
How to wiretap

From Seth David Schoen’s “Wiretapping vulnerabilities” (Vitanuova: 9 March 2006):

Traditional wiretap threat model: the risks are detection of the tap, and obfuscation of content of communication. …

POTS is basically the same as it was 100 years ago — with central offices and circuit-switching. A phone from 100 years ago will pretty much still work today. “Telephones are a remarkable example of engineering optimization” because they were built to work with very minimal requirements: just two wires between CO and the end subscriber, don’t assume that the subscriber has power, don’t assume that the subscriber has anything else. There is a DC current loop that provides 48 V DC power. The current loop determines the hook switch state. There’s also audio signalling for in-band signalling from phone to CO — or from CO to phone — or for voice. It all depends on context and yet all these things are multiplexed over two wires, including the hook state and the audio signalling and the voice traffic.

If you wanted to tap this: you could do it in three different ways.

* Via the local loop (wired or wireless/cellular).
* Via the CO switch (software programming).
* Via trunk interception (e.g. fiber, microwave, satellite) with demultiplexing.

How do LEAs do it? Almost always at local loop or CO. (By contrast, intelligence agencies are more likely to try to tap trunks.)


The real solution to identity theft: bank liability

From Bruce Schneier’s “Mitigating Identity Theft” (Crypto-Gram: 15 April 2005):

The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. …

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. …

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. …

The second issue is the ease with which a criminal can use personal data to commit fraud. …

Proposed fixes tend to concentrate on the first issue — making personal data harder to steal — whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

… That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

… The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions.


Two-factor authentication: the good & the bad

From Bruce Schneier’s “More on Two-Factor Authentication” (Crypto-Gram: 15 April 2005):

Passwords just don’t work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there’s an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can’t be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

One way to think about this is that two-factor authentication solves security problems involving authentication. The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn’t help.

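
A worked example added here, not part of Schneier’s essay: a TOTP verifier of the RFC 6238 kind that banks deploy, run against the two attackers the essay distinguishes. The passive eavesdropper who captures a password and a one-time code is stopped, because the code expires with its 30-second step and the server refuses a spent code; a phishing page that simply forwards the victim’s password and code in real time is not attacking the authentication system at all, and gets in. Secret, password and timestamps are made up (the secret is the RFC test key).

```python
"""TOTP (RFC 6238 on top of RFC 4226 HOTP) and the two attacker types.

A passive attacker who records a password and a one-time code gets nothing:
the code expires with its 30-second step and the server refuses reuse.  An
attacker who sits between user and bank (a phishing page that forwards what
the user types) is not attacking authentication at all and logs in fine.
Secret, password and timestamps are made up for the example.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // STEP_SECONDS)


class Server:
    """Password plus TOTP; accepts one step of clock skew; each code once."""

    def __init__(self, password: str, secret: bytes):
        self.password = password
        self.secret = secret
        self.used_counters = set()

    def login(self, password: str, code: str, now: int, skew: int = 1) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        counter = int(now) // STEP_SECONDS
        for c in range(counter - skew, counter + skew + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used_counters:      # replay of a spent code
                    return False
                self.used_counters.add(c)
                return True
        return False


SECRET = b"12345678901234567890"      # the RFC test key, not a real seed
PASSWORD = "hunter2"                   # made up
T0 = 1_700_000_000                     # fixed clock so runs are repeatable


def passive_eavesdropper(secret: bytes = SECRET):
    """Records the victim's login, then replays it 10 s and 5 min later."""
    server = Server(PASSWORD, secret)
    code = totp(secret, T0)
    victim_ok = server.login(PASSWORD, code, T0)
    return (victim_ok,
            server.login(PASSWORD, code, T0 + 10),
            server.login(PASSWORD, code, T0 + 300))


def relaying_phisher(secret: bytes = SECRET):
    """Victim types password and code into a fake site; it forwards them now."""
    server = Server(PASSWORD, secret)
    code = totp(secret, T0)             # captured by the fake site
    return server.login(PASSWORD, code, T0 + 5)


if __name__ == "__main__":
    print("victim, replay +10s, replay +5min:", passive_eavesdropper())
    print("real-time relay:", relaying_phisher())
```

The relay case is the one the essay is about: nothing in the verifier is wrong, the attacker simply never has to break it. Defences against it (transaction signing that binds the code to the payee and amount, origin-bound tokens) live in the transaction, not in the login.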

The HOLLYWOOD sign as multi-user access-control system

From Bruce Schneier’s “Hollywood Sign Security” (Crypto-Gram: 15 January 2005):

In Los Angeles, the “HOLLYWOOD” sign is protected by a fence and a locked gate. Because several different agencies need access to the sign for various purposes, the chain locking the gate is formed by several locks linked together. Each of the agencies has the key to its own lock, and not the key to any of the others. Of course, anyone who can open one of the locks can open the gate.

This is a nice example of a multiple-user access-control system. It’s simple, and it works. You can also make it as complicated as you want, with different locks in parallel and in series.

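
The locks-on-a-chain arrangement as a small policy evaluator, added here as an example and not taken from the essay. Locks linked in one chain are an OR (any one key opens the gate); separate chains through the gate are an AND; nesting the two gives the “parallel and series” policies mentioned. The agency names are invented, and the minimal-key-set search shows at a glance whose single key is enough, which is the weakest-link property Schneier points out.

```python
"""Access-control policy of the HOLLYWOOD-sign gate, as a small evaluator.

Padlocks linked end to end in one chain form an OR: open any one lock and
the chain parts.  Two separate chains through the gate form an AND: both
must be opened.  Nesting the two gives any monotone policy ("parallel and
series" in the post's words).  Agency names are made up for the example.
"""
from itertools import combinations


class Lock:
    """One padlock; opened only by the key of the agency that owns it."""

    def __init__(self, agency):
        self.agency = agency

    def opens_with(self, keys):
        return self.agency in keys

    def agencies(self):
        return {self.agency}


class AnyOf:
    """Locks linked in one chain (parallel): any single key suffices."""

    def __init__(self, *parts):
        self.parts = parts

    def opens_with(self, keys):
        return any(p.opens_with(keys) for p in self.parts)

    def agencies(self):
        return set().union(*(p.agencies() for p in self.parts))


class AllOf(AnyOf):
    """Separate chains through the gate (series): every chain must open."""

    def opens_with(self, keys):
        return all(p.opens_with(keys) for p in self.parts)


def minimal_key_sets(policy):
    """Every inclusion-minimal set of agency keys that opens the gate.

    Brute force over the agencies named in the policy; fine for a handful
    of locks, which is all a gate chain ever has.  Combinations are tried
    smallest first, so a set is minimal iff no set found earlier is inside it.
    """
    agencies = sorted(policy.agencies())
    found = []
    for size in range(1, len(agencies) + 1):
        for combo in combinations(agencies, size):
            keys = set(combo)
            if policy.opens_with(keys) and not any(f <= keys for f in found):
                found.append(keys)
    return found


# The arrangement described in the post: one chain, one lock per agency.
HOLLYWOOD_GATE = AnyOf(Lock("fire"), Lock("police"), Lock("parks"), Lock("broadcast"))

# A stricter variant: two chains, so two different agencies must be present.
TWO_PERSON_GATE = AllOf(AnyOf(Lock("parks"), Lock("fire")),
                        AnyOf(Lock("police"), Lock("broadcast")))

if __name__ == "__main__":
    for name, gate in (("single chain", HOLLYWOOD_GATE), ("two chains", TWO_PERSON_GATE)):
        print(name, "opens with any of:", [sorted(s) for s in minimal_key_sets(gate)])
```

The single-chain output is four one-element sets: the gate is exactly as secure as the least careful agency’s key management. The two-chain variant is the same idea as a two-person rule, built from nothing but padlocks.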

When people feel secure, they’re easier targets

From Bruce Schneier’s “Burglars and ‘Feeling Secure’” (Crypto-Gram: 15 January 2005):

This quote is from “Confessions of a Master Jewel Thief,” by Bill Mason (Villard, 2003): “Nothing works more in a thief’s favor than people feeling secure. That’s why places that are heavily alarmed and guarded can sometimes be the easiest targets. The single most important factor in security — more than locks, alarms, sensors, or armed guards — is attitude. A building protected by nothing more than a cheap combination lock but inhabited by people who are alert and risk-aware is much safer than one with the world’s most sophisticated alarm system whose tenants assume they’re living in an impregnable fortress.”

The author, a burglar, found that luxury condos were an excellent target. Although they had much more security technology than other buildings, they were vulnerable because no one believed a thief could get through the lobby.


What bots do and how they work

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

After successful exploitation, a bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), or CSend (an IRC extension to send files to other users, comparable to DCC) to transfer itself to the compromised host. The binary is started, and tries to connect to the hard-coded master IRC server. Often a dynamic DNS name is provided … rather than a hard-coded IP address, so the bot can be easily relocated. … Using a specially crafted nickname like USA|743634 or [UrX]-98439854 the bot tries to join the master’s channel, sometimes using a password to keep strangers out of the channel. …

Afterwards, the server accepts the bot as a client and sends him RPL_ISUPPORT, RPL_MOTDSTART, RPL_MOTD, RPL_ENDOFMOTD or ERR_NOMOTD. Replies starting with RPL_ contain information for the client, for example RPL_ISUPPORT tells the client which features the server understands and RPL_MOTD indicates the Message Of The Day (MOTD). …

On RPL_ENDOFMOTD or ERR_NOMOTD, the bot will try to join his master’s channel with the provided password …

The bot receives the topic of the channel and interprets it as a command: …

The first topic tells the bot to spread further with the help of the LSASS vulnerability. … the second example of a possible topic instructs the bot to download a binary from the web and execute it … And if the topic does not contain any instructions for the bot, then it does nothing but idle in the channel, awaiting commands. That is fundamental for most current bots: They do not spread if they are not told to spread in their master’s channel.

Upon successful exploitation the bot will message the owner about it, if it has been advised to do so. …

Then the IRC server (also called IRC daemon, abbreviated IRCd) will provide the channel’s user list. But most botnet owners have modified the IRCd to just send the channel operators to save traffic and disguise the number of bots in the channel. …

The controller of a botnet has to authenticate himself to take control over the bots. …

… the “-s” switch in the last example tells the bots to be silent when authenticating their master. …

… Once an attacker is authenticated, they can do whatever they want with the bots … The IRC server that is used to connect all bots is in most cases a compromised box. … Only beginners start a botnet on a normal IRCd. It is just too obvious you are doing something nasty if you have 1,200 clients named rbot-<6-digits> reporting scanning results in a channel. Two different IRC server software implementations are commonly used to run a botnet: Unreal IRCd and ConferenceRoom:

  • Unreal IRCd (http://www.unrealircd.com/) is cross-platform and can thus be used to easily link machines running Windows and Linux. The IRC server software is stripped down and modified to fit the botnet owners’ needs. Common modifications we have noticed are stripping “JOIN”, “PART” and “QUIT” messages on channels to avoid unnecessary traffic. … able to serve 80,000 bots …
  • ConferenceRoom (http://www.webmaster.com/) is a commercial IRCd solution, but people who run botnets typically use a cracked version. …

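
The exchange described above, traced from the defender’s side, as an added example (not from the Honeynet paper). The transcript is constructed: server name, channel, key and addresses are made up, but the sequence follows the text: register with a crafted nickname, wait for RPL_ENDOFMOTD (376) or ERR_NOMOTD (422), JOIN with a channel key, then read the channel topic (332) as a command. The nickname regexes and the list of command verbs are assumptions built from the examples quoted on this page, not a complete signature set.

```python
"""Parse the IRC exchange a bot goes through and pull out the bot-like traits.

The transcript below is constructed for the example ('>' is client to
server, '<' is server to client; names and addresses are made up).  It
follows the sequence the Honeynet paper describes: register, wait for
RPL_ENDOFMOTD (376) or ERR_NOMOTD (422), JOIN the master's channel with a
key, and treat the channel topic (332) as the command to run.
"""
import re

SAMPLE_SESSION = """\
> NICK USA|743634
> USER wgs 0 * :wgs
< :irc.example.net 001 USA|743634 :Welcome to the network
< :irc.example.net 005 USA|743634 CHANTYPES=# PREFIX=(ov)@+ :are supported by this server
< :irc.example.net 375 USA|743634 :- irc.example.net Message of the Day -
< :irc.example.net 372 USA|743634 :- nothing to see here
< :irc.example.net 376 USA|743634 :End of /MOTD command.
> JOIN #spread s3cret
< :USA|743634!wgs@10.0.0.5 JOIN :#spread
< :irc.example.net 332 USA|743634 #spread :.advscan lsass 150 5 0 -r -s
< :irc.example.net 353 USA|743634 = #spread :@master
""".splitlines()

# Assumed signatures, derived from the nick examples quoted on this page.
BOT_NICK_PATTERNS = [re.compile(p) for p in (
    r"^[A-Za-z]{2,4}\|\d{4,}$",      # USA|743634
    r"^\[[^\]]+\]-\d{4,}$",          # [UrX]-98439854
    r"^rbot-\d{6}$",                 # rbot-<6-digits>
)]
# Assumed verb list; real bots have many more.
COMMAND_VERBS = {"advscan", "scan", "download", "update", "getcdkeys", "login"}


def parse_irc(line: str):
    """RFC 1459 message -> (prefix, command, params); trailing param kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]


def parse_bot_command(topic: str):
    """'.advscan lsass 150 5 0 -r -s' -> verb, positional args, switches."""
    if not topic.startswith("."):
        return None
    tokens = topic[1:].split()
    if not tokens or tokens[0].lower() not in COMMAND_VERBS:
        return None
    return {"verb": tokens[0].lower(),
            "args": [t for t in tokens[1:] if not t.startswith("-")],
            "flags": [t for t in tokens[1:] if t.startswith("-")]}


def analyze_session(transcript):
    """Walk a '>'/'<' tagged transcript and report what a bot would do."""
    report = {"nick": None, "bot_like_nick": False, "channel": None,
              "channel_key": None, "joined_after_motd": False, "commands": []}
    motd_done = False
    for raw in transcript:
        direction, _, line = raw.partition(" ")
        if not line:
            continue
        _, command, params = parse_irc(line)
        if direction == ">" and command == "NICK":
            report["nick"] = params[0]
            report["bot_like_nick"] = any(p.match(params[0]) for p in BOT_NICK_PATTERNS)
        elif direction == "<" and command in ("376", "422"):
            motd_done = True                       # end of MOTD, or no MOTD
        elif direction == ">" and command == "JOIN":
            report["channel"] = params[0]
            report["channel_key"] = params[1] if len(params) > 1 else None
            report["joined_after_motd"] = motd_done
        elif direction == "<" and command in ("332", "TOPIC"):
            cmd = parse_bot_command(params[-1])    # topic is the trailing param
            if cmd:
                report["commands"].append(cmd)
    return report


def looks_like_botnet_cnc(report) -> bool:
    return report["bot_like_nick"] and bool(report["commands"])


if __name__ == "__main__":
    r = analyze_session(SAMPLE_SESSION)
    print(r)
    print("botnet C&C:", looks_like_botnet_cnc(r))
```

Fed per-connection transcripts from a proxy or a packet capture, this picks up the topic-as-command and join-straight-after-MOTD behaviour in the protocol itself, which survives the IRCd modifications the paper mentions (hiding the user list, dropping JOIN/PART/QUIT).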

Different types of Bots

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

… some of the more widespread and well-known bots.

  • Agobot/Phatbot/Forbot/XtremBot

    … best known bot. … more than 500 known different versions of Agobot … written in C++ with cross-platform capabilities and the source code is put under the GPL. … structured in a very modular way, and it is very easy to add commands or scanners for other vulnerabilities … uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic. … can use NTFS Alternate Data Stream (ADS) and offers Rootkit capabilities like file and process hiding to hide its own presence … reverse engineering this malware is harder since it includes functions to detect debuggers (e.g. SoftICE and OllyDbg) and virtual machines (e.g. VMware and Virtual PC). … the only bot that utilized a control protocol other than IRC. A fork using the distributed organized WASTE chat network is available.

  • SDBot/RBot/UrBot/UrXBot/…

    This family of malware is at the moment the most active one … seven derivatives … written in very poor C and also published under the GPL.

  • mIRC-based Bots – GT-Bots

    We subsume all mIRC-based bots as GT-bots … GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots. … mIRC-scripts, often having the extension “.mrc”, are used to control the bot.

  • DSNX Bots

    Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. … code is published under the GPL. … one major disadvantage: the default version does not come with any spreaders.

  • Q8 Bots

    only 926 lines of C-code. … written for Unix/Linux systems.

  • kaiten

    … lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file.

  • Perl-based bots

    … very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS-attacks) … used on Unix-based systems.


Uses of botnets

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

“A botnet is comparable to compulsory military service for windows boxes” – Stromberg

… Based on the data we captured, the possibilities to use botnets can be categorized as listed below. …

  1. Distributed Denial-of-Service Attacks

    Most commonly implemented and also very often used are TCP SYN and UDP flood attacks. Script kiddies apparently consider DDoS an appropriate solution to every social problem. … run commercial DDoS attacks against competing corporations … DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. … very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim’s website.

  2. Spamming

    open a SOCKS v4/v5 proxy … send massive amounts of bulk email … harvest email-addresses … phishing-mails

  3. Sniffing Traffic

    use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. … If a machine is compromised more than once and is also a member of more than one botnet, the packet sniffing makes it possible to gather the key information of the other botnet. Thus it is possible to “steal” another botnet.

  4. Keylogging
  5. Spreading new malware

    In most cases, botnets are used to spread new bots. … spreading an email virus using a botnet is a very nice idea

  6. Installing Advertisement Addons and Browser Helper Objects (BHOs)

    setting up a fake website with some advertisements … these clicks can be “automated” so that instantly a few thousand bots click on the pop-ups. … hijacks the start-page of a compromised machine so that the “clicks” are executed each time the victim uses the browser.

  7. Google AdSense abuse

    … leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increments the click counter.

  8. Attacking IRC Chat Networks

    attacks against Internet Relay Chat (IRC) networks. … so called “clone attack”: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network.

  9. Manipulating online polls/games

    Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets.

  10. Mass identity theft

    Bogus emails (“phishing mails”) … also host multiple fake websites pretending to be Ebay, PayPal, or a bank …


Who runs botnets?

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

An event that is not that unusual is that somebody steals a botnet from someone else. … bots are often “secured” by some sensitive information, e.g. channel name or server password. If one is able to obtain all this information, he is able to update the bots within another botnet to another bot binary, thus stealing the bots from another botnet. …

Something which is interesting, but rarely seen, is botnet owners discussing issues in their bot channel. …

Our observations showed that often botnets are run by young males with surprisingly limited programming skills. … we also observed some more advanced attackers: these persons join the control channel only seldom. They use only 1 character nicks, issue a command and leave afterwards. The updates of the bots they run are very professional. Probably these people use the botnets for commercial usage and “sell” the services. A low percentage use their botnets for financial gain. …

Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. … Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. …

… some attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon.


An analysis of botnets

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

A botnet is a network of compromised machines that can be remotely controlled by an attacker. … With the help of honeynets we can observe the people who run botnets … Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. …

We have identified many different versions of IRC-based bots … The bot joins a specific IRC channel on an IRC server and waits there for further commands. This allows an attacker to remotely control this bot and use it for fun and also for profit. Attackers even go a step further and bring different bots together. Such a structure, consisting of many compromised machines which can be managed from an IRC channel, is called a botnet. IRC is not the best solution since the communication between bots and their controllers is rather bloated, a simpler communication protocol would suffice. But IRC offers several advantages: IRC Servers are freely available and are easy to set up, and many attackers have years of IRC communication experience.

… Even a relatively small botnet with only 1000 bots can cause a great deal of damage. These 1000 bots have a combined bandwidth (1000 home PCs with an average upstream of 128KBit/s can offer more than 100MBit/s) that is probably higher than the Internet connection of most corporate systems. In addition, the IP distribution of the bots makes ingress filter construction, maintenance, and deployment difficult. In addition, incident response is hampered by the large number of separate organizations involved. Another use for botnets is stealing sensitive information or identity theft: Searching some thousand home PCs for password.txt, or sniffing their traffic, can be effective.

The spreading mechanisms used by bots are a leading cause of “background noise” on the Internet, especially on TCP ports 445 and 135. … This malware scans large network ranges for new vulnerable computers and infects them, thus acting similarly to a worm or virus. … most traffic targets the ports used for resource sharing on machines running all versions of Microsoft’s Windows operating system …

The traffic on these four ports [445/TCP, 139/TCP, 137/UDP, 135/TCP] causes more than 80 percent of the whole traffic captured. …

Lessons Learned

  • Number of botnets

    … able to track little more than 100 botnets during the last four months. … at the moment we are tracking about 35 active botnets.

  • Number of hosts

    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored. … If an IRCd is modified not to show joining clients in a channel, we don’t see IPs here. Furthermore some IRCds obfuscate the joining clients’ IP addresses, and obfuscated IP addresses do not count as seen either. … this would mean that more than one million hosts are compromised and can be controlled by malicious attackers.

  • Typical size of Botnets

    Some botnets consist of only a few hundred bots. In contrast to this, we have also monitored several large botnets with up to 50,000 hosts. … botnets with several hundred thousand hosts have been reported in the past. … We know about a home computer which got infected by 16 (sic!) different bots, so it’s hard to make an estimation about the world bot population here.

  • Dimension of DDoS-attacks

    From the beginning of November 2004 until the end of January 2005, we were able to observe 226 DDoS-attacks against 99 unique targets.

  • Spreading of botnets

    “.advscan lsass 150 5 0 -r -s” and other commands are the most frequent observed messages. Through this and similar commands, bots spread and search for vulnerable systems.

  • Harvesting of information

    … harvesting of information from all compromised machines. With the help of a command like “.getcdkeys” the operator of the botnet is able to request a list of CD-keys (e.g. for Windows or games) from all bots.

  • “Updates” within botnets

    … observed updates of botnets quite frequently. … bots are instructed to download a piece of software from the Internet and then execute it. … bots can be dynamically updated and be further enhanced. … In total, we have collected 329 binaries. … Most of the other binary files are either adware …, proxy servers … or Browser Helper Objects.

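
An added example, not from the paper: a spreader detector over flow records. It flags any source that reaches many distinct hosts on the four resource-sharing ports within a short window (a bot running its .advscan sweep looks exactly like this on the wire) and reports what share of all flows those ports account for, the figure the paper puts above 80 percent. The flow records are constructed for the example; addresses and timestamps are made up.

```python
"""Spot a bot's spreader from flow records: one source fanning out to many
hosts on the Windows resource-sharing ports within a short window, plus the
share of all traffic those four ports account for.  The flow records are
constructed for the example (addresses and times are made up); a real run
would read NetFlow or Zeek conn logs instead.
"""
from collections import Counter, defaultdict
from typing import NamedTuple

SHARE_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("tcp", 135)}


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    proto: str
    dport: int


def constructed_flows():
    """Made-up sample: one spreader, one ordinary workstation."""
    t = 1_100_000_000
    flows = []
    # a freshly infected box sweeping a /24 on 445/tcp in about six seconds
    for i in range(1, 61):
        flows.append(Flow(t + i // 10, "10.0.0.5", f"10.0.1.{i}", "tcp", 445))
    # an ordinary workstation: SMB to its one file server, some web browsing
    for i in range(30):
        flows.append(Flow(t + 2 * i, "10.0.0.9", "10.0.0.20", "tcp", 445))
    for i in range(10):
        flows.append(Flow(t + 5 * i, "10.0.0.9", f"93.184.216.{i}", "tcp", 80))
    return flows


def share_port_fraction(flows) -> float:
    """Fraction of flows on 445/tcp, 139/tcp, 137/udp, 135/tcp."""
    hits = sum(1 for f in flows if (f.proto, f.dport) in SHARE_PORTS)
    return hits / len(flows) if flows else 0.0


def scanners(flows, threshold: int = 20, window: int = 60) -> dict:
    """Sources that reach >= threshold distinct hosts on the share ports
    within any `window`-second span.  Returns {src: peak distinct hosts}."""
    by_src = defaultdict(list)
    for f in flows:
        if (f.proto, f.dport) in SHARE_PORTS:
            by_src[f.src].append((f.ts, f.dst))
    found = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()      # distinct destinations inside the window
        lo, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[lo][0] < ts - window:   # expire old events
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            found[src] = peak
    return found


if __name__ == "__main__":
    flows = constructed_flows()
    print(f"share-port traffic: {share_port_fraction(flows):.0%} of flows")
    print("spreaders:", scanners(flows))
```

The workstation talks to 445/tcp thirty times and is never flagged, because fan-out, not volume, is the signal: a legitimate host repeats the same few destinations, a spreader never repeats one.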

The CIA’s ‘black sites’ hide terror suspects around the world

From Dana Priest’s “CIA Holds Terror Suspects in Secret Prisons” (The Washington Post: 2 November 2005):

The CIA has been hiding and interrogating some of its most important al Qaeda captives at a Soviet-era compound in Eastern Europe, according to U.S. and foreign officials familiar with the arrangement.

The secret facility is part of a covert prison system set up by the CIA nearly four years ago that at various times has included sites in eight countries, including Thailand, Afghanistan and several democracies in Eastern Europe, as well as a small center at the Guantanamo Bay prison in Cuba, according to current and former intelligence officials and diplomats from three continents.

The hidden global internment network is a central element in the CIA’s unconventional war on terrorism. It depends on the cooperation of foreign intelligence services, and on keeping even basic information about the system secret from the public, foreign officials and nearly all members of Congress charged with overseeing the CIA’s covert actions.

The existence and locations of the facilities — referred to as “black sites” in classified White House, CIA, Justice Department and congressional documents — are known to only a handful of officials in the United States and, usually, only to the president and a few top intelligence officers in each host country. …

Virtually nothing is known about who is kept in the facilities, what interrogation methods are employed with them, or how decisions are made about whether they should be detained or for how long.

While the Defense Department has produced volumes of public reports and testimony about its detention practices and rules after the abuse scandals at Iraq’s Abu Ghraib prison and at Guantanamo Bay, the CIA has not even acknowledged the existence of its black sites. To do so, say officials familiar with the program, could open the U.S. government to legal challenges, particularly in foreign courts, and increase the risk of political condemnation at home and abroad. …

Although the CIA will not acknowledge details of its system, intelligence officials defend the agency’s approach, arguing that the successful defense of the country requires that the agency be empowered to hold and interrogate suspected terrorists for as long as necessary and without restrictions imposed by the U.S. legal system or even by the military tribunals established for prisoners held at Guantanamo Bay. …

It is illegal for the government to hold prisoners in such isolation in secret prisons in the United States, which is why the CIA placed them overseas, according to several former and current intelligence officials and other U.S. government officials. Legal experts and intelligence officials said that the CIA’s internment practices also would be considered illegal under the laws of several host countries, where detainees have rights to have a lawyer or to mount a defense against allegations of wrongdoing. …

More than 100 suspected terrorists have been sent by the CIA into the covert system, according to current and former U.S. intelligence officials and foreign sources. This figure, a rough estimate based on information from sources who said their knowledge of the numbers was incomplete, does not include prisoners picked up in Iraq.

The detainees break down roughly into two classes, the sources said.

About 30 are considered major terrorism suspects and have been held under the highest level of secrecy at black sites financed by the CIA and managed by agency personnel, including those in Eastern Europe and elsewhere, according to current and former intelligence officers and two other U.S. government officials. Two locations in this category — in Thailand and on the grounds of the military prison at Guantanamo Bay — were closed in 2003 and 2004, respectively.

A second tier — which these sources believe includes more than 70 detainees — is a group considered less important, with less direct involvement in terrorism and having limited intelligence value. These prisoners, some of whom were originally taken to black sites, are delivered to intelligence services in Egypt, Jordan, Morocco, Afghanistan and other countries, a process sometimes known as “rendition.” While the first-tier black sites are run by CIA officers, the jails in these countries are operated by the host nations, with CIA financial assistance and, sometimes, direction. …

The top 30 al Qaeda prisoners exist in complete isolation from the outside world. Kept in dark, sometimes underground cells, they have no recognized legal rights, and no one outside the CIA is allowed to talk with or even see them, or to otherwise verify their well-being, said current and former U.S. and foreign government and intelligence officials. …

Among the first steps was to figure out where the CIA could secretly hold the captives. One early idea was to keep them on ships in international waters, but that was discarded for security and logistics reasons.

CIA officers also searched for a setting like Alcatraz Island. They considered the virtually unvisited islands in Lake Kariba in Zambia, which were edged with craggy cliffs and covered in woods. But poor sanitary conditions could easily lead to fatal diseases, they decided, and besides, they wondered, could the Zambians be trusted with such a secret? …

The largest CIA prison in Afghanistan was code-named the Salt Pit. It was also the CIA’s substation and was first housed in an old brick factory outside Kabul. In November 2002, an inexperienced CIA case officer allegedly ordered guards to strip naked an uncooperative young detainee, chain him to the concrete floor and leave him there overnight without blankets. He froze to death, according to four U.S. government officials. The CIA officer has not been charged in the death. …

The CIA program’s original scope was to hide and interrogate the two dozen or so al Qaeda leaders believed to be directly responsible for the Sept. 11 attacks, or who posed an imminent threat, or had knowledge of the larger al Qaeda network. But as the volume of leads pouring into the CTC from abroad increased, and the capacity of its paramilitary group to seize suspects grew, the CIA began apprehending more people whose intelligence value and links to terrorism were less certain, according to four current and former officials.

The original standard for consigning suspects to the invisible universe was lowered or ignored, they said. “They’ve got many, many more who don’t reach any threshold,” one intelligence official said.


What kinds of spam are effective?

From Alex Mindlin’s “Seems Somebody Is Clicking on That Spam” (The New York Times: 3 July 2006):

Spam messages promoting pornography are 280 times as effective in getting recipients to click on them as messages advertising pharmacy drugs, which are the next most effective type of spam.

The third most successful variety is spam advertising Rolex watches, 0.0075 percent of which get clicked on, according to an analysis by CipherTrust, a large manufacturer of devices that protect networks from spam and viruses.


Ban USB devices or glue USB ports shut

From AAP’s “Computers ‘glued’ to protect data” (News.com.au: 4 July 2006):

A rise in the level of corporate data theft has spurred some companies to take measures to stop rogue employees sneaking corporate data out of the workplace on memory sticks, iPods and mobile phones, The Australian Financial Review reported.

Rising data theft has prompted a number of companies to ban portable storage devices – such as the ubiquitous memory stick – that can be plugged into computers to download files from one machine and transfer to another. …

“We have heard of at least one case where a company took steps to disable USB ports on their PCs with superglue,” SurfControl Australia’s managing director, Charles Heunemann, said.


OnStar: the numbers

From PR Newswire’s “OnStar Achieves Another First as Winner of Good Housekeeping’s ‘Good Buy’ Award for Best Service” (3 December 2004):

Each month on average, OnStar receives about 700 airbag notifications and 11,000 emergency assistance calls, which include 4,000 Good Samaritan calls for a variety of emergency situations. In addition, each month OnStar advisors respond to an average of 500 stolen vehicle location requests, 20,000 requests for roadside assistance, 36,000 remote door-unlock requests and 19,000 GM Goodwrench remote diagnostics requests.


How to get 1 million MySpace friends

From Nate Mook’s “Cross-Site Scripting Worm Hits MySpace” (Beta News: 13 October 2005):

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, “Samy” had amassed over 1 million friends on the popular online community.

How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.

First, by examining the restrictions put into place by MySpace, Samy discovered how to insert raw HTML into his user profile page. But MySpace stripped out the word “javascript” from any text, which would be needed to execute code.

With the help of Internet Explorer, Samy was able to break the word JavaScript into two lines and place script code within a Cascading Style Sheet tag.

The next step was to simply instruct the Web browser to load a MySpace URL that would automatically invite Samy as a friend, and later add him as a “hero” to the visitor’s own profile page. To do this without a user’s knowledge, the code utilized XMLHttpRequest – a JavaScript object used in AJAX, or Web 2.0, applications such as Google Maps.

Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user’s profile, creating a replicating worm. “So if 5 people viewed my profile, that’s 5 new friends. If 5 people viewed each of their profiles, that’s 25 more new friends,” Samy explained.

It didn’t take long for friend requests to start rolling in – first in the hundreds, then thousands. By 9:30pm that night, requests topped one million and continued arriving at a rate of 1,000 every few seconds. Less than an hour later, MySpace was taken offline while the worm was removed from all user profiles.

How to get 1 million MySpace friends Read More »

California’s wide-open educational software reveals personal info

From Nanette Asimov’s “Software glitch reveals private data for thousands of state’s students” (San Francisco Chronicle: 21 October 2005):

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox. …

San Francisco administrators immediately shut down access to the service, called OARS — Online Assessment Reporting System — after a reporter phoned and said she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords. …

Most of the 96 districts statewide that use the system are in Southern California and the Central Valley. …

“We have confidence in the professionalism of our teachers” not to share their passwords, Bradshaw said.

But told how simple it was to gain access to the student records of any teacher who had not yet changed to a unique password, the administrators said they planned to make sure teachers did so.

“We will definitely monitor that,” Quinn said. “We don’t want anyone getting into student information.”

California’s wide-open educational software reveals personal info Read More »

The feeling of being watched causes greater honesty

From “Big Brother eyes ‘boost honesty’” (BBC News: 28 June 2006):

The feeling of being watched makes people act more honestly, even if the eyes are not real, a study suggests.

A Newcastle University team monitored how much money people put in a canteen “honesty box” when buying a drink.

They found people put nearly three times as much in when a poster of a pair of eyes was put above the box than when the poster showed flowers.

The brain responds to images of eyes and faces and the poster may have given the feeling of being watched, they say. …

Dr Melissa Bateson, a behavioural biologist from Newcastle University and the lead author of the study, said: “We found that people paid 2.76 times as much money when we put a notice on the wall that featured a pair of eyes as opposed to when the image was of some flowers.”

The feeling of being watched causes greater honesty Read More »

Microsoft: only way to deal with malware is to wipe the computer

From Ryan Naraine’s “Microsoft Says Recovery from Malware Becoming Impossible” (eWeek: 4 April 2006):

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

“When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit,” Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. “In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast,” Danseglio added.

… “We’ve seen the self-healing malware that actually detects that you’re trying to get rid of it. You remove it, and the next time you look in that directory, it’s sitting there. It can simply reinstall itself,” he said.

“Detection is difficult, and remediation is often impossible,” Danseglio declared. “If it doesn’t crash your system or cause your system to freeze, how do you know it’s there? The answer is you just don’t know. Lots of times, you never see the infection occur in real time, and you don’t see the malware lingering or running in the background.”

… Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is “human stupidity.”

“Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity,” he said.

Microsoft: only way to deal with malware is to wipe the computer Read More »

Why the color-coded threat alert system fails

From Bruce Schneier’s “Color-Coded Terrorist Threat Levels” (Crypto-Gram Newsletter: 15 January 2004):

The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alert levels: Green, Blue, Yellow, Orange, and Red. The difference is that the DEFCON system is tied to particular procedures; military units have specific actions they need to perform every time the DEFCON level goes up or down. The color-alert system, on the other hand, is not tied to any specific actions. People are left to worry, or are given nonsensical instructions to buy plastic sheeting and duct tape. Even local police departments and government organizations largely have no idea what to do when the threat level changes. The threat levels actually do more harm than good, by needlessly creating fear and confusion (which is an objective of terrorists) and anesthetizing people to future alerts and warnings. If the color-alert system became something better defined, so that people know exactly what caused the levels to change, what the change means, and what actions they need to take in the event of a change, then it could be useful. But even then, the real measure of effectiveness is in the implementation. Terrorist attacks are rare, and if the color-threat level changes willy-nilly with no obvious cause or effect, then people will simply stop paying attention. And the threat levels are publicly known, so any terrorist with a lick of sense will simply wait until the threat level goes down.

Living under Orange reinforces this. It didn’t mean anything. Tom Ridge’s admonition that Americans “be alert, but go about their business” reinforces this; it’s nonsensical advice. I saw little that could be considered a good security trade-off, and a lot of draconian security measures and security theater.

Why the color-coded threat alert system fails Read More »