Wednesday, 06. November 2002
Insurance group HUK-Coburg exposed customer data on the open web and files criminal charges against data protection advocates
Until recently, the insurance contracts of HUK24, the online subsidiary of the Franconian insurance group HUK-Coburg, were freely accessible together with all customer data through an open server directory. Following tips from the hacker scene, the serious security hole was discovered on Sunday by, among others, Jena computer enthusiast Christian Kahlo. The same day Kahlo, an employee of the e-commerce specialist Intershop, informed the online insurer's data protection officer via a form on the website. When even a phone call to the responsible web administrators initially produced no reaction, Kahlo, together with the Jena data protection expert Lutz Donnerhacke, downloaded the customer list from the net and went public with a posting to the debate mailing list of Fitug (Förderverein Informationstechnik und Gesellschaft).
"It was a huge XML file with all the contracts, containing personal data such as telephone, fax and in some cases e-mail, as well as information on occupation and date of birth for more than 2500 customers," Donnerhacke told heise online. The list had not been protected: "To retrieve the complete server directory, all you had to do was delete the ending 'index.html' from the web address on a subpage of the tariff overview," Donnerhacke stressed. The complete server configuration and the private keys for the SSL security protocol had also been accessible this way. The computer experts identified the server software as an Apache version more than a year old, running on a Windows system. A security update, which should have been applied at the latest after several Apache worms "rampaged" in the summer, had not been installed.
By their own account, Kahlo and Donnerhacke were at first downright "shocked" by the find. They pondered whether to inform the affected customers by fax or e-mail about the sloppy handling of their data, after the only initial reaction from Coburg consisted of "hiding" the XML file on the server as an even more easily downloadable, compressed Zip version. "48 hours should really be enough to close a hole like that," Donnerhacke says. But Kahlo is skeptical of "any deals to quietly sweep such embarrassments under the rug".
The attention the case is now receiving from the online public has at least led to the HUK24 site's server directory no longer being viewable by altering the web address. As of this Wednesday, however, the insurance group has not issued a statement, even on request. An irony on the side: HUK24 advertises on the web precisely with its "exemplary security concept". There it says, verbatim: "Taking out an insurance policy is purely a matter of trust, and only when you really feel safe do you give HUK24 your trust." For this reason the company places "great value" on the topics of data minimisation, data security and data protection.
The discoverers do not believe that the bearers of the contrary news could now face legal consequences under the relevant hacker paragraphs of the German Criminal Code. "Paragraph 303 definitely does not apply," Donnerhacke is sure, since there had been no alteration of the system. Nor was there any "spying out" of data, which is punishable under Paragraph 202 StGB. "That requires special protection," explains the co-founder of the Jena Internet provider IKS. But the HUK24 website had not even asked for a password.
Meanwhile the insurance group has officially commented on the incident. It regrets the error, and although it assumes that the affected customers suffered no damage, it will inform them about the matter. The data had "essentially been application data for motor vehicle insurance". The error had occurred in the course of maintenance work and was closed immediately after it became known. Whether the discoverers of the security hole can feel as safe as Donnerhacke believes may yet remain to be seen. For HUK24 has initiated criminal proceedings "for the procurement and possible dissemination of illegally obtained data". (Stefan Krempl) [heise]
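A defender-side check for the two exposures this report describes (a listable server directory, and server configuration plus SSL private keys sitting inside the web root), written here as an added example that is not from the heise article or from HUK24's systems; the directory layout, file names and the `Options +Indexes` line are constructed for the demo:

```python
"""Audit a web document root for the exposures described above: directories
the server would list when directory indexing is on (no index file), and
server configuration or private keys placed where the web server can serve
them.  Added example; the tree built by build_demo_docroot() is constructed."""
import os
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}
CONFIG_SUFFIXES = (".conf", ".ini", ".htpasswd")
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def is_private_key(path):
    """Sniff the first bytes of a file for a PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            return PRIVATE_KEY_MARKER in fh.read(256)
    except OSError:
        return False


def audit_docroot(root):
    """Return sorted (kind, relative_path) findings for a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # With Options +Indexes, a directory lacking an index file is listed,
        # which is exactly what dropping index.html from the URL reveals.
        if not INDEX_NAMES.intersection(files):
            findings.append(("listable-directory", rel))
        for name in files:
            full = os.path.join(dirpath, name)
            if is_private_key(full):
                findings.append(("private-key", os.path.relpath(full, root)))
            elif name.endswith(CONFIG_SUFFIXES):
                findings.append(("config-file", os.path.relpath(full, root)))
    return sorted(findings)


def build_demo_docroot():
    """Constructed tree: a tariff page, plus config and a key under docroot."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "tarife"))
    os.makedirs(os.path.join(root, "conf"))  # no index file here
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>home</html>")
    with open(os.path.join(root, "tarife", "index.html"), "w") as fh:
        fh.write("<html>tariffs</html>")
    with open(os.path.join(root, "conf", "httpd.conf"), "w") as fh:
        fh.write("Options +Indexes\n")  # the weak setting; -Indexes fixes it
    with open(os.path.join(root, "conf", "server.key"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n")
    return root
```

Run `audit_docroot(build_demo_docroot())` to see the three findings; on a real server the same walk over the DocumentRoot flags what belongs outside it or behind `Options -Indexes`.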
Monday, 21. January 2002
Software uncovers e-mail untruths
SAS Institute has developed software that it says can sift through e-mails
and other electronic text to discern falsehoods. "The patterns in people's
language change when they are uncertain or lying," says Peter Dorrington,
business solutions manager at SAS. "We can compare basic patterns in words
and grammatical structures versus benchmarks to detect likely lies." For
instance, over-use of the word "or" and too many adjectives can be
giveaways, according to Aldert Vrij's book, "Detecting Lies and Deceit."
SAS says its software can also be used to detect inaccuracies in resumes and
job applications. (*Financial Times*, 20 Jan 2002; NewsScan Daily, 21 Jan
2002) http://news.ft.com/news/industries/internet&e-commerce
[Risks? What risks? PGN] ["NewsScan" via risks-digest Volume 21, Issue 88]
Wednesday, 09. January 2002
Reinventing snake oil: compression
Snake oil is on the rise. Latest to join the fray is Zeosync
(www.zeosync.com), which announced on 7 Jan 2002 that they have new
algorithms that can provide 100:1 lossless data compression over
"practically random" data. (What they mean by "practically" isn't defined.)
Lots of criticism and proofs that it's impossible in Slashdot
http://slashdot.org/article.pl?sid=02/01/08/137246&mode=thread
and elsewhere. So far the algorithms haven't been given, except to provide
the single longest stream of buzzwords I've seen in a long time. The one
part that says it might not be 100% snake oil is that they have a Fields'
Prize winner as one of the participants.
The risk here is that they've added enough buzzwords to the announcement
that some people might actually believe it. The media doesn't seem very
skeptical, which they should be. Reuters quoted David Hill, an analyst with
Aberdeen Group as saying "Either this research is the next 'Cold Fusion'
scam that dies away or it's the foundation for a Nobel Prize. I don't have
an answer to which one it is yet." Others have been much more willing to
figure out which way it's going. Remember the 1999 story about the
16-year-old Irish girl whose new form of cryptography would revolutionize
the world? ["Jeremy Epstein" via risks-digest Volume 21, Issue 87]
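The impossibility proof the item points to, in its simplest pigeonhole form, worked through in Python as an added example (not code from the RISKS item or from Zeosync); the input sizes, the fixed seed and the zlib comparison are assumptions chosen for the demo:

```python
"""The counting argument behind "100:1 lossless compression of random data
is impossible", made concrete.  Added example; sizes and seed are chosen
for the demo, and zlib stands in for any real general-purpose compressor."""
from fractions import Fraction
import random
import zlib


def max_shrinkable_fraction(n_bits, k_bits):
    """Upper bound on the fraction of n-bit inputs that ANY lossless scheme
    can map to outputs at least k bits shorter.  A lossless scheme must be
    injective, and there are only 2**(n-k+1) - 1 bit strings of length
    0..n-k, so at most that many of the 2**n inputs can shrink by k bits."""
    if k_bits <= 0:
        return Fraction(1)
    if k_bits > n_bits:
        return Fraction(0)
    return Fraction(2 ** (n_bits - k_bits + 1) - 1, 2 ** n_bits)


def ratio_claim_fraction(n_bytes, ratio):
    """Fraction of n-byte inputs any lossless scheme could compress by
    `ratio` (100 for 100:1); every other input stays the same size or grows."""
    n_bits = 8 * n_bytes
    out_bits = n_bits // ratio
    return max_shrinkable_fraction(n_bits, n_bits - out_bits)


def zlib_min_ratio(n_bytes, trials, seed=1234):
    """Smallest (compressed / original) size ratio zlib reaches on
    pseudo-random inputs.  It stays above 1: random bytes carry no
    redundancy to remove, and the container framing adds overhead."""
    rng = random.Random(seed)  # fixed seed: deterministic demo input
    best = None
    for _ in range(trials):
        data = bytes(rng.getrandbits(8) for _ in range(n_bytes))
        ratio = Fraction(len(zlib.compress(data, 9)), n_bytes)
        best = ratio if best is None or ratio < best else best
    return best
```

For 100-byte inputs, `ratio_claim_fraction(100, 100)` is below 2**-790, i.e. the claimed 100:1 ratio can hold for essentially none of the "practically random" inputs, whatever the algorithm.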
Wednesday, 26. December 2001
Secure in, insecure out
As readers of RISKS know, many Internet users think that HTTPS is equivalent
to security. Here's an example where that went badly wrong.
My employer uses an online service to handle signups for the flexible
spending plan (*). It uses an HTTPS form to collect the usual personal
info: name, address, social security number, and amount to be deducted. So
far, so good. I don't know what it does with the information (presumably
puts it in a database, which has its own issues). Then they e-mail the
information back to the user for confirmation, including the SSN.
Interestingly, *someone* at the company understood the risks, because their
"security and privacy" policy on their home page notes that unencrypted
e-mail is not safe. (**) Whoever wrote that policy obviously wasn't working
with the people building the system.
The response when we pointed the problem out was "we use HTTPS, so we're
secure". After several rounds of back-and-forth with the vendor, they
admitted the problem, and proposed to fix it early next year. Since this is
software that gets used once a year (to meet the Dec 31st deadline), that
was clearly a silly proposal, since all users would be forced into using the
incorrect version. So after some arm-twisting, they changed the
confirmation message to eliminate all but the last 4 digits of the SSN. A
big improvement.
The risk here is that this is a commercial system that's presumably used by
many other companies besides ours. How many other companies use this flawed
system and never objected? And how many other equivalent systems are there
out on the net? If I were looking for an easy way to commit identity theft,
I'd be monitoring e-mails coming out of that company... chances are there's
a lot of good info! (Which is why I'm not giving their name or URL!)
-----
(*) A flexible spending plan is established by US tax law to allow tax-free
deductions from salary into an account which can then be used to pay for
medical or child care expenses. By law, you have to decide by December 31st
how much money will be deducted in the following year, and you (generally)
can't change that decision once it's made. Also, any unspent money is not
returned to the employee, so it's important to estimate accurately. Because
of the legal Dec 31st deadline, it wasn't possible/feasible to wait for a
more appropriate resolution of the problem.
(**) I did a Google search on the actual phrase used on their Web page to
see if it would disclose who the vendor is. They were the only vendor of
their type who used the particular phrase, which is why I haven't quoted it
verbatim, but it seems to be a catch phrase used in MANY security and
privacy policies. So perhaps they just cut & pasted it without having a
clue what it meant.
--Jeremy
P.S. Yes, I understand there are a lot of other risks in this system besides
just sending the SSN unencrypted. This was just particularly egregious. [Jeremy Epstein via risks-digest Volume 21, Issue 83]
Wednesday, 30. November 1994
British Telecom "hacker" article was a hack!
[Thanks to sidney@apple.com (Sidney Markowitz) for letting me see
copyrighted Newsbytes material, which I have starkly abstracted. PGN]
Steve Fleming, the reporter noted in RISKS-16.58 as responsible for the
article on the "hacking" of BT's Customer Service System (CSS), has admitted
that he himself was the unknown Internet hacker. ``Instead of gaining
unauthorized access to the BT computers, he actually worked for a lengthy
period of time (three months, according to Newsbytes sources) and was
required to access the CSS computer system as part of his job. "I didn't
realize how sensitive the information was, but I was horrified how easy it
was to get into the system," he is quoted as saying in the London Observer
newspaper.'' Fleming may be prosecuted. [sidney@taurus.apple.com (Sidney Markowitz) via risks-digest Volume 16, Issue 59]
Friday, 31. January 1992
Another hacking myth
There has been an instructive little flurry about hacking in the British press.
It starts with Police Review, 17 January 1992: A columnist, C H Rolph, writes:
"Did you know that there are hackers (i.e., people who make a hobby out of
studying and programming other people's computers, or who get unauthorised
access to computer systems by telephone) making a good living out of `cleaning
up' people's driving licences. A wealthy man with an endorsed licence will pay
a lot to have his file beautified at the Driver and Vehicle Licensing Centre at
Swansea. I'm told that for 100 pounds a point, it is possible to get an
endorsement completely erased, and then apply for and get an unblemished
licence. Or was, until fairly recently."
The Times took up this "revelation" and, on 20 January, reported that "an
investigation is under way after claims that computer hackers are wiping
motorists' penalty points from the DVLC computer in Swansea. The hackers are
charging 100 pounds for each penalty point, according to the Police Review".
On 31 January, C H Rolph returned to the affair. He referred to the Times story
and said "I didn't quite say that. I said there were allegations that this *had
been* going on. And it turns out that there had certainly been attempts. The
Driver and Vehicle Licencing Centre at Swansea tells me that the story first
appeared in the *Sun* in 1986, and that it was at once jointly investigated and
refuted by the DVLA and Scotland Yard ... "
Looks like pretty bad behaviour by C H Rolph (a former senior police officer,
by the way). His original story seems to have had no foundation whatsoever (the
*Sun* is not a serious newspaper), but he is trying to wriggle out of accepting
fault. And the Times doesn't come out of it well, either. Doesn't *anyone*
check out hacking stories, or do journalists prefer urban myth? (I write as a
journ.)
[This sounds as if an old tale had been warmed over. See RISKS-2.38,
8 April 1986, for Brian Randell's contributed item on the alleged DVLC
hacking activities. (See also Software Engineering Notes, vol 11, no
2, April 1986, page 4. [The reference is WRONG in the RISKS INDEX,
which appears once again in the January 1992 issue of SEN, pp. 23-32.
I just noticed that in digging for the original.) PGN] [Robert Jenkins via risks-digest Volume 13, Issue 09]
disLEXia, a research project by Maximillian Dornseif