Navy Federal Credit Union defends its bad security on the grounds that other banks in the industry do the same thing. By that reasoning, if one institution does something wrong it becomes acceptable for everyone else to do it too.
When I wrote “Many Banks failing to use SSL authentication”, I was surprised to see how many people didn’t get it and actually got angry with me for pointing out a serious security issue with online banking, even though all the security experts agree that this is a real, serious problem. But even more of a surprise, one of my more astute readers, “CitizenW”, pointed out to me that Navy Federal has this explanation for their bad security. Now I can understand if some people misunderstood me, but this is official ignorance from the bank itself! If this security hole isn’t fixed immediately, I’m going to keep escalating the situation until it is. Here is my official response to Navy Federal and the people who run their online systems, and I am going to send a copy of this letter to their management.
This is a problem that is only going to grow. NFCU does not have anyone on staff who can explain to their management why these bad decisions are horrible for security, so this problem is not going away anytime soon.
The NSA phone call database is nothing short of a privacy nightmare. Not only is it disconcerting that the President authorized such a program, but the legality of the whole process is still unsettled. The privacy laws in the US are inadequate for issues of this nature.
How long the NSA retains this data, and under what conditions, is one of the remaining unanswered questions. Europe has much more stringent privacy laws, and this excellently written essay explains the contrast in detail.
Why should anyone care that the outcome would have been so different under European privacy law? One reason for the comparison with Europe is that it enables us to understand better current developments in American law. It is striking how similar American and European data privacy law was in the early 1970s, and how different it is today. The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974. Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers. There are many reasons for the divergent paths of the two systems. This latest example of difference highlights one set of reasons: the President’s new constitutional powers in fighting terrorism, post-September 11. Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief. In Europe, that would not be possible.
After reading the entire article I am left wondering just how this is all going to play out in the United States. Sure makes you wonder who our elected officials truly believe they represent.
Mozilla Firefox 1.5.0.4 has been released to address a number of security issues. Update immediately, just to be on the safe side.
If you are interested in information security then you are doing yourself a major disservice if you do not follow the Secunia advisories that are released daily. The following are the top 10 most read advisories based on today’s released Secunia Weekly Summary Issue 2006-22:
1. [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
2. [SA19762] Internet Explorer “object” Tag Memory Corruption Vulnerability
3. [SA20107] RealVNC Password Authentication Bypass Vulnerability
4. [SA19738] Internet Explorer “mhtml:” Redirection Disclosure of Sensitive Information
5. [SA20261] Cisco VPN Client Privilege Escalation Vulnerability
6. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7. [SA18680] Microsoft Internet Explorer “createTextRange()” Code Execution
8. [SA20288] Novell Netware abend.log User Credentials Disclosure
9. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA20300] Basic Analysis and Security Engine “BASE_path” File Inclusion
Secunia offers a number of easy ways to be notified of the latest security vulnerabilities in the software you run. Get on one of their mailing lists, or subscribe to an RSS feed, so that you are notified promptly of any vulnerabilities that affect systems on your network.
Trend Micro, based in Tokyo, Japan, has just announced the release of PC-cillin Internet Security for Windows Vista. Their press release has all the gory details of the release.
A Windows Vista beta version of Trend Micro™ PC-cillin will be available for download at Microsoft’s “Security at Home” Web site, which provides a variety of security information to help customers prepare for Windows Vista.
Trend Micro makes one of the best, and most widely used, anti-virus applications available today. If your company already uses another product, consider a little defense-in-depth by deploying Trend Micro at key points in your network (at the mail gateway or on file servers, for instance, rather than as a second resident scanner on the same hosts).
It would appear that a new Internet Explorer vulnerability has been found: right-clicking on a file containing very specific contents crashes Explorer, and the file can then only be removed from the command line.
This is currently only a proof of concept and the severity is unknown; a crash is a denial of service, and whether it can be turned into anything more has not been established. Look for further information to be released later in the week, as more people become aware of the vulnerability.
If you handle passwords like me then you know how much trouble it is to keep track of the numerous passwords necessary to conduct daily business. Since writing down passwords is about the worst form of password security possible, short of disclosing them to someone else, many turn to electronic means for storing them for easy recall when required. The Mandylion Password Manager is one such device that even went so far as to be certified for use by the U.S. Army.
Unfortunately, we all have to deal with modern life’s little cyber-burden, the password. Some of us do so by simply re-using an old password when the system asks you to change it. Other times we use the same password but just add the month at the end. Some people even resort to keeping their passwords written on yellow sticky notes or in their wallet. None of these options, however, is very effective for protecting your valuable data. Instead, we would like to present a superior solution brought to you compliments of the US Military.
This nifty little gadget holds up to 50 passwords and will even generate them for you. It is small enough to fit on a keychain, so it is easy to keep on your person at all times. It can create passwords according to a number of policy settings and will even prompt for password changes at set intervals. All data is stored in non-volatile memory, so in the unlikely event that the battery dies the passwords remain stored.
If the burden of managing passwords is getting too heavy, this might be exactly what the doctor ordered.
TrueCrypt is an open-source freeware disk encryption application for Windows and Linux. It encrypts on the fly and even offers plausible deniability, by way of hidden volumes, in the event that an adversary forces you to reveal a password. If you need to secure documents, it is well worth a look.
If you have ever worried about catching a virus, or having your computer exploited, before you have even finished patching a fresh install of Windows XP, then this guide by the SANS Institute is exactly what you need. Windows XP: Surviving the First Day is written for the average computer user, to ensure that they can complete an installation of Windows XP without getting 0wned, so to speak.
This is probably one of the best written and best laid out articles on the subject. Whether you are into computer security or not, this is a guide that everyone should follow.
If you are a web developer then you should already be aware of the implications of storing passwords in cleartext in a database. Doing so is one of the largest mistakes you can make when designing the infrastructure for a site. All it takes is one compromised account and an elevation of privilege, and an attacker has the plaintext passwords of every user signed up on the site, and, since people reuse passwords, very likely their accounts elsewhere as well. Imagine the horror!
The PHP Security Consortium has a well written article on using password hashing in web-based applications. If you are still storing passwords in cleartext in a database, I highly suggest reading this article and then working on migrating to storing password hashes instead. Do not be surprised when the inevitable breach comes to light.
In this article I’m going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I’ve been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords. Password hashing is a way of encrypting a password before it’s stored so that if your database gets into the wrong hands, the damage is limited. Hashing is nothing new - it’s been in use in Unix system password files since long before my time, and quite probably in other systems long before that. In this article I’ll explain what a hash is, why you want to use them instead of storing real passwords in your applications, and give you some examples of how to implement password hashing in PHP and MySQL.
If you are in the unlucky position of storing cleartext passwords in a database, writing a script that replaces each password with its hash should be quite easy. Use a per-user random salt and a deliberately slow hash function, and store the salt alongside the hash; an unsalted, fast hash such as MD5 is only marginally better than cleartext once an attacker has precomputed tables. Like I said previously, I highly recommend changing your design if you are using this horrible one. You will thank yourself, and this article, in the long run.
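As an added example (not code from the PHP Security Consortium article, which targets PHP and MySQL), here is the migration and the login check in Python, with an in-memory SQLite table standing in for the MySQL users table. It uses PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison; the table layout, the two sample accounts and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Assumed parameters: raise ITERATIONS until a hash costs ~100 ms on your hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
HASH_ALG = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_<alg>$<iterations>$<salt hex>$<hash hex>.
    Storing the parameters with the hash lets you raise the cost later without
    breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(HASH_ALG, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_ALG}${ITERATIONS}${salt.hex()}${digest.hex()}"


# Work to burn for unknown usernames so login timing does not leak which names exist.
DUMMY_HASH = hash_password("not-a-real-password")


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        alg, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                           # malformed record, never a match
    if not alg.startswith("pbkdf2_"):
        return False
    digest = hashlib.pbkdf2_hmac(
        alg[len("pbkdf2_"):], password.encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations),
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def make_legacy_db() -> sqlite3.Connection:
    """Constructed sample: the bad design, a users table with cleartext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def migrate_to_hashes(conn: sqlite3.Connection) -> int:
    """One-time migration: add password_hash, fill it from the cleartext column,
    and blank the cleartext. Returns the number of rows migrated. (In MySQL you
    would DROP the old column afterwards; old SQLite versions cannot.)"""
    conn.execute("ALTER TABLE users ADD COLUMN password_hash TEXT")
    rows = conn.execute("SELECT id, password FROM users WHERE password_hash IS NULL").fetchall()
    for user_id, cleartext in rows:
        conn.execute(
            "UPDATE users SET password_hash = ?, password = NULL WHERE id = ?",
            (hash_password(cleartext), user_id),
        )
    conn.commit()
    return len(rows)


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate against the hashed column only; parameterised query, no cleartext read."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or row[0] is None:
        verify_password(password, DUMMY_HASH)  # same cost as a real check
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = make_legacy_db()
    print("rows migrated:", migrate_to_hashes(db))
    print("alice/correct:", login(db, "alice", "correct horse"))
    print("bob/wrong:", login(db, "bob", "wrong"))
    print("unknown user:", login(db, "mallory", "hunter2"))
```

Two points worth noting. Hashing the same password twice yields two different records because the salt is random, which is exactly what defeats precomputed tables; and because the iteration count travels with the record, you can bump the constant later and re-hash each user transparently on their next successful login.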