The San Francisco story is sounding more like a techie's personal tragedy and less like terrorism or hijacking or a ransom thing. Paul Venezia was contacted by someone in the IT department who knew Terry Childs, the "rogue admin."
Apparently Childs is a highly talented admin who is obsessed with his network. If the anonymous source is painting an accurate picture, then it's just an unfortunate combination of limited social skills on his part and hysterical overreaction on the part of his managers.
It's not an easy fix because it requires planning ahead, discipline, and effort. But it's essentially why banks can hire low-wage tellers and not worry about theft at the till (or at least not as much).
San Francisco has lost control of their FiberWAN. It's not clear how much this affects day to day operations, since the city appears to still be working. And that in itself is a tribute to separation of duty.
There's some terrific stuff here. Unfortunately, it's packaged with Internet-based password selection.
Get it straight: you're only supposed to share your passwords with yourself and your keyboard. You aren't supposed to ask your astrologer for one, or collect one from someone on the bus, or at a cocktail party. And never, ever from an Internet web site.
Someone picked up the domain 'highsecuritypasswordgenerator.com' and has proceeded to implement a password generator on it. The generator applies a common technique (I described it in my book Authentication) wherein you choose two words from long lists and separate them with a special character of some sort.
The down side should be obvious to anyone who thinks about web security: the password is shared with the password generating site and with anyone who sniffs the web page as it travels across the Internet.
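The same two-words-plus-separator scheme can be run locally, so the password never leaves your own machine. The following is an added example, not code from the site or from my book; the word lists and separator set are constructed and deliberately tiny, and `is_well_formed` is a helper added for checking the output.

```python
import math
import secrets

# Constructed sample lists. A real deployment would load long lists
# (thousands of entries) from local files so the word space is large.
WORDS_A = ["anchor", "bishop", "copper", "dragon", "ember", "falcon", "garnet", "harbor"]
WORDS_B = ["lantern", "meadow", "nickel", "orbit", "pepper", "quartz", "ridge", "saddle"]
SEPARATORS = "!@#$%^&*-_=+"


def generate_password(words_a, words_b, separators):
    """Pick one word from each list and join them with a separator.

    secrets.choice is a CSPRNG, and everything happens locally, so the
    password is shared only with you and your keyboard.
    """
    return secrets.choice(words_a) + secrets.choice(separators) + secrets.choice(words_b)


def entropy_bits(words_a, words_b, separators):
    """Entropy of the scheme: log2 of the number of equally likely outputs.

    With the 8 x 12 x 8 constructed lists above this is only ~9.6 bits;
    two 4096-word lists and 12 separators would give ~27.6 bits.
    """
    return math.log2(len(words_a) * len(separators) * len(words_b))


def is_well_formed(password, words_a, words_b, separators):
    """Check that a password has the expected word-separator-word shape."""
    for sep in separators:
        head, found, tail = password.partition(sep)
        if found and head in words_a and tail in words_b:
            return True
    return False


if __name__ == "__main__":
    pw = generate_password(WORDS_A, WORDS_B, SEPARATORS)
    print(pw, "entropy bits:", round(entropy_bits(WORDS_A, WORDS_B, SEPARATORS), 2))
```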
The City of San Francisco has just suffered what sounds like the nightmare scenario of an insider attack on their computing infrastructure.
The 'disgruntled employee' who reportedly was 'disciplined for poor performance' had enough access to critical system components to give himself exclusive control of the infrastructure and apparently lock out other administrators. The system is said to still be running, but administrators have little control over it.
So what's the lesson here?
DNS is vulnerable. Duh.
The real news here is that multiple vulnerabilities have been lashed together into a new, more effective attack.
This particular report is pretty closely tied to the primary reports from CERT. As such, it is factual without being sensational (and borderline silly) like postings on various newspaper blogs.
If this article had been written in 1935 about Karpis, Dillinger, and their friends, the author would have said things like "Cars, Red Meat, Cash, Lake Cottages," and other non-criminal things that we look upon as either necessities or calm, conventional parts of life.
The "cybercriminal" list includes things like "Broadband, Wi-Fi, Removable Media..."
A realistic list should indicate things that really matter, like Executable Content, Non-existent Vendor Quality Control, or Languages that Ignore Buffer Overflow.
A recent article on Wired News by AP writer Anick Jesdanun talks about the problem of trigger-happy Internet Service Providers (ISPs) who are inclined to take a customer off-line at the first hint of "trouble" - where trouble is defined as any complaint that sounds scary: porn on non-porn vendors, copyright infringement, or posting "hacker tools."