Archive for the ‘security’ Category.

My first receipt of a CAPTCHA-bearing virus

During the last round of virus innovation a couple of weeks ago (email viruses with encrypted payloads bearing passwords in the text, circa March 3), I predicted to a colleague that the next obvious step would be an embedded CAPTCHA image to make it harder for antivirus gateways to find the password for decoding encrypted attachments. It didn’t take long; I received my first CAPTCHA-bearing virus last Saturday (March 13).

Of course, this is only a novelty in email viruses. It’s old-hat for email spam; for example a significant proportion of the Russian-language spam I see is image-only, with an embedded phone number, and not even a single URI.

As for the virus itself, Trend Micro OfficeScan identifies the extracted file as PE_BAGLE.N-O. Here is a snippet of the message:

Delivery-Date: Sat Mar 13 20:00:06 2004
Received: from home-base.com (111.164.8.67.cfl.rr.com [67.8.164.111])
        by antivirus2.its.rochester.edu (8.12.9/8.12.4) with SMTP id i2E0xxGf013039
        for <latex-style@cs.rochester.edu>; Sat, 13 Mar 2004 20:00:00 -0500 (EST)
Date: Sat, 13 Mar 2004 19:59:56 -0500
To: latex-style@cs.rochester.edu
Subject: Re: Thank you!
From: Comm@aol.com
Message-ID: <dqjxudgvprblgdelosm@cs.rochester.edu>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------sbwkiqilgvsgqquhumfx"
Content-Length: 34491
 
----------sbwkiqilgvsgqquhumfx
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
 
<html><body>
Your file is attached.<br><br>
 
 
<BR>Password - <img  src="cid:rjsdmyhbsf.bmp"><BR>
<br>
</body></html>
 
----------sbwkiqilgvsgqquhumfx
Content-Type: image/bmp; name="rjsdmyhbsf.bmp"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="rjsdmyhbsf.bmp"
Content-ID: <rjsdmyhbsf.bmp>
 
Qk2m...
 
----------sbwkiqilgvsgqquhumfx
Content-Type: application/octet-stream; name="Document.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Document.zip"
 
UEsD...
 
----------sbwkiqilgvsgqquhumfx--
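
The structure above is itself a usable indicator: an HTML body whose "Password" is an inline image referenced by cid:, plus an archive attachment that a gateway cannot open. The following is an added example (not code from the original post) of a heuristic that flags that combination. The sample message, the stub BMP and the zip are constructed and only mirror the layout of the message quoted above; the indicator names are this example's own. Two details are checked against the message as quoted: the attachment body "UEsD..." base64-decodes to "PK\x03", the zip local-header signature, and the image body "Qk2m..." decodes to "BM", the BMP magic.

```python
"""Heuristic detector for the "password as an inline image" mail pattern.
Added example; the message, image stub and archive below are constructed."""
import base64
import email
import io
import re
import zipfile
from email import policy

# "Password ... <img src="cid:X">": the password is rendered, not written.
PASSWORD_CID = re.compile(r'password[^<]{0,40}<img[^>]+src="cid:([^"]+)"', re.I)
ZIP_MAGIC = b"PK\x03\x04"      # what the quoted attachment's "UEsD..." starts with


def constructed_encrypted_zip() -> bytes:
    """Tiny zip with the 'encrypted' general-purpose bit (bit 0) set, standing in
    for a password-protected archive. zipfile cannot write encryption, so the bit
    is set by hand: local-header flags sit at offset 6, central-directory flags
    at offset 8 from the PK\\x01\\x02 signature. Member data stays plaintext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Document.exe", b"not a real executable")   # constructed
    data = bytearray(buf.getvalue())
    data[6] |= 1
    data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)


def build_message(password_image: bytes, archive: bytes) -> bytes:
    """Constructed message with the three-part layout of the quoted one."""
    def b64(b): return base64.b64encode(b).decode()
    bnd = "--------sbwkiqilgvsgqquhumfx"
    return "\n".join([
        "From: Comm@aol.com",
        "To: latex-style@cs.rochester.edu",
        "Subject: Re: Thank you!",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{bnd}"',
        "",
        f"--{bnd}",
        'Content-Type: text/html; charset="us-ascii"',
        "",
        "<html><body>Your file is attached.<br><br>",
        '<BR>Password - <img  src="cid:rjsdmyhbsf.bmp"><BR></body></html>',
        f"--{bnd}",
        'Content-Type: image/bmp; name="rjsdmyhbsf.bmp"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="rjsdmyhbsf.bmp"',
        "Content-ID: <rjsdmyhbsf.bmp>",
        "",
        b64(password_image),
        f"--{bnd}",
        'Content-Type: application/octet-stream; name="Document.zip"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="Document.zip"',
        "",
        b64(archive),
        f"--{bnd}--",
        "",
    ]).encode()


def analyze(raw: bytes) -> dict:
    """Collect indicators; 'suspicious' means the password is an inline image
    and an archive is attached (encryption is reported separately)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    r = {"password_cid": None, "cid_image_present": False, "archives": [],
         "archive_members": [], "encrypted_archive": False}
    images = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            m = PASSWORD_CID.search(part.get_content())
            if m:
                r["password_cid"] = m.group(1)
        elif ctype.startswith("image/") and part["Content-ID"]:
            images[part["Content-ID"].strip("<>")] = part.get_content()
        elif part.get_filename() and part.get_content_maintype() not in ("text", "multipart"):
            name, payload = part.get_filename(), part.get_content()
            if name.lower().endswith(".zip") or payload[:4] == ZIP_MAGIC:
                r["archives"].append(name)
                try:
                    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                        for info in zf.infolist():
                            r["archive_members"].append(info.filename)
                            if info.flag_bits & 0x1:   # bit 0: member is encrypted
                                r["encrypted_archive"] = True
                except zipfile.BadZipFile:
                    pass    # damaged archive: still counted, members unknown
    r["cid_image_present"] = r["password_cid"] in images
    r["suspicious"] = r["cid_image_present"] and bool(r["archives"])
    return r


# Constructed sample: a 14-byte BMP stub (just the "BM" magic) and the flagged zip.
CONSTRUCTED_MAIL = build_message(b"BM" + bytes(12), constructed_encrypted_zip())

if __name__ == "__main__":
    for key, value in analyze(CONSTRUCTED_MAIL).items():
        print(f"{key:20} {value}")
```

The point of checking the zip's flag bit rather than trying to open it is that a gateway never needs the password to know the archive is encrypted; an encrypted archive next to an image-borne password is the whole trick, and an executable member name inside it (visible in the central directory even when the data is encrypted) is the rest of the story.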
 

Bypassing China’s firewall

SCADA vs. the hackers

SCADA vs. The Hackers

The problem is that programmable logic controllers, digital control systems, and supervisory control and data acquisition, or SCADA, systems were never designed with security in mind.

“When companies designed control systems worldwide, there were always two unwritten assumptions,” said Weiss, who served as the technical lead for control system cybersecurity at the Electric Power Research Institute in Palo Alto, Calif., before joining KEMA. “Everyone assumed the system would be isolated, not connected to anything else. We also assumed that the only people who would use the control system were people who were supposed to use it. That was a good assumption for another day.”

[via John Robb]

Java vs .NET security

An Introduction To SQL Injection Attacks For Oracle Developers

Is finding security holes a good idea?

Eric Rescorla's paper, Is finding security holes a good idea?,
actually analyzes the data on bug discovery. The conclusion of (the first draft of) the paper:

If finding security defects is a useful security activity, then it should
have some measurable effect on the software security defect rate. In this
paper, we have looked for such an effect and only found very weak evidence
of it. In the best case scenario we are able to make, the total defect
count has a half life of approximately 3.5 years. However, our data is
also consistent with there being no such effect at all. In either case,
the evidence that the effort being spent on bug finding is well spent
is weak.

China Authorities Battle Hard to Tighten the Web

LA Times (requires registration):
China Authorities Battle Hard to Tighten the Web:

…The second approach uses technology to limit citizens’ ability to view what the government considers objectionable.

In recent months, China has become far savvier in this area, experts say. It wasn’t too long ago that it had to block an entire overseas website containing objectionable material, with questionable results. While blocking the Massachusetts Institute of Technology’s site prevented Chinese citizens from accessing encryption programs, for instance, it also frustrated future government engineers trying to apply to the institution.

Now Beijing can block access to a single page, or to links it finds objectionable.

“It sounds easy, but it’s been a deep technological problem,” said Ben Edelman with Harvard Law School’s Berkman Center for Internet and Society.

The firewalls around China require users seeking access to the rest of the Internet to go through a limited number of gateways controlled and monitored by Beijing. China also has improved its ability to divert or hijack requests for sensitive information, redirecting them to harmless sites or “timing out” the request. It’s also better able to block sites that constantly change their Web addresses, a tool used in the past to keep one step ahead of censors.

“With new technology, they’re now upgrading their system within a couple of months,” said Bill Xia, president of Dynamic Internet Technology, a U.S. company that develops technology to circumvent China’s filters. “They probably have to go through approvals, but I’m rather impressed by their speed.”

There are limits to the technology, however. You can’t block everything. So China has invested heavily in an expanded cyber police force that scours the Web looking for new sites to block, monitoring bulletin boards and identifying “undesirables.” Online rumor puts China’s cyber police at 30,000.

“That’s just a number,” said Michael Iannini, Beijing-based general manager with Nicholas International Consulting Services. “The point is they have a lot of people doing what they do to make sure you can’t do it.”

the EURion Constellation on banknotes

Markus Kuhn:
Photoshop CS Adds Banknote Image Detection, Blocking?:

These little yellow, green or orange 1 mm large circles have been on European banknotes for many years. I found them on German marks, British pounds and the euro notes. In the US, they showed up only very recently on the new $20 bill. On some notes like the euro, the circles are blatantly obvious, whereas on others the artists carefully integrated them into their design. On the 20 pound note, they appear as “notes” in an unlikely short music score; in the old German 50 mark note, they are neatly embedded into the background pattern; and in the new 20 dollar bill, they are used as the 0 of all the yellow 20 numbers printed across the note. The constellations are probably detected by the fact that the squares of the distances of the circles are integer multiples of the smallest one.

I have later been told that this scheme was invented by Omron and that the circle pattern also encodes the issuing bank.

[via Ed Felten:
Freedom to Tinker: Photoshop and Currency]
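
Kuhn's guess at the detection rule is worth making concrete, because it shows why such a test is practical on a scanned image: ratios of squared distances survive rotation and scaling, so no knowledge of the scan resolution or page orientation is needed. What follows is an added example implementing that guess, not Adobe's or Omron's detector. The circle centres and clutter points are constructed, and a five-circle constellation and a 2% tolerance are this example's assumptions rather than facts from the page.

```python
"""The integer-multiple test Kuhn conjectures above, as an added example.
Point sets are constructed; the real detector's rule is not known here."""
import itertools
import math


def squared_distances(points):
    """Pairwise squared distances; staying with squares keeps the integer
    relation exact instead of hiding it under square roots."""
    return [(ax - bx) ** 2 + (ay - by) ** 2
            for (ax, ay), (bx, by) in itertools.combinations(points, 2)]


def is_eurion_like(points, tol=0.02):
    """True if every squared distance is, within tol, an integer multiple of the
    smallest. Ratios are invariant under rotation and uniform scaling."""
    d2 = squared_distances(points)
    if len(d2) < 3:
        return False
    base = min(d2)
    return all(abs(d / base - round(d / base)) <= tol for d in d2)


def find_constellation(candidates, size=5, tol=0.02):
    """Given blob centres found in an image (real circles plus clutter), return
    the first size-subset passing the test, or None. Brute force is fine for
    the few dozen circle-like blobs a banknote scan produces."""
    for subset in itertools.combinations(candidates, size):
        if is_eurion_like(subset, tol):
            return subset
    return None


def transform(points, degrees, scale, shift=(100.0, -40.0)):
    """Rotate, scale and translate, as a scan at another resolution/orientation would."""
    t = math.radians(degrees)
    c, s = math.cos(t), math.sin(t)
    return [(scale * (x * c - y * s) + shift[0], scale * (x * s + y * c) + shift[1])
            for x, y in points]


# Constructed centres: squared distances 1,1,2,5,2,1,2,1,4,1, all multiples of 1.
EURION_POINTS = [(0, 0), (1, 0), (0, 1), (1, 1), (2, 1)]
# Constructed clutter: other round blobs a scanner would also report.
CLUTTER = [(0.37, 2.11), (2.9, 0.43), (1.55, 1.27)]

if __name__ == "__main__":
    print(is_eurion_like(EURION_POINTS), is_eurion_like(transform(EURION_POINTS, 37, 3.7)))
    print(find_constellation(EURION_POINTS + CLUTTER))
```

The tolerance is the interesting knob: too tight and printing or scanning jitter defeats the detector, too loose and ordinary dot patterns start passing, which is exactly the false-positive worry raised about Photoshop's silent blocking.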

Meanwhile, here is a bad trend. From
Techdirt:

The other disturbing part about this revelation is that Adobe admits that they don’t even know how the blocking software works. They were given the code
by the Central Bank Counterfeit Deterrence Group without details on how it works or what it really does. In other words, the software could do a lot more than blocking images of currency. I doubt it really does at this point – but the fact that they would simply dump in a software component that they don’t know what it’s really doing, and then not tell customers about it is a bit disturbing.

There are useful legal links (in eight languages) at
http://www.rulesforuse.org,
a site run by the European Central Bank.

Using Device Polling and More to Improve Packet Capture

Luca Deri, in Improving Passive Packet Capture: Beyond Device Polling (pdf), shows radical (and appalling) differences in packet capture performance among Windows, FreeBSD, and Linux machines, due to differences in device drivers. The paper recommends use of device polling, and the author also implemented a ring-buffer version of libpcap.

[via TaoSecurity]

Empirical Analysis of Internet Filtering in China

This might be affecting the University of Rochester (I’m looking into it):
Trouble with Chinese applicants/customers reaching your web site?
Maybe your DNS server is blocked.

See the excellent summary of the situation from Zittrain and Edelman:
Empirical Analysis of Internet Filtering in China.

Caltech, Columbia, MIT, and U. Virginia are known victims. Northwestern University
is also affected.

Did this problem increase in November?
See notes in interesting-people and Politech.

Interestingly, as of today, only one (Columbia) of the five .edu zones listed above has off-site secondary DNS servers.
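
The check behind that last sentence is simple to automate: if every authoritative server for a zone sits in the institution's own address space, then anyone who filters that address space (or that single DNS server) takes the whole zone off the map for their users. Below is an added example of that check, not part of the original post. The zone names, hostnames, addresses and site prefixes are constructed from the RFC 5737 and RFC 3849 documentation ranges, not real records of any of the universities named above.

```python
"""Does a zone have an authoritative name server outside the site's own
address blocks? Added example with constructed data."""
import ipaddress


def offsite_nameservers(ns_addrs, site_networks):
    """ns_addrs: {NS hostname: IP address string}; site_networks: the
    institution's own CIDR blocks (v4 and/or v6). Returns, sorted, the servers
    whose address lies outside every block. An empty result means every
    authoritative server shares the site's fate when the site is unreachable."""
    nets = [ipaddress.ip_network(n) for n in site_networks]
    return sorted(host for host, addr in ns_addrs.items()
                  if not any(ipaddress.ip_address(addr) in net for net in nets))


def has_offsite_secondary(ns_addrs, site_networks):
    return bool(offsite_nameservers(ns_addrs, site_networks))


# Constructed data: one zone with an off-site secondary, one without.
SITE_NETWORKS = ["192.0.2.0/24", "2001:db8:1::/48"]
ZONES = {
    "resilient.example.edu": {
        "ns1.resilient.example.edu": "192.0.2.53",
        "ns2.resilient.example.edu": "2001:db8:1::53",
        "ns.secondary.example.net": "198.51.100.53",   # hosted by someone else
    },
    "fragile.example.edu": {
        "ns1.fragile.example.edu": "192.0.2.54",
        "ns2.fragile.example.edu": "192.0.2.55",
    },
}

if __name__ == "__main__":
    for zone, ns in ZONES.items():
        off = offsite_nameservers(ns, SITE_NETWORKS)
        print(f"{zone}: off-site secondaries = {off or 'NONE (single point of failure)'}")
```

In practice the ns_addrs map comes from a live query (dig +short NS for the zone, then an A/AAAA lookup per server), and the site networks are whatever the institution actually announces; the function above is only the comparison step.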