Fri, 18 Jul 2008 04:16:56 +0000
On Tuesday, July 8th, Microsoft’s usual package of patches seemed to end-users like every other Patch Tuesday — some security updates to various and sundry Windows files to patch security vulnerabilities unknown. However, it contained something very unusual this time — a design change to DNS.
DNS has been around since the 1970s, so people don’t [...]
Mon, 30 Jun 2008 21:25:25 +0000
Blizzard Entertainment, makers of the phenomenally-successful multiplayer game World of Warcraft, have introduced two-factor authentication for logging into the game. For $6.50, they’ll sell you a dynamic password keychain token called the Blizzard Authenticator, which looks much like the RSA keyfobs many in the IT industry use to log into their corporate VPNs.
It may seem [...]
Sun, 18 May 2008 02:41:14 +0000
I don’t usually post about newly-discovered vulnerabilities, simply because there are so many of them — a dozen come out every day, especially in web applications. However, this one has further-reaching consequences. Security researcher HD Moore (of Metasploit fame) has discovered a vulnerability in the OpenSSL cryptographic random number generator used by Debian Linux, the [...]
Fri, 16 May 2008 18:05:48 +0000
Auren Hoffman at Summation has an interesting post on the “black hat tax.” Essentially, how much do hackers and other online criminals actually cost us? He estimates it at 25% of time and resources, after taking into account not just hackers but also scammers, phishers, and responding to law enforcement requests. According to James Currier [...]
Fri, 16 May 2008 16:50:39 +0000
A story in the New York Times tells us that Charter Communications (the United States’s fourth-largest cable company) is going to start tracking user behavior and using it to sell ads. They spin this as a potential problem because of privacy implications — it means that the cable company is watching your web surfing so [...]
Fri, 02 May 2008 05:28:33 +0000
According to the EFF blog, customs has taken to randomly searching electronic devices for suspicious data. It is somewhat mysterious what they are searching them for — given only a few minutes and a technically unskilled border guard doing the searching, it’s hard to imagine them actually finding anything better hidden than a file on [...]
Thu, 24 Apr 2008 05:11:17 +0000
I’ve talked before about ad replacers, where ISPs dynamically edit the contents of web traffic for their customers, replacing ads on web sites with ads of their own. This is a threat to the business model of the internet, as if done on a wide scale it would render small, advertiser-supported websites unable to [...]
Thu, 10 Apr 2008 18:07:08 +0000
HexView has an article about tracking vehicles with RFID tire pressure monitors. The devices are found in tires and transmit tire pressure to the engine control module, which sounds innocuous enough, but to prevent modules from reading neighboring cars’ tires by accident, they also transmit a unique ID. Thus, you can follow a [...]
Tue, 08 Apr 2008 17:41:01 +0000
Microsoft gets a lot of criticism over Internet Explorer not being “standards-compliant.” However, it’s actually not so simple, for a variety of reasons. One of them is that the web itself is not very standards-compliant — while IE8 has a standards-compliant-browser mode, it has to offer an IE7 rendering fallback mode because most [...]
Thu, 03 Apr 2008 17:22:48 +0000
The Today Show has a cover story today entitled “Mom lets 9-year-old take subway home alone.” The controversy over this — that is, the fact that there is any — is a wonderful example of how poorly people assess risk in modern society. What this woman, Lenore Skenazy, has done to stir up [...]
Mon, 10 Mar 2008 21:46:00 +0000
A company named Phorm (formerly 121Media) has introduced a new product for ISPs. The idea is that the ISP installs this product (basically a transparent proxy) on their network, and as their customers surf the web, the OIX proxy replaces advertisements on web pages with advertisements on the Phorm network. To make it more palatable, [...]
Thu, 28 Feb 2008 18:19:10 +0000
Early this week, some researchers at Princeton University’s Center for Information Technology Policy released a fascinating video of whole-disk encryption being cracked quite quickly and easily.
Whole-disk encryption products — such as PGP Whole Disk Encryption, TrueCrypt System Encryption, and Windows Vista’s BitLocker — work by encrypting the entire hard disk with a symmetric key, save [...]
Mon, 18 Feb 2008 19:03:43 +0000
On January 21st, 2008, the major French bank Société Générale lost $7.09 billion attempting to unwind unauthorized trading positions taken by Jérôme Kerviel, a futures trader with the bank. Kerviel had taken positions worth $73.3 billion, far above not only his trading limits but the bank’s entire market capitalization. The loss taken [...]
Tue, 12 Feb 2008 05:32:27 +0000
It wasn’t a good weekend for Linux.
The ultraportable ASUS Eee PC has seen quite a bit of publicity lately. With prices starting as low as $300, it’s about as cheap as laptops get, and runs on a solid-state drive instead of a hard disk. Of course, to get such a low price, it [...]
Mon, 04 Feb 2008 23:41:44 +0000
In my last post about finding a job in information security, when discussing application security, I off-handedly mentioned several mitigation technologies — GS, DEP, SAL, and ASLR. These are technologies developed by OS vendors to provide system-wide protection against common attacks, and are things every application developer should know about when dealing with native [...]
Fri, 01 Feb 2008 01:27:15 +0000
Don Parker at SecurityFocus has an article called Skills for the Future about how to get a job in information security. He outlines one path, and while I don’t deny it’s a good one, and probably the most common, it’s not the only way, either.
There are quite a few different areas of specialization within [...]
Wed, 30 Jan 2008 18:14:26 +0000
The AP has a story about an electronic bank robbery foiled when a bank employee pulled the plug on the robbers’ network connection. Apparently the robbers had gained physical access to the employee’s workstation at some point, and installed “advanced technical equipment” underneath the desk to remotely control the computer.
I would guess that the “advanced [...]
Mon, 28 Jan 2008 01:35:15 +0000
On further investigation, it turns out that there is a reason for the DRM protection on Qtrax downloads… it’s just not to prevent piracy.
When a Qtrax-downloaded file is played, the WMA licensing notifies Qtrax of the act — so that they can divvy up advertising revenue from the site based on what people are listening [...]
Mon, 28 Jan 2008 01:21:53 +0000
So, there’s been a lot of news about Qtrax, a new music download service approved by the major record labels. It sounds like a good thing for consumers — a Songbird-based browser lets you select pretty much any song imaginable, including the entire catalog of songs available from iTunes, and download it freely and [...]
Fri, 25 Jan 2008 04:06:46 +0000
Peter Scharr, Germany’s Commissioner of Data Protection and head of the European Union’s privacy working group, has stated that information identified only by IP address must be considered personally identifiable information. As the AP article points out, this could have rather serious implications for search engines and many other electronic businesses, and RSnake is [...]