I’ve been keeping track of interesting stories about security over the past couple of months for my intersession course, mostly ones that I have found through Slashdot, BoingBoing and/or Digg. As part of the process of selecting which ones will make it into the final week of the course and which ones will not, I thought I would put the whole list here, mostly without comment. If you notice anything that seems particularly interesting (especially if you happen to be in my course!) let me know and it will probably move up my list of things to discuss.
- Last year’s Hack of the Year involves a Swedish hacker obtaining passwords for a number of governmental and embassy email accounts using TOR, an open-source tool that obscures web traffic. Think TOR sounds cool? Check out this guide to using TOR to surf anonymously to learn more about how it works.
- Not surprisingly, a study of wireless networks used in retail stores shows that most of them are insecure to some degree, with 25% not even using any encryption at all.
- We have read about hackers taking advantage of default passwords back in the 80s, but it remains a problem and there are a number of lists out there of default passwords for modern hardware.
- This is a slightly older story and the infected drives were pulled off the market, but certain Maxtor 500GB hard drives were shipped with Trojans on them that send information stored on them back to sites registered in Beijing. It seems that hardware being shipped with malware preinstalled is a growing problem, with digital photo frames also recently being found infected.
- We all got used to the idea of disabling Javascript or Java in our browsers to block malware, but now Flash advertisements have malware embedded in them too.
- Sometimes what you think is a virus is just Microsoft being Microsoft: “During normal operation or in Safe mode, your computer may play “Fur Elise” or “It’s a Small, Small World” seemingly at random. This is an indication sent to the PC speaker from the computer’s BIOS that the CPU fan is failing or has failed, or that the power supply voltages have drifted out of tolerance.”
- A hole in QuickTime allows SecondLife avatars to be hijacked and made to turn over their Linden cash. Huh – I am about halfway through that novel…. More seriously, though, security within MMORPGs as a subset of software security seems to be a growing topic of interest.
- A McAfee report predicts more cyberattacks against and by governments in the coming years, based on evidence that many countries, including the US, have already started to use cyberattacks. It seems the attacks are mostly for the purpose of espionage. A related article coming out of this report frames the issue as a coming cyber cold war – interesting in the context of this report that a number of recent blackouts outside the US were due to cyberattacks. And cyber-espionage need not be just against countries; corporate cyber-espionage is also believed to be on the rise.
- There is a lot of argument about how to compare the relative safety or number of holes in operating systems or software. Recently Microsoft reported that the number of holes announced in IE was less than in Firefox, and the Head Security Strategist at Mozilla responded that the count did not include holes patched silently in major service packs and thus never announced, and discusses the security risk this represents for users. A similar argument gets made in comparing Mac versus Windows vulnerability stats, with Mac by this report having many more flaws, but there being a question of whether apples are being compared to apples or not…
- This commentary on the balance between security and usability is worth reading. Part of the usability issue here is supporting deprecated filetypes, and whether that support needs to include security patches.
- This long technical article, in PDF format, describes a Chinese black market in malware. I have only skimmed the article so far, but it has an interesting classification of the different players in the black market and how they relate to each other, as well as a couple of case studies. Somewhat related is this article on the emerging “malware economy”.
- If cracking WEP seems daunting (though it probably shouldn’t after reading that guide…), maybe you want to practice on the less securely encrypted wireless keyboards.
- Lots of end-of-the-year reports, including that 3.2 billion dollars was lost to phishing attacks and that anti-virus protection is less effective at detecting malware when measured by how products respond to new attacks.
- Sometimes sneaky malware-style behavior finds its way into commercial products, such as the feature in Adobe’s CS3 that reports back usage data to a server with a sketchy name.
- South Carolina may require forensic investigators to have a PI license, and some are concerned since the specialized skill set for forensic investigation currently has little overlap with the training and skill set of licensed PIs. The motivation, of course, being a desire to ensure that evidence to be used in trial is collected using appropriate standards.
- A recent report says that projects to find and repair security holes in open source software are proceeding well – the more interesting part of the article possibly being the large government-supported effort to harden open source systems as their use expands. This would appear to be another “hidden” cost of free, open-source software.
- A case originating a couple of years ago and centering around the question of whether unauthorized (but unblocked) whois and DNS lookups constitute hacking has been decided in the positive (more commentary critical of the decision here).
- Worried after all of this that your computer is going to go kablooey any minute now? Keep this nifty Ubuntu LiveCD based technique for restoring your Master Boot Record in your back pocket…
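The post links to a LiveCD technique but does not show it, so here is an added example (not from the original post or from the linked guide) of the part of that procedure a practitioner most wants to get right before touching a disk: backing up the 512-byte MBR, checking that a backup actually carries the 0x55AA boot signature, and only then writing it back. The functions take a path as the device, which on a real system run from a live CD would be the block device (for example /dev/sda, an assumption); here they are exercised against a constructed 1 MiB disk image so the script runs harmlessly offline.

```shell
#!/bin/sh
# Added example, not the original post's or the linked guide's code.
# Back up, validate and restore a 512-byte Master Boot Record.
# "$dev" is any path: a real block device such as /dev/sda (assumption,
# run from a live CD) or, as below, a constructed disk image file.

# Copy the first 512 bytes (boot code, partition table, 0x55AA signature)
# of the device to a backup file.
mbr_backup() {
    dev="$1"; out="$2"
    dd if="$dev" of="$out" bs=512 count=1 2>/dev/null
}

# Return 0 if the file has the 0x55AA boot signature at offset 510.
# A backup taken from the wrong disk or a zeroed sector fails this check.
mbr_is_valid() {
    sig=$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Write a backup back to the device, refusing anything that is not a
# plausible MBR so a bad file cannot be written over a good sector.
mbr_restore() {
    backup="$1"; dev="$2"
    if ! mbr_is_valid "$backup"; then
        echo "refusing: $backup carries no 55AA boot signature" >&2
        return 1
    fi
    dd if="$backup" of="$dev" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Constructed demo input: a zero-filled 1 MiB image with a valid
# signature written at offset 510 (0x55 = \125, 0xAA = \252 in octal).
make_demo_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Walk through the procedure on the image: back up, clobber, restore.
demo() {
    d=$(mktemp -d)
    make_demo_image "$d/disk.img"
    mbr_backup "$d/disk.img" "$d/mbr.bak"
    dd if=/dev/zero of="$d/disk.img" bs=512 count=1 conv=notrunc 2>/dev/null
    mbr_restore "$d/mbr.bak" "$d/disk.img" && mbr_is_valid "$d/disk.img"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

One caveat worth knowing before using this on a real disk: the full 512-byte backup includes the partition table, so restoring an old backup after the disk has been repartitioned would silently bring back a stale table. If only the boot code was damaged, restoring just the first 446 bytes (count=446 on the dd) leaves the current partition table alone.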
Excellent post. I remember hearing about many of these things over the course of the year. The following is just an explosion of short ideas.
Tor is a great utility which aids the privacy of Internet users, and personally I’ve been using it for about 2 years now coupled with Privoxy. However, I started not using it for sensitive data connections, due to the exit nodes being unencrypted. Nowadays I rarely use it at all, since the connections are so slow.
The Maxtor hard drives — Brad and I actually did a 10 minute podcast segment that never made it into a blog post, but I thought this was a new step into malware. Then the digital picture frame malware came out, and I realized that the digital progression of the world is starting to walk a very dark path. It’s going to get to the point where any piece of digital equipment you plug into the computer is going to need to be formatted in some way as a precaution.
In regard to the Flash ads, I’ve completely forgotten about ads with the combination of AdBlock Plus and NoScript in Firefox. I also keep the Netcraft toolbar installed, which checks URLs for phishing attempts and stops and warns you before going to a website which looks like it contains a phished URL.
I want my computer to sing to me when it’s about to blow up. I was amused when I discovered this, but I don’t think it should play something happy, it obviously needs something like a funeral dirge.
The malware industry is booming and is being used globally by anyone who needs a computer network to send spam or DDoS attacks. It’s extremely profitable, and also highly unlikely to be taken down or busted by authorities due to the jurisdiction. The people running the botnets more than likely live overseas where the governments could care less, and the computers are infected worldwide. This makes things incredibly difficult. Not to mention that the person has complete control over the computers, and can change the servers the botnet reports to, etc. to conceal activities. Malware and botnets are the new black market in digital form.
I remember reading about Coverity and I was very happy with what they are doing, and I hope they continue on, validating the idea that open source software is just as good as any, if not better.
Whois and DNS lookups constitute hacking? Sounds like someone needs to figure out what those terms actually mean, then figure out what hacking is, then find their ass from a hole in the ground. That information is out there for a reason — as a point of contact if something looks wrong. If the activists believed this guy’s servers were sending spam, then they had every right to whois and DNS lookup him and expose it. That’s what it’s there for. Sounds like someone got caught doing something wrong and now is crying foul with a lawsuit, and sadly won.