Security on The Truth Imperative

Ios Clients Not Vulnerable To Heartbleed What Does The Source Say

Thu, 17 Apr 2014 15:05:00 -0700

Apple’s language in their assertion that they are not vulnerable to heartbleed on iOS are troubling as they specifically say (via ReCode), “IOS and OS X never incorporated the vulnerable software…” However, not incorporating the vulnerable OpenSSL software is merely one way that their customers could have been made vulnerable. What about the Apple SSL/TLS implementation? Has anyone checked it? Did they incorporate RFC 6520 for heartbeat support? I couldn’t find anything Google so figured I would share what I found.

Using VNC to securely connect to OSX without exposing an unlocked console

Sun, 13 Apr 2014 22:27:00 -0700

I couldn’t believe how supremely difficult it is to securely use VNC to access an OSX mac remotely. Turns out that by default, using a standard VNC client (as opposed to an Apple Remote Desktop client) does not afford you an option to have the physical console lock when someone connects to the VNC server. Some third-party clients make this an option, but all that I could find were paid VNC clients that support it. It is somewhat ridiculous that this setting is left to the client rather than enforced on the server, but I digress…

I Get An Irs Scam Voice Mail

Sun, 13 Apr 2014 22:22:00 -0700

Had to share this hilarious voice-mail I received from an IRS scammer (happened to come in with Unknown caller ID – I read online that others had been spoofing US phone numbers for caller ID in the past). The transcript does not do it justice. I laughed out loud when I heard the phrase, “and you get arrested” as that is precisely what one would expect to hear from the IRS.

Information Warfare Via Url Shorteners

Wed, 18 Sep 2013 23:21:00 -0700

As I’ve used Twitter more, I’ve noticed how many of the shared URLs are shortened. And to think that the Library of Congress is archiving all US tweets, how many will actually be usable at some point in the future? Hopefully their process logs the resolved actual URL instead of the shortened one. When I restored my blog, it was amazing how many broken links I found. I stopped fixing them. That’s just the regular web. Adding URL shortening is another level of indirection that is also another failure point.

Seattle Infosec calendar

Thu, 11 Jul 2013 00:34:00 -0700

I searched and didn’t find a Seattle-specific Information Security calendar showing not only conferences, but smaller security events. So I created a new public one. And I guess that means now I’m maintaining one ;-)

If you know of something I’ve missed, let me know and I’ll add it.

To subscribe: ICAL, XML

Full browser web view

What can we learn from the ZRTPCPP / Silent Circle debacle?

Tue, 02 Jul 2013 23:37:00 -0700

07:00

As a way of background, Phil Zimmerman’s company Silent Circle became wildly successful recently after Snowden’s disclosures of extensive NSA data collection of telephony “metadata” and “data — including e-mails, videos, pictures, and connection logs — from the main servers of Microsoft, Google, Apple, and other leading U.S. tech companies” (1). “Mike Janke, one of the founders, estimated that the number of new customers for its subscription-based service surged by 400 percent” (2)

SONY compromised?

Mon, 26 Nov 2007 14:50:00 -0800

I noticed that one of the throw-away email addresses I registered years ago for sony style product registration and accessories is now receiving spam. Was sony compromised or did they have an insider sell their addresses? Who knows… I know that I didn’t give it out to anyone…

Seattle City Light Billing Scam Warning

Mon, 14 May 2007 15:04:00 -0700

This kind of thing was going on long before “phishing” was coined. It’s the same thing in a different technology medium.

FOR IMMEDIATE RELEASE CONTACT: Scott Thomsen April 25, 2007 phone: 206/615-0978 pager: 206/386-4233

BILL COLLECTION SCAM TARGETS WEST SEATTLE Customers Urged to Protect Credit Card Information from Con Artists

SEATTLE - Seattle City Light is urging its customers to be on guard against telephone con artists posing as utility bill collectors who appear to be targeting customers with Asian surnames in the West Seattle area.

Craigslist Hoax Lures People To Destroy Woman'S House

Tue, 10 Apr 2007 12:17:00 -0700

Boing Boing: Craigslist hoax ad leads to destroyed home

This happened in Washington. I couldn’t believe it when I heard about it and now it’s made it to Boing Boing. Scary.

Notable Security Quote Does Your Company Suffer From Employee Infallability Syndrome

Sat, 10 Mar 2007 15:15:00 -0800

I will say that any government (or other) program which assumes the honesty of employees and contractors is fundamentally flawed, and any associated risk analysis is either incompetent, or in failing to identify risk to travellers, seriously incomplete.

-- Ian Farquhar on the Cryptography mailing list 2/27/2007

Notable Security Quote Insane Probabilities

Sat, 10 Mar 2007 15:06:00 -0800

Yes, of course an infinite number of texts hash to the same value; that’s the way the function works. But the odds of it happening naturally are less than the odds of all the air molecules bunching up in the corner of the room and suffocating you, and you can’t force it to happen, either.

--Bruce Schneier

Clearwire Secure Clear As Mud In Their Own Words

Sun, 18 Feb 2007 08:36:00 -0800

I got an advertisement for Clearwire wireless broadband to my house that had a terrible Q & A about security:

Q: How secure is the connection? Is it more secure than Wi-Fi? A: Your Clearwire connection is very secure. That’s because Clearwire wireless technology uses OFDM transmission protocol, featuring a design standard that includes secure wireless data transmission.

Well, it starts off not too bad. Very high-level and milquetoast of a response. But unfortunately, they continue:

Slashdot | Possible Serious Security

Sat, 02 Dec 2006 16:00:00 -0800

Slashdot | Possible Serious Security Flaw In ATMs

Nist Blasts Paperless Electronic Voting

Sat, 02 Dec 2006 15:58:00 -0800

The National Institute of Standards and Technology (NIST) recently published a paper condemning paperless electronic voting machines as insecurable. I’ll have to read the paper in-depth to see how they came to that strong of a conclusion, but I do know that there is no research showing that a purely electronic system can be completely trustworthy.

It’s amazing how far this subject has come in just a few years, yet how far it still needs to go as evidenced by the irregularities in the recent 2006 midterm election.

Cia Kryptos Sculpture Has A Typo

Fri, 24 Nov 2006 17:00:00 -0800

It's not really a typo but an intentionally left-out X separator for 
aesthetics on the sculpture that was intended to result in gibberish 
when decrypted that would clue in the decryptors to reinsert a separator 
and try again, except it ended up spelling something intelligible 
instead of garbage so they thought they had decrypted it properly!
```[A Break for Code Breakers on a C.I.A. Mystery - New York Times](https://www.nytimes.com/2006/04/22/us/22puzzle.html?ex=1164603600&en=52cd0484e7cbb98b&ei=5070) 

> For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.

Upgrade IE ASAP

Fri, 24 Nov 2006 16:53:00 -0800

A study from a year ago but just as valid today. Actually, over the past year, IE got much worse. There were many exploits and unpatched holes in the browser.

One of the best things you can do for your Windows security is to make sure you upgrade to IE 7.x which has been redesigned to avoid many classes of attacks. It is being pushed out by Windows Update (or Microsoft Update) You can also switch to Firefox or Opera to get better security but please don’t use IE 6.x or older anymore!

Department Of Homeland Pork

Fri, 24 Nov 2006 16:41:00 -0800

Get this: The list of top terrorist targets from the Department of Homeland Security is seriously braindead. It includes 1,305 casinos, 234 restaurants, an ice cream parlor, a tackle shop, a flea market, and an Amish popcorn factory 3,650 sites total. What’s going on? Pork-barrel politics is what’s going on. We’re never going to get security right if we continue to make it a parody of itself.

The worst part is that DHS didn’t even try to hide the pork-barreling by making the inclusions and omissions clear and blatant. Oy. I reluctantly file this in the security category…

How To Break A Common Master Combination Lock

Fri, 24 Nov 2006 16:38:00 -0800

Here’s a description of how to open a common Master brand lock in about 10 minutes. The design makes the 40^3 possible combinations collapse to 121. It’s a physical metaphor for bad cryptography and reliance on obscurity.

I happen to have a lock that I forgot the combo to that this will definitely come in handy for…if I can only find the lock…

Airport Security Oversights From The Onion

Fri, 24 Nov 2006 16:35:00 -0800

This was the most troubling one:

Airport Security Oversights | The Onion - America’s Finest News Source

Sept. 3, London to New York: A few Muslim people may have slipped through with their dignity

Encrypted Government Announcements

Fri, 24 Nov 2006 16:33:00 -0800

U.S. Cryptographers: ‘FrpX-K5jE-Oc4n-e5Dn’ | The Onion - America’s Finest News Source

WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that “FrpX-K5jE-Oc4n-e5Dn” if “Ha4d-87gH-uiH3-gB5r-g8Bh” late Monday.

Competitive Information For Picking An Antivirus Solution

Fri, 24 Nov 2006 15:21:00 -0800

This is an article from a year ago that showed how each vendor was able to respond to key virus outbreaks. They also show the data from the previous year.

I personally recommend F-Secure’s product. The base product gives you everything you need for anti-spyware and malware and is inexpensive. It is not a huge fat pig like some of the products out there (McAfee…) I’ve heard from others who enjoy Kapersky as well, so either of those would be good choices and happen to both top this list.

Four Challenges For Computer Security Research

Fri, 24 Nov 2006 14:47:00 -0800

I would add a 5th item:

5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design

Tools are sexy; secure design is hard. That’s why you see so many tools and vendors hawking tools but not as much work. I hear from people all the time who talk about this tool or pen testing or scanning some server or how you need to hack your wireless network to be secure. That is a bunch of crap in general because trying to audit your way to security is bottom-up grass-roots and can only get you so far. It’s an early maturity model to be spending so much time and energy on audits and pen tests instead of security design reviews and developing security architectures. It’s a lot easier and sexier to say you hacked a wireless network. We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don’t care who is connected to the wireless network because your security is not so brittle as to lose sleep over it. Where are those reusable models made open source?

Ballot Design Not Dre Issues At Play In Fl Undervote Anomalies

Fri, 24 Nov 2006 06:52:00 -0800

It is hard to believe that such a blatant undervote error could be attributable solely to the DRE itself not properly recording them. But user interface designs can certainly be abused maliciously, or likely unintentionally, to create these situations. How ironic is it that the DREs that were touted to Help America Vote are actually helping them to undervote, due to poor design/implementation of the ballots?

Proper UI is just as important as sound underlying technology in ensuring proper understanding and usability of a system. Recall Why Can’t Johnny Encrypt? A Usability Evaluation of PGP 5.0 and the more recent Why Johnny Still Can’t Encrypt: Evaluating the Usability of Email Encryption Software for how even known secure software can result in insecure and unintended actions by the user. The infamous Butterfly ballots were not DRE-based but certainly were flawed UI that caused voting errors in previous elections so this is not a new issue to software or to voting by far.

Scans From 1962 Fallout Shelter Handbook

Wed, 22 Nov 2006 15:51:00 -0800

The Ward-O-Matic: Fallout Shelter Handbook 1962

I’ve been working on emergency preparedness for my neighborhood lately so this is very apropos.

BTW, I found a $79.99 Ready kit at Home Depot that is a pretty good deal for a 2-person 72 hour kit (what is recommended for personal preparedness at a minimum). Don’t forget supplies for your pets too!

VirusTotal: Free site to check malware and AV solution efficacy

Thu, 12 Oct 2006 01:57:00 -0700

Aviv Raff On .NET - VML Exploit vs. AV/IPS/IDS signatures

Article showing how VirusTotal revealed how easy it can be to create “variants” that go undetected by most Anti Virus products. The VirustTotal website could be a valuable resource.

No Fly List

Tue, 10 Oct 2006 02:43:00 -0700

Schneier on Security: No-Fly List

What a piece of crap!

Microsoft Bug Reporting Process Makes Me Cacl

Mon, 09 Oct 2006 13:28:00 -0700

The story of how Microsoft has ended up with so many unconnected and uncoordinated versions of command-line tools to manage setting and displaying ACL (Access Control List) entries is funny enough, but wait until you hear about my experience trying to report a bug in the tool. First, on the sordid history that has lead to three versions of the same tool, instead of one version that actually works correctly and handles all situations. There was first cacls.exe, which shipped with windows AFAIK. That was missing some key features so in all their wisdom, Microsoft released xcacls.exe in a resource kit that made up for the shortcomings in cacls.

Ing Direct'S Anti Phishing Measure Backfires

Mon, 09 Oct 2006 13:17:00 -0700

Another funny observation I had was about ING’s anti-phishing security mechanisms and usability. They make you use an annoying, long numeric ID as your login ID (you can’t change it to an easily-rememberable one) which you can’t likely remember so you have to write it down or use Password Safe to recall it. By making account IDs a secret, they are hoping to buy additional security from the obscurity.

However, they recently added a feature on the site (likely because of the usability problems with people not knowing or remembering their login ID) where you can enter some static identifying information (SSN, zip code, birthdate) and they will then pre-populate your customer login ID. I use this often because although you have to type in more information, the usability is better because it is faster to do this than to look up what my login ID is. But, they have now created a great target for phishers that can undo all the benefits of the hidden login ID and the additional measures on the site because this feature is not protected with their RSA/Cyota eStamp as their login dialog is.

Security and Privacy "Certifications" often mean the opposite

Fri, 06 Oct 2006 06:56:00 -0700

Certifications and Site Trustworthiness

An excellent paper summarizing many of the problems with certifiers such as TRUSTe as well as showing that sites that get these certifications to prove their trustworthiness are actually more likely to NOT be trustworthy!

I know companies who are simply concerned about wanting customers to _think_ that their site was secure that they worked on getting a certification instead of investing in actually _making_ their site secure. No corrective action was taken to align technology or processes to the spirit or letter of the “certification”. The same crummy procedures and mindsets that existed before the certification were there after the certification.

TSA Insecurity. An economists perspective

Mon, 25 Sep 2006 16:44:00 -0700

Freakonomics Blog: An airplane announcement I’ve been waiting for

if I were a terrorist, don’t you think that I could figure out how to take the top off a bottle of contact lens solution and put my explosive liquids in there? It is totally pointless to enforce rules which impose costs on innocent people, but are easily circumvented by terrorists. Can anyone think this is accomplishing anything productive?

Diebold Voting Systems Hacked Again

Thu, 14 Sep 2006 15:31:00 -0700

The BRAD BLOG : HACKED: VIRUS IMPLANTED, SPREAD ON DIEBOLD TOUCH-SCREEN VOTING MACHINE!

Researchers at Princeton, including Ed Felton, have been able to implant malicious code on Diebold touch screen voting machines that was demonstrated to be able to flip election results. They have a video of them doing this as well.

The company response is typically clueless (as is their security). I wonder if the nice Diebold ATMs in use at banks such as USBank are anywhere near as vulnerable?

Exploding Heads At Tsa

Sat, 02 Sep 2006 13:49:00 -0700

t-tsa

Boing Boing: What would the TSA do about exploding ID?

Airline Insecurity Anew

Sun, 13 Aug 2006 13:24:00 -0700

Crooks and Liars � Aviation Critic Michael Boyd on our Airport Security

Latest Airline Quot Security Quot Hysteria

Thu, 10 Aug 2006 20:08:00 -0700

Educated Guesswork: Threat modelling airplane explosive detection

A good analysis of why the threat model of materials in checked luggage may be sufficiently different than carry-on that would need to hold for the new security measures to make sense.

I’m not sure I agree with Bruce Schneier’s assessment that, “Given how little we know of the extent of the plot, these don’t seem like rediculous [sic] short-term measures.” I don’t agree with this because if it is too risky to bring these kinds of materials onboard today, then why would it ever be okay to allow them tomorrow? It’s kind of like the precautionary disconnect from the Internet, “Why, why, why do they let employees use the Internet at all if they occasionally stop trusting its safety? Threats don’t magically shrink just because you updated the antivirus package.” It doesn’t make much sense occassionally stop trusting liquids/gels on airplanes, They are either a threat (someone can always masquerade a bomb as benign liquid at anytime and can always disguise a detonator as anything–imagine if terrorists use cellphones instead of keyfobs for a detonaor–the public reaction to banning cellphones in carry-on would be huge) or they aren’t. I agree that there is a heightened threat right now, but that threat has been and will be nonzero, so when will it be “safe” to allow them back on board and what criteria would determine this?

Diebold A Danger To America

Mon, 31 Jul 2006 15:19:00 -0700

The Open Voting Foundation

“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

Rfid No Good For Vehicle Security

Mon, 31 Jul 2006 15:16:00 -0700

Wired 14.08: Pinch My Ride

Alternate attack vectors mean that RFID is often not the part of the security system that gets broken (not unlike strong crypto). All of the supporting systems around it are easily broken.

Myspace Infects Yourpc

Wed, 26 Jul 2006 10:45:00 -0700

Schneier on Security: Hacked MySpace Server Infects a Million Computers with Malware

Malicious banner ad exploits unpatched IE hole (there are many and more all the time). You have switched to Firefox, Opera, Konqueror or anything other than IE, right?

SeaSec security forum

Wed, 26 Jul 2006 10:42:00 -0700

07:00

SeaSec security forum

Just found out about an informal security group that meets in Seattle. I’ve often seen a need for interaction with security professionals between Agora and ISSA monthly meetings (and I’m on the ISSA Puget Sound board). Where organizations don’t meet needs, they often spring up on their own. Once my dance lessons are over at Century Ballroom, I’ll be able to attend these on Wednesdays.

Ingdirect Deploying Rsa Cyota Estamp

Tue, 18 Jul 2006 04:38:00 -0700

Information about the change.

US Election System Still Frought with Systemic Problems

Sun, 09 Jul 2006 10:46:00 -0700

USNews.com: The road to reform in election corrections has been slow going

That messy 2000 election was supposed to be the jolt America needed. After chronic flaws in the country’s voting process became painfully public, an ambitious reform effort was supposed to make hanging chads and butterfly ballots relics of election nightmares gone by.

But nearly six years later, it hasn’t turned out that way. In the state of Washington, the 2004 governor’s election took more than six months to resolve–again before a court. And some liberal activists still believe that vote tampering and dirty tricks handed Ohio to the GOP, enabling President Bush to win re-election. Now, heading into the midterm congressional elections, despite the expenditure of billions of dollars, a litany of problems remains.

Why SSL alone will not solve the phishing problem

Sun, 09 Jul 2006 07:44:00 -0700

SSL-authenticated login pages certainly doesn’t _solve_ the phishing problem since phishing is partly psychological/sociological and makes use of technology as a means of improving the odds of the hacking the human psyche. So, a purely technological fix is unlikely to, prima facia, address the root issues.

But, the SSL change can help in a couple of key ways:

Rather than give customers 0 tools to protect themselves, we can give them at least the best tool out there so far for authenticating our site and therefore make an informed decision.

Ajax Security Basics

Sun, 09 Jul 2006 07:30:00 -0700

AJAX security is no different than normal web application security, except that it can add lots of complexity to a site and make black-box auditing much more difficult.

-—-Original Message—– From: Andrew van der Stock [mailto:vanderaj@greebo.net] Sent: Tuesday, June 20, 2006 4:43 AM To: Webappsec ((((E-mail)))) Subject: Fwd: SF new article announcement: Ajax security basics

This was posted to SecurityFocus.com yesterday.

Their article is eerily similar to my Ajax presentation from February (particularly if you’ve seen me give the presentation), and even more similar to the draft Ajax chapter I wrote shortly after for the OWASP Guide (now posted to our Wiki - https://www.owasp.org/index.php/ Ajax_and_Other_%22Rich%22_Interface_Technologies). Hmmmm. As the saying goes, this is the best form of flattery. I suppose.

Php Security Top 5 From Owasp

Sun, 09 Jul 2006 07:29:00 -0700

OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project.

The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world’s most popular web application framework.

Airline Lt Strike Gt Security Lt Strike Gt-

Sun, 09 Jul 2006 07:09:00 -0700

A Dangerous Loophole in Airport Security - If Slate could discover it, the terrorists will too. By Andy Bowers

More security window-dressing… More reason that ID checks and the watch list are BS security.

The Phantom "Cyber" terrorism?

Sun, 09 Jul 2006 07:08:00 -0700

[IP] Govt Comp.News - Assessing “cyberterror” - couldn’t find any!

>I’ve been working on the issue of how to build secure public networks >for about 7 years. I started out as a military analyst and I wanted to >put the cyber terror/cyber war issue in a larger strategic context. >About a year ago, I started looking for examples of cyber-terrorism, >where hackers had shut down critical infrastuctures. I was surprised to >discover that I couldn’t find any, so I began to look more closely at >the hypothetical scenarios involving cyber war. Most of them turned out >to be implausible from a military or national security perspective. >Hence the report.

Security Career Guide at ISC^2: sponsored by Microsoft

Sun, 09 Jul 2006 06:43:00 -0700

[infowarrior] - Microsoft sponsors security career guide Richard Forno Fri, 08 Jul 2005 22:39:04 -0700

Microsoft sponsors security career guide https://news.com.com/2060-10789_3-0.html?tag=nefd.bl

A nonprofit organization with help from Microsoft has created a “career guide” to spark interest for the information security profession among high school and college students.

The guide was distributed last month to more than 3,500 school counselors, administrators and educators at education conferences and has been made available online, the International Information Systems Security Certification Consortium, or (ISC)2, said this week.

Pki Considered Harmful

Sun, 09 Jul 2006 06:30:00 -0700

PKI considered harmful

Next time someone at your company says “we can’t do encryption until we get a PKI”, refer to this essay and collection of references.

I’ll need to put together a related one to address the “we can’t do ecnryption until we get a “key management” solution”.

SSH Filesystem

Sun, 09 Jul 2006 06:26:00 -0700

07:00

SSH Filesystem

This is a filesystem client based on the SSH File Transfer Protocol. Since most SSH servers already support this protocol it is very easy to set up: i.e. on the server side there’s nothing to do. On the client side mounting the filesystem is as easy as logging into the server with ssh.

Something to investigate…

Asinine Terrorist Detection At Western Union

Sun, 09 Jul 2006 04:09:00 -0700

Western Union blocks Arab cash deliveries - Yahoo! News

DUBAI, United Arab Emirates - Money transfer agencies have delayed or blocked thousands of cash deliveries on suspicion of terrorist connections simply because senders or recipients have names like Mohammed or Ahmed, company officials said. ADVERTISEMENT

In one example, an Indian driver here said Western Union prevented him from sending $120 to a friend at home last month because the recipient’s name was Mohammed.

Sprint Wireless security SNAFU

Sun, 09 Jul 2006 03:48:00 -0700

cryocone: Identity leak with Sprint wireless

Someone in their infinite wisdom at Sprint set up an IVR that you can call (intended for internal care reps for identity verification) and get anyone’s CPNI/PII by simply keying in their sprint wireless phone number.

Really convenient for Sprint employees and the public – and really stupid on all counts.

At Amp T Usurps Customer Records

Sun, 09 Jul 2006 03:28:00 -0700

Time to switch your phone company. AT&T rewrote its privacy policy to basically say that your data is theirs and they will do what they please. Some legal manoevering to allow them to continue to sell those records to the NSA to spy on you. All Cingular customers should now be wary since AT&T will own them once the acquisition is complete.

But I guess, what do you expect when we live in a country that doesn’t explicitly grant privacy protections like the EU and where privacy is routinely tromped on by companies and the government for their own ends? And when the US public has been trained that this is okay?

Identity Theft Still The Victim'S Problem

Sun, 25 Jun 2006 16:32:00 -0700

NPR 12-5-2002, All things considered 4pm.

“businesses are so interested in extending credit…” they just write off the losses. ID theft has not hit businesses economically yet, since that cost is borne by the victims, so they don’t have incentive to do anything to fix these problems. And yet, the disclosure laws have given incentive to fix these problems but they seem to instead be incenting companies to water down the proposed federal legislation to neuter the positive effects they are having at creating a market economic incentive to fix the problems (though from the myriad reports still coming out every week about more data lost, you wonder what the heck some CISOs are doing).

The Iraq hoax that just won't die

Sun, 25 Jun 2006 16:22:00 -0700

SecurityFocus HOME Columnists: Iraqi Cyberwar: an Ageless Joke

This is an OLD story so I hope that it is dead by now. But perfect example of the lack of fact-checking that goes on so much in the media.

Artists And Consumers Get Screwed By The Music Industry

Sun, 25 Jun 2006 16:06:00 -0700

Passionate condemnation of the music industry:

[IP] MUST READ Courtney Love does the math The controversial singertak

[IP] last on this topic – Does File Trading Fund Terrorism? Successful artists not seeing any profit.

[https://www.marketplace.org/play/audio.php?media=/2003/03/12_mpp&start=00:00: 20:00.0&end=00:00:27:30.0](https://www.marketplace.org/play/audio.php?media=/2003/03/12_mpp&start=00:00: 20:00.0&end=00:00:27:30.0)

[IP] 2 more on Does File Trading Fund Terrorism?

Visa prohibits display of card numbers on receipts

Sun, 25 Jun 2006 15:57:00 -0700

[IP] I will start using my Visa card more

Wow this blog entry is old. But remember when every receipt had the full card number on it? And remember when Starbucks would mask out everything _except_ the last four digits so that you could get the full card number with just two receipts?

I still find that the business’ copy of the receipts often has the full card number on it, with only my copy being masked out. But, I don’t much care, except when it comes to my Debit card receipts since the US laws do not cover Debit cards as fully as credit cards.

Tales from the RFID Hacking Underground

Sun, 25 Jun 2006 15:32:00 -0700

Wired 14.05: The RFID Hacking Underground

Follow-along to the article on building your own RFID skimmer

More Black Marks For Dhs

Sun, 25 Jun 2006 15:18:00 -0700

Think Progress: Homeland Insecurity.

Have You Taken Your Security Pills

Sun, 25 Jun 2006 15:02:00 -0700

The other day, I made what I think is a very apt analogy comparing the security product industry to the diet and herbal supplement industry.

Both operate with little to no oversight or regulation (though security at least has bloggers and scientists willing to call out some of the more egregious offenders)
Products often have little to no academic, scientific or factual basis for their designs or claims
Products tend toward the panacea/“silver bullet” realm and claim to solve all your ills

Cracking Java Byte Code Encryption

Sun, 25 Jun 2006 10:59:00 -0700

Cracking Java byte-code encryption

Why Java obfuscation schemes based on byte-code encryption won’t work.

Nsa Surveillance Only The Tip Of The Iceberg

Sun, 25 Jun 2006 10:18:00 -0700

A gaggle of links about the illegal NSA domestic spying program. More apropos in light of even more spying by the Bush Administration – this time on international wire transfers

Think Progress: NSA Whistleblower To Expose More Unlawful Activity: ‘People…Are Going To Be Shocked’

Media Matters - Myths and falsehoods on the NSA domestic call-tracking program

Good End User Information On Phishing From Paypal

Sat, 24 Jun 2006 15:28:00 -0700

PayPal - Identity Protection Resources

It was a very good touch that PayPal even uses HTTPS (SSL) for their pages providing this security information so that end users can authenticate the pages originate from PayPal and get used to ensuring that their interactions with PayPal are SSL-secured.

Move Over Chroot Apparmor Is Here

Thu, 22 Jun 2006 03:55:00 -0700

-here

Plugging my own product, but what the hell, it is open source :)

AppArmor https://opensuse.org/Apparmor is an application security container technology for Linux. It lets you create application profiles (policies) that define the files that the application can read, write, and execute. It lets you do this per-application, so you actually could allow users to upload arbitrary C/binary programs and expect them to behave as you specified. It provides an inheritance model so that you can’t escape from this jail by exec’ing something fun: the child is controlled by policy too.

Build Your Own Rfid Skimmer

Tue, 20 Jun 2006 16:32:00 -0700

How to Build a Low-Cost, Extended-Range RFID Skimmer

Oh, I’m definitely going to have to build one of these!!

More Proof For Danger Of Allowing Arbitrary Redirect

Tue, 20 Jun 2006 06:29:00 -0700

ZDNetAsia : Printer Friendly - Paypal fixes phishing hole

Ing Data Loss

Tue, 20 Jun 2006 06:27:00 -0700

(19 June 2006) Letters are being sent to 13,000 individuals whose personal data are held in a laptop computer stolen from the home of an ING US Financial Services agent. ING is instating a new security policy for laptop computers that includes encryption and password protection; the stolen computer had neither. The people affected by the data security breach are all District workers and retirees. (please note: this site requires free registration) https://www.washingtonpost.com/wp-dyn/content/article/2006/06/18/AR2006061800716_pf.html [Editor’s Note ( Northcutt): ING’s slogan is Your Future. Made Easier. Try telling that to the 13,000 impacted individuals. This wave of data losses is starting to remind me of counties that don’t put traffic lights up until there is a motorist fatality. (Grefer): Invest around 30-40 dollars into a cable lock for your laptop computers and spare yourselves this embarrassment as well as lots of headaches for your customers. Further, even if you don’t want to spend the money for encryption software, at least use the EFS (Encrypted File System) functionality provided within Windows XP Professional to add a bit more security to the mix.]

Bizarre Notepad Bug

Sat, 17 Jun 2006 17:09:00 -0700

27B Stroke 6

Bizarre notepad bug that really exists. If you type a phrase consisting of a 4 letter word, then two three letter words, then a 5 letter word, save it, then reopen it, the text will be corrupted and unreadable. There is a claim that not all words cause this to occur. See the linked story for examples of what does work.

There was a great quote:

Security time capsule opens up: SANS researcher emerges.

Tue, 25 Apr 2006 09:17:00 -0700

************************************************************************* SANS NewsBites April 25, 2006 Vol. 8, Num. 33 ************************************************************************* -- snip – --Researcher Warns Some Online Banking Sites Don’t Provide Adequate Authentication (20 April 2006) SANS Institute chief research officer Johannes Ullrich says many widely used online banking sites do not use authentication technology to assure that they are who they claim to be. Banks would be well advised to send users to an HTTP Secure (HTTPS) web page which uses the Secure Sockets layer (SSL) security protocol instead of merely encrypting login forms. Web pages that do not use HTTPS make themselves vulnerable to DNS spoofing in which attackers try to trick users into visiting phony web sites in an attempt to gather their account information. https://www.computerworld.com/printthis/2006/0,4814,110738,00.html Internet Storm Center: https://isc.sans.org/diary.php?storyid=1278 -- snip –

Microsoft To End Support For Quot Outdated Quot Operating Systems

Fri, 21 Apr 2006 03:36:00 -0700

--Microsoft to End Support for “Outdated” Operating Systems (18 April 2006) Microsoft plans to retire support for Windows 98, Windows 98 SE and Windows ME on July 11, 2006; after that date, there will be no more security updates for these versions of the company’s operating systems. Microsoft calls these systems “outdated” and recommends that users upgrade to a more secure operating system, such as Windows XP. https://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1182527,00.html

Congress Trying To Soften Data Breach Notification Laws

Fri, 24 Mar 2006 14:43:00 -0800

https://thomas.loc.gov/cgi-bin/query/z?c109:H.R.3997:

Call your representatives now to get them to oppose this legislation. This is the bill that passed out of committee and would seriously weaken the gains that have been made over the past few years in data breach notification, as well as preventing people from preemptively “freezing” their credit file from being used to open new accounts–something that itself could curb much of the ID theft problems (and perhaps some consumer credit problems…)

Safedisc Drm Update For Windows Xp Reduces Online Gaming Risk

Sun, 19 Mar 2006 12:42:00 -0800

-risk

https://www.microsoft.com/downloads/details.aspx?familyid=eae20f0f-c41c-44fe-84ce-1df707d7a2e9&displaylang=en

This update starts the driver secdrv for SafeDisc from Macrovision at boot time to allow you to run games as a non-admin, lower-privilege user. Games that use SafeDisc otherwise require you to play the game as Administrator in order to have the rights to start the Manual service. Now, if only PunkBuster were to do the same…

Have I mentioned that DRM and copy protection sucks?

Zphone: Encrypt your VOIP

Sun, 19 Mar 2006 12:40:00 -0800

Boing Boing: Encrypted VOIP from PGP creator Zimmermann: Zfone

Encrypted VOIP from PGP creator Zimmermann: Zfone

Good reason to switch to VOIP instead of traditional phones to protect yourself from Big Brother Bush.

Riaa Says Future Drm Might Quot Threaten Critical Infrastructure And Potentially Endanger Lives Quot-

Sun, 19 Mar 2006 12:26:00 -0800

Freedom to Tinker � Blog Archive � RIAA Says Future DRM Might “Threaten Critical Infrastructure and Potentially Endanger Lives”

Yet another reason DRM sucks. But unbelievably, the “BSA, RIAA, MPAA, and friends” actually are objecting to DRM exemptions for critical systems!

I was also reading recently about how much extra processor and battery life is sucked up when playing DRM files that have to constantly be checking for a valid license and other cruft.

Dhs Adds Another Quot F Quot To Chertoff'S Record

Fri, 17 Mar 2006 01:25:00 -0800

DHS Gets Another F in Computer Security

Is anyone surprised? They can’t even manage a disaster in the physical world (Katrina), what makes you think they can manage the disaster that DHS is? Another black mark for Chertoff and the Bush administration.

Why does the public still think that the Bush administration is strong on defending America?

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

Another Bush Administration Inconsistency Dubai But No Israel

Sat, 11 Mar 2006 09:39:00 -0800

Well, at least they’re committed to national security consistent conservative… I give up.

“The same Bush administration review panel that approved a ports deal involving the United Arab Emirates has notified a leading Israeli software company that it faces a rare, full-blown investigation over its plans to buy a smaller rival.

The objections by the FBI and Pentagon were partly over specialized intrusion detection software known as “Snort,” which guards some classified U.S. military and intelligence computers.”

Sciam On Quot The Rise Of Crimeware Quot-

Sat, 11 Mar 2006 09:36:00 -0800

quot-

Crimeware coverage by Scientific American

Crimeware coverage by Scientific American. Several good stats and comments from attendees of the RSA Conference. Why the increase in crime on the Internet? Well, it’s where the money is and there is very little risk of getting caught. Job security for a security guy like me though.

Can You Actually Fly Without Providing Id

Sat, 11 Mar 2006 09:25:00 -0800

ng-id

IDP : Investigation

Help us help you determine whether the TSA told the 9th Circuit the truth. Can you fly without ID? According to what the government told the 9th Circuit Court of Appeals in the Gilmore case, you can – you need only submit to secondary screening in order to fly anonymously.

I am just reading a Lee Child book from 1999 (pre 9/11) where the main character flew under president’s names. Would be fun if you could get away with this. Might try it on my next flight…

Defeating Censorware

Sat, 11 Mar 2006 09:17:00 -0800

If your employer or corrupt, undemocratic, dictator-based government uses a filtering service such as Secure Computing’s SmartFilter to block access to BoingBoing.net, you can try the following workarounds…

Boing Boing’s Guide to Defeating Censorware

Of course, good network admins take evasive action for these evasive actions, but the reality is that there are always ways to get around proxies. Especially when they do stupid shit like “Smart” filter does. Smartfilter will often block an entire domain in a category for one single page that may fit in that category. They blocked attrition.org under “criminal skills” and several other security sites. I recall them blocking geocities.com or something like it when only some of the pages met the criteria. Why don’t they block specific URLs or URL patterns instead of an entire domain?

Another Reason To Buy A Cross Cut Shredder

Sat, 11 Mar 2006 08:26:00 -0800

The Torn-Up Credit Card Application

They tore up their own credit card application, then changed the address and phone number and still got the card!

I always shred the applications I get in the mail.

And the good thing is that in Seattle, you can either recycle your shreddings or put them in your yard waste container.

Welcome to Bizarro World - Oracle has 'the security problem solved!'

Wed, 08 Mar 2006 01:05:00 -0800

Australian IT - Oracle on track of secure search (, MARCH 07, 2006)

“We have the security problem solved. That’s what we’re good at, and that’s the hard part of the problem.” -- Larry Ellison

Hell has not frozen over so I don’t believe him.

Just How Insecure Is Electronic Voting

Fri, 24 Feb 2006 09:07:00 -0800

Black Box Voting : 2-23-06: Someone accessed 40 Palm Beach County voting machines Nov 2004

This is good work. NOW do the naysayers see why we need voter verifiable paper ballots?

Racial Profiling For Terrorists

Mon, 20 Feb 2006 02:28:00 -0800

On The McLaughlin Group yesterday, there was a lot of ridiculous sophistry regarding racial profiling as a valuable and necessary tradeoff between liberty and security.

Bruce Schneier has written many times on this subject. In this piece, there is a perfect quote about what is misguided about the position that racial profiling is not only necessary, but is actually effective, “Whenever you design a security system with two ways through – an easy way and a hard way – you invite the attacker to take the easy way. Profile for young Arab males, and you’ll get terrorists that are old non-Arab females.”

Lt Strike Gt Security In Airlines Lt Strike Gt Airline Insecurity

Wed, 30 Nov 2005 14:37:00 -0800

When people tried to evacuate during Hurricane Katrina, airline security prevented many from being able to leave before the airport had to be shut down. This is where a threat model would have helped make the right decision in the face of competing risks. And where “zero tolerance” policies really show how they are “zero thought” policies.

Hurricane Security and Airline Security Collide

And recently, if you thought that airline security was too strict, it is working. You should know it is only designed to make you _think_ that so that you will keep flying. If they really based it on a real threat model, you would have a very different traveling experience and stupid things like taking fingernail clippers and metal knives away, but allowing you to have full glass bottles of alcohol on planes would not happen. My cousin, who was in the army, recently said, “I’d like a terrorist to try to attack me with fingernail clippers.” The implication was that he would kick their ass to a bloody pulp before they got anywhere because that is stupidity masquerading as a threat to airline security.

Judges Order Publishing Of Breathalyser Source Code

Wed, 30 Nov 2005 14:14:00 -0800

-code

LiveAmmo Security Blog: Drunk drivers granted access to breathalyser source code

If only I was able to be granted the source code for the laser detector that incorrectly clocked me over the speed limit…

I like when judges don’t treat technology as infallible. In my case, there was not any argument that could detract from the “evidence” , even the likely EMI!

High Tech Safecracking

Wed, 30 Nov 2005 13:52:00 -0800

This link wasn’t working at the time of posting, but it is interesting to see how you can use infrared to determine a combination from a recently-used keypad. There must be some equipment that would cost less than $5000 that could do this? I’ll have to check the local spy shop.

https://lcamtuf.coredump.cx/tsafe/

Richard Stallman Quot Foils Quot Rfid Quot Security Quot-

Wed, 30 Nov 2005 13:51:00 -0800

quot-

GNU project founder foils UN security

Glad my passport does not expire for many years to come. Perhaps by then passports won’t have RFID tags in them any longer. But if they do, I guess this is an easy way to keep myself from being a target for a shoulder-fired missile overseas.

FOUNDER of the GNU project, Richard Stallman, got in trouble at the UN World Summit on the information society in Tunis for putting tin foil around his RF ID.

Serious flaws in wiretapping equipment

Wed, 30 Nov 2005 13:47:00 -0800

Signaling Vulnerabilities in Wiretapping Systems

Ahh, too bad I don’t work for a telecom compnay anymore (actually, it is good). This might be fun to test out…

In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both “pen register” and “full audio” (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. These countermeasures do not require cooperation with the called party, elaborate equipment, or special skill.

Isakmp The Standard For Incompatibility

Wed, 30 Nov 2005 13:40:00 -0800

Peter Gutman wrote a great summary of the lengths that many have to go to in order to get ISAKMP implementations to interoperate.

I had a hell of a time trying to get Windows 2000/XP IPSec to work with FreeS/WAN in the past. It was very difficult to debug what was going on and I resorted to using tools that translated FreeS/WAN configuration into Windows IPSec configuration so that I was sure that the settings were correct.

Internet Security Tips

Sun, 20 Nov 2005 03:27:00 -0800

https://www.eweek.com/article2/0,1759,1883072,00.asp?kc=EWRSS03129TX1K0000614

Md4 And Md5 Collision Generators

Sun, 20 Nov 2005 03:21:00 -0800

There are still not known attacks against encryption schemes that make use of these, but certainly anything relying on these hashes for integrity protection should switch to alternate mechanisms.

Sent: Monday, November 14, 2005 10:48 AM To: cryptography@metzdowd.com Subject: MD4 and MD5 collision generators

I am releasing my collision generators for MD4 and MD5. They have significant time improvements over the ones described in the papers by Wang, et al.

MD4 collisions can be generated almost instantly, MD5 can be generated in approximately 45 minutes on my p4 1.6ghz (on average).

Password Hash Dash

Wed, 09 Nov 2005 23:26:00 -0800

-dash

Rainbow Crack is a time/memory tradeoff tool that can break passwords knowing just the password hash. So, those people who still think that disclosing password hashes is not a big deal…

SANS documented and proved, using a modified version of Rainbow Crack, something that I have suspected for a while. That Oracle’s proprietary password hashes are weak There are plenty of good ways to do this that it’s a wonder these days that people still roll-their-own crypto. The SANS team is releasing an update to Rainbow Crack that can crack Oracle passwords.

Eff Breaks Secret Tracking Quot Dot Code Quot-

Sun, 30 Oct 2005 14:33:00 -0800

EFF: DocuColor Tracking Dot Decoding Guide

This is a breakthrough. It has been rumoured for years that printers and copy machines include secret codes on documents to track them back to the source machine but the EFF now has real evidence and even tools that you can use to perhaps decode your printer’s secret tracking information.

This guide is part of the Machine Identification Code Technology project. It explains how to read the date, time, and printer serial number from forensic tracking codes in a Xerox DocuColor color laser printout. This information is the result of research by Robert Lee, Seth Schoen, Patrick Murphy, Joel Alwen, and Andrew “bunnie” Huang. We acknowledge the assistance of EFF supporters who have contributed sample printouts to give us material to study. We are still looking for help in this research; we are asking the public to submit test sheets or join the printers mailing list to participate in our reverse engineering efforts.

New Favorite Word Hoffing

Sun, 30 Oct 2005 14:30:00 -0800

Hackers no hassle: Hoff - People - Entertainment - theage.com.au

More From Oracle'S Cso

Sun, 30 Oct 2005 14:17:00 -0800

Wow. Note how she says that she researches “hacking techniques” as well as the network-security-centric language throughout. A CSO should not typically be operating at this level but rather at the “big picture” strategic level.

No wonder Oracle continues having application security and patch quality problems. Their CSO seems too busy hacking the network and writing articles about it and how bad vulnerability researchers are and not enough time executing on a strategy to improve the security posture of their software and processes. Some on security mailing lists are calling for her to resign.

More Php Web Application Security Tips

Sun, 30 Oct 2005 14:09:00 -0800

Hacks From Pax: PHP Web Application Security - The Community’s Center for Security

Today on Hacks From Pax we’ll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We’ll discuss some of the main security “gotchas” when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

Preventing Future Threats Not With A Quot Lack Of Protective Imagination Quot-

Sun, 30 Oct 2005 13:53:00 -0800

And, after hurricane Katrina, I would add that on top of a “lack of protective imagination”, government continues to suffer as well from “pork barrel security projects” and “visible-but-ineffective security projects” that divert precious resources away from the real or more likely threats.

An unfortunate example of this is how “The federal government will pay the overtime of cops and emergency medical workers if the drill involves an act of terrorism, but it won’t if locals rehearse for a natural disaster.” So, the government is still making it difficult for localities, such as Seattle, to prepare for _likely threats_ and instead they have to fake it by running drills for the more unlikely terrorism-related scenarios instead. See Is Seattle Really Ready?

Even More Evidence Of Php Becoming The New C

Sun, 30 Oct 2005 13:46:00 -0800

Another example of how PHP can be dangerous. Having to know the internal workings of variable acceptance to implement secure data checking seems to negate the value of having a higher-order programming language.

And, it is common in other languages to work with variables in a REQUEST structure of some sort.

PHP should provide a built-in set of semantics for data input filtering that work across all of the possible input types so that each application doesn’t have to build their own. I even remember when you used to have to build your own PHP session management or use additional PHP modules (PHPlib was a great implementation) before it got rolled into PHP 4.

Roll Your Own High Entropy Hardware Randomness Generator

Sun, 30 Oct 2005 13:44:00 -0800

High-Entropy Randomness Generator

In this paper, we explain how to construct a High-Entropy Randomness Generator, suitable for a wide range of applications, including extremely demanding ones. We will explain and then use some key theoretical ideas:

* We start with a raw input, typically from a good-quality sound card. * We obtain a reliable lower bound on the raw input’s entropy density (as defined in appendix A). This is calculated based on physics principles plus a few easily-measured macroscopic properties of the sound card. (This stands in stark contrast to other approaches, which obtain a loose upper bound based on statistical tests on the data.) * We make use of the hash saturation principle, as discussed in section 3.2. The resulting output has essentially 100% entropy density. This is provably correct under mild assumptions. * We use no secret internal state and therefore require no seed. * We do not depend on assumptions about “one-way functions”.

Flashback More On Php Security

Sun, 30 Oct 2005 13:40:00 -0800

I dug this out for additional evidence of how PHP gives programmers too much rope to hang themselves, not unlike C.

-J

-—-Original Message—– From: David Wheeler [mailto:dwheeler@ida.org] Sent: Wednesday, August 08, 2001 2:06 PM To: me Subject: PHP

Ben Ford said:

>>Don’t call it a weakness of the language, call it by its true name: >> Lazy Programming.

If this was a common problem in other languages, I might agree with you. But it’s not. Essentially all other computer languages do _NOT_ let attackers set the state of arbitrary program variables to arbitrary values, and then require programmers to constantly reset values if they’d like to prevent attackers from controlling them.

Is Php The New C

Sun, 30 Oct 2005 12:34:00 -0800

I’ve been wondering lately if PHP is much like C from a security perspective in that the chances that if you are using PHP for an application that your application is secure depends on tribal knowledge about “what not to do” with the basic language. Another way to say this is that like C, PHP gives you plenty of rope to hang yourself if you don’t know what you are doing. Which is unfortunate for a language that should be safer by default for use by UI programmers.

Does Voting Machine Technology Affect The Outcome Of Elections

Sun, 30 Oct 2005 12:30:00 -0800

Some interesting results found in a study of 2000-2004 election data.

We first show that there is a positive correlation between use of touch-screen voting and the level of electoral support for George Bush. This is true in models that compare the 2000-2004 changes in vote shares between adopting and nonadopting counties within a state, after controlling for income, demographic composition, and other factors. Although small, the effect could have been large enough to influence the final results in some closely contested states.

Study: Motivations for global terrorism over the past 25 years

Sun, 30 Oct 2005 08:57:00 -0800

This is not so much about Islam vs. Christianity (although I think a lot of wacky Christians are making this case still) Courtesy of Bruce Schneier.

An absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980. “The central fact is that overwhelmingly suicide-terrorist attacks are not driven by religion as much as they are by a clear strategic objective: to compel modern democracies to withdraw military forces from the territory that the terrorists view as their homeland.”

Acceptable Risk As A Euphamism For Shifting Fraud Liability To The Consumer

Sun, 30 Oct 2005 02:51:00 -0800

Financial Cryptography: “Acceptable Risk” - a Euphemism for Selling Fraud?

This is a post from a while back but is still relevant to recent discussions about how the financial industry is still shifting the burden of identity theft and fraud to the customers. Bruce Schneier just wrote about this in regards to phishing in the most recent edition of Crypto-Gram as well.

The “acceptable risk” concept [writes guest financial cryptographer Ed Gerck] that appears in recent threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.

Biometrics In Atms

Sun, 30 Oct 2005 01:48:00 -0700

-atms

InformationWeek > Biometric Security > Privacy Concerns, Expense Keep Biometrics Out Of U.S. ATMs > October 12, 2005

This article is chock full of fun things to comment on.

Ricardo Prieto, who was vice president for system operations at BanCafe when the system was installed, said that at first ATMs failed to recognize fingerprints on the well-worn hands of some elderly customers and laborers such as construction workers.

Rant On Oracle Just Not Quot Getting It Quot-

Tue, 11 Oct 2005 17:03:00 -0700

Funny and entertaining and sad rant about Oracle’s inability to do security in stark contrast to public claims by their CSO, marketing, etc.

This has inspired others to note how there are some Oracle vulnerabilities that have been open for 768 days!! among other comments. Oracle even tried to put the cat back in the bag on some other disclosed vulnerabilities recently. They just don’t get it. I’m wondering if Larry Ellison were in Bill Gate’s place just how much worse off the Internet and world would be from a security perspective.

Quot Open Sesame Quot Opens Quot High Tech Quot Cockpit Doors

Tue, 11 Oct 2005 02:32:00 -0700

The Seattle Times: Business & Technology: Glitch forces fix to cockpit doors

Well, “Open Sesame” works if you say it through a nearby walkie-talkie:

For more than two years, U.S. airplane passengers have flown more securely because high-tech cockpit doors created a barrier to prevent a repeat of 9/11, when terrorists entered the cockpit and commandeered four planes.

But, the doors were not foolproof.

New Book Security And Usability

Fri, 07 Oct 2005 08:06:00 -0700

Usable Security Blog Archive O’Reilly Book: Security and Usability

One of the research areas that I am very interested in:

O’Reilly has released Security and Usability: Designing Secure Systems That People Can Use, a collection of 34 essays on security and usability edited by Lorrie Cranor and Simson Garfinkel.

Preoccupied With Firewalls

Mon, 26 Sep 2005 15:03:00 -0700

Firewalls a dangerous distraction says expert

I don’t know who Abe Singer is but he makes a great point that I have been touting for years. Look at your infosec program and count how many people you have dealing directly with firewalls. Now, count how many people you have dealing with application security audits, standards, reviews, etc. More than likely, you only need one hand to count the latter. That is why there is such a problem with insecure applications on the Internet. It starts with misunderstanding your threat model and continues with inadequate staffing and misplaced priorities

Blast From The Past Dmv Fraud

Mon, 26 Sep 2005 14:56:00 -0700

As the REAL ID act meets reality, recall a previous report on DMV fraud and lax security. If you think you have problems budgeting for security in your company, imagine being handed an unfunded mandate from the federal government. Do you think current problems will magically go away?

Date: Mon, 2 Feb 2004 09:50:52 -0500 From: Monty Solomon Subject: Security Holes at DMVs Nationwide Lead to ID Theft and Safety Concerns

On The Insecurity Of Passwordspassphrases These Days

Mon, 26 Sep 2005 13:46:00 -0700

In a posting to the cryptography mailing list. Interesting statistics in the presentation. Update your threat models!

Folks might want to look at https://www.huitema.net/talks/ietf63-security.ppt the slides from a talk Christian Huitema gave at the Applications Area at IETF63 this past week. Of particular interest is just how cheap it is to brute-force a passphrase these days, especially if it’s just used as a cryptographic key with known plaintext (i.e., in challenge/ response protocols).

Creative Zen Digital Media Players Ship With A Worm

Mon, 26 Sep 2005 13:43:00 -0700

Glad I’m sticking with the Neuros which doesn’t run Windows now and will run Linux in the next version. Not to mention the open source aspects and the ability to play OGG/Vorbis audio files…

https://rss.slashdot.org/Slashdot/slashdot?m=251

Are You Blocking Flash Cookies

Mon, 26 Sep 2005 13:36:00 -0700

Spammers and people without regard for your privacy or your privacy preferences (blocking cookies means I don’t want them in any form) are insidious.

Unbeknownst to many people, Macromedia Flash player allows surreptitious cookies to be dropped on your computer that can be used to track you even if you block traditional browser cookies.

Some information on eradicating them:

Firefox extension for blocking flash cookies: [https://www.yardley.ca/objection/]

Macromedia info (opens up the hidden flash config tool in your browser that lets you view and expunge flash cookies): [https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html]

The browser wars are back: on security turf

Mon, 26 Sep 2005 13:06:00 -0700

In this article, OSS means slower patches, David Sykes from Symantec makes some absurd claims about open source being slower to patch than closed source.

“It is relying on the goodwill and best efforts of many people, and that doesn’t have the same commercial imperative,” he said. “I’m sure that is part of what is causing the blow-out in the patch window.”

So… “commercial imperative” is a requirement to be quick with patches? Where has this guy been for the past 10+ years when commercial vendors have done everything to thwart publication of vulnerabilities and have been the slowest to patch (and still are, such as Oracle and Cisco).

Security reading list

Fri, 19 Aug 2005 15:17:00 -0700

A book that I am reading right now:

Between Silk and Cyanide A true story of cryptography in the field during WWII.

A free 900 page eBook from Microsoft Press: Improving Web Application Security: Threats and Countermeasures

You may want to just buy a paper copy since it weighs in at 3-4 inches of paper (I have a copy of the “real” book and it’s big).

Another book that sounds interesting:

Secrets of Computer Espionage: Tactics and Countermeasures “Covers electronic and wireless eavesdropping, computer surveillance, intelligence gathering, password cracking, keylogging, data duplication, black bag computer spy jobs, reconnaissance, risk assessment, legal issues, and advanced spying techniques used by the government.

Security books to check out

Fri, 19 Aug 2005 15:14:00 -0700

https://www.wiley.com/legacy/compbooks/mcnamara/

Secrets of Computer Espionage: Tactics and Countermeasures

by Joel McNamara

Covers electronic and wireless eavesdropping, computer surveillance, intelligence gathering, password cracking, keylogging, data duplication, black bag computer spy jobs, reconnaissance, risk assessment, legal issues, and advanced spying techniques used by the government.

Author shares easily-implemented countermeasures against spying to detect and defeat eavesdroppers and other hostile individuals.

Addresses legal issues, including the U.S. Patriot Act, legal spying in the workplace, and computer fraud crimes.

Who's fault is ID theft and financial fraud? Ask your bank.

Fri, 19 Aug 2005 14:21:00 -0700

Repeat after me: Identifiers are not Authenticators.

SSN: Identifies you, does not prove your identity. This is a claimed identity on its own.
Credit/debit Card Number: Identifies your credit card account, does not prove your identity. Possession or presentment does not prove that the presenter of this information is authorized to make use of it. But that doesn’t stop the financial industry from using it as the payment authenticator…
ACH/Bank account and routing numbers: Identifies your bank account (along with the type, checking or savings). Again, possession or presentment does not prove that the presenter of this information is authorized to make use of it. Realize that you give this out to everyone and anyone if you send out checks since all the information to transfer money in or out of your account is right there on the check.

Several stories that prove the world is going crazy

Fri, 19 Aug 2005 13:52:00 -0700

First out of the gate:

Fedex sued a loyal customer for posting photos of furniture he made for himself out of Fedex boxes on the web. Get this, they used many…er…novel…legal arguments to try to scare him. Welcome to the doghouse FedEx. You’ve got great company, such as Cisco and Oracle.

Some highlights:

They tried to use the DMCA in their claims. But were complaining about trademark issues. Copyright law does not cover trademarks. Next!

Using threat modeling featured in new OWASP WAPT

Fri, 19 Aug 2005 13:48:00 -0700

This will be something to look forward to. I have not seen much of the theory of threat modeling end-to-end put into practice effectively or completely. And much of what I have seen of threat modeling really should be baked into the SDLC process and something that project teams do as part of normal development efforts (why are security people doing separate data flow diagrams, for example?).

From Threatsandcountermeasures:

The next release of the OWASP Web Application Penetration Test (WAPT) guide will include a section on using threat modelling effectively

25 And A Bit More Green For An X509 Certificate

Fri, 19 Aug 2005 12:36:00 -0700

That sounds like quite a deal actually. Verisign still charges an exhorbitant amount of money for bits that do the same thing.

-Jason

From Peter Gutman to the Cryptography Mailing list Subject: How much for a DoD X.509 certificate?

$25 and a bit of marijuana, apparently. See:

https://www.wjla.com/news/stories/0305/210558.html https://www.wjla.com/news/stories/0105/200474.html

Although the story doesn’t mention this, the “ID” in question was the DoD Common Access Card, a smart card containing a DoD-issued certificate. To get a CAC, you normally have to provide two forms of verification… in this case I guess the two were photo ID of dead presidents and empirical proof that you know how to buy weed.

Homeland Security Getting Smarter Or Staying Stupid

Fri, 19 Aug 2005 09:53:00 -0700

Getting smarter:

Chertoff is a good guy. When I heard this NPR interview I remember thinking, holy crap, someone who gets it. Security is about tradeoffs and with limited resources, making the most cost effective and rational decisions based on risk and threat analysis.

TSA may move to reallow knives, etc. back on aircraft. Threats Reassessed To Make Travel Easier for Public

The stay-seated the first and last 30-minutes of a flight rule is also going away, due to reasoned analysis: https://www.mail-archive.com/infowarrior@g2-forward.org/msg01084.html

Non English Internet Domain Names Likely Delayed Due To Phishing Concerns

Fri, 15 Jul 2005 05:45:00 -0700

Non-English Domain Names Likely Delayed - Yahoo! News

Social engineering attacks using similar characters to trick users are called homograph, or semantic attacks Also see this article on IDN Homograph Attacks.

Concerns about “phishing” e-mail scams will likely delay the expansion of domain names beyond non-English characters, the chairman of the Internet’s key oversight agency said Friday.

Vint Cerf, head of the Internet Corporation for Assigned Names and Numbers, would not speculate on when such characters might appear but said Internet engineers must now spend time “trying to winnow down, frankly, the number of character (sets) that are allowed to be registered.”

Cell Phone Service Temporarily Disabled In Nyc For Quot Security Quot-

Tue, 12 Jul 2005 07:42:00 -0700

CNN.com - Cell phone service disabled in New York tunnels - Jul 12, 2005

Cell phone service was disabled inside the four tunnels leading into Manhattan after the terrorist bombings in London, but Mayor Michael Bloomberg questioned Monday whether the move “makes the most sense.”

I’m with Mayor Bloomberg. I don’t think it makes sense at all for at least four major reasons:

Reduce Fear Increase Security

Tue, 12 Jul 2005 06:21:00 -0700

This appeared in the October 2004 crypto-gram and is a very good description of how the current “security” measures at airports, etc. serve only to “reduce fear” and don’t actually “increase security”. The latter is the hard problem….

From: Anonymous Subject: Fear and Security

This is in response to the letter you published last month by Wayne Schroeder: Fear and security are closely coupled in simple situations, like riding a motorcycle. The way to reduce the fear is to increase your safety, such as by driving more slowly. Millions of years of evolution have evolved fear as a mechanism for keeping us alive, but millions of years of evolution never had to deal with a 767. It evolved for simpler things, like bad weather, high speeds, and scary animals.

Homeland Security Terror Alerts

Tue, 12 Jul 2005 06:11:00 -0700

Good to look back on in light of the raising of the alert (and only for public transportation…) Is the best our intelligence can do is to assume that the next attack will be the same MO and style as recent ones?

Schneier on Security: Do Terror Alerts Work?

When Attorney General John Ashcroft came to Minnesota recently, he said the fact that there had been no terrorist attacks in America in the three years since September 11th was proof that the Bush administration’s anti-terrorist policies were working. I thought: There were no terrorist attacks in America in the three years before September 11th, and we didn’t have any terror alerts. What does that prove?

SecureUML, with Visio templates

Mon, 11 Jul 2005 04:02:00 -0700

Mark Curphey’s Blog

I am very methodical when it comes to security design and security reviews so I am sure that these templates will come in very handy to ensure uniform coverage of requirements and mechanisms.

My only quibble so far is that they call this “SecureUML”. The UML isn’t Secure, nor is having a well-defined Authorization model imply security (look no further than the Sarbanes-Oxley efforts that define wonderful processes and models, but the auditor testing never covers the effectiveness of the underlying mechanisms implementing these controls…)

Free Open Source Tool Released For Web Services Security Scanning

Mon, 11 Jul 2005 02:08:00 -0700

Foundstone, Inc.� Strategic Security

Have not checked it out yet. Sounds promising. Although it would be nice to have a scanning tool that can do application security checks regardless of the protocol being HTML over HTTP, XML over HTTP, SOAP, etc. Many of the attacks and scanning signatures will be the same. Only the formatting and perhaps the detection of success/fail of a test. I’d be interested in knowing more about what they encountered as to whether the differences are significant enough to warrant a separate tool.

Unintended consequences of improved SSL UI in browsers

Thu, 07 Jul 2005 05:45:00 -0700

SSL Organization Vulnerabilities

The following example web site spoofs demonstrate the vulnerabilities that exist if First-Generation vetting practices for digital certificates are used in combination with new browser enhancements which bring the certificate Organizational information forward and displayed next to the SSL Lock symbol.

Spoofers these days are adapting very fast to new technology to counter their tactics. This is one in which adversaries are generating certificates with Organization information that matches a target site to spoof, and dumb “Trusted” third party CAs happily sign these certificates. Some browsers, such as Opera, are now providing the organization information directly to users to help them make better trust decisions. Unfortunately, this is rearranging deck chairs on the Titanic since the SSL TTP model is totally broken–it does not allow for adequate authentication of sites to end users, hence the rampant phishing attacks and soon to be man-in-the-middle attacks (my prediction).

Study: Users becoming more security Conscious

Thu, 07 Jul 2005 05:14:00 -0700

Fear of Spyware Changing Online Habits - Yahoo! News

Internet users worried about spyware and adware are shunning specific Web sites, avoiding file-sharing networks, even switching browsers. ADVERTISEMENT

Many have also stopped opening e-mail attachments without first making sure they are safe, the Pew Internet and American Life Project said in a study issued Wednesday.

Some good indications that end users are gaining levels of awareness of the security problems in today’s Internet environment. Go read the full report It has a lot more meat than the wire stories.

More Tsa Idiocy

Sun, 03 Jul 2005 15:04:00 -0700

Following up on my earlier posting on TSA idiocy… Supposedly this was also at SeaTac.

Just met with some friends tonight and the subject of airline/airport “security” came up. A true story about a recent run-in with TSA:

85-year-old resident of Washington state arrives home after an international flight where he had successfully taken about six different flight legs without incident carrying on a small watch/clock repair toolkit with him in his carry-on luggage. On the final leg, he is accosted by TSA because he is carrying a 2 inch hammer in this kit with a metal head and wooden handle!! The TSA tells him that tools are prohibited and that they are going to confiscate this tiny hammer.

Cryptography Must Overcome Ui Problems To Be Both Useful And Effective

Wed, 29 Jun 2005 13:05:00 -0700

A great paper to read up on, especially given that Phishing is showing us that the “Trusted Third Party” model as implemented in today’s web browsers is horribly broken.

Don Davis’ Cryptography Articles. Specifically, read “Compliance Defects in Public-Key Cryptography”.

Abstract: Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others’ public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users’ discipline. A “compliance defect” in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.

Best Quote

Wed, 29 Jun 2005 12:42:00 -0700

Best quote:

“Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment.”

-- Peter Gutman, https://mail-archive.com/cryptography@metzdowd.com/msg00891.html

The rest of the post is great as well, with a “sound” warning about the CIPE VPN.

Wireless security can be funny

Wed, 29 Jun 2005 12:37:00 -0700

This is a true story!

The link to the story below is stale now, but this one still works:

Hackers tell man he’s “too fat” to eat at Burger King - silicon.com

https://www.ananova.com/news/story/sm_853744.html?menu=news.latestheadlines

Burger King customers told: ‘You are too fat to have a Whopper’

Police believe teenage pranksters are hacking into the wireless frequency of a US Burger King drive-through speaker to tell potential customers they are too fat for fast food.

TSA abuse of power comes to a city near me

Wed, 29 Jun 2005 12:23:00 -0700

This story from my hometown of Seattle is further proof that the current airport security procedures are nothing more than window dressing and are leading to the loss of civil rights for innocent people.

When was the last time you heard about these security procedures actually catching a terrorist?

komo news | ‘This Is Not Right’

DES MOINES - Cecilia Beaman is a 57-year-old grandmother, a principal at Pacific Middle School in Des Moines, and as of Sunday is also a suspected terrorist.

At Amp T Plans Security News Channel

Wed, 29 Jun 2005 12:22:00 -0700

AT&T plans CNN-style security channel

Security experts at AT&T are about to take a page from CNN’s playbook. Within the next year they plan to begin delivering a video streaming service that will carry Internet security news 24/7, according to the executive in charge of AT&T Labs.

The service, which currently goes by the codename Internet Security News Network, (ISN) is under development at AT&T Labs, but it will be offered as an additional service to the company’s customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T�s Global Networking Technology Services and AT&T Labs

Suspected Steganography lead to raising the terror alert in 2003

Wed, 29 Jun 2005 11:45:00 -0700

07:00

Bogus analysis led to terror alert in Dec. 2003 - Lisa Myers & the NBC Investigative Unit - MSNBC.com

WASHINGTON - Christmas 2003 became a season of terror after the federal government raised the terror alert level from yellow to orange, grimly citing credible intelligence of another assault on the United States.

Debunking Biometric Assumptions

Wed, 29 Jun 2005 03:48:00 -0700

Chris Hill’s biometrics thesis:

This is a very interesting development. It challenges a key assumption that people have made about biometrics:

“that stored biometrics pose no threat to their owner (if they are stolen by another party), because it is not possible to recreate the original biometric from the stored data.”

So, attackers can potentially bypass biometric systems in a couple of ways if they can compromise digital representations of biometric data (from storage or by sniffing, e.g. USB sniffer or keyboard sniffer): They can recreate new physical biometrics that will have properties indistinguishable from the original.

Washington State Getting Tough on Rampant Spyware Problem

Tue, 17 May 2005 11:54:00 -0700

Slashdot | Washington State Outlaws Spyware

the Governor of Washington signs a a bill outlawing spyware (bill history) which imposes penalties of $100,000 per violation.

This is a step in the right direction. I am not sure if it will be effective due to jurisdictional and technological issues with tracking, identifying, and prosecuting purveyors of spyware. The anti-spam legislation in the state and federal laws has not exactly dramatically curbed spam. But this clarification of the computer crime statutes is helpful to avoid ambiguity.

Identity Theft Is Okayif Done By The State

Mon, 16 May 2005 02:46:00 -0700

Ohio Agents Use Woman’s Identity in Strip-Bar Sting: Internal Affairs at Officer.com

This is absolutely unbelievable! Imagine if the state was to damage your reputation or financial status (e.g. FICO score or credit worthiness) due to the unauthorized use of your identity!

Nasal said the ploy was legal because a change in Ohio’s law the previous year aimed at curbing identity theft. The law allows police to use a person’s identity within the context of an investigation, he said.

Penguins Not On Terrorist Watch List

Mon, 16 May 2005 01:57:00 -0700

TheDenverChannel.com - Slideshow

The American public can rest easy now that these penguins have been rigorously vetted by the TSA. Someone managing the Terrorist Watch List must have recently seen one of the Batman movies. That was _just a movie_.

Ipsec Esp Protocol Flaw Discovered

Fri, 13 May 2005 08:41:00 -0700

NISCC Vulnerability Advisory IPSEC - 004033

From what I have read on this, the flaw in ESP only will affect you if you are using ESP for confidentiality protection only (no integrity check in ESP) and are relying on other layers for integrity protection (e.g. AH or the application layer). I would never recommend you configure IPSec in this manner. Confidentiality protection without integrity protection in the same layer is not very useful IMHO. And it can be dangerous, as this flaw indicates.

Intel Hypterthreading Leads To Security Bug

Fri, 13 May 2005 00:37:00 -0700

y-bug

Hyper-Threading considered harmful

This is an interesting case where a hardware flaw can be used to subvert software security.

I find it fun to ask vendors who create their own OS and processors for appliances how they ensure things such as memory page protection. I get a lot of blank stares. They often focus entirely on the macro-level security in their software and have spent little to no time addressing the basic hardware and OS-level security issues that are taken for granted by software authors.

Another Governmental Pdf Quot Redaction Quot Blunder

Tue, 03 May 2005 12:09:00 -0700

The Washington Monthly

here’s a question: do you think the Italian computer whizzes will be any more competent than their American counterparts when they release their report? The U.S. report is full of redactions, as you can see in the picture above, but once again an American agency has used the searchable PDF format to distribute a report, and all you have to do is save the report as a text file in order to recover all the redacted parts.

Defeating Fingerprint Readersby Force

Thu, 07 Apr 2005 04:12:00 -0700

Carjackers swipe biometric Merc, plus owner’s finger | The Register

Carjackers swipe biometric Merc, plus owner’s finger By John Lettice Published Monday 4th April 2005 13:52 GMT

A Malaysian businessman has lost a finger to car thieves impatient to get around his Mercedes’ fingerprint security system. Accountant K Kumaran, the BBC reports, had at first been forced to start the S-class Merc, but when the carjackers wanted to start it again without having him along, they chopped off the end of his index finger with a machete.

Big Brother May Be Watching Your Wlan

Tue, 05 Apr 2005 05:04:00 -0700

The Feds can own your WLAN too : TomsNetworking :

Also a [slashdot discussion](https://hardware.slashdot.org/hardware/05/04/05/1428250.shtml?tid=193&tid=172
) of this technique, which essentially cracks WEP implementations that are vulnerable to weak keys and uses some nice “features” of some APs to get the AP to send out additional encrypted packets to improve the speed of the attack. They can crack WEP in minutes. Pretty interesting…

Id Theft Targets Are Everywhere

Mon, 28 Mar 2005 08:19:00 -0800

Security no match for theater lovers

This article shows that for the promise of a $7-$10 movie ticket, you can trivially gather enough information about almost anyone to steal their identity. And this was at a security conference. I’ve seen a couple of other studies such as this with other low-value enticements work just as effectively.

Owasp Opens Seattle Chapter

Thu, 24 Mar 2005 13:35:00 -0800

Web Security Group Launches Northwest Chapter

Web Security Group Launches Northwest Chapter

The leading web application security organization, Open Web Application Security Project (OWASP), has opened a local chapter in Seattle.

I may be spending some time with this group. Glad to see more volunteer security orgs in the Seattle area! And glad to see some emphasis on application security, of course.

Their website is https://www.owasp.org/local/seattle.html

Verisign conflict of interest opposition

Thu, 24 Mar 2005 12:08:00 -0800

07:00

ICANN Email Archives: [net-rfp-verisign]

…Verisign also operates a ‘Lawful Intercept’ service called NetDiscovery [2]. This service is provided to “… [assist] government agencies with lawful interception and subpoena requests for subscriber records [3].”

We believe that under such a service, VeriSign could be required to issue false certificates, ones _unauthorised_ by the nominal owner. Such certificates could be employed in an attack on the user’s traffic via the DNS services now under question. Further, the design of the SSL browser system includes a ‘root list’ of trusted issuers, and a breach of _any_ of these means that the protection afforded by SSL can now be bypassed.

Not Issuing Driver'S Licenses To Illegal Aliens Reduces Security

Mon, 17 Jan 2005 04:21:00 -0800

U.S. Newswire : Releases : “Not Issuing Driver’s Licenses to Illegal Aliens…”

Sign the Petition: Stop the Florida Tion of the 2004 election

Tue, 26 Oct 2004 20:36:00 -0700

ActForChange Petition: Stop the Florida-tion of the 2004 election

“Today, there is a new and real threat to voters, this time coming from touchscreen voting machines with no paper trails and the computerized purges of voter rolls.

Urge your friends to join SCLC President Martin Luther King III and investigative reporter Greg Palast in opposing the “Florida-tion of the 2004 Presidential election” by signing this petition.”

Memory Errors Trick Virtual Machines

Tue, 26 Oct 2004 20:33:00 -0700

Interesting paper on how to use memory errors to attack a virtual computer. The attack exploits the fact that a “time of compilation” check is not necessarily valid at “time of use.”

This happens to be the theory behind the Java ByteCode verifier. I just heard Whit Diffie talk yesterday at SecureWorld Expo about how the run-time check of the bytecode is intended to validate that proper array bounds checking is going to be done, for example.

SecuritySpace monthly reports

Tue, 26 Oct 2004 20:31:00 -0700

Monthly reports on security and non security-related items, such as analyzing SSL webserver usage, apache module usage. Very interesting. I like to see Apache having almost 80% of the market share now :-)

SecuritySpace

SSL unsafe for users?

Tue, 26 Oct 2004 20:28:00 -0700

“99% of SSL users have no idea how SSL works and consequently make informed decisions”

Browser manufacturers try to make things easy for users but end up diluting the security properties of the hierarchical trust model.

A lot of talk in recent years on the cryptography mailing list indicates that this model is too broken and perhaps should be replaced with an ad-hoc mechanism, such as the SSH model, with all web servers installing _some_ sort of certificate by default–even self-signed. The thoughts are that some confidentiality protection with reasonable MITM detection is better than so few sites supporting encryption since they don’t want to pay Verisign blood money for a “real” certificate.

History Of Buffer Overflow Protection

Tue, 26 Oct 2004 20:24:00 -0700

A great (old) post to Risks 22.74 about the past issues with designing solutions to buffer overflows in hardware. Also, a link to a paper describing the history of these efforts that I’ll be looking to check out.

Crispan was just spotted at SecureWorld Expo in Seattle today…

-Jason

-————— Date: Sat, 10 May 2003 19:19:12 -0700 From: Crispin Cowan Subject: Re: OpenBSD … protects against buffer-overflow … (Ardley, R 22.72)

Pki'Not Working 39-

Tue, 26 Oct 2004 20:22:00 -0700

I still run into people who believe that PKI is a viable end-user authentication solution for the masses. My favorite were the systems that tried to solve the certificate portability problem by allowing download of certs from a website – with only a password! The vendor couldn’t see that it was no more secure than the password itself. Another case of “But this one goes to 11”.

-J

PKI ’not working’

Crying'Security 39-

Tue, 26 Oct 2004 20:14:00 -0700

And now candidates are crying “security” to win elections… It works on both sides apparently.

-J

WSJ.com - Companies Cry ‘Security’ to Get A Break From the Government

In Kansas, utilities want to raise rates without having to tell their customers why. Elsewhere, grocers and mall owners seek tax breaks for equipment purchases. And at sports arenas, teams want to keep banner-trailing planes away from their stadiums.

Homeland Security Measures Ignore Fiscal Responsibility

Tue, 26 Oct 2004 19:58:00 -0700

Catching up on draft postings, this is one that is very timely today, although it was originally penned over a year ago.

-J

Message: 6 Date: Sat, 20 Sep 2003 14:26:14 -0800 From: “Rob, grandpa of Ryan, Trevor, Devon & Hannah” Subject: Cost/benefit

In commenting on yet another pointless “homeland security” proposal, the INFOCON mailing list passed along this quote:

“The number one threat to American national security during this long war is neither anthrax nor truck bombs . it is uncontrolled spending. We cannot afford to put guards on every bridge and at every critical node of our infrastructure. We cannot afford a sophisticated chemical and biodetector in every government building. America cannot afford a risk-free society in a world of global terrorism. The enemy’s strategy is to destroy our economy. We must not facilitate their efforts. America will need to spend considerable sums of money to ensure our security . but we must do it wisely . there will be no money to waste on irrational fear and unconscionable pork. We must develop a strategic plan to guide our efforts. This must include federal, state and local governments, plus the private sector. Since 9-11, more than 130 bills regarding homeland security have been introduced in the House of Representatives. This is not the example of spending based on a strategic plan.

Reducing Your Exposure Running Dvarchive On Linux

Tue, 18 Nov 2003 10:19:00 -0800

I recently got a ReplayTV 5040 for a steal on closeout at buy.com and just love it. One of the most attractive features is how it is network-aware by default and that the community has created some great free software for integrating with it. I have been using DVArchive to expand the capacity for recording without having to violate my ReplayTV warranty by hacking the hardware. DVArchive enables your PC to act as a software-based ReplayTV unit for replay, archival, vending photos, as well as playing recorded mpegs remotely on your PC.

Sony Style Warning needs a Warning?

Sat, 30 Aug 2003 16:18:00 -0700

Within the past month or so, I received a warning from Sony about fraudulent e-mails claiming to be from Sony but that actually were not. The deceptive e-mails were designed to lure Sony customers into divulging personal information at a fake Sony site. It “falsely indicates that it is from SonyStyle.com” and “includes a link to a bogus SonyStyle.com registration site”

So, I was shocked to notice that the e-mail from Sony that was supposedly warning about deceptive e-mails and URLs was itself guilty of using apparently deceptive or “fraudulent” URLs!

Best Buy Hoax Notification

Fri, 20 Jun 2003 04:52:00 -0700

Here is an excerpt from an e-mail I got today. If you ever get e-mail purportedly from a company that asks for you to divulge personal information, there is a high likelihood that it is one of the many social engineering attacks running around. Popular ones try to snag AOL and eBay/Pay Pal users. Be wary of what e-mails and Internet sites you trust your personal information to!!

IMPORTANT: E-MAIL HOAX NOTIFICATION

Cert Needs To Plug Leak

Mon, 02 Jun 2003 16:01:00 -0700

Confidential bug report gets sent to CERT.
CERT sends it out to their advanced ISA (Internet Security Alliance: pay for early warning) group (Jericho calls “a vulnerability cartel)
The bug report is leaked out to the public, perhaps by an ISA member who was either compromised (if so, they would need more than CERT to help them…) or purposefully leaked it out

Jericho’s comments on the ISN list were classic, especially:

Danger And Absurdity Of The Tsa No Fly List

Mon, 02 Jun 2003 15:53:00 -0700

John Gilmore points out how to have fun with bomb scanners by using hand lotion with Glycerine, or at least points out how easily such expensive equipment can be rendered useless. If equipment has any significant number of false-positives, be sure that it, or procedures, will tune out any hope of finding a real needle in the haystack.

Also, if you notice an “S” on your boarding pass, prepare for extra scrutiny at the airport. The TSA believes, based on often erroneous matching, that you are a member of its “Selectee” list of people who need additional security measures.

Is The Price Right For Your Freedom

Mon, 02 Jun 2003 15:41:00 -0700

How do you measure a cost-benefit for the new security measures or of your liberty? It is hard to even come up with a causal link from the “increased” security measures (ask me about the absurd experience I had in LAX…) to increased safety, let alone quantifying such a benefit.

There is also a discussion at https://www.plastic.com/article.html;sid=03/03/12/06265215;cmt=42

NYTimes.com Abstract

In an unusual twist on cost-benefit analysis, an economic tool that conservatives have often used to attack environmental regulation, top advisers to President Bush want to weigh the benefits of tighter domestic security against the ‘‘costs’’ of lost privacy and freedom.

Secure programming in UNIX HOWTO

Mon, 02 Jun 2003 15:30:00 -0700

David Wheeler has put together a set of design and implementation guidelines for programming securely in several languages. The document is actually in a ton of different formats, even ones suitable for Wireless devices. So, take yours with you and learn it well!

Secure Programming for Linux and Unix HOWTO

There is also a set of overview slides that are definitely worth a look.

Quot Us Gov'T Blindly Trusts The Antivirus Industry Quot-

Mon, 02 Jun 2003 15:15:00 -0700

I love the quote below and the 15 claims about how shady the Antivirus industry is are great, especially #7, “expect applause when you release hundreds of security patches for your product each year;”

Vmyths.com- Truth About Computer Virus Myths & Hoaxes

“The Pentagon should not protect a weapon system with software written by people they’d never trust. Yet they do.”

Low Bandwidth Application Dos Attacks

Mon, 02 Jun 2003 11:25:00 -0700

Interesting work and something that I can’t seem to get many people to pay attention to. Not all DoS attacks are bandwidth exhaustion attacks. DoS attacks can be thought of generically as resource exhaustion or suppression attacks. This does not necessarily require using a large amount of bandwidth.

The traditional thoughts on DoS attacks cause people to believe that normal modes of monitoring systems will catch DoS attacks early just because it would be hard to not notice such brazen resource consumption. However, low-flying attacks could possibly cause DoS attacks that are more difficult to detect without finer-grained application-level monitoring than is often employed.

Interpreting 'Access' And 'Authorization' In Computer Misuse Statutes

Fri, 30 May 2003 02:49:00 -0700

The paper is 81 pages long but based on the abstract, it appears like important work. I hope that this will be taken to heart by policy shapers.

Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes

This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably na�. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting “access” and “authorization.” This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.

E Voting Interview Reveals Serious Risks To Election Integrity

Thu, 29 May 2003 15:22:00 -0700

This scares me as a security professional. This especially scares me as a resident of Washington State.

Some gems from this interview with representatives from Sequoia systems:

Miller: “On the touch screen – we do have the hand recounts of close races too.”

Harris: “On a machine with no voter-verified paper trail?”

Miller: “Well, there’s no way to do a hand recount on a DRE.”

-————

Harris: “But the positive, which can be proved, is that every election system that’s ever been used in the USA has, at one time or another, been tampered with. And what we do know is that $800 million has gone toward contributions to candidates. So certainly we can predict that someone will try to tamper with a programmer. And therefore, what I’m asking, is what safeguards do we have in place to make sure that, if someone tampers with a program or a CD update –”

Bmw 7 Series Windowsce Crash Traps Driver Inside

Sun, 25 May 2003 04:46:00 -0700

A post to the IP and Risks lists is a harbinger of things to come as more and more complexity and computer-controlled systems get added to everyday devices without ensuring the same kind of quality and safety engineering. We can only hope that Ford and other car companies will not be successful in overturning laws requiring mechanical connections for safety-critical systems like steering, braking, etc.

-core24

Date: Tue, 13 May 2003 17:31:11 -0700 From: “Robert J. Berger” Subject: MS Windows crash traps Thai politician in car (From Dave Farber’s IP)

Quot If You Want To Win An Election Just Control The Voting Machines Quot-

Fri, 23 May 2003 11:06:00 -0700

quot-

A couple more sites working against all-electronic voting machines:

https://www.blackboxvoting.com/ https://www.ecotalk.org/VotingSecurity.htm

Also, an article discussing a situation that, if true, is truly egregious:

The senator who won the election in Nebraska allegedly “was the head of, and continues to own part interest in, the company that owns the company that installed, programmed, and largely ran the voting machines that were used by most of the citizens of Nebraska.”

The bigger issue, in my opinion, is not whether the senator had rigged his election but the fact that we are entirely unable to verify whether this occurred or not. With a voter verifiable and recountable audit trail, we could.

Can Microsoft Be Secure

Fri, 23 May 2003 10:57:00 -0700

I sure hope so. I have high expectations for Windows 2003. We’ll see how things progress.

I want to know who the companies are that were surveyed… I assure you mine wasn’t one of them.

Commentary: Can Microsoft be secure? | CNET News.com

Customers worry about Microsoft’s security: Seventy-seven percent of respondents to a Forrester survey cited security as their top concern about deploying Windows. Despite those concerns, 89 percent of users are still deploying sensitive applications like financial transaction systems and medical records databases on Windows.

Facial Recognition Systems Quot Improve Quot-

Fri, 23 May 2003 10:47:00 -0700

quot-

[IP] NIST rates facial recognition systems

“The three top-rated systems verified identities correctly 87 percent to 90 percent of the time with a false-alarm rate of 1 percent. When NIST specified a false-alarm rate of 0.1 percent, the success rate dropped to between 79 percent and 82 percent.”

From the report itself:

“Typically, the watch list task is more difficult than the identification or verification tasks alone. Figure 8 shows detection and identification rates for varying watch list sizes at a false alarm rate of 1%. For the best system using a watch list of 25 people, the detection and identification rate is 77%. Increasing the size watch list to 3,000 people, decreases the detection and identification rate to 56%.”

Handset Security Flaws On The Horizon

Fri, 23 May 2003 10:35:00 -0700

Software quality, especially data input filtering, is critical for mobile devices; especially devices that do not typically have user-updateable software.

News: Mobile phone hacking expected to spread

United States-based security company @stake has released a security advisory detailing a Denial of Service (DoS) vulnerability in the Nokia 6210 GSM mobile phone, and although the flaw isn’t serious it could be a sign of worse things to come.

Drm Threat Analysis Shows Futility In Drm Mechanisms

Fri, 23 May 2003 10:23:00 -0700

This analysis shows how DRM solutions are ineffective because they [attempt to] address the wrong threat model.

“Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model – they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don�t solve the problem they complain about.”

Insider Attack Nails Shut Janteknology'S Coffin

Fri, 23 May 2003 10:07:00 -0700

Evidence of the damage that insider attacks can wreak. Ironically, this was a security software distributor.

It’s unbelievable how often I hear things like:

“Well you have to trust your employees/administrator/etc!” “But we’re behind the firewall!”

I even noticed Microsoft’s STRIDE threat model does not include the threat:

Misuse of granted privileges.

Whoops. People all too often don’t look inside their own organizations at the threats all around you. Insider attackers are a difficult, and perhaps not entirely solveable problem. It is much easier for someone to attack your network when they are already on it than through your firewall over the Internet. Your firewall rejects access, but then your HR department allows it. They will even give a potential adversary a computer, cubicle, network access, badge, etc.!

Acm Testimony To Congress Against Dmca'S Chilling Effect

Fri, 23 May 2003 01:19:00 -0700

USACM co-chair Barbara Simons spoke out against sections of the DMCA during recent Congressional review of the DMCA’s anti-circumvention provisions.

ACM MemberNet

You can also read the transcript of Simons’ testimony

“During a time when our nation is devoting unprecedented resources to homeland security, we should be eliminating laws such as the DMCA that encourage insecurity,”

Anti Polygraph

Mon, 19 May 2003 13:08:00 -0700

Here is a 176-page PDF paper on the fallacy of polygraph exams (a.k.a. “lie” detectors). I have not read up on this subject in some time but this looks to be a good read.

Lie Behind the Lie Detector

Stupid Security

Mon, 19 May 2003 12:59:00 -0700

Found out about this great site through this month’s Crypto-Gram newsletter. It posts articles on – you guessed it – all the stupid security measures people come across.

Stupid Security: Exposing Fake Security Since 2003

E Voting Systems Assailed

Tue, 06 May 2003 15:43:00 -0700

A great article with some perfect quotes from leading advocates and experts for voter verifiable audit trails. Also, there are some documented cases of voting machine errors in the article.

New Voting Systems Assailed

New Voting Systems Assailed Computer Experts Cite Fraud Potential

By Dan Keating Washington Post Staff Writer Friday, March 28, 2003; Page A12

As election officials rush to spend billions to update the country’s voting machines with electronic systems, computer scientists are mounting a challenge to the new devices, saying they are less reliable and less secure from fraud than the equipment they are replacing.

Users tricked into believing a Nokia upgrade hoax

Fri, 21 Mar 2003 12:19:00 -0800

“Nokia 7650 upgrade - hoax

An internet hoax is traveling round the internet that purports to be a press release from Nokia offering an upgrade for owners of the Nokia 7650 handset to support a series of new features.

The press release says that “Nokia today announced after months of speculation and rumours that it will be re-releasing it’s flagship Symbian OS phone, the 7650, with the long awaited increased memory capabilities.

SSL Patent suit update: victory for SSL!

Fri, 21 Mar 2003 11:23:00 -0800

07:00

A press release on RSA’s website announces that a unanimous verdict was reached on all infringement claims in favor of the defendants, RSA Security Inc. and Verisign Inc.

RSA Security | RSA Security Wins SSL Patent Infringement Trial

Analysis Of The Educational Initiatives Outlined In The National Cybersecurity Strategy

Fri, 21 Mar 2003 10:52:00 -0800

Rob Slade takes an in-depth look at what the National Cybersecurity Strategy is for security education and doesn’t really find much. To summarize:

“we [the U.S. Gov’t] can’t do it alone, so we’re not going to do anything”

“How will it happen?”

“Focus or force?”

“Security awareness cannot be promoted by establishing contests where nobody will compete.”

“Again, this proposal sounds good, but, without details to back it up, I doubt that there will be any impact any time soon”

E Voting Banter Between Scientists

Thu, 20 Mar 2003 10:20:00 -0800

There was voluminous and heated discussion on the cryptography mailing list about the dangers of the paper audit trail for e-voting that is being pushed by the e-voting academic experts. The instigator and perpetuator of the discussion was Ed Gerck.

His main criticism was that the paper audit trail does not address the problems of massive external vote tampering by extortion (vote this way and prove you voted this way or I’ll kill you) or vote selling (vote republican, prove it to me, and I’ll pay you $$). He is afraid that the paper audit trail will be just the thing that can be photographed as proof of your vote to enable these system.

New Ieee Security And Privacy Magazine

Thu, 13 Mar 2003 14:53:00 -0800

I will have to check this out. Although, I have several piles of other publications to whittle down first.

“The IEEE Computer Society has created a new magazine called “Security and Privacy” specifically for the security community The magazine intends to present a balanced mix of scientific research and practical security discussion. "

Risks Of Public Internet Access Terminals

Thu, 13 Mar 2003 14:49:00 -0800

This story about 16M Yen (~$136,000) stolen from someone’s CityBank online banking service after the user’s password was compromised at an Internet cafe highlights the tremendous risk of insecure client computers. It does not make a darned bit of difference what crypto strength you were to use, it is so trivial to install a keystroke capture device that nobody would ever notice that will catch everything before it is encrypted.

Krispy Kreme Grossly Overcharges 28 Customers

Thu, 13 Mar 2003 14:20:00 -0800

From RISKS 22.61.

“A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers while figuratively deep-frying over two dozen customers. Irrespective of what they ordered, each of 28 customers using a credit card were charged EXACTLY $84,213.60 for the purchase. "

The PGN comments simply made the posting though:

[These charges were actually APPROVED, and of course also blew the customers’ credit ratings for a few days. Amazing! ``The $84,000 charge, were it legitimate, would have purchased over 170,000 … doughnuts, enough to stretch over 9 miles if placed end-to-end.’’ …

VoteHere whistleblower lawsuit and other e Voting madness

Thu, 13 Mar 2003 14:13:00 -0800

BlackBox Voting is reporting on a whistleblower lawsuit filed here in Washington state by a software engineer against his former employer VoteHere. He alleges that he was wrongfully terminated to silence his complaints while third party “certification” of the VoteHere system was being conducted. The lawsuit enumerates many of the system’s flaws that he documented in defect reports. It is a must-read.

In other unbelievable news, Santa Clara County, CA and Collins County, TX both voted for electronic voting machines without paper audit trails against all sound advice from experts around the world. Santa Clara County reportedly cited the same kinds of “certifications” as evidence that the system is okay without the voter verifiable audit trail.

Aol Customers Buyer Beware

Tue, 04 Mar 2003 15:08:00 -0800

Many of the attacks described are social engineering attacks and not computer security holes. I can’t believe the mumbling attacks–hilarious! Social engineering attacks are very hard to defend against, especially with huge callcenters like AOL must have.

AOL customers beware your privacy. AOL not only makes it easy to get on the Internet, they make it easy for others to get on the Internet as you too!

“Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL’s 35 million users. "

SSL under patent dispute

Tue, 04 Mar 2003 15:05:00 -0800

The March 3 Security Wire Digest and Reuters are reporting that:

“Leon Stambler, who has won financial settlements from companies such as National Cash Register, First Data and Openwave Systems, seeks up to $20 million in the federal suit, being heard in Delaware. "

“Certicom and Openwave each paid $400,000 plus ongoing royalty fees for their licenses and First Data paid $4 million, he testified. "

He is suing RSA Security and Verisign now, trying to extract money. Ugh.

Wireless hackers invade!

Tue, 04 Mar 2003 14:57:00 -0800

“Two Alberta men with a passion for locating and mapping wireless computer networks have come under the scrutiny of Canada’s spy agency.”

“The press release, which also included Mr. Kaczor’s name and contact information, featured the tongue-in-cheek headline “Wireless hackers invade Red Deer!””

High-tech hobby falls under CSIS suspicion

Debate On Copyright Vs Innovation At Stanford

Mon, 03 Mar 2003 05:13:00 -0800

[IP] Pondering Value of Copyright vs. Innovation

“Technology scholars, business leaders and policy makers gathered at California conferences this weekend to argue whether a mismatch between two different technologies and the legal policies that govern them could inhibit free expression and innovation. "

““We have ceded too much power to copyright owners,” said Ms. Lofgren, who plans on Tuesday to reintroduce a bill that would amend the 1998 law. “People are afraid to proceed on innovative measures.””

Outlawing Encryption Under Patriot Ii

Mon, 03 Mar 2003 05:10:00 -0800

ot-ii

Among other nasty things, the US government is trying to make the use of encryption while committing a crime over a computer a new crime that would add 5 years onto your sentence, if convicted.

“If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony. [RFF - I’d also include using GSM cell phones with the built-in encryption….]”

Worm press release template

Sun, 02 Mar 2003 13:50:00 -0800

Keep this handy for the next MS Worm. Posted to RISKS 22.53: . [From Pete Lindstrom, Spire Security, petelind@spiresecurity.com]

* Computer Worm Internet*

In the wee hours of , a computer worm spread throughout the Internet. Dubbed because <ridiculous reason that doesn’t explain anything about how it works>, and also known as and , the worm has infected an estimated systems within . Experts are calling this worm the most since .

Bsa Joins Ranks With Riaa In Threatening Without Cause

Fri, 28 Feb 2003 02:19:00 -0800

The BSA (Business Software Alliance) is now taken to sending out threatening letters based on the results of a web/ftp spider search for the word “Office”. The RIAA has done similar things in searching for “pirated” music by keyword and then automatically mailing.

From the BSA letter:

“What was located as infringing content: -—————————– Filename: /mandrake_current/SRPMS/OpenOffice.org-1.0.1-9mdk.src.rpm (199,643kb) Filename: /mandrake_current/i586/Mandrake/RPMS/OpenOffice.org-libs-1.0.1-9mdk.i586.rpm (35,444kb)”

OpenOffice.org thread

Anyone have a clue stick handy?

Microsoft Spyware

Wed, 26 Feb 2003 14:38:00 -0800

tecChannel reverse-engineered Windows Update to find that it can spy on other installed applications. It is unclear whether it actually does spy though. Although an article at The Inquirer claims as much.

They are offering a utility that you can run yourself to spy on the spyware. You have to pay 1.99 Euro for the full article and get the software included. A summary can be found for free though at The Inquirer.

More On Santa Clara E Voting

Wed, 26 Feb 2003 09:53:00 -0800

Just heard an NPR story on the Santa Clara e-voting saga. A vote today did not decide on whether they would only go with a system with a paper ballot. Only to test such a system.

The Sequoia company representative (the chosen product) admitted that they only agreed to add the paper ballot because they listen to customer demands. He didn’t think it was necessary though.

“Officials in California’s Santa Clara County learn that those who know computers best have the biggest concerns about them. That county, home to Silicon Valley, is deciding on an electronic voting system. But a computer scientist fights to keep old-fashioned paper in the voting process. NPR’s Andy Bowers reports.”

Homeland Quot Security Quot Measures Coming Under Fire

Wed, 26 Feb 2003 09:17:00 -0800

I heard someone talk about how in the 50’s and 60’s everyone was building bomb shelters for protection against nuclear attack and fallout but now people are being told that some tarp and duct tape are all that is needed.

The question was asked, “Who is going to protect us from Tom Ridge, and his bumblers in the Dept of Homeland Security…”

[IP] More bad advice from Tom Ridge…

Now It'S 8 Million Credit Cards Stolen

Wed, 26 Feb 2003 00:22:00 -0800

“In what is believed to be the biggest credit card hacking incident so far, Omaha-based Data Processors International, which processes transactions involving Visa, MasterCard, American Express and Discover Financial Services for merchants, said in a statement that it had “recently experienced a system intrusion by an unauthorized outside party.”

Yahoo! News - FBI Probing Theft of 8 Million Credit Card Numbers

Acm Joins Opposition To Tia

Tue, 25 Feb 2003 15:15:00 -0800

o-tia

There is a story in this month’s ACM MemberNet publication on the ACM’s opposition to Total Information Awareness (TIA).

This isn’t exactly news, because the ADM letter was drafted on Jan 23. The latest status on the EPIC TIA page was Jan 24 when Amendment 59 was included in a bill to impose limits on TIA. However, the requirement that the government simply provide a report in order to continue funding seems weak. There isn’t anything defining what content within the report would be satisfactory. It sounds too much like corporate privacy policies. It doesn’t matter what is in them, so long as the company abides by it. The report could say exactly what privacy advocates fear most and TIA will still be funded. However, the catch-all requiring congress to approve use of TIA is a step in the right direction.

Santa Clara County More Clueless Electronic Ballot Junkies

Tue, 25 Feb 2003 15:13:00 -0800

Santa Clara County faces key decision on electronic ballots

“The future of electronic voting may be rewritten this week in Santa Clara County, where county leaders are weighing warnings that the touch-screen voting machines they want to buy are more prone to error and fraud than the systems they would replace.”

“Sequoia’s systems don’t produce paper ballots that voters can verify, and supervisors didn’t ask for such a device in their bid proposal. Vendors and election officials say paper ballots aren’t needed because the machines have internal safeguards, are certified by federal and state governments and tested repeatedly before and after elections.”

Study shows Linux defect rate much better than commercial Unix

Tue, 25 Feb 2003 15:04:00 -0800

A study of TCP/IP code of various commercial and open source operating systems found that the defect rate in the Linux implementation was much better than others studied.

“The Linux defect rate was 0.1 defects per 1,000 lines of code, Reasoning found. The rate for the general-purpose operating systems–two of them versions of Unix–was between 0.6 and 0.7 per 1,000 lines of code. The rates for the two embedded operating systems were 0.1 and 0.3 per 1,000 lines of code. "

Scuba Diving Computer Recall

Tue, 25 Feb 2003 14:57:00 -0800

From RISKS 25.57.

I have friends who dive and hope to get certified myself soon so this is of particular concern.

Date: 17 Feb 2003 05:35:20 -0800 From: tom.race@skipton.co.uk (Tom Race) Subject: Scuba diving computer recall

[See also Risks in scuba equipment, Carl Page, RISKS-21.41]

In simple terms, a dive computer monitors the amount of nitrogen dissolved in the diver’s blood. Typically worn like a wrist watch, it tracks the diver’s depth and calculates the absorbed nitrogen according to a mathematical model of the human body’s various tissues.

Someone compromised 1% of all visa and mastercard account numbers

Tue, 25 Feb 2003 14:55:00 -0800

A 2-17-2003 very short Reuters story reports that Over 5 million Visa/MasterCard accounts hacked into

“More than five million Visa and MasterCard accounts throughout the nation were accessed after the computer system at a third party processor was hacked into, according to representatives for the card association”

This story by the BBC has more details

Great. Why were the account numbers on Internet-accessible systems. And why were the accounts not stored encrypted at the third party?

Orange Alert Status Terror For Students

Tue, 25 Feb 2003 14:48:00 -0800

From RISKS 22.56

“Date: Thu, 13 Feb 2003 05:46:37 -0500 From: “Rebecca Mercuri” Subject: Risks of Doing Homework

At the faculty meeting at Bryn Mawr College on 12 Feb 2003, we were informed that a student at Haverford (our affiliated College) was arrested over the weekend when he was trying to do his homework assignment in Philadelphia. As part of the Cities project, he was taking photographs of SEPTA (our regional transit authority) facilities when he was arrested, detained for a few hours, and eventually released. Haverford administration is working to try to ensure that this event not be a part of the student’s permanent police record. Apparently taking photographs at transit facilities is cause for arrest during “Code Orange” alert, the authorities explained. Faculty were advised to be careful about assigning “field trip” projects during such alerts.

Not Only N Korea Can Have Nukes

Tue, 25 Feb 2003 14:23:00 -0800

A Wired article describes an unbelievable story of reporter Noah Shachtman trivially breaching the physical security at none-other-than Los Alamos National Laboratory described as “the world’s most important nuclear research facility”.

“On Saturday morning, I slipped into and out of a top-secret area of the lab while guards sat, unaware, less than a hundred yards away.”

New Ssl Active Mitm Attack

Fri, 21 Feb 2003 15:11:00 -0800

" In a paper researchers at the Security and Cryptography Laboratory of Swiss University (Lasec) EPFL demonstrate a timing-based attack on CBC cipher suites in SSL and TLS.

The attack assumes that multiple SSL or TLS connections involve a common fixed plaintext block, such as a password. Since credit cards numbers are normally sent to a secure server only once this particular attack has little or no chance of success.

Citibank Trying To Silence Atm Pin Security Research

Fri, 21 Feb 2003 07:17:00 -0800

Citibank is trying to prevent the disclosure of new scientific research that has apparently broken ATM PIN confidentiality protection wide-open. This is even in the face of “phantom” charges appearing on people’s accounts that banks refuse to reverse, claiming that their system is so secure that users cannot repudiate such charges.

“The card’s issuer says that’s not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card. "

Slag your drives to thwart data recovery

Fri, 21 Feb 2003 06:58:00 -0800

A recent MIT study of 129 used hard drives indicated that people leave a treasure trove of data behind on their discarded computers.

This begs the question of how can you securely dispose of old hard drives? Well, the typical answers are to use a secure wiping program or degaussing, but these are not 100% effective.

Some people have come up with a foolproof method called Drive Slagging which involves melting down the platters and essentially creating aluminum ingots.

TurboTax copy protection mucks with sectors on your hard disk

Wed, 19 Feb 2003 14:30:00 -0800

DRM is getting even more annoying, dangerous, and insidious. Intuit thought that it would be necessary to utilize a product called SafeCast to prevent unauthorized copying of its popular TurboTax product. Extremetech did some testing and found that SafeCast copy (not copyright) protection relied on modifying sector 33 on your hard drive outside of your operating system. This is not necessarily a Good Thing ™

TurboTax Test Results Part II

To Thwart the Identity Thieves

Mon, 17 Feb 2003 11:39:00 -0800

There is an excellent article in BusinessWeek on what is supposed to be the fastest growing crime in the U.S.: Identity Theft. I agree that only radical reform will solve the problem. However, I always think that the solutions focus on symptoms of the problem disclosure of customer identifying information) and not on the root cause of the problem (insufficient authentication (i.e. PROOF of identity) requirements by credit issuers). Your identifying information should not have to be secret. That is the mark of an insecure system.

Richard Forno Let Go Rants About Symantec

Mon, 17 Feb 2003 09:53:00 -0800

Richard Forno was let go by Symantec, coincidentally right after he had politely complained in a letter about the extremely inefficient payment procedures they brought with them to SecurityFocus.

I really enjoyed his commentary so I hope to see him show up somewhere else soon!

symantec-bitch

Computer Security And Intelligence Web Links

Mon, 17 Feb 2003 08:58:00 -0800

The C4I.org - Computer Security and Intelligence website has, according to the author, “little nuggets” of information he finds “interesting enough to post online”.

The most interesting thing that I found there (so far) is Tradesports.com where people are betting on current events, such as whether or not Saddam will still be in power as of March 31.

-Jason

The Myth of Security at Canada�s Airports

Mon, 17 Feb 2003 01:01:00 -0800

07:00

Senate Committee on National Security and Defense in Canada recently released a report on the new airport security measures.

Entitled, “The Myth of Security at Canada�s Airports”

“…measures have reassured many travellers that security has been tightened at Canadian airports since the tragic events of September 11, 2001. The problem is that there has been little or no improvement to huge security gaps that persist behind the scenes in the Canadian travel industry. "

Patriot 2 Encryption An Aggravating Circumstance

Thu, 13 Feb 2003 15:23:00 -0800

Declan McCullagh asks a good question on the cryptography list:

When encryption is omnipresent in everything from wireless networks to hard drives to SSH clients, might the basic effect of such a law [Patriot 2] be to boost potential maximum prison terms by five years?

It is a terrible idea to presume that using encryption is an aggravating circumstance. “Why are you using encryption? You must have something to hide…”

World's Most Stupid Security Measures

Thu, 13 Feb 2003 15:16:00 -0800

“Human rights watchdog Privacy International has launched a quest to find the World’s Most Stupid Security Measure. "

https://www.theregister.co.uk/content/55/29279.html

There were some preliminary examples in discussion on the cryptography mailing list.

E Voting In Washington Say Goodbye To Election Integrity

Thu, 13 Feb 2003 14:07:00 -0800

“The most important question to ask is this:

With respect to this year’s all-electronic voting machines, is there any meaningful evidence that the vote you cast was correctly recorded – that is, evidence that there were no misconfigured systems, accidents, internal fraud, etc.? For almost all of the existing systems (with the exception of one that actually incorporates the Mercuri Mechanism, namely, Avante), the answer is an UNEQUIVOCAL NO. This is an untenable situation if you believe in election integrity, IRRESPECTIVE of your party affiliations.”