that had ruled otherwise (a few others had previously said such searches were just dandy). The court found (just like the other rulings) that there’s an “exception” to the 4th Amendment against unreasonable search and seizure at the border. The government, of course, claims that it needs to be able to search laptops to keep people safe — but it doesn’t explain why it needs the ability to search any laptop even if there’s no suspicion or reason to do a further search. (Techdirt)

Filed under Security by admin


April 8, 2008

If you have AT&T DSL and a 2Wire modem / router read on…

Rumor has it there is a simple exploit in the wild that could deliver your personal data to people who do not mean you well. Since it’s your data, not AT&T’s or 2Wire’s, it’s your problem:

“2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email.” (Slashdot)

You can always call AT&T and see if they have an unaffected device to trade. Simpler yet, just go buy a more secure one almost anywhere.

Filed under AT&T, Security by admin


March 6, 2008

Hmm, Maybe but Don’t Know for Sure

I am not one for grand conspiracy theories. They are too hard to maintain in reality, and most can likely be explained by bumbling ineptitude. But even this observation has a body of truth to it. You’re not going to stumble across a secret map of the network. But every major corporation has in its IT department a map of the major nodes of its network, who the carrier is, and the associated end nodes for those routes. So it is entirely plausible that it is what is stated in the article. Or, as likely, it goes to Army Defense command. —

A U.S. government office in Quantico, Virginia, has direct, high-speed access to a major wireless carrier’s systems, exposing customers’ voice calls, data packets and physical movements to uncontrolled surveillance, according to a computer security consultant who says he worked for the carrier in late 2003.

“What I thought was alarming is how this carrier ended up essentially allowing a third party outside their organization to have unfettered access to their environment,” Babak Pasdar, now CEO of New York-based Bat Blue told Threat Level. “I wanted to put some access controls around it; they vehemently denied it. And when I wanted to put some logging around it, they denied that.”

Pasdar won’t name the wireless carrier in question, but his claims are nearly identical to unsourced allegations made in a federal lawsuit filed in 2006 against four phone companies and the U.S. government for alleged privacy violations. That suit names Verizon Wireless as the culprit.

Pasdar has executed a seven-page affidavit for the nonprofit Government Accountability Project in Washington, which on Tuesday began circulating the document (.pdf), along with talking points (.doc), to congressional staffers hashing out a Republican proposal to grant retroactive legal immunity to phone companies who cooperated in the warrantless wiretapping of Americans.

But you know, for all the fancy tapping, links and DS3 lines, if the content is encrypted it will take time for anyone to crack it. Oh yeah, the NSA has supercomputers that can crank this stuff. But even hackers are getting smart and are using polymorphic techniques to mask signatures. So polymorphic ciphers would make the cracking job very hard. You would have to ensure you got all the pieces of the message and would have to crack each message segment individually.

It’s provided for our readers for what it is worth.

Linky.

Filed under Security, carriers by Dr. Dog


February 16, 2008

Why Comcast is Spinning Wheels

In what will be an opening salvo in the BitTorrent war with Comcast, the geeks are preparing their next offensive. That’s right, they are preparing to set up routines that will mask the traffic markers for BitTorrent. —

This extends the tracker protocol to support simple obfuscation of the peers it returns, using the infohash as a shared secret between the peer and the tracker. The obfuscation does not provide any security against eavesdroppers that know the infohash of the torrent. The goal is to prevent internet service providers and other network administrators from blocking or disrupting bittorrent traffic connections that span between the receiver of a tracker response and any peer IP-port appearing in that tracker response.

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in IETF RFC 2119 [5].

Announce Parameter

When using this extension, instead of passing the info_hash parameter to the tracker, a sha_ih is passed.

The value of sha_ih MUST be the info-hash of the torrent, with a second SHA-1 applied to it.

For example, if a torrent has an infohash with hex representation aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d then its sha_ih is sha1(infohash) = 6b4f89a54e2d27ecd7e8da05b4ab8fd9d1d8b119.

The value MUST be url encoded, just like the info_hash. Thus the sha_ih above when url encoded becomes kO%89%A5N-%27%EC%D7%E8%DA%05%B4%AB%8F%D9%D1%D8%B1%19.

This extension does not change the semantics of any parameter passed in the peer’s announce.

Announce Response

If the tracker supports this extension, the response should be exactly the same as if the info_hash had been passed, except that any field that contains peer information (such as peers, peers6 or any other field defined by another extension) MUST be obfuscated as described in the next section.

There are additional parameters the tracker may OPTIONALLY return. These are discussed in the optimizations section.

Peer List Obfuscation

We distinguish between the tracker peer list and the returned peer list. The tracker peer list contains the ip-port pairs of all known peers in a given torrent, i.e., those peers that have reported to the tracker that they are transferring the file with a given infohash. The tracker may store this peer list however it wishes. The returned peer list contains a packed array of ip-port pairs conforming to the BitTorrent protocol specification. If the swarm is sufficiently large then the returned ip-port pairs constitute a subset of the ip-port pairs in the tracker peer list.

The returned peer list is encrypted using RC4-drop768 encryption using the infohash as a shared secret and optionally employing an initialization vector.
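As an added illustration, not part of this post or of the quoted proposal, the Python below models both sides of the exchange just described: the client derives sha_ih = sha1(infohash) and URL-encodes it for the announce, the tracker maps that value back to the torrent it knows and returns the compact peer list XORed with an RC4-drop768 keystream keyed on the infohash, and the client reverses it. The compact 6-byte IPv4+port peer encoding, the tracker-side sha_ih index, and the omission of the optional initialization vector are my assumptions about how the pieces fit together. The round trip with the wrong key shows the point the proposal itself makes: this hides the peer list only from someone who does not already hold the infohash.

```python
import hashlib
import struct
from urllib.parse import quote, unquote_to_bytes

DROP = 768  # RC4-drop768: discard the first 768 keystream bytes


def rc4_keystream(key: bytes, drop: int = 0):
    """Yield RC4 keystream bytes after discarding the first `drop` of them."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = produced = 0
    while True:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if produced >= drop:
            yield k
        produced += 1


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the keystream; the same call obfuscates and de-obfuscates."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


def sha_ih(infohash: bytes) -> bytes:
    """The extension's announce value: SHA-1 over the raw 20-byte infohash."""
    return hashlib.sha1(infohash).digest()


def url_encode(raw: bytes) -> str:
    """Percent-encode raw bytes the way info_hash / sha_ih travel in the announce URL."""
    return quote(raw, safe="")


def announce_param(infohash: bytes) -> str:
    return url_encode(sha_ih(infohash))


def pack_peers(peers) -> bytes:
    """Compact peer list (assumed): 4-byte IPv4 followed by 2-byte big-endian port, per peer."""
    out = b""
    for ip, port in peers:
        out += bytes(int(o) for o in ip.split(".")) + struct.pack(">H", port)
    return out


def unpack_peers(blob: bytes):
    peers = []
    for off in range(0, len(blob), 6):
        ip = ".".join(str(b) for b in blob[off:off + 4])
        port = struct.unpack(">H", blob[off + 4:off + 6])[0]
        peers.append((ip, port))
    return peers


def tracker_obfuscate(infohash: bytes, peers) -> bytes:
    return rc4_crypt(infohash, pack_peers(peers), DROP)


def client_deobfuscate(infohash: bytes, blob: bytes):
    return unpack_peers(rc4_crypt(infohash, blob, DROP))


class Tracker:
    """Minimal tracker: keeps an index from sha_ih back to the infohash it already knows."""

    def __init__(self, swarms):
        self.swarms = swarms  # infohash -> list of (ip, port)
        self.by_sha_ih = {sha_ih(ih): ih for ih in swarms}

    def announce(self, encoded_sha_ih: str):
        ih = self.by_sha_ih.get(unquote_to_bytes(encoded_sha_ih))
        if ih is None:
            return None  # unknown torrent: nothing to return
        return tracker_obfuscate(ih, self.swarms[ih])


# Constructed sample swarm; the infohash is the example value quoted on the page.
SAMPLE_INFOHASH = bytes.fromhex("aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d")
SAMPLE_PEERS = [("10.0.0.1", 6881), ("192.168.1.2", 51413)]


def demo():
    tracker = Tracker({SAMPLE_INFOHASH: SAMPLE_PEERS})
    response = tracker.announce(announce_param(SAMPLE_INFOHASH))
    return client_deobfuscate(SAMPLE_INFOHASH, response)


if __name__ == "__main__":
    print(announce_param(SAMPLE_INFOHASH))
    print(demo())
```

Because RC4 is a stream cipher and the key is the infohash everyone in the swarm already holds, the tracker needs no extra state beyond the sha_ih index, and an on-path observer who has the .torrent file can decrypt the peer list exactly as the client does.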

So what does this mean for Comcast? Trouble. So far they have spent a good chunk of money on ‘traffic shaping’ hardware that may be worthless iron or will have to be retooled. Either way they wasted money.

But that’s just the beginning. If 10 years of internet security has taught us anything, it is that the ‘attacker’ has the advantage. The defender can only respond to the latest attack and adjust. That will be the trend here as well. But there will be a difference. I think the BitTorrent guys are smarter than the average bear. Probably by round three they will have developed port-level round-robin techniques that will make it entirely impossible to track, as the transmission hops around the port table in an unprescribed pattern. Kind of like OFDM for BitTorrent. At that point what does Comcast do, other than punt?

Wouldn’t it be better to spend the money and offer a premium data channel service for nerds? Oh, I forgot, from the nerd to the head end it’s a shared pipe. Poor Comcast, what’s an ISP to do?

Linky.

Filed under Comcast, Security by Dr. Dog


February 14, 2008

Well Duh!

Pleeaaaze, not only is this old hat to some of us, but yes, it is generally ignored by the major corporations that utilize networked MFPs heavily. But the reality is there is already corporate policy in place within IT. It’s called a corporate security policy. The only thing that needs to change to utilize it is to realize that these devices are SERVERS that just happen to spit bits of plastic onto paper.

That networked multifunction printer sitting innocently in the corner of your office just might be the most significant entry point for hackers to hijack sensitive data from your business.

Even worse, security researchers warn, they are a forgotten risk in every enterprise, featuring hardware that combines several functions in a single unit—fax, copier, printer and scanner.

“A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform,” said Brendan O’Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006.

“When I was doing my research, I had dozens and dozens of MFDs under my control, and no one in IT knew what I was doing. The idea of an attacker having equipment completely under their control on a company’s internal network is a frightening proposition,” O’Connor said in an interview with eWEEK.

Continuing…

Thomas Ptacek, principal and founder at New York-based penetration testing firm Matasano Security, said the risk is more than just theoretical.

“Should my mom be worried that a hacker is living in her printer? No. But, if you’re a Fortune 500 company, vulnerable printers on your network is a scary thing,” Ptacek said in an interview with eWEEK.

“There are several of these printers on every floor of every business, basically working as file servers for important documents,” Ptacek said. “Printers deal with much more sensitive information than your typical file or storage server, but they get no protection whatsoever. They’re altogether ignored as a risk on the network. Do you know of anyone looking for patches for a printer? People underestimate how dangerous these things are.”

In the financial and health sectors, for example, he said a skilled hacker with unfiltered access to a print server can do serious damage.

“He can hide himself in there with a rootkit, capture all the documents passing through the print server. He can take over the printer and basically have full control of every action. It’s the perfect catbird seat,” Ptacek said.

What is missed by most IT types is the concentration of information flow that hits a printer. Some of it is at the very top, in executive row. For all the data that sits on servers for some hacker to mine, it is diffuse chunks of data compared to what would come out of a hacked printer serving the executive assistants in the typical boardroom row of the Fortune 500. It is all nicely condensed, formatted and forward-leaning in what the company is preparing to do for the future. It also carries with it the considered assessments of the 1/4 of management as to actionable thinking.

[Shameless Plug Dept.: So still concerned and don't know what to do? I am available to consult, having 10yrs experience in corporate print methodologies and cost reductions in this area of IT for a fortune 10. link.]

Linky

Filed under Security by Dr. Dog


February 11, 2008

Banking Goes to the Cloud

Banks first created the teller, and it was considered good. Banks then created the ATM, and it was considered great. Banks then created electronic banking systems, and it was considered fantastic. Banks have now created checks scanned to deposit, and it is? Oh, well, the jury is still out. In fact, the technology is just now being trialed. –

Soon you will be able to deposit checks by scanning them at home and sending them electronically to your bank. No need to visit a branch or even an ATM.

This is possible because of the Check Clearing for the 21st Century Act, passed in 2003, which allows banks to exchange electronic images of checks. Already about half of all checks are scanned by businesses or the banks they are deposited into and not shipped in bags back to the banks on which they were drawn.

Fiserv, the big transaction services company, has announced new software that will enable banks to let home users deposit checks by scanning them. It already has a similar service for small and medium businesses. USAA, the financial services company that serves the military, has offered deposits through scanners for two years, but the idea has not yet caught on.

The time is right for such a service, said Rodney Springhetti, a Fiserv vice president of business development. The technology has been debugged through several years of working with businesses, and meanwhile consumers increasingly have scanners at home, largely in the form of all-in-one printer units.

And this from Fiserv a provider of the service –

BROOKFIELD, Wis.–(BUSINESS WIRE)–CheckFree, now part of Fiserv Inc. (NASDAQ: FISV - News), a leading provider of information technology services to the financial industry, today unveiled its new remote deposit capture product, an innovative solution that allows retail customers to electronically scan and deposit checks from any location with a PC, a scanner and an Internet connection. It provides simple, easy-to-use functionality for the consumer without compromising the security, fraud identification or processing quality required by financial institutions.

Competition in the retail banking market is tremendous and banks must continually seek to offer new and innovative products to attract new consumers and retain existing customers. By providing a convenient, secure and easy–to-use online banking option for depositing checks, financial institutions will offer their customers faster funds availability without a trip to the branch, ATM or post office, thereby enriching the banking experience.

“Consumer capture will fundamentally change the way consumers interact with their financial institution, brokerage firm, utility or other payment processor when depositing checks. By offering consumer capture, financial institutions can quickly provide an online product that will attract new customers without regard to geographic territory; accelerating expansion beyond their brick and mortar branches,” said Mike Ringuette, executive vice president, Fiserv Global Payments. “This new solution allows banks, credit unions, other financial institutions and payments processors to offer expanded deposit windows due to the immediate receipt of an electronic image and all associated electronic data, with the potential to reduce costs and environmental resources associated with personnel, transportation and processing in the branch or back office.”

I might be interested in this as a service were I a small business. Considering that funds to me are distributed by direct deposit, I don’t have many paper checks passing through my front door. But others’ needs may vary. The other issue for me would be security. How valid is it in electronic form? The few checks I do deposit at the Credit Union, the teller still asks for ID on deposits. So the institution knows that the person presenting is who they say they are. [I should note for the record that most checks travel institution to institution in electronic form, about which I have no qualms.]

NYT article.
Fiserv press release.

Filed under Cloud Computing, Security by Dr. Dog


January 23, 2008

Worm scare kills Skype Video sharing

A Skype feature that allows users to share videos from MetaCafe.com and DailyMotion.com has been disabled due to a worm vulnerability.

Last week Raff showed how attackers could exploit the bug to run unauthorized software on a Skype user’s PC. But on Tuesday, the security researcher said the flaw was more serious than he’d first thought. It can “be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application,” he wrote in a blog posting, “Which basically means that this vulnerability is now wormable.”


Filed under Security, VoIP by admin


January 22, 2008

Joel Johnson Slaps AT&T on Spying Plans

Joel is the gadget guy on Boing Boing. He was invited onto the Thompson Show for the latest and greatest cool stuff. Instead, he slapped AT&T for its pending policies.

Irony? The Thompson show’s biggest sponsor is AT&T.

Filed under AT&T, Security by Dr. Dog

