January 2012
1 post
3 tags
Bad password advice
In the December issue of Computer Fraud & Security, an article by Prof Steven Furnell - ‘Assessing password guidance and enforcement on leading websites’ - presents some fascinating original research into the password practices of various leading websites - and also paints a somewhat worrying picture.
In the article, Prof Furnell, of the University of Plymouth, follows up on...
December 2011
1 post
6 tags
Review: BackTrack 5 Wireless Penetration Testing
Vivek Ramachandran. Published by Packt Publishing (ISBN: 978-1-849515-58-0). Price: $49.99, 208pgs, paperback.
It says something for the ubiquitous nature of wifi that this subject warrants a book to itself. Wireless networks are everywhere - some would argue they’re in too many places. And as we discuss in the article on pg.14 of this issue, the technologies that are supposed to secure...
November 2011
1 post
4 tags
Users are stupid
At the recent RSA Europe conference in London, security consultant Ira Winkler said something we’re not supposed to utter. To paraphrase, he said: “Users are stupid”.
We all know that computer users do stupid things. Infosecurity professionals within organisations must despair every time they hear, “Well, I clicked on the link because…” or “I gave him my password because…” followed by any one of...
October 2011
5 posts
4 tags
Black Project: security, secrecy and conspiracy
I’ve always been fascinated by the weird things people choose to believe. Credulity is a powerful force - it is the foundation, after all, of social engineering.
And I love a good conspiracy theory. The wackier the better. There are few things more entertaining than watching people construct a complex argument that can be demolished in a moment with a swift flick of Occam’s Razor.
...
3 tags
Hacktivism: assessing the damage
My feature from the Aug 2011 issue of Network Security.
7 tags
Interview: Greg Hoglund - a fight-through...
The recent RSA Europe conference in London was unusual. Some of the high-profile security firms exhibiting and presenting have also been victims of serious breaches this year.
RSA, rather notoriously, had its SecurID product compromised by what it insists were state-sponsored hackers. Raytheon admitted to a couple of breaches. And also present at the conference, both in the exhibition hall and in...
3 tags
Review: Practical Lock Picking
Deviant Ollam. Published by Syngress (ISBN: 978-1-59749-611-7). Price: $34.95, 230pgs, paperback.
Picking locks and hacking have gone hand-in-hand right from the earliest days. Back in those heady years at MIT, when the term ‘hacking’ carried only positive connotations, lock picking was seen as part and parcel of the inquisitive nature that drove hackers.
Today, lock picking...
5 tags
Sony: just another victim
One of the most interesting aspects of the Anonymous/LulzSec hacking of Sony is the opportunity to observe what effects it might have over time. Now a legal decision in Australia has placed Sony in a position that, I suspect, it finds very agreeable - as a victim.
While most security analysts seem to agree that the hacks themselves were fairly trivial - from both a technical perspective and in...
September 2011
3 posts
3 tags
Review: Metasploit: the penetration tester's guide
By David Kennedy, Jim O’Gorman, Devon Kearns and Mati Aharoni. Published by No Starch Press (ISBN: 978-1-59327-288-3). Price: $49.95, 300pgs, paperback.
Metasploit has been such a key weapon in the penetration tester’s armoury for so long that a book like this is long overdue. Yes, there are other titles that provide a general guidance to the software, but this one is very focused on...
4 tags
Watch out! Hackers!
The very word ‘hacking’ is enough to make some people paranoid. Of course, it doesn’t help if they’re paranoid already.
Case in point: last week I was on a Certified Ethical Hacker (CEH) course in the UK. Right at the beginning, our instructor warned, “If anything goes wrong, even if the Coke machine breaks, we’ll get blamed”. And so it proved.
The...
3 tags
Wikileaks' security failure
Wikileaks has committed a cardinal security sin, and is busy trying to blame it on The Guardian.
It all revolves around the infamous ‘Cablegate’ memos - the US diplomatic cables that Wikileaks has been peddling for some time now.
Wikileaks has been working with media organisations in an attempt to release the material in a piecemeal fashion. The reason for this is to cherry-pick the most...
August 2011
2 posts
2 tags
When is #Anonymous not Anonymous?
Not for the first time, the Anonymous activist collective is suffering some brand issues. It turns out that claiming you are ‘leaderless’ and ‘decentralised’ is something of a two-edged sword.
It’s also a lie, of course.
The concept is that anyone can operate under the Anonymous banner. There are no committees to attend, no leader from whom you need to seek...
3 tags
Time for a #LulzSec successor
Now that (allegedly) LulzSec spokesteen ‘Topiary’ has been arrested, and it’s only a matter of time before ‘Sabu’ is looking down the barrel of a law enforcement raid, maybe it’s time for a new group to take up the mantle of AntiSec.
We’ve already seen the rise of TrollzSec, which successfully outed Topiary’s true identity.
But there’s room...
June 2011
4 posts
4 tags
Dropbox security
A backlash against Dropbox shows just how little people understand security.
It seems that some people actually fell for Dropbox’s early assertions that files stored on the system might be more secure than those on your hard disk (ignoring the fact that these files are actually stored in both locations). No-one, but no-one, has access to your files, claimed the company.
Later, Dropbox...
1 tag
Talking about risk
The information security business is a bit like the world of 1970s French movies. At the time, these films had a reputation for being racy, of containing a lot of delicious naughtiness that was nevertheless somehow culturally uplifting. When you actually sat through them you found there was a lot of talking and very little action.
In the infosec domain I hear a lot about risk. Companies understand...
3 tags
Password problems
Some of the recent stunts by online mayhem seekers LulzSec have highlighted (again) something we all know: it’s bad to use a password for more than one website.
Recently, LulzSec hacked porn site pron.com, obtaining customer logins and admin credentials for a number of other porn sites - all with passwords apparently stored in plain text. Leaving aside the embarrassment that will be caused...
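The two failures in that story are separate: one site storing passwords in plain text, and users reusing a password across sites. The following added example (my illustration, not code from the post or from any of the sites it mentions) shows why fixing only the first does not fix the second. Site B hashes passwords properly with a per-user salt and PBKDF2, yet a plaintext leak from site A still lets an attacker walk straight in, because the hash protects the password store, not the reused password. The user, password and site names are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh 16-byte random salt per user means two users (or two sites)
    with the same password get different records, so a leaked table cannot
    be attacked with one precomputed rainbow table.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes match."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


# Constructed sample data (hypothetical sites and user, not real credentials).
# Site A kept passwords in plain text; this is what an attacker walks away with.
SITE_A_LEAK: Dict[str, str] = {"alice": "correct horse", "bob": "hunter2"}

# Site B did the right thing and stored only salted PBKDF2 hashes.
# alice reused her site A password; bob did not.
SITE_B_STORE: Dict[str, str] = {
    "alice": hash_password("correct horse"),
    "bob": hash_password("a different password"),
}


def credential_stuffing(leak: Dict[str, str], target: Dict[str, str]) -> List[str]:
    """Replay leaked plaintext logins against the target site's hashed store.

    Returns the usernames that fall. Proper hashing on the target does not
    stop this: the attacker already has the plaintext, so the only defence
    left is the user not reusing the password (or a second factor).
    """
    return [
        user
        for user, password in leak.items()
        if user in target and verify_password(password, target[user])
    ]


if __name__ == "__main__":
    print("Accounts on site B opened by the site A leak:",
          credential_stuffing(SITE_A_LEAK, SITE_B_STORE))
```

The record format embeds the algorithm and iteration count so the work factor can be raised later and old records re-hashed on next login; the constant-time comparison and the per-user salt are the two details most often got wrong by sites that do bother to hash at all.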
3 tags
Just in it for the lulz?
Supporters of Wikileaks are dedicated to freedom of speech - until, that is, someone disagrees with them.
“Humankind,” wrote Eliot, “cannot stand very much reality”. And so it is with a bunch of self-styled net buccaneers calling itself LulzSec.
The US Public Broadcasting Service (PBS) - normally the darling of those with anti-corporate leanings - has suffered the ire of...
April 2011
7 posts
4 tags
The wrong way to do software security
There is yet another example of how so-called ‘hacker’ laws can actually diminish security.
According to a post on DarkReading, a researcher who goes by the name of Acidgen is being threatened with criminal and civil suits by a firm whose software contains a security vulnerability. Acidgen found the stack buffer overflow in Music Maker 16 and made the mistake of telling the vendor,...
4 tags
Apple: not so obscure any more
It’s long been claimed that Apple platforms have been free of malware mainly because they represent such a small niche of the market that it wasn’t worth the effort creating viruses and trojans for them.
Not any more.
In fact, Apple has had such a significant share of the market for so long that it’s a wonder we haven’t seen more malware. What’s more, given the high...
3 tags
iPhone tracking: much ado about bugger all
Well, we’ve all had a jolly good time getting hysterical about the alleged ‘tracking’ of our movements by our iPhones. Even the revelation that Android devices do a similar thing hasn’t stopped the Apple-bashing.
Nor was the hysteria dampened all that much by Apple’s somewhat tardy explanation, in which it admits that some of the data collection is due to bugs that will be fixed soon.
What exactly...
6 tags
Banging the drum for security
#IBM #Infosec — IBM recently opened its Institute for Advanced Security, based in Brussels, with the avowed aim of helping companies and academics better understand cyber-threats and how to deal with them. IBM believes there is a need for a new conduit to help information flow between the public and private sectors. It also wants to provide easier access to its own research, services, products and...
2 tags
Two sides of security
#BSidesLondon #Infosec - At Infosec (or Infosecurity Europe 2011 to give it the full majesty of its title, which no-one ever uses) it was all business. Security is a large industry, with expensive toys and big-budget services. Infosec is like any trade show: there are bright, impressive stands and bright, eager people who will impress on you that this is an industry with exciting solutions that...
3 tags
It's about consumerisation, stupid
#infosec - If you bring your own smartphone or tablet to work, you’re not alone. Opinions vary about how much of a problem this presents to an organisation’s information security, but ‘consumerisation’ was the topic you just couldn’t escape at this year’s InfoSecurity show.
Yes, cloud was big too. But then it has been for some time and I got the impression that...
4 tags
Nice try, Sophos
Stop using that iPad now! That’s the warning from Sophos for those of you who: a) are concerned about data theft; and b) don’t know what day it is. Here’s the press release:
Sophos warns: iPad 2 and other mobile devices vulnerable to proximity theft
Aptly-named “substrate hack” could steal data from uncovered devices - but metallic crisp packets can provide temporary...
March 2011
1 post
3 tags
UK gets cyber-security chief
An unnamed “very senior military officer” has been appointed to head the UK Government’s cyber-security operations. He’ll have a £650m budget to play with, the amount set aside for the new Defence Cyber Operations Group.
Let’s hope he has more of a clue about cyber-security than Foreign Secretary William Hague.
Back in February, Hague prattled on about how the...
February 2011
3 posts
3 tags
Eek! I got cloned...
Having your credit card cloned is, sadly, an all too common experience. It hadn’t happened to me, but it has now.
The first clue that something was amiss was when my charge card account disappeared from my bank’s online banking service. Today, I was going to call the bank and give them a bollocking. Glad I didn’t.
The postwoman delivered two letters from the bank - the monthly statement for the...
1 tag
Net neutrality: long time dead
The idea of a neutral Internet over which all traffic is treated as equal has been dead for a while. To some degree, anyway.
The debate that’s grabbed the headlines recently has been the noble attempt by the US Federal Communications Commission (FCC) to introduce rules enforcing net neutrality. The FCC went up against powerful lobbies and the result was a somewhat compromised success. Noble...
2 tags
The biggest security threat - money
This is hardly news, but some chats I had at the recent NetEvents EMEA Press Summit underlined for me that network security will never be rid of its most pernicious vulnerability - budgets.
Security costs money, there’s simply no getting around that. The problem is, while an organisation’s defences are subject to budget constraints and the need - as with any IT infrastructure - to sweat assets,...
January 2011
8 posts
3 tags
Brits in two minds about data security
Some 80% of people in the UK are “concerned about protecting their personal information online”, says the Information Commissioner’s Office (ICO). An even bigger proportion (96%) feels that organisations are not to be trusted with this information, because they’re not up to the job of keeping it safe.
Not much grey area there, then. Brits are clearly worried about what...
3 tags
Situational awareness for protestors
Avoiding being ‘kettled’ is now easier for students and other protestors in London. And it’s all to do with a smart way of sharing intelligence.
In the military world, there’s a lot of talk about ‘data fusion’ and ‘situational awareness’. This is where data from all kinds of systems - surveillance drones, fighter aircraft targeting pods, satellite...
4 tags
Facebook SSL security upgrade: why?
Facebook is now making it possible for users to access the site via SSL (ie, using ‘https’ rather than ‘http’). But is the timing significant?
Two things suggest it might be. The first is the hijacking of Facebook logins by the Tunisian Government. But the cynic in me says that a more likely reason is the ‘hacking’ of Mark Zuckerberg’s own Facebook page.
...
5 tags
FBI acts against 40 Anons
The execution of 40 search warrants by the FBI against alleged members of Anonymous is part of a co-ordinated operation with the UK’s Metropolitan Police Service, which made five arrests yesterday.
The FBI hasn’t announced any arrests yet and isn’t giving up much information about its targets. Its press release is pretty clear, however, that it is treating the DDoS attacks...
5 tags
Anonymous arrests
Five young men have been arrested in the UK in connection with DDoS attacks mounted by the Anonymous group, according to a report by the BBC. The five range in age from 15 to 26.
This was predictable - up to a point. Anonymous takes a fairly callous ‘cannon fodder’ attitude to its ‘members’ (if you can call them that).
The Low Orbit Ion Cannon (LOIC) software - the weapon...
6 tags
The year ahead
At the turn of the year, it’s practically a tradition that security and anti-malware vendors make their prognostications for what lies ahead for us over the next 12 months. Most of the predictions are, as it were, predictable. More malware, more Stuxnet-like cyberwar disguised as malware, more targeted phishing and a greater focus on mobile and Apple platforms as they become increasingly...
4 tags
A positive approach to the social media problem
Like it or not, social networking is a part of your organisation. Facebook, LinkedIn, Twitter and all those other time-wasting pastimes — or effective communications channels, if you prefer — are occupying at least a part of your workers’ time.
The dangers are familiar, including data leaks and reputational damage. And the countermeasures are equally varied, including banning the use of social...
2 tags
Who is Anonymous?
Reports that members of the Anonymous hacktivist movement have defaced the website of Irish opposition party Fine Gael are being denied by … well, members of Anonymous.
The hack exposed details of 2,000 members of the party. But chatter within Anonymous IRC channels suggests that most people who identify themselves with Anonymous want to distance themselves from this action.
It’s a...
December 2010
3 posts
5 tags
Operation Payback - success or failure?
Just how successful were the Anonymous Operation Payback DDoS attacks? Now that the hysterical press coverage has died down, it’s time to take stock.
It’s important to understand the nature of Anonymous: it’s not like a cybercrime gang aiming a botnet at a blackmail target. Nor is it like the Chinese attempting to take down Google.
Anonymous is more amorphous. The group (and we have to have some...
3 tags
An alternative DNS
Peter Sunde, formerly of the Pirate Bay, has announced his intention to create an alternative DNS infrastructure so that the Internet is no longer under the control of the authorities - particularly those in the US.
Perhaps prompted by the recent taking down of 82 websites in the US accused of selling counterfeit goods or infringing copyright, Sunde tweeted:
“Hello all #isp of the world....
1 tag
Are mobile broadband numbers recycled?
Recently, we’ve been making heavy use of a mi-fi unit (see some of our adventures here). It’s currently fitted with a mobile broadband SIM from French telco SFR.
In addition to net access, you also get SMS text messaging. And since using the SFR SIM we’ve been getting a weekly bank account update.
Only it’s not for our account.
The SMS message is being sent by BNP...
November 2010
1 post
2 tags
Public infections
‘Dead Drops’ is a project underway in New York City by Berlin-based Aram Bartholl. It involves embedding USB flashdrives into walls, with just the plug sticking out (see Flickr photostream here). The idea is that passing people lean against the wall cradling their netbooks and laptops, plug into the flashdrive and share files - picking up or dropping off. It’s art, apparently.
...
September 2010
1 post
3 tags
Forget privacy, here's something shiny...
A recent experiment found that people don’t really care about privacy on the Internet, so let’s get over ourselves.
So long as you offer people something they want, they’ll happily give up private information. This is according to Upshot, a Chicago-based marketing agency.
Oh, wait, hang on a minute. A marketing agency? Do I scent a whiff of self-interest?
According to this...