An interesting taxonomy of some of the common turf wars in corporate IT departments. Clearly, we are not a socially deft people.
Hoover Dam
February 7, 2011
Part of the hype for the current “Internet Kill Switch” legislation has been evocative images of the Hoover Dam. Clearly, nobody wants the floodgates of the Hoover Dam to open due to an Internet security breach – it’s a great image, because it’s like something out of a Bond movie. So the backers of the bill have been painting that picture and hoping that the visceral dread it evokes will help carry the bill through Congress.
Only one problem – the Hoover Dam, according to the people who actually manage it, isn’t connected to the Internet.
Next thing you know, villains won’t have eyepatches and cats. What a world.
Tweet By Phone
February 1, 2011
Google and Twitter have teamed up to help the Egyptian populace spread news on the Internet, despite the country shutting down all of its Internet traffic this week. They set up a service to allow tweets to be posted with the tag #egypt by calling a certain set of phone numbers; essentially, anyone with access to voice communication also has access to post on the Internet.
Kudos to everyone involved. As I read once, the Internet will interpret censorship as damage, and route around it.
Facebook Subpoenas
January 28, 2011
For a long time, public posts on the Internet have been admissible as evidence. But more and more often, private or restricted posts are being subpoenaed from sites like Facebook and MySpace for use in court.
From the article:
In the United States, postings on social networks are generally governed by the federal Stored Communications Act, which regulates how private information can be disseminated in non-criminal matters. The law has been interpreted to mean that the sites don’t have to hand over users’ personal data in response to a civil subpoena. Defense lawyers, though, have devised a strategy to work around this roadblock: They ask judges to order plaintiffs to sign consent forms granting defendants access to their private material. The defendants then attach these consent forms when they subpoena the sites. In these subpoenas, the plaintiffs are essentially authorising the sites to hand over printouts of the private portions of their pages to the defendants.
Long story short – if you’re going to claim a debilitating injury, you probably shouldn’t post photos of your rock-climbing trip a week later on Facebook. Even if they’re “private”, they’re not.
UNC Breach
January 27, 2011
An excellent writeup on the recent UNC-Chapel Hill security breach at Inside Higher Ed.
Here’s a quick synopsis: Dr. Bonnie Yankaskas, a professor of radiology at the university, was collecting mammography data for a study. The server holding the data, which included medical records and social security numbers, was breached by an unknown attacker and the data is considered to be potentially compromised.
The University wanted to fire her, but settled for demoting her to Assistant Professor and halving her pay.
Dr. Yankaskas’s argument is that she is an academic researcher, not a computer security expert – disciplining her for a security breach is unfair, because this is not her area of expertise or her responsibility. The school’s policy is that she should have appointed a “server caretaker” to monitor the firewall, install patches, etc., and the person she chose is a programmer with no training in security and no experience in server administration. She also ignored his requests for training over the years, and continually graded him as “excellent” in his administration of the server, despite the fact that he did not know what he was doing.
This is a typical tension in higher education – the faculty want to be free of the strictures of security and IT policy, because they feel it unfairly confines their research. IT, on the other hand, wants to be as strict as possible and keep everything in a nice, predictable box.
Rogue GSM
January 21, 2011
An interesting demonstration at Black Hat DC, proving how easy it is to create a fake GSM network and lure unsuspecting users into connecting to it.
From the article:
Ralf-Philipp Weinmann showed how to cobble together a laptop using open-source software OpenBTS and other low-cost gear to create a fake GSM transmitter base station to locate iPhones in order to send their owners a message. A number of iPhone users in the room expressed surprise that they had gotten a message asking them to join the network.
Weinmann, who is researching vulnerabilities in cellular networks, said that with the right equipment, the range for the rogue GSM station he built can be 35 kilometers.
Once someone is connected to a GSM station you own, of course, that means that their voice traffic will pass through it and can be easily recorded. Perhaps it’s time for an overhaul of the Clinton-era code underlying the GSM networks.