Friday, February 29, 2008

Military Steps Up War on Blogs

Slashdot mentions an article appearing in Wired Blog Network 2 days ago about the Air Force blocking access to many blogs. It is cutting off access to almost every independent site with the word "blog" in its web address. At least one senior Air Force official calls the squeeze so "utterly stupid, it makes me want to scream."

See details at: Wired Blog Network.

Monday, February 25, 2008

Banks, Wall St. Feel Pinch from Computer Intrusion

Slashdot posted a link to an article in the Washington Post's Security Fix blog that claims that financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses attributed to computer intrusions and identity theft.

A non-public report assembled by the FDIC that contains detailed information was provided by a trusted source who asked to remain anonymous.

Interestingly, the report indicates that in most cases, banks are at a loss as to how exactly the cybercriminals are stealing the funds. Still, the FDIC indicates that a large portion of the unknown losses most likely resulted from malicious data-stealing programs.

For further information see the article in .

Friday, February 22, 2008

Securing Cyberspace Among the Top Technological Challenges of 21st Century, Panel Says

ACM TechNews cites an article about a National Academy of Engineering panel of renowned thinkers, including Larry Page, Google co-founder, that has identified 14 top technological challenges for this century. Securing cyberspace is among them.

"Since we live in an increasingly networked virtual world, cybersecurity is a fundamental engineering challenge," says Rob Socolow, professor of mechanical and aerospace engineering at Princeton University and a panel member.

See full article in NETWORKWORLD.

Thursday, February 21, 2008

How (Much) to Trust Wikipedia

Luca de Alfaro, Associate Professor of Computer Engineering at UC Santa Cruz, gave a talk at CITRIS (Center for Information Technology Research in the Interest of Society) at the University of California, Berkeley yesterday regarding a system for trusting Wikipedia text based on author reputation. The trust system derives from the fact that, as a collaborative encyclopedia, anyone can contribute to Wikipedia, and readers have no way of knowing whether to trust the contributed content.

The trust system can be visualized via a coloring of the text background, effectively spotting attempts to tamper with Wikipedia information. The entire English Wikipedia can be browsed using this system at http://trust/cse/ucsc/edu.

Friday, February 15, 2008

Web Browsing, Search, and Online Ads Grow More Risky, Google Says

Today's issue of ACM TechNews points up Google security engineer Niels Provos' finding that Web browsing and search are increasingly becoming channels for the distribution of malware.

Google has found in excess of 3 million unique URLs on more than 180,000 websites that attempt to install malware on visitors' computers. Surprisingly, Provos and the co-authors of a paper that describes the impact of "drive-by downloads" acknowledge that Internet advertising is contributing to malware distribution.

For further coverage of the issue, see InformationWeek.

Thursday, February 14, 2008

Powerful new antiphishing weapon DKIM emerges

Slashdot reports that Yahoo, Google, PayPal and others of the Internet's most powerful companies have a new weapon in the ongoing battle against email fraud. DKIM, which stands for DomainKeys Identified Mail, permits an organization to cryptographically sign outgoing email so that recipients can verify that the organization sent the message.

"DKIM increases the trust with which people can regard their e-mail," says Jim Fenton, a distinguished engineer with Cisco and one of the authors of the new standard. "DKIM isn't going to put an end to phishing, but I'm confident that DKIM is going to make it harder for phishing attacks to occur."

For more about DKIM, see the article in NETWORKWORLD.

Wednesday, February 13, 2008

Web browsers under siege from organized crime

A report issued by Help Net Security describes the findings of the 2007 X-Force Security report, which IBM released yesterday. The report details the disturbing rise in the level of sophistication of attacks by cybercriminals on Web browsers throughout the world.

IBM says that, by attacking the browsers of users, the criminals are now stealing identities and controlling consumers' computers at a rate never seen before. The X-Force has been cataloguing, analyzing and researching vulnerability disclosures for 11 years.

See Slashdot for more information.

Facebook A Black Hole For Personal Info

Slashdot cites an article the New York Times ran earlier this week on how it is nearly impossible to get loose from Facebook. While the Facebook website offers the option of deactivating one's account, their servers keep copies of the information in those accounts indefinitely.

A number of users have contacted Facebook to complain when their requests to have their accounts deleted failed to erase their records from the network. One such unsuccessful user, Nipon Das, a director at a Manhattan biotechnology firm, says "It's like the Hotel California. You can check out any time you like, but you can never leave."

The subtle archiving of information from deactivated accounts has raised concerns about the network's potential abuse of private data, especially in the wake of Facebook's Beacon advertising debacle.

See the New York Times for the full article.

Thursday, February 07, 2008

Antivirus Inventor Says Security Pros are Wasting Time

Slashdot reports that earlier this week Peter Tippett, chief scientist at the ICSA Labs and the inventor of the program that became Norton Antivirus, told the attendees of the Computer Forensics Show 2008 that it's time for security professionals to wake up and stop wasting their energy.

Tippett warned that roughly a third of the work security departments do today is a waste of time. He took aim at many of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process.

"If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network," notes Tippett. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000. But what did you really gain by implementing them? He only needed one."

For more on Tippett's presentation, see Dark Reading.

Wednesday, February 06, 2008

Proposed Law in CA Clarifies Breach Notification Rules

In SANS NewsBites' TOP OF THE NEWS, it is announced that a bill passed by the California State Senate details how government agencies and other organizations should notify consumers when their personal data have been compromised in a breach of security.

The chamber voted 30-7 in favor of the data breach notification bill, which requires notices to explain clearly what has happened and what people can do to protect themselves.

"Others have sugarcoated the news, or buried it in legal jargon, with the result that people don't understand their vulnerability to identity theft," said Sen. Joe Simitian, who introduced the bill. "No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand and that helps them decide what to do next."

Simitian's bill follows a recommendation from a study by the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley School of Law, which said notices should be standardized.

For more information about the bill, see InformationWeek.

Tuesday, February 05, 2008

Slashdot recounts information provided by an anonymous reader regarding problems with electronic voting stemming from a lack of mandated standardization.

To wit, LINUXINSIDER quotes Jamie McKown, Wiggins professor of government and polity at the College of the Atlantic:

"People debate the merits of e-voting for a variety of reasons, including suspicion of new technologies and a general distrust of politics. Reports on e-voting security often de-contextualize the history of voter fraud in this country, as if boxes were somehow assumed to be better. You constantly hear calls for paper trails, and open and free inspection of voting machine source code. But it's a very thorny issue and one that has a lot of facets," McKown told LinuxInsider.

The article goes on to suggest that once the decision about a universal voting platform is made, the way is clear for open-source software to address concerns over accuracy.

See full article in LINUXINSIDER.

Friday, February 01, 2008

Prof Aims to Improve Internet Security

ACM TechNews reports that University of Wisconsin-Madison computer scientist Paul Barford and his colleagues have developed a new approach to detecting network intrusions by focusing on a slight vulnerability in malicious traffic.

Barford's technology is able to be specific and more general simultaneously when detecting and identifying malicious signatures. This has the effect of preventing benign traffic from being labeled malicious, thus reducing the crippling effects of false positives on security systems. Barford also says the technology can use a single signature to detect classes of attacks, a feature not offered by other systems.

For details, see this article in the Wisconsin State Journal.