Archive for February, 2005

Link Spam Sucks

Monday, February 28th, 2005

So I thought it was just me getting hit with link spam. Turns out I’m far from alone–Technorati has been hit so hard that its indexing times have slowed from 7 minutes to several hours. Leave it to the (in my case online gambling) scumbags/spammers to trash yet another form of content distribution (blogs).

I hope they choke on a packet and die.

It’s Two AM. Do you know where your data is?

Monday, February 28th, 2005

It seems like every time I open a Web browser today, I’m seeing something about a compromise of personal data. Whether it’s a poorly secured W-2 tax document site or poor Paris Hilton (again), it seems like everyone is losing personal data right and left.

Which leads me to revisit the questions. Where is my data? What’s being done with it? How much data about me is out there that no one is keeping an eye on? Things get archived in email–often by design. Things get onto backup tapes which then get lost. Things get stored on computers which get lost or stolen.

If I think about it too hard, it gets pretty hard to sleep at night. How about you?

Giving “security” a bad name

Monday, February 28th, 2005

I’m finally back in town after spending a lot of time in airports the past couple of weeks, and I have to concur with those who assess the current state of airport security as totally unacceptable.

According to the article:

Posing as passengers, the decoys try to take dummy bombs, unloaded guns and other contraband through the airport’s security checkpoints. But the lawsuit said Covenant tracked the decoys via closed-circuit television cameras and tipped off workers at security gates to expect a test.

As a result, Covenant’s personnel intercepted as many as 90 percent of the federal decoys in the tests, according to the complaint.

First off, let me steal Schneier’s commentary:

All security systems require trusted people: people that must be trusted in order for the security to work. If the trusted people turn out not to be trustworthy, security fails.

Next, let’s consider what else this tells us–that even under perfect conditions (screeners alerted to the fact that a test was coming), they still missed 10% of the threats! This means that even when the target was identified, they were unable to find the hidden Bad Thing. In reality, people get things through that they shouldn’t have all the time. I watched an Air Marshal walk through the metal detector with his weapon plainly visible and it didn’t go off. So much for the Technology Factor.

I’ve got a couple more personal observations from my time spent in airports in the past few days. Nothing new or interesting, really, but distressing/irritating nonetheless.
(more…)

What? Me Wormy?

Tuesday, February 22nd, 2005

I just ran across this presentation (PowerPoint format–blame the Arbor Networks guys) by Jose Nazario of Arbor Networks discussing a formula for predicting the “wormability” of an exploit.

wormability (n) - The potential for a vulnerability’s use as the propagation attack in an Internet worm.

According to a story at The Register, it predicted Sasser but failed to predict Witty. Still, so long as it errs by missing worms rather than by producing false positives, it could be an extremely valuable tool.

Taking a stance as to whether a worm could be coming is something I get to do every time a major vulnerability comes out, so I’m extremely interested in seeing where this goes. The model isn’t perfect–nor can you expect it to be. In many regards it’s not all that different from predicting the weather–it might make a pretty good guess, but only time will tell for sure. But if it could reliably predict the Big Ones, it could add a lot of value in terms of prioritization, or in making sure that something subtle didn’t slip under the radar.

Note: This seems to follow up on many of the concepts originally presented in his May 2004 paper, The Evolving Worm Ecology (PDF), so you probably want to read that, too.

Stats++ Sample Pages

Monday, February 21st, 2005

Call me a tease, but I’ve finally gotten around to posting some sample pages for my server statistics reporting tool, Stats++. No downloads yet. I’ve got a few bugs still to work out and a lot of polishing, documentation, etc., but I’m making good progress.

Here are some sample screens I saved from the development server:
The Dashboard
A traffic graph along with the Top 10 Lists:

  • Busiest Pages, sortable by any column — traffic summary of hits, pages, new visitors, visitors, bandwidth, robots, etc.
  • New Visitor Entry Pages — the pages which brought in the most new visitors
  • Top Referers — The pages which referred the most traffic to pages on the site. Detailed information about which pages were referred can be found in the Referer Report.

Daily Traffic Report
A traffic report summarizing the traffic for, in this case, the month to date. The timespan is fully controllable using the form up in the navigation bar.

A traffic report for a single page.
This page provides basically the same information as the Traffic-By-Day report but includes all of the referers which have linked to this page. It also allows filtering to a specific query string and arbitrary date ranges.

Referer Traffic Report
Similar to the Page Report, but this one reports on traffic referred from a page, along with a summary of pages to which it links.

I also generate Operating System and Browser statistics, but left those off for the time being.
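As an added example (this is not Stats++ code and is not from the original post), here is a small Python summarizer that produces the same three Top 10 lists from Apache combined-format access log lines: busiest pages with hits, visitors, bandwidth and robot hits; entry pages for new (non-robot) visitors; and top external referers. The site hostname, the robot and asset patterns, and the sample log lines are all constructed for the example; malformed lines are skipped rather than guessed at, since a crafted User-Agent or Referer is the usual way a broken line gets into an access log.

```python
"""Top-10 style summary over Apache "combined" access-log lines.
Added example: this is not Stats++ code.  Sample log lines, the site host
and the robot/asset patterns are constructed for illustration."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache combined format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_RE = re.compile(r"\.(css|js|png|gif|jpe?g|ico)$", re.I)  # hits that are not "pages"
ROBOT_RE = re.compile(r"bot|crawler|spider|slurp", re.I)       # crude UA-based robot test


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")  # query kept for filtering
    rec["robot"] = bool(ROBOT_RE.search(rec["ua"]))
    # A "page" is a successful (2xx/3xx) request for something other than a static asset.
    rec["page"] = 200 <= rec["status"] < 400 and not ASSET_RE.search(rec["path"])
    return rec


def summarize(log_text, site_host):
    """Build the dashboard numbers: per-page stats, busiest pages, entry pages
    for new non-robot visitors, and top external referers."""
    pages = defaultdict(lambda: {"hits": 0, "bytes": 0, "visitors": set(), "robot_hits": 0})
    referers, entry_pages, seen = Counter(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["page"]:
            continue
        visitor = (rec["ip"], rec["ua"])  # visitor identity: address plus user agent
        p = pages[rec["path"]]
        p["hits"] += 1
        p["bytes"] += rec["bytes"]
        p["visitors"].add(visitor)
        p["robot_hits"] += int(rec["robot"])
        if visitor not in seen:  # first page request in this window
            seen.add(visitor)
            if not rec["robot"]:
                entry_pages[rec["path"]] += 1
        host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if host and host != site_host:  # only count traffic referred from elsewhere
            referers[rec["referer"]] += 1
    stats = {path: {**v, "visitors": len(v["visitors"])} for path, v in pages.items()}
    return {
        "pages": stats,
        "busiest": sorted(stats, key=lambda path: stats[path]["hits"], reverse=True)[:10],
        "entry_pages": entry_pages.most_common(10),
        "top_referers": referers.most_common(10),
    }


# Constructed sample: two browsers, one crawler, one garbage line.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2005:10:00:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.org/links.html" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [21/Feb/2005:10:00:02 -0500] "GET /style.css HTTP/1.1" 200 800 "http://blog.example.net/index.php" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [21/Feb/2005:10:00:30 -0500] "GET /archives/2005/02 HTTP/1.1" 200 9000 "http://blog.example.net/index.php" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [21/Feb/2005:10:05:00 -0500] "GET /archives/2005/02 HTTP/1.1" 200 9000 "http://www.example.org/links.html" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [21/Feb/2005:10:05:20 -0500] "GET /index.php?p=42 HTTP/1.1" 200 4000 "http://blog.example.net/archives/2005/02" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [21/Feb/2005:10:06:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.5 - - [21/Feb/2005:10:06:01 -0500] "GET /robots.txt HTTP/1.1" 404 300 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
this line is not in combined format and is skipped
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "blog.example.net")
    for path in report["busiest"]:
        print(path, report["pages"][path])
    print("entry pages:", report["entry_pages"])
    print("top referers:", report["top_referers"])
```

The visitor key is address plus user agent, which is what a log-only tool has to work with; it will over-count visitors behind a proxy and under-count when one address is shared, and robots are kept out of the new-visitor entry list so that a crawl does not dominate it.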

It’s a database-driven, web-based traffic reporting application, written using PHP4, ADO, JPGraph (free for non-commercial use), PostgreSQL and Perl. Features include:
(more…)

Welcome to Trusted Computing

Monday, February 21st, 2005

This is what we have to look forward to in a DRM’ed world:

The HP BIOS for most models of laptop now have a whitelist of allowed Mini-PCI cards that can be installed in the laptop. If your new WiFi card isn’t on the (very small) list of allowed cards for that specific model of laptop, then your laptop won’t boot.

And before anyone starts getting too smug, IBM is guilty, too.

My Dell laptop may be a complete piece of crap (the touchpoint mouse is psychotic, and while it suspends beautifully, it has serious problems with waking up), but at least its brokenness is accidental. What benefit does limiting the list of MiniPCI cards provide?

Also, does this violate the licensing terms for the use of the MiniPCI trademark? Usually, when you state that you support a standard, you’re on the hook to support all compliant hardware.

*sigh*

In ChoicePoint, the “Point” is on their heads…

Monday, February 21st, 2005

So for those of you not playing along in the home game, ChoicePoint is a consumer credit & background information aggregator. This means that they accumulate information about credit histories, insurance claims, financial data and pretty much any other Personal Data they can get their hands on, then sell access to it.

Unfortunately, poor process security has led to the compromise of over 145,000 people’s identifying information and over 700 known cases of Identity Theft:

The perpetrators were able to dupe the company, which provides consumer data services to insurance companies, other businesses and government agencies, by passing themselves off as legitimate customers.

So just to recap:
1) A company which claims to be in the business of aggregating and analyzing data was repeatedly conned by people with fraudulent data.
2) A company which claims to have processes in place to identify and prevent abuses by its customers didn’t find out that it was being scammed until the police came and told it.
3) They keep revising the number of affected accounts upward, which says to me that they’re still uncovering more abuse, either by the same group or by other groups running the same scam against them.

Of my list above, #3 definitely worries me the most. Organized fraud gangs trade information about exploits just like they trade the information that those exploits produce. The breakdowns occurred at the process level–they used front companies to bypass whatever security processes ChoicePoint thought it had in place in order to mount their attack.

ChoicePoint says it’s instituting new and expensive security procedures to prevent this sort of attack in the future. I wish them luck, since when they sneeze, I catch cold. But I’ll also be surprised if this does anything more than buy them some time until this incident either blows over or the Bad Guys come up with a new and improved process attack.

What we need is an acknowledgement that as the number of places this information is aggregated continues to grow, these sorts of incidents will become increasingly common. Thus, prevention alone is a lost cause. It’s time to accept this fact and begin to turn our attention toward improving mechanisms not just for preventing but also for detecting and recovering from identity theft.

As an aside…

The way the attack probably worked is really very simple. They tried to set up a front company the first time and got turned down, so they tweaked the application and tried again. Maybe this time, they got to step two in the process, maybe not. In any case, the attackers keep changing variables in their approach until they finally determine the correct answer to each question along the way. If they are persistent enough, they will eventually breach the process and be able to act with impunity.

Process-level attacks like this are fairly common in the Private Banking world, which is where I first learned about them. The only response is a combination of constant refinement of your vetting processes and a consistent refusal to provide feedback to those you deny. In some cases, people would be escorted out of the Private Bank’s offices before they could even wipe their shoes on the mat. The risk of a lawsuit was less than the risk of a very expensive and potentially-embarrassing incident.
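As an added example of the two points above (the attacker who keeps changing variables until each step passes, and the defence of refusing to say why an applicant was denied), here is a hypothetical customer-vetting pipeline in Python. It is not ChoicePoint’s process and not code from the original post; the four checks, the candidate values and the applicant name are constructed for illustration. The leaky version names the failed check, so an attacker converges in a handful of applications; the uniform version returns the same “denied” every time and logs the detail for fraud review, which turns the probing into the kind of detectable signal the post asks for.

```python
"""Added example: a hypothetical customer-vetting pipeline, showing why a
denial must not tell the applicant which check failed.  The checks, the
candidate values and the applicant are constructed for illustration; none
of this is ChoicePoint's actual process."""
from itertools import product

# Each check is (field, predicate).  A front company must pass all four.
CHECKS = [
    ("entity_type",       lambda v: v in {"corporation", "llc"}),
    ("years_in_business", lambda v: v >= 3),
    ("address_kind",      lambda v: v != "mail_drop"),
    ("reference_count",   lambda v: v >= 2),
]


def vet_leaky(app):
    """Stops at the first failed check and names it: a feedback oracle."""
    for field, ok in CHECKS:
        if not ok(app[field]):
            return False, f"rejected: {field}"
    return True, "approved"


AUDIT_LOG = []  # what fraud review sees; never returned to the applicant


def vet_uniform(app):
    """Runs every check, records the failures internally, and returns the
    same 'denied' whatever the reason."""
    failed = [field for field, ok in CHECKS if not ok(app[field])]
    if failed:
        AUDIT_LOG.append({"applicant": app["name"], "failed": failed})
        return False, "denied"
    return True, "approved"


# Values the attacker is prepared to try for each field, cheapest first (constructed).
CANDIDATES = {
    "entity_type":       ["sole_prop", "partnership", "llc"],
    "years_in_business": [0, 1, 5],
    "address_kind":      ["mail_drop", "virtual_office", "leased_office"],
    "reference_count":   [0, 1, 3],
}
FIELDS = list(CANDIDATES)


def build_app(choice):
    return {"name": "Front Co", **dict(zip(FIELDS, choice))}


def attack_with_feedback(vet):
    """Start cheap; on each rejection change only the field the response named.
    Returns the number of applications until approval, or None if the response
    carries no usable feedback."""
    idx = dict.fromkeys(FIELDS, 0)
    for attempts in range(1, 1 + sum(len(c) for c in CANDIDATES.values())):
        approved, msg = vet(build_app([CANDIDATES[f][idx[f]] for f in FIELDS]))
        if approved:
            return attempts
        if not msg.startswith("rejected: "):
            return None  # uniform denial: nothing to steer by
        idx[msg[len("rejected: "):]] += 1
    return None


def attack_blind(vet):
    """With approve/deny only, the attacker is reduced to enumerating the whole
    candidate space; the cost is the product of the per-field choices."""
    for attempts, choice in enumerate(product(*CANDIDATES.values()), start=1):
        if vet(build_app(choice))[0]:
            return attempts
    return None


def suspicious_applicants(log, threshold):
    """Detection side: repeated denials for the same applicant are the
    signature of someone probing the process."""
    counts = {}
    for entry in log:
        counts[entry["applicant"]] = counts.get(entry["applicant"], 0) + 1
    return [name for name, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    print("leaky oracle, applications until approval:", attack_with_feedback(vet_leaky))
    print("uniform denial, steered attack:", attack_with_feedback(vet_uniform))
    print("uniform denial, blind enumeration:", attack_blind(vet_uniform))
    print("flagged for review:", suspicious_applicants(AUDIT_LOG, 10))
```

With three candidates per field the leaky oracle is beaten in eight applications, while the uniform response forces 78 blind attempts, all of which land in the audit log under the same applicant name. In practice an attacker varies the front company's name as well, so the review query should key on whatever is expensive to change (addresses, phone numbers, bank accounts, officers) rather than on the name alone.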

Is Microsoft taking off the gloves again?

Thursday, February 17th, 2005

So according to the developers of WINE, an open-source implementation of the Windows APIs for running Windows applications on non-Windows OSes (*cough*Linux*cough*), Microsoft is now actively checking for WINE users on their download sites.

They appear to want to discriminate against Wine users; while this may be acceptable for operating system components/updates, this is probably a violation of anti-trust law for all other downloads.
It’s also the first time Microsoft acknowledges the existence of Wine.

This is an interesting turn of events on many levels. First, as has already been noted, this is the first time that Microsoft has effectively acknowledged WINE’s existence, even though the project has been around for 10 years or so. Microsoft is obviously concerned about a weakening grip on their control of the operating systems market, public rhetoric notwithstanding. This too has been known ever since the publication of the now-infamous Halloween Memo in 1998.

Still, so long as Microsoft isn’t actively seeking to break WINE users’ installations, I’ll put this down to curiosity. If I were Microsoft and wanted to know how many people were actively using WINE, I’d probably try to track it through the download site, too. Still, Microsoft has a bad track record with regards to working and playing well with others, especially those who are trying to work well with its products.

This could be nothing, but it could also be a prelude to a new round of anti-Open Source nastiness. It may be warmup for some sort of “Trusted” computing initiative, where if they can’t promise the Content Industry (RIAA & MPAA) that their applications are running on “real” windows as opposed to being a Brain in a Jar (like WINE) then the Content Industry won’t dub them, “Sir Content Distribution Monopoly.”

Nevertheless, this little factoid, combined with the unleashing of the Internet Explorer team to put out IE7 independently of Longhorn, says to me that Microsoft is running scared. They haven’t led anywhere in years. All of their “Initiatives” are actually responses to inroads made by competitors or efforts to dominate markets that others created. Run through a quick list: Search. Anti-Virus & Anti-Spyware (ironically, you could argue that they “created” this market, too). DLL Hell and Patch Management. The list goes on. Meanwhile, Microsoft Research is spending $6 billion per year on loads of Very Smart People who produce things like Microsoft Bob and toilets that run Windows.

Back to the immediate question at hand: What is Microsoft really trying to accomplish here? Microsoft has a long history of trying to kill piracy through technical means. I’ve already covered that in a previous post. If they’re now getting ready to try and kill legal alternatives too, though, that’s a whole different story, more akin to their DR-DOS sabotage back in the Windows 3.1 beta days:

The most potentially damaging allegation in Caldera’s complaint is that Microsoft sabotaged Caldera’s DR-DOS in 1991 by writing a secret line of Windows code that displayed a misleading and alarming error message to users trying to install Windows on computers that were running any operating system other than MS-DOS. According to internal Microsoft e-mail recently leaked to The Wall Street Journal, the encrypted code was intended to “put competitors on a treadmill,” as it is put in a 1991 message written by Windows development chief David Cole. “We need to make sure [Windows] only runs on top of MS-DOS . . . the less people know about exactly what gets done the better.”

I’m still waiting to see where this ultimately goes, but I’m not hopeful.

assert( Hacker != Criminal )

Wednesday, February 16th, 2005

Michael Bauer published an essay, “Fear and Loathing in Information Security” discussing a couple of key misconceptions about “hacking” as a slippery slope from curiosity to crime. It’s a relatively long read for an opinion piece, but worth the time.
(more…)

Things Break. Twice.

Tuesday, February 15th, 2005

Richard Bejtlich has posted a nice summary of two recent mass identity thefts over at TaoSecurity.

You can read the details over there, but even if you don’t, remember his excellent point down toward the bottom:

These two cases also demonstrate my security mantra that prevention eventually fails. Therefore, we need to have robust detection and response mechanisms in place.