• My Tweats

    • Flickr Photos

    Testing Biometrics: “…attempts to use fake eyeballs will be immediately obvious and suspicious”

    Bruce Schneier wrote on biometric ID testing at London Heathrow:

    The system under trial at Heathrow is a good use of biometrics. There’s a trusted path from the person through the reader to the verifier; attempts to use fake eyeballs will be immediately obvious and suspicious. The verifier is being asked to match a biometric with a specific reference, and not to figure out who the person is from his or her biometric. There’s no need for secrecy or randomness; it’s not being used as a key. And it has the potential to really speed up customs lines.

    Sometimes words and phrases jump out at me as silent pleasures. Reading the phrases bolded above was one of those.

    Sunday Information Security Links

    Prevent Identity Theft (ht Network Security Blog):

    So what are the best ways to prevent identity theft? Firstly, you must understand what personal information of yours should be kept private. While some personal information is inevitably going to be made public, there are some items with high sensitivity that should never be made public…

    Dark Reading: Cross-Site Request Forgery (CSRF):

    “If you think Cross-Site Scripting (XSS) is scary and prolific, just wait for the next big Website threat: Cross-Site Request Forgery (CSRF). The CSRF vulnerability lies in most every Website…”

    MyCEOSolutions: Five Steps to Safer Email:

    I am just summarizing their key points or step that SMBs might consider as they assess the security of their email system.

    Bruce Schneier: Architecture and Security:

    “You’ve seen them: those large concrete blocks in front of skyscrapers, monuments and government buildings, designed to protect against car and truck bombs. They sprang up like weeds in the months after 9/11, but the idea is much older. The prettier ones doubled as planters; the uglier ones just stood there.[…]”

    Bruce Schneier: Security and Class:

    “I don’t think I’ve ever read anyone talking about class issues as they relate to security…”

    This sounds like social engineering to me.

    The Hamburglar Moves Into Cyber Crime

    WatchYourEnd writes:

    It seems Burger chain McDonalds got more than it bargain for following a recent promotion in Japan to give away 10,000 MP3 players pre-loaded with 10 songs each. Apparently, the songs weren’t the only files resident on the little devices -also pre-loaded was the QQPass malware, which steals passwords, usernames and other information from any computer the host device is connected to.

     

     

     

     

     

     

     


    Originally uploaded by wiwik01.

    New York State adds to its Information Security Lawfare Capability

    Press release from 9.26.2006:

    Governor George E. Pataki announced today that he signed three measures into law that will further protect New York’s consumers and their privacy. These bills establish the Consumer Communication Records Privacy Act, place limits on the use and disclosure of Social Security account numbers, and further clarify and define what is considered a computer crime.

    and

    The Consumer Communication Records Privacy Act, sponsored by Senator Charles Fuschillo and Assemblyman Jeffrey Dinowitz (S.6723/A.12033), protects consumers by prohibiting the sale, fraudulent transfer, or solicitation of a consumers telephone records without consent from the consumer. This information is confidential and protected by both telephone companies and telephone consumers, and unauthorized release of telephone records harms consumers by taking away their sense of privacy, safety and security.

    and

    To guard against the potential misuse of Social Security account numbers (SSN), Senator Thomas Morahan and Assemblywoman Audrey Pheffer sponsored a bill (S.6909C/A.10076D) that will enact a new law placing limits on the use and dissemination of this information. Specifically, the new law: * prohibits the intentional communication of an individual’s SSN to the general public;
    * restrict businesses’ ability to print an individual’s SSN on mailings or on any card or tag required to access products, services, or benefits;
    * prohibit businesses from requiring an individual to transmit his or her encrypted SSN over the Internet; and
    * Require businesses that possess SSNs to implement appropriate safeguards and limit unnecessary employee access to SSNs.

    and

    A new measure, sponsored by Assemblyman Richard Brodsky and Senator James Wright (A.891F/S.5005F), keeps up with continually evolving computer technology by further defining and clarifying New York State’s Penal Law as it pertains to the unauthorized use of computers. This measure strengthens existing law to allow for the prosecution of those who intentionally disrupt, steal personal information, and plant malicious programs on consumer’s computers without authorization.

    Sunday Information Security Linkspasm

    Spot the Security Problems

    The importance of Egress Filtering on Routers and Firewalls

    Pretexting

    Virus Reporting (compare against multiple vendors)

    Records Retention

    Phishing Resources: Here, here, and here.

    WatchYourEnd: USBDumper Endpoint Security Hack Video Demonstration and more USB security stuff

    IDS/IPS

    Security Education

    Closing The Barn Door

    Security Ethics Survey (the results are not good)

    ZERT & Third Party Patches (I think this is a good idea)

    Economic Espionage

    SMB Security

    SlashDot has a post on ID Thieves and SMB.

    It is my own direct experience from a recent prior life that most small businesses have woefully poor information security programs. If they were being exploited, “by accident” would be the most likely means they have of detecting it.

    Rainy Saturday Links

    The Importance of Birth Order Debunked at Econlog

    The Shana Hiatt Blooper Reel

    Althouse: A fantasy scenario of trying Bin Laden A bullet to the head by the capturing American Infantryman works for me.

    Is the Thai Coup…a prelude to Islamization of Thailand?

    IEEE Spectrum Special Report: Unlocking the Terrorist Mind

    Peace Through Commerce at the FlowProject

    Muslim Brotherhood controls Al-Jizera? The Muslim Brotherhood is the best candidate for a large proto-5GW organization.

    Old 5GW posts at ChumpFish here and here.

    Possible 5GW Tactics: Culture Jamming and Memetic Engineering

    AmendmentNine on Moral War

    Live USB Hacking

    TV Zone: Five essential lessons from Grover

    MindStream: CyberIntel

    Bank Machine Hacking

    Marginal Revolution on the The phantom Tyler Cowen. Sounds a bit like the abstract OODA part of Phatic Communions Revised OODA.

    Here is the only link to something related to Paris Hilton I will every make (it is really about marketing and networking).

    TDAXP on Corporate Espionage One side effect of the blowback from the HP affair is that organization will get smarter about doing this sort of thing. I would see you will see hybrid enterprise consisting of Law Firms, and skilled intelligence folks. The doing it all through an outside law firm coordinated by the internal counsels gives legal cover. Also lots of money are at stake, so I see where corporate officers, accustomed to being told how smart they are will report to this.

    Shrinkwrapped on the UN

    Voting Machines Security

    Data Theft And Executives

    Top 20 Japanese Commercials (My favorite was the Cockroach vs the Samurai!)

    LGF: Another 9/11 Memorial Hijacked By Leftists

    We Don’t Need No Welfare State

    Offshoring Lawyers. Great – Lawfare will become cheaper. Not good.

    Lastly: Chapelle Show’s Jedi Knight Sex Scandal

    Endpoint Security Risks in Healthcare

    From Watch Your End:

    The endpoint security risks in healthcare or fairly obvious, however once you start realizing how many people have access to personal records and how easy it is to load this information onto a USB flash drive, CD-ROM, or even a camera or iPod it gets a little scarier. Very few hospitals or health insurance firms for that matter have solid enpdoint security measures in place to protect your data and as more records become digitized in becomes easier to steal. So remember that the next time you go in for your checkup, they’re probably a lot more people viewing your records than just your doctor.

    Attention corporate users of endpoint devices like the handy USB thumb drives – your use of them will be ending soon.

    The year 2007 will see widespread deployment of Endpoint Security measures. I am in the startup stages of one such project for a financial firm. It will be bittersweet, because I love my 1gig USB thumb drive. Bad guys love them too. 😦

    Update: I corrected a mistake with formatting. The second to last paragraph was mine, not that of the linked-to author.

    Information Security and the Market-State

    From SecurityFocus:

    In June 2006, renowned legal expert Mark Rasch analyzed the proposal and suggested that it represents a dangerous trend of turning private companies into proxies for law enforcement or intelligence agencies against the interests of their clients or customers.

    A transition to a Market-State from a Nation-State will not be easy. I am not sure it is desirable either.

    Hezbollah’s Information Technology Infrastructure Warfare

    FinancialCryptography has a post on Hezbollah’s Information Technology Infrastructure Warfare that is worth reading.

    Information Security Podcasts

    The Network Security Blog has a roundup of Information Security podcasts.

    InfoSec Lawfare Example: Zotob Author Sentenced To Prison

    SecurityFocus Reports:

    A Moroccan court handed Farid Essebar a two-year prison sentence on Tuesday for creating the Zotob worm, a bot program that spread among Windows 2000 computers last year and downed unpatched systems at CNN, the New York Times and other companies, according to international media reports.

    Three Spam / Email Troubleshooting Reference

    Senderbase
    Spamcop
    DNSstuff

    Old Link to Post about Kerckhoffs’ 6 Principles From 1883

    Financial Cryptography has an old post to Kerckhoffs’ 6 Principles From 1883.

    It is nice to file away information like this. I will some times use this blog as auxiliary memory for myself.

    Media History of Computer Security

    The ISC handler has a post tracing computer security incident reporting in the media going back to the 1960’s.

    For me personally, it was Clifford Stoll’s The Cuckoo’s Egg. That and of course science fiction are what got me interested.

    Enterprise use of HoneyPots (Darknets)

    DarkReading has a post titled “Enterprises Still Not Sweet on Honeypots” in which they write:

    While they’ve long been a darling of researchers and law enforcement, honeypots are still trying to prove their case for wider enterprise deployment.

    and

    One such application would be for detecting an internal user’s suspicious activity on the network, or if an outsider was poking around the network from the inside, says Logan. “Most times attackers will use an [enterprise’s] server or end-user PC to further explore the enterprise, so you could have an employee unwittingly being used.” But once you put up that sexy honeypot and attackers start buzzing around, you’ve exposed yourself, critics say. Thomas Ptacek, a researcher with Matasano Security, says honeypots not only invite trouble, but they also generate operational overhead that most organizations don’t have the manpower to handle. “They generate the same kind of information that IDSes do, and enterprises have a terrible enough time keeping up with that kind of information,” Ptacek says.

    I think they are overthinking it.

    Information Security Groups should deploy deploy a proto-honeypot internally that is often used by Network Service Providers called a “Darknet“.

    Basically, a Darket net is a sensor that logs all network traffic directed at it into a database that can be queried against (ad-hoc or automatically) and which provides reporting (graphically and/or textually). The key is that for each active subnet used by the organization, traffic to a few IP addresses (and any unused IP addresses) are routed to the Darknet sensor. This means all directed traffic and much broadcast traffic received by the sensor is illegitimate.

    If suddenly there are spikes of traffic to the Darknet, they can be followed up on and investigated. It is simple and cheap, and doesn’t require tricky software.

    Now, only if I could convince my new employer to let run a project to deploy one…

    DNSSEC Reference

    CircleID has a comprehensive article on DNSSEC (The DNS Security Extensions): “A Fundamental Look at DNSSEC, Deployment, and DNS Security Extensions” that is worth reading.

    Physical Security and Social Engineering With A Bonus PurpleSlog Story

    Dark Reading has a great article on physical security and social engineering which it refers to as “Analog Hacking”.

    One part made me chuckle:

    Unlike house burglars, who prefer to work when no one is home, physical hackers usually operate in the middle of the day, taking advantage of slipshod door locks and gullible employees. “We had one job recently where we posed as IT consultants, and one of the staffers actually gave us her username and password, then helped us navigate the system so we could find what we were looking for,” Stasiukonis says.

    An incident from my past flashed into my head.

    Continue reading

    Wednesday Night Links

    Shining City has: Fetal Shark Attacks

    Arnold Kling’s Suggested Ed Reform

    TV Squad investigators are all over the Lost video clues

    ISC Incident Handler on Information Security Standards

    Islam Is The Problem?

    Alt-History links

    On the War: Reasons for Optimism (5 part series) by guest Owen Johnson at Swinkwrapped. I have read them; FuturePurpleSlog needs to write a post on it.

    Why Do They Hate Walmart? I don’t shop there, but I like the idea of Walmart efficiency being added to banking and other services. The whole point is innovation of product (different,needs,style) and process (faster,cheaper,better). Competition (for the rewards = profit) foster creativity (incentives for progress) and Entrepreneurs. Better product,processes give people more life options (less misery, more happiness, human potential used).

    Culture Jamming. Hmm… 4GW/5GW/InfoWarfare technique?

    Lastly: Star Wars Burlesque – Not Safe for Work –>

    Continue reading

    Good Information Security Terms Glossary

    RSA Security has a good Information Security terms glossary.

    Blackhat 2006 Presentation Link Reference

    The Network Security Blog has a link to get them.

    Identity Theft Demo

    Dark Reading walks the reader though how identity theft works.

    They also have some common sense prescriptions that need repeating:

    For IT and security people, however, the message is more complex. IT organizations should sanitize any online resources that contain personal data about their employees, maintaining only the bare minimum online. Personnel profiles or applications should never be kept on systems that are widely accessible over the Web. If there is a need to post personal information on a Web-accessible site, consider securing it with some sort of two-factor authentication, such as the technology offered by RSA Security.

    Finally, IT departments should constantly monitor themselves for vulnerabilities. If a pen tester hadn’t come and shown the college the flaws in its alumni system, how long would it have taken its IT folks to find and fix them? A vulnerability can often be found in a system that may seem peripheral to the business or relatively unimportant to the enterprise. Once that vulnerability is exploited, however, the consequences for users, customers, or employees could be disastrous.

    AJAX Security References (just a list)

    Notes for Future Reference:

    Any other good suggestions?

    Open Source Network Bad Guys Requires Open Source Networked Good Guy To Counter Them

    From the ISC Handler Diary in an information security context:

    I put forward the conjecture that one of the main reasons malware development is accelerating is efficient and open collaboration. In my talks, I use this fact to explain what the ISC is trying to accomplish: We have to “out-share” in order to compete with new malware developments. This is somewhat counter intuitive for many security professionals. After all, we would never post our firewall rules (or passwords) on our web site. But why not a method you use to pick good passwords. Or better: How do you avoid using passwords?

    Open source network bad guys requires open source networked good guy to counter them. This is true in information security and modern warfare.

    Link to “A Chronology of Data Breaches”

    A good link from PrivacyRights.org called “A Chronology of Data Breaches” that list Beeches, and includes a link roundup for breach laws.