Archive for PBS

Lessons Not Learned? Porn Gets Uploaded To Sesame Street Site

Posted in Breach on October 16, 2011 by datasecurityblog

There must be some hand wringing going on at Public Broadcasting Corporation (PBS) tonight.

On the heels of a PBS server breach earlier this year that revealed the passwords of journalists from numerous media outlets, they’ve now had to endure the defilement of their signature children’s program, Sesame Street.

If you grew up watching Oscar the Grouch trading one-liners with Bert and Ernie, you will be horrified to know that for about twenty minutes today X-rated video content was substituted for G-rated content.

It is shocking that anyone would think that putting X-rated content in front of the Sesame Street audience could be justified.

At this time, we don’t know the entry-point for this breach. It does make one wonder what might have happened to cause this incident.

An attacker might have been able to learn the username and password that allows Sesame Street producers to upload new content. As we saw in the breach of the PBS server in May of this year, once an attacker controls one critical system, it is often easy to discover the user names and passwords of users. Often the passwords are trivial to guess, or easy to “crack.”

And, often staff members use the same user/password pair to access multiple systems. It is possible that some sort of password-stealing trojan was used against the staff of Sesame Street. Once the attacker had one or more passwords, he might have found it trivial to impersonate a Sesame Street producer and upload whatever content he wished.

Even after so many attacks in the news (and more that don’t make the headlines), non-technical managers still look at information security as an expense, rather than a strategic investment. They often think that they are not a target since they are not a bank, or the Pentagon, or the FBI, and that they have nothing of value to take. Many non-technical decision makers downplay the risks, and once the risk is lowered, there is no need, in their minds, to take measures to protect the organization’s information assets.

What is disturbing in this case is that, AFTER a breach earlier this year at PBS, it appears that Sesame Street did not take information security measures to protect the most vulnerable members of the PBS audience.

There is a bigger message here for all organizations: Passwords alone are no longer effective in protecting information assets. Users have too many systems to log into to remember long, complex passwords for each system. And, with modern attacks, even THOSE passwords can be cracked or stolen with relative ease.

What’s a solution? Non-technical decision makers need to look at so-called multi-factor authentication. Something you know (a username/password) is one factor, and something you have can be another factor. The best systems combine multi-factor authentication with one-time passwords, so that each time a user authenticates a new, one-time password is used. If an attacker steals that password, it is useless.
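To make the one-time-password idea concrete, here is a small added Python example (not code from the original post) implementing HOTP and TOTP as specified in RFC 4226 and RFC 6238, plus a verifier that accepts each time window’s code only once, so a stolen code cannot be replayed. The shared secret is the published RFC test-vector key, and the OtpVerifier class and its one-step clock-skew window are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector key.
# A real deployment provisions a random per-user secret at enrolment.
SECRET = b"12345678901234567890"

TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6       # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Hypothetical server-side second-factor check (assumption for this
    example). A code is accepted only if it matches a window within the
    allowed clock skew AND that window has not already been consumed."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew             # windows of tolerance on each side
        self.last_counter = -1       # highest window already used

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue             # window already consumed: reject replay
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Stand-alone walk-through: a code works once, then is useless.
    verifier = OtpVerifier(SECRET)
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 61))
```

The replay check is what turns a stolen one-time password into a dead end: even inside the same 30-second window, the second presentation of the same code is refused because that window’s counter has already been consumed.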

Of course we can’t overlook another strong possibility. Research shows us repeatedly that disgruntled employees are often at the root of cyber breaches. I hasten to add that I have no information, aside from what I have read in the press. There are also several types of technologies that would alert management when a staff member engages in unauthorized activity.

Technology provides the answers, but sometimes management has to get stung before they become curious enough to look into them.

By: Ira Victor, G2700, GCFA, GPCI, GSEC, CGEIT, CRISC, Member: HTCIA; Ira Victor is an information security and forensics analyst, and Co-Host of CyberJungle Radio

May 31, 2011 – Episode 215

Posted in Breach, darkweb, ediscovery, Show Notes, The CyberJungle, Vulnerabilities, web server security on May 30, 2011 by datasecurityblog

Episode 215 of The CyberJungle is about 30 minutes long. You can hear it by clicking on the flash player below. You may download the file directly – great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 17:30 mark.

Interview

Checklist Compliance vs. Security, with Lila Kee of GlobalSign. A new study reveals that some healthcare providers spend 100% of their data security efforts on compliance, rather than actual risk reduction.

Our Take on The Week’s News

Privacy: Users aren’t turning on Do Not Track browser features, as reported by Consumer Reports

Become a “Hacker” in 15 Minutes or Less: In a controlled experiment, a small group of volunteers with limited technological knowledge followed an online tutorial to hack into a computer network

Tales from the Dark Web

Lockheed and PBS Join the Roster of Recent Victims as Motives Expand; Almost Anyone Is a Target

Verizon 2011 Data Breach Investigations Report: Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise. Read the important security essentials near the bottom of the news release.

Wrap

Dualboot MeeGoLinux or WIN7 On New Asus ultraslim portable computer
