Gag Orders & Jail Time for Whistle Blowers - 25 Feb 2003

After a couple from South Africa noticed 50,000 British pounds of withdrawals from their dining club card, they contacted Citibank. When they told the company that they had not made those charges, Citibank informed them that they must have, since it was impossible for the encryption protecting ATM PINs to be broken. Hence, Citibank was going to hold them liable for the withdrawals from their account.

In response to the charges, network security researchers were called in to determine whether such a vulnerability was possible. During their research they discovered an extremely alarming vulnerability in the encryption format used to protect the PINs. For their successful research they were rewarded with gag orders, issued by the British courts, to prevent them from releasing their findings.

Once again we have a major corporation feeling high and mighty about the level of security on its systems. Perhaps instead of immediately dismissing the impossible, we should begin to realize that today's impossibility is tomorrow's discovery. Once we fall into the complacency of believing the ridiculous notion that a system is unbreakable, we immediately open ourselves up to a criminal who believes nothing is secure. Perhaps, instead of issuing a gag order on the researchers, the British courts should issue criminal negligence charges against Citibank for not placing a higher priority on the financial information of its customers.

We run into the same sort of pompous "holier than thou" attitude in the U.S. with the recent arrest of a student who apparently broke into his school's network. Now yes, at first glance it seems as if this student did break the law. But if we take a look at the rest of the story, a new angle comes to light.

The student informed his computer teacher of the possibility that a dire network vulnerability existed. The teacher took the right attitude and informed the network administrator. When the network administrator heard what the student said, he merely laughed and said, "It's impossible." (There's the ugly head of hubris poking out again!)

Well, the young student did what any pure-blooded American teenager would have done: he set out to prove them wrong. Boy, did he prove them wrong. According to the article at http://bayarea.com, he downloaded an encrypted file that contained the entire database of teachers' usernames and passwords. (This sounds like he downloaded the Windows SAM database.) He then decrypted the file at home.

The next day he brought in the information to prove his point. Lo and behold, what do they do? They arrest him and press criminal charges. Once again, was the teenager the criminal? Not at all; the administrator should lose his job. The administrator should have taken the student's warning and investigated further. Plus, if the student did merely download the SAM database, the administrator must not have been worth a grain of salt. Every administrator knows of a multitude of ways to protect the SAM database from prying eyes. (I won't go into detail now, but it will be a future article.)

So, instead of this student's talent being noticed and perhaps polished, he will now be a criminal, forever scarred with a blemish on his permanent record. Once again the teachers and administrator failed this student. The student was the victim, not the school.

OK, now to bring this rant to a close. Perhaps we have placed the blame for the media's "Hacker Outbreak" on the wrong party. Maybe we should ask the question, "How was this even possible?" If we look at the issue in that light, the guilty party becomes painfully obvious: the pompous attitude of corporations and educators.

Blake Wiedman
GSecur Founder
admin@governmentsecurity.org

Sources:

"Citibank gags crypto researchers", http://theregister.com/content/55/29446.html

"Student arrested for breaking into school network", http://www.bayarea.com