Tuesday, October 27, 2009

Guardian Loses 500 000 CVs

It’s been widely reported this week that the Guardian jobs website was hacked, resulting in 500 000 CVs being stolen. Although no logon or financial information was exposed, the breach is still considered serious, as a typical CV contains plenty of information that can be used for identity theft. Similar information has previously been stolen from the likes of Monster.

Although the security breach was embarrassing and the theft illegal, the actual data loss is perhaps less serious than it first appears. Much of the information found in a CV is often legally available in the public domain. Public profiles on business networks such as LinkedIn are a good example, as are the usual suspects such as Facebook for social networks. Most countries now have online phone books that can provide address and phone number details. Personal blogs and websites often complete the picture.

It wouldn’t be out of the question to develop an information crawler to farm personal information from public websites and services. Granted, stealing CVs would provide higher quality data, but it also comes with the risk of severe punishment if caught.

Legal methods of harvesting even more personal information are already in circulation, for example the Porn Star Name game that circulated on Twitter recently.

So although we should be concerned about crimes against our personal information, we should also pay attention to what we give away for free.

Wednesday, October 21, 2009

T-Mobile Data Loss

The security story of the week that I have found the most interesting is the data loss by Microsoft subsidiary Danger, which provides Sidekick data services to T-Mobile customers. There are lots of different stories about what actually happened, including one about a disaffected insider deliberately sabotaging certain critical systems. Whatever is true, there was clearly something lacking in the backup and restore procedures. What I find most astonishing is that some Microsoft apologists seem to be trying to blame Oracle and Sun for the issue, as this was the platform in use for the Sidekick data services. If you are a customer who has just lost your data, this is not what you want to hear, as it is for the supplier to manage the systems whatever they are.

At the business level, if you trust your data to a third party, you need assurances that they not only correctly back up your data but also test the restore procedures at regular intervals. Off-site storage of backup media should also be a non-negotiable requirement. Obviously at the consumer level, such assurances are harder to come by.

There has also been some debate as to whether the incident has been a setback for Cloud Computing. Putting aside the argument about what Cloud Computing actually is, if you engage a Cloud Computing service you need to check its provision for backup and restore as you would for any other service.

It now looks like the T-Mobile data will be recovered, which is great for consumers and hopefully a wake-up call for other companies who manage and process data.

Tuesday, October 13, 2009

Buffer Overflows

With Microsoft due to have its biggest ever Patch Tuesday with 34 security flaws addressed, it got me thinking about buffer overflow exploits. At least two of the security problems to be fixed are due to weaknesses that allow stack overflow errors. Although buffer overflows have been around since as early as 1972, it wasn’t until 1999 that I really became aware of them. A company called eEye Digital Security released details of an exploit in IIS 4 that allowed you to open a remote shell on the targeted system over the HTTP protocol. If memory serves me correctly, there was a bit of a fuss at the time, with Microsoft claiming the vulnerability was released to the public in an irresponsible way, whereas eEye and others stated that without such ‘shock’ tactics Microsoft wouldn’t treat the problem with enough urgency. Whatever the truth, I got the distinct impression that Microsoft’s security notification service, including how it credited third parties, suddenly got a lot better.

Perhaps the most famous exploit of a buffer overflow was the Code Red worm in 2001, which exploited a vulnerability in the Microsoft indexing software distributed with IIS. Although a patch had been available for over a month, many system administrators of public-facing servers had failed to apply it, or even to disable the software if it wasn’t used. The positive aspect of the Code Red worm was the ‘wake-up call’ it gave system administrators to correctly patch their systems.

There are many ways to protect against buffer overflows, including a technique called Address Space Layout Randomization (ASLR), which is incorporated into Microsoft Windows 2008 and Vista. Linux and Mac OS X 10.5 also have some ASLR functionality. ASLR picks different locations to load system components into memory each time a system is started, making buffer overflow exploits difficult but not impossible. Intrusion Prevention Systems (IPS) can help block known attacks or exploits, but a well-crafted attack can disguise its intent.

Ultimately the best way to protect against buffer overflows is good programming, from the most basic OS functions right up to application software.

Thursday, October 8, 2009

Null Prefix Attacks against SSL

There has been a lot of noise over the past few days about attacking SSL using counterfeit certificates. The story gained momentum when a fake certificate for www.paypal.com was posted to the net, with PayPal banning the author of the exploit from their service a few days later. It is possible to create the false certificate because certain browsers that rely on the Microsoft CryptoAPI fail to correctly interpret a null character in the common name. There seems to be much confusion about the seriousness of the vulnerability and how to exploit it. If you have a spare hour, I recommend watching the original Black Hat presentation by Moxie Marlinspike entitled More Tricks for SSL, which examines techniques for attacking SSL traffic, including using certificates with the null byte in the common name. It includes examples of how such attacks can be used to harvest real data.
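The null-byte problem described above, as an added C example that is not from this post, the presentation or any browser’s code: a hostname matcher that treats the common name as a C string stops at the embedded NUL and accepts a constructed CN of `www.paypal.com\0.attacker.example` for www.paypal.com, while a length-aware matcher that rejects embedded NULs does not. The certificate bytes and the attacker.example domain are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the bytes of a certificate common name as a DER
 * decoder would hand them over (length known, NUL permitted inside).
 * The domain after the NUL is a placeholder, not a real host. */
static const unsigned char CN_BYTES[] =
    "www.paypal.com\0.attacker.example";
static const size_t CN_LEN = sizeof(CN_BYTES) - 1;   /* 32 bytes */

/* Vulnerable matcher: the decoder's length is discarded and the CN is
 * handed to a C-string compare, which stops at the first NUL byte, so
 * the CN above matches www.paypal.com although the CA only vouched for
 * the attacker.example part after the NUL. */
bool match_cn_cstring(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                       /* the defect: length ignored */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened matcher: a hostname never contains a NUL, so any CN with an
 * embedded NUL is rejected outright, and exactly cn_len bytes are
 * compared against the requested host. */
bool match_cn_length_aware(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                   /* embedded NUL: no match */
    size_t host_len = strlen(host);
    return host_len == cn_len && memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.paypal.com";
    printf("C-string compare    : %s\n",
           match_cn_cstring(CN_BYTES, CN_LEN, host) ? "MATCH (wrong)" : "no match");
    printf("length-aware compare: %s\n",
           match_cn_length_aware(CN_BYTES, CN_LEN, host) ? "MATCH" : "no match (correct)");
    return 0;
}
```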

Friday, October 2, 2009

Poisoning Google

There are a couple of stories on The Register today about hackers manipulating search engine results so that searches for popular items would display links to sites serving malware. Google Wave and Microsoft Security Essentials were just two of the search terms that were targeted.

You have to admire the innovation of some of these hackers and wonder just how much money they could be making if they put their efforts into a legitimate business. The frightening aspect is that, as they choose to work in the black economy, the rewards available must be extremely lucrative to make it worthwhile.

Thursday, October 1, 2009

Security Essentials

One of the bigger security stories of the week is the release of Microsoft’s free Security Essentials package, which contains anti-spyware and anti-virus functionality. The motivation behind the software seems to be to give the millions of unprotected PCs in the world some basic anti-malware functionality. Microsoft is not well known for its displays of altruism when it comes to software, and indeed there is an element of self-interest in the move.

The Windows platform has the reputation of being the least secure of modern operating systems. This is at least partly due to the fact that it is by far the most popular OS and hence has the largest number of non-technical users ill equipped to secure their PC. This makes Windows an attractive target for malware writers, as the chances of a successful exploit are much greater than for an attack against, for example, Linux. Although security awareness is better than it once was, anti-malware software either comes at a cost or is free but with excessive marketing blurb to get you to upgrade to a paid-for version. Security Essentials is easy to download and install and, so far at least, seems to be very unobtrusive. Hopefully it will encourage owners of unprotected systems to improve their security.

Why is this a good thing if your own PC is already well protected? The simple answer is that the millions of compromised PCs in the world affect us all every day, as they can be used to distribute spam, launch denial of service attacks or act as a platform for other exploits. The fewer unprotected systems there are, the fewer opportunities there are for exploitation. This is good for Microsoft in that it makes the internet a safer place to do business and could potentially improve the reputation of its software.

Microsoft will not be bundling Security Essentials with future OS releases nor distributing it as a critical update, probably to avoid problems with competition regulation. Neither will it install on pirated copies of Windows. Although these measures are understandable, their effectiveness will no doubt be reduced, as many of the PCs most in need of anti-malware software will fail to receive the package.