Security Watch

Who's in Your Wallet?

Thanks to legislative pressure, security breaches are public knowledge, but media coverage has turned transparency into hype and hassle.

Privacy
Consider these stories:

  • Ameritrade recently warned 200,000 clients about a potential data breach.
  • DSW Shoe Warehouse announced that thieves who accessed its database obtained 1.4 million credit card numbers, 10 times more than previous estimates.
  • Global bank HSBC Holdings is notifying at least 180,000 people whose credit card details may have been accessed by criminals.
  • Carnegie Mellon University reported that data on more than 5,000 graduate students, staff, alumni and others may have been accessed by a hacker who broke into computers at the university's Tepper School of Business.

These reports are the result of California legislation demanding that anyone whose private information may have been affected by a security breach be contacted; the media, however, are doing an incredibly bad job of handling these reports.

A reporter has yet to dig into why, for instance, an attack is successful when an institution is supposed to be protecting such information; or what any of them are doing to prevent future break-ins. We haven't heard from any of the people whose data has possibly been compromised to find out what, if anything, they're doing in response, or how hard it's been to get themselves protected from the potential misuse of their sensitive information.

The onslaught of these types of stories is only going to cause the public to lose interest, or, alternatively, make people so fearful they'll avoid providing information anywhere. If the media are going to run these stories, they should back them up with enough information for the public to get a better grip on the scope of the problem.

In all likelihood, your data has already been compromised; if every state had a law similar to California's, you would probably know it by now. The only reason you haven't heard is that the company either doesn't know your data was part of such a breach, or thinks there's no need to inform you.

Matrix, a 3-year-old database project meant to give law enforcement quick access to information from disparate sources, has had its federal funding pulled. Matrix, or Multistate Anti-Terrorism Information Exchange, has been dogged by claims that the database invades privacy; some say the database includes credit-card information, travel records and fingerprint data, an accusation denied by law enforcement officials.

The lack of government funding for the database shouldn't be taken as an indication that this type of system isn't important (Matrix is still available for states that want to fund it themselves). Law enforcement continues to need access to data from a variety of sources, and if terrorism is going to be thwarted, it needs the ability to share information efficiently and quickly between states, as well as between countries.

This column was originally published in our weekly Security Watch newsletter.

The U.S. Government Accountability Office (GAO) waited until three days after the income tax filing deadline to release a scathing report about the IRS' computer security problems. Among the problems cited is that the IRS is unlikely to know if outsiders are browsing through citizens' tax returns. Although the IRS has promised to fix any problems discovered, its track record is abysmal. The GAO reported that the IRS has so far fixed 32 of the 53 problems found in 2002—and also managed to introduce 39 new problems.

At this rate, the IRS is going to have more vulnerabilities in a couple of years than Internet Explorer and Windows combined. Congressman James Sensenbrenner said, "This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," which would be helpful if the IRS actually knew how to deal with the problems and not create more new ones in the meantime.

Hacking
Proof-of-concept exploit code has been published for the vulnerability patched by MS05-021, the Exchange server ESMTP vulnerability. This is a critical vulnerability for Exchange 2000 installations which accept unfiltered Internet-based SMTP traffic.

It's likely that attacks are already underway, probably by spammers looking to own Exchange servers. If you haven't patched your Exchange 2000 server, get it patched ASAP. The vulnerability also affects Exchange 2003, but on those platforms, authentication is required, making them unlikely to be compromised by an Internet-based attacker. (The proof-of-concept exploit code won't work on Exchange 2003.)

Oracle released a "mega" patch this month, covering security and non-security-related vulnerabilities. One vulnerability exposes its interMedia service to a denial-of-service attack, while four others are SQL injection vulnerabilities. SQL injection vulnerabilities usually result in the attacker being able to execute code in the security context of the database. Details have yet to be disclosed, but are expected within three months.

The security discoveries were made by NGSSoftware. Its previous discoveries of Oracle vulnerabilities turned out to be extremely critical once details were published. As such, the safest action would be to ensure that any Oracle servers that interact with untrusted visitors be patched as soon as possible after testing has been completed. Review your parsing techniques and make sure you're catching everything unexpected.

Malicious Code
The news service Reuters shut down its instant messaging service following an attack by the Kelvir worm on its network. Kelvir works much like many e-mail worms: it sends instant messages to a user's IM contacts, providing a link to a Web site where the worm is stored. The worm is then downloaded and executed on the victim's system.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
