Search This Blog

Wednesday, June 29, 2011

This site has moved...

For those that have sent me notices asking why I have not updated my site in some time, it is because it has moved.  The new site can be found at:

http://www.josefweiss.com/

I am able to publish and control more information on the new site.

Monday, January 24, 2011

iPhone/Android/Blackberry Latest Vulnerabilities

Millions of e-mail addresses and passwords may have been stolen from Trapster, an online service that warns iPhone, Android, and BlackBerry owners of police speed traps, the company announced January 19. California-based Trapster has begun alerting its registered users and has published a short FAQ on the breach. "If you've registered your account with Trapster, then it's best to assume that your e-mail address and password were included among the compromised data," the FAQ stated. Trapster downplayed the threat, saying it was unsure the addresses and passwords were actually harvested. "While we know that we experienced a security incident, it is not clear that the hackers successfully captured any e-mail addresses or passwords, and we have nothing to suggest that this information has been used," Trapster said. 


In the Blackberry arena, PDF vulnerability found in Blackberry Attachment Service. Research In Motion has issued a security alert acknowledging a vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. The vulnerability is rated 9.3 (out of 10) on the Common Vulnerability Scoring System (CVSS). That is considered "high" in the National Vulnerability Database severity ratings. The advisory is intended for BlackBerry Enterprise Server (BES) administrators, who are the recommended persons to apply the RIM-supplied fix. The vulnerability affects BES Exchange, IMB Lotus Domino and Novell GroupWise versions 4.1.6, 4.1.7, 5.0.0 and 5.0.1. BES Exchange and IMB Lotus Domino versions 5.0.2 and the Exchange-only 5.0.2 are also affected. 

Source: http://gcn.com/articles/2011/01/19/vulnerability-in-blackberry-attachmentservice. aspx

Monday, January 17, 2011

Security in 2020


There's really no such thing as security in the abstract. Security can 
only be defined in relation to something else. You're secure from 
something or against something. In the next 10 years, the traditional 
definition of IT security -- that it protects you from hackers, 
criminals, and other bad guys -- will undergo a radical shift. Instead 
of protecting you from the bad guys, it will increasingly protect 
businesses and their business models from you.  

Ten years ago, the big conceptual change in IT security was 
*deperimeterization*. A wordlike grouping of 18 letters with both a 
prefix and a suffix, it has to be the ugliest word our industry 
invented. The concept, though -- the dissolution of the strict 
boundaries between the internal and external network -- was both real 
and important.  

There's more deperimeterization today than there ever was. Customer and 
partner access, guest access, outsourced e-mail, VPNs; to the extent 
there is an organizational network boundary, it's so full of holes that 
it's sometimes easier to pretend it isn't there. The most important 
change, though, is conceptual. We used to think of a network as a 
fortress, with the good guys on the inside and the bad guys on the 
outside, and walls and gates and guards to ensure that only the good 
guys got inside. Modern networks are more like cities, dynamic and 
complex entities with many different boundaries within them. The access, 
authorization, and trust relationships are even more complicated. 

Today, two other conceptual changes matter. The first is 
*consumerization*. Another ponderous invented word, it's the idea that 
consumers get the cool new gadgets first, and demand to do their work on 
them. Employees already have their laptops configured just the way they 
like them, and they don't want another one just for getting through the 
corporate VPN. They're already reading their mail on their BlackBerrys 
or iPads. They already have a home computer, and it's cooler than the 
standard issue IT department machine. Network administrators are 
increasingly losing control over clients. 

This trend will only increase. Consumer devices will become trendier, 
cheaper, and more integrated; and younger people are already used to 
using their own stuff on their school networks. It's a recapitulation of 
the PC revolution. The centralized computer center concept was shaken by 
people buying PCs to run VisiCalc; now it's iPads and Android smart phones.
 

he second conceptual change comes from cloud computing: our increasing 
tendency to store our data elsewhere. Call it *decentralization*: our 
email, photos, books, music, and documents are stored somewhere, and 
accessible to us through our consumer devices. The younger you are, the 
more you expect to get your digital stuff on the closest screen 
available. This is an important trend, because it signals the end of the 
hardware and operating system battles we've all lived with. Windows vs. 
Mac doesn't matter when all you need is a web browser. Computers become 
temporary; user backup becomes irrelevant. It's all out there somewhere 
-- and users are increasingly losing control over their data. 

During the next 10 years, three new conceptual changes will emerge, two 
of which we can already see the beginnings of. The first I'll call 
*deconcentration*. The general-purpose computer is dying and being 
replaced by special-purpose devices. Some of them, like the iPhone, seem 
general purpose but are strictly controlled by their providers. Others, 
like Internet-enabled game machines or digital cameras, are truly 
special purpose. In 10 years, most computers will be small, specialized, 
and ubiquitous. 

Even on what are ostensibly general-purpose devices, we're seeing more 
special-purpose applications. Sure, you could use the iPhone's web 
browser to access the *New York Times* website, but it's much easier to 
use the NYT's special iPhone app. As computers become smaller and 
cheaper, this trend will only continue. It'll be easier to use 
special-purpose hardware and software. And companies, wanting more 
control over their users' experience, will push this trend. 

The second is *decustomerization* -- now I get to invent the really ugly 
words -- the idea that we get more of our IT functionality without any 
business relationship. We're all part of this trend: every search engine 
gives away its services in exchange for the ability to advertise. It's 
not just Google and Bing; most webmail and social networking sites offer 
free basic service in exchange for advertising, possibly with premium 
services for money. Most websites, even useful ones that take the place 
of client software, are free; they are either run altruistically or to 
facilitate advertising. 

Soon it will be hardware. In 1999, Internet startup FreePC tried to make 
money by giving away computers in exchange for the ability to monitor 
users' surfing and purchasing habits. The company failed, but computers 
have only gotten cheaper since then. It won't be long before giving away 
netbooks in exchange for advertising will be a viable business. Or 
giving away digital cameras. Already there are companies that give away 
long-distance minutes in exchange for advertising. Free cell phones 
aren't far off. Of course, not all IT hardware will be free. Some of the 
new cool hardware will cost too much to be free, and there will always 
be a need for concentrated computing power close to the user -- game 
systems are an obvious example -- but those will be the exception. Where 
the hardware costs too much to just give away, however, we'll see free 
or highly subsidized hardware in exchange for locked-in service; that's 
already the way cell phones are sold. 

This is important because it destroys what's left of the normal business 
relationship between IT companies and their users. We're not Google's 
customers; we're Google's product that they sell to their customers. 
It's a three-way relationship: us, the IT service provider, and the 
advertiser or data buyer. And as these noncustomer IT relationships 
proliferate, we'll see more IT companies treating us as products. If I 
buy a Dell computer, then I'm obviously a Dell customer; but if I get a 
Dell computer for free in exchange for access to my life, it's much less 
obvious whom I'm entering a business relationship with. Facebook's 
continual ratcheting down of user privacy in order to satisfy its actual 
customers -- the advertisers -- and enhance its revenue is just a hint 
of what's to come. 

The third conceptual change I've termed *depersonization*: computing 
that removes the user, either partially or entirely. Expect to see more 
software agents: programs that do things on your behalf, such as 
prioritize your email based on your observed preferences or send you 
personalized sales announcements based on your past behavior. The 
"people who liked this also liked" feature on many retail websites is 
just the beginning. A website that alerts you if a plane ticket to your 
favorite destination drops below a certain price is simplistic but 
useful, and some sites already offer this functionality. Ten years won't 
be enough time to solve the serious artificial intelligence problems 
required to fully realize intelligent agents, but the agents of that 
time will be both sophisticated and commonplace, and they'll need less 
direct input from you. 

Similarly, connecting objects to the Internet will soon be cheap enough 
to be viable. There's already considerable research into 
Internet-enabled medical devices, smart power grids that communicate 
with smart phones, and networked automobiles. Nike sneakers can already 
communicate with your iPhone. Your phone already tells the network where 
you are. Internet-enabled appliances are already in limited use, but 
soon they will be the norm. Businesses will acquire smart HVAC units, 
smart elevators, and smart inventory systems. And, as short-range 
communications -- like RFID and Bluetooth -- become cheaper, everything 
becomes smart. 

The "Internet of things" won't need you to communicate. The smart 
appliances in your smart home will talk directly to the power company. 
Your smart car will talk to road sensors and, eventually, other cars. 
Your clothes will talk to your dry cleaner. Your phone will talk to 
vending machines; they already do in some countries. The ramifications 
of this are hard to imagine; it's likely to be weirder and less orderly 
than the contemporary press describes it. But certainly smart objects 
will be talking about you, and you probably won't have much control over 
what they're saying. 

One old trend: deperimeterization. Two current trends: consumerization 
and decentralization. Three future trends: deconcentration, 
decustomerization, and depersonization. That's IT in 2020 -- it's not 
under your control, it's doing things without your knowledge and 
consent, and it's not necessarily acting in your best interests. And 
this is how things will be when they're working as they're intended to 
work; I haven't even started talking about the bad guys yet. 

hat's because IT security in 2020 will be less about protecting you 
from traditional bad guys, and more about protecting corporate business 
models from you. Deperimeterization assumes everyone is untrusted until 
proven otherwise. Consumerization requires networks to assume all user 
devices are untrustworthy until proven otherwise. Decentralization and 
deconcentration won't work if you're able to hack the devices to run 
unauthorized software or access unauthorized data. Decustomerization 
won't be viable unless you're unable to bypass the ads, or whatever the 
vendor uses to monetize you. And depersonization requires the autonomous 
devices to be, well, autonomous. 

In 2020 -- 10 years from now -- Moore's Law predicts that computers will 
be 100 times more powerful. That'll change things in ways we can't know, 
but we do know that human nature never changes. Cory Doctorow rightly 
pointed out that all complex ecosystems have parasites. Society's 
traditional parasites are criminals, but a broader definition makes more 
sense here. As we users lose control of those systems and IT providers 
gain control for their own purposes, the definition of "parasite" will 
shift. Whether they're criminals trying to drain your bank account, 
movie watchers trying to bypass whatever copy protection studios are 
using to protect their profits, or Facebook users trying to use the 
service without giving up their privacy or being forced to watch ads, 
parasites will continue to try to take advantage of IT systems. They'll 
exist, just as they always have existed, and -- like today -- security 
is going to have a hard time keeping up with them.

Welcome to the future. Companies will use technical security measures, 
backed up by legal security measures, to protect their business models. 
And unless you're a model user, the parasite will be you. 

This essay was originally written as a foreword to "Security 2020," by Doug Howard and Kevin Prince.http://www.amazon.com/exec/obidos/ASIN/0470639555/counterpane/

Thursday, January 13, 2011

Free City Cash Scam Spreads on Facebook

Free City Cash scam spreads on Facebook. A new survey scam is rapidly propagating on Facebook by promising users free virtual currency for use in Zynga’s latest hit game CityVille. "Woohoo! Thanks CityVille I got my 1,000 City Cash! http[colon]//apps[dot]facebook[dot]com/[censored]" or "CityVille is giving 1,000 City Cash for a limited time only! Grab Yours Now! http[colon]//apps[dot]facebook[dot]com/[censored]," the messages promoting this scam read. City Cash is one of several in-game currencies which can be used to build special buildings, expand the city’s land, and perform other actions. City Cash can be either earned or bought with real money. However, this is nothing more than one of the many rogue application-based survey scams that have plagued Facebook for the past half year. Opening the spammed links takes users to a well-designed page bearing the CityVille logo, but clicking on the button to claim the alleged prize prompts a permissions request dialog from an app called "Giveaway Promo." The application wants access to users’ profile information and to post on their walls in order to spam their friends. 

Source: http://news.softpedia.com/news/Free-City-Cash-Scam-Spreads-on-Facebook- 177588.shtml

Wednesday, January 12, 2011

Aging simulation scam hits Facebook users

Facebook scammers are tricking users into taking surveys by promising them an app that can simulate what their appearance would be 20 years from now. According to Facecrooks, the spam messages associated with this latest scam read "Wow, how creepy, LOL i look scary as an old person! - http[colon]//bit[dot]ly/[censored]" and share a page called "AGE yourself! See what you will look like in 20 years!" Clicking on the link takes users to a page which displays the picture of a girl and how she would allegedly look 20 years into the future. The images seem to have been copied from a real aging simulation service available at in20years.com that scammers deemed interesting enough to attract users. A message on the rogue page instructs users to click on the image to begin the simulation process. However, doing this will prompt a permissions dialog from an app called "OMG - How could this happen?" that wants access to post on people’s walls in order to spam their friends.

Source: http://news.softpedia.com/news/Aging-Simulation-Scam-Hits-Facebook-Users-%20177371.shtml

Researcher uses Amazon cloud to hack WPA-PSK passwords.

A security researcher in Germany is warning Amazon’s cloud service can be used to brute force weak passwords used to protect Wi-Fi security. Short and weak passwords would be vulnerable to a brute force attack, especially at the speeds offered by Amazon’s services, which is capable of testing 400,000 potential passwords every second. The researcher claims to have found the key for a network in his neighborhood using his method and Amazon’s service. The brute force attack took about 20 minutes to get the correct key, but he is making changes to his code which he reckons could bring the time down in such a case to about 6 minutes. He will distribute his software publicly and give demonstrations on using it at the Black Hat conference in Washington, D.C. He is releasing it to convince skeptical network administrators that such attacks will often be successful against protected networks.

Source: http://www.afterdawn.com/news/article.cfm/2011/01/11/security_researcher_uses_ama%20zon_cloud_to_hack_wpa-psk_passwords

Microsoft Repairs Critical Windows Flaw, Issues Temporary IE Fix

 Microsoft issued two security bulletins Tuesday, repairing two
critical flaws that affect all versions of Windows. The software
giant also updated a security advisory, issuing a temporary automated
workaround that if deployed, would block attackers from exploiting an
Internet Explorer zero-day vulnerability.

The January updates repaired three vulnerabilities in Microsoft
Windows and Windows Server. It was a quiet month compared to
December, which saw a record breaking 17 bulletins.

Source:http://go.techtarget.com/r/13151461/7882181