Category Archives: Security

Life Cycle of a Security Bug

bug crashes computer, Dahlgren, VA, 1947

Unlike members of the insect family, computer software bugs live forever. Software security bugs (well, flaws) are especially troubling since they demand respect from every software developer now and forever. We want to believe we can “eradicate” software flaws through reviews, testing, and vigilance. Eradication is a myth. A flaw’s spores simply go dormant to await the right conditions.

Continue reading Life Cycle of a Security Bug

“Eyes Only” Security Marking

[This post has been UPDATED three times since first published, most recently on Nov 14, 2019]

Occasionally in the news (and more often in spy fiction) people pass around super-secret documents marked “Eyes Only.” The United Kingdom and Canada use “Eyes Only” to indicate specific countries with whom a document may be shared. “UK Eyes Only,” for example, means that the document is only distributed within the UK and not to other countries. The marking may also have a list of countries, often the “five eyes.” The US has traditionally used other markings like REL TO (release to) or NOFORN (no foreign dissemination) for this purpose. This type of marking is often called a caveat as opposed to being a classification level, compartment, or codeword.

Classified document markings are treated seriously, and government agencies have published explicit definitions of them. US classification guides (for example, this one from the intelligence community) discuss “Eyes Only” exclusively in terms to the UK definition. This does not, however, cover all examples. Another US definition I’ve found dates from 1974:

c. Eyes Only Messages.-A privacy communication from one named individual to another individual. Delivery of this type of message is restricted to the named addressee or to those personnel (contacts) the addressee has authorized to receive such messages. No further dissemination is permitted unless so directed by addressee or authorized member of his staff.

Defense Intelligence Agency (DIA), Special Operations Branch Office Procedure No. 35-2, January 13, 1974 (quoted from a Senate hearing transcript later that year).
Continue reading “Eyes Only” Security Marking

Authentication Chapters Online

book cover - Authentication from Passwords to Public Keys

Thanks to my former publisher, Addison-Wesley nee-Pearson Education, I can post several chapters of my favorite writing project: Authentication: From Passwords to Public Keys. I’m including these chapters as material for the Cloud Cybersecurity course I’m doing at the University of Minnesota for Coursera.

The book was published in 2001, and it’s based on solid, well-documented technical concepts. Everything is sourced through the “Notes” and “Bibliography” sections. Authentication captures the 2001 technologies very thoroughly. For many people, that’s as much authentication technology as they ever see.

Continue reading Authentication Chapters Online

Ross Anderson and another edition of Security Engineering

Security Engineering, by Ross AndersonEvery cybersecurity professional knows – and almost certainly owns – this book. Ross Anderson published the first edition back around 2001. He’s starting a third edition and is using an on-line collaborative model for developing revisions. He has already posted drafts of a few revised chapters.

Ross recently pointed out a disappointing result from Edward Snowden’s releases of NSA classified documents: most published analysis has been reportage. No one has done a “deep dive” into the technical aspets of what was released. This would probably still be of technical interest. It astonishes me every day how, despite perceived ongoing radical improvements in technology, things don’t really change that much.

A Forged “From” Address

Email with a forged FROM addressTo the left we see part of a malicious email. The author brags about how the From address is the same as the To address. This is supposed to mean that the author has broken into my email account.

I have been waiting patiently for someone to mail one of these to me. Now I can use it as an example. I’ll show you how to uncover it as a fraud.

Continue reading A Forged “From” Address

This photo should not exist

pin.it/fnnc4j6fjamugy

Once we get past the creep factor of Nazi army uniforms, we see a communications team sending a secret message. They are using the legendary Enigma machine to encrypt the message.

But why, why did that officer allow a photographer to record this highly sensitive activity?

A failure of operational security (OPSEC). Allies in Bletchley Park would have sacrificed lives for this photo, or any photo showing the device in operation.

Continue reading This photo should not exist

Invoice Phishing Campaign

Phishing email

Here is a phishing email I received today. These almost always land in my junk mail (hooray!).

This particular one encourages me to click on a Microsoft Word file claiming to contain an invoice I should pay. I also received a couple with “.xps” attachments. These apparently make use of printer paper specification files in MS Windows.

According to an article in Threatpost, these may be part of a phishing campaign that uses an unpatched flaw in MS Windows.

Continue reading Invoice Phishing Campaign