Like we really needed this.

Hacker’s Blog

January 23, 2006

Phishing Prevention for Dummies

Filed under: Security — Hacker @ 7:42 pm

It seems that too many online institutions still don’t get the phishing threat. Take a look at this email from an ISP that puts more bait on phishers’ hooks than cutting of phishing lines.

Dear ISP Subscriber,

ISP is committed to providing you with a safe and secure
online experience — and we’d like to share some important
information to help you avoid online scams and safeguard your
computer from viruses, spyware, and other security threats.

********************************
PROTECT YOURSELF WITH THESE TIPS
********************************
1. Be wary of opening email from people you don’t know. Even
if you know the sender, use caution before opening a message
with a strange subject line or an unexpected attachment.

Hmmm. Do I know you “Support”?

2. Choose your passwords carefully and keep them safe. For tips
on creating secure passwords, please visit:
http://www.ISP.net/password

Gee, that link looks safe. It’s always good to prime the clicking finger with good links first.

3. Never email your password, or sensitive personal information,
such as your credit card number, Social Security number, secret
word, or PIN.

More thoughtful good advice. This has got to be real.

4. Never click on a link in an email that asks you to submit
sensitive information, as the link can redirect you to a
fraudulent Web site designed to steal that information. To
ensure that a site is legitimate, always type the Web address
into your browser.

Gosh darn it, if that ain’t the pig’s potato I don’t know my cow pie’s from my Aunt Lucille’s mincemeat.

************************************************
INSTALL FREE ISP PROTECTION CONTROL CENTER
************************************************
The ISP Protection Control Center is your one,
easy-to-use program that provides everything you need to stay
safe online, including:

*Single scan for spyware and viruses

*AntiVirus and Firewall software with automatic updates to
ensure you’re protected against the latest online threats

*Spyware Blocker — detects and disables invasive programs that
secretly install themselves on your computer and track your
online activities

*ISP Toolbar — sits above your Web browser and includes
our exclusive Pop-Up Blocker and ScamBlocker, which prevents you
from visiting Web sites that are on our “scam list”

The Protection Control Center is available through our FREE
TotalAccess software. If you have not installed TotalAccess, you
can download the software or order a free CD copy at:
http://www.ISP.net/home/software

Gee, what great software. I should get that installed right away. Let me click on that link, which must be good since this whole message seems as caring and honest as ol’ Preacher Morganstern and if that dear man were still alive would probably be in the sermon this Sunday. Halleluhah.

Once you’ve installed TotalAccess, or if you already have the
software, you may need to run the Update Service to install
the ISP Protection Control Center. On the TotalAccess
Task Panel, just click on “Toolbox,” then “Check for Updates.”

Yessirree. I want every piece of software I own to automagically go out and patch itself without me knowing a damn thing about how it works or if it is secure.

******************************
VISIT THE MYSECURITY WEB PAGE
******************************
The mySecurity Web page has all the information you need to
protect your PC and your privacy online:
http://www.ISP.net/mysecurity

**********
NEED HELP?
**********
If you have questions, you can trade real-time messages with a
friendly Live Chat representative:
http://support.ISP.net/chat

We look forward to providing you with a safe and enjoyable
online experience for years to come.

Sincerely,

ISP Support

************************************************************
This is an Administrative Message from ISP. It is
not spam. From time to time, ISP will send you such
messages in order to communicate important information about
your subscription.
************************************************************

If the sarcasm didn’t come through clear enough, I’ll try a favored method from the 419’ers:

DEAR .COM

YOU MAY BE SUPRISED TO LEARN THAT SENDING YOUR USERS EMAIL ANY WITH CLICKABLE LINKS IS JUST TRAINING THEM TO FALL FOR PHISHING. I SHARE THIS WITH YOU BECAUSE I TRUST YOU’RE A LITTLE BIT SMARTER THAN THE PHISHERS AND MIGHT WISE UP BEFORE THEY START SENDING EMAIL THAT LOOKS JUST LIKE THIS. PLEASE AT LEAST ENCOURAGE THE USE HTTPS.

• • •
 

January 18, 2006

Copyright and The Choice Between DRM and Security

Filed under: Security — Hacker @ 7:43 am

Slashdot | The Choice Between DRM and Security

Seeing the above made me think about Copyright and Security. It seems that Copyright used to be a security mechanism to protect one’s creations. Before the digital age, copying creative works was expensive. Those who sought to make a profit from copying other’s work could find themselves at the wrong end of the law and thus were taking a large risk with their capital. Gift copying was too expensive for most and had limited distribution, even as audio and video cassettes became common.

Now in the digital age, commerce is global and it is hard to track down copyright pirates. Worse, gift copying has practically no cost to the gifter. Thus copyright can no longer protect information profitably. Note that doesn’t mean copyright is useless, just not useful for ensuring profits from the distribution of a creative work.

None of this is new and there are others who have studied and written about this in much more detail. What I think is interesting is to take the pure security view. This is hard for a security techie like me, because we have been taught that security is some piece of technology.

Technology is not the best word to use here, since its meaning has morphed over time. Copyright was a ‘technology’ by the old definition. Now we use technology to refer to automata. This causes us to forget a lot about what information security is about and can be. We techies get so lost in the bits and algorithms that we forget that much of the security we rely on today is as insecure as copyright.

As the world becomes more digital, there will be new options, such as DRM, that can provide protections where old ones like Copyright fail. In some ways, these protections are even stronger than what was available before, but they also come with a price, such as privacy. As a security practitioner, one has to dig deep to understand the history of the protection of an asset as well as the potential consequences of new protection technologies.

• • •
 

December 14, 2005

Security for Calculators

Filed under: Security — Hacker @ 9:10 am

I think it’s about time that we document security for calculators. No, I’m not talking about the cherished TI-35 that I’ve got buried in a drawer somewhere. I’m talking about the machine I’m working on and its brethren. I’m also not talking about documenting the security of calculators. Security for calculators. That is, security documentation that can be understood and processed by computers as well as people.

Let’s face it; if it wasn’t for people, then we wouldn’t be having all of these information security problems. The InfoSec world continues to get more and more complex, and yet for the most part, people are required to process all this complex data. Let’s look at a couple of specific examples.

First are the IP Services and ports that are required to support an application. Often this traffic must pass through a firewall or NAT (or both) and often there are issues around that. Currently if this is documented at all, then it is a poorly formatted list of TCP/UDP ports and possibly end points. Some expensive firewall engineer has to look at those, determine if there are any security issues with them, and then correctly translate them into the format the firewall understands. Anomaly IDS sensors have to learn the application flows, because no one can take the time to tell it what they should be. Etc.

The effort to load firewalls and other security devices could be reduced substantially by having some XML schema for documenting the IP services in use. Security is only as good as the knowledge about the application in question. Having such standards would substantially enhance the ability to know what was going on within an application.

A second area is within RFC standards. Currently, if there is a security section at all, it again must be parsed by a human. Does a service provide its own authentication? What controls are available within the service? What are the expectations, dependencies etc? Even having the packet schema in XML would help a lot in developing parsers for new protocols. I’ll probably need to explain this in more detail this, but that will have come later.

Ultimately security is too important to leave up to us humans, but we’re never going to get computers to do it well if we can’t put things in terms that they can understand. We have the tools, XML, various standards bodies, etc. We just need to start using them.

• • •
 

December 9, 2005

My Original Site

Filed under: Personal — Hacker @ 2:39 pm

I thought I post the text of my original site that lasted for over two years…

Welcome to the homepage of Eric Hacker.

Yes, my original unchanged family surname is an aptronym.

This domain became active on Tuesday, Nov 18th 2003 and I have not had much time to create a site. It was only on a whim that I even checked to see if it had become available, as it had been taken but not used for quite some time. Now the domain is in the hands of a ‘real’ Hacker who has had no time to plan a real site.

Expect to find some information about my professional interest in information security here soon.

Yep. That’s it.

And there’s still nothing about information security here yet.

• • •
 

December 8, 2005

What’s up with the knee?

Filed under: Personal — Hacker @ 11:21 pm

What’s up with the knee?

Saturday October 22nd began easy enough. I was coming off of an 80 hour work week and spending Saturday morning taking the boys to a birthday party for a 7 year old classmate at an indoor soccer field. First crisis: I learn upon arriving that the soccer match is to be parent’s versus the kids.

Clad in my best Doc Marten boots I was not exactly prepared to play soccer. But I knew that I needed to be a positive role model for my eldest son who often held back from engaging in new activities. And heck, I used to play soccer over 20 years ago. They’re just kids, how bad can it be? Such is the logic of a Dad after an exhaustive work week.

So out onto the field I lumbered. The astroturf was this soft shaggy material. It seemed innocent enough. Not even three minuets into the game, and I try a sliding steal to get the ball away from some eight year old girls, and pop, twist, crunch goes my right knee. I find out afterwards that astroturf is a leading killer of knees.

The final diagnosis from the MRI was that I tore the ACL, the MCL, bruised the bone and generally made a mess out of my knee. I had been doing my Physical Therapy and finally seeing some results. Just as I was starting to get mobile again, I had the ACL reconstruction surgery on December 5th.

This has been the highest sustained pain I have ever experienced. Yes, it was even worse than the Army. I think I’ve found the right pain killer cocktail to let me function somewhat. That is, if you think these blog posts are functional.

Peace,
Hacker

• • •
 

Well, it’s about time.

Filed under: Personal — Administrator @ 12:27 pm

So, I’m recovering from knee ACL reconstruction and in a lot of pain and someone I haven’t heard from in couple of years drops me a two line email chastising me about the fact that after two years I still don’t have a web site for my new domain. Fast forward a couple of hours, still in pain, because the Tylenol #3 ain’t good enough to kill all the pain but that codeine is plenty good enough to keep me awake at 1 AM, and I get up out of bed, crutch over to my office, get uncomfortable in my chair because there is no comfortable position and start hacking. Anybody in their right mind wouldn’t be doing this, so whatever this first blog entry turns out like, remember, it’s my normally odd self pushed over the edge.

I hop on over to my “new” hosting provider, and start to get set up for bringing my final domain over. It goes smoothly, until I hit a glitch with the WordPress install. Oh well. It will probably take a few days for DNS changes to propagate anyway.

17 hours, several naps, physical therapy and other interruptions later and I think I finally got the graphics into the “annoying enough but still legible state” and this blog is ready to roll. Still a lot I have to figure out about WordPress and whatnot, but what the heck, it’ll never happen if I try to get it perfect.

So thanks Ric, please let me know next time your suffering from a major illness so I can point out how unkempt your yard looks.

Peace,
Hacker

• • •
 
« Previous Page
Like we really needed this.