Nuclear weapons aren't necessary...

Friend pointed me to the cartoon, about why countries in the world (in this case, China) no longer need nuclear weapons. Awesome!


Dramatic Increase in the number of malware variants...

Reading some of the details in Panda Labs' Annual Report for 2009 and came across these statistics...the math is pretty crazy...

Panda says that they have 40 million variants of malware in their database, collected over 20 years of business.
They indicate that they are collecting 55,000 variants a day.
If you do the math, that means that in the past 365 days, they collected 20 million variants.

So in one year, they collected as many variants of malware, as they have collected in the entire span of their business.

Neato.  Somebody has been busy.


Panda Labs reports (pt 1)...banking malware

Was skimming through some interesting reports by Panda Labs. One report (pdf) covers some basic information on banking malware (i.e. malware designed to gather your personal information associated with online banking). The Appendix is particularly interesting. They cover some details on the Zeus Trojan kit. None of the details are new, nor is the combination of them new - still - I found it fun. And available for the low, low price of only $700. For example:

The Trojan runs on the affected user's computer and can carry out the following actions:
  • Socket and Proxy server.
  • Auto update.
  • Using the polymorphic encrypter to generate different copies of itself.
  • Capturing certificates.
  • Changing local DNS.
  • Removing cookies to get the user to re-enter the passwords.
  • Capturing screenshots of the affected computers.
  • Receiving remote control commands.
  • Adding additional fields to a website and monitor the data sent.
  • Stealing passwords stored in several programs (Protected Storage data…) and pop3 and ftp passwords, regardless of the port.
Very cool.



Awesome debate on fear and security

Bruce Schneier has a great piece on fear and logic and the nuclear industry.

The best part is the comments. In the comments, you can really see some of the interplay between fears based on facts and logical reasoning and fear based on raw emotions.

It is interesting to see how some commenters compare the risks to other things that we accept as "normal" or "reasonable" versus those commenters who try to support their comments with gut feeling and fear-mongering.



Metasploit Tutorials...

Offensive Security is hosting a series of tutorials related to using the Metasploit framework.

I haven't had the chance to take a look yet...but they sound promising.

These are being released in support of the Hackers for Charity project that Johnny Long is associated with...from the tutorial homepage:

"This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework."


Most common passwords

Good article on Wired.com about the results of an analysis of passwords used by Hotmail users...
Out of about 10,000 passwords that were studied, the most common was:
Some of the others showed signs of cultural bias, that reveal potential geolocational evidence...i.e. the large number of Spanish names.



Battle against the dark side...

One of my students made a very interesting comment the other day...about wanting to engage in battle against the dark side.

So what does it mean to engage in battle against the dark side? There are very direct and flamboyant ways to do so. Presuming you work for the government, you may have these exciting jobs:

  • hack the computers of the enemy to steal info and plant malware in case of cyber-warfare
  • monitor the behavior of the enemy as they attempt to hack your systems and find ways to shut them out
Presume you don't work for the government? There are other ways to combat the enemy and even though they do not sound as glamorous, they are nonetheless critically important to the safety and well-being of the nation.
  • keep your own systems safe from the bad guys so they can't be used as a springboard to launch other attacks
  • improve the tools and training used by others in the field so that collectively there is a greater impact on the infrastructure as a whole
  • educate the computer illiterate on safe computing
One interesting issue about the dark side...that all depends on your perspective:

When sponsored by a government, the exact same behaviors go from being illegal to being completely legal. For example: if a U.S. civilian hacks the U.S. Department of Defense, it is a crime. If a U.S. soldier, while under orders, hacks the Russian Ministry of Defence, it is simply good military strategy and perfectly legal in the eyes of the U.S. Government. But...the Russians might not find it so entertaining...


Learn something new every day: NEAT

Recently read an article on Multiple Independent Levels of Security (MILS) which used an acronym whose concepts I was familiar with, but that I had not heard before: NEAT. It stands for:

  1. Non-bypassable
  2. Evaluatable
  3. Always-invoked
  4. Tamperproof
In a recent class, I commented on applying three of these to reference monitors and trusted computing bases:
  1. tamper proof
  2. non-bypassable
  3. small enough/simple enough that it can be thoroughly tested for correctness
In retrospect, I probably should have mentioned to them the idea of "always-invoked" (note to self: include that in next class revision) and I probably could have saved some bandwidth by substituting in the much shorter word "evaluatable".

Well...you learn something new all the time, and for me, that is NEAT!


P.S. NEAT gets mentioned on page two of the four-page article.

Lies, damn lies and statistics...

The following linked article from ComputerWorld UK has some interesting quotes about the growth of Windows operating systems in running a number of supercomputers. Apparently Windows has increased its market share by 400%, while in the same period, Linux increased its market share by only 51%. This sounds pretty impressive, until you take the time to look at the numbers behind the numbers.

Read the article to see what I mean!

One of the principles I share with my students is to try to look at things with a critical eye. This is a great example of how numbers can be misleading.