[Sunnet Alert] Advisory #244 - iPhone, Java, Asterisk, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Jul 6 01:42:08 EST 2007
Sûnnet Beskerming Alert List Advisory #244
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 iPhone
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.2 Java
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Week
1.3 Asterisk
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Vista Security Claims Not All They Appear
2.2 A BlackHat Showdown
2.3 Time to Blacklist Blacklists
2.4 A Glitch in the Matrix, or a Hungry Exploit?
2.5 Hunting Safari
2.6 Acknowledging the Importance of Web Security
2.7 Investigating the iPhone
2.8 Why Hack When You Can Buy Your Way to Identity Theft
2.9 A Lesson in Why Regulating Online Activity is Difficult
=====================================
1. SECURITY
1.1 iPhone - Remote hacker automatic control
-- Products Affected --
iPhone
-- Technical Description --
errata security are claiming the discovery of a vulnerability that
affects the Safari browser on the iPhone. At this stage details about
the level of access that the vulnerability grants have not been
disclosed, but it is considered to be at least an application crash,
and potentially arbitrary control. Although the exact vulnerability
has not been disclosed, knowledge that there are remote code
execution vulnerabilities in existence for the desktop Safari browser
makes it a reasonable assumption that similar issues will be
affecting the iPhone Safari (given that the disclosed issue is
similar to one affecting desktop Safari).
-- Description --
After initial speculation that the first general vulnerabilities
targeting the iPhone would be discovered within the first few weeks
of release, it has been disclosed that at least one vulnerability
exists which can allow a remote attacker to gain some level of
control / application crash if the user can be tricked into visiting
a malicious site using the inbuilt Safari browser. This new issue is
an almost exact copy of issues found on the desktop version of the
Safari Internet browser, which can give some clues to potential
weaknesses to be discovered.
-- Recommended Action --
If iPhone users are concerned about the potential risk to their new
devices, they should apply caution to the sites that they visit using
the inbuilt Safari browser and limit the sites visited to trusted
sites only.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
               U    O
Home User      10   10   (Highly Critical)
Corporate      10   10   (Highly Critical)
1.2 Java - Remote hacker automatic control
-- Products Affected --
Java J2SE
-- Technical Description --
Java Web Start may provide access to overwrite local files and pass
control of the system to a remote attacker that has convinced a user
to interact with a malicious Java application via the Internet.
Arbitrary code execution is possible within the context of the local
user. Specifically, JDK, JRE 5.0 Update 11 and earlier, and SDK, JRE
1.4.2_13 and earlier are vulnerable on Windows platforms.
-- Description --
Late last week a set of vulnerabilities affecting Java Web Start in
J2SE were disclosed and patched by Sun. These vulnerabilities can
lead to situations where a remote attacker is able to take control of
the victim's system in the context of the current victim's privilege
level. Of note, JDK and JRE 6, Solaris, and Linux versions of J2SE
are not vulnerable to these issues.
-- Recommended Action --
Apply the updates for J2SE at the earliest opportunity.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
               U    O
Home User      8    8    (Very High)
Corporate      8    8    (Very High)
1.3 Asterisk - Remote hacker automatic control
-- Products Affected --
Asterisk 1.4.2 and prior.
-- Technical Description --
Multiple remote, unauthenticated stack overflows exist in Asterisk's
chan_sip.c; specifically, two closely related stack-based buffer
overflows exist in the SIP/SDP handler. These vulnerabilities can be
triggered with a number of different SIP messages, affecting calls
received by Asterisk as well as responses to calls made by Asterisk.
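As an added illustration of the vulnerability class named above (a
stack-based buffer overflow in an SDP handler), the following C sketch
is not Asterisk's chan_sip.c code and does not reproduce the specific
defect in this advisory, whose details are not disclosed here. It puts
the unsafe pattern (an SDP attribute value from the remote peer copied
into a fixed-size stack buffer with no length check) beside a bounded
version that rejects values that do not fit. The SDP line, the buffer
size ATTR_MAX and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Hypothetical SDP attribute copy, added to illustrate the vulnerability
 * class described in the advisory. This is NOT Asterisk's chan_sip.c
 * code; the line format, buffer size and function names are constructed.
 */

#define ATTR_MAX 32   /* fixed-size destination buffer */

/* Vulnerable pattern: the value of an "x=<value>" line supplied by the
 * remote peer is copied with strcpy into a fixed stack buffer. Any value
 * longer than ATTR_MAX-1 bytes overruns 'buf' (stack-based overflow). */
int copy_attr_unsafe(const char *line, char *out, size_t outlen)
{
    char buf[ATTR_MAX];
    const char *eq = strchr(line, '=');
    if (!eq || outlen == 0)
        return -1;
    strcpy(buf, eq + 1);            /* no length check: the defect */
    strncpy(out, buf, outlen - 1);
    out[outlen - 1] = '\0';
    return 0;
}

/* Hardened version: validates the "<type>=<value>" shape, bounds the
 * value to the current line, and rejects anything that does not fit
 * instead of writing past the buffer. */
int copy_attr_safe(const char *line, char *out, size_t outlen)
{
    const char *value;
    size_t vlen;
    if (!line || !out || outlen == 0)
        return -1;
    if (line[0] == '\0' || line[1] != '=')   /* SDP types are one character */
        return -1;
    value = line + 2;
    vlen = strcspn(value, "\r\n");           /* value ends at the line break */
    if (vlen >= outlen)
        return -2;                           /* too long: reject, do not overflow */
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Constructed SDP line, of the kind carried in a SIP INVITE body. */
static const char NORMAL_LINE[] = "a=rtpmap:0 PCMU/8000\r\n";

/* Normal input: the hardened copy succeeds and yields "rtpmap:0 PCMU/8000". */
int check_normal_line(void)
{
    char out[ATTR_MAX];
    if (copy_attr_safe(NORMAL_LINE, out, sizeof out) != 0)
        return 0;
    return strcmp(out, "rtpmap:0 PCMU/8000") == 0;
}

/* Normal input through the unsafe copy: fits, so it returns 0. */
int check_unsafe_normal_line(void)
{
    char out[ATTR_MAX];
    return copy_attr_unsafe(NORMAL_LINE, out, sizeof out);
}

/* Oversized input (value of 125 'A's): the hardened copy returns -2.
 * The unsafe version is not called here, since it would corrupt the stack. */
int check_oversized_line(void)
{
    char line[ATTR_MAX * 4];
    char out[ATTR_MAX];
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    line[0] = 'a';
    line[1] = '=';
    return copy_attr_safe(line, out, sizeof out);
}

/* Malformed input (no '=' in position 1): rejected with -1. */
int check_malformed_line(void)
{
    char out[ATTR_MAX];
    return copy_attr_safe("rtpmap:0 PCMU/8000", out, sizeof out);
}

int main(void)
{
    printf("normal: %d, unsafe normal rc: %d, oversized rc: %d, malformed rc: %d\n",
           check_normal_line(), check_unsafe_normal_line(),
           check_oversized_line(), check_malformed_line());
    return 0;
}
```

The hardened copy makes the decision explicit: the length of the value
is derived from the line actually received and compared with the
destination size before any byte is written, so an oversized or
malformed line becomes a rejected message rather than a memory write.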
-- Description --
Asterisk is vulnerable to two related issues affecting handling of
SIP/SDP network traffic. These issues can lead to an attacker taking
control of a vulnerable server / system that is running Asterisk.
Asterisk developers have released an update to address this issue.
-- Recommended Action --
Update to the latest versions of Asterisk or AsteriskNOW as
appropriate.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
               U    O
Home User      9    9    (Critical)
Corporate      9    9    (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Vista Security Claims Not All They Appear
Microsoft employee Jeff R Jones (Security Strategy Director) recently
released a report claiming that Windows Vista is significantly more
secure than competing operating system platforms.
After being released to CSO Online, the news was picked up and
repeated by many sites, but not many stopped to analyse the
information actually being put forward in the paper. Some sites, such
as Slashdot, saw heated discussion about the methodology used and
conclusions presented in the report, but overall most people accepted
the report at face value.
Now that more people have had the opportunity to dig deeper through
the report, more claims are being put forward that the report
presents the wrong conclusions and is using flawed methodology.
The first warning sign for many is the fact that a paper written by a
Microsoft employee places Microsoft in an advantageous position.
While parochialism should be suppressed by professionalism, it does
lead to concerns about bias.
Parochialism aside, the biggest problem that most observers are
having with the published article is that the author has interpreted
the available data sources in a very constrained manner that is not
consistent for all of the considered platforms.
Windows Vista certainly has had fewer vulnerabilities publicly
reported and patched by Microsoft, but it has only been available for
a few months. Of concern to researchers is the number of critical
vulnerabilities that are due to buffer overflows and those derived
from old code. Technology such as ASLR was supposed to neutralise the
majority of these vulnerabilities.
The report skips 'silently fixed' issues, which Microsoft did not
publicly acknowledge as existing. It also covers bundled software
when considering other operating systems, such as RHEL 4, which are
provided with numerous database, mail, and web servers, along with a
host of other applications that the base Windows installations do not
come with.
With the continuing trend of the same vulnerabilities being found on
Vista as on other systems, some are seeing it as a reason NOT to
upgrade to Vista (or at least not until SP1). Consumers and
businesses are continuing to push for the ongoing sale of Windows XP,
and there are concerns from some quarters that Microsoft may have
painted itself into a corner with Vista.
It appears that Microsoft's big push to rewrite the core system with
security in mind hasn't quite achieved the goals that were set (ASLR
can be defeated reliably, as well). This, and the response to the
recent report is quite disappointing, especially as Microsoft really
has improved their stance on security and development practices in
recent years.
2.2 A BlackHat Showdown
An old-fashioned Wild West showdown appears to be on the cards at
the 2007 Black Hat USA Briefings & Training, due to kick off in Las
Vegas on July 28.
Lining up on one side is a team of luminaries who have gathered under
the Matasano Chargen banner, seeking to demonstrate that they can
arbitrarily detect hardware-level (hypervisor) rootkits (such as Blue
Pill).
Opposing this is the Blue Pill team, led by Joanna Rutkowska, who
believe that they have a better than fair chance at evading reliable
detection by the Matasano Chargen team.
With an armament of:
* Direct Timing Observation;
* Indirect Timing Observation, and
* Functional Observation
the team from Matasano Chargen believe that they have what it takes
to identify and knock down Blue Pill. The difficulty will be in
applying these capabilities in a manner that does not adversely
impact the end user experience (some cryptographic attacks that use
timing observation effectively DoS the system while they are running).
Watching the two teams posturing ahead of the challenge, the
impression is gained that they are both moving towards the same
goals, but there is a little bit of a discrepancy between the aim
points. That discrepancy is going to be the key as to whether Blue
Pill succeeds or Matasano succeeds.
Even though there are lines being drawn in the sand by the supporters
of each side, the outcome (at this stage) is basically a coin flip.
If Blue Pill can reliably counter each of the techniques being used
in an attempt to detect it, then the Blue Pill team wins. In a real
infection scenario, disabling the detection software is also a valid
procedure (though it will serve as a detection in this case).
If the Matasano team can implement even one reliable detection
technique, then they win. The real difficulty is making that
technique reliable, given all the other processes that might be
competing for resources that are under observation.
Drawing on how the arms race for kernel-level rootkits, detection,
and counter-detection has developed, there is a slight advantage to
the Blue Pill team.
What everyone watching should hope for is that there is no repeat of
last year, where lengthy arguments developed after disputed claims
were made about being able to hack WiFi connections on OS X machines.
UPDATED -
Black Hat Showdown a No Down.
An eagerly awaited Security showdown at this year's Black Hat
briefings in Las Vegas, between the developers of the Blue Pill
hypervisor rootkit and a team that claims they can reliably detect
it, is no more.
In establishing the ground rules for the face off, the Blue Pill
developers requested a fee of $384,000 USD to be paid as compensation
for time and resources used to develop the technology and bring it to
a commercial stage of completion.
Nobody is claiming that the Blue Pill team should not be compensated
for their efforts, but the amount that they have requested is enough
to throw iced water over the concept of a showdown at this year's
Black Hat conference in Las Vegas.
Is this the market rate for complete control of a brand new rootkit?
Or is it indicative of the hidden costs that software development and
security research really bring to a company? The quoted market rate
of $200 per hour might be within a reasonable bracket, but applying
it for the length of time that the rootkit has been in development is
generally being interpreted as unfair. Suggestions have been put
forward that it may be worth closer to 15-20% of what they have asked
for, but with trades for information like this it will always be
worth what someone is willing to pay.
Other suggestions have been that it should be handled like a proper
wager (where better to do it than Vegas), with each side fronting up
their bet, and winner takes all.
The showdown may not be a complete write-off, however. The team who
were lined up to detect the rootkit will still be presenting an
outline at the Black Hat Briefings of the technology and guiding
principles that will allow for detection of these hardware level
rootkits.
After news of the initial challenge grabbed the attention of a lot of
people, the subsequent cancellation has led to some interesting ideas
about how to still achieve some sort of outcome and test the claims
of both parties.
One of the most prominent concepts that has been put forward so far
is for a good faith bet, where the detecting team places their tool
online, and allows arbitrary third party use and testing of the tool
to see whether it would comply with the initial guidelines of the
test, and allow the Blue Pill team to internally test against it
(that particular report would have to be accepted on good faith for
accuracy).
While not the same as a public head-to-head test, it still allows
most of the aims to be achieved, including the most stringent
limitations placed on the detection tool (don't significantly degrade
the user experience).
2.3 Time to Blacklist Blacklists
Blacklists have their place for detecting and identifying malicious
content and activity, with the whole signature-based malware
detection industry effectively being built around the concept that
blacklists are reliable mechanisms.
The only problem is that they aren't.
They certainly are an important element of security models, but the
last couple of decades of security research has shown that they
quickly become ineffective in the face of a rapidly evolving threat.
Early in the life of antivirus tools, simple signature based
detection was enough. An internal blacklist could identify all known
pieces of malware because they did not evolve or spread very rapidly.
When polymorphic malware began to exhibit better software
development, the need for heuristic detection engines became more
urgent. Most antimalware software now has a combination of
blacklisting and heuristics in use to assist in identifying malicious
activity (when they aren't busy deleting critical system files or
being compromised by their own analysis engines).
Having an exhaustive blacklist helps companies claim that they detect
many tens of thousands of viruses and malware, when in reality it may
be many different versions of a few key pieces of malware, just
different enough from previous versions to require a brand new
blacklist signature.
Moving on to blacklists of known spam-generating IPs and malware-
serving sites, we start to see significant problems emerge with this
particular approach to protection.
Many mail server administrators will have encountered at least one
period where they have found their IP on an RBL (Real Time Block
List) alongside IPs that have been seen to be spewing spam across networks
(or they could have just had AOL mailing list subscribers who find it
easier to report as spam than unsubscribe from something they
manually subscribed to). With the use of dynamic IP addresses and
virtual hosts, many have found that if they have a bad network
neighbour, they can be hit with the same blocking (we've had it
happen a few times) from indiscriminate RBL maintainers.
Even important registries are not immune from arbitrary blockage and
ongoing annoyance from poorly developed RBLs.
The problem of misidentification becomes even worse when blacklists
of websites that are hosting malware and phishing attacks are
maintained. Microsoft, Mozilla, Opera, McAfee, and Google are just
some of the large bodies that have invested significant resources to
the creation, maintenance, and use of website blacklists to warn
users of potential malicious activity on websites (and in some cases
prevent access).
Anyone who spends even just a little bit of time involved with
researching and observing the patterns and pace of website attacks,
hacks and defacements will know that websites are essentially fragile
entities and it doesn't take much for a well-trusted site to become a
malware-spewing nightmare.
Like trying to use DRM to restrict the spread of copyright
infringement, using blacklists / blocklists to limit access to sites
will only stop the honest, and the casual attacker (extremely casual
attacker) from getting people to see their site. Any attacker that is
remotely serious about their work will have plenty of ways to bypass
and overcome the minor inconvenience that the blacklists pose.
If any further evidence was required, a security researcher (Kuza)
has published a small set of techniques that can be used to bypass
these website blacklists. The set of techniques published reflects
just a small number of the many different ways that it is possible to
avoid these lists, not least of which is the fact that it takes time
for a site to be added to a blacklist.
The response that Kuza received from Microsoft when he reported his
techniques for phishing detection avoidance is actually quite an
intelligent response - "[it] is not a security feature".
The only problem with this is that many, many people (including a lot
of 'security' people who should really know better) consider these
lists to be just that - a security feature.
It is time that people became aware that these lists are a small tool
of their protection arsenal, and not the major innovation that their
creators and maintainers describe them as. It is also time that
people became aware of the problems that these lists can cause when
improperly developed and maintained (and even when they aren't).
2.4 A Glitch in the Matrix, or a Hungry Exploit?
Sûnnet Beskerming researchers observed an interesting deviation in
global network traffic over the last 24 hours, particularly for South
American, Asian, and Australian networks. Normally, global Internet
traffic (as observed by the Internet Traffic Report) oscillates
around 9% packet loss, with global response times of 138 ms, and the
internally derived traffic index at around 79.
Sustained over the last 24 hours, the traffic index has dipped almost
5%, packet loss has climbed to 11%, and the global response time to
almost 150 ms.
Normal spikes and dips as observed on the Internet Traffic Report
show up as no more than 3 or 4 hour blocks of odd results before
settling back into normalcy. This latest spike and dip has been
sustained for at least 18 hours, with a rapid ramp up in the six
hours prior to the peaks (and lows) being reached.
When the figures are considered against the 7 day average, and the 30
day average, the deviation appears to be quite significant and seems
to mark a distinct event or set of events. When the reports for Asia,
South America, and Australia are looked at in isolation, the three
regions appear to be suffering from a related event, with similar
patterns being observed in the data being put forward for those
regions. Data for Europe and North America indicates that whatever is
affecting the other regions, it isn't affecting Europe or North
America. Independently sourced data at Keynote (using their Internet
Health Report) indicates that there is nothing adversely impacting
the US at this time.
Either these regions are experiencing the first stages of a global
event, or they contain networks that are under a sustained attack for
some specific reason.
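The reasoning above (a 7 or 30 day baseline, short 3 to 4 hour blips
treated as normal noise, and an 18 hour run treated as a distinct
event) can be written down as a check. The following C program is an
added example, not code from the Internet Traffic Report or from the
Sûnnet Beskerming researchers; the hourly packet-loss series it
analyses is constructed to resemble the figures quoted (about 9%
normally, 11% during the event), and the function names, the 24 hour
baseline window and the 15% deviation threshold are assumptions for
the example.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Sustained-deviation check, added as an illustration of the reasoning
 * in the advisory. Not code from the Internet Traffic Report or from
 * Sunnet Beskerming; the series below is constructed, not measured.
 */

/* Build a constructed hourly packet-loss series (percent):
 * 24 h at the ~9% norm, a 3 h blip to 11%, 10 h back at 9%,
 * then an 18 h sustained rise to 11%, and 5 h back at 9%.
 * Returns the number of samples written. */
size_t build_constructed_series(double *out, size_t cap)
{
    static const struct { size_t hours; double value; } segments[] = {
        { 24, 9.0 }, { 3, 11.0 }, { 10, 9.0 }, { 18, 11.0 }, { 5, 9.0 },
    };
    size_t n = 0, i, h;
    for (i = 0; i < sizeof segments / sizeof segments[0]; i++)
        for (h = 0; h < segments[i].hours && n < cap; h++)
            out[n++] = segments[i].value;
    return n;
}

/* Mean of the first 'len' samples: the baseline the rest is judged against. */
double baseline_mean(const double *s, size_t len)
{
    double sum = 0.0;
    size_t i;
    if (len == 0)
        return 0.0;
    for (i = 0; i < len; i++)
        sum += s[i];
    return sum / (double)len;
}

/* Longest run of consecutive samples after the baseline window whose
 * relative deviation from the baseline exceeds 'frac' (0.15 = 15%). */
size_t longest_deviating_run(const double *s, size_t n, size_t baseline_len, double frac)
{
    double base = baseline_mean(s, baseline_len);
    size_t i, cur = 0, best = 0;
    if (base == 0.0)
        return 0;
    for (i = baseline_len; i < n; i++) {
        double d = (s[i] - base) / base;
        if (d < 0.0)
            d = -d;
        if (d > frac) {
            if (++cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* The advisory's rule of thumb: odd readings lasting 3-4 hours are
 * normal noise; a run longer than 'blip_hours' marks a distinct event. */
int is_sustained_event(size_t run_hours, size_t blip_hours)
{
    return run_hours > blip_hours;
}

/* Convenience wrapper: run the check over the constructed series with a
 * 24-hour baseline and the given deviation threshold. */
size_t demo_longest_run(double frac)
{
    double series[64];
    size_t n = build_constructed_series(series, sizeof series / sizeof series[0]);
    return longest_deviating_run(series, n, 24, frac);
}

int main(void)
{
    size_t run = demo_longest_run(0.15);
    printf("longest deviating run: %zu h -> %s\n", run,
           is_sustained_event(run, 4) ? "sustained event" : "normal noise");
    return 0;
}
```

With a 15% threshold the 3 hour blip is counted but falls under the
4 hour noise allowance, while the 18 hour run is flagged; raising the
threshold to 30% makes the 9% to 11% change invisible altogether, which
is why the choice of baseline and threshold matters as much as the data.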
So, what can be causing this problem? There appears to be nothing
that is being reported by any of the usual agencies or news feeds,
with SANS indicating a GREEN Threat level, and Symantec, McAfee, and
the other major security software providers not indicating any new
malicious software emergence.
Looking at the current Top 10 report from SANS, it appears that Port
5901 (used for VNC) is leading the charge for the top rating across
all metrics (including a 20% lead on the next port on the rising
Trends chart). At the time of writing, the raw data for Port 5901 was
showing disturbing results.
While there is spam, drive-by phishing attacks, and persistent worms
attacking global networks, these have been ongoing attacks and should
not be responsible for such a large change in such a short period of
time by themselves.
If we consider port 5901 to be relevant to the reason behind the
attacks, then we might have found a potential cause, and a potential
target.
An exploit was added a couple of days ago to a number of security
mailing lists, distribution sites, and other sources, which targets a
remote code execution vulnerability in the AMX VNC ActiveX control.
Since appearing on these sources it has spread to thousands of sites,
and is guaranteed to have been seen by many, many people - some with
malicious intent.
Although a remote code execution exploit is nothing special nowadays,
this particular piece of code claims to achieve its goals without
alerting the victim to the fact that they have just been successfully
hacked.
Whether or not it is relevant to the real reason behind the observed
response time and packet loss deviation will be seen over time. At
the least, administrators and end users should keep a closer eye on
their systems and networks over the next few days to see if this
unknown problem is going to spread.
UPDATED -
Since so many people have been asking about whether there are any
updates to our Glitch in the Matrix post, we've decided to post a
quick update based on what our researchers are continuing to observe.
Overall Internet traffic, as observed by The Internet Traffic Report
has settled back into normal ranges, though the 7 day charts show a
clear deviation from the norm at the end of last week (29-30 June)
and a little bit more volatility in the period since.
There is still no clear picture as to what was behind the lengthy
deviation, with some regional networks still encountering out of the
ordinary behaviour (though that might be within normal operating
ranges for those networks, especially if they are under maintenance).
Port 5901 has now dropped to more reasonable levels on the SANS Top
10, but the fact that it is still present on the Top 10 should still
be a concern for end users. Feedback from various sources and
communication with the ISC indicated that while the observed traffic
patterns were of interest, there was nothing that could be clearly
identified as being more than a possible source for the behaviour.
2.5 Hunting Safari
When Apple's Safari browser was released for beta testing on Windows
at this year's WWDC, it was expected that many researchers would turn
their attention to this little piece of Apple in a Microsoft world.
These expectations were met when vulnerabilities were rapidly
discovered and disclosed within a matter of hours of the release of
the browser, some with detailed exploitation code accompanying the
disclosure.
A lot of the remaining publicly known vulnerabilities are low threat
issues, providing cross site scripting and minor data corruption
opportunities. However, there are still serious vulnerabilities being
released, such as the '0-day' code execution vulnerability due to
excessive Title tag length when a page is added to the bookmarks.
While Apple quickly moved to patch the known vulnerabilities,
bringing the browser to beta version 3.02 in short order, some
'researchers' have decided to take a more unprofessional route while
vulnerabilities continue to be disclosed by others.
Repeating the oft-used line that unpaid research and Quality
Assurance for a software vendor is not what they are there for, at
least one security researcher has publicly stated that they will be
withholding disclosure of serious Safari vulnerabilities until after
the release of OS X 10.5 (Leopard), preferring to wait until a
reasonable userbase has been established prior to disclosure.
The risk of taking this approach is that it is possible (maybe even
probable) that another researcher will identify and report the
vulnerabilities before the release and widespread use of Leopard.
Intentional suppression of vulnerability data (including not
reporting it to the vendor), with the intention of later publicity,
is a practice that many find unethical and unprofessional and the
researchers may find that software vendors will be less willing to
negotiate with them in the future.
Whatever the outcome, it is to be expected that many more Safari-
focussed vulnerabilities will be disclosed over the next several months.
2.6 Acknowledging the Importance of Web Security
Two recent articles in the mainstream technical media are helping to
bring increased awareness to the importance of web security as a key
component in the overall security picture.
With acknowledgement of the increasing difficulty of spreading
malware through traditional channels (email), Paul Henry suggests
that the web is becoming the dominant distribution channel for malware.
Supporting this argument through figures that point to increasing
numbers of websites hosting malicious content, Paul fails to
recognise that the recent explosion in the number of sites hosting
malicious content has largely been due to hosting providers that were
compromised through known weaknesses in their hosting solutions
(especially of systems with numerous virtual hosts).
There are still increasing numbers of dedicated malicious sites, but
this analysis (like many) fails to properly account for previously
trusted sites that are temporarily compromised by an attacker or via
included third party content (such as banner ads). This sort of
problem will forever be the Achilles' heel of programs like
SiteAdvisor and browser-based phishing protection.
Although the article at ZDNet is a press release masquerading as news
(guess who has a vested interest in the product hawked in the
article), it does raise some valid points that people outside of the
web security sphere may not have been aware of, but should be
informed about.
A better article, over at C|Net, identifies some of the problems
associated with web security, particularly in terms of creating and
implementing standards.
The assertion that the industry is 'basically making up web security
as it goes along', however, is somewhat unfair. Perhaps this is the
case in companies where there is not even a basic understanding of
web security, but there is a growing repository of freely available
information and common baseline knowledge that will propel companies
and developers a long way towards implementing reasonable levels of
security.
Beyond reasonable security the situation changes. It becomes like the
rest of Information Security, where a small set of researchers and
attackers are constantly probing away at the edges of what is known -
seeking to improve the common knowledge (or improve the ability to
attack and control).
Creating and implementing standards that can get entities to a level
of reasonable security is the difficult part (as the article points
out). Any standards body risks becoming irrelevant as soon as a
standard is published (just like every other standards body),
particularly with the rapid pace of security research and discovery.
It doesn't take much research to find examples of this (PCI DSS), but
the ongoing efforts of groups like OWASP and WASC are likely to form
the initial basis of any eventual standards (it would almost be
criminal for them not to).
2.7 Investigating the iPhone
When Apple's iPhone was released at the end of last week, not only
were purchasers lined up to get their hands on the device, but
security researchers were keenly awaiting physical access to the device.
It didn't take long, with what appears to be a recovery system image
posted to a number of sites within a matter of hours of the release
of the iPhone. Initial analysis of the files has provided clues about
the internal setup of the phone (assuming the files represent an
accurate firmware image). The presence of low level accounts (admin
and root), along with passwords for them came as a minor surprise.
Password recovery tools quickly allowed recovery of the underlying
passwords.
Those discoveries are a major assistance to web security researchers
on both sides of the fence. Web security researchers sat up and took
closer notice after Steve Jobs announced at the recent WWDC that
third party developers will be able to develop applications for the
iPhone by creating 'Web 2.0' style applications that iPhone users are
able to access using the Safari browser on the phone.
Observing what sort of vulnerabilities continue to be discovered for
desktop browsers, it is only going to be a matter of time until
someone discovers a vulnerability that will allow for complete access
to all of the data on the iPhone. Already researchers are busy
looking at ways that can be used to access the information stored on
the device.
Researchers who are focussed on the network that the iPhone connects
to have disclosed that in order to access voicemail across the
network a password is not required, merely a valid Caller ID.
Guidance on addressing the situation has also been released, which
should be followed by all iPhone holders.
Initial analysis of the network traffic coming from the iPhone has
raised some interesting possibilities and similarities to OS X, and
it is likely that there are going to be some significant results to
come from this approach over coming weeks.
The next couple of days are likely to see activation cracks released,
according to one group looking at the code, and it is reasonable to
assume that arbitrary code execution will only be a matter of weeks
away (at most).
The team over at errata security are claiming what could be the first
set of vulnerabilities to affect the iPhone, after less than 96 hours
of general availability of the device.
At this stage they are claiming the presence of an unidentified
Safari bug, and an interesting Denial of Service against the
Bluetooth connection. Even without full disclosure, the Safari bug
throws up some interesting material for others who are looking at the
potential weaknesses in the device.
It appears to be the same as a bug that errata security have
identified with the desktop version of Safari (but not fully
disclosed). If this is not just a one-off, then there are plenty of
vulnerabilities affecting the desktop version of Safari that will
give enterprising researchers and attackers a useful means to probe
deeper into the iPhone.
Given how short the timeframe since the release of the iPhone has
been, the vulnerabilities being discussed and disclosed are somewhat
raw around the edges; it should be expected that they will soon become
more useful and more efficient, even if the potential infection base
is only around 1 million devices.
2.8 Why Hack When You Can Buy Your Way to Identity Theft
Continuing a trend of employees stealing valuable data, an employee
at a Fidelity National Information Services subsidiary at some time
prior to May 2007 stole more than 2 million records that contained a
range of personal, financial account, and credit card data for users
of Fidelity services.
Immediately profiting off the theft, the employee sold the
information to a data broker that then sold the information on to
direct marketing companies. Even though officials from the Fidelity
subsidiary involved have stated that none of the data was used for
fraudulent financial activity, the consumers who were subsequently
contacted by the direct marketing firms might think otherwise.
Even though they have found no fraudulent activity, the Fidelity
subsidiary just doesn't know what the data has been used for, or
where it has exactly spread to - which is always the considered risk
with identity data theft. In a clear example of failing to understand
how fluid the storage and distribution of information is, the company
has set out to recover all of the stolen data. They will be able to
recover copies of it, but there will be no guarantee that they can
recover all copies of it.
The employee who stole the data was a senior DBA who has subsequently
been fired and is likely to face civil and criminal charges in the
near future.
2.9 A Lesson in Why Regulating Online Activity is Difficult
When the controversial online music distribution site AllofMP3.com
went dark recently, it was touted as a victory by various groups
responsible for music royalties (who weren't getting a cut from
AllofMP3.com) and a positive sign of US-Russian relations due to the
intimation that US pressure was used to force the Russian authorities
to terminate the link between AllofMP3 and their ISP.
This celebratory feeling was somewhat short-lived when MP3Spark.com
suddenly appeared from nowhere, apparently being operated by the same
parties responsible for AllofMP3.com. Account holders from
AllofMP3.com have confirmed that their accounts and other details
appear on the new site, and the catalogue presented on MP3Spark.com
contains the same spelling errors and misattributions that
AllofMP3.com maintained.
MP3Spark.com also appears to have the same arrangement with the
disputed collector of royalties within Russia that AllofMP3.com
maintained. It is claimed that this particular organisation has tried
to distribute royalty funds, but has been turned down by rights holders.
Media Services, the company that appears to be behind both sites is
currently in the process of being sued by multiple parties inside and
outside of Russia, so it may be a shorter timeframe before the new
site is taken offline (or moved to a country that doesn't care about
copyright as much).
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.