San Francisco authorities lose critical computer password
April 20, 2011
San Francisco authorities currently appear to be having embarrassing network issues one more time, after its Fire Department lost the critical computer password for its backup network.
The news come into an inquest into a major fire in the North Beach area of the city on Dec. 31, 2010 which left forty-eight people homeless.
Mayor Ed Lee and other officials "listened with growing disbelief as an emergency services representative casually mentioned that the computer network had crashed as the fire was raging out of control."
When city officials asked whether the firefighters had switched to a backup system, the answer came in the negative. "We couldn't find the computer password, and the only person who knew it wasn't there," the rep replied.
The connection was down for two or three hours, but the rep added, "That's why we have pencils and paper for."
The casual and inappropriate attitude might seem strange in a city that lives in constant danger of being hit by a massive earthquake.
But as division chief Rob Dudgeon added, "We still had radios and cellphones. And it's not like we are going to have Internet connection if we get hit with the Big One."
It's not the first time San Francisco authorities have come to grief over network passwords. Last year, San Francisco's own Terry Childs was given a four-year sentence for locking the city out of its own network.
In other security security news
Internet security provider Barracuda Networks just announced that it has sustained a serious attack on its servers that appears to have exposed sensitive data concerning the company's partners and employee login credentials.
Barracuda representatives didn't respond to emails seeking confirmation of the anonymous post, which claims the data was exposed as the result of a SQL injection attack. Screenshots showed what was purported to be names, email addresses and phone numbers for Barracuda partners from organizations including Fitchburg State University in Massachusetts and the U.K.'s Hartlepool College of Further Education.
But the anonymous post did appear to be authentic, according to some Internet security observers. The spilled contents also included what appeared to be the email addresses and hashed passwords of Barracuda employees authorized to log in to the company's CMS.
The passwords appeared to be hashed using the MD-5 algorithm method that is slowly being phased out in favor of algorithms that are considered more secure options. It was still unclear if the hashed passwords were salted to prevent them from being cracked using various free tools available on the Web.
Overall, SQL injections are the most common form of all Internet-based attacks and have been used as the starting point for an untold number of security breaches, including the one that exposed data for more than 130 million credit cards when confessed hacker Albert Gonzalez broke into credit card processor Heartland Payment Systems.
SQL injection techniques were also the cornerstone in a recent attack on HB Gary, the disgraced security firm that exposed tens of thousands of proprietary emails.
Overall, SQL injection attacks exploit poorly written Internet applications that fail to scrutinize user-supplied data entered into search boxes and other fields included on targeted Web sites. By passing database commands to the site's backend server, attackers can harness the vulnerabilities to view and even modify the confidential contents as much as they wish to.
In total, no less than twenty-two databases with full names including new_barracuda, information_schema and marketing_info were all exposed, according to the post, which was published today. The post indicated that the company's web apps ran on the ASP.net platform.
In other Internet security news
Microsoft said Friday that it is preparing itself for a new Patch Tuesday record with no less than 17 critical security bulletins to be posted tomorrow, nine rated very critical and eight classified as important, as part of the early April edition of its regular monthly updates that are always performed on Tuesdays.
Next Tuesday's security update batch for Windows computers and servers will collectively address a total of 64 security vulnerabilities. Security holes in Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework, Windows Server 2003 and Windows Server 2008 will all be patched.
Some of next Tuesday's security fixes will include a critical SMB Browser security flaw that affects all versions of Windows. Security vulnerability scanning firm Qualys warns that all supported versions of Office and Windows will both need updating, a task that is likely to result in plenty of overtime for sysadmins.
This is a huge update and system administrators should plan for deployment as all Windows systems including Server 2003 and 2008 and Windows 7 are all affected by critical security bulletins," said Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.
Source: The City of San Francisco.
You can link to the Internet Security web site as much as you like.