Which would you prefer at the airport security check: a pat down or a "whole body imaging scan" that provides a highly detailed image of all your, um, curves (but does have your face blurred to protect your identity)?
The Transportation Security Administration (TSA) has been testing out these devices, called millimeter wave machines, at Phoenix's Sky Harbor International Airport and this week is adding the machines to Los Angeles International Airport and New York City's John F. Kennedy International. The TSA says that during the test in Phoenix, 90 percent of travelers preferred the scan to having a full body pat down. The TSA agent viewing the image from one of the devices will be in a separate booth and will not be able to see the traveler's face, in order to maintain privacy. After the image has been checked it won't be stored, according to the TSA. Even so, are these images invasive? What about privacy concerns? According to the TSA blog, "These images are friendly enough to post in a preschool. Heck, it could even make the cover of Reader's Digest and not offend anybody." The TSA also claims the machine emits 10,000 times less energy than a cell phone transmission. You can see how the body image is captured in a video here and also watch a demonstration of the actual machine in motion here. Millimeter wave machines are already in use at airports in Britain, Spain, Japan, Australia, Mexico, Thailand and the Netherlands. [Source CNN]

At least one Australian company every day falls victim to telephone hackers, who rack up an average bill of $78,000, a national telephone security expert said yesterday.
But David Stevens, managing director of Telecoms Security, said most businesses did not realise how easy it was until it was too late. Australian Federal Police last night confirmed they were working with their international counterparts to stop hackers hitting Australian businesses, after it was revealed that criminals had penetrated the phone systems of at least two Melbourne companies in recent weeks. The scam is allegedly being carried out by overseas manufacturers of the international phone cards commonly used by students and tourists to make cheap calls. The card manufacturers are believed to hack into companies' phone systems, known as private automatic branch exchanges (PABX), so that the calls made by card users are charged to the unsuspecting victims. The Camberwell Electrics Superstore and Swinburne University have both been hit with collective phone bills of more than $100,000 for overseas calls. Camberwell Electrics' accountant Chris Koh said the company had been alerted when Telstra called to ask why it had made $20,000 worth of overseas calls in less than two weeks. "The calls were made to Romania, other parts of Eastern Europe, India, Russia and Asia out of office hours," Mr Koh said. He said the hackers had bypassed codes, passwords and other security systems: computers ran through combinations in milliseconds until they found the right one to exploit. A Swinburne University spokeswoman said the university knew nothing of the scam until it received an $80,000 phone bill. The university's chancellery executive director, Michael Thorne, said the charges related to phone numbers the organisation did not own. Both organisations are fighting Telstra over the bills. But Mr Stevens said that while most companies took extra steps to protect their IT systems from hackers, many left their telephone systems - both traditional PABX systems and modern VoIP systems - vulnerable.
He said telephone hacking was a lot more common than most people realised, and the onus was on businesses to protect themselves. "Our figures show that one Australian company is being hacked every single day," he said.

Mystery IIS Hack Unveiled
Researchers at SANS have discovered how thousands of Web sites were compromised earlier this year. As a result of the break-ins, countless users' computers were infected with malware. Back in January, thousands of sites running Internet Information Server (IIS) and SQL Server were cracked by what at the time was thought to be some sort of SQL injection attack. As it turns out, that is exactly what happened. While reviewing malicious files served up by a particular server, researchers at SANS stumbled upon an attack tool that revealed exactly what was being done to crack the affected sites. According to the analysis provided by researcher Bojan Zdrnja, the tool queries Google to discover sites that are potentially vulnerable, then tries to launch SQL injection attacks against each identified site. The tool's interface is written in Chinese, and it also contains logic that attempts to contact a site in China to record transaction data. A SANS blog reader, Nathan, wrote to elaborate on the nature of the SQL query itself. According to Nathan, the query used by the tool iterates through all tables to find specific types of columns and then appends data to the existing column field data. That data then appears as part of Web pages at affected sites. The SANS blog entry has links to a number of Web pages that can help administrators secure their sites against SQL injection attacks.

MySpace profile hack provides early warning to predators
A security issue on MySpace may put a spanner in the works of law-enforcement efforts to track miscreants using the social networking site. Many MySpace profiles contain code that subscribes visitors to a profile's video channel. Normally this is all well and good, but hackers are able to subvert the feature for filthy purposes, according to Chris Boyd, security research manager at FaceTime Communications. Hackers have set up dozens of accounts used as a springboard for spamming or attempts to vandalise other profiles. The feature (used in conjunction with an IP address tracker) might also be employed by predators to keep tabs on anyone who might be tracking their activities, Boyd says. Although MySpace has made attempts to prohibit the use of IP trackers, miscreants have found a way around these blocks. Crackers "are using every trick in the book they can to know who is watching them," Boyd said. In particular, the feature could be used by predators to detect if their attempts to groom youngsters have come to the attention of law enforcement, potentially curtailing or frustrating evidence in child abuse investigations. The tactic has been in play since at least October 2007. MySpace was informed of the issue in late March but is yet to act. According to Boyd, the social networking site has responded to his concerns about the issue by describing it as a "system error". Pending a fix from MySpace itself, Boyd has posted advice to surfers about how to avoid tracking here, a tip child abuse investigators might well find useful.

Mobile working pushes up data loss risk
The IT security threat posed by healthcare workers is rising as they become increasingly mobile and use laptops containing sensitive patient information. Unlike some other parts of the world, UK law does not protect data kept on healthcare computer systems beyond 'duty of care' and a professional requirement for patient confidentiality. The warning from Absolute Software, which specialises in computer theft and asset tracking, follows a spate of high-profile data loss incidents in recent months, including the NHS losing hundreds of thousands of patients' records. Absolute Software said that, while encryption provides strong protection against outsiders, the biggest threat is from within: employees can get access to encrypted information because they hold the encryption keys and passwords. Organisations are advised to complement encryption with the ability to remotely delete data from missing computers for the highest level of protection. The healthcare sector also fails to accurately manage mobile computer assets. Absolute believes that, at best, only a fraction of laptops can be accounted for by IT managers. Many hospitals and clinics allow information to be accessed on open-area terminals, such as ward and nursing stations. But these workstations are at great risk of data breaches, and information can be easily accessed and downloaded. Absolute said that unattended stationary computers should always be monitored and protected with an authentication prompt. The company also highlighted the difficulty of implementing a comprehensive data security plan. Healthcare facilities are advised to institute a comprehensive data security plan to secure computing assets and sensitive information, one which includes both IT and physical precautions. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords, the company said.
Lastly, few healthcare facilities have "nightmare scenario" policies in place should a data breach occur. There should be a standard procedure in place to manage the event, from timely notification of supervisors to informing the police. Absolute said that, in a data breach situation, computer theft recovery software solutions have the capability to remotely delete sensitive files, track lost or stolen computers and partner with local police in order to recover them.

The PCI Security Standards Council announced on Tuesday an updated version of its security standards for applications that process credit-card transactions, aiming to prevent data breaches such as those at Hannaford Bros. and the TJX Companies.
Known as the Payment Application Data Security Standard (PA-DSS), the compliance effort will allow the Council to become a "one-stop shop" for merchants who want to search for applications and services that will not increase their exposure to attacks, a PCI Security Standards Council spokesperson said. Version 1.1 of the standard will make certain that payment applications do not store sensitive data, such as the information typically stored on the magnetic stripe on the back of credit and debit cards. "Having a single source of information on approved payment applications and security assessors provides business value to merchants and service providers and allows them to make informed choices regarding the security of their payment application," Bob Russo, general manager for the PCI Security Standards Council, said in a statement announcing the new standard. The latest version of the application-security standard follows the revelation that online data thieves managed to make off with millions of credit- and debit-card numbers from grocery store chain Hannaford Bros. In 2007, retail giant TJX Companies also announced a large data breach, and by the end of the year, estimates of the size of the loss surpassed 100 million credit- and debit-card numbers. While TJX Companies had not complied with the PCI Data Security Standard, it is currently not known whether Hannaford Bros. had remained in compliance. According to Visa, about three-quarters of large companies and two-thirds of medium-sized firms had complied with the PCI's payment security standards by the end of 2007. The PCI Security Standards Council plans to certify companies over the next year to be Payment Application Qualified Security Assessors (PA-QSAs). The application standard is based on Visa's Payment Applications Best Practices (PABP) requirements for its merchants.
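As an added example (not code from the PCI Council or any vendor named above), a pre-storage check in the spirit of the PA-DSS rule that payment applications must not store magnetic-stripe data: it refuses to persist a record carrying track 1 or track 2 data and masks any full card number to its first six and last four digits. The track layouts and the Luhn check are the standard ones; the record contents are constructed.

```python
"""Pre-storage check in the spirit of the PA-DSS rule discussed above.

Constructed example: before a payment application writes a record, reject
anything that carries magnetic-stripe track data and mask any full card
number (PAN) down to first six / last four digits. Track layouts and the
Luhn check are the standard ones; the sample records are made up.
"""
import re

# Track 2 as read from the stripe: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}[^?]*\??")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{7}[^?]*\??")
# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


class SensitiveDataError(ValueError):
    """Raised when a record holds data the application must never store."""


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_track_data(value: str) -> bool:
    """True if the string contains track 1 or track 2 magnetic-stripe data."""
    return bool(TRACK1_RE.search(value) or TRACK2_RE.search(value))


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask everything in between."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_match(m):
    """Mask a PAN_RE match only if it passes Luhn; leave other numbers alone."""
    digits = re.sub(r"\D", "", m.group(0))
    return mask_pan(digits) if luhn_valid(digits) else m.group(0)


def sanitize_record(record: dict) -> dict:
    """Return a copy safe to persist, or raise if track data is present.

    Track data is rejected rather than masked: the standard forbids storing
    it at all, so the right response is to refuse the write, not to trim it.
    """
    clean = {}
    for key, value in record.items():
        if isinstance(value, str):
            if has_track_data(value):
                raise SensitiveDataError(f"track data found in field {key!r}")
            value = PAN_RE.sub(_mask_match, value)
        clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed record: a free-text note holding a full PAN, plus an order id
    print(sanitize_record({"note": "card 4111 1111 1111 1111 declined",
                           "order": "1234567890123"}))
```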
Fring, the company founded by Avi Shechter, the former co–CEO of ICQ and VP at AOL, has announced that it released a test version of its popular application which brings Skype, as well as MSN, Google Talk and AIM to Apple's iPhone.
"This special pre-release version of fring, developed in conjunction with the Holon Institute of Technology academic research labs is a direct response to iPhone users kicking our behind to get fring for their COOOOOL devices," the company said on its website. "Part of the objective here (besides getting you all excited with fring for iPhone) is to get feedback prior to release of the full-feature version and create a truly superb user experience for iPhone users," Fring says. The fring application is only available to those who jailbroke their iPhones or iPod Touches. The application is not endorsed by Apple which is against VoIP applications for its gadgets. This is the case because access to free calls could dramatically cut into the profit margins of the carriers licensed to supply the handset, and everything Apple does is about large profit margins (like its Mac desktop computers). Also, application runs in the background, which is forbidden by Apple. Of course, the iPod Touch does not have a microphone so you need the Touchmods dock connector microphone. Fring, also co-founded by Boaz Zilberman and Alex Nerst, is headquartered in Israel, and has representation in Italy, UK and Germany. In February, BusinessWeek reported that more than 100,000 new users from 160 countries were downloading, installing, and registering to use fring each month. A security firm claims to have uncovered a denial-of-service vulnerability in version 1.1.4 of Apple's Safari web browser for the iPhone.
Radware said that the phone is vulnerable to DoS attacks owing to a design flaw that may be triggered by a series of memory allocation operations on the dynamic memory pool, which in turn triggers a bug in the garbage collector. "While vendors are struggling to push new products and applications, it is evident that security still remains a secondary concern," said Itzik Kotler, security operation centre manager at Radware. "Hackers continue to misappropriate other people's software and their job is made easier by design flaws embedded into software products." To exploit the vulnerability, an iPhone user must open an HTML page which contains JavaScript that manifests this vulnerability. Once at the site, an application-level DoS attack crashes the Safari browser and could go as far as crashing the iPhone completely. Users could be lured to sites containing this attack via links in spam messages or other social engineering techniques. It is unclear whether the fault can cause any permanent damage to the phone or is simply a nuisance.

Women are four times more likely than men to give out "passwords" in exchange for chocolate bars.
A survey of 576 office workers in central London found that women are far more likely to give away their computer passwords to total strangers than their male counterparts, with 45 per cent of women versus ten per cent of men prepared to give away their login credentials to strangers masquerading as market researchers. The survey, conducted outside Liverpool Street Station in the City of London, was actually part of a social engineering exercise to raise awareness about information security in the run-up to next week's Infosec Europe conference. Infosec has conducted similar surveys every year for at least the last five years, involving punters apparently handing over login credentials in exchange for free pens or chocolate rewards. Little attempt is made to verify the authenticity of the passwords, beyond follow-up questions asking what category they fall under. So we don't know whether women responding to the survey filled in any old rubbish in return for a choccy treat or handed out their real passwords. This year's survey results were significantly better than in previous years. In 2007, 64 per cent of people were prepared to give away their passwords for a chocolate bar, a figure that dropped 21 per cent this time around. So either people are getting more security-aware or more weight-conscious. And with half the respondents stating that they used the same passwords at home and work, perhaps the latter is more likely. Taken in isolation, the password findings might suggest the high-profile HMRC data loss debacle had increased awareness about information security. However, continued willingness to hand over personal information that could be useful to ID fraudsters suggests otherwise. The bogus researchers also asked for workers' names and telephone numbers, ostensibly so they could be entered into a draw to go to Paris. With this incentive 60 per cent of men and 62 per cent of women handed over their contact information.
A similar percentage (61 per cent) were happy to hand over their dates of birth.

WILLIAMSVILLE, N.Y. (AP) - Authorities say several current and former students broke into a school district's computer system in western New York last month and copied secure files that included the personal information of employees.
The computer breach by Williamsville North High School students marks the third incident in the past month. Students in the Grand Island and West Seneca districts have been charged with unauthorized computer use. Amherst Police Chief John Askey tells the Buffalo News that students overrode the security defenses of a classroom computer at Williamsville North and went trolling for information. At least three individuals are suspected, and several more knew about it. Those involved have told police they simply were interested in how far they could get into the system. Askey adds that several of the hackers are considered "very bright kids" and good students with no lengthy disciplinary records. It may take weeks to determine the extent of the breach. Superintendent Howard Smith sent a letter this week to the district's 1,800 employees, asking them to notify police if they uncover any suspicious credit card or banking activity. Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

MOUNTAIN VIEW, Calif.--Corey Fro is chasing a large metal orb across the pavement at the NASA Ames Research Center here. He is desperately trying to make sure that the orb doesn't crush a nearby robot.
The orb in question is being remotely directed by a kid wielding an Xbox-like wireless controller, but it's the kid's first time using the device, and he really doesn't have any idea what he's doing. And that's why the orb has rolled away and is bearing down rapidly on the unsuspecting and defenseless robot a few yards away. In the end, Fro caught the wayward sphere and saved the day, or at least the innocent robot. If this sounds unusual, it isn't. At least not at Yuri's Night, a 12-hour celebration of space, science, music, and art held at NASA Ames and other locations around the world Saturday in honor of Russian cosmonaut Yuri Gagarin's first flight into space. The orb is part of Swarm, a project designed for Burning Man built around the concept of autonomous spheres that can be programmed to perform in one of many ways. Or, as Fro put it, "They're kinetic sculptures that drive around in an autonomous but choreographed pattern." Fro is just one of about 30 people who built the orbs for Burning Man 2007, and now the project is returning to Burning Man 2008 as an art piece partially funded--and therefore honored as noteworthy--by the curators of the annual countercultural arts festival. But before it can go back out to the Nevada desert, Swarm had to make an appearance at Yuri's Night, and it was certainly one of the main attractions for the thousands in attendance Saturday. And that's at least in large part because of what they can do. "The orbs control their own movement, light show, and music," explained Fro. "The way they do that is by communicating with the mother node." "The Swarm of autonomous beings by their very nature will have emergent and complex behavior," the project's Web site states. "They will flock, flirt, dance and interact, and their actions will surprise and astonish even us, their creators. They are simple, but together they will behave in ways more complex than we can predict." 
The idea is that five of the six orbs--which look something like specialized see-through hubcaps turned into spheres with really expensive robotic controls and LEDs inside--are subservient to the desires of the lead orb, or mother node. The only information the subservient orbs send out is GPS and accelerometer data, which they send to the lead orb, which, Fro said, uses that information to coordinate the movements and lighting effects of all the spheres. "So the movement coordination allows it to follow the leader, drive in patterns or (even) make the orb representation of planetary systems," Fro said. "But once they're running under control of the mother node, there's no control from humans." That means, once all the orbs are in motion--something that wasn't on display at Yuri's Night--the only way to stop them is to direct the mother node to stop. Each orb, Fro said, is driven by counterbalancing, using the weight of lead-acid batteries as ballast. By swaying the ballast forward, the orb moves forward as the center of gravity changes. "To turn right or left," Fro said, "we swing the ballast right or left." At Burning Man, where the entire project, in its 2008 configuration, will be unfurled, the Swarm team plans to erect a mast on the open desert floor that projects a large laser circle on the ground. The idea is to define a safety zone so that pedestrians, bicyclists, and those on other forms of conveyance are safe. "If they walk into that circle," Fro said, "all bets are off." I was very happy to see the orbs at Yuri's Night because Swarm was one of the legendary art projects I missed at Burning Man 2007. It was something I heard a lot of people talk about after the fact in very reverent terms. And as befits many Burning Man art projects, the 2008 version is sure to be new and improved. In fact, Fro said, the Xbox-like controllers were a big part of what's new for this year: joysticks that can allow anyone to take very subtle control over the orbs.
But it's also very easy to lose control of them, as I saw multiple times on Saturday as Fro would hand the controller over to one person or another. "Try not to rock it so much," he said to someone at one point, "because if you hit the kill switch, it will stop."

A Colombian citizen has been sentenced to nine years in prison for a complex computer fraud which affected more than 600 people.
Mario Simbaqueba Bonilla, 40, was also sentenced to three years' supervised release on his exit from prison, and ordered to pay restitution of $347,000. Simbaqueba Bonilla pleaded guilty in January to charges of conspiracy, access device fraud and aggravated identity theft. According to the charges, Simbaqueba Bonilla, alone and in concert with a co-conspirator, engaged in a complex series of computer intrusions, identity thefts and credit card frauds designed to steal money from payroll, bank and other accounts. The court recognised the attempted and actual loss from the scheme at $1.4m. Much of the identity theft, initiated from computers in Colombia, targeted individuals residing in the US, including Department of Defense personnel. Simbaqueba Bonilla used the money to buy expensive electronics and luxury travel and accommodation in various countries, including Hong Kong, Turks and Caicos, France, Jamaica, Italy, Chile and the US. The man engaged in a conspiracy between 2004 and 2007 that began with illegally installing keystroke logging software on computers located in hotel business centres and internet lounges around the world. This software collected the personal information of those who used the computers, including passwords and other identifying information used to access bank, payroll, brokerage and other accounts online. Simbaqueba Bonilla used the data to steal or divert money into accounts he had created in the names of other people he had victimised in the same way. Through a complex series of electronic transactions designed to cover his trail, Simbaqueba Bonilla transferred the stolen money to credit, cash or debit cards and had the cards mailed to himself and others at commercial mailing addresses. Federal agents arrested Simbaqueba Bonilla when he flew into the US in August 2007.
At the time of his arrest, Simbaqueba Bonilla was flying on an airline ticket purchased with stolen funds, and had in his possession a laptop also purchased with stolen funds. The laptop contained the names, passwords and other personal and financial information of more than 600 people.

Security researchers have unearthed more details about a Trojan that targets backend databases as well as desktop clients.
The Fribet Trojan has been planted on pro-Tibet websites, possibly using a Vector Markup Language flaw (MS07-004) patched by Microsoft early last year. When visitors to the pro-Tibet websites are infected, the Fribet Trojan creates a backdoor on compromised hosts. In addition, the Trojan loads a "SQL Native Client" ODBC library that is designed to execute arbitrary SQL statements received from a command and control server. The feature provides the ability to run arbitrary SQL commands from compromised machines against connected database servers. This functionality allows hackers to steal data or modify databases, provided they are able to log onto those databases in the first place: the attacker still needs to find out the host name, database name, username and password. However, the monitoring functions included with Fribet, as well as easily guessable weak and default values, might leave the door open for hackers, net security firm McAfee reports. The Fribet Trojan emerges little more than a month after SQL injection attacks which inserted iFrame links to sites hosting exploit scripts and malware on legitimate websites. Unlike those attacks, the Fribet Trojan can be used against sites that are protected against conventional SQL injection, McAfee researchers Shinsuke Honjo and Geok Meng Ong explain. "This Trojan apparently can be used as an alternate to SQL Injection attacks, but in a more direct way," they write. "Even the administrators of secure web sites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector."

Web designers making very old mistakes are letting malicious hackers hijack visitors to their sites, say experts.
Many of the loopholes left in the code created for websites have been known about for almost a decade, say the security researchers. The poor practices are proving very attractive to hi-tech criminals looking for a ready source of victims. According to Symantec, the number of sites vulnerable in this way almost doubled during the last half of 2007.

Wholly vulnerable

Kevin Hogan, director of security operations at Symantec, said the bug-ridden web code was putting visitors to many entirely innocent sites at risk. "It overturns the whole notion that if you stay away from gambling and porn sites you are okay," he said. The attack that a malicious hacker can carry out via these web code vulnerabilities is known as cross-site scripting (abbreviated as XSS). Typically these involve lax control of the data being swapped between a web server and the browser program someone is using to interact with it. An XSS vulnerability could, for instance, allow attackers to steal the login credentials of a visitor to a site. Mr Hogan said more and more attackers were looking for websites that were vulnerable to these scripting attacks because they required little work to mount. By contrast, said Mr Hogan, a phishing attack required the creation of tempting e-mails, fake servers and dead-drops to gather data. In its most recent Internet Security Threat Report, Symantec identified 11,253 specific XSS vulnerabilities in the last six months of 2007. Six months earlier the count stood at 6,961. Symantec said there were likely many more vulnerabilities that had not been reported. Drawing its data from XSSED, which gathers data on these vulnerabilities, Symantec said only 473 of these loopholes had so far been fixed. Website administrators had a poor record of closing loopholes, it said. "Attackers..., can expect that [a] site maintainer will not address the vulnerability in a reasonable amount of time, if at all," said the report.
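The SQL injection tool in the "Mystery IIS Hack Unveiled" item earlier on this page and the cross-site scripting item here share one failure: text the site did not control reaches a visitor's browser as live markup. As an added example (not code from SANS, Symantec or any site named on this page), the block below builds a small SQLite database in which one text column has had a script tag appended, the way the injection tool appended data to existing columns; it walks every table and text column to find such tags, shows that dropping the raw value into a page yields a live script while HTML-escaping it at output time yields inert text, and strips the injected tags. The table names, column names and the `example.invalid` URL are constructed.

```python
"""Find injected script in stored text columns and render it harmlessly.

Constructed example (not from SANS, Symantec or any affected site): SQLite
stands in for the database; one row carries the kind of tag the mass
injection appended to existing column data.
"""
import html
import re
import sqlite3

# A script element, as the injected data appeared when echoed into pages
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# Declared column types that hold strings in SQLite (CHAR covers VARCHAR etc.)
TEXT_TYPES = ("CHAR", "CLOB", "TEXT")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: product 2 has an injected tag appended."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(80), body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget', 9.99);
        INSERT INTO products VALUES (2, 'Gadget',
            'Handy gadget<script src="http://example.invalid/x.js"></script>', 19.99);
        INSERT INTO news VALUES (1, 'Opening hours', 'We open at nine.');
        """
    )
    return conn


def text_columns(conn, table):
    """Names of the table's columns whose declared type stores strings."""
    cols = []
    for _, name, decl_type, *_ in conn.execute(f"PRAGMA table_info({table})"):
        if any(t in (decl_type or "").upper() for t in TEXT_TYPES):
            cols.append(name)
    return cols


def find_injected(conn):
    """Walk every table and text column; return (table, column, rowid, tag) hits."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in text_columns(conn, table):
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(value, str):
                    for m in SCRIPT_TAG_RE.finditer(value):
                        hits.append((table, col, rowid, m.group(0)))
    return hits


def strip_injected(conn):
    """Remove injected tags in place; returns the number of rows cleaned."""
    rows = {(t, c, r) for t, c, r, _ in find_injected(conn)}
    for table, col, rowid in rows:
        (value,) = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid=?', (rowid,)).fetchone()
        conn.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?',
                     (SCRIPT_TAG_RE.sub("", value), rowid))
    conn.commit()
    return len(rows)


def render_unsafe(descr: str) -> str:
    """How the affected sites rendered: raw column data dropped into the page."""
    return f"<p>{descr}</p>"


def render_safe(descr: str) -> str:
    """Output encoding: the same data HTML-escaped, so a tag becomes inert text."""
    return f"<p>{html.escape(descr, quote=True)}</p>"


def page_executes_script(page_html: str) -> bool:
    """Crude check: does the rendered page carry a live script element?"""
    return bool(SCRIPT_TAG_RE.search(page_html))


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, tag in find_injected(db):
        print(f"{table}.{col} rowid={rowid}: {tag}")
    (d,) = db.execute("SELECT descr FROM products WHERE id=2").fetchone()
    print("raw render runs script:", page_executes_script(render_unsafe(d)))
    print("escaped render runs script:", page_executes_script(render_safe(d)))
    print("rows cleaned:", strip_injected(db))
```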
"There are a lot more websites out there that are prone to this," said Mr Hogan. "It's a much bigger proposition to make a safe website than it is to patch a browser." Chris Wysopal, co-founder and chief technology officer at Veracode which produces online tools that scan code for security flaws, said the problem was getting worse. "I do not see trends slowing this down," he said. XSS attacks were becoming more popular because more and more websites were writing their own snippets of code so visitors could get more out of a site, he said. Unfortunately, he added, the same mistakes were being made in this custom code years after they were first discovered. "The problem was identified eight years ago or so," he said. "Over time attackers have figured out better and more interesting things to do with cross-site scripting." He added: "It's such a target rich environment I do not think the attackers need to have a very sophisticated way to harvest sites for vulnerabilities." Automated web tools were available that can scan custom web code and highlight vulnerabilities but few web designers used them, said Mr Wysopal. "The awareness is not there that if you write code you need to test it before you put it out there," he said. SAN FRANCISCO--It turns out al-Qaida's leader and his cohorts aren't the biggest threat to our cybersecurity. You are.
Six years ago, Osama bin Laden represented the nightmare scenario for the computer security establishment. But more immediate cyberdangers lurk on the horizon. Experts attending the RSA conference that began here today say it's you--Mr. & Mrs. Computer User--who keep goofing up. In fact, they contend, the future of cybersecurity hinges less on a latter-day version of spy-versus-spy against shadowy terror groups than on a more serious effort to instill best practices. Listening to their warnings was something akin to the scene in the movie Groundhog Day, where Bill Murray repeatedly wakes up to the same morning. Security gurus have long urged the business world to turn network security into part of the corporate DNA. The message is not fully getting through. And now we're seeing the predictable results. After listening to Symantec's John Thompson's morning keynote, I later kidded him about purposely scaring the hell out of people. He was a good sport about my joshing but pointed out that the information security landscape is increasingly punctuated by cases of data theft. He backed that up by reciting a litany of worrisome stats from his company's latest Internet security threat report. Truth be told, it makes for grim reading.

[Photo: Symantec CEO John Thompson (Credit: Charles Cooper/CNET News.com)]

Among the report's highlights:
• 65% of the new code being released into the market is malicious
• The U.S. was the top country of attack origin in the second half of 2007
• The education sector accounted for 24 percent of data breaches that could lead to identity theft
• Government was the top sector for identities exposed, accounting for 60 percent of the total
• Theft or computer loss resulted in the most data breaches that could lead to identity theft
• The United States had the most bot-infected computers worldwide

If the statistics are accurate, rank-and-file computer users are far from internalizing the security mantra.
What's more, the findings suggest it will be quite some time before most people treat computer security as more than an afterthought. In the meantime, of course, Thompson didn't preclude the possibility of a terror or state-based organization launching a big cyber attack. But he believes the more likely danger to the nation's infrastructure will emanate from a different quarter. "The threat landscape has changed," he said. "When people used to talk about the 'Big One,' they were thinking about that in the context of an attack on the infrastructure itself. That's still possible but less probable today because attackers have shifted to the information itself. They're much more stealth-like. Before, they wanted to become obnoxiously visible. Now they don't. They want to quietly penetrate defenses so they can sell what they steal in what's become a growing underground economy."

[Photo: DHS Secretary Michael Chertoff (Credit: Charles Cooper/CNET News.com)]

(He's got a point. Symantec's report found that bank accounts are the most commonly advertised item for sale on underground economy servers, accounting for 22 percent of all activity tracked.) In years past, Thompson and other computer security executives have pushed the idea of making cyber-security as familiar to most people as the fire prevention campaign underwritten by the government in the 1960s and 1970s. Considering the amount of money Uncle Sam is spending on cyber-security these days, that's a pipedream. Department of Homeland Security Secretary Michael Chertoff, who also presented a keynote on Tuesday, offered little indication Washington was about to ride to the rescue. In remarks during his prepared speech and subsequent press conference, Chertoff offered a dutiful recitation of what he described as the President's interest in shoring up the nation's digital security.
But despite Chertoff's repeated commitment to doing the right thing - including a call to arms inviting Silicon Valley's best and brightest technologists to come to Washington to work on cyber-security - I wonder how many industry skeptics he'll win over. Until recently, DHS couldn't get a cyber-security director to stay in what essentially was a figurehead job much longer than a year. Off-the-record interviews with people familiar with the goings-on there have described the situation to me as a bureaucratic mess. DHS finally staffed up by putting in Greg Garcia, a former official with the Information Technology Association of America trade organization, as assistant secretary for cybersecurity and telecommunications. More recently, Rod Beckstrom, an author and entrepreneur best known for starting business collaboration software maker Twiki.net, was put in charge of directing a national cybersecurity center that operates inside DHS. Give Chertoff credit for being candid about where DHS has come up short. He said the government needs to reduce its (literally) thousands of network access points to around 50. At the same time, Chertoff wants his department to detect and analyze computer anomalies faster. A big part of that will involve a revamp of U.S. CERT's early warning system. "Even giving an adversary one bite at the apple before we've figured out the meta data or (digital) signature is one bite too many," he said. In the end, however, money talks and you-know-what walks. The feds only have a $115 million budget to work with. Chertoff's department has requested $192 million for the new fiscal year but that's still doing it on the cheap. By comparison, we spend $720 million in Iraq each day.
The UK is catching up with the US as an internet crime hotspot, according to IT security consultancy Global Secure Systems (GSS).
GSS bases its warning on a study of the recently released Internet Crime Report by the Internet Crime Complaint Center (IC3). "Despite the fact that the IC3 study is a national US annual report, it concludes that the UK is in second position with 15.3 per cent when it comes to the origin of US internet crime reports," said David Hobson, managing director of GSS. "This is significantly ahead of other cyber-crime hotspots such as Nigeria (5.7 per cent) and Romania (1.5 per cent). It's also worth noting that internet crime in the US hit an all-time high in 2007, with an almost 20 per cent increase on the fraud reported in 2006." According to Hobson, reported internet crime losses are only the tip of the cyber-crime iceberg, as there are many more cases that go unreported for various reasons. He added that the report should act as a "wake-up call" to companies that are not properly securing their networks against attack from the organised criminal gangs who are prowling the web searching for new targets. "How they achieve their fraud is irrelevant. If they can find a way in, they will," he said. According to the IC3 report, 90,008 complaints were referred to federal, state and local law enforcement agencies across the US. According to Hobson: "That's around one complaint every six minutes throughout the year, day and night. If that statistic doesn't make a company IT manager sit up and take note, I don't know what will."
At the end of February Home Office minister Meg Hillier explained the UK ID scheme security system to the Home Affairs Committee. "The National Identity Register, essentially," she said, "will be a secure database; ...hack-proof, not connected to the Internet... not be accessible online; any links with any other agency will be down encrypted links."
Except she didn't, apparently, because by the time the Committee session transcript was published, here, Hillier's words had become: "The National Identity Register, essentially, will be a secure database; it will not be accessible online; any links with any other agency will be down encrypted links." Spooky? We are indebted to William Heath's Ideal Government blog for spotting the difference between what was actually said (noted at the time by an eyewitness) and what appeared in the official record. We should also explain at this point that Hansard, the UK parliamentary record system, is not intended to function as an entirely verbatim transcript of proceedings. It is largely verbatim, but includes some facility for publishing what the speaker meant to say, or perhaps even what they ought to have said. Ordinarily, however, changes amount to little more than polishing and seldom materially affect the meaning. Ordinarily... In this case, the removal of "hack-proof, not connected to the Internet" goes some way beyond minor polishing. Do we understand from this that Hillier's officials think it unwise (which, of course, it is) to claim that the NIR is hack-proof? And are they keen to leave wiggle-room on Internet connectivity? A database that is "not accessible online" is not necessarily the same thing as a database that is not connected to the Internet, depending on what you might mean by "not accessible". Hillier is relatively new to the ID card brief at the Home Office, and has come up with several improbable and/or unfortunate claims in recent months (e.g., "we should see an identity card, like a passport, in country"). At the Committee session, Ideal Government reports that "the officials present were passing notes to try to get her back on message", which we would guess is just the sort of thing that's likely to prompt the acute observer to take especially careful notes. It's a tough job minding some people.
Virginia became the first state this year to require Internet safety courses in its public schools. Illinois and Texas both have laws on the books relating to curriculum and instruction in this area, but Virginia is currently the only state to require such courses, according to VNUNet.
As one student quoted in the article, James River High School's Maya Towers, put it: “I thought it was very important because we post a lot of things on the internet. I didn’t know how much information can be exposed.” This highlights the attitudes of most of our students. While some conceal their identities on MySpace, Facebook, AOL, and other bits of social media, many others blithely post pictures, locations, and even phone numbers and addresses. Now that my students have discovered Twitter, I’ve had to warn them about being too revealing in their tweets. Few realized that the growing network of followers (particularly for my feed) had access to any information they posted. Fortunately, most of my followers are either students or other folks interested in the educational value of social media. However, even these followers don’t need to know that Ashley and Susie are at the local movie theater alone and will be getting out at 9:45. The level of naivete among many students is disturbing at best; well-planned curricula in the public schools could go a long way towards keeping students safe as we increasingly live a second life (no pun intended) online.
YOUR COUNTRY NEEDS you, nerd, seemed to be US Homeland Security chief Michael Chertoff’s message to Silicon Valley in his patriotic keynote speech at the RSA Conference in San Francisco yesterday.
Chertoff even went as far as saying that future cyber attacks could be on the scale of the attacks suffered by the US on 9/11, a desperate strategy attempting to appeal to the nationalism and conscience of Valley workers, as opposed to appealing to their wallets. (But, hang on, aren’t most of them foreign anyway?) In what sounded more like a military troop rally, the security chief told the auditorium full of Valley workers to stand up and be counted in America’s fight to secure the cyber highway, noting "The human and economic sacrifices from a cyber-attack can be devastating ... on par with what this country experienced on September 11". Taking out a small onion and with tears of patriotism in his eyes, he begged the private sector to "please send some of your brightest and best to do service in the government", referring to a new inter-agency group (National Cyber Security Center) set up to act as an early warning system for major network attacks that would help the federal government protect its computer networks from organised cyber attacks. He theatrically added that joining up would be "the best thing you can do for your country". Chertoff thought it best to instill terror in his yuppie audience about the potential chaos that could be caused if cyber attacks were to hit financial or government bodies, melodramatically stating "a single individual, a small group or a nation state can exact damage and destruction similar to dropping a bomb or explosives." Noting that the US government took threats to the online world as seriously as those in the real world, Chertoff also outlined government plans to develop the equivalent of the "Manhattan Project" to defend US federal networks and national security interests from the big bad boogeyman of large-scale cyber-attacks.
A British researcher has developed a biometric keylogger of sorts that can capture fingerprints required to unlock building doors or gain access to computer networks or other restricted systems.
For now, the Biologger is a proof-of-concept aimed at showing the insecurity of many biometric systems, according to Matthew Lewis, who demonstrated the tool at last month's Black Hat Amsterdam conference. But the researcher, who works for Information Risk Management, warns the attack could become commonplace if current practices don't change and could be used to log images of retinas, facial features and any other physical characteristics used by biometric systems. "Biometric device manufacturers and system integrators cannot rely on security through obscurity alone for the overall security of their devices and systems," he writes in this white paper (PDF). "Without adequate protection of the confidentiality, integrity and availability of biometric access control devices and their data, the threat of 'Biologging' activities within those enterprises employing such access controls is real." The unspecified access control device used in Lewis's demonstration didn't bother to encrypt data before sending it to back-end servers, making it ripe for interception by a man-in-the-middle laptop that logged all traffic passing between the two devices. The researcher was able to construct an image of a fingerprint by subjecting portions of the captured data to an algorithm designed to graphically identify image data and resolution. "The result of such a finding to attackers could be significant," Lewis wrote. "If a good quality image can be reconstructed, then it is conceivable that techniques described ... could again be used to generate a 3D spoof finger of users that have obviously been registered with the system at some point." The research is the latest cautionary reminder that biometrics are by no means a panacea to the difficulty of verifying a person's identity.
Last week, a hacker club published what it said was the fingerprint of Wolfgang Schäuble, Germany's interior minister and an ardent supporter of storing a digital representation of citizens' fingerprints in their passports. Schäuble's print was embossed on a sticky piece of plastic that can leave the print on coffee cups, telephones and biometric readers. Lewis was also able to issue commands to the access control device that enabled him to unlock doors and add new users with full administrative rights without presenting a fingerprint. That's because the device needed only a single 8-byte message, which passed over the network in plaintext. Although he was never able to crack a 2-byte checksum used for issuance of each message, he was able to overcome this limitation by taking a brute-force approach, in which every possible combination of checksums was used. There are other limitations to Lewis's attack. For one, it requires attackers to have privileged access to the network connecting the access point to the server. Another is that the traffic was transmitted using the user datagram protocol, which rendered the brute-force attempts "not 100% reliable." But his point seems to be that, just as best practices require that passwords are never stored in the clear, fingerprints and other biometric data should likewise be encrypted. Architects designing the next generation of biometric systems,
A plan to expand the number of government police and security agencies that can tap into detailed satellite images is proceeding, despite concerns from Congress, the head of the U.S. Department of Homeland Security said Wednesday.
During a roundtable discussion with bloggers and journalists here, Secretary Michael Chertoff said a "charter has been signed" to create a new office, which will serve as a clearinghouse for requests from law enforcement, border security, and other domestic homeland security agencies to view feeds from powerful satellites. It will be called the National Applications Office. "I think the way is now clear to stand (the office) up and go warm on it," said Chertoff at Homeland Security's headquarters here. Right now, these spy satellites are more commonly used for things like monitoring volcanic activity, hurricanes, floods, and various environmental and geological shifts. But the agency has said it sees important applications for the images in other areas within its purview, such as terrorism investigations and illegal immigration busts. Originally, the satellite office was supposed to take shape last October but those plans were delayed after congressional Democrats raised privacy concerns. They said they wouldn't be able to support the program until the agency lays out exactly what legal framework it will be using to fulfill requests by, say, state and local police, and how it will protect Americans' civil liberties. Chertoff said Wednesday that the department has completed the privacy impact assessments for the new office and should be releasing them within a few days. He said that members of Congress have received briefings and that he thinks there's a "good process in place to make sure there aren't any legal transgressions." In the past, Homeland Security officials have downplayed the implications of allowing more agencies to access the satellites, arguing that in addition to scientific applications, the technique has already been employed from time to time by the Secret Service and FBI. 
For instance, when a well-publicized series of sniper attacks swept through the Washington, D.C., area in October 2002, the CIA and FBI were permitted to use images provided by the National Geospatial Intelligence Agency to look for places snipers might hide along highways on the East Coast. "I think we have fully addressed everybody's concerns," Chertoff said Wednesday. "We've made it clear this is not going to be interception of communications, verbal or oral or written. That's still going to be done under the traditional way." The Homeland Security secretary, however, may not have that easy a time persuading congressional overseers. Within the next few days, Reps. Jane Harman (D-Calif.) and Christopher Carney (D-Penn.), who lead Homeland Security subcommittees, are planning to send Chertoff a letter that says the new scheme still isn't ready for launch, a Democratic aide to the U.S. House of Representatives Homeland Security Committee, which oversees the department, told CNET News.com on Wednesday. Committee leaders say the charter for the National Applications Office is "wholly inadequate," said the aide, who spoke on condition of anonymity since the letter is still being drafted. They plan to criticize the department for allegedly failing to outline the legal framework and other "standard operating procedures" governing the program. Furthermore, the Government Accountability Office has not yet vetted the program's privacy guidelines, which was made a condition for the National Applications Office to receive congressional funding, the aide said.
On cybersecurity
Also at the roundtable discussion, Chertoff attempted to defuse concerns that Homeland Security's cybersecurity arm plans to "sit on the Internet," as he put it, and monitor traffic in a manner reminiscent of the Chinese government.
As part of its efforts to detect network intrusions in real time, Homeland Security has said it plans to expand use of an existing system known as Einstein, which will, among other things, monitor visits from Americans and foreigners to .gov Web sites. The set-up is in place at 15 federal agencies, but Chertoff has asked for $293.5 million from Congress in next year's budget to roll it out governmentwide. In addition to outfitting federal networks with those tools, Chertoff said the government also plans to help companies fend off cyberattacks by offering some of its "classified" intrusion detection tools--but such aid will be purely optional. As for the department's broader strategy, "in some ways, it's more and better of what we're doing," Chertoff said. "In some cases, it may involve some additional things I can't talk about."
Sidestep spammers with dedicated email accounts for online bills. By Andrew Brown.
Somewhere out there some firm that holds my credit-card details has been hacked. I know this because I have started to get spam to an email address I only ever use for buying things. I have no idea which firm it might be: in the past 2½ years, I have had at least 520 messages to that address, from about 75 different companies. I don't think it's likely that any of the big ones has been hacked or else we would hear more of it. (Wouldn't we?) But among the software publishers, the music sites, the wine merchants and second-hand book dealers I have been paying from this address, there is one whose customer database has been plundered. Keeping specialised and unique email addresses for different tasks is one of those tricks that everyone should know and practise: for one thing, it can be combined with spam-filtering rules to make a rock-solid defence against phishing scams. Since I have unique addresses for eBay, PayPal, the various Amazons and my bank, none of which are ever used for other correspondence, I know that an email purporting to come from any of those firms that is not sent to the right private address must be a scam, and it's easy to set up rules to delete it unread. I have not done this with the correspondence for one-off purchases, all of which went to the address that has now become a spam target, because each new address would have to be set up in the spam filter. The gang that stole my customer details is unlikely to be the same one that is sending me the spam. There are well-established marketplaces for email lists and the number of addresses for sale is hard to grasp: one moderate-sized botnet analysed by SecureWorks last year contained 162 million addresses. Many millions of these will be dead, of course; the spamming software has routines built into it to detect and delete addresses that have been blackholed, but messages that are instead bounced will keep the address alive.
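The per-account alias rule described above, as an added example rather than the column's own code: a small filter that flags mail claiming to come from a vendor but not addressed to that vendor's private alias as a phish, and, going one step further than the column, gives every vendor its own alias so that spam arriving at an alias also identifies whose customer list leaked. The aliases, vendor domains and messages are constructed for the demonstration (reserved .example names, not real accounts).

```python
"""Per-account e-mail aliases as a phishing and leak detector.

Added example; not code from the column or its author. The aliases,
vendor domains and messages below are constructed for the demo
(reserved .example domains), not real accounts.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Optional

# Constructed map: one private alias per online account. Going beyond the
# column, every vendor (not just eBay/PayPal/bank) gets its own alias, so
# that spam reaching an alias also tells you whose customer list leaked.
ALIASES: Dict[str, str] = {
    "shop@me.example": "shop.example",
    "bank@me.example": "bank.example",
    "auction@me.example": "auction.example",
}
# Reverse map: the alias a genuine message from each vendor must be sent to.
EXPECTED_ALIAS: Dict[str, str] = {dom: alias for alias, dom in ALIASES.items()}


def sender_domain(msg) -> str:
    """Domain part of the From: header (the domain the mail *claims*)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def recipients(msg) -> List[str]:
    """All To:/Cc: addresses, lower-cased; handles display names with commas."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def vendor_for_domain(dom: str) -> Optional[str]:
    """Map a sender domain (or a subdomain of it, e.g. mail.bank.example)
    to the known vendor domain it belongs to, if any."""
    for vendor in EXPECTED_ALIAS:
        if dom == vendor or dom.endswith("." + vendor):
            return vendor
    return None


def classify(raw: str) -> str:
    """Classify one RFC 822 message as 'ok', 'phish', 'leak:<vendor>' or
    'unknown' using the two alias rules."""
    msg = message_from_string(raw)
    rcpts = recipients(msg)
    vendor = vendor_for_domain(sender_domain(msg))

    # Rule 1 (the column's rule): mail that claims to come from a known
    # vendor but is not addressed to that vendor's private alias is a scam,
    # whatever the body says, so a filter can delete it unread.
    if vendor is not None:
        return "ok" if EXPECTED_ALIAS[vendor] in rcpts else "phish"

    # Rule 2: mail from anyone else that reaches a vendor-specific alias
    # means that alias has escaped, i.e. that vendor's customer data leaked.
    for rcpt in rcpts:
        if rcpt in ALIASES:
            return "leak:" + ALIASES[rcpt]
    return "unknown"


# Constructed sample messages (headers only; the bodies are irrelevant here).
SAMPLES = {
    "genuine": "From: alerts@bank.example\nTo: bank@me.example\n\nStatement ready.\n",
    "subdomain": "From: News <news@mail.auction.example>\nTo: auction@me.example\n\nWeekly digest.\n",
    "phish": "From: Bank Security <security@bank.example>\nTo: shop@me.example\n\nVerify your account now.\n",
    "leaked": "From: promo@pills.example\nTo: \"Doe, J\" <shop@me.example>\n\nSpecial offer.\n",
    "other": "From: friend@elsewhere.example\nTo: me@me.example\n\nHi!\n",
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed sample; returns name -> verdict."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict}")
```

A lookalike sender domain (one that is not a subdomain of a known vendor) falls through to rule 2, so it is reported as a leak of whichever alias it reached rather than as a genuine vendor message.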
There's nothing I can do, of course, other than keep a beady eye on my credit card and bank statements. But I do that anyway, and it will only detect damage after the event. In any case, I don't know whether my credit-card details are gone. On a well-designed site, they would be stored separately from the customer database; but a well-designed site wouldn't get hacked. In the meantime, I skim-read the spam that drifts up in what used to be my private inbox, since Thunderbird's built-in spam filter is nothing like as efficient as Gmail's, or the one in Opera's mail module. There is a strange, twisted poetry of longing to discover here. The black economy of the internet has invented another criminal trade: alongside the programmers and the data thieves, there must be copywriters for the penis-enlargement pills. Perhaps someone, somewhere is publishing What Penis? magazine. You'd have thought that after 10 years or more of pretty much continual spam there would be nothing fresh to say about enlargement pills, patches and creams. How can there be anyone out there who supposes that any of this will work? Yet the inexhaustible stream of spam proves that there must be hundreds of suckers born every minute. Much of it seems written by people who don't speak English as a first language. But the awful thing is that all the circumlocutions are perfectly clear, because they speak to the universal fear of being a despised outcast. If you take the time to read the spam, it becomes clear that the market is the men's equivalent of anti-ageing creams for women: what is really being offered is the promise of being attractive, or at least not loathsome. It may seem implausible to anyone over the age of 12 that a man whose tool bangs against his knees will be - whatever his other problems - irresistible to women. But the alternative explanation for a lack of success is that women are giggling behind your back at your pathetic, stunted personality. And that would be even worse. 
Security is both a feeling and a reality, and they're different. You can feel secure even though you're not, and you can be secure even though you don't feel it. There are two different concepts mapped onto the same word — the English language isn't working very well for us here — and it can be hard to know which one we're talking about when we use the word.
There is considerable value in separating out the two concepts: in explaining how the two are different, and understanding when we're referring to one and when the other. There is value as well in recognizing when the two converge, understanding why they diverge, and knowing how they can be made to converge again. Some fundamentals first. Viewed from the perspective of economics, security is a trade-off. There's no such thing as absolute security, and any security you get has some cost: in money, in convenience, in capabilities, in insecurities somewhere else, whatever. Every time someone makes a decision about security — computer security, community security, national security — he makes a trade-off. People make these trade-offs as individuals. We all get to decide, individually, if the expense and inconvenience of having a home burglar alarm is worth the security. We all get to decide if wearing a bulletproof vest is worth the cost and tacky appearance. We all get to decide if we're getting our money's worth from the billions of dollars we're spending combating terrorism, and if invading Iraq was the best use of our counterterrorism resources. We might not have the power to implement our opinion, but we get to decide if we think it's worth it. Now we may or may not have the expertise to make those trade-offs intelligently, but we make them anyway. All of us. People have a natural intuition about security trade-offs, and we make them, large and small, dozens of times throughout the day. We can't help it: It's part of being alive. Imagine a rabbit, sitting in a field eating grass. And he sees a fox. He's going to make a security trade-off: Should he stay or should he flee? Over time, the rabbits that are good at making that trade-off will tend to reproduce, while the rabbits that are bad at it will tend to get eaten or starve. So, as a successful species on the planet, you'd expect that human beings would be really good at making security trade-offs. 
Yet, at the same time, we can be hopelessly bad at it. We spend more money on terrorism than the data warrants. We fear flying and choose to drive instead. Why? The short answer is that people make most trade-offs based on the feeling of security and not the reality. I've written a lot about how people get security trade-offs wrong, and the cognitive biases that cause us to make mistakes. Humans have developed these biases because they make evolutionary sense. And most of the time, they work.
The government has further delayed the introduction of crucial legislation to criminalise new forms of hacking activities.
Laws to amend the 18-year-old Computer Misuse Act (CMA) were due this month, but have been put back as the Home Office tries to iron out potential conflicts in the legislation. The updates are important because they target cyber crime techniques that were not envisaged when the act was first written, particularly denial of service attacks and the selling of hacking tools. Amendments were first approved by parliament in the Police and Justice Act two years ago, but have not been implemented because of potential overlap with the Serious Crime Bill and a fear they might criminalise legitimate security professionals. The legislation is needed urgently because the CMA has been so ineffective in tackling hacking, said shadow home affairs minister James Brokenshire. “Further delays send out the message to criminals that the UK is a soft touch on cyber crime,” he said. “We need action.” Denial of service attacks are becoming increasingly sophisticated. Last month, gambling company Gala Coral experienced a new breed of attack that disabled its network for almost half an hour despite costly protection systems. Even when the legislation comes into force there are no guarantees it will work, said MP John Hemming, who used to run an e-commerce site. “The government often looks for simple solutions to complex situations and very often gets it wrong,” he said. The Home Office said no date has been set for the commencement order. “Work on legislation will begin in April; we are still considering when to bring in the legislation,” said a spokeswoman.