April 2011
90 posts
The Tech Herald: Samsung keylogger fears based on... →
“Yesterday, the Web was buzzing over a story published by NetworkWorld. It was written by Mohamed Hassan, founder of NetSec, who said that StarLogger - commercial grade keylogging software - was discovered on a brand new Samsung laptop after running an initial security scan. As it turns out, there was no keylogger. It was a false positive by his anti-virus software.”
Yahoo! Mail Blog: Phishers Beware, YMAP Is Here →
“…I’m happy to announce the release of Yahoo! Mail Anti-Phishing Platform (YMAP), which further reinforces the trust and security of the Yahoo! Mail experience using existing email authentication technologies. It builds on the pilot anti-phishing program we ventured into with eBay/PayPal back in 2007, but this time we’re casting a wider net on the phishing problem.”
March 2011
126 posts
The Security Skeptic: Cloud hype creates fear,... →
‘A day doesn’t pass by when I don’t see an email, article or tweet that says “I’m tired of cloud marketing and cloud hype” or something equally negative. Granted, I spend more time with security greybeards and hard cores but anyone hoping to profit from offering cloud infrastructure or cloud-based services should pay close attention to this signal because...
Boing Boing: "Meat glue" sounds kind of awesome →
“I kind of think meat glue sounds pretty cool. I like the fact that we’ve found new ways to use scraps and parts of meat that aren’t sellable on their own. That alone is nothing new. Humans have been doing that for centuries (See: sausage, soup stock).”
Word to the Wise: Does your unsubscribe process... →
“If your unsubscription link only works in Internet Explorer and Firefox, it doesn’t work for a quarter of recipients. If it only works in those two, plus Google Chrome, it doesn’t work for about 13% of recipients.
And if it doesn’t work, people are going to mark it as spam – and you really don’t want that.”
threatpost: FTC: Google Used Deceptive Practices... →
“Search giant Google has agreed to settle a case with the U.S. Federal Trade Commission on Wednesday over charges that it used deceptive tactics and violated its own privacy policy when it launched Google Buzz, a social network, in 2010.”
Computerworld: BP employee loses laptop containing... →
“The information, which had been stored in an unencrypted fashion on the missing computer, included the names, Social Security numbers, addresses, phone numbers, and dates of birth of people who filed claims related to the Deepwater Horizon accident.”
Pogo Was Right: Privacy harm: have we shrugged off... →
“Context matters in a discussion of privacy harm. And sometimes, a breach that may not seem particularly harmful at one point in time, may be viewed differently later.”
Krebs on Security: Microsoft Hunting Rustock... →
‘…Microsoft is required by law to now make a “good faith effort” to contact the owner(s) of Rustock control domains and other infrastructure the company has since seized, and to notify the individual(s) of the date, time and location of an upcoming court hearing in Seattle, Washington, where the defendants will have an opportunity to be heard.’
Spam Wars: How Much is Your Email Address Worth? →
“I don’t have a fixed dollar amount in mind, but I can tell you that a drug store chain here in the U.S. has determined it is worth them to pay me $4.00 to obtain my email address. That’s what the coupon spit out by the CVS pharmacy cash register at today’s purchase offered me.”
Work, Wine and Wheels: A Conversation with Ali... →
‘If you are serious about issues involving Internet infrastructure, then you’re probably a member of CircleID. It’s the online community where the “big brains” of the Internet go to debate Internet technology and policy.’
NetworkWorld: New method finds botnets that hide... →
“Domain-fluxing bots generate random domain names; a bot queries a series of domain names, but the domain owner registers just one. As an example, the research points to Conficker-A, which generated 250 domains every three hours. In order to make it harder for a security vendor to pre-register the domain names, the next version, Conficker-C, increased the number of randomly generated...
Econsultancy: What to do if your ESP gets hacked →
“A couple of major online brands have had to send communications informing users that their data had been comprised, and in one instance it has been confirmed it was a breach at their email marketing service provider.
This is going to happen more.”
SANS ISC: Firefox 4 Security Features →
“Like no other release before it, Firefox 4 includes a number of significant security features. These features address attacks that are particularly hard for developers to avoid and in which the browser is more the victim than the server.”
Techdirt: What Does It Take For Mobile Operators... →
‘The various mobile operators have been making tons of revenue off of premium “short code” SMS programs. These are ways to add charges for various things directly to your phone bill. For example, they’ve become popular with various charities, so you can support them simply by texting a message to a particular short code. Of course, in many cases, the mobile...
Adrian Crenshaw: Crude, Inconsistent Threat:... →
‘A lot has been said and written about a “group” referred to as Anonymous. This paper will go into Anonymous’ motivations, organization (or lack thereof) and how the term “group” is sort of a misnomer.’
Neil Schwartzman in CircleID: Mooning the Porn... →
“For example, Kink.com owns 10,000 domains. To properly avoid domain squatters and fraudsters, phishers and other criminals from illicitly setting up look-alike domains they would have to spend hundreds of thousands of dollars buying domains they don’t want, beyond their normal operating TLDs of .net and .com.”
Krzysztof Kotowicz: Who's behind Facebook... →
“This guy, being clearly a beginner coder, can now be launching Facebook clickjacking scams on a daily basis, making $$$ no matter how small. There are probably dozens of similar stories.”
Naked Security: Malvertising resurfaces on Spotify... →
“It looks like Spotify has fallen victim to a favorite trick of malware purveyors: Place an advertisement with a widely distributed ad network, then change the code in the ad to exploit flaws in browser code to inject malware onto users’ computers.
Around the same time…there were malicious ads circulating on Facebook.”
Securosis: Crisis Communications →
‘The problem is that too much of ‘communications’ becomes a forlorn attempt to control information. If you don’t share enough information you lose control, because the rest of the world a) needs to know what’s going on and b) will fill in the gaps as best they can. And the “trusted” independent sources are press and pundits who thrive on hyperbole and worst-case scenarios.
Here’s what...
Errata Security: A brief introduction to web... →
“In case you are confused by SSL, and don’t fully understand the recent Comodo hack, I thought I’d write up a brief explanation for you. This is drastically simplified. I’m skipping a lot of steps in the process. I’m just trying to explain the essentials without getting lost in the details.”
The Tech Herald: Play.com CEO outs Silverpop as... →
“Last December, Silverpop suffered a data breach that impacted more than 100 customers. After the incident, McDonalds and deviantART warned customers that they were impacted as a result. Later, American Honda Motor Company, another Silverpop client, reported a breach of 4.9 million customer records.”
Spam Wars: Clueless Password Confirmation Emails →
“Unfortunately, when a new member joins and confirms, the program sends out a welcoming confirmation email, thanking the new member for signing up. This thank-you also repeats the username and password for the membership account. In full. In the clear.”
ClickZ: Device Fingerprinting Raises Privacy Fears →
“Once a device has been assigned a fingerprint, advertisers can use that ID to track its behavior as it moves across the web, providing similar functionality to a cookie. The strength of a fingerprint, however, is that it tracks the device itself rather than the cookie placed on it, meaning it cannot be deleted or lost, and can - in theory - remain consistent for the life of a...
threatpost: Lessons From the Rustock Takedown →
“Having taken a closer look at the specifics of the Rustock botnet – e.g. the CnC infrastructure, the criminals operating patterns, the DNS structure and domain registrations, malware evolution and dissections, etc. – it’s likely that this particular botnet has been beheaded and unlikely that the botnet operators will be able to regain control anytime soon (without exposing...
The Guardian: US spy operation that manipulates... →
“Persona management by the US military would face legal challenges if it were turned against citizens of the US, where a number of people engaged in sock puppetry have faced prosecution.”
Naked Security: What’s in a domain name? →
“The brief lines of text provided in search engine results make it hard enough for us to identify good sites from bad ones. When special-purpose domains for campaign microsites appear, it becomes even more confusing. At best, people might ignore the microsite domain, keeping themselves safe but making the marketing dollars a waste. At worst, the protection and reputation offered by use...
John Levine in CircleID: ICANN Approves .XXX Again →
“…I’ve come around to the viewpoint that ICANN’s job is to act in the public interest, and if the process conflicts with that, the process is wrong. This was brought home when I realized that of the sponsored TLDs approved over the past decade, the ones that are supposed to be for specific communities, every single one is a total failure. In every case, the community...
CAUCE: Microsoft, others help take down Rustock... →
“Microsoft’s DCU and some federal agencies took down the Rustock botnet two days ago. …Here’s a compilation of various news and data….”
Financial Times: Yahoo to show how data used to... →
“Yahoo has launched a scheme in the UK to show visitors to its websites how their personal data are used to target advertising, the first such move by a large internet publisher ahead of the introduction of new European online privacy rules.”
apenwarr: I hope IPv6 *never* catches on →
“In short, any IPv6 transition plan involves *everyone* having an IPv4 address, right up until *everyone* has an IPv6 address, at which point we can start dropping IPv4, which means IPv6 will *start* being useful.”
Boing Boing: iPhone app store [review] of "Color"... →
“The photo sharing/social network app Color launched last week, and much fuss was made for a variety of reasons: massive media hype, massive funding, and a complete lack of documentation about how people should actually use the app. Mike 3K found this brilliant iPhone app store review of Color, which makes the whole affair worthwhile.”
Slate: Content farms: What do they say about what... →
“Content farms are to online media what tabloids are to print. Neither journalism nor advertising, they are a trashy and addictive product, sussing out what we really want in order to give us something we don’t really need—and, in so doing, telling us something important about ourselves.”
XBIZ Newswire: India Plans to Block .XXX →
“…anti-porn supporters claim that the new domain approved by the Internet Corporation for Assigned Names and Numbers last week, will make it easier for conservative Islamic states to block porn distribution channels, despite the fact that adult material can still be accessed with existing domain suffixes like .com and .in.”
The Globe and Mail: Rogers pays $275,000 after... →
“The Toronto-based wireless, cable, Internet and media company was using automated machines to make unsolicited calls to its own wireless customers, letting them know how to purchase more prepaid minutes for their cellphones. But under the Canadian Radio-television and Telecommunications Commission’s rules, telecom companies must first get prior consent for such activities.”
Tnooz: TripAdvisor issues warning after part of... →
‘Officials are keen to stress that the company does not collect credit card details or any other financial information, but it is warning members that they may receive some “unsolicited emails” as a result of incident.’
Electronic Frontier Foundation: Iranian hackers... →
“On March 15th, an HTTPS/TLS Certificate Authority (CA) was tricked into issuing fraudulent certificates that posed a dire risk to Internet security. Based on currently available information, the incident got close to — but was not quite — an Internet-wide security meltdown. As this post will explain, these events show why we urgently need to start reinforcing the system that is...
Boing Boing: Trademark thought experiment: when... →
“…under a proposed UN treaty, Internet Service Providers (as well as search engines, social media sites, online auctions, online games, and sites like Etsy and Thingiverse) will be responsible for detecting and interdicting trademark infringement and helping punish infringers by retaining and providing their personal information on demand from a trademark holder, without a court...
New York Times: Don’t Call Me, I Won’t Call You →
‘It’s at the point where when the phone does ring — and it’s not my mom, dad, husband or baby sitter — my first thought is: “What’s happened? What’s wrong?” My second thought is: “Isn’t it weird to just call like that? Out of the blue? With no e-mailed warning?”’
Gizmodo: This Is How We Surfed the Web In 1998:... →
“Thirteen years ago, a man made a VHS recording of himself exploring that newfangled internet thing. He’s finally gotten around to posting it on YouTube. So what was the internet like back then? A little slower and fewer kittehs, but the same healthy obsession with scantily clad anime ladies!”
SFGate: Do not track tools push firms to crossroad →
“For now, ad companies don’t have any legal obligation to abide by these stated preferences, but it nevertheless represents a critical step forward in the debate over digital privacy for one important reason: Businesses must now choose which of two camps they want to fall into, those that respect consumer wishes and those that don’t.”
What Real People Say When They Talk About Email
Man, noticing woman with mail: All junk, right?
Woman: Yeah.
Man: That’s why they invented email, so they can spam us instead.
Woman: And filters, so we can ignore it.
MailChimp: Letters to our Abuse Desk →
“As you can imagine, the MailChimp Abuse Desk receives some really nasty emails from people. Fortunately, we also get a lot of very positive emails from people trying to do the right thing, and who genuinely appreciate the measures we’ve put in place to protect the email ecosystem. If you work in an abuse desk somewhere — either an ISP or an ESP — this post is for you.”
Wall Street Journal: Microsoft, Feds Pull Plug on... →
‘Microsoft launched the raids as part of a civil lawsuit filed in federal court in Seattle in early February against unnamed operators of the Rustock “botnet,” a vast network of computers around the globe infected with malicious software that allows its masterminds to distribute enormous volumes of spam, peddling everything from counterfeit software to pharmaceuticals.’
WalletPop: Why You Should Be Cheering for Verizon... →
“That a registrar such as Above.com can behave as Verizon’s lawsuit alleges and still be “accredited” by the non-profit corporation that’s supposed to protect the public interest, then you’ve got a broken system. Consumers rely on accreditations all the time for all sorts of things. But ICANN’s accreditation appears in frequent circumstances to be...
StopBadware: Best Practices for Web Hosting... →
“These best practices are designed to provide a best-of-breed framework that web hosting providers can use to respond to malware reports. They are designed to prescribe an overall strategy for receiving and processing the reports, rather than to specify highly specific tactics for providers to employ. They are tailored, as much as possible, to avoid burdening providers unnecessarily while...
Mitchell Sandham: Director and Officer Liability... →
‘…the legislation includes risk of personal liability to officers and directors who (allegedly) “directed, authorized, acquiesced in or participated in the offending conduct”…’
Tom Morris: .tel, .xxx and .mobi are all pointless... →
‘If I were an American, I’d now be saying something like “ICANN have jumped the shark”. Instead, I’m British, so I’ll say “ICANN are fucking useless twats who need a firm kick in the bollocks”.’
threatpost: IRS Security Holes Put Taxpayer Data... →
“…the IRS still hasn’t fully implemented key components of a comprehensive information security program. In fact, around 74 percent of known weaknesses in the IRS’s IT infrastructure remain unresolved or unmitigated, GAO found.”