Recently, Apple unveiled a new system that allows customers to browse the iTunes store and “rent” selected movies for a smaller fee than it would cost to purchase them. This fee also happens to be slightly more than one would pay for renting from a video store, but convenience isn’t cheap. The iTunes rental system allows customers to download a video and store it for up to 30 days, but the movie must be watched within 24 hours of starting it. 24 hours after starting the movie, it is removed from the iTunes library.
Security Review: Metal Detectors and Security Checkpoints
Anybody who has flown on a national airline or had business in a federal, state, or county government building has certainly had the experience of waiting in the queue to be ushered through a beeping metal-detecting portal, separated from bags and other belongings which are whisked through an adjacent X-ray machine. Such devices are usually intended to secure the premises against an outside threat entering with weapons or other dangerous items.
Latest on the RIAA and Copyright Infringement
The RIAA is trying to push the PRO-IP bill through Congress, which would grant them more protection under copyright law, including the ability to seek even larger damages for illegal copying of media. Thought $9,000 per song was too much? Try $1.5 million per CD…
The Motion Picture Association of America and the International Federation of the Phonographic Industry, among other media giants, are backing Sweden’s decision to charge the individuals responsible for running a public torrent site known as “The Pirate Bay”. The charge is accessory and conspiracy to break copyright law. Many think the charges have no grounds, and according to the site’s operators, the site isn’t going anywhere even if they lose the trial.
Since September, when the RIAA lost the Interscope vs. Rodriguez case for lack of evidence supporting their complaint, the association has attempted to add more details to its cases, most notably the IP address connected with the alleged offender. Many believe that this isn’t good enough either.
I would like to expand upon this last bit, which happens to be directly connected to computer security.
Mega-D Botnet overtakes Storm Botnet
A new botnet, called Mega-D, is currently responsible for an estimated 32% of all spam, compared to the Storm botnet’s peak estimate of 21% in September 2007.
The Mega-D botnet runs on a distributed peer-to-peer network, and the virus disables itself if it is run in a virtual environment. The virus spreads via malicious e-mails, which trick its victims into visiting fake websites and downloading the trojan.
E-mails are made to mimic invites to social networking sites such as Facebook, and will ask users to update their Flash player, when in fact they are downloading the virus. Other malicious e-mails used subjects mentioning the recent death of Heath Ledger to trick users into reading the e-mail and visiting a malicious web page.
Mega-D is used to advertise male enhancement pharmaceutical products, and is gaining momentum in Asia and North America, where broadband availability is high.
The Storm botnet’s activity has been declining, largely due to Microsoft’s malicious software removal campaign. Storm had received a lot of publicity, whereas there is little media coverage of Mega-D.
Security experts at Marshal (www.marshal.com), a security company that monitors spam and botnet trends, found that Mega-D is the current juggernaut of e-mail spam. Marshal also reports that 70% of all spam is delivered from five botnets: Mega-D, Pushdo, HTML, One Word Sub, and Storm.
While the Storm botnet is the most infamous, it is estimated that Storm currently contributes around 2% of spam, meaning attention now needs to shift to the other botnets.
http://www.securecomputing.net.au/news/69328,megad-botnet-stronger-than-storm-promotes-male-sexual-pills.aspx
http://www.zdnet.com.au/news/security/soa/Mega-D-sticks-it-to-Storm-in-spam-contest/0,130061744,339285587,00.htm
http://en.wikipedia.org/wiki/Storm_botnet
Malicious banner ads appear on Expedia, Rhapsody sites
http://www.scmagazineus.com/Malicious-banner-ads-appear-on-Expedia-Rhapsody-sites/article/104827/
Recently, malicious ad banners that deliver malware have appeared on both Expedia and Rhapsody. Clicking on the malicious Flash ad banner, SWF_ADHIJACK.A, leads to several redirections, which eventually result in the installation of a rogue antispyware program detected as TROJ_GIDA.A.
They are definitely not the first victims, as there have been reports of such discoveries on other popular websites, such as MLB and NHL (www.crn.com/security/203101675). However, what surprised me is that Expedia and Rhapsody, both being web-oriented companies, failed to prevent such ads from reaching their sites. Unlike MLB.com, both Expedia and Rhapsody have the knowledge and expertise to easily identify such malicious banners. They just decided not to filter the ads provided by the ad-serving network.
Security software or adware?
It recently came to my attention that Adobe is now including an option (which is checked by default) in their installers for Adobe Reader and the Shockwave player to install a Norton Security Scan program. I think this raises some serious questions about whether these companies can be trusted when it comes to maintaining security and privacy on one’s computer.
Security Review: Mandylion Password Manager
Summary
Password complexity and policy enforcement in today’s enterprise has forced users to take insecure measures to ensure recollection of the many passwords they use. Users may put passwords in text files on their computer, re-use old passwords frequently, or write them down on Post-It notes. Mandylion has created a convenient portable device to help store important passwords while providing military-grade protection for them.
UWnews hacked?
I stumbled upon this and wanted to share:
First go here -> http://uwnews.washington.edu/ni/article.asp?articleID=34207
Now go here -> http://uwnews.washington.edu/ni/
Any thoughts? Just a basic site defacing?
Perfect Security: Delusional and Misdirected
I hesitate to post commentary about this article, but feel that it is important to deconstruct claims by those believing they have all the answers, especially when they are posting on high-profile blog sites.
InfoWorld’s Security adviser Roger A. Grimes has detailed his “Perfect Plan” for making the Internet secure for every user. In his words: “All computer devices, users, and transactions must be authenticated by default.”
One Username to Rule Them All
My husband has been working on a pet project lately that needs to have a user login system. Although he could build one himself or purchase a system, he is probably going to go with OpenID. Using OpenID simplifies the project immensely and is probably more secure than anything he or I could write. Already it is estimated that there are over 160 million OpenIDs, with nearly ten thousand sites supporting OpenID logins (http://openid.net/what/). But it does beg the question: how secure is OpenID?
OpenID is “an open, decentralized, free framework for user-centric digital identity” (http://openid.net). Basically, a user sets up an account with one of several OpenID Providers (openid.net, aol.com, etc.). The provider keeps the username, password, email and all sorts of other account information the user wants there. When the user goes to a site that uses OpenID authentication (blogger.com, lol.com, and more), they enter their OpenID and are redirected to the Provider’s site. There they enter their credentials and grant access to the referring website. That is the process in a nutshell, but see this video for a really great, succinct explanation.
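The redirect-and-assert exchange above, as an added example that is not part of the original post: the provider issues a signed positive assertion and the relying party verifies it, rejecting a tampered identity, a return_to the site never requested, and a replayed response. The provider and RP URLs, the association handle and the MAC key are constructed placeholders; the parameter names are OpenID 2.0's.

```python
import base64, hashlib, hmac, secrets, time

# Constructed association: a real RP negotiates the handle and MAC key with the provider first.
ASSOC_HANDLE = "assoc-demo-1"
ASSOC_KEY = b"constructed-demo-mac-key"

def _kv_form(fields, signed):
    """OpenID key-value form of the signed fields, in the order listed in openid.signed."""
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed.split(","))

def _sign(fields, key):
    """Base64 HMAC-SHA256 over the key-value form, as in an HMAC-SHA256 association."""
    return base64.b64encode(hmac.new(key, _kv_form(fields, fields["openid.signed"]).encode(), hashlib.sha256).digest()).decode()

def op_positive_assertion(identity, return_to, key=ASSOC_KEY):
    """Provider side: the signed id_res response that is redirected back to the RP."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://provider.example/auth",  # constructed placeholder
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = _sign(fields, key)
    return fields

def rp_verify_assertion(fields, expected_return_to, seen_nonces, key=ASSOC_KEY):
    """Relying-party side. Returns (True, claimed_id) on success, (False, reason) otherwise."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = fields.get("openid.signed", "")
    required = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}
    if not required <= set(signed.split(",")):
        return False, "a security-critical field is outside the signature"
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    if not hmac.compare_digest(_sign(fields, key), fields.get("openid.sig", "")):
        return False, "bad signature"
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to does not match the URL this RP sent"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "response_nonce already used (replay)"
    seen_nonces.add(nonce)
    return True, fields["openid.claimed_id"]
```

The replay set is the part a real RP must persist: the nonce check protects only as long as previously accepted nonces are remembered.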
The driving idea behind OpenID is to have only one set of credentials for all your online identities. This way you do not have to remember which username goes with which website, or the password for each. Sounds pretty good… but what happens if your OpenID is compromised? An adversary has access to ALL your online accounts. The consequences of a compromised OpenID are severe. On the other hand, people generally use the same username and password for everything anyway, which is definitely a security problem and has the same consequences as a compromised OpenID.
Benefits of OpenID are that small businesses and developers do not need to implement their own login system, users can change personal information or passwords once and have it apply everywhere, and users are less likely to do dumb things like write lists of usernames and passwords.
However, OpenIDs have some problems too. First, OpenIDs are URLs, for example http://inkblotpassword.com/id/jessica. For an average user, a URL is difficult to remember and very unfriendly. Personally, I think users would get used to it just as they have with email addresses; there is nothing innately harder about URLs. The OpenID system is prone to phishing attacks because the user is redirected to the provider’s page, which could easily be imitated. There have been problems with CSRF (cross-site request forgery) attacks: one of the largest providers, MyOpenID.com, had this issue, but when notified, they reacted promptly. Another issue is that the set of specifications a provider must implement is fairly small. There are no requirements on the strength of passwords, or even to have a password at all. From a security standpoint, OpenID just adds another layer of complexity for things to go wrong. It also puts a burden on the user to choose a provider they can trust.
With all this in mind, is OpenID a good system? Will it prove to be the downfall of the Internet as some naysayers have speculated? Or will it bring about a revolution in convenience? Should a website use OpenID as its username and password management system? Would it be an acceptable system for banks or other financial institutions?