<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0">
<channel>
	<title>softsecurity.com All in one</title>
	<link>http://www.softsecurity.com</link>
	<description>All in one</description>
	<language />
	<copyright />
	<pubDate>Fri, 03 Jul 2009 05:30:32 GMT</pubDate>
	<lastBuildDate>Fri, 03 Jul 2009 05:30:32 GMT</lastBuildDate>
	<category />
	<image />
	
	<item>
		<title>Updated versions of Anti-Keylogger and PrivacyKeyboard released!</title>
		<link>http://softsecurity.com/news_D9_company.html</link>
		<description>Anti-Keylogger 9.2.1 and PrivacyKeyboard 9.2.1 have been released. Support of Internet Explorer 8 has been added.</description>
		<pubDate>Thu, 23 Apr 2009 17:25:00 GMT</pubDate>
	</item>
	<item>
		<title>New versions of Anti-Keylogger and PrivacyKeyboard released!</title>
		<link>http://softsecurity.com/news/company/anti-keylogger-and-privacykeyboard-91-released.html</link>
		<description>Anti-Keylogger 9.1 and PrivacyKeyboard 9.1 have been released. Updated versions include most recent bugfixes and improvements.</description>
		<pubDate>Fri, 26 Dec 2008 10:51:00 GMT</pubDate>
	</item>
	<item>
		<title>Anti-Keylogger 9.0 and PrivacyKeyboard 9.0 have been released!</title>
		<link>http://softsecurity.com/news/company/anti_keylogger_9_and_privacykeyboard_9_have_been_released.html</link>
		<description>Official Windows Vista compatible versions of Anti-Keylogger and PrivacyKeyboard have been released today. These products are available for download here.</description>
		<pubDate>Tue, 25 Nov 2008 17:00:00 GMT</pubDate>
	</item>
	<item>
		<title>New versions of Anti-Keylogger and PrivacyKeyboard released!</title>
		<link>http://softsecurity.com/news_D6_company.html</link>
		<description>Anti-Keylogger 8.2 and PrivacyKeyboard 8.2 have been released. Updated versions include most recent bugfixes and improvements.</description>
		<pubDate>Mon, 22 Sep 2008 11:10:00 GMT</pubDate>
	</item>
	<item>
		<title>PC Activity Monitor 6.5.1 released!</title>
		<link>http://softsecurity.com/news_D5_company.html</link>
		<description>New versions of PC Activity Monitor, PC Activity Monitor Net and PC Activity Monitor Pro have been released.</description>
		<pubDate>Mon, 22 Sep 2008 11:09:00 GMT</pubDate>
	</item>
	<item>
		<title>PC Acme Lite and Standard 7.7.1 released</title>
		<link>http://softsecurity.com/news_D4_company.html</link>
		<description>PC Acme Lite 7.7.1 and PC Acme Standard 7.7.1 have been released. Some minor bugs in log-viewer were fixed.</description>
		<pubDate>Fri, 19 Sep 2008 16:40:00 GMT</pubDate>
	</item>
	<item>
		<title>New version of PC Acme Professional is released</title>
		<link>http://softsecurity.com/news_D3_company.html</link>
		<description>PC Acme Professional 7.6.4 has been released today. The changes are made to the monitoring agent.</description>
		<pubDate>Thu, 24 Apr 2008 13:26:00 GMT</pubDate>
	</item>
	<item>
		<title>New versions of PC Acme Lite and Standard</title>
		<link>http://softsecurity.com/news_D2_company.html</link>
		<description>PC Acme Lite 7.7 and PC Acme Standard 7.7 have been released.</description>
		<pubDate>Mon, 04 Feb 2008 16:43:00 GMT</pubDate>
	</item>
	<item>
		<title>New versions of PC Acme 6 products</title>
		<link>http://softsecurity.com/news_D1_company.html</link>
		<description>PC Acme 6.5, PC Acme Net 6.5 and PC Acme Pro 6.5 have been released.</description>
		<pubDate>Thu, 27 Dec 2007 16:33:00 GMT</pubDate>
	</item>
	<item>
		<title>iPhone crashing bug could lead to serious exploit</title>
		<link>http://softsecurity.com/news/highlights/iphone-crashing-bug-could-lead-to-serious-exploit.html</link>
		<description>More fun with SMS
&lt;strong&gt;Updated&lt;/strong&gt; This story was updated to correct factual errors contained in an &lt;a href=&quot;http://www.networkworld.com/news/2009/070209-apple-patching-serious-sms-vulnerability.html&quot; target=&quot;_blank&quot;&gt;IDG News article&lt;/a&gt; that first reported the vulnerability. &lt;a href=&quot;http://whitepapers.theregister.co.uk/paper/view/859/atth0s1n.pdf?td=rss&quot;&gt;The power of collaboration within unified communications&lt;/a&gt;
</description>
		<pubDate>Fri, 03 Jul 2009 00:30:49 GMT</pubDate>
	</item>
	<item>
		<title> Top ten e-threats for June 2009</title>
		<link>http://softsecurity.com/news/highlights/top-ten-e-threats-for-june-2009.html</link>
		<description>BitDefender released the top ten e-threats for the month of June. Five of the ten worst e-threats are Trojans, making this the best represented e-threat category.
 
 In tenth position is a generic det...</description>
		<pubDate>Thu, 02 Jul 2009 23:00:58 GMT</pubDate>
	</item>
	<item>
		<title>Speculation mounts over AVG plans for OS X client</title>
		<link>http://softsecurity.com/news/highlights/speculation-mounts-over-avg-plans-for-os-x-client.html</link>
		<description>'Mac users have no antibodies'
AVG bosses aren't saying much, but there's new evidence the anti-virus maker is seriously considering building an application for the Mac.</description>
		<pubDate>Thu, 02 Jul 2009 21:00:09 GMT</pubDate>
	</item>
	<item>
		<title> New ENISA Quarterly Review available for download</title>
		<link>http://softsecurity.com/news/highlights/new-enisa-quarterly-review-available-for-download.html</link>
		<description>European Network and Information Security Agency (ENISA) Quarterly Review is a publication that is distributed to stakeholders and other interested readers every three months.
 
 Vol. 5 - No. 2       ...</description>
		<pubDate>Thu, 02 Jul 2009 19:12:47 GMT</pubDate>
	</item>
	<item>
		<title>Boomerang attack against AES better than blind chance</title>
		<link>http://softsecurity.com/news/highlights/boomerang-attack-against-aes-better-than-blind-chance.html</link>
		<description>Pesky algorithm not invulnerable
Cryptographic researchers have uncovered a chink in the armour of the widely used AES algorithm.</description>
		<pubDate>Thu, 02 Jul 2009 18:33:06 GMT</pubDate>
	</item>
	<item>
		<title>Manchester City Council pays $2.4m in Conficker clean up costs</title>
		<link>http://softsecurity.com/news/highlights/manchester-city-council-pays-2.4m-in-conficker-clean-up-costs.html</link>
		<description>How severe can the impact of the Conficker worm be on a single city council that apparently did not have basic security solutions in place?
Pretty severe, according to a recently released report entitled &amp;#8220;Service interruption resulting from ICT disruption in February 2009&amp;#8221; which details the financial costs of a Conficker incident affecting Manchester City [...]&lt;br clear=&quot;both&quot; style=&quot;clear: both;&quot;/&gt;
&lt;br clear=&quot;both&quot; style=&quot;clear: both;&quot;/&gt;
&lt;a href=&quot;http://ads.pheedo.com/click.phdo?s=79dc8162e242565a502be2dee692d22d&amp;p=1&quot;&gt;&lt;img alt=&quot;&quot; style=&quot;border: 0;&quot; border=&quot;0&quot; src=&quot;http://ads.pheedo.com/img.phdo?s=79dc8162e242565a502be2dee692d22d&amp;p=1&quot;/&gt;&lt;/a&gt;&lt;img src=&quot;http://feeds.feedburner.com/~r/zdnet/security/~4/tASTst0C_xA&quot; height=&quot;1&quot; width=&quot;1&quot;/&gt;</description>
		<pubDate>Thu, 02 Jul 2009 17:22:26 GMT</pubDate>
	</item>
	<item>
		<title>Spam levels bounce back after botnet takedown</title>
		<link>http://softsecurity.com/news/highlights/spam-levels-bounce-back-after-botnet-takedown.html</link>
		<description>Even botnets have backup now
Spam levels are returning to normal following the recent takedown of crime-friendly ISP 3FN, which temporarily interrupted the operation of a significant spam-spewing botnet.</description>
		<pubDate>Thu, 02 Jul 2009 16:02:33 GMT</pubDate>
	</item>
	<item>
		<title>Event:  14th European Symposium on Research in Computer Security</title>
		<link>http://softsecurity.com/news/highlights/event-14th-european-symposium-on-research-in-computer-security.html</link>
		<description>ESORICS, the European Symposium On Research In Computer Security, is the leading research-oriented conference on the theory and practice of computer security in Europe.
 
 The aim of ESORICS is to f...</description>
		<pubDate>Thu, 02 Jul 2009 15:33:41 GMT</pubDate>
	</item>
	<item>
		<title> New cryptanalytic attack on AES</title>
		<link>http://softsecurity.com/news/highlights/new-cryptanalytic-attack-on-aes.html</link>
		<description>Alex Biryukov and Dmitry Khovratovich from University of Luxembourg published a paper titled &amp;quot;Related-key Cryptanalysis of the Full AES-192 and AES-256&amp;quot;. In this paper we present two related-key attac...</description>
		<pubDate>Thu, 02 Jul 2009 14:59:34 GMT</pubDate>
	</item>
	<item>
		<title> Ixquick - the search engine that protects your privacy</title>
		<link>http://softsecurity.com/news/highlights/ixquick-the-search-engine-that-protects-your-privacy.html</link>
		<description>Every time you use a regular search engine, your search data is recorded. Your search terms, the time of your visit, the links you choose, your IP address and your User ID cookies all get stored in a ...</description>
		<pubDate>Thu, 02 Jul 2009 14:46:11 GMT</pubDate>
	</item>
	<item>
		<title>Month of Twitter Bugs: bit.ly multiple vulnerabilities</title>
		<link>http://softsecurity.com/news/highlights/month-of-twitter-bugs-bit.ly-multple-vulnerabilities.html</link>
		<description>First report in the Month of Twitter Bugs focuses on multiple vulnerabilities in bit.ly URL shortening service. Discovered security issues include: Reflected Cross-Site Scripting in the “url” query pa...</description>
		<pubDate>Thu, 02 Jul 2009 14:23:34 GMT</pubDate>
	</item>
	<item>
		<title>Stealthy click fraud tool exploits 9ball attack</title>
		<link>http://softsecurity.com/news/highlights/stealthy-click-fraud-tool-exploits-9ball-attack.html</link>
		<description>Meet the Keyser Soze of malware
Miscreants have developed one of the most sophisticated click fraud malware applications to date. &lt;a href=&quot;http://whitepapers.theregister.co.uk/paper/view/696/smartprotection-whitepaper.pdf?td=rss&quot;&gt;Offloading malware protection to the cloud&lt;/a&gt;
</description>
		<pubDate>Thu, 02 Jul 2009 02:02:45 GMT</pubDate>
	</item>
	<item>
		<title>Feds: hospital hacker's 'massive' DDoS averted</title>
		<link>http://softsecurity.com/news/highlights/feds-hospital-hackers-massive-ddos-averted.html</link>
		<description>Arrest foils 'Devil's Day' scheme
The leader of a malicious hacker collective who used his job as a security guard to breach sensitive Texas hospital computers has been arrested just days before his group planned a &quot;massive DDoS&quot; attack for the July 4 Independence Day holiday.</description>
		<pubDate>Thu, 02 Jul 2009 00:32:54 GMT</pubDate>
	</item>
	<item>
		<title>Month Of Twitter Bugs Goes Live With Mini-URL Flaws</title>
		<link>http://softsecurity.com/news/highlights/month-of-twitter-bugs-goes-live-with-mini-url-flaws.html</link>
		<description>Researcher launches Day One of daily third-party Twitter app vulnerability disclosures, while some members of Twitter christen July 1 &amp;quot;TwitterSec Day&amp;quot;</description>
		<pubDate>Wed, 01 Jul 2009 23:18:00 GMT</pubDate>
	</item>
	<item>
		<title>Jackson mass mailer adds to attack onslaught</title>
		<link>http://softsecurity.com/news/highlights/jackson-mass-mailer-adds-to-attack-onslaught.html</link>
		<description>More zombies than the Thriller video
Miscreants have created a Michael Jackson mass-mailing worm.</description>
		<pubDate>Wed, 01 Jul 2009 19:55:47 GMT</pubDate>
	</item>
	<item>
		<title>Torrentreactor breach serves potent exploit cocktail</title>
		<link>http://softsecurity.com/news/highlights/torrentreactor-breach-serves-potent-exploit-cocktail.html</link>
		<description>iframe redirection redux
Torrentreactor has long been regarded as one of the top bit torrent search engines, and with the &lt;a href=&quot;http://www.theregister.co.uk/2009/06/30/pirate_bay_next_stop/&quot;&gt;demise of The Pirate Bay&lt;/a&gt;, it's likely bigger than ever. Now, it's been breached and is serving a potent cocktail of exploits to people browsing the site, Websense Security Labs says.</description>
		<pubDate>Wed, 01 Jul 2009 19:19:06 GMT</pubDate>
	</item>
	<item>
		<title> Michael Jackson themed mass-mailing worm  </title>
		<link>http://softsecurity.com/news/highlights/michael-jackson-themed-mass-mailing-worm.html</link>
		<description>Sophos discovered a mass-mailing worm attack that is currently spreading via a malicious email campaign. The email, which has the subject line &amp;apos;Remembering Michael Jackson&amp;apos; and claims to come from ...</description>
		<pubDate>Wed, 01 Jul 2009 18:36:01 GMT</pubDate>
	</item>
	<item>
		<title> SecureAuth 5.0.6 strong authentication for Cisco VPN and cloud applications</title>
		<link>http://softsecurity.com/news/highlights/secureauth-5.0.6-strong-authentication-for-cisco-vpn-and-cloud-applications.html</link>
		<description>MultiFactor Corporation announced the release of SecureAuth 5.0.6. The new release of SecureAuth’s proven two-factor authentication solution for Cisco IPSec and SSL VPNs now incorporates a secure Sing...</description>
		<pubDate>Wed, 01 Jul 2009 18:24:35 GMT</pubDate>
	</item>
	<item>
		<title> The state of today’s firewall management challenges  </title>
		<link>http://softsecurity.com/news/highlights/the-state-of-todays-firewall-management-challenges.html</link>
		<description>Most organizations are receiving a poor return on their firewall investments, according to an IDC multimedia white paper sponsored by McAfee. The findings are outlined in a study titled “The State of ...</description>
		<pubDate>Wed, 01 Jul 2009 18:08:42 GMT</pubDate>
	</item>
	<item>
		<title> Webroot upgrades its Web and Email Security SaaS solutions</title>
		<link>http://softsecurity.com/news/highlights/webroot-upgrades-its-web-and-email-security-saas-solutions.html</link>
		<description>Webroot announced new releases of Webroot Web Security SaaS and Webroot  Email Security SaaS with essential enhancements including web browsing quotas to enforce Internet use policies and a new Webroo...</description>
		<pubDate>Wed, 01 Jul 2009 18:06:00 GMT</pubDate>
	</item>
	<item>
		<title> Kaspersky Lab vs Zango: Kaspersky wins</title>
		<link>http://softsecurity.com/news/highlights/kaspersky-lab-vs-zango-kaspersky-wins.html</link>
		<description>9th U.S. Circuit Court of Appeals has ruled in Kaspersky Lab&amp;apos;s favor in claims brought by Zango. In a precedent-setting case for the Internet security industry, the 9th U.S. Circuit Court of Appeals r...</description>
		<pubDate>Wed, 01 Jul 2009 17:58:06 GMT</pubDate>
	</item>
	<item>
		<title>Kaspersky beats Zango in malware classification case</title>
		<link>http://softsecurity.com/news/highlights/kaspersky-beats-zango-in-malware-classification-case.html</link>
		<description>Right to call spade a digging implement won
Kaspersky Lab has secured a legal victory against notorious adware firm Zango, with a ruling that goes a long way towards protecting security software developers from nuisance lawsuits from the developers of internet pests in future.</description>
		<pubDate>Wed, 01 Jul 2009 16:48:22 GMT</pubDate>
	</item>
	<item>
		<title> A closer look at Little Snitch 2.1.4</title>
		<link>http://softsecurity.com/news/highlights/a-closer-look-at-little-snitch-2.1.4.html</link>
		<description>Little Snitch is a Mac tool that protects private data from undesirable transmission. It informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to al...</description>
		<pubDate>Wed, 01 Jul 2009 15:21:27 GMT</pubDate>
	</item>
	<item>
		<title>Off the wire:  Whitepaper - How to build and architect a reliable and scalable enterprise level email system</title>
		<link>http://softsecurity.com/news/highlights/off-the-wire-whitepaper-how-to-build-and-architect-a-reliable-and-scalable-enterprise-level-email-system.html</link>
		<description>Increase uptime, improve security, and lower costs for Enterprise level companies.</description>
		<pubDate>Wed, 01 Jul 2009 14:36:45 GMT</pubDate>
	</item>
	<item>
		<title>Conficker left Manchester unable to issue traffic tickets</title>
		<link>http://softsecurity.com/news/highlights/conficker-left-manchester-unable-to-issue-traffic-tickets.html</link>
		<description>Infection cost £1.5m in total
Manchester City Council was prevented from issuing hundreds of motoring penalty notices in time after the infamous Conficker worm knocked out parts of its IT systems.</description>
		<pubDate>Wed, 01 Jul 2009 13:53:39 GMT</pubDate>
	</item>
	<item>
		<title>China spam crisis provokes researcher's ire</title>
		<link>http://softsecurity.com/news/highlights/china-spam-crisis-provokes-researchers-ire.html</link>
		<description>Name and shame campaign aims to change attitudes
A security researcher is calling for action against Chinese internet firms which are failing to protect their services from abuse by cybercrooks.</description>
		<pubDate>Wed, 01 Jul 2009 12:48:57 GMT</pubDate>
	</item>
	<item>
		<title>Event:  The 8th International Conference on Cryptology and Network Security (CANS 2009)</title>
		<link>http://softsecurity.com/news/highlights/event-the-8th-international-conference-on-cryptology-and-network-security-cans-2009.html</link>
		<description>The main goal of this conference is to promote research on all aspects of network security, as well as to build a bridge between research on cryptography and on network security. We therefore welcome ...</description>
		<pubDate>Wed, 01 Jul 2009 12:36:04 GMT</pubDate>
	</item>
	<item>
		<title> Current list of the top 5 most notorious botnets</title>
		<link>http://softsecurity.com/news/highlights/current-list-of-the-top-5-most-notorious-botnets.html</link>
		<description>According to the latest MessageLabs Intelligence Report, botnets are responsible for over 80% of all spam. Here&amp;apos;s a snapshot of where the top 5 most notorious botnets currently stand:
 
 Cutwail
 
 Th...</description>
		<pubDate>Wed, 01 Jul 2009 12:32:53 GMT</pubDate>
	</item>
	<item>
		<title> New CORE IMPACT Pro v9 penetration testing solution</title>
		<link>http://softsecurity.com/news/highlights/new-core-impact-pro-v9-penetration-testing-solution.html</link>
		<description>Core Security Technologies released CORE IMPACT Pro v9, the latest installment of its flagship penetration testing software solution. The new version of CORE IMPACT Pro provides IT security managers w...</description>
		<pubDate>Wed, 01 Jul 2009 12:06:15 GMT</pubDate>
	</item>
	<item>
		<title> Phishing for the Credit Union Australia users  </title>
		<link>http://softsecurity.com/news/highlights/phishing-for-the-credit-union-australia-users.html</link>
		<description>There is an email being spammed around purportedly from the Credit Union Australia informing people their Web Banker account contained a new message in the secure mailbox.
 
 E-mail sent around is sho...</description>
		<pubDate>Wed, 01 Jul 2009 12:06:01 GMT</pubDate>
	</item>
	<item>
		<title>Information Leakage from Keypads</title>
		<link>http://softsecurity.com/news/blog-posts/information-leakage-from-keypads.html</link>
		<description>Can anyone guess the entry codes for these door locks?

&lt;a href=&quot;http://www.schneier.com/images/digital-lock.jpg&quot;&gt;&lt;img width=188 height=250 alt=&quot;digital lock&quot; src=&quot;http://www.schneier.com/images/digital-lock-thumb.jpg&quot;&gt;&lt;/a&gt; &lt;a href=&quot;http://www.schneier.com/images/security-keypad.jpg&quot;&gt;&lt;img width=188 height=250 alt=&quot;security keypad&quot; src=&quot;http://www.schneier.com/images/security-keypad-thumb.jpg&quot;&gt;&lt;/a&gt;

There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads.  The second is almost certainly guessable in one. &lt;br /&gt;

&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=8CMRDBV_dQM:beqD2572C8c:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=8CMRDBV_dQM:beqD2572C8c:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=8CMRDBV_dQM:beqD2572C8c:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Thu, 02 Jul 2009 20:09:30 GMT</pubDate>
	</item>
	<item>
		<title>More Security Countermeasures from the Natural World</title>
		<link>http://softsecurity.com/news/blog-posts/more-security-countermeasures-from-the-natural-world.html</link>
		<description>The plant caladium steudneriifolium &lt;a href=&quot;http://news.bbc.co.uk/earth/hi/earth_news/newsid_8108000/8108940.stm&quot;&gt;pretends to be ill&lt;/a&gt; so mining moths won't eat it.

She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten most of the leaves' nutrients.

Cabbage aphids &lt;a href=&quot;http://scienceblogs.com/notrocketscience/2009/06/aphids_defend_themselves_with_chemical_bombs.php&quot;&gt;arm themselves with chemical bombs&lt;/a&gt;:

Its body carries two reactive chemicals that only mix when a predator attacks it. The injured aphid dies. But in the process, the chemicals in its body react and trigger an explosion that delivers lethal amounts of poison to the predator, saving the rest of the colony.

The dark-footed ant spider &lt;a href=&quot;http://scienceblogs.com/notrocketscience/2009/06/spiders_gather_in_groups_to_impersonate_ants.php&quot;&gt;mimics an ant&lt;/a&gt; so that it's not eaten by other spiders, and so it can &lt;a href=&quot;http://scienceblogs.com/notrocketscience/2009/07/spider_mimics_ant_to_eat_spiders_and_avoid_being_eaten_by_sp.php&quot;&gt;eat spiders&lt;/a&gt; itself:

M.melanotarsa is a jumping spider that protects itself from predators (like other jumping spiders) by resembling an ant. Earlier this month, Ximena Nelson and Robert Jackson showed that they bolster this illusion by living in silken apartment complexes and travelling in groups, mimicking not just the bodies of ants but their social lives too. 

Now Nelson and Robert are back with another side to the ant-spider's tale - it also uses its impersonation for attack as well as defence. It also feasts on the eggs and youngsters of the very same spiders that its ant-like form protects it from. It is, essentially, a spider that looks like an ant to avoid being eaten by spiders so that it itself can eat spiders.

My &lt;a href=&quot;http://www.schneier.com/blog/archives/2009/03/three_security.html&quot;&gt;previous post&lt;/a&gt; about security stories from the insect world.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=Akatti1JGRo:dnjiw89_6L4:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=Akatti1JGRo:dnjiw89_6L4:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=Akatti1JGRo:dnjiw89_6L4:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Thu, 02 Jul 2009 14:11:41 GMT</pubDate>
	</item>
	<item>
		<title>MD6 Withdrawn from SHA-3 Competition</title>
		<link>http://softsecurity.com/news/blog-posts/md6-withdrawn-from-sha-3-competition.html</link>
		<description>In other SHA-3 news, Ron Rivest seems to have withdrawn &lt;a href=&quot;http://groups.csail.mit.edu/cis/md6/&quot;&gt;MD6&lt;/a&gt; from the &lt;a href=&quot;http://www.schneier.com/essay-249.html&quot;&gt;SHA-3&lt;/a&gt; competition.  From an e-mail to a NIST mailing list:

We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward.

Basically, the issue is that in order for MD6 to be fast enough to be competitive, the designers have to reduce the number of rounds down to 30-40, and at those rounds, the algorithm loses its proofs of resistance to differential attacks.

Thus, while MD6 appears to be a robust and secure cryptographic hash algorithm, and has much merit for multi-core processors, our inability to provide a proof of security for a reduced-round (and possibly tweaked) version of MD6 against differential attacks suggests that MD6 is not ready for consideration for the next SHA-3 round. 

EDITED TO ADD (7/1):  This is a very classy withdrawal, as we expect from Ron Rivest -- especially given the fact that there are no attacks on it, while other algorithms have been seriously broken and their submitters keep trying to pretend that no one has noticed.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=-aSxHoKmtMY:YkpNcHyCUiU:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=-aSxHoKmtMY:YkpNcHyCUiU:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=-aSxHoKmtMY:YkpNcHyCUiU:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Wed, 01 Jul 2009 22:27:35 GMT</pubDate>
	</item>
	<item>
		<title>New Attack on AES</title>
		<link>http://softsecurity.com/news/blog-posts/new-attack-on-aes.html</link>
		<description>There's a new &lt;a href=&quot;https://cryptolux.uni.lu/mediawiki/uploads/1/1a/Aes-192-256.pdf&quot;&gt;cryptanalytic attack&lt;/a&gt; on AES that is better than brute force:

Abstract.  In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.

In an e-mail, the authors wrote:

We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2119 to about 2110.5 data and time.

We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES. 

Agreed, while this attack is better than brute force -- and some cryptographers will describe the algorithm as &quot;broken&quot; because of it -- it is still far, far beyond our capabilities of computation.  The attack is, and probably forever will be, theoretical.  But remember: attacks always get better, they never get worse.  Others will continue to improve on these numbers.  While there's no reason to panic, no reason to stop using AES, no reason to insist that NIST choose another encryption standard, this will certainly be a problem for some of the AES-based &lt;a href=&quot;http://www.schneier.com/essay-249.html&quot;&gt;SHA-3 candidate hash functions&lt;/a&gt;.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=R53Uxrrev8Q:6UAnpeDPIws:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=R53Uxrrev8Q:6UAnpeDPIws:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=R53Uxrrev8Q:6UAnpeDPIws:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Wed, 01 Jul 2009 19:49:18 GMT</pubDate>
	</item>
	<item>
		<title>Security, Group Size, and the Human Brain</title>
		<link>http://softsecurity.com/news/blog-posts/security-group-size-and-the-human-brain.html</link>
		<description>If the size of your company grows past 150 people, it's time to get name badges. It's not that larger groups are somehow less secure, it's just that 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with.&lt;br /&gt;
 &lt;br /&gt;
Primatologist Robin Dunbar derived this number by comparing neocortex -- the &quot;thinking&quot; part of the mammalian brain -- volume with the size of primate social groups. By analyzing data from 38 primate genera and extrapolating to the human neocortex size, he predicted a human &quot;mean group size&quot; of roughly 150.&lt;br /&gt;
 &lt;br /&gt;
This number appears regularly in human society; it's the estimated size of a Neolithic farming village, the size at which Hittite settlements split, and the basic unit in professional armies from Roman times to the present day. Larger group sizes aren't as stable because their members &lt;a href=&quot;http://www.cracked.com/article_14990_what-monkeysphere.html&quot;&gt;don't know each other well enough&lt;/a&gt;. Instead of thinking of the members as people, we think of them as groups of people. For such groups to function well, they need externally imposed structure, such as name badges.&lt;br /&gt;
 &lt;br /&gt;
Of course, badges aren't the only way to determine in-group/out-group status. Other markers include insignia, uniforms, and secret handshakes. They have different security properties and some make more sense than others at different levels of technology, but once a group reaches 150 people, it has to do something.&lt;br /&gt;
 &lt;br /&gt;
More generally, there are &lt;a href=&quot;http://arxiv.org/abs/cond-mat/0403299&quot;&gt;several layers of natural human group size&lt;/a&gt; that increase with a ratio of approximately three: 5, 15, 50, 150, 500, and 1500 -- although, really, the numbers aren't as precise as all that, and groups that are less focused on survival tend to be smaller. The layers relate to both the intensity and intimacy of relationship and the frequency of contact.&lt;br /&gt;
 &lt;br /&gt;
The smallest, three to five, is a &quot;clique&quot;: the number of people from whom you would seek help in times of severe emotional distress. The twelve to 20 group is the &quot;sympathy group&quot;: people with whom you have special ties. After that, 30 to 50 is the typical size of hunter-gatherer overnight camps, generally drawn from the same pool of 150 people. No matter what size company you work for, there are only about 150 people you consider to be &quot;co-workers.&quot; (In small companies, Alice and Bob handle accounting. In larger companies, it's the accounting department -- and maybe you know someone there personally.) The 500-person group is the &quot;megaband,&quot; and the 1,500-person group is the &quot;tribe.&quot; Fifteen hundred is roughly the number of faces we can put names to, and the typical size of a hunter-gatherer society.&lt;br /&gt;
 &lt;br /&gt;
These numbers are reflected in military organization throughout history: squads of 10 to 15 organized into battalions of three to four squads, organized into companies of three to four battalions, organized into regiments or brigades of three battalions, organized into divisions of three regiments, and organized into corps of two to three divisions.&lt;br /&gt;
 &lt;br /&gt;
Coherence can become a real problem once organizations get above about 150 in size.  So as group sizes grow across these boundaries, they have more externally imposed infrastructure -- and more formalized security systems. In intimate groups, pretty much all security is ad hoc. Companies smaller than 150 don't bother with name badges; companies greater than 500 hire a guard to sit in the lobby and check badges.  The military have had centuries of experience with this under rather trying circumstances, but even there the real commitment and bonding invariably occurs at the company level. Above that you need to have rank imposed by discipline.  &lt;br /&gt;
 &lt;br /&gt;
The whole brain-size comparison might be bunk, and a lot of evolutionary psychologists disagree with it. But certainly security systems become more formalized as groups grow larger and their members less known to each other. When do more formal dispute resolution systems arise: town elders, magistrates, judges? At what size boundary are formal authentication schemes required? Small companies can get by without the internal forms, memos, and procedures that large companies require; when does what tend to appear? How does punishment formalize as group size increases? And how do all these things affect group coherence? People act differently on social networking sites like Facebook when their list of &quot;friends&quot; &lt;a href=&quot;http://online.wsj.com/article/SB119518271549595364.html?mod=googlenews_wsj&quot;&gt;grows larger and less intimate&lt;/a&gt;. Local merchants sometimes let known regulars run up tabs. I lend books to friends with much less formality than a public library. What examples have you seen?

An edited version of this essay, without links, appeared in the July/August 2009 issue of IEEE Security &amp; Privacy.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=4L3K5b538sY:poijJi24RpQ:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=4L3K5b538sY:poijJi24RpQ:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=4L3K5b538sY:poijJi24RpQ:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Wed, 01 Jul 2009 14:51:56 GMT</pubDate>
	</item>
	<item>
		<title>The Network Security Podcast, Episode 156</title>
		<link>http://softsecurity.com/news/blog-posts/the-network-security-podcast-episode-156.html</link>
		<description>Martin is off in Japan this week, so I&amp;#8217;m joined by our good friend Amrit Williams from BigFix and the Techbuddha blog. Amrit and I start off by talking about the rolling blackouts in California and disaster preparedness, before jumping into the week&amp;#8217;s security news. 
&amp;#60;Martin&amp;#62;&amp;#160; I&amp;#8217;m off in Japan, but not forgotten.&amp;#160; I&amp;#8217;m almost [...]</description>
		<pubDate>Wed, 01 Jul 2009 03:18:52 GMT</pubDate>
	</item>
	<item>
		<title>Cryptography Spam</title>
		<link>http://softsecurity.com/news/blog-posts/cryptography-spam.html</link>
		<description>I think this is a first.

Information security, and protection of your e-money. Electronic payments and calculations, on means of a network the Internet or by means of bank credit cards, continue to win the world market. Electronic payments, it quickly, conveniently, but is not safely. Now there is a real war, between users and hackers. Your credit card can be forgery. The virus can get into your computer. Most not pleasant, what none, cannot give you guarantees, safety.

But, this disgrace can put an end.

I have developed the program which, does impossible the fact of abduction of a  passwords, countersign, and personal data of the users. In the program the technology of an artificial intellect is used. As you cannot, guess about what the person thinks. As and not possible to guess, algorithm of the program. This system to crack it is impossible.

I assure that this system, will be most popular in the near future. I wish to create the company, with branches in the different countries of the world, and I invite all interested persons.

Together we will construct very profitable business.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=mjE_M0JLc88:L4AXk_YjjJc:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=mjE_M0JLc88:L4AXk_YjjJc:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=mjE_M0JLc88:L4AXk_YjjJc:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Tue, 30 Jun 2009 21:36:42 GMT</pubDate>
	</item>
	<item>
		<title>Growth of the CSE</title>
		<link>http://softsecurity.com/news/blog-posts/growth-of-the-cse.html</link>
		<description>The Communication Security Establishment (CSE, basically Canada's NSA) is growing so fast they're running out of room and &lt;a href=&quot;http://www.defenseindustrydaily.com/Canadas-CSE-ELINT-Agency-Building-New-Facilities-05498/&quot;&gt;building new office buildings&lt;/a&gt;.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=FHRUdiMBOB4:rnNXQCX5E_8:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=FHRUdiMBOB4:rnNXQCX5E_8:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=FHRUdiMBOB4:rnNXQCX5E_8:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Tue, 30 Jun 2009 14:32:53 GMT</pubDate>
	</item>
	<item>
		<title>FIRST 2009: Dr. Suguru Yamaguchi</title>
		<link>http://softsecurity.com/news/blog-posts/first-2009-dr.-suguru-yamaguchi.html</link>
		<description>I had the opportunity to talk to Dr. Suguru Yamaguchi, Professor of the Graduate School of Information at the Nara Institute of Science and Technology, member of the JPCERT and advisor on Information Security for the National Information Security Center, Cabinet Office Japan.&amp;#160; Dr. Yamaguchi presented the opening keynote for the FIRST 2009 Conference here [...]</description>
		<pubDate>Tue, 30 Jun 2009 05:32:05 GMT</pubDate>
	</item>
	<item>
		<title>Anti-Stab Knife</title>
		<link>http://softsecurity.com/news/blog-posts/anti-stab-knife.html</link>
		<description>I've &lt;a href=&quot;http://www.schneier.com/blog/archives/2005/06/risks_of_pointy.html&quot;&gt;already written&lt;/a&gt; about the risks of pointy knives.  This &lt;a href=&quot;http://www.timesonline.co.uk/tol/news/uk/crime/article6501720.ece&quot;&gt;no-stabbing knife&lt;/a&gt; is the solution, and seems not to be a joke.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=agjnE-cE_n8:u3wUqRUMikE:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=agjnE-cE_n8:u3wUqRUMikE:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=agjnE-cE_n8:u3wUqRUMikE:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Mon, 29 Jun 2009 22:18:22 GMT</pubDate>
	</item>
	<item>
		<title>Protecting Against the Snatched Laptop Data Theft</title>
		<link>http://softsecurity.com/news/blog-posts/protecting-against-the-snatched-laptop-data-theft.html</link>
		<description>Almost two years ago, I &lt;a href=&quot;http://www.schneier.com/essay-199.html&quot;&gt;wrote&lt;/a&gt; about my strategy for encrypting my laptop.  One of the things I said was:

There are still two scenarios you aren't secure against, though. You're not secure against someone &lt;a href=&quot;http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/04/08/MNGE9I686K1.DTL&quot;&gt;snatching your laptop&lt;/a&gt; out of your hands as you're typing away at the local coffee shop. And you're not secure against the authorities telling you to decrypt your data for them.

&lt;a href=&quot;http://www.donationcoder.com/Forums/bb/index.php?topic=18656.0&quot;&gt;Here's a free program&lt;/a&gt; that defends against that first threat: it locks the computer unless a key is pressed every n seconds.

Honestly, this would be too annoying for me to use, but you're welcome to try it.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=zbFDqLNsLG0:BOlVw94iqA8:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=zbFDqLNsLG0:BOlVw94iqA8:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=zbFDqLNsLG0:BOlVw94iqA8:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Mon, 29 Jun 2009 14:51:02 GMT</pubDate>
	</item>
	<item>
		<title>Friday Squid Blogging: 8 Gig USB Squid Flash Drive</title>
		<link>http://softsecurity.com/news/blog-posts/friday-squid-blogging-8-gig-usb-squid-flash-drive.html</link>
		<description>&lt;a href=&quot;http://www.nifnaks.com/creations-shop/critters/seabol-the-datasquid-4gb-usb-flashdrive/detailed-product-flyer.html&quot;&gt;Cute&lt;/a&gt;.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=S3DR2CmXGjo:0obl2I2DXFQ:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=S3DR2CmXGjo:0obl2I2DXFQ:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=S3DR2CmXGjo:0obl2I2DXFQ:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Sat, 27 Jun 2009 00:52:39 GMT</pubDate>
	</item>
	<item>
		<title>Fake Receipts</title>
		<link>http://softsecurity.com/news/blog-posts/fake-receipts.html</link>
		<description>For all of you who want to &lt;a href=&quot;http://www.falseexpense.com/&quot;&gt;scam your company's expense reimbursement system&lt;/a&gt;.

I've heard of sites where you give them a range of dates and a city, and they give you a full set of receipts for a trip to that city: airfare, hotel, meals, everything -- but I can't find a website.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=iPoOqhSRw6g:x6WZsDSGrIw:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=iPoOqhSRw6g:x6WZsDSGrIw:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=iPoOqhSRw6g:x6WZsDSGrIw:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Fri, 26 Jun 2009 21:16:12 GMT</pubDate>
	</item>
	<item>
		<title>The Problem with Password Masking</title>
		<link>http://softsecurity.com/news/blog-posts/the-problem-with-password-masking.html</link>
		<description>I agree with &lt;a href=&quot;http://www.useit.com/alertbox/passwords.html&quot;&gt;this&lt;/a&gt;:

It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.

More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

Shoulder surfing isn't very common, and cleartext passwords greatly reduce errors.  It has long annoyed me when I can't see what I type: in Windows logins, in PGP, and so on.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=TS21BFbKpGA:OBud-qa_kGc:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=TS21BFbKpGA:OBud-qa_kGc:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=TS21BFbKpGA:OBud-qa_kGc:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Fri, 26 Jun 2009 14:17:52 GMT</pubDate>
	</item>
	<item>
		<title>Clear Shuts Down Operation</title>
		<link>http://softsecurity.com/news/blog-posts/clear-shuts-down-operation.html</link>
		<description>Clear, the company that sped people through airport security, has &lt;a href=&quot;http://www.wired.com/epicenter/2009/06/vip-airport-screening-company-closes-lanes/&quot;&gt;ceased operations&lt;/a&gt;.  My first question: what happened to all that personal information it collected on its members?  An answer appeared on &lt;a href=&quot;http://www.flyclear.com/&quot;&gt;its website&lt;/a&gt;:

Applicant and Member data is currently secured in accordance with the Transportation Security Administration's Security, Privacy and Compliance Standards. Verified Identity Pass, Inc.  will continue to secure such information and will take appropriate steps to delete the information.

Some are &lt;a href=&quot;http://practicaltravelgear.com/goodbye-clear/&quot;&gt;not reassured&lt;/a&gt;:

The disturbing part is that everyone who joined the Clear program had to give this private company (and the TSA) fingerprint and iris scans.  I never joined Clear.  But if I had, I would be extremely concerned about what happens to this information now that the company has gone defunct.

I can hear it now -- they'll surely say all the biometric and fingerprint data is secure, you don't need to worry.  But how much can you trust a company that shuts down with little notice while being hounded by creditors?

Details matter here.  Nowhere do the articles say that Clear, or its parent company Verified Identity, Inc., have declared bankruptcy.  But if that does happen, does the company's biggest asset -- the personal information of the quarter of a million Clear members -- become the property of Clear's creditors?

I previously wrote about Clear &lt;a href=&quot;http://www.schneier.com/blog/archives/2007/01/clear_registere.html&quot;&gt;here&lt;/a&gt;.  

More &lt;a href=&quot;http://ideas.4brad.com/secrets-clear-airport-security-line&quot;&gt;commentary&lt;/a&gt;.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=vyjj1cE6k0k:H-S9j3eXORI:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=vyjj1cE6k0k:H-S9j3eXORI:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=vyjj1cE6k0k:H-S9j3eXORI:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Thu, 25 Jun 2009 20:36:40 GMT</pubDate>
	</item>
	<item>
		<title>Heading to Kyoto:  Who do you want to hear from?</title>
		<link>http://softsecurity.com/news/blog-posts/heading-to-kyoto-who-do-you-want-to-hear-from.html</link>
		<description>The wife and I are all packed, the house sitter has been briefed (&amp;#8221;Just don&amp;#8217;t burn down the house while we&amp;#8217;re gone&amp;#8221;) and we&amp;#8217;re heading off to the airport in a few minutes to fly to Kyoto, Japan to attend the 21st annual FIRST Conference.&amp;#160; The folks at FIRST have tapped me to be the [...]</description>
		<pubDate>Thu, 25 Jun 2009 16:10:50 GMT</pubDate>
	</item>
	<item>
		<title>10 Things Dave wants you to know about auditors</title>
		<link>http://softsecurity.com/news/blog-posts/10-things-dave-wants-you-to-know-about-auditors.html</link>
		<description>I really wish I could disagree more with Dave Shackleford and his post, 10 Things Your Auditor Isn&amp;#8217;t Telling You, but I think he&amp;#8217;s really hit it on the head with this one.&amp;#160; And hit it hard.&amp;#160; He starts the post by saying he&amp;#8217;s not trying to be mean, but as a PCI QSA, there [...]</description>
		<pubDate>Thu, 25 Jun 2009 15:47:05 GMT</pubDate>
	</item>
	<item>
		<title>Authenticating Paperwork</title>
		<link>http://softsecurity.com/news/blog-posts/authenticating-paperwork.html</link>
		<description>It's a sad, horrific story. Homeowner returns to find his house demolished. The demolition company was hired legitimately but there was a mistake and it &lt;a href=&quot;http://www.wsbtv.com/news/19715994/detail.html&quot;&gt;demolished the wrong house&lt;/a&gt;. The demolition company relied on GPS co-ordinates, but requiring street addresses isn't a solution. A typo in the address is just as likely, and it would have demolished the house just as quickly. 

The problem is less how the demolishers knew which house to knock down, and more how they confirmed that knowledge. They trusted the paperwork, and the paperwork was wrong. Informality works when everybody knows everybody else. When merchants and customers know each other, government officials and citizens know each other, and people know their neighbours, people know what's going on. In that sort of milieu, if something goes wrong, people notice.

In our modern anonymous world, paperwork is how things get done. Traditionally, signatures, forms, and watermarks all made paperwork official. Forgeries were possible but difficult. Today, there's still paperwork, but for the most part it only exists until the information makes its way into a computer database. Meanwhile, modern technology -- computers, fax machines and desktop publishing software -- has made it easy to forge paperwork. Every case of identity theft has, at its core, a paperwork failure. Fake work orders, purchase orders, and other documents are used to steal computers, equipment, and stock. Occasionally, &lt;a href=&quot;http://www.schneier.com/blog/archives/2008/06/fax_signatures_1.html&quot;&gt;fake faxes&lt;/a&gt; result in people being sprung from prison. &lt;a href=&quot;http://www.schneier.com/blog/archives/2006/11/forge_your_own.html&quot;&gt;Fake boarding passes&lt;/a&gt; can get you through airport security. This month hackers officially &lt;a href=&quot;http://torrentfreak.com/pirate-bay-nemesis-has-name-changed-by-pranksters-090607/&quot;&gt;changed the name&lt;/a&gt; of a Swedish man.

A reporter even &lt;a href=&quot;http://www.schneier.com/blog/archives/2008/12/how_to_steal_th.html&quot;&gt;changed the ownership&lt;/a&gt; of the Empire State Building. Sure, it was a stunt, but this is a &lt;a href=&quot;http://www.schneier.com/blog/archives/2006/09/land_title_frau.html&quot;&gt;growing form&lt;/a&gt; &lt;a href=&quot;http://www.schneier.com/blog/archives/2005/08/identity_thief.html&quot;&gt;of crime&lt;/a&gt;. Someone pretends to be you -- preferably when you're away on holiday -- and sells your home to someone else, forging your name on the paperwork. You return to find someone else living in your house, someone who thinks he legitimately bought it. In some senses, this isn't new. Paperwork mistakes and fraud have happened ever since there was paperwork. And the problem hasn't been fixed yet for several reasons.

One, our sloppy systems generally work fine, and it's how we get things done with minimum hassle. Most people's houses don't get demolished and most people's names don't get maliciously changed. As common as identity theft is, it doesn't happen to most of us. These stories are news because they are so rare. And in many cases, it's cheaper to pay for the occasional blunder than ensure it never happens.

Two, sometimes the incentives aren't in place for paperwork to be properly authenticated. The people who demolished that family home were just trying to get a job done. The same is true for government officials processing title and name changes. Banks get paid when money is transferred from one account to another, not when they find a paperwork problem. We're all irritated by forms stamped 17 times, and other mysterious bureaucratic processes, but these are actually designed to detect problems.

And three, there's a psychological mismatch: it is easy to fake paperwork, yet for the most part we act as if it has magical properties of authenticity. 

What's changed is scale. Fraud can be perpetrated against hundreds of thousands, automatically. Mistakes can affect that many people, too. What we need are laws that penalise people or companies -- criminally or civilly -- who make paperwork errors. This raises the cost of mistakes, making authenticating paperwork more attractive, which changes the incentives of those on the receiving end of the paperwork. And that will cause the market to devise technologies to verify the provenance, accuracy, and integrity of information: telephone verification, addresses and GPS co-ordinates, cryptographic authentication, systems that double- and triple-check, and so on.

We can't reduce society's reliance on paperwork, and we can't eliminate errors based on it. But we can put economic incentives in place for people and companies to authenticate paperwork more.

This essay &lt;a href=&quot;http://www.guardian.co.uk/technology/2009/jun/24/read-me-first-identity-fraud&quot;&gt;originally appeared&lt;/a&gt; in The Guardian.
&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=0FFwSynZczg:F-5QHkxrpiQ:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=0FFwSynZczg:F-5QHkxrpiQ:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=0FFwSynZczg:F-5QHkxrpiQ:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Thu, 25 Jun 2009 14:11:32 GMT</pubDate>
	</item>
	<item>
		<title>Microsoft Security Essentials Beta Full in One Day</title>
		<link>http://softsecurity.com/news/blog-posts/microsoft-security-essentials-beta-full-in-one-day.html</link>
		<description>After &lt;a href=&quot;http://blogs.technet.com/security/archive/2009/06/23/microsoft-free-anti-malware-morro-microsoft-security-essentials-released-as-beta.aspx&quot;&gt;launching yesterday&lt;/a&gt;, the &lt;a href=&quot;http://www.microsoft.com/security_essentials/&quot;&gt;Beta for Microsoft Security Essentials&lt;/a&gt; has filled up -- see the screenshot below.&amp;#160; This first Beta was limited to 75,000 participants within some targeted geographies and it is encouraging to see this target achieved in such a short time.  &lt;a href=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftSecurityEssentialsBetaFullinOne_F6A4/mse-beta-full.png&quot;&gt;&lt;img style=&quot;border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px&quot; title=&quot;mse-beta-full&quot; border=&quot;0&quot; alt=&quot;mse-beta-full&quot; src=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftSecurityEssentialsBetaFullinOne_F6A4/mse-beta-full_thumb.png&quot; width=&quot;644&quot; height=&quot;465&quot; /&gt;&lt;/a&gt;&lt;img src=&quot;http://blogs.technet.com/aggbug.aspx?PostID=3258443&quot; width=&quot;1&quot; height=&quot;1&quot;&gt;</description>
		<pubDate>Thu, 25 Jun 2009 03:32:27 GMT</pubDate>
	</item>
	<item>
		<title>Workshop on Economics of Information Security</title>
		<link>http://softsecurity.com/news/blog-posts/workshop-on-economics-of-information-security.html</link>
		<description>I'm at the 8th &lt;a href=&quot;http://weis09.infosecon.net/&quot;&gt;Workshop on Economics and Information Security&lt;/a&gt; at University College London (field trip to see &lt;a href=&quot;http://www.findagrave.com/cgi-bin/fg.cgi?page=gr&amp;GRid=3365&quot;&gt;Jeremy Bentham&lt;/a&gt;).  Ross Anderson is &lt;a href=&quot;http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/&quot;&gt;liveblogging&lt;/a&gt; the event.

I &lt;a href=&quot;http://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html&quot;&gt;wrote about&lt;/a&gt; WEIS 2006 back in 2006.&lt;br /&gt;

&lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=ZvOmVX_quaM:CAz-wXCZaAM:2mJPEYqXBVI&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=2mJPEYqXBVI&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=ZvOmVX_quaM:CAz-wXCZaAM:7Q72WNTAKBA&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=7Q72WNTAKBA&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?a=ZvOmVX_quaM:CAz-wXCZaAM:dnMXMwOfBR0&quot;&gt;&lt;img src=&quot;http://feeds.feedburner.com/~ff/schneier/fulltext?d=dnMXMwOfBR0&quot; border=&quot;0&quot;&gt;&lt;/img&gt;&lt;/a&gt;
</description>
		<pubDate>Wed, 24 Jun 2009 14:45:06 GMT</pubDate>
	</item>
	<item>
		<title>Fixing Airport Security</title>
		<link>http://softsecurity.com/news/blog-posts/fixing-airport-security.html</link>
		<description>It's been months since the Transportation Security Administration has had a permanent director. If, during the job interview (no, I didn't get one), President Obama asked me how I'd fix airport security in one sentence, I would reply: &quot;Get rid of the photo ID check, and return passenger screening to pre-9/11 levels.&quot;

Okay, that's a joke. While showing ID, taking your shoes off and throwing away your water bottles isn't making us much safer, I don't expect the Obama administration to roll back those security measures anytime soon. Airport security is &lt;a href=&quot;http://www.schneier.com/blog/archives/2007/02/cya_security_1.html&quot;&gt;more about CYA&lt;/a&gt; than anything else: defending against what the terrorists did last time. 

But the administration can't risk appearing as if it facilitated a terrorist attack, no matter how remote the possibility, so those annoyances are probably here to stay.

This would be my real answer: &quot;Establish accountability and transparency for airport screening.&quot; And if I had another sentence: &quot;Airports are one of the places where Americans, and visitors to America, are most likely to interact with a law enforcement officer - and yet no one knows what rights travelers have or how to exercise those rights.&quot;

Obama has repeatedly &lt;a href=&quot;http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment/&quot;&gt;talked&lt;/a&gt; &lt;a href=&quot;http://www.eff.org/files/filenode/foia/2009foia.mem.rel.pdf&quot;&gt;about&lt;/a&gt; increasing openness and transparency in government, and it's time to bring transparency to the Transportation Security Administration (TSA).

Let's start with the &lt;a href=&quot;http://www.schneier.com/essay-052.html&quot;&gt;no-fly and watch lists&lt;/a&gt;. Right now, everything about them is secret: You can't find out if you're on one, or who put you there and why, and you can't clear your name if you're innocent. This Kafkaesque scenario is so un-American it's embarrassing. Obama should make the no-fly list subject to judicial review.

Then, move on to the checkpoints themselves. What are our rights? What powers do the TSA officers have? If we're asked &quot;friendly&quot; questions by behavioral detection officers, are we allowed not to answer? If we object to the rough handling of ourselves or our belongings, can the TSA official retaliate against us by putting us on a watch list? Obama should make the rules clear and explicit, and allow people to bring legal action against the TSA for violating those rules; otherwise, airport checkpoints will remain a Constitution-free zone in our country.

Next, Obama should refuse to use unfunded mandates to sneak expensive security measures past Congress. The &lt;a href=&quot;http://www.usatoday.com/travel/columnist/grossman/2009-06-02-secure-flight_N.htm&quot;&gt;Secure Flight&lt;/a&gt; program is the worst offender. Airlines are being forced to spend billions of dollars redesigning their reservations systems to accommodate the TSA's demands to preapprove every passenger before he or she is allowed to board an airplane. These costs are borne by us, in the form of higher ticket prices, even though we never see them explicitly listed. 

Maybe Secure Flight is a good use of our money; maybe it isn't. But let's have debates like that in the open, as part of the budget process, where it belongs.

And finally, Obama should mandate that airport security be solely about terrorism, and not a general-purpose security checkpoint to catch &lt;a href=&quot;http://www.tsa.gov/press/happenings/florida_uniform.shtm&quot;&gt;everyone&lt;/a&gt; from pot smokers to deadbeat dads. 

The Constitution provides us, both Americans and visitors to America, with strong protections against invasive police searches. Two exceptions come into play at airport security checkpoints. The first is &quot;implied consent,&quot; which means that you cannot refuse to be searched; your consent is implied when you purchased your ticket. And the second is &quot;plain view,&quot; which means that if the TSA officer happens to see something unrelated to airport security while screening you, he is allowed to act on that. 

Both of these principles are well established and make sense, but it's their &lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/articles/A33132-2004Aug1.html&quot;&gt;combination&lt;/a&gt; that turns airport security checkpoints into police-state-like checkpoints. 

The TSA should limit its searches to bombs and weapons and leave general policing to the police - where we know courts and the Constitution still apply.

None of these changes will make airports any less safe, but they will go a long way to de-ratcheting the culture of fear, restoring the presumption of innocence and reassuring Americans, and the rest of the world, that - as Obama &lt;a href=&quot;http://media.washingtonpost.com/wp-srv/politics/documents/Obama_Inaugural_Address_012009.html&quot;&gt;said&lt;/a&gt; in his inauguration speech - &quot;we reject as false the choice between our safety and our ideals.&quot;

This essay &lt;a href=&quot;http://www.nydailynews.com/opinions/2009/06/24/2009-06-24_clear_common_sense_for_takeoff_how_the_tsa_can_make_airport_security_work_for_pa.html&quot;&gt;originally appeared&lt;/a&gt;, without hyperlinks, in the New York Daily News.
</description>
		<pubDate>Wed, 24 Jun 2009 14:40:39 GMT</pubDate>
	</item>
	<item>
		<title>Research on the Security of Online Games</title>
		<link>http://softsecurity.com/news/blog-posts/research-on-the-security-of-online-games.html</link>
		<description>&lt;a href=&quot;http://www2.computer.org/portal/web/csdl/abs/mags/sp/2009/03/msp03toc.htm&quot;&gt;The May/June 2009 issue&lt;/a&gt; of IEEE Security and Privacy contains five articles about the security of online games.  Unfortunately, the articles are all behind paywalls.
</description>
		<pubDate>Wed, 24 Jun 2009 11:33:59 GMT</pubDate>
	</item>
	<item>
		<title>The Network Security Podcast, Episode 155</title>
		<link>http://softsecurity.com/news/blog-posts/the-network-security-podcast-episode-155.html</link>
		<description>We start the show off by wishing Martin luck with his presentation at the FIRST conference in Kyoto, foolishly trusting Rich with the keys to the podcast. Then Rich fawns over his iPhone 3GS a little too much, but he does manage to talk about some cool new security features.
Rich also rants a little on [...]</description>
		<pubDate>Wed, 24 Jun 2009 02:57:54 GMT</pubDate>
	</item>
	<item>
		<title>Microsoft Free Anti-Malware (Morro/Microsoft Security Essentials) Released as Beta</title>
		<link>http://softsecurity.com/news/blog-posts/microsoft-free-anti-malware-morromicrosoft-security-essentials-released-as-beta.html</link>
		<description>&lt;a href=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftFreeAntiMalwareMorroMicrosoftSe_C246/mse-i1.png&quot;&gt;&lt;img style=&quot;border-bottom: 0px; border-left: 0px; margin: 0px 10px 5px 0px; display: inline; border-top: 0px; border-right: 0px&quot; title=&quot;mse-i1&quot; border=&quot;0&quot; alt=&quot;mse-i1&quot; align=&quot;left&quot; src=&quot;http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/MicrosoftFreeAntiMalwareMorroMicrosoftSe_C246/mse-i1_thumb.png&quot; width=&quot;240&quot; height=&quot;199&quot; /&gt;&lt;/a&gt; Though I have not been directly involved with Morro (or any other anti-malware products), I am excited to see &lt;a href=&quot;http://www.microsoft.com/security_essentials/&quot;&gt;Morro&lt;/a&gt; (&lt;a href=&quot;http://www.microsoft.com/security_essentials/&quot;&gt;Microsoft Security Essentials&lt;/a&gt;, &lt;a title=&quot;http://www.microsoft.com/security_essentials/&quot; href=&quot;http://www.microsoft.com/security_essentials/&quot;&gt;http://www.microsoft.com/security_essentials/&lt;/a&gt;) reach the next stage of development by releasing as a Beta package.  I personally think that &lt;a href=&quot;http://www.microsoft.com/security_essentials/&quot;&gt;Microsoft Security Essentials&lt;/a&gt; is a significant step forward in helping make the Internet a safer and more trusted experience for the average user.&amp;#160; That may seem strange, given how long the industry has been around and given that there are already several free antivirus solutions available, for those that have even a slight technical interest in finding them.  I've shared my experience and opinion in the past about how the business anti-malware industry drives vendors to optimize towards businesses and away from consumers, so I won't dig into that, but I do think there are some key points worth reviewing.  &lt;strong&gt;1. Barriers exist for &quot;home user&quot; 
protection.&amp;#160;&amp;#160; &lt;/strong&gt;Unfortunately, many barriers to quality PC protection remain for consumers, both in mature and emerging markets where many threats originate.&amp;#160; If you are the &quot;free IT support&quot; for your family and friends, then you already know what I'm talking about.  My Mom's PC came bundled with a trial security bundle where different components were fully enabled for some months, while other protections were partially enabled and yet other components required an upgrade to be enabled.&amp;#160; Bottom line?&amp;#160; &lt;strong&gt;Customers are confused by trials and annual subscription renewals, in many cases believing their PCs are covered when in fact their subscriptions have expired and they are not protected.&lt;/strong&gt;  And also, let's be frank, certain members of my family are just &lt;strong&gt;never&lt;/strong&gt; going to pull the trigger on some of the online subscriptions that are available, even if they could figure out which ones are legitimate and which ones are actually disguised malware or unwanted software.&amp;#160; And upgrades or updates?&amp;#160; Please.  &lt;strong&gt;2. Threats continue to grow and evolve.&amp;#160; &lt;/strong&gt;E-mail threats continue to grow and evolve, and since many of these are now blended threats involving web sites and some aspects of social engineering, they are even becoming more platform agnostic.&amp;#160; By some measures, over 97% of e-mail messages sent over the Internet fall into the &quot;unwanted&quot; and unsolicited category.  Of course, since my Mom and yours are more aware of security issues than they were 10 years ago, malware developers have begun heavily leveraging &quot;fake security software&quot; 
and social techniques to target consumers and get them to voluntarily deploy their unwanted software.&amp;#160; By providing an easy to find, easy to deploy solution from a known brand like Microsoft, Microsoft Security Essentials can help provide some basic, well, essentials to help fight this issue.  &lt;strong&gt;3.&amp;#160; Too Many Users Need More Protection.&lt;/strong&gt;&amp;#160; Ultimately, the evolution of threats and the barriers for home users combine to create a situation where many users need more protection.&amp;#160; This is not just a threat to those users, but represents a threat to the broader ecosystem when these systems are at risk of catching and spreading malware.  Key Principles  I've talked with the product teams about their driving principles and I think they are spot on for what home users need:     Essential Features that are necessary to enable a safer and more trusted Internet experience.         Real-time and scan detection and cleaning      Live Kernel Behavior monitoring (leveraging technology acquired from Komoku)      Improved anti-stealth functionality - (&quot;rootkit revealer&quot; style scanning)      Rootkit removal      Standalone boot scanning (boot to a preinstall environment to scan while completely inactive)      Frequent Dynamic Signature updates      Dynamic update capability (no wait for next &quot;full signature&quot; release)      Heuristics with pre-execution program emulation      Ability to quickly address false positives with the dynamic update capability       Easy to Get, Easy to Use         Will be easy to find from a trusted location on microsoft.com      No cost, no trials or expirations      Smart default configurations including a dark hours update schedule      Daily updates       Quiet Protection         Lightweight design, tuned for performance      CPU throttling      Fewer interruptions - no &quot;information only&quot; 
UI, only when action is needed       Deep and Broad Research Team         Led by Vinny Gullotto (long time personal colleague back to our days at McAfee)      One of the best, most experienced anti-malware research teams in the industry, built up by Vinny over the past few years.&amp;#160; &lt;strong&gt;Truly, though Microsoft has been in this space a short while, the team members that Vinny has assembled have been helping make the Internet safer for pretty much forever.&lt;/strong&gt;      Final Comments  Let me emphasize that this is just a Beta, so hopefully there will be warts.&amp;#160; Yes, I say hopefully, because the purpose of a Beta is to get a lot of folks engaged to find those warts and report them so that they can be fixed before the product is released.&amp;#160; Having said that, my next step is to install Morro on my home computers tonight and see if I can talk my Mom through installing it on her home machine 2000 miles away.&amp;#160; Those two experiences should give me some great feedback that I can feed to the Microsoft Security Essentials team to help improve the Beta for final release.&amp;#160; I'll likely share those experiences with you here on the blog.  I also ask you to try it out and share your thoughts and feedback with me.&amp;#160; I have a fair amount of product management experience and I'm happy to distill your various feedback down into some core requirements and then deliver it directly to the product team.  This is the latest in a series of steps over several years that I think is helping make tangible progress for making the Internet safer and more trusted for many users:     Lots of security improvements in Windows XP SP2.&amp;#160; Remember the days before pop-up protection was introduced into IE6 in XP SP2?&amp;#160; Remember when you kept the personal firewall turned off?    Windows Defender.&amp;#160; Breaking ground for Essentials, Defender helped raise the bar even in its Beta stage.    
Defense-in-depth security features in Windows Vista and the upcoming Windows 7.&amp;#160; Say what you want about Windows, &lt;a href=&quot;http://www.theregister.co.uk/2009/05/28/windows_kernel_safe_unlinking&quot;&gt;security researchers&lt;/a&gt; and &lt;a href=&quot;http://www.microsoft.com/sir&quot;&gt;data&lt;/a&gt; are showing that it raised the security bar.   Best regards ~ Jeff&lt;img src=&quot;http://blogs.technet.com/aggbug.aspx?PostID=3257995&quot; width=&quot;1&quot; height=&quot;1&quot;&gt;</description>
		<pubDate>Wed, 24 Jun 2009 00:06:12 GMT</pubDate>
	</item>
	<item>
		<title>John Walker and the Fleet Broadcasting System</title>
		<link>http://softsecurity.com/news/blog-posts/john-walker-and-the-fleet-broadcasting-system.html</link>
		<description>Ph.D. &lt;a href=&quot;http://www.fas.org/irp/eprint/heath.pdf&quot;&gt;thesis&lt;/a&gt; from 2001:

An Analysis of the Systemic Security Weaknesses of the U.S. Navy Fleet Broadcasting System, 1967-1974, as exploited by CWO John Walker, by MAJ Laura J. Heath

Abstract:  CWO John Walker led one of the most devastating spy rings ever unmasked in the US. Along with his brother, son, and friend, he compromised US Navy cryptographic systems and classified information from 1967 to 1985. This research focuses on just one of the systems compromised by John Walker himself: the Fleet Broadcasting System (FBS) during the period 1967-1975, which was used to transmit all US Navy operational orders to ships at sea. Why was the communications security (COMSEC) system so completely defenseless against one rogue sailor, acting alone? The evidence shows that FBS was designed in such a way that it was effectively impossible to detect or prevent rogue insiders from compromising the system. Personnel investigations were cursory, frequently delayed, and based more on hunches than hard scientific criteria. Far too many people had access to the keys and sensitive materials, and the auditing methods were incapable, even in theory, of detecting illicit copying of classified materials. Responsibility for the security of the system was distributed between many different organizations, allowing numerous security gaps to develop. This has immediate implications for the design of future classified communications systems.
</description>
		<pubDate>Tue, 23 Jun 2009 21:30:26 GMT</pubDate>
	</item>
	<item>
		<title>The Iranian Firewall</title>
		<link>http://softsecurity.com/news/blog-posts/the-iranian-firewall.html</link>
		<description>Two &lt;a href=&quot;http://asert.arbornetworks.com/2009/06/iranian-traffic-engineering/&quot;&gt;blog&lt;/a&gt; &lt;a href=&quot;http://asert.arbornetworks.com/2009/06/a-deeper-look-at-the-iranian-firewall/&quot;&gt;posts&lt;/a&gt; on Iran's attempts to censor the Internet.
</description>
		<pubDate>Tue, 23 Jun 2009 17:09:47 GMT</pubDate>
	</item>
	<item>
		<title>Eavesdropping on Dot-Matrix Printers by Listening to Them</title>
		<link>http://softsecurity.com/news/blog-posts/eavesdropping-on-dot-matrix-printers-by-listening-to-them.html</link>
		<description>Interesting &lt;a href=&quot;http://www.infsec.cs.uni-sb.de/projects/printer-acoustic/&quot;&gt;research&lt;/a&gt;.

First, we develop a novel feature design that borrows from commonly used techniques for feature extraction in speech recognition and music processing. These techniques are geared towards the human ear, which is limited to approx. 20 kHz and whose sensitivity is logarithmic in the frequency; for printers, our experiments show that most interesting features occur above 20 kHz, and a logarithmic scale cannot be assumed. Our feature design reflects these observations by employing a sub-band decomposition that places emphasis on the high frequencies, and spreading filter frequencies linearly over the frequency range. We further add suitable smoothing to make the recognition robust against measurement variations and environmental noise.

Second, we deal with the decay time and the induced blurring by resorting to a word-based approach instead of decoding individual letters. A word-based approach requires additional upfront effort such as an extended training phase as the dictionary grows larger, and it does not permit us to increase recognition rates by using, e.g., spell-checking. Recognition of words based on training the sound of individual letters (or pairs/triples of letters), however, is infeasible because the sound emitted by printers blurs so strongly over adjacent letters.

Third, we employ speech recognition techniques to increase the recognition rate: we use Hidden Markov Models (HMMs) that rely on the statistical frequency of sequences of words in text in order to rule out incorrect word combinations.  The presence of strong blurring, however, requires to use at least 3-grams on the words of the dictionary to be effective, causing existing implementations for this task to fail because of memory exhaustion. To tame memory consumption, we implemented a delayed computation of the transition matrix that underlies HMMs, and in each step of the search procedure, we adaptively removed the words with only weakly matching features from the search space.

We built a prototypical implementation that can bootstrap the recognition routine from a database of featured words that have been trained using supervised learning. Afterwards, the prototype automatically recognizes text with recognition rates of up to 72 %.

Researchers have done lots of work on eavesdropping on remote devices.  (&lt;a href=&quot;http://www.schneier.com/blog/archives/2008/10/remotely_eavesd.html&quot;&gt;One example&lt;/a&gt;.)  And we know the various intelligence organizations of the world have been doing this sort of thing for decades.
</description>
		<pubDate>Tue, 23 Jun 2009 14:16:49 GMT</pubDate>
	</item>
	<item>
		<title>John Mueller on Nuclear Disarmament</title>
		<link>http://softsecurity.com/news/blog-posts/john-mueller-on-nuclear-disarmament.html</link>
		<description>The New York Times website has a &lt;a href=&quot;http://roomfordebate.blogs.nytimes.com/&quot;&gt;blog called &quot;Room for Debate,&quot;&lt;/a&gt; where a bunch of people -- experts in their areas -- write short essays commenting on a news item.  (I &lt;a href=&quot;http://roomfordebate.blogs.nytimes.com/2009/05/29/a-plan-of-attack-in-cyberspace/&quot;&gt;participated&lt;/a&gt; a few weeks ago.)  Earlier this month, there was a post on nuclear disarmament, following President Obama's speech in Cairo that mentioned the subject.  One of the commentators was &lt;a href=&quot;http://polisci.osu.edu/faculty/jmueller/&quot;&gt;John Mueller&lt;/a&gt;, Ohio State University political science professor and longtime critic of the terrorism hype.  (I recommend his book, &lt;a href=&quot;http://www.amazon.com/Overblown-Politicians-Terrorism-Industry-National/dp/1416541713/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1245104507&amp;sr=8-1&quot;&gt;Overblown&lt;/a&gt;.) His &lt;a href=&quot;http://roomfordebate.blogs.nytimes.com/2009/06/07/no-nukes-possibility-or-pipedream/#john&quot;&gt;commentary&lt;/a&gt; was very good; I especially liked the first sentence.  An excerpt:

The notion that the world should rid itself of nuclear weapons has been around for over six decades -- during which time they have been just about the only instrument of destruction that hasn't killed anybody. The abolition idea has been dismissed by most analysts because, since inspection of any arms reduction cannot be perfect, the measure could potentially put wily cheaters in a commanding position.

There may be another approach to the same end, one that, while also imperfect, would require far less effort while greatly reducing the amount of sanctimonious huffing and puffing we would have to endure.

Just let it happen.

While it may not be entirely fair to characterize disarmament as an effort to cure a fever by destroying the thermometer, the analogy is instructive when it is reversed: when fever subsides, the instrument designed to measure it loses its usefulness and is often soon misplaced.

Indeed, a fair amount of nuclear arms reduction, requiring little in the way of formal agreement, has already taken place between the former cold war contestants.
</description>
		<pubDate>Mon, 22 Jun 2009 21:46:56 GMT</pubDate>
	</item>
	<item>
		<title>NFR Letter to the PCI Council</title>
		<link>http://softsecurity.com/news/blog-posts/nfr-letter-to-the-pci-council.html</link>
		<description>The representatives of the National Retail Federation and other associations sent a letter to Bob Russo of the PCI Council on June 8th.&amp;#160; While the letter makes a couple of interesting points, it&amp;#8217;s mostly smoke and mirrors meant to draw attention away from the fact that many merchants don&amp;#8217;t want to spend the time and [...]</description>
		<pubDate>Mon, 22 Jun 2009 20:29:47 GMT</pubDate>
	</item>
	<item>
		<title>Engineers More Likely to Become Muslim Terrorists</title>
		<link>http://softsecurity.com/news/blog-posts/engineers-more-likely-to-become-muslim-terrorists.html</link>
		<description>Time to &lt;a href=&quot;http://www.newscientist.com/article/mg20227127.200-can-university-subjects-reveal-terrorists-in-the-making.html&quot;&gt;start profiling&lt;/a&gt;.
</description>
		<pubDate>Mon, 22 Jun 2009 15:10:52 GMT</pubDate>
	</item>
</channel>
</rss>