The Privacy Risks of Social Networking Sites

Posted in Privacy, Security by Dragan Pleskonjic @ Jun 27, 2007

An interesting article on a popular topic in IEEE Security & Privacy: What Anyone Can Know: The Privacy Risks of Social Networking Sites.

Its conclusion is:

The most frequently identified risk of morphing our social lives and personal communications into the digital era (in addition to the broad and indiscriminate dissemination of our every thought and compromising photo) is that there is no longer an expectation of privacy in the sphere that traditionally has been the core of our self-conceived private lives. If prospective employers or university admission officers want in-depth access to a candidate’s personal activity, they can access these sites (either directly or through college-age staff members), and readily get an uncensored, unflattering, and in many cases largely unrepresentative portrait of that candidate. Not only is this information unfiltered by the selective editing of context (it was not prepared to show a candidate in the best light for a job interview, but rather to impress beer-swilling friends), but it is often deliberately skewed toward the exhibitionist, provocative, and inflammatory, as schoolyard showboating should be. Bonding is not the same social process as applying for a responsible job. We don’t routinely bash chests with future employers. But if the very nature of the forum undermines our claim to privacy protection, the answer might be in PC Magazine’s advice to users of MySpace that “[c]ertain information is best withheld from the public.”5 If not, an entire MySpace generation could realize, when it is much too late to intervene, that the cyber personae they spawned in adolescent efforts to explore identity have taken on permanent lives in the multiple archives of the digital world.

Gap between Rich and Poor Can Generate Security Problems

Posted in General, Security by Dragan Pleskonjic @ Jun 25, 2007

For many years the gap between the richest Americans and the rest of the workforce has continued to grow. US IRS figures for 2003 show that only Americans in the top 1% of the income bracket, those making over $327,000 per year, saw a significant income increase. The bottom 99% of the workforce saw their incomes increase by less than 2%, which did not even match the overall inflation rate of 2.3%.

The gap between rich and poor, both people and societies, may be one of the significant generators of security problems. As this trend continues, we can expect security problems to grow with it. Although it affects other areas of security more, it also applies to computer and Internet security. The Internet, as one of the most important and democratic instruments for spreading news and knowledge, i.e. in the media and learning space, shows this trend.

Some authors think that technological progress can help democratize the world and create the means to narrow this gap. Their arguments rest on points such as:
• Availability of modern technology to a wider population
• Media coverage and availability of information
• Availability of education and knowledge

This seems true, but only at first sight. When we look at the details, we can see that the truth is different.

Will technology increase the gap between rich and poor? It will certainly increase the gap between the productive and the unproductive. For example, with a tractor an energetic farmer could plow six times as much land in a day as he could with a team of horses, but only if he mastered a new kind of farming.

Similarly, today high school kids can write software or design web sites. But only some of them will; the rest will still be scooping ice cream.

Improved technology made it possible, years ago, for many people to buy a computer of their own while still students. Very soon some of them were using it to make money as freelance programmers, web site designers and so on. A few years earlier they could not have done this; a few years before that, there was no such thing as a freelance programmer.

As this example suggests, the rate at which technology increases our productive capacity is probably polynomial rather than linear, so we should expect to see ever-increasing variation in individual productivity as time goes on. Will that increase the gap between the rich and the poor? That depends on which gap you mean.

But this gap is potentially dangerous. Just as in the past people, armies and states fought for natural resources (land, water, oil, gas, minerals, forests), now they will fight for domination of the information and communication world. It also creates more opportunities for those who want to commit fraud. Information is valuable, and other people's confidential data is relatively easy to obtain if its owner has failed to protect it properly. Vital communication and information infrastructure can be both a target and a means of harming the interests of other groups, organizations and governments. It is also a fact that an increasing number of people believe that the current division of natural resources and wealth is not fair. Discontent, combined with the possibilities that new information and communication technologies offer, can lead to destructive ideas.

This has become a very important battlefield in the present day, and we can foresee the trend growing in the future. It is probably important to understand that domination of a small group of people over the majority can be dangerous for that group as well.

Harry Potter 0day

Posted in Fun, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jun 21, 2007

Someone claims to have hacked the Bloomsbury Publishing network, and has posted what he says is the ending to the last Harry Potter book:

The attack strategy was the easiest one. The usual milw0rm downloaded exploit delivered by email/click-on-the-link/open-browser/click-on-this-animated-icon/back-connect to some employee of Bloomsbury Publishing, the company that’s behind the Harry crap.

I can’t believe it. Read more here.

We’re All a Little Nervous in a Post-1748 World

Posted in General, Security by Dragan Pleskonjic @ Jun 20, 2007

Many things are almost the same roughly 260 years later. See: Schneier on Security: We’re All a Little Nervous in a Post-1748 World

Book: UNIX Architecture

Posted in Books, Magazines and Journals by Dragan Pleskonjic @ Jun 20, 2007

This is a new operating systems course textbook; more details here. I contributed a little bit.

Note: The book is in Serbian. The original title is UNIX arhitektura.

Tourism Sites Suffer ‘Italian Job’ Web Attacks

Posted in Internet Security, Malicious Software by Dragan Pleskonjic @ Jun 19, 2007

Thousands of Italian tourism websites have been hit by an attack that infects the computers of visitors with malware, which then searches them for confidential information.

The attack, known as the Italian Job, has hit over 4,500 websites about travel in Italy. Trojan software is installed on the computers of people visiting the compromised sites, taking over the computer and sending bank records and other data to a server believed to be located in Chicago.

Only visitors using out-of-date versions of Microsoft’s Internet Explorer are vulnerable, since the installation relies on exploiting browser flaws that have already been patched. The attack was apparently launched using Russian software that sells for about $700. It is controlled remotely by its operators, who can redirect the flow of stolen data if the current destination server is shut down.

Trend Micro detects the injected code as HTML_IFRAME.CU: the compromised tourism pages carry an added IFRAME that silently loads the exploit page from the attackers’ server. You can read more about it on the Trend Micro website (here and here).

WordPress AndyBlue Theme URL Cross-Site Scripting

Posted in Internet Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jun 17, 2007

There is a new challenge for those of us who use WordPress as a blogging tool. According to Secunia, a new vulnerability has been discovered in the AndyBlue theme for WordPress. It can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed in the URL through the WordPress installation’s index.php script to searchform.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. Because the injected code is reflected from the request URL, the attacker needs a victim to follow a crafted link to the affected site. The vulnerability is confirmed in version 1.4; other versions may also be affected. The solution is to edit the theme’s source code so that the input is properly sanitised (HTML-encoded) before it is written into the page.
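The bug class above, a search form that writes request data into the page without HTML encoding, next to the hardened form, as an added example. This is a Python stand-in written for this post, not the theme’s PHP template or Secunia’s advisory; the attack URL is constructed and the form markup is assumed.

```python
"""Reflected XSS in a search form: request data written into attribute values
unencoded, beside the fixed version that encodes at the point of output."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumed form markup; the real theme's template differs in detail.
FORM = '<form method="get" action="%s"><input type="text" name="s" value="%s" /></form>'


def render_searchform_vulnerable(request_uri):
    """Bug: the raw request URI and search term land inside attribute values unencoded,
    so a double quote in either one closes the attribute and lets markup through."""
    term = parse_qs(urlsplit(request_uri).query).get("s", [""])[0]
    return FORM % (request_uri, term)


def render_searchform_fixed(request_uri, site_root="/"):
    """Fix: (1) do not reflect the URI at all when a fixed action will do; (2) HTML-encode
    anything that must be reflected, quotes included, as it enters the page."""
    term = parse_qs(urlsplit(request_uri).query).get("s", [""])[0]
    return FORM % (escape(site_root, quote=True), escape(term, quote=True))


def reflects_markup(html):
    """Crude check used here: does a raw tag start survive in the output?"""
    return "<script" in html.lower()


# Constructed attacker URL: closes the value="..." attribute and injects a script.
ATTACK_URI = '/index.php?s="><script>alert(document.cookie)</script>'


if __name__ == "__main__":
    print("vulnerable:", render_searchform_vulnerable(ATTACK_URI))
    print("fixed:     ", render_searchform_fixed(ATTACK_URI))
```

The fix encodes on output rather than trying to strip bad characters on input: a quote or angle bracket is harmless as data and only dangerous once it is interpreted as markup, and there is no reliable blacklist for every context in which reflected text can appear.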

Fortunately, my blog is not based on the vulnerable theme, so I’m lucky again.

Read about this vulnerability here.

SDL Crypto Code Review Macro

Posted in Cryptography, Secure Programming, Tools and Utilities by Dragan Pleskonjic @ Jun 17, 2007

Michael Howard talks about SDL crypto code review on his blog. He says:

When I review code for security bugs I basically do the following:

1) Run static analysis tools and compile with /W4 to see which source code files appear to have more warnings or errors. This may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e. line-by-line review) based on the threat models.

Michael decided to create a simple macro to help with step (2) when reviewing code for potential crypto issues. You can read about it and download the code at his blog (here).
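What such a pass looks like in practice, as an added example: a small scanner that greps source for cryptographic identifiers a project has banned and reports the line for hand review, in the spirit of step (2) above. This is my own illustration, not Michael Howard’s macro and not the SDL’s banned list; the rules below are assumptions chosen for the example, and the C sample is constructed.

```python
"""Stand-in for step (2) of the review process: find banned crypto identifiers and
report line numbers for hand review. Rule list is illustrative, not the SDL's."""
import re

# (rule name, pattern, why it is flagged). The lookarounds let CALG_MD5, MD5Init and
# DES_ecb_encrypt match while leaving DESCRIPTION or AMD5 alone.
BANNED_CRYPTO = [
    ("md-family hash", re.compile(r"(?<![A-Za-z0-9])MD[245]"),
     "MD2/MD4/MD5 are collision-broken; use SHA-256 or stronger"),
    ("sha-1", re.compile(r"(?<![A-Za-z0-9])SHA[_-]?1(?![0-9])"),
     "SHA-1 is being phased out for signatures; prefer SHA-256"),
    ("des", re.compile(r"(?<![A-Za-z])(?:3)?DES(?![A-Za-z0-9])"),
     "56-bit DES (and 3DES for new code) should give way to AES"),
    ("rc4", re.compile(r"(?<![A-Za-z0-9])RC4(?![0-9])"),
     "RC4 keystream biases; use an authenticated AES mode"),
    ("c-rand", re.compile(r"(?<![A-Za-z0-9_])s?rand\s*\("),
     "rand() is not a CSPRNG; use the platform CSPRNG for keys and tokens"),
]


def _comment_only(line):
    """Heuristic: a line that is nothing but a // or /* comment."""
    s = line.strip()
    return s.startswith("//") or s.startswith("/*")


def scan_source(text, include_comments=False):
    """Return [(line_no, rule_name, matched_text, reason)] in file order.
    Comment-only lines are skipped by default, since they are the main noise source."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not include_comments and _comment_only(line):
            continue
        for name, pattern, reason in BANNED_CRYPTO:
            m = pattern.search(line)
            if m:
                findings.append((line_no, name, m.group(0), reason))
    return findings


# Constructed sample: a mix of banned primitives, a trailing comment that points at a
# real problem (the key was created with RC4), and one clean SHA-256 call.
SAMPLE_C = r'''#include <windows.h>
#include <wincrypt.h>
// TODO: MD5 is only used for cache keys here, revisit
static void hash_block(HCRYPTPROV hProv, const BYTE *p, DWORD n) {
    HCRYPTHASH h;
    CryptCreateHash(hProv, CALG_MD5, 0, 0, &h);
    CryptHashData(h, p, n, 0);
}
static void seed(void) {
    srand((unsigned)time(NULL));
}
static int session_token(void) { return rand(); }
static void encrypt_block(HCRYPTKEY k, BYTE *buf, DWORD *len) {
    CryptEncrypt(k, 0, TRUE, 0, buf, len, *len); /* key was created with CALG_RC4 */
}
static void ok(HCRYPTPROV hProv) {
    HCRYPTHASH h;
    CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &h);
}
'''


if __name__ == "__main__":
    for line_no, name, matched, reason in scan_source(SAMPLE_C):
        print("sample.c:%d [%s] %s: %s" % (line_no, name, matched, reason))
```

As Michael notes, the noise is high: the trailing comment on the CryptEncrypt line is flagged, which here is useful (the key really was RC4) but often is not, and lines inside block comments are not skipped at all. The output is a worklist for a human, not a verdict, and step (3), reviewing the flagged code against the threat model, is where the actual finding is made.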

Schneier on ID Theft

Posted in Conferences, Events, Security by Dragan Pleskonjic @ Jun 16, 2007

At the kickoff reception for the IT Security Summit in Johannesburg, there was a bit of industrial theater about identity theft. Someone tried to pretend he was Bruce Schneier; it was pretty funny, really. Someone also captured the discussion afterwards on video.

Last night was the gala reception where we were treated to a short identity theft skit (industrial theater they called it) starring Bruce Schneier. An impostor burst in on the scene and claimed to be Bruce. He produced a passport that identified himself as Mr. Bruce Schneier. He then had his interlocutor check images on Google, FBI.gov and CIA.gov, all of which identified this bloke as Bruce. It was only after Bruce solved a simple block cypher of the words “I am Bruce” that the impostor fled the scene. Watch the video of Bruce describing the point of the exercise.

See more here.

Should We Teach Students How To Write Viruses?

Posted in Education and Training, Malicious Software by Dragan Pleskonjic @ Jun 12, 2007

Over two years ago, George Ledin wrote an essay in Communications of the ACM in which he advocated teaching computer science majors about worms and viruses. He stated in that essay:

Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors.

This spring semester, George Ledin Jr. taught the course at Sonoma State University. He created a class that taught students how to design and execute malicious programs that can take over a computer, steal information, or cause the computer to erase vital information and need a complete overhaul. Ledin believes that teaching students how to write computer viruses will give them a better understanding of how malicious programs are made and the knowledge needed to create better defenses. The controversial class, which SSU officials call the first of its kind in the nation, has drawn heavy criticism from members of the computing community. Three security software development companies sent SSU hostile letters, according to Ledin, and have pledged not to hire SSU graduates. That threat did not stop 15 students from signing up for the course. To prevent any malware created during the course from endangering any computers on the Internet, all work was done in an isolated lab disconnected from the network. Ledin acknowledged that there is a danger that some student might maliciously release a virus, but as with other academic fields that deal with dangerous and controversial material, teachers must rely on the students’ ethics. To help reinforce those ethics, SSU assistant professor of philosophy John Sullins was added to the course as a second instructor, and continuously reminded students of the potential consequences. Ledin developed the idea for this class after writing an editorial for an ACM publication emphasizing the need for better education on malware. Ledin said that despite the criticism he plans to teach the course again. “There is a perception that this is a taboo topic and shouldn’t be taught,” Ledin said. “But if we are going to develop better security, we need to know how these programs work.”

It got a lot of press coverage. Here are some articles:

Bruce Schneier commented on this:

No one wrote a virus for a class project. No new malware got into the wild. No new breed of supervillain graduated.

Teaching this stuff is just plain smart.

One of comments on this course was:

I believe that anyone who criticizes Ledin should meditate on whether the act of forbidding virus lessons could lead to a more secure computer world. This story reminds me of something I experienced in my childhood. I was a teenager, and I was supposed to have a lecture on human reproduction, but a group of parents came to my school to complain about the subject, and the school representatives decided to eliminate the subject from the program. That was a similar situation: did those parents educate their children with strong morals? Would the companies who disagree with the classes hire students with stronger ethics and morals because they couldn’t learn how to program a virus at the university? Do they know there are a lot of documents on how to do that? Are they trying to cover the sky with their hands?
Besides, the advantage of learning something with the guidance of someone with expertise is of real value. Should the academic members have the knowledge? Yes, they should!

So, should we teach students how to write viruses?

This will probably cause many discussions in the future. But I think it will end with a recommendation that we should teach students about viruses and worms, while also giving them good advice and ethical guidance in this area, much as medical doctors receive regarding human viruses.
