security memetics

i can haz spyware?

2012-02-09T12:04:00.000-05:00

from here (image source)

y'know, by any reasonable, functional definition, downloading personal information without the user's knowledge or consent qualifies an app as spyware. i doubted path was the only company who did this, and in fact it turns out that many have, so it seems to me that there is in fact malware in the iOS app store right this minute. there's no anti-virus though, because apple won't allow it.

all hail the security of the walled garden.

if you wave people through security...

2012-02-08T15:30:00.000-05:00

if you wave people through security because they happen to have something resembling a badge then you might be a security idiot.

(inspiration)

adware in your pocket

2012-02-08T10:30:00.000-05:00

from here

whether or not things like android.counterclank qualify as malware or not (do the intricacies of malicious intent really matter when the unanimous consensus among users is that it's unwanted?) is of secondary importance to me. what really boggles my mind is that mobile app developers are actually falling for this con when desktop adware is still so fresh in people's minds (well, my mind, at any rate).

access all the things

2012-02-07T15:30:00.000-05:00

from here

i have it on good authority that some employers actually do give contractors more access than their own employees. pretty ridiculous if you ask me.

if you give outside contractors more access...

2012-02-07T10:30:00.000-05:00

if you give outside contractors more access than you give your own employees, then you might be a security idiot.

(inspiration - though you have to ask @diami03 for permission to be able to see it)

malware support

2012-02-06T10:30:00.000-05:00

from here

just taking a little pot shot at the citadel trojan that brian krebs detailed back in january

veribad, verisign. veribad indeed.

2012-02-03T15:30:00.000-05:00

so apparently verisign was breached back in 2010 and has yet to satisfactorily explain the details of what happened. not a good way to behave when much of the security of the web depends on you being trustworthy.

(unmodified image sources one and two)

if you think using a taser...

2012-02-03T10:12:00.001-05:00

if you think using a taser is an appropriate response to someone walking their dog without a leash, you might be a security idiot

(inspiration)

i don't always participate in DDoS attacks...

2012-02-02T15:30:00.000-05:00

from here

so apparently someone in anonymous finally figured out how to provide their DDoS minions with plausible deniability, even if they can't provide them with actual anonymity. low orbit ion cannon has been made into a web-based version that people can be tricked into visiting and launching attacks from their browser.

TrueSuccess

2012-02-02T10:30:00.000-05:00

from here

inspired by the news that a US court has decided that the 5th amendment can't be used when it comes to encryption

windows guilt accuser

2012-02-01T15:30:00.000-05:00

from here

sometimes the line between malware and legitimate software isn't as clear-cut as we'd like (such as opt-in adware, or spyware to monitor prison inmates) so i started to wonder (genuinely) whether windows genuine advantage could qualify as a kind of ransomware. after all, it does demand that you (if you have a pirated copy of windows) pay microsoft for a legal copy of their software and prevents certain functions until you do.

ransomware vs. backups

2012-02-01T10:30:00.000-05:00

from here

apparently ransomware (malicious software that demands a ransom in order to regain access to your computer or prevent notification of authorities to supposed illegal activity) is on the rise. we'll see if backup media will follow suit.

half-assed recovery

2012-01-31T15:30:00.000-05:00

from here

inspired by a usenet thread (remember those?)

mindlessly restoring drive images is kind of like hanging the target back up after the attacker knocked it down.

congrats on helping to kill SOPA

2012-01-31T10:30:00.000-05:00

from here

i actually played around with the idea of making this site go dark, but decided that somebody needed to help highlight the fact that there is a bigger picture than just SOPA itself. it's been suggested that there are a variety of different adversaries that people face online (and off), and unfortunately their own government (or for most of us in the case of SOPA, a foreign government) is one of them.

war on the unusual

2012-01-30T15:30:00.000-05:00

from here (image source one, two, and three)

the TSA are apparently not the brightest bulbs in the chandelier. they really did mistake an insulin pump for a gun. someone turn on a light for these guys.

failure is always on the list

2012-01-30T10:30:00.000-05:00

from here

the problem with the checklist is that it promotes the idea of following a simple sequence of steps rather than taking a more comprehensive approach. simple approaches often have simple ways to bypass.

privacy decay

2012-01-27T15:30:00.000-05:00

from here

inspired by bob rudis' tweet about the linkedin change

pwnAnywhere

2012-01-27T10:30:00.000-05:00

poor symantec. that source code leak from before may not have had any impact on it's anti-virus product yet, but apparently anonymous has found ways of exploiting pcAnywhere and symantec is warning people to stop using it.

(unaltered image source)

privacy policy beta

2012-01-26T10:30:00.000-05:00

this is in recognition of google's recent move to revise their privacy policies and the fact that they will likely piss people off and have to revise them again (and again). google gets away with a lot when they slap the word beta on things, though, so perhaps that's what they should do this time.

(source image)

if you chain your bike to nothing but itself...

2012-01-25T15:30:00.000-05:00

if you chain your bike to nothing but itself, then you might be a security idiot.

if you use a wire chain that can be easily broken with pliers, chances are exceptionally good that you're a security idiot.

and if you do all that not five feet from a bus stop where a thief can make a speedy getaway without even removing the chain, then you're definitely a security idiot.

(inspired by my morning commute to work)

mobile computing and shoulder surfing

2012-01-25T10:30:00.000-05:00

from here

mobile computing gives people the ability to access computing resources wherever they go. unfortunately, human nature is such that people go where there are other people. it's difficult to maintain the operational security necessary to even do something as simple as enter a password when you're in a public place surrounded by other people.

and infosec professionals think the only problem with the consumerization of IT is locking down the device (or the data on it)? ha! are they ever in for a surprise.

WTF anonymous?

2012-01-24T15:30:00.000-05:00

from here

are you like me, folks? did anonymous' retaliation for the megaupload takedown make you scratch your head and wonder what the heck they were thinking? it's not like the takedown harms filesharing at all, since file locker sites are a dime a dozen (heck, even google docs is a file locker of sorts). the takedown really seems to do more to harm the interests of SOPA/PIPA supporters than anything else, since taking down a foreign website and making arrests overseas highlights just how much of an unnecessary power-grab those proposed bills really were.

as some were suggesting on twitter, it seems like they're trying to snatch defeat from the jaws of success.

don't keep anything worth stealing

2012-01-24T10:30:00.000-05:00

found on failblog

one of my favourite anti-theft techniques is to not carry around anything worth stealing. it works in other contexts too, for example a great way for companies to avoid having customer credit card numbers stolen from them is to not keep the numbers in the first place.

i answer to a higher authority

2012-01-23T15:30:00.000-05:00

found on failblog

'i answer to a higher authority' - or at least a more northerly one. i think the only way santa and his elves would be above the law is when they're literally above them, while the sleigh is in flight. as far as our system of legal authority is concerned, it's representatives are the highest authority.

just because...

2012-01-23T10:30:00.000-05:00

found on very demotivational

just because it says police doesn't mean they are police. not unlike just because an email says it's from your bank doesn't mean it really is from your bank.