Posts Tagged ‘infosec’

The Coming Cyberwars

Posted in security on March 10th, 2009 by irv

What do you do if a foreign government attacks your country’s computer systems? In America we apparently throw a lot of money down a hole and then the guy theoretically in charge of defending our networks quits.

Anyone who has followed the news knows this is not a hypothetical question. For example, two years ago when Russia invaded Estonia there was a concurrent denial of service attack across the Internet on Estonian servers. This attack caused communications difficulties that may have affected the Estonian response to the invasion (not that there was ever very much they could do) and even reportedly disrupted such things as ATM transactions (see Russia’s Cyberwar on Estonia).

Recently, a story has been circulating that the Russians have admitted to being behind the Estonian attacks (See Russian politician: ‘My assistant started Estonian cyberwar’). There’s less to this story than meets the eye, though. Sergei Markov, a Russian government official, claimed recently that a deputy (who he conveniently refused to name) of his was outside Russia at the time the war began and started the cyber attacks entirely on his own, as a “reaction from civil society.” Apparently this was meant to indicate that the attacks had nothing to do with any official strategy but were a spontaneous uprising of the proletariat against the reactionary forces etc. etc.

In other words, it sounds like typical old-fashioned Soviet propaganda and just doesn’t pass the smell test. Unless the Russians really want the world to believe that low grade government functionaries often have access to destructive botnets that can be turned against any country that happens to annoy them?

The Security Cynic, Episode 1

Posted in security on February 27th, 2009 by irv

Once, when I was considering things like blog names and twitter-like user names, I considered calling myself the Security Cynic. I know, that sounds redundant. Anyone who knows much about security is likely to be highly skeptical of much of what is often said about security. And anyone who has worked for a living may be, um, less than impressed by the security practices of a lot of companies or departments, even when their managers claim that security is the most important thing on their minds.

It would be easy at this point to segue into a discussion of the monstrous Heartland data breach but that’s not where I’m going with this today. Still, it’s an interesting object lesson in security cluelessness and should be studied as such. Here are some links:

Now that that’s out of the way, back to today’s storyline. I laughed out loud (seriously enough to not even acronymize it!) when I saw this in the Twitter stream of dantheshive:

@pvponline Be sure to save that bad boy. I personally have a mail folder marked simply as “evidence”.

What do you mean I forgot the security?

Posted in science, security on February 15th, 2009 by irv

Is security a science? (I mean specifically computer/Internet security here.) Maybe the question is trivial, but sometimes I wonder. The question occurred to me as I was reading a section on cross-site scripting attacks in Ed Skoudis’s excellent book Malware: Fighting Malicious Code, which is the textbook for a class I’m taking. Being a curious sort of guy, I tried it out. I took a prototype web site I had developed for my job and inserted some JavaScript into a text field, just to see if it would work. It did.

I had the advantage of knowing that I had not included defenses against such an attack in the code, because it was a prototype intended to work through a problem, not an actual attempt to build a real live website. It was never going to see real life on the Internet. Well, it seems now that this may not be true. I’ve moved on to other things while that old prototype site has been handed to another programmer to build out into a more complete system. I guess I’d better warn the programmer that he has to include some kind of whitelisting or tag stripping on the data entry fields before it goes live.

Monday I guess I’ll add it to his backlog. It’s already on mine for the current project (at least, I hope it is!).

The Infection Meme

Posted in Internet on February 12th, 2009 by irv

We commonly refer to computer programs that spread and cause trouble in terms of diseases; we call them viruses and we say that a computer that has one is infected. Lots of things spread, though. Butter. Ideas. Economic downturns. Clouds of nerve gas. But there are a more limited number of things that spread between people.

Twitter had a problem today. Not just today, but that’s when it seemed to come to a head. (If you don’t know Twitter, all you need to know is that people send very short messages that will be seen by their friends who “follow” their posts, or by anyone who looks at the stream of all posts. More on Wikipedia at http://en.wikipedia.org/wiki/Twitter). This was both hilarious and disturbing. Hopefully that’s not a comment on life, the Internet, or Twitter itself.

[Image: Twitter without Don't Click]

What happened was that Twitter was hit by a piece of program code that used a simple social engineering trick to fool people into activating it, so it could reproduce. It showed a link that said “Don’t click this link.” Of course people did click the link, allowing the code to insert itself into their feed, where all their followers would see it – and passive-aggressively do what they knew they shouldn’t and replicate the link still farther.

privacy protection for imbeciles

Posted in digital business on January 2nd, 2009 by irv

It started out strange and got stranger. Then it got stupid.

Chapter 1: The first strangeness

A few months ago I noticed an odd charge on my cell phone bill. It was for about $10 and was for a service I didn’t recognize. I called the phone company and they said it was a subscription to a media service, so I could download ringtones and things to my phone. I explained that I never do that. I did download a ringtone a few years ago (Hell’s Bells by AC/DC) but since my phone is always on vibrate, getting another seems pointless. And I don’t download other media to my phone. I’m one of those weird old-fashioned guys who uses the phone for talking – and not a real lot of that.

The representative of the phone company was very understanding and helpful. When I told him I had no idea how this service got added to my bill and I did not want it, he removed the charge and canceled the subscription. After I verified on my next bill that he had done as he said, I thought the incident was over.

Not exactly.

Security is soooo insecure

Posted in digital business on December 23rd, 2008 by irv

I’ve read a couple of year end pieces recently (sorry, I haven’t yet gotten into the habit of collecting links for pseudo-interesting stuff as I read) claiming that information security type jobs will be protected from the current economic downturn. The logic seems to go that companies understand that, in order to compete on the Internet, they have to protect themselves more than ever before. So, though they’ll be laying people off in all other sections of the business, they will actually expand their staff in protecting their digital assets.

This is some of the stupidest wishful thinking I have ever seen. Not THE stupidest, but it’s truly dumb.