[SecurityRatty] tag: s-job

Researchers Use Facebook App to Create Zombie Army

Fri, 05 Sep 2008 15:40:00 +0000

Facebook users who choose to install the wrong third party application could find themselves inducted into a robot computer army controlled by a hacker. At least, that's what a team of Greek computer researchers proved with their rogue Photo of the Day application.

The Analyzer Is Among The Suspects In $1.8 Million Theft From A Canadian Company

Fri, 05 Sep 2008 13:42:04 +0000

Ehud Tenenbaum, a 29-Israeli known online as “the Analyzer” and living in Montreal, was arrested after investigators spent nine months and found out that him and three other suspects allegedly stole $1.8 million from a Calgary company. The operation involved the U.S. Secret Service and municipal police in Calgary and Vancouver - as well as [...]

Friday Squid Blogging: Colossal Squid was a Lethargic Blob

Fri, 05 Sep 2008 12:36:05 +0000

Fierce deep-sea predator? Not so much:

"We are looking at something verging on the incredibly bizarre. As she got older she got shorter and broader and was reduced to a giant gelatinous blob, carrying many thousands of eggs," he says.
"Her shape was likely to have affected her behaviour and ability to hunt. I can't imagine her jetting herself around in the water at any great speed, and she was too gelatinous to have been a fighting machine.

"It's likely she was just blobbing around the seabed carrying her brood of eggs, living on dead fish, while her mate was off hunting."

Premature Update on Philadelphia Wi-Fi

Fri, 05 Sep 2008 09:23:51 +0000

I'm not sure why this article was written, as there appears to be nothing particularly newsworthy in it: The News.com reporter Marguerite Reardon has covered muni-Fi for as long as I have, and after reading this in-depth piece, I'm left wondering whether it was assigned far too early, and she was meeting an editorial desk requirement instead of feeling like the story was ready to "print." The article looks at Network Acquisition Corp. (NAC), the allegedly interim name for the group that's taken over Phila-Fi.

One source at the Knight Center for Digital Excellence notes, "The new network owners are supposed to have a much more sustainable business model." Supposed to. Later, "Network Acquisition Company, which acquired the network, hasn't talked publicly about the details of its new plan, but it has hinted that its strategy will differ from EarthLink's." Hasn't talked publicly. Then, "[NAC and Tropos] spokespeople said the companies would talk more about the network later this month when details of the new business plan are ready." Huh.

Reardon explains digital divide issues and looks into what Wireless Philadelphia has been up to, although doesn't note that delays in EarthLink's deployment and other factors have led to just a few hundred individuals that have been assisted by the non-profit; numbers may have changed, but that was as of a few months ago. Still, Wireless Philadelphia has apparently diversified its funding sources--Reardon cites 30 now.

I think we're still coming off the doldrums of August.

FAQ: Is your county posting your Social Security number online?

Fri, 05 Sep 2008 09:00:00 +0000

County and state Web sites may harbor Social Security numbers and other personal data in broadly accessible public records. Here's what you should know.

Contest: Cory Doctorow's Cipher Wheel Rings

Fri, 05 Sep 2008 08:01:09 +0000

Cory Doctorow wanted a secret decoder wedding ring, and he asked me to help design it. I wanted something more than the standard secret decoder ring, so this is what I asked for: "I want each wheel to be the alphabet, with each letter having either a dot above, a dot below, or no dot at all. The first wheel should have alternating above, none, below. The second wheel should be the repeating sequence of above, above, none, none, below, below. The third wheel should be the repeating sequence of above, above, above, none, none, none, below, below, below." (I know it sounds confusing, but here's a chart.)

So that's what he asked for, and that's what he got. And now it's time to create some cryptographic applications for the rings. Cory and I are holding an open contest for the cleverest application.

I don't think we can invent any encryption algorithms that will survive computer analysis -- there's just not enough entropy in the system -- but we can come up with some clever pencil-and-paper ciphers that will serve them well if they're ever stuck back in time. And there are certainly other cryptographic uses for the rings.

Here's a way to use the rings as a password mnemonic: First, choose a two-letter key. Align the three wheels according to the key. For example, if the key is "EB" for eBay, align the three wheels AEB. Take the common password "PASSWORD" and encrypt it. For each letter, find it on the top wheel. Count one letter to the left if there is a dot over the letter, and one letter to the right if there is a dot under it. Take that new letter and look at the letter below it (in the middle wheel). Count two letters to the left if there is a dot over it, and two letters to the right if there is a dot under it. Take that new letter (in the middle wheel), and look at the letter below it (in the lower wheel). Count three letters to the left if there is a dot over it, and three letters to the right if there is a dot under it. That's your encrypted letter. Do that with every letter to get your password.

"PASSWORD" and the key "EB" becomes "NXPPVVOF."

It's not very good; can anyone see why? (Ignore for now whether or not publishing this on a blog makes it no longer secure.)

How can I do that better? What else can we do with the rings? Can we incorporate other elements -- a deck of playing cards as in Solitaire, different-sized coins to make the system more secure?

Post your contest entries as comments to Cory's blog post -- you can post them here, but they're not going to count as contest submissions -- or send them to cryptocontest@craphound.com. Deadline is October 1st.

Good luck, and have fun with this.

Your Companies Biggest Security Hole - What is the BGP-style Vuln Lurking in Software Security?

Fri, 05 Sep 2008 04:31:58 +0000

My vote is MQ Series and other enterprise messaging systems. Schneier's succinct summary of BGP:

It's a man-in-the-middle attack. "The Internet's Biggest Security Hole" has been that interior relays have always been trusted even though they are not trustworthy.

That could apply word for word to how MQ Series and other enterprise messaging systems are deployed. Let's say you are a bank and have been happily running your business on a mainframe for decades. Life is good, come in at 9 leave at 5, count the cash. Then some dotcommer comes along and tells you that you need to get online. What are you gonna do? Rewrite your whole system from scratch? Hard to make that case.

Nope what you'll do is build out a web farm to talk to the consumer, but then you will realize all of your business runs on the mainframe, and you need to connect to it. How exactly? Enter MQ Series and friends, they broker the communications to legacy backends for most major corporations, but there is one slight problem - they didn't even bother to support useful security protocols until very recently, and most of the time the security protocols are not even implemented.

Typical anti-patterns include:

* no authentication, no authorization (just open up a queue) - run your whole book of business transaction backbone on anonymous ftp

* authorization with no authentication (mq enforces authorization policy on unverifiable tokens) - run your whole book of business transaction backbone on anonymous ftp, but think that you have security

What is strange about the MQ Series, enterprise messaging vulns is that there is no need for them, there are no technical excuses to not add better tokens, message security, and encryption. People don't do it, because of poor tool support, a mainframe mindset, silo projects, and a whole variety of reasons. But just because you choose to ignore a fact doesn't mean its not true. On the plus side, some of the open source ESBs are adding support for message security, so you can improve security and save your company money at the same time, what's not to like?

More MMORPG Fakeouts

Thu, 04 Sep 2008 12:16:43 +0000

Here's a few more sites presumably created by the maker of the fake Batman Online game.

Step up, Dragonball Z:

Click to Enlarge

To "download" this Dragonball Z MMORPG, you have to fill out a survey:

Click to Enlarge

Once done, you'll be amazed(!) to find you're taken to....shockingly....the official Dragonball Z MMORPG game.

The only problem? The website is in Japanese and the game hasn't been released yet.

Click to Enlarge

Forgive me for thinking this isn't the greatest deal I've ever been sold.

Now it's Harry Potters turn:

Click to Enlarge

Like the Batman site, you need to install Zango. Do so, and.....you're taken to the popular Hogwarts Live, which you could have easily found and played yourself without installing Adware. As you probably guessed, the screenshot from the title graphic on the site is not part of the game you'll eventually play.

The sites involved are

onlinedbzgame.info

and

harrypottergame.info

in case you want to add them to your blocklists.

Are you insecure about SOA security?

Thu, 04 Sep 2008 09:00:00 +0000

SOA's strength in open standards is also its biggest drawback from a security perspective. Here are some tips for how to address the issue.

Facebook tests New Jersey's icon for reporting predators, pornography

Thu, 04 Sep 2008 09:00:00 +0000

Facebook Inc. is testing an icon created by the state of New Jersey to provide online users with a way to report predators and inappropriate content to law enforcement authorities.