Security Blog 


4.12.2002

Make sure your voicemail PIN is long, or end up like HP. What does it feel like to wake up and hear one of your voicemail messages being read on CNBC?



I love discoveries like this. A group from UMass claims they can identify DoS attacks. Read the details - every router along the path will need to be updated to do it. That's practical. We won't see this in production anytime soon.
Adler has developed an automated technique for tracing a stream of packets back to its source. The technique uses a single bit in the header of each packet, and requires each router along the path of attack to perform a simple randomized protocol on each packet to determine whether the value of that bit should be a 1 or a 0 when the packet is received by its destination. If the victim receives a large number of packets from the same source (as would occur in a DoS attack), then it is virtually guaranteed to be able to determine the identity of every router along the path of those packets. This means that the victim knows the source of the attack.
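To make the "large number of packets" and "every router along the path" conditions concrete, here is an added simulation (not from the UMass paper or from this blog) of the simpler, better-known form of the idea: node-sampling probabilistic packet marking as in Savage et al. (2000), where each cooperating router overwrites a small mark field with its own identity with probability p, rather than Adler's single-bit randomized protocol. The victim never learns the path from one packet; it recovers the order of routers from how often each one was the last to mark. The router names, path, probability and seed are all constructed for the example, and the simulation assumes every router on the path runs the protocol, which is exactly the deployment problem noted above.

```go
package main

import (
	"fmt"
	"math/rand"
	"sort"
)

// attackPath is a constructed sample path, listed from the attacker's first
// hop toward the victim. The router nearest the victim sees each packet last.
var attackPath = []string{"R1 (attacker edge)", "R2", "R3", "R4", "R5 (victim edge)"}

// markPacket forwards one packet along path. Every router, independently and
// with probability p, overwrites the packet's single mark field with its own
// identity (node sampling); otherwise the mark is left as it arrived. The
// victim therefore sees the identity of the LAST router that chose to mark.
func markPacket(path []string, p float64, rng *rand.Rand) string {
	mark := ""
	for _, router := range path {
		if rng.Float64() < p {
			mark = router
		}
	}
	return mark
}

// collectMarks tallies the marks the victim receives over n packets.
func collectMarks(path []string, p float64, n int, rng *rand.Rand) map[string]int {
	counts := make(map[string]int)
	for i := 0; i < n; i++ {
		if m := markPacket(path, p, rng); m != "" {
			counts[m]++
		}
	}
	return counts
}

// reconstructPath orders routers by how often they were the final marker.
// A router d hops from the victim wins with probability p(1-p)^(d-1), so the
// expected count falls geometrically with distance; sorting ascending yields
// the path in attacker-to-victim order. With enough packets the ordering is
// right; with only a few, the small counts overlap and the answer is wrong.
func reconstructPath(counts map[string]int) []string {
	type routerCount struct {
		id string
		n  int
	}
	rcs := make([]routerCount, 0, len(counts))
	for id, n := range counts {
		rcs = append(rcs, routerCount{id, n})
	}
	sort.Slice(rcs, func(i, j int) bool { return rcs[i].n < rcs[j].n })
	out := make([]string, len(rcs))
	for i, rc := range rcs {
		out[i] = rc.id
	}
	return out
}

// Simulate runs the experiment with a fixed seed so runs are repeatable.
func Simulate(p float64, n int, seed int64) (map[string]int, []string) {
	rng := rand.New(rand.NewSource(seed))
	counts := collectMarks(attackPath, p, n, rng)
	return counts, reconstructPath(counts)
}

// EqualPaths reports whether two router sequences are identical.
func EqualPaths(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// 20 packets is usually not enough to separate the distant routers;
	// 20000 (a modest flood) orders the whole path reliably.
	for _, n := range []int{20, 20000} {
		counts, path := Simulate(0.5, n, 1)
		fmt.Printf("%d packets: counts=%v\n  reconstructed=%v correct=%v\n",
			n, counts, path, EqualPaths(path, attackPath))
	}
}
```

Two caveats a practitioner would add: in real IP the attacker controls the packet's initial mark field, so an uncooperating or spoofed first hop can inject false marks unless the scheme is authenticated, and the count needed grows quickly as p shrinks or the path lengthens, which is why a legitimate trickle of packets reveals nothing while a flood reveals everything.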




I know I said I'd be away, but I'm just checking email - honest. Couldn't resist this little update on Microsoft's recent MBSA tool. I haven't had a chance to play with it, but these reviews don't sound promising.
Damien Adams, of technical services firm ScienTech, said: "For Microsoft to suggest that users should pay for tools to fix problems in its software is insulting.

"Now that Microsoft is pushing security, and is even going to venture into the security market, will we have to pay for patches? A majority of Microsoft's security market exists because of holes in its software."



4.11.2002

I'll be away from computers for the next few days, but will check in whenever possible. Look for more activity next week. Have a good weekend.



I remember stumbling across this guy's webpage last year after reading an article about him. The story painted him as a genius who built a European security firm and was living the good life. It was all quite slick and very flashy. But no one in the industry had ever heard of him, so there was a hint of BS floating around the whole thing. Looks like that was the case - he's in prison now for several counts of business fraud.
The escapades of larger-than-life German Netrepreneur Kim Schmitz made him a cult figure. Now they've landed him in jail.

Eight months before the indictment, Kim Schmitz saw it coming. As German authorities closed in on the one-time hacker and Internet entrepreneur, he threw one last blow-out party in May, 2001 -- immortalizing the revelry with digital photos posted on his Web site. Schmitz and entourage headed off to Monaco from Munich in a fleet of rented sports cars, booked a pair of huge yachts, and invited a bevy of attractive women in bikinis to join them. The champagne alone cost $40,000, Schmitz boasted on his Web site.




MS has postponed Hailstorm, its privacy-violating venture into web services.
"They ran into the reality that many companies don't want any company between them and their customers," said David Smith, vice president for Internet services at the Gartner Group, a computer industry consulting and research firm.

The lack of interest also indicates that in a variety of industries outside the desktop computer business there remain significant concerns about Microsoft's potential to use its personal computer monopoly and its .Net software to leverage its brand into a broad range of service businesses.




IRC - clubhouse for crackers? Personally, I think it's just a bunch of bots with the occasional conversation; it's not nearly as fun as it used to be. CNN has a short piece on how criminals are using IRC.


4.10.2002

Yikes - some airport security horror stories. I used to carry on 2 bags. Then I switched to a briefcase only; now it's just a book.
9:35 p.m.: McCarran International Airport, Las Vegas

Security officials report that about four hours earlier, a Southwest Airlines employee saw a passenger in an "employee only" area in Concourse C. While the employee called airport police to report the incident, an airport slot machine worker allowed the passenger to get into the concourse through an emergency exit. As a result of the security breach, the concourse was evacuated. Nineteen flights are delayed for 16 hours, 50 minutes.




A computer crash wrought havoc on British flight schedules yesterday. It doesn't look to be security-related, but it shows the impact a brief outage (16 minutes) of a critical infrastructure component can have.
Information from the West Drayton computer centre which processes data for all British commercial flights was blacked out from 6.05am for a crucial 16-minute period. Data for all flights had to be hand-written, causing massive delays to flights in-bound and taking off.




Reading through the wires this morning, same old stuff. Every story seems to be a rehash of something we already know - DoS still a threat, blah blah blah, security market attracts cautious investors, blah blah blah. It's difficult to find an original article, especially from a major outlet.

I did find this piece on corporate espionage, something that happens more often than we think. Unfortunately, most companies don't consider it to be a threat during risk analysis.
The information-gathering techniques are almost always legal and carried out by trained professionals - often former government intelligence operatives highly trained in obtaining military and economic secrets.



4.9.2002

This doesn't always have to be the case. Security and privacy can coexist.





Another Microsoft story, this one from Salon, discussing the Trustworthy Computing program. Some interesting insight into the cultural fears MS, and computing in general, needs to address.
One of the reasons there's been little debate about Trustworthy Computing is that no one -- including most Microsoft employees -- seems to know what it is. Even the company's public relations experts have trouble conveying Mundie's vision. But for those willing to wade through it, his white paper details the big picture in depth: "Trustworthy Computing is a label for a whole range of advances that have to be made for people to be as comfortable using devices powered by computers and software as they are today using a device that is powered by electricity."




My friend Scott's blog linked to this article at the NY Times discussing MS's security initiative. Evidently, every single programmer at MS has attended a secure programming class in the past 2 months - and now they're experts. I especially enjoyed this gem:
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."




I've read about a few private companies that sell satellite imagery for intelligence purposes. How did companies like that get started? I would have guessed they were somehow prevented from getting off the ground. They weren't, and now everyone's using satellite intel.
Perhaps a half-dozen countries as well as some private companies have spy satellites that, while not as good as those used by the United States, are able to supply solid military intelligence.



4.8.2002

A scary scenario discussing some possible ramifications of the recent Kazaa debacle. In case you didn't hear, Brilliant Digital (the company which distributes Kazaa) has the ability to control the PCs of those using the popular file-swapping service.
Any attacker who can control 100,000 machines is a major force on the internet, while someone with a million or more is currently unstoppable: able to launch massively diffuse DDOS attacks, perform needle in a hayfield searches, and commit all sorts of other mayhem. We already understand how worms could be used to gain control of so many machines. Yet the recent revelation that Brilliant Digital Media has bundled a small trojan with KaZaA has underscored another means by which an attacker could gain control of so many machines: poorly secured automatic updaters. If an attacker can distribute his own code as an update, he can take control of millions of machines.
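The quoted piece names the weak link (a "poorly secured automatic updater") without showing what a secured one checks. The following is an added example, not code from Brilliant Digital, Kazaa, or the quoted article, of the gate an update client should enforce before it runs anything it downloaded: the manifest must verify under a public key pinned in the client, the payload must match the hash the manifest signs, and the version must be newer than what is installed, so that neither an attacker's own update, a payload swapped in transit, nor a replayed old (and vulnerable) release gets through. The manifest layout, version numbers and payload strings are hypothetical and constructed for the example; the signature scheme is Ed25519 from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor. The vendor signs the version
// number and the SHA-256 of the payload; the payload itself is never trusted
// on its own.
type Manifest struct {
	Version    uint64
	PayloadSum [32]byte
	Signature  []byte
}

// signedBytes is the exact byte string the signature covers: big-endian
// version followed by the payload hash, so neither can be swapped separately.
func signedBytes(version uint64, sum [32]byte) []byte {
	buf := make([]byte, 8, 8+len(sum))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, sum[:]...)
}

// SignManifest is the vendor-side step, done offline with the private key.
func SignManifest(priv ed25519.PrivateKey, version uint64, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{
		Version:    version,
		PayloadSum: sum,
		Signature:  ed25519.Sign(priv, signedBytes(version, sum)),
	}
}

var (
	ErrBadSignature    = errors.New("manifest signature does not verify under the pinned key")
	ErrPayloadMismatch = errors.New("payload hash does not match the signed manifest")
	ErrRollback        = errors.New("update version is not newer than the installed version")
)

// VerifyUpdate is the client-side gate. pinnedPub ships inside the client
// binary; installed is the version currently running. Only a nil result
// means the payload may be written to disk and executed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installed uint64, m Manifest, payload []byte) error {
	// 1. Authenticity: the manifest must come from the vendor's key.
	if !ed25519.Verify(pinnedPub, signedBytes(m.Version, m.PayloadSum), m.Signature) {
		return ErrBadSignature
	}
	// 2. Integrity: the bytes we fetched must be the bytes the vendor signed.
	if sha256.Sum256(payload) != m.PayloadSum {
		return ErrPayloadMismatch
	}
	// 3. Freshness: a validly signed but older release must not be replayed.
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Outcome records the client's decision for each constructed scenario.
type Outcome struct {
	Genuine, Forged, Tampered, Rollback error
}

// RunScenarios builds a vendor key and an attacker key (constructed, fresh on
// every run) and exercises the four download cases described in the lead-in.
func RunScenarios() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const installed = 41
	genuine := []byte("client-update-v42 (constructed payload)")
	evil := []byte("attacker payload (constructed)")
	old := []byte("client-update-v40 (constructed payload)")

	var o Outcome
	o.Genuine = VerifyUpdate(vendorPub, installed, SignManifest(vendorPriv, 42, genuine), genuine)
	o.Forged = VerifyUpdate(vendorPub, installed, SignManifest(attackerPriv, 42, evil), evil)
	o.Tampered = VerifyUpdate(vendorPub, installed, SignManifest(vendorPriv, 42, genuine), evil)
	o.Rollback = VerifyUpdate(vendorPub, installed, SignManifest(vendorPriv, 40, old), old)
	return o, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine :", o.Genuine)
	fmt.Println("forged  :", o.Forged)
	fmt.Println("tampered:", o.Tampered)
	fmt.Println("rollback:", o.Rollback)
}
```

The point of pinning the key in the client rather than fetching it alongside the update is that whoever controls the download server, whether the vendor's partner, a compromised mirror, or a man in the middle, can then replace bytes but cannot produce a valid signature; the anti-rollback check matters because an attacker who cannot forge a release can still try to push everyone back to an old one with a known hole.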




This is a great overview on the process of discovering security bugs. Seven steps to getting posted on BUGTRAQ.
To systematically find bugs, individuals do need
- common sense (to know what to look for),
- dedication (to spend endless hours poking through software code), and
- a bit of luck (to find meaningful results).




Now it makes sense. The recent MS security initiatives are turning up in its antitrust defense.



An interesting incident is outlined here involving computer forensics. What I find fascinating about this story is that the company that thought it was victimized actually considered analyzing the drive in-house. They did the right thing by outsourcing the forensic work, but I'm amazed it was even an option. Could the evidence have stood up in court had they done it themselves?



Morning, I'm feeling better and back at the computer. In the car today, I heard Howard Stern, of all people, talking about hackers. It was kind of funny, I thought it was my imagination. Robin, his co-host, said something like "Hackers can go anywhere they want". And Howard correctly assumed that we have no idea how many breaches really take place. Strange hearing such talk on that show.