For those that have sent me notices asking why I have not updated my site in some time, it is because it has moved. The new site can be found at:
http://www.josefweiss.com/
I am able to publish and control more information on the new site.
Information Security Daily
Search This Blog
Wednesday, June 29, 2011
Monday, January 24, 2011
iPhone/Android/Blackberry Latest Vulnerabilities
Millions of e-mail addresses and passwords may have been stolen from Trapster, an online service that warns iPhone, Android, and BlackBerry owners of police speed traps, the company announced January 19. California-based Trapster has begun alerting its registered users and has published a short FAQ on the breach. "If you've registered your account with Trapster, then it's best to assume that your e-mail address and password were included among the compromised data," the FAQ stated. Trapster downplayed the threat, saying it was unsure the addresses and passwords were actually harvested. "While we know that we experienced a security incident, it is not clear that the hackers successfully captured any e-mail addresses or passwords, and we have nothing to suggest that this information has been used," Trapster said.
In the Blackberry arena, PDF vulnerability found in Blackberry Attachment Service. Research In Motion has issued a security alert acknowledging a vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. The vulnerability is rated 9.3 (out of 10) on the Common Vulnerability Scoring System (CVSS). That is considered "high" in the National Vulnerability Database severity ratings. The advisory is intended for BlackBerry Enterprise Server (BES) administrators, who are the recommended persons to apply the RIM-supplied fix. The vulnerability affects BES Exchange, IMB Lotus Domino and Novell GroupWise versions 4.1.6, 4.1.7, 5.0.0 and 5.0.1. BES Exchange and IMB Lotus Domino versions 5.0.2 and the Exchange-only 5.0.2 are also affected.
Monday, January 17, 2011
Security in 2020
There's really no such thing as security in the abstract. Security can only be defined in relation to something else. You're secure from something or against something. In the next 10 years, the traditional definition of IT security -- that it protects you from hackers, criminals, and other bad guys -- will undergo a radical shift. Instead of protecting you from the bad guys, it will increasingly protect businesses and their business models from you.
Ten years ago, the big conceptual change in IT security was *deperimeterization*. A wordlike grouping of 18 letters with both a prefix and a suffix, it has to be the ugliest word our industry invented. The concept, though -- the dissolution of the strict boundaries between the internal and external network -- was both real and important.
There's more deperimeterization today than there ever was. Customer and
partner access, guest access, outsourced e-mail, VPNs; to the extent
there is an organizational network boundary, it's so full of holes that
it's sometimes easier to pretend it isn't there. The most important
change, though, is conceptual. We used to think of a network as a
fortress, with the good guys on the inside and the bad guys on the
outside, and walls and gates and guards to ensure that only the good
guys got inside. Modern networks are more like cities, dynamic and
complex entities with many different boundaries within them. The access,
authorization, and trust relationships are even more complicated.
Today, two other conceptual changes matter. The first is
*consumerization*. Another ponderous invented word, it's the idea that
consumers get the cool new gadgets first, and demand to do their work on
them. Employees already have their laptops configured just the way they
like them, and they don't want another one just for getting through the
corporate VPN. They're already reading their mail on their BlackBerrys
or iPads. They already have a home computer, and it's cooler than the
standard issue IT department machine. Network administrators are
increasingly losing control over clients.
This trend will only increase. Consumer devices will become trendier,
cheaper, and more integrated; and younger people are already used to
using their own stuff on their school networks. It's a recapitulation of
the PC revolution. The centralized computer center concept was shaken by
people buying PCs to run VisiCalc; now it's iPads and Android smart phones.
he second conceptual change comes from cloud computing: our increasing
tendency to store our data elsewhere. Call it *decentralization*: our
email, photos, books, music, and documents are stored somewhere, and
accessible to us through our consumer devices. The younger you are, the
more you expect to get your digital stuff on the closest screen
available. This is an important trend, because it signals the end of the
hardware and operating system battles we've all lived with. Windows vs.
Mac doesn't matter when all you need is a web browser. Computers become
temporary; user backup becomes irrelevant. It's all out there somewhere
-- and users are increasingly losing control over their data.
During the next 10 years, three new conceptual changes will emerge, two
of which we can already see the beginnings of. The first I'll call
*deconcentration*. The general-purpose computer is dying and being
replaced by special-purpose devices. Some of them, like the iPhone, seem
general purpose but are strictly controlled by their providers. Others,
like Internet-enabled game machines or digital cameras, are truly
special purpose. In 10 years, most computers will be small, specialized,
and ubiquitous.
Even on what are ostensibly general-purpose devices, we're seeing more
special-purpose applications. Sure, you could use the iPhone's web
browser to access the *New York Times* website, but it's much easier to
use the NYT's special iPhone app. As computers become smaller and
cheaper, this trend will only continue. It'll be easier to use
special-purpose hardware and software. And companies, wanting more
control over their users' experience, will push this trend.
The second is *decustomerization* -- now I get to invent the really ugly
words -- the idea that we get more of our IT functionality without any
business relationship. We're all part of this trend: every search engine
gives away its services in exchange for the ability to advertise. It's
not just Google and Bing; most webmail and social networking sites offer
free basic service in exchange for advertising, possibly with premium
services for money. Most websites, even useful ones that take the place
of client software, are free; they are either run altruistically or to
facilitate advertising.
Soon it will be hardware. In 1999, Internet startup FreePC tried to make
money by giving away computers in exchange for the ability to monitor
users' surfing and purchasing habits. The company failed, but computers
have only gotten cheaper since then. It won't be long before giving away
netbooks in exchange for advertising will be a viable business. Or
giving away digital cameras. Already there are companies that give away
long-distance minutes in exchange for advertising. Free cell phones
aren't far off. Of course, not all IT hardware will be free. Some of the
new cool hardware will cost too much to be free, and there will always
be a need for concentrated computing power close to the user -- game
systems are an obvious example -- but those will be the exception. Where
the hardware costs too much to just give away, however, we'll see free
or highly subsidized hardware in exchange for locked-in service; that's
already the way cell phones are sold.
This is important because it destroys what's left of the normal business
relationship between IT companies and their users. We're not Google's
customers; we're Google's product that they sell to their customers.
It's a three-way relationship: us, the IT service provider, and the
advertiser or data buyer. And as these noncustomer IT relationships
proliferate, we'll see more IT companies treating us as products. If I
buy a Dell computer, then I'm obviously a Dell customer; but if I get a
Dell computer for free in exchange for access to my life, it's much less
obvious whom I'm entering a business relationship with. Facebook's
continual ratcheting down of user privacy in order to satisfy its actual
customers -- the advertisers -- and enhance its revenue is just a hint
of what's to come.
The third conceptual change I've termed *depersonization*: computing
that removes the user, either partially or entirely. Expect to see more
software agents: programs that do things on your behalf, such as
prioritize your email based on your observed preferences or send you
personalized sales announcements based on your past behavior. The
"people who liked this also liked" feature on many retail websites is
just the beginning. A website that alerts you if a plane ticket to your
favorite destination drops below a certain price is simplistic but
useful, and some sites already offer this functionality. Ten years won't
be enough time to solve the serious artificial intelligence problems
required to fully realize intelligent agents, but the agents of that
time will be both sophisticated and commonplace, and they'll need less
direct input from you.
Similarly, connecting objects to the Internet will soon be cheap enough
to be viable. There's already considerable research into
Internet-enabled medical devices, smart power grids that communicate
with smart phones, and networked automobiles. Nike sneakers can already
communicate with your iPhone. Your phone already tells the network where
you are. Internet-enabled appliances are already in limited use, but
soon they will be the norm. Businesses will acquire smart HVAC units,
smart elevators, and smart inventory systems. And, as short-range
communications -- like RFID and Bluetooth -- become cheaper, everything
becomes smart.
The "Internet of things" won't need you to communicate. The smart
appliances in your smart home will talk directly to the power company.
Your smart car will talk to road sensors and, eventually, other cars.
Your clothes will talk to your dry cleaner. Your phone will talk to
vending machines; they already do in some countries. The ramifications
of this are hard to imagine; it's likely to be weirder and less orderly
than the contemporary press describes it. But certainly smart objects
will be talking about you, and you probably won't have much control over
what they're saying.
One old trend: deperimeterization. Two current trends: consumerization
and decentralization. Three future trends: deconcentration,
decustomerization, and depersonization. That's IT in 2020 -- it's not
under your control, it's doing things without your knowledge and
consent, and it's not necessarily acting in your best interests. And
this is how things will be when they're working as they're intended to
work; I haven't even started talking about the bad guys yet.
hat's because IT security in 2020 will be less about protecting you
from traditional bad guys, and more about protecting corporate business
models from you. Deperimeterization assumes everyone is untrusted until
proven otherwise. Consumerization requires networks to assume all user
devices are untrustworthy until proven otherwise. Decentralization and
deconcentration won't work if you're able to hack the devices to run
unauthorized software or access unauthorized data. Decustomerization
won't be viable unless you're unable to bypass the ads, or whatever the
vendor uses to monetize you. And depersonization requires the autonomous
devices to be, well, autonomous.
In 2020 -- 10 years from now -- Moore's Law predicts that computers will
be 100 times more powerful. That'll change things in ways we can't know,
but we do know that human nature never changes. Cory Doctorow rightly
pointed out that all complex ecosystems have parasites. Society's
traditional parasites are criminals, but a broader definition makes more
sense here. As we users lose control of those systems and IT providers
gain control for their own purposes, the definition of "parasite" will
shift. Whether they're criminals trying to drain your bank account,
movie watchers trying to bypass whatever copy protection studios are
using to protect their profits, or Facebook users trying to use the
service without giving up their privacy or being forced to watch ads,
parasites will continue to try to take advantage of IT systems. They'll
exist, just as they always have existed, and -- like today -- security
is going to have a hard time keeping up with them.
Welcome to the future. Companies will use technical security measures,
backed up by legal security measures, to protect their business models.
And unless you're a model user, the parasite will be you.
This essay was originally written as a foreword to "Security 2020," by Doug Howard and Kevin Prince.http://www.amazon.com/exec/obidos/ASIN/0470639555/counterpane/
Thursday, January 13, 2011
Free City Cash Scam Spreads on Facebook
Free City Cash scam spreads on Facebook. A new survey scam is rapidly propagating on Facebook by promising users free virtual currency for use in Zynga’s latest hit game CityVille. "Woohoo! Thanks CityVille I got my 1,000 City Cash! http[colon]//apps[dot]facebook[dot]com/[censored]" or "CityVille is giving 1,000 City Cash for a limited time only! Grab Yours Now! http[colon]//apps[dot]facebook[dot]com/[censored]," the messages promoting this scam read. City Cash is one of several in-game currencies which can be used to build special buildings, expand the city’s land, and perform other actions. City Cash can be either earned or bought with real money. However, this is nothing more than one of the many rogue application-based survey scams that have plagued Facebook for the past half year. Opening the spammed links takes users to a well-designed page bearing the CityVille logo, but clicking on the button to claim the alleged prize prompts a permissions request dialog from an app called "Giveaway Promo." The application wants access to users’ profile information and to post on their walls in order to spam their friends.
Source: http://news.softpedia.com/news/Free-City-Cash-Scam-Spreads-on-Facebook- 177588.shtml
Source: http://news.softpedia.com/news/Free-City-Cash-Scam-Spreads-on-Facebook- 177588.shtml
Wednesday, January 12, 2011
Aging simulation scam hits Facebook users
Facebook scammers are tricking users into taking surveys by promising them an app that can simulate what their appearance would be 20 years from now. According to Facecrooks, the spam messages associated with this latest scam read "Wow, how creepy, LOL i look scary as an old person! - http[colon]//bit[dot]ly/[censored]" and share a page called "AGE yourself! See what you will look like in 20 years!" Clicking on the link takes users to a page which displays the picture of a girl and how she would allegedly look 20 years into the future. The images seem to have been copied from a real aging simulation service available at in20years.com that scammers deemed interesting enough to attract users. A message on the rogue page instructs users to click on the image to begin the simulation process. However, doing this will prompt a permissions dialog from an app called "OMG - How could this happen?" that wants access to post on people’s walls in order to spam their friends.
Source: http://news.softpedia.com/news/Aging-Simulation-Scam-Hits-Facebook-Users-%20177371.shtml
Source: http://news.softpedia.com/news/Aging-Simulation-Scam-Hits-Facebook-Users-%20177371.shtml
Researcher uses Amazon cloud to hack WPA-PSK passwords.
A security researcher in Germany is warning Amazon’s cloud service can be used to brute force weak passwords used to protect Wi-Fi security. Short and weak passwords would be vulnerable to a brute force attack, especially at the speeds offered by Amazon’s services, which is capable of testing 400,000 potential passwords every second. The researcher claims to have found the key for a network in his neighborhood using his method and Amazon’s service. The brute force attack took about 20 minutes to get the correct key, but he is making changes to his code which he reckons could bring the time down in such a case to about 6 minutes. He will distribute his software publicly and give demonstrations on using it at the Black Hat conference in Washington, D.C. He is releasing it to convince skeptical network administrators that such attacks will often be successful against protected networks.
Source: http://www.afterdawn.com/news/article.cfm/2011/01/11/security_researcher_uses_ama%20zon_cloud_to_hack_wpa-psk_passwords
Source: http://www.afterdawn.com/news/article.cfm/2011/01/11/security_researcher_uses_ama%20zon_cloud_to_hack_wpa-psk_passwords
Microsoft Repairs Critical Windows Flaw, Issues Temporary IE Fix
Microsoft issued two security bulletins Tuesday, repairing two
critical flaws that affect all versions of Windows. The software
giant also updated a security advisory, issuing a temporary automated
workaround that if deployed, would block attackers from exploiting an
Internet Explorer zero-day vulnerability.
The January updates repaired three vulnerabilities in Microsoft
Windows and Windows Server. It was a quiet month compared to
December, which saw a record breaking 17 bulletins.
Source:http://go.techtarget.com/r/13151461/7882181
critical flaws that affect all versions of Windows. The software
giant also updated a security advisory, issuing a temporary automated
workaround that if deployed, would block attackers from exploiting an
Internet Explorer zero-day vulnerability.
The January updates repaired three vulnerabilities in Microsoft
Windows and Windows Server. It was a quiet month compared to
December, which saw a record breaking 17 bulletins.
Source:http://go.techtarget.com/r/13151461/7882181
Subscribe to:
Posts (Atom)