JaysonSchultz.com

I just read a FANTASTIC article about how a CS graduate student and two faculty members of the Unversity of Washington received 9 DMCA takedown notices for printers, devices which can’t download anything, were caught downloading copyrighted material via BitTorrent.  Previously, the only way I knew anything close to this to be possible is through open access points.  But the article lists 5 ways that a client may be wrongly implicated for downloading infringing material.  In doing so, they examine a lot of mechanics of BitTorrent but not so much as to overwhelm a non-BitTorrent expert.  The article is a very neutral paper and is not meant to be be pro piracy or pro MPAA/RIAA and goes as far as making recommendations on how to improve the system so such false implications don’t occur in the future.  Nice work guys!

Technorati Tags: BitTorrent, Univeristy of Washington

I just finished reading a posting on Engadget about an armed robot that military may start deploying that “gets Kill commands via WiFi”.  Now unfortunately, I haven’t found much more about this robot other than what’s in the small Engadget posting and I’m guessing that given the limited range of what we know as WiFi (802.11a/b/g/n), that this isn’t truly WiFi, unless the army has plans to deploy access points throughout a warzone.  But if this IS WiFi, EGADS!!!  While WiFi has made some signficant strides in recent years with WPA2, what would happen if the opposing armies were able to hack this?!?!  No only would they be able to prevent their demise, but they would be able to use the weapon against OUR troops!  IF WiFi is truly used here, let’s hope that the engineers added some additional cryptography on top of native WiFi security measures and that the algorithms used have undergone public cryptanalysis.

Technorati Tags: A.R.E.S, WiFi, Cryptography

In the tenth anniversary edition of his Cryptogram (congrats by the way, Bruce), Bruce Schneier references an article that originally appeared in The Guardian talking about how the Transport Safety Administration (TSA) is now searching laptops in some cases when departing the country.   This means that when traveling, your data is not safe.  Moreover, they have the right to confiscate your hardware.  How can you ensure that your data is safe?  Schneier naturally recommends the use of encryption.  While there’s many ways to do this, what I personally have been doing lately is using TrueCrypt to create and encrypted file that I store on an external USB drive.  This way, not only is your data encrypted, but it’s not even physically on the laptop.  The nice thing about TrueCrypt is that it’s free (open source) and it’s cross platform.  So if you need access this data from various platforms, you have the ability to do so.  Go download this and start using it if you’ll be traveling out of the country any time soon.

Technorati Tags: TrueCrypt, TSA

I came across an article on SiliconValley.com that Google has just launched a new service, Google Health.  In a nutshell, Google is billing this as an aggregation service that allows you to pull your online health information from various sources into one place.  It also allows you to keep your own medical journal for information not found in any of the other sources.  When I first saw this, I thought it was another innovative idea.  However, one of the points that really jumped out at me was that the terms of service says that Google is not a “covered entity” under HIPAA.  This means that not only CAN they share your information with other parties, they can do so in a means that doesn’t protect this information from Joe Hacker.  In the spirit of not duplicating this, I’ll refer you to a ZDNet article that details this.  Now, to the defense of Google, the Google Public Policy Blog (likely in response to the various articles on this topic) does go through to explain that Google will protect your information.  However, if this is the case, then I personally wish they’d clean up their Usage Agreement.  Now, perhaps it’s because I’m very security minded from my job, but I personally think I’ll stay 10 feet away from this Google product.  What about you?  Would you put your information in Google Health?

Technorati Tags: Google Health, HIPAA

Phishing is everywhere nowdays and the Internet is more dangerous now than ever before. All this possible due to the increased dynamic content and more integration with other technologies, like ActiveX. One of the new defenses against phishing attacks is multi-factor authentication schemes. In this scheme, users are authenticated to a service by more than just a username/password combination. Generally, this uses another authentication proof (what you have, what you know, and what you are). While this is a new technology, company’s such as Citibank have been implementing this to maintain a competitive edge and secure their customers’ data. Well, now it appears that said solution from Citibank has been circumvented. The Washington Post is carrying details on how a WebSite used a “man-in-the-middle” attack and some very cleverly designed emails and website to lure unsuspecting users in. A few interesting points here… First, the email calls out an IP Address of the “hacker that tried to access the account”. Once a users bites, they are taken to a web page that appears to be in the citibank namespace, but upon closer inspection is actually on a russian (.RU) site. When the user enters their credentials and the one-time pin from the token, these are passed to a PHP page which logs into CitiBank as that user. Then a money transfer is quickly performed while the pin is still valid (lifetime of 1 min). Even better, if you present bad credentials, you will see an error on the phishing page. This is a very convincing phishing scheme that many would fall into. This is just further proof that we all need to be on our toes when surfing online. 

Technorati Tags: CitiBank, Phishing, Man-in-the-middle, privacy, two-factor authentication

After reading this article, that statement is now more true than ever. A team was asked to perform a Penetration Test on a credit union and was asked speciffically to push social engineering and USB security. Their approach? Develop a trojan and seed USB drives with it. They then planted the drives by the credit union entrance to be picked up by the employees as “a free USB drive”. Within MINUTES, the employees plugged these into their computers and the trojan went to work emailing confidential information to the auditors which they were then use to comprimise business critical systems. The worst part? The employees were already on alert that someone was going to be performing a Pen Test!!! This just tells me that despite the measures that some organizations take to secure their borders with firewalls and IDS’s, many companies overlook internal protection and user eductation.

Technorati Tags: usb, trojan horse, penetration test

I just saw two rather disturbing stories on Slashdot about people finding hard drives on eBay and at a Flea Market filled with the same personal data that they had when the parted their orginal owners.  In the flea market case, the drive was last in possession of the Geek Squad (Best Buy) that told the customer that the drives would be shredded in the store.  Here’s the lesson people, don’t trust others to secure your data.  If you’re getting rid of a computer, either wipe it with a DoD compliant wipe by using something like “Darik’s Boot and Nuke” or by drilling a hole through the drive to render it unusable.  I don’t know about you, but I dont want my credit card numbers to be in the clear.

Technorati Tags: Identify Theft, Hard Drive Wipe, Darik’s Boot and Nuke

The Archiveus Ransomware virus has been cracked. For those that have not heard of this virus, this was a particularly nasty virus that would encrypt files from your “My Documents” folder and not share the key unless you paid a ransom to the virus author. If you find yourself or a friend afflicted by this, the code to unlock these files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. These type of viri are particularly nasty. I would suspect that Archiveus is only the first of many. Therefore, let me take a minute to encourgage everyone to update their AV definitions, install all the latest patches, enable a spyware logger, and for God’s sake practice some safe computing. If you dont’ recognize the sender, don’t click on the VBS attachment. And even if you do recognize the sender, be sure to scan everything or to even look at using signed/secured email.

Technorati Tags: Archiveus, ransomware, encryption

File this one under “Bad Idea”.  The great folks in Redmond today have released a new service called “Windows Live One Care” whereby for $50 a month you get the following….

It works quietly in the background on your computer, so you don’t have to worry about nasty interruptions from viruses, spyware, hackers, and other unwanted intruders.

Now I know that many of us already swear by our favorite security vendor (i.e.:  Symantec, McAfee, etc.) to provide very similar services and we pay subscriptions each year also.  But to me there just seems to be something inherently wrong with Micro$oft charging for this service.  Rather, I think they should be more concerned issuing patches for the very vulnerabillities that they are defending against.  I must say that the thought paying MS to protect me against flaws in their code simply offends me.  They should be providing this service as part of the cost of their application.  The next thing you know, we’re going to have to start paying for the monthly security patches.  Am I the only one that feels this way?

Technorati Tags: Windows Live OneCare, Micro$oft

Hot off the press, e-EYE has reported a vulerabillity in Symantec’s Antivirus Corporate Edition 10.x which could allow an attacker to remotely control a computer “without any user intervention”. The included link goes to the SANS ISC for a little more objective coverage that what is currently going around. From what I’ve seen so far, it looks like they’re doing a great job capturing updates to it. I would assume they will have a fix posted here as well when one becomes available.