I’ve been keeping track of interesting stories about security over the past couple of months for my intersession course, mostly ones that I have found through Slashdot, BoingBoing and/or Digg. As part of the process of selecting which ones will make it into the final week of the course and which ones will not, I thought I would put the whole list here, mostly without comment. If you notice anything that seems particularly interesting (especially if you happen to be in my course!) let me know and it will probably move up my list of things to discuss.
- Last year’s Hack of the Year involves a Swedish hacker obtaining passwords for a number of governmental and embassy email accounts using TOR, an open-source tool that obscures web traffic. Think TOR sounds cool? Check out this guide to using TOR to surf anonymously to learn more about how it works.
- Not surprisingly, a study of wireless networks used in retail stores shows that most of them are insecure to some degree, with 25% using no encryption at all.
- We have read about hackers taking advantage of default passwords back in the 80s, but it remains a problem and there are a number of lists out there of default passwords for modern hardware.
- This is a slightly older story and the infected drives were pulled off the market, but certain Maxtor 500GB hard drives are being shipped with Trojans on them that send information on them back to sites registered in Beijing. But it seems that hardware being shipped with malware installed is a growing problem with digital photo frames also recently being infected.
- Sometimes what you think is a virus is just Microsoft being Microsoft: “During normal operation or in Safe mode, your computer may play “Fur Elise” or “It’s a Small, Small World” seemingly at random. This is an indication sent to the PC speaker from the computer’s BIOS that the CPU fan is failing or has failed, or that the power supply voltages have drifted out of tolerance.”
- A hole in QuickTime allows SecondLife avatars to be hijacked and made to turn over their Linden cash. Huh – I am about halfway through that novel…. More seriously, though, security within MMORPGs as a subset of software security seems to be a growing topic of interest.
- A McAfee report predicts more cyberattacks against and by governments in the coming years, based on evidence that many countries, including the US, have already started to use cyberattacks. It seems the attacks are mostly for the purpose of espionage. A related article coming out of this report frames the issue as a coming cyber cold war – interesting in the context of this report that a number of recent blackouts outside the US were due to cyberattacks. And cyber-espionage need not be just against countries; corporate cyber-espionage is also believed to be on the rise.
- There is a lot of argument about how to compare the relative safety or number of holes in operating systems or software. Recently Microsoft reported that the number of holes announced in IE was less than in Firefox, and the Head Security Strategist at Firefox responded that the count did not include holes patched in major service packs and thus not announced, and discusses the security risk this represents for users. A similar argument gets made in comparing Mac versus Windows vulnerability stats, with Mac by this report having many more flaws, but there being a question of whether apples are being compared to apples or not…
- This commentary on the balance between security and usability is worth reading. Part of the usability issue here is supporting deprecated filetypes, and whether that support needs to include security patches.
- This long technical article, in PDF format, describes a Chinese black market in malware. I have only skimmed the article so far but it has an interesting classification of the different players in the black market and how they relate to each other, as well as a couple of case studies. Somewhat related is this article on the emerging “malware economy”.
- If cracking WEP seems daunting (though it probably shouldn’t after reading that guide…), maybe you want to practice on the less securely encrypted wireless keyboards.
- Lots of end-of-the-year reports, including that 3.2 billion dollars was lost to phishing attacks and that anti-virus protection is less effective at detecting malware when measured by its response to new attacks.
- Sometimes sneaky malware-style behavior finds its way into commercial products, such as the feature in Adobe’s CS3 that reports back usage data to a server with a sketchy name.
- South Carolina may require forensic investigators to have a PI license, and some are concerned since the specialized skill set for forensic investigation currently has little overlap with the training and skill set of licensed PIs. The motivation, of course, is a desire to ensure that evidence to be used at trial is collected using appropriate standards.
- A recent report says that projects to find and repair security holes in open source software are proceeding well – the more interesting part of the article possibly being the large government-supported effort to harden open source systems as their use expands. This would appear to be another “hidden” cost of free, open-source software.
- A case originating a couple of years ago and centering around the question of whether unauthorized (but unblocked) whois and DNS lookups constitute hacking has been decided in the positive (more commentary critical of the decision here).
- Worried after all of this that your computer is going to go kablooey any minute now? Keep this nifty Ubuntu LiveCD based technique for restoring your Master Boot Record in your back pocket…