Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


March 30, 2008
Airport Security & Macbook Air

Going through airport security? You might want to be prepared for a few extra questions and a slightly longer inspection if you own the ultra-thin MacBook Air. Apparently, its unusual physical dimensions are something TSA inspectors might be unaccustomed to. Further, when it's run through the scanner, it doesn't look quite the same as many other laptops, perhaps because of its solid state drive and other cutting-edge components.

Bob, a TSA employee since 2002, explains this on the Evolution of Security blog.

Posted by andreyee in Odds and Ends | Permalink | Comments (0) | TrackBacks (0)

December 04, 2007
Privacy Problems with Social Networks

Social networks like Facebook and MySpace continue to face security and privacy related issues as their functional capabilities expand and social interactions within the community become more complex. Here are a couple of examples.

First up, Facebook. It recently acknowledged that a new functional capability called Beacon continues to track user activity long after users have logged off the site, even when users have elected not to display their activities to their Facebook friends. Beacon is part of the Facebook Ads platform that tracks user activities on Facebook partner sites like Blockbuster and reports those activities to the "friends" of the Facebook account. Account holders may choose not to have those activities reported, but it appears that even in that case the activities are tracked and stored in some Facebook database. As you can imagine, privacy advocates are up in arms. You can read more about this case, if you're interested.

You can assume that these privacy issues will not go away and will continue to plague Facebook and other social networks. Sometimes the problem is less about guarding privacy than about the abuse of trust within the social network. Here's a chilling story about how a MySpace teen took her own life because of a cruel prank perpetrated by adult neighbors.

Perhaps the issue is that guarding privacy and protecting social network subscribers are at odds with each other. To some extent, that's how it works in real life...we yield some privacy to trusted authorities - banks, hospitals, law enforcement, the state...to gain protective services of one kind or another.

However, striking this balance in the cyberworld may not be so easy.


Posted by andreyee in Odds and Ends, Privacy/Information Theft, Web 2.0 | Permalink | Comments (0) | TrackBacks (0)

October 17, 2007
Ann Coulter Hacked

First, it was Paris Hilton's cell phone. Then some mischievous hacker compromised Carrie Underwood's MySpace account. Now Ann Coulter, the controversial conservative talking head, joins a growing list of celebrities, including Madonna, who have been "victimized" by hackers.

Apparently, hackers have cracked Ann Coulter's website and posted a fake message offering apologies for her recent comments and announcing her retirement as a media talking head. Here's the fake message -

An Open Letter to Readers by Ann Coulter October 15, 2007

Dear Readers,

I've been participating in a charade for nearly eleven years, now. Quite frankly, I'm sick of it. You have all been a part of a sick joke that I began considering shortly after first getting on the air. At first, it was quite interesting to see how people would react when I would use twisted logic and poorly masked bigotry.

But eleven years is a long time to be living a fake life, and I can no longer tolerate this falsity. Even someone as fake as I tires out eventually.

Here's the truth, I don't care what people believe. Jews don't need to be "made perfect" as I so arrogantly proclaimed to Editor & Publisher not a half week ago. I don't even care if people are Muslim. Granted, I don't know much about the religion or the people, but they are people. This is something that we cannot forget, they are in an abhorrent situation. These people are in need of education. Perhaps if we did not participate in causing them misery, they would not hate us so.

In fact, does it really matter whether we are Christian, Jewish, Muslim, Atheist, or even Pagan? We are one nation. One. We should not let petty differences separate us, we are all American, and should act in that manner.

And with that, my precious viewers, I bid you adieu. My career as a media figurehead is over.

Signed,

Ann Coulter

P.S. - Oh, and Bill O'Reilly is also just acting.

[From the hackers:] Haha, did it again. Oh, those silly web admins...they just embarrass themselves.

(Admins, check for an e-mail address in the CMS. Find it. I know you will.)

It's tough being a celebrity these days. Never mind the paparazzi, now hackers are out to get you.


May 22, 2007
Staples to Start Recycling Program

What to do with old computers, printers, etc.? If you're like me, you have a number of computers and peripherals sitting in your garage. Finally, a company has caught on to the opportunity to make a profit while helping the environment.

Staples is starting a program to recycle old computer equipment. It's relatively inexpensive ($10/item) and it's an expansion of their existing recycling program for cell phones. Here's the press release.

Before you jump in your car and head over to your local Staples with your old laptop circa 1998, remember a couple of things. First, check whether your local Staples offers this service, because it's not rolled out nationwide. Second, remember to boot up the machine and wipe your hard drive. If you don't, you just might expose proprietary or personal information that you'd prefer to keep private.


April 27, 2007
Should the Security Industry Exist?

Security expert Bruce Schneier says - no! Schneier was speaking at InfoSec Europe this week when he voiced his opinion that the very existence of the security industry is not a good thing. Here's what he said in his keynote -

"The fact this show even exists is a problem. You should not have to come to this show ever. We shouldn't have to come and find a company to secure our email. Email should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure."

You can read a report on what he said here.

His point actually makes sense at some level - security isn't a separate, bolt-on capability. The security industry has developed because of a really big security problem. Yet security should really be part of any operating environment or, perhaps more accurately stated, every operating environment should be inherently secure.

Of course, some may view that as a utopian viewpoint, but in fact we are moving toward that point. I'm not suggesting that security products will go away anytime soon, but the fact that security is now mainstream means that it will eventually be embedded into the fabric of the network and operating system.


April 18, 2007
Homeland Security Improves Cyber-Security Grade

Feel any safer, at least on the cyber security front? Well, the Department of Homeland Security scored its first-ever non-failing grade on cyber-security. Not that it's anything to write home about. DHS, which had received an F for cyber-security, improved to a staggering D in this year's report from the U.S. House of Representatives Committee on Government Oversight.

There were overall signs of optimism as a number of departments improved. At the head of the class were the DOJ, improving from D to A, and HUD, going from D+ the prior year to A+. Unfortunately, NASA's score went down (B- to D-) while the Department of Education received an F.

These scores are predicated on agency compliance with the federal law known as the Federal Information Security Management Act of 2002 (FISMA). FISMA established a broad framework of requirements related to establishing information security programs, security product certification and training.

In my opinion, FISMA isn't necessarily the best indicator of security compliance. I think that it has become a little unwieldy and ill-defined when applied to security product certification. But it's certainly one indicator, and the fact that some agencies have declined in their security score makes you wonder whether they are taking it seriously enough.

Unfortunately, there is little consequence except the public embarrassment that accompanies a low score.


April 03, 2007
The OLPC Security Model - Why We Should Care.

The One Laptop Per Child (OLPC) project is one of the more socially redeeming initiatives from the high tech industry. If you're not familiar with it, OLPC is a non-profit initiative to provide laptops to children in the developing world. It's not a new initiative by any means, but since 2005 it has gained significant momentum around its immediate goal to create and deliver a $100 laptop to the children of developing nations. It has gained support from industry luminaries like AMD's CEO Hector Ruiz.

Now what does this have to do with security? As you might imagine, potentially placing inexpensive laptops in the hands of hundreds of millions of children and then protecting them from all kinds of malware might pose a significant challenge. Students need to be able to download and use software as needed but be free from the threat of viruses, worms and Trojans.

Ivan Krstić, Director of Security for OLPC, has developed a security model called BitFrost that is very interesting and highly workable. He released the security model at the RSA Data Security Conference earlier this year. The premise of the security model is that programs should execute with a minimal, necessary set of privileges rather than the default privileges of the user who launched them. As an example, this means that the built-in calculator program in Windows should not be able to access the Internet or delete files. Instead of taking the traditional security approach of "looking for the bad stuff and eliminating it", BitFrost constrains the privileges of any application to the minimal set necessary for its basic operation, essentially creating a safe sandbox in which to operate.

This approach is by no means unique to BitFrost but I believe it's a key step toward safer operating environments. Let's hope this innovative approach isn't just limited to students in developing countries but will find its way to laptops running Windows in corporate America as well.
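To make the contrast concrete, here is an added example (not OLPC's code, and the privilege names, programs and manifests are hypothetical, not BitFrost's real specification): a tiny reference monitor that grants each program only what its install-time manifest declares, next to the ambient model where every program inherits all of the user's rights.

```python
"""Least-privilege reference monitor in the spirit of the BitFrost idea.
Added illustration with hypothetical privilege names; not OLPC's code."""
from enum import Flag, auto


class Priv(Flag):
    """Hypothetical privilege bits a program may be granted at install time."""
    NONE = 0
    NETWORK = auto()          # open outbound connections
    DOCUMENT_READ = auto()    # read files the user opens in the program
    DOCUMENT_WRITE = auto()   # create or modify such files
    DOCUMENT_DELETE = auto()  # remove files


# Privilege each requestable operation needs (constructed mapping).
REQUIRED = {
    "connect": Priv.NETWORK,
    "read_file": Priv.DOCUMENT_READ,
    "write_file": Priv.DOCUMENT_WRITE,
    "delete_file": Priv.DOCUMENT_DELETE,
}

# Install-time manifests (constructed). The calculator declares nothing,
# so it can neither reach the Internet nor delete files, as in the post.
MANIFESTS = {
    "calculator": Priv.NONE,
    "text_editor": Priv.DOCUMENT_READ | Priv.DOCUMENT_WRITE,
    "web_browser": Priv.NETWORK | Priv.DOCUMENT_WRITE,
}

# Ambient model for contrast: whatever the user can do, every program can do.
USER_RIGHTS = (Priv.NETWORK | Priv.DOCUMENT_READ
               | Priv.DOCUMENT_WRITE | Priv.DOCUMENT_DELETE)


def ambient_check(op):
    """Traditional model: any program run by the user gets the user's rights."""
    needed = REQUIRED.get(op)
    return needed is not None and (needed & USER_RIGHTS) == needed


class Monitor:
    """Mediates every operation against the requesting program's manifest."""

    def __init__(self, manifests):
        self.manifests = manifests
        self.audit = []  # (program, op, allowed), useful for later review

    def check(self, program, op):
        """Default deny: unknown programs and unknown operations get nothing."""
        needed = REQUIRED.get(op)
        granted = self.manifests.get(program, Priv.NONE)
        allowed = needed is not None and (needed & granted) == needed
        self.audit.append((program, op, allowed))
        return allowed


if __name__ == "__main__":
    mon = Monitor(MANIFESTS)
    for prog, op in [("calculator", "connect"), ("calculator", "delete_file"),
                     ("text_editor", "write_file"), ("web_browser", "connect")]:
        print(f"{prog:12s} {op:12s} ambient={ambient_check(op)!s:5s} "
              f"manifest={mon.check(prog, op)}")
```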


February 22, 2007
Spam - The Four Letter Word Everyone Hates

Here's an interesting development in the war against spamming. Apparently, it is now becoming libelous to label someone a spammer. In his article, Don't Call It Spam, Forbes' Andy Greenberg reports on how labeling an email mass marketer a spammer can land you in court. Here's a snippet of what he writes about this -

"When the Spamhaus Project, an organization devoted to cataloguing the Internet's most prolific spammers, placed marketer e360insight on a spammer "blacklist" in November 2003, the result was a $25 million lawsuit. E360insight founder David Linhardt says his Wheeling, Ill.-based marketing [firm] should never have been on Spamhaus' Registry of Known Spamming Operations...since his company landed on Spamhaus' list, it has been blocked from 4 million e-mail accounts, and has lost more than $3 million in revenue."

Linhardt sued last year and won a judgment for $11.7M, but Spamhaus, located in the UK, has refused to pay. This kind of case may be unusual, but I don't think we've heard the last of them...I'm quite sure disputes like this will continue to arise.

Part of the problem stems from a lack of a legal definition for spam. What is spam? If it's simply unwanted, unsolicited emails, there are many legitimate companies that fall into that category when all they are doing is simply marketing.

The notion of an opt-in list helps but isn't really an effective or fair solution. I hate spam as much as the next guy, but I also have the perspective of running a small business and using email marketing campaigns to promote a company webcast or new program. We mailed only to a list that had opted in, but we were at times still accused of spamming by service providers. All it takes is one complaint from a recipient on an opt-in list of thousands. Sometimes the person who opted in on behalf of the company had since departed...other times, the person who opted in forgot that he had done so. We always got it cleared up with the ISPs, but it was a hassle.

This is an interesting development because overall, from an end user's perspective, I think most ISPs appear to have gotten a decent handle on spam, unlike 2-3 years ago. To do so, besides using anti-spam technology, they needed to adopt a strict stance against anything that looked or smelled like spam. But in the process, have legitimate companies been hurt? Or is this just the price you pay for the good of the entire Internet ecosystem?


November 07, 2006
Potential Problems with e-Voting

Even as you're out participating in the democratic process today, you should probably know that many security experts have been voicing concern about the use of e-voting. In particular, they are concerned about the trustworthiness of the e-voting systems. Recently, these experts called on the Election Assistance Commission (EAC) to review and revise the e-voting security guidelines and processes.

In response, Paul DeGregorio, chairman of the EAC, has opined that the concerns voiced by security experts are actually hurting the electoral process rather than helping it. He says -

"Is there any proof that a voting system has successfully been hacked during an election? No... Can the hype over hacking discourage voters from participating in our elections? It certainly can."

Mr. DeGregorio may be right, but others are concerned with protecting the integrity of e-voting before any compromise or tampering occurs.

A Princeton paper released a couple of months ago found the Diebold e-voting machines vulnerable to malware and voter fraud. This has led to widespread concern about the overall security and robustness of e-voting machines.

The Electronic Frontier Foundation argues convincingly for a paper trail in order to maintain auditability and provide confirmation to the voter that the votes were registered as intended. On their website, the EFF makes the following case -

"Twenty-three states still do not require a paper record of all votes, despite the demonstrated technical failures of e-voting machines in the 2004 presidential election -- including the complete loss of thousands of votes. In turn, voters cannot verify that the e-voting machines are recording their votes as intended, and election officials cannot conduct recounts."

Not federally mandating a paper trail befuddles me...it seems like a simple enough solution with important ramifications. It's amazing that we can get paper verification of how much gas we've purchased but not of who we've voted for.


October 26, 2006
Dueling Malware

An interesting development in the realm of malware is the battle for exclusive control of the infected host. In recent years, we've seen how certain trojans and worms eliminate competing malware even while infecting the host with their own malicious code. Here are a couple of examples -

The W32/Nachi worm would target hosts vulnerable to the W32/Lovesan (Blaster) worm. In the process, it would eliminate the Blaster worm and even go as far as downloading the patch from the Microsoft site, protecting the host from further infection via the MS03-026 vulnerability. Later variants of Nachi, such as W32/Nachi.worm.b, would also eliminate competing viruses and worms.

Now Joe Stewart of SecureWorks writes about the Spamthru trojan, which serves up spam from an infected host. It appears that Spamthru does not play nice with other spamming trojans, leveraging Kaspersky Antivirus to eliminate other malware on the system while leaving its own in place. Here's how Joe describes what Spamthru does -

"SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot."

Of course, Spamthru also does bad things like acting as a proxy for spammers, as well as serving up obfuscated spam using GIF randomization techniques.

It cannot be a good sign when malware like trojans, worms and spam/spyware engines have to compete for hosts. Do you think we have a serious problem?


October 03, 2006
Clickprinting - The End of Anonymity on the Web?

Surfing the web has always provided the individual with the cloak of anonymity. To paraphrase a popular commercial - "whatever is done on the web, stays on the web"...until now.

There are a number of emerging technologies that threaten to render anonymous web surfing a thing of the past. Clickprinting is one such technology. In a recent article in The Guardian, a clickprint is described as "a unique pattern of web surfing behavior based on actions such as the number of pages viewed per session, the number of minutes spent on each page, the time or day of the week the page is visited, and so on".

Professor Balaji Padmanabhan (Wharton School at the University of Pennsylvania) and Professor Catherine Yang (Graduate School of Management at the University of California, Davis) assert that over a number of sessions, it is possible to distinguish patterns of web surfing that can uniquely identify a particular individual.

"Our main finding is that even trivial features in an internet session can distinguish users," Padmanabhan told the Wharton Review. "People do seem to have individual browsing behaviors." The duo found that anywhere from three to 16 sessions are needed to identify an individual's clickprint.

"The paper is really a proof of concept that behavior and minimal information can be used to identify users," says Yang. In one example, they found that from just seven aggregated sessions they could distinguish between two different surfers with a confidence of 86.7%. Given 51 sessions, the confidence level rose to 99.4%.

Why the interest in this technology? It is anticipated that clickprinting can help eCommerce companies reduce the probability of fraud by identifying inconsistent user behavior. The notion is that even if someone gained access to your login information, their behavior may give them away and hence alert the eCommerce company to a possible fraud in progress. I'm not sure it'll work that well in practice, but clickprinting is certainly worthy of note.
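As an added example (not from the original post and not the Padmanabhan/Yang method), here is a simplified clickprint matcher over constructed session data: it builds a per-user profile from the features the article names (pages per session, minutes per page, hour of day, weekday), matches an aggregated batch of sessions against the profiles, and applies the fraud use case from the paragraph above by flagging sessions on an account that fit a different user's clickprint better than the owner's.

```python
"""Simplified clickprint matching over constructed session data.
Added illustration; not the Padmanabhan/Yang method or code."""
from statistics import mean, pstdev

# Constructed session log: (user, pages_viewed, minutes_in_session, hour, weekday).
# "alice" reads a few pages slowly in the evening; "bob" skims many pages in the morning.
SESSIONS = [
    ("alice", 4, 28, 21, 1), ("alice", 3, 24, 22, 3), ("alice", 5, 35, 20, 5),
    ("alice", 4, 30, 21, 0), ("alice", 2, 16, 23, 6), ("alice", 5, 33, 21, 2),
    ("bob", 14, 9, 8, 1), ("bob", 18, 11, 9, 2), ("bob", 12, 7, 8, 4),
    ("bob", 16, 10, 7, 3), ("bob", 20, 12, 9, 1), ("bob", 15, 9, 8, 5),
]


def features(session):
    """Feature vector named in the article: pages/session, minutes/page, hour, weekday."""
    _, pages, minutes, hour, weekday = session
    return (pages, minutes / pages, hour, weekday)


def build_profiles(sessions):
    """Per-user mean and spread of each feature (spread floored to avoid division by 0)."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s[0], []).append(features(s))
    profiles = {}
    for user, vecs in by_user.items():
        cols = list(zip(*vecs))
        profiles[user] = ([mean(c) for c in cols], [max(pstdev(c), 0.5) for c in cols])
    return profiles


def distance(vec, profile):
    """Sum of squared z-scores of vec against one user's profile."""
    mu, sd = profile
    return sum(((v - m) / s) ** 2 for v, m, s in zip(vec, mu, sd))


def aggregate(sessions):
    """Mean feature vector over a batch of sessions (the 'aggregated sessions' idea)."""
    cols = list(zip(*(features(s) for s in sessions)))
    return [mean(c) for c in cols]


def identify(sessions, profiles):
    """Closest profile to the aggregated batch.
    Returns (user, margin); margin = runner-up distance / best distance,
    so larger values mean a more clear-cut match."""
    vec = aggregate(sessions)
    ranked = sorted((distance(vec, p), u) for u, p in profiles.items())
    best_d, best_u = ranked[0]
    runner_d = ranked[1][0] if len(ranked) > 1 else float("inf")
    return best_u, runner_d / max(best_d, 1e-9)


def account_takeover_suspected(account_owner, sessions, profiles):
    """Fraud check: sessions on an account look more like another user's clickprint."""
    user, _ = identify(sessions, profiles)
    return user != account_owner


PROFILES = build_profiles(SESSIONS)
```

Real systems would need far more features and sessions, and a proper classifier; the point here is only that the per-session features the article lists already separate two constructed users.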

Of course, the idea of fingerprinting anonymous surfers isn't anything new. At the Black Hat Briefings in Las Vegas, Dr. Neal Krawetz of Hacker Factor Solutions noted how gender, nationality and other attributes can be identified by non-classical forensic methods. This includes analysis of text posted on blogs, listservs and forums. Dr. Krawetz cautions that this approach is only 60-70% accurate, but it offers clues when you're tracking down a malicious hacker. If you're interested, you can check out his presentation here.


August 06, 2006
Microsoft Winning Over Hackers?

Microsoft has long been ridiculed by the hacker community for the perceived lack of security in its products. Besides being regularly exposed over newly discovered vulnerabilities, the company even faced the embarrassment of being victimized by hackers in 2000. Despite the launch of its Trustworthy Computing Initiative, the community has not looked kindly upon its efforts...that is, until last week's unveiling of Vista to a throng of hackers at the 2006 Black Hat Conference.

The overall reception for Microsoft was not only cordial, it was even collegial, friendly and encouraging. Here's what one attendee had to say -

"I am here to learn how Microsoft is making the world better for us. If they are doing what they say they are, they are definitely headed in the right direction."

Remarkable. This turnabout can probably be traced back to a Blue Hat session last year, sponsored by Microsoft to reach out to the hacker community rather than treating it as the arch enemy. One has to ask - does this portend good things for the industry? Is the community embracing Microsoft in recognition of the improved security of its products, or has it fallen prey to a variant of Microsoft's embrace, extend, extinguish approach?

For my part, I have no ax to grind with Microsoft - I often think they're in a tough position. For the sake of the industry, I hope it's evidence that security has improved, if not arrived, for the biggest software vendor in the world.


June 28, 2006
Beware the iPod?

This isn't new, but I've wanted to post about it for a while now. With the popularity of iPods, a new threat emerges...less about iPods specifically and more about the fact that storage devices are increasing in capacity and decreasing in size to the point that keeping company confidential data secure becomes a real challenge. This trend has significant implications for data theft in the enterprise.

Check out the article on "iPod slurping" -

http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html

Will the challenge of securing data never end?

