New Body Scans at Airport Security See Through Clothes

Which would you prefer at the airport security check: a pat down or a "whole body imaging scan" that provides a highly detailed image of all your, um, curves (but does have your face blurred to protect your identity)?

The Transportation Security Administration (TSA) has been testing out these devices, called millimeter wave machines, at Phoenix's Sky Harbor International Airport and this week is adding the machines to Los Angeles International Airport and New York City's John F. Kennedy International.

The TSA says that during the test in Phoenix, 90 percent of travelers preferred the scan to having a full body pat down. The TSA agent viewing the image from one of the devices will be in a separate booth and will not be able to see the traveler's face in order to maintain privacy. After the image has been checked it won't be stored, according to the TSA.

Even so, are these images invasive? What about privacy concerns?According to the TSA blog, "These images are friendly enough to post in a preschool. Heck, it could even make the cover of Reader's Digest and not offend anybody."

The TSA also claims the machine emits 10,000 times less energy than a cell phone transmission.

You can see how the body image is captured in a video here and also watch a demonstration of the actual machine in motion here.

Millimeter wave machines are already in use at airports in Britain, Spain, Japan, Australia, Mexico, Thailand and the Netherlands. [Source CNN]

Posted in | 0 comments

One hack of a phone bill

At least one Australian company every day falls victim to telephone hackers, who rack up an average bill of $78,000, a national telephone security expert said yesterday.

But David Stevens, managing director of Telecoms Security, said most businesses did not realise how easy it was until too late.

Australian Federal Police last night confirmed they were working with their international counterparts to stop hackers hitting Australian businesses, after it was revealed that criminals had penetrated the phone systems of at least two Melbourne companies in recent weeks.

The scam is allegedly being carried out by overseas manufacturers of international phone cards commonly used by students and tourists to make cheap calls.

The card manufacturers are believed to then hack into unsuspecting company's phone systems, known as a private automatic branch exchange (PABX), so the calls made by card users get charged to unsuspecting victims of the scam.

The Camberwell Electrics Superstore and Swinburne University have both been hit with collective phone bills of more than $100,000 of overseas calls. Camberwell Electrics' accountant Chris Koh said the company had been alerted when Telstra called it to ask why they had made $20,000 in overseas calls in less than two weeks.

"The calls were made to Romania, other parts of Eastern Europe, India, Russia and Asia out of office hours," Mr Koh said.

He said the hackers had bypassed codes, passwords and other security systems. Computers ran through combinations in milliseconds until they found the right one to exploit.

A Swinburne University spokeswoman said the university knew nothing of the scams until it received an $80,000 phone bill.

The university's chancellery executive director, Michael Thorne, said the charges related to phone numbers the organisation did not own.

Both companies are fighting Telstra over the bills.

But Mr Stevens said that while most companies took extra steps to protect their IT security from hackers, many left their telephone systems - both traditional PABX systems and modern VoIP systems - vulnerable.

He said telephone hacking was a lot more common than most people realised, and the onus was on businesses to protect themselves.

"Our figures show that one Australian company is being hacked every single day," he said.

Posted in | 0 comments

IIS Hack

Mystery IIS Hack Unveiled

Researchers at SANS have discovered how thousands of Web sites were compromised earlier this year. As a result of the break-ins countless users' computers were infected with malware.

Back in January, thousands of sites running Internet Information Server (IIS) and SQL Server were cracked by what at the time was thought to be some sort of SQL injection attack. As it turns out that is exactly what happened.

While reviewing malicious files served up by a particular server, researchers at SANS stumbled upon an attack tool that revealed exactly what was being done to crack the affected sites. According to the analysis provided by researcher Bojan Zdrnja, the tool queries Google to discover sites that are potentially vulnerable. The tool then tries to launch SQL injection attacks against each identified site. The tool's interface is written in Chinese and also had logic that attempted to contact a site in China to record transaction data.

A SANS blog reader, Nathan, wrote to elaborate on the nature of the SQL query itself. According to Nathan, the query used by the tool iterates through all tables to find specific types of columns and then appends data to existing column field data. The data then appears as part of Web pages at affected sites.

The SANS blog entry has links to a number of Web pages that can help administrators secure their sites against SQL injection attacks.

Posted in | 0 comments

Unplugged 'system error'

MySpace profile hack provides early warning to predators

A security issue on MySpace may put a spanner in the works of law-enforcement efforts to track miscreants using the social networking site.

Many MySpace profiles contain code that subscribes visitors to a profile's video channel. Normally this is all well and good, but hackers are able to subvert the feature for filthy purposes, according to Chris Boyd, security research manager at FaceTime Communications.

Hackers have set up dozens of accounts used as a springboard for spamming or attempts to vandalise other profiles.

The feature (used in conjunction with an IP address tracker) might also be employed by predators to keep tabs on anyone who might be tracking their activities, Boyd says. Although MySpace has made attempts to prohibit the use of IP trackers, miscreants have found a way around these blocks.

Crackers "are using every trick in the book they can to know who is watching them," Boyd said.

In particular, the feature could be used by predators to detect if their attempts to groom youngsters have come to the attention of law enforcement, potentially curtailing or frustrating evidence in child abuse investigations.

The tactic has been in play since at least October 2007. MySpace was informed of the issue in late March but is yet to act. According to Boyd, the social networking site has responded to his concerns about the issue by describing it as a "system error".

Pending a fix from MySpace itself, Boyd has posted advice to surfers about how to avoid tracking here, a tip child abuse investigators might well find useful.

Posted in | 0 comments

Healthcare IT failing on security

Mobile working pushes up data loss risk

The IT security threat posed by healthcare workers is rising as they become increasingly mobile and use laptops containing sensitive patient information.

Unlike some other parts of the world, UK law does not protect data kept on healthcare computer systems beyond 'duty of care' and a professional requirement for patient confidentiality.

The warning from Absolute Software, which specialises in computer theft and asset tracking, follows a spate of high-profile data loss incidents in recent months, including the NHS losing hundreds of thousands of patients' records.

Absolute Software said that, while encryption provides strong external security, the biggest threat is from within.

Employees can get access to encrypted information as they have encryption keys and passwords. Organisations are advised to complement encryption with the ability to remotely delete data from missing computers for the highest level of protection.

The healthcare market also fails accurately to manage mobile computer assets. Absolute believes that, at best, only a fraction of laptops can be accounted for by IT managers.

Many hospitals and clinics allow information to be accessed on open-air terminals, such as ward and nursing stations. But these workstations are at great risk of data breaches and information can be easily accessed and downloaded.

Absolute said that unattended stationary computers should always be monitored and protected with an authentication prompt.

The company also highlighted the difficulty in implementing a comprehensive data security plan.

Healthcare facilities are advised to institute a comprehensive data security plan to secure computing assets and sensitive information which includes both IT and physical precautions.

Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords, the company said.

Lastly, few healthcare facilities have "nightmare scenario" policies in place should a data breach occur.

There should be a standard procedure in place to manage the event, from timely notification of supervisors to informing the police.

Absolute said that, in a data breach situation, computer theft recovery software solutions have the capability to remotely delete sensitive files, track lost or stolen computers and partner with local police in order to recover them.

Posted in | 0 comments