
Olé, Olé, Olé, Oh no!

With World Cup fever sweeping most of the globe, this snippet of the Wireless SSID and password for the World Cup’s security center being accidentally exposed in the background of a media photo made me chuckle!


Sh!tty Security

As we move into the age of the Internet of Things, expect to see more and more stories like this one, where a luxury toilet firm here in Japan has developed an Android-app controlled 'smart toilet'. The problem? All the toilets are hardcoded to a PIN of 0000 -- allowing anyone with the app (in bluetooth range) to control the toilet.

While the actual benefits of an Android-app controlled toilet escape me at present (and the impact of an attack is admittedly pretty minor), the poor security in the execution is unfortunately all too common. Today it's a toilet, tomorrow implanted medical devices (actually that is also today...).

The toilet pales in comparison to the Smart TV Hacking [pdf] research from Korea, which is extra creepy if you're watching your smart TV on your smart toilet...

Shaky Security Isles


The New Zealand Government has suffered a major data breach...or have they? From the initial reporting it seems more like they had a gaping vulnerability that was found by a freelance journalist and blogger (Keith Ng) - although he admitted to downloading the data and apparently then wiping it.

So what can we learn from the published details?

The breach was through physical access to kiosk terminals
Despite the fact the kiosks have internet access, there is nothing I've seen so far to indicate the data was steal-able from the internet. Physical access is always going to be trouble, so extra care needs to be taken. (Of course if their remaining network security was as poor as this kiosk example, it may well have been even easier to steal this information from afar...)

The kiosk terminals had full MS Office suite installed.
The obvious question is why? Never install any software you don't need. In this case Keith Ng used the MS Office 'open file' dialog to access the underlying file structure to move and copy files.
This leads to a greater question of why the (I assume) auto-logon account even had permissions to access any file location with sensitive data.....

The Kiosk terminals could access other internal network shares.
Again, why? Once again least privilege was not applied here. If all the kiosks needed was intranet/internet access - then that is all they should be able to access. Bare minimum permissions - once again 'least privilege'. In fact they should have been on an isolated network (in a perfect world), but at the very least, firewalled from the sensitive stuff.

The kiosk terminals allowed the use of USB mass storage devices
Obviously a bad idea. Even if you needed to allow Joe Public to upload data, the USB ports can be set to read only via a registry setting. Better still, disable them completely (physically if need be). One can only wonder if the terminals also allowed booting from USB.....

The Kiosks were running Windows 2000 and XP.
Considering they were installed 'just over a year ago' I really hope the reporter got it wrong. Windows 2000? Really? XP is bad enough, but at least it will be supported for a few more years. Windows 2000 support ended quite a while ago - which means no security updates or patches (which makes enabling USB drives even worse....)

There is also some discussion about whether Keith should be charged. Personally I think he didn't need to go as far as downloading data and "taking it home for analysis" in order to confirm the poor security state of the kiosks. But he wouldn't be the first to be prosecuted for embarrassing a government or organization who publicized their poor security...

*edit*: I rather like this opinion piece on the matter. It is probably closer to the mark than we'd like to think. Keith did get 'tipped off' about the vulnerability. Could it have been a disgruntled (or perhaps outraged) insider?

Leaky LinkedIn

So since I heard about the leak of the LinkedIn passwords, I've been waiting to see what the first analysis of the dumped hashes would reveal. Theoretically LinkedIn is a bit of a different beast to other sites that have been breached, as the target users are working professionals, the type of people who have more than likely been educated again and again on passwords by their employers.

And here are some results from Qualys, where they pretty quickly obtained 2 million passwords with not a great deal of effort, including gems such as 'm0c.nideknil.' Overall something like 98% of the hashes have now been cracked.

As for LinkedIn, using unsalted hashes to store passwords? This is security 101 stuff and quite frankly, embarrassing for a company of their size and age. Of course the unsalted part may not be the worst, the big question still remains about how the passwords got stolen in the first place.

As Richard previously posted - change your password! And if you are interested in seeing if your password was included* in the released ones: http://www.leakedin.org/

(*not specifically YOUR password, but a hash of the same password as the one you were using.)
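An added illustration (not from the original post, and not LinkedIn's code) of why unsalted fast hashes fall so quickly and what the 'security 101' alternative looks like: SHA-1 stands in for the unsalted scheme, PBKDF2 with a per-user salt for the fix. The accounts and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two of the three picked the same password.
USERS = {"alice": "linkedin", "bob": "m0c.nideknil", "carol": "linkedin"}

# Constructed mini wordlist standing in for the big dictionaries crackers use.
WORDLIST = ["password", "123456", "linkedin", "m0c.nideknil", "qwerty"]

def unsalted_sha1(password):
    """Hash-only storage: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def crack_unsalted(digests, wordlist):
    """Hash the wordlist once, then match every user's digest against the table.

    The cost is one hash per word regardless of how many users leaked, which is
    why millions of unsalted hashes fall with 'not a great deal of effort'."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}

def salted_hash(password, salt, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store(password):
    """Returns (salt, derived key); both are kept, neither reveals the password."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)

def verify(password, salt, stored):
    """Constant-time comparison of a fresh derivation against the stored key."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def demo():
    """Unsalted: the whole user base is cracked at once and duplicates are visible.
    Salted: identical passwords get different records, so no shared lookup table."""
    digests = {u: unsalted_sha1(p) for u, p in USERS.items()}
    cracked = crack_unsalted(digests, WORDLIST)
    duplicates_visible = digests["alice"] == digests["carol"]
    salt_a, rec_a = store("linkedin")
    salt_c, rec_c = store("linkedin")
    return cracked, duplicates_visible, rec_a != rec_c, verify("linkedin", salt_a, rec_a)
```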

Atari fail.

This arrived in my inbox yesterday:


Atari recently learned of a potential security violation in connection with the unauthorized access to Cryptic Studios’ user databases that occurred in December 2010.  At that time, Atari owned Cryptic and the intrusion may have affected users on Atari’s databases as well and, therefore, we are taking proactive measures to correct the issue. This includes notifying certain users who are registered on Atari.com and TDU2.com (Test Drive Unlimited 2).
As a precaution, on Atari.com and TDU2.com, we have reset all accounts for users which we believe were affected. This will require you to reset your password upon attempting to log into each site separately to regain access to your account.  To do so, please refer to our website at http://atari.com/pages/cryptic-studios-security-notice-atari-websites for detailed instructions and more information about this issue.
If the existing user name and password was used to access other online accounts, we highly recommend that you update those passwords as well.
We take the security of our user accounts very seriously and are investigating this issue further with Cryptic Studios.   Please note that this was not an intrusion on our existing database, but one that occurred prior to our divestment of Cryptic Studios in July of 2011.  Cryptic no longer manages Atari’s databases.  Our deepest apologies for the inconvenience.
Atari
December 2010? And it took until April 2012 to tell impacted customers? *sigh*.
Look at what else occurred between the breach and the notification:

  • "Arab Spring" uprisings oust leaders in Tunisia, Egypt, Yemen and Libya,
  • Southern Sudan became an independent republic.
  • The earthquake/tsunami and reactor meltdown in Fukushima, Japan
  • British Royal Wedding
  • Osama Bin Laden killed by US special forces
  • End of the US Space shuttle program
  • European economic crisis
  • Severe flooding in Thailand and Fiji
  • The entire 'occupy' movement
  • Encyclopaedia Britannica stops hard-copy publication
  • Steve Jobs, Elizabeth Taylor, Peter Falk, Whitney Houston, the King of Tonga and Randy "Macho Man" Savage all died.
Not good enough Atari. On the bright side, despite once owning the home console market, you're less of a household name than Sony so probably won't get as much press....

2011 - almost all over red rover.

2011 has almost come to a close, and it may well be remembered as the year when data breaches truly went mainstream.

Vodafone kicked off the year, exposing customer data through shared/poor passwords on an internet accessible customer management system. Vodafone went into damage control, resetting employee passwords daily and eventually some staff were fired as a result.

Then came Sony! Sony's massive multiple breaches (aka the 'sownage') made ongoing front page news and caused plenty of concern in boardrooms around the world due to its scope and the high-profile nature of the target (I mean, who doesn't have a Sony product at home somewhere!?!).

Less noteworthy for many outside the industry, but a bombshell for those of us in it, was the RSA data breach. When the company whose technology is used to secure millions was so easily penetrated and 'something' stolen (did they ever give a clear indication as to what?), many people started questioning the security of their multi-factor authentication provider. RSA offered new tokens and assured all was well - until Lockheed Martin was breached and pointed the finger at the RSA attackers.

Showing hacking knows no industry vertical boundaries, email marketing giant Epsilon was also popped, exposing the details of many customers of some of the world's top companies.

Closer to home, web hosting provider Distribute.IT was pwned and driven out of business in a particularly malicious and destructive attack. While the cops got their man, it was too late for many of the company's customers who lost all of their data.

Corporate 'hacking' made the mainstream news - or indeed was the mainstream news - when Rupert Murdoch's News of the World UK newspaper was outed as having been routinely hacking the voicemail messages of celebrities and victims of crime. The main outrage was the claim that journalists had deleted voicemails of an abducted young girl - a claim that has since been reported to be inaccurate. Nonetheless the scandal was enough to have Murdoch shut down the paper, and not rule out shutting down a second.

Journalist hackers have been in trouble here in Australia as well, with the Melbourne Age Newspaper under investigation for hacking a database of a political party.

Certificate Authorities weren't immune either, with Diginotar hacked and issuing valid certificates for bad guys. The end result was game over for the Dutch CA, but with unverified claims from the hacker that he's pwned other CAs as well.

High profile data breaches came to Japan in 2011, first it was Sony (as mentioned above), followed by the Japanese parliament and defence contractor Mitsubishi Heavy Industries. Japanese Parliamentarians were reported to be using their personal devices to store confidential government data which has other implications all of their own.

Proving that no good deed goes unpunished, First State Super in Australia provided a textbook-like lesson on how not to deal with reported vulnerabilities in web applications by attempting to shoot the messenger. Thankfully a rethink meant the messenger was spared, but the public humiliation remained, along with the potential loss of a multi-million dollar deal.

Australia's biggest Telco, Telstra, helped keep data loss in the news when it was revealed an internal customer database was accidentally exposed to the internet. Perhaps having learnt the lesson of First State Super, Telstra declined to shoot any messengers and reacted fairly swiftly, taking down the site and contacting 60,000 affected customers. However, it wasn't enough to avoid an investigation by the Privacy Commissioner, nor a phishing campaign.

I'm sure there were others that escape me at the moment, but nonetheless these examples alone show that data loss and intrusion were big news in 2011. With more press comes a growing customer awareness that companies may not be securing personal data as the public expects and perhaps a growing pressure from consumers for companies to meet higher data protection standards. Or will increased awareness and reporting mean we end up with 'breach fatigue' where data breaches become so common consumers just tune out?

Here in Australia, data protection (or 'cybersecurity') recently moved from the Attorney General's Office to the Department of Prime Minister & Cabinet (an area which has had its own problems in the past), so it remains to be seen what (if any) legislative changes are made here and whether we end up with any kind of mandatory breach notification laws or legislated security controls.

Time will tell! Onwards to 2012!

Last minute Xmas gift?

Richard passed me this, perhaps the perfect stocking filler for the social engineer to give to his targets?

Pocket sized and perfect for recording all the things those pesky security guys tell you not to write down - all in one convenient place!

Worryingly, it is currently out of stock...a best seller perhaps?

Shooting the messenger

Here's one for the shame file. An Australian security researcher, while accessing his superannuation fund's website, noticed a security flaw - an insecure direct object reference vulnerability in the way the website displayed customer statements.

He notified the company, provided them his personal details and the details of the vulnerability. He even notified the ex-colleague whose records he accidentally viewed. The company's reaction? Call the cops, engage the lawyers and even threaten that he may be held liable for the cost of fixing the vulnerability!


Seriously? What planet are these guys living on? Would the outcome have been better if he had sold or disclosed the vulnerability to some less ethical party? Or done nothing and waited for someone else to exploit it in future? Maybe it's time to implement some kind of whistleblower-style laws to protect researchers in these circumstances.

I guess no good deed really does go unpunished. This kind of URL manipulation (ie: changing a single digit) hardly constitutes hacking in my mind. It'll be interesting to see the outcome here, and how our judicial system handles this case (if it gets that far).
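The 'change a single digit' flaw described above, as an added example that is not the fund's code: a handler that trusts the statement id from the URL, the ownership check that fixes it, and a small audit over constructed log lines showing how a site with the check in place would notice the probing pattern. Member names, ids and log lines are all made up.

```python
import re

# Constructed statement store standing in for the fund's back end.
STATEMENTS = {
    1001: {"owner": "member-a", "body": "statement 1001 (member-a)"},
    1002: {"owner": "member-b", "body": "statement 1002 (member-b)"},
    1003: {"owner": "member-c", "body": "statement 1003 (member-c)"},
}

class NotAvailable(Exception):
    """Raised for missing and foreign ids alike, so ids cannot be enumerated."""

def get_statement_vulnerable(session_member, statement_id):
    """Trusts the id from the URL: any logged-in member can read any statement."""
    return STATEMENTS[statement_id]["body"]

def get_statement_fixed(session_member, statement_id):
    """Looks the record up, then checks it belongs to the authenticated member."""
    record = STATEMENTS.get(statement_id)
    if record is None or record["owner"] != session_member:
        raise NotAvailable(statement_id)
    return record["body"]

def can_read(session_member, statement_id):
    """Boolean view of the fixed handler, used by the checks below."""
    try:
        get_statement_fixed(session_member, statement_id)
        return True
    except NotAvailable:
        return False

# Constructed access-log lines: member, request, status from the fixed handler.
ACCESS_LOG = """\
member-a GET /statements/1001 200
member-a GET /statements/1002 403
member-a GET /statements/1003 403
member-b GET /statements/1002 200
"""
LINE = re.compile(r"^(\S+) GET /statements/(\d+) (\d{3})$")

def suspicious_members(log_text, threshold=2):
    """Members denied on at least `threshold` distinct ids: the digit-walking pattern."""
    denied = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "403":
            denied.setdefault(m.group(1), set()).add(int(m.group(2)))
    return sorted(member for member, ids in denied.items() if len(ids) >= threshold)
```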

Physical Security fail

What's wrong with this picture?




(Thanks to Richard for the pic)

Still here!

Things have been quiet here at the Circus, as work and Uni have been in high gear alongside preparing for the CISM exam.

I will hopefully be back on a regular blogging schedule soon, in the meantime here is a gem from reddit.com:
Oh dear.
