Security Watch

Corporate Data Slips Out Via Google Calendar

Plus: ethical hacking; ATM security; Yahoo's bad move?

Yet another new Google tool offers companies a way to show how security-ignorant their employees are, according to this article from ComputerWorld.

Google Calendar offers users a way to make events "public." Google touted the feature in November and said it would be a cool way for people to find interesting events. It would appear, however, that this message didn't make it to Google Calendar users: many, including users at some very high-profile companies, have posted information such as meeting phone numbers and passcodes for events that surely weren't intended for the general public.

Another Web 2.0 risk that needs to be remembered. Employees should not be using hosted services unless there is a corporate contract for them.

Bug Hunters Face Online Apps Dilemma
This News.com article claims that "ethical hackers" need a way to safely hack online Web applications for the good of us all.

This is one of those articles that makes us wonder, "What are they thinking?" Because laws regarding inappropriate access to Web sites are well-formed and long-standing, it's more clearly illegal to hack a Web application than it is to hack an application installed on your own PC. Besides, there are many eyes watching a hacking attempt against a Web application, something not true of what you do on your own machines.

And this is a bad thing? The article suggests that because "ethical hackers" aren't being allowed to test the security of Web applications, those applications are therefore less secure than others. Of course, this is false on its premise. Many Web applications get thorough code review and security testing, and may well be better secured than a standalone counterpart simply because they are going to be exposed to the Internet at large.

Regardless, saying that hackers should have a free hand to hack anything they please is just ridiculous. As the article's only saving grace, it does go on to state that the best thing anyone wanting to test a Web application can do is to ask the application's owners for permission.

Security Breach Suspected at Grocery ATMs
Employees at WinCo, a California grocery store chain, discovered a card skimming device attached to an ATM in their store. This led to the discovery of another device at a different store, and evidence that a third store's ATM had previously been rigged. Customers who have used the ATMs are being encouraged to check their statements carefully. (Read the article from PE here.)

If you have ATMs at your facilities, they should be checked regularly for any suspicious-looking attachments. Skimmers are usually attached with Velcro or some other easily removable material, meaning they should stand out to even a cursory inspection. If you're using an ATM, always check that the device looks like one piece of equipment. If not, try entering wrong PIN codes and wait for it to say the transaction failed. If it doesn't, then it's a skimmer.

Yahoo Complies, Raising WHO's Ire
Information provided to the Chinese government by Yahoo is alleged to have led to the arrests and imprisonment of several individuals, says an article over at Ars Technica. The organization claims that those individuals were subsequently tortured, and somehow feels that Yahoo is responsible.

This column was originally published in our weekly Security Watch newsletter.

Filing on behalf of a dissident jailed in China, the organization claims that Yahoo "should not be participating actively in promoting and encouraging major human rights abuses."

Yahoo complied with the laws of the country in which it was operating, and indicated that if its employees had not done so, both the company and those individuals could have been subjected to charges.

Cybertrust knows that companies must comply with local laws. Limiting the information held in a given country to only those records pertaining to that country may reduce the demands a company has to comply with, but ultimately, if you operate in a country, you must abide by that country's laws.

It would appear that this organization is using Yahoo to attempt to bring media attention to its cause. Whether the cause is laudable or not is irrelevant; Yahoo will lose no matter how it handles this.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
