While this was a loss for the good guys, it does provide security professionals with some valuable information. First, choosing a strong (long non dictionary word with special characters, numbers and the like) password is still an integral part of good basic meat and potatos security practice. Second, if the FBI is unable to crack a TrueCrypt protected drive without the user having chosen a boneheaded password, it seems like the program is a good and cost effective choice for protecting personal data as well as in small business environments. The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepeneurial crypto programmer.
Anyone who knows me knows that I am not a “kid person.” To me, all babies (except for YOURS, of course) look like the offspring of Winston Churchill and a lizard. And they all (except YOURS) seem to emit a plethora of unpleasant sounds, odors, and substances. My wife reminds me every once in a while, that I, too entered the world as a baby, but I am becoming more and more convinced of the impossibility of this.
Well, it seems that my antipathy towards babies has been vindicated, folks – it turns out that today’s babies could grow up to be next generation of terrorists! According to Rep. Louie Gohmert (R, TX), those wily terrorists have been sending women to the US in order to have babies, which are then whisked back to Al Qaeda run Gymborees (complete with US citizenship) where they would be trained to wreak terroristic havoc on their (legal) return to the US in oh, 20 years and destroy our way of life. I knew it! I’m glad that there are courageous Americans like Rep. Gohmert who understand where the real threat to our nation lies – in cribs!
According to an interesting story at Wired’s Danger Room blog, the FTC has filed a lawsuit against a number of “John Doe” defendants who stole more than $10 million dollars from 1.3 million credit card holders since 2006. Using a variety of shell companies and money mules recruited via online advertising for work at home jobs, the unidentified defendants made small (20 cents to 10 dollar) charges to victims’ credit cards. Each card was charged only once, but at 1.3 million cards, we’re talking some serious coin here. In addition to being evil, this scheme was pretty smart – since the charges were so small, most people (90% in this case) never bothered to dispute them – after all, how much time are you willing to spend disputing a charge for a couple of bucks? While the FTC has identified some of the mules, the ringleaders remain unknown.
In the old days, this type of scam was called “salami slicing” – stealing just a little bit (one slice of salami) from a lot of people adds up to a big salami. Mmmmmm…. salami….
This is a really hard type of fraud to fight… since so few of the charges were contested, it took 4 years for and credit card issuers and feds to find a pattern. In the mean time, all of the victims suffered very small losses. The ringleaders got their millions and are still on the lam (eating salami and caviar sandwiches, I assume).
The subtitle of this blog promises reading to keep you up at night… so, here goes… aside from creating hot weather and giving us skin cancer, our Sun threatens our technological society in yet another, even scarier way. Solar activity can have a real effect on the Earth’s magnetic field, which in turn, can wreak havoc with such technological niceties such as GPS, radio communications, transpolar air travel and, the electrical grid which makes our way of life possible.
End of July? Vegas? Security folk and shady folk in one place? Stifling heat? You know I’m there… (If anyone points out that “it’s a dry heat” I reserve the right to throw something heavy and possibly explosive).
I’m planning a Vegas double header this July, attending both Security B-Sides and DefCon. I’m planning to blog/tweet during the festivities and would love to meet up with any of my readers… dm me (@alberg) when you are there… and if you are not planning to attend, consider it – both of these events are great places to learn security-fu, meet your peers (as well as many people whom you would not typically meet up with), and for the corporate types amongst us (myself included), they are very cost effective uses of your training budget dollars.
As we all know, the Internet is a series of tubes invented by Al Gore to allow us to exchange cute cat pictures and pornography. This past week, a paper presented at the Ninth Workshop on the Economics of Information Security provided some really interesting insight into both the economics of the Internet pornography industry and more importantly, how those economics translate into security considerations.
The research in question was conducted by a team of researchers from the Technical University of Vienna, Institute Eurecom, and UC Santa Barbara. A brief digression here… if I had been informed that conducting studies of Internet porn was an option, I definitely would have finished college and gone into academia. We should let kids know about this so that they stay in school!
If you ask people in my office what they hate about me, one of the items that is sure to show up on quite a few (long and varied) lists is my stubborn refusal to clear iPhones and iPads as corporate devices. Well, my stubborness has been vindicated twice over…
Now, Apple, in claiming that its flagship product is enterprise ready, tells us that iPhone3GS offers hardware-based- encryption and uses AES 256 bit encoding to try to protect all data on the device. Encryption is always enabled and cannot be disabled by users. I guess that the Apple version of AES just happens to replave every character with the same exact character…
This morning, the situation developed further… further research by Heise Security in Germany showed that it was possible to gain complete access to all data some iPhone 3Gs and 3GSes by connecting to them from a Windows system. The trick does not work every time on every phone, and it is still unclear what the exact conditions are which case the vulnerability to manifest itself. When it does work, this vuln allows the attacker to create an iTunes backup of all of the information on the device. Not good.