Network Lighthouse

Just doing my regular rounds of the InfoSec news sites and came across an article on the Symantec website (Puddles, Security Blogs Security Response).

Apparently in last year alone, there were ’286M new malware variants’.   This combined with the continual spate of breaches that are in the news almost weekly (thanks: Sony, Epsilon, RSA and so many others), makes me start to wonder if the current approach to Information Security needs a revamp.

I don’t have the answer to that, I have a few ideas, but none of them are pretty.

Going back to basics, lets assume that all software have security flaws, modern programs are incredibly complicated, so it really shouldn’t be a surprise that there are problems with them.

Secondly, users if given a choice, will choose easy over safe, often at the expense of security.  Fake AntiVirus programs are  a great example of this, exploiting users fears and lack of knowledge in order to take advantage of them.

Where does this leave us, all our tools are flawed, as are the people who use them.  Not a great state of affairs.

I have a sneaking suspicion that the iPhone and Android approach where each application is given its own set of permissions and sandbox is in the right direction.  It’s definitely not the whole solution, malware still exists for those platforms, but its a start and I believe it wont be long tell we see main stream computing adopting this approach.

-Daniel

— From the article

The college student accused of hacking into Sarah Palin’s e-mail account in 2008 has been found guilty of obstruction of justice and unauthorized access of a computer. The verdict against 22-year-old David Kernell came down late Friday, with sentencing to follow later.

— via Palin e-mail hacker found guilty.

I have mixed feelings about this outcome, while the individual undoubtadly did the wrong thing be breaking into someones email account, he also highlighted the risks we all face(particularly public figures) as a result of the (secret) question/answer system for reseting forgotten passwords.

I don’t think these issues could have been highlighted in any more clear way to raise the publics awareness of this.  No matter how many times the security iductry warns against the weaknesses of the present system, it takes real incidents (like the above) before the issues are generally accepted.

-Daniel

A couple of days ago I got a comment on one of my posts that struck me as unusual, it was marked as spam (thanks to akismet), but didn’t read like your standard spam. Here’s the text:

Good points raised here, (well, what I could read of it). I am afflicted with color blindness (tritanopia to be exact). I use Chrome browser (unsure if that matters), and a lot of your site is a little difficult for me to read. I don’t wish to whinge, and I know it is my problem really, nonetheless it would be cool if you could bear in mind color blind visitors when carrying out the next site re-working.

After a first glance I almost approved it without further thought, however something struck me as odd.   The comment linked to p_l_a_y_n_i_c_e .c_o .u_k, which backs up the post, still not convinced I did some googling and found a number of blogs with almost identically worded comments.   There was some differences in the wording, the browser changes, I’ve seen Chrome, Konqurer and Safari and there are a couple of different introductions.

The only thing I am sure of now is that this isn’t a legitimate comment, but is meant to serve some other purpose.   It may be just for self promotion, grandfathering links for search eangines, or potentially preparation for a drive by download attack.  I’ll keep track of the page and report any changes.

-Daniel

It’s been a while since I’ve done any writing on InfoSec topics, but it’s my new years resolution to take it up again, so expect more articles on info sec stuff from now on.

DataBreaches.net have updated their list of the top 10 Data breaches of all time.   What I find most disturbing about the list, isn’t the volumes (although that’s still concerning), is that 4 of the top 10 were due to poor information management and/or lack of encryption.   The causes for the other breaches (such as insiders leaking information) are harder to solve, and as such a little more (not a lot though) understandable.

• National Archives (70 Million)
• Department of Veterans Affairs ( 26 Million)
• HMRC (25 Million)
• T-Mobile (17 Million)

With the exception of Veterans Affairs, all of these have occured in the last 2 years, when the use of disk/tape encryption technology came into the mainstream.  There really is no excuse for these type of breaches anymore, if companies made it standard practice to encrypt sensitive data where ever it lives, then that would mean that over the past 2 years there would have been 128 Million less records breached. That’s almost as many were revealed in the Heartland hack!

Of course the top 10 doesn’t include breaches that go unnoticed and unreported, and if you start thinking about that you start to wonder how bad the problem really is.

-Daniel

Online privacy and the implications of data aggregation is a bit of a passion of mine, that’s part of what inspired me to write the thunderbird plugin.

Here’s an interesting story about one journalists discovery of what he found out about himself.

What the Web knows about you.

People wonder why identity theft happens, so much of our personal data is available online these days that it’s possible to build a fairly complete profile of anyone you want.  Just one of the reasons everyone needs to be careful needs to be careful of what they post on social networking sites.

-Daniel