Category: security

  • Twitter hacked

    It had to happen, didn’t it? I’ve fired up Pidgin with the microblog-purple plugin, only to get an “invalid certificate” error for twitter. I’ve quickly became nervous, since a quick digging indicated that I was getting the wrong IP address for the domain twitter.com. My first thought was: “I’ve been compromised”. After quickly verifying my…

  • Screenshot forensics

    One of the interesting thing I like to do when reading (security) blog posts, is to try to deduce details about the machine setup used. You can find some very interesting tidbits of information, like Sunbelt using Symantec AV on some of their machines. A couple of current examples: a CA researcher uses Office 2007…

  • Today’s fudbuster

    We begin today’s FUD-buster with – applause please – cyberterorism via an “article”: Cyberterrorism: A look into the future. The article talks about Estonia (which is the poster-child for “cyber” incidents these days) and says the following thing (amongst others equally high-quality content) – emphasis added: “The three-week cyberattack on Estonia threatened to black out…

  • Surprising numbers

    I was reading the latest FudSec piece (Generating a False Sense of Insecurity) where I found the following statement (emphasis added): Facebook now has 300 million users. Let’s assume that each user has at least one piece of user-generated content on their Facebook page cause, well, it’s a very user-content driven site. That means that…

  • The importance of false positives

    An interesting paper was bought to my attention recently by this blog post: The Base Rate Fallacy and its implications for the difficulty of Intrusion Detection. The central question of this paper is: if we have a flow of N packets per day and our network IDS has a false-positive rate of X, what is…

  • Back with a vengeance

    I’ve had limited connectivity / time in the last couple of weeks, but I’m back baby! The lesson of the day: you shouldn’t let your AV vendor provide general security. The lesson comes to us via Graham Cluley’s Sophos blog, which informs us that Sophos released a free encryption tool. So, what’s wrong with it?…

  • The myth of the cognitive quantum jumps

    Update: see this presentation given by Scott Berkun at Google, which which explains my points much more eloquently. Very often media (and I’m using the word “media” here in its most comprehensive way – including things like blogs, Slashdot, etc) tells us the story of some uber-hyper-mega-cool new-unseen-until-now method of performing X. This leads many…

  • A new security provider

    I found out about Dasient via the presentation they did at Google (which you can see embedded below). Their angle seems to be (although this probably will change – them being a young company) that: we check your rating at Google / McAfee / Symantec and if they say that you are bad, we will…

  • Know thy (cryptographic) functions

    More than I year ago I mentioned that VNC uses only the first 8 characters of the password to validate it. Today I found an other situation where this happens: the crypt function (to be fair, the glibc version of it has the option of using all the characters, but still we have the issue…

  • Social engineering malware – part deux

    Some time ago I written about that that information given by the UAC prompt in Windows (Vista and 7) is insufficient to make the correct decision, even if we would suppose (ad absurdum) that the user knew what s/he was doing. Symantec has a research project which can be used to replace the standard UAC…