BKSCPRO2.RVW   20121122

“Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch,
2012, 0735668833, U$9.99
%A   Mitch Tulloch info@mtit.com www.mtit.com
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2012
%G   0735668833
%I   Microsoft Press
%O   U$9.99 800-MSPRESS fax: 206-936-7329 mspinput@microsoft.com
%O  http://www.amazon.com/exec/obidos/ASIN/0735668833/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0735668833/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735668833/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   100 p.
%T   “Security and Privacy for Microsoft Office 2010 Users”

Reducing the complex jargon in the introduction to its simplest terms, this book is intended to allow anyone who uses the Microsoft Office 2010 suite, or the online Office 365, to effectively employ the security functions built into the software.  Chapter one purports to present the “why” of security, but does a very poor job of it.  Company policy is presented as a kind of threat to the employee, and this does nothing to ameliorate the all-too-common perception that security is there simply to make life easier for the IT department, while it makes work harder for everyone else.

Chapter two examines the first security function, called “Protected View.”  The text addresses issues of whether or not you can trust a document created by someone else, and mentions trusted locations.  (Trusted locations seem simply to be defined as a specified directory on your hard drive, and the text does not discuss whether merely moving an unknown document into this directory will magically render it trustworthy.  Also, the reader is told how to set a trusted location, but not an area for designating untrusted files.)  Supposedly “Protected View” will automatically restrict access to, and danger from, documents you receive from unknown sources.  Unfortunately, having used Microsoft Office 2010 for a couple of years, and having received, in that time, hundreds of documents via email and from Web sources, I’ve never yet seen “Protected View,” so I’m not sure how far I can trust what the author is telling me.  (In addition, Tulloch’s discussion of viruses had numerous errors: Concept came along five years before Melissa, and some of the functions he attributes to Melissa are, in fact, from the CHRISTMA exec over a decade earlier.)

Preparation of policy is promised in chapter three, but this isn’t what most managers or security professionals would think of as policy: it is just the provision of a function for change detection or digital signatures.  It also becomes obvious, at this point, that Microsoft Office 2010 and Office 365 can have significantly different operations.  The material is quite confusing with references to a great many programs which are not part of the two (2010 and 365) MS Office suites.

Chapter four notes the possibility of encryption with a password, but the discussion of rights is unclear, and a number of steps are missing.

An appendix lists pointers to a number of references at Microsoft’s Website.

The utility of this work is compromised by the fact that it provides instructions for functions, but doesn’t really explain how, and in what situations, the functions can assist and protect the user.  Any employee using Microsoft Office will be able to access the operations, but without understanding the concepts they won’t be able to take advantage of what protection they offer.

copyright, Robert M. Slade   2012     BKSCPRO2.RVW   20121122

Recently therewas some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that I can both a) remember, and b) that wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try and guess what is the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This is a two-factor authentication: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and I, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:

http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition 

PCAVAST7.RVW   20120727
Comparison Review

Company and product:

Company: ALWIL Software
Address: Trianon Office Bldg, Budejovicka 1518/13a, 140 00, Prague 4
Phone:   00 420 274 005 777
Fax:     00 420 274 005 888
Sales:   +42-2-782-25-47
Contact: Kristyna Maz nkov /Pavel Baudis/Michal Kovacic
Email:   mazankova@avast.com baudis@asw.cz
Other:   http://www.avast.com
Product: AVAST! antiviral

Summary: Multilayered Windows package

Cost: unknown

Rating (1-4, 1 = poor, 4 = very good)
“Friendliness”
Installation      3
Ease of use       4
Help systems      1
Compatibility           3
Company
Stability         3
Support           2
Documentation           1
Hardware required       3
Performance             3
Availability            3
Local Support           1

General Description:

Multilayered scanning, activity-monitoring, and change-detection software.  Network protection including Web and email monitoring.

Comparison of features and specifications

User Friendliness

Installation

The product is available as a commercial package, but also as a free download for home or non-commerecial use.  As previously noted in other reviews, this is highly desirable not simply as a marketing and promotional effort by the company, but because making malware protection available to the general public reduces the malware threat for the entire computing and network environment.  One important
aspect is that the free version, unlike some antivirus products which reduce available functions, appears to be complete.  Scanning, disinfection, network protection, reporting, and management functions all seem to be included in the free version, making Avast a highly recommended product among free downloads.

I downloaded the free version, and installed it with no problem.  It was compatible with Windows 7, as well as previous versions.  The basic installation and configuration provides realistic protection, even for completely naive users.

Ease of use

With ten basic, and a larger number of minor, functions now included in the program, the interface is no longer very easy to figure out.  For example, one of the first things I (as a specialist) need to do is to turn off scanning of my “zoo” directory.  I initially thought this might be under the large “Maintenance” button.  No, “maintenance” is reserved for upgrading and buying additional features.  I did finally find the function I wanted under a much smaller “Settings” tab.  However, as noted, most users will not require any additional functions, and need not worry about the operation of the program.  The default settings provide decent protection, and updating of signatures, and even the basic program, is almost automatic.  (The updates for the free version do push the user to “upgrade” to the commercial version, but it is not necessary.)

I located (eventually) some great functions in the program which I found very helpful.  Admittedly, I’m a very special case, since I research malware.  But I really appreciated the fact that not only could I turn scanning off for a particular directory (my “zoo”), and that I could pull programs out of the quarantine easily, but that I could also turn off individual network protection functions, very easily.  Not only could I turn them off, but I was presented with options to stop for 10 minutes, 1 hour, until the next reboot, or permanently.  Therefore, I could turn off the protection for a quick check, and not have to remember to turn it on again for regular work and browsing.

However, I cannot commend Avast for some of the reporting and logging functions.  Late in the review period it reported an “infected” page, but refused to tell me where/what it is.  In addition, recently Avast has been blocking some of my email, and the message that an email has been blocked is the only available information.

Help systems

Help is available onscreen, but it is not easy to find.  There is no help button on the main screen: you have to choose “? Support,” and then, from a list of six items choose the last one, “Program Help.”  (The standard Windows F1 key does bring up the help function.)  Most other help is only available online via the Web, although there is a downloadable PDF manual.

Compatibility

The system scores well in malware detection ratings from independent tests.  I have been running Avast for over a year, and have not seen a false positive in a scan of the computer system.  I have observed only one false positive blockage of “known good” Websites or email, although this is of some concern since it involved the updating of another malware package under test.

Company Stability

Avast has been operating (previously as Alwil Software) for over twenty years.  The program structure is thoughtful and shows mature development.

Company Support

As noted, most is via the Web.  Unfortunately, in the recent case of a false positive the company, even though I had alerted them to the details of both the review and the warning I had noted, there was no useful response.  I received email stating that someone would review the situation and get back to me, but there was no further response.

Documentation

The documentation available for download is primarily for installation and marketing.

System Requirements

The system should run on most extent Windows machines.

Performance

The antivirus system has minimal impact on the computer system.  When performing a full scan, there are other programs that run faster, but Avast runs very well unattended.

As noted above, the free version has complete and very useful functionality.

Local Support

None provided.

Support Requirements

Basic operation and scanning should be accessible to the novice or average user.

copyright Robert M. Slade, 1995, 2012   PCAVAST7.RVW   20120727

Apparently it’s all our fault. Again. Not only is anti-virus useless, but we’re responsible for the evolution and dramatic increased volume of malware. According to something I read today “If it wasn’t for the security industry the malware that was written back in the 90’s might still be working today.”

I guess that’s not as dumb as it sounds: we have forced the malware industry to evolve (and vice versa). But you could just as easily say:

“The medical profession is responsible for the evolution and propagation of disease. If it wasn’t for the pharmaceutical industry illnesses that killed people X years ago might still be killing people today.”

And to an extent, it would be true. Some conditions have all but disappeared, at any rate in regions where advanced medical technology is commonplace, but other harder-to-treat conditions have appeared, or at least have achieved recognition.

I can think of plenty of reasons for being less than enthusiastic about the static-signature/malcode-blacklisting approach to malware deterrence, though I get tired of pointing out that commercial AV has moved a long way on from that in the last couple of decades. Even so, if pharmaceutical companies had to generate vaccines at the rate that AV labs have to generate detections (even highly generic detections) we’d all have arms like pincushions.

However, there are clear differences between ‘people’ healthcare and PC therapeutics. Most of us can’t trust ourselves as computer users (or the companies that sell and maintain operating systems and applications) to maintain a sufficiently hygienic environment to eliminate the need to ‘vaccinate’. It’s not that we’re all equally vulnerable to every one of the tens or hundreds of thousands of malicious samples that are seen by AV labs every day. Rather, it’s the fact that a tailored assessment of which malware is a likely problem for each individual system, regardless of provenance, region, and the age of the malware, is just too difficult. It’s kind of like living at the North Pole and taking prophylactic measures in case of Dengue fever, trypanosomiasis and malaria.

Fortunately, new or variant diseases tend not to proliferate at the same rate that malware variants do, and vaccines are not the only way of improving health. In fact, lots of conditions are mitigated by better hygiene, a better standard of living, health-conscious lifestyles and all sorts of more-or-less generic factors. There’s probably a moral there: commonsense computing practices and vitamin supplements – I mean, patches and updates – do reduce exposure to malicious code. It’s worth remembering, though, that even if AV had never caught on, evolving OS and application technologies would probably have reduced our susceptibility to antique boot sector viruses, macro viruses, and DOS .EXE infectors. Is it really likely that they wouldn’t have been replaced by a whole load of alternative malicious technologies?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.

I really don’t understand the people who keep yelling that security awareness is no good.  Here’s the latest rant.

The argument is always the same: security awareness is not 100% foolproof protection against all possible attacks, so you shouldn’t (it is morally wrong to?) even try to teach security awareness in your company.

This guys works for  a security consultancy.  He says that instead of teaching awareness, you should concentrate on audit, monitoring, protecting critical data, segmenting the network, access creep, incident response, and strong security leadership.  (If we looked into their catalogue of seminars, I wonder what we would find them selling?)

Security awareness training isn’t guaranteed to be 100% effective protection.  Neither is AV, audit, monitoring, incident response, etc.  You still use those thing even though they don’t guarantee 100% protection.  You should at least try (seriously) to teach security awareness.  Maybe more than just a single 4 hour session.  (It’s called “defence in depth.”)

Tell you what: I’ll teach security awareness in my company, and you try a social engineering attack.  You may hit some of my people: people aren’t perfect.  But I’ll bet that at least some of my people will detect and report your social engineering attack.  And your data isolation won’t.

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are
likely to be telling a lie.  Glancing up to the left, on the other hand, is said to
indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large
percentage of the public believes that certain eye movements are a sign of lying,
and this idea is even taught in organisational training courses. … The claimed link
between lying and eye movements is a key element of neuro-linguistic
programming.

“According to the theory, when right-handed people look up to their right they
are likely to be visualising a ‘constructed’ or imagined event.  In contrast when
they look to their left they are likely to be visualising a ‘remembered’ memory.
For this reason, when liars are constructing their own version of the truth, they
tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The
results of the first study revealed no relationship between lying and eye
movements, and the second showed that telling people about the claims made by
NLP practitioners did not improve their lie detection skills.’

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)

In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, An outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched https://shouldichangemypassword.com/

They are getting lots of press.

“If you don’t know, a website called ShouldIChangeMyPassword.com will
tell you. Just enter your email—they won’t store your address unless
you ask them to—and click the button that says, “Check it.” If your
email has been associated with any of a large and ever-growing list
of known password breaches, including the latest Yahoo hack, the
site will let you know, and advise you to change it right away.”

Well, I tried it out, with an account that gets lots of spam anyway.  Lo and behold, that account was hacked!  Well, maybe.

(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)

The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one.  It is for a local community site that used to be a “Free-net.”  I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site.  So I wasn’t completely surprised to see the address had been hacked.  I do get email through it, but, as noted, I also get (and analyse) a lot of spam.

When you get the notification, it tells you almost nothing.  Only that your account has been hacked, and when.  However, you can find a list of breaches, if you dig around on the site.  This list has dates.  The only breach that corresponded to the date I was given was the Strategic Forecasting breach.

I have, in the past, subscribed to Stratetgic Forecasting.  But only on the free list.  (Nothing on the free list ever convinced me that the paid version was worth it.)  So, my email address was listed in the Strategic Forecasting list.  But only my email address.  It never had a password or credit card number associated with it.

It may be worth it as a quick check.  However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.

Apple has obtained a patent for “identity pollution,” according to the Atlantic.

I am of not just two, but a great many minds about this.  (OK, admit it: you always knew I was schizophrenic.)

First off, I wonder how in the world they got a patent for this.  OK, maybe there isn’t much in the way of prior art, but the idea can’t possibly be called “non-obvious.”  Even before the rise of “social networking” I was prompting friends to use my “loyalty” shopping cards, even the ones that just gave discounts and didn’t get you points.  I have no idea what those stores think I buy, and I don’t much care, but I do know that they have very little about my actual shopping patterns.

In our advice to the general population in regard to Internet and online safety in general, we have frequently suggested a) don’t say too much about yourself, and b) lie.  Isn’t this (the lying part) exactly what Apple is doing?

In similar fashion, I have created numerous socmed accounts which I never intended to use.  A number of them are simply unpopulated, but some contain false information.  I haven’t yet gone to the point of automating the process, but many others have.  So, yet another example of the US patent office being asleep (Rip-Van-Winkle-level asleep) at the technological switch.

Then there is the utility of the process.  Yes, OK, we can see that this might (we’ll come back to the “might”) help protect your confidentiality.  How can people find the “you” in all the garbage?  But what is true for advertisers, spammers, phishers, and APTers is also true for your friends.  How will the people who you actually *want* to find you, find the true you among all the false positives?

(Here is yet another example of the thre “legs” of the security triad fighting with each other.  We have endless examples of confidentiality and availability working against each other: now we have confidentiality and integrity at war.  How do you feel, in general, about Apple recommending that we creating even more garbage on the Internet than is already there?)

(Or is the fact that it is Apple that is doing this somehow appropriate?)

OK, then, will this work?  Can you protect the confidentiality of your real information with automated false information?  I can see this becoming yet another spam/anti-spam, CAPTCHA/CAPTCHA recognition, virus/anti-virus arms race.  An automated process will have identifiable signs, and those will be detected and used to ferret out the trash.  And then the “identity pollution” (a new kind of “IP”?) will be modified, and then the detection will be modified …

In th meantime, masses of bandwidth and storage will be consumed.  Socnet sites will be filled with meaningless accounts.  Users of socmed sites will be forced to spend even more time winnowing out those accounts not worth following.  Socnet companies will be forced to spend more on storage and determination of false accounts.  Also, their revenues will be cut as advertises realize that “targetted” ads will be less targetted.

Of course, Apple will be free to create a social networking site.  They already have created pieces of such.  And Apple can guarantee that Apple product users can use the site without impedance of identity pollution.  And, since Apple owns the patent, nobody else will be able to pollute identities on the Apple socnet site.

(And if Apple believes that, I have a bridge to sell them …)

No!  I’m *not* asking for validation to join a security group on LinkedIn!

Apparently several million passwords have been leaked in an unsalted file, and multiple entities are working on cracking them, even as we speak.  (Type?)

So, odds are “low but significant” that your LinkedIn account password may have been cracked.  (Assuming you have a LinkedIn account.)  So you’d better change it.

And you might think about changing the password on any other accounts you have that use the same password.  (But you’re all security people, right?  You’d *never* use the same password on multiple accounts …)

Today is Tuesday for me, but it’s not “second Tuesday,” so it shouldn’t be patch Tuesday.  But today my little netbook, which is set just to inform me when updates are available, informed me that it had updated, but I needed to reboot to complete the task, and, if I didn’t do anything in the next little while it was going to reboot anyway.

Yesterday, of course, wasn’t patch Tuesday, but all my machines set to “go ahead and update” all wanted to update on shutdown last night.

This is, of course, because of Flame (aka Flamer, aka sKyWIper) has an “infection” module that messes with Windows/Microsoft Update.  As I understand it, there is some weakness in the update process itself, but the major problem is that Flame “contains” and uses a fake Microsoft digital certificate.

You can get some, but not very much, information about this from Microsoft’s Security Response Center blog.  (Early mention.  Later.)

You can get more detailed information from F-Secure.

It’s easy to see that Microsoft is extremely concerned about this situation.  Not necessarily because of Flame: Flame uses pretty old technology, only targets a select subset of systems, and doesn’t even run on Win7 64-bit.  But the fake cert could be a major issue.  Once that cert is out in the open it can be used not only for Windows Update, but for “validating” all kinds of malware.  And, even though Flame only targets certain systems, and seems to be limited in geographic extent, I have pretty much no confidence at all that the blackhat community hasn’t already got copies of it.  (The cert doesn’t necessarily have to be contained in the Flame codebase, but the structure of the attack seems to imply that it is.)  So, the only safe bet is that the cert is “in the wild,” and can be used at any time.

(Just before I go on with this, I might say that the authors of Flame, whoever they may be, did no particularly bad thing in packaging up a bunch of old trojans into one massive kit.  But putting that fake cert out there was simply asking for trouble, and it’s kind of amazing that it hasn’t been used in an attack beofre now.)

The first thing Microsoft is doing is patching MS software so that it doesn’t trust that particular cert.  They aren’t giving away a lot of detail, but I imagine that much midnight oil is being burned in Redmond redoing the validation process so that a fake cert is harder to use.  Stay tuned to your Windows Update channel for further developments.

However, in all of this, one has to wonder where the fake cert came from.  It is, of course, always possible to simply brute force a digital signature, particularly if you have a ton of validated MS software, and a supercomputer (or a huge botnet), and mount a birthday (collision) attack.  (And everyone is assuming that the authors of Flame have access to the resources of a nation-state.  Or two …)  Now the easier way is simply to walk into the cert authority and ask for a couple of Microsoft certs.  (Which someone did one time.  And got away with it.)

But then, I was thinking.  In the not too distant past, we had a whole bunch of APT attacks (APT being an acronym standing for “we were lazy about our security, but it really isn’t our fault because these attackers didn’t play fair!”) on cert authorities.  And the attacks got away with a bunch of valid certs.

OK, we think Flame is possibly as much a five years in the wild, and almost certainly two years.  But it is also likely that there were updates during the period in the wild, so it’s hard to say, right off the top, which parts of it were out there for how long.

And I just kind of wonder …

I’ve used Ad-Aware in the past, and had it installed on my machine.  Today it popped up and told me it was out of date.  So, at their suggestion, I updated to the free version, which is now, apparently, called Ad-Aware Free Antivirus+.  It provides for real-time scanning, Web browsing protection, download protection, email protection, and other functions.  Including “superfast” antivirus scanning.  I installed it.

And almost immediately removed it from the machine.

First off, my machine bogged down to an unusable state.  The keyboard and mouse froze frequently, and many programs (including Ad-Aware) were unresponsive for much of the time.  Web browsing became ludicrous.

There are some settings in the application.  For my purposes (as a malware researcher) they were inadequate.  There is an “ignore” list, but I was completely unable to get the program to “ignore” my malware zoo, even after repeated efforts.  (The interface for that function is also bizarrely complex.)  However, I’m kind of a non-typical user.  However, the other options would be of little use to anyone.  For the most part they were of the “on or off” level, and provide almost no granularity.  That makes them simple to use, but useless.

I’ve never used Ad-Aware much, but it’s disappointing to see yet another relatively decent tool “improved” into non-utility.

Well, I thought it was ironic that the biggest solar storm in years is hitting the earth tonight … while CanSecWest is on …

So far today we have had talks on security (and vulnerabilities) during the boot process, a talk on pen testing (and the presenter seemed to be alternately talking about how to choose a pen tester, and how to do pen testing), and social authentication.

The social authentication talk was by Alex Rice from Facebook.  He noted that, even though Facebook only challenges a small fraction of a percent of logins, given the user base that means more then a million every day.  When a login is challenged, a standard response has been the good old “security questions”: mother’s maiden name, birthdate, and other pieces of information that might not be too hard for someone intent on breaking into your account to find out.

Alex went through the limitations of security questions, and then moved to other possibilities.  Security questions comes under the heading of “things you know,” so they looked at “things you have.”  For example, you have to have an email address, so there is the possibility of a challenge sent to your email.  (Google, of course, figures that everyone in the world has a cell phone that can receive text messages.)

Recently, Facebook has started to use the photos that people post on their pages, particularly those that have been tagged.  Basically, if your login gets challenged, you will be shown a series of pictures, and you should be able to identify who is, or is not, in the picture, out of your list of friends.  This is the subject of a blog post noting that it isn’t perfect.

There are additional problems.  As the post notes, the situation is less than ideal if you have a huge number of “friends.”  (As Bruce Schneier’s new book notes, if you have more than 150 friends, you probably aren’t friends with many of them.)  Even if you do know your “friends,” there is nothing to say that any given picture of them will be recognizable.  In fact, since the system relies on tagging, there are going to be pictures of weird objects that people have deliberately tagged as themselves, in joking fashion.

Therefore, this system is definitely not perfect, as the questions at the end pointed out.  Unfortunately, Alex had passed, rather quickly, over an important point.  The intent of the system, in Facebook’s opinion, was to reduce the amount of account spam sent via accounts that had been compromised.  In that regard, the system probably works very well.  False logins get challenged.  Some of the challenges are false positives.  The photo system is a means of allowing a portion (a fairly large portion, probably) of users to recover their accounts quickly.  For the remaining accounts, there are other means to recover the account, even though these are more time-consuming for both Facebook and the user.  This system does reduce the total amount of time spent by both users (in the aggregate, even if individual users may feel hard done by) and Facebook.

I first saw this, appropriately enough, on Improbable Research.  It’s appropriate, because, when you see it, first it makes you laugh.  Then it makes you think.

This guy has created a paper safe.  Yeah, you got that right.  A safe, made out of paper.  No, not special paper: plain, ordinary paper, the kind you have in your recycling bin.  He’s even posted a video on YouTube showing how it works.

Right, so everyone’s going to have a good laugh, yes?  Paper isn’t going to provide any protection, right?  It’s a useless oddity, of interest only to those with an interest in origami, and more free time on their hands than any security professional is likely to get.

Except, then you start thinking about it (if you are any kind of security pro.)  First off, it’s a nice illustration of at least one form of combination lock.  And then you realize that the lock is going to be useless unless it’s obscured.  So that brings up the topic of maybe security-by-obscurity does have a function sometimes.

Then you start thinking that maybe it isn’t great as a preventive control, but it sure works as a detective control.  Yeah, it’s easy to smash and get out whatever was in there.  But it’ll sure be obvious if you do.

So that brings up different types of controls, and the reasons you might want different controls in different situations, and whether some perfectly adequate controls may be a) overkill, or b) useless under certain conditions.

It’s not just a cute toy.  It’s pretty educational, too.  No, I’m not going to keep my money in it.  But it makes you think …