A bit ridiculous
October 27th, 2006
I’ve heard of minimum password length requirements, but this is ridiculous...
Via the Washington Post:
Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities.
Anyone else being pummeled with an onslaught of advertisements to buy penny stocks? This recent spate of online brokerage fraud seems to be related to the same pump-and-dump schemes showing up in your inbox. Buy a penny stock at a low price. Spam a bunch of people and say that it’s a great deal—inevitably some will agree and buy it. Why not stop there? Use other people’s accounts to buy a bunch of it too, pumping up the price. Then, sell your stock and profit!
This seems like it should be solvable. The SEC and the minor markets should put a bunch of honeypots out there, and get a bunch of email addresses on as many mailing lists as possible. As soon as they receive a spam message about a particular stock, they should hold off all trading on it for a few hours…
Found in eWeek ...
Veteran malware researcher Joe Stewart was fairly sure he’d seen it all until he started poking at the SpamThru Trojan—a piece of malware designed to send spam from an infected computer.
The Trojan, which uses peer-to-peer technology to send commands to hijacked computers, has been fitted with its own anti-virus scanner—a level of complexity and sophistication that rivals some commercial software.
Other mass-mailing software running on your botnet getting you down? Not able to maximize that bandwidth on your pwned computer? Simply download, install, patch, and use pirated anti-virus software as part of your trojan!
Much like the fight against the terrorists, the only way we can win this war is to take away the economic incentive. In the case of terrorism, as soon as we stop buying foreign oil we’ll be set. In this case, I guess when people stop buying stuff out of spam emails…
MSNBC has a neat article entitled Double Standards in Security Hassles:
If you want to know why America’s security is so heavy on busywork and inconvenience and light on practicality, consider this: The people who make the rules don’t have to live with them. Public officials, some law enforcement officers and those who can afford expensive hobbies are often able to pull rank.
Class warfare isn’t new. But in this form it is dangerous. By paying attention to the wrong things – grandma at the airport – we are ignoring the right things – identifying the most dangerous people. By training an army of low-paid workers to harass us all at airports by taking away our cologne, we aren’t doing the right things – hiring, training and rewarding an elite force of employees specially equipped to keep those who would hurt us off our airplanes and away from our bridges and tunnels.
Important things to think about. Remember, the 9/11 hijackers all flew first class…
I know what you’re saying. “This is an information security blog, what is he doing talking about security at the airport for?” I think the same type of thing tends to apply in information security as well. Does the CEO of the big multinational corporation use a smartcard to read his encrypted email? Or, does his assistant handle the hassles of decrypting and verifying for him? Does the system administrator have to abide by the same password rules as you and I, or can they just set their account to “password never expires”? Class matters in all things related to security.
Good article on SecurityFocus about the rise of targeted attacks with specially designed trojans. A similarly themed story is running on CNET news.com.com.
Bruce Schneier has posted about it on his blog as well.
“If you haven’t noticed these attacks and you are a big company, you have likely already been attacked,” [MessageLabs security researcher Alex] Shipp told attendees at the Virus Bulletin 2006 conference. “Your problem is no longer how do I avoid being attacked, but how do I find where I’ve been compromised.”
Scary but accurate. If one wanted to infiltrate a network, a trojan specifically crafted for that purpose which had never been seen before would probably be your best bet. OK, maybe not as good as free USB drives, but probably a good idea.
NIST’s CSRC has released a whitepaper detailing an attack against RSA digital signature verification using PKCS-1 padding.
NIST has designed a sequence of messages that can be used by a vendor to test the vulnerability of an implementation to this type of attack (see http://csrc.nist.gov/cryptval/anncmnts.htm). Concerned users should contact the vendor of their RSA digital signature application to request information on the vulnerability of their implementation.
Worth noting and checking into…
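As an added illustration (not from the NIST paper or this post), assuming the issue is the well-known one where a verifier parses the PKCS#1 v1.5 encoded message leniently and ignores whatever follows the hash: a strict verifier rebuilds the expected encoded message and compares it byte for byte, while a lax one scans the padding and stops once it has found a matching digest. The constructed byte string below has the shape a lax parser accepts but a strict one rejects; no RSA operation is involved, only the encoding check that sits after it.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(msg: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 || PS (0xFF bytes, at least 8) || 0x00 || T."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_strict(em: bytes, msg: bytes) -> bool:
    """Correct check: recompute EM and compare the whole thing, constant-time."""
    expected = emsa_pkcs1_v15_encode(msg, len(em))
    return hmac.compare_digest(em, expected)


def verify_lax(em: bytes, msg: bytes) -> bool:
    """Flawed check: walks the padding, then ignores any bytes after the digest."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = em[i + 1:]
    if not t.startswith(SHA1_DIGESTINFO_PREFIX):
        return False
    start = len(SHA1_DIGESTINFO_PREFIX)
    digest = t[start:start + 20]
    return digest == hashlib.sha1(msg).digest()  # trailing bytes never examined


def demo() -> tuple:
    """Returns (strict ok, lax ok, strict on malformed, lax on malformed)."""
    msg = b"transfer 100 shares"  # constructed sample message
    em_len = 128                  # 1024-bit modulus
    good = emsa_pkcs1_v15_encode(msg, em_len)
    # Constructed malformed EM: minimal padding, correct DigestInfo, then filler.
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    malformed = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    malformed += b"\x00" * (em_len - len(malformed))
    return (verify_strict(good, msg), verify_lax(good, msg),
            verify_strict(malformed, msg), verify_lax(malformed, msg))
```

The lax verifier's last result is the one a vendor test should flag: a correctly formed encoding is accepted by both, but only the strict comparison refuses an encoding padded with far fewer 0xFF bytes than the modulus size requires.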
From eWeek:
If the plan is perfectly executed, Nicholas Negroponte’s One Laptop Per Child project will deploy 100 million laptops in the first year. In one fell swoop, the nonprofit organization will create the largest computing monoculture in history.
Wary of the security risks associated with a computing monoculture—millions of machines with hardware and software of identical design—OLPC foundation officials are seeking help from the world’s best hackers to review the full specifications of the $100 laptop’s security model.
It’s a good question, and worth some thought. You probably can’t go down the typical anti-virus route depending on constantly updated signatures of common viruses. Yet, you need an updating scheme for when flaws are detected. You need strong controls everywhere from the BIOS to the disk, but you don’t want to hamstring users.
Perhaps a call to the Xbox 360 team at Microsoft would be in order. That’s been out for about a year, and despite the attempts of tons of hackers, people still can’t run unauthorized stuff on there—yet.
Our bulletin board has had this editorial from eWeek hanging for over 4 years now. Still worth a thought.
We have to get over the bias that there’s something dishonorable about choosing languages that prize safety over pure efficiency. Hardware capacity is growing faster than programmer accuracy. It’s time to require case-by-case justification of C and C++, the tools that grease the floor and let developers run with knives.
Have we reached that point yet? Have Java and .NET taken over, or are C and C++ still ruling the roost? If so, what is the holdup?
SecurityFocus is reporting that online attackers are hitting the U.S. Department of Commerce.
The U.S. Department of Commerce took hundreds of computers offline following a series of attacks aimed at federal employees’ computer accounts by online thieves that appear to be based in China, according to media reports published on Monday.
Kind of disappointing, considering NIST is an agency of the U.S. Commerce Department, and NIST has brought us the XP Security Guides and lots of other special publications. Good thing they also wrote SP 800-61, Computer Security Incident Handling Guide...
From eWeek, a link to a cute slideshow of Peter Coffee’s Dirty Dozen IT Embarrassments.
1999: Melissa Worm teaches crucial lessons—or does it?
How many of this worm’s enablers are still common IT practice?
The worm generated so much traffic, so quickly, that some sites had to turn off their e-mail servers. Melissa spread without user action by exploiting convenience features. Seven years later, we’re only beginning to rein in that syndrome—an effort that requires eternal vigilance.
It’s a cute list, as with all “Top X” lists people will agree and disagree with parts of them. Perhaps most interesting is that five out of the twelve are directly related to security and privacy. Perhaps it is time for a “top twelve security disasters”.