Monday, September 22, 2008

who's watching who?


My son just received a book yesterday called 'eats, shoots and leaves' - on one page it shows a cartoon of a Panda bear ... eating with the title of the book as a caption. On the next page is the same caption with a picture of a criminal at a diner. hmmm...



With that in mind, I just read an article describing how hackers can now use zero-day exploits to put a trojan on your system that'll then open up brand new doors!

Once activated, the Trojan installed a program that allowed such control of a computer that it could stream back live pictures via the computer's web cam (which it could switch on) or allow the hacker to record the sound from its microphone.

The picture could be of cloistered deviants watching you late at night working on your bank accounts with the caption "remote capture!"

or

The picture could be of your boss watching you during your telecommute work hours managing your fantasy football team with the caption "remote capture!"

ha!




so I'm not sure whether to list this article under new threat - or new corporate management tool! it's funny when those two worlds collide
Hacker tool can watch you through webcam | News | TechRadar UK

UPDATE: 10-8-08 - Adobe has issued a press release, but other than that, it appears clickjacking will be around for a while!

Friday, September 19, 2008

Experts: US Is Not Prepared to Handle Cyber Attacks - Desktop Security News Analysis - Dark Reading

hmm, I'd like to say the article below is shocking - and a HUGE surprise, but for anyone that's in the industry it's really not.

I saw Michael Chertoff last year at the RSA conference and he was attempting to rally support for the Homeland Defense cyber efforts. I don't know him well, and he seems bright enough - but his attempt to convince the largely private sector crowd to help out didn't go over very well. The recap of cybergames II was stunning for how little real warfare they got to.

read it and weep
Experts: US Is Not Prepared to Handle Cyber Attacks - Desktop Security News Analysis - Dark Reading

ease of use vs. security

in cars, it's Horsepower (your Bugatti goes REAL fast) vs. Miles per gallon (the Prius just keeps on going)

in credential management - it's Security (NASA is asking you for advice) vs. Convenience of use (all my passwords are the same so I won't forget it)


Last year I was working on a system where we were implementing a 'shared secret' system - just like Yahoo and others, we wanted to allow a person that forgot their password an easy way to recover it. To do this we created a stack of questions so people can choose a few best suited to them. Somewhere in the middle of this design I had one of those "Homer Simpson" moments - DOH! The easier I make it for the embarrassed user to recover his own password, the easier I make it for the hacker to take it over - DOH!!!

apparently I wasn't the only one ...
Yahoo, Hotmail, Gmail all vulnerable to Palin-style password-reset hack
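The trade-off above is what a recovery-question design has to live with; here is an added example (my own illustration, not code from the system described in the post) of how the 'shared secret' check can be built so a guesser gains as little as possible: answers are normalised and hashed with a per-user salt, every chosen question must be answered correctly, and a few failures lock recovery. The question and answer values are constructed sample data.

```python
"""Added example (not from the original post): a 'shared secret' password-recovery
check built to limit what a guesser gains. Stored answers are normalised and hashed
with a per-user salt, all chosen questions must match, and recovery is locked after
a few failed attempts. Question/answer values are constructed sample data."""
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 3          # failed recovery attempts before recovery locks
REQUIRED_QUESTIONS = 2    # the user picks this many from the question stack
PBKDF2_ROUNDS = 100_000   # slows offline guessing if the answer hashes ever leak


def normalise(answer: str) -> str:
    # Lower-case, strip accents and surrounding whitespace so "Smith " == "smith",
    # without widening the answer space beyond what the user actually typed.
    nfkd = unicodedata.normalize("NFKD", answer)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).strip().lower()


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)


class RecoveryRecord:
    """Per-user recovery state: salted answer hashes plus a failure counter."""

    def __init__(self, answers: dict):
        assert len(answers) >= REQUIRED_QUESTIONS, "not enough questions chosen"
        self.salt = os.urandom(16)
        self.hashes = {q: hash_answer(a, self.salt) for q, a in answers.items()}
        self.failures = 0

    def verify(self, attempt: dict) -> bool:
        if self.failures >= MAX_ATTEMPTS:
            return False                      # locked: recovery must go out of band
        # Every stored question must be answered; one wrong answer fails the whole
        # attempt, and compare_digest keeps the comparison time independent of the data.
        ok = len(attempt) == len(self.hashes) and all(
            q in attempt and hmac.compare_digest(h, hash_answer(attempt[q], self.salt))
            for q, h in self.hashes.items()
        )
        self.failures = 0 if ok else self.failures + 1
        return ok
```

A real deployment would also back this with an out-of-band step (e-mail or phone confirmation) rather than letting the questions alone reset the password.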

Tuesday, September 9, 2008

How do hackers make money?


well - let's explore this

A hacker, let's call him Fred, once he has possession of your identity, can do many things

1. if Fred has your user id and password to your banking website, he could change the mailing address they have on record for you to a PO Box of his choice, and start receiving checks.
--> the downside to this one is, there will be some sort of paper trail on the PO Box, so he could get caught

2. if he doesn't have your computer IDs, but does have your statements - Fred can then try his best to use social engineering to convince some well meaning teller to 'help' him reset the password.
--> the downside to this one is, he'd have to either make a call (traceable) or see someone in person (on film) and therefore could get caught

3. or he could just use the assets in your account to BUY his favorite penny stock, and not have to bother transferring anything out. In this case, it's much harder to find him as

From Riches to Prison: Hackers Rig Stock Prices | Threat Level from Wired.com

Monday, September 1, 2008

better than a secret decoder ring ...


A few months back I tried the 'getyourFreeCreditReport' website and found out that it wasn't free, and it charged me every month!

This article sounds like someone came up with something much better - something that works

In a nutshell, Debix puts a lock on your credit. Then it conditionally unlocks your credit if you answer your cell phone and give it the right password when it automatically calls you. now THAT'S almost as cool as having your own robot watching your accounts! ... almost

Here's how Robert Vamosi describes it
So how does Debix work in the real world? Say you are at a car dealership and you need to finance a new car. Shortly after the salesperson leaves the showroom floor, your mobile phone should ring. That's Debix; you know it because it's your voice saying a secret code. Then Debix asks if you indeed are seeking to establish a new account. If yes, you type in a secret personal identification number.
pretty cool, eh? :)
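To make the flow concrete, here is an added simulation of the lock-then-call-then-PIN sequence described above. It is my own illustration, not Debix's code: the bureau side keeps credit locked by default, a new-account inquiry triggers a call to the registered phone that plays back the consumer's own recorded phrase (so the consumer knows who is calling), and the lock opens for that one inquiry only if the consumer confirms and enters the right PIN within the time window. Phone number, PIN, greeting and creditor names are constructed.

```python
"""Added example (not Debix's code): simulation of a credit lock that opens per inquiry
only after an out-of-band phone confirmation plus PIN. All values are constructed."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120   # seconds the consumer has to answer the call
MAX_PIN_TRIES = 3     # wrong PINs before the inquiry is dropped (credit stays locked)
PBKDF2_ROUNDS = 50_000


class CreditLock:
    def __init__(self, phone: str, pin: str, greeting: str):
        self.phone = phone
        self.greeting = greeting   # phrase in the consumer's own voice, played on each call
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)
        self.pending = {}          # inquiry_id -> {creditor, expires, tries}
        self.unlocked_for = set()  # inquiry ids the creditor may proceed with
        self.calls = []            # outbound calls to the consumer (stands in for telephony)

    def inquiry(self, creditor: str) -> str:
        """Creditor asks to open a new account: credit stays locked, consumer gets called."""
        inquiry_id = secrets.token_hex(8)
        self.pending[inquiry_id] = {"creditor": creditor,
                                    "expires": time.time() + CHALLENGE_TTL, "tries": 0}
        self.calls.append({"to": self.phone, "inquiry": inquiry_id, "greeting": self.greeting,
                           "prompt": f"{creditor} wants to open a new account. Is this you?"})
        return inquiry_id

    def answer_call(self, inquiry_id: str, confirms: bool, pin: str, now=None) -> bool:
        """Consumer's reply to the call. Returns True only when the lock opens for this inquiry."""
        ch = self.pending.get(inquiry_id)
        if ch is None:
            return False                            # unknown or already-closed inquiry
        if (now if now is not None else time.time()) > ch["expires"] or not confirms:
            del self.pending[inquiry_id]            # expired or consumer said no: stays locked
            return False
        ch["tries"] += 1
        good = hmac.compare_digest(
            self.pin_hash, hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS))
        if good:
            del self.pending[inquiry_id]
            self.unlocked_for.add(inquiry_id)       # unlock applies to this inquiry only
        elif ch["tries"] >= MAX_PIN_TRIES:
            del self.pending[inquiry_id]            # too many wrong PINs: inquiry dropped
        return good

    def may_open_account(self, inquiry_id: str) -> bool:
        return inquiry_id in self.unlocked_for
```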