
Zombies! 100s of 1000s of zombies!

From The New York Times’ “An Army of Soulless 1’s and 0’s”:

Officials at the F.B.I. and the Justice Department say their inquiries on the zombie networks are exposing serious vulnerabilities in the Internet that could be exploited more widely by saboteurs to bring down Web sites or online messaging systems. One case under investigation, officials say, may involve as many as 300,000 zombie computers …

In one recent case, a small British online payment processing company, Protx, was shut down after being bombarded in a zombie attack and warned that problems would continue unless a $10,000 payment was made, the company said. It is not known whether the authorities ever arrested anyone in that case. …

More than 170,000 computers every day are being added to the ranks of zombies, according to Dmitri Alperovitch, a research engineer at CipherTrust, a company based in Georgia that sells products to make e-mail and messaging safer. …

Mr. Alperovitch said that CipherTrust had detected a sharp rise in zombie computers in recent months, from a daily average of 143,000 newly commandeered computers in March to 157,000 in April to 172,000 last month.

He said that the increase was attributable to two trends: the rising number of computers in Asia, particularly China, which do not use software to protect against zombies and the worldwide proliferation of high-speed Internet connections.


Social engineering via celebrities

From PC World’s “Britney Spears Ranked Top Virus Celebrity”:

Researchers combed through the seven years of virus-laden messages stored in Panda’s malware database to determine which celebrities most often had their names involuntarily used in association with malicious spam. …

The top ten list of celebrity virus rankings (in descending order) is: Britney Spears, Bill Gates, Jennifer Lopez, Shakira, Osama Bin Laden, Michael Jackson, Bill Clinton, Anna Kournikova, Paris Hilton, and Pamela Anderson.


A CNN for security?

From InfoWorld’s “AT&T plans CNN-style security channel”:

Security experts at AT&T are about to take a page from CNN’s playbook. Within the next year they will begin delivering a video streaming service that will carry Internet security news 24 hours a day, seven days a week, according to the executive in charge of AT&T Labs.

The service, which currently goes by the code name Internet Security News Network (ISN), is under development at AT&T Labs, but it will be offered as an additional service to the company’s customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T’s Global Networking Technology Services and AT&T Labs.

ISN will look very much like Time Warner’s Cable News Network, except that it will be broadcast exclusively over the Internet, Eslambolchi said. “It’s like CNN,” he said. “When a new attack is spotted, we’ll be able to offer constant updates, monitoring, and advice.”


Your typical phisher

From the Wall Street Journal’s “Phisher Tales: How Webs of Scammers Pull Off Internet Fraud”:

The typical phisher, he discovered, isn’t a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag.

If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.

Phishers with different skills will trade with each other in IRC chat rooms, says Mr. Abad. Some might have access to computers around the world that have been hijacked, and can thus be used in connection with a phishing attack. Others might design realistic “scam pages,” which are the actual emails that phishers send. …

One thing that’s different about phishers, he says, is how little they like to gab.

“Real hackers will engage in conversation,” he says. “With phishers, it’s a job.”


Articles read on 25 November 2003

Crypto-Gram Newsletter of 15 November 2003

"I don’t believe that airplane hijacking is a thing of the past, but when the next plane gets taken over it will be because a group of hijackers figured out a clever new weapon that we haven’t thought of, and not because they snuck some small pointy objects through security."

The Big Here and Long Now, by Brian Eno

"The Long Now is the recognition that the precise moment you’re in grows out of the past and is a seed for the future. The longer your sense of Now, the more past and future it includes. It’s ironic that, at a time when humankind is at a peak of its technical powers, able to create huge global changes that will echo down the centuries, most of our social systems seem geared to increasingly short nows."

The End of the Modern Era, by Vaclav Havel

"The end of Communism is, first and foremost, a message to the human race. It is a message we have not yet fully deciphered and comprehended. In its deepest sense, the end of Communism has brought a major era in human history to an end. It has brought an end not just to the 19th and 20th centuries, but to the modern age as a whole."

OpenOffice.org : Using it with Style

"We will examine how the styles work within OpenOffice.org and how they can be used to make your job easier when it comes to word processing."

KDE, Mac Os X, Windows: What can we learn (copy or improve) from them?
http://www.gnome.org/~fherrera/bof-conclusions.pdf (PDF)

Howard Rheingold: Smart Mobs

"Smart mobs use mobile media and computer networks to organize collective actions, from swarms of techno-savvy youth in urban Asia and Scandinavia to citizen revolts on the streets of Seattle, Manila, and Caracas. Wireless community networks, webloggers, buyers and sellers on eBay are early indicators of smart mobs that will emerge in the coming decade. Communication and computing technologies capable of amplifying human cooperation already appear to be both beneficial and destructive, used by some to support democracy and by others to coordinate terrorist attacks."

Problems with the Book of Mormon

"Written by a former believer in the book of Mormon, this article reveals serious objective weaknesses in any truth claims concerning the Book of Mormon."


How willingly we fool ourselves

This comes from a Wall Street Journal article titled “People Believe a ‘Fact’ That Fits Their Views Even if It’s Clearly False”:

… what we remember depends on what we believe. “People build mental models,” explains Stephan Lewandowsky, a psychology professor at the University of Western Australia, Crawley, who led the study that will be published in Psychological Science. “By the time they receive a retraction, the original misinformation has already become an integral part of that mental model, or world view, and disregarding it would leave the world view a shambles.” Therefore, he and his colleagues conclude in their paper, “People continue to rely on misinformation even if they demonstrably remember and understand a subsequent retraction.”


Why are we bad at estimating risk?

Bruce Schneier: "Why are people so lousy at estimating, evaluating and accepting risk? That’s a complicated question, and I spend most of Chapter 2 of Beyond Fear trying to answer it. Evaluating risk is one of the most basic functions of a brain and something hard-wired into every species possessing one. Our own notions of risk are based on experience, but also on emotion and intuition. The problem is that the risk analysis ability that has served our species so well over the millennia is being overtaxed by modern society. Modern science and technology create things that cannot be explained to the average person; hence, the average person cannot evaluate the risks associated with them. Modern mass communication perturbs the natural experiential process, magnifying spectacular but rare risks and minimizing common but uninteresting risks. This kind of thing isn’t new—government agencies like the FDA were established precisely because the average person cannot intelligently evaluate the risks of food additives and drugs—but it does have profound effects on people’s security decisions. They make bad ones." [The Evolution of a Cryptographer]


My first book – Don’t Click on the Blue E! – is out!

For all those surfers who have slowly grown disenchanted with Microsoft’s Internet Explorer web browser, Don’t Click on the Blue E! from O’Reilly is here to help. It offers non-technical users a convenient roadmap for switching to a better web browser – Firefox.

The only book that covers the switch to Firefox, Don’t Click on the Blue E! is a must for anyone who wants to browse faster, more securely, and more efficiently. It takes readers through the process step-by-step, so it’s easy to understand. Schools, non-profits, businesses, and individuals can all benefit from this how-to guide.

Firefox includes most of the features that browser users are familiar with, along with several new features other browsers don’t have, such as a bookmarks toolbar and window tabs that allow users to quickly switch among several web sites. There is also the likelihood of better security with Firefox.

All indications say that Firefox is more than just a passing fad. With USA Today and Forbes Magazine hailing it as superior to Internet Explorer, Firefox is clearly the web browser of the future. In fact, as it stands today, already 22% of the market currently employs Firefox for their browsing purposes.

Don’t Click on the Blue E! has been written exclusively for this growing audience. With its straightforward approach, it helps people harness this emerging technology so they can enjoy a superior – and safer – browsing experience.

Read two sample excerpts: Counteracting Web Annoyances (651 kb PDF) & Safety and Security (252 kb PDF).

Translated into Japanese!

Buy Don’t Click on the Blue E! from Amazon!


SSL in depth

I host Web sites, but we’ve only recently [2004] had to start implementing SSL, the Secure Sockets Layer, which turns http into https. I’ve been on the lookout for a good overview of SSL that explains why it is implemented as it is, and I think I’ve finally found one: Chris Shiflett: HTTP Developer’s Handbook: 18. Secure Sockets Layer is a chapter from Shiflett’s book posted on his web site, and boy it is good.

SSL has dramatically changed the way people use the Web, and it provides a very good solution to many of the Web’s shortcomings, most importantly:

  • Data integrity – SSL can help ensure that data (HTTP messages) cannot be changed while in transit.
  • Data confidentiality – SSL provides strong cryptographic techniques used to encrypt HTTP messages.
  • Identification – SSL can offer reasonable assurance as to the identity of a Web server. It can also be used to validate the identity of a client, but this is less common.

Shiflett is a clear technical writer, and if this chapter is any indication, the rest of his book may be worth buying.


Crack Windows passwords in seconds

This is an oldie but still a goodie – or a baddie, if you use or depend on Windows. Back in 2003, researchers released tools that enable the cracking of Windows passwords in an average of 13.6 seconds. Not bad, not bad at all. CNET has a nice writeup titled Cracking Windows passwords in seconds, which explains that the best way to guard against the attack is to create passwords that use more than just alphanumeric items. In other words, read my SecurityFocus column from May 2004, Pass the Chocolate, which contains this advice: “… you should use a mix of at least three of these four things: small letters, capital letters, numbers, and symbols. If you can use all four, great, but at least use three of them.”
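As an added illustration (not code from the column or from CNET), here is a small Python checker that implements the "three of four" rule quoted above and separately flags passwords drawn only from letters and digits, since the article singles those out as the weak case. The class definitions use Python's ASCII `string` tables; that choice is my own, as is the treatment of any non-ASCII character as "not alphanumeric-only" for the purposes of the second check.

```python
import string

# The four character classes named in the column's advice.
# Constructed from Python's ASCII tables; the column itself does not define them this precisely.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_present(password):
    """Return the set of class names (lower/upper/digit/symbol) that occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_three_of_four(password):
    """The quoted rule: at least three of the four classes must be present."""
    return len(classes_present(password)) >= 3


def is_alphanumeric_only(password):
    """True when the password uses nothing but ASCII letters and digits.

    This is the shape of password the article describes as quickest to recover;
    such a password can never satisfy more than three classes and is flagged separately
    so a policy can reject it even when it happens to mix case and digits.
    Non-ASCII input is treated as not alphanumeric-only (my assumption).
    """
    return bool(password) and password.isascii() and password.isalnum()


def evaluate(password):
    """Summarise both checks for a candidate password."""
    return {
        "classes": sorted(classes_present(password)),
        "three_of_four": meets_three_of_four(password),
        "alphanumeric_only": is_alphanumeric_only(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for candidate in ["password", "Password", "Password1", "P@ss1"]:
        print(candidate, evaluate(candidate))
```

Only `P@ss1` passes both checks here: `Password1` satisfies three classes but is still purely alphanumeric, which is exactly the gap the CNET advice is pointing at, so a policy built on this rule should reject on either condition.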

If you want to download and test the security of your Windows passwords, you can grab the software at Ophcrack. You can get source, as well as binaries for Windows and Linux. There’s even an online demo of the software, in which you can paste a hash of the password you’d like to crack and get back the actual password. Nice!
