Articles from last posting
DDoS attacks and extortion alive and well
Security software is a bug laden nightmare (too)
Hackers beat anti-phishing tools
A good week for Microsoft investigators
Can, or will, the credit card companies protect us?
News
Creator of evil greeting card on the run
The US Department of Justice has one Carlos Enrique Perez-Melara firmly in its sights. Mr Perez-Melara had a unique business model. He designed and sold a spyware product that users, presumably desperate for revenge or just generally embittered, could send to potential victims in the form of a cheery greeting card.
Once opened, the not-so-cheery card unleashed a spyware programme that logged all PC activity and user keystrokes. It could also activate any installed web camera and send photos back to the spymaster. The purchaser of this handy tool could also, if he or she saw fit, annihilate files on the victim's PC.
All for a mere $89. Who would have imagined doing evil was so cost-effective?
Another good reason to make more friends than enemies in life. Or to be obsessively paranoid.
Until the Feds put the finger on him, Mr Perez-Melara had sold 1000 of these handy kits, and purchasers had used them against 'nearly twice as many victims', according to the 35-count indictment filed against him.
In the case of four purchasers, however, the cost of revenge has escalated. They have been charged with computer hacking offences. Live and learn.
Nasty teen behind bars
A 17-year-old Massachusetts teen hacked T-Mobile and posted Paris Hilton's cell phone directory online, replete with celebrity contacts. All just precocious good fun, you might say. Teen hormones run amok.
However, the teen, recently sentenced in a Boston court to 11 months in juvenile detention followed by 2 years of supervised release, was not so benign. He broke into ISPs and telcos, stole phone airtime with his friends, and in March 2004 e-mailed bomb threats to a school in Florida and a school in Massachusetts.
In both cases the threats were taken very seriously: schools were closed, and various emergency services were dispatched, including bomb squads and sniffer dogs.
No laughing matter.
He also threatened another telco with a denial of service attack if they did not grant him access. When they refused, he made good on his threat, flooded them with traffic, and disabled a portion of their web site.
He was also responsible for the LexisNexis hack, covered by us in the past, in which 310,000 sensitive records on Americans were exposed.
As he is a protected juvenile, we do not get to hear more about this anti-John-Boy Walton. He was also banned for 2 years from using any device that might give him access to the Internet.
Security vendor "puts money where its mouth is"
In what is believed to be a first, at least in the US, a security product vendor, Citadel Security Software, is offering a warranty on its software, free of charge, that is underwritten by an insurer, AIG.
Citadel is not the first company to break ranks and offer reimbursement where no legal obligation exists to do so. In 2004, Internet Security Systems Inc. (ISS) offered a money-back guarantee on its Managed Protection Service, up to the contract value.
However, the fact that the Citadel limited warranty is insured is a new twist, as insurers have been reluctant to enter the fray due to an absence of reliable data on which to underwrite security risks.
It is abundantly clear that Citadel has devised this offering to differentiate itself from security vendors who are often slow to offer customer support in any meaningful way, let alone some limited form of reimbursement if they fail to deliver.
May they be the first of many. A chink has finally emerged in the collective armour.
Hurricane may expose victims to ID theft
There may be more tragedy in store for victims of Hurricane Katrina, as looters and thieves make off with personal papers and important identification documents left behind in the deluge. In the wake of the catastrophe, a great many people have had to abandon their homes with little more than the clothes on their backs.
What is left behind, as this article rightly points out, could be a smorgasbord of information that unscrupulous individuals could use to steal the identities of the displaced masses.
Virtually as soon as the floods hit, the scammers were out in force, mass-mailing 'phishing' emails to a shocked public with links to a fake Red Cross web site that supposedly solicited charitable donations. So much fraud has emerged that the US Justice Department has set up a task force 'to investigate identity theft and other types of fraud related to Katrina'.
No doubt many of you have pondered what you would take with you in the face of impending doom: aliens en route, etc. The stuffed animal you got as a kid? Your collection of baseball cards or comic books? A favourite piece of art? The TV?
It may be that more mundane objects should take pride of place. Now where is that pile of credit card statements?
Definitely not mankind's finest hour.
Firefox browser not safe either
In case you thought that avoiding Microsoft Internet Explorer and using a funky upstart browser such as Firefox would solve all your security problems, think again.
Researchers, as they always will, have found critical flaws in Firefox that expose users to a variety of scenarios, all of them bad.
But help is (not) at hand.
The dazzling suggestion in this article that users ought 'not to browse untrusted websites as a precaution' exemplifies all that is currently wrong with our beloved Internet, and highlights the abject lack of imagination rampant amongst techies trying to solve its problems.
What is 'an untrusted website', pray tell? One I have never visited before? One titled 'Website of the Romanian Hackers League'? One that just looks dodgy?
Many learned philosopher heads could be fried trying to solve this one. Or perhaps there is a simple and elegant solution out there that simply no-one has thought of?
Caution: no fine breath should be held, as suffocation could be imminent.
And what about the Mac?
The Mac is generally assumed to be hacker-proof by its legions of fanatical devotees. Indeed, to a Mac-head, bashing Windows and Microsoft (MS) is a veritable rite of passage, and they will neither hear nor speak evil of their hip, friendly loved one.
This article dares to throw doubt on the veracity of this God-given mantra. It suggests that the Mac is 'secure by accident' rather than, as cult members would have it, 'by design'.
In other words, if more hackers had the faintest interest in attacking the Mac, not to mention the funds necessary to actually buy one of the expensive little devils, all bets would be off, and it would not be smelling like roses for long.
MS do not help matters by being perennially and seemingly congenitally uncool (e.g. running that ghastly ad campaign with the people in fake dinosaur heads), but I remain unconvinced that Steve Jobs' natural brilliance ran to divining the need for secure code when no one else had thought of it.
But if he decides to go head to head with MS by selling the Mac operating system (OS) for use on Windows PCs, heresy up to now, all will be revealed. Now that the Mac can run on an Intel chip, and techies are already figuring out how to port the OS to a $600 Dell, anything can happen.
UK CIOs mad at ISPs
Ten of silicon.com's 12-man CIO Jury IT user panel voted that ISPs should be accountable to users for the zombie networks they host, on the basis that they can stop attacks at source as the traffic comes over their pipes. Of course the same could be said of the telcos, many of whom are very much in the ISP business.
Some of the irate CIOs took aim at Microsoft for not doing more to stop spam from domains hosted on Hotmail servers. They mused that ISPs could make a compelling business case for selling secure connections, but were not confident that the penny has dropped, or that it will any time soon.
However, wishful thinking aside, with cutthroat competition from upstart VoIP operators and a huge industry shakeout in motion, ISPs, and especially telco ISPs, will try to squeeze every last penny out of every remaining business opportunity. They will sell security to industry, as AT&T have done, for a price. They surely won't rush to give it away for free.
Even the experts get scammed
If it is any consolation, even the security experts come a cropper from time to time. The new Chief of Security for Microsoft UK, a veteran FBI man, recently disclosed that he was the victim of a rogue dialling scam that cost him £450 in phone charges for calls he never made.
Rogue diallers, programmes that infest your PC and make sneaky unauthorised calls to Outer Mongolia and/or to 'premium rate' numbers on your tab, are such a big problem in the UK that the regulators and the big phone companies have had to enter the fray to protect unwary consumers.
Not soon enough it seems.
Michael Porter talking sense
Michael Porter is a Harvard professor, the most famous business strategy guru on the planet, and a prolific author.
But unlike many self-appointed business gurus, he generally talks (and writes) a lot of good sense.
During the Internet boom he lost his lustre, as he was considered out of touch with the new economy, where everyone was encouraged to rush around like headless chickens, chasing the next 'new new thing', fame and fortune, and daft ideas, and generally spending money like drunken sailors.
Caught up in such euphoria, unimpeded by rationality, the boring business of defining long-term business strategy seemed plain old-fashioned. Not to mention hard to do. So it was generally considered that the painful, head-frying exercise was best avoided entirely.
But not any more.
Porter is back in fashion. As dot-com businesses crashed and burned and management at blue-chip companies were caught with their collective hands in the till, all semblance of dignity and propriety thrown to the four winds, having a clue about what you are at in business is now considered a good idea.
In this interview with Porter in the September/October issue of Banking Strategies magazine online, he shares his thoughts on outsourcing mania:
'If you're laying off many functions to outside vendors, what's your advantage?' He also discusses the fragmented payments industry.
Well worth a read.
What has it got to do with security, you may ask?
With all the M&A activity in the field right now, it behoves one to ask: what strategy goes there? Is there one, or is it just more 'bigger is better'?
To quote Confucius and Yoda: "An increase in gait does not invariably a smarter person make".