
March 2008 Archives

March 12, 2008

Wireless attack against a heart device? Duh.

So someone announced a wireless attack against an implantable cardiac device. While it does make for good press, I can see many valid arguments against the required remediation step, namely authentication of cardiac device programmers. Authentication of the cardiac programmers may impede use of the programmers in an emergency by an ambulance crew, for example. Additionally, key revocation would require surgery. This would be bad news. Long story short: interesting class of attacks, but don't freak out about it to your cardiologist; you could give yourself a heart attack that way.

As a side-note, medical devices have a long history of spoofing attacks, though. I do remember Joe Grand built a Palm Pilot program to control IV drug infusers maybe a decade ago.

aodonnell@ABC News


[Image: abcnews_screenshot, originally uploaded by Adam J. O'Donnell]

Yes, that is my shell on ABC Nightly News on Tuesday, March 12th. No, I didn't really send spam; I was sending the GTUBE Test Vector to one of our test networks.

March 14, 2008

Dan Geer's SOURCEBoston Keynote

This is the best security-related talk I have heard in many years. Read it.

Moving RSS to FeedBurner

I am moving my RSS Feed over to FeedBurner. Please tell me if it breaks for anybody.

RSS Feed Redirect: Complete!

Okay readers, if you are reading this via RSS, the cutover to the FeedBurner Feed should be complete.

March 15, 2008

SOURCE Boston 2008 Wrap-up

SOURCE Boston 2008 was a huge success. We could not have hoped for a better outcome from a first-year conference. The conference hit great niches, namely application security and the business of security, as evidenced by our attendees' responses.

Some important points:

  • Dan Geer's talk made my trip. In what was probably the most intellectually stimulating hour I have had in a long time, Dan examined the current and future state of network security leveraging lessons from evolutionary biology and economics. It is a must-read.
  • The L0pht panel was hugely successful, and it was probably the first time I have seen a standing-room-only crowd at the last talk of a conference. Here are some solid pictures of the event.
  • All the attendees had a blast, as evidenced by multiple Flickr photo pools.
  • Twitter was the communication mechanism for the conference. Jennifer Leggio herded the numerous security cats into using it, and it worked extremely well. She has been continuously updating a list of security twits, many of whom you may know, if you want to get into the game. Here is my feed.

March 17, 2008

Best meme to come from SOURCE Boston...

Certified Pre-0wned. Think malware-infected picture frames.

March 18, 2008

Macs and AV Software

Mogull published an article on TidBITS discussing the issues surrounding Mac AV. It is a solid read. I threw some quotes his way based on some of my recent game theory work.

USA Today, KOMO Interview...

I was interviewed in the USA Today this week, along with friends Rick Wesson, Jose Nazario, and a large group of security researchers who are all far more intelligent than myself. The article led to a radio interview for KOMO 1000 in Seattle. I slapped a photo onto the interview and voila, web 2.0 magic:

March 19, 2008

We will pay you to host malware.

Apparently InstallsCash's business model is to pay people to host malware. Fantastic. Thanks to a friend for the heads up.

Keynoting 2008 MIT Spam Conference

It appears that I will be giving the keynote of the 2008 MIT Spam Conference. Drop me a line if you will be in attendance.

March 20, 2008

Google Trends as an IDS

I use Google Trends as one of my tools for tracking emergent security threats. If a major spam attack hits SMS, for example, you can gauge the severity of the attack if the SMS Spam pops up on Google Trends.

I was pleasantly surprised when I saw that Rita's, a water ice chain in Philly, popped up on Google Trends. Rita's opens up for the season on the first day of spring, and gives out free small water ices.

I predict a massive DDoS on Rita's physical infrastructure, with large queues blocking monetized traffic.

PS: Yes, I know that the majority of ice most people encounter is composed of water and not carbon dioxide or methane hydrate. Water ice is a Philly thing, so don't ask.

March 22, 2008

Unusual blog spam vector exploited

Security Blog MCWResearch was hit by a large amount of spammy posts over the past day. It turns out the blog allowed posting via e-mail, and this feature has been subsequently disabled. I wouldn't be surprised if we see an enterprising spammer search for populations of e-mail-to-blog gateways. They can use their preexisting infrastructure to push spam into a new direction. Remediation for the population would be trivial, as e-mail-to-post functionality is not critical for the functioning of blogs.

Lesson learned: don't allow unauthenticated access to services unless you are required to do so (inbound MTAs, public web servers, etc.).

March 27, 2008

Social Network Phishing

Phishing doesn't just happen against banks. It also hits social networks, including MySpace and Facebook. Phishing only occurs if the target can be monetized; in other words, the phishers have to make money. Early social networking phish were likely extensions of the ransomware methodology, where money would have to be exchanged for the account to be turned back over to the phished user. Nowadays these phished accounts are being used to send spam and phish to social network users, propagating the problem.

Newsflash, it's an issue of market share, not security.

I have been saying, and recently presenting, for some time that Macs are not subjected to malware infestations because it is not economically worthwhile to do so. It has now been two years in a row where OSX has been compromised at CanSecWest. This year, Charlie Miller popped a MacBook Air using a client-side exploit in about 2 minutes. Last year, Dino hammered on a QuickTime for hours and eventually made it in. I think it is pretty safe to say that the community has a stack of unreleased zero-days at this point, and they just need a small (3 pound?) incentive to use them in public.

P.S.: You can read Mogull's recent article if you want further background on the Mac Malware issue.

March 29, 2008

MIT Spam Conference 2008 Followup

Here are my slides from the spam conference keynote I mentioned earlier. These are a refinement of the ISOI slides I posted back in February.

It seems that SlideShare produced far nicer results with this type of content than YouTube.

About March 2008

This page contains all entries posted to NP-Incomplete in March 2008. They are listed from oldest to newest.
