Friday, 6 November 2009

Cybercriminals down five British police forces in a year

http://www.theregister.co.uk/2009/11/05/police_breaches/

By Chris Williams
The Register
5th November 2009

In the last year five British police forces have suffered major computer failures lasting three days or more as a result of malicious internet attacks.

The spate of intrusions by cybercriminals and the resulting outages was revealed recently by a senior authoritative source, who can't be identified because the disclosure was made under the Chatham House rule.

The source did not reveal which forces were the victims of the attacks or the method used.

The Association of Chief Police Officers, which coordinates police strategy nationally, declined to comment on the incidents.

Despite the official silence on the matter, the news of repeated breaches raises serious questions over the standard of police information security.

Virtually all of day-to-day police operations are dependent on IT systems such as the Police National Computer and the major incident coordination software HOLMES 2, as well as more mundane but vital human resources and equipment provisioning systems.

Little-Known Hole Lets Attacker Hit Main Website Domain Via Its Subdomains

By Kelly Jackson Higgins
DarkReading
Nov 05, 2009

Turns out an exploit on a Website's subdomain can be used to attack the main domain: A researcher has released a proof-of-concept showing how cookies can be abused to execute such an insidious attack.

Michael Bailey, senior researcher for Foreground Security, published a paper this week that demonstrates how an exploit in a subdomain, such as mail.google.com, could be used to hack the main production domain, google.com, all because of the way browsers handle cookies.

"There's no specific vulnerability here, but it's widening the attack surface for any large organization that has more than one [Web] server set up. A [vulnerability] in any one of those servers can affect all the rest," Bailey says.

Most Web developers aren't aware that a vulnerability in a subdomain could be used to target the main domain. "We're trying to get the message out that now you have to treat everything [in the domain] as though someone can compromise your crown jewels," says Michael Murray, CSO for Foreground. "You have to realize that every vulnerability, every attack vector in those subdomains, can be used to compromise [other areas of the domain]," he says.

It all boils down to the browsers themselves. Within the DNS architecture, the main domain -- fortune500company.com, for instance -- has control over its subdomains, such as development.fortune500company.com. Development.fortune500company.com has no authority to change anything on the main fortune500company.com site.

But browsers do the reverse, Murray says. Development.fortune500company.com can set cookies for fortune500company.com, the main domain. That leaves the door open for cookie-tampering, he says, when the subdomain has an exploitable vulnerability, such as cross-site scripting (XSS) or cross-site request forgery (CSRF).

DOD approves new credentials for security professionals

By Kathleen Hickey
Defense Systems
Nov 05, 2009

The Defense Department has approved new credentials for information security professionals. The directive is expected to result in more than 100,000 personnel obtaining professional credentials.

DOD approved the (ISC)² Certification and Accreditation Professional (CAP) credential under the directive, which requires that all DOD information assurance workers obtain a professional certification accredited under the global ANSI/ISO/IEC Standard 17024.

CAP certifies that the holder has in-depth knowledge of Certification and Accreditation (C&A), a formalized process for assessing information system risks and security requirements and ensuring that the systems have adequate security in place.

DOD and the National Institute of Standards and Technology are jointly trying to create a single C&A process across the government. CAP is undergoing changes to comply with the new C&A requirements, which go into effect March 2010.

Experts gather for Cyber Operations Symposium

By Capability Development Integration Directorate
Fort Leavenworth Lamp
November 5, 2009

The Combined Arms Center Capability Development Integration Directorate hosted a Cyberspace Operations Symposium Oct. 27-30 at Fort Leavenworth.

More than 100 attendees from more than 25 organizations across Training and Doctrine Command and the greater community of interest actively participated in the symposium to further cyberspace operations capability development work. Working groups spent the first two days refining the Cyberspace Operations Concept Capability Plan.

"This document is really the first Army effort to standardize terminology and tie all the elements of cyberspace operations together," Thomas Jordan told the participants during his welcome to the group. "The Army's reliance on information sharing and cyberspace technologies echoes that of our nation and even the world - this event and your work here this week are critical steps in advancing our capabilities in cyberspace because it will pave the way for future analytical efforts."

The third day of the symposium was an executive session. In addition to reviewing the draft briefing that will present the final Cyber CCP to the Senior Oversight Group in early November, this venue provided an opportunity to share ideas.

Illustrating the importance of including all stakeholders in the collaboration on cyberspace operations, Col. Jeffrey Witsken, deputy director of CAC-CDID, said, "Operations in cyberspace cross boundaries. The traditional lines between military, commercial, academic and other communities are largely nonexistent in cyberspace. For example, the vast majority of advancements (in technology) are in the commercial sector, both nationally and internationally. What changes does this mean for the Army in how we go forward with cyberspace operations?"

Classified and unclassified briefings from a wide range of organizations, including U.S. Strategic Command, Space and Missile Defense Command/Army Forces Strategic Command, Joint Forces Command, the Cyber Innovation Center, U.S. Cyber Command, the U.S. Navy, the U.S. Air Force, the Communications-Electronics Research, Development, and Engineering Center, and the Defense Advanced Research Projects Agency, facilitated discussion of the central ideas, framework, and concepts of Army Cyber Ops. Experimentation initiatives, joint concepts, and potential partnerships with academic and industry partners also provided opportunities for enthusiastic interchanges.

Data security measures for Bord Gais

By Elaine Edwards
irishtimes.com
November 5, 2009

Bord Gais is to introduce new security procedures after it accepted it was in breach of Data Protection legislation in relation to the theft of details of some 93,000 customers on a laptop.

A report on the investigation by the Office of the Data Protection Commissioner (ODPC) into the theft of four laptops from Bord Gais's offices in Dublin's north inner city in June was published yesterday.

The laptops were stolen from Bord Gais offices on Foley Street in Dublin's north inner city in the early hours of Friday, June 5th.

One of the computers was not encrypted. It was originally believed to contain the banking details of about 75,000 people, but during the investigation it emerged the details of 93,857 customers had been compromised.

The laptop contained details such as account numbers, home addresses and branch details of people who had switched their electricity supply from the ESB as part of Bord Gais's "big switch" campaign.
