The Harlow Report - GIS

ISSN 0742-468X
Since 1978
On-line Since
Y2K

Archived Industry Notes: Technology
Published in 2010

Ghost in the machine: Database weaknesses expose SAP deployments

Researchers have found glaring vulnerabilities in the way SAP interacts with the database layer that would allow remote attackers to own a company’s SAP systems, including controls that manage sensitive functions, such as vendor and invoice creation, simply by compromising the database that lays at the heart of a SAP deployment. Speaking at a recent conference, a security researcher for Argentinean firm Onapsis highlighted how a malicious attacker can create a nearly undetectable ghost user account in SAP once he gains unauthorized access. Access can be gained by attacking vulnerabilities in any one of the layers that make up an integrated SAP deployment: the operating system layer, database layer, application layer, or SAP business layer. One of the biggest misconceptions that enterprises have about SAP systems is that their security is simply a function of implementing proper segregation of duties. Onapsis is releasing a free, new tool that helps detect the creation of ghost users within SAP systems. While the tool can be useful in fighting fraud within compromised systems, it is important to remember one critical fact, the researcher said. “In order to install a back door, the attacker needs to compromise the system first.”

Details Here

first published week of:   08/09/2010

Global e-crime gang transitions to crimeware

The world’s most prolific phishing gang has completed a transition from using conventional phishing to massively propagating stealthy password-stealing crimeware that does not require user cooperation to surrender financial account credentials, according to a report by APWG. While the Avalanche botnet infrastructure had been used to launch conventional spam-based phishing attacks over the past two years, the phishing has been replaced with a scheme that infects users’ PCs with the potent Zeus Trojan, a powerful banking credential-stealing malware. The phishing syndicate had been successfully using the Avalanche botnet for conventional spambased phishing attacks that provoke a user to visit a counterfeit website and enter or his or her credentials. This Avalanche phishing accounted for two-thirds of all phishing attacks observed worldwide in the second in late 2009. But the Avalanche infrastructure was involved in just four conventional phishing attacks in the month of July 2010. Instead, the Avalanche-based syndicate ramped up a concerted campaign of crimeware propagation to fool victims into receiving the Zeus crimeware and infecting their PCs with it. Avalanche has been sending billions of faked messages from tax authorities such as the IRS, false alerts/updates purporting to be from popular social networking sites, and other lures. These lures take victims to drive-by download sites, where the criminals infect vulnerable machines.

Details Here

first published week of:   10/25/2010

Google and Verizon offer a vision for managing Internet traffic

Google and Verizon on August 9 introduced a proposal for how Internet service should be regulated - and were immediately criticized by groups that favor keeping the network as open as possible. According to the proposal, Internet service providers would not be able to block producers of online content or offer them a paid “fast lane.” It says the Federal Communications Commission should have the authority to stop or fine any rule-breakers. The proposal, however, carves out exceptions for Internet access over cellphone networks, and for potential new services that broadband providers could offer. In a joint blog post, the companies said these could include things like health care monitoring, “advanced educational services, or new entertainment and gaming options.” The two companies are hoping to influence regulators and lawmakers in the debate over a principle known as net neutrality, which holds that Internet users should have equal access to all types of information online. But some proponents of net neutrality say that by excluding wireless and other online services, Google and Verizon are creating a loophole that could allow carriers to circumvent regulation meant to ensure openness.

Details Here

first published week of:   08/16/2010

Google asked to drop “launch now, fix later” policy

Government officials from 10 countries sent Google an open letter(PDF) this week asking the company to adhere to a list of privacy principles in the wake of the company’s botched Buzz launch. The leaders, which include officials from Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain, and the UK, make it clear that they understand Google swiftly responded to user complaints immediately after Buzz was opened to the public. Still, they’re unsatisfied with Google’s “launch now, fix later” philosophy and want to ensure the company takes privacy into serious consideration before launching future products.

Details Here

first published week of:   04/19/2010

Google delays its 1Gbps fiber announcement

Google pledged to unveil the winner of its Google Fiber initiative by the end of the year, but that date has now slipped into 2011. For the cities so eager to host the project that they even changed their name, the delay may be frustrating—but Google says it's simply due to the overwhelming demand.

Earlier this year, Google announced an ambitious plan to pick one US community and wire it with 1Gbps fiber, then make that new fiber network “open access” (any Internet provider could sell service on it).

The announcement unleashed pent-up demand for world-class broadband networks among midsize US communities. Many immediately resorted to carnival-hawker tactics; the city of Topeka changed its name to Google, Kansas, while a Raleigh, North Carolina city council member offered to name his unborn twins Sergey and Larry Gaylord if Raleigh got the nod.

Details Here

first published week of:   12/13/2010

Google Stops Wi-Fi Mapping Project After "Mistakenly" Scoring Personal Data

AFP reports that Google is frantically attempting to get rid of data the company now wishes it hadn’t acquired. Google sends out cars across the world for mapping purposes as well as photographing at ground level for Street View. They’ve also been using those Street View cars to map unsecured Wi-Fi hotspots, presumably to insert them into Google Maps so travelers will be able to find places with available wireless Internet.

It’s a cool idea, but apparently some information found its way from that survey into Google’s servers. Most unsecured wireless networks are intentionally unsecured, like in cafes or public hotspots. But some are unsecured because its users either don’t know or don’t care that a lack of security puts their data at risk. Google’s Street View cars were gathering more data than they wanted or needed, it seems.

Nothing illegal was happening here; there was no hacking involved (these are unsecured, after all) and it’s very doubtful there was malicious intent. But it’s still creepy for Google to have access to personal data gathered from a roving high-tech car outside your window. Said Alan Eustace, a Google senior VP:

Details Here

first published week of:   05/17/2010



Archived Gov't Notes Archived Technology Notes Archived Utility Notes
return to current news

Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in C:\domains\STP100152\theharlowreport.com\wwwroot\2010\archivenotes10\archivenotes10_TECH.PHP on line 204

Warning: include(http://www.theharlowreport.com/2007/Amazon_context.txt): failed to open stream: no suitable wrapper could be found in C:\domains\STP100152\theharlowreport.com\wwwroot\2010\archivenotes10\archivenotes10_TECH.PHP on line 204

Warning: include(): Failed opening 'http://www.theharlowreport.com/2007/Amazon_context.txt' for inclusion (include_path='.;C:\php\pear') in C:\domains\STP100152\theharlowreport.com\wwwroot\2010\archivenotes10\archivenotes10_TECH.PHP on line 204