Nokia Phones and the "Curse of Silence"

F-Secure has reported an exploit (the "Curse of Silence") in which a specially crafted SMS or MMS can essentially cripple a Nokia phone's ability to receive any further text messages.

Src: 'Curse Of Silence' Exploit Found For Nokia Handsets

Storm Worm Reincarnates As Waledac

As 2008 draws to a close, it seems that the Storm Worm has once again resurfaced, morphed into yet another form: Waledac.

The Storm Worm, which first surfaced in early 2007, has been one of the most formidable forms of malware ever seen. It is believed to have had control over as many as 50 million computers worldwide.

Src: Storm Worm Reincarnates As Waledac | SecurityProNews
Additional details about Waledac
Additional details about Storm Worm & its Botnet

Myths about Digital Privacy

ABC News has a good article on the Myths about Digital Privacy that applies to technology novices and veterans alike. Spoilers:
  • Myth: Opt-out means they no longer keep data about you
  • Myth: A privacy policy means your data is protected
  • Myth: If you remove it from the Internet, it's gone
Src: ABC News: Myth and Merriment

CyberCrime & Doing Time: More than 1 Million Ways to Infect Your Computer

When I teach my information security courses, I often find myself narrating instances of weak security leading to amazing compromises. This is one such story that I'll be only too happy to relay to my students and watch their eyes light up.

A relative of mine had this happen to them and spent tens of hours dealing with this malware infection. The average PC user is prone to infection, and worse, to paying for "removal" of this malware threat.

Src: More than 1 Million Ways to Infect Your Computer | CyberCrime & Doing Time Blog

Vulnerabilities in several virus scanners

When you can't trust your security software to keep you safe and infection-free, what is one to do? Depending on the case, it might be to remove some pieces of it.

Src: Vulnerabilities in several virus scanners - Heise Security UK

Dan Geer on Complexity

Dan Geer, the CISO for In-Q-Tel (and former VP of Verdasys) on complexity:
There’s zero doubt that we humans can build a system more complex than we can understand, much less control, to the point of no surprises.
Every time we add another security product to our enterprise mix, we increase the complexity of that mix.
Src: Dan Geer, IEEE Security & Privacy Nov/Dec 2008 ($)

Pescatore on Compromised Web Sites

I'd like to see web sites that are found to have easy to avoid vulnerabilities treated like restaurants that have cockroach infestations: not allow them to do business for a day or two and have them post a big notice while closed: 'Closed due to unsanitary business practices. Your business is important to us, though - have a nice day.' -- John Pescatore, Gartner Inc
Src: SANS NewsBites Vol. 10 Num. 99

PaulDotCom Wisdom

As overheard on episode 134...
The only difference between regular users and security professionals is that security professionals KNOW when they've been owned.
Src: Paul Dot Com Security Weekly Episode134

Dr. InfoSec on ID Theft

When it comes to a data breach, breach of credit card data has a sunset date whereas a breach of social security numbers doesn't.

In other words, when it comes to a breach, a credit card expires; SSNs are for life!

NH agency sends 9,300 SSNs as email attachment

If I were a New Hampshire resident I would be doubly furious that:

1. The Department of Health and Human Services sent an email with SSNs as an attachment to at least 61 recipients; and
2. That they (NH HHS) would have the audacity to say that there is "no evidence anyone has misused it." A credit card expires; SSNs are for life!

The icing on the cake comes from asking all of the email recipients to confirm that they have deleted that email. I guess someone will be implementing DLP (Data Loss Prevention) very quickly.

Src: NH agency sends 9,300 SSNs as email attachment | WCAX.COM

DefCon 15 - T505 - Dirty Secrets of the Security Industry

As seen on this Bruce Potter video:
Security is about not trusting what you are hearing, seeing, or [what is] being sent to you. -- Bruce Potter
Src: DefCon 15 - T505 - Dirty Secrets of the Security Industry

Does it seem like people with more education are harder to educate?

My colleague and fellow blogger over at Black Fist Security recently commented on his frustration dealing with my kind: faculty. He ended his blog entry with a question, "So is it just that people who have more education are too thick-headed to learn this?" My comment was as follows:
Being a university faculty myself, let me provide my perspective on the subject of faculty being harder to educate and on the need for improved security education/awareness.

First of all, faculty members who have tenure (myself included) can be quite stubborn and may be, as you put it, "thick-headed." Some of that may come from an attitude of "if it ain't broke, don't fix it" stemming from years of administration-backed changes that seem to have had little positive impact on the primary mission of the university, i.e. teaching.

However, I suspect that there's a deeper mechanism at work here, namely that the very "thought leaders" and "lifelong learners" that you have identified focus the subject of their lifelong learning so narrowly as to become unable to absorb new concepts, ideas, or worse change their way of thinking.

On a concept like information security, in which technology and practices need to adapt to changes in the threat environment, I find that many of my faculty colleagues are thinking more like dinosaurs than "thought leaders." Most security professionals would agree that what worked yesterday (or last month, or last year, or 10 years ago) may not work tomorrow. Yet many faculty continue to act and think as if what they have come to know and experience in the near or distant past will continue to hold true.

On the subject of the phishing emails, the simple act of questioning the validity of an email message, or a message received via more traditional means, goes contrary to the environment of trust and sharing that adorns academia. Faculty may, by the very nature of their training and conditioning, be more susceptible to phishing than the average user.

Finally, you are absolutely correct in wanting to ensure better security for ALL the machines within your domain, faculty and lab machines included. I am a firm believer in the validity of the configuration standards that you mention for all publicly visible servers. If a faculty member (or staff member) doesn't know what TCP, SMTP, or DNS are, then they should not be administering the server, at least not on their own. I see a need for cooperation here, where IT services and others can agree to share the administration of these servers in order to provide a valuable service (the reason the server is up in the first place) with reasonable security and patching processes (to make security managers happy and keep hackers at bay).
Src: Does it seem like people with more education are harder to educate? | Black Fist Security

Virtual Routing - The Anti-Matter of Network SECURITY...

Chris Hoff of the Rational Security Blog (renamed as the Rational Survivability Blog) says it best when it comes to the possibilities of virtualization but the realities of security:
When you look at the utility brought forward by the dynamic, agile and flexible capabilities of virtualized infrastructure, it's hard not to extrapolate all the fantastic things we could do.

Unfortunately, the crushing weight of what happens when we introduce security, compliance and risk management to the dance means we have a more sobering discussion about those realities.
Src: Virtual Routing - The Anti-Matter of Network SECURITY | Rational Survivability

NAI's New Privacy Principles Still Fall Short

The Network Advertising Initiative (NAI) has released updated privacy principles for their members. While the move is a step in the right direction, it falls short of ensuring best-practices in security and privacy.

The Security Principle requires members to "provide reasonable security for that data." The accompanying footnote reads:
Reasonable security is determined in light of several factors including, but not limited to, the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
I read this as allowing NAI member businesses to take only minimal steps towards security. There are no requirements for best practices, audits, compliance checks, a named responsible party, or staff training and awareness.

Another problem with self-regulatory privacy practices is that they often work in unexpected ways. Case in point is the NAI Opt-out tool, which allows you to opt-out from many NAI advertisers. However, since the choice is cookie-based, your settings will be lost if you choose to delete your cookies (which you might do to enhance your privacy).
The NAI Opt-out Tool is cookie-based. In order for the Tool to work on your computer, your browser must be set to accept third party cookies. If you buy a new computer, change web browsers or delete this cookie, you will need to perform the opt-out task again.

Social Engineering Outsourced - New service offers to localize cybercrime

Yes, as reported many times this year, the bad guys are getting more organized. The latest evidence is a service available in five languages that can provide social engineering services such as calling a bank and providing verbal authorization for a transaction.

Src: Social Engineering Outsourced - New service offers to localize cybercrime | Softpedia

The 7 Reasons why Businesses are Insecure!

Several times a year, students and area businesses ask me how we ended up in such a precarious information security situation. The answer: doing nothing and pretending it's all going to go away. The cure: have a plan involving management, education, policies, and practiced incident response.

The article below goes into more details on each of these points and more.

Src: The 7 Reasons why Businesses are Insecure! | Beast or Buddha Blog

One more resource on this subject, educating upper management about cyber risks, comes from the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA). Earlier this year, they released a new guide to assist business executives in the analysis, management and transfer of financial risk related to a cyber attack.


ISACA - Do as I say, not as I do

Updated on 12/17/2008:

ISACA's reply (paraphrased, emphasis is mine) is that the password management system will change with the next update to their web site and that users can choose to have a password hint displayed or whether they want to have their old password sent back to their email address on record.

My reply to ISACA's response:
The problem with being able to send a user's old password back to them is that it implies the password is stored in a form that can be retrieved. That means either plaintext in the database, or some (often home-grown) reversible transformation such as ROT-13, XOR with a fixed key, or symmetric encryption with a key the application itself holds; in every case, whoever holds the database and the key holds the passwords.

This also implies that the people who maintain the database (and possibly the site) can get at that data. Of course, I expect ISACA to have procedures in place to review access privileges and log all access attempts. Still, I would rather know that my password is stored only as a salted one-way hash that cannot be reversed, so that not even the site's own administrators can read it.
Original post:

In the current threat environment, best practice for web sites is that when a user has forgotten his/her password, a new one (or a single-use, short-lived reset link) be generated and sent to the address on record, rather than the old password being sent back. It is disappointing to see a giant of security like ISACA not follow that advice on its own web site.
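
As an added, worked illustration of the two storage models discussed above (example code written for this post, not ISACA's system or anything ISACA disclosed), here is a small Python module that contrasts a retrievable store, using a home-grown XOR scheme with a fixed application key, against a salted PBKDF2 one-way hash, and shows what a "forgot password" handler can do with each. The XOR scheme, the key, the user record and the iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# --- Retrievable storage (the anti-pattern) ---------------------------------
# A "home-grown" reversible scheme: XOR with a fixed key baked into the
# application. The key value is an assumption for this example.
APP_KEY = b"s3cr3t-app-key"


def xor_obscure(password: str, key: bytes = APP_KEY) -> str:
    """Store a password in a form that looks scrambled but is fully reversible."""
    raw = password.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).hex()


def xor_recover(stored: str, key: bytes = APP_KEY) -> str:
    """Anyone holding the key (DBA, developer, or an attacker with a DB dump and
    a copy of the application) gets the original password back."""
    raw = bytes.fromhex(stored)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).decode("utf-8")


def forgot_password_retrievable(stored: str) -> str:
    """The 'send me my old password' flow: only possible because storage is reversible."""
    return xor_recover(stored)


# --- Salted one-way hash (the practice the post asks for) -------------------
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; the result cannot be reversed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def forgot_password_hashed(record: dict) -> str:
    """With a one-way hash the old password cannot be mailed back. Instead, issue a
    random temporary password, store only its hash, and send the temporary value to
    the address on record. The record dict is a constructed stand-in for a DB row."""
    temporary = secrets.token_urlsafe(12)
    record["password"] = hash_password(temporary)
    record["must_change"] = True  # force a real change at next login
    return temporary


def demo() -> dict:
    """Exercise both stores on a constructed user record and report what each allows."""
    retrievable = xor_obscure("hunter2")
    hashed_a = hash_password("hunter2")
    hashed_b = hash_password("hunter2")
    record = {"email": "user@example.com", "password": hashed_a}  # constructed row
    temporary = forgot_password_hashed(record)
    return {
        "old_password_recoverable": forgot_password_retrievable(retrievable) == "hunter2",
        "same_password_different_hash": hashed_a != hashed_b,  # per-user salt
        "both_hashes_verify": verify_password("hunter2", hashed_a)
        and verify_password("hunter2", hashed_b),
        "wrong_password_rejected": not verify_password("hunter3", hashed_a),
        "temporary_verifies": verify_password(temporary, record["password"]),
        "old_password_dead_after_reset": not verify_password("hunter2", record["password"]),
    }
```

Run demo() to see the contrast: the retrievable store hands the old password straight back to whoever holds the key, while the hashed store can only verify a candidate or issue a fresh temporary password. A single-use reset link that expires after a few minutes is the other acceptable pattern; what is never acceptable is a store from which forgot_password_retrievable() is possible at all.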

Open Sesame - How a CD-ROM can bypass keycard security

So you think you can solve security issues with technology, right? If humans are involved in any way, or are even nearby, you might be surprised by the results.

Src: Open Sesame - The Daily WTF

Stiennon’s laws | ThreatChaos

Fellow blogger Richard Stiennon is known for his wit and in-depth coverage of the security landscape. Now, I might have to think of him as a philosopher as well.
1. Good end point security assumes the network is hostile.
2. Good network security assumes the end point is hostile.
3. Good data security assumes the user is hostile.
Src: Stiennon’s laws | ThreatChaos

Cisco Report: Hackers Will Be Bolder, Smarter, Craftier in 2009

The Cisco Annual Security Report paints a less than rosy picture for 2009 and should be a wake-up call to all in the security sphere. Ready your defenses...

Who can you trust? [insert name of trusted site here] - Are you sure?
Targeted attacks and blended, cross-vector assaults, along with a 90 percent growth in threats originating from legitimate domains
A cloudy forecast for Web 2.0:
Internet criminals have staked out new attack vectors this year based on the use of Web-based services reached through standard browsers.
Raising an army of machines:
Attacks using botnets, social engineering and reputation hijacking became noticeably more prevalent.
But the network is secure, right?
The edge of the network is expanding rapidly, and the increasing number of devices and applications in use can make the expanding network more susceptible to new threats.
And for the finale, some philosophy about security:
Human nature rules, and security decisions by corporations are sometimes only made after a problem develops.
Src: Hackers Will Be Bolder, Smarter, Craftier in 2009
More including videos at CNN Money

Open Letter From SESTA Calls For Tighter USB Security - DarkReading

In an open letter to IT professionals, the SanDisk Enterprise Solutions Technology Alliance calls for improved security for USB devices. The statistics below should be enough to shake any IT person into action:

Forrester Research data shows that 52 percent of companies surveyed have suffered data loss via USB drives and other removable media.[2] The Ponemon Institute reports that 53 percent of companies acknowledge confidential data resides on flash drives.[3] At the same time, 53 percent of these companies would have no way of knowing what data was on the flash drive if it was lost. Since 2005, more than 245 million records containing sensitive personal information have been involved in security breaches in the U.S. alone, according to Privacy Rights Clearinghouse.[4] Ponemon further reports that the average security breach costs corporations $6.3 million.[5]
Src: Open Letter From SESTA Calls For Tighter USB Security - DarkReading

Hackers using antivirus to sneak into computers

The Times of India reports that many free and commercial antivirus products are vulnerable to attacks that would allow hackers to gain access to a system running such software.

While this is nothing new, it does serve as a reminder that programs are just programs: the logic that detects a virus runs with high privileges, parses hostile input by design, and can itself be the target of an attack.
If the antivirus crashes, it can even cause remote system compromise. Attackers can steal information or cause 'denial of service' condition.
Using a variety of file fuzzing techniques, the team discovered abnormal behaviour in several security tools when handling complex or unusual executable header data. In such events, multiple bugs were found in antivirus software while processing malformed packed executables. Some of these bugs proved to be security vulnerabilities which could make the antivirus itself as a back door for hackers.
Src: Hackers using antivirus to sneak into computers | The Times of India

Printing error leaves La. taxpayers' data at risk

The culprit appears to be two-sided printing... I wonder how many more millions of printers are vulnerable to this flaw [tongue in cheek].

Src: Printing error leaves La. taxpayers' data at risk | WXVT-TV

German Government Lost Files So Secret Their Contents Are Unknown

For very sensitive documents, even meta-data (the data about the data) could provide adversaries with information about your activities or the state of your surveillance. But the other edge of the sword is that you might not know what you had if you were ever to lose it; in the case of the German government, they have acknowledged losing over 300 such documents.

Src: Government has lost files so secret their contents are unknown | The Local

Honan on insider threats

Brian Honan comments on the Irish CyberCrime Survey:
Companies need to wake up that one of the biggest threats to their security is their own staff, remember those that you trust the most are the ones that can hurt you the most. -- Brian Honan, SANS NewsBites Vol 10, Num 97

If you don't need it, don't ask for it

I find it really strange to see so many data-hungry applications and web sites that ask for stuff seemingly just for the heck of it. The latest instance I have come across is from the Acronis message boards in which they actually ask for people's date of birth (see screenshot). What's next, a social security number?

Of course I understand that they need to comply with laws like COPPA, the Children's Online Privacy Protection Act, but isn't there a better way than asking for a date of birth?

How to Prevent Digital Snooping (WSJ)

Bruce Schneier writing for the WSJ on how to prevent digital snooping:
The only way to ensure those people don't abuse the power they're entrusted with is through audit. Without it, we will simply never know who's peeking at what. -- Bruce Schneier
Src: How to Prevent Digital Snooping (WSJ)

Gmail, Yahoo and Hotmail systematically abused by spammers

Anyone who still thinks that security can be solved with technology ought to read articles such as this one on how spammers and hackers are defeating CAPTCHA technology. CAPTCHAs are those annoying distorted letters or sounds that humans have to decipher in order to proceed with some online activity (often when registering a new email account).

Earlier this year, I saw a presentation by Jeremiah Grossman (of WhiteHat Security) at the Twin Cities OWASP chapter which mesmerized the audience and destroyed our dreams of easy security in a Web 2.0 world.

Src: Gmail, Yahoo and Hotmail systematically abused by spammers

Gartner Identifies Top 30 Countries for Offshore Services in 2008

It's about time that security and privacy were factored into offshoring decisions. My own experience has been that a person's culture shapes his/her grasp of security and privacy. Some cultures have bartering built into every aspect of life and therefore may not offer the robustness against bribery that might be expected. Anyone heard of "baksheesh?"

The Gartner report ranks countries based on 10 criteria, which include: language, government support, labor pool, infrastructure, educational system, cost, political and economic environment, cultural compatibility, global and legal maturity, and data and intellectual property security and privacy.

Src: Gartner Identifies Top 30 Countries for Offshore Services in 2008

IBM warns ‘zero-day’ hacker exploits growing

Simply because this is old news (from August 26, 2008) does not make it any less relevant or chilling. According to IBM's X-Force 2008 Mid-Year Trend Analysis,
Cyber-criminals are adopting new automation techniques and strategies that allow them to exploit vulnerabilities much faster than ever before. The new tools are being implemented on the Internet by organized criminal elements, and at the same time public exploit code published by researchers are putting more systems, databases and ultimately, people at risk of compromise.

94 percent of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure. These attacks, known as "zero-day" exploits, are on the Internet before people even know they have a vulnerability that needs to be patched in their systems.

Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks

Ryan Naraine (of ZDNet) appears to have a knack for staying on top of zero-day attacks. This time, the target is IE 7 running on XP SP2.

It seems to me that the number of zero-day attacks is steadily increasing. 2009 will most likely prove to be an eventful year.

Src: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks (ZDNet)

European Commissioner on Privacy vs Security

Europeans have always been stronger proponents of privacy than their American counterparts. The following illustrates just to what extent the perspective from the other side of the ocean is different from our own. Thomas Hammarberg, Council of Europe's commissioner for human rights:
Counter-terrorism efforts rob citizens of basic privacy rights, which undermines rather than improves security.
General surveillance raises serious democratic problems which are not answered by the repeated assertion that those who have nothing to hide have nothing to fear. This puts the onus in the wrong place: It should be for states to justify the interferences they seek to make on privacy rights.

21 million German bank accounts for sale

Germans have reason to be cautious of what 2009 will mean for them after a German magazine, WirtschaftsWoche (meaning Economic Week), was able to buy details for 1.2 million bank accounts from underground criminals who claim to have data for up to 21 million bank accounts.

Src: 21 million German bank accounts for sale | ITworld

What I Want For Wednesday: More Error 408

In his blog, Gartner's John Pescatore muses about new HTTP error codes that would be targeted at users. In a comment on the blog post, I've suggested a few of my own:
How about 5xx additions as well:
506 - Server under Denial of Service Attack - We had no sys admin
507 - Server under Denial of Service Attack - Failed to pay extortion request
510 - Server Was Hacked - Start ID Theft Recovery Service Now
511 - Server Now Serving Malware - Please come again
Src: What I Want For Wednesday: More Error 408 (Gartner Blog)

John Pescatore (Gartner) on Antivirus products

The threats have moved way beyond what antivirus software can provide. -- John Pescatore, Gartner
Src: Microsoft Joins Free Security Software Push (BusinessWeek)

Thieves Winning Online War, Maybe Even in Your Computer

This is by no means news to security professionals. However, it is time that stories like this one hit the mass media in order to raise attention and awareness of the issues. Next time someone's machine is acting quirky, take it seriously and have someone knowledgeable take a look at it.

John Markoff, the author of the NYT article has several good quotes, including:
For example, malware programs now infect computers and then routinely use their own antivirus capabilities to not only disable antivirus software but also remove competing malware programs.

The cyber-criminals appear to be at least as technically advanced as the most sophisticated software companies. And they are faster and more flexible.
Src: Thieves Winning Online War, Maybe Even in Your Computer (NYT)

Malware writers spoof Firefox plug-in

It was to be expected: as more people embrace alternative browsers, attackers are shifting their sights to new targets, in this case Firefox plug-ins. While you need to be careful not to install unknown or untrusted plug-ins, I still recommend Firefox + NoScript for those who can live with the extra power and responsibility of deciding when a site should be allowed to run JavaScript, Flash, PDFs, etc.

Src: Malware writers spoof Firefox plug-in

Is there a safe place left on the Net?

Of course the title is shocking, but the truth of the matter is, no web site is safe from being hijacked by attackers and used to distribute malware to visitors. The latest victim? A subdomain of the CBS TV network.

Read more at: CBS Web site bitten by iFrame hack (InfoWorld)

Malware Constructor - New Version

If it seems like the bad guys are winning the malware arms race, it's because they are. If you don't know, or don't believe, take a look at this year's malware reports from major AntiVirus vendors as they acknowledge that they simply can't keep up.

That's due in part to the attackers' ability to use "malware constructor" tools to generate new malware variants with a few clicks of the mouse.

Prepare your Incident Response plan TODAY.

Src: "Constructing" bad things...again (PandaLabs)

Document Metadata, the Silent Killer... - SANS InfoSec Reading Room

Larry Pesce of the PaulDotCom Security Weekly podcast has just completed his SANS paper entitled "Document Metadata, the Silent Killer..." now available from the SANS Institute - SANS InfoSec Reading Room - Digital Privacy Area or via direct link (PDF).

Congratulations and job well done.

Pescatore on the Srizbi Botnet

The bot client strategies for finding command and control centers have gotten increasingly devious. New techniques use mechanisms that are very similar to old style spycraft, the cyber equivalent of spy numbers stations and chalk Xs on mailboxes. -- John Pescatore, Gartner Inc, in SANS NewsBites Vol. 10 Num. 94

Thieves Stole Identities to Tap Home Equity

Police have made arrests in connection with more than $12 million stolen from home equity lines of credit. The thieves used online search databases to find information about their victims, and then contacted the banks to draw from the home equity credit.

This case also sheds light on a new type of attack that combines stolen information with social engineering for a greater gain; in this case, the thieves changed or forwarded the victim's phone calls to phone lines under their control in order to intercept any bank's attempt at verifying the transactions. With VoIP, they could potentially do this from anywhere in the world.

Src: Thieves Stole Identities to Tap Home Equity (Washington Post)

Breaking the Zero-Day Habit

Kudos to Mike Rothman (guest editing Ryan Naraine's column) for saying things the way they are:

"The sad truth is that a true zero day attack will own us all. The best we can do is to pay attention enough to clean up the mess, and you don’t need the press – or even a savvy security researcher – to tell you when you’ve been owned."

Src: Breaking the zero-day habit (ZDNet)

Massachusetts' Data Security Standards Affects More Than Just MA Companies

The new Massachusetts Data Security Standard (M.G.L. c. 93H) will impact more than just the businesses and government entities in that state; any company that keeps records on Massachusetts customers or employs Massachusetts residents must be in compliance (by May 1, 2009) or face a civil penalty of $5,000 for each violation of 93H. In the case of improper disposal, businesses can be subject to a fine of up to $50,000 for each instance.

Src: Privacy Compliance 101: Why Massachusetts Data Security Standards DO Affect You (CIO)

Dangers of 3rd Party Apps: Firefox3+Twitter+Cookies

The original posting illustrates why so much of the software that powers our everyday lives is still flawed. Worse, updates or improvements often oversell the security aspect of things, which ends up making us believe that we are safe when we really are not.

So, whose fault is it that Firefox keeps a cookie for your Twitter session even when you tell it not to save your password? For one, cookies are not passwords. Firefox is not technically saving your password; it is keeping your current "session" so you can continue to check your Twitter feed. The real security problem is on the site side: a session cookie that stays valid indefinitely, and a site that allows many such sessions at once without ever showing them to the user. In the case of Twitter, this user ended up with 6 valid sessions across multiple browsers and machines.

Earlier in 2008, GMail (Google Mail) started letting users see the number of open sessions (that is, live session cookies) on their account and expire them from a central point. That matters because a stolen session cookie provides access to your account for as long as the server honours it, which, unless the site invalidates existing sessions when the password changes, can be days (or years) after a password change!
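
As an added example (my own illustration for this post, not Twitter's or Google's code), the following Python shows the server-side piece that makes the GMail behaviour above possible: the browser cookie carries only a random token, every token is recorded per user so an account page can list them, and a password change revokes every session other than the one making the change. The client labels and the stolen-cookie scenario are constructed.

```python
import secrets
import time


class SessionStore:
    """Server-side registry of session tokens. The browser cookie holds only the
    random token; everything about the session lives here, so the server can list
    and revoke sessions regardless of what cookies a browser has kept on disk."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "client": str, "created": float}

    def create(self, user: str, client: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable
        self._sessions[token] = {"user": user, "client": client, "created": time.time()}
        return token

    def cookie_header(self, token: str) -> str:
        """Set-Cookie value for the token. No Expires/Max-Age, so the browser treats
        it as a session cookie; HttpOnly keeps page scripts away from it; Secure keeps
        it off plain HTTP. Whether a browser persists it across restarts is the
        browser's decision, which is exactly why the server-side list matters."""
        return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def user_for(self, token: str):
        """Resolve a presented cookie to a user, or None if unknown or revoked."""
        entry = self._sessions.get(token)
        return entry["user"] if entry else None

    def active_sessions(self, user: str) -> list:
        """What an 'open sessions' page shows: every live token for this account."""
        return [(tok, e["client"]) for tok, e in self._sessions.items() if e["user"] == user]

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None

    def revoke_all_for(self, user: str, keep=None) -> int:
        """Sign out everywhere, optionally keeping the session that issued the request."""
        doomed = [tok for tok, e in self._sessions.items() if e["user"] == user and tok != keep]
        for tok in doomed:
            del self._sessions[tok]
        return len(doomed)


def change_password(store: SessionStore, user: str, current_token: str) -> int:
    """Password-change handler. Updating the stored credential is out of scope here;
    the part that is usually forgotten is revoking every other session, without
    which a stolen cookie keeps working no matter how often the password changes."""
    if store.user_for(current_token) != user:
        raise PermissionError("token does not belong to this user")
    return store.revoke_all_for(user, keep=current_token)


def demo() -> dict:
    """Constructed scenario: one user, three browsers, one cookie copied by an attacker."""
    store = SessionStore()
    laptop = store.create("alice", "Firefox 3 on laptop")
    store.create("alice", "mobile browser")
    desktop = store.create("alice", "IE on shared desktop")
    stolen = desktop  # attacker copies the cookie value from the shared machine
    sessions_before = len(store.active_sessions("alice"))
    stolen_before = store.user_for(stolen) == "alice"
    revoked = change_password(store, "alice", current_token=laptop)
    stolen_after = store.user_for(stolen) == "alice"
    return {
        "sessions_before": sessions_before,
        "stolen_worked_before_change": stolen_before,
        "revoked_count": revoked,
        "stolen_works_after_change": stolen_after,
        "changer_still_logged_in": store.user_for(laptop) == "alice",
        "remaining_sessions": len(store.active_sessions("alice")),
    }
```

The browser's choice to keep or discard its cookie file is irrelevant to this design: a token revoked server-side is dead no matter how many copies of it exist. demo() walks through the scenario from the post, three browsers, one cookie copied from a shared machine, then a password change.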

Src: Domdingelom on security, fun and life: Is firefox+twitter+https messing with me?

Mumbai Terrorists used Technology as Weapon of War

This article presents an update on the methods used by the Mumbai terrorists: technology in the form of BlackBerry phones and Internet access. This shows a level of planning and organization that is unusual for most terrorist groups. However, it probably won't be the last time we see the bad guys using technology for sinister purposes.

Src: Terrorists turn technology into weapon of war in Mumbai (The Courier-Mail)

Malware Database - A must read!

By chance, one of the security luminaries that I follow sent a link to the Malware Database site. If you want to stay current on the latest reports of malware in the wild, this is a must. There's also a Twitter account so you can get the latest malware news as tweets.

Malware Database (web)
Malware Database (twitter)

Patching offline virtual machines

Excellent post from Security4all about the need for, and the way to ensure, timely (and automated) patching of offline virtual machines. Patching solutions such as the ones discussed for Microsoft and VMware will likely be the main differentiator between the virtualization leaders and their open-source competitors.

Src: Patching offline virtual machines (Security4all)

How video and pictures can be a threat to security

This posting provides an update to the concept of "No Tech Hacking" which has made Johnny Long a household name in the InfoSec arena (Google video and book). Richard Stiennon is right on about the dangers that this Web 2.0 world poses to our daily lives. We are leaking information left and right, and there doesn't seem to be an end to it.

Larry Pesce of PaulDotCom has been working on his SANS paper, and has numerous postings (latest one here) about tools like Metagoofil and others that extract metadata from local and web documents.

Src: How video and pictures can be a threat to security ( ThreatChaos)

Lenovo Service Disables Laptops With a Text Message

There are days when I just wonder whether we're doomed to keep creating "security solutions" that are double-edged swords. Today's is one unveiled by Lenovo, which would let users register up to 10 cell phones allowed to disable a laptop remotely.

How long before spammers start sending text messages to all cell phone numbers with the command: remote-erase-all-data-now?

Slashdot commentary on Lenovo Service Disables Laptops With a Text Message
Original story on eWeek

Windows Drivers & Licenses

This post from Christopher Dawson exemplifies the problem that plagues most of today's Windows-based distributions: licenses and drivers.

On the licensing side, the user is faced with a barrage of cryptic codes to enter, if they can remember where they put the license key in the first place. How about coming up with word-based licenses instead of five groups like G6QRH?

On the driver side, my own experience echoes that of Mr. Dawson in that both Dell's and HP's service tags manage to recognize the machine but then present an array of choices for hardware drivers. How is a user to know which particular version of a network card or sound card the machine has? Why can't manufacturers code that level of detail into their service tags? Please don't mention the HPA (Host Protected Area), a special region of the disk where manufacturers "store" (hide?) drivers and restoration software.

Ubuntu, a free Linux distribution with a look and feel familiar to Windows users, will install and recognize most hardware without ever asking for a license or a driver. We need technology that simply works instead of getting in the way.

Src: Are you sure you don't just want to use Ubuntu?

Dr.InfoSec featured on BusinessWeek Front Page

Update on 11/25/2008: still showing up on BusinessWeek's Technology page.

Earlier this month, Douglas MacMillan wrote a story for BusinessWeek about scammers and the dangers to your online identity. The article featured Shawn Moyer and Nathan Hamiel and their successful scam: convincing fellow LinkedIn users (many of whom are security professionals themselves) that they were the real Marcus Ranum (CSO of Tenable Network Security).

By chance, I happened to see the article on Twitter and left a comment. The comment got picked up and I was asked by BW to provide a photo and give my blessing to be featured on the front page.

Many thanks to Stiennon's Twitts, the Security Bloggers Network and the Security Twits group for all of the positive attention.

Direct link to the BusinessWeek story (photo of front page area below)
BusinessWeek front page

Who Hijacked Your Domain?

In the past weeks, the security blogosphere has been abuzz with stories of folks who got their web sites hijacked (and held for ransom) after their web-based email accounts were altered via the wonders of filters, which can silently redirect specific emails to an attacker's email account.

Personally, I would like to see more being done by the web-based email providers to validate users' identities and protect the ever-increasing value of information being stored in email accounts.

Gmail Security Flaw Proof of Concept

Microsoft Ranked 5th Most Spam-Friendly ISP

The cost of ignoring spammers is simply too high; now Microsoft needs to repair its PR image from the latest snafu: being listed as the 5th (now 6th) most spam-friendly ISP. The rating, from the published list, points to several current issues that Microsoft has simply not resolved yet, including allowing Hotmail scams, file repositories used by hackers, and web spaces used by hackers.

Who will make the list next?

Src: Microsoft is 5th most spam-friendly ISP

A Wealth of Data, and Nobody in Charge

Privacy advocates argue that academic institutions should hire full-time privacy officers to focus solely on privacy as "the job of security officers is to protect data that are already collected — not to ask whether the data should be captured and stored in the first place."

This article exposes a salient truth about the academic sector. In the past two weeks, I have come across two instances where academia has appeared clueless when it comes to data security and privacy. One is contained in the article below ("what's a CPO?"); the second was posted on the social networking site Twitter by a frustrated security professional who was dumbfounded to have to explain the term "penetration test" to a group of Computer Science PhDs.

Src: A Wealth of Data, and Nobody in Charge

SUMO Linux - New Multi-OS Distro

SunTzuData has re-mastered some solid distros into one DVD format. The DVD available from SUMO Linux contains:

  • Backtrack 3
  • Helix 2.0
  • Samurai Linux
  • DBAN
  • DVL

SunTzuData, the company behind the SUMO Linux distro, was founded by Marcus Carey. Marcus used to work for Computer Sciences Corp. (CSC) and was assigned to DC3's Defense Cyber Crime Investigations Training Academy (DCITA) as a Researcher and Instructor.

Cyberscams Befriend Social Networks - BusinessWeek

I think it's time for these social networking sites to spend some of their money to validate new users' identities (it would be nice to double-check existing users as well). They could learn something from Google Knol's Name Verification program, which can validate an identity based on a credit card or via a phone directory (weaker IMHO).

Cyberscams Befriend Social Networks (BusinessWeek)

Use NoScript to force websites to SSL

A very useful feature of NoScript (a browser plugin for Firefox) allows you to force web sites to stay on the HTTPS side of things after authentication, instead of reverting back to plaintext HTTP.

Use NoScript to force websites to SSL (Security4all)

The Manchurian Chip - The news that shook the world!

If this story is to be believed then we're in for a whole lot of trouble, assuming we can do something about it of course. Suddenly your ten-year-old computer does not look so useless anymore. When ET calls home to China, everyone needs to pay attention.

And Now the Manchurian Microchip (Daily Artisan)

Businesses could be fined 10% of revenues for data protection breaches

This development is a step in the right direction in my opinion. Sure, it comes with a heavy price, but in this day and age, the penalties for not taking the appropriate steps to protect data should be commensurate with the size and extent of the breach.

This is good news for security professionals in the consulting realm. However, for those already employed by UK companies suddenly facing this law, their headaches just got a lot stronger.

Businesses could be fined 10% of revenues for data protection breaches (Information Age)

Biggest Security Threat becomes Human Factor

Two stories published within days of each other report on the current biggest challenge: the human factor. At least one of my fellow bloggers, Jeff Evenson over at , has made the human factor in security the focus of his writings.

The security threats have "more to do with human error and the usability of advanced authentication systems than any technical security problem." -- AlZomai (Web banking risk down to human error)

"Human error has become the biggest security concern for IT directors." -- Research report from Secure Computing (VUNet)

Only on eWeek

As I was reading a back issue of eWeek, I noticed some confusion as to who the laptop manufacturer really is...

Internet thieves make big money stealing corporate info

A big thanks to Stephen Northcutt of the SANS Technology Institute for pointing this resource out. USA Today has a great (simple yet effective) graphical illustration (Flash-based) of the way attackers gain entry, compromise additional hosts, and leave with lots of data.

Src: Internet thieves make big money stealing corporate info

Sim Card Chip Unlocks iPhone 3G

Well, someone was going to invent it and market it: a SIM card to unlock the iPhone 3G. We're sure to see more of these special-purpose chips to modify otherwise locked, or worse, secured, mobile devices.

Unlock iPhone 3G, Sim Card Chip, Gevey Sim For Unlock iPhone 3G

Four Twitter scenarios of doom

A fellow Twitter user from the SecurityTwits group wrote an interesting article about the threats that something like Twitter poses to your personal and professional online identity.

Four Twitter scenarios of doom (ThreatChaos)

Data on Japanese students revealed by Google Maps

Here lies a big problem with the usability of today's software regarding the privacy and security of data. The article points out that when using Google Maps, "Users of the service tend to assume that information entered is available only to themselves as the site promotes itself as an exclusive map for individual users."

We need a shift in the way we think about data, starting from the decision of what to collect, how things are presented (Human-Computer Interface), and how things are stored/communicated/processed. Until we do, these kinds of accidental data leaks will continue to occur due to human error or, in this case, erroneous assumptions.

Src: Student data slip out via Google Maps (The Daily Yomiuri)

GPG encrypted-email for the rest of us

The folks at The Register are known for their consistent coverage of InfoSec topics (among others). This time around, the story is more of a how-to for the average (really?) computer user to install and use GPG to encrypt email.

Still sending naked email? Get your protection here (The Register)

Go Phish with Consumer Reports - Test your ability to detect phishing scams

Consumer Reports (CR) has put together a great resource called the Guide to Online Security. One of the features of that site is what CR calls Go Phish (opens in a new window) in which you have to determine whether each of 12 different emails is real or fake. Can you achieve a perfect score?

Eide Bailly web site failure

It's disappointing to see this kind of error in 2008 from a company like Eide Bailly. Since it's Saturday, it will most likely be a while before the site is back up and running.

Alan Paller on Vulnerabilities

On having to report on over 150 vulnerabilities in a single week:
It is crystal clear that web application programmers are writing a LOT of bad code and their bosses are either ignorant of the problem or negligent in exercising their management authority. -- Alan Paller, Director of Research, SANS Institute - @RISK: The Consensus Security Vulnerability Alert

GoogleDocs Broken - Phantom Shared Docs

It appears that GoogleDocs is once again broken. This time, it shows phantom shared documents with folks that I've never met (and don't know). Disappointing.

New Paper at SANS Institute - .NET Framework Rootkits: Backdoors inside your Framework

This paper introduces a new method that enables an attacker to change the .NET language. The paper covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.

SANS Institute Reading Room - .NET Framework Rootkits: Backdoors inside your Framework

Bruce Schneier: Securing Your PC and Your Privacy

Responding to a question about the single biggest threat to IT security, Bruce Schneier said:
Technological systems, especially newer ones, are exceedingly complex, and complexity is the worst enemy of security. -- Bruce Schneier in Securing Your PC and Your Privacy

AVG and Rising signatures update detects Windows files as malware | Zero Day |

It was bound to happen... the false positive (aka "type I error"). It gets nastier when the files wrongly detected as infected are your Windows files, causing the machine to reboot continuously. The answer? QA: test, test, test. AVG should have tested this signature update and (long shot coming here) users should have tested the update and had a way to revert.

Src: AVG and Rising signatures update detects Windows files as malware (ZDNet)

Security awareness extended to Belgian bathrooms

"The person you are looking at is responsible for your security." -- bathroom mirror wisdom

As reported on a Belgian security blogger's site, a bathroom mirror sported the message above (modified to reflect that "security" and "safety" translate to the same word in Dutch, one of the official languages in Belgium). Src:

Northcutt on Security

Success in security depends on either automating the fix or making it really easy for the user. -- Stephen Northcutt, President of SANS Technology Institute, SANS NewsBites Vol 10 No 89.

TKIP is broken. Long live WPA

As pointed out by one of the maintainers of the SANS ISC (Internet Storm Center), WPA/TKIP has been broken (in one direction only, from the wireless access point to the client). An excellent explanation of how this is done can be found here.

Also: RaDaJo (RAul, DAvid and JOrge) Security Blog: WPA/TKIP ChopChop Attack

European Data Protection Supervisor declares IP addresses must be treated as personal data

Addressing the confusion among many European Data Protection Authorities (DPAs) as to whether the IP data Google is collecting is personal or not, Peter Hustinx, the European Union's Data Protection Supervisor, affirmed that IP addresses and server logs should be treated as personal data.

As Google itself acknowledged, IP address data is sometimes personal and sometimes not. Hustinx basically seeks to remove any confusion on the part of the EU DPAs: if a DPA can't clearly determine whether the data is personal, it should be considered personal and protected as such.

Hustinx: nameless data can still be personal OUT-LAW.COM

Bruce Schneier on Privacy (and the Lack Thereof)

That's the best way to secure customer data: not to have it. The way to make it work is to make companies liable for exposed customer data, to give them the economic problem of owning my data. They are the only entity that can protect it, yet when the data is lost, they don't feel the pain - I do. -- Bruce Schneier

Src: CIO Insight - Know It All - Bruce Schneier - Schneier on Privacy (and the Lack Thereof)

On the state of malware vs patches

...the signature and patch-centric approach to protecting desktops isn't dealing with the new, targeted threats that aim at the user, not unpatched PCs. -- John Pescatore, NewsBites co-editor, in SANS NewsBites Vol 10 Issue 87

People & mistakes

Writing about a memory stick containing pass codes for a UK government system that was found outside a pub:
People make mistakes that cause harm to others. The challenge is how we educate and reinforce in people to do what is correct. I have said for years there needs to be a law entitled U.S. Code Title 18 "Stupid". In my former life, I would have had a lot more convictions. However, I am not sure what the consequences should be for stupid. -- Ron Dick, NewsBites co-editor, in SANS NewsBites Vol 10 Issue 87

A people-based virus for the US elections?

Apparently the need for SETA (Security Education, Training and Awareness) goes beyond just the information security sphere. Several states report that cell phone users received text messages informing them that election day had been moved to Wednesday, November 5th, and that the recipient of the message should forward the information on to others.

Election Hoax Sent Via D.C. Based E-Campaign Group - Security Fix

RSA finds Huge Cache of Stolen Financial Data

The RBN (Russian Business Network) is reportedly behind one of the largest repositories of stolen financial information. According to the RSA FraudAction Research Lab, it uncovered more than half a million credit card numbers and online bank account logins and passwords, apparently acquired by the RBN over the past 2.5 years.

Malware has increased in complexity and capability; the Sinowal trojan used in this attack can show the user a fake login page, luring the user into providing valid credentials, which are then transmitted by the malware to a server in a remote location/country.

A Huge Cache of Stolen Financial Data - Bits Blog

Phishers start validating credit card numbers

Times must be getting tough for phishers if they resort to validating credit card numbers before uploading them to the servers they control. Article from

$10 Zero-day Vulnerabilities

The security community has been raising the alarm for some time; now we have proof: new, never-seen (hence "zero-day") exploits for as low as $10. What's next?

Black market for zero day vulnerabilities still thriving (Zero Day)

The future of the Internet according to Marcus Ranum

Marcus Ranum said it best about the Internet's future (in the Face-Off article of the September 2007 Information Security Magazine):
Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.

Former sysadmin sentenced for wrecking corporate servers

This story illustrates how many companies are still not ready to handle computer-related emergencies. A former system administrator removed critical operating system boot files. He reportedly wanted to cause "a small hiccup"; however, "the company inadvertently caused more damage while trying to repair the situation."

There is no reason why missing boot files would have taken days to repair if the company had implemented appropriate incident response and business continuity plans. In my own home environment, I can be back up and running in less than 10 minutes should my entire operating system get trashed. Why can't a company do the same?

Former sysadmin sentenced for wrecking corporate servers

What trumps privacy?

Good article from Jay Cline about the 6 spheres of privacy and why the US will never look at privacy in the same way that the rest of the world does.

Src: What trumps privacy? (ComputerWorld)

Privacy is good - Privacy by visibility is NOT good

As this FailBlog post illustrates, security and privacy often fail because they are "patched-on" instead of "baked-in."

Marriott Fail « FAIL Blog: Pictures and Videos of Owned, Pwnd and Fail Moments

Wise words from the US Army Ranger Handbook

"Two of the gravest general dangers to survival are the desire for comfort and a passive outlook." -- U.S. Army Ranger Handbook

When Keyboards Talk, Who Listens?

We already knew that computers and electronic devices emit signals that could be picked up at a distance; this is the stuff of spy novels and movies. The TEMPEST program, rumored to have started as far back as the early to mid 1960s (src: ), provided specific guidance on shielding electronic devices to prevent eavesdropping.

Now two researchers in Switzerland have actually gotten it to work in a way that can be easily demonstrated: what you type on a WIRED keyboard can be picked up and decoded from the same room and from an adjacent room. Watch the videos to get the full effect. Be scared, be very scared.

Microsoft Releases Critical Patch Out of Cycle

This brings back memories of the early days of the 21st century when worms roamed across Microsoft Windows machines (and other operating systems as well). Mitigation: patch, patch, patch (or make sure your firewall is up and you are not using file sharing).

Events of this magnitude must be brought to the attention of software developers to ensure that security is integrated in the software lifecycle.

Microsoft bulletin:
More info at:

QOTD - Microsoft on time to infection

The mean time to infection is less than five minutes. -- Richie Lai, Microsoft's Internet Safety Enforcement Team

Src: NYTimes

The end of Antivirus Programs?

Secunia's experiment pitted 12 antivirus programs against a host of exploits... the result: the best AV detected only 20% of the malware (out of 300 samples); the next best detected only 2.33%.

Users and businesses need to take the threat seriously and realise that firewalls and traditional security software, such as that included in Internet Security Suites, aren't sufficient to protect PCs and corporate networks. (Src: Secunia Blog Entry)

Src: Test Shows Shortcomings of Antivirus Programs - Host security News Analysis - Dark Reading

Direct link to Secunia Report

Social Engineering gets really creative

For some time, security professionals have been warning that the weak area in information security now resides with people, not technology. What we didn't know is how much information about ourselves or our loved ones is out there for anyone to use. It seems that social engineers in Asia have found a new way to make money: fake kidnappings.

loose wire blog: Social Engineering, Part XIV

Sophos Security Threat 2008 Mid-Year Report

Highlights for the first six months of 2008 (Src: Sophos Security Threat 2008 Mid-Year Report):
  • Over 11 million different malware threats are known to exist
  • SQL injection attacks on web sites are the biggest threat today
  • Every 5 seconds a new web page is discovered to be infected
  • 97% of all email is spam
  • Blogger is the top host for malware - strange given the limited features of this Google-owned site.

Minority Report Version 2008

The US Department of Homeland Security wants to improve safety by reading your thoughts. Nice concept, except that it can easily be defeated by terrorists finding a patsy who will obviously pass the "hostile thoughts" test.

Schneier's Blog Entry on Thoughtcrime
New Scientist's Original Story

Brits happy to hand over password details for £5 gift voucher

This story outlines what security professionals have been saying for a while: security is not just a technology problem, it's also (and really) a people problem. You may have the strongest Single Sign On (SSO) technology in the world, but if your users willingly hand over passwords, security goes out the window.

Brits happy to hand over password details for £5 gift voucher (The Register)

And now... Clickjacking!

The whole world is waking up to the insecurities of today's browser applications... it will take a while before we can ever feel safe again. Time to dust off those old text-based browsers; lynx me up to the Internet.

Clickjacking: Researchers raise alert for scary new cross-browser exploit

Foreign Travel Threat Assessment - A must know for every security professional

A US Homeland Security memo called "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities" has made its way into the public light of the Internet. The importance of this document stems from its information security best practices for travelers going abroad. None of the recommendations are new or surprising; instead they reinforce the need for governments and companies to be vigilant with the data entrusted to them and to provide their employees with tools and education on how to avoid leaking sensitive data. Step 1: leave your data at home or at the office.

Leaked Homeland Security doc warns of data threats | Tech News on ZDNet

Rethinking computing insanity, practice and research

Gene Spafford provides a historical perspective and commentary about the state of cyber-security research.

The current cyber security landscape is a major battlefield. We are under constant attack from criminals, vandals, and professional agents of governments.

Src: Rethinking computing insanity, practice and research | CERIAS | Purdue

Software-Generated Paper Accepted At IEEE Conference

The field of computer-related publications has become saturated with mediocre papers presented at a multitude of obscure conferences that are nothing but a Ponzi scheme for the associations behind them, often charging speakers upward of $600 for the "privilege" of presenting their research. The work of these MIT students has exposed several conferences that accepted fake (computer-generated and senseless) papers.

Instead of focusing on writing papers that no one will ever read, researchers in the computer field should take a cue from their security colleagues and focus on research projects that make a difference and truly advance the profession, even at the risk of being labeled FUD.

It's time for academia to once again find its focus and voice. Instead of trying to compete with the MITs and Purdues of this world, teaching institutions (i.e. those below "tier one") should focus on what they are best at: teaching.

Src: Software-Generated Paper Accepted At IEEE Conference | Slashdot