By Joseph Menn | Los Angeles Times Staff Writer
Security researchers on Tuesday said they had discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious websites of their own devising.
For bad news, that's pretty impressive. But there are two pieces of good news: First, no bad guys are known to be using the flaw yet. And second, in a possibly unprecedented display of industry cooperation, virtually every major software company affected is issuing patches to fix the problem.
System administrators will have 30 days to apply those patches -- from the likes of Microsoft Corp., Sun Microsystems Inc., Red Hat Inc. and others -- before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.
Security experts -- including the man who discovered the flaw, Dan Kaminsky of security firm IOActive Inc. -- hope that the patches are broad enough that evil types won't be able to reverse-engineer them to exploit the vulnerability.
"We got lucky in this particular bug, because it's a design flaw," Kaminsky said in an interview. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving."
US CERT, the Computer Emergency Readiness Team at the Department of Homeland Security, issued an alert Tuesday on the scope of the problem. CERT made the initial discovery seem like child's play.
"It took a couple of hours to find the bug," said Kaminsky, "and a couple of months to fix it." Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter.
But this failing is at least one order of magnitude bigger, and perhaps several.
"This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."
For bad news, that's pretty impressive. But there are two pieces of good news: First, no bad guys are known to be using the flaw yet. And second, in a possibly unprecedented display of industry cooperation, virtually every major software company affected is issuing patches to fix the problem.
System administrators will have 30 days to apply those patches -- from the likes of Microsoft Corp., Sun Microsystems Inc., Red Hat Inc. and others -- before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.
Security experts -- including the man who discovered the flaw, Dan Kaminsky of security firm IOActive Inc. -- hope that the patches are broad enough that evil types won't be able to reverse-engineer them to exploit the vulnerability.
"We got lucky in this particular bug, because it's a design flaw," Kaminsky said in an interview. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving."
US CERT, the Computer Emergency Readiness Team at the Department of Homeland Security, issued an alert Tuesday on the scope of the problem. CERT made the initial discovery seem like child's play.
"It took a couple of hours to find the bug," said Kaminsky, "and a couple of months to fix it." Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter.
But this failing is at least one order of magnitude bigger, and perhaps several.
"This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."
joseph.menn@latimes.com
2. Protecting Yourself Against Identity Theft
Brian Gardner, June 24, 2008
www.HackerScan.org/identity-theft/
About Hacker Scan organization:
Hacker Scan is an organization dedicated to raising awareness and informing the public about Internet Security including: identity theft, network security, and security software.
Identity Theft topped the Federal Trade Commission's list of consumer complaints in 2002 costing consumers $343 million during that year. Approximately 500,000 Identity Theft victims filed a police report in 2001 alone.
Identity Theft is the act of using someone else's personal information (e.g. account numbers, driver's license, insurance card, or Social Security number) without their knowledge and using the assumed identity to commit fraud or theft. Often, the personal information is used to get loans or open credit card accounts. Some victims of Identity Theft have lost job opportunities, been refused mortgages and been left with destroyed credit and reputations.
Identity Theft victims and financial experts have offered many precautions to help protect against this crime, including:
Identity Theft topped the Federal Trade Commission's list of consumer complaints in 2002 costing consumers $343 million during that year. Approximately 500,000 Identity Theft victims filed a police report in 2001 alone.
Identity Theft is the act of using someone else's personal information (e.g. account numbers, driver's license, insurance card, or Social Security number) without their knowledge and using the assumed identity to commit fraud or theft. Often, the personal information is used to get loans or open credit card accounts. Some victims of Identity Theft have lost job opportunities, been refused mortgages and been left with destroyed credit and reputations.
Identity Theft victims and financial experts have offered many precautions to help protect against this crime, including:
- Keep track of personal information and only share that information with a company that is known and trusted. Read and understand the fine print in every document.
- Protect your Social Security number and mother's maiden name. Avoid giving personal information out over the phone. Avoid posting your Social Security number online, on your checks, outside of envelopes, on driver's license, etc.
- Minimize the number of identification information and financial cards carried in a wallet.
- Sign all new credit cards upon receipt. Write "Check ID" after your signature as a note to shopkeepers to ask for identification.
- Keep new and canceled checks in a safe place and report lost or stolen checks to the issuing financial institution immediately.
- Never leave receipts at bank machines, bank counters, public trash receptacles, or unattended gas pumps. Save them to match against your monthly bills, and then shred them.
- Buy only from secure Internet sites. Look for the closed lock icon to appear at the bottom of your browser or "https" to display in the URL to check the site's security status.
- Shred any documents that have any personal information or credit account numbers on them before discarding, including tax returns and unwanted credit card offers.
- Report all lost or stolen credit cards. If you applied for a new credit card and it has not arrived in a timely manner, call the bank or credit card company that is issuing the card.
- Follow up with creditors if bills do not arrive on time. A missing credit card bill could mean an identity thief has changed your billing address to cover his/her tracks.
- Notify credit card companies and financial institutions in advance of any change of address or telephone number. Make sure to contact the sender if your statements are not received in the mail by their usual time.
- Monitor your credit. Check your credit report regularly from the three national credit reporting agencies for any unfamiliar changes, such as new accounts, inquiries, or public records.
- Review your Social Security Earnings and Benefits Statement annually to check for fraud. If you haven't received one lately, you can call 1-800-772-1213.
Keeping an eye on your financial statements and regularly monitoring your credit report can help protect you against the extensive damage of Identity Theft.
3. Law Enforcement Resources:
You're not alone. Here are 2 cybercrime-fighting online resources rolled into one for your convenience. Please file this in a safe place for future reference. You never know when you'll need it!
The Internet Crime Complaint Center (www.IC3.gov) was established as a partnership between the Federal Bureau of Investigation (www.FBI.gov) and the National White Collar Crime Center (www.NW3C.org) to serve as a means to receive Internet-related criminal complaints and to further research, develop, and refer the criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies for any investigation they deem to be appropriate.
The IC3 was intended, and continues to emphasize, serving the broader law enforcement community to include federal, as well as state, local, and international agencies, which are combating Internet crime and, in many cases, participating in Cyber Crime Task Forces.
Since its inception, the IC3 has received complaints crossing the spectrum of cyber crime matters, to include online fraud in its many forms including Intellectual Property Rights (IPR) matters, Computer Intrusions (hacking), Economic Espionage (Theft of Trade Secrets), Online Extortion (blackmailing), International Money Laundering, Identity Theft, and a growing list of Internet facilitated crimes. (And the list grows each day).
Since June 2000, it has become increasingly evident that, regardless of the label placed on a cybercrime matter, the potential for it to overlap with another referred criminal matter is substantial. Therefore, the IC3, formerly known as the Internet Fraud Complaint Center (IFCC), was renamed in October 2003 to better reflect the broad character of such matters having an Internet, or cyber, nexus referred to the IC3, and to minimize the need for one to distinguish "Internet Fraud" from other potentially overlapping cyber crimes.
The Internet Crime Complaint Center (www.IC3.gov) was established as a partnership between the Federal Bureau of Investigation (www.FBI.gov) and the National White Collar Crime Center (www.NW3C.org) to serve as a means to receive Internet-related criminal complaints and to further research, develop, and refer the criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies for any investigation they deem to be appropriate.
The IC3 was intended, and continues to emphasize, serving the broader law enforcement community to include federal, as well as state, local, and international agencies, which are combating Internet crime and, in many cases, participating in Cyber Crime Task Forces.
Since its inception, the IC3 has received complaints crossing the spectrum of cyber crime matters, to include online fraud in its many forms including Intellectual Property Rights (IPR) matters, Computer Intrusions (hacking), Economic Espionage (Theft of Trade Secrets), Online Extortion (blackmailing), International Money Laundering, Identity Theft, and a growing list of Internet facilitated crimes. (And the list grows each day).
Since June 2000, it has become increasingly evident that, regardless of the label placed on a cybercrime matter, the potential for it to overlap with another referred criminal matter is substantial. Therefore, the IC3, formerly known as the Internet Fraud Complaint Center (IFCC), was renamed in October 2003 to better reflect the broad character of such matters having an Internet, or cyber, nexus referred to the IC3, and to minimize the need for one to distinguish "Internet Fraud" from other potentially overlapping cyber crimes.
