Monday, October 31, 2011

hackers turn computer into bomb

from very demotivational

in case you aren't familiar with the seems legit meme, well, the phrase "seems legit" is used ironically - it's always FAR from legit.

total security ... seems legit

from here

i am totally unapologetic for what this implies about vendors who actually use the "total security" verbiage.

Friday, October 28, 2011

physician, heal thyself

from SC Magazine Australia

of all the boneheaded mistakes to make. with the variety of high profile false alarm problems that have plagued the anti-virus industry, you'd think avira would have at least done enough to make sure they didn't accidentally flag their own software. it kinda doesn't matter how good they rate in tests if their quality control is this messed up.

ass is denied

found on failblog

there are so many double entendres possible with this kind of tramp stamp: penetration testing, password cracking, brute force technique, backdoor access, etc. heck, you could probably even make some suggestive two factor authentication remarks involving something you have or something you are.

the title is of course a play on 'access denied', since i imagine an authentication tramp stamp signifies someone who's more selective than a traditional tramp - someone who isn't wide open to the world.

Thursday, October 27, 2011

security quantity vs. quality


found on the failblog

y'know, if that had just one security guard in good enough shape to actually run this kid down instead of a dozen slowly meandering in his general direction, it probably wouldn't have cost as much to deal with the incident. sometimes it doesn't pay to skimp on the quality of your security.

sheds new light on pocket protectors

from failblog

secret hiding places aren't just for office contraband, of course. hiding things is a tried and tested method of keeping things safe.

Wednesday, October 26, 2011

what's next? GTA:TSA?


when first heard about TSA taking to the roads i thought (and still think in all seriousness) that that couldn't end well, but i have to admit that @ryanlrussell's tweet made me smile. i think there should be a whole new class of bonus points for running those ones over.

don't cross a pirate

from learn from my fail

you might think that there'd be a certain amount of irony in getting pwned by a pirate for stealing his laptop, or perhaps you'd trot out that old line about no honour among theives. frankly i think the best way to look at it is that you get what you give - including respect.

Tuesday, October 25, 2011

high security building

from failblog

i have to admit, this security firm ad is pretty clever.

i find your lack of password strength disturbing

from failblog

no doubt some might wonder why vader would use passwords, but consider this: can you imagine him trying to use biometrics? his voice is altered, his face and eyes covered, and fingerprints would be a lot more useful if he still had his own fingers.

Monday, October 24, 2011

who's responsible for crime?

from the sydney morning herald (thanks to @donnolan and @paperghost for bringing it to my attention)

i know what they meant to say, but really, the way most people would interpret this is that those are the people committing the crime in your area. at a time when trust of authority figures is so low, that caption is really poorly worded. it makes me think the authorities are out of touch with the society they operate in, and that can't be good for their effectiveness.

Friday, October 21, 2011

if you use a windows account...

if you use a windows account capable of wiping your entire hard drive in order to play farmville, then you might be a security idiot.

... and all i got...



@chort0 tweeted about this merchandise he dreamt up and made at cafepress. before he made it on cafepress i almost did it for him because i thought it would be a cool thing to do and i certainly wanted to post about it here. so i almost did it, but then at the very last moment i decided it would be better if he made his ideas into reality himself - and besides, i've got enough of my own ideas for shirts and the like.

Thursday, October 20, 2011

backup early, backup often

backup early, backup often
one of the most overlooked, easiest, and most useful things you can do in security is maintain regular backups. maybe if this catch phrase actually catches we can change the first part of that and make this less overlooked.

count duqu

from here

i know i'm not the only making fun of the stuxnet derivative called duqu, in fact i think it might be it's own little meme all by itself.

Wednesday, October 19, 2011

nick helm's password joke

a little while back a comedian named nick helm won an award for funniest joke at the edinburgh fringe festival, and that joke happened to focus on one of the most recognized concepts in all of security - passwords.
I needed a password eight characters long so I picked Snow White and the Seven Dwarves.
apparently it wasn't the only joke referencing security concepts either. the top 10 list of them also includes one referencing crime, and another referencing the phone 'hacking' case that was attracting so much attention earlier this year.

SIRI how could you?

thanks to @ABlakeley for tweeting this

i think this underscores an important problem with speech recognition technology in mobile devices - the more sophisticated the capabilities become the worse the problem of unauthorized commands issued by those around you becomes. remember, speech recognition is not the same as voice recognition. one recognizes the words, the other recognizes who is saying them.

Tuesday, October 18, 2011

when spam hams it up

there isn't really a good way for me to share this one without simply linking to this cracked article on 100 unintentionally hilarious spam subject lines, but i still want to give you a taste of what you'll find there:
16. Look, random spam subject line writers, you need to know that there are certain words that just kill the porn mood...
  • chippendale champion auschwitz
it's all words, of course, so i think it's safe for work, but your mileage may vary.
(thanks to @javiermerchan and @panda_security for bringing it to my attention)

what a hackable world

thanks to @CiscoSecurity for tweeting this. nice to see that when some people do a parody they actually bother to record it, rather than just writing down the words (unlike me).

Monday, October 17, 2011

yo dawg, i heard you like viruses

from here

i just couldn't resist. it was too meta to pass up.

don't scan this meme

from here

i was trying to figure out which of the meme characters would be appropriate for this very old joke about the cascade virus (141$Flu was the signature a particular AV product used to detect the virus) and then it struck me - it's a pun, so lame pun coon becomes the obvious choice.

Friday, October 14, 2011

passwords are like dollars

passwords are like dollars, so stop trying to give the same one to many people or you'll pay more in the end.

(inspiration)

tricky malware just gives up

from here

that's something that amuses me about malware - as more and more of it uses virtual machine detection to try and fool analysts into thinking there's nothing bad in there, they're basically opting out of doing anything in the environment i'm increasingly doing my work in.

Thursday, October 13, 2011

add-ons

from memebase

well, usability/utility is part of the parkerian hexad; so even if none of those toolbars are spyware or potentially unwanted programs (the probability of which seems vanishingly small), there's still arguably a security issue here.

password hint

from memebase

while technologically impaired duck is sure to have some security related items from time to time, i really wish there was one specifically for lack of security awareness.

Wednesday, October 12, 2011

i'z in ur cockpit...

from here (source image)

it's hard to take the military seriously when they can't even defend themselves against malware

ai can haz anti-virus?

from here (source image)

(inspiration - yes, that's right, they've been hit by a virus and they haven't been able to get rid of it)

Tuesday, October 11, 2011

cybercrime fail parade

from here (original story on sophos' blog)

how badly can one guy fail at being a criminal? pretty badly, it seems.

system update broke system

from here

system images may seem like a hassle, but not as big of a hassle as trying to deal with a system that no longer functions properly.

Monday, October 10, 2011

i don't know where it's been

from dilbert.com

this is pretty much the reaction people ought to have to flash drives, but i know they never will.

security idiot

don't wanna be a security idiot
don't wanna use the same password everywhere
don't wanna let some stranger see my pin code
or infect my system with malware

welcome to a new kind of problem
constant threats and no one can stop them
where computers aren't meant to be ok
keyloggers, rootkits, spear phishing
kids are the ones we keep wishing
were still our primary foes

well maybe i'm infected with viruses
i'm not part of the protection business
finding threats in every nook and recess
our illusions have shattered into pieces

welcome to a new kind of problem
constant threats and no one can stop them
where computers aren't meant to be ok
keyloggers, rootkits, spear phishing
kids are the ones we keep wishing
were still our primary foes

don't wanna be a security idiot
clicking links controlled by the bad guys
installing updates that came unrequested
or falling for telephone support scams

welcome to a new kind of problem
constant threats and no one can stop them
where computers aren't meant to be ok
keyloggers, rootkits, spear phishing
kids are the ones we keep wishing
were still our primary foes

(this is, of course, a parody of the following song)

Friday, October 7, 2011

cyber protection rackets

from the knight life (thanks to anton chuvakin for tweeting it)

this is, no doubt, how some people view the security industry. it's not how i would characterize things, but it is in a similar vein.

(in)security glass

from there i fixed it

there's got to be a better way to secure that door than to (apparently) break the security glass windows so you can put a chain around the frames. maybe pulling that extension cord inside would allow you to actually lock the door properly instead of trying to use a bike security mechanism on a door.

it's bad enough we people try to use it on a car, but a door?

Thursday, October 6, 2011

protecting and serving

this seems to correspond to a line of merchandise on zazzle by liberty maniacs

with the nonsense that's been going on recently at the occupy wallstreet protest, as well as a few other instances in recent memory (toronto's G20 debacle stands out in my mind) it's hard not to question whether the motto "to serve and protect" has any meaning anymore.

which is not to say that i think we should get rid of police, but we seem to be witnessing one of the downsides to delegating our protection to a body of authority - abuse of power.

stopbadware stories

story telling is a memetic medium for the exchange of knowledge. not only are we prone to telling our own stories upon hearing other peoples (so we copy the story telling aspect), we also tend to copy the successful strategies those stories convey.

now i've told a security tale or two in my time, but the folks at stopbadware have created an entire site around the idea. if you're curious about how other people cope with security incidents or if perhaps you have a tale of your own to tell, go ahead a check it out.

Wednesday, October 5, 2011

infect evolve repeat

this silly little web game about viruses has been one of my favourite time killers for years now. go figure.

one of the ideas that gets bandied around in security circles is the notion that defenders need to think more like attackers. the argument being that defenders would be more successful if they could better anticipate how attackers act, what they target, and thus where our weak points really are.

i'd like to turn that on it's head and i think this game serves as a pretty good demonstration. i think we should examine the ways in which attackers need to think like defenders. they want their attacks to succeed so they need to do various things to defend their efforts. things like making their attack tools and techniques more immune to counter attack (immunity is one of the characteristics in the game that you can power up), or increasing the fault tolerance of their attack platform by adding redundancy (the game allows you to increase the reproduction rate of your virus so that your virus can become many viruses), or even reduce the window of exposure during which an attack is at it's most vulnerable (the latency characteristic in the game refers to how long your virus stays trapped within a cell where you can't move it out of the way when something dangerous comes near). these are the sorts of things one needs to think about in order to create or select effective countermeasures.

can you spot any more parallels between how attackers and defenders operate?

only you can stop spam on the internet

only you can stop spam on the internet
obviously a take off on smokey the bear and his "only you can stop forrest fires" message, but really it's just as true as the original.

if nobody bought merchandise from companies who engage in spamming then the spammers wouldn't get any money - and they're certainly not going to send those annoying messages for free.

do your part and spread the message. a failure by one of us has an impact on all of us.

Tuesday, October 4, 2011

malware papercraft

found on boing boing

this was apparently something put out by symantec, believe it or not. it's certainly a different approach to the topic of security awareness, but there's a tiny little gotcha - the link is broken. let this be a lesson to security vendors: don't move your shit around. leave it in one place so that people can continue to find it and benefit from it for a long time.

(it's not that surprising to me that a symantec link would go dead, though. the organization is so big that they easily run afoul of the 'left hand not knowing what the right hand is doing' phenomenon.)

anti-phishing phil


i originally heard about this through the stop badware blog but since then their link has gone dead and the project has been commercialized by wombat security. frankly, i think games are a really good way of teaching security concepts. they engage people in ways that other media simply can't.

Monday, October 3, 2011

cracking is easy

HACKING IS EASY! from Airwave Ranger on Vimeo.

found on boing boing quite some time ago if i could go in and rewrite the video to make it's terminology use better reflect what it's actually talking about, i would. you'll have to settle for blog title.

scareware localization fail

from here (original image found on the f-secure blog)

you'd think the people who made this would realize that the majority of the text is in english and at least one of the buttons (not sure about OK) appears to be in russian. oops. hopefully ridiculous errors like that helped people avoid getting infested.