Wednesday, December 17, 2008

Cybercrime

Apparently cybercriminals are getting smarter. Some of the more interesting facts in this story include:
Spam accounts for 90% of e-mail.
There are now businesses in China and India whose employees are tasked with typing in those text picture tests that you have to fill out to open some accounts online.
E-mail attachment attacks have decreased significantly over the years.

It is hard to believe that so much of the world's email is spam, but I suppose we should not be surprised. The majority of e-mail I get on my regular G-Mail account is spam. It should also be disheartening that even the picture tests are not enough to stop spammers from getting new accounts. At least we can be consoled by the fact that there are fewer attachment attacks, although it is possible they have just been replaced with more sinister types of attacks.

Cisco: Cybercriminals more savvy than ever in 2008
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1342560,00.html

Tuesday, December 16, 2008

Security Review: Xbox and Playstation.

With the new advancement in gaming systems and numerous uses of the new Xbox or PlayStation, can these devices be another tool for hackers to use to violate our lives and gain personal information? Within the last two or three years both the Xbox 360 and the PlayStation 3 have been hacked into. In January of 2006 “Sources say that a group calling themselves Team Pi have discovered a vulnerability in the Xbox 360, or more specifically in the kiosk CD being used in retailers displays. It seems that though the executable on the disk is signed, the other media on the disk is not signed allowing someone to swap the Project Gotham Racing 3 demo video with a WMV-HD rip of a full length movie. This is far from being a complete hack of the Xbox 360 but it is one little step closer to a full hack.”

This month “PlayStation Home, a 3D social gaming community available on PS3 that allows users to interact communicate and share gaming experiences, launched last Thursday and over the weekend it was hacked multiple times. Hackers found several vulnerabilities that allowed them to run some code to bypass advertisement, replace content originally placed by Sony with the user's own images. Another hack allows uploading files to hack the Home server or deleting any file from the Home server.”

Although these events were both of the minor variety, this leaves a lot to be questioned. On both consoles people can purchase movies, games, and music by using their online accounts. On these online accounts people provide very sensitive information to be granted access to the following features: Internet access, movie download center, and music download center. Not all of these features are necessarily desired by every user. My question is: can these devices, which are operated over the web, be possible hacking opportunities?


Articles: http://news.teamxbox.com/xbox/18394/PlayStation-Home-Hacked-Already/

http://theconsolewars.blogspot.com/2006/01/impossible-to-hack-xbox-360.html

Monday, December 15, 2008

Adobe PDF and Flash are source of web attacks

"Attackers are finding new ways to stay one step ahead of security, exploiting ubiquitous Adobe Flash applications and PDF files, which many organizations and end users incorrectly assume are safe against compromise." was quoted in an article describing Adobe attacks on December 9th, 2008.

"In its Q4 Web Security Trends Report, Finjan Inc. says its Malicious Code Research Center (MCRC) has found that millions of PCs have been compromised by either Flash- or PDF-borne Web exploits, as crimeware writers widen their attack vectors and find new ways to evade detection and snare user machines." Flash is an application that allows animations in webpages. Flash is a specific type of webpage coding. The Flash exploits rely on basic Adobe ActionScript functionality to exploit browser vulnerabilities. Flash malware can be delivered through malicious banner ads. "Although most networks inspect the ads for security risks, their efforts are often insufficient." Adobe advises users to set a parameter, "AllowScriptAccess," to "never," but it is more typically set to "always." "This allows ActionScript to inject an IFRAME, which can then pull in malicious content and infect the end-user machine."

PDF is mistakenly considered a safe file format by many. However, PDF files can be exploited through a pair of buffer overflow vulnerabilities. Adobe has patches for these flaws, but many machines aren't up to date. Starting with version 1.4, the PDF format includes JavaScript capabilities. The problem grew with the emergence of simple crimeware toolkits, such as Neosploit and Fiesta, which include PDF components that "enable attackers to obfuscate scripts within PDF files to execute Web exploits. Signature-based detection is not generally effective against these attacks, so antimalware engines must rely on real-time detection."

The best way to prevent these attacks seems to be by simply updating these programs since there are patches available. Perhaps Adobe should come up with an automatic software update, like Microsoft uses. This article is interesting to me because I use Flash coding all the time and I always felt like it was safer, even though I had nothing to support this reasoning. I also think this is interesting since we recently learned about web based attacks. It would be interesting to see if these programs are exploited in ways similar to cross-site scripting. I think it is also important that antivirus and spyware detection programs update their software to protect users against these attacks.

Sources:

Flash, PDF are growing malware targets
By Neil Roiter, Senior Technology Editor, Information Security magazine, 09 Dec 2008, SearchSecurity.com

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1341749,00.html
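
The AllowScriptAccess setting discussed in the post above can be audited in page markup. The following is an added example, not part of the original post or of any Adobe or Finjan tooling: it lists every Flash object/embed tag in an HTML document with its allowScriptAccess value. The sample markup and the risk labels are constructed for illustration.

```python
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# allowScriptAccess values, ranked for this audit (labels are this example's own).
RISK = {"always": "high", "samedomain": "medium", "never": "ok"}


def _is_flash(movie, mime):
    """True when the MIME type or the file extension identifies Flash content."""
    return mime.lower() == FLASH_MIME or movie.lower().split("?")[0].endswith(".swf")


class FlashEmbedAuditor(HTMLParser):
    """Collects the allowScriptAccess setting of each Flash <object>/<embed>."""

    def __init__(self):
        super().__init__()
        self.findings = []    # (tag, movie, value, risk)
        self._object = None   # state of the <object> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "object":
            self._object = {"movie": a.get("data", ""),
                            "mime": a.get("type", ""), "asa": None}
        elif tag == "param" and self._object is not None:
            name = a.get("name", "").lower()
            if name == "allowscriptaccess":
                self._object["asa"] = a.get("value", "")
            elif name == "movie":
                self._object["movie"] = a.get("value", "")
        elif tag == "embed":
            self._record("embed", a.get("src", ""), a.get("type", ""),
                         a.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            o, self._object = self._object, None
            self._record("object", o["movie"], o["mime"], o["asa"])

    def _record(self, tag, movie, mime, value):
        if not _is_flash(movie, mime):
            return
        norm = (value or "").strip().lower()
        # Unset or unrecognised values are flagged for manual review.
        self.findings.append((tag, movie, norm or "unset", RISK.get(norm, "review")))


def audit(html):
    """Return findings for every Flash embed found in the HTML text."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one permissive ad banner, one locked-down player,
# one embed with no explicit setting, and one non-Flash object to be ignored.
SAMPLE = """
<div class="ad-slot">
  <object type="application/x-shockwave-flash" data="banner.swf">
    <param name="movie" value="banner.swf">
    <param name="AllowScriptAccess" value="always">
  </object>
</div>
<embed src="player.swf" type="application/x-shockwave-flash" allowScriptAccess="never">
<embed src="legacy.swf" type="application/x-shockwave-flash">
<object type="application/pdf" data="report.pdf"></object>
"""

if __name__ == "__main__":
    for tag, movie, value, risk in audit(SAMPLE):
        print(f"{risk:6} {tag:6} {movie:12} allowScriptAccess={value}")
```
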

Web Security Notes

Someone pointed out that I hadn't posted the web security notes online. Here they are:

Web Security slides

Sunday, December 14, 2008

Oooops they did it again

Microsoft has made itself the joker of the modern computer world once again. No, I'm not talking about Windows Vista aka "mojave"; I'm referring to a new vulnerability in the Internet Explorer program that runs on all of Microsoft's operating systems. On Friday, Microsoft released a statement about a number of "zero day" attacks that occur as a result of a vulnerability in the way the browser processes XML (a way of writing information to websites). Verisign released an announcement late last week that a group of Chinese security researchers discovered and accidentally released the flaw in IE. The main idea of the attacks is to load malicious software onto computers that are vulnerable to the attack. These programs can give the hacker all the normal privileges that the user would have, including access to sensitive records and files. Below are links to two articles, including one that talks specifically about ACLs and how to block the vulnerability at the server before it enters the network. This does not completely block the threat but it does lower the risk until a patch is made available.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1342278,00.html

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1342135,00.html

Sunday, December 7, 2008

Facebook revisited

As the other posters have mentioned, Facebook is really in no way secure. First, you can set up an account claiming to be someone else. This can cause slanderous things to be posted on someone's Facebook page that isn't really theirs. People can also pretend to be someone and hit on girls or boys, and then in person the person who thinks they are being hit on can be extremely hurt because everything is a hoax. Facebook needs to develop a system of verification to make sure these things do not happen.

As for the virus attack, I am constantly bombarded with these phishing attacks. Some of them come as wall posts from friends who have "zombie computers". Recently Facebook added a new feature called "Facebook chat". This is the Facebook equivalent of instant messaging. Many of the most recent phishing attacks I have received have come via Facebook chat. Facebook needs to come up with a way to prevent this virus from spreading further. Most of the attacks are extremely obvious, such as "click here to reduce your debt". None of my friends would care about debt nor would they advise me on how to lower it. The other attacks about tagging and adding photos etc. are much more harmful because they could seem legitimate and could end up being malicious.

Saturday, December 6, 2008

Security Review: Off-Campus Housing Door Security

In the dorms on campus, doors play a crucial role in terms of security. A number of security features are intended to keep the dorm and residents safe (ID card scanners, restricted access hours, and PIN keypads). Furthermore, doors to individual rooms make use of locks and keys, and strong physical construction to maintain the security of a room. Unfortunately these measures are not always enough to prevent theft and unauthorized access.

What happens, then, when students live outside of the Notre Dame bubble in the neighborhoods surrounding campus? What measures are used on doors to maintain the security of off campus houses? In this security review, I will assess some common methods of securing the doors and overall safety of an off campus house.

Exterior doors can be equipped with different types of locks (handle locks, single-cylinder deadbolts, double-cylinder deadbolts), construction materials (metal, solid-wood, composites), and sensors (surface door contacts, recessed contacts). Not all methods provide the optimal security condition as the integrity of the physical barrier can be compromised. Ideally for the home owner or resident, the door will of course prohibit unauthorized entry and will not readily expose to view (disclose) the contents of the house. This also addresses the integrity of the house and its residents and associated property. In addition, the door should allow authorized individuals entry.

Would-be attackers would be interested in knowing what methods are used to secure the door. Do the residents actually make use of the installed deadbolt lock when leaving? An underutilized deadbolt is pointless in keeping attackers out. Is the deadbolt a single cylinder (key used only on exterior), or a double cylinder (key needed on inside and outside) lock? A single cylinder lock located right next to a large glass window would provide easy entry after breaking the glass (alteration). Is there an associated alarm system that is actually activated? The presence of alarm equipment does not guarantee that residents turn on the system. Furthermore, some alarms are disconnected and only emit a loud noise. While this may scare an intruder away, he or she still has time to grab property before fleeing.

The overall construction of the door is something that most tenants can do little about. This vulnerability is really only a small piece of the puzzle. The quality of door design is null if users fail to adequately lock the door using the deadbolt. Seemingly the largest vulnerability in this case is human action. For instance, even if a door is well protected, there may be other means of entry. An open window (or a closed, yet unlocked window) or secondary door could prove the main door security measures unimportant. It would be like beefing up security on HTTP ports while ignoring the POP3 port in a computer system.

Attempts to secure the door through multiple and sometimes extreme ways must be tempered by sensitivity to the ease of entry by authorized individuals. Ultimately some risk acceptance is inherent in a system that literally opens doors. Nevertheless, the amount of risk can be reduced and transferred. Installing double-cylinder deadbolts (especially when doors are adjacent to windows or glass panels) and always making use of the deadbolt clearly demonstrate good protocol. By making a home doorway harder to breach homeowners can deter would-be attackers. Risk transference can be achieved by obtaining homeowner's or renter's insurance for property potentially lost to burglary.

alarmsystemreviews.com
homesecurityguru.com

Security Review: Credit Card Security

The use of credit cards to make purchases is becoming more and more common, but what is being done to ensure its security? When you make a purchase, you have no idea what is being done with the information. Where is it being sent? Where is it being stored? Who has access to it? What is being done to protect it? Credit card fraud affects everybody – the card companies, the stores, and the customers. As a result, a number of new methods have emerged in the past few years that are designed to increase security. Discover Card developed the Secure Online Account Number Program for online purchases. This produces a random number for each transaction to be used instead of the credit card number when an online purchase is made. The merchant gets Discover Card to verify it, before it is connected to your account, so the business you are buying from doesn’t see your real credit card number. Additionally, a combined effort between Visa and MasterCard developed the Payment Card Industry Data Security Standards which is a set of guidelines put in place between the credit card companies and the merchants. Some online retailers are now requiring the shipping address to be the same as the one associated with your credit card. This may reduce the risk of fraud, but it is a huge inconvenience to the customer and may hurt the merchant’s sales. Finally, VeriSign provides merchants with up to 256-bit encryption using Secure Sockets Layer (SSL) technology.

With the addition of various types of Card Verification Codes (CVC), the security of transactions has improved. For transactions at physical stores, CVC1 is used for verification. This is a code that is in the magnetic strip on the back of the credit card. On the other hand, CVC2, a three or four digit number on the card, is used for many online, mail order, and over the phone transactions to help prevent fraud. The CVC is created using a key that only the bank knows that includes using a hash function on the expiration date and the card number. The information in the magnetic strip is very valuable because it allows fraudulent credit cards to be made. Therefore, credit card companies are making a greater effort to make sure merchants are not storing this information.

However, CVC2 is still vulnerable to phishing scams. This can be done by either using a typical phishing scam (developing a fake website requesting sensitive information) or by already having the credit card number, giving it back to the cardholder, and requesting the CVC2. In addition to phishing attacks, there are countless other ways to obtain credit card information. A store’s employee could very easily write down a customer’s credit card information and copy the signature, especially at the type of place where they take your card out of sight for a short time (such as a restaurant). With the name of the person, it would be easy to obtain their address and then make online transactions using the stolen card information.

Because credit card information is so valuable (the cardholder’s money is at risk), it is essential to protect the information. In order to mitigate the risk of information being stolen and fraudulent transactions made, I think that a few steps should be taken. First of all, all online merchants should be required to ask for the CVC2 when a transaction is being made. For in person transactions, merchants should not be allowed to store the information on the magnetic strip. They should also be required to ask for another form of ID to make sure it matches the name on the card as well as get a signature. The Luhn Algorithm that we discussed in class helps to verify the integrity of credit card numbers while CVC is used to verify integrity of the user of the credit card information. When credit card fraud is committed, the confidentiality of the cardholders’ information is lost and their money may no longer be available when they need it. The physical card will always be at risk for theft, especially in a situation like the dorms where the mail is left in a pile in the lobby. Despite the numerous ways to commit credit card fraud, I think that the actions card companies are taking will help to decrease the risk. However, there is no way to completely ensure the security of information.

http://news.cnet.com/Putting-the-squeeze-on-credit-card-fraud/2100-7349_3-5856625.html

http://www.creditorweb.com/articles/credit-card-security.html
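
The Luhn check mentioned in the review above is an error-detecting checksum with no secret key. The following is an added example, not part of the original post: it implements the check and measures which typing errors it catches. The card numbers are constructed test values and the function names are this example's own.

```python
def _luhn_sum(digits):
    """Luhn sum: from the right, double every second digit, subtract 9 if > 9."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number):
    """True when the digit string passes the Luhn check."""
    digits = [int(c) for c in number if c.isdigit()]
    return len(digits) >= 2 and _luhn_sum(digits) % 10 == 0


def with_check_digit(partial):
    """Append the Luhn check digit to a partial number (no secret is needed)."""
    s = _luhn_sum([int(c) for c in partial] + [0])
    return partial + str((10 - s % 10) % 10)


def undetected_single_digit_errors(number):
    """Count single-digit substitutions that would still pass the check."""
    missed = 0
    for i, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch and luhn_valid(number[:i] + repl + number[i + 1:]):
                missed += 1
    return missed


def undetected_adjacent_swaps(number):
    """Indices i where swapping digits i and i+1 still passes the check."""
    missed = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b and luhn_valid(number[:i] + b + a + number[i + 2:]):
            missed.append(i)
    return missed


# Constructed test numbers (not real accounts).
TEST_CARD = "4111111111111111"
CARD_WITH_09 = with_check_digit("411111111111109")   # contains the pair "09"

if __name__ == "__main__":
    print(TEST_CARD, luhn_valid(TEST_CARD))
    print("single-digit errors missed:", undetected_single_digit_errors(TEST_CARD))
    print(CARD_WITH_09, "swaps missed at:", undetected_adjacent_swaps(CARD_WITH_09))
```

Every single mistyped digit is caught, but swapping an adjacent 0 and 9 is not, and anyone can compute a valid check digit, so the check guards against typing errors while the CVC and issuer-side verification do the authentication.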

Friday, December 5, 2008

Facebook Virus

In light of the recent security review on Facebook (see earlier post), I thought this article would be of particular interest. PC World reports that a Facebook virus is spreading rapidly. The virus turns an infected computer into a zombie, for potential use in a botnet. This is achieved by setting the affected machine to access the internet via a proxy set up by the hacker.

The virus is being spread through Facebook messages with bizarre titles like "Hey, I have this hilarious video of you dancing" and "You look awesome in this new movie." When users click on the link to the 'video' they are prompted by a Flash Player update download. The download, while something most people would routinely click, actually has a malicious file embedded.

Although this tactic seems obvious and ridiculous, the rate of success is alarming not only with regard to security, but also when the gullibility of internet users is concerned.

Thursday, December 4, 2008

Apple posts, then removes, suggestion for use of anti-virus software

"Shortly after updating a security bulletin recommending widespread use of antivirus software on Macs, Apple took it down." (wired.com)

Apple's initial recommendation was surprising to many Mac enthusiasts, who, for years, had been told their systems were not threatened by malicious software. The advice was given in Apple's "Knowledge Base" collection of articles. The original post advocated the use of "multiple antivirus utilities so that virus programmers have more than one application to circumvent." (Although the article was removed, you can still read excerpts).

Clearly the author of the article was advocating defense in depth; however, it seems that the PR machine at Apple was concerned about the implication that encouraging the use of anti-virus software on Macs was an admission of system vulnerability.

One observer states, "The benefit of Apple's tight control over its operating system and hardware is the ability it gives the company to implementing effective, reliable security measures." And until Apple's market share increases significantly, it is unlikely that hackers will target the Mac platform.

While this may well be the case, I certainly wouldn't want to play guinea pig for the security team.

Wednesday, December 3, 2008

Security Review: Facebook

Social networking sites allow millions of people around the world to communicate with each other, in addition to sharing pictures, videos, stories, and other useful information. By far, the two most well known social networking sites are MySpace and Facebook. As if you did not already know, users on Facebook mainly communicate via short written messages on the “Facebook walls” of other users. Users can communicate more privately with “Facebook messages”, and can also create “Facebook events” that describe pertinent information regarding upcoming community events. Facebook has even become a place of social activism: multi-member “Facebook groups” can be created for a wide variety of social, political, economic, and environmental causes.

Depending on the privacy settings of a particular user, other users can see the user profile of that user. Facebook accounts contain information that would be useful to potential employers, coworkers, friends, family members, and “romantic interests”. As a result, Facebook users and administrators require a high level of integrity—if the information contained within Facebook cannot be mostly accurate, the appeal of the social networking site would markedly diminish. In addition, there would also be information, pictures, or notes that Facebook users want to keep away from potential employers, nosy coworkers, and family members. As such, confidentiality is also important. Facebook administrators also want authorized users to be able to access the information stored on Facebook as easily as possible without jeopardizing security.

However, cyber-attackers may want to achieve alteration or disclosure of important Facebook information, because the hackers could use that information for personal financial gain—for instance, they could sell other users’ e-mail addresses and phone numbers—or to make other job applicants appear less favorable, etc. Furthermore, if hackers gain access to a Facebook account, they can easily “spam” the friends of the compromised user with links to phishing scams, pornography, or the like. Also, if a denial of service attack was implemented, there would be an uproar from millions of Facebook users.

As a Facebook user for the past two and a half years, I have not once been asked to change my password. Therefore, I run the risk of hackers determining my password, which would lead to my account being compromised. In addition to that, another vulnerability that Facebook cannot easily address is the very nature of social networking systems. If one account becomes compromised, that account could enable other accounts to be compromised. Furthermore, since Facebook has no method for ensuring that passwords are “strong” as opposed to “weak,” it is vulnerable to a brute force attack. Facebook is even vulnerable to XSS attacks that infect users with spyware, adware, and other types of malware.

In the end, Facebook is prone to the various vulnerabilities, risks, and threats to which all large social networks are prone. However, the Facebook network complicates these vulnerabilities by allowing so many users easy access to the account information of other users. The networking and information-sharing capabilities of Facebook users are necessary for a successful social networking site, though, and should not be truly avoided or transferred. In fact, I believe a combination of risk mitigation and risk acceptance would be more proper. Facebook must simply accept that it will be prone to the security vulnerabilities and threats common to social networking sites. However, Facebook can take preventative measures to make itself less vulnerable to brute force attacks and XSS attacks. For example, it can mandate that passwords be “strong” and be updated regularly.

Infrared Communications - Utility and Security

I was first introduced to infrared communications when purchasing my first cell phone (3 1/2 years ago). I favored the Bluetooth, but it is not a technology that should be overlooked. My understanding is that Bluetooth was invented as an enhancement to Infrared (in terms of energy efficiency and increased range). Infrared finds utility in direct connections.

Reportedly, Infrared technology allows computing devices to communicate via short-range wireless signals (approximately 5 meter range limit). The infrared transmission technology used in computers is similar to that used in consumer product remote control units. In comparison with about 100Mbps maximum communication speed in wireless communications, there is a possibility of 1Gbps with infrared communications (due to its much shorter wavelength than wireless communications, broadband communications are available). In this way, infrared communications are suitable for transmitting large amounts of data such as animations. The most common use for infrared ports is to transfer files between devices. For example, you can transfer files between a Windows CE device and a desktop PC or between two notebook PCs.

The two main problems with Infrared are the sun and line-of-sight (similar to a TV remote, devices must be pointed directly at each other to communicate). The sun gives off a lot of infrared light. In direct sunlight, the IR receiver can be "flooded" and won't be able to see any incoming messages (best used indoors).

Now onto security issues - Because infrared operates at such a short distance (and a narrow angle), it is relatively difficult for an attacker to intercept data that is being transmitted. Infrared communication is secure with high concealment in its ability to specify its receivers, based on the strong directivity of infrared communication. However, infrared does not provide data encryption. Because data is sent in plaintext, it is vulnerable to packet sniffing attacks.

There is a plethora of communication options available; Infrared's lack of data encryption is certainly a major downfall, but I believe that there are viable uses for this technology (a quick exchange of contact information/virtual business cards, for example). I am uncertain as to its popularity in the professional world, but would bet it has its place.


Sources:
http://compnetworking.about.com/od/homenetworking/g/bldef_infrared.htm
http://www.contrib.andrew.cmu.edu/~rgockley/legos/ir.html
http://technet.microsoft.com/en-us/library/cc775941.aspx
http://linkevolution.e-globaledge.com/english/infrared/aboutir.html

Tuesday, December 2, 2008

Empire State Building Stolen

Apparently releasing prisoners from jail isn't the only thing that has slipped through the cracks:

The Daily News, in an attempt to expose New York City's vulnerability to deed-, mortgage-, and property-fraud, drew up fake notarized documents and filed them with the city; effectively transferring ownership of the Empire State Building from Empire State Land Associates to the fake "Nelots Properties LLC" (Nelots="stolen" spelled backwards).

This was a part of a larger expose by the Daily News aimed at illuminating the very real possibility of more modest property fraud that can go unnoticed or unchecked by the City of New York.

The FBI has found a 31% rise in mortgage fraud and Suspicious Activity reports and over $813 million in losses has been sustained by lenders since 2006.


Here's the story:

http://www.nydailynews.com/money/2008/12/02/2008-12-02_it_took_90_minutes_for_daily_news_to_ste.html