Preventing the Hack Before the Technology
November 2nd, 2006
Now this is “thinking ahead” about security. Let’s see if the technology makes it through (personally I have high hopes).
Worrying about malicious software may be premature for a technology so young. The first digital electronic computer, ENIAC, went online in 1946 and the first known attacks against computer systems occurred about two decades later. Yet, in all likelihood, such attacks will become a reality, and that’s reason enough to worry now, said USC’s Lidar.
There is no telling what such an attack might look like. Destroying data or circumventing a calculation on a quantum computer is the easiest course. Attackers could operate a rogue computer on the quantum network or corrupt the communications line, he said.
Because some of the greatest advantages of quantum computing are in the area of security, I suspect that it will be on the forefront of quantum research.
Disaster Averted Once Again
November 1st, 2006
What this article points out is a situation that every branch of security faces.
Every incident such as this one is yet another reminder that every attack has potential. Although the article doesn’t state how the attackers were able to compromise the laptop, I’m willing to bet they exploited some well-known vulnerability, or somebody was checking their email and clicking on questionable links.
I seriously doubt it was just because the attacker was “pretty good.” Granted he or she is probably “pretty good” – lucky for us in the States that they didn’t realize (or care) that they could have potentially disrupted water service for a bunch of people.
So the article goes on as they always do – a snazzy headline to grab readers’ attention. Something along the lines of,
Hack Could Have Given Attacker Control of Nukes
Then they interview law enforcement officials who say that disaster was averted yet once again. Good thing the attackers didn’t do/realize anything…
So the story goes, but these attacks hold a good deal of potential to cause some havoc. When that does happen one day we’ll hear on the news that the attack could have been prevented by something like updating Windows and that the warnings were ignored.
Not to be a doomsday nut – the end of the world is not coming; however, one day something (major) that could have been prevented is.
Isn’t that how it is always going to be though?
A bit ridiculous
October 27th, 2006
I’ve heard of minimum password length requirements, but this is ridiculous…
Hackers Zero In on Online Stock Accounts
October 24th, 2006
Via the Washington Post:
Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities.
Anyone else being pummeled with an onslaught of advertisements to buy penny stocks? This recent spate of online brokerage fraud seems to be related to the same pump-and-dump schemes showing up in your inbox. Buy a penny stock at a low price. Spam a bunch of people and say that it’s a great deal—inevitably some will agree and buy it. Why not stop there? Use other people’s accounts to buy a bunch of it too, pumping up the price. Then, sell your stock and profit!
This seems like it should be solvable. The SEC and the minor markets should put a bunch of honeypots out there, and get a bunch of email addresses on as many mailing lists as possible. As soon as they receive a spam message about a particular stock, they should hold off all trading on it for a few hours…
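
The hold-on-spam rule proposed above, sketched as an added example (not part of the original post or of any regulator's system). It assumes honeypot mail arrives as (time, honeypot address, body) tuples and that the spam names the stock after a keyword such as "Symbol:"; the function names, the 3-hour hold and the `min_honeypots` threshold are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Keyword, separator, then 3-5 capitals that spam often splits with spaces or dots.
TICKER_RE = re.compile(
    r"(?i:symbol|ticker|otc)\s*[:\-]\s*((?:[A-Z][ ._]?){3,5})(?![A-Za-z])")


def extract_tickers(body):
    """Return the de-obfuscated ticker symbols advertised in one message."""
    return {re.sub(r"[^A-Z]", "", raw) for raw in TICKER_RE.findall(body)}


def compute_halts(messages, halt_hours=3, min_honeypots=1):
    """Map ticker -> time until which trading is held.

    messages: (received, honeypot_address, body) tuples in arrival order.
    min_honeypots=1 is the post's rule; a higher value makes it harder for one
    sender to freeze a stock by mailing a single known honeypot address.
    """
    seen, halts = {}, {}
    for received, honeypot, body in messages:
        for ticker in extract_tickers(body):
            seen.setdefault(ticker, set()).add(honeypot)
            if len(seen[ticker]) >= min_honeypots:
                halts[ticker] = received + timedelta(hours=halt_hours)
    return halts


def trading_allowed(ticker, when, halts):
    """True unless `ticker` is inside an active hold at time `when`."""
    return ticker not in halts or when >= halts[ticker]


# Constructed sample mail; addresses and tickers are fictitious.
T0 = datetime(2006, 10, 24, 9, 0)
SAMPLE = [
    (T0, "trap1@example.org", "HOT pick!!! Symbol: ZQXV set to explode this week"),
    (T0 + timedelta(minutes=5), "trap2@example.org", "Insider alert (OTC: Z.Q.X.V) buy now"),
    (T0 + timedelta(minutes=9), "trap1@example.org", "Ticker - K J W P, target $2.50"),
]
```

With the post's one-message rule both sample tickers are held; with `min_honeypots=2` only the ticker seen at two distinct honeypot addresses is.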
Trojan with integrated Anti-Virus
October 23rd, 2006
Found in eWeek …
Veteran malware researcher Joe Stewart was fairly sure he’d seen it all until he started poking at the SpamThru Trojan—a piece of malware designed to send spam from an infected computer.
The Trojan, which uses peer-to-peer technology to send commands to hijacked computers, has been fitted with its own anti-virus scanner—a level of complexity and sophistication that rivals some commercial software.
Other mass-mailing software running on your botnet getting you down? Not able to maximize that bandwidth on your pwned computer? Simply download, install, patch, and use pirated anti-virus software as part of your trojan!
Much like the fight against the terrorists, the only way we can win this war is to take away the economic incentive. In the case of terrorism, as soon as we stop buying foreign oil we’ll be set. In this case, I guess when people stop buying stuff out of spam emails…
Security and Class
October 20th, 2006
MSNBC has a neat article entitled Double Standards in Security Hassles:
If you want to know why America’s security is so heavy on busywork and inconvenience and light on practicality, consider this: The people who make the rules don’t have to live with them. Public officials, some law enforcement officers and those who can afford expensive hobbies are often able to pull rank.
Class warfare isn’t new. But in this form it is dangerous. By paying attention to the wrong things – grandma at the airport – we are ignoring the right things – identifying the most dangerous people. By training an army of low-paid workers to harass us all at airports by taking away our cologne, we aren’t doing the right things – hiring, training and rewarding an elite force of employees specially equipped to keep those who would hurt us off our airplanes and away from our bridges and tunnels.
Important things to think about. Remember, the 9/11 hijackers all flew first class…
I know what you’re saying. “This is an information security blog, what is he doing talking about security at the airport for?” I think the same type of thing tends to apply in information security as well. Does the CEO of the big multinational corporation use a smartcard to read his encrypted email? Or, does his assistant handle the hassles of decrypting and verifying for him? Does the system administrator have to abide by the same password rules as you and I, or can they just set their account to “password never expires”? Class matters in all things related to security.
Targeted Trojan attacks
October 18th, 2006
Good article on SecurityFocus about the rise of targeted attacks with specially designed trojans. A similarly themed story is running on CNET news.com.com.
Bruce Schneier has posted about it on his blog as well.
“If you haven’t noticed these attacks and you are a big company, you have likely already been attacked,” [MessageLabs security researcher Alex] Shipp told attendees at the Virus Bulletin 2006 conference. “Your problem is no longer how do I avoid being attacked, but how do I find where I’ve been compromised.”
Scary but accurate. If you wanted to infiltrate a network, a trojan specifically crafted for that purpose which had never been seen before would probably be your best bet. OK, maybe not as good as free USB drives but probably a good idea.
Attack on RSA Signature Verification
October 13th, 2006
NIST’s CSRC has released a whitepaper detailing an attack against RSA digital signature verification using PKCS-1 padding.
NIST has designed a sequence of messages that can be used by a vendor to test the vulnerability of an implementation to this type of attack (see http://csrc.nist.gov/cryptval/anncmnts.htm). Concerned users should contact the vendor of their RSA digital signature application to request information on the vulnerability of their implementation.
Worth noting and checking into…
How do you secure 100 Million Laptops?
October 12th, 2006
From eWeek:
If the plan is perfectly executed, Nicholas Negroponte’s One Laptop Per Child project will deploy 100 million laptops in the first year. In one fell swoop, the nonprofit organization will create the largest computing monoculture in history.
Wary of the security risks associated with a computing monoculture—millions of machines with hardware and software of identical design—OLPC foundation officials are seeking help from the world’s best hackers to review the full specifications of the $100 laptop’s security model.
It’s a good question, and worth some thought. You probably can’t go down the typical anti-virus route depending on constantly updated signatures of common viruses. Yet, you need an updating scheme for when flaws are detected. You need strong controls everywhere from the BIOS to the disk, but you don’t want to hamstring users.
Perhaps a call to the Xbox 360 team at Microsoft would be in order. That’s been out for about a year, and despite the attempts of tons of hackers, people still can’t run unauthorized stuff on there—yet.

