____/ Mark Kent on Wednesday 05 December 2007 12:38 : \____
> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> espoused:
>> ____/ Mark Kent on Tuesday 04 December 2007 11:18 : \____
>>
>>> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> espoused:
>>>> ____/ Mark Kent on Tuesday 04 December 2007 08:38 : \____
>>>>
>>>>> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> espoused:
>>>>>> Microsoft wireless keyboards crypto cracked
>>>>>>
>>>>>> ,----[ Quote ]
>>>>>>| Bluetooth is increasingly becoming the de-facto standard for wireless
>>>>>>| communication in peripheral devices and is reckoned to be secure. But
>>>>>>| some manufacturers such as Logitech and Microsoft rely on 27 MHz radio
>>>>>>| technology which, it transpires, is anything but secure.
>>>>>> `----
>>>>>>
>>>>>>
>>>>>> http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/
>>>>>>
>>>>>> Also the proprietary QuickTime for Windows should now be treated as a
>>>>>> security hazard.
>>>>>>
>>>>>
>>>>> Nothing sent by radio is ever likely to be proof against eavesdropping.
>>>>> Perhaps using modulated lasers is one of the safe methods, but even that
>>>>> could be sniffed using partially silvered mirrors.
>>>>>
>>>>> It's also possible to sniff signals through fibres by curving them
>>>>> around a sufficiently narrow bend radius that they leak light. That
>>>>> light can be collected and demodulated. Coaxial transmission systems
>>>>> all leak a little, as do twisted pairs and fixed-separation transmission
>>>>> line systems.
>>>>
>>>> Yes, but that's why it should be encrypted properly, which in this case it
>>>> wasn't (and still isn't). Being an embedded device like this, you can't
>>>> just reflash to patch.
>>>
>>> Quite right, you can't. One wonders if open-source designs aren't the
>>> best way forward, since it could be possible to easily reflash with all
>>> manner of suitable encryption tailored to personal need. I'm not sure
>>> that HMG would accept this at 27MHz, though, since inter-continental
>>> transmission is regularly possible in this part of the spectrum with
>>> relatively low power.
>>>
>>>>
>>>>> Not so long ago, some researcher in the UK (Cambridge?) came up with
>>>>> a method for detecting the content of CRT screens remotely by radio
>>>>> detection. He showed his system displaying the screen of a nearby
>>>>> monitor sufficiently clearly to be easily read.
>>>>>
>>>>> The best way to keep a secret is, well, don't tell anyone. If secret
>>>>> data needs to be on a machine, then it should be encrypted, with strong
>>>>> encryption, and should be physically isolated, ideally within a Faraday
>>>>> cage to eliminate as far as possible eavesdropping opportunities.
>>>>
>>>> Kind of like WEP.
>>>>
>>>>> Even then, as HMG found out recently, people make mistakes and
>>>>> accidentally send the bank account details, names, dates of birth of
>>>>> Parents, children, NI numbers and more unencrypted on CDs through the
>>>>> post across the country.
>>>>>
>>>>> Of course we can trust the government!
>>>>
>>>> Well, the NHS have lost 3.6 billion pounds more than the value of this
>>>> data. People just need to change their passwords... and names... and start
>>>> a new family... and open a new bank account...
>>>>
>>>>
>>>
>>> If the data really makes it into the criminal world, it's quite possible
>>> that millions of people could be defrauded and have no idea even how to
>>> check on it.
>>
>> Worse -- it could make it into the /hands/ of millions (just potentially,
>> taking it to the extreme, so consider this a figure of speech). The nature
>> of such leaks is that once they are out there, they spread. You could soon
>> get your own copy via a torrent, for example. That's just the nature of
>> private data which is so trivial to duplicate. I bet the underground world
>> might be having a good time with those CDs if they reached the wrong hands
>> and the recipient realises the monetary value of this data.
>>
>
> Hopefully this has capped any further foolishness about ID cards,
> though. Only politicians could be so naive to believe that a government
> could successfully manage such data without security compromise.
Like a toddler hiding behind a stool and thinking that if he can't see /you/,
you can't see him/her. Bruce Schneier's take on this was interesting.
How about this one?
Details of the largest breach of customer data are starting to come to light.
,----[ Quote ]
| "The people who started the breach opened up the back of those terminals and
| used USB drives to load software onto those terminals," says the source. In a
| March filing with the Securities and Exchange Commission, TJX acknowledged
| finding "suspicious software" on its computer systems.
|
| The USB drives contained a utility program that let the intruder or intruders
| take control of these computer kiosks and turn them into remote terminals
| that connected into TJX's networks, according to the source. The firewalls on
| TJX's main network weren't set to defend against malicious traffic coming
| from the kiosks, the source says. Typically, the USB drives in the computer
| kiosks are used to plug in mice or printers. The kiosks "shouldn't have been
| on the corporate LAN, and the USB ports should have been disabled," the
| source says.
`----
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201400171
Update -- TJX Reveals Extent Of Hacker Damage
,----[ Quote ]
| In Wednesday's filing, TJX said for the first time that it first learned
| that there was suspicious software on its computer system on Dec. 18, 2006.
`----
http://www.forbes.com/2007/03/29/tjx-companies-fraud-markets-equity-cx_mk_0329markets35.html?partner=yahootix
http://tinyurl.com/38tyyq
--
~~ Best of wishes
Roy S. Schestowitz | "Mod me up and I'll mod you 'insightful'"
http://Schestowitz.com | GNU is Not UNIX | PGP-Key: 0x74572E8E
roy pts/2 cg093a.halls.man Wed Dec 5 11:01 still logged in
http://iuron.com - proposing a non-profit search engine