Café de Fallo

Rejection of security advice is entirely rational ! (not my words)

2010-04-16T22:42:00.000-07:00

OK, so here I am trying to educate students (and Internet) users of the need for better security practices, and then I see a paper that argues that "rejection of security advice is entirely rational". Humm, this should be an interesting read. The paper is available on Cormac Herley's site:

So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users
published at NSPW 2009.

I haven't read the paper carefully, as yet -- but in general I do agree (with some reservations) with the author, unless you are the victim, of course!. IT security these days is hard, especially since the number of users and the usage patterns are growing everyday...probably a reason (among several others) that the cost-benefit is poor when it comes to security advice. Until I read this article, I used to think security advice and awareness is a 2-wall problem.

wall 1: I don't know why this is a security problem
wall 2: ah, I know what the security problem is -- but I don't know how to solve it

Are we breaking these walls down now?

Cyber crime -- will it ever stop?

2010-03-05T11:17:00.001-08:00

An interesting article in today's news ..after the arrest of a ring of hackers who created "Mariposa" ..a botnet network to steal personal information. There seems to be a debate on whether it is better to go after the bad-guys? ..or protect ourselves in the long run by education/awareness? You decide :)

Click here for the complete article on CNN Tech

Advance-fee (a.k.a 419) Fraud

2009-12-08T08:45:00.000-08:00

Ever got those emails about a Nigerian businessman or merchant wanting to deposit money with you? or ..something on the lines of "I don't know where to keep all this money/treasure..I have so so much!", well..it is a bull****. and popularly known as 419 fraud, or called it the "Advance Fee Fraud". There some other forms of the same fraud too, and here is why it is a "fraud". Below incident prompted me to write this blog.

So my wife wanted to sell an iPod (we had an extra one, don't ask how), so we put it up on craigslist. Out of the 10 replies she got, 7 of them were strangely saying that they will pay MORE than what we have asked for. We were selling it for $70, ..the buyer (call him Charlie) was willing to pay $200. Strange? Yes. So here was the catch. Apparently, Charlie wanted us to pay him back the difference (why!) ..and then it would be all balanced. He messed with the wrong person though, since I was reading about this fraud that week (for a class that I teach). Here is how the fraud works.

1. Charlie requests that he will buy your item for $200 (even though you are selling for $70). Sometimes he may ask to keep a few dollars as reward for yourself (well..)

2. You agree, and ask Charlie for the money.

3. Charlie sends you a fake email that the money has been deposited.

4. Fake email says that you need to type in the mailing conformation number, or the bank confirmation number (for $200-$70=$130 difference you owe Charlie) for the deposit you made into Charlie's account.

5. You hit the bank submit button and pay $130 to Charlie (and record the confirmation #). You might have already shipped the item too!

6. Guess what! you've lost your money and also the item you shipped -- there is no Charlie, and neither has he deposited $200 into your account earlier. You check your account, and call your bank multiple times -- only to hear an angry voice that there has been no such deposit from Mr. Charlie!! "No deposits, no Charlie".

7. Now your item is enroute to some address (possibly someone waiting to picked up at a side walk) ..and your $130 is also gone. Heck!

WOW. genius! But these guys have been chased before -- some have been caught, and some are still at large. So if you get an email claiming to pay more (or ship item before confirming payment) ..please beware. I was lucky!

One last note. Most such email have someone named to be in Nigeria, or East Africa -- but I doubt all are true. Someone next door could writing these email, and claiming domicile in Nigeria..though this form of fraud apparently started here. Read more here:
http://en.wikipedia.org/wiki/Advance-fee_fraud

National Cyber Security Awareness Month 2009

2009-11-01T17:28:00.001-08:00

Yes, apparently there is one -- October is the National Cyber Security Awareness Month, and there has been a a lot of buzz about security this month.

Check: http://googleblog.blogspot.com/2009/10/celebrating-national-cyber-security.html

Oktoberfest is another kind of awareness month :) ..nothing to do with cyber security, but still fun!

Top 10 Reasons Why Mac OS X has No viruses, ..at least so far!

2009-09-16T20:18:00.001-07:00

So, I asked this question in the class I teach "Why Mac OS X has no viruses" -- it is a good question, since the Mac user-base is gradually increasing and most laptops and PCs (with Microsoft Windows-based OS) are so easily infected by malware, virus, adware, spyware, etc..unless you take proper security measures, of course.

One student answered: "..because Mac has a very small number of users, so hackers are not interested".

While this is a possible reason, but not the only reason -- so I decided to do my "homework". So below are my reasons why it is so. Oh..but I am still with a Dell running Windows XP...meanwhile, wifey has recently got a Mac Book Pro -- and flaunting it around the house right now. :-)

Top 10 Reasons Why Mac OS X has No viruses

1. OS X is built on UNIX (actually, FreeBSD) – which is a multi user system with a security architecture built into it at the beginning of design itself. WINDOWS came from single-user architecture with security and multi user capability as an “after thought”. Patching does not help much!

2. UNIX had networking built into it from the beginning; again in Windows this was included at a later date. Also, most of Mac OS X was developed after the Internet, so the vulnerabilities were addressed during the design of OS X. Most viruses exploit the Internet connections, email and file transfer.

3. Windows built Internet Explorer into the O/S at a very deep level, and allowed code execution within the browser. In OS X the browser is a completely separate application -- not an integral part of the OS. Most virus or hackers exploit this vulnerability, since some malicious code can be run in the browser itself.

4. In earlier Windows everything ran as the system user (what!), so the capability to compromise an entire system was easier. Simply during a breach, hacker=system user! Close your eyes.

5. Microsoft’s backward compatibility mantra does not do them any favors -- all Microsoft OS need to run old software, so they need so many old APIs, all of which can have holes in them. The patches help “patch” the holes, but the patches may have holes too! Like the chicken-and-egg problem?

6. OS X has no registry. Ah ha…this is one of the biggest mistakes Microsoft made though it helps in organizing the applications well – how about organizing the security?

7. OS X asks for your password before allowing you to run new software or install something. Not fool proof, but at least fool resistant. Well.

8. Where do viruses usually hang out in Windows:
a. At the root.
b. In the user’s local settings temp folder.
c. In these folders: \windows, \system, \system32 — the most common places where viruses hide.
d. As registry entries.

None of those areas are exposed to the environment (or users) in OS X. You can’t see those folders. Virus writers can’t access them. Thus, viruses can’t exploit those areas. A recent Mac virus may have tried to exploit this – not much success.

9. Earlier, Mac’s ran on PowerPC (by IBM and Motorola), so not many weaknesses were not exploited by viruses. Many PCs. Laptops run on Intel’s microprocessors. Note however that Mac has started to use Intel’s processors now – welcoming some possible viruses? You can say that Mac maintains a “clean and secure” gene-pool, but how long will it last?

10. Mac has a smaller user-base, so there is more incentive for hackers or virus coders to attack the “big-fish” Microsoft XP or Windows Vista ..but not a tasty one :)

Survey about Using Good Passwords (asking for your 2 minutes)

2009-09-15T19:28:00.001-07:00

This is a small survey which I plan to use as part of a research paper. It will less take less than 2 minutes. Please answer the following questions and hit submit.
Thanks for your participation and your time! Take care.

Link to the survey:
http://spreadsheets.google.com/viewform?hl=en&formkey=dEVhR3BkcUFobWM2VUZyUWV0Tmp2WEE6MA..

Microsoft Tool
http://www.microsoft.com/protect/fraud/passwords/checker.aspx

iPass Tool (best password will be highlighted in green)
http://sunrise.webfactional.com/ipass

...and another PHISHING attempt

2009-09-15T18:31:00.000-07:00

"bsnl" is an internet service provider in India. These crawlers are getting smarter..but phishing is still phishing!

I like the warning message:
"...you are required to do this before the next 48hrs of receipt of this e-mail, or your Web mail Account will be de-activated and erased from our database."

Thank you very much -- I would be happy if you delete me from the "phishing database" :)

DGTFX Virus Alert (yeah sure, ..it is an email phishing scam!)

2009-09-10T11:53:00.000-07:00

Received this in my INBOX today. It is a phishing scam obviously..actually -- it not that "obvious" since the email looks pretty legitimate at first examination. But the scammers forgot that I teach IT security courses here ..oops, so it is no use messing with the wrong guy :) Anyway -- be careful guys.

Good idea to alert your IT department, or consult a security alert focus group if you have any doubts. As the good man says "better safe, than sorry". Peace.

"Digital Life" after Death?

2009-09-07T11:12:00.001-07:00

Seems like an irrelevant discussion at first thought, ha? No, I thought the same..while I was browsing through the September 14, 2009 issue of the TIME magazine. But the article "Managing your Online Afterlife" caught my attention after reading a few paragraphs.

So, what happens all the digital data floating around the WWW after you die? Apparently, major companies do have some security policies now to give access to information or emails exchanged by loved ones. Facebook, MySpace, Google, Yahoo! all have a policy of their own.

I found this article particularly interesting because it shows how important we (or relatives of loved one) consider any kind of digital information. If it was of no value -- no one would fight for it. In my opinion, yes, there is a lot of "precious" - social, personal, emotional, and intellectual information out there ..stored on data servers quietly clocking away in a dark server room.

As the author points out ..soon we might see a clause in someone's Will that tells -- how and who can access, and share information in my "after life".

Humm. Do I need to start using my dairy again?

LOOKUP

2009-08-31T21:59:00.001-07:00

We can't imagine our lives without the Internet these days -- but hey, as they say..every story has 2 sides! Consider for example how easy it is for someone who wants to look you up (and possibly stock you, for whatever the reason) :) Gone are the days when you wanted to elope..and be in hiding for a few years.

There might be more services out there, but here is one that I ran into LookupAnyone.com

Oh come on..why do state/federal offices or other collecting agencies even sell their data to such websites! Why? What happened to privacy of citizens? I agree criminal and background checks are need when necessary -- but these can be done by offices specially delegated to do this. Why make the data 'public'? There is cost of course...seems like it is all about the money, at someone else's mercy.

Anyway -- if I ever move, or when I move..you know how to find me. :)

Fake faces ..real Identity?

2009-08-27T07:33:00.001-07:00

..and you thought that ID theft due to "dumpster diving" was a problem. Check out the look-alikes that resemble some famous people. I ran into this website:
http://www.fakefaces.co.uk/ recently that claims to have celebrity look-alikes.

Assuming that the images are not-morphed (which also is a possibility), the resemblance is pretty striking. Think what would happen if Mr. Beckham, or Mr. Austin Powers would walk into a Thailand resort for a vacation. VIP service?

Well..I wonder if there is a look-alike that exists for every one of us -- not just celebrities. Oh yes, I learned a new word too. Apparently, a person who is a look-alike, but not related to you is called a "Doppelgänger".

Need a friend -- a bio or genetics scientists to tell me how close a match can ever get? Spooky.

Tweet Tweet

2009-08-11T18:31:00.000-07:00

You think Facebook is intrusive? ..Checkout Twitter. I know Twitter started in 2006, but has been big only since the recent 1-2 years. There are pros and cons to such information (or status) broadcasts of course. Plus side -- you can be a social animal (only connected to the virtual world). The down side -- what about privacy? and what happened to the good old fashion in-person talk -- or even healthy gossip? :)

Here is a newscast where BU professor Azer Bestavros was recently interviewed. Nice discussion. By the way, President Obama also tweets.

My question is: How much should we tweet, but still enjoy the in-person experiences that usually become lasting memories?

P.S: I am not on Twitter. Will tweet for __ (not sure yet)

Data loss incidents -- Web portal

2009-08-07T12:26:00.000-07:00

DataLossDB -- a comprehensive website that documents data loss incidents that happen world-wide. The implications of data loss are severe of course, but knowing about such incidents is good too. TJX case with 94,000,000 records compromised holds the record so far.

From the website:
"DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation's DataLossDB.org, asks for contributions of new incidents and new data for existing incidents. For any questions about this site or the data contained within the site, please contact curators@datalossdb.org"

Da Vinci and Fibonacci

2009-08-05T08:50:00.000-07:00

I just finished reading the novel "The Da Vinci Code" by Dan Brown. Leaving the controversies surrounding the books aside, I was intrigued by the use of Fibonacci numbers as a password, or crypt.

Fibonacci numbers as you are from the sequence: 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, ...

One could start with one of the numbers in the sequence, and use the rest of sequence (with minor modifications that are easy to remember) as a password. Brilliant - Jacques Saunière! Well, actually brilliant Leonardo of Pisa. I just learned that the Fibonacci sequence is named after Leonardo of Pisa, who was known as Fibonacci (a contraction of filius Bonaccio, "son of Bonaccio".)

If my password or PIN were: 131722 ...can you guess how I derived it?

Authentication (I am who I am)

2009-08-05T07:21:00.000-07:00

There are a plenty of ways to authenticating (proving that you are YOU) in this world. In everyday life we are asked to authenticate ourselves by showing an ID, typing a password, finger print, etc.

Someone recently recently asked me:
What is most secure form of authentication or to establish one's identity?

a) one based on what you are

b) one based on what you can do

c) one based on what you know

Tricky!

Paper published at SEKE 2009

2009-08-02T13:13:00.000-07:00

My paper titled "iPass: An Integrated Framework for Educating, Monitoring and Enforcing Password Policies for Online Services" was accepted at the 21st International Conference on Software Engineering and Knowledge Engineering (SEKE 2009), Boston, USA, July 2009.

Creating your own security lab

2009-08-02T13:00:00.000-07:00

Here is book on how you can create, set-up and practice + develop solutions.

Build Your Own Security Lab: A Field Guide for Network Testing (Paperback)
By Michael Gregg

I am in the process of develop some exercises, labs for my students -- let me know if you have any experiences :)

CS conference rankings

2009-05-05T09:08:00.000-07:00

..ran into this site that maintains the rankings of the top computer science conferences. Check here:

CS Conference rankings

the website claims that they update the ranking every 3 months, so use your discretion if you are really worried about which conference to submit your paper -- obviously every paper counts! :)

Strong passwords - what? ...Take a survey

2009-04-13T09:46:00.000-07:00

I am requesting you to participate in small survey for a project I am doing on -- understanding user perception, usage, and techniques for "strong passwords". Thanks. Click link below.

Password Policy Survey

It would take less than 1 minute, and hey -- this will not be used to hack into your system -- don't worry :)

Privacy in a Public world...of facebook

2009-03-05T19:41:00.000-08:00

Just ask around in your class or your office who is not on facebook or orkut or myspace or whatever your favorite WWW "space"...doubt if many will raise their hands. Well, with information floating around in the public world of FB, and the web in general -- there is not much you can do to hide, but there is some help...some help that will help keep your information more private to the circle of friends, and less public to the 'public'.

I ran into this neat article on how to use the security settings in Facebook -- worth reading, and surely worth configuring your profile accordingly: More here:
http://www.allfacebook.com/2009/02/facebook-privacy/

Rule of thumb: "Don't post anything that might embarrass/hurt/annoy/tick-off yourself or someone you may know" :)

security vs. usability

2009-03-03T20:51:00.000-08:00

Information assurance or security is always a balance between:
"Usability" and "the level of Security", Scott Adams sums it up pretty well in this cartoon. Enjoy!

Mirror mirror on the wall...which is the strongest password of them all

2009-03-03T18:30:00.000-08:00

Passwords are the one of the simplest and most easy-to-use forms of providing security. Everyone uses at least 5-6 passwords, some simple, some strong -- have you ever wondered how strong your password is? I can came across this really cool utility (Password Checker) that checks the strength of your passwords. Check here:
http://www.microsoft.com/protect/yourself/password/checker.mspx

Not a bad idea to check the strength here, before you create a new login/password when you enroll for any online service :)