Unlike members of the insect family, computer software bugs live forever. Software security bugs (well, flaws) are especially troubling since they demand respect from every software developer now and forever. We want to believe we can “eradicate” software flaws through reviews, testing, and vigilance. Eradication is a myth. A flaw’s spores simply go dormant to await the right conditions.
Continue reading Life Cycle of a Security Bug
To the left we see part of a malicious email. The author brags about how the From address is the same as the To address. This is supposed to mean that the author has broken into my email account.
I have been waiting patiently for someone to mail one of these to me. Now I can use it as an example. I’ll show you how to uncover it as a fraud.
Continue reading A Forged “From” Address
Here’s a clever two-step attack on a Macintosh. First, the victim downloads a file – it may be enough to email it to the victim as an attachment. Second, the victim opens a file or clicks a link. This executes the downloaded file. Yipes!
I received an impressive email scam recently. My response was to forward it to the email provider’s abuse contact (firstname.lastname@example.org) and file a complaint with the Internet Crime Complaint Center (ic3.gov). I’ll include the whole email later. The bottom line: Scammer has my password and will humiliate me if I don’t pay $1900 in bitcoin.
The scammer’s email landed in my spam folder. I was given a deadline of July 11. I didn’t clean out my spam folder till today (July 15).
In fact, the scammer does have one of my passwords: a throwaway password I use with throwaway accounts. When a web site makes me “register for an account” to retrieve information I want, this is the type of password I used to use. Now that I use password manager software (Lastpass specifically) I choose passwords more randomly and let the manager remember them.
Continue reading Interesting Email Scam I Received
My textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories really reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now:
Denial of service – Pillage – Subversion
Masquerade – Forgery – Disclosure
This is a work in progress as I figure out some conceptual ideas.
Continue reading The Six Types of Cyber-Risks