Thursday, 14 January 2010

Some secure memory sticks may not be all that secure...

Sometimes, I like to use my USB memory stick to hold data because it's incredibly convenient and it has a large enough storage capacity for most things. Naturally, security becomes a concern when I'm storing sensitive data on the stick. If I lose it, I don't want whoever picks it up to be able to examine the sensitive data. Typically, secure memory sticks use data security controls like encryption to protect the data. The algorithm requires a password to decrypt the contents. A user who is authorized to view the data will know this password and be able to successfully decrypt the data and examine the stick's contents.

Some manufacturers of secure USB memory sticks have forgotten to encrypt the contents with a key derived from the user-supplied password. Instead, they decrypt the contents with a hardcoded key that is the same on every device, and use the user-supplied password only as an authorization check. Once that check passes, the stick uses its hardcoded key to decrypt the contents.

If you know the hardcoded key and can bypass the authorization check, you can decrypt the contents without ever knowing the user's password, because the password never enters the cryptography at all.

The folks at the security firm SySS have done just that... check it out here.
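To make the design flaw concrete, here is an added illustration (my own code, not from the SySS write-up or any vendor's firmware). It models the two designs side by side: a "flawed" stick that stores a password hash for the gate check but encrypts under a fixed device key, and a "sound" stick that derives the encryption key from the user's password with PBKDF2 and a per-device salt. The cipher is a deliberately simple SHA-256 keystream with an HMAC tag, chosen only so the example runs with the standard library; the device key, password and payload are constructed sample values.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # illustrative work factor, assumed for this example


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks.
    Illustrative only; a real device would use an authenticated AES mode."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and append an HMAC tag so the wrong key is detected on open."""
    ciphertext = keystream_xor(key, plaintext)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_blob(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt. Raises ValueError on a bad key."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key")
    return keystream_xor(key, ciphertext)


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-derived key: different password (or salt) gives a different key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class FlawedStick:
    """The design the post criticises: the password only gates access; the data
    is encrypted under one fixed key baked into every device (constructed value)."""
    DEVICE_KEY = hashlib.sha256(b"constructed-fixed-firmware-key").digest()

    def __init__(self, user_password: str, plaintext: bytes):
        self._pw_hash = hashlib.sha256(user_password.encode()).digest()
        self.blob = seal(self.DEVICE_KEY, plaintext)

    def unlock(self, password: str) -> bytes:
        candidate = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(candidate, self._pw_hash):
            raise PermissionError("wrong password")
        # The password played no part in this key.
        return open_blob(self.DEVICE_KEY, self.blob)


class SoundStick:
    """The correct design: there is no fixed key; the key exists only while the
    user's password is present to derive it."""

    def __init__(self, user_password: str, plaintext: bytes):
        self.salt = os.urandom(16)
        self.blob = seal(derive_key(user_password, self.salt), plaintext)

    def unlock(self, password: str) -> bytes:
        return open_blob(derive_key(password, self.salt), self.blob)


def demo() -> dict:
    secret = b"constructed sample payload: quarterly payroll export"
    flawed = FlawedStick("hunter2", secret)
    sound = SoundStick("hunter2", secret)
    results = {}
    # Both designs look identical to an authorized user.
    results["flawed_ok"] = flawed.unlock("hunter2") == secret
    results["sound_ok"] = sound.unlock("hunter2") == secret
    # Flawed: the ciphertext opens under the device key alone; the password
    # never influenced the key material, so the gate check is all that protects it.
    results["flawed_key_is_password_independent"] = (
        open_blob(FlawedStick.DEVICE_KEY, flawed.blob) == secret)
    # Sound: a wrong password derives a different key and the tag check fails.
    try:
        sound.unlock("not-the-password")
        results["sound_rejects_wrong_password"] = False
    except ValueError:
        results["sound_rejects_wrong_password"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check worth carrying away is the third result: if a product's ciphertext can be opened by anything that does not involve the user's password, the password is an access-control bypass waiting to happen rather than a cryptographic secret, and the stick's security reduces to the strength of that one gate.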

Posted by jcarter at 4:03 PM in News

Thursday, 9 July 2009

Grossman On Fixing WAF Protected Vulnerable Code

Jeremiah's done an excellent write-up on the value of fixing vulnerable code even when the vulnerability has been mitigated with a WAF solution. Unfortunately, there's no retweet feature for blog posts, so I'll just add a direct link to Grossman's post.

Posted by flee at 11:59 PM in News

Wednesday, 4 February 2009

Hacker fall-out from Israeli-Palestinian conflict

This is retired Major Bruce Jenkins of the USAF commenting on cyber attacks originating from the Middle East.

Companies with even the remotest connections to the Middle East should be on guard against a malware or similar cyber-attack as a result of the ongoing conflict between Israel and the Palestinians.

Our observations suggest that a large number of Web sites have been defaced by a variety of hacker groups from Iran, Lebanon, Morocco and Turkey, and the trend is accelerating.

In the past, attacks were focused on the Department of Defense and other government organizations. But as the government, led by the US Air Force, has built up its cyber defenses, hackers need to move to less suspecting targets. Basically this means that any company with an Internet connection and which has perceived or rumoured connections with the two countries involved in this conflict - or has links with allegedly partisan firms who are also connected - could find their Web site and/or Internet-connected systems under active attack.

As a result, many tens of thousands of companies on the Web could find their hacker attack profile raised significantly, often for no good reason other than rumour and innuendo.

These sorts of attacks are random and reflect a hacker herd mentality. As a result, companies of all sizes should take extra precautions to protect their IT resources.

These precautions include ensuring your IT security, operating system and software patches are up to date, and monitoring the firm's network traffic for any unusual activity.

Given the fact that many Western leaders are urging all sides in the current Middle-Eastern conflict to stage a cease-fire and open diplomatic negotiations, most countries are now in the hacker firing line.

Given the fact that the Internet is so pervasive, I think we could see some very driven hacking and cracking attacks on all manner of targets. Companies of all types need to take precautions, especially as the Internet wakes up after the holiday period. Go here for an article on this subject.

Posted by tmckinley at 9:09 PM in News

No noticeable consequences for Monster.com breach -- This stuff drives me crazy!!!!!

So, apparently there have been few if any repercussions for the recent Monster.com breach. Society at large is starting to suffer from "security breach" fatigue, and customers are being told to believe breaches don't matter if SSNs aren't exposed. What will it take to finally get these companies to be accountable for AVOIDABLE losses?

This quote in particular sums it up: "And yet Monster might suffer little fallout - because the overall state of computer security is so bad anyway."

That kind of sentiment wouldn't be acceptable in any other industry. Oy!

http://www.google.com/hostednews/ap/article/ALeqM5g_bw5CTl4CQJz0y50UE_ebQRfJ8QD964UTIG0

Posted by flee at 8:17 PM in News

Tuesday, 3 February 2009

Why they do it: RBS Leak Net $9Mill

So the fallout from the RBS breach last Nov. netted the coordinator(s) $9 million in just one day. The RBS breach is/was one of the cases PCI detractors like to point to as a failure of the standards and of how we currently enforce them. In the absence of real consequences, attacks like these are likely to become more commonplace since the payout is so big.

http://blog.wired.com/27bstroke6/2009/02/atm.html

Posted by flee at 6:46 PM in News

Friday, 9 January 2009

The Vista Blame Game

CNET talking to Steve Ballmer:

CNET News: Obviously, Microsoft didn't necessarily get everything it might have hoped for in terms of the critical response for Vista. What are you guys planning to do differently with Windows 7?

Ballmer: Well, I think we made some choices in Vista to improve security at the kind of expense, if you will, of compatibility. ...

I get nervous when I hear someone say "Our product flopped because we put in too much security," especially when there's no way to know what kind of train wreck it would have been if they hadn't gotten serious about security. We often hold up the Gates memo as the Platonic ideal for executive buy-in, but "when we face a choice between adding features and resolving security issues, we need to choose security" is what got us Vista. Let's hope people understand that, had they chosen features, there wouldn't have been an XP SP2 either, and that would have been an even bigger world of hurt as people fled to other operating systems, or simply decided that computers weren't a reliable way to do business.

Posted by bchess at 10:20 AM in News