Heading in the opposite direction

April 05, 2006
Just one day before April 1st 2006 I came across this article :



"German retail banker Postbank will begin using electronic signatures on e-mails to its customers to help protect them from phishing attacks."



Catching up with the phishers seems a very worrisome future strategy. Electronic signatures by themselves are rarely checked by anyone, and many other attack vectors make the idea largely irrelevant. Moreover, a great research paper, "Why Phishing Works", was recently released; it outlines basic facts such as how end users don't pay attention to security checks, if there even is a definition of such given the attack vectors phishers have started using recently. In some of my previous posts, "Security threats to consider when doing E-Banking" and "Anti Phishing toolbars - can you trust them?", I mentioned many other problems related to this bigger-than-it-seems problem. Something else you should keep an eye on is the good old ATM scam, which I hope you are aware of.



Postbank is often targeted by phishers; still, the best protection is the level of security awareness stated here:



"Phishing attacks have led 80% of Germans to distrust banking related e-mails, according to TNS Infratest." Moreover, "Postbank's electronic signature service isn't possible with web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de"



Thankfully so, but that is when you are going in exactly the opposite direction from your customers while trying to establish a reputable bank-to-customer relationship over email. Listen to your customers first and follow the trends; do not try to turn the most popular dissemination vector into a future communication channel.



Something else on recent phishing statistics: the key summary points of the Anti-Phishing Working Group's (APWG) recently released report for January 2006:



• Number of unique phishing reports received in January: 17,877
• Number of unique phishing sites received in January: 9,715
• Number of brands hijacked by phishing campaigns in January: 101
• Number of brands comprising the top 80% of phishing campaigns in January: 6
• Country hosting the most phishing websites in January: United States
• Sites containing some form of the target name in the URL: 45%
• Sites with no hostname, just an IP address: 30%
• Sites not using port 80: 8%
• Average time online for a site: 5.0 days
• Longest time online for a site: 31 days
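Three of the summary lines above (target name in the URL, bare IP address instead of a hostname, non-standard port) are properties you can check on a URL before anyone clicks it. The following is an added example, not code from the APWG report or from this post, that extracts those three indicators from a URL and computes the same kind of percentages over a list. The brand-to-domain table and the sample URLs are constructed for the example (RFC 5737 test addresses and example.net hosts); the report counts sites "not using port 80", and the example additionally treats 443 as a standard port.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed brand list (an assumption for this example, not report data):
# a keyword a phisher may embed in a URL, mapped to the domains that
# legitimately serve that brand.
BRAND_DOMAINS = {
    "postbank": {"postbank.de"},
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.de"},
}

# Constructed sample URLs using RFC 5737 test addresses; not real sites.
SAMPLE_URLS = [
    "http://192.0.2.10/postbank/login.php",
    "http://www.postbank.de.example.net:8080/",
    "https://www.postbank.de/",
    "http://secure-paypal.example.net/cgi-bin/webscr",
    "http://198.51.100.7:81/ebay/signin",
]


def host_is_ip(host):
    """True when the host part is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_belongs_to(host, domains):
    """True when host is one of the legitimate domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(url):
    """Return the names of the report's URL indicators that this URL triggers."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    indicators = []
    if host_is_ip(host):
        indicators.append("ip_address_host")
    try:
        port = parsed.port
    except ValueError:  # malformed port string; treat as absent
        port = None
    # The report counts sites not on port 80; 443 is also treated as standard here.
    if port is not None and port not in (80, 443):
        indicators.append("nonstandard_port")
    lowered = url.lower()
    for brand, domains in BRAND_DOMAINS.items():
        # A brand keyword anywhere in the URL, on a host the brand does not own.
        if brand in lowered and not host_belongs_to(host, domains):
            indicators.append("brand_name_in_url:" + brand)
    return indicators


def summarize(urls):
    """Percentage of URLs triggering each indicator, like the report's summary lines."""
    counts = {"ip_address_host": 0, "nonstandard_port": 0, "brand_name_in_url": 0}
    for url in urls:
        found = {name.split(":")[0] for name in phishing_indicators(url)}
        for name in found:
            counts[name] += 1
    return {name: round(100.0 * n / len(urls), 1) for name, n in counts.items()}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", phishing_indicators(url) or "no indicators")
    print(summarize(SAMPLE_URLS))
```

The brand check deliberately looks at the whole URL, not just the hostname, because the report's 45% figure covers target names placed in the path as well as in look-alike hostnames; the subdomain test is what keeps `www.postbank.de` clean while flagging `www.postbank.de.example.net`.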




I feel there's a lot more to expect than trying to re-establish the communication over a broken channel, as far as E-banking is concerned.



More resources you might be interested in taking a look at are :
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks
Netcraft: More than 450 Phishing Attacks Used SSL in 2005
SSL's Credibility as Phishing Defense Is Tested
Rootkit Pharming
The future of Phishing
Something is Phishy here...
Phishing Site Using Valid SSL Certificates
Thoughts on Using SSL/TLS Certificates as the Solution to Phishing




Securing political investments through censorship

April 05, 2006
I try to blog extensively on various privacy and Internet censorship related issues affecting different parts of the world, or to provide comments on the big picture the way I see it.



Spending millions -- 6 million euro here, and I guess you also wouldn't let someone spread the word on whether the cover is fancy enough for a vote or not -- on political campaigns to directly or indirectly influence the outcome of an election is a common practice these days. Trying to build a wall around a government's practices, on the other hand, is like having a tidal wave of comments smashing against it. I recently came across the following article:



"Singapore has reminded its citizens that web users who post commentary on upcoming elections could face prosecution. Election commentary is tightly controlled under Singaporean law; independent bloggers may comment on the election, but must register their site with the Media Development Authority (MDA)."



I'm so not into politics -- and try not to -- but threatening with prosecution on commentary, registering users, while not first "introducing yourself" as "During the November 2001 elections, Singapore's political parties limited their use of the Internet to posting schedules and candidate backgrounds." isn't the smartest long-term political strategy ever, don't you think?



More resources on the state of censorship in Singapore worth checking out are :

Internet Filtering in Singapore in 2004-2005: A Country Study
EFF "Censorship - Singapore" Archive
Censorship in Singapore
To Net or Not to Net: Singapore’s Regulation of the Internet
Censorship Review Committee 2002/2003
The Internet and Political Control in Singapore




Insider fined $870

April 05, 2006
Insiders still remain an unresolved issue, where the biggest trade-off is the loss of productivity and trust in the organizational culture. According to the Sydney Morning Herald :



"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has upheld a lower court's guilty verdict against Yan Yifan for selling stolen passwords and virtual goods related to the online game "Da Xihua Xiyou." The court upheld a $870 US fine, arguing that victimized players had spent time, energy, and money to obtain the digital items Yan sold. Yan stole the players' information while an employee for NetEase.com, the company behind the game."



So, it's not just 0days, Ebay/PayPal accounts, and spyware market entry positions for sale -- but virtual world goods as well.



While it's not a top espionage case, or one comparable to the recent arrest of "two men, identified as Lee and Chang, on charges of industrial espionage for downloading advanced mobile phone designs from employer Samsung for sale to a major telecommunications firm in Kazakhstan", insiders still represent a growing trend that, according to the most recent FBI 2005 Computer Crime Survey, cost businesses $6,856,450.


Then again, failing to adequately quantify the costs may either fail to assess the situation or twist the results based on unmaterialized but expected sales; according to the company, "Samsung could have suffered losses of $1.3 billion US had the sale been completed." Trust is vital, and so is the confidence in Samsung's business case.




The "threat" by Google Earth has just vanished in the air

April 05, 2006
Or has it actually? In one of my previous posts, "Security quotes : a FSB (successor to the KGB) analyst on Google Earth", I mentioned the usefulness of Google Earth to the general public and the possibility of it assisting terrorists. The most popular argument for how useless publicly available satellite imagery is holds that it provides neither high-resolution images nor recent data -- unless, of course, you request them -- but doesn't it bother you that here we have a street-side drive-by POC?



The recently introduced Windows Live Local street-side drive-by (A9's maps have been around for quite a while) is setting a new benchmark for interactive OSINT -- if any, as this is also a privacy violation that could be compared with efforts like these if it were in real time. Having had several conversations with a friend who is way more into satellite imagery than I am, I've realized that targeting a well-known or a movie-plot location doesn't really require satellite imagery. I find that today's sources basically provoke the imagination and self-confidence -- and hopefully nothing more!


There have been numerous articles on the threat posed by Google Earth, and India seems to be the most concerned country about this for the time being :



"Chief of the Indian Army General J.J. Singh warns that Google Earth could endanger national security by providing high resolution photographs of strategic defense facilities. The software could prove especially useful to countries that do not have their own satellite capabilities. Singh called Google Earth a shared concern for all countries, requiring all countries to cooperate to address the issue. Indian President APJ Abdul Kalam has also expressed concerns over Google Earth and national security."



You can spend hours counting the cars in the NSA's parking lot through public satellite imagery resources; still, you would never get to see what's going on in there. I guess things have greatly changed since the days when tourists sent to the USSR, or the other way round, to the U.S., would try to get hold of as many maps as possible to finish the puzzle.



In some of my previous posts on Cyberterrorism, I said that terrorists are not rocket scientists until we make them feel so, and I'm still sticking to this statement, what about you? As a matter of fact, Schneier is inviting everyone to participate in the Movie-Plot Threat contest -- stuff like terrorist EMP warfare, Nuclear truck bombs (the same story from 3 years ago), and other science fiction scenarios worth keeping an eye on.



Terrorism is a profitable paranoia these days, constantly fuelling further growth in defense and intelligence spending, as satellite imagery is promoted for the bust of Bin Laden, whereas their infrastructure seems to be pretty safe, doesn't it? (More photos, 1, 2, 3, 4, 5, 6) I'd rather we had known parties as an adversary, the way it used to be during the Cold War, whose competition sent us into space and landed us on the Moon, instead of seeing terrorists everywhere and missing the big opportunity.




Wanna get yourself a portable Enigma encryption machine?

April 03, 2006
Hurry up, you still have 5 hours to participate in the sale at Ebay as the BetaNews reported "eBay has long been a purveyor of the unusual and the unique, but it's not often an authentic piece of tech history captures as much attention as the Enigma 3 portable cipher machine that has racked up bids of almost 16,000 euros. The Enigma device was used extensively by Nazi Germany during World War II."



The Enigma machine was a key success factor for the Germans during WWII, until of course its messages started getting deciphered; it's great someone managed to preserve and resell one. Today's situation is entirely different: an average Internet user can easily encrypt data to military standards with public tools, and Phil Zimmermann's PGP has been causing trouble for governments across the world since its release.


However, what the majority of end users don't realize is that key length and passphrase quality mean nothing when law enforcement is sometimes empowered to use spyware, and that quantum cryptography is also subject to attacks. Client-side attacks and social engineering don't take any key length into consideration -- just naivety. In one of my previous posts, "Get the chance to crack unbroken Nazi Enigma ciphers", I mentioned the existence of a distributed project to crack unbroken Nazi ciphers that you can freely participate in. Being totally paranoid about my favorite SETI@home, you should also consider the possibility of a SETI hacker -- which partly happened in Contact, if you recall.




March's Security Streams

March 31, 2006
A quick summary of March's Security Streams ( January, February ). It was an unbelievably busy month, and while I'm multitasking and diversifying on a daily basis, I'm certain you've enjoyed this month's streams, thanks for all the feedback you've been sending, it's a small world if you just let yourself realize it!



1. "DVD of the (past) weekend" The Lawnmower man -- God made him simple, Science made him God!



2. "February's Security Streams" a summary of all the posts during February



3. "Anti Phishing toolbars - can you trust them?" Recent phishing trends and the usefulness of anti-phishing toolbars discussed -- at the bottom line the complexity of the relatively simple concepts seems to ruin the whole effect, but wish phishing was that simple!



4. "Data mining, terrorism and security" Commentary on NSA's data mining interests and the still active Total Information Awareness program. Data mining is a very popular trend towards fighting terrorism -- and too ambitious, whereas storage of someone's life in a digital form is getting even cheaper, making sense of it all in a timely fashion still remains the biggest problem



5. "5 things Microsoft can do to secure the Internet, and why it wouldn't?" That's the second most popular post this month, right after "Where's my 0day, please?". Basically, it gives an overview of key points Microsoft could execute in order to secure the insecure-by-default Internet, and why it wouldn't. The post isn't biased at all; it's just the fact that their QA procedures open up the most easily exploited windows of vulnerability ever -- client-side attacks on the IE browser. As a matter of fact, Fortune's latest issue interviewed Steve Ballmer in its QuestionAuthority column -- an important fact MS's investors should keep in mind regarding the future competitiveness of the company is how Ballmer's kids are forbidden from using iPods and Google, which is very sad



6. "The Future of Privacy = don't over-empower the watchers!" We sacrifice our privacy, or have it abused, on a daily basis in order to function in today's digital society, whereas there's nothing groundbreaking as a future trend besides giving too much power to the Watchers ensuring our "Security vs Privacy or what's left from it"



7. "Where's my 0day, please?" Introducing the International Exploits Shop and providing relevant comments on the current state of the market for software vulnerabilities -- I wonder whether the infomediaries are already talking about or realizing the potential for a 0bay auction model, as given the growing number of both sellers and buyers such a model would sooner or later emerge. If it does not, you will continue coming across or digging for sites offering fresh 0day exploits that have the capacity to keep the media echo going for yet another several weeks. CERT is totally out of the question, end users don't know what is going on, and everyone is trying to cash in on being a vulnerability digger, not a researcher!



8. "DVD of the Weekend - The Immortals" Forget entertainment and enjoy this visionary adaptation of Enki Bilal's Nikopol Trilogy



9. "Security vs Privacy or what's left from it" Sacrifices drive success to a certain extent, whereas security shouldn't be sacrificed for privacy, at any cost!



10. "Old physical security threats still working" The old physical security trick of abusing a CD/DVD's autostart feature to install malware on the PC seems to be fully working even today, which isn't a big surprise at all. Physical security threats have greatly changed on the other hand, as employers themselves have realized the possibility of insider abuse. And while you might be a little more secure from threats like these, at the end of the day you'll probably have your boss snooping around to find out where that abnormal P2P traffic is coming from :)



11. "Getting paid for getting hacked" Cyber insurance seems very attractive, and it really is: have your company's databases stolen and you'll get a premium for it; receive a DDoS extortion letter and get it paid with a smile on the herder's face. Moreover, considering the big picture, I feel you'd rather have a security vendor take care of the consultation process, with the idea that their revenues will at least be spent on R&D security investments, compared to an insurance company -- or that's how I see it at least



12. "Successful communication" Dilbert rocks my world; my most important point on commercializing vulnerability research is how it's happening at exactly the worst moment ever. The immature concept of reporting vulnerabilities and the economics of the process itself didn't really need money in between. In the eyes of these vendors, which as a matter of fact go through my posts, I am a naysayer, and I'm not. I'm just trying to keep up a constructive discussion, and the results of it will soon be posted here



13. "Weekend Vibes - Psychedelic/Goa Trance" My music evolution went through Rainbow, Deep Purple, started getting "hard" with Metallica, Off Spring, Guano Apes, to today's mix of alternative, classic rock and psychedelic/goa trance. No matter how your taste changes, don't forget where you've started from



14. "Is a Space Warfare arms race really coming?" Yes, it is, and the more awareness is built on this issue, the higher the public discussion and, hopefully, the transparency of the activities. I find secrecy a double-edged sword for an intelligence/military agency, as sometimes you just need to hear an average person's opinion on your megalomaniac ambitions. But given you are sincerely backed up by a budget of a couple of billion dollars, your purchasing power becomes a bad habit of yours



15. "The Practical Complexities of Adware Advertising" Advertising players simply cannot periodically evaluate the maliciousness of their members, as they would lose the scale necessary to keep revenues growing. The participants, on the other hand, are indeed getting ads and paid for displaying them, and of course questionable content from time to time. Searching around the IAB's site, however, you won't find any info on spyware/adware in today's booming online advertising market



16. "Privacy issues related to mobile and wireless Internet access" Both end users and companies are "going mobile", and therefore the possibilities for privacy violations and physical location exposure are getting even more relevant



17. "DVD of the Weekend - War Games" A little something on the movie and the recent "yet another Microsoft IE 0day in the wild" case



18. "Are cyber criminals or bureaucrats the industry's top performer?" Paper tigers have an unprecedented effect on the loss of productivity and a society's progress -- the worst thing is how much they actually enjoy it! A very resourceful post that covers some important issues to keep in mind



19. "Visualization in the Security and New Media world", or why a picture is worth a thousand packets



UPDATE : Here are the unique and returning visitor graphs for the last several months, the outcome? Learn to understand your readers and how to retain them, thank you all for expressing your comments, contacting me, and keeping the discussion going!





Visualization in the Security and New Media world

March 31, 2006
Information visualization seems to be a growing trend in today's knowledge driven, and information-overloaded society. The following represents a URL tree graph of the Security Mind Streams blog -- looks resourceful! Want to freely graph your site/blog? Take advantage of Texone's tree, just make sure you don't forget to press the ESC key at a certain point.



In my first post related to "Visualization, intelligence and the Starlight project" I introduced you to a fully realistic and feasible solution for filtering important indicators, whatever the reason. Moreover, I also came across a great visualization of malware activity in another post summarizing malware trends around February. What I'm truly enjoying is the research effort put into the concept by both security/IT professionals and new media companies realizing the current state of the mature text-based Web.



Ever wanted to see how noisy connect() scans actually are? Although the idea is in an early stage of its development, people are already experimenting with it; find out more by going through the "Passive Visual Fingerprinting of Network Attack Tools" paper.


Things are getting much more quantitative and in-depth in another recommended reading on the topic "Real-Time Visualization of Network Attacks on High-Speed Links" whose purpose is to "show that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP address, and the destination port in a 3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined with the fact that only three header fields per each packet need to be examined, a fast attack detection and classification algorithm can be devised."



Presented at this year's BlackHat con, "Malware Cinema, a Picture is Worth a Thousand Packets" provides many more fancy visualization concepts related to malware. Originally presented by Gregory Conti; you can also download the associated resources, and keep an eye out for the audio in case you didn't attend the con.



As far as new media is concerned, I'm so impatient to witness more developments given how boring I find any of the browsers I've used so far -- and there're a lot of developments going on as always! Virtual worlds have the potential to change the face of the Web, the text/image based one the way we know it.



Remember how the federal agents were chatting face-to-face with the malicious attacker through the innovative, programmed-for-the-masses browser in NetForce? Hive7 is the 2006 alternative, and if you spend some time with it you'll be impressed by its potential -- say goodbye to the good old IRC?



UPDATE : LinuxSecurity.com picked up the post "Visualization in the Security and New Media world"



More resources can also be found at :

CAIDA Visualization Tools
NAV - Network Analysis Visualization
Digital Genome Mapping - Advanced Binary Malware Analysis
A Visualization Methodology for Characterization of Network Scans
NVisionIP : An Interactive Network Flow Visualization Tool for Security
Exploring Three-dimensional Visualization of Intrusion Detection Alerts and Network Statistics
Attacking Information Visualization System Usability Overloading and Deceiving the Human
Security Event Visualization and Analysis - courtesy of CoreLabs
A Visualization Paradigm for Network Intrusion Detection
FireViz: A Personal Firewall Visualizing Tool - the FireViz project




Are cyber criminals or bureaucrats the industry's top performer?

March 27, 2006
Last week, I came across a great article at Forbes.com, "Fighting Hackers, Viruses, Bureaucracy", an excerpt :



"Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it."



Basically, it provides more info on how bureaucracy tends to dominate and how security often ends up in the "backseat". Moreover, Paul Kurtz, executive director of the Cyber Security Industry Alliance, and its members with multi-billion market capitalizations can indeed become biased on certain occasions.


Still, he provides his viewpoint on important legislative priorities :



- setting national standards for data breach notification

PrivacyRight's "Chronology of Data Breaches Reported Since the ChoicePoint Incident" keeps growing with Fidelity's recent loss of a laptop. Standards for data breach notification are important, and the trend is growing, with more states adopting the legal obligation to notify customers in case their personal information is breached -- given they are actually aware of the breach. Moreover, with companies wondering "To report, or not to report?", and let me add "What is worth reporting?", Uncle Sam has a lot of work to do that will eventually act as a benchmark for a great number of developed and developing countries. Personal data security breaches are inevitable given the unregulated ways of storing and processing the data -- or is it just too many attack vectors that malicious identity thieves can take advantage of these days? E-banking is still insecure, and protection against phishing seems too complicated for the "average victim". Compliance means expenses as well, so it had better be a long-term one, if one exists given today's challenging threatscape.



- a law on spyware

Do your homework and try to bring some sense into who's liable for what. Claria obviously isn't, and it's not just pocket money we're talking about here. Spyware legislation is a very interesting topic that I also find quite contradictory: laws change quite often, but given the Internet's disparate international laws, or the lack of such, a spyware/adware vendor's business practices may actually be legal under specific laws, or in the simple absence of them.



- and ratification of the Council of Europe's Convention on Cybercrime

That's important -- the Convention on Cybercrime, I mean -- but would they go as far as ratifying Europe's well-known privacy laws, which are stricter than those of the U.S.? Excluding data retention legislation and various other privacy issues to keep in mind, there's this tiny sentence in Google's privacy policy, "Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country", which makes it so virtually easy to bypass a nation's privacy regulations that I wonder why it hasn't received the necessary attention already. On the other hand, we have Interpol acting as a common cybercrime body, which according to a recent article says:



"We need an integrated legal framework to exchange data. A lot of legislation doesn't consider a data stream as evidence, because the evidence is hidden behind 0s and 1s. We have to rethink the legislative framework".


There is already one, and that's NSP-SEC: a volunteer incident response mailing list which coordinates the interaction between ISPs and NSPs in near real time, tracks exploits and compromised systems, and mitigates the effects of those exploits on ISP networks.


Still, The Internet Storm Center remains the most popular Internet Sensor.



No matter how many security policies you develop and hopefully implement, at the bottom line you either need regulations or an insightful security czar in charge. And while the majority of industry players profitably provide perimeter-based defenses, going through "2004's Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" a decision-maker will hopefully start perceiving the problem from a different angle. While I find plain-text communications a problem, Bluecoat seems to be actively working in exactly the opposite direction. And while I find measuring the real cost of cybercrime rather hard, applying a little bit of marginal thinking still comes in handy. The future of privacy may indeed seem shady to some, and while data mining is definitely not the answer, sacrificing security for privacy shouldn't be accepted at all. Moreover, do not take a survey's results for granted, mainly because "There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year" -- from NetworkWorld's great article "It's raining IT security surveys".



To sum up, I feel in the security world it's the malicious attacker having the time and financial motivation to "spread ambitions" that outperforms, while in the financial world, it's Symantec that is the top performer - (Google Finance, Yahoo! Finance) with its constant acquisitions and trendy business strategy realizing the current shift towards convergence in the industry. Wish they could also diversify and take some market share of WetPlanet Beverage's Jolt Cola drink :)



Illustration by Mark Zug



UPDATE : This post was recently featured at LinuxSecurity.com "Are cyber criminals or bureaucrats the industry's top performer?"




DVD of the Weekend - War Games

March 27, 2006
Hi folks, as it's been a while since I last wrote a quality post, I feel it's about time I caught up with some recent events. What I'm currently working on is gathering a very knowledgeable bunch of dudes in order to open up a discussion on the emerging market for 0day vulnerabilities, and I'm very happy about the guys who have already shown interest in what I plan to do -- more on that during the week, or at the beginning of next week.



As you're all hopefully aware by now, yet another 0day IE vulnerability is in the wild, so either change your browsing habits for a little while (don't, or you lose the battle, as secure surfing is still possible to a certain extent), or consider switching to an alternative -- security through obscurity isn't the panacea for fighting the problem here, it's just a temporary precaution. On the other hand, I'm desperately trying to promote my RSS-compatible feed URL to make it easier for everyone to keep up to date with posts, whereas the majority of readers seem to enjoy reading the blog directly. I appreciate that!



As always, it's disturbing how "quality" always becomes the excuse for security, in respect to MS delaying patches (or is it just patches only?), whereas WebSense is already aware of over 200 web sites disseminating the exploit code; I wonder whether they are counting the hundreds of thousands of zombie PCs acting as propagation vectors. In one of my previous posts, "5 things Microsoft can do to secure the Internet, and why it wouldn't?", I tried to summarize some of my thoughts on the problem, while on the other hand things definitely change pretty fast as always -- for the good, I hope! Was the participants' secrecy in place in order not to get a "shame on you" look from fellow hackers? Whatever the reason, I doubt anyone is going to change their hats soon.



UPDATE :
Déjà Vu as Third Parties Ship IE Patches, and the patches themselves, while on the other hand it's great that anti-virus vendors have as well started detecting malicious sites using it.



Going back to this weekend's DVD (check out the previous DVDs and vibes as well), War Games not only shaped imaginations back in 1983 but acted as an important factor in the rise of another generation -- not wardialers, but wannabe hackers obsessed with command'n'control strategies such as Civilization 1 or Dune II, or at least that's how I remember it. Today's war games have another dimension, called Network-Centric Warfare, or military communications and control over IP, and while there's little chance an AI would malfunction and cause doomsday, human mistakes will always prevail. As always, SFAM seems to have reviewed the majority of cool movies, so check out the review.




Privacy issues related to mobile and wireless Internet access

March 21, 2006
I just came across a piece of research worth checking out by all the wardrivers and mobile/wireless Internet users out there. While it was written in 2004, "Privacy, Control and Internet Mobility" provides relevant info on an important topic: what kind of information is leaking and how it can be reduced. The abstract describes it as:



"This position paper explores privacy issues created by mobile and wireless Internet access. We consider the information about the user's identity, location, and the services accessed that is necessarily or unnecessarily revealed to observers, including the access network, intermediaries within the Internet, and the peer endpoints. In particular, we are interested in data that can be collected from packet headers and signaling messages and exploited to control the user's access to communications resources and online services. We also suggest some solutions to reduce the amount of information that is leaked."



A more in-depth overview on the topic can also be found in "A Framework for Location Privacy in Wireless Networks", an excerpt :



"For example, even if an anonymous routing protocol such as ANODR is used, an attacker can track a user's location through each connection, and associate multiple connections with the same user. When the user arrives at home, she will have left a trail of packet crumbs which can be used to determine her identity. In this paper, we explore some of the possible requirements and designs, and present a toolbox of several techniques that can be used to achieve the required level of privacy protection."



Mobile/wireless location privacy will inevitably emerge as an important issue given the growth of that type of communication, and the obvious abuses of it.




The Practical Complexities of Adware Advertising

March 21, 2006
A report released by the Center for Democracy and Technology yesterday, "How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend", outlines the practical complexities of adware advertising. It gives a great overview of the parties involved, discusses a case study "CDT engages the advertisers", and outlines a possible solution, namely Adoption and Enforcement of Advertising Placement Policies. Here's an excerpt from the research findings :



"At this point, CDT has set a low bar by merely asking a small group of companies to contact us to discuss their advertising policies in the context of nuisance and harmful adware. We are working to increase awareness of the complex business models associated with nuisance and harmful adware, and we are pointing advertisers to policies and criteria that already exist as a step towards creating and enforcing their own policies. It is also imperative that advertising networks engage in self-regulation in order to aid in this endeavor. Initiatives such as the TRUSTe Trusted Download Program can help to set certification standards and provide public criteria for evaluating adware makers. Advertisers must demand strict compliance from their affiliates and refuse to work with blind networks and other networks that cannot commit to following stringent advertising policies. Without advertising dollars, there would be no nuisance or harmful adware. CDT is committed to working with advertisers to stem the tide of this nefarious form of software."



Now, if major advertising platforms start measuring the maliciousness of the Web, namely evaluating the participants' condition on a regular basis, they will lose the scale necessary for generating the billions of dollars that let them, sort of, live with click-fraud. In respect to future online advertising trends, I feel that a cost per performance/action model would sooner or later emerge, given successful collective bargaining by all the participating sites -- I really hope so!



How it would influence Google's ability to perform financially, and contribute to the growth of Web 2.0, being among the few companies born in it, is yet another topic to speculate on. As a matter of fact, Google recently launched Google Finance, still I miss what all the buzz is about; compared to Yahoo! Finance, Google still has a lot of work to do, given they actually want to position themselves as Yahoo! 2.0 in respect to turning into an Internet portal -- which I doubt, as they tend to be rather productive while disrupting.



Great report, so consider going through it. And, in case you're interested in learning more about the different spyware/adware legislations, current and future trends, you can also check Ben Edelman's and Eric Goldman's outstanding research on the topic.



The post recently appeared at Net-Security.org - "The practical complexities of adware advertising"



More resources can also be found at :

Spyware/Adware Podcasts
Top 10 Anti Spyware Apps reviewed
Clean and Infected File Sharing Programs




Is a Space Warfare arms race really coming?

March 20, 2006
In one of my previous posts "Who needs nuclear weapons anymore?" I was emphasizing another, much more asymmetric, still dangerous alternative, EMP weapons. I came across a recent Boston.com article titled "Pentagon eyeing weapons in space" that gives a relevant overview of the current state of the U.S.'s ambitions, an excerpt :



"The Pentagon is asking Congress for hundreds of millions of dollars to test weapons in space, marking the biggest step toward creating a space battlefield since President Reagan's long-defunct ''star wars" project during the Cold War, according to federal budget documents."



as well as some of the projects the request is going to be spent on :



-"One $207 million project by the Missile Defense Agency features experiments on micro-satellites, including using one as a target for missiles. This experiment ''is particularly troublesome," according to the joint report, ''as it would be a de-facto antisatellite test." "
-"A project description says the Air Force would test a variety of powerful laser beams ''for applications including antisatellite weapons."

-"The agency also has asked Congress for $220 million for ''Multiple Kill Vehicles," a program that experts say could be proposed as a space-based missile interceptor."

-"Meanwhile, the Air Force wants $33 million for the Hypersonic Technology Vehicle, envisioned as space vehicle capable of delivering a military payload anywhere on earth within an hour, according to an official project description."



Big government contractors (with the majority of their past revenues secured by government contracts) such as Northrop Grumman and Lockheed Martin are more than eager to get hold of implementing these projects and launching them into space.



I highly recommend reading Space Warfare Foolosophy: Should the United States be the First Country to Weaponize Space? if you want to go through a very good point of view -- it's all about politics and who feels like getting superior. An arms race is slowly emerging, and that's the disturbing part!



As a matter of fact, SFAM from CyberpunkReview.com has recently featured a review of one of the best X-Files episodes, "Kill Switch", where the main characters try to escape an AI playing with leftover Star Wars military orbital lasers.



More resources can also be found at :

Orbital Weaponry
Space Based Weapons
Space Warfare Weapons
SpaceWar.com
Militarization and Weaponization of Space
Space and Electronic Warfare (ELINT) Lexicon
Gyre's Space Warfare section
Directed Energy Warfare -- Space Age Weapons
Secret Orbiter System Revealed
Military Transformation Uplink: March 2006
Anti-Satellite Weapons
Military Space Programs
Space Weapons For Earth Wars
The Revolution in War (227 pages)
A Political Strategy for Antisatellite Weaponry
Space Weapons - Crossing the U.S Rubicon
Preventing the Weaponization of Space
Space Weapons: The Urgent Debate
Satellite Killers and Space Dominance
The Advent of Space Weapons
US Space Command Vision for 2020
China's Space Capabilities and the Strategic Logic of Anti-Satellite Weapons

U.S. Air Force Plans for Future War in Space - 2004
Space Warfare in Perspective - 1982




"Successful" communication

March 17, 2006
You know Dilbert, don't you? I find this cartoon a very good representation of what is going on in the emerging market for software vulnerabilities, and of course its OTC trade practices -- total miscommunication and different needs and opinions. Different opinions and needs provoke quality discussion, and I understand the point that everyone is witnessing something huge happening, "so why shouldn't I?", but at the bottom line it's so obvious that there isn't any sort of mission or social welfare goal to be achieved, and that everyone is commercializing what used to be the "information wants to be free" attitude.



Weren't software vulnerabilities supposed to turn into a commodity, given the number of people capable of discovering them and actually doing so, where "windows of opportunity" get the highest priority as a con? That is, compared to commercializing vulnerability research, empowering researchers to the skies, turning vulnerabilities into IP, totally decentralizing the current sources of information, and fueling the growth of underground models, as it's obvious that for the time being vulnerabilities and their early acquisition seem to be where the $ is. What do you think?




Getting paid for getting hacked

March 17, 2006
In the middle of February, Time Magazine ran a great article on Cyberinsurance or "Shock Absorbers", and I feel this future trend deserves a couple of comments, from the article :



"As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The need for cyberinsurance has only increased as hackers move away from general mischief to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party coverage will help companies pay for recovery after an attack or even to pay the extortion for threatened attacks, while third-party coverage helps pay legal expenses if someone sues after a security breach. Demand for insurance is also driven by laws in over twenty states that require companies to notify consumers if a breach compromises their personal data. However, prevention is still the top priority for most companies, since loss of critical data to competitors would do damage beyond the payout of any policy."



Cyber insurance seems to be an exciting business with a lot of uncertainty compared to other industries with more detailed ROIs, as I feel the information security one is missing a reliable ROSI model. I once blogged about why we cannot measure the real cost of cybercrime, and commented on the same issue in "FBI's 2005 Computer Crime Survey - what's to consider?". Don't get me wrong, these are reliable sources for various market indicators, still the situation is, of course, even worse.


But how do you try to value security at the bottom line?



Bargaining with security, and negotiating its cost is projectable and easy to calculate, but whether security is actually in place or somehow improved, seems to be a second priority -- bad bargaining in the long-term, but marketable one in the short one.



Going back to the article, I hope there aren't any botnet herders reading this, especially the first-party coverage point. To a certain extent, that's a very pointless service, as it fuels the growth of DDoS extortion: now it's the insurer having to pay for it, meaning there are a lot of revenue streams to be taken by the cybergang. While covering the expenses of extortion attempts is very marketable, it clearly highlights how immature the current state of the concept really is. Something else to consider is that a lot of companies reasonably take advantage of MSSPs with the idea of forwarding risk/outsourcing their security to an experienced provider, and most importantly, budgeting their security spending. And while California's SB 1386 is an important factor for the growth of the service given the 20 states participating, with the number of stolen databases from commercial, educational and military organizations, insurers will start earning a lot of revenue that could perhaps have been spent on security R&D -- which I doubt they would spend it on, would they?



UPDATE:
The post has just appeared at Net-Security.org - "Getting paid for getting hacked", as well as LinuxSecurity.com - "Getting paid for getting hacked"



Related resources :

Cyber-Insurance Revisited
Economics and Security Resource Page
WEIS05 WorkShop on Economics and Information Security - papers and presentations
Valuing Security Products and Patches
The New Economics of Information Security
Safety at a Premium
Cyber Insurance and IT Security Investment Impact on Interdependent Risk
Network Risks, Exposures and Solutions




Old physical security threats still working

March 16, 2006
In "The Complete Windows Trojans Paper" that I released back in 2003 (you can also update yourself with some recent malware trends!) I briefly mentioned the following possibility as far as physical security and malware were concerned :



"Another way of infecting while having physical access is the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM, it automatically starts with some setup interface; here's an example of the Autorun.inf file that is placed on such CDs:

[autorun]
open=setup.exe
icon=setup.exe

So you can imagine that while running the real setup program a trojan could be run VERY easily, and as most of you probably don't know about this CD function they will get infected and won't understand what happened and how it's been done. Yeah, I know it's convenient to have the setup.exe autostart, but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following: Start Button -> Settings -> Control Panel -> System -> Device Manager -> CDROM -> Properties -> Settings"
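The Autorun.inf mechanism quoted above, as an added defender-side example (this is not code from the paper or the post): it parses an Autorun.inf and reports every directive that would launch a program when the disc is inserted, and decodes the NoDriveTypeAutoRun policy bitmask that switches autorun off per drive type. The sample .inf is constructed for the example; the drive-type bit values are the standard Windows ones.

```python
import configparser

# Standard Windows drive-type bits honoured by the NoDriveTypeAutoRun policy
# value (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer).
# A set bit disables autorun for that drive type; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "unrecognized": 0x80,
}

# Constructed sample Autorun.inf: the innocent-looking setup entry from the
# paper, plus a second launch path hidden behind a right-click verb.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=setup.exe
icon=setup.exe
label=Free Demo Games
shell\\explore\\command=setup.exe /silent
"""

# Keys that make Windows run something as soon as the disc is inserted.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (directive, value) pairs from an Autorun.inf that launch a program.

    Windows matches the [autorun] section and its keys case-insensitively, so
    everything is normalised to lower case before comparison. Keys that only
    affect presentation (icon=, label=) are ignored.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",), allow_no_value=True
    )
    parser.optionxform = str.lower  # case-insensitive keys, like Windows
    parser.read_string(text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    launches = []
    for key, value in parser.items(section):
        if value is None:
            continue
        # shell\<verb>\command= entries run when that verb is picked from the
        # disc's context menu (or is set as the default action).
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            launches.append((key, value.strip()))
    return launches


def autorun_disabled_for(no_drive_type_autorun, drive_type):
    """True if the policy value switches autorun off for the given drive type."""
    return bool(no_drive_type_autorun & DRIVE_TYPE_BITS[drive_type])


if __name__ == "__main__":
    for key, value in parse_autorun(SAMPLE_AUTORUN_INF):
        print(f"would launch: {key} -> {value}")
    # 0x91 leaves the CD-ROM bit clear; 0xFF is the usual hardening setting.
    for policy in (0x91, 0xFF):
        state = "off" if autorun_disabled_for(policy, "cdrom") else "ON"
        print(f"NoDriveTypeAutoRun=0x{policy:02X}: CD-ROM autorun {state}")
```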




and another interesting point :


"I know of another story regarding this problem. It's about a Gaming Magazine that used to include a CD with free demo versions of the latest games in each new edition. The editors made a contest to find new talents and give the people programming games the chance to popularise their productions by sending them to the Editors. An attacker infected his game with a new and private trojan and sent it to the Magazine. In the next edition the "game" appeared on the CD and you can imagine the chaos that set in."


Things have greatly changed over the last three years; while it may seem that global malware outbreaks are the dominant trend, slow worms, 0day malware and any other "beneath the AV's radar" concepts seem to be the next pattern.



It's "great" to find out that the age-old CD trick still seems to be fully working, whereas I can't recall anyone saying "Hello World" to WMFs back then! TechWorld wrote a great article two days ago titled "Workers duped by simple CD ruse", an excerpt :



"To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. When a user ran the disc, the code on it prompted a browser window that opened a Web site, Chapman said. The site then tried to load an image from another Web site, Chapman said."



While we can argue how vulnerable an end user is to security threats these days, compared to physical security ones, there are lots of cases pointing out the targeted nature of attacks, and the simple diversification of attack methods away from what is commonly accepted as the current trend. My point is that if you believe the majority of threats are online based ones, someone will exploit this attitude of yours and target you physically.


And while I feel the overall state of physical security in respect to end users and their workstations has greatly improved with initiatives such as ensuring the host's integrity and IPSs, what you should consider taking care of is - who is capable of peeping behind your back and what effect it may have on any of your projects? 3M's Privacy Filters are a necessity these days, and an alternative to the obvious C.H.I.M.P. (monitor mirror). Be aware!



UPDATE - this post recently appeared at LinuxSecurity.com - Old physical security threats still working



More resources on physical security can also be found at :

19 Ways to Build Physical Security into a Data Center
Securing Physical Access and Environmental Services for Datacenters
CISSP Physical Security Exam Notes
Physical Security 101
SANS Reading Room's Physical Security section




Security vs Privacy or what's left from it

March 15, 2006
My latest privacy related posts had to do with "The Future of Privacy = don't over-empower the watchers!" and "Data mining, terrorism and security", in respect to the still active TIA and the hopes for effectiveness out of data mining. While these are important topics I feel every decent citizen living in the 21st century should be aware of, many still "think conspiracies" rather than real-life scenarios. At the bottom line, privacy violations for the sake of your security and civil liberties are a common event these days!



Today, I came across an article "Google must capitulate to DoJ, says judge" in relation to the DoJ's subpoena trying to get access to random sites and searches in order to justify its statement that anti-porn filters do not protect young children online.


The NYTimes is also running a story on this. What I truly liked is US District Judge James Ware's comment that he was reluctant to give the Justice Department everything it wanted because of the "perception by the public that this is subject to government scrutiny" when they type search terms into Google.com; that's right, but you would also be right to conclude that such requests would turn into a habit given Google's data aggregation power. It's a complex process to run the world's most popular search engine when everyone wants to take a bite from you; at least they have a hell of a motto to sort of guide them in future situations like this, but is it?



This time it's a misjudged online porn request that gets approved, next time, it would be Google against the terrorists, again, for the sake of your Security, one backed up by a little bit of glue as on the majority of occasions!




DVD of the Weekend - The Immortals

March 10, 2006
The Lawnmower Man : Beyond Cyberspace was among the several other classic techno thrillers I was watching, mostly remembering pleasant times from the past. I actually got in touch with SFAM from CyberpunkReview.com, and intend to contribute another point of view to his initiative, which I highly recommend keeping an eye on.



This weekend, I want to recommend you one of the best European film productions ever, namely Enki Bilal's adaptation of his Nikopol Trilogy - The Immortals.



Here's an excerpt from a review, and another one :
"New York City, year 2095. A floating pyramid has emerged in the skies above, inhabited by ancient Egyptian Gods. They have cast judgment down upon Horus, one of their own. Now he must find a human host body to inhabit, and search for a mate to continue his own life. Below, a beautiful young woman with blue hair, blue tears and a power even unknown to her, wanders the city in search of her identity. Reality in this world has a whole new meaning as bodies, voices and memories converge with Gods, mutants, extra-terrestrials and mortals."



The Matrix did shock, and set a new benchmark by combining Hollywood's passion for entertainment, and Japan's culture, still, European productions such as the 5th Element, and The Immortals, are on my hall of fame for effects and the stories themselves. Enjoy it!




Where's my 0day, please?

March 07, 2006
A site I was recently monitoring disappeared these days, so I feel it's about time I blog on this case. I have been talking about the emerging market for software vulnerabilities for quite some time, and it's quite something to see the concept happening right there in front of us. Check out the screenshots. The International Exploits Shop I came across looks like this :



It appears to be down now, while it has simply changed its location to somewhere else. Google no longer has it cached, and the only info on this wisely registered .in domain can be found at Koffix Blocker's site.



A lot of people underestimate the power of the over-the-counter (OTC) market for 0day security vulnerabilities. Given that there isn't any vulnerability auction in place that would provide a researcher with multiple proposals, and the buyers with a much greater choice or even social networking with the idea of possibly attracting skilled HR, the seller is making personal propositions with the idea of getting higher exposure from the site's visitors. Whoever is buying the exploit and whatever happens with it doesn't seem to bother the seller in this case.



As there is already emerging competition between different infomediaries that purchase vulnerability information and pay the researchers, researchers themselves are getting more and more interested in hearing from "multiple parties". Turning vulnerability research, and its actual findings, into IP and offering financial incentives is tricky, and no pioneers are needed in here!



There's been a lot of active discussion among friends, and over the Net. I recently came across a great and very recent research entitled "Vulnerability markets - what is the economic value of a zero-day exploit?", by Rainer Boehme, that's worth the read. Basically, it tries to list all the market models and possible participants, such as :



Bug challenges
- Bug challenges are the simplest and oldest form of vulnerability markets, where the producer offers a monetary reward for reported bugs. There are some real-world examples for bug challenges. Most widely known is Donald E. Knuth's reward of initially 1.28 USD for each bug in his TeX typesetting system, which grows exponentially with the number of years the program is in use. Other examples include the RSA factoring challenge, or the shady SDMI challenge on digital audio watermarking.



Bug auctions
- Bug auctions are a theoretical framework for essentially the same concept as bug challenges. Andy Ozment [9] first formulated bug challenges in the terms of auction theory, in particular as a reverse Dutch auction, or an open first-price ascending auction. This allowed him to draw on a huge body of literature and thus add a number of efficiency enhancements to the original concept. However, the existence of this market type still depends on the initiative of the vendor.



Vulnerability brokers
- Vulnerability brokers are often referred to as "vulnerability sharing circles". These clubs are built around independent organizations (mostly private companies) who offer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club.



Cyber insurance
- Cyber-insurance is among the oldest proposals for market mechanisms to overcome the security market failure. The logic that cures the market failure goes as follows: end users demand insurance against financial losses from information security breaches and insurance companies sell this kind of coverage after a security audit. The premium is assumed to be adjusted by the individual risk, which depends on the IT systems in use and the security mechanisms in place.



Let's try to define the market's participants, their expectations and the value added through their actions, if any, of course.



Buyers
-malicious (E-criminals, malware authors, competitors, political organization/fraction etc.)
-third party, end users, private detectives, military, intelligence personnel
-vendors (either through an infomediary, or directly themselves, which hasn't actually happened so far)



Sellers
-reputable
-newly born
-questionable
-does it matter at the bottom line?



Intermediaries
-iDefense
-ZeroDayInitiative
-Digital Armaments



Society
-Internet
-CERT model - totally out of the game these days?



As iDefense simply had to restore their position in this emerging market developed mainly by them, an offer for $10,000 was made for a critical vulnerability as defined by Microsoft. I mean, I'm sort of missing the point in here. Obviously, they are aware of the level of quality research that could be sold to them.


Still I wonder what exactly are they competing with :



- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that much socially oriented, but still it's an option?



- ensuring the proactive security of its customers through first notifying them, and then the general public? That doesn't necessarily secure the Internet, and sort of provides the clientele with a false feeling of security; "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?



- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?



- improving the company's client list through constant collaboration with leading vendors while communicating a vulnerability in their software products?



A lot of research publications reasonably argue that the credit for the highest social-welfare return goes to a CERT type of model. And while this is true, accountability and providing a researcher with the highest reward, both tangible and intangible, is what can also make an impact. As a matter of fact, is blackmailing a nasty option that could easily become reality in here, or am I just being paranoid?



To conclude, this very same shop is definitely among many others active out there for sure, so sooner or later we would either witness the introduction of a reputable auction based vulnerability market model, or continue living with windows of opportunity, clumsy vendors, and 0day mom-and-dad shops :) But mind you, turning vuln research into IP and paying for it would provide enough motivation for an underground 0bay as well, wouldn't it?



14.03.2006

OSVDB's Blog - Where's my 0day, please?
OSVDB's Blog - Vulnerability Markets



11.03.2006

LinuxSecurity.com - Where's my 0day, please?
FIRST - Where's my 0day, please?



10.03.2006 - Sites that picked up the story :

Net-Security.org - Where's my 0day, please?
MalwareHelp.org- The International Exploits Shop: Where's my 0day, please?
Security.nl - Internationale Exploit Shop levert 0days op bestelling
WhiteDust.net - Where's my 0day, please?
Reseaux-Telecoms.net - Danchev sur l'Achat de failles
Informit Network - 0-Days for Sale



09.03.2006 - Two nice articles related to the issue appeared yesterday as well, "Black market thrives on vulnerability trading", from the article :



"Security giant Symantec claims that anonymous collusion between hackers and criminals is creating a thriving black market for vulnerability trading. As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings. Graeme Pinkney, a manager at Symantec for trend analysis, told us: 'People have suddenly realised that there's now a profit margin and a revenue stream in vulnerabilities... There's an element of anonymous co-operation between the hacker and criminal.'"



and "The value of vulnerabilities", a quote :



"There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it."




The Future of Privacy = don't over-empower the watchers!

March 07, 2006
I blog a lot about privacy, anonymity and censorship, mainly because I feel not just concerned, but obliged to build awareness on the big picture the way I see it. Moreover, I find these interrelated, and excluding any of them would result in missing the big picture, at least from my point of view. Some posts I did that are worth mentioning are : "Anonymity or Privacy on the Internet?", "China - the biggest black spot on the Internet's map", "2006 = 1984?", "Still worry about your search history and BigBrother?", "The Feds, Google, MSN's reaction, and how you got "bigbrothered?", "Twisted Reality", "Chinese Internet Censorship efforts and the outbreak", and the most recent one, "Data mining, terrorism and security".



Yesterday, I read a very nice essay by Bruce Schneier "The Future of Privacy" and while I feel it has been written for the general public to understand, you can still update yourself on some of the current trends he's highlighting, mostly the digital storage of our life activities, and how possible it really is.


Some comments that made an impression on me though :

"The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video." - scary stuff, but so true!



"Today, personal information about you is not yours; it's owned by the collector." - if you were to question the practices of each and every "collector" you wouldn't be able to properly function in the 21st century.



"The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations." - typical Columbian style, still applicable in here.

"In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it is to pass laws regulating its generation, use and eventual disposal."



I agree on regulation, provided someone follows it and it's actually implemented; still, I feel it's all about balancing the powers of the public and the ruling parties. The more a government is empowered to invade privacy in one way or another, the higher the risk of them abusing their power, or even worse, having their communications infrastructure wiretap-ready for third parties.



UPDATE - this post recently appeared at LinuxSecurity.com - The Future of Privacy = don't over-empower the watchers!


