Roy Firestein

Security Feeds

Archive for March, 2009

Space Storm Alert: 90 Seconds from Catastrophe

March 31st, 2009. Published under My Recent Reads.

pulled from Google Reader (click on title for original post)

Over the last few decades, western civilisations have busily sown the seeds of their own destruction. Our modern way of life, with its reliance on technology, has unwittingly exposed us to an extraordinary danger: plasma balls spewed from the surface of the sun could wipe out our power grids, with catastrophic consequences.

Protecting Against The Politics Of Layer 8

March 31st, 2009. Published under My Recent Reads.

Discussions regarding security metrics appear nearly every other week on at least one of the mailing lists I follow. How do you measure your effectiveness as a security team, and what’s the ROI of this security product? The list goes on. What I’d like to see is the number of breaches due to layer 8, specifically the political part of that “layer.”

Conficker.C domain list for 1st April 2009

March 29th, 2009. Published under My Recent Reads.

http://www.annysoft.com/confi/Domains_Conficker.C.txt

by Taneja Vikas

http://www.annysoft.com

Google Street View coming to Canada

March 29th, 2009. Published under My Recent Reads.

Google Street View is coming to Canada. According to Google, the camera cars are going to be hitting the streets in major Canadian cities any time soon. They plan to blur faces and license plates and, one can infer, they think this is enough to deal with privacy issues here. See: Smile, you’re on Google Street View – Digital Life.

European Parliament Rejects Three Strikes and You’re Out Approach

March 29th, 2009. Published under My Recent Reads.

Days after New Zealand dropped its support for the "three strikes and you're out" approach (also known as "graduated response") that would see ISPs terminate subscribers on the basis of three unproven allegations of copyright infringement, the European Parliament has similarly rejected the proposed approach. La Quadrature du Net reports that France had tried to generate support with the EP for a pan-European approach (France is now one of the lone holdouts for the system). Today the EP rejected the French pressure, adopting a new report on security and fundamental freedoms on the Internet that expressly rejects disproportionate measures for IP enforcement and warns IP holders against excessive access restrictions.

The key paragraph states that the Parliament recommends that the European Council:

proceed to the adoption of the directive on criminal measures aimed at the enforcement of intellectual property rights, following an assessment, in the light of contemporary innovation research, of the extent to which it is necessary and proportionate, and while simultaneously prohibiting, in pursuit of that purpose, the systematic monitoring and surveillance of all users’ activities on the Internet, and ensuring that the penalties are proportionate to the infringements committed; within this context, also respect the freedom of expression and association of individual users and combat the incentives for cyber-violations of intellectual property rights, including certain excessive access restrictions placed by intellectual property holders themselves;

While this is a mouthful, it is noteworthy that the Parliament emphasizes proportionality, the rejection of Internet monitoring, and the use of excessive access restrictions placed by IP rights holders.

Update: Network World reports that attempts to place the three strikes approach in the European Telecoms package have similarly failed.

Virtualization & Security: Disruptive Technologies – A Four Part Video Miniseries…

March 29th, 2009. Published under My Recent Reads.

About nine months ago, Dino Dai Zovi, Rich Mogull and I sat down for about an hour as Dennis Fisher from TechTarget interviewed us in a panel style regarding the topic of virtualization and security. It has just been released now.

Considering it was almost a lifetime ago in Internet time, almost all of the content is still fresh and the prognostication is pretty well dead on.

Enjoy:

Part 1: The Greatest Threats to Virtualized Environments

Part 2: The Security Benefits of Virtualization

Part 3: The Organizational Challenges of Virtualization

Part 4: Virtualization and Security Vendors

/Hoff

P.S. The camera adds like 40 pounds, really ;)

Firm vows to grow first flowers on the moon

March 29th, 2009. Published under My Recent Reads.

via New Scientist

A firm that has designed habitats for plants and animals living in microgravity now hopes to grow the first flowers on the moon, the company’s founders announced on Friday.

Engineering firm Paragon Space Development plans to build a greenhouse to fly to the moon. It is set to travel on a lunar lander designed by Odyssey Moon, a competitor for the Google Lunar X Prize, a $30 million contest to send an unmanned lunar rover to the moon.

The greenhouse will be used to incubate fast-growing mustard seeds on the lunar surface, in the hopes of producing flowering plants and an iconic image that could be as thrilling as the Apollo images of Earth-rise over the lunar surface.

Paper: "Tracking GhostNet: Investigating a Cyber Espionage Network"

March 29th, 2009. Published under My Recent Reads.

There’s been a bunch of news regarding a new report published indicating a widespread Chinese espionage network dubbed ‘GhostNet’. From the paper: “This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of…

GhostNet In The Machine

March 29th, 2009. Published under My Recent Reads.

Expect suspicions that China is spying on the world’s computers to intensify.

Shotgun Blast for 29 March 2009

March 29th, 2009. Published under My Recent Reads.

Couple of articles/blog posts worth taking a look at

Info on Ghostnet
http://www.f-secure.com/weblog/archives/00001637.html
*mirrors of the two papers are available above
http://news.bbc.co.uk/2/hi/americas/7970471.stm

I am personally glad when I see people getting pwned via client-sides make the news. Hear me and Vince talk about it at Notacon and DojoSec this month!

It’s also interesting, at least to me, to see real cyber warfare in action. Cyber warfare doesn’t have to be about stuff going boom, but having another nation state all in your network for god knows how long certainly makes you wonder how much of your “secret” activity isn’t secret anymore.

Application Operation System Fingerprinting From Dan Crowley
whitepaper: http://x10security.org/appOSfingerprint.rar
his blog: http://x10security.org/blog

Sweet new updates to metasploit!

No link… just svn up your trunk and enjoy! The SNMP community scanner is nice.

Weaponized Malware ??
http://preachsecurity.blogspot.com/2009/03/weaponized-malware-your-protection.html

While the question of what the home user is to do is tougher, in the enterprise keeping up with what is egressing your network may help with catching that malware calling home. It’s probably time to start looking at the problem as “it’s going to happen, how do I detect and respond” instead of just “hoping” it doesn’t happen.

What is conficker going to do on April 1st?
http://lastwatchdog.com/debate-significance-conficker-phoning-hom-april-fools/
http://lastwatchdog.com/countdown-conficker-worms-april-fools-day-climax/

Do we worry or not? Do you deserve what you get if you still have it in your network after this long?

If you allow gaming systems on your network without authentication can an attacker abuse that?
http://s148954166.onlinehome.us/2009/01/26/on-the-network-of-a-certain-university/

Definitely something to keep in mind: if a network requires authentication, can you change your MAC to that of a Wii or Xbox 360 and gain access?

Exploiting Unicode Enabled Software by Chris Weber
http://www.lookout.net/2009/03/26/exploiting-unicode-enabled-software-slides-from-cansecwest-and-source-boston/

RCMP Seeks Backdoor Wiretap Access to Blackberry Messaging

March 26th, 2009. Published under My Recent Reads.

CBC reports this evening that the RCMP is seeking backdoor wiretap access to Blackberry devices. The law enforcement agency is concerned that email messaging with the Blackberry is secure and encrypted, which raises fears that it is widely used by criminal elements. Liberal MP Marlene Jennings touts her lawful access bill as the appropriate solution, while I respond with concerns about the impact on privacy and business. I also argue – as has long been the case in the lawful access discussion – that before jumping into legislative solutions, law enforcement must first demonstrate that the current laws have created a real impediment to their investigations.

Ontario Court Orders Website To Disclose Identity of Anonymous Posters

March 26th, 2009. Published under My Recent Reads.

An Ontario court has ordered the owners of FreeDominion.ca to disclose all personal information on eight anonymous posters to the chat site. The required information includes email and IP addresses. The case arises from a lawsuit launched by Richard Warman, the anti-hate fighter, against the site and the posters. The court focused heavily on the Ontario Rules of Civil Procedure, which contain a strong duty of disclosure on litigants.

The discussion includes a review of many key Internet privacy cases, including the CRIA file sharing litigation (which the court distinguishes on the basis of different court rules) and the Irwin Toy case (which emphasized the importance of protecting anonymity, but which the court tries to distinguish on the basis of the newness of the issue at the time). The court also looks at the string of recent cases involving child pornography cases and ISP disclosure of customer information, concluding that "the court's most recent pronouncement on this is that there is no reasonable expectation of privacy."

According to the defendants in the case, they are unsure if they have the resources to appeal. This particular decision feels like a judge anxious to order disclosure, despite the weight of authority that provides some measure of privacy protection for anonymous posters. Indeed, the public policy issue is characterized as "we are dealing with an anti-hate speech advocate and Defendants whose website is so controversial that it is blocked to employees of the Ontario Public Service." Leaving aside the fact that being blocked to employees of the Ontario Public Service is not much of a threshold (Facebook is blocked to the OPS), the public policy issue is not the merits of the particular website. Rather, it is the privacy and free speech rights of the posters to that site.

Protection for anonymous postings is certainly not an absolute, but a high threshold that requires prima facie evidence supporting the plaintiff's claim is critical to ensuring that a proper balance is struck between the rights of a plaintiff (whether in a defamation or copyright case) and the privacy and free speech rights of the poster. I cannot comment on the postings themselves (and I recognize that Warman has been a frequent target online) but I fear that the high threshold seems to have been abandoned here, with the court all-too-eager to dismiss the privacy considerations associated with mandated disclosure by not engaging in an analysis as to whether the evidentiary standard was met.

Sniffing Keyboard Keystrokes with a Laser

March 26th, 2009. Published under My Recent Reads.

Interesting: Chief Security Engineer Andrea Barisani and hardware hacker Daniele Bianco used a handmade laser microphone device and a photo diode to measure the vibrations, software for analyzing the spectrograms of frequencies from different keystrokes, as well as technology to apply the data to a dictionary to try to guess the words. They used a technique called dynamic time warping…

100 Terrific Web Design Cheat Sheets that Will Save you Time, Money and Mistakes

March 26th, 2009. Published under My Recent Reads.

Most web designers know that cheat sheets are incredibly useful. You can use them for quick reference, easy learning, and more. In this list, we’ve compiled an incredible collection of the 100 best and most useful cheat sheets out there.

Reinventing Nuclear Power

March 26th, 2009. Published under My Recent Reads.

A fusion-fission hybrid reactor could produce clean electricity. If it ever works.

Malware installing rogue DHCP server

March 22nd, 2009. Published under My Recent Reads.

SANS published an entry about a new piece of malware that installs a rogue DHCP server that specifies a rogue DNS server, presumably for phishing and malware deployment. I wouldn’t be surprised if this concept is fairly old but it appears to be the first time a common piece of malware…

Businesses don’t have privacy rights

March 16th, 2009. Published under My Recent Reads.

If you’re a privacy professional you will know that Canada’s privacy laws are in place to protect the privacy rights of individuals, not businesses.

Despite this fact and that Canada’s federal privacy law, PIPEDA, has been in force since 2001, it’s surprising how many others are confused on this point.

For instance, I recently had a client make an information request to an organization for access to corporate information. When the organization responded, they denied access to the requested information and claimed that PIPEDA required that they do so in order to protect the privacy interests of a business.

There may be circumstances where organizations have other legitimate reasons for denying access to certain information. There may also be circumstances where privacy laws such as PIPEDA should be cited in denying access to certain business records where releasing the information could unlawfully disclose the personal information of another individual. Organizations should not, however, cite Canada’s privacy laws as a justification to deny access to information requests on account of the privacy rights of a business.

If you encounter this scenario you may be dealing with someone who either doesn’t understand privacy laws or who is perhaps being disingenuous. After all, the general thrust of Canada’s privacy laws is to encourage organizations to create a culture of privacy in order to protect the privacy of individuals whose personal information is collected, used, retained or disclosed by such organizations.


Stupid legislation, stupid legislator

March 14th, 2009. Published under My Recent Reads.

I keep a little list of stupid things that our leaders and representatives do in the name of protecting us. This is a great one. It turns out that a California State Lawmaker, Joel Anderson, has learned that the terrorists that attacked Mumbai used maps to plot their attacks! So, being a rational person, he realizes that it might be difficult to outlaw maps per se, but he could propose a law making it illegal for Google Earth to portray government buildings. Evidently he wants them to be blurred out. So forget using online tools to help you get to the Secretary of State branch, or the unemployment office.

Normally I would waste valuable time in explaining to this assemblyman that 1. The cat is out of the bag. You cannot put it back. 2. California is not the center of the Universe and cannot legislate the Internet. 3. When you outlaw 3-D images of government buildings only terrorists will have 3-D images of government buildings.

But who has time for this?

Update: Mr. Anderson answers questions on his soon to be killed bill.

Post from: ThreatChaos

BBC cybercrime probe backfires

March 14th, 2009. Published under My Recent Reads.

“The BBC hacked into 22,000 computers as part of an investigation into cybercrime but the move quickly backfired, with legal experts claiming the broadcaster broke the law and security gurus saying the experiment went too far. The technology show Click acquired a network of 22,000 hijacked computers – known as a…

Remote image processing in JavaScript

March 8th, 2009. Published under My Recent Reads.

[Tom] wrote in to tell us about his JavaScript project for motion detection. It ties together two ideas we’ve talked about recently. The first is doing image processing in-browser using Canvas(), which we’ve seen employed in captcha breaking. The second is offloading heavy processing to browsers, which we saw recently in the MapReduce implementation. [Tom] is using JavaScript to compare consecutive images to determine if there’s any motion. He did this as part of MJPG-Streamer, a program for streaming images from webcams. It can run on very limited hardware, but image processing can be very intensive. Doing the image processing in-browser makes up for this limitation and means that a custom client program doesn’t have to be written. You can find the code here and a PDF about the proof of concept.
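The comparison of consecutive frames that the post describes, as an added example that is not [Tom]'s code or part of MJPG-Streamer: a frame-differencing motion detector over RGBA pixel buffers, the same layout Canvas `getImageData()` returns, so the same function can be fed browser image data. The two thresholds (per-pixel brightness change and fraction of the frame that changed) and the 8x8 sample frames are constructed here for illustration; it runs in Node without a canvas.

```javascript
// Added example (not the original project's code): frame differencing for
// in-browser motion detection. Frames are flat RGBA arrays, width*height*4
// bytes, exactly the shape of ImageData.data from a Canvas.

// Luma (brightness) approximation for the RGBA pixel starting at index i.
function luma(buf, i) {
  return 0.299 * buf[i] + 0.587 * buf[i + 1] + 0.114 * buf[i + 2];
}

// Fraction of pixels whose brightness changed by more than pixelThreshold
// (0..255) between two frames of identical dimensions.
function changedFraction(prev, curr, width, height, pixelThreshold = 25) {
  const n = width * height;
  if (prev.length !== n * 4 || curr.length !== n * 4) {
    throw new Error('frame size mismatch');
  }
  let changed = 0;
  for (let p = 0; p < n; p++) {
    const i = p * 4;
    if (Math.abs(luma(prev, i) - luma(curr, i)) > pixelThreshold) changed++;
  }
  return changed / n;
}

// Motion is reported only when more than areaThreshold of the frame changed,
// so isolated sensor noise or compression artefacts do not trigger it.
function detectMotion(prev, curr, width, height, opts = {}) {
  const { pixelThreshold = 25, areaThreshold = 0.01 } = opts;
  return changedFraction(prev, curr, width, height, pixelThreshold) > areaThreshold;
}

// --- constructed sample frames: 8x8 pixels, uniform grey background ---
const W = 8, H = 8;

function solidFrame(value) {
  const f = new Uint8ClampedArray(W * H * 4);
  for (let i = 0; i < f.length; i += 4) {
    f[i] = f[i + 1] = f[i + 2] = value; // R, G, B
    f[i + 3] = 255;                     // alpha
  }
  return f;
}

// A 3x3 bright block in one corner, simulating an object entering the scene.
function frameWithBlock(value) {
  const f = solidFrame(value);
  for (let y = 0; y < 3; y++) {
    for (let x = 0; x < 3; x++) {
      const i = (y * W + x) * 4;
      f[i] = f[i + 1] = f[i + 2] = 240;
    }
  }
  return f;
}

// One pixel a few levels brighter: noise, not motion.
function frameWithNoise(value) {
  const f = solidFrame(value);
  f[0] = f[1] = f[2] = value + 5;
  return f;
}

const baseline = solidFrame(128);
console.log('object entering :', detectMotion(baseline, frameWithBlock(128), W, H)); // true
console.log('sensor noise    :', detectMotion(baseline, frameWithNoise(128), W, H)); // false
```

In a browser the same `detectMotion` would be called with `ctx.getImageData(0, 0, w, h).data` for the previous and current frame; the two thresholds are what a practitioner tunes per camera, since a low area threshold catches small objects but also lets lighting flicker register as motion.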

Privacy in the Age of Persistence

March 4th, 2009. Published under My Recent Reads.

Note: This isn’t the first time I have written about this topic, and it surely won’t be the last. I think I did a particularly good job summarizing the issues this time, which is why I am reprinting it. Welcome to the future, where everything about you is saved. A future where your actions are recorded, your movements are tracked,…

New critical XSS on Facebook fixed in record time due to ethical disclosure

March 2nd, 2009. Published under My Recent Reads.

Security researcher Pierre Gardenat is preparing a paper for SSTIC 09 (http://www.sstic.org/SSTIC09/info.do – Rennes, 3, 4 and 5 June 2009) on the evolution of XSS threats; since wide social networks like Facebook can become powerful attack vectors, it was interesting to see if some of these networks were vulnerable to permanent XSS attacks, which would make XSS worm spreading possible.

Facebook to let users give input on policies

March 1st, 2009. Published under My Recent Reads.

NEW YORK (AP) – Facebook is trying its hand at democracy. The fast-growing online hangout, whose more than 175 million worldwide users could form the world’s sixth-largest country behind Brazil, said Thursday that those users will play a “meaningful …

Linux tips every geek should know

March 1st, 2009. Published under My Recent Reads.

What separates average Linux users from the super-geeks? Simple: years spent learning the kinds of hacks, tricks, tips and techniques that turn long jobs into a moment’s work. If you want to get up to speed without having to put in all that leg-work, we’ve rounded up over 50 easy-to-learn Linux tips to help you work smarter!