David Kirkpatrick

September 3, 2010

Balancing national security and privacy on the internet

An interesting breakdown on the current state of online privacy versus national security.

From the link:

In the wake of revelations that the US military network was compromised in 2008, and that US digital interests are under a relative constant threat of attack, the Pentagon is establishing new cyber security initiatives to protect the Internet. The Pentagon strategy–which is part digital NATO, part digital civil defense, and part Big Brother–may ruffle some feathers and raise concerns that the US Internet is becoming a military police state.

The mission of the United States Department of Defense is to provide military forces needed to deter war and protect the security of the nation. The scope of that mission includes emerging threats and the need to deter cyber war and protect the digital security of the nation as well. To fulfill that mission in an increasingly connected world, and with a rising threat of digital attack, the Pentagon wants to expand its sphere of influence.

This really is a tough issue. Certainly you want the nation to be safe, but at the same time the internet is largely a borderless “pseudo-nation” and clamping down too hard — not unlike the great firewall of China — can stifle much of what makes the net great. No easy answers here, but dramatically increasing the power of the government — particularly the military — over the private sector is not an acceptable solution.

January 27, 2010

Cloud computing security

Filed under: Business, Technology — David Kirkpatrick @ 3:07 pm

Security is certainly the most prominent concern going right now with cloud computing. Having a long memory of dodgy connectivity using dial-up and even DSL lines, just making certain I could get to my data, services, et al. in the cloud remains something of a personal concern.

From the link:

The hype around cloud computing would make you think mass adoption will happen tomorrow. But recent studies by a number of sources have shown that security is the biggest barrier to cloud adoption. The reality is cloud computing is simply another step in technology evolution following the path of mainframe, client server and Web applications, all of which had — and still have — their own security issues.

Security concerns did not stop those technologies from being deployed and they will not stop the adoption of cloud applications that solve real business needs. To secure the cloud, it needs to be treated as the next evolution in technology not a revolution that requires broad based changes to your security model. Security policies and procedures need to be adapted to include cloud models in order to prepare for the adoption of cloud-based services. Like other technologies, we’re seeing early adopters take the lead and instill confidence in the cloud model by deploying private clouds or by experimenting with less-critical information in public clouds.

January 19, 2010

Microsoft’s Internet Explorer flaw behind Google’s security breach

I haven’t been tracking this story closely enough to realize an IE security issue caused the security breach of Google’s corporate network. One pretty simple solution is to change browsers. I was never enamored with Firefox, but finally tried out Google’s Chrome browser in August and have never looked back.

The lesson, as always with online security, is to make sure you have all your patches up to date and do seriously consider capable products to replace known security sieves like IE.

From the first link:

Microsoft (MSFT) is scrambling to patch an Internet Explorer flaw that was used to hack into Google’s (GOOG) corporate networks last month. The attack was used to hack into networks at 34 companies, including Adobe (ADBE), security experts say. Typically such hacks involve several such attacks, but the IE bug is the only one definitively linked to the hacking incident, which security experts say originated in China.

In a security advisory released Thursday, Microsoft said IE 6 users on Windows XP are most at risk from the flaw, but that other users could be affected by modified versions of the attack. Microsoft said it is developing a fix, but it did not say when it expects to patch the issue. The company is slated to release its next set of security updates on Feb. 9. A Google spokesman confirmed Thursday that the Internet Explorer attack was used against Google and that the company then reported the issue to Microsoft.

Google learned of the issue in December and, after discovering the server used to control the hacked computers, notified other companies affected by the hack. Apparently convinced that the infiltration was sanctioned by the Chinese government, Google has threatened to effectively pull its business out of China.

Hit these links for more background on the actual security breach.

December 28, 2009

Tech threats v.2010 — scareware and smartphone exploits

Filed under: Business, Media, Technology — David Kirkpatrick @ 2:51 pm

All the usual suspects — phishing, trojan viruses, et al. — will be around, but the proliferation of smartphones makes that device a very enticing target for cybercriminals, and fake antivirus scareware looks like a growth industry of sorts.

Smartphone security is going to be a major issue, particularly as mobile devices take over sensitive data functions, such as access to personal bank accounts, from larger, and hopefully quite secure, platforms like desktop and laptop computers.

As always, it’s a good idea to take a bit of time to understand the threats out there for any device you use and make sure to implement appropriate security measures for that device. The bad guys aren’t going away, they’re just adapting to the changing technology world.

From the link:

Another accelerating security trend is the wave of criminals selling rogue antivirus software. Fake antivirus software is often called “scareware,” since frightening the PC owner is often part of the scam. Rogue antivirus, which Symantec counts as a top threat going into 2010, is not only thriving, but criminals selling it are starting to display new tricks.

December 9, 2009

The sophistication of cybercrime

Filed under: Business, Media, Technology — David Kirkpatrick @ 2:02 pm

It’s not about DDoS, phishing and Nigerian 419 scams any more. Now the main targets for these criminals are your data and social networking sites.

From the link:

What do phishing, instant messaging malware, DDoS attacks and 419 scams have in common? According to Cisco Systems, they’re all has-been cybercrimes that were supplanted by slicker, more menacing forms of cybercrime over the past year. In its 2009 Annual Security Report, due to be released Tuesday, Cisco says that the smart cyber-criminals are moving on.

“Social media and the data-theft Trojans are the things that are really in their ascent,” said Patrick Peterson, a Cisco researcher. “You can see them replacing a lot of the old-school things.”

Peterson is talking about attacks such as the Koobface worm, which spreads via Facebook and Twitter. Koobface asks victims to look at a fake YouTube video, which ultimately leads to a malicious download. Cisco estimates that Koobface has now infected more than 3 million computers, and security vendors such as Symantec expect social network attacks to be a major problem in 2010.

Another sneaky attack: the Zeus password-stealing Trojan. According to Cisco, Zeus variants infected almost 4 million computers in 2009. Eastern European gangs use Zeus to hack into bank accounts. They then use their networks of money mules to wire stolen funds out of the U.S. They have been linked to about $100 million in bank losses, some of which have been recovered, the U.S. Federal Bureau of Investigation said last month.

October 13, 2009

Cybersecurity and cloud computing

Filed under: Business, Technology — David Kirkpatrick @ 2:25 pm

There are many pitfalls out there vis-a-vis security and privacy and cloud computing. Both enterprise and individuals should approach cloud computing methodically and really put some thought into what data goes into the cloud.

From the link:

The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won’t be easy.

Also from the link:

Access to personal data on the cloud from just about anywhere on a variety of devices, from smartphones and laptops to home PCs, shows another major vulnerability because other people may be able to find that data, too.

“As an attacker, you should be licking your lips,” said Haroon Meer, a researcher at Sensepost, a South African security company that has focused on Web applications for the past six years. “If all data is accessible from anywhere, then the perimeter disappears. It makes hacking like hacking in the movies.”

September 29, 2009

Congress, the federal government and internet security

Filed under: Media, Politics, Technology — David Kirkpatrick @ 10:19 pm

I’m sympathetic to the reality of cyberattack against the government, but I’m guessing it’s needless to say I’m against any form of government control over internet traffic.

From the link:

There is no kill switch for the Internet, no secret on-off button in an Oval Office drawer.

Yet when a Senate committee was exploring ways to secure computer networks, a provision to give the president the power to shut down Internet traffic to compromised Web sites in an emergency set off alarms.

Corporate leaders and privacy advocates quickly objected, saying the government must not seize control of the Internet.

Lawmakers dropped it, but the debate rages on. How much control should federal authorities have over the Web in a crisis? How much should be left to the private sector? It does own and operate at least 80 percent of the Internet and argues it can do a better job.

“We need to prepare for that digital disaster,” said Melissa Hathaway, the former White House cybersecurity adviser. “We need a system to identify, isolate and respond to cyberattacks at the speed of light.”

So far at least 18 bills have been introduced as Congress works carefully to give federal authorities the power to protect the country in the event of a massive cyberattack. Lawmakers do not want to violate personal and corporate privacy or squelch innovation. All involved acknowledge it isn’t going to be easy.

July 31, 2009

Quantum computing — a breakthrough and a warning

The potential power of quantum computing is astonishing, and a lot of research is going into creating quantum computers. Of course there’s always a dark side to anything — a quantum computer that realizes the full potential of the technology will also render current security and encryption obsolete overnight.

This post is about a breakthrough involving the building blocks of matter and how that adds to quantum computing research, and also a cautionary tale from a researcher who is preparing for the security needs when the first quantum computer arises.

First the warning:

So far, so good, despite an occasional breach. But our security and our data could be compromised overnight when the first quantum computer is built, says Dr. Julia Kempe of Tel Aviv University’s Blavatnik School of Computer Science. These new computers, still in the theoretical stage, will be many times more powerful than the computers that protect our data now.

Laying the groundwork to keep governments, companies and individuals safe, Dr. Kempe is working to understand the power of quantum computers by designing algorithms that fit them. At the same time, she is figuring out the limits of quantum computers, something especially important so we can build safety systems against quantum hackers.

“If a very rich person worked secretly to fund the building of a quantum computer, there is no reason in principle that it couldn’t be used for malevolent power within the next decade,” she says. “Governments, large corporations, entrepreneurs and common everyday people will have no ability to protect themselves. So we have to plan ahead.”

And now the breakthrough:

Discovery about behavior of building block of nature could lead to computer revolution

A team of physicists from the Universities of Cambridge and Birmingham have shown that electrons in narrow wires can divide into two new particles called spinons and holons.

The electron is a fundamental building block of nature and is indivisible in isolation, yet a new experiment has shown that electrons, if crowded into narrow wires, are seen to split apart.

The electron is responsible for carrying electricity in wires and for making magnets. These two properties of magnetism and electric charge are carried by electrons which seem to have no size or shape and are impossible to break apart.

However, what is true about the properties of a single electron does not seem to be the case when electrons are brought together. Instead the like-charged electrons repel each other and need to modify the way they move to avoid getting too close to each other. In ordinary metals this does not usually make much difference to their behaviour. However, if the electrons are put in a very narrow wire the effects are exacerbated as they find it much harder to move past each other.

In 1981, physicist Duncan Haldane conjectured theoretically that under these circumstances and at the lowest temperatures the electrons would always modify the way they behaved so that their magnetism and their charge would separate into two new types of particle called spinons and holons.

The challenge was to confine electrons tightly in a ‘quantum wire’ and bring this wire close enough to an ordinary metal so that the electrons in that metal could ‘jump’ by quantum tunneling into the wire. By observing how the rate of jumping varies with an applied magnetic field the experiment reveals how the electron, on entering the quantum wire, has to fall apart into spinons and holons. The conditions to make this work comprised a comb of wires above a flat metal cloud of electrons. The Cambridge physicists, Yodchay Jompol and Chris Ford, clearly saw the distinct signatures of the two new particles as the Birmingham theorists, Tim Silk and Andy Schofield, had predicted.

Dr Chris Ford from the University of Cambridge’s Cavendish Laboratory says, ‘We had to develop the technology to pass a current between a wire and a sheet only 30 atomic widths apart.

‘The measurements have to be made at extremely low temperatures, about a tenth of a degree above absolute zero.

‘Quantum wires are widely used to connect up quantum “dots”, which may in the future form the basis of a new type of computer, called a quantum computer. Thus understanding their properties may be important for such quantum technologies, as well as helping to develop more complete theories of superconductivity and conduction in solids in general. This could lead to a new computer revolution.’

Professor Andy Schofield from the University of Birmingham’s School of Physics and Astronomy says, ‘The experiment to test this is based on an idea I had together with three colleagues almost 10 years ago. At that time the technology required to implement the experiment was still a long way off.

‘What is remarkable about this new experiment is not just the clarity of the observation of the spinon and holon, which confirms some earlier studies, but that the spinon and holon are seen well beyond the region that Duncan Haldane originally conjectured.

‘Our ability to control the behaviour of a single electron is responsible for the semiconductor revolution which has led to cheaper computers, iPods and more. Whether we will be able to control these new particles as successfully as we have the single electron remains to be seen. What it does reveal is that bringing electrons together can lead to new properties and even new particles.’

Notes to Editors

1. The paper is published in Science 10.1126/science.1171769 at http://dx.doi.org/10.1126/science.1171769

2. The experiment was performed in Cambridge’s Cavendish Laboratory with theoretical support from scientists at the University of Birmingham’s School of Physics and Astronomy.

July 24, 2009

Online security issues — Twitter and Adobe Reader

Online security should always be at least a tiny voice in your head whenever connected to the web — and with mobile devices, Wi-Fi, et al., being connected is becoming 24/7 for a lot of people.

Here are two articles on security issues with popular online tools.

First up is Twitter:

In April, a Twitter worm known as “Mikeyy” or “StalkDaily” reared its head. Similar to the 2005 Samy worm on MySpace, the Mikeyy worm was authored by a 17-year-old who took advantage of a code quirk to gain notoriety for his Web site, StalkDaily.com. Twitter shut it down–plus a few follow-up viruses (“How TO remove new Mikeyy worm!”)–fairly quickly. Following the worm attacks, cofounder Biz Stone wrote on the company blog, “Twitter takes security very seriously and we will be following up on all fronts.”

Shortened-URL Dangers

Parallel to the growth of Twitter is the expansion of URL-shortening services. Fitting your thoughts into 140 characters takes practice; including full URLs is almost impossible. Usually URLs have to be truncated through services such as Bit.ly and TinyURL.com, which also mask the true destination URL and can present their own security problems as a result.

The first signs of shortened-URL trouble came with a pair of Twitter worms that promised to help users remove the Mikeyy worm. In June, a wave of hidden poisoned URLs swept Twitter, using Bit.ly links to low.cc and myworlds.mp domains where users were asked to download a file called free-stream-player-v_125.exe to view a video. The file held malware. Bit.ly and TinyURL have been responsive to reports of abuse; Bit.ly, for one, now blocks those low.cc and myworlds.mp domains.

And second is a troubling issue combining two Adobe applications — Flash and Reader:

Adobe Systems Inc. late Wednesday admitted its Flash and Reader software have a critical vulnerability and promised it would patch both next week. One security researcher, however, said Adobe’s own bug-tracking database shows that the company has known of the vulnerability for nearly seven months.

In a security advisory posted around 10 p.m. Eastern time Wednesday, Adobe acknowledged that earlier reports were on target. “A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems,” the company said.

The “authplay.dll” mentioned in the advisory is the interpreter that handles Flash content embedded within PDF files, and is present on any machine equipped with Reader and Acrobat. Adobe said it would patch all versions of Flash by July 30, and Reader and Acrobat for Windows and Mac no later than July 31. Until a patch is available, Adobe said users could delete or rename authplay.dll, or disable Flash rendering to stymie attacks within malformed PDF files. Adobe did not offer any similar workaround for Flash and could only recommend that “users should exercise caution in browsing untrusted websites.”

The U.S. Computer Emergency Response Team (US-CERT), part of the Department of Homeland Security, included instructions on how to delete the Flash interpreter from Windows, Mac and Linux machines in a Wednesday advisory of its own.

June 12, 2009

Web 2.0 and security

Filed under: Business, Media, Technology — David Kirkpatrick @ 3:16 pm

Here’s a group of four good security points from CIO.com to keep in mind when engaging in web 2.0/web 3.0/social networking.

Number four from the list:

4) Sadly, You Really Can’t Trust Your Friends or Your Social Network
As a tweet from the Websense Security Labs recently stated, “Web threats delivered via your personal Web 2.0 social network is the new black — do not automatically trust suspicious messages from friends.” The social networking explosion has created new ways of delivering threats. Web users are so accustomed to receiving tweets with shortened URLs, video links posted to their Facebook pages and email messages purportedly from the social networking sites themselves that most people don’t even hesitate to click on a link because they trust the sender.

The unfortunate reality is that criminals are taking advantage of that trust to disseminate malware and links to infected Web sites. Websense Security Labs recently found examples of e-mails sent from what appeared to be Facebook, but were really from criminals that encouraged users to click on a link to a “video” that was actually a page infected with malware.

April 16, 2009

As if you didn’t have enough …

Filed under: Technology — David Kirkpatrick @ 2:41 pm

… to think about with computer security.

You don’t have to don a black hat and prowl the murkier waters of the internet to find an app as dirty as a password stealer — just hit download.com.

This is the extreme edge of controlling your security, but it is a useful bit of advice from the linked article, “… always assume that any login entered on any public computer is compromised and should have its password changed as soon as you’re back at a trusted PC.”

More from the link:

A simple search can turn up a keylogger program available for download on numerous sites, including PCWorld.com, with the idea that the tools are offered for personal use to catch someone messing around on your own PC, or perhaps for concerned parents. That may be a thin veneer, but Christopher Boyd posted on the SpywareGuide Greynets Blog that he came across a tool available as a free download at the oft-visited download.com that exists solely to steal passwords for IM accounts.

The app presents a fake IM app and captures usernames and passwords that are typed into the window, according to Boyd. It’s a bit of a stretch to think of how such a tool might be meant for personal use to catch snoops on your own computer, especially with a description like “This is perfect if a visitor is coming round who wants to access their IM account.”

March 16, 2009

Parsing passwords

Filed under: Media, Technology — David Kirkpatrick @ 5:06 pm

Interesting stuff. This is an analysis of passwords from the recently hacked PHPBB site.