Enabling Secure Business Operations

Is It Time for an Open Source Certificate Authority?

April 30th, 2007

Slashdot poses an interesting question and the ensuing discussion should get security folks’ minds churning.

So I’ll pose the question here as well, and ask how something like this should (or could) be implemented.

SecureZip Free Version Is Just Winzip Encryption

April 25th, 2007

Several people are writing about the once-paid, now-free encryption tool SecureZip.

Don’t be fooled by the talk of digital certificates, however. The free version doesn’t let you use anything more than passwords to encrypt files (albeit with 256-bit AES) – it’s really just Winzip encryption.

The layout of the software is also a bit confusing: the word “signatures” is thrown around, and no warning is given if you create a SecureZip file that isn’t encrypted. (Files are not encrypted by default.)

You can read the review or find out how easy it is to crack Winzip passwords.

Password Typing Patterns May Be Used to Differentiate Users

April 20th, 2007

The first commercial product that enhances password security by analyzing the way passwords are typed is being rolled out. They are calling it bio-security, though I don’t know where the “bio” comes from.


A US company is aiming to reduce the risk of identity theft by introducing ‘bio-security’ to passwords, meaning that users would have to type their user name and password with consistent speed in order to be logged in.

The technology, which measures the time for which keys are held down, as well as the length between strokes, takes advantage of the fact that most computer users evolve a method of typing which is both consistent and idiosyncratic – especially for words used frequently such as a user name and password.


In case you are drunk or sleepy and type your password using an unusual pattern, a series of security questions is presented. It’s $35,000 per server plus a $1.15 subscription fee per user annually.

We’re paying to be more secure, but don’t get payments for insecurity. I bet you if each bank had to pay $1.15 to each user whose account information they lost…
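
The two timings the article describes (how long each key is held, and the gap between strokes) are enough to build a small keystroke-dynamics check. The following is an added example, not code from the original post or from the product it describes: it enrolls a profile from a few typings of the same secret, scores a new attempt by mean absolute z-score, and returns "challenge" (hand off to the security questions) when the pattern is too far off. All sample timings, the 0.02 s standard-deviation floor, and the 1.5 threshold are constructed assumptions; the password itself is assumed to have been verified separately.

```python
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class KeyEvent:
    key: str
    down: float  # press time, seconds from the first keypress
    up: float    # release time


def extract_features(events):
    """Dwell = how long each key is held; flight = gap between releasing one
    key and pressing the next. Returns dwell times followed by flight times."""
    events = sorted(events, key=lambda e: e.down)
    dwell = [e.up - e.down for e in events]
    flight = [nxt.down - cur.up for cur, nxt in zip(events, events[1:])]
    return dwell + flight


STD_FLOOR = 0.02  # seconds (assumed); keeps a very consistent typist from getting a zero tolerance


def enroll(samples):
    """Build a profile (per-feature mean and std dev) from several typings of
    the same user name/password. Needs at least two samples of equal length."""
    vectors = [extract_features(s) for s in samples]
    if len(vectors) < 2 or len({len(v) for v in vectors}) != 1:
        raise ValueError("need >= 2 samples of identical length")
    columns = list(zip(*vectors))
    return [(mean(c), max(stdev(c), STD_FLOOR)) for c in columns]


def deviation(profile, attempt):
    """Mean absolute z-score of the attempt against the profile; 0 is a perfect match."""
    feats = extract_features(attempt)
    if len(feats) != len(profile):
        raise ValueError("attempt length does not match profile")
    return mean(abs(f - m) / s for f, (m, s) in zip(feats, profile))


def decide(profile, attempt, threshold=1.5):
    """'accept' on a consistent pattern; otherwise 'challenge', so the caller
    falls back to security questions as the article describes."""
    return "accept" if deviation(profile, attempt) <= threshold else "challenge"


def make_sample(keys, dwells, flights):
    """Constructed sample: build KeyEvents from dwell/flight timings in seconds."""
    events, t = [], 0.0
    for i, k in enumerate(keys):
        events.append(KeyEvent(k, t, t + dwells[i]))
        t = events[-1].up + (flights[i] if i < len(flights) else 0.0)
    return events


# Constructed enrollment data: three typings of the same four-character secret.
ENROLLMENT = [
    make_sample("pass", [0.10, 0.12, 0.09, 0.11], [0.08, 0.10, 0.07]),
    make_sample("pass", [0.11, 0.11, 0.10, 0.10], [0.09, 0.09, 0.08]),
    make_sample("pass", [0.09, 0.13, 0.08, 0.12], [0.07, 0.11, 0.06]),
]
PROFILE = enroll(ENROLLMENT)

# Constructed attempts: one close to the enrolled rhythm, one much slower.
GENUINE = make_sample("pass", [0.10, 0.12, 0.10, 0.11], [0.08, 0.10, 0.08])
SLEEPY = make_sample("pass", [0.25, 0.30, 0.22, 0.28], [0.40, 0.55, 0.35])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("sleepy", SLEEPY)):
        print(name, round(deviation(PROFILE, attempt), 3), decide(PROFILE, attempt))
```

The floor on the standard deviation matters more than it looks: with only a handful of enrollment samples a user can appear perfectly consistent at one position, and without a floor a single millisecond of drift would produce an enormous z-score and lock the genuine user out.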

Fake VA Tech Donation Sites

April 19th, 2007

The fraud sites, the malware sites, the questionable ones, and finally the real Hokie Donation Site.

You can help SANS determine which is which as well. More shady sites are sure to pop up.

Did we learn nothing from Columbine?

April 18th, 2007

Again I feel the need to rant about a non-information security topic, but this is important to discuss. Unless you have been living under a rock, you have heard about the events of this past Monday.

I don’t think we learned anything from Columbine. Cho Seung-Hui exhibited all the classic warning signs, and was able to buy two guns and killed 32 innocent people. Read on for my rant.

In the paper On the Anniversary of Columbine: Ten Lessons Learned and Forgotten by James Garbarino and Ellen deLara of Cornell University, there are two lessons which seem extremely related to what happened with Cho Seung-Hui:

Lesson #4: Most school shootings are thwarted or intercepted because other kids share information with adults. Most kids who kill “leak” their intent to other kids-and sometimes even to adults. We are making progress in convincing the peers of violent youth that they must take responsibility of recognizing this “leakage” and reporting it to caring and capable adults.
Lesson #7: We need to listen to our kids. If a couple of students are expressing concerns for safety at school, it is very likely that they represent the feelings of others. Further, when students express anger towards classmates, they may be at risk for harming themselves or others. We are beginning to take this seriously, but too slowly. We still want to believe that “it isn’t going to happen here,” so we fail to take kids seriously.

Now, listen to these quotes from today’s CNN article:

Authorities confirmed that Cho had been investigated last year for stalking a woman in person and by e-mail.
...
(Professor Lucinda) Roy, meanwhile, said the writings by Cho, an English major, were disturbing enough that she went to police and other university officials to seek help.
...
Ian MacFarlane, who said he had class with Cho, called two plays Cho wrote “very graphic” and “extremely disturbing.”... “It was like something out of a nightmare,” MacFarlane wrote in a blog. “We students were talking to each other with serious worry about whether he could be a school shooter.”

Now from another article from the Associated Press:

Professor Carolyn Rude, chairwoman of the university’s English department, said Cho’s writing was so disturbing that he had been referred to the university’s counseling service.
“Sometimes, in creative writing, people reveal things, and you never know if it’s creative or if they’re describing things, if they’re imagining things or just how real it might be,” Rude said. “But we’re all alert to not ignore things like this.”

Students, roommates, and professors recognized that this was a troubled individual. They seem to have done the right things; students told teachers, teachers told counselors and police. So, what happened? How did this slip through the cracks?

This is one of those situations where there might not be a right answer. For every gun-toting mass murderer, there are probably 10 or even 100 loners that others consider a bit strange. We can’t just lock them all up, but can we at least prevent them from purchasing firearms?

Subject Lines May Give You Away

April 16th, 2007

Even if you are using strong encryption methods to protect the contents of your emails, you may be giving more away than you realize.

We all want to get our emails read and increase the efficiency of our electronic mails. A good way to accomplish both is to have very specific subject lines.

I recommend using the subject line to convey the general contents of the email – don’t use the subject line to write the message.

Lines like, “Merger of Company X to be Announced Today @3“ may not be such a good idea.

Bank of America Hack Highlights ‘Secure’ Images

April 13th, 2007

Companies often try to enhance security without asking users to do anything. ‘Secure’ images are one such attempt and can be used in phishing attacks as demonstrated (QuickTime video). You can read more here and here.

Secure images don’t help prevent phishing attacks, and we don’t like them either.

Like Peter Parker’s Uncle Ben said, “with great power comes great responsibility.” Banks, TurboTax, and the like certainly have a lot of power, with little oversight.

7 Years of Spam Statistics

April 12th, 2007

Well, almost 7. A bunch of them. [via SANS]

TurboTax Online Info Leakage

April 11th, 2007

As reported by NBC4:

A Turbo Tax customer herself, the woman attempted to access some past filings and the route she took online opened returns for several others with the same last name but different first initials.
She was able to access tax returns for Turbo Tax customers she never met in different parts of the country. On her screen, she found everything needed for electronic filing from bank account to routing digits and Social Security numbers.

OK, so if some innocent woman accidentally stumbled upon this, what is the likelihood that the real bad guys haven’t just seen it, but exploited it too?

If I were a paying customer of TurboTax Online, I would immediately demand they remove my information from their system and provide me a full refund, as well as a few years of a credit monitoring service at Intuit’s expense. Of course, why anyone would prepare their taxes on a website seems kind of strange to me…
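
The failure the report describes, a "past filings" lookup that matches on surname and so returns other customers' returns, is a textbook missing-authorization bug. The following is an added, hypothetical illustration (not Intuit's code, and not a description of how their site was actually built): a constructed in-memory store with two customers who share a last name, the name-keyed lookup beside a version scoped to the authenticated account, a direct fetch that fails closed, and a server-side invariant check that would have flagged the leak in testing. All record data is made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TaxReturn:
    return_id: int
    owner_account: int   # account that filed this return
    last_name: str
    first_initial: str
    ssn_last4: str       # constructed placeholder, never real data


# Constructed store: accounts 1 and 2 share a surname, the condition the report describes.
RETURNS = [
    TaxReturn(101, 1, "Smith", "J", "1234"),
    TaxReturn(102, 2, "Smith", "A", "9876"),
    TaxReturn(103, 2, "Smith", "A", "5555"),  # same customer, an earlier year
    TaxReturn(104, 3, "Jones", "J", "2222"),
]


def past_filings_vulnerable(account_id: int, last_name: str):
    """Hypothetical reconstruction of the failure mode: the lookup keys on
    surname and never consults the caller's account, so anyone sharing the
    last name sees everyone else's returns."""
    return [r for r in RETURNS if r.last_name == last_name]


def past_filings_hardened(account_id: int, last_name: Optional[str] = None):
    """Scope every query to the authenticated account. The name is at most a
    display filter over records the caller already owns, never the key."""
    return [
        r for r in RETURNS
        if r.owner_account == account_id
        and (last_name is None or r.last_name == last_name)
    ]


def get_return(account_id: int, return_id: int) -> Optional[TaxReturn]:
    """Direct-object fetch that fails closed: a return owned by another account
    is indistinguishable from one that does not exist."""
    for r in RETURNS:
        if r.return_id == return_id and r.owner_account == account_id:
            return r
    return None


def leaks_across_accounts(account_id: int, results) -> bool:
    """Invariant worth asserting in tests or a response filter: a page served
    to one account must never contain a record owned by a different account."""
    return any(r.owner_account != account_id for r in results)


if __name__ == "__main__":
    for fn in (past_filings_vulnerable, past_filings_hardened):
        rows = fn(2, "Smith")
        print(fn.__name__, [r.return_id for r in rows],
              "LEAK" if leaks_across_accounts(2, rows) else "ok")
```

The `leaks_across_accounts` check is the part worth keeping even after the query is fixed: run as an assertion in the handler (or as a test over every list endpoint), it turns a silent disclosure into a loud failure the next time someone adds a name-keyed shortcut.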

Proof of Concept iPod Virus

April 6th, 2007

Nifty, but the iPod needs to be running Linux to be infected by Linux.Noslo.


Kaspersky Lab has discovered the first virus designed to infect iPod portable media players. The virus, which has been named Podloso, is a proof of concept program which does not pose a real threat.

The virus is a file which can be launched and run on an iPod. It should be stressed that in order for the virus to function, Linux has to be installed on the iPod. If the virus is installed to the iPod by the user, the virus then installs itself to the folder which contains program demo versions. Podloso cannot be launched automatically without user involvement.


Also, the virus has to actually be installed by the user, but just think about all of those other portable devices, cell phones included, where that isn’t the case.