May 20
Spyware backup, database, education, events, government, malware, microsoft, open-source, Phishing, privacy, research, security, Spam, Spyware, trends, voip, vulnerabilities, windows, wireless
I’ve been a Mac user for years, relying on Macs for both work and play. Although the experts and pundits today are quick to warn that hackers are about to start infiltrating our systems, I have yet to hear about an active virus or malware attacking the Mac OS specifically that wasn’t designed, distributed, and contained by the IT Security research community.
Still, any day now I’m sure there will be some nasty thing worming its way through Apples, and when the time comes I’d like to be prepared. It’s going to hit some Mac users pretty hard if they’re not expecting it (in the ego, maybe).
I’ve been poking around the Internet to find a list of some free Mac A/V and anti-malware programs. Today there’s a new one on the list, since F-Secure has just released a Mac A/V program—in beta. They promise prizes and a subscription to anyone willing to provide “active feedback” to improve the software.
About.com also has a decent list of Mac security programs with brief reviews detailing how well each protects against various threats. It’s not as research-intense as the PC A/V reviews I posted last week, but simply describes the scope of how the software blocks—or ignores—different types of threats.
Here’s a list of some of the free Mac-based products out there:
The problem with some of the free programs is they focus solely on Mac issues and won’t clean the PC viruses that some files harbor. If those infected files are sent to a PC, they could still pose a threat. If you use a dual boot or are working closely with other Windows machines, it may be more helpful to get a program for Mac users bundled with the Windows version, such as Norton AntiVirus.
Or if you want the best protection for the Mac, the product that looks the most comprehensive is Intego’s Virus Barrier. The company focuses only on Mac issues, which has disadvantages for those who switch systems, but may be ideal for people working in a Mac-only environment. And a huge plus is that the system uses heuristic scanning, checking for behaviors that resemble threats before they are identified. At $70, it’s a bit pricey, but if you’re the type who wants to be fortified and absolutely prepared, that might be your best solution.
May 18
Some clever, benevolent hacker ought to do all U.S. citizens a favor and hack into the I.R.S. system, to fix their outdated accounts—just like one DSL customer did to his Internet hosting company.
The customer had paid for some changes to his account and service, got frustrated waiting for the company to deliver the service, and so he hacked in and just did the job on his own. Maybe the web company should think about offering the guy a job—to beef up security and fix others’ customer service issues.
It’s not unusual for small hosting companies to have trouble meeting their customers’ security and service needs, unfortunately. What’s more unfortunate is that the IRS apparently has about as many problems. Recently it came to light that they’ve been sending stimulus checks to dead folks—even workers that have been dead up to 35 years.
Is any concerned taxpayer willing to volunteer to hack in and clean up their system? Unlikely. It’s unclear whether the IRS would thank the hacker for the help (as the hosting company did for its customer), arrest them for an act of terrorism, or just fail to notice. My guess is the latter—if they didn’t realize those people had been dead for so long, how would they even notice if the accounts were deleted altogether?
The story doesn’t speak well for the government’s organization skills. No wonder we’re in such a financial pickle—well, you know, besides the billions donated to the war, and all the other reasons…
Read the original here:
Citizens Needed to Fix Broken IRS System
May 15
Imagine you’re exploring a new hobby that’s a bit esoteric, and Federal agents call to ask you some questions, but won’t tell you whom they represent–only that they think you might be a terrorist.
If it were me, that sort of Big Brother tactic would freak me out and I might even worry they’d come and whisk me away from my home and hold me captive next, without actually bothering to find out that the experiments are harmless.
This has indeed happened to at least one “biohacker”–an amateur scientist using synthetic DNA and organisms in experiments performed in home labs, built out of equipment bought on eBay or other consumer sites.
Most of these experiments are totally harmless, yet government agents appear concerned anyway.
Carl Zimmer, a well-known biologist and science writer, points out that at least one amateur biologist was arrested and charged for his lab experiments, held under arrest even without cause. Even though artist Steven Kurtz’ experiments were allegedly harmless experiments in soil bacteria, the people who put him on trial did not have enough knowledge of basic biology to realize this.
This is the real danger in an age where an amateur biologist can work on lab experiments from home, that uninformed security administrators are so afraid of knowledge and experiments that they assume that any type of basic science can be dangerous.
It’s the same sort of mystery that appears to hang around the computer technology sphere–as if there’s a force-field of awe around certain types of technology, whether it’s computers or biology, that makes people assume it’s all-powerful and incomprehensible, and therefore something to fear.
Authorities can waste so much time interrogating well-meaning scientists, they’ll fail to really do their research and find out what’s actually dangerous and what’s not–and then they could miss a real threat.
The WSJ article paints a picture of how confusing the current regulation and atmosphere is around this issue:
Currently, regulation of labs like these is murky. It’s unclear what agency, if any, is responsible.
So far, most garage biologists playing around with synthetic DNA are simply adding a gene or two to an existing organism, a fairly standard scientific practice involving some test-tube mixing, and not something biosecurity experts are very worried about. But technology promises to allow the creation of entire organisms from scratch — something academics are aiming to do in university labs — and that has some experts worried.
Their final comment in that paragraph bothers me — I can’t say for certain, not being an expert myself, but it seems to me that academics working in university labs generally have access to much greater resources, financial support, and equipment than the average home do-it-yourselfer. Creating an entire organism from scratch (well, you’d need existing DNA, etc.) may be possible, but still requires a lot more knowledge and equipment than merely mixing a few things together in a test tube with some soil. It’s not comparable to the experiments that amateur biohackers do in their garages with an old centrifuge off eBay.
The idea that creating new life is possible seems to come attached, for many people, with a very emotional and irrational reaction–it’s scary, it’s wrong, it’s dangerous. Maybe it’s this emotional reaction that causes people to jump to conclusions, and take aggressive action, before analyzing the actual probability of how likely it is for a home DIY scientist to accomplish that feat. It’s that irrational response that causes people to investigate experiments that are clearly harmless, and make uninformed allegations.
To be fair, there is a danger that a scientist with the wealth, expertise and resources could pull a Frankenstein maneuver–or more likely, create a bacterial warfare threat. I’m not saying that the government should ignore the possibility. But clearly it’s not being handled all that well, and the public has to start questioning what the qualifications of these “experts” really are–biology, or interrogation tactics?
I also find it pretty humorous that the article, although being a little alarmist, also has a sidebar that lists experiments people are doing at home for fun. Extracting strawberry DNA, anyone? Sounds tasty.
View original here:
Federal Agents Interrogate Amateur Biologists About Harmless Experiments
May 13
I knew it was going to come up after my last post, where I wrote that landlines are pretty much obsolete, and many people use cell phones because they offer the mobility and privacy people need nowadays.
Emergency 911 calls are the one reason people argue that landlines are still highly important to keep around. Today the Consumerist wrote a post to that effect: “landline connections do have one important advantage over cells: They’re safer.” They also posted asking what people think–and overwhelmingly, the initial responses suggest people don’t think 911 issues are a reason to keep their landlines.
Apparently many who call 911 from cell phones get put on hold for long waits, or the officials are not able to locate where the call originated from, so they aren’t able to get help as quickly.
Sounds scary, but I have to say that’s not always the case — I’ve called before and received a response immediately. (I cut off the end of my finger but still had plenty of time to tell them my address.)
In fact, I’m not sure that the argument holds much water. I imagine that if I’m ever in a really bad emergency situation, it will be while I’m out somewhere, either in a car accident, injuring myself while hiking or bicycling, or otherwise doing something active. Then, a landline isn’t going to help me, but having a cell phone is critical.
If I’m at home and there’s an accident, most likely I’ll still be conscious and awake and able to make the call–or hopefully have someone with me who can go for help.
The worst case scenario is something really bad happened and I’m in danger of passing out. But if I’m badly injured, am I going to be able to get to a landline any more than a cell phone? Chances are if I can get to a phone, have time to dial, I’ll also have time to tell someone where I am.
If I’m really bad, and the cell phone has a wait time, and I pass out before they pick up, I could be screwed. But I can’t really imagine many scenarios where that’s the case. What’s going to happen to me while home? I could get burnt, fall, inhale bad chemicals, etc. Most cases I can think of, either I pass out immediately and can’t get to a phone anyhow, or I’m pretty much conscious, so I have time. I have to say, in the nearly 30 years I’ve been alive, I’ve never had that kind of problem.
It only has to happen once, sure, but risk analysis is all about probabilities. Essentially, keeping a landline around for that specific reason is a form of insurance–it’s a bet that something might happen to you and a way for you to stop it. I think I’d rather buy renter’s insurance, or disability insurance.
I’m sure the case may be different for different demographics. Your elderly grandmother is more at risk, but then again, with a stroke or heart attack or broken hip, they aren’t getting time to call 911 anyway. People who have those risks find more comprehensive options, such as a special device they wear at all times, linking to the landline to call 911. And that’s an age group that, by and large, hasn’t given up their landlines anyway.
Here is the original:
Do People Need Landlines for Emergency 911 Calls?
May 11
Ars had an article today giving a fascinating statistic: 20% of all U.S. households rely exclusively on cell phones and have no land lines.
The main groups that make up that 20% are youth aged 18-29, one third of which are cell-phone-only, and adults that share housing, of which 60% use only cell phones. Additionally 25% of all Hispanics are also wireless-only.
Their data is good, but their conclusions overlook the obvious. Ars says the groups that make up the 20% are “lower income.” That may be true, and the reasoning is solid: tech-savvy youth are adopting the trend, Hispanics are traditionally lower income, and the logic holds that it doesn’t make a lot of sense to pay for a landline if you can use a cell phone.
But for some reason, I’m guessing the writer of the article is a 40-something, U.S.-native, home owner long removed from the process of moving and sharing housing. Because economics and tech-savvy aren’t the only reasons why renters and youth rely on cell phones. I think mobility and privacy are actually the deciding factors, at least from my experience–being one of those 29-year-old renters who exclusively uses a cell.
If you’re sharing housing, having your own phone means you don’t have to rely on roommates to give you messages, and your roommates don’t hear your personal messages. And even if you don’t share housing, but you’re young or renting, you’re more likely to be moving from apartment to apartment every few years. It’s not always your choice–a landlord can just decide to kick you out so their friends can move in to your apartment. It’s happened to me.
If you buy into a landline, then you have to go through the hassle of calling the phone company, resetting the wires, and telling all your friends about your new phone number when you move. If you have a cell phone, it’s no hassle and no change– whether you move down the block or across the country, your friends still have your number and you still have theirs.
It was nice of Ars to notice the socioeconomic issue in this case, that renters, Hispanics, and youth are traditionally lower income. But if you ask many cell-only homes, many might say that a new landline would not be high on their list of priorities if they did have money. Instead, the fact is that these groups are more mobile, move more often, and share living spaces with a greater number of people–so, they have different needs out of a phone service.
Case in point — in the last 6 years, since I’ve been out of college, I’ve moved 6 times, but not regularly once a year. Sometimes 10 months, sometimes 6, sometimes 18. I finally got a cell phone when I had to move from Santa Cruz to the South SF Bay area for work, and I needed a cell phone to call prospective housemates and landlords from Craigslist. Since then, I only had a landline once, when it was already installed in my new apartment because my housemate had set up DSL. Neither of us ever used the phone and it couldn’t make long distance calls. Since I got a cell phone, I’ve had the same phone number and it hasn’t been a hassle.
In fact, you’ll find that a growing number of youth and renters like me are not low-income groups. Affording to buy a condo or home has become cost-prohibitive, whether or not you make a decent wage, and jobs are not as secure as they once were. In this recession, people are valuing mobility because they may have to move to find work. Many young people and adults bounce from job to job every few years. However, loan agents often won’t take people unless they can show they have worked for the same employer for the last few years–whether or not they have made a steady, sufficient wage at a steady stream of jobs, as many young people have. In the age of pink slips and home foreclosures, fewer and fewer people can afford homes, and more and more people will value and demand mobility.
And, more and more people of all stripes will probably come to see that their land lines are obsolete.
Why Renters and Young Adults Go Cell-Phone-Only: Mobility and Privacy
May 08
While reading about the self-destruction of the Zeus botnet recently, I came across a link to this great comparison report from AV Comparatives that tested 17 popular anti-virus products on the market today.
The test appears to be quite comprehensive, and creates a rating for software based on their detection rates for malware, their speed in testing, and the rate of false positives that lower accuracy. Apparently this is an ongoing test performed four times a year, in February, May, August and November. The February 2009 test was the first in which the researchers calculated false positives and lowered the software scores based on that data.
The findings of the February 2009 test (No. 21) show the following A/V products in the lead. They tested at an average or fast speed, with at least a 97% malware detection rate, and fewer than average false positives.
- Kaspersky AV 8.0.506a
- McAfee Virus Scan + 13.3.117
- NOD32 Antivirus 3.0.684
- Norton Anti-Virus 16.2.0.7
If you have one of these products, great! Although, keep in mind that you would need to have the same version, testing at the same level, and just as up to date to achieve the same results.
Anti virus software that’s out of date, without the latest signatures, is just not going to be as effective… So, the word of the day: update, update, update.
Originally posted here:
In-Depth Anti-Virus Software Comparison
May 01
F-Secure had an interesting run down today on the security options available over at Facebook. They also critique Facebook’s security questions, which are generic items like “Mother’s maiden name,” “3rd-Grade Teacher,” “First pet.” These are items that your friends and family are likely to know about you, so they don’t necessarily guarantee your security. As F-Secure puts it, “Security challenge questions based on social information is probably not the best of ideas on a social networking site.”
The questions really are kind of ironic. I had to think a while to remember my third grade teacher’s name, but I do have one or two people on my flist I went to school with. They may remember better than me!
I also have direct experience that security questions can prove ineffective. In fact I remember being guilty myself–as a drama-ridden teenage girl, I hacked an ex-boyfriend’s email account, because I knew his password and security question answer. It was his place of birth, and most clever of me, I remembered exactly the way he always mis-spelled it. Hacking his account and then confronting him was not my best moment in life. Luckily I learned my lesson and will never do something like that again. My story only shows that it’s possible, and illustrates F-Secure’s concern.
The problem with developing genuinely secure questions is that all of those types of questions are usually, by nature, personal and social. They must be targeted to the user, and based on the user’s demographics and interests. When they work, it’s because the answer is a private thing, or a personal thing that no one else knows. For adults, in many cases, those types of questions work simply because the user’s adult friends weren’t around in elementary or high school when we had our first pets, third grade teacher, first car, etc.
Developing tougher, more targeted questions can also present a challenge. Recently, I had the opposite problem of the Facebook dilemma. Instead of the questions being too easy and well known, they were simply irrelevant. I opened some account where all the questions revolved around marriage, kids, mortgages. The writers assumed their users were older, and made the logical leap that they were married and had children or mortgages. But I’m under 30, unmarried, without children, and haven’t been able to afford my own home. I’m not alone, either–many of my peers are waiting much longer before getting married, having kids, and buying homes. So, I found the questions simply irrelevant, and had to puzzle out a while how to get around the obstacle of the security questions.
Of course, the questions are supposed to present an obstacle to hackers, not the account holder, so they have to be something easy to remember, applicable, and relevant, even before they enforce security. Sites that use security questions need to be aware of these problems, and walk a fine line between making the questions too easy, and having them be inappropriate for their users.
One solution would be for sites to offer more choices. Then, it’s up to the user to make sure to choose a question that he or she can remember the answer to, but others are unlikely to guess. Even if in general, the questions are easy or well-known, the user should be able to select a question or two that others won’t know.
Here is the original post:
Problems with Security Questions
Apr 27
Just take a look at this fun little word cloud generated by the scripty toy Wordle.net to find out what we’ve been posting lately–
…you put your right click in and it shakes the words about…

I found this toy through the PCI focused blog written by Michael Dahn this morning. Dahn uses it to create word clouds for his favorite Ten Greatest Books of All Time. Fun to read!
The toy seems to just take the first page or selected entries from the blog though, rather than its sum entirety. It made me think about spam filters and their level of assessing the text of emails.
Of course, spam filters have various levels of ability to read emails; some can only read the headers and not the content, while the more intelligent filtering programs can read the content and learn what is and is not a risk.
Of course many filters will automatically mark emails that have certain keywords like cialis or viagra as spam, or emails that contain a certain percentage of risky words. I imagine the more advanced also learn by what the user marks as spam, what type of content is unwanted, but can also make distinctions based on headers. For example, I might not really want random people sending me press releases about random computer programs or even security products, but I have spoken with many PR reps and spokespeople from various companies and am more likely to read their releases.
My current spam filter is pretty much crap, but ideally it would send through emails written directly to me from people I’ve spoken with before. Then it would filter all the random press releases into a spam folder and mark all the generic press releases I get from my contacts as potential spam in my inbox.
I think they are more likely to work by whitelisting the people you’ve emailed before, however that doesn’t really protect users from mass emails from their contacts. And those mass emails are often what could be infected with a virus or malware, if your contact’s computer has been compromised.
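The filtering rules discussed above (keyword and risky-word percentage checks, an allowlist of known contacts, and the gap an allowlist leaves for mass mailings from a contact) can be sketched as follows. This is an added example, not code from the original post or from any real spam filter; the addresses, the word list beyond "cialis" and "viagra", the thresholds and the verdict names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

ME = "me@example.org"                    # constructed mailbox owner
CONTACTS = {"pr.rep@example.com"}        # constructed: people already emailed
HARD_KEYWORDS = {"cialis", "viagra"}     # the two keywords the post names
RISKY_WORDS = HARD_KEYWORDS | {"free", "winner", "urgent", "click"}  # assumed
RISKY_RATIO = 0.20                       # assumed "certain percentage"
MAX_DIRECT_RECIPIENTS = 3                # assumed cut-off for a personal mail

def words(text):
    return re.findall(r"[a-z']+", text.lower())

def risky_ratio(text):
    found = words(text)
    return sum(w in RISKY_WORDS for w in found) / len(found) if found else 0.0

def is_bulk(msg):
    """Header-only signals that a message was not written to me personally."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(fields)]
    return (ME not in recipients
            or len(recipients) > MAX_DIRECT_RECIPIENTS
            or msg.get("Precedence", "").lower() in {"bulk", "list"}
            or "List-Unsubscribe" in msg)

def allowlist_only(raw):
    """Baseline: trust anything from a known contact."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    return "inbox" if sender in CONTACTS else "spam"

def classify(raw):
    """Content rules first, then sender reputation combined with bulk signals."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()  # plain text only
    text = msg.get("Subject", "") + " " + body
    if HARD_KEYWORDS & set(words(text)) or risky_ratio(text) >= RISKY_RATIO:
        return "spam"
    if is_bulk(msg):
        # A mass mail from a known contact is flagged, not trusted: that is
        # the compromised-contact case an allowlist alone lets through.
        return "review" if sender in CONTACTS else "spam"
    return "inbox"

# Constructed sample messages.
DIRECT_FROM_CONTACT = """\
From: PR Rep <pr.rep@example.com>
To: me@example.org
Subject: Re: our call yesterday

Thanks for your time. Notes attached as promised.
"""
MASS_FROM_CONTACT = """\
From: PR Rep <pr.rep@example.com>
To: a@example.net, b@example.net, me@example.org, c@example.net, d@example.net
Subject: Invoice

Please see the attached invoice.
"""
PRESS_RELEASE_UNKNOWN = """\
From: News Desk <news@vendor.example>
To: press-list@vendor.example
List-Unsubscribe: <mailto:unsubscribe@vendor.example>
Subject: Vendor announces new product

Vendor today announced a new product.
"""

if __name__ == "__main__":
    for name in ("DIRECT_FROM_CONTACT", "MASS_FROM_CONTACT", "PRESS_RELEASE_UNKNOWN"):
        raw = globals()[name]
        print(f"{name}: allowlist_only={allowlist_only(raw)} combined={classify(raw)}")
```

The mass mailing from a known contact is delivered by the allowlist-only baseline but lands in "review" under the combined rules.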
Content analysis is a pretty tricky business, partly because it’s not always clear what is a risk, or even what people want to read. Of course, there’s a fine and vague line sometimes about what is and isn’t spam versus marketing email versus solicited information. My spam (e.g. random press releases) is another journalist’s daily bread. Or my spam is my cousin’s latest attempt at humor (tired forwarded jokes that should have died 10 years ago).
I think to be effective then, email filters need to have more preferences available, and advance to the point where they learn quickly and effectively what the user prefers.
It’s a double edged sword, however–the better my email filter gets, the better the spammers will get at bypassing it, and the more intelligent bots will get in general. They’ll be more likely to crack captchas, hack accounts, and so on.
Meanwhile I guess I’ll just be marking lots of emails as spam, and playing with word toys online. Not such a hard life, really! Here’s another fun one I made from a poem I recently discovered, “Meditations at Lagunitas,” by Robert Hass:

More here:
What IT Security is All About
Apr 22
My latest hobby for procrastination is browsing Craigslist ads, looking for new furniture and trying to get rid of old stuff. I’ve been doing spring cleaning and trying to sell off an old stereo, VCR, a Dell laptop, and other miscellaneous things. (Let me know if you need anything)
Along the way I’ve also gotten a few odd emails by folks asking to do a wire transfer or Moneygram–a classic Nigerian scam. Usually I either tell them I know it’s a scam, or just delete the emails without thinking much about it. So I was amused to read about another Craigslister actually responding and messing with the scammers.
Todd Lappin of Telstar Logistics–a little bit famous for creating a fake brand in order to avoid parking fees–happened to be selling a loveseat on CL when he received a convoluted, poorly written note asking to use a moneygram and explaining the transaction would be completed with the emailer’s secretary. Another classic Nigerian scam, which he recognized right away.
Todd’s not your ordinary guy, so instead of deleting the email, he responded to the friendly Nigerian scammer, played along, and got the guy to send him the check. Now he’s posted and exposed the scam on the Net for all to see, over at laughingsquid. The scammer will be expecting him to try cashing it and send back the difference between the check amount (nearly $3k) and the price of the loveseat ($200).
If he went along, the check would bounce and the scammers would be making off with the difference. And he might still be stuck with an ugly yellow loveseat. (Okay it’s actually not a bad loveseat, just the same horrible color my childhood bedroom was painted).
Why anyone still falls for these scams on CL is odd, since there are warnings plastered all over the site, and it’s common and easy to recognize. I suppose they wouldn’t be still trying if they didn’t get bites and people still ignorant enough to go for it. So it’s good to see people messing with and exposing the tricks.
Interestingly, Todd says the check he received looks entirely authentic and may be from a genuine bank account. So he’s gone to the trouble of blurring the account number in the check image he posted. It’s good to see someone’s looking out for others’ security online.
The rest is here:
Playing Along with Nigerian Scammers
Apr 20
I spent a small chunk of time this morning reading through the slides posted online from a Malware course that was taught at the University of Helsinki earlier this year. The lecture slides are in PDF and available for anyone to browse.
The introduction starts off at a fairly basic level deconstructing many of the terms used to describe different attacks and shows examples of criminals’ posts on bulletin boards and prices for various attacks. Interesting stuff, even for a non-programmer like me. You could use them to educate staff or friends who are not computer professionals.
Then those of you who do security and programming may even find more useful stuff in there to work on… take a look.
Read more:
Malware course online from FSecure/University of Helsinki