You are here

rick's blog

Data Disclosure by Copy Machines

When Joanne emailed me this video a few days ago, I responded with "Yes, yes, of course. Copiers are digital. They save stuff." But then I watched the video. THIS IS BAD:

This is why all hard drives should have built-in encryption.

Post category: 

Graphic of Facebook Privacy

One Matt McKeon of IBM has created a terrific graphical timeline of privacy erosion on Facebook. It's pretty alarming.

A pundit at Wired suggests the development of an open-systems alternative. It's an interesting idea.

Post category: 

Parameter substitution attack on antivirus software

Researchers at have found a parameter substitution attack on antivirus software.

One effective antivirus strategy is to watch how a program uses the operating system. Malicious software may tell the system to do suspicious things, like loading an invalid kernel mode driver. The antivirus software checks the parameters passed to system functions to detect and block such things.

However, the antivirus software performs the checks on user mode data. Thus, a subverted user mode program can swap a "safe" parameter for a subverted one after the antivirus check takes place. This is especially true when you have multiple cores.

Post category: 

9-year-old hacks the school superintendent

Jeremy Epstein reported this terrific report to Peter Neumann's Risks List: a school kid logged in as superintendent of schools. This was in Fairfax County, where I grew up. They use Blackboard, just like the college where I teach.

And yes, we're talking about a nine-year-old. It turned out to be a security policy problem. A teacher can add a student to a class, and a teacher has the power to change a student's password.

The kid found out his teacher's Blackboard password. They don't say how in the news, but it may have been written on a post-it, or some other piece of paper, or it may be the same as a password the kid watched the teacher use somewhere else, or it could just be an easy-to-guess choice.

Wordpress tag: 
Post category: 

Security Versus Compliance: Old Guard Versus Digital Natives?

Forrester Research and RSA have published an interesting report on corporate security priorities and compliance programs. The bottom line is no real surprise: companies spend more money on compliance with external requirements like PCI-DSS or HIPAA than they do on protecting their own secrets. These compliance requirements are tied to obvious business needs - you can't do much retail work unless you take credit cards - so it's hard to argue against such expenses. Forrester and RSA show statistics arguing that companies lose more money through lost company secrets. Yet a lot of companies focus their security efforts exclusively on compliance and really don't make a special effort to protect company-specific assets.

Kapersky Labs posted a reasonable summary of the report.

Slashdot's title writers dramatically misread the report, summarizing it under the title "Compliance is Wasted Money." I tend to think of Slashdot as being edgy in a digital native sort of way, so I'm surprised they spun it that way.

I think the report reflects two things. First, companies don't want to spend money to assess their losses from leaked company data, unless they're already inclined to be a secrecy-oriented company. If a company is more inclined towards openness and information sharing, then they don't want to collect such information: bad news makes management look bad, and there's no countervailing data to show a measurable benefit to being a more open company.

Post category: 

Not the Droid

I recently migrated from my venerable Palm Treo 700 to a Blackberry Storm II. In between I had a brief fling with a Droid, but jettisoned it after about a day. There were two problems. First, it's too much like having a laptop instead of a phone, IMHO. Second, I don't like the security model.

When we talk about the "Droid security model" we're really talking about the Android operating system and not about any particular phone. The exact phone I had isn't as important as the mechanisms that are undoubtedly common to all Droids.

The basic problem is that it's too vulnerable to malware like viruses, worms, or Trojan horses. This is a feature of its openness, but not a feature I personally crave on my cell phone. My phone serves a little as an electronic wallet, and I don't want malware in there, even if it limits my choice of apps.

Post category: 

The blunt sword of legislation

Minnesota's Senator Klobuchar has co-sponsored a bill to criminalize certain behavior by peer-to-peer file sharing programs.

The bill is supposed to require a sort of informed consent by computer owners whenever a P2P file sharing program arrives. Here's what the bill wants to require:

• Ensures that P2P file sharing programs cannot be installed without providing clear notice and obtaining informed consent of the authorized computer user.

• Makes it unlawful to prevent the authorized user of a computer from:

1. Blocking the installation of a peer-to-peer file sharing program, and/or

2. Disabling or removing any peer-to-peer file sharing program.

Having taught several networking courses (not to mention having written my share of networking software), I'm not sure where they can draw the line. What constitutes 'clear notice,' and does that include such things as Windows and Apple file sharing? Do these OS vendors already comply with planned legislative requirements, or will they have to update their configuration software?

Does "Microsoft Genuine Advantage" violate the law if it won't let the computer owner block its communication with the Mother Ship in Redmond? If so, how does Microsoft check for people using the same license on two or more computers?

Post category: 

The cost of security failure

Marcus recently finished this 'creative project' as he calls it.
Post category: 

Profiling ("Fingerprinting") a Browser

EFF (Electronic Frontier Foundation) has put up a web site called Panopticlick.

It collects every scrap of info from your browser that it can - a browser will divulge a lot in order to optimize its display of information - so a server can find your screen size, a list of fonts, and of course the operating system and browser versions. This is even without looking for cookies!

So a clever site could try to 'fingerprint' individuals by retrieving system details from the browser.

Wordpress tag: 
Post category: 

Paying for Identity

Marcus Ranum and Bruce Schneier recently had another one of their "face-offs," this time, discussing anonymity on the Internet. Bruce argued strongly in favor of it, but then so did Marcus - with a cleverly nuanced argument.

The problem with Internet anonymity is that it's so incredibly cheap - fraud and spam is easy to do because it's almost free to adopt a new identity on the Internet. Many spam/scam techniques rely on creating bogus IDs wholesale.

Wordpress tag: 
Post category: 


Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer