Archive

Posts Tagged ‘Information Security’

Smart Grid & Privacy

October 11, 2009

Another MSNBC article talks about how the avalanche of data expected to be generated by consumer smart homes can be used, knowingly or unknowingly, to reconstruct your daily private life.

Utility companies, by gathering hundreds of billions of data points about us, could reconstruct much of our daily lives — when we wake up, when we go home, when we go on vacation, perhaps even when we draw a hot bath. They might sell this information to marketing companies — perhaps a travel agency will send brochures right when the family vacation is about to arrive. Law enforcement officials might use this information against us (“Where were you last night? Home watching TV? That’s not what the power company says … ”). Divorce lawyers could subpoena the data (“You say you’re a good parent, but your children are forced to sleep in 61-degree rooms. For shame …”). A credit bureau or insurance company could penalize you because your energy use patterns are similar to those of other troublesome consumers. Or criminals could spy the data, then plan home burglaries with fine-tuned accuracy.

The full article can be read HERE.

Vodafone Turkey Woes and Telco Regulations

September 13, 2009

Floods that hit Turkey on Wednesday, September 9th swept Vodafone’s data centers in the Ikitelli district, causing a complete network failure that affected millions. Below is a video taken from the security cameras of Vodafone’s data center in Ikitelli (the flooding is 1:54 minutes into the video).

Just a few minutes after the data center incident, millions of Vodafone subscribers (about 3.8 million people according to Vodafone) started having communication problems (complete signal loss) that lasted at least 48 hours. Customers still report 3G/EDGE problems at the time of writing.

The DR plan didn’t kick in for 24 hours and Vodafone had to fly in its UK Disaster Recovery team; clearly there was a problem with the DR plan (perhaps the flooding scenario was not taken into consideration, perhaps the scale of the problem was just too big to handle with the available resources). But the question remains:

– Now that communication (a critical infrastructure by definition) affects the lives of millions, should nations regulate and/or audit the resilience of the service? Unfortunately, most telecommunications regulatory authorities do not review the DR/BC plans or the annual BC/DR audit reports of private companies, although this falls under QoS. With most countries now having 3 or 4 mobile operators, I have always thought there should be some way to re-assign and re-distribute affected users to the other operational networks for a fee (paid by insurance companies or by the malfunctioning telco). I’m not a GSM expert, but I assume the concept is similar to roaming.

What Does the DHS Collect About US Visitors?

September 9, 2009

A recent post on the blog philosecurity discussed a copy of a U.S. Customs and Border Patrol Automated Targeting System (ATS) record, revealing some of the information held by the DHS on US visitors. The ATS record was obtained through a FOIA/Privacy Act request.

The ATS document reveals that the DHS stores the following personal information on any US visitor:

- Credit card number and expiration
- IP address used to make web travel reservations
- Hotel information and itinerary
- Full name, birth date and passport number
- Full airline itinerary, including flight numbers and seat numbers
- Cruise ship itinerary
- Phone numbers, incl. business, home & cell
- Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation
- Travel agent name and contact
- All the hotels that the travel agent recommended

I want to add that the ATS report also includes personal preferences such as:

- Smoking/non-smoking hotel room preference
- Preferred airplane seat (rear/front/window)

Interestingly enough, the DHS’s ATS report does not contain information about international flights on private jets.

All this information is used to assign a “Risk Factor” indicating the likelihood of any involvement with a terrorist cell or criminal activity.

The full ATS report can be found here

Energy-Aware Internet Routing

August 18, 2009

An Internet-routing algorithm that tracks electricity price fluctuations could save data-hungry companies such as Google, Microsoft, and Amazon millions of dollars each year in electricity costs by rerouting data to locations where electricity prices are lowest on a particular day, according to recently completed research reported Here.

Google Data Centers (US)

My Comments:
– A good idea economy-wise.
– If the routing algorithm becomes publicly available or predictable, would it be possible to predict where Google’s main data will be located or redirected on a given day, making targeted attacks easier and more effective?

The original MIT research paper is called “Cutting the Electric Bill for Internet-Scale Systems”.

Department of Energy (DOE) goes DNSSEC

July 27, 2009

The Energy Department has started implementing Domain Name System Security Extensions (DNSSEC) on its high-performance Energy Sciences Network (ESnet), using a commercial appliance to digitally sign DNS records and manage cryptographic keys.

DNSSEC is a set of protocols for digitally signing the records the DNS uses to translate between commonly used domain names and numerical IP addresses. Because DNS transactions underlie most activity on the Internet, assuring the authenticity of this information is crucial to security. The .gov top-level domain (TLD) was digitally signed in February, and the Office of Management and Budget is requiring agencies to sign second-tier domains within .gov by the end of the year.

NIST, NTIA, ICANN, and VeriSign are all working on a practical scheme for deploying DNSSEC in the Internet’s authoritative root zone.
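As an added illustration of the chain of trust that signing a second-tier zone under .gov relies on (example code written for this post, not from DOE, ESnet or any vendor appliance): the parent zone publishes a DS record that commits to the child's key-signing DNSKEY, and a validator only trusts the child's keys if that DS matches. The script computes the RFC 4034 key tag and the SHA-256 DS digest for a DNSKEY of a hypothetical example.gov zone and checks whether a given DS record really points at it; the zone name and the public-key bytes are constructed, not a real key.

```python
import base64
import hashlib
import struct

# Constructed example: a DNSKEY record for a hypothetical zone. The public key
# bytes are NOT a real RSA key, just filler so the key-tag arithmetic is easy to follow.
ZONE = "example.gov."
DNSKEY_FLAGS = 257          # bit 7 (zone key) + bit 15 (SEP): a key-signing key
DNSKEY_PROTOCOL = 3         # always 3 for DNSSEC (RFC 4034)
DNSKEY_ALGORITHM = 8        # RSA/SHA-256
DNSKEY_PUBLIC_KEY = base64.b64encode(b"\x01" * 32).decode()

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format RDATA of a DNSKEY RR: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: the 16-bit id that DS and RRSIG records cite."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(zone, rdata):
    """Digest the parent publishes in a DS record (digest type 2): SHA-256(owner name | RDATA)."""
    return hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()

def ds_matches(zone, rdata, ds_key_tag, ds_algorithm, ds_digest_hex):
    """True only if the parent's DS record commits to exactly this child DNSKEY."""
    algorithm = rdata[3]
    return (key_tag(rdata) == ds_key_tag
            and algorithm == ds_algorithm
            and ds_digest(zone, rdata) == ds_digest_hex.upper())

if __name__ == "__main__":
    rdata = dnskey_rdata(DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, DNSKEY_PUBLIC_KEY)
    # The DS record the .gov zone would have to publish for this (constructed) key.
    print(f"{ZONE} IN DS {key_tag(rdata)} {DNSKEY_ALGORITHM} 2 {ds_digest(ZONE, rdata)}")
```

A single flipped bit in the child's DNSKEY changes both the key tag and the digest, which is why a stale DS in the parent after a key rollover breaks validation for the whole zone.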

Resources:

The DNSSEC Deployment Initiative Official Website
GOVSEC Free Presentations about the Government’s Plan of Deployment

Leveraging Ethernet Card Vulnerabilities in Field Devices – White Paper

July 27, 2009

DigitalBond will post one of their S4 (SCADA Security Scientific Symposium) white papers every week from now until January 2010.

The first paper is “Leveraging Ethernet Card Vulnerabilities in Field Devices”. This paper shows how unauthenticated firmware uploads in field devices can be exploited and the potential impact of an intelligent exploit.

You can check out the paper Here.

Power Lines Can be Used to Steal Data

July 19, 2009

A recently announced exploit targets the electrical grid, with no expensive equipment required. How to execute these attacks will be demonstrated at the Black Hat USA 2009 security conference in Las Vegas later this month by Andrea Barisani and Daniele Bianco, a pair of researchers at the network security consultancy Inverse Path.

Stealing Keystrokes via Electrical Lines

In the power-line exploit, the attacker grabs the keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. The bit streams generated by the keyboard that indicate which keys have been struck create voltage fluctuations in the ground, they say.

The attack proved successful when tapping electrical sockets located up to 15 meters from where the target computer was plugged in, the researchers say.

“If our small research was able to accomplish acceptable results in a brief development time (approximately a week of work) and with cheap hardware,” they say, “consider what a dedicated team or government agency can accomplish with more expensive equipment and effort.”

Comments: Applying the same technique, could a vulnerable smart meter be used to steal data from all the wired computers in a house?

Full article HERE.