security

Eavesdropping with your cell phone

From David S. Bennahum’s “Hope You Like Jamming, Too” (Slate):

…innovative industrial spies, who have several neat new tricks. These days, a boardroom Mata Hari can purchase a specially designed cell phone that will answer incoming calls while appearing to be switched off. In a business meeting, she could casually leave her phone on the table while excusing herself to go to the bathroom. Once she’s gone, she can call the phone she left behind and eavesdrop on what the other side is saying in her absence.


How an email account without passwords can be good for security

From Robert X. Cringely’s “Stream On”:

Mailinator is ad hoc e-mail for those times when just maybe you don’t want to use your regular e-mail address. Say you are snitching on the boss, buying inflatable people, or want 32 different PayPal accounts. Just tell someone—anyone—that your e-mail address is fatman@mailinator.com or skinnykid@mailinator.com, or clueless@mailinator.com or any other address you like at mailinator.com. But this is no dead-end. When people write to you at that address the message will go through. That’s because Mailinator accepts any message going to that domain and automatically assigns an e-mail account to it. But what about passwords? There are none. Anyone can go to Mailinator and check the mail for clueless or any other name. But with so many names and the idea that Mailinator is only for occasional use, who cares?


Better security = reduced efficiency

From Robert X. Cringely’s “Stream On”:

Yet nearly everything we do to combat crime or enhance safety comes at the expense of reduced efficiency. So we build airports to make possible efficient air transportation, then set up metal detectors to slow down the flow of passengers. We build highways to make car travel faster, then set speed limits to make it slower.


The email dead drop

From the L.A. Times’ “Cyberspace Gives Al Qaeda Refuge”:

Simplicity seems to work best. One common method of communicating over the Internet is essentially an e-mail version of the classic dead drop.

Members of a cell are all given the same prearranged username and password for an e-mail account on an Internet service provider, or ISP, such as Hotmail or Yahoo, according to the recent joint report by the Treasury and Justice departments.

One member writes a message, but instead of sending it, he puts it in the ‘draft’ file and then logs off. Someone else can then sign onto the account using the same username and password, read the draft and then delete it.

‘Because the draft was never sent, the ISP does not retain a copy of it and there is no record of it traversing the Internet—it never went anywhere, its recipients came to it,’ the report said.


American Express’ security policies made things more insecure

From Bruce Schneier’s Crypto-Gram of 15 August 2003:

When I called to activate an American Express credit card I had received in the mail, the automated system told me that I would have to associate a PIN with it. The system told me that other users liked the idea of using their mother’s birthday as a four digit PIN. After some experimentation, I discovered that the system would accept only those four digit PINs that corresponded to dates: 0229 was acceptable but not 0230 and certainly not 3112 (New Year’s Eve, European style.) Thus the system policy administrators had reduced the 10,000 possible four-digit PINs to 366.


Getting past security on planes

From Bruce Schneier’s Crypto-Gram of 15 August 2003:

It’s actually easy to fly on someone else’s ticket. Here’s how: First, have an upstanding citizen buy an e-ticket. (This also works if you steal someone’s identity or credit card.) Second, on the morning of the flight print the boarding pass at home. (Most airlines now offer this convenient feature.) Third, change the name on the e-ticket boarding pass you print out at home to your own. (You can do this with any half-way decent graphics software package.) Fourth, go to the airport, go through security, and get on the airplane.

You can even make a knife on board the plane. Buy some steel epoxy glue at a local hardware store. It comes in two tubes: a base with steel dust and a hardener. Make a knifelike mold by folding a piece of cardboard in half. Then mix equal parts from each tube and form into a knife shape, using a metal fork from your first-class dinner service (or a metal spoon you carry aboard) for the handle. Fifteen minutes later you’ve got a reasonably sharp, very pointy, black steel knife.


Laundering a car’s VIN

From Bruce Schneier’s Crypto-Gram of 15 October 2003:

Precision stripping: criminal steals car, chop shop strips car completely down to chassis, chassis dumped on street, cops tow chassis away, chassis sold at auction, criminal buys chassis, chop shop reattaches parts. Result: legitimate car that can be legally sold used. The VIN has been ‘laundered’.


What seems obvious in security often is not

From Russell Nelson’s comment to Bruce Schneier’s Crypto-Gram of 15 November 2003:

> A New York detective was once asked whether pickpockets in
> Manhattan dressed in suits and ties to facilitate their crimes
> subsequent escape. He responded by saying that in twenty years
> he had never arrested even one pickpocket in a tie.

Do you mean this as evidence to bolster your point or to counter it? It seems to me that if he never arrested even one pickpocket in a tie, that would be very good evidence that pickpockets wearing ties escape arrest.


A nanny’s man-in-the-middle attack

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

Here’s a story of a woman who posts an ad requesting a nanny. When a potential nanny responds, she asks for references for a background check. Then she places another ad, using the reference material as a fake identity. She gets a job with the good references—they’re real, although for another person—and then robs the family who hires her. And then she repeats the process.

Look what’s going on here. She inserts herself in the middle of a communication between the real nanny and the real employer, pretending to be one to the other. The nanny sends her references to someone she assumes to be a potential employer, not realizing that it is a criminal. The employer receives the references and checks them, not realizing that they don’t actually belong to the person who is sending them.


Problems with ID cards

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.

It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names. …

Not that there would ever be such thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse. …

But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. …

What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone’s intentions, and their identity has very little to do with that.


Security decisions are often made for non-security reasons

From Bruce Schneier’s Crypto-Gram of 15 July 2004:

There was a single guard watching the X-ray machine’s monitor, and a line of people putting their bags onto the machine. The people themselves weren’t searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just didn’t put my bag onto the machine, no one noticed.

It was all good fun, and I very much enjoyed describing this to FinCorp’s VP of Corporate Security. He explained to me that he got a $5 million rate reduction from his insurance company by installing that X-ray machine and having some dogs sniff around the building a couple of times a week.

I thought the building’s security was a waste of money. It was actually a source of corporate profit.

The point of this story is one that I’ve made in ‘Beyond Fear’ and many other places: security decisions are often made for non-security reasons.


Some great gross parasites

Parasitoid Wasps

From Charles Q. Choi’s “Web-manipulating wasps” (Live Science: 2 March 2011):

Although parasites harm their hosts, they don’t usually kill them, if only to keep themselves alive. Not so with parasitoids, which ultimately destroy and often consume their hosts. Parasitoid wasps, which inspired the monster in the movie “Alien,” lay their eggs inside their victims, with the offspring eventually devouring their way out. A number of the species control their host’s minds in extraordinary ways — the larvae of the wasp Hymenoepimecis argyraphaga, which infests the spider Plesiometa argyra, make their victims spin unusual webs especially well-suited for supporting their cocoons.

From Charles Q. Choi’s “Male-killing bacteria” (Live Science: 2 March 2011):

The genus of bacteria known as Wolbachia infests a whopping 70 percent of the world’s invertebrates, and has evolved devious strategies to keep spreading. In female hosts, the germ can hitch a ride to the next generation aboard the mother’s eggs, and since males are essentially useless for the bacteria’s survival, the parasite often eliminates them to increase the rate of females born, by either killing male embryos outright or turning them into females.

From Charles Q. Choi’s “Head-bursting fungus” (Live Science: 2 March 2011):

Dead ant zombified by fungus

Credit: David P. Hughes

In a bizarre death sentence, the fungus Ophiocordyceps unilateralis turns carpenter ants into the walking dead. The fungus prefers the undersides of leaves of plants growing on the forest floor. That’s where temperature, humidity and sunlight are ideal for the fungus to grow and reproduce and infect more victims. The parasite gets the insects to die hanging upside down, and then erupts a long stalk from their heads with which it sprinkles its spores to other ants. Fossil evidence recently suggested this fungus has zombified ants for millions of years.

From Charles Q. Choi’s “Tongue-eating crustacean” (Live Science: 2 March 2011):

The crustacean Cymothoa exigua has the dubious and unsettling honor of being the only parasite known to replace an organ. It enters through the gills of the spotted rose snapper, attaching to the base of the fish’s tongue, where it drinks its blood. The bloodsucking causes the tongue to eventually wither away, at which point the crustacean attaches itself to the tongue stub, acting as the fish’s tongue from then on.


Evaluating software features

When developing software, it’s important to rank your features, as you can’t do everything, & not everything is worth doing. One way to rank features is to categorize them in order of importance using the following three categories:

  1. Required/Essential/Necessary: Mission critical features that must be present
  2. Preferred/Conditional: Important features & enhancements that bring a better experience & easier management, but can wait until a later release if necessary
  3. Optional/Nice To Have: If resources permit, sure, but otherwise…

Of course, you should also group your features based upon the kinds of features they are. Here’s a suggestion for those groups:

  • User experience
  • Management
  • Security


My response to the news that “Reader, Acrobat Patches Plug 23 Security Holes”

I sent this email out earlier today to friends & students:

For the love of Pete, people, if you use Adobe Acrobat Reader, update it.

http://krebsonsecurity.com/2010/10/reader-acrobat-patches-plug-23-security-holes/

But here’s a better question: why are you using Adobe Reader in the first place? It’s one of the WORST programs for security you can have on your computer. And most of the time, you just don’t need it!

If you use Windows, give Foxit Reader (http://www.foxitsoftware.com/pdf/reader/) a whirl. It’s free!

If you use a Mac, you already have a great PDF reader installed with your operating system: Preview. Use it.

The ONLY reason to use Adobe Reader is to fill out tax forms. When I need to do that, I download Adobe Reader, download the PDFs from the gubmint, fill out the PDFs, send ’em to the Feds & the State, & then remove Adobe Reader. I encourage others to do the same.


The Irish Church lies in creative – and evil – ways

From Patsy McGarry’s “Church ‘lied without lying’” (Irish Times: 26 November 2009):

One of the most fascinating discoveries in the Dublin Archdiocese report was that of the concept of “mental reservation” which allows clerics to mislead people without believing they are lying.

According to the Commission of Investigation report, “mental reservation is a concept developed and much discussed over the centuries, which permits a church man knowingly to convey a misleading impression to another person without being guilty of lying”.

It gives an example. “John calls to the parish priest to make a complaint about the behaviour of one of his curates. The parish priest sees him coming but does not want to see him because he considers John to be a troublemaker. He sends another of his curates to answer the door. John asks the curate if the parish priest is in. The curate replies that he is not.”

The commission added: “This is clearly untrue but in the Church’s view it is not a lie because, when the curate told John that the parish priest was not in, he mentally reserved the words ‘…to you’.”

Cardinal Desmond Connell had explained the concept to the commission as follows:

“Well, the general teaching about mental reservation is that you are not permitted to tell a lie. On the other hand, you may be put in a position where you have to answer, and there may be circumstances in which you can use an ambiguous expression realising that the person who you are talking to will accept an untrue version of whatever it may be – permitting that to happen, not willing that it happened, that would be lying. It really is a matter of trying to deal with extraordinarily difficult matters that may arise in social relations where people may ask questions that you simply cannot answer. Everybody knows that this kind of thing is liable to happen. So mental reservation is, in a sense, a way of answering without lying.”

In Mr Madden’s case, emphasised he did not lie to the media about the use of diocesan funds for the compensation of clerical child sexual abuse victims.

[Cardinal Connell] explained to [Andrew] Madden [a sexual abuse victim, that] he had told journalists “that diocesan funds ARE (report’s emphasis) not used for such a purpose; that he had not said that diocesan funds WERE not used for such a purpose. By using the present tense he had not excluded the possibility that diocesan funds had been used for such purpose in the past. According to Mr Madden, Cardinal Connell considered that there was an enormous difference between the two.”


Big security problems with the current way Firefox handles extensions

From Help Net Security’s “Zero-day vulnerabilities in Firefox extensions discovered” (20 November 2009):

At the SecurityByte & OWASP AppSec Conference in India, Roberto Suggi Liverani and Nick Freeman, security consultants with security-assessment.com, offered insight into the substantial danger posed by Firefox extensions.

Mozilla doesn’t have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

Any Mozilla application with the extension system is vulnerable to the same type of issues. Extension vulnerabilities are platform independent, and can result in full system compromise.


The Kraken botnet

From Kelly Jackson Higgins’s “New Massive Botnet Twice the Size of Storm” (DarkReading: 7 April 2008):

A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. (See The World’s Biggest Botnets and MayDay! Sneakier, More Powerful Botnet on the Loose.)

The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software.

Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams — high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance.

Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day.

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. “We know the picture… ends in an .exe, which is not shown” to the user, Royal says.


Australian police: don’t bank online with Windows

From Munir Kotadia’s “NSW Police: Don’t use Windows for internet banking” (ITnews: 9 October 2009):

Consumers wanting to safely connect to their internet banking service should use Linux or the Apple iPhone, according to a detective inspector from the NSW Police, who was giving evidence on behalf of the NSW Government at the public hearing into Cybercrime today in Sydney.

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online.

The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows.

“If you are using the internet for a commercial transaction, use a Linux boot up disk – such as Ubuntu or some of the other flavours. Puppylinux is a nice small distribution that boots up fairly quickly.”

Van der Graaf also mentioned the iPhone, which he called “quite safe” for internet banking.

“Another option is the Apple iPhone. It is only capable of running one process at a time so there is really no danger from infection,” he said.


Malware forges online bank statements to hide fraud

From Kim Zetter’s “New Malware Re-Writes Online Bank Statements to Cover Fraud” (Wired: 30 September 2009):

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

The victims’ computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers.

Once a victim is infected, the malware grabs the consumer’s log in credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal doesn’t exceed the victim’s balance.

The money gets transferred to the legitimate accounts of unsuspecting money mules who’ve been recruited online for work-at-home gigs, never suspecting that the money they’re allowing to flow through their account is being laundered. The mule transfers the money to the crook’s chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection.

The researchers also found statistics in the command tool showing that out of 90,000 visitors to the gang’s rogue and compromised websites, 6,400 were infected with the URLZone trojan. Most of the attacks Finjan observed affected people using Internet Explorer browsers …

Finjan provided law enforcement officials with details about the gang’s activities and says the hosting company for the Ukraine server has since suspended the domain for the command and control center. But Finjan estimates that a gang using the scheme unimpeded could rake in about $7.3 million annually.
