Security Watch

Corporate Data Slips Out Via Google Calendar

Plus: ethical hacking; ATM security; Yahoo's bad move?

Yet another new Google tool offers companies a way to show how security-ignorant their employees are, according to this article from ComputerWorld.

Google calendar offers users a way to make events "public." Google touted the feature in November and said it would be a cool way for people to find interesting events. It would appear, however, that this message didn't make it to Google Calendar users, as many, including some very high-profile companies, have had users post information including meeting phone numbers and passcodes for events that surely weren't intended for the general public.

Another Web 2.0 risk that needs to be remembered. Employees should not be using hosted services unless there is a corporate contract for them.

Bug Hunters Face Online Apps Dilemma
This article claims that "ethical hackers" need a way to safely hack online Web applications for the good of us all.

This is one of those articles that makes us wonder, "What are they thinking?" Because laws regarding inappropriate access to Web sites are well-formed and long-standing, it's more clearly illegal to hack a Web application than it is to hack an application installed on your own PC. Besides, there are many eyes watching a hacking attempt against a Web applications, something not true of what you do on your own machines.

And this is a bad thing? The article suggests that because "ethical hackers" aren't being allowed to test the security of Web applications, they are therefore more insecure than others. Of course, this is false on its premise. Many Web applications get thorough code review and security testing, and may well be better secured than a standalone counterpart simply because it is going to be made available to the Internet-at-large.

Regardless, saying that hackers should have a free hand to hack anything they please is just ridiculous. As the article's only saving grace, it does go on to state that the best thing anyone wanting to test a Web application can do is to ask the applications owners for permission.

Security Breach Suspected at Grocery ATMs
Employees at WinCo, a California grocery story chain, discovered a card skimming device attached to an ATM in their store. This led to the discovery of another device at a different store, and evidence that a third store's ATM had previously been rigged. Customers who have used the ATMs are being encouraged to check their statements carefully. (Read the article from PE here.)

If you have ATMs at your facilities, they should be checked regularly for any suspicious-looking attachments. Skimmers are usually attached with Velcro or some other easily removable material, meaning they should stand out to even a cursory inspection. If you're using an ATM, always check that the device looks like one piece of equipment. If not, try entering wrong PIN codes and wait for it to say the transaction failed. If it doesn't, then it's a skimmer.

Yahoo Complies, Raising WHO's Ire
Information provided to the Chinese government by Yahoo is alleged to have led to the arrests and imprisonment of several individuals, says an article over at ars Technica. The organization claims that those individuals were subsequently tortured, and somehow feel that Yahoo is responsible.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Filing on behalf of a dissident jailed in China, the organization claims that Yahoo "should not be participating actively in promoting and encouraging major human rights abuses."

Yahoo complied with the laws in the country it was operating, and indicated that if its employees had not done so, both the company and those individuals could have been subjected to charges.

Cybertrust knows that companies must comply with local laws. Limiting information available in a given country to only those records pertaining to that country may mitigate the efforts that must be complied with, but ultimately, if you operate in a country, you must abide by that country's laws.

It would appear that this organization is using Yahoo to attempt to bring media attention to its cause. Whether the cause is laudable or not is irrelevant; Yahoo will lose no matter how it handles this.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular