
Technology

Live skin fingerprint scanner

This new thumbdrive/memory stick/flash pen (choose or add your preferred name) offers a fingerprint scanner. The scanner looks for live skin, something that is claimed to increase accuracy, and it allows you to use dirty fingers and still get access.

The only downside is that now I can no longer cut off your fingers to gain access to your data. I need you alive and kicking at my side...

Andy is in trouble!

My blogging buddy Andy IT-Guy is in trouble! Please pop on over to help him!

 

Facebook open to ID-theft

Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us use these services on a regular basis (daily, hourly, or even every moment of our waking hours).

I for one am a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and social engineering (SE) possibilities that are enabled through such services.

One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may pose. Granting an application access to your profile automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - doing only the thing they claim to do. Still, imagine a business manager sitting on tens of thousands of users and their data, in need of money. It would be extremely easy to use the data already harvested, as well as rewrite the application to be more aggressive in its harvesting.

The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest app, it becomes popular, and thus the road is open to harvest and use information. Information that you would normally share only with friends.

---

Enter the Social Engineer. He uses the information about you, collates it with other information shared on other sites, and creates a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth.

Perhaps one day he bumps into you at the local mall. Or calls you because "someone said that you could be interested in ..."

Having a complete profile of you, he (or she) would know all the answers, and talk you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved.

---

Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".  

---

I gotta run.

Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!

See you in a bit!  

---

Ka-zing. 

---

(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)

House of hackers - a new community

Gnucitizen has established a new community project called House of Hackers. The purpose is to create an area that will

"...support the hacker culture, mindset, way of life, ideologies, political views, vision, etc."

If you are into hacking, and interested in keeping up with the community, I suggest you pop over and take a look.

Airport evacuated!! Hand grenade found in luggage!

Just a few hours ago, the Tromsø airport in Norway was evacuated due to a hand grenade found in the luggage (Norwegian link).

The hand grenade was found in the hand luggage of a passenger moving through security. I can only imagine the eyes of the security clerk who discovered it.

Eyes Wide Open comes to mind. Certainly, the Big Red Button was very close indeed.

ALARM!

The whole airport was evacuated, secured and shut down.

Only to be reopened 25 minutes later, when the grenade was discovered to be a belt buckle!

I have a feeling that the security clerk would wish to move on and dismiss this event as an error. I for one will go on and order a couple of belts. Imagine the disorder to be created if these buckles keep trying to enter airports around the world!

Obviously, when it becomes customary to wear and carry grenade look-alikes as belt buckles, it will be much easier to bring actual grenades hidden as a buckle. So, sometime soon, I predict the politicians will enforce a

"No Grenade look-a-like Belt Buckles allowed on Airports!"

 

---

Edit: Just read about the complete opposite experience at the Digital Soapbox! Thanks, Rafal! 

ID theft – Facebook and MSN exploited

Earlier this week, I received a new wall post on my Facebook profile. Now, I do not use Facebook a lot – I mainly maintain a small network to test and research this trend – so receiving a wall post was kinda fun.

Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.

The spam message

Yes, yes, I know, I am a bit too paranoid!

Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.

One of the other signs was that, when on MSN, MSN would disconnect her, stating that she was being logged on from a different computer. Unlike some of us, she only had one computer she used for this.

I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her login details (username and passwords) on all the services she uses – and that she did so from a different computer.

The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?

I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.

She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials behind while using her friend's computer.

It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:

“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.

(Emphasized by me)

And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes us pros have problems with the very same challenge! And as threats evolve and get better at hiding, the harder it gets to know for sure.

I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).

And the result today is that when you do not understand what is going on with the computer, you just write it off as a "system error", and get back to what you were doing.

We spend a large amount of time to teach users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?

 

SQL-injection attack walk-through

Have you ever wondered how to learn how to do SQL-injection attacks? Rescue is here!

You are now able not only to read about attacks and try to understand their logic, you can now set up your own lab and start doing injections directly. Thanks to Gerasimos Kassaras (I had a hard time spelling that, and will not even try to pronounce it), who has written this excellent walk-through on the topic!

He will even walk you through setting up IIS and the other tools required!

Still not into SQL-injections?

Well, you should be. Security now and in the future will be about two things - information management on one hand, and application security on the other hand.  

Infosecurity Europe 2008

In a couple of weeks, one of the most important security events takes place in Europe.

 

The Infosecurity Europe 2008 event takes place in London April 22-24.

I am planning on going, and I would love meeting up with peers and blog readers. If you are going too, please drop me a comment or send me an e-mail (use my first name @ my domain name), and we will find a time to grab a beer or a breakfast.

I will give you my views and updates on what is going on too, so if you cannot be there, keep reading the blog ;)

Comment spamming

I am not alone - now Rob Newby gets hammered down with comment spam too. 

Technology havoc

Ever considered application uptime to be part of security? Or do you just consider any downtime of your applications as a break for you? Time for your cup of coffee?

When you consider enterprise-wide applications like banking applications, CRM, ERP, or look at the controlling applications for your SCADA or CNC machines, it is easy to spot the cost and risk. But what about other applications - perhaps only used occasionally? Or by a small group of users only?

If you only use your computer to write letters and check your email, you experience this when you do not find letters you wrote earlier, and when you are not able to check your email. Usually, you just call IT-support and give it no more thought. Perhaps you should give it some thought next time it happens?

Just take the time spent (10 minutes perhaps?), multiply by the number of times it happens each year (12 - once a month?), and adjust for the hourly cost (insert the relevant number here). For you, the result is 2 x the hourly cost (10 x 12 = 120 minutes, divided by 60 minutes per hour = 2 hours).

Obviously, you need to adjust all the numbers above.

Then, you take the number you got and multiply it by the number of employees in your company. The number that shows up is usually quite stunning.

The reason I bring this topic to your mind is the very fact that I myself experienced downtime in a service. The service is a Cron service, running to automatically publish blog posts on my blog (yes, I just blew my cover... - I do plan ahead, and I do prepare some posts perhaps weeks ahead - I do it in order to have at least some posts arriving even when I am traveling).

The Cron what? It is a special service running on servers using a *nix OS. Its purpose is simply to schedule tasks so that a human does not have to do all the tasks the computer can do just as well by itself. Usually, such tasks run and run and run and run. So I tend to forget it being there at all.

So the server itself decided to fall over and die (yes, these things do happen - and usually at the most inconvenient of times too). Luckily, the dying of this particular server did not affect me nor my business. Or so I thought.

It took me one week (yes, yes, yes, I know...) to realize no posts arrived at my blog, and then I needed a few more hours to remember that the Cron job I run to run the update script on my blog was on the particular server that went to Computer Heaven last week.

Thus - today you get the weekend laugh that was supposed to be yours last Friday.

On the upside - I got to write this post :)

The moral is simple - computers are not reliable. Make sure you prepare yourself and your company for downtime. And have a plan to get back up.
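The failure described above, a scheduled job that silently stops running when its host dies, is the textbook case for a "dead man's switch": the job records every successful run, and a separate check raises an alert when that record goes stale, instead of waiting a week for someone to notice missing posts. The script below is an added example and not code from the original post or its author; the heartbeat path, the two-hour threshold and the script names in the crontab comment are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): a dead man's switch for a cron job.
# The scheduled job writes a heartbeat only after a SUCCESSFUL run, so both a dead
# host and a job that fails quietly show up as a stale heartbeat. The check is meant
# to run from another host or a monitoring system, otherwise it dies with the server.
# Assumed values: heartbeat file location and the acceptable age between runs.

HEARTBEAT="${HEARTBEAT:-/tmp/blog_publish.heartbeat}"
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-7200}"   # the job is expected at least every 2 hours

# Wrapper that the crontab calls instead of the publish script itself.
# Usage: run_with_heartbeat /path/to/job [args...]
run_with_heartbeat() {
    if "$@"; then
        date +%s > "$HEARTBEAT"       # record the time of the last successful run
        return 0
    fi
    echo "job failed, heartbeat not updated: $*" >&2
    return 1
}

# Prints the age of the heartbeat in seconds; a missing file counts as "very old".
heartbeat_age() {
    if [ -r "$HEARTBEAT" ]; then
        last=$(cat "$HEARTBEAT")
        now=$(date +%s)
        echo $((now - last))
    else
        echo 999999999
    fi
}

# Exit status 0 when the job ran recently, 1 when the heartbeat is stale or missing.
# Hook the non-zero exit into whatever alerting you already have (mail, pager, monitoring).
check_heartbeat() {
    age=$(heartbeat_age)
    if [ "$age" -gt "$MAX_AGE_SECONDS" ]; then
        echo "ALERT: no successful run for ${age}s (limit ${MAX_AGE_SECONDS}s)" >&2
        return 1
    fi
    echo "OK: last successful run ${age}s ago"
    return 0
}

# Example crontab entries (assumed paths, not from the original post):
#   0 * * * *    . /usr/local/lib/heartbeat.sh && run_with_heartbeat /usr/local/bin/publish_posts.sh
#   */15 * * * * . /usr/local/lib/heartbeat.sh && check_heartbeat
```

The check has to live somewhere other than the server running the job; a monitor that dies together with the thing it monitors is exactly the blind spot the post describes.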

As always - feel free to share your experiences :)  



The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.
