Security Archives - Sky's Blog
https://blog.red7.com/tag/security/
Communicating in a networked world

No chance for true security?
https://blog.red7.com/no-chance-for-true-security/
Thu, 28 Jan 2010 17:15:13 +0000

Is security dead on the Internet? Yeah, it probably is—as long as we rely on software other people have written[1]. Unless you’re capable of writing all of your own software, without any errors, and keeping it isolated from software written by anyone else, you’re never going to have a secure digital life[2].

But there are things you can do to protect yourself. NGO-in-a-box has developed Security-in-a-box, a set of tools and tactics for your digital security. Worth taking a look!

It’s often said that “if we can envision it, we can create it,” but in the world of computer (and network) software this is only partially true. We can attempt to create it, but it will always have bugs in it. And those bugs are the chinks in the armor that allow malware to work and cyberwarfare to succeed.


[1] That’s because I can write a perfect program with no bugs, but nobody else can.

[2] See also The Social Graph of Malware, my site where I explore ways in which social engineering is used by the bad guys to get malware onto your computer.

It’s the User, Stupid (It’s the Stupid User?)
https://blog.red7.com/its-the-user-stupid-its-the-stupid-user/
Mon, 30 Mar 2009 04:00:07 +0000

In The Curious Case of the Invulnerable Browser, Roger Grimes of Infoworld writes about the recent CanSecWest 2009 PWN2OWN contest, where hackers pitted their skills against web browsers to see how quickly they could break into a computer. The prize was the computer itself. Roger says that the state of browser security is actually pretty good, but that even if browsers were impenetrable, the major source of computer break-ins is users browsing to a web site that then infects their computer.

That’s my experience too. So it’s actually “user stupidity” that gets users’ computers hacked. They click on a link in an email advertising a sexy video and they end up on a site that poisons their computer instead. Or they open a tempting file that has been sent to them by email. Social engineering is the technique used to get into most computers.

Don’t click that link! Don’t open that file!

Slicing up the Cloud
https://blog.red7.com/slicing-up-the-cloud/
Mon, 05 Jan 2009 09:14:01 +0000

Cloud computing – it’s a relatively new term for a relatively old concept. For at least six months now I’ve been thinking about two inevitabilities: 1) that my servers will fail some day soon; and 2) that I may have to rapidly scale (up) some customer’s site because it will suddenly have traffic needs well beyond the capacity of my servers.

The answer is pretty obvious to me – I’ll soon be eliminating my own servers in favor of purchasing computing power in whatever quantities I need at the time. Scalable on demand. From one of the cloud service providers that are coming online now.

Buying cloud computing essentially means buying computing power without knowing or caring exactly where it is physically located or what type of equipment it’s on. Someone else buys the servers, puts them in racks, powers them, cools them, and connects them to the Internet. And they stand there ready to go into service whenever they’re needed.

I looked at Amazon EC2 first, because it’s been getting a lot of publicity. Amazon has built server farms that can scale up and down rapidly, and has been supporting its own services on those computers for years. It was logical that they’d be in a position to sell “time” on servers to anyone who wants it…as long as they had the spare capacity. But Amazon charges $0.10 per hour for a basic “server” instance, which means $2.40 a day or over $72 a month for even one server. That’s pretty close to what I was paying Verio for a virtual private server in the late 1990s, and it’s probably 50% of what it costs me to have my own server with several times the capacity.

Then I ran across a company called Slicehost – recently acquired by Rackspace. These guys offer raw server instances (virtual private servers) starting at $20 a month. These $20 “slices” are small, but they get the job done and they’re ideal for hosting web sites that are simple, have low traffic requirements, and yet might have to be scaled up at a future date. To scale, you access the Slicehost online control panel, and within minutes you can have a much larger slice of a server – still “private” – with literally the click of a button.

Oh, and the “private” is important. My clients need pretty tight security, and running a web site on a virtual private server means they don’t have to worry about some other user of the same server having a weak password and getting hacked, consequently opening up a window to my client also getting hacked. With a virtual private server, there’s only one user, and you’re responsible for your own problems.

So the site you’re looking at right now is on Slicehost. On their smallest and cheapest offering. And yet handling the traffic pretty well. And on top of that, I have several sites all on the same slice. This isn’t for the faint of heart – I had an Ubuntu 8.04 server instance installed and from there I installed all of the services I needed, but this really requires some middling sysadmin expertise. (Takes me under an hour to provision one slice and bring up a WordPress instance. Then about 30 minutes for additional WordPress instances or web sites.)

This is the future and it’s slick.

Oh, by the way, the new look of the web site is not related to the switch to Slicehost. I just got tired of the old look, and loved this new theme, and switched over during the migration to Slicehost.

Let’s be Clear About This – Lots more Laptops will be Stolen
https://blog.red7.com/lets-be-clear-about-this-lots-more-laptops-will-be-stolen/
Tue, 05 Aug 2008 19:00:39 +0000

The Clear program at San Francisco International Airport (SFO) has suffered an almost-predictable blow – a stolen laptop computer containing confidential records.

Clear is the program that pre-screens travelers, collects biometric data, puts this on a smart-card (embedded processor+memory, not RFID) and then allows travelers at a few high-traffic airports to go thru a quick-screen line (including a retinal scan to verify ID) rather than stand in lines with un-pre-screened passengers. They still get screened, but they “jump line,” sometimes skipping ahead of a hundred or more who are waiting in the regular lines.

Almost predictably, a laptop containing the data of 33,000 applicants (not participants) was stolen from a secured room at SFO. A spokesperson says “it [the laptop] was protected by two passwords” – but that doesn’t tell us whether the information was encrypted, how strong the encryption was, nor why sensitive information would be on a portable (and thus easily stolen) computer in the first place. (It is pretty easy to bypass password security unless the data is also encrypted – I’ve done it myself more than once on client computers where they’ve forgotten a password – takes about 10 minutes.) And we don’t know what other types of information might be on this computer.

Clear is run by an independent contractor under TSA oversight.

One interesting outcome was the comments ABC7 (San Francisco TV) collected – for instance “Clear customers say the sooner the changes are made the better, although no one seemed too worried about the security breach. ‘Your information is everywhere and people volunteer their information on places like Facebook, on Twitter, on MySpace and stuff,’ … a traveler.” I don’t actually think they understand the breadth of information that was reported to be on that computer – this is information that is to be used in a security screening, not just social security numbers (though those may not have been present), and presumably known only to the applicant – a far broader range of confidential information than most other systems would hold. It just shows that people are resigned to living in a transparent world – probably until they are directly affected, of course.

KTVU’s reportage on this same story: KTVU also reports “The TSA requires RT service providers and sponsoring entities to encrypt all files containing participants’ sensitive personal information. Noncompliance with such requirements can result in actions including suspension of a program and possible civil penalties.” I have not verified this, and we don’t know the type of encryption that’s required – for instance the traditional password on a ZIP file is weak protection, while encryption under a 2048-bit RSA key (which in practice wraps a symmetric key that encrypts the files themselves) would be a lot harder to crack.
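The difference between “protected by two passwords” and actually encrypted is the whole point of this story, and the RSA comparison deserves one concrete illustration: a 2048-bit RSA key never encrypts the files directly, it wraps a symmetric key that does. The Go program below is an added example written for this page; it is not code from the original post, from Clear, or from the TSA. It shows what “encrypted with a 2048-bit RSA key” means in practice: the records are sealed under a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP so a stolen laptop holds only ciphertext and a wrapped key, while the private key stays with the operator. The applicant record is a constructed string, not real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what would sit on the portable machine: the records encrypted
// under a one-time AES-256 key, plus that key wrapped with RSA-OAEP under a
// 2048-bit public key. The matching private key never touches the laptop.
type Envelope struct {
	WrappedKey []byte // AES data key, RSA-OAEP encrypted
	Nonce      []byte // 96-bit AES-GCM nonce, unique per envelope
	Ciphertext []byte // records followed by the 16-byte GCM authentication tag
}

// Seal encrypts plaintext for the holder of pub. A fresh random data key is
// drawn for every envelope, so no two files ever share a key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open reverses Seal. A wrong private key fails at the OAEP step; any change
// to the nonce or ciphertext fails the GCM tag check. Neither returns garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or nonce was modified")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample record for illustration; not real applicant data.
	record := []byte("applicant=J. Doe;dob=1970-01-01;passport=X000000;iris=<template>")

	// In a real deployment the private key lives with the program operator,
	// not on the field laptop; it is generated here only to run the demo.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&priv.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on laptop: %d-byte wrapped key, %d-byte ciphertext\n",
		len(env.WrappedKey), len(env.Ciphertext))

	back, err := Open(priv, env)
	fmt.Printf("legitimate holder recovers: %q (err=%v)\n", back, err)

	env.Ciphertext[0] ^= 0x01 // simulate tampering or corruption
	_, err = Open(priv, env)
	fmt.Println("tampered envelope:", err)
}
```

Two passwords on the login screen add nothing to this picture: whoever pulls the disk reads the Envelope bytes, and without the private key those bytes are all they get. Authenticated encryption (GCM) also means a corrupted or edited file is refused rather than silently decrypted to nonsense.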

I earlier reported on “odd” scanning of my driver’s license at a regional airport, to which TSA replied (in comments on my blog) that it was (probably) an ultraviolet light (blacklight) being passed over the license to be sure it was genuine (this process reveals the “holographic” images in the license’s plastic layers). As I said, I was concerned that any scanned information that passed into a laptop computer allowed potential theft of this confidential information. Well, I guess this Clear incident further emphasizes that security information has no business being stored on a computer that can be physically stolen.

What was that TSA guy doing with my driver’s license?
https://blog.red7.com/what-was-that-tsa-guy-doing-with-my-drivers-license/
Wed, 25 Jun 2008 07:07:49 +0000

I boarded a plane at a small regional airport two weeks ago. And noticed some new and unusual behavior by the TSA screener at the security checkpoint.

After I walked thru the metal detector, he took a small penlike device and scanned it across the name, address and photo on my driver’s license. Slowly. Twice. Which is why I figured he was scanning. At first my reaction was that he was optically scanning the information into this “pen” and that it would be dumped into a computer later on.

Bruce Schneier is a fantastic source of information, particularly for debunking security myths. From what I’ve read on Bruce’s blog, it’s possible that the TSA guy was just running an ultraviolet light across the license to look at the holograms on the license. But my eyes are pretty sensitive to UV and honestly I didn’t see any reflection. (Cool video of Bruce’s Q&A at DEF CON 15.)

So I’m still working the theory that he scanned an image that would later end up in a TSA computer. (See IRIS pen scanner, or look at what the New York Times reported last year.)

What would happen to that scanned information? Well, if banks and healthcare institutions are any indication, it would likely go (via USB) onto a laptop computer somewhere, later on to be stolen.

I am continuing to research this, but wonder if anyone else has run into this scanning behavior by TSA?

The All-seeing eye (in China)
https://blog.red7.com/the-all-seeing-eye-in-china/
Sat, 31 May 2008 08:43:50 +0000

I’m going to start a series of articles (and references) on how our governments are watching us.

I’ll start with China, which is of course very much in the news right now for repressive measures it takes against its citizens. Many of you will know already that China monitors and censors Internet (particularly web) users, but may not be aware how widely it monitors its citizens.

This article, China’s All-Seeing Eye by Naomi Klein in Rolling Stone, should get you started. Her subtitle is “With the help of U.S. defense contractors, China is building the prototype for a high-tech police state. It is ready for export.”

China is notable because what we in the U.S. might regard as fundamental freedoms, like the right to free speech and dissent, seem to be viewed as hindrances to social and economic development.

The Exploitation of the Online Class
https://blog.red7.com/the-exploitation-of-the-online-class/
Sat, 19 Apr 2008 14:52:01 +0000

I have been kept more than busy. Super busy. Recently with the many online exploits that assault us on all fronts.

I wonder how many of you are noticing it yet. Steep uptick in the past two weeks.

First, of course, spam continues to snowball. (A snowball from Hell!) Increasing at a ferocious rate. Since I manage email for a number of friends and customers, I have multiple spam filters in front of my mail because I receive hundreds of spam messages every day (many of them duplicates, of course, to the same account). Having three filters means that almost all spam messages are caught. But the filters are so aggressive that many messages I need to read also are trapped in the spam dragnet. So I have to go thru the spam box several times a day and 1) fish out the legitimate messages; and 2) trash-can the spam.

My defenses include: 1) SpamAssassin running on my mail server, which catches at least half of the spam so it never reaches my computer, and almost never quarantines a message that I really want; plus 2) Intego Personal Anti-Spam, which is more than aggressive and is rule- and blacklist-driven; plus 3) SpamSieve, which is a Bayesian filter (looking at word combinations).
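The third layer, Bayesian filtering of the SpamSieve kind, is simple enough to show in full. The Go program below is an added example for this page, not code from the post or from any of the products named above. It trains a word-level naive Bayes classifier on a handful of constructed messages (not real mail) and scores new ones as P(spam). It also reproduces the complaint in the previous paragraph: a perfectly legitimate note that happens to use spammy vocabulary lands in the spam box.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Classifier is a word-level naive Bayes spam filter: it counts how often each
// token appears in spam and in legitimate mail ("ham") and combines those
// frequencies to score a new message.
type Classifier struct {
	spamWords, hamWords map[string]int
	spamTotal, hamTotal int // tokens seen per class
	spamMsgs, hamMsgs   int // messages seen per class
}

// tokenize lower-cases the message and splits it into alphanumeric tokens,
// keeping "$" so that amounts like $1000000 survive as a feature.
var tokenRe = regexp.MustCompile(`[a-z0-9$]+`)

func tokenize(msg string) []string {
	return tokenRe.FindAllString(strings.ToLower(msg), -1)
}

func NewClassifier() *Classifier {
	return &Classifier{spamWords: map[string]int{}, hamWords: map[string]int{}}
}

// Train adds one labelled message to the model.
func (c *Classifier) Train(msg string, spam bool) {
	words, total, msgs := c.hamWords, &c.hamTotal, &c.hamMsgs
	if spam {
		words, total, msgs = c.spamWords, &c.spamTotal, &c.spamMsgs
	}
	for _, w := range tokenize(msg) {
		words[w]++
		*total++
	}
	*msgs++
}

// vocabSize counts distinct tokens across both classes, for add-one smoothing.
func (c *Classifier) vocabSize() int {
	seen := make(map[string]bool, len(c.spamWords)+len(c.hamWords))
	for w := range c.spamWords {
		seen[w] = true
	}
	for w := range c.hamWords {
		seen[w] = true
	}
	return len(seen)
}

// SpamProbability returns P(spam | message). Likelihoods are accumulated in
// log space with add-one (Laplace) smoothing, so a word never seen in one class
// cannot drive that class to zero, then mapped back to a probability in [0,1].
func (c *Classifier) SpamProbability(msg string) float64 {
	if c.spamMsgs == 0 || c.hamMsgs == 0 {
		return 0.5 // untrained: no evidence either way
	}
	v := float64(c.vocabSize())
	n := float64(c.spamMsgs + c.hamMsgs)
	logSpam := math.Log(float64(c.spamMsgs) / n)
	logHam := math.Log(float64(c.hamMsgs) / n)
	for _, w := range tokenize(msg) {
		logSpam += math.Log((float64(c.spamWords[w]) + 1) / (float64(c.spamTotal) + v))
		logHam += math.Log((float64(c.hamWords[w]) + 1) / (float64(c.hamTotal) + v))
	}
	return 1 / (1 + math.Exp(logHam-logSpam))
}

// SampleClassifier trains on constructed messages (not real mail) so the
// scoring can be demonstrated offline.
func SampleClassifier() *Classifier {
	c := NewClassifier()
	for _, m := range []string{
		"Click here to watch the sexy video now!!!",
		"Cheap meds online, no prescription, click now",
		"You have won $1000000, claim your prize now",
		"Hot singles want to meet you, click the link",
	} {
		c.Train(m, true)
	}
	for _, m := range []string{
		"Meeting moved to Thursday, agenda attached",
		"Can you review the WordPress migration notes before Friday",
		"Thanks for the server logs, the disk issue is fixed",
		"Lunch tomorrow? The usual place at noon",
	} {
		c.Train(m, false)
	}
	return c
}

func main() {
	c := SampleClassifier()
	for _, m := range []string{
		"Click here to claim your prize video",
		"Notes on the server migration for Thursday meeting",
		"Click the link to the video of the meeting", // legitimate, but spammy words
	} {
		fmt.Printf("%.3f  %s\n", c.SpamProbability(m), m)
	}
}
```

With this tiny training set the obvious spam scores above 0.99 and the obvious work mail below 0.01, but the third message, a friend pointing you at a recording of a meeting, scores around 0.8 because “click”, “link” and “video” were only ever seen in spam. That is exactly why the spam box has to be fished through: a Bayesian filter is only as fair as the mail it was trained on, and a few hundred spam messages a day skews it towards aggression.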

For virus protection on the server side, I have McAfee anti-virus installed (integrated into my Kerio mailserver) – which updates its definitions every few hours – and on my computer I use Intego VirusBarrier, which complements Intego’s spam product.

The other problem that’s on the rise over the past couple of weeks is a malware explosion, including trojans/viruses embedded in attachments. We call ’em poisoned files. I have seen poisoned ZIP, RAR, PDF, DOC and JPG files recently. It has gotten so bad that I no longer open any attached files unless I know exactly what they are and where they came from.

And many of these viruses look like they came from friends – even though their computers seem to be uncompromised. (Viruses used to mail themselves from infected computers, but recently that has not been the attack vector; instead the viruses seem to know how to get a list of your friends from elsewhere and then use that list, plus a legitimate email you have sent in the past, to target only the friends who would be interested in that message. Truly social engineering.)

And the most insidious attack vector is the poisoning of files that are legitimately available for download on well-trafficked web sites. Particularly visible among the Tibet support groups: certain web servers have been invaded and the PDF and other files offered there for download have been replaced with trojaned, virus-laden versions. So you go to a perfectly good web site, download a file you expect to be OK, and suddenly you’ve got a virus. This practice is so widespread that it’s almost impossible to tell 1) how the file got infected; 2) how the server was invaded; and 3) even that you shouldn’t download! (I can say more about this later on when we know more about the attack vectors and the results of the malware – this is still pretty new and is evolving rapidly.) I hear from friends that Kaspersky and F-Secure are the best protection against virus-laden downloads – at least for Windows users.
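Two checks a recipient can run before opening any of the ZIP, RAR, PDF, DOC or JPG attachments described above, or a file pulled from a trusted site. The Go program below is an added example for this page and not code from the post: DetectType reads the file’s leading magic bytes, ExtensionMismatch flags a file whose content does not match its claimed extension (the “video.jpg” that is really a Windows executable), and VerifyDigest compares a download against the SHA-256 a publisher lists, which is what catches a legitimate site’s file being swapped for a poisoned copy. The sample byte strings are constructed headers, not real files. A magic-byte check is a sanity test, not a malware scanner: a genuine PDF can still carry an exploit, so it complements the anti-virus products named above rather than replacing them.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// signature maps a leading byte pattern to the file type it identifies.
type signature struct {
	kind  string
	magic []byte
}

// Leading bytes for the attachment types named in the post, plus the one an
// attacker most often hides behind them.
var signatures = []signature{
	{"zip", []byte{0x50, 0x4B, 0x03, 0x04}},                         // "PK\x03\x04"
	{"rar", []byte("Rar!\x1a\x07")},                                 // common prefix of RAR 1.5+ and RAR5
	{"pdf", []byte("%PDF-")},
	{"doc", []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}}, // OLE2 compound file (legacy .doc)
	{"jpg", []byte{0xFF, 0xD8, 0xFF}},                               // JPEG start-of-image marker
	{"exe", []byte("MZ")},                                           // DOS/PE executable
}

// DetectType returns the type implied by the first bytes, or "unknown".
func DetectType(data []byte) string {
	for _, s := range signatures {
		if bytes.HasPrefix(data, s.magic) {
			return s.kind
		}
	}
	return "unknown"
}

// ExtensionMismatch reports whether the name's extension disagrees with the
// content. Files with no extension or an unrecognised body are treated as a
// mismatch, because nothing vouches for them either.
func ExtensionMismatch(name string, data []byte) bool {
	i := strings.LastIndex(name, ".")
	if i < 0 {
		return true
	}
	ext := strings.ToLower(name[i+1:])
	switch ext {
	case "jpeg":
		ext = "jpg"
	case "docx", "xlsx", "pptx":
		ext = "zip" // Office Open XML files are ZIP containers
	}
	return DetectType(data) != ext
}

// VerifyDigest compares a download to the SHA-256 the publisher advertises.
func VerifyDigest(data []byte, expectedHex string) bool {
	sum := sha256.Sum256(data)
	return strings.EqualFold(hex.EncodeToString(sum[:]), expectedHex)
}

func main() {
	// Constructed file headers, not real documents.
	samples := []struct {
		name string
		data []byte
	}{
		{"report.pdf", []byte("%PDF-1.4\n%constructed\n")},
		{"video.jpg", []byte("MZ\x90\x00\x03\x00\x00\x00")}, // executable wearing a .jpg name
		{"notes.docx", []byte{0x50, 0x4B, 0x03, 0x04, 0x14, 0x00}},
		{"old.doc", []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}},
		{"README", []byte("plain text")},
	}
	for _, s := range samples {
		fmt.Printf("%-12s detected=%-8s mismatch=%v\n",
			s.name, DetectType(s.data), ExtensionMismatch(s.name, s.data))
	}

	// Publisher's listed digest for the bytes "abc", standing in for a real download.
	listed := "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	fmt.Println("intact download: ", VerifyDigest([]byte("abc"), listed))
	fmt.Println("swapped download:", VerifyDigest([]byte("abd"), listed))
}
```

The digest check only helps when the published hash comes from somewhere the attacker did not also control; a hash listed next to the download on the same compromised server proves nothing, which is why signed releases or a hash obtained out of band are worth the extra step.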

China’s Golden Shield (The Great Firewall of China) – How long can it stand?
https://blog.red7.com/chinas-golden-shield-the-great-firewall-of-china/
Sun, 28 Oct 2007 05:16:04 +0000

Here’s another, very recent, report on how well China’s Golden Shield (otherwise known as the Great Firewall of China) is or isn’t working. By Oliver August, in WIRED. I was encouraged to read here (and in other places as well) news that blogging continues to increase in China, and although there’s plenty of repression of bloggers, there are just more and more of them every day.

For example, one tale from this article… “As Chinese citizens become aware that their most potent advantage over censorship is their sheer numbers, more and more grievances are aired online — sometimes with significant consequences. The first cyber-rebellion to have a major political impact took place in 2003. Sun Zhigang, a young migrant worker in Guangzhou, died in police detention after failing to produce identity documents during a street check. Sun’s friends protested his death on discussion boards, and soon other sites picked up a campaign demanding police accountability and reform of the laws affecting migrant workers. Before the unprepared system monitors could react, an avalanche was in motion. …”

“Of course, China is hardly a Jeffersonian paradise. Thousands languish in prison because of harmless online activities. A recent example is Zhang Jianhong — blogging as Li Hong — who was sentenced to six years for posting political essays. Cases like his justify strong criticism of China. But they don’t prove that its monitoring system is successful on a national scale. …”
