Still "Brent's pile o' stuff" but at least now there are sections.


“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve the hottest brands at rock bottom prices!”

Open Source



Jon Stokes at Ars Technica has written an article entitled "How To Steal an Election". The PDF file is available here. (It's copyrighted, but permission is granted to distribute it if you link to the original article and PDF, as I've done here.) The rush to implement touchscreen voting with no paper trail as a backup is extremely worrisome; how long before we have a successful fraud that tips the balance of an election?

Best Practices



Mac OS X


It turns out that even though most VoIP streams are encrypted, the ones that use variable bit-rate (VBR) compression are vulnerable to analysis.


Yikes! An 11-byte code, embedded in a web page or sent by SMS, QR code, or NFC, can factory-reset your Samsung Galaxy S2 or S3 with no confirmation.

The only significant concern I have, personally, in the Carrier IQ scandal is the issue of keystroke capturing — because I use KeePass to store all my passwords on my phone. Carrier IQ vehemently denied that they track keystrokes, whereas the original and subsequent research says they do. What's the deal? This article sheds some light on the disconnect; Carrier IQ says in "some Carrier IQ implementations" (remember that each cell provider can customize their bloatware implementation), "keystroke data is being recorded in the log file, but that the data isn't sent back to Carrier IQ and the operators' database". Well, not intentionally transmitted anyway; but other apps presumably can sneak access to the data, and who knows whether an oversight might result in that data getting slung upstream unintentionally?

Android prior to 2.3.4 sends authentication data over unencrypted HTTP for Google Calendar, Contacts, etc.; beware using open wireless networks at coffee shops, libraries, etc. (Ars Technica analysis) Sprint is apparently working on a server-side fix.

Joanna Rutkowska's "Evil Maid Attack" — use a USB boot device to install a rogue boot loader, then capture your passwords etc. the next time you power it up. The moral, as always, is that when they get physical access, all bets are off.

Small is beautiful: UK mobile application developer Masabi has launched EncryptME, a Java ME security component with officially validated implementations of 4096-bit RSA and 256-bit AES... in only 3K! "Using a single SMS message, or a few bytes of GPRS data, EncryptME can set up a secure session and sign up a new user, a new credit card, and make a transaction." Nicely done.


Social-networking site malware (Jul. 2006)


Windows: The WMF vulnerability (Dec. 2005)

XSS: The "Samy is my hero" MySpace Ajax worm (Oct. 2005)

Security at Microsoft

Sanitizing MS Word documents (removing hidden data)

Research reveals that even "sanitized" anonymous data is easy to correlate to real people. "Using public anonymous data from the 1990 census [...] 87 percent of the population in the United States [...] could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth." "It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people."
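The "five-digit ZIP code plus gender plus date of birth" finding above is a statement about equivalence classes: how many people share the same combination of quasi-identifiers. As an added example (not from the article quoted above), here is a small Python script over a constructed, fictional table that measures the smallest such class (the k in k-anonymity), the fraction of records that are unique, and how much coarsening the date of birth to a birth year and truncating the ZIP code raises k. The record fields, the `generalize` rules and the choice of quasi-identifiers are my own assumptions for the demonstration.

```python
from collections import Counter

# Constructed sample records: fictional people, no real data.
SAMPLE_RECORDS = [
    {"zip": "02138", "sex": "F", "dob": "1965-07-14", "diagnosis": "flu"},
    {"zip": "02138", "sex": "F", "dob": "1965-02-01", "diagnosis": "cold"},
    {"zip": "02139", "sex": "M", "dob": "1970-11-30", "diagnosis": "asthma"},
    {"zip": "02139", "sex": "M", "dob": "1970-01-05", "diagnosis": "flu"},
    {"zip": "02140", "sex": "F", "dob": "1982-09-09", "diagnosis": "cold"},
    {"zip": "02138", "sex": "F", "dob": "1982-12-25", "diagnosis": "flu"},
]

# The quasi-identifiers from the census study: ZIP code, gender, date of birth.
QUASI_IDENTIFIERS = ("zip", "sex", "dob")


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_fraction(records, quasi_identifiers):
    """Fraction of records whose quasi-identifier combination occurs only once."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, quasi_identifiers)
    singletons = sum(1 for n in classes.values() if n == 1)
    return singletons / len(records)


def generalize(records, zip_prefix=3):
    """Assumed coarsening: keep only the birth year and the first zip_prefix ZIP digits.

    The fields that remain are still the quasi-identifiers, so k can be recomputed
    with the same QUASI_IDENTIFIERS tuple after generalizing.
    """
    out = []
    for r in records:
        g = dict(r)
        g["dob"] = r["dob"][:4]  # YYYY only, the "thousands of buckets" collapse to decades-worth of years
        g["zip"] = r["zip"][:zip_prefix] + "*" * (len(r["zip"]) - zip_prefix)
        out.append(g)
    return out


def linkable_records(records, quasi_identifiers, values):
    """Records a linker holding these public attribute values could match."""
    return [r for r in records if tuple(r[q] for q in quasi_identifiers) == tuple(values)]


if __name__ == "__main__":
    print("raw table: k =", k_anonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS),
          "unique fraction =", unique_fraction(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    coarse = generalize(SAMPLE_RECORDS)
    print("generalized: k =", k_anonymity(coarse, QUASI_IDENTIFIERS),
          "unique fraction =", unique_fraction(coarse, QUASI_IDENTIFIERS))
    # With the raw table, public ZIP/sex/DOB pin down exactly one diagnosis.
    print(linkable_records(SAMPLE_RECORDS, QUASI_IDENTIFIERS, ("02139", "M", "1970-11-30")))
```

On the six constructed records every raw combination is unique (k = 1, unique fraction 1.0), so a linker holding a voter roll or similar public list reads the diagnosis straight off; after generalizing, each class holds two people (k = 2, no uniques). Real data releases should compute these numbers on the actual table before publishing rather than trusting that "anonymized" means unlinkable.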

As copiers and fax machines get "smarter" we have to start treating them like servers that must be secured and like storage units that must be purged.

An insightful SecurityFocus article from Robert Lemos on the challenge of defending against zero-day attacks if your organization uses the traditional patch-cycle approach.

Interesting editorial on embedded device security.

Good description of, and summary of research into, practical MD5 collisions.

Schneier writes about "identity theft", which he points out is a misnomer (identity is not "stolen"; the issue is fraudulent use of identification information). There are two parts to these crimes: obtaining private data that can be used to impersonate someone, and using that data to conduct fraudulent transactions. Solutions that focus only on the first are insufficient.

IBM's rebuttal (PDF) to criticisms about TCPA. In short: TCPA might be used with Palladium and/or DRM, but those are separate elements requiring separate critique. TCPA is basically a "smart card built into the computer" and with ties to the BIOS. Cf. also the classic Ross Anderson FAQ on TCPA.

HD Moore (Metasploit) points out that in the current climate, "There is no way to report a vulnerability safely" (Robert Lemos article). This is a bad trend. Security researchers (including students) who act responsibly in good faith should be rewarded for reporting vulnerabilities, not prosecuted for it! Pascal Meunier at Purdue (CERIAS) describes his recent experience with this problem.

Pinch My Ride (Wired): Insurance companies often believe modern auto "passive antitheft systems" are infallible, and deny theft claims since the car is "impossible" to steal. Worse: some Honda models apparently have a back door (pulling the emergency brake, of all things) coded to your VIN.

Lockpicking used to be a relatively rare skill, but the Internet has spread this knowledge out to a lot more people. Not long ago, someone developed a technique for producing a master key, given a few normal keys (think college dorm). Now we have Sneakey: a new technique that can use a digital picture of a set of keys to reverse-engineer them.

Spam, Viruses, Malware

If confirmed, badBIOS would be very scary (further explanations), but skepticism is growing as researchers so far haven't been able to replicate it.

Aug 2013: As predicted, botnets are now starting to use Tor for C&C.

Malware has evolved to the point where we can talk about it in terms of an "industry" that has "products and services" and a "business model": Malware as a Service (MaaS).

Interesting point about mobile malware and sandboxing: restricting all applications to sandboxes or user-only mode means that security software is also so restricted — and therefore malware that exploits vulnerabilities to root the mobile device can do more than the security software can.

Report showing PDF is becoming the attack vector of choice.

The Stuxnet worm, which appears to be written specifically to target SCADA systems, uses multiple Windows vulnerabilities (some 0-day). "These guys are absolutely top of the line in terms of sophistication." NYT article and Fox News article with more specifics; this is an amazingly targeted attack. It has now been revealed that Stuxnet was created by the U.S. and Israel; it wasn't supposed to leave the Iranian facility but it escaped.

Subsequent Stuxnet-class attacks include Duqu and Flame. Turns out the antivirus industry didn't detect these or the exploits they were based on until they were in the wild for years.

Here's an article summarizing most of the worst viruses released when I was a systems administrator; the names bring back lots of memories of late night damage control and subsequent infrastructure hardening.

Here's something new: some malware in Europe rewrites your online bank statement on the fly so you can't see the withdrawals they've been making. And it resists white-hat research/response by providing fake compromised accounts to keep the real compromised accounts secret.

Botnet worm that targets routers.

ARP spoofing + JavaScript insertion — one compromised host on your net can insert itself between all hosts and the router, and then inject JavaScript malware into every web page received by every browser. Use arpwatch to detect the ARP changes.
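What arpwatch actually watches for is the IP-to-MAC pairing changing underneath you: the gateway's address suddenly answered by another station's hardware address, or one hardware address claiming several IPs. As an added example, not arpwatch's own code, here is a small Python monitor in that spirit that parses constructed snapshots in the `ip -4 neigh show` line format and raises the same kinds of alerts. The snapshot contents, the gateway address and the alert names are my own assumptions for the demonstration.

```python
import re
from collections import defaultdict

# One line per neighbour, as printed by `ip -4 neigh show` on Linux, e.g.
#   192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
# Entries in FAILED state carry no lladdr and are deliberately skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed snapshots (sample data, not captured from a real network).
# T0: the quiet baseline. T1: host .20's MAC now answers for the gateway.
SNAPSHOT_T0 = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:10 STALE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 REACHABLE
"""
SNAPSHOT_T1 = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:20 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:10 STALE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 REACHABLE
192.168.1.99 dev eth0 FAILED
"""


def parse_neigh(text):
    """Return {ip: mac} for every neighbour entry that carries a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


class ArpWatch:
    """Minimal arpwatch-style monitor: remembers IP->MAC pairings across snapshots."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.known = {}  # ip -> last MAC seen for it

    def observe(self, snapshot):
        """Compare a new {ip: mac} table with what was seen before and return alerts."""
        alerts = []
        for ip, mac in snapshot.items():
            old = self.known.get(ip)
            if old is None:
                alerts.append({"kind": "new station", "ip": ip, "old": None, "new": mac})
            elif old != mac:
                # The gateway flipping is the classic man-in-the-middle signature.
                kind = "gateway changed" if ip == self.gateway_ip else "changed ethernet address"
                alerts.append({"kind": kind, "ip": ip, "old": old, "new": mac})
            self.known[ip] = mac

        # A single hardware address answering for several IPs is the other tell.
        ips_by_mac = defaultdict(set)
        for ip, mac in self.known.items():
            ips_by_mac[mac].add(ip)
        for mac, ips in sorted(ips_by_mac.items()):
            if len(ips) > 1:
                alerts.append({"kind": "one MAC for several IPs", "mac": mac, "ips": sorted(ips)})
        return alerts


if __name__ == "__main__":
    watch = ArpWatch(gateway_ip="192.168.1.1")
    for label, snap in (("T0", SNAPSHOT_T0), ("T1", SNAPSHOT_T1)):
        for alert in watch.observe(parse_neigh(snap)):
            print(label, alert)
```

A real deployment would poll the neighbour table (or sniff ARP replies directly, as arpwatch does) on a schedule and send the alerts somewhere durable; the point here is that the detection itself is just "remember the pairing, complain when it changes", which is cheap enough to run on every subnet.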

Conficker (a.k.a. Downadup) is the most significant malware seen since 2003 Blaster/Sasser.

Oct 2008, a new malware technique "return-oriented programming" which evades defenses like W^X and signed (trusted) code. Very clever stuff.

Oct 2008, a new TCP threat "Sockstress" is starting to be discussed; apparently it's a flaw in the TCP state table implementation of a whole lot of vendors, which can lead to DoS; could be quite a widespread issue.

SRI's new Malware Threat Center has stats.

New virus Kraken which uses dynamic DNS; not only can that redirect to new IPs when the old ones are shut down, but Kraken has an algorithm for switching to a new dynamic DNS hostname when the old one is shut down.

Washington Post article showing how the amount of malware is skyrocketing (look at that graph!) and AV vendors are struggling just to keep up; what a way to run a railroad.

Latest trends: viruses that create a free webmail account to send spam through it (apparently circumventing the CAPTCHA?), and conversely, viruses that use CAPTCHA-like distortion in attachments to prevent their email from being detected as spam. (Speaking of CAPTCHA, see elsewhere on this page for a cool article.)

Since new vulnerabilities are always coming along, 0wned computers may get swiped by a new 0wner at any time. "The bot network industry has become so profitable, and hijacked computers so valuable, that rival gangs are now fighting over them."

Some of the worms in the last few years, notably Witty (CAIDA analysis) and SQL Slammer (Sapphire) (CAIDA analysis), have been amazingly elegant: small (fit in one packet) and quick to saturate their targets ("flash worms"). Scary stuff. See The 10 Most Destructive PC Viruses Of All Time.

The latest malware is stealthier and more resilient:

Excellent set of articles describing the history of the spam arms race, and in particular how viruses (beginning with Sobig) have added a new dimension.

Another article with a history of recent worms and viruses (author's perspective is that legal punishment is too rare and light):

The sender-pays method of preventing UCE, back in 1933: 10 cents to ring my doorbell (via Bruce Schneier's blog) [I don't believe sender-pays is a workable solution for spam, by the way]

ID and Privacy

Yet another way to track users with a code that's hard to remove. KISSmetrics beat a hasty retreat when they were outed, but of course the technology still exists for others to use.

Marketers are using every trick they can to tag your browser with a unique ID that will track you across all their sites. The latest is using HTML5's client-side database storage to add an ID — mysteriously, even if this storage element is removed, it is re-added by the server with the same ID. This is on the heels of some marketers who use Flash cookies, which are separate from regular browser cookies and are not removed by the browser's "clear cookies" function — the Flash cookie is used to re-create the traditional cookie after it's been removed. And now we have an even more advanced form of this: evercookie, a JavaScript API which uses no less than eight forms of cookie storage (HTML cookies, Flash cookies, cached PNGs, web history, and HTML5 local storage, among others). Here is a summary and ways to kill the evercookie.

GAO investigates flaws in passport issuance: "No credential can be more secure than its breeder documents and issuance procedures" (Schneier): If you can get a passport using forged documents, then all the high-tech anti-passport-forgery technology isn't going to help. Real ID still lumbers on (including follow-on PASS ID), with 36 states not in compliance by the December 31, 2009 deadline.

My contact information, brief autobiography (such as it is), and family tree.
