AV is dead … again …

Antivirus software only catches 45% of malware attacks and is “dead”, according to a senior manager at Symantec.”

85.4% of statistic can be interpreted in the opposite way, and AV has been declared dead regularly since 1987.

Symantec “invented commercial antivirus software in the 1980s”?  That must come as news to the many companies, like Sophos, that I was reviewing long before Symantec bought out their first AV company.

“Dye told the Wall Street Journal that hackers increasingly use novel methods and bugs in the software of computers to perform attacks.”

There were “novel attacks” in 1986, and they got caught.  There have been novel attacks every year or so since, and they’ve been caught.  At the same time, lots of people get attacked and fail to detect it.  There’s never a horse that couldn’t be rode, and there’s never a rider that couldn’t be throwed.

“Malware has become increasingly complex in a post-Stuxnet world.”

So have computers.  Even before Stuxnet.  I think it was Grace Hopper who said that the reason it is difficult to secure complex systems is because they are complex systems.  (And she died a while back.)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Disasters in BC

The auditor general has weighed in, and, surprise, surprise, we are not ready for an earthquake.

On the one hand, I’m not entirely sure that the auditor general completely understands disaster planning, and she hasn’t read Kenneth Myers and so doesn’t know that it can be counter-productive to produce plans for every single possibility.

On the other hand, I’m definitely with Vaugh Palmer in that we definitely need more public education.  We are seeing money diverted from disaster planning to other areas, regardless of a supposed five-fold increase in emergency budget.  In the past five years, the professional association has been defunded, training is very limited in local municipalities, and even recruitment and “thank you” events for volunteers have almost disappeared.  Emergency planning funds shouldn’t be used to pay for capital projects.

(And the province should have been prepared for an audit in this area, since they got a warning shot last year.)

So, once again, and even more importantly, I’d recommend you all get emergency training.  I’ve said it beforeI keep saying itI will keep on saying it.

(Stephen Hume agrees with me, although he doesn’t know the half of it. )

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

New computers – Windows 8 Phone

I was given a Win8Phone recently.  I suppose it may seem like looking a gift horse in the mouth to review it, but:

I must say, first off, that the Nokia Lumia has a lot of power compared to my other phone (and Android tablets), so I like the responsiveness using Twitter.  The antenna is decent, so I can connect to hotspots, even at a bit of a distance.  Also, this camera is a lot better than those on the three Android machines.

I’m finding the lack of functionality annoying.  There isn’t any file access on the phone itself, although the ability to access it via Windows Explorer (when you plug the USB cable into a Windows 7 or 8 computer) is handy.

I find the huge buttons annoying, and the interface for most apps takes up a lot of space.  This doesn’t seem to be adjustable: I can change the size of the font, but only for the content of an app, not for the frame or surround.

http://www.windowsphone.com/en-us/how-to/wp8 is useful: that’s how I found out how to switch between apps (hold down the back key and it gives you a set of
icons of running/active apps).

The range of apps is pathetic.  Security aside (yes, I know a closed system is supposed to be more secure), you are stuck with a) Microsoft, or b) completely unknown software shops.  You are stuck with Bing for search and maps: no Google, no Gmail.  You are stuck with IE: no Firefox, Chrome, or Safari.  Oh, sorry, yes you *can* get Firefox, Chrome, and Safari, but not from Mozilla, Google, or Apple: from developers you’ve never heard of.  (Progpack, maker(s) of the Windows Phone store version of Safari, admits it is not the real Safari, it just “looks like it.”)  You can’t get YouTube at all.  No Pinterest, although there is a LinkedIn app from LinkedIn, and a Facebook app–from Microsoft.

It’s a bit hard to compare the interface.  I’m comparing a Nokia Lumia 920 which has lots of power against a) the cheapest Android cell phone Bell had when I had to upgrade my account (ver 2.2), b) an Android 4.3 tablet which is really good but not quite “jacket” portable, and c) a Digital2 Android 4.1 mini-tablet which is probably meant for children and is *seriously* underpowered.

Don’t know whether this is the fault of Windows or the Nokia, but the battery indicators/indications are a major shortcoming.  I have yet to see any indication that the phone has been fully charged.  To get any accurate reading you have to go to the battery page under settings, and even that doesn’t tell you a heck of a lot.  (Last night when I turned it off it said the battery was at 46% which should be good for 18 hours.  After using it four times this morning for a total of about an hour screen time and two hours standby it is at 29%.)

(When I installed the Windows Phone app on my desktop, and did some file transfers while charging the phone through USB I found that the app has a battery level indicator on most pages, so that’s helpful.)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Card fraud and other details

A family member recently encountered credit card fraud.  That isn’t unusual, but there were some features of the whole experience that seemed odd.

First off, the person involved is certain that the fraud relates to the use of the card at a tap/RFID/proximity reader.  The card has been in use for some time, but the day before the fraudulent charges the card was used, for the first time, at a gas pump with a “tap” reader.

(I suspect this is wrong.  The card owner feels that gas pumps, left unattended all night, would be a prime target for reader tampering.  I can’t fault that logic, but the fact that an address was later associated with use of the card makes me wonder.)

At any rate, the day after the gas was purchased, two charges were made with the credit card.  One was for about $600.00, and was with startech.com, a supplier of computer parts, particularly cables, based in Ontario.  The other charge was for almost $4000.00, and was with megabigpower.com, which specializes in hardware devices for Bitcoin mining, and operates out of Washington state.  (Given the price list, this seems consistent with about 8 Bitcoin mining cards, or about 20 USB mining devices.)  The credit card company was notified, and the card voided and re-issued.

A few days after that, two boxes arrived–at the address of the cardholder.  One came from startech.com via UPS and was addressed to John Purcer, the other was from megabigpower.com via Fedex and was addressed to Tom Smyth.  Both were left at the door, refused and returned to the delivery companies.  (At last report, the cardholder was trying to get delivery tracking numbers to ensure that the packages were returned to the companies.)

As noted previously, this is where I sat up.  Presumably a simple theft of the card data at a reader could not provide the cardholder’s address data.  An attempt might be made to ensure that the “ship to” address is the same as the “bill to” address (one of the companies says as much on its billing page), but I further assume that a call to the credit card company with a “hey, I forgot my address” query wouldn’t fly, and I doubt the credit card company would even give that info to the vendor company.

One further note: I mentioned to the cardholder that it was fortunate that the shipment via UPS was from the Canadian company, since UPS is quite unreasonable with charges (to the deliveree) involving taking anything across a border.  (When I was doing a lot more book reviews in the old days, I had to add a standard prohibition against using UPS to all my correspondence with companies outside Canada.)  When UPS was contacted about this delivery, the agent reported that the package was shown as delivered, with a note of “saw boy,” presumably since the cardholder’s son was home, or in the vicinity of the house, at the time of delivery.  The cardholder was understandably upset and asked to have that note taken off the record, and was then told a) the record could not be changed, and b) that was a standard code, presumably built-in to the tracking devices the drivers carry.

Just a note to those of you who care anything about privacy …

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

REVIEW: “Rainbows End”, Vernor Vinge

BKRNBSND.RVW   20130525

“Rainbows End”, Vernor Vinge, 2006, 0-312-85684-9, U$25.95/C$34.95
%A   Vernor Vinge
%C   175 Fifth Avenue, New York, NY  10010
%D   2006
%G   0-312-85684-9
%I   Tor Books/Tom Doherty Assoc.
%O   U$25.95/C$34.95 pnh@tor.com www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0312856849/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/0312856849/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   364 p.
%T   “Rainbows End”

It is always a pleasure to read something from Vinge.  His characters are interesting, his plots sufficiently convoluted, and his writing clear and flowing.  In addition, for the geek, his understanding of the technology is realistic and fundamental, which makes a change from so many who merely parrot jargon they do not comprehend.

Of course, this is future technology we are talking about, so none of it is (currently) real.  But it could be, without the wild flights of illogic that so abound in fiction.

In this book, we have a future with interconnectedness around the globe.  Of course, this means that there are dangers, in regard to identity and authentication.  The new technology protects against these dangers with a Secure Hardware Environment.  (Or SHE, and, since the DHS mandates that everyone must use it, does that make it SHE-who-must-be-obeyed?)

Encryption is, of course, vital to the operations, and so is used a lot, often in multiple layers.  It is probably a measure of the enjoyability of Vinge’s work that I really didn’t take note of the fact that two of the characters were named Alice and Bob.  Not, that is, until late in the volume, when the author also briefly introduces a character named Eve Mallory.

copyright, Robert M. Slade   2013   BKRNBSND.RVW   20130525

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

CyberSec Tips – “Computer Maintenance Department”

I got a call today from “James,” of the “computer maintenance department.”

I suppose this may work better against those who actually have a computer maintenance department.  Since I’m self-employed, it’s pretty obvious that this is phony.  Sometimes, though, “James” or his friends call from Microsoft or other such possibilities.

Just in case anyone doesn’t know, these are false, attempts to get you to damage your own computer, or install something nasty.  They can then charge you for spurious repairs, add you to a botnet, or mine your computer for account information.

Oh, and also, as chance would have it, today I got my first completely automated spam/fraud/telemarketing call: a computer generated voice and voice response system, asking how I was, and then, when I didn’t respond, was I there.  Probably would have been fun to try and push the limits of it’s capability, but I didn’t have time …

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Cyberbullying, anonymity, and censorship

Michael Den Tandt’s recent column in the Vancouver Sun is rather a melange, and deserves to have a number of points addressed separately.

First, it is true that the behaviours the “cyberbullying” bill address, those of spreading malicious and false information widely, generally using anonymous or misleading identities, do sound suspiciously close to those behaviours in which politicians engage themselves.  It might be ironic if the politicians got charged under the act.

Secondly, whether bill C-13 is just a thinly veiled re-introduction of the reviled C-30 is an open question.  (As one who works with forensic linguistics, I’d tend to side with those who say that the changes in the bill are primarily cosmetic: minimal changes intended to address the most vociferous objections, without seriously modifying the underlying intent.)

However, Den Tandt closes with an insistence that we need to address the issue of online anonymity.  Removing anonymity from the net has both good points and bad, and it may be that the evil consequences would outweigh the benefits.  (I would have thought that a journalist would have been aware of the importance of anonymous sources of reporting.)

More importantly, this appeal for the banning of anonymity betrays an ignorance of the inherent nature of networked communitcation.  The Internet, and related technologies, have so great an influence on our lives that it is important to know what can, and can’t, be done with it.

The Internet is not a telephone company, where the central office installs all the wires and knows at least where (and therefore likely who) a call came from.  The net is based on technology whish is designed, from the ground up, in such a way that anyone, with any device, can connect to the nearest available source, and have the network, automatically, pass information to or from the relevant person or site.

The fundamental technology that connects the Internet, the Web, social media, and pretty much everything else that is seen as “digital” these days, is not a simple lookup table at a central office.  It is a complex interrelationship of prototcols, servers, and programs that are built to allow anyone to communicate with anyone, without needing to prove your identity or authorization.  Therefore, nobody has the ability to prevent any communication.

There are, currently, a number of proposals to “require” all communications to be identified, or all users to have an identity, or prevent anyone without an authenticated identity from using the Internet.  Any such proposals will ultimately fail, since they ignore the inherent foundational nature of the net.  People can voluntarily participate in such programs–but those people probably wouldn’t have engaged in cyberbullying in any case.

John Gilmore, one of the people who built the basics of the Internet, famously stated that “the Internet interprets censorship as damage and routes around it.”  This fact allows those under oppressive regimes to communicate with the rest of the world–but it also means that pornography and hate speech can’t be prevented.  The price of reasonable commuincations is constant vigilance and taking the time to build awareness.  A wish for a technical or legal shortcut that will be a magic pill and “fix” everything is doomed to fail.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

CyberSec Tips: E-Commerce – tip details 2 – fake sites

Following on with some more of the tips from an earlier post, originally published here:

The next three tips are pretty straightforward, and should be followed:
Don’t click on offers in email.
If it sounds too good to be true, don’t fall for it.
Don’t fall for fake eBay or PayPal sites.

Good advice all around.  In terms of fake eBay or PayPal sites, check the URLs, if you can see them, or the places you end up.  Often fraudsters will try and register sites with odd variations on the name, such as replacing the lower case letter l in PayPal with a digit 1, which can look similar: paypal.com vs paypa1.com.  Or they will send you to a subdirectory on either a legitimate site (for example, googledocs.com/paypal) or on a straight scam site (frauds.ru/paypal).  Or sometimes the URL is simply a mess of characters.  If the site isn’t pretty clearly the one you want, get out of there.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.