Tuesday 8 December 2009

White House security 'breached 91 times since 1980'

By Giles Whittell in Washington
The Times
December 8, 2009

If the would-be celebrities who crashed a White House state dinner knew
what the Secret Service knew they might not even have bothered to dress
up.

According to a devastating internal review leaked after Tareq and
Michaele Salahi strolled into the banquet for the Indian Prime Minister
without a ticket, there have been at least 91 breaches of Secret Service
security in the past 30 years, including at least four by a serial
intruder who believes that God has made him undetectable to bodyguards.

It turns out that the men who talk into their cuffs are only human. A
family of four once penetrated the White House security cordon simply by
honking on the horn of their minivan. Five years later an intruder
nicknamed the Paper Boy drove through an open White House gate
unchallenged and gave a Secret Service agent a pair of handcuffs before
he was himself arrested.

In 2003 a stowaway flew several thousand miles across Africa aboard Air
Force One without credentials, claiming when apprehended that he had
brought weapons on to the presidential jet, and four times between 1991
and 2003 the Rev Richard "Rich" Weaver shook hands with presidents he
was not cleared to meet. On at least two of those occasions Mr Weaver
managed to give the Commander in Chief a souvenir of his supposedly
divine mission.

[...]

HSBC exposed sensitive bankruptcy data

By Robert McMillan
IDG News Service
December 4, 2009

HSBC Bank says a bug in its imaging software inadvertently exposed
sensitive data about some of its customers going through bankruptcy
proceedings.

In notification letters made public Thursday, the bank said it had
redacted sensitive information in Chapter 13 bankruptcy proof-of-claim
forms that were filed electronically, but that the information turned
out to be viewable "as a result of the deficiency in the software used
to save imaged documents."

An HSBC spokeswoman declined to elaborate on the cause of the problem,
but said "a limited number of customers" were affected. HSBC has "no
reason to believe customers' personal information may have been
compromised," she added via e-mail. The company sent letters to affected
customers in October and is offering them one year of free credit
monitoring.

Some customers of the following HSBC companies are affected: HSBC
Taxpayer Financial Services, Beneficial New Hampshire and Household
Finance Corporation.

[...]

PayPal mistakes own email for phishing attack

By John Leyden
The Register
4th December 2009

Banks and financial institutions are fond of lecturing customers about
the perils of phishing emails, the bogus messages that attempt to trick
marks into handing over their login credentials to fraudulent sites. Yet
many undo this good work by sending out emails themselves that invite
users to click on a link and log into their account rather than going a
safer route and telling users to use bookmarked versions of their site.

The problems of the former approach are neatly illustrated by a blog
posting by Randy Abrams, a former Microsoft staffer who is now director
of technical education at anti-virus firm Eset. Abrams complained about
the inclusion of a link in an email from PayPal as it looked rather too
much like a phishing email.

PayPal support staffers responded not by noting that Abrams may have a
point, which it would consider, but by treating its own email - which it
acknowledged was "suspicious-looking" - as a phishing attack.

"Not even PayPal support can tell the difference between a legitimate
PayPal email and a phishing attack," Abrams notes.

[...]

New cloud-based service steals Wi-Fi passwords

By Robert McMillan
IDG News Service
December 7, 2009

For $34, a new cloud-based hacking service can crack a WPA (Wi-Fi
Protected Access) network password in just 20 minutes, its creator says.

Launched today, the WPA Cracker service bills itself as a useful tool
for security auditors and penetration testers who want to know if they
could break into certain types of WPA networks. It works because of a
known vulnerability in Pre-shared Key (PSK) networks, which are used by
some home and small-business users.

To use the service, the tester submits a small "handshake" file that
contains an initial back-and-forth communication between the WPA router
and a PC. Based on that information, WPA Cracker can tell whether the
network seems vulnerable to this type of attack.

The service was launched by a well-known security researcher who goes by
the name of Moxie Marlinspike. In an interview, he said that he got the
idea for WPA Cracker after talking to other security experts about how
to speed up WPA network auditing. "It's kind of a drag if it takes five
days or two weeks to get your results," he said.

TSA Leaks Sensitive Airport Screening Manual

By Kim Zetter
Threat Level
Wired.com
December 7, 2009

Who needs anonymous sources when the government is perfectly capable of
leaking its own secrets?

Government workers preparing the release of a Transportation Security
Administration manual that details airport screening procedures badly
bungled their redaction of the .pdf file. Result: The full text of a
document considered "sensitive security information" was inadvertently
leaked.

Anyone who's interested can read about which passengers are more likely
to be targeted for secondary screening, who is exempt from screening,
TSA procedures for screening foreign dignitaries and CIA-escorted
passengers, and extensive instructions for calibrating Siemens
walk-through metal detectors.

The 93-page document also includes sample images of DHS, CIA (see above)
and congressional identification cards, with instructions on what to
look for to verify an authentic pass.

The manual, titled Screening Management Standard Operating Procedure, is
dated May 28, 2008. It contains this warning: "NO PART OF THIS RECORD
MAY BE DISCLOSED TO PERSONS WITHOUT A 'NEED TO KNOW.'"

Notwithstanding that disclaimer, the document appeared on FedBizOpps, a
government clearinghouse that lists federal contracting opportunities
for vendors. It has since been removed from the site, but not before
someone grabbed it and submitted it to the whistleblower site Cryptome,
where the formerly redacted portions are highlighted in red boxes. The
discovery was first made by a blogger at Wandering Aramean.

[...]
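The HSBC and TSA items above describe the same failure mode: a "redaction" that hides text visually (a box painted over it, or an imaging step that only covers it) while the original text stays in the file for anyone who extracts it. The following Python is added here as an illustration and is not code from either article or from the organisations involved. It builds a constructed, minimal PDF whose content stream draws a sensitive string and then paints an opaque rectangle over it, pulls the string operands out of every content stream (a deliberately simplified reader that handles uncompressed and FlateDecode streams only, not a general PDF parser), and checks whether the sensitive terms survive. The correct approach, replacing the text before the file is produced, is built the same way so the two can be compared. All names, the sample values and the page layout are constructed for this example.

```python
import re
import zlib

# Regex helpers for the simplified content-stream reader (assumption: literal
# strings contain no nested unescaped parentheses; hex strings are not handled).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)", re.DOTALL)
TJ_SINGLE_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)\s*Tj", re.DOTALL)
TJ_ARRAY_RE = re.compile(rb"\[(.*?)\]\s*TJ", re.DOTALL)


def build_sample_pdf(page_text: str, cover_with_box: bool, compress: bool) -> bytes:
    """Constructed single-page PDF. With cover_with_box=True the text is drawn and
    then hidden under a black rectangle, which is the broken 'redaction' pattern."""
    content = b"BT /F1 12 Tf 72 700 Td (" + page_text.encode("latin-1") + b") Tj ET\n"
    if cover_with_box:
        content += b"0 g 70 695 250 16 re f\n"  # opaque black box painted over the text
    if compress:
        stream = zlib.compress(content)
        stream_dict = b"<< /Length %d /Filter /FlateDecode >>" % len(stream)
    else:
        stream = content
        stream_dict = b"<< /Length %d >>" % len(stream)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        stream_dict + b"\nstream\n" + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1) + b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


def _unescape(raw: bytes) -> str:
    # Minimal handling of the escapes a literal string may carry.
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_text(pdf: bytes) -> list:
    """Return every string drawn by a Tj or TJ operator in any content stream,
    regardless of what is painted over it afterwards."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        # The stream's own dictionary sits between its "N 0 obj" header and "stream".
        head = pdf[pdf.rfind(b"obj", 0, m.start()):m.start()]
        body = m.group(1)
        if b"/FlateDecode" in head:
            body = zlib.decompress(body)
        for s in TJ_SINGLE_RE.finditer(body):
            found.append(_unescape(s.group(1)))
        for arr in TJ_ARRAY_RE.finditer(body):
            found.append("".join(_unescape(x.group(1)) for x in LITERAL_RE.finditer(arr.group(1))))
    return found


def find_leaked_terms(pdf: bytes, sensitive_terms) -> list:
    """Pre-release check: which of the terms that were supposed to be redacted
    can still be recovered from the file's text layer?"""
    text = "\n".join(extract_text(pdf))
    return [t for t in sensitive_terms if t in text]


if __name__ == "__main__":
    secret = "Debtor SSN 000-00-0000"          # constructed, obviously fake value
    covered = build_sample_pdf(secret, cover_with_box=True, compress=True)
    replaced = build_sample_pdf("[REDACTED]", cover_with_box=False, compress=True)
    print("box over text leaks:", find_leaked_terms(covered, ["000-00-0000"]))
    print("text replaced leaks:", find_leaked_terms(replaced, ["000-00-0000"]))
```

The check is only as good as the term list and the extraction, so it belongs alongside, not instead of, producing the release copy from a source that never contained the sensitive text (or rasterising the redacted pages); an OCR-style pass over the rendered page would catch overlays that this text-layer check cannot, such as an image layer placed over an imaged document.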
