Security Category Archives

November 26, 2007

SONY compromised?

I noticed that one of the throw-away email addresses I registered years ago for Sony Style product registration and accessories is now receiving spam.  Was Sony compromised, or did they have an insider sell their addresses?  Who knows...  I know that I didn't give it out to anyone...

May 14, 2007

Seattle City Light Billing Scam Warning

This kind of thing was going on long before "phishing" was coined. It's the same thing in a different technology medium.

FOR IMMEDIATE RELEASE
April 25, 2007
CONTACT: Scott Thomsen, phone: 206/615-0978, pager: 206/386-4233

BILL COLLECTION SCAM TARGETS WEST SEATTLE
Customers Urged to Protect Credit Card Information from Con Artists

SEATTLE - Seattle City Light is urging its customers to be on guard against telephone con artists posing as utility bill collectors who appear to be targeting customers with Asian surnames in the West Seattle area.

In the past few days, several customers reported they received phone calls from people claiming to be City Light employees. One customer’s account was fraudulently tapped for more than $3,000.

In the scam, the callers claim there is a problem with payment of the customer's bill by check and demand credit card information to resolve the matter. This is similar to incidents reported to City Light in January and earlier this month.

Carol Dickinson, director of customer relations and account services, said City Light wants to help its customers protect themselves from such scams.

"We do not make outbound calls to customers asking for money to pay their bill or to ask for credit card payments or personal account information as part of our daily work," Dickinson said. "We respect customer privacy and take security of customer account and payment information seriously. We take many proactive steps to ensure that customer information is kept safe."

City Light sends at least two written warnings to customers who are about to have their power turned off, asking them to contact the utility directly to make a payment.

City Light also would like to remind customers:

  • Seattle City Light never asks customers over the telephone for credit card information to pay their bills.

  • Seattle City Light does not call customers on weekends.

  • Seattle City Light employees carry identification with the City Light logo and will always display it when asked.

All City Light customers are advised to take down the name and telephone number of anyone who calls and represents themselves as a City Light employee. Also, before customers provide any credit information, they should call City Light at 684-3000 to verify that the request is legitimate. If a customer believes he or she has been contacted by a con artist, they are urged to contact the Seattle Police Department at (206) 625-5011 to report the incident.

April 10, 2007

Craigslist hoax lures people to destroy woman's house

Boing Boing: Craigslist hoax ad leads to destroyed home

This happened in Washington. I couldn't believe it when I heard about it and now it's made it to Boing Boing. Scary.

December 2, 2006

NIST blasts paperless electronic voting

The National Institute of Standards and Technology (NIST) recently published a paper condemning paperless electronic voting machines as insecurable.  I'll have to read the paper in-depth to see how they came to that strong of a conclusion, but I do know that there is no research showing that a purely electronic system can be completely trustworthy.

It's amazing how far this subject has come in just a few years, yet how far it still needs to go as evidenced by the irregularities in the recent 2006 midterm election.

Slashdot | NIST Condemns Paperless Electronic Voting

November 25, 2006

CIA Kryptos Sculpture Has a Typo

It's not really a typo but an X separator that was intentionally left out of the sculpture for aesthetics.  The omission was meant to produce gibberish when decrypted, which would clue the decryptors in to reinsert a separator and try again; instead, the result happened to spell something intelligible rather than garbage, so they thought they had decrypted it properly!
A Break for Code Breakers on a C.I.A. Mystery - New York Times
For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.

Upgrade IE ASAP

A study from a year ago, but just as valid today.  Actually, over the past year IE got much worse: there were many exploits and unpatched holes in the browser.

One of the best things you can do for your Windows security is to upgrade to IE 7.x, which has been redesigned to avoid many classes of attacks.  It is being pushed out by Windows Update (or Microsoft Update).  You can also switch to Firefox or Opera to get better security, but please don't use IE 6.x or older anymore!

Unfortunately, you have to be on Windows XP SP2 or later to run IE 7, so it forces Windows 2000 users to upgrade to XP first.  That is probably also a good thing for security, though.

Schneier on Security: Internet Explorer Sucks

Department of Homeland Pork

Get this:  the list of top terrorist targets from the Department of Homeland Security is seriously braindead.  It includes 1,305 casinos, 234 restaurants, an ice cream parlor, a tackle shop, a flea market, and an Amish popcorn factory; 3,650 sites total.  What's going on?  Pork-barrel politics is what's going on.  We're never going to get security right if we continue to make it a parody of itself.

The worst part is that DHS didn't even try to hide the pork-barreling; the inclusions and omissions are clear and blatant.  Oy.  I reluctantly file this in the security category...

The Seattle Times: Local News: Dept. of Homeland Lunacy

When it comes to homeland security, I give up.

I've tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I've critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I've resorted to that columnist stock-in-trade: mocking and satirizing.

But it turns out nothing I can make up is as ludicrous as what the Department of Homeland Security is actually doing.

How to break a common Master combination lock

Here's a description of how to open a common Master brand combination lock in about 10 minutes.  A weakness in the design collapses the 40^3 (64,000) possible combinations to 121.  It's a physical metaphor for bad cryptography and reliance on obscurity.

I happen to have a lock whose combo I forgot, so this will definitely come in handy... if I can only find the lock...

Airport Security Oversights from The Onion

This was the most troubling one:

Airport Security Oversights | The Onion - America's Finest News Source

Sept. 3, London to New York: A few Muslim people may have slipped through with their dignity

Encrypted Government Announcements


U.S. Cryptographers: 'FrpX-K5jE-Oc4n-e5Dn' | The Onion - America's Finest News Source

WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that "FrpX-K5jE-Oc4n-e5Dn" if "Ha4d-87gH-uiH3-gB5r-g8Bh" late Monday.

November 24, 2006

Competitive information for Picking an Antivirus solution


This is an article from a year ago that showed how quickly each vendor was able to respond to key virus outbreaks.  They also show the data from the previous year.

I personally recommend F-Secure's product.  The base product gives you everything you need for anti-spyware and anti-malware and is inexpensive.  It is not a huge fat pig like some of the products out there (McAfee...).  I've heard from others who like Kaspersky as well, so either of those would be a good choice, and both happen to top this list.

I also personally got rid of McAfee products after a multitude of issues:

1. The product is seriously bloated, and the Security Center product seems geared more toward selling other McAfee products than toward providing normal users with value.
2. Many of the products in the suite are not well integrated.  They often had their own installers and were a real pain to uninstall.
3. Lots of errors that resulted in having to reinstall the product (without there being an easy way to do so).
4. Their website security is horrendous.  My wife forgot her password to their site, so she used their "forgot my password" feature.  Guess what?  They emailed her not a new random password but her _actual password_.  This from a security company!  They either store passwords without encryption or store them with reversible encryption, both of which are seriously bad ideas; McAfee should know better.
5. Their suite product line is very expensive, and the price seems to go up every year.  They have since reworked their product line and it seems to be better now.
6. I read the F-Secure blog and can tell those guys really get security.
7. McAfee was the company with the poor QA that removed critical Office files to "protect" you and also mislabeled a legitimate ISP software program.
8. McAfee products, like Symantec's, have suffered from local privilege escalation vulnerabilities and remote buffer overflows.  Is the cure worse than the disease?
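To make item 4 concrete, here is an added example (my own illustration, not McAfee's or any vendor's code) of what a site that takes passwords seriously can and cannot do.  Only a salted PBKDF2-HMAC-SHA256 digest is kept, so a login still verifies, but a "forgot my password" request can only mint a random, expiring, single-use reset token; there is no stored password to mail back.  The iteration count, token lifetime and class/function names are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example, not McAfee's (or any vendor's) code. A password store that
# keeps only a salted PBKDF2-HMAC-SHA256 digest. Verification still works,
# but a "forgot my password" request can only mint a random, expiring,
# single-use reset token, because the original password is never stored and
# so can never be mailed back. Iteration count and token lifetime are
# assumptions for the demo.

PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}        # user -> (salt, digest)
        self._reset_tokens: Dict[str, Tuple[str, float]] = {}   # token -> (user, expiry)

    def register(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def verify(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            hash_password(password)   # same cost as a real check, so unknown users don't stand out by timing
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def forgot_password(self, user: str, now: Optional[float] = None) -> Optional[str]:
        """What the reset e-mail should carry: a random token, never a password of any kind."""
        if user not in self._users:
            return None   # caller should still answer with a neutral "check your mail" message
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        self._reset_tokens[token] = (user, expiry)
        return token

    def reset_password(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        entry = self._reset_tokens.pop(token, None)   # pop: a token is good exactly once
        if entry is None:
            return False
        user, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self._users[user] = hash_password(new_password)
        return True

    def what_we_hold(self, user: str) -> Dict[str, str]:
        """Everything stored for a user: a salt and a digest, nothing reversible."""
        salt, digest = self._users[user]
        return {"salt": salt.hex(), "pbkdf2_sha256": digest.hex()}


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse")
    token = store.forgot_password("alice")
    print("reset mail would carry:", token)
    print("on disk:", store.what_we_hold("alice"))
```

A site built this way physically cannot reproduce what my wife got in her inbox; if a vendor mails you your own password, they are holding it in the clear or under a key they can turn, and you should assume anyone who gets their database gets your password.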

Ranking Response Times for Anti-Virus Programs - Security Fix

Four Challenges for Computer Security Research

I would add a 5th item:

5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design

Tools are sexy; secure design is hard.  That's why you see so many tools and vendors hawking tools, but not nearly as much design work.  I hear from people all the time who talk about this tool, or pen testing, or scanning some server, or how you need to hack your wireless network to be secure.  That is a bunch of crap in general, because trying to audit your way to security is bottom-up, grass-roots, and can only get you so far.  It's an early maturity model to be spending so much time and energy on audits and pen tests instead of on security design reviews and developing security architectures.  It's a lot easier and sexier to say you hacked a wireless network.  We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don't care who is connected to the wireless network, because your security is not so brittle that you lose sleep over it.  Where are those reusable models, made open source?

As for item #3, I don't believe there can be "quantitative" security risk management.  The biggest problem is that there is not enough good data on which to base future risk (try this:  how do you quantify the risk of brand damage due to event X?).

Item #4 is very important; it speaks to ensuring that security systems are usable.

CRA (Computing Research Association) Grand Research Challenges

Four Grand Challenges in Trustworthy Computing:

1. Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years;
2. Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
3. Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade;
4. Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.

Ballot Design, not DRE issues at play in FL undervote anomalies?

It is hard to believe that such a blatant undervote error could be attributable solely to the DRE itself not properly recording votes.  But user interface designs can certainly be abused, maliciously or, more likely, unintentionally, to create these situations.  How ironic that the DREs touted to Help America Vote are actually helping voters undervote, due to poor design and implementation of the ballots.

Proper UI is just as important as sound underlying technology in ensuring proper understanding and usability of a system.  Recall "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0" and the more recent "Why Johnny Still Can't Encrypt: Evaluating the Usability of Email Encryption Software" for how even known-secure software can lead to insecure and unintended actions by the user.  The infamous butterfly ballots were not DRE-based, but they certainly were flawed UI that caused voting errors in a previous election, so this is by no means a new issue for software or for voting.

This is a perfect example, though, of how using DREs to generate human- and machine-readable (voter-verifiable) receipts could let voters detect their undervotes before they drop the ballot into the box.  There could even be very blatant warnings on the receipt and on the screen that they didn't vote in X of the races, to help prevent unintentional undervotes.  Did these companies do any focus-group testing of the DREs?

FL-13: More Evidence of Ballot Design Issues - TalkLeft: The Politics Of Crime

...Bev Harris and the Jennings campaign want you to think otherwise. They want to point away from their mistakes. But the real problem was the design...

October 12, 2006

VirusTotal: Free site to check malware and AV solution efficacy

Aviv Raff On .NET - VML Exploit vs. AV/IPS/IDS signatures

Article showing how VirusTotal revealed how easy it can be to create "variants" that go undetected by most anti-virus products.  The VirusTotal website could be a valuable resource.

September 25, 2006

TSA Insecurity: An economist's perspective

Freakonomics Blog: An airplane announcement I’ve been waiting for

if I were a terrorist, don’t you think that I could figure out how to take the top off a bottle of contact lens solution and put my explosive liquids in there? It is totally pointless to enforce rules which impose costs on innocent people, but are easily circumvented by terrorists. Can anyone think this is accomplishing anything productive?

September 14, 2006

Diebold voting systems hacked AGAIN

The BRAD BLOG : HACKED: VIRUS IMPLANTED, SPREAD ON DIEBOLD TOUCH-SCREEN VOTING MACHINE!

Researchers at Princeton, including Ed Felten, have been able to implant malicious code on a Diebold touch-screen voting machine and demonstrated that it could flip election results.  They have a video of them doing this as well.

The company's response is typically clueless (as is their security).  I wonder if the nice Diebold ATMs in use at banks such as USBank are anywhere near as vulnerable?

July 31, 2006

Diebold: A Danger to America

The Open Voting Foundation

“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

Makes you wonder how secure those ATMs made by Diebold are (USBank uses them, I know).

July 26, 2006

MySpace infects YourPC

Schneier on Security: Hacked MySpace Server Infects a Million Computers with Malware

A malicious banner ad exploits an unpatched IE hole (there are many, and more all the time).  You have switched to Firefox, Opera, Konqueror, or anything other than IE, right?

SeaSec security forum

Just found out about an informal security group that meets in Seattle.  I've often seen a need for interaction with security professionals between the monthly Agora and ISSA meetings (and I'm on the ISSA Puget Sound board).  Where organizations don't meet needs, they often spring up on their own.  Once my dance lessons at Century Ballroom are over, I'll be able to attend these on Wednesdays.

Why?  Agora and ISSA are too formal.  This is just a chance to hang out with local security professionals and get to know each other.

July 9, 2006

Why SSL alone will not solve the phishing problem

SSL-authenticated login pages certainly don't _solve_ the phishing problem, since phishing is partly psychological/sociological and uses technology only as a means of improving the odds of hacking the human psyche.  So a purely technological fix is unlikely, prima facie, to address the root issues.

But, the SSL change can help in a couple of key ways:

  1. Rather than give customers zero tools to protect themselves, we can give them at least the best tool out there so far for authenticating our site, and therefore let them make an informed decision.
  2. Rather than continuing to train users to "trust page contents" (i.e. the lock image and our feeble assurances on the "Why this is secure" page), we can retrain them to use reliable measures that are not as subject to spoofing.

That is not to say that SSL does not have its problems:

  1. Who made the trust decision to put the 50-100 CA certs in the browser?  Why should the user trust those introducers?  How do we know that those issuers won't screw up (like Equifax/GeoTrust did recently by automatically issuing a domain-validated cert for a name very similar to a real bank's: http://jordy.gundy.org/?p=49)?
  2. The UI is horrible for security.  The lock is too small, and it is too easy for the "Simon says" problem to bite you, since you don't notice when it isn't there.  Some changes, such as coloring the browser address bar based on the encryption status, will help, but Firefox and IE7 use different color schemes for the same semantics...
  3. There are usability issues with the UI.  Everybody (even me) turns off the warning dialogs about submitting unencrypted form posts.  That kind of annoy-the-user-into-submission security fails the psychological acceptability test, and it doesn't work anyhow, because you should generally protect the user where it counts, not warn and hope they do the right thing.
  4. The phishing problem is one of identity continuity.  It's not important that an SSL certificate matches the domain, since that does not help during the initial introduction to a site.  What you really should be protecting users from is a discontinuity in a known relationship, in the digital sense; that discontinuity is what signals a phishing attack.  The analogy is SSH known_hosts.  On the initial introduction, you choose to trust the server, since the likelihood that you are being MITM attacked at that moment is infinitesimal.  But if you are later MITM attacked, SSH will scream loudly and not let you connect.  That is what browsers should do, although with the UI cleaned up a bit for the unwashed masses.  The MITM issue is one of discontinuity.  So SSL in the current sense solves the wrong problem, because browsers have no means of managing site continuity information.  They should.  Some schemes, such as TrustBar and petnames, use friendly site logos or names to help users detect continuity problems, but their UIs are too easy to ignore when there is a problem.  The user should actually be stopped from proceeding.
And so on. That's just off the top of my head.
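To show what item 4's known_hosts analogy looks like in code, here is an added example; it is my own illustration, not code from any browser, TrustBar or petnames project.  The first contact with a host pins the SHA-256 fingerprint of the certificate it presented; any later contact that presents a different certificate for the same host is a discontinuity and is refused outright rather than hidden behind a dismissable warning.  The verdict names, the JSON file layout and the stand-in certificate bytes are assumptions of the example.  Note the limit, which is the same one the post draws: this catches the MITM case, where a known host suddenly shows a new certificate; a look-alike domain is a different host name and needs the petname approach.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, Optional

# Added example, not from the original post and not any browser's code: a
# known_hosts-style continuity store for TLS. First contact with a host pins
# the SHA-256 fingerprint of the certificate it presented; a later contact
# that presents a different certificate is a discontinuity and is refused.
# Verdict names, the JSON layout and the sample certificate bytes are
# assumptions of this example.

FIRST_SEEN = "first-seen"   # trust on first use, pin it
MATCH = "match"             # same certificate as before, proceed
MISMATCH = "MISMATCH"       # different certificate for a known host: stop


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


class KnownSites:
    def __init__(self, path: Optional[str] = None) -> None:
        self.path = Path(path) if path else None
        self.pins: Dict[str, str] = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=1, sort_keys=True))

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self._save()
            return FIRST_SEEN
        if pinned == fp:
            return MATCH
        return MISMATCH   # deliberately NOT updating the pin; only forget() may do that

    def forget(self, host: str) -> None:
        """The one escape hatch: an explicit user action, never an automatic 'accept new cert'."""
        self.pins.pop(host, None)
        self._save()


def may_proceed(host: str, cert_der: bytes, store: KnownSites) -> bool:
    """The hard stop the post asks for: a mismatch is a refused connection, not a warning."""
    return store.check(host, cert_der) != MISMATCH


def live_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate a real server presents; not used by the offline demo."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates; the check only hashes the bytes.
BANK_CERT = b"constructed-der: CN=bank.example, issuer=Some CA, serial=1"
MITM_CERT = b"constructed-der: CN=bank.example, issuer=Other CA, serial=9"

if __name__ == "__main__":
    sites = KnownSites()
    print(sites.check("bank.example", BANK_CERT))   # first-seen
    print(sites.check("bank.example", BANK_CERT))   # match
    print(sites.check("bank.example", MITM_CERT))   # MISMATCH
```

Two design points carry the argument: a mismatch never silently replaces the pin (that would turn the check back into "warn and hope"), and the only way past it is an explicit forget(), which is the user consciously accepting that the relationship has changed.  Legitimate certificate rotation would trip this too, exactly as an SSH host re-key does, so a deployable version would need to pin something more stable than the leaf certificate; the continuity decision itself does not change.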

AJAX security basics

AJAX security is no different from normal web application security, except that AJAX can add lots of complexity to a site and make black-box auditing much more difficult.

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj@greebo.net]
Sent: Tuesday, June 20, 2006 4:43 AM
To: Webappsec (E-mail)
Subject: Fwd: SF new article announcement: Ajax security basics

This was posted to SecurityFocus.com yesterday.

Their article is eerily similar to my Ajax presentation from February (particularly if you've seen me give the presentation), and even more similar to the draft Ajax chapter I wrote shortly after for the OWASP Guide (now posted to our Wiki - http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Interface_Technologies). Hmmmm. As the saying goes, this is the best form of flattery. I suppose.

If you haven't had a chance to read up on Ajax security, their article is a start... as is my presentation (http://www.greebo.net/?page_id=329) and the draft chapter in the OWASP Guide 3.0 current.

thanks,
Andrew

Begin forwarded message:

> > Ajax security basics
> > By Jaswinder S. Hayre, and Jayasankar Kelath
> > 2006-06-19
> >
> > The purpose of this article is to introduce some of the security
> > implications with modern Ajax web technologies. Though Ajax
> > applications can be more difficult to test, security professionals
> > already have most of relevant approaches and tools needed.
> >
> > http://www.securityfocus.com/infocus/1868

PHP Security: Top 5 from OWASP

OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project.

The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world's most popular web application framework.

In 2005, OWASP collaborated with SANS to research and write a completely new PHP section for their successful SANS Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors.

OWASP PHP Top 5

http://www.owasp.org/index.php/PHP_Top_5

OWASP PHP Project

http://www.owasp.org/index.php/Category:OWASP_PHP_Project

Airline security

A Dangerous Loophole in Airport Security - If Slate could discover it, the terrorists will too. By Andy Bowers

More security window-dressing... More reason that ID checks and the watch list are BS security.

The Phantom "Cyber" terrorism?

[IP] Govt Comp.News - Assessing "cyberterror" - couldn't find any!

> I've been working on the issue of how to build secure public networks for about 7 years. I started out as a military analyst and I wanted to put the cyber terror/cyber war issue in a larger strategic context. About a year ago, I started looking for examples of cyber-terrorism, where hackers had shut down critical infrastructures. I was surprised to discover that I couldn't find any, so I began to look more closely at the hypothetical scenarios involving cyber war. Most of them turned out to be implausible from a military or national security perspective. Hence the report.

Security Career Guide at ISC^2: sponsored by Microsoft

[infowarrior] Microsoft sponsors security career guide (Richard Forno, Fri, 08 Jul 2005 22:39:04 -0700)

Microsoft sponsors security career guide
http://news.com.com/2060-10789_3-0.html?tag=nefd.bl

A nonprofit organization with help from Microsoft has created a "career guide" to spark interest for the information security profession among high school and college students.

The guide was distributed last month to more than 3,500 school counselors, administrators and educators at education conferences and has been made available online, the International Information Systems Security Certification Consortium, or (ISC)2, said this week.

Microsoft sponsored the 35-page guide, which is titled "Decoding the Information Security Profession." The booklet offers a description of information security, typical jobs, titles, industries and organizations, professional requirements, certification options, typical salaries, career outlook, and a listing of schools, education facilities, certification companies and other resources and associations.

The guide can be found at:
https://www.isc2.org/careerguide/

PKI considered harmful

Next time someone at your company says "we can't do encryption until we get a PKI", refer to this essay and collection of references.

I'll need to put together a related one to address the "we can't do encryption until we get a key management solution" argument.

SSH Filesystem

This is a filesystem client based on the SSH File Transfer Protocol. Since most SSH servers already support this protocol, it is very easy to set up: on the server side there's nothing to do. On the client side, mounting the filesystem is as easy as logging into the server with ssh.

Something to investigate...

Asinine terrorist-detection at Western Union

Western Union blocks Arab cash deliveries - Yahoo! News

DUBAI, United Arab Emirates - Money transfer agencies have delayed or blocked thousands of cash deliveries on suspicion of terrorist connections simply because senders or recipients have names like Mohammed or Ahmed, company officials said.

In one example, an Indian driver here said Western Union prevented him from sending $120 to a friend at home last month because the recipient's name was Mohammed.

Hard to believe it could be possible, but this is even more stupid than the TSA's Secure Flight program (also a miserable failure).

Sprint Wireless security SNAFU

cryocone: Identity leak with Sprint wireless

Someone, in their infinite wisdom at Sprint, set up an IVR (intended for internal care reps to do identity verification) that anyone can call to get a customer's CPNI/PII simply by keying in their Sprint wireless phone number.

Really convenient for Sprint employees and the public -- and really stupid on all counts.

AT&T Usurps Customer Records

Time to switch your phone company.  AT&T rewrote its privacy policy to basically say that your data is theirs and they will do with it as they please.  Some legal maneuvering to allow them to continue to sell those records to the NSA to spy on you.  All Cingular customers should now be wary, since AT&T will own them once the acquisition is complete.

But I guess, what do you expect when we live in a country that doesn't explicitly grant privacy protections like the EU and where privacy is routinely tromped on by companies and the government for their own ends? And when the US public has been trained that this is okay?

http://www.networkingpipeline.com/showArticle.jhtml?articleID=189600470

The most disturbing revelation came on June 30, 2006, when it was reported that the NSA allegedly sought U.S. call records 7 months before 9/11.  This is a perfect example of the danger of unchecked governmental power and of unrestrained trust that government will not abuse the power given to it or taken by it (as in the Bush Administration).

June 25, 2006

Identity Theft -- Still the Victim's Problem

NPR, All Things Considered, 12-5-2002, 4pm.

"Businesses are so interested in extending credit..." that they just write off the losses.  ID theft has not hit businesses economically yet, since that cost is borne by the victims, so they have no incentive to fix these problems.  The disclosure laws have given them an incentive to fix these problems, but instead they seem to be incenting companies to water down the proposed federal legislation, which would neuter the positive effect the disclosure laws are having in creating a market incentive to fix the problems (though from the myriad reports still coming out every week about more data lost, you wonder what the heck some CISOs are doing).

Also, this story discusses a report that most ID theft is done by insiders. You do include insider attacks in your threat models, don't you? Kill the fortress mentality!

The Iraq hoax that just won't die

SecurityFocus HOME Columnists: Iraqi Cyberwar: an Ageless Joke

This is an OLD story, so I hope that it is dead by now.  But it's a perfect example of the lack of fact-checking that goes on so much in the media.

Artists and Consumers get screwed by the music industry

Passionate condemnation of the music industry:

[IP] MUST READ Courtney Love does the math The controversial singertak

[IP] last on this topic -- Does File Trading Fund Terrorism? Successful artists not seeing any profit.

http://www.marketplace.org/play/audio.php?media=/2003/03/12_mpp&start=00:00:20:00.0&end=00:00:27:30.0

[IP] 2 more on Does File Trading Fund Terrorism?

And to round this out, a great interview with John Perry Barlow on the evils of Digital Restriction Management Wrapped up in Crypto Bottles

And to draw in a security angle to all of this:

Security Blog

Sony rootkit debacle highlights the failure of the security technology industry:  the real story, as Bruce Schneier points out, is why the hell didn't any antivirus software (or IDS, for that matter) detect this software sooner?  Is corporate malware going to continue to be default-allow for these products?  We are collectively paying these companies billions of dollars for what?

Visa prohibits display of card numbers on receipts

[IP] I will start using my Visa card more

Wow, this blog entry is old.  But remember when every receipt had the full card number on it?  And remember when Starbucks would mask out everything _except_ the last four digits, so that you could get the full card number with just two receipts?

I still find that the business's copy of the receipt often has the full card number on it, with only my copy masked.  But I don't much care, except when it comes to my debit card receipts, since US law does not cover debit cards as fully as credit cards.
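As an added example of the two-receipts problem (my own illustration, not from the original post or from any card brand's rules), the code below overlays a receipt that masks all but the last four digits with one that masks only the last four, which is the complementary pair assumed here, and runs a Luhn check so the attacker knows the recombined digits really are a valid card number.  The receipt lines are constructed, and the card number is the well-known 4111... test number, not anyone's real card.  mask_pan() is the masking every copy, the customer's and the merchant's, should get.

```python
import re
from typing import Optional

# Added example, not from the original post: two receipts masked in
# complementary ways add up to the full PAN, and Luhn confirms the result.
# Receipt lines are constructed; 4111 1111 1111 1111 is a standard test
# number, not a real card.

CARD_FIELD = re.compile(r"(?:[0-9*X]{4}[ -]?){3}[0-9*X]{4}")


def mask_pan(pan: str, show_last: int = 4) -> str:
    """The masking every receipt copy should carry: only the last four digits survive."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - show_last) + digits[-show_last:]


def luhn_valid(digits: str) -> bool:
    """Luhn check as used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_field(receipt_line: str) -> Optional[str]:
    """Pull the (possibly masked) card number out of a receipt line, spaces and dashes removed."""
    m = CARD_FIELD.search(receipt_line)
    return re.sub(r"[ -]", "", m.group(0)) if m else None


def recombine(receipt_a: str, receipt_b: str) -> Optional[str]:
    """Overlay two masked copies of the same card; a digit on either side wins.
    Returns the full PAN only when every position is revealed by at least one copy."""
    a, b = card_field(receipt_a), card_field(receipt_b)
    if a is None or b is None or len(a) != len(b):
        return None
    merged = []
    for x, y in zip(a, b):
        if x.isdigit() and y.isdigit() and x != y:
            return None          # two different cards, nothing to learn
        merged.append(x if x.isdigit() else y)
    pan = "".join(merged)
    return pan if pan.isdigit() else None


# Constructed receipts for the same (test) card, masked two different ways.
COFFEE_SHOP_COPY = "VISA  **** **** **** 1111   $3.85"
MERCHANT_COPY = "VISA  4111 1111 1111 ****   $42.10"

if __name__ == "__main__":
    pan = recombine(COFFEE_SHOP_COPY, MERCHANT_COPY)
    print("recovered:", pan, "luhn ok:", luhn_valid(pan) if pan else None)
    print("consistent masking:", recombine(mask_pan(pan), mask_pan(pan)))
```

The last line of the demo is the point: when both copies mask the same positions, the overlay learns nothing, which is why the masking rule has to be the same on every copy the merchant prints, not just the one handed to the customer.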

Tales from the RFID Hacking Underground

Wired 14.05: The RFID Hacking Underground

Follow-along to the article on building your own RFID skimmer

More black marks for DHS

Think Progress: Homeland Insecurity.

Have you taken your security pills?

The other day, I made what I think is a very apt analogy comparing