MTA and McAfee Fail

Hello everyone and welcome back to BCB. Just a reminder for everyone that registration for summer semester has begun so please register in order to allow you get the classes you want. As posted in my last post i have a very interesting news regarding our very own MTA as well as a security fail from McAfee.

It seems like this is becoming a weekly occurrence. Huge companies having complete lapses in security. This weeks victim is New Yorks very own MTA. We all know the MTA is under extreme pressure to validate their budgets and explain where the money goes without raising our fares (which they will do regardless). The latest security issue can possibly cost the MTA millions of dollars which can spell bad news for New York transit riders. I first heard the story on a Paul DotCom Security Weekly podcast and read it on The Renderlab. The story was originally reported in the NY Daily News on April 24th. Supposedly the MTA has an issue with people selling Magic Keys for $27 a piece, why this is an issue is because the Magic Key is a key that allows riders to not have to pay for rides on the subway and also opens some private areas in stations. According to the NY Daily News article the police have been diligent in arresting people either using or selling the Magic Keys but it is still an ongoing problem. To make matters worse is in the NY Daily News article there is a picture of one of the reporters holding up a key that may be the actual “Magic Key.” The problem with that is that hackers and professional locksmiths can make copies of these keys using the photograph. The Renderlab article explains how this can be done and that researches have successfully made working copies of keys using photographs. If this is an issue the MTA will have to replace hundreds of locks on security gates and doors at hundreds of stations costing millions of dollars, and who do you think is going to pay for it, you guessed it every New Yorker and every rider of the subway.

This is a serious issue and i hate to see what the fall out will be if the MTA investigation into the issue comes up with the solution to replace all the locks. The next security fail story is from McAfee.

As many know on April 21, 2010 McAfee had what we call in the IT realm as an “Epic Fail.” As reported on CNET on April 22nd, McAfee released a buggy virus definition that attacked a specific Windows XP executable. The virus software registered the SVCHOST.exe as a virus and either quarantined the file or deleted it. This prompts a Blue Screen of Death that starts a reboot process. Upon reboot the system cannot find the SVCHOST.exe and reboots again and this continues. Svchost.exe is an executable that is needed to run certain services on your computer such as audio, themes and DHCP to name a few. Without that file these services cannot run and crashes the system. Many businesses such as police, hospitals, financial institutions and jails were brought to a grinding halt when their systems crashed. McAfee quickly pulled the bad file from its distribution servers but the damage had already been done. This raises a whole slew of questions such as, “Are Anti-Virus companies actually testing the virus definitions?” If the answer to that question is yes then how did this get out without being noticed? The biggest concern is if all it took was one bad bug to cause this much disruption, what must we do to fix this? Just some food for thought!!!

This goes to show you that no matter how much big companies focus on security and making sure things are working properly. For these two companies to have such huge lapses in security is baffling and the bottom line it will or has cost consumers millions of dollars.