October 2010
82 posts
Internet Storm Center: SQL Slammer Clean-up:... →
“Each CERT is unique. They have varying levels of funding and organization, their missions are not consistent from one country to another, but they do have a couple of things in common. Most are clearing-houses for abuse-reporting. If your research into the owner and up-stream provider of an infected IP address isn’t turning up working contacts, they can usually help identify...
Vanity Fair: Ask a Hacker: Does The Girl Who... →
“The interesting thing is, everything that she does is completely plausible—it’s the way she does it that is for the most part completely nonsensical as a technical matter.”
Computerworld: IE6 addiction throws monkey wrench... →
‘And although Microsoft has made it clear it wants IE6 dead and buried, the company needs to help solve a problem it created when it released the non-standard browser, then pressed businesses to develop IE6-specific applications, said Michael Silver of Gartner.
“Microsoft would rather put the non-standard browser technology behind it,” Silver said in a recently published...
Bank Info Security: ID Theft: SARs On The Rise →
“The majority of identity theft incidents reported by U.S. financial institutions don’t relate to phishing attacks and spoofed website pages. According to a new ID theft report from the Financial Crimes Enforcement Network, most cases of ID theft are linked to a victim’s family members or coworkers.”
Erika Napoletano: You and Your Little Buzzwords →
“You and your buzzwords. They’re meaningless. They’re the uncooked spaghetti of marketing-speak: you throw them out there and they don’t stick, they just fall to the floor with a pathetic splat. And it’s because they no longer have meaning.”
threatpost: Inside Google's Anti-Malware Operation →
“To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The company then ties this in with the data that it gathers from its automated crawlers that are tasked with looking for malicious code on legitimate Web sites.”
The Tech Herald: Bredolab smashed by Dutch while... →
“The Bredolab botnet, pegged as one of the largest botnets of its kind, is responsible for Spam attacks that delivered Malware, often in the form of Rogue anti-Virus applications.”
Joe Menn in Boing Boing: Good news, of a kind,... →
If you’ve read Joe Menn’s book Fatal System Error, or heard him speak, you’ll recall the story of a researcher whose teenage daughter was kidnapped from her western country as a warning, to make him stop looking into criminal activities.
“What I’m offering today…was good news to me personally, and it will be good news to those of you who have read my book,...
The Security Skeptic: Misuse of Domain Privacy... →
“The studies show that a higher percentage of spammers use privacy protection services than registrants randomly selected from the general population, and that the percentage of spammers is consistent across our two study samples.”
Neil Schwartzman: RSA Conference &... →
“I’m a big fan of BankInfo Security and their sister site GovInfo Security. So, colour me chagrined when I recently was spammed about the RSA Conference in February to my CAUCE.org address (that’d be the Coalition Against Unsolicited Commercial Email!) and a brief investigation turns up that ismgcorp.com is behind the spam run.”
InformationWeek: White House Unveils Internet... →
“Specifically, the subcommittee is charged with keeping an eye on global privacy challenges and coming up with ways to meet them, and fostering cooperation between the United States and other countries to develop policies to handle issues that arise.
It also will work with the private sector to balance the needs of those doing business on the Internet with any privacy principles or...
Email Security Matters: WHOIS Woes →
“Over the last couple of weeks, I’ve been working on a project where I needed to determine the creation dates of various domains. Little did I know about the complexities involved in achieving such an apparently simple task.”
Mother Jones: The Democrats' Voter Privacy Fail →
“As of Monday, the web page provided the names of Democrats who voted in 2008 but who aren’t always regular voters, plus their phone numbers, ages, locations, and party affiliations. …Anyone can access the information without so much as logging in. And as it turns out, some conservative activists are doing just that.”
Techdirt: Focusing On Google Getting Emails &... →
‘If you understand the technology of what was happening, it would collect mostly useless fragments of info, but if it was passing by at the time that someone was transmitting something like that in an unencrypted format, then of course it would collect that bit of info. …this data is out in the open for anyone to take. Google didn’t “hack” anything, or do...
Terry Zink: Why you need large data sets to... →
“One vendor’s 0% vs another’s 0.04% looks bad but the reality is that it is one message. However, it is percentages that are published, not number of false positives in the latest test.”
Benlog: Facebook can and should do more to... →
‘…to be fair to Facebook and the apps: they probably didn’t do this on purpose. The WSJ’s specific wording, “transmitting”, is misleading, because it assigns intent where there probably wasn’t. That said, I don’t think Facebook is off the hook: when you run a 500M user platform, it’s your responsibility to protect your users’ privacy before the story breaks. To their credit,...
The Consumerist: Chase Sends Me Updates On Bank... →
‘I tried calling the phone number for their online services provided in the emails (after I verified it was legit on chase.com) and when I choose the appropriate menu option, “Receiving chase.com emails in error” they wanted me to input my account number before I could talk to a representative. I don’t have an account with chase, so you could see how that is a...
Umair Haque in the Harvard Business Review:... →
‘The unvarnished truth is that the fundamental assumptions behind “marketing” haven’t changed for decades. Though you may be using slightly more efficient channels (like “social media”), more “creative” ideas, or more productive mechanisms (like pay-per-click), it’s still a militaristic, adversarial school of thought that’s largely...
Krebs on Security: Pill Gangs Besmirch LegitScript... →
“In the third week of September, hundreds of domains were registered using the name, phone number and former business address of John Horton, founder of LegitScript, an Internet pharmacy verification service. The domains, many containing the word “adult,” all redirect to a handful of porn and bestiality sites….”
Computerworld: Man pleads guilty to using hack,... →
“James Bragg, 41, faces five years in prison and a $250,000 fine for orchestrating the hacking and spamming portions of the scheme, which ran between November 2007 and February 2009….
Bragg used a Russian botnet operator, named only as B.T. in court documents, to send the spam and to access hacked brokerage accounts and buy the penny stocks without the victim’s...
threatpost: The Inside Story of SQL Slammer →
In early 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft’s SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story...
Computerworld: Hacker hits Kaspersky website →
“Someone took advantage of a bug in a Web program used by the Kasperskyusa.com website and reprogrammed it to try and trick visitors into downloading a fake product, Kaspersky confirmed Tuesday.”
DarkReading: One-Time Passwords On The Rise But... →
“The use of one-time passwords (OTP) as a second factor of authentication is growing in popularity, but some experts warn if they are not deployed smartly, they could actually leave organizations less secure than if they had not used an OTP at all. Some critics point to Facebook’s deployment of OTP, announced last week, as a prime example.”
CNET: Facebook files three antispam lawsuits →
‘The lawsuits, filed Tuesday, allege that Jason Swan of Long Island, N.Y., had been running “more than 27 fake profiles, 13 fake pages, and at least 7 applications as part of an affiliate marketing advertising scam”; that Richter, also of Long Island, had been running about 40 fake profiles and 43 fake pages; and that the Canada-based Max Bounty Inc. had been...
All Spammed Up: Soft hyphens used to evade spam... →
“The problem stems from how browsers like Firefox treat text containing soft hyphens. The hyphens are represented by something called the SHY character. It gets its name from its representation in HTML – &shy;. Although industry standards dictate that soft hyphens should be treated as visible characters used in a specific context, it’s often treated as a hidden hyphenation hint. What...
slight paranoia: It is time for the web browser... →
“Three times over the past six months, web browsers’ referrer headers have played a major role in major privacy issues. Much of the attention has reasonably been focused on the websites that were leaking their users’ private data (in some cases, unintentionally, but at least in Google’s case, intentionally). It may be time to focus a bit of attention on the role that...
Anil Dash: There's No Such Thing as... →
‘It’s important to note that blaming technology for horrendous, violent displays of homophobia or racism or simple meanness lets adults like parents and teachers absolve themselves of the responsibility to raise kids free from these evils. By creating language like “cyberbullying”, they abdicate their own role in the hateful actions, and blame the (presumably...
Beau Brendler in Internet Evolution: ICANN... →
‘The limited range of ICANN’s “scope” here is nothing but a smokescreen. ICANN’s absence from the White House is just another example of the organization running to hide behind the nearest opaque object when questions come up about how it fails to enforce its own legal contract with registrars, called, mundanely enough, the Registrar Accreditation Agreement. Language in that agreement...
DarkReading: Bots Hard To Kill -- Even When... →
“Many bots never really get completely cleaned up, even after their botnet masters are shut off from communicating with them. Their users either don’t wipe out the bot software, or the machines also harbor other bot infections and ultimately get recruited for other botnets. Or in many cases, the machines are already poorly maintained — unpatched and improperly secured...
Terry Zink: United States Is the Most Bot-Infected... →
“Viewing the data this way, we can see that while there are more bots in the United States than any other country, the problem is not as widespread as others. So the statement that the US has the most bots depends on how you look at the problem.”
Wall Street Journal: Facebook in Online Privacy... →
“The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings. The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.”
Dark Reading: Facebook - why don't you learn a... →
“As alluring messages whirl around the site, spreading virally, more and more users are tempted into approving applications - even though they have no clue as to what they intend to do, or even who wrote them.”
Douglas Rushkoff at Care2: Who's in Charge - Our... →
“When a kid is taught a piece of software as a subject, she’ll tend to think of it like any other thing she has to learn. Success means learning how to behave in the way the program needs her to. Digital technology becomes the immutable thing, while the student is the movable part, conforming to the needs of the program in order to get a good grade on the test.”
BBC News: Bruce Schneier warns 'profits killing... →
“While the death of personal privacy had been predicted for a long time, rapid technological changes posed a mortal danger to it, he said.
Mr Schneier urged lawmakers to do more to help preserve and protect privacy.”
Seth's Blog: Getting smart about the hierarchy of... →
“Don’t talk to all your employees, all your users or all your prospects the same way, because they’re not the same.”
from a working library: On advertising →
“…it is the reading experience that brings people to the web, thereby making them available to the siren song of the advertisers; but it is the advertisers, who, in their effort to gain purchase over ever more significant corners of our brains, must distract and diminish the reading experience lest they be ignored. The story goes that every so often an advertiser surprises with a...
Bank Info Security: Zeus Strikes Mobile Banking →
‘Once online banking users logged in to access their accounts, they were asked to enter their mobile numbers and the makes of their mobile phones. A link was then SMS/text-messaged to the mobile users, who were each asked to click the alleged transaction-authentication/verification link contained within the text.
…This Zeus Trojan had the ability to manipulate a mobile...
NPR: The Zombie Network: Beware 'Free Public WiFi' →
‘Free Public WiFi isn’t set up like most wireless networks people use to get to the Internet. Instead, it’s an “ad hoc” network — meaning when a user selects it, he or she isn’t connecting to a router or hot spot, but rather directly to someone else’s computer in the area.
Though it doesn’t actually provide Internet access, the network has spread...
Email Security Matters: The Spam War Debate →
“In my opinion, the real problems lie at the head of the matter: the design of the Internet and the message transmission structure, and that little thing called money. The only true way to win the spam wars is to cut off both heads of the beast.”
The Day Before Zero: What’s in a Number? →
“For quite some time the security industry has been trapped in a cascade effect of ever increasing numbers. Driven by a requirement to maintain media attention, security teams have found themselves fixated in describing threat severity through the evidence of bigger numbers. Each worm, botnet, mass defacement or exploit needs to be bigger and (consequently) more severe than the...
BNET: Oops! Facebook’s New Groups Feature is a... →
“…because the social networking giant seems to have a pathological disdain for making features opt-in, the new Groups has become a way to conscript unwilling participants to obnoxious spam lists…just the kind of mistake a rookie web service would make.”
ISP Grub: Spam Headlines are Headline Spam →
‘Certain journalists covering the ISP sector have either become so bored by the “one man’s spam” discussion that they seem to have forgotten it even existed, or purposely recently ignored it to grab a quick headline, generate a reaction, and then produce an article that didn’t appropriately reflect the facts.’
Slate: You Must Forward This Story to Five Friends →
“The curious history of chain letters.”
The New Organizing Institute Education Fund: Don’t... →
‘You may have gotten solicitations…that essentially say, “Buy our emails, it will help you get more votes for your candidate.” It won’t. They will tell you that their emails are “opt-in.” They aren’t.’
techyum: Official: vb.ly Link Shortener Seized by... →
“It’s official: the Libyan government has seized vb.ly. This was done with no warning. Despite the fact that vb.ly was a one-page link-shortening service, Nic.ly (the registry for .ly domain reseller registrar Libyan Spider) informed us that the content of our website was offensive, obscene and illegal according to Libyan Islamic Sharia Law. Not the domain, but the content of the website...
Krebs on Security: FCC May Confront ISPs on Bot,... →
“…something like an ISP ‘code of conduct’ and best practice-oriented approach that ISPs could opt-in to or not, basically a standard of behavior for ISPs to follow when they find that a user of theirs has been infected….”