The last week or so has been pretty rough for Twitter. Not only has Twitter been DoS’d a number of times and kicked offline, but it also came out that hackers were using Twitter to control a botnet. It seems that Twitter isn’t just dangerous because of the amount of time you can waste but also because it can be used for data and identity theft. Of course, with all of the fake Twitter accounts and the previous issue of Twitter accounts being hijacked because of a Twitter employee with a weak password, it makes me wonder what type of future Twitter has. My guess is a good one, because the normal citizen doesn’t care about security breaches, only about what new hot hairstyle their favorite celebrity is wearing.
Friday, August 14, 2009
Saturday, July 18, 2009
In just over 10 days I will be heading out to BlackHat. Hopefully this year is even better than last year, though it will be tough to beat last year.
Friday, June 5, 2009
There is a constant battle in the world of computer and network security: the battle of usability. The more secure you make something, the less usable it seems to become. Case in point: Firefox is a nice browser. All browsers are open to attack or open your computer to attack. You secure Firefox by installing one or many security add-ons. Firefox is now unusable for a large population of users. While I enjoy the feeling of security from having my Firefox locked down like Ft. Knox, not everyone does. So that is the question: how do you make security more usable?
Friday, May 15, 2009
Wolfram Alpha is quite possibly the coolest thing ever. More than sliced bread. This is knowledge given to the masses. This is changing how people think and learn. If you haven’t seen it go to: http://www.wolframalpha.com/screencast/introducingwolframalpha.html
That is all.
Tuesday, March 31, 2009
It is 9 am on April 1st in New Zealand, do you know where your Corn Flicker is? Apparently someone alerted the media and of course, this is armageddon. New Zealand has sunk back into the ocean under the weight of the Conficker worm. Hide your women and children!
Sunday, March 1, 2009
I love reading Schneier’s blog. This specific article was really good and I thought I should share it.
We live more and more in a world of censorship and worry. Will what we say or do be used against us at some later date? And not what we say online in a public forum, but what we say to a friend as we are walking down the street, assuming we aren’t being monitored. There are fewer and fewer places that you can assume are private.
Friday, January 30, 2009
Russell Tice (the NSA whistleblower) has gone into more detail about the activities of the NSA domestic wiretapping scandal. It seems that the good folks at the NSA have been doing a bit more than they said they were. I could be mistaken, but aren’t they supposed to be the good guys?
Friday, January 23, 2009
Friday, January 16, 2009
In the IDS market there are two different disciplines. The first uses signatures to determine if an attack is happening. The second uses network behavior to determine if an attack is happening. I am a firm believer that you have to at least have a signature-based IDS to detect known attacks, viruses and malware. Having a behavior-based IDS is definitely useful, but only after you have stopped everything that is known about in the wild.
A researcher at the University of California at Davis has been working on a very interesting way to use behavior-based IDS to stop zero-day worms.
Friday, January 16, 2009
Well, before you do your taxes maybe you should be aware how readily accessible your data is. The Government Accountability Office has called out the IRS for some pretty big security issues.
Fixing 49 of 115 big issues is pretty decent, admittedly, but when user IDs and passwords are “readily” available to any user on their network, I think you need to reprioritize what you have fixed that was more important than that.
I don’t know if I am more offended by the lack of a good password policy or that the data isn’t always encrypted. “For example, the IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said.”
There has to be a better and faster way to get people to think about security because it is obvious that what we are doing isn’t working.