Security Issues

Strange Spam Behavior

Frank — Tue, 29 Apr 2008 16:43:00 GMT

In the past two days, I've gotten well over 200 "Mail Returned" errors to email addresses I've never sent emails to.

Each one of these emails has an attachment, which I'm sure contains a virus payload.

Anyone else seeing this?

Technorati Tags: Spam,Email,Security

Asirra: Keeping Out Bots and Helping Homeless Pets

Frank — Thu, 20 Mar 2008 00:08:00 GMT

The CAPTCHA has been around for a while now.

We've all seen those images that pop up when you post to a blog or sign up for a free account online somewhere.

The trouble is that the spammers ability to programmatically recognize these distorted words is catching up.

The solution is to up the ante, by making the challenge harder.

How about deciding whether or not a picture contains a dog or cat?

That's what Asirra (Animal Species Image Recognition for Restricting Access) does.

Asirra is a CAPTCHA (or HIP, Human Interactive Proof) that works by asking users to identify photographs of cats and dogs.

This is a difficult task for computers, but that something people can do quickly and accurately.

Microsoft Research teamed up with Petfinder.com, the world's largest site devoted to finding homes for homeless pets.

PetFinder has a catalog of over three million images of cats and dogs, manually classified by people at thousands of animal shelters across the United States.

In exchange, Asirra provides a small "Adopt Me!" link beneath each photo, as well as wider exposure for animals needing homes.

Best of all, the site provides information on adding Asirra to your site to keep the spam bots out and help out animals in need.

Win win for everyone.

Technorati Tags: Asirra,CAPTCHA,HIP,PetFinder

Cyber Warfare in Progress?

Frank — Sun, 03 Feb 2008 11:37:00 GMT

I'm with Warner on this one, three cable cuts to one region in a week seems awfully suspicious.

First, it was two cables under the Mediterranean that caused internet service disruptions as far away as India, now it's a cable off the coast of Dubai.

It could just be a series of coincidences, but the odds of that are shrinking.

Technorati Tags: Internet,Dubai,Cable Cut,Cyber Warfare

Governments Prepare for Cyber "Cold War"

Frank — Tue, 04 Dec 2007 08:10:00 GMT

ZDNet UK has an article about how seriously governments around the world are taking computer security: both as a means of offense and looking into shoring up their defenses.

From the article:

Countries are currently testing the water to gauge the threat and potential for damage posed by their cyber-assaults, according to the 2007 Virtual Criminology Report produced by security firm McAfee.
[..]
Paller said attacks against the US military this year — reportedly made by China, although the Chinese have denied responsibility — resulted in the loss of large amounts of data. The data had, in part, been stolen from the NIPRNet, a US military network which is open to the internet and used for the transmission of non-classified documents.

Maybe computer security will be taken more seriously in the future, maybe not.

From security guru Bruce Schneier's Blog, where he and Marcus Ranum discuss what computer security will be like ten years from now (emphasis added)

at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective.

It's 2007 and we haven't seemed to accept that:

You can't turn shovelware into reliable software by patching it a whole lot.
You shouldn't mix production systems with non-production systems.
You actually have to know what's going on in your networks.
If you run your computers with an open execution runtime model you'll always get viruses, spyware and Trojan horses.
You can pass laws about locking barn doors after horses have left, but it won't put the horses back in the barn.
Security has to be designed in, as part of a system plan for reliability, rather than bolted on afterward.

The list could go on for several pages, but it would be too depressing. It would be "Marcus' list of obvious stuff that everybody knows but nobody accepts."
You missed one important aspect of the problem: By 2017, computers will be even more important to our lives, economies and infrastructure.

Back to the ZDNet article (emphasis added):

They [security experts] warn that a "cyber cold war" is developing, in which governments are using technology not only for the immediate benefit of gaining intelligence from stolen data but also to probe critical national infrastructures for possible weak points that could be exploited in the event of conflict.

In some ways, we, as developers, are somewhat responsible for bad security. We write the code that can get exploited. We have no control, however, over poor administration, password on Post-It notes, and PEBKAC errors .

We can, however, have a positive impact by thinking about security more. Make it part of our architectures, insist on security audits, press your leadership to allow time to security to be built into the application design, rather than an afterthought.

It may take a while, but in ten years, we'll either be ten years older and wiser or just ten years older.

Maybe we need a 21st century version of this WW2 era poster:

Technorati tags: Security, CyberWar, Infrastructure, Malware, Bruce Schneier

Real World Steganography

Frank — Mon, 19 Nov 2007 14:22:00 GMT

In 2004, I had worked on an RFP for a project (Kreskin) to detect images hidden in other types of files, a technique known as Steganography.

All the security experts I interviewed said that it would take several years for steganography to become a priority for IT security professionals, as it would take that long for it to become widely in use.

It's seems that steganography is growing in popularity in some criminal circles.

[found via Slashdot]

Technorati tags: Steganography, Security

Little Bobby Tables

Frank — Tue, 16 Oct 2007 17:00:00 GMT

Now, here is a great name for a kid.

For those not in the know, this joke refers to a SQL Injection attack, as always WikiPedia has more information on the subject.

Technorati tags: SQL Injection Attack, Humor, Cartoon, xkcd, Security

Quantum Cryptography Put to Use

Frank — Fri, 12 Oct 2007 15:26:00 GMT

Swiss officials are using quantum cryptography to protect ballots cast in their upcoming parliamentary elections.

From the article:

Quantum cryptography uses photons to carry encryption keys to secure communications over fiber-optic lines and can automatically detect if anyone is trying to eavesdrop on a communications stream.
For the Swiss ballot-collection process, the quantum cryptography system made by id Quantique will be used to secure the link between the central ballot-counting station in downtown Geneva and a government data center in the suburbs.

Given the problems here in the US with electronic voting, it could be a while before we'll see quantum cryptography added to the mix.

[found via Slashdot]

Technorati tags: Quantum Cryptography, Electronic Voting, Security, Swiss

Gone Phishing and Identity Theft for Criminals

Frank — Fri, 14 Sep 2007 13:22:00 GMT

The Research Channel held a contest for college student to come up with computer security awareness videos.

All entries had to be two minutes or less.

The results are informative and hilarious.

My personal favorite is the "Gone Phishing" video.

Technorati tags: Security, Phishing, Research Channel

Symantec Report: Windows Gets Patched Faster

Frank — Wed, 28 Mar 2007 16:42:00 GMT

According to a recent Internet Security report from Symantec, Windows' flaws get fixed faster than Apple or Linux.

The report only covers the second half of 2006, so the data is both recent and short. However, it does indicate that Microsoft has turned the corner in regards to updating and patching to beat out everyone else.

Here's the line up from the report:

Microsoft
Vulnerabilities: 39 (12 high priority/severe)
Avg Fix Time: 21 days

Red Hat
Vulnerabilities: 208
Avg Fix Time: 58 days

Apple
Vulnerabilities: 43 (1 high priority/severe)
Avg Fix Time: 66 days

HP-UX
Vulnerabilities: 98
Avg Fix Time: 101 days.

Sun
Vulnerabilities: 63
Avg Fix Time: 122 days.

Sun, naturally, disputes the claims made on the report and wrote in an email to InternetNews.com: (emphasis added)

"Symantec's data on security vulnerabilities simply does not match Sun's. [..] averages are skewed by a small minority of 3rd party applications (or code) that are included/bundled with Solaris. [.. ] we stand by our reputation and established track record of responding to security vulnerabilities with Sun Alerts and a quick turnaround time for patches. "

A security flaw is a security flaw. Folks bent on breaking into your systems aren't going to care how they can break in. They're going to exploit any vulnerability they can, regardless of who wrote the code.

[found via the DevHammer (aka Andrew Duthie)]

Technorati tags: Security, IT Security, Patches, Windows, Sun, Apple, Symantec

Microsoft Research Videos on the Research Channel

Frank — Thu, 21 Dec 2006 17:57:00 GMT

For a brief period of time, we had Dish Network service at home.

One of the channels that got my attention on the program guide was the Research Channel.

I tuned into it and, much to my delight, there was a seminar on cryptography and steganography other other security related topics.

I was hooked.

Unfortunately, the only place where the dish would get any signals was right on the front of the house, where you get to see the back end of the dish.

Even I thought it was ugly and I'm a total geek, so you know my dish tolerance levels are pretty high.

Fortunately, the research channel has most of their content available online, including this seminar on Extraordinary Computing Experiences and Robots for the Masses: Fiction or Reality.

Technorati tags: Robotics, Research Channel, Cryptography, Microsoft, Steganography, Security Isssues, Dish, Satellite TV