In my previous post on Internet security, I was just scratching the surface of "How to secure the Internet", and emphasized that plain text communications, insecure by design, and our inability to measure the costs of cybercrime, are among the things to keep in mind.
Now, If I were asked about monocultures, "ship it now, patch it later" attitudes or slow reactive approaches, I would quickly ask is it Microsoft you're talking about? It's a common weakness to blame the most popular or richest companies before rethinking the situation, or even worse, waiting for someone else to secure you, instead of you trying to figure out how to achieve the balance. Is Linux, or, OS X more secure than Microsoft's Windows, or they are just not popular enough to achieve the scale of vulnerabilities, even interest in exploiting their weaknesses?
Important questions arise as always :
- Are Microsoft's products insecure by default, or what is insecure in this case?
- Should Microsoft's number of known vulnerabilities act as a benchmark for commitment towards security, quality of the software, or should this be totally excluded given the tempting target Microsoft's products really are?
- Should a vendor be held liable for not releasing a patch in a timely fashion, and what are the acceptable timeframes, given how quickly malware authors take advantage, and "worm the vulnerability"?
These and many other points led me to the idea of brainstorming on what Microsoft could do to secure the Internet as a whole, and contribute to the social welfare of the society(a $100 laptop powered by a hand crank, is so much better than a smartphone, given it's education, and not entertainment you're looking for! ). This is not an anti-microsoft oriented post, they've got enough anti-trust legislations and Vista issues to deal with, yet, it's a summary of my thoughts while going through Slashdot's chat with Mike Nash VP of security, and some Microsoft's comments on today's state of the market for software vulnerabilities.
1. Think twice before reinventing the security industry
What is the first thing that comes across your mind when you picture Microsoft as a security vendor? A worst case scenario for the Internet as a whole? Just kidding, but still, with such a powerful brand, BETA products, and their legal monopoly from my point of view, is quite a good foundation besides constant acquisitions. Microsoft is a software company, software innovation is among their core competencies. Yet, today’s fast growing information security market opens up many more profitable opportunities. Though, I’d rather they stick to their current OEM licensing agreements by the time they actually come up with something truly unique. Acquiring companies indeed improves competitiveness, but is it just me seeing the irony of entering the security industry without first dealing with the idea internally? The introduction of a OS build-in firewall, and bi-directional and fully working with IPSec for Vista would immediately provide Microsoft with a great opportunity to start serving certain market segments, while it would leave them in experimental mode while MS is gaining the experience.
Why it wouldn’t?
Because the information security market is growing so steadily, that if Microsoft doesn’t take a piece of the pie, it would be a totally flawed business logic. And they want to do it as independently, thus more profitably, as possible. The recent FBI’s 2005 Computer Crime Survey indicated that the majority of security dollars are spent on antivirus, antispyware, and perimeter based security solutions, no one would miss that opportunity. While you can acquire competitive advantage, and actually buy yourself an anti virus vendor, you cannot do the same with core competencies, moreover, I once said "less branding, but higher preferences", and you might end up making the right decision for the time being. Moreover, to operate in today’s anti virus market you need a brand name and if you don’t have it, there’s a great chance you wouldn’t be able to gain any market share, of course if you you don’t somehow capitalize on a niche, and introduce innovative competitive features. The rest is all about OEM agreements and licensing technologies or the opportunity to provide a service, still, it's Microsoft's brand and market development practices to worry about. Passport, Trustworthy Computing, InfoCard it's all under Microsoft's Brand umbrella.
2. Become accountable, first, in front of itself, than, in front of the its stakeholders
What is accountability in this case anyway? Releasing a patch given a vulnerability is known within a predefined timeframe? Set, report and improve its own benchmark on a fast response towards a security threat? Overall commitment as a whole? You cannot simply say “hold on” when the entire world is waiting for you to release a patch, any excuse in such a situation should be considered as lack of responsibility. And given that no vendor has been held liable for not releasing a patch in a timely manner, why would they bother to be the benchmark? I think the problem isn’t the lack of resources, but understanding the importance of it. Microsoft is so huge and powerful that’s its clumsiness is in direct proportion with this fact, isn't it. Can Elephants Indeed Dance in this case? Microsoft’s VP of Security Mike Nash, made a lot of comments for a Slashdot interview that made me an impression, such as :
“Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time.” – I can argue that nothing has changed since then, can you?
Why it wouldn’t?
Mainly because of the actual commitment, though I feel Microsoft could evolve if it manages to find the balance between being a software company with ambitions in the security industry. First, the clear benefits should be understood, and they obviously aren’t. I greatly feel that until a customer, or a legal party doesn’t start questioning various practices, this self-regulation is not getting us anywhere. Gratefully, the are independent researchers out there that have a point way faster than the vendor itself. I think exchanging information in a way that satisfies both parties would be the best thing to do. Employees training without successful evaluation of the progress is useless, and while seeking accountability from a programmer has been greatly discussed, I feel that outsourcing the auditing is always an option worth keeping in mind. Would confidentiality of the ultra-secret Microsoft’s code be breached? I doubt so given they implement close activities monitoring and the Manhattan project style operations and cooperation between teams.
Don’t get me wrong, Microsoft’s software will always be blamed for being insecure, but instead I feel its defacto position as an OS turns it into an exciting daily research topic, whereas its anti-trust compliance practices such as sharing technical details so that competitors could – puts them in a very unfavourable $279.83B market capitalization position. Security shouldn’t be something to live with as if it’s normal, instead it should be provoked by means of active testing and proactive solutions. I feel what they are missing is a legal incentive to promptly comply with patch releases, while on the other hand can you picture the outcome of a minor tax deduction in case a milestone in the release of proactive security vulnerabilities is reached, and watch them securing!
3. Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities
Have you even imagined Microsoft releasing proactive patches to fix 0day vulnerabilities it has managed to find out though third-party code auditing practices, or within its internal quality assurance departments? Sounds too good to be true, but reaching the proactive level is an important step, so hold your breath, the did it with Vista already! Still, their practices with dealing with the reactive response are questionable, and as it often happens, the window of opportunity due to their efforts to testing and localizing the patches for all their customers(the entire world) is causing windows of opportunities that I could argue drive the security industry.
Why it wouldn’t?
Resources and commitment, though the first can be successfully outsourced. What I greatly feel the company is missing is a clear strategy towards understanding the benefits, and eventually the commitment to do it. Microsoft isn’t insanely obsessed with the idea to provide bugs free software, but features rich one. And the way MSN is not going to get more allocated budget compared to MS Office, it’s going to take a while by the time they realize the importance and key role they play as being on the majority of PC and servers worldwide. Some comments again :
"I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time."
4. Introduce an internal security oriented culture, or better utilize its workforce in respect to security
Google’s 70/20/10 rule is an example, and while Microsoft tends to position itself as THE software company, to some it may be competing with other major software vendors, or the Open Source threat, it actually competes on IQ basis. Flame them, talk whatever you want, they are still able to attract the smartest people on Earth to work for them. My point is, that introducing a Google style culture, where engineers and anyone from their employees spend 10% of their time on personal projects, this time towards security, it would inevitable make an impact on finding the balance between usability and security on any of its products. Devoting any percentage of work time towards security related projects and initiatives would.
Why it wouldn't?
They pretend they have their own corporate citizenship methods, and moreover, they hate Google with a reason. Or is it about the culture, spending time on security/hacking cons to find out that's driving the industry, or basically stop shipping products with the majority of features turned on by default with the idea to "show off" their features?
5. Rethink its position in the security vulnerabilities market
Would this mean there would be more monopolistic sentiments? I’m just kiddin’ of course though it’s still questionable. Would a Microsoft’s initiative to recruit outstanding vulnerability researchers and actually purchase their research have any effect at all? It would definitely help them I cannot actually imagine Microsoft paying for 0day IE vulnerabilities, but I can literally see them catching up with week delay on the WMF vulnerability. But the usefulness and the potential of this approach are enormous, and the intelligence gathered will provide them with unique business development opportunities, given they actually take advantage of them.
Microsoft has stated numerous time that it doesn’t agree with the practice of buying security vulnerabilities, and while I also don’t agree that commercializing the current state of the process of discovering, exploiting, and patching is the smartest thing to do, picture a $250k bounty for information leading to the arrest of virus writers being spent on secure code auditing, or push/pull software vulnerabilities approach with reputable researchers only – it would make a change for sure.
Why it wouldn't?
Because the biggest problem of a 800 pound gorilla is its EGO with capital letters. We are not interested in pulling intelligence from you, we are interested in pushing you the final results branded with Microsoft’s logo. Is it profitable? It is. Is it realistic in today’s collective intelligence dominated Web? It isn’t, and the whole concept has to go beyond Live.com from my point of view. Until, then, let’s still say a big thanks for playing such a vital role in our society’s progress, but no one seems to tolerate the security trade-offs anymore, that’s a fact.
To conclude, as I’ve said I think it isn’t the lack of resources, but understanding the importance of the issue. What do you think, what else can Microsoft do, and why it wouldn’t? :)
Technorati tags :
Security, Microsoft
Monday, March 06, 2006
5 things Microsoft can do to secure the Internet, and why it wouldn't?
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Data mining, terrorism and security
I've been actively building awareness on what used to feel like an unpopular belief only - Cyberterrorism, and also covered some recent events related to Cyberterrorism in some of my previous posts.
Last week, The NYTimes wrote about "Taking Spying to Higher Level, Agencies Look for More Ways to Mine Data", and I feel that avoiding the mainstream media for the sake of keeping it objective is quite useful sometimes. From the article :
"On the wish list, according to several venture capitalists who met with the officials, were an array of technologies that underlie the fierce debate over the Bush administration's anti-terrorist eavesdropping program: computerized systems that reveal connections between seemingly innocuous and unrelated pieces of information. The tools they were looking for are new, but their application would fall under the well-established practice of data mining: using mathematical and statistical techniques to scan for hidden relationships in streams of digital data or large databases."
Interest in harnessing the power of data mining given the enormous flow of information from different parties would never cease to exist. What's more to note in this case, is the Able Danger scenario as a key indicator for usefulness of outdated information, given any has been there at the first place. Conspiracy theorists would logically conclude that the need for evidence of the power of data mining for tracking terrorists would inevitably fuel more investments in this area. So true, and here's a recent event to keep the discussing going - "Suit airs Able Danger claims: Two operatives in secret program say their lawyers were barred at hearings"
While on one hand wars are getting waged with the idea to eradicate terrorist deep from its roots, and sort of building "local presence" thus improving assets allocation and intelligence gathering, I feel the fact that a reliable communication channel could be estalibshed by a terrorist network over the Net is already gaining a lot of necessary attention. However, TIA's ambitions have always been desperately megalomaniac, what about some marginal thinking in here folks, you cannot absorb all the info and make sense out of it, and who says it has to be all of it at the first place?!
The Total Information Awareness program was prone to be abused in one way or another, like pretty much any data mining system from my point of view. And while it's supposidely down due to budget deficits and privacy violations outbreak, government legislation and ensuring key networks remain wiretaps-ready seems to be a valuable asset for any future data mining projects. TIA is still up and running folks, or even if it's not using the same name, the concept is still in between the lines of DHS's budget for 2006 and would always be, and with the majority of corporate sector's participants are opening up their networks to comply with "legal requirements", the lines between privacy and the war against terrorism, and what to exchange for what, seems to be getting even more shady these days.
In my previous posts, I also mentioned about the power of the Starlight project as existing initiative to data mine data from different and media-rich sources alltogether, and most importantly, visualize the output. If you fear BigBrother, don't fear the Eye, but fear the Eyeglasses :)
More resources on Data Mining and Terrorism :
Data Mining : An Overview
Data Mining and Homeland Security : An Overview (updated January 27, 2006)
Using data mining techniques for detecting terror-related web activities
Data mining and surveillance in the post-9.11 environment
The Dark Web Portal: Collecting and Analyzing the Presence of Domestic and International Terrorist Groups on the Web
Workshop on Data Mining for Counter Terrorism and Security
TRAKS: Terrorist Related Assessment using Knowledge Similarity
The Multi-State Anti-Terrorism Information Exchange (MATRIX)
A Knowledge Discovery Approach to Addressing the Threats of Terrorism - w00t
Gyre's Data Mining section
Eyeballing Total Information Awareness
Able Danger blog
EPIC's TIA section
EFF's TIA section
Technorati tags : Security, Terrorism, Cyberterrorism, Data Mining, TIA
Last week, The NYTimes wrote about "Taking Spying to Higher Level, Agencies Look for More Ways to Mine Data", and I feel that avoiding the mainstream media for the sake of keeping it objective is quite useful sometimes. From the article :
"On the wish list, according to several venture capitalists who met with the officials, were an array of technologies that underlie the fierce debate over the Bush administration's anti-terrorist eavesdropping program: computerized systems that reveal connections between seemingly innocuous and unrelated pieces of information. The tools they were looking for are new, but their application would fall under the well-established practice of data mining: using mathematical and statistical techniques to scan for hidden relationships in streams of digital data or large databases."
Interest in harnessing the power of data mining given the enormous flow of information from different parties would never cease to exist. What's more to note in this case, is the Able Danger scenario as a key indicator for usefulness of outdated information, given any has been there at the first place. Conspiracy theorists would logically conclude that the need for evidence of the power of data mining for tracking terrorists would inevitably fuel more investments in this area. So true, and here's a recent event to keep the discussing going - "Suit airs Able Danger claims: Two operatives in secret program say their lawyers were barred at hearings"
While on one hand wars are getting waged with the idea to eradicate terrorist deep from its roots, and sort of building "local presence" thus improving assets allocation and intelligence gathering, I feel the fact that a reliable communication channel could be estalibshed by a terrorist network over the Net is already gaining a lot of necessary attention. However, TIA's ambitions have always been desperately megalomaniac, what about some marginal thinking in here folks, you cannot absorb all the info and make sense out of it, and who says it has to be all of it at the first place?!
The Total Information Awareness program was prone to be abused in one way or another, like pretty much any data mining system from my point of view. And while it's supposidely down due to budget deficits and privacy violations outbreak, government legislation and ensuring key networks remain wiretaps-ready seems to be a valuable asset for any future data mining projects. TIA is still up and running folks, or even if it's not using the same name, the concept is still in between the lines of DHS's budget for 2006 and would always be, and with the majority of corporate sector's participants are opening up their networks to comply with "legal requirements", the lines between privacy and the war against terrorism, and what to exchange for what, seems to be getting even more shady these days.
In my previous posts, I also mentioned about the power of the Starlight project as existing initiative to data mine data from different and media-rich sources alltogether, and most importantly, visualize the output. If you fear BigBrother, don't fear the Eye, but fear the Eyeglasses :)
More resources on Data Mining and Terrorism :
Data Mining : An Overview
Data Mining and Homeland Security : An Overview (updated January 27, 2006)
Using data mining techniques for detecting terror-related web activities
Data mining and surveillance in the post-9.11 environment
The Dark Web Portal: Collecting and Analyzing the Presence of Domestic and International Terrorist Groups on the Web
Workshop on Data Mining for Counter Terrorism and Security
TRAKS: Terrorist Related Assessment using Knowledge Similarity
The Multi-State Anti-Terrorism Information Exchange (MATRIX)
A Knowledge Discovery Approach to Addressing the Threats of Terrorism - w00t
Gyre's Data Mining section
Eyeballing Total Information Awareness
Able Danger blog
EPIC's TIA section
EFF's TIA section
Technorati tags : Security, Terrorism, Cyberterrorism, Data Mining, TIA
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Anti Phishing toolbars - can you trust them?
A lot of recent phishing events occured, and what should be mentioned is their constant ambitions towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for to-be fraudelent domain is a faily simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive.
How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building? As far as trends are concerned, according to the AntiPhishingGroup's latest report :
• Number of unique phishing reports received in December: 15244
• Number of unique phishing sites received in December: 7197
• Number of brands hijacked by phishing campaigns in December: 121
• Number of brands comprising the top 80% of phishing campaigns in December: 7
• Country hosting the most phishing websites in December: United States
• Contain some form of target name in URL: 51 %
• No hostname just IP address: 32 %
• Percentage of sites not using port 80: 7 %
• Average time online for site: 5.3 days
• Longest time online for site: 31 days
In case you haven't came across to this research "Do Security Toolbars Actually Prevent Phishing Attacks?" you'll find that it has very good points and actual evidence. Antiphishing filters and toolbars protection are gaining popularity, and many popular companies are fighting for market share of the end users'
desktop, but keep in mind that :
"We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars’ warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be."
The topic of phishing and fighting the problem has been again greatly extended by the researcher Min Xu, while writing the thesis "Fighting Phishing at the User Interface" and introducing a solution that measures a site's reputation and trustfulness. While, this is among the simplest ways Google uses to while assigning PageRank's, I find this a common sense warning. Still, with the constant flood of Web 2.0 companies, does it matter? :) Check out some screenshots from this outstanding thesis, and get the point :
Localizing the attacks, taking advantage of the momentum, or a software vulnerability within a popular browser or site itself, as well as taking advantage of malware, are among the most common practices these days. Moreover, I feel that fighting phishing the wrong way could erode the end user's trust in the Web on the other hand, so do your homework on the social impact on anything you do. NetCraft's Anti Phishing toolbar, whatsoever, is my favorite combination of them all, still, awareness and lack of naivety when it comes to transactions or authentication is the perfect tool, what about yours?
Some resources worth mentioning are :
Candid's “Phishing in the middle of the stream” Today’s threats to online banking
Know your Enemy : Phishing
Phishing attacks and countermeasures
The Phishing Guide
Distributed Phishing Attacks
Phishiest Countries
MailFrontier Phishing IQ Test
Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures
Technorati tags :
Security, Phishing, Toolbar, AntiPhishing Group
How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building? As far as trends are concerned, according to the AntiPhishingGroup's latest report :
• Number of unique phishing reports received in December: 15244
• Number of unique phishing sites received in December: 7197
• Number of brands hijacked by phishing campaigns in December: 121
• Number of brands comprising the top 80% of phishing campaigns in December: 7
• Country hosting the most phishing websites in December: United States
• Contain some form of target name in URL: 51 %
• No hostname just IP address: 32 %
• Percentage of sites not using port 80: 7 %
• Average time online for site: 5.3 days
• Longest time online for site: 31 days
In case you haven't came across to this research "Do Security Toolbars Actually Prevent Phishing Attacks?" you'll find that it has very good points and actual evidence. Antiphishing filters and toolbars protection are gaining popularity, and many popular companies are fighting for market share of the end users'
desktop, but keep in mind that :
"We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars’ warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be."
The topic of phishing and fighting the problem has been again greatly extended by the researcher Min Xu, while writing the thesis "Fighting Phishing at the User Interface" and introducing a solution that measures a site's reputation and trustfulness. While, this is among the simplest ways Google uses to while assigning PageRank's, I find this a common sense warning. Still, with the constant flood of Web 2.0 companies, does it matter? :) Check out some screenshots from this outstanding thesis, and get the point :
Localizing the attacks, taking advantage of the momentum, or a software vulnerability within a popular browser or site itself, as well as taking advantage of malware, are among the most common practices these days. Moreover, I feel that fighting phishing the wrong way could erode the end user's trust in the Web on the other hand, so do your homework on the social impact on anything you do. NetCraft's Anti Phishing toolbar, whatsoever, is my favorite combination of them all, still, awareness and lack of naivety when it comes to transactions or authentication is the perfect tool, what about yours?
Some resources worth mentioning are :
Candid's “Phishing in the middle of the stream” Today’s threats to online banking
Know your Enemy : Phishing
Phishing attacks and countermeasures
The Phishing Guide
Distributed Phishing Attacks
Phishiest Countries
MailFrontier Phishing IQ Test
Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures
Technorati tags :
Security, Phishing, Toolbar, AntiPhishing Group
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
February's Security Streams
It's about time I summarize all my February's Security Streams, you can of course go through my January's Security Streams as well, in case you're interested in what was inspiring me to blog during January. The truth is - you, the 4,477 unique and 580 unique visitors returning during the entire February, and as this blog is melting down due to its audience and content, thanks for your time! As a matter of fact, it's been a while since I've last participated in students' thesis, but who knows these days :)
1. "Suri Pluma - a satellite image processing tool and visualizer", treat tool I recommended to everyone interested in that type of tools, as a matter of fact, I also got many other suggestions for alternatives. More on visualization
2. "CME - 24 aka Nyxem, and who's infected?" a small update on the Nyxem threat if any during February
3. "What search engines know, or may find out about us?"" a commentary on a CNET's Q&A with leading search engines on how they deal with subpoenas and user's privacy, further resources and opinions on the topic are provided as well. Anything that can be linked will be one way or another.
4. "The current state of IP spoofing" introducing the ANA Spoofer Project, commentary on the current state according to their sample, and many other distributed concepts again related to security are mentioned
5. "Hacktivism tensions" A brief coverage of the mass defacements of Danish sites out of the Muhamad's cartoons distribution over Europe, and of course, over the Net. I also mentioned a previous rather more severe case or Nation2Nation cyberwarfare PSYOPS attacks
6. "Security Awareness Posters" a small list with links to free security awareness posters worth using or enjoying their witty messages
7. "A top level espionage case in Greece" With the great possibility of an insider's job, the eavesdropping of major government officials and citizens was indeed the second case that made me an impression, next to the stone transmitter found in a Moscow's park
8. "The War against botnets and DDoS attacks" A post covering the introduction of McAfee's bot killing system, The ZombieAlert Service, some comments and lots of external resources on fighting and protecting against Botnets and DDoS attacks
9. "Who needs nuclear weapons anymore?" An in-depth article I wrote while coming across a news article on a recent EMP warhead test, with the idea to bring more awareness on the potential of EMP weapons, some of the current trends, and the emerging weaponization of Space . A reader also mentioned a Mig-25 found on Google Maps
10."Recent Malware developments" a post summarizing various events right in the middle of February, discussing some of the emerging trends to keey an eye on, a a commentary on Kaspersky's summary for 2005, worth checking out as well
11. "Look who's gonna cash for evaluating the maliciousness of the Web?" Crawling for malware and evaluating the maliciousness of the Web with automated patrol for sites distribution it is a very hot and feasible topic you can learn more about by reading this post
12. "Detecting intruders and where to look for" comments and external resources related to rootkits and forensics
13. "A timeframe on the purchased/sold WMF vulnerability" as requested by readers
14. "The end of passwords - for sure, but when?" As my first blog post was related to passwords security and why bother given their major insecurities, in this post I commented Bill Gate's remarks. I think they don't know what they are really up to at the bottom line
15."Smoking emails" Would you pay millions to avoid paying billions and keep a clean image? Of course you will!
16. "DVD of the weekend - The Lone Gunmen" the first post related to DVDs worth watching over the weekend
17. "How to win 10,000 bucks until the end of March?" Find a critical, as defined by Microsoft's security bulletins, vulnerability, participate in the market for software vulnerabilities - the future 0bay, and sell it to iDefense for 10,000 bucks, but what about the social outcome out of the process, if any?
18. "Chinese Internet Censorship efforts and the outbreak" recent events related to the Chinese efforts to monitor and censor the web, the the "West's'"reactions. I did quite a lot of quality posts on the topic during January and February mainly because I feel that the higher the publicity for the problem, the higher the pressure towards starting talks on the future of these efforts
19. "Master of the Infected Puppets" comments on botnets communication provoked out of a nice research I came across to
20. "Give it back!" Mixed signals from the CIA, DIA and the DoJ on secrecy
21. "One bite only, at least so far!" a brief coverage of the OS X trojan and the InqTana worm
22. "DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection" weekend two, second DVD
23. "Get the chance to crack unbroken Nazi Enigma ciphers" another distributed concept this time cracking unbroken Nazi messages
Technorati tags :
Security, Information Security
1. "Suri Pluma - a satellite image processing tool and visualizer", treat tool I recommended to everyone interested in that type of tools, as a matter of fact, I also got many other suggestions for alternatives. More on visualization
2. "CME - 24 aka Nyxem, and who's infected?" a small update on the Nyxem threat if any during February
3. "What search engines know, or may find out about us?"" a commentary on a CNET's Q&A with leading search engines on how they deal with subpoenas and user's privacy, further resources and opinions on the topic are provided as well. Anything that can be linked will be one way or another.
4. "The current state of IP spoofing" introducing the ANA Spoofer Project, commentary on the current state according to their sample, and many other distributed concepts again related to security are mentioned
5. "Hacktivism tensions" A brief coverage of the mass defacements of Danish sites out of the Muhamad's cartoons distribution over Europe, and of course, over the Net. I also mentioned a previous rather more severe case or Nation2Nation cyberwarfare PSYOPS attacks
6. "Security Awareness Posters" a small list with links to free security awareness posters worth using or enjoying their witty messages
7. "A top level espionage case in Greece" With the great possibility of an insider's job, the eavesdropping of major government officials and citizens was indeed the second case that made me an impression, next to the stone transmitter found in a Moscow's park
8. "The War against botnets and DDoS attacks" A post covering the introduction of McAfee's bot killing system, The ZombieAlert Service, some comments and lots of external resources on fighting and protecting against Botnets and DDoS attacks
9. "Who needs nuclear weapons anymore?" An in-depth article I wrote while coming across a news article on a recent EMP warhead test, with the idea to bring more awareness on the potential of EMP weapons, some of the current trends, and the emerging weaponization of Space . A reader also mentioned a Mig-25 found on Google Maps
10."Recent Malware developments" a post summarizing various events right in the middle of February, discussing some of the emerging trends to keey an eye on, a a commentary on Kaspersky's summary for 2005, worth checking out as well
11. "Look who's gonna cash for evaluating the maliciousness of the Web?" Crawling for malware and evaluating the maliciousness of the Web with automated patrol for sites distribution it is a very hot and feasible topic you can learn more about by reading this post
12. "Detecting intruders and where to look for" comments and external resources related to rootkits and forensics
13. "A timeframe on the purchased/sold WMF vulnerability" as requested by readers
14. "The end of passwords - for sure, but when?" As my first blog post was related to passwords security and why bother given their major insecurities, in this post I commented Bill Gate's remarks. I think they don't know what they are really up to at the bottom line
15."Smoking emails" Would you pay millions to avoid paying billions and keep a clean image? Of course you will!
16. "DVD of the weekend - The Lone Gunmen" the first post related to DVDs worth watching over the weekend
17. "How to win 10,000 bucks until the end of March?" Find a critical, as defined by Microsoft's security bulletins, vulnerability, participate in the market for software vulnerabilities - the future 0bay, and sell it to iDefense for 10,000 bucks, but what about the social outcome out of the process, if any?
18. "Chinese Internet Censorship efforts and the outbreak" recent events related to the Chinese efforts to monitor and censor the web, the the "West's'"reactions. I did quite a lot of quality posts on the topic during January and February mainly because I feel that the higher the publicity for the problem, the higher the pressure towards starting talks on the future of these efforts
19. "Master of the Infected Puppets" comments on botnets communication provoked out of a nice research I came across to
20. "Give it back!" Mixed signals from the CIA, DIA and the DoJ on secrecy
21. "One bite only, at least so far!" a brief coverage of the OS X trojan and the InqTana worm
22. "DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection" weekend two, second DVD
23. "Get the chance to crack unbroken Nazi Enigma ciphers" another distributed concept this time cracking unbroken Nazi messages
Technorati tags :
Security, Information Security
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
DVD of the (past) weekend
Hi folks, as I've been down for a couple of days, I'm actively updating my blog, so watch out for some quality posts later on and apologies for the downtime. Thanks for the interest and the questions received whatsoever!
So, after the "Lone Gunmen", and "The Outer Limits - Sex And Science Fiction Collection" it was about time we go beyond cyberspace with the second part of the "Lawnmower man" a classic techno thriller, with a lot of VR, Cyberpunks, and futuristic scenarious.
Favo quote from part one - "I find a way out, or I die in this diseased main frame" which is also worth watching as a matter of fact. I'm so excited of seeing Ray Kurzweil's views of the future in a DVD box. I am especially interested into Cyberware, and the biological adaptation with technologies. As a matter of fact, there have already been reported cases of people with implanted RFID chips, and while they wish they had Johnny Mnemonic's view of the Internet, that must be some kind of a joke. Picture yourself scanned and monitored wherever you go while walking around with a false sense of security. RFID is a lot of buzz, I feel the potential for information sharing, and resources cutting is outstanding, still, the levels of security or lack of understanding on the privacy implications is the biggest downsize so far.
Would we someday build an AI that would crawl the Universe forever colonizing the obeying the morale we learnt "it" to? I find this such a great idea :)
Some resources on Cyberware and Cyberpunks :
The Cyberpunk Project
Cyberpunk
"Cyberpunks in Cyberspace"
Cyberanarchists, Neuromantics and Virtual Morality
Cyberpunks and their online activities
Cyberpunk - Ebook
Cyberware Technology
Realistic and Affordable Cyberware Opponents for the Information Warfare BattleSpace
Cyberware Implants
Technorati tags :
Lone Gunmen, The Outher Limits, Lawnmower Man, Ray Kurzweil, Cyberware, Cyberpunk
So, after the "Lone Gunmen", and "The Outer Limits - Sex And Science Fiction Collection" it was about time we go beyond cyberspace with the second part of the "Lawnmower man" a classic techno thriller, with a lot of VR, Cyberpunks, and futuristic scenarious.
Favo quote from part one - "I find a way out, or I die in this diseased main frame" which is also worth watching as a matter of fact. I'm so excited of seeing Ray Kurzweil's views of the future in a DVD box. I am especially interested into Cyberware, and the biological adaptation with technologies. As a matter of fact, there have already been reported cases of people with implanted RFID chips, and while they wish they had Johnny Mnemonic's view of the Internet, that must be some kind of a joke. Picture yourself scanned and monitored wherever you go while walking around with a false sense of security. RFID is a lot of buzz, I feel the potential for information sharing, and resources cutting is outstanding, still, the levels of security or lack of understanding on the privacy implications is the biggest downsize so far.
Would we someday build an AI that would crawl the Universe forever colonizing the obeying the morale we learnt "it" to? I find this such a great idea :)
Some resources on Cyberware and Cyberpunks :
The Cyberpunk Project
Cyberpunk
"Cyberpunks in Cyberspace"
Cyberanarchists, Neuromantics and Virtual Morality
Cyberpunks and their online activities
Cyberpunk - Ebook
Cyberware Technology
Realistic and Affordable Cyberware Opponents for the Information Warfare BattleSpace
Cyberware Implants
Technorati tags :
Lone Gunmen, The Outher Limits, Lawnmower Man, Ray Kurzweil, Cyberware, Cyberpunk
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)