Category: Security

To me, this business with comparing malware and anti-measures in the IT security world with biological systems and in particular immune systems is nonsense on so many levels. People draw parallels with monoculture versus diversified cultures, and immunizing systems and so on. I say: Bah!

First, biological systems have no designer or design targets, no requirements specs, no whitepapers, no nothing. The only thing it has is a testing department. It also has gobs of time and material at its disposal. The entire evolutionary thing is based on “code monkeys” hacking out random code by the ton, then throwing it out on the “market” only expecting a random small fraction to succeed.
Continue reading “Biological comparison nonsense”

So, what’s wrong with using hardware tokens for banking? Well, by themselves, they don’t actually protect you. And this is why.
Continue reading “Securing bank transactions”

There was a discussion on a forum about how to save on IT costs, and the question of consolidating servers came up. So, I had a few little somethings to say, and some of that saying I cleaned up and presented here.
Continue reading “Give me a RAIS, anytime”

Bruce Schneier pointed to a sneaky feature present in some color printers, like in Xerox DocuColor series. They print a code on every page, allowing the authorities to track when the document was printed and with which printer.

A little while ago, I ordered some keyrings with my company name engraved on them, to give out to customers. Just a PR gadget. Now it turns out that they’re probably close to perfect to check color printouts for those hidden codes. Some color printers include hardly visible light yellow dots in the printout that code for date and time, including the printer’s serial number. That expensive color laser you paid for with your hard earned cash is ratting on you. Check out this picture and you’ll see that they’re using blue LED flashlights very similar to the light built into the keyrings I got. How incredibly opportune.

To see how my keyrings look, see the logo at the top of my www.ssdes.com page. That “logo” is simply a photo of the keyring. The round insert on the left, with the black button at the center, is the blue LED flashlight. It’s strong enough to light your way on a dark night with. And, I’m sure, blue enough to detect those yellow dots with, even though I have no printouts here to test with.

Banks use several systems to let their customers log into their internet banking sites. The worst (security wise) by far are the password based systems, very common in the US. Much better are (were!) the one-time password systems, based on scratch cards or electronic tokens, fairly common in Europe. However, the latest phishing expedition launched against the Nordea bank in Sweden showed how trivial it is to get users to scratch those cards and divulge the one-time passwords, making this system no better than regular password systems.

Actually, I’m convinced it’s worse. Most users will have less resistance against giving out a one-time password to a site, since they are convinced it will become unusable after the first try. That’s what the bank told them.

Yet again, bad security proves to be worse than none at all. Especially if it’s touted to be good and isn’t. (Now, I have to add that since no actual case of money being lost has been publicized, that last part is conjecture on my part.)

For more, see The Register.

Rapid Application Development systems tend to promote the writing of bad code. In what follows I’m going to use VS.NET (2003) as an example, simply because it’s probably the most used. I’m also going to take the writing of client database code as the main example, because it is so important and because it represents a large part of development time, if done the right way and hardly no development time if done the VS.NET way.
Continue reading “VS.NET promotes bad code”

I just read a letter to the editor by Richard Stallman in Communications of the ACM, May 2005, where he points out that whatever the privacy policy of a website, the USA PATRIOT act (or USA PAT RIOT act as he calls it) allows collection by law enforcement of any private information without a warrant. His point is that the “privacy seal” advocated by some, means nothing.

US companies are subject to this act in any case, but for us non-US residents and non-US companies, it seems an utterly bad idea to host our data on American based ISPs, since all of a sudden our data can be collected by the US government without a warrant or even without us knowing about it. The ISP can’t even tell us, can they?

Does this mean that applying prudent IT security principles would prohibit any non-US based company from using any US-based hosting provider? Or maybe even any hosting provider with a US-based company anywhere in the ownership chain?

It seems that way to me.
Continue reading “Is it due diligence to avoid US hosting providers?”

I just read an article in IEEE Computer, June 2005, called “Security Technologies Go Phishing”. It’s about new ways of stopping phishing attacks. Among other things, they present a system that lets a bank (for instance) have their users choose a picture from an album. That picture is then included in email that the bank sends out, so the user knows that the email is for real and not spoofed. To me, there are many things wrong with this idea and any similar developments. (Please note: the article mentions other interesting systems and the given company has other interesting products. I’m only picking on this one idea, here.)
Continue reading “Have they forgotten about PKC’s and SSL?”

Two-factor authentication using hardware tokens to log on to internet banking sites (among other things) is intended to make banking over the Internet more secure. It turns out that it isn’t as great as it seems to be on first blush. Bruce Schneier has talked about this problem several times. Why is this problem so difficult?
Continue reading “Authenticating transactions, not people”

If you’re a member of some organization, or have some certification that entitles you to sign up for services somewhere, you need to be able to prove that you have that credential somehow. In real life, you’d carry a plastic card issued by a reliable organization and that you could flash in the face of whomever needs to see it. But how do you do this in the Etherworld?
Continue reading “Proving membership online”