Feb 16 2009

Italian Criminals Start Using Skype

Category: Security | Teknovis @ 23:14

Italian criminals are increasingly using Skype to make their business phone calls. They are not choosing Skype for the free PC-to-PC calls, or the video conferencing facilities :P They are choosing it for the security that it offers them compared to conventional phone systems (land line or mobile)!

I have no doubt that this is frustrating the authorities. However, I am a strong believer in privacy, and I would be appalled if I discovered that Skype was colluding with authorities to circumvent its security.

More details about this can be read in Italy police warn of Skype threat.



Jan 19 2009

a.exe

Category: Security | Teknovis @ 22:08

Today is supposed to be the most depressing day of the year. This is supposed to be due to a combination of credit card bills relating to Christmas shopping, pay-day still more than a week away, and bad weather :o

I am not sure how true this is, but the last few days were a bit depressing for me :o I think that one of my Windows 2000 computers might have become infected with a virus, and I cannot figure out how!

It all started when I noticed a file called a.exe that suddenly appeared in one of my folders. The creation time of this file was a few minutes before I noticed it. So my first reaction was to upload the file to VirusTotal. This is a really great web site that allows you to email or upload a file for free, and this file is then scanned by the most up-to-date versions of 39 different virus scanners. VirusTotal reported that 21 of the 39 virus scanners found a virus in my file :( You can read the full report.

VirusTotal most frequently identifies the worm as Pinit or Spamuzle. The best information I can find about these is from ThreatExpert and Symantec.

However, based on these descriptions my computer is not infected. This does not surprise me because only my administrator account has the privileges to make those changes. Furthermore, my hardware firewall would prevent the virus from communicating with the outside world. Blacknight also correctly identifies the file as a virus, and prevents it from passing through the email system.

So everything looks great, and it appears that I was not infected. However, the fact still remains that a.exe came from somewhere! It is really annoying me that I cannot find its source :|

The other aspect of this that is adding to my unease is the current rampage of the worm known as Conficker, Downadup, or Kido. See Windows worm numbers ‘skyrocket’ for more details about this worm. Is this a coincidence, or is my problem somehow related to this?

I would really appreciate it if anybody could provide me with any insight in relation to any of this!



Jan 15 2009

Social Welfare Fraud

Category: Security | Teknovis @ 22:42

I read a really interesting news story today about an employee of the Irish national postal company. This employee’s job was to process social welfare recipients’ claims when they came into the post office. This consisted of scanning a date-stamped voucher that covered the current time period (week or month I presume), and then paying out the correct amount of cash.

However, the employee discovered that she could also scan another voucher representing a future period from the recipients’ voucher books and that the system would allow her to make that payment. She simply pocketed this second payment :) The post office only kept records of payments for 21 days, so after that period the voucher could be used again!

This raises some very important security issues:

  • The system designers should have built a check into the system to ensure that the vouchers were valid at the time they were being redeemed. This validity should consist of a valid from date and a valid to date.
  • The system designers should have built a check into the system to ensure that the vouchers were not previously redeemed. This is substantially easier to do when the system checks the validity of the dates.
  • For bonus marks the system designers could allow vouchers to be revoked, and consequently they would need to include a check in the system to ensure that the vouchers were not revoked. Again this is substantially easier to do when the system checks the validity of the dates.
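The three checks listed above can be sketched as follows. This is an added example, not code from An Post or from the article; the `Voucher` fields, the serial numbers and the `RedemptionLedger` class are hypothetical, and the ledger is assumed to be kept permanently rather than for 21 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Voucher:
    serial: str        # hypothetical identifier printed on the voucher
    valid_from: date   # first day the payment may be collected
    valid_to: date     # last day the payment may be collected


class RedemptionLedger:
    """Record of redeemed and revoked serials; assumed never to be purged."""

    def __init__(self):
        self.redeemed = {}   # serial -> date it was paid
        self.revoked = set()

    def revoke(self, serial):
        self.revoked.add(serial)

    def redeem(self, voucher, today):
        """Return (paid, reason); a payment is made only if every check passes."""
        if voucher.serial in self.revoked:
            return False, "revoked"
        if today < voucher.valid_from:
            return False, "not yet valid"
        if today > voucher.valid_to:
            return False, "expired"
        if voucher.serial in self.redeemed:
            return False, "already redeemed"
        self.redeemed[voucher.serial] = today
        return True, "paid"


def demo():
    """Replay the scenario from the post against constructed sample vouchers."""
    ledger, today = RedemptionLedger(), date(2009, 1, 15)
    week = timedelta(days=6)
    current = Voucher("BOOK1-03", today - timedelta(days=3), today + timedelta(days=3))
    future = Voucher("BOOK1-04", today + timedelta(days=4), today + timedelta(days=4) + week)
    lost = Voucher("BOOK2-01", today - timedelta(days=3), today + timedelta(days=3))
    ledger.revoke(lost.serial)
    return [
        ledger.redeem(current, today),                       # legitimate payment
        ledger.redeem(future, today),                        # future voucher scanned early
        ledger.redeem(current, today + timedelta(days=2)),   # same voucher scanned twice
        ledger.redeem(future, today + timedelta(days=5)),    # paid once, in its own period
        ledger.redeem(future, today + timedelta(days=30)),   # reuse after 21 days
        ledger.redeem(lost, today),                          # voucher from a revoked book
    ]
```

The reuse attempt 30 days later is rejected by the date window alone, before the ledger is consulted, which is why the redemption check becomes easier once dates are validated.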

The full article is Quirk in An Post system used in fraud, although I would not call it a quirk!



Jan 11 2009

John McCain’s PDA sold to Journalist

Category: Mobile Computing, Security | Teknovis @ 21:48

This is definitely going to be my last post about the US election in 2008! However, I am writing this because it highlights a serious security risk!

It appears that when the election campaign ended John McCain’s organisers sold everything associated with the campaign. I think that would be normal. Included in the sale was John McCain’s PDA. I do not really understand this, because I could not survive without my PDA! However, not everybody needs one! Significantly, this PDA was not wiped, reset, or formatted before it was sold! Luckily (or unluckily – depending on which way you look at it) the PDA was bought by a journalist! I guess that all of this gives new meaning to transparent politics :)

For more details about this see McCain campaign sells unwiped Blackberry for $20.



Dec 16 2008

Internet Explorer Security Issue

Category: Security, Software | Teknovis @ 22:52

News about the latest security issue in Microsoft’s Internet Explorer has made it into mainstream media, such as Security alert over Internet Explorer and Serious security flaw found in IE. More details about the security issue can be read in MS issues brown alert over unpatched IE 7 flaw and Microsoft issues emergency patch warning for IE.

I think it is great that users are being encouraged to switch to other browsers! Internet Explorer has been far too dominant for too long. I think that this caused browser innovation to be stifled.

It is times like this that make me feel happy to use Firefox :) Of course, I am not naive enough to believe that it never suffers from security issues!



Dec 04 2008

New Visa Credit Card

Category: Security | Teknovis @ 22:51

I am currently reviewing which bank I should give my business to, and as part of this review I am considering getting a new credit card. Actually, I am wondering if I should get a debit card instead.

Therefore, I was very interested in reading about a new credit card that Visa is releasing. The unique thing about this new card is that when a user wants to use it then he/she enters his/her PIN into the card. So the card has a small keyboard in it, and yet it is still the same size as a normal credit card. The card then generates a unique one-use code that must be used as part of the purchasing process. This ensures that the user is really in possession of the card.

The vagueness of the Data Protection Act legislation covering the usage and storage of credit card details in the UK is also very interesting:

appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

having regard to the state of technological development and the cost of implementing any measures

More details about all of this can be read in Visa’s digital credit card could raise legal stakes.

In terms of credit card security, the thing that really amazes me is that the CVV number is printed on the back of the card! This means that anybody who can get hold of a credit card (even for a few seconds) can later use the credit card for online purchases!



Nov 30 2008

Queen’s University Secures £25 Million for Security Research

Category: Fourth Level, Security | Teknovis @ 22:38

Congratulations are due to Queen’s University in Belfast for securing £25 million for conducting security research. That should enable a lot of research!

The money will be used to establish and fund the Centre for Secure Information Technologies (CSIT). The research will cover all of the usual areas of security, although it appears to focus more on applied research.

More details about this can be read in Queen’s Uni nets £25m funds for cybersecurity research.



Nov 28 2008

The Technology behind Barack Obama

Category: Internet, Security | Teknovis @ 14:49

The Register describes some security vulnerabilities in two of Barack Obama’s websites in Congratulations, Barack – Now fix your websites. The most significant security issue that the article highlights is the fact that the administration pages load the Google Analytics JavaScript file urchin.js from the Google website. In theory, this means that Google can use this JavaScript file to do almost anything that they want with Barack’s websites. Not a good situation :(

Apparently, many readers did not share the author’s view on this security issue. So the author wrote a follow-up article that provides more details, and opinions of experts from OWASP, in Google Analytics – Yes, it is a security risk.
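A site owner can audit pages for this pattern by listing every script that is fetched from another origin. The following is an added example, not code from the articles; the page URL, host names and HTML are constructed placeholders, and the `pinned` field checks for a Subresource Integrity `integrity` attribute, a browser feature that post-dates this post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Scheme, host and port identify who serves (and can change) a script."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


class ScriptAudit(HTMLParser):
    """Collect <script src=...> tags whose code comes from another origin."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script: delivered by the page's own origin
        absolute = urljoin(self.page_url, src)
        if origin(absolute) != origin(self.page_url):
            self.findings.append({
                "src": absolute,
                "host": urlsplit(absolute).hostname,
                # True when the page pins the script's hash via SRI
                "pinned": bool(attrs.get("integrity")),
            })


def audit(page_url, html):
    """Return one finding per cross-origin script included by the page."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample of an administration page (placeholder hosts).
SAMPLE_URL = "https://admin.example.com/login"
SAMPLE_HTML = """<html><head>
<script src="/static/admin.js"></script>
<script src="http://analytics.example.net/urchin.js"></script>
<script src="https://cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Any finding with `pinned` set to false on an administration page means the other host can change what runs with that page's privileges.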

Independently, it seems that Barack is currently in negotiations in order to continue using his PDA! Apparently, communications devices are banned in the White House, and there are accountability and traceability issues associated with their use! That is an inconvenience! More details about this in Obama tries to stay connected.

Finally, I have heard that a considerable number of websites have appeared that are designed to help the Obama family choose what type of puppy they will get :) Gosh, it must be nice to have enough time to be able to create websites like this!



Nov 27 2008

Sarah Palin’s Webmail Hacked

Category: Security | Teknovis @ 21:11

Sarah Palin’s webmail account was hacked during the US election campaign, according to Palin webmail ‘hack’ trial delayed. The interesting thing about this is that the attacker correctly answered the “secret question” that is used when the user forgets his/her password. The attacker, who is a University of Tennessee student, successfully found the correct answer to Sarah Palin’s secret question using Google :)

I think that the conditions of the attacker’s bail are slightly humorous:

The University of Tennessee student remains free on bail with restrictions that prohibit his use of a computer except for the purposes of internet email and college coursework.

Should his use of Internet email not be restricted to his own email accounts?



Nov 15 2008

OWASP Dublin Meeting

Category: Security | Teknovis @ 12:23

A friend informed me that there is an OWASP (Open Web Application Security Project) meeting next week in Dublin. I never heard of this organisation before, but it seems to have good support from its industrial members.

The event is on next Tuesday evening, and there will be three different presentations:

  • Potential risks of the offline Internet by David Rook (Realex Payments) and Conor McGoveran (onformonics)
  • Internet insecurity and breaking the workflow by Eoin Keary (Ernst and Young)
  • Implementing a Risk Based Approach to Developing Applications Securely by John Wood (Fortify)

The event is free, and everybody is welcome! The full event details can be found on the OWASP Ireland Local Chapter web page.


