Thursday, January 31, 2008

Information is our only security weapon: Bruce Schneier

In his keynote address to the Linux conference currently being held in Melbourne, Australia, Slashdot notes that computer security expert Bruce Schneier took aim at several sacred cows in the area of security technology, including RFID tags, national ID cards, and public CCTV security cameras.

Schneier said that these technologies were all examples of security products tailored to provide the perception of security rather than actually tackling security risks and he notes that despite the well known impact of emotional and psychological thinking on security decisions, information remains the greatest weapon that we have in creating good security solutions.

For more commentary by Schneier, see iTnews.

Wednesday, January 30, 2008

Risking Communications Security: Potential Hazards of the Protect America Act.

Highly respected security researchers Steve Bellovin, Matt Blaze, Whit Diffie, Susan Landau, Peter Neumann, and Jennifer Rexford have released a preprint of a paper they cowrote about the security holes that would be opened if a broad warrantless wiretapping law is passed, reports Slashdot.

The paper states "It is critical that the new surveillance system neither enable exploitation of US communications by unauthorized parties nor permit abuse by authorized ones."

New security risks, risk reduction, architectural choices, oversight and recommendations are among the areas addressed in the paper.

To see the complete preprint of the article to appear in IEEE Security and Privacy, go to Risking Communications Security: Potential Hazards of the Protect America Act.

Tuesday, January 29, 2008

Spies in the Phishing Underground

An anonymous reader sent Slashdot to for an interview with security researchers Nitesh Dhanjani and Billy Rios. The two researchers managed to infiltrate the phishing underground with the intent of simply examining phishing sites. However, they discovered a much deeper and complex system that supports the business of phishing.

"For the next few years, we are going to continue to apply band-aids around the problem of data leakage, and continue to play whack-a-mole with the phishers without solving the actual problem at hand," says Dhanjani. "In order to make any significant progress, we must come up with a brand new system that does away with depending on static identifiers. We will know we've accomplished this when we will be able to publish our credit reports publicly without fearing for our identities."

See for the complete interview.

Monday, January 28, 2008

Microchips Everywhere: a Future Vision

Slashdot notes a lengthy article posted last Saturday describing the near future as having microchips with antennas embedded in almost everything you buy, wear, drive and read.

With so many objects with RFID tags relaying information to databases that can be linked to credit and bank cards, almost no aspect of life may soon be safe from the prying eyes of corporations and governments, says Mark Rasch, former head of the computer-crime unit of the U.S. Justice Department.

He envisions a future where anyone from police to identity thieves to stalkers might scan locked car trunks, garages, or home offices from a distance. "Think of it as a high-tech form of Dumpster diving," says Rasch, who's also concerned about data gathered by "spy" appliances in the home.

For the full article, see

Friday, January 25, 2008

Phishing Group Caught Stealing From Other Phishers

Slashdot points up an article Netcraft has written about a website offering free phishing kits with one ironic twist -- they all contain backdoors to steal stolen credentials from the fraudsters that deploy them.

In the Netcraft article, the creators of the kits are described as a group of Moroccan fraudsters calling themselves Mr-Brain, whose intentions are to encourage as many people as possible to use their phishing kits. Close inspection of the configuration script reveals deceptive code hiding the true set of electronic mail addresses that are contacted by the kit, ie., every fraudster who uses the kit will unwittingly send a copy of each victim's details back to the Mr-Brain group.

For details, including another Mr-Brain scam earlier this month configured to covertly send harvested credentials from Bank of America, see this issue of Netcraft.

Thursday, January 24, 2008

Cyber Thieves Going After Americans' Healthcare Data

In a SANS newsbyte of last week, US Department of Homeland Security analyst Mark Walker reportedly told attendees at a National Institute of Standards and Technology (NIST) workshop that early last year, the Centers for Disease Control and Prevention website became infected with malware and then a computer with information about a military health insurance program was broken into last spring. The foreign hackers are primarily from China and Russia.

"They've been focused on the Department of Defense - the military - but now are spreading out into the health care private sector," Walker said.

For further information, see FCWCOM.

Wednesday, January 23, 2008

RIAA Website Hacked

Slashdot reports the existence of an SQL injection attack on the Recording Industry Association of America's (RIAA) website last Sunday.

The Register says the "RIAA's high-profile lawsuits against file sharers have made it a prime target for hack attacks."

While the RIAA has restored, whether is is any more secure than before is questionable since the site did not have even rudimentary security controls in place.

See TorrentFreak for sample screen shots of the result of the attack on the RIAA site.

Tuesday, January 22, 2008

Why Privacy and Security is not a Zero-Sum Game

Slashdot mentions a write-up in ars technica about why security consultant Ed Giorgio's statement that privacy and security are a zero-sum game is wrong. It is reasoned that, according to Metcalfe's law , the value of a government network to the good guys is the same as for the bad guys.

The author of the article notes that with the government's tendency to gather all of its eggs in one database, we'll end up with neither security nor privacy, unless more attention is paid to privacy -- i.e., a lot of privacy can be traded away for no gain in security and it's not necessary. For details and examples of the issue, see ars technica.

Thursday, January 17, 2008

iPhone Trojan Sign of Things to Come?

Slashdot refers to an article about the appearance of the first hack on iPhones .

According to ITBusinessEdge , the USCERT (US Computer Emergency Response Team) warns that a currently relatively harmless Trojan that overwrites some utilities bodes ill for future development.

Further, the SANS Institute lists threats against mobile phones in the top 10 security threats for 2008.

See Top Ten Cyber Security Menaces for 2008 for details.

Wednesday, January 16, 2008

'War on Terror' Allies Form Information Consortium

According to Slashdot, Guardian Unlimited posted a story yesterday about the FBI's interest in connecting its own database resources with other countries'.

A U.S.-initiated program called "Server in the Sky" would take cooperation among police forces a level beyond the current faxing of fingerprints. The FBI told the Guardian:"Server in the Sky is an FBI initiative designed to foster the advanced search and exchange of biometric information on a global scale."

See Guardian Unlimited Special reports .

Tuesday, January 15, 2008

Most Home Routers Vulnerable to Flash UPNP Attack

Slashdot reports that Universal Plug and Play vulnerabilities are being researched by contributors to Gnu Citizen, a self-described cutting-edge think tank/ethical hacker outfit. They've produced a flash swf file that is capable of opening open ports into your network by merely visiting a URL.

They claim that cannot really go to a vendor to ask for a solution because it is not actually a bug that they are finding but rather a conglomeration of design problems.

For details, see the January 12th publication of GNUCITIZEN.

Monday, January 14, 2008

Malware Distribution Through Physical Media a Growing Concern

A slashdot post yesterday mentions a story that had run in the Register about the increasing number of digital devices reaching consumers with malware already installed on them.

In the latest incidents, three photo frames made by Advanced Design Systems and bought from different Sam's Club stores each contained a Trojan horse, according to reports to the SANS Internet Storm Center.

In another incident in 2006 Apple iPods were infected with a Windows virus. Other incidents include infected disk drives. "When (the first incident) pops up, we thought it might be someone that was infected and blamed it on the digital picture frame," says Marcus Sachs, volunteer director of the Internet Storm Center and executive director of government affairs at Verizon. "But this is malware - and malware that does not seem to be very well detected. You could plug in a device and infect yourself with something you would never know you had."

For additional information, see The Register.

Friday, January 11, 2008

FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

An online newsletter published by the SANS Institute states that, according to a report the US Federal Aviation Administration, the onboard computer networks of the Boeing 787 Dreamliner could be used to gain access to the aircraft's control systems.

"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode. "This isn't a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. I hope they are really thinking about how to get this right."

For further information, see Wired.

Thursday, January 10, 2008

Open Source Code Contains Security Holes

Slashdot points to an article published yesterday that covers the US Department of Homeland Security's program for examining the security of open source code. Popular open source code dynamic languages like Samba, PHP, Perl, Tcl, and backup and recovery software Amanda were found to have hundreds of security holes and defects.

The DHSS granted a $300,000 contract to Coverity in March 2006 to review code generated by 180 open source projects resulting in fixing 7826 open source project defects.

For details see Charles Babcock's article in InformationWeek.

Wednesday, January 09, 2008

Researchers Say Wi-Fi Outbreak Possible

Indiana University IT researchers have announced that a seriously damaging WiFi attack is possible if piggybacked across unsecured access points in a large city. Such an attack could take over 20,000 wireless routers within a two-week period.

The researchers theorize that the attack would work by guessing administrative passwords and then instructing the wireless routers to install worm-like firmware causing the infected router to attack other devices in its range.

For details, see NETWORKWORLD and Slashdot.

Tuesday, January 08, 2008

Mass hack infects tens of thousands of sites

Slashdot reports a successfully launched automated SQL injection attack against more than 70,000 websites as of last Saturday. By Sunday, a second attack had infected more than 90,000 servers.

The SANS Institute states that hacked sites included both .edu and .gov domains.

The full article can be seen in COMPUTERWORLD.

Monday, January 07, 2008

Can You Count on Voting Machines?

A Slashdot post points to a lengthy article published last Sunday by the NY Times regarding new voting technologies and their shortcomings, as one-by-one, states renounce the use of touch-screen voting machines.

It comes as no surprise then that, after a series of incidents in the last few years, Diebold, a company know at one time primarily for making safes and A.T.M.'s, tried to sell off its voting-machine business. After failing to find a buyer, Diebold changed the name of the division last August to 'Premier Election Solutions'.

See complete article at  
The New York Times Magazine

Friday, January 04, 2008

Electronic Passports Raise Privacy Issues

ACM Technews cites an article from the Washington Post regarding a new passport card offered by the federal government to U.S. citizens who travel frequently between the U.S. and Canada, Mexico or the Caribbean.

The card is equipped with electronic data chips that can be read wirelessly from 20 feet. The goal of the passport card is to reduce the wait at land and sea border checkpoints.

"The government is fundamentally weakening border security and privacy for passport holders in order to get people through the lines faster," said Ari Schwartz, deputy director of the Center for Democracy and Technology, which submitted comments in opposition to the proposed rule, along with 4,000 others.

See full article at