Security Blog
Copyright (c) 2008, kcarlson

A Bad Day at Pakistan Telecom
kcarlson, Editors Blog, 2008-02-25T16:02:37Z

Sometimes I think I should have been a network engineer. I love all that "belly of the internet beast" stuff—giant high-speed routers, huge data pipes, and all things close to the backbone of the Internet. But then I remember my grades from my engineering classes, and why I dropped engineering, and switched my major to English. Perhaps the engineer who broke both YouTube and the Pakistani Internet yesterday should have switched his major, too, before it was too late. I mean, I wouldn't want to be that guy right now. Would you want to be the guy who kept Pervez Musharraf from getting to his MySpace page?

It all stems, of course, from Pakistan's recent directive to its country's ISPs to block YouTube because of videos of those supposedly blasphemous Dutch cartoons. Yes, that again. Won't die, will it? In a nutshell, when someone in Pakistan modified some routing tables to direct all Pakistani traffic to YouTube into a black hole, the routing information escaped national boundaries by way of Hong Kong, and began routing worldwide YouTube traffic to that Pakistani black hole. Whoopsie. I give credit to Ars Technica for a detailed and fascinating explanation of the underlying problem.

Apparently, the problem was corrected in a couple hours, and the consensus seems to be that it was an accident. If it was a concerted attack, or a test of attack methods, it certainly would have been a clumsy one, since it essentially resulted in a DDoS attack on the hypothetical attacker's own country. About as effective as a lit stick of dynamite strapped to a boomerang, really.

But that doesn't mean there isn't a huge vulnerability underlying this whole incident. It's conceivable that an attacking country (or other entity), if it were well prepared and didn't care all that much if innocent bystanders got cut off from the world, could use this routing vulnerability to strike at an enemy. It all depends on how desperate they are, and how willing they are to cripple the Internet as a whole. Gee, it doesn't seem too difficult to think of one or two groups who might fit that bill.

I suppose there's reason to hope that this incident will throw the spotlight back on a vulnerability that we've known about for years, but have never gotten around to fixing. That fix won't be easy, but clearly it's necessary.


Here We Go Again: The "Good Worm" Debate
kcarlson, Editors Blog, 2008-02-21T19:56:04Z

A new paper by Milan Vojnovic, Varun Gupta, Thomas Karagiannis and Christos Gkantsidis from Microsoft Research examining the best ways of propagating information across a network has resurrected the oft-discredited idea of "good" viruses spreading peace, harmony and security patches across computer networks.

I feel a bit sorry for the researchers, because in the manner of good scientists everywhere, they tried to be objective, and remove the ethical considerations of the methods they were studying, and focus simply on the technical factors involved in network propagation. The idea is to get the knowledge first, then worry about the ethical considerations. Ethical judgements without knowledge of the facts are usually bad judgements. But of course, this is a touchy subject, and anyone even hinting that there might be benefit to delivering information in what the researchers term an "epidemic style" is likely to get an earful of criticism.

Indeed, the very birth of the worm itself seems a cautionary tale. The first worm was created by John F. Shoch and Jon A. Hupp of Xerox PARC, and its initial intent was good. Depending on which sources you read, it was either intended to help implement some sort of CPU load sharing, or to install tools to measure network performance. But a bug in the program caused it to spread mayhem instead, crashing each machine it touched as it travelled around the network.

So why do people keep talking about "good" worms for delivering updates and patches? Two reasons that I can see: It saves load on a central server, and it makes much more efficient use of network bandwidth to distribute the code to all users. This becomes especially attractive for delivering security patches when you consider that traditional means of patching are necessarily much slower than the speed at which the virus propagates. There's never any hope of getting ahead of the malicious code to stop its spread. All you can do is heal infected machines after the fact, slowly hardening the network as you go.

But the two main arguments against "good" worms are pretty compelling: First, they're too risky, and second, they're too sneaky. They're too risky because a very tiny bug can turn a beneficial worm into an unintentionally malicious worm, even if all that buggy worm does is bog down a machine, or eat up endless network resources. Those flaws alone can bring down an entire network. And they're too sneaky because they have to do what they do without permission from the user if they are to propagate with any sort of efficiency. It isn't just that we feel our sense of control violated by this—it's bad design. A system that changes itself without our permission or knowledge is, for all intents and purposes, an unstable system that we can't count on.

ID Fraud Declines
kcarlson, Editors Blog, 2008-02-12T17:55:17Z

Last fall, we learned that identity fraud is more of a low-tech than a high-tech crime. Now, there's some new evidence that ID fraud is on the decline overall. A new report suggests that financial losses from identity theft dropped 12% in 2007 to $45 billion, down from $51 billion in 2006.

This is great news, but the big question is: why? The report suggests that it's a combination of consumer awareness and organizational security. In other words, whether you're a programmer working on secure data systems and practices for the enterprise, or just a consumer of those data systems, you can pat yourself on the back.

Consumers have learned more about the problem in the last year, and have gotten more vigilant in monitoring their accounts. This has led to more early detection of fraud, and limited damages. Another trend is that consumers continue to adopt online account management and forgo paper statements. As we learned last fall, it's these paper statements that are far more dangerous than online account access. Fewer paper records mean that dumpster diving becomes less profitable, and everyone is safer.

But there are some dark clouds in the survey as well. While the overall cost of ID fraud has decreased, the damages per victim have risen. This makes sense: the harder you make it to commit the crime, the fewer amateurs will be successful. That just leaves the clever crooks. So you have fewer incidences of crime, but those remaining incidents are more carefully designed frauds, and so are more effective and profitable taken individually.

The other black lining in this silver cloud is that your safety from ID fraud depends on where you live. If you live in California, Idaho, Illinois, West Virginia or Delaware, you are more likely to be a victim of ID fraud than, say, a resident of Alaska, Colorado, Louisiana or Maine.

Should Your IP Address Be Private?
kcarlson, Editors Blog, 2008-01-29T19:09:37Z

The European Union has just ruled that Spain's Telefonica SA doesn't have to hand over the identities of file sharers on its networks. At least, not simply because the allegedly aggrieved party asks for such information.

The case involves Promusicae, a group representing film and music producers, who had asked for the names and addresses of KaZaA users on Spanish telecom Telefonica SA's network who it believed were sharing copyrighted works. Telefonica SA essentially responded by saying "Nuh-uh. We only have to do that if it's a criminal prosecution or a matter of national security." Promusicae said "We'll see you in court."

The Spanish courts passed it up the chain to the EU's highest court, which has sided with Telefonica SA.

Central to this whole mess is the question of how private one's IP address should be. Well, let's clarify: not how private one's IP address should be, but how private the link between one's IP address and one's personally identifying details should be. Most of us go around with our IP addresses hanging out for all to see. Few people bother to use an anonymizing proxy for simple web browsing or file sharing.

So how sacred should we make this identifying link? My instinct is that it should be very private, right up to the point where you commit a crime. Yet even this maxim represents a simplification of the issue. Who gets to determine when you've committed a crime? Surely not third parties who have a profit motive, or some even less noble motive to stop you from doing what you're doing. I'm not being anti-capitalist here—I believe in the right to profit from intellectual property. But the question of whether or not someone has committed a crime, and therefore forfeited the right to privacy, cannot, and must not, be left in the hands of those responsible to no one but their own shareholders.

Even in the hands of governmental powers, this power is abused. But at least there is some semblance of responsibility to the general public when public officials must make these determinations. You can argue, of course, that this responsibility is not taken seriously, but that's not a reason to hand over the power to private parties.

GDrive: Is Trust Enough?
kcarlson, Editors Blog, 2007-11-27T17:04:42Z

So the rumors over Google's online storage ambitions continue to swirl, stirred this time by a report in the Wall Street Journal that cites its sources as "people familiar with the matter." You sort of get the impression that WSJ reporters had to meet their shadowy sources in a darkened Silicon Valley parking garage in order to glean this bit of news.

Questionable sources aside, I don't need much convincing that Google is planning some sort of "GDrive" to compete with the online personal data storage currently offered by Microsoft, AOL, Apple and others. It's a logical move if your ambition is to move the bulk of users' computing experience onto the web. I have no doubt Google could do it well -- probably better than anyone else, actually.

But wow, do you have to have a high level of trust in any organization if you're going to start storing your personal files en masse on someone else's servers, especially when part of the infrastructure of said system includes a file-sharing capability, and when those files are going to be potentially read by an indexing program to make them searchable (one hopes, only to you).

I'm sure Google plans to lock this down as tight as they possibly can. I can also hear a chorus of "online data storage is the future, man -- get used to it" building in the world of tech punditry. But color me reluctant. I've used Google Docs and Spreadsheets almost since the day it was introduced (I was a JotSpot user before Google bought it), but never have I put any information up that could get me in trouble or allow someone access to my personal information. If I were to start using an online service to replace some of the need for my hard drive, I would necessarily start being more indiscriminate about what got stored there. Even if you try to be careful, your sensitive data will begin to migrate online the more you depend on such storage.

Can that data be secured as well as it can on your hard drive? I just don't think it can. It's going to make a tempting target for hackers: all that juicy personal data hanging from Google's tree of knowledge, waiting to be plucked. Whereas my hard drive is pretty hard to get to: It rarely leaves my house, and it's secured on a machine that offers no file sharing services, listens on no ports, and is itself hidden away behind a pretty tight network firewall. Furthermore, my drive is just one person's information. If someone cracks the Google system, they're potentially able to access the data of thousands or millions of people.

At some point we have to ask ourselves just how good our security technology can ever be. At best, we can stay one step ahead of data thieves. We're all just one slip-up away from a break-in. So maybe sometimes the question we should be asking is not "How can we secure this data?" but instead "Do I really need to expose this data to risk?".

Even Google's own internal information doesn't always stay secure. The last paragraph of the WSJ story claims, with no apparent awareness of irony, that:

A document Google inadvertently released on the Web in March 2006 said it was moving toward being able to "store 100% of user data," citing "emails, Web history, pictures, bookmarks" as a few examples.

"Inadvertently"? As in "unintentionally"? The point being that Google is an organization made up of flawed humans who will someday, inevitably, spill the contents of your hard drive onto a public sidewalk.

Firefox Beta Bets on Security
kcarlson, Editors Blog, 2007-11-20T15:52:36Z

Given that much of the recent growth in the Firefox user base has come at the expense of Microsoft due to security problems with Internet Explorer, I don't find it surprising at all that Mozilla continues to bet on security enhancements as a big selling point for Firefox. The long-anticipated beta of Firefox 3 is now out, and the Firefox developers have kept the security momentum going.

The list of enhancements to the browser is fairly extensive, but you'll notice that the security enhancements top the list. From the release notes:



  • One click site info: Click the site favicon in the location bar to see who owns the site. Identity verification is prominently displayed and easier to understand. In later versions, Extended Validation SSL certificate information will be displayed.

  • Malware Protection: malware protection warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware. You can test it here (note: our blacklist of malware sites is not yet activated).

  • New Web Forgery Protection page: the content of pages suspected as web forgeries is no longer shown. You can test it here.

  • New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate.

  • Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.

  • Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.

  • Anti-virus integration: Firefox will inform anti-virus software when downloading executables.

  • Vista Parental Controls: Firefox now respects the Vista system-wide parental control setting for disabling file downloads.

What I like about most of these features is that many of them are focused on not just preventing mischief, but on informing the user. Better feedback to the user about security I think works in an application's favor. Of course, "better" should not be equated with "more." Firefox seems to be on the right track here — explicitly warning users when necessary, but otherwise, putting the security information where users can get at it, but not presenting it in a way that forces them to swat away dialog and warning boxes every five minutes.

So, kudos to Mozilla. But there's always a catch. In this case, it's the fact that, by Mozilla's own estimate, this new version of Firefox represents two million new or changed lines of code. That's an awfully big landscape for new bugs to hide in. And some of those bugs are bound to be security related. But hey, that's what beta testing is all about, right?

What is Comcast Doing?
kcarlson, Editors Blog, 2007-10-25T17:45:28Z

So with the recent kerfuffle over Comcast's network management policies, it seems prudent right now to ask just what the heck are they actually doing, and why?

The simple answer seems to be that they are limiting activities on their network that tend to hog lots of bandwidth. Fair enough. I'd say they have a right to keep some users from hogging all the network capacity. But here's what I don't understand (and I'm not a network engineer, so maybe some of you out there can clarify this for me): why target specific kinds of traffic or specific applications like peer-to-peer file sharing? Wouldn't it just be simpler (and fairer) to impose a monthly transfer limit for all customers? I could imagine many fair ways to implement this — you could throttle users back to something closer to dial-up speed if they hit their monthly maximum, for one thing. If everyone knew the limit, no one would have any legit reason to complain if they went over it.

But instead, the company is not stating any clear policy, and is instead limiting customers' traffic in ways the customer is never informed about. What are Comcast's rules of the road, and why do none of their customers know what these rules are?

I can think of a couple of reasons why Comcast might be doing things this way. First, I might be wrong about the simplicity of imposing caps. Maybe it is far simpler to just monkey with the specific traffic that comprises the worst of the bandwidth hogging: BitTorrent traffic. In this case, it's a question of expediency.

Or maybe it is simple to impose caps, but Comcast fears a customer backlash if they start clearly stating limitations to customers who will see such limitations as a throttling of their service — in essence, a diminution of service without a commensurate diminution in rates charged. In this case, it's a question of Comcast trying to be stealthy, and solve their problem while staying under the radar.

Whatever the reasoning, it's clear that Comcast, by their own admission, is doing something to limit certain traffic generated by some of its customers, without stating any clear policies about what that limitation is, and how it is applied. I'm not saying Comcast can't manage its network. But I think they owe it to their customers to come clean about how they're doing it.

ID Fraud More Low-tech Than You Might Think
kcarlson, Editors Blog, 2007-10-23T18:13:02Z

I suppose that being immersed in the tech world can lead to seeing things as technological problems, when in fact, they are simply sociological problems. Maybe that's why I was among those who associated the crime of identity theft primarily with computers. In my mind, I think I pictured identity thieves as hackers.

But really, what's easier: hacking into some institution's or individual's computer, or dumpster diving for credit-card receipts? A recent study released by the Center for Identity Management and Information Protection at Utica College seems to confirm that the dumpster divers outnumber the hackers by a wide margin.

The study used data from 517 closed Secret Service cases that involved an identity theft component. Of these, fully half did not involve using the internet in any fashion. Of the remaining half that did use the internet in some way, it is difficult to determine the extent to which the internet was the primary means of committing the crime. The study does state, however, that in only 10 percent of the crimes was the internet the only means of committing the crime.

Really this is just more evidence that an organization's security is only partly a question of hardening your software. As long as account numbers are being printed on paper, and those papers can be carelessly thrown away, the best software in the world won't save you. Ditto for social engineering. If organizations don't train employees to recognize scams, the biggest vulnerabilities may remain as gaping holes.

Just Because You're Paranoid Doesn't Mean You Aren't Being Tracked
kcarlson, Editors Blog, 2007-10-18T18:02:10Z

Oh, the things that show up in my inbox. Apparently, it's easier than ever before to be a stalker. If you want to keep track of someone's whereabouts every second of every day, well, you're in luck. There's an affordable product designed just for you: the Trackstick.

This lovely little device has convenient magnetic mountings for quickly and quietly attaching it to your victim's (err, surveillance target's) car, and is integrated with Google Earth so that you can see a bird's eye view of everywhere the device has been.

Now I'm sure that this is a great tool for law enforcement and the Homeland Security folks. But what's most worrying to me is the first line of the company's description of its product:

"The Super Trackstick is the perfect tool for individuals, law enforcement and government agencies looking for a way to track anything that moves."

Notice that "individuals" come first in that list. And at $269, it's cheap! (Well, relatively.)

Made any enemies lately? I'd check under my rear bumper for one of these little babies, if I were you.

Blu-ray Copy Protection: Punishing the Honest Customer
kcarlson, Editors Blog, 2007-10-08T17:30:14Z

I absolutely sympathize with legitimate businesses when they lose money to piracy. In my book, it's wrong to steal movies. But it's equally wrong to put the whole burden of preventing piracy on the shoulders of honest customers. Not just wrong, but blindingly stupid as a business decision.

So then I have to confess to being mystified by the BD+ Blu-ray copy protection that is just now beginning to ship on Blu-ray discs. It seemed like a huge aggravation for consumers, and unsurprisingly, it's turning out to be just that. With the recent news that Fantastic 4: Rise of the Silver Surfer and The Day After Tomorrow on Blu-ray discs are failing to play on several players from Samsung, LG, Sony and Panasonic, Blu-ray disc vendors have managed to lob the unwelcome copy protection ball back into the consumer's court.

To make the discs play, customers must update their firmware. Except that for some of them, there is no new firmware update to be had. This leaves them in the infuriating position of having to watch their new movies on the schedule of their player manufacturer's software development team.

Now, if this happened once in a blue moon, they might be able to get away with it. But how long do you think it's going to take before a new crack motivates the movie studios to release yet another updated copy protection scheme that forces yet another firmware update?

And let's talk about those updates. Even when they're ready in a timely fashion, the average consumer faces unprecedented hurdles in applying these updates. Never before has there been a stand-alone entertainment appliance that required more specialized knowledge simply to make the thing perform its basic task. You either have to have a home network to plug the thing into, or you have to download .iso images and burn them to discs. Now, I can tell you, my Mom has neither a home network, nor the knowledge to download and burn .iso images. And that is always the threshold that a consumer device should pass—can your mother use it? (Okay, some of you may argue that a TiVo is pretty complicated, and requires some fiddling. But I would say that to get it to perform its basic tasks, you don't need the network connection.)

I'm a technophile—I eagerly awaited a high-definition DVD format, and was looking forward to watching movies in stunning clarity on my HD TV. But, for the first time I can remember, I have decided to stick with an older technology because I can't tolerate the inconvenience and restrictions of meddlesome, intrusive DRM. I say "long live standard-def DVDs" until something more intelligent comes along.

The Bad Guys are Busy
kcarlson, Editors Blog, 2007-10-01T21:58:26Z

According to the CSI Computer Crime and Security Survey, some interesting changes are afoot in the world of computer crime. First, the damages claimed are growing - the average annual loss claim from computer criminal activity is up to $350,000 from last year's average, which was $168,000. Given the number of high-profile security breaches we've seen in the news over the past year, that doesn't really sound too surprising. But there's more bad news.

The survey also shows that the nature of the damages suffered has changed. The number one problem is now financial fraud, not losses from viruses, which had claimed the top spot for the previous seven years. This is bad news simply because viruses are often only malicious mischief, however damaging that mischief might be. Fraud is by definition more targeted and focused, and generally means that the target of the fraud was probed and analyzed for weaknesses. It's harder to defend against an attack that was specifically designed for your organization than it is to defend against a lowest-common-denominator threat designed to infect as wide a swath of machines as possible.

If you happen to be in San Francisco this Thursday, you can register to hear CSI Director Robert Richardson present the findings from the 2007 Computer Crime and Security Survey.

Or, if you're looking for more, check out the CSI Conference and Expo, held November 3-9 in Arlington, VA.

Online Game for Recognizing Internet Scams
jerickso, Editors Blog, 2007-09-25T14:29:50Z

Security experts will go to all sorts of extremes to teach people how to better recognize and avoid email phishing and other Internet scams. And rightly so. Researchers at the Carnegie Mellon Usable Privacy and Security Lab, for instance, have turned to interactive, online games. Anti-Phishing Phil is a fish (that's a pun, right?) that helps users better identify fraudulent Web sites.

To play the game, participants are asked to take a short quiz, play the game, and then take another quiz. Those who leave their email address and participate in a follow-up quiz a week later are eligible for a raffle prize of a $100 Amazon.com gift card.

"We believe education is essential if people are to avoid being ripped off by these phishing attacks and similar online scams," said Lorrie Cranor, associate research professor in the School of Computer Science’s Institute for Software Research and director of the CUPS Lab. "Unlike viruses or spyware, phishing attacks don’t exploit weaknesses in a computer’s hardware or software, but take advantage of the way people use their computers and their often-limited knowledge of the way computers work."

Phishing attacks attempt to trick people into revealing personal information or bank or credit card account information. Often, they involve emails that appear to be from a legitimate business, such as a bank, and direct recipients to visit a Web site that likewise appears to belong to that business. There they are asked to "verify" account information. In addition to spoof emails and counterfeit Web sites, some attacks even mimic parts of a user’s own Web browser.

"We designed the game to teach people how to use Web addresses, or URLs, to identify phishing Web sites," said Steve Sheng, a Ph.D. student in CMU's Engineering and Public Policy Department and lead developer of Anti-Phishing Phil. "That tactic can also be useful in analyzing suspicious email messages."

In addition to Cranor and Sheng, Anti-Phishing Phil developers include faculty members Jason Hong and Alessandro Acquisti, and students Bryant Magnien and Ponnurangam Kumaraguru. CUPS has also collaborated with Portugal Telecom to develop a Portuguese version of the game called Anti-Phishing Ze.

Security Report: More Malware, More Trojans
jerickso, Editors Blog, 2007-09-17T14:42:08Z

IBM's Internet Security Systems (ISS) X-Force research and development has released a report that measures the volume of malware on a year to year basis. Surprise, surprise. Compared to the first half of 2006, the first half of 2007 revealed an increase in the amount of sophistication of malware.

The report, entitled Cyber Attacks on the Rise: IBM X-Force 2007 Midyear Report, states that Trojans (seemingly legitimate files that are actually malware) comprise the most voluminous category of malware so far in 2007, accounting for 28 percent of all malware.

"The X-Force security statistics report for 2006 predicted a continued rise in the sophistication of targeted, profit-motivated cyber attacks," said Kris Lamb, director of X-Force for IBM Internet Security Systems. "This directly correlates to the rise in popularity of Trojans that we are witnessing this year, as Trojans are often used by attackers to launch sustained, targeted attacks."

For more information, go here.


Network Security Books Released by Cisco Press
2007-09-11T15:13:14Z
jerickso (jerickson@cmp.com), Editors Blog

A number of security-related books have recently been released by Cisco Press, including: Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition by David Hucaby. Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition, is a guide for the most...
Symantec Updates Security Packs
2007-08-29T18:14:56Z
jerickso (jerickson@cmp.com), Editors Blog

Symantec has released its Norton Internet Security 2008 and Norton AntiVirus 2008 for Windows XP Service Pack 2 and Windows Vista users. In addition, Norton Internet Security 2008 also features Norton Identity Safe to protect users’ identities when they buy, bank, or browse online. Moreover, the company claims to have optimized each product for greater performance, improved technical support, and reduced user interruption.

New to Norton in 2008:

  • Browser Defender. Defends against drive-by downloads and other new or unknown threats that exploit vulnerabilities in Internet Explorer. Zero-day proactive protection against obfuscated code attacks using ActiveX, JavaScript, and VBScript that specifically target the browser.
  • Norton Identity Safe. Keeps personal information and identity safeguarded when buying, banking or browsing online. It enables users to control which information is shared with Web sites, stores private information securely, and fills in passwords and Web forms automatically. It stores and encrypts passwords and other confidential data, automatically retrieving it at a user’s request to save time and protect it from being stolen by eavesdropping keystroke loggers.
  • One-Click Support. Delivers the same access to support options previously available in Norton 360. This approach to support automatically troubleshoots common issues such as connectivity, licensing, and product activation. It also provides direct access to tech support via telephone, free email or free live chat -- all from within the main user interface.
  • Home Network Feature. Maps connected devices to provide a view of devices on the local network. Monitors the overall security status of other computers with Norton Internet Security 2008 or Norton AntiVirus 2008 installed. In addition, within Norton Internet Security 2008 this feature checks the status of wireless network security, alerts users when they connect to an unsecure wireless network, and provides expert advice to help users manage network security settings. Wireless network security status provides recommendations for securing wireless routers along with educational information about home network security.
  • Performance. Compared to Norton Internet Security 2007, the 2008 user interface responds 22% faster and completes a quick scan up to 39% faster.

Additionally, both products include SONAR behavioral detection technology that protects against malicious code before standard virus and spyware detection definitions have been created. In Norton Internet Security 2008, SONAR runs a full scan every time an application attempts outbound communication, further protecting identity information by improving the firewall's effectiveness against unknown threats. This new functionality complements the existing security protection of Norton Internet Security, which includes rootkit protection capabilities as well as new Threat Interceptor vulnerability protection technologies.
