What TV understands about crypto

One of only two shows that we actually watch on television is “Murdoch Mysteries.”  Set in Toronto, circa 1900, it shows Detective Murdoch “inventing” much of modern forensics using the technology of the time.  Some of it might actually work  :-)

The latest episode, “Invention Convention” (season 5 episode 9) had someone promoting “i-mail” (instant mail), which Gloria thought was Telex, and I figured was more akin to fax.  (For those in Canada, CityTV runs “Murdoch” a number of times during the week, but won’t say which ones are the current season, and which are older.  I’m pretty sure this episode will be relayed at 8 pm on Saturday.  For those outside Canada, I’m not sure whether you can watch the episode on the Website.)  Part of the plot turned on someone sending encrypted messages.

The code used by the group is a form of Caesar cipher, aided by an Alberti disk.  In reality, by 1700 this probably would have been considered old hat: Casanova writes of breaking what must have been at least a shuffled alphabet cipher.  (In the episode an “analytical engine” is used to try and brute force the Caesar cipher.)  Autocode and other forms were well established by 1900.  (De Vigenere created one form of autocode, rather than the cipher which bears his name, which he considered weak.)

In the end, the code turns out to be based on a keyboard layout, which probably was not completely standard by that time.  Which would, in any case, have been a simple substitution cipher, and easily breakable by frequency analysis (one case of which was said to have failed in the plot).

First “socmed” games?

I have been interested in the LOCOG insistence that the 2012 games are the first “social media” games.  (Apparently 2010 didn’t count since the winter Olympics aren’t “real” Olympic games: ancient Greece had no curling sheets, and there were problems using Mount Olympus for the downhill events.)

It’s particularly interesting that so many people are having problems using networking to watch the “first social media games.”

Among other things

Passwording: checklists versus heuristics

The trouble with lists of ‘Top Umpteen’ most-used passwords like Mark Burnett’s is that they don’t really teach the everyday user anything. (Yes, I’m another of those sad people like Rob Slade who believe that education and reducing Security unawareness is actually worth doing.)

Since I’ve quoted Burnett’s top 500 and one or two other sources from time to time in blogs here and there, I’ve noticed that those articles tend to pick up a fair amount of media attention, and after the Yahoo! debacle I noticed several journalists producing lists of their own. But they’re missing the point, at least in part.

Not using (say) the top 25 over-used passwords will reduce the risk for accounts that are administered with a ‘three strikes and you’re blocked’ approach to blocking password guessing, but where authentication is less strict, 25 may not be enough. Heck, 10,000 may not be enough. At any rate, if an end user is expected to check that they aren’t using a common password, 10,000 is a pretty big checklist, and still doesn’t provide real protection against a determined dictionary attack. It’s the difference between static signature detection and heuristics: it might be useful to know that ‘password’ is a particularly bad choice because everyone uses it, but which of these approaches is more helpful?

(1)
Don’t use ‘a’
Don’t use ‘aa’
Don’t use ‘aaa’

Don’t use ‘aaaaaaaaaaaaaaaaaaaaaaa’
Don’t use ‘b’
Don’t use ‘bb’

(2) Don’t use any password consisting of a single character repeated N times

See A Torrent of Abuse for a flippant attempt at approach (2) implemented through parody.
But then, any password is only as good as the service to which it gives access: it doesn’t matter if the provider is incapable of providing competent security: Lessons in website security anti-patterns by Tesco. And I have some sympathy with the view that if you can find a decent password manager it saves you a lot of thinking and reduces the temptation to re-use passwords and risk a cascade of breaches when one of your providers slips up.

David Harley
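To make the checklist-versus-heuristic contrast concrete, here is an added example (not code from the post or from any of the sources it links): approach (1) as a fixed blocklist, approach (2) as a rule, and a small generalisation of (2) that also catches a short block repeated (‘abab’, ‘123123’). The blocklist entries are a constructed stand-in, not Burnett’s actual top 500.

```python
# Added illustration of the two approaches discussed above.
# COMMON_PASSWORDS is a constructed sample standing in for a "top N" list.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
})


def is_blocklisted(pw: str, blocklist=COMMON_PASSWORDS) -> bool:
    """Approach (1): static signature match against a fixed checklist."""
    return pw.lower() in blocklist


def is_repeated_char(pw: str) -> bool:
    """Approach (2): one character repeated N times ('a', 'aa', 'bbbbbb')."""
    return len(pw) > 0 and len(set(pw)) == 1


def is_repeated_block(pw: str) -> bool:
    """Generalisation of (2), an assumption beyond the post: the whole
    password is some shorter block repeated two or more times ('abab',
    '123123'). A string made of k >= 2 copies of a block always occurs
    inside (pw + pw) once its first and last characters are stripped."""
    return len(pw) >= 2 and pw in (pw + pw)[1:-1]


def checklist_for_repeats(alphabet: str, max_len: int) -> set:
    """How big approach (1) gets if it has to express rule (2) as a list:
    one entry per character per length, i.e. len(alphabet) * max_len."""
    return {c * n for c in alphabet for n in range(1, max_len + 1)}


def weak_password_reasons(pw: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return every reason the password fails; an empty list means it
    passed these (deliberately minimal) checks."""
    reasons = []
    if is_blocklisted(pw, blocklist):
        reasons.append("on common-password checklist")
    if is_repeated_char(pw):
        reasons.append("single character repeated")
    elif is_repeated_block(pw):  # repeated char is a special case of this
        reasons.append("short block repeated")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the checklist alone catches only the first.
    for candidate in ["Password", "zzzz", "123123", "abcab"]:
        print(candidate, weak_password_reasons(candidate) or "no rule fired")
    # Spelling out rule (2) for a-z up to 23 characters needs 598 entries.
    print(len(checklist_for_repeats("abcdefghijklmnopqrstuvwxyz", 23)))
```

The blocklist catches only the spellings it contains; the single rule in `is_repeated_char` covers every length and every character, which is the post’s point.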

REVIEW: “Young People, Ethics, and the New Digital Media”

BKYPENDM.RVW   20120125

“Young People, Ethics, and the New Digital Media: A Synthesis from the
GoodPlay Project”, Carrie James et al, 2009, 978-0-262-51363-0
%A   Carrie James
%A   Katie Davis
%A   Andrea Flores
%A   John M. Francis
%A   Lindsay Pettingill
%A   Margaret Rundle
%A   Howard Gardner
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   2009
%G   978-0-262-51363-0 0-262-51363-3
%I   MIT Press
%O   +1-800-356-0343 fax: +1-617-625-6660 www-mitpress.mit.edu
%O  http://www.amazon.com/exec/obidos/ASIN/0262513633/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0262513633/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0262513633/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P
%T   “Young People, Ethics, and the New Digital Media”

It is not until more than a tenth of this book has passed before the authors admit that this is, in essence, only a proposal for a study which they hope will be carried out in future.  No actual research or interviews have been conducted, so there aren’t really any results to be reported.  The authors hypothesize that five factors are involved in “media-identity”: “privacy, ownership and authorship, credibility, and participation.”  (Yes, I agree that it looks like four factors, expressed that way.  But the authors repeatedly express it in exactly that way, and insist that it makes five.)

The authors note that social networking (or social media, or new digital media) is a frontier, and thus lacks comprehensive and well-enforced rules and regulations.  Social media permits and encourages “participatory cultures,” with relatively low barriers to artistic expression and “civic” engagement, strong support for creating and sharing creations, and some type of informal mentorship whereby what is  known by the most experienced is passed along to novices.  The goals of the project are to investigate the ethical values and structures of new media and to create entities to promote ethical thinking and conduct.

The project is also to focus on “play,” with a fairly broad definition of that term, including gaming, instant messaging, social networking, participation in fan fiction groups, blogging, and content creation including video sharing.  Some of these activities may lead to employment, but are undertaken without support, rewards, and constraints of adult supervisors, and without explicit standards of conduct and quality.  “Good play” is defined as online conduct that is both meaningful and engaging to the participant and responsible to others in the community in which it is carried out.

A number of questions are raised in this book, but few are answered in any way at all.  While there is some review of existing work in related areas, it is hardly comprehensive, convincing, or useful.  It is difficult to say what the intent of publishing this book was.

copyright, Robert M. Slade   2012     BKYPENDM.RVW   20120125

Censorship with a broad brush

Just in case you have been hiding under a (Higgs or non-Higgs) rock for the past few weeks, TomKat is breaking up [1].  Tom Cruise is a highly visible Scientologist.  Many people have been commenting on possible Scientology aspects of the breakup.  Scientology seems to break out in a rash whenever anyone mentions the cult.

So, someone has provided a simple means for Scientologists to try and ensure that any mention of Scientology, or the event, or anything, is removed.

The main thrust of the instruction is that everybody will have a “code of conduct” on their Website, and every code of conduct will ban anything that “defames, degrades… an individual or group,” or something similar.  So, you just blanket object to everything on that basis.

I think it should work pretty well.  I’d say that, following Lord Northcliffe’s dictum that “News is what somebody, somewhere wants to suppress.  All the rest is advertising,” any interesting posting could be seen, by someone, as defaming or degrading some individual or group …

Of course, there are many other forms of censorship.  Here in Canada, the government is using funding cuts, threats of funding cuts, and even direct diplomatic office intervention, in order to block theatrical performances it doesn’t like.

REVIEW: “Eleventh Hour CISSP Study Guide”, Eric Conrad

BK11HCSG.RVW 20120210

“Eleventh Hour CISSP Study Guide”, Eric Conrad, 2011,
978-1-59749-566-0, U$24.95
%A Eric Conrad
%C 800 Hingham Street, Rockland, MA 02370
%D 2011
%G 978-1-59749-566-0 1-59749-566-2
%I Syngress Media, Inc.
%O U$24.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597495662/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597495662/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597495662/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 196 p.
%T “Eleventh Hour CISSP Study Guide”

“Eleventh Hour” would seem to imply that this is a last minute option.  I would not rely on this book as a last ditch option if you haven’t studied. It’s a reviewer’s dream (or nightmare): an embarrassment of riches in terms of errors. But I should keep this review to a reasonable size, so I’ll only mention a few illustrative goofs.

Chapter one addresses security management. The coverage of risk management is superficial, facile, and disjointed. The author adds extra factors into the CBK (Common Body of Knowledge). He stresses “return on investment” without addressing the controversy over whether “return on security investment” actually exists. There are some references based on the NIST (US National Institute of Standards and Technology) which are good, but insufficient. Each chapter ends with a list of the “Top Five Toughest Questions” for that domain. Usually one (20%) is flatly wrong, and the rest address trivia, missing the concepts and ramifications which are the real objectives of the CISSP examination.

Chapter two looks at access control. No, integrity concerns are not limited to authorization issues. “Counter-based synchronous dynamic token” makes no sense: both counter and dynamic obviate the need for synchronization. No, most keyboard dynamics systems would not measure pressure. In regard to cryptography, in chapter three, yes, CBC (Cipher Block Chaining) would propagate errors, which is why it is only used with self-correcting algorithms (which DES – Data Encryption Standard – is). And, yes, using ECB (Electronic Code Book) identical data blocks produce identical cipher blocks, but similar data blocks produce vastly dissimilar cipher blocks. (That is part of the measure of a good cipher algorithm.) Chapter five deals with physical security. If you can still find a soda/acid extinguisher don’t try to use it on burning liquids: it doesn’t produce much foam, mostly a simple stream of water. And merely because a CRT (Cathode Ray Tube) is analogue does not mean it is incompatible with digital devices such as CCD (Charge Coupled Device) cameras: until I got my first laptop, all the monitors for my (digital) computers were CRTs. Respecting architecture (chapter five), “open systems” refers to the use of standard protocols, not parts. TOC/TOU (Time Of Check vs Time Of Use) is not a race condition, and does not require a change of state.  Polyinstantiation is not related to entity integrity. Chapter six reviews Business Continuity Planning: RPO (Recovery Point Objective) is the minimal level of operation the business needs to function, not the time taken to get there, and a hot site is not a mirror.

Studying telecommunications? It is the domain with the largest mass of information, and chapter seven is pathetically small: there is no mention of topologies, telephony, routing, and details of the protocols are scant to the point of being non-existent. The OSI (Open Systems Interconnection) model is a model, not a network protocol (although there is, also, an OSI suite of protocols), and can therefore be used to analyze any protocol suite. Neither ATM (Asynchronous Transfer Mode) nor Ethernet are restricted to the physical (which, in any case, does not deal with data, but with signals).

Chapter eight takes a stab at applications security. SDL (System Life Cycle) is not identical to SDLC (System Development Life Cycle) but contains it. The explanations in this domain are particularly poor, even by the low standards of this work. Similarly, the material on operations security, in chapter nine, is more random than in other chapters, and duplicates more content found elsewhere.

I was surprised to find that chapter ten, on law and investigations, wasn’t all that bad. There are still plenty of errors (no, only one of the four points given is one of the seven basics of the European Directives on privacy), but many of the base concepts are there, and presented reasonably. There is, however, almost nothing on management of investigations, and incident response isn’t even mentioned.

There are at least a dozen other options I’ve reviewed at http://victoria.tc.ca/techrev/mnbkscci.htm, and this actually isn’t the worst. But maybe I was a bit too hard at the beginning. You could use this book for a bit of last minute studying. If you can find at least one error per page, you are in good shape to write the exam.

copyright, Robert M. Slade 2012 BK11HCSG.RVW 20120210

Security unawareness

I really don’t understand the people who keep yelling that security awareness is no good.  Here’s the latest rant.

The argument is always the same: security awareness is not 100% foolproof protection against all possible attacks, so you shouldn’t (it is morally wrong to?) even try to teach security awareness in your company.

This guy works for a security consultancy.  He says that instead of teaching awareness, you should concentrate on audit, monitoring, protecting critical data, segmenting the network, access creep, incident response, and strong security leadership.  (If we looked into their catalogue of seminars, I wonder what we would find them selling?)

Security awareness training isn’t guaranteed to be 100% effective protection.  Neither is AV, audit, monitoring, incident response, etc.  You still use those things even though they don’t guarantee 100% protection.  You should at least try (seriously) to teach security awareness.  Maybe more than just a single 4 hour session.  (It’s called “defence in depth.”)

Tell you what: I’ll teach security awareness in my company, and you try a social engineering attack.  You may hit some of my people: people aren’t perfect.  But I’ll bet that at least some of my people will detect and report your social engineering attack.  And your data isolation won’t.

Citizen cyber-protectors?

Marc Goodman (who I believe is FutureCrimes on Twitter and the Web) gave a recent TED talk on trends in the use of high technology in crime.

The 20 minute talk is frightening, with very little in the way of comfort for the protection or security side.  He ends with a call for crowdsourcing of protection.

Now as a transparent society/open source/full disclosure kind of guy, I like the general idea.  But, as someone who has been involved in education, security awareness, and professional security training for some time, I see a few problems.  For crowdsourcing to work, you need a critical mass of at least minimally capable people.  When you are talking about a weather reporting app, that minimal capability isn’t much. When you are talking about detecting cyberwar or bioweapons, the capability levels are a bit different.

Just yesterday the PNWER (Pacific NorthWest Economic Region) conference became the latest to bemoan the lack of trained employees.  I rather suspect these constant complaints, since I see lots of people out of work.  But the people who are whining about employees are just looking for network admins and such.  We need people with more depth and more breadth in their backgrounds.  I get CISSP candidates in my seminars who are network admins who simply want to know a few ACLs for firewalls.  I have to keep telling them that security professionals need to know more than that.

Yes, I am privileged to be able to meet a number who *are* interested in learning everything possible in order to meet any need or problem.  But, relatively speaking, those are few.  And my sample set tends to be abnormal, in that these are people who have already shown some interest in training (even if only job related).  What Goodman is talking about is the general public.  And those of us who have actually tried security awareness know how little conceptual awareness we have to build on, let alone advanced technical knowledge.

I think awareness, self-protection, and crowdsourcing is probably the only good way to approach the problems Goodman outlines.  I just worry that we have a long way to go.

About the reported beSTORM “Vulnerability”

A few people asked me about the advisory posted on exploit db (Now also on SecurityFocus) that talks about a security vulnerability in beSTORM, which would be ironic since it’s a fairly simple vulnerability to find by fuzzing, and beSTORM is, after all, a fuzzer.

I always thought security holes in security products were especially funny. You expect security companies to know better, right? Well, as usual, it’s much less funny when it happens to you. Seeing reports about a vulnerability in beSTORM wasn’t amusing.

The thing is, the vulnerability is not in beSTORM, it is not remote, and on top of all – the exploit PoC does not work as advertised. Now comes the second irony: I’ve been on the management team of a security database for the past 14 years, and I’m sure more than one vendor cursed me to walk a mile in their shoes. Well, vendors: I am! Trying to explain to vulnerability databases that just because someone posted something doesn’t mean it’s true, is not easy. But you knew that already.

Now for the details:

The vulnerability described is a problem in WizGraphviz.dll, a graphic library that has been abandoned by its developer. It is not a part of beSTORM, and never was. You could, in early versions of beSTORM, install that DLL in order to view SVG files. beSTORM would have downloaded it on request. But it hasn’t been the case in a while now.

The vulnerability is also not remote. This ActiveX is marked not safe for scripting, which means you have to manually enable it to get the exploit code to run.

In other words, you need to download an ActiveX from the Internet, go into the settings to mark it safe for scripting (and ignore the huge warnings) and then you will be vulnerable to an ActiveX attack when visiting a rogue site. And all this is only true for an old version of beSTORM which is no longer available for download.

Life is full of ironies: This attack is simple enough that we could (should?) have found it by fuzzing this DLL ourselves. Hell, there’s a good chance the good guys that published this advisory did exactly that. For being lazy, we deserve the public flogging. But just to set the record straight, a security vulnerability it ain’t.

Which Security Certification Should I Get?

When it comes to deciding what security certifications to pursue, IT professionals should understand that they will be better off career-wise if they ask—and then answer—the right questions before choosing.

So says Chuck Davis, who as an adjunct professor at Harrisburg University of Science and Technology in Pennsylvania teaches ethical hacking and computer forensic classes. Currently a senior security architect at a Fortune 500 company, Prof. Davis has earned the Master of Science in Information Assurance at Norwich University, the Certified Information Systems Security Professional (CISSP) credential and the Information Systems Security Architecture Professional (ISSAP) credential. He insists that there is no one-size-fits-all game plan for IT professionals looking for the right security certifications to earn.

“I would suggest that if you’re someone who is new to security, maybe just out of college or you’ve been working in IT and want to move into security, studying and working towards the CISSP is a good [move],” says Prof. Davis, who earned his CISSP and ISSAP from (ISC)². “I believe the CISSP is considered kind of the gold standard for a lot of professionals. What the CISSP does is it gives a very wide breadth of curriculum.”

According to Prof. Davis, IT professionals need to reflect on things such as where they are in their careers and what their objectives are before they can knowledgeably select the right security certifications. Josh Lochner, a senior risk management consultant at SecureState in Ohio, is also a proponent of this view. He insists that there are a handful of questions that IT professionals need to ask themselves before choosing. Meanwhile, Carmen Buruiana, human resource manager for Bitdefender in Romania, argues that possessing the right skill set and attitude is more important than having specific certifications.

While money certainly isn’t everything, many IT professionals who are weighing the pros and cons of different security certifications would no doubt factor salaries into the decision-making equation. And, fortunately, there are resources available that provide some indication of which security certifications can be the most rewarding from a financial perspective.

For instance, Foote Partners’ “IT Skills and Certification Pay Index – Q3 2011 edition” indicates that the following security certifications translate into the highest pay premiums:

  • Certified Information Systems Security Professional (CISSP)
  • Information Systems Security Engineering Professional (CISSP/ISSEP)
  • IACRB Certified Penetration Tester (CPT)
  • CyberSecurity Forensic Analyst
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Cisco Security Solutions and Design Specialist
  • IACRB Certified Reverse Engineering Analyst (CREA)
  • GIAC Secure Software Programmer –Java
  • GIAC Systems and Network Auditor (GSNA)
  • Information Systems Security Architecture Professional (CISSP/ISSAP)
  • Security Certified Network Architect
  • Check Point Certified Master Architect (CCMA)

But salary, of course, is just one of the things IT professionals should contemplate. Lochner explains that there are certain questions he would ask IT professionals who come to him for advice on what security certifications to go after.

“Some of the questions that I might ask would be, ‘Are you looking for a broad basis of knowledge? What foundation are you building on right now?’” he says. “For example, if you wanted a broad basis you might start off by looking at the CISSP. But there’s also ‘Are you doing this so that you can apply to a new job or are you doing this so that you can move laterally or perhaps vertically up within your own organization?’”

After answering these types of questions, IT professionals would do well to find mentors who are already in roles that they themselves would eventually like to end up in, says Lochner, who has been providing consulting services in security domains for over a decade.

If after careful consideration IT professionals decide to start off with the CISSP, which is designed to provide a broad overview of the “security landscape,” they will end up with skills that are attractive in the increasingly competitive job market, notes Prof. Davis.

“It gives employers or potential employers a level set to say, ‘Well this person at least has a really decent understanding across the entire security landscape,’” he says. The (ISC)² website, which details certification requirements, lists the following 10 security domains covered in the CISSP curriculum:

  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Software Development Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations and Compliance
  • Physical (Environmental) Security

While the CISSP is a “good foundation certification,” Lochner stresses that those who really want to invest in advancing their careers won’t want to stop there.

“If you’re going to be working in a particular area, it might behoove you to study a little bit more,” he explains. “CISSP is a good basis, and you can look at GIAC for some of the more specialized certifications. They have something they call…GSEC – GIAC Security Essentials.”

According to Prof. Davis, SANS certifications are good bets for those who really want to get technical in the security space; ISACA’s CISM and CISA certifications are solid options for IT professionals interested in getting into auditing; and EC-Council’s Certified Ethical Hacker program is popular among those involved in pen testing.

Security certifications can definitely help IT professionals at any stage of their careers. But Buruiana from Bitdefender says that lacking security certifications isn’t necessarily a deal-breaker at the Internet security company.

“Bitdefender is an unconventional company seeking talented people with inquisitive minds, capable of taking a creative approach and finding solutions to the most common dilemmas of our industry,” says Buruiana. “Every year, we run human resources projects aimed at discovering these brilliant minds.

“As for the recruiting process, we value innovation and a passion for technology more than we do specific certifications. Certifications are, undoubtedly, an added value and an asset as far as professional credibility is concerned. They are key to the ’rounded know-how’ concept, but they do not count as an exclusive criterion with us.”

That said, the company’s employees periodically take part in certification sessions adapted to the company’s ongoing business process, says Buruiana. The sessions focus on domains like project management, software development, testing and support services.

This post was originally written by Ian Palmer, a contributor to InfoSec Resources. InfoSec Institute is the best source for high quality information security training.

Trust me, I didn’t look right as I typed this …

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are likely to be telling a lie.  Glancing up to the left, on the other hand, is said to indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large percentage of the public believes that certain eye movements are a sign of lying, and this idea is even taught in organisational training courses. … The claimed link between lying and eye movements is a key element of neuro-linguistic programming.

“According to the theory, when right-handed people look up to their right they are likely to be visualising a ‘constructed’ or imagined event.  In contrast when they look to their left they are likely to be visualising a ‘remembered’ memory. For this reason, when liars are constructing their own version of the truth, they tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The results of the first study revealed no relationship between lying and eye movements, and the second showed that telling people about the claims made by NLP practitioners did not improve their lie detection skills.’

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)

Quick way to find out if your account has been hacked?

In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, an outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched https://shouldichangemypassword.com/

They are getting lots of press.

“If you don’t know, a website called ShouldIChangeMyPassword.com will tell you. Just enter your email—they won’t store your address unless you ask them to—and click the button that says, “Check it.” If your email has been associated with any of a large and ever-growing list of known password breaches, including the latest Yahoo hack, the site will let you know, and advise you to change it right away.”

Well, I tried it out, with an account that gets lots of spam anyway.  Lo and behold, that account was hacked!  Well, maybe.

(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)

The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one.  It is for a local community site that used to be a “Free-net.”  I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site.  So I wasn’t completely surprised to see the address had been hacked.  I do get email through it, but, as noted, I also get (and analyse) a lot of spam.

When you get the notification, it tells you almost nothing.  Only that your account has been hacked, and when.  However, you can find a list of breaches, if you dig around on the site.  This list has dates.  The only breach that corresponded to the date I was given was the Strategic Forecasting breach.

I have, in the past, subscribed to Strategic Forecasting.  But only on the free list.  (Nothing on the free list ever convinced me that the paid version was worth it.)  So, my email address was listed in the Strategic Forecasting list.  But only my email address.  It never had a password or credit card number associated with it.

It may be worth it as a quick check.  However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.

Submarine patent torpedoed …

For some years I have been peripherally involved (hired to research prior art, etc.) in some of the submarine patent/patent troll cases in the AV world.

I’ve got plenty of prior art.  Programs demonstrating and using technologies that were granted patents years after those programs were available.  Email discussions showing that concepts were obvious and well-known years before patent applications were filed.

Of course, as the “expert” I’m not privy to the legal strategy.  But I can figure it out.  US patent office issues patent that never should have been granted.  Troll sues Big Firm for $100M.  BF’s lawyers go to IP law firm.  IP lawyers find me.  IP lawyers ask me for the weirdest (and generally weakest) evidence.  IP lawyers go back to BF’s lawyers.  BF’s lawyers go back to BF.  (At this point I’m not privy to the discussions, so I’m guessing.  But I suspect that …)  IP and BF lawyers advise that evidence available, but patent fight expensive.  BF offers troll $100K to go away.  Troll happy with $100K, which is all he wanted anyway.  BF lawyers happy with large (and now more secure) salaries.  IP lawyers happy with $1M fees.  BF happy to have “saved” $99M.  The only person not happy is me.

Well, Kaspersky got sued.  Kaspersky fought.  Kaspersky won.

So, today I’m happy.  (I just wish I’d been part of *this* fight …)

(By the way, patent trolls cost money …)


Using Skype Manager? no? Expect incoming fraud

I have been using Skype ever since it came out, so I know my stuff.

I know how to write strong passwords, how to use smart security questions and how to – most importantly – avoid Phishing attempts on my Skype account.

But all that didn’t help me avoid a Skype mishap (or more bluntly as a friend said – Skype f*ckup).

It all started Saturday late at night (about 2am GMT), when I started receiving emails in Mandarin from Skype. My immediate thought was fraud, a phishing attempt, so I ignored it. But then I noticed I had also got emails from PayPal with charges from Skype for $100, $200, $300, and I was worried: was my account hacked?

I immediately went to PayPal and disconnected my authorization to Skype, called in Transaction Dispute on PayPal and then went on to look at my Skype account.

I looked into the recent logons to my account – nothing.

I looked into email changes, or passwords – nothing.

I couldn’t figure out how the thing got to where it was, and then I noticed: I had become a Skype Manager – wow, I was promoted and I didn’t even send in my CV.

Yeah, joke aside, Skype Manager is a service Skype gives to businesses to allow one person to buy Skype Credit and other people to use that Credit to make calls. A great idea, but the execution is poor.

The service appears to have been launched in 2012, and a few weeks after that, fraud started popping up. The how is very simple, and so stupid that it’s shameful for Skype not to have fixed this since it was first reported (as far as I found) on the 21st of Jan 2012 on the Skype forum.

Apparently having this very common combination of:
1) Auto-charge PayPal
2) Never used Skype Manager
3) Never setup a Work email for Skype

Makes it possible for someone to:
1) Setup you as a Skype Manager
2) Setup a new work email on some obscure service (mailinator was used in my case), and have all Skype emails for confirmations sent there

Yes, they don’t need to know anything BESIDES the Skype Call name of your account – which is easy to get using Skype Search.

Once you have become a Skype Manager, “you” can add users to the group you are managing – they don’t need to log on, as all they need to do is use the (email) link sent to the newly assigned Work Email. Yes, it doesn’t confirm the password – smart, huh?

The users added to your Skype Manager can now take the Credit (it’s not money, it’s just call credits) and call anywhere they want.

Why this bug/feature has not been fixed or addressed since the first time it was made public on the Skype Forum (it was probably exploited before then) is anyone’s guess. Talking to the Fraud department of Skype, he mainly stated that I should:
1) Change my password for Skype – yes, that would have helped nothing in this case
2) Make sure I authorize Skype only on trustworthy devices

The bottom line, Skype users, make sure:
1) You have configured your Skype Manager – if you are using Auto-Charge feature – I have disabled my Auto-Charge and PayPal authorization since then, and don’t plan on enabling it anytime (ever)
2) You have configured your Skype Work email – yes, if it’s unset, anyone can change it – without needing to know your current password – is this company a PCI authorized company? :D
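The work-email weakness described above, modeled as an added example (this is not Skype’s code; the Account class, function names and sample addresses are assumptions): the vulnerable flow changes the work email on the Skype name alone and mails only the new address, while the hardened flow demands the current password and notifies the address already on file.

```python
"""Toy model of the work-email weakness described above, beside a hardened
variant.  Added illustration, not Skype's code; every name is an assumption."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

class Denied(Exception): """Raised when the hardened flow refuses a change."""

@dataclass
class Account:
    skype_name: str
    primary_email: str                 # the login address the owner actually reads
    password: str
    work_email: Optional[str] = None   # unset on most accounts: the precondition
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, subject)

def set_work_email_vulnerable(acct: Account, new_email: str) -> bool:
    """The behaviour the post describes: the Skype name alone is enough, no
    password is checked, and confirmation goes only to the NEW address."""
    acct.work_email = new_email
    acct.outbox.append((new_email, "Confirm your Skype Manager work email"))
    return True

def set_work_email_hardened(acct: Account, new_email: str, password: str) -> bool:
    """Re-authenticate with the current password and notify the address
    already on file, so a silent change is both blocked and visible."""
    if not hmac.compare_digest(password, acct.password):
        acct.outbox.append((acct.primary_email, "Failed attempt to change your work email"))
        raise Denied("password re-authentication failed")
    acct.outbox.append((acct.work_email or acct.primary_email, "Your work email is changing"))
    acct.work_email = new_email
    acct.outbox.append((new_email, "Confirm your Skype Manager work email"))
    return True

def owner_was_notified(acct: Account) -> bool:
    """True if any message reached an address the real owner controls."""
    return any(rcpt == acct.primary_email for rcpt, _ in acct.outbox)

def demo() -> Tuple[bool, bool, Optional[str]]:
    """Constructed victim: work email unset, only the Skype name is known."""
    weak = Account("victim.skype", "owner@example.org", "correct horse")
    set_work_email_vulnerable(weak, "throwaway@mailinator.example")
    strong = Account("victim.skype", "owner@example.org", "correct horse")
    try:
        set_work_email_hardened(strong, "throwaway@mailinator.example", "guess")
    except Denied:
        pass
    # weak: owner never saw a mail; strong: change refused and owner alerted
    return owner_was_notified(weak), owner_was_notified(strong), strong.work_email
```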

If you have more insight on the matter, let me know

- Noam


Apple and “identity pollution”

Apple has obtained a patent for “identity pollution,” according to the Atlantic.

I am of not just two, but a great many minds about this.  (OK, admit it: you always knew I was schizophrenic.)

First off, I wonder how in the world they got a patent for this.  OK, maybe there isn’t much in the way of prior art, but the idea can’t possibly be called “non-obvious.”  Even before the rise of “social networking” I was prompting friends to use my “loyalty” shopping cards, even the ones that just gave discounts and didn’t get you points.  I have no idea what those stores think I buy, and I don’t much care, but I do know that they have very little about my actual shopping patterns.

In our advice to the general population in regard to Internet and online safety in general, we have frequently suggested a) don’t say too much about yourself, and b) lie.  Isn’t this (the lying part) exactly what Apple is doing?

In similar fashion, I have created numerous socmed accounts which I never intended to use.  A number of them are simply unpopulated, but some contain false information.  I haven’t yet gone to the point of automating the process, but many others have.  So, yet another example of the US patent office being asleep (Rip-Van-Winkle-level asleep) at the technological switch.

Then there is the utility of the process.  Yes, OK, we can see that this might (we’ll come back to the “might”) help protect your confidentiality.  How can people find the “you” in all the garbage?  But what is true for advertisers, spammers, phishers, and APTers is also true for your friends.  How will the people who you actually *want* to find you, find the true you among all the false positives?

(Here is yet another example of the three “legs” of the security triad fighting with each other.  We have endless examples of confidentiality and availability working against each other: now we have confidentiality and integrity at war.  How do you feel, in general, about Apple recommending that we create even more garbage on the Internet than is already there?)

(Or is the fact that it is Apple that is doing this somehow appropriate?)

OK, then, will this work?  Can you protect the confidentiality of your real information with automated false information?  I can see this becoming yet another spam/anti-spam, CAPTCHA/CAPTCHA recognition, virus/anti-virus arms race.  An automated process will have identifiable signs, and those will be detected and used to ferret out the trash.  And then the “identity pollution” (a new kind of “IP”?) will be modified, and then the detection will be modified …

In the meantime, masses of bandwidth and storage will be consumed.  Socnet sites will be filled with meaningless accounts.  Users of socmed sites will be forced to spend even more time winnowing out those accounts not worth following.  Socnet companies will be forced to spend more on storage and determination of false accounts.  Also, their revenues will be cut as advertisers realize that “targeted” ads will be less targeted.

Of course, Apple will be free to create a social networking site.  They already have created pieces of such.  And Apple can guarantee that Apple product users can use the site without impedance of identity pollution.  And, since Apple owns the patent, nobody else will be able to pollute identities on the Apple socnet site.

(And if Apple believes that, I have a bridge to sell them …)


Linded-Indiots in the stock market

OK, as some of you may be aware, LinkeDin had a semi-massive leak of passwords that came to light yesterday.

How are the markets taking it?

Well, today the stock is up, slightly.

That’s because ad revenues are up.  Since everyone is logging on today, in order to change passwords …

Sometimes I wonder why we bother …
