Like we really needed this.

Hacker’s Blog

January 30, 2006

The sky is falling! Virtually

Filed under: Security — Hacker @ 4:32 pm

Late last year VMware released a very cool new tool called VMware Player. There are now so many cool things that one can do with VMware that it boggles the mind.

Of course a lot of them are big security problems. Big enough to make the whole “USB drives/iPods are evil” scare a while back look, well, as silly as the whole thing was. I’m not going to start listing all of the obnoxious things I can do with VMware just yet. I don’t want the panic to get started before I get the chance to build some of them out and have some fun.

However, for the record, I do proclaim that VMware and the portability of VMware Player is a significant technology change that now opens many security holes. Way more than just copying files around.

• • •
 

January 26, 2006

Real Security – A different perspective about information security

Filed under: Personal,Security — Hacker @ 2:35 pm

Wow, one of my security heroes has a blog and it looks a whole lot better than mine.

Real Security – A different perspective about information security

This reminds me that I really need to keep in touch with people better.

Hopefully, once again, I’ll be borrowing from Jim to make myself look competent. This time for my blog’s design evolution.

• • •
 

January 23, 2006

Phishing Prevention for Dummies

Filed under: Security — Hacker @ 7:42 pm

It seems that too many online institutions still don’t get the phishing threat. Take a look at this email from an ISP, which does more to bait phishers’ hooks than to cut phishing lines.

Dear ISP Subscriber,

ISP is committed to providing you with a safe and secure
online experience — and we’d like to share some important
information to help you avoid online scams and safeguard your
computer from viruses, spyware, and other security threats.

********************************
PROTECT YOURSELF WITH THESE TIPS
********************************
1. Be wary of opening email from people you don’t know. Even
if you know the sender, use caution before opening a message
with a strange subject line or an unexpected attachment.

Hmmm. Do I know you “Support”?

2. Choose your passwords carefully and keep them safe. For tips
on creating secure passwords, please visit:
http://www.ISP.net/password

Gee, that link looks safe. It’s always good to prime the clicking finger with good links first.

3. Never email your password, or sensitive personal information,
such as your credit card number, Social Security number, secret
word, or PIN.

More thoughtful good advice. This has got to be real.

4. Never click on a link in an email that asks you to submit
sensitive information, as the link can redirect you to a
fraudulent Web site designed to steal that information. To
ensure that a site is legitimate, always type the Web address
into your browser.

Gosh darn it, if that ain’t the pig’s potato I don’t know my cow pies from my Aunt Lucille’s mincemeat.

************************************************
INSTALL FREE ISP PROTECTION CONTROL CENTER
************************************************
The ISP Protection Control Center is your one,
easy-to-use program that provides everything you need to stay
safe online, including:

*Single scan for spyware and viruses

*AntiVirus and Firewall software with automatic updates to
ensure you’re protected against the latest online threats

*Spyware Blocker — detects and disables invasive programs that
secretly install themselves on your computer and track your
online activities

*ISP Toolbar — sits above your Web browser and includes
our exclusive Pop-Up Blocker and ScamBlocker, which prevents you
from visiting Web sites that are on our “scam list”

The Protection Control Center is available through our FREE
TotalAccess software. If you have not installed TotalAccess, you
can download the software or order a free CD copy at:
http://www.ISP.net/home/software

Gee, what great software. I should get that installed right away. Let me click on that link, which must be good since this whole message seems as caring and honest as ol’ Preacher Morganstern and if that dear man were still alive would probably be in the sermon this Sunday. Hallelujah.

Once you’ve installed TotalAccess, or if you already have the
software, you may need to run the Update Service to install
the ISP Protection Control Center. On the TotalAccess
Task Panel, just click on “Toolbox,” then “Check for Updates.”

Yessirree. I want every piece of software I own to automagically go out and patch itself without me knowing a damn thing about how it works or if it is secure.

******************************
VISIT THE MYSECURITY WEB PAGE
******************************
The mySecurity Web page has all the information you need to
protect your PC and your privacy online:
http://www.ISP.net/mysecurity

**********
NEED HELP?
**********
If you have questions, you can trade real-time messages with a
friendly Live Chat representative:
http://support.ISP.net/chat

We look forward to providing you with a safe and enjoyable
online experience for years to come.

Sincerely,

ISP Support

************************************************************
This is an Administrative Message from ISP. It is
not spam. From time to time, ISP will send you such
messages in order to communicate important information about
your subscription.
************************************************************

If the sarcasm didn’t come through clear enough, I’ll try a favored method from the 419’ers:

DEAR .COM

YOU MAY BE SURPRISED TO LEARN THAT SENDING YOUR USERS ANY EMAIL WITH CLICKABLE LINKS IS JUST TRAINING THEM TO FALL FOR PHISHING. I SHARE THIS WITH YOU BECAUSE I TRUST YOU’RE A LITTLE BIT SMARTER THAN THE PHISHERS AND MIGHT WISE UP BEFORE THEY START SENDING EMAIL THAT LOOKS JUST LIKE THIS. PLEASE AT LEAST ENCOURAGE THE USE OF HTTPS.
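The complaint above can be turned into a pre-send check. This is an added example, not part of the original post or anything the ISP uses: a small lint pass over an outbound plain-text notice that reports each link sent over plain HTTP, each link sitting beside a download/install prompt, and whether the message hands out links while telling readers never to click them. The rule names and phrase lists are assumptions, and the sample is a constructed excerpt of the notice quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the notice quoted above; URLs are as they appear there.
SAMPLE_NOTICE = """\
2. Choose your passwords carefully and keep them safe. For tips
on creating secure passwords, please visit:
http://www.ISP.net/password

4. Never click on a link in an email that asks you to submit
sensitive information, as the link can redirect you to a
fraudulent Web site designed to steal that information.

can download the software or order a free CD copy at:
http://www.ISP.net/home/software

http://www.ISP.net/mysecurity
http://support.ISP.net/chat
"""

URL_RE = re.compile(r"\bhttps?://[^\s<>\"')]+", re.IGNORECASE)
# Assumed phrase lists; tune them to your own notice templates.
ANTI_CLICK_RE = re.compile(r"never\s+click\s+on\s+a\s+link", re.IGNORECASE)
INSTALL_RE = re.compile(r"\b(download|install|update)\b", re.IGNORECASE)

def lint_notice(body):
    """Return (rule, detail) findings for one outbound plain-text notice."""
    findings, link_count = [], 0
    # Work paragraph by paragraph so a prompt only taints links next to it.
    for para in re.split(r"\n\s*\n", body):
        for match in URL_RE.finditer(para):
            url = match.group().rstrip(".,;")
            link_count += 1
            if urlsplit(url).scheme.lower() != "https":
                findings.append(("plaintext-link", url))
            if INSTALL_RE.search(para):
                findings.append(("install-prompt-link", url))
    # Telling readers not to click while handing them links trains the habit.
    if link_count and ANTI_CLICK_RE.search(body):
        findings.append(("contradicts-own-advice", f"{link_count} link(s)"))
    return findings

if __name__ == "__main__":
    for rule, detail in lint_notice(SAMPLE_NOTICE):
        print(f"{rule:24} {detail}")
```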

• • •
 

January 18, 2006

Copyright and The Choice Between DRM and Security

Filed under: Security — Hacker @ 7:43 am

Slashdot | The Choice Between DRM and Security

Seeing the above made me think about Copyright and Security. It seems that Copyright used to be a security mechanism to protect one’s creations. Before the digital age, copying creative works was expensive. Those who sought to make a profit from copying others’ work could find themselves at the wrong end of the law and thus were taking a large risk with their capital. Gift copying was too expensive for most and had limited distribution, even as audio and video cassettes became common.

Now in the digital age, commerce is global and it is hard to track down copyright pirates. Worse, gift copying has practically no cost to the gifter. Thus copyright can no longer protect information profitably. Note that doesn’t mean copyright is useless, just not useful for ensuring profits from the distribution of a creative work.

None of this is new and there are others who have studied and written about this in much more detail. What I think is interesting is to take the pure security view. This is hard for a security techie like me, because we have been taught that security is some piece of technology.

Technology is not the best word to use here, since its meaning has morphed over time. Copyright was a ‘technology’ by the old definition. Now we use technology to refer to automata. This causes us to forget a lot about what information security is about and can be. We techies get so lost in the bits and algorithms that we forget that much of the security we rely on today is as insecure as copyright.

As the world becomes more digital, there will be new options, such as DRM, that can provide protections where old ones like Copyright fail. In some ways, these protections are even stronger than what was available before, but they also come with a price, such as privacy. As a security practitioner, one has to dig deep to understand the history of the protection of an asset as well as the potential consequences of new protection technologies.

• • •
 