IRS Puts Taxpayer Data at Risk
Saturday September 6, 2008
It is one thing when TJ Maxx or The Gap are careless with employee or customer data. Everyone entrusted with sensitive information such as addresses, birthdates, credit card information, bank account data, social security numbers, etc. should take the responsibility that comes with that trust very seriously. But, one institution that should put protection of personal and sensitive data above all else is the Internal Revenue Service (IRS). However, a recent report from the Treasury Inspector General for Taxpayer Information, a government agency, shows that they discovered almost 2,000 rogue, unidentified web servers within the IRS. Their review of the IRS systems also found more than 2,000 web servers with at least one known vulnerability, 540 of which have at least one Highly Critical vulnerability. To me, this is just inexcusable. It is unacceptable for the organization entrusted with the income tax information for every working American to have problems of this magnitude. You can read the report (Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network) for more details on your tax dollars at work.
Don't Underestimate the Need for Security
Friday September 5, 2008
A while back I wrote a blog post called '4 Minutes to Compromise' noting that a recent report claimed that an unpatched and unprotected Windows XP system would not last more than 4 minutes on the public Internet without being compromised. Along those same lines, About.com's Internet for Beginners Guide Paul Gil recently addressed the question So, How Bad is the Threat of Hacking? Four minutes seems pretty bad. It is certainly not enough time to download and install the patches and updates necessary to protect the system. Paul's post includes an interview with whitehat hacker Jacques Erasmus and a demonstration of just how fast these systems can be 0wn3d.
Is Your 'Contactless' Credit Card Secure?
Friday September 5, 2008
You have probably noticed that most retail establishments now have you swipe your own credit card. That is based, at least in part, on a goal to never have your card leave your possession for security reasons. Of course, who knows what happens or who records the information from your credit card every time you give it to a waiter or waitress at a restaurant...but that is another story. The newer trend is 'contactless' credit cards that don't even need to be swiped. They only need to be waved in the proximity of the reader. This is accomplished using RFID chip technology. The RFID chip contains your credit card information, and the scanner is an RFID scanner that can capture that information. It is a little like wireless network technology though. What about others in close proximity? If the retail scanner can pick up your credit card info from 6 inches away, then couldn't any attacker with a pocket-sized RFID scanner that manages to get within 6 inches of your wallet do the same thing? The Discovery show Mythbusters attempted to examine this very issue. However, according to co-host Adam Savage (as quoted in this article from The Register), when the Mythbusters team set up a meeting with Texas Instruments to get more information about the RFID technology and how it is protected, they were blindsided with an army of credit card industry lawyers. Savage says "they [MythBusters production team] were way, way outgunned and they [lawyers] made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was." So, we apparently won't get to see the Mythbusters episode, but is the implication of this strong-arm legal censorship that your contactless credit card is not secure? Do Visa, Mastercard, and American Express think that attackers can't figure this stuff out unless they see it on Mythbusters? In the wake of Savage's statement though, there has been some contention about the facts, and this recent story seems to tell a different story about the legal pressure. The bottom line? Are we sure that 'contactless' credit card data can't be intercepted by attackers?
Google's 'Chrome' is Tarnished
Friday September 5, 2008
Google is jumping into the browser war. Chrome, the new web browser from Google, is set to take on Microsoft Internet Explorer, Mozilla Firefox and others. The current release is only a Beta version. By definition that means that they are still testing it and working on it and that it is not *really* ready for 'Primetime'. That said, with the state of malware and the Internet and the fact that they themselves have been targeted and victimized by various DoS (denial-of-service) and XSS (cross-site scripting) attacks, you would expect that security would be an integral part of the product from the ground up. If that is the case, it seems they may be missing the mark with some of the code. Within about 24 hours of the Beta version of Chrome being made publicly available, there is already a string of vulnerabilities and security issues that have been identified: