
July 1, 2008

British Health Records Stolen

This is really beginning to get to me. With the proliferation of laptops in our society, you would think that knowledge of security would begin to spread rapidly as well. However, this is the second story in less than a week of a laptop being stolen from a car. Now, if this was an office of some sort, with semi-inconsequential data, it would be understandable. But it seems that more and more, healthcare IT staff are carrying around patient data on their personal laptops. These are people who are carrying around credit card info, banking numbers, social security numbers, names, and dates of birth. And I still wouldn't have a problem with it if they would take some sort of rudimentary precautions to ensure the protection of the data. However, there have been cases of IT staff storing full system backup tapes, laptops, USB crypto keys, and entire servers in the back of their cars. They are then completely amazed when these top-level security measures are thwarted by a crook with a crowbar.

This latest incident occurred after a British IT worker for the NHS trust left his laptop unsecured in his car, along with 21,000 patients' details. To make things worse, none of the information was encrypted, so the thief now has complete access to any and all patient data. The NHS trust reinforced the now common perception that they were completely technologically incompetent by stating (trying to make the situation better) "the data will almost certainly be wiped by the thief."

What steps should you take in order to secure a system from theft?
A. Set a BIOS-level password.
B. Set at least a 14-digit password.
C. Require some sort of biometric authorization for access.
D. Always keep your data in an encrypted folder.
E. If practical, hide private data inside of another file.
F. Keep any backups in a humidity-controlled, insulated environment.
G. Rule of Thumb: If your system can be seen, it's public data.
H. Thumb of Rule: If your system is in your car, it deserves to be stolen.

June 26, 2008

ALERT: Credit Cards Able to Be Cloned!

It's a near-ideal scene: a family riding a train, traversing hundreds of miles in a few hours. As the train chugs along at incredible speeds, they cross mountains and valleys, chug through forests and along beaches. The son begins to tug at his father's coattail, accidentally knocking his dad into someone passing through the hallway.

No problem right?

Wrong. A group of hackers from the Netherlands used a technique that was popularized at DEFCON 15 to develop a means to clone England's "Oyster" transit card. The cards use a microchip from the manufacturer "Mifare". A brief scan of a legitimate card reader (i.e., the turnstiles used to access the London Underground) reveals the cryptographic key that reads and authorizes a card to be used. Once the attacker uploads this key to his or her laptop, they are carrying a portable card reader wherever they go. This means that if the attacker is able to intercept your card's RFID signature, they are able to clone your card onto a card of their choosing. This allows them to consume the balance of your card.

The Mifare chips are also used in numerous secure-site authentication methods, which have drawn attention from the British government. When it was revealed that the same technology could be used to gain forged access to nuclear and governmental sites, they announced they would be replacing over 100,000 Mifare "Secure" RFID smart cards. At a cost of over 60 euros apiece, this security screw-up could end up costing the British government over 3 million US dollars.

These events leave me wondering, how long before:
A. Credit Cards Have RFID
B. Hackers Crack It
C. Cloned Credit Cards
D. Aluminum Plated Wallets

June 11, 2008

I am controlling your PC via Bluetooth.

Microsoft's June Patch Tuesday release included a critical fix affecting all Windows Vista and XP systems, which could allow attackers to wirelessly steal confidential information from laptops by exploiting a flaw in the Bluetooth stack.

The Bluetooth stack flaw, detailed in Microsoft bulletin CVE-2008-1453 and rated 'critical', could allow an attacker to take complete control of an affected system, install programs, alter data or create new accounts with full user rights.

The MS08-030 patch modifies the way the Bluetooth stack handles a large number of service description requests.

Microsoft recommends applying the patch immediately and security experts advise users to turn off Bluetooth features until the patch has been applied.

Matthew Aburn, director of security consultancy Halcyon, said the flaw was particularly dangerous because hardware manufacturers usually set the factory default for Bluetooth as 'active'.

"Hardware-wise, most ship with Bluetooth on by default. I'd definitely recommend that if you're not using Bluetooth, you should turn it off," Aburn told ZDNet.com.au.

Rob Pregnall, Symantec's senior manager of Technical Product Management for Endpoint Security in Asia Pacific and Japan, agreed. He said hardware manufacturers should do this to make those features easier to access.

"When I look at a freshly bought machine from a reputable manufacturer, the first thing I notice is that every bell and whistle is turned on. I see it across different hardware manufacturers, including Macs," he said.

"All the different communication technologies are generally activated, so I think it's a move by manufacturers to ensure that everything is turned on so that minimal effort is needed to use the capabilities that users were sold on," Pregnall said.

In a blog, Microsoft admits that although in most cases an attacker would need to be in close range to exploit the vulnerability, there are ways to increase that distance.

"The standard range of Bluetooth is in the order of metres, although an attacker could use specialised antennas to increase this," the blog said.

This was backed up by Halcyon's Aburn.

"People look at the standard specifications for Bluetooth range of connectivity, which says you need to be so many metres away but using a directional antenna, people can target you from much further away," he said.

This month's Patch Tuesday includes fixes for a drive-by download weakness in Internet Explorer, as well as flaws affecting Microsoft's multimedia.

The critical vulnerability affecting Internet Explorer described in CVE-2008-1442 and CVE-2008-1544 only affects Windows XP and Vista systems. The MS08-031 cumulative patch fixes a couple of vulnerabilities, including one that could allow remote code execution if a user viewed a specially crafted web page using Internet Explorer and another which could allow information disclosure if a similarly configured page was viewed using the browser.

The DirectX flaws affect all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-0011 and CVE-2008-1444. Microsoft says the vulnerability "could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

June 4, 2008

HP Support Hacked! UPGRADE NOW!

A customer support application that comes bundled with HP PCs has been found to harbour multiple security vulnerabilities.

The pre-installed software is designed to make it easy for users to keep drivers and HP software automatically updated. But flaws in ActiveX components within HP Instant Support give rise to multiple vulnerabilities that lend themselves to drive-by download malware attacks in cases where Windows users running the vulnerable software stray onto insecure or hacker-controlled websites, CSIS Security Group warns.

HP Instant Support HPISDataManager.dll version 1.0.0.22 and earlier are vulnerable. Users need to upgrade to version 1.0.0.24 as explained in a security bulletin from HP here.
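To check whether a machine still carries a vulnerable copy, the following added example (not from HP, CSIS, or the original post) searches for HPISDataManager.dll and compares its file version numerically against the fixed 1.0.0.24. The search roots are an assumption, since the post does not give an install path, and anything below 1.0.0.24 is treated as needing the upgrade.

```powershell
# Added example: find HPISDataManager.dll and flag copies older than the fixed build.
# Assumption: the DLL sits under one of these roots; the post gives no install path.
$FixedVersion = [version]'1.0.0.24'
$SearchRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

function Get-HpisStatus {
    param([string[]]$Roots, [version]$Fixed)

    Get-ChildItem -Path $Roots -Filter 'HPISDataManager.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts: the FileVersion string can
            # contain commas or trailing text, and string comparison would rank
            # "1.0.0.9" above "1.0.0.24".
            $ver = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                Vulnerable = ($ver -lt $Fixed)   # 1.0.0.22 and earlier are known vulnerable
            }
        }
}

$results = @(Get-HpisStatus -Roots $SearchRoots -Fixed $FixedVersion)

if ($results.Count -eq 0) {
    'HPISDataManager.dll not found under the search roots.'
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit code lets an inventory or compliance job pick up affected hosts.
    if ($results.Vulnerable -contains $true) { exit 1 }
}
```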

A CSIS advisory containing proof of concept demos of the flaws can be found here. And there's an easy to digest bit from Secunia here.

It's not the first trouble HP has had with rogue ActiveX controls in its pre-installed utilities. In December last year two ActiveX bugs created a mechanism for hackers to either thrash or inject hostile code onto HP PCs running either HP Software Update or HP Info Center, respectively.