
                    Posts with keyword: security


                    Equifax and Correlatable Identifiers

                    We can avoid security breaches that result in the loss of huge amounts of private data by creating systems that don't rely on correlatable identifiers. Sovrin is built to use non-correlatable identifiers by default while still providing all the functionality we expect from an identity system.
                    Continue reading...
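To make the "correlatable identifier" point concrete, here is a small added example (not code from the post or from Sovrin) contrasting a single global identifier, such as an SSN, with an identifier derived separately for each relationship. The relying-party names, the sample SSN and the HMAC-based derivation are all assumptions for illustration; Sovrin's own pairwise identifiers are built from fresh key pairs rather than an HMAC, but the correlation property shown is the same.

```python
import hashlib
import hmac
import secrets

# Hypothetical relying parties (names are illustration only).
PARTIES = ["equifax.example", "bank.example", "utility.example"]


def global_identifier(ssn: str) -> str:
    """The correlatable case: the same SSN is handed to every party, so any
    two breached databases can be joined on it."""
    return ssn


def pairwise_identifier(master_secret: bytes, party: str) -> str:
    """Derive a per-relationship identifier from a secret only the holder has.
    The party sees just the derived value, so identifiers given to different
    parties cannot be linked without the secret. (Illustrative derivation,
    not Sovrin's mechanism.)"""
    tag = hmac.new(master_secret, party.encode(), hashlib.sha256).digest()
    return "did:example:" + tag[:16].hex()


def can_correlate(records_a: dict, records_b: dict) -> set:
    """Join two leaked record sets on their identifier column. A non-empty
    result is exactly the breach amplification the post warns about."""
    return set(records_a) & set(records_b)


def simulate(secret: bytes = None) -> tuple:
    """Build what each party would hold about one person under each scheme,
    keyed by the identifier that party was given."""
    secret = secret or secrets.token_bytes(32)
    ssn = "123-45-6789"  # constructed sample, not a real number
    with_ssn = {p: {global_identifier(ssn): {"holder": p}} for p in PARTIES}
    with_pairwise = {p: {pairwise_identifier(secret, p): {"holder": p}} for p in PARTIES}
    return with_ssn, with_pairwise


if __name__ == "__main__":
    with_ssn, with_pairwise = simulate()
    print("joinable on SSN:", bool(can_correlate(with_ssn["equifax.example"], with_ssn["bank.example"])))
    print("joinable on pairwise ids:", bool(can_correlate(with_pairwise["equifax.example"], with_pairwise["bank.example"])))
```

One caveat the identifier scheme does not remove: if the same name, address and date of birth are shared alongside each pairwise identifier, those attributes correlate the records just as well as an SSN would, so the identifier design only pays off together with minimal attribute disclosure.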


                    Identity, Sovrin, and the Internet of Things

                    Building the Internet of Things securely requires that we look to non-hierarchical models for managing trust. Sovrin provides a Web of Trust model for securing the Internet of Things that increases security and availability while giving device owners more control.
                    Continue reading...


                    Sovrin In-Depth Technical Review

                    Sovrin Foundation has engaged Engage Identity to perform a security review of Sovrin's technology and processes. Results will be available later this summer.
                    Continue reading...


                    The Dangers of Internet Voting

                    I am serving on Lt. Governor Cox's iVote panel, which is looking at whether Internet voting might be used in Utah. I presented the following statement to the panel this morning:
                    Continue reading...


                    Redirectionless OAuth Credentials Exchange

                    Am I missing something here? Twitter is working with select partners to test what is variously being called OAuth delegation or browserless OAuth credentials exchange method (not sure why browserless since it's not about the browser, it's about the redirection). The bottom line is that in an effort to be more user friendly, this removes the redirection to the Twitter site where you authorize access by letting the third-party site (the site being delegated to) collect and then pass along the user's username and password to get the OAuth credentials. Abraham Williams captured the POST headers
                    Continue reading...


                    Securing a Cloud Infrastructure

                    George Reese (author of the new book Cloud Application Architectures: Building Applications and Infrastructure in the Cloud) is talking at Gluecon about securing cloud infrastructures. Two recent surveys found "security" was the number one concern of companies considering a move to the cloud. George says the key to making customers comfortable with cloud security is transparency. Without transparency, you cannot know if the infrastructure meets your requirements and you can't comply with critical regulatory requirements. So demand transparency; that ought to be a critical part of deciding what cloud infrastructure to use. Control isn't the real issue: people don't build their
                    Continue reading...


                    Contrasting Kynetx and Greasemonkey

                    Kynetx Network Service, or KNS, modifies a user's Web page using Javascript. The ability to customize pages in the browser is a powerful capability, but it goes well beyond that by allowing data from multiple sources, even other Web pages, to be used as part of that customization. Sure, we can change colors, fonts, and layout, but we can also mash up Web sites to produce completely new experiences. Described as I have, KNS is not unlike Greasemonkey, a popular plug-in for Firefox that allows user scripts to modify Web pages. In fact, in a recent post Paul Madsen
                    Continue reading...


                    Twitter Honeypots

                    When I was building the twitterbot for @utahpolitics, I set up a test account, @uptesting, that I don't use for anything. It has 38 followers even though it's just test messages and hasn't had a tweet since early January. The followers are mostly a good list of Twitter spammers or people who follow a lot of people to get a lot of followers. Setting up a bunch of honeypots on Twitter and then adding anyone who follows them to a blacklist wouldn't be such a bad idea. Someone's probably already built it.
                    Continue reading...


                    SMS Phishing Attack

                    I received several texts this morning, allegedly from my bank, that said: FRM: FARWESTBANK MSG: Urgent Far West Bank message AUTHORIZATION. To verify call TOOL FREE 8662249038. Being the curious sort, I called and played around with it. The system was an IVR that asked for credit card information (all of it). I recorded the call so you can listen too. Click here for the MP3 file. The places with low audio are me typing my responses. Of course, I didn't give it a real credit card number but I did give it a
                    Continue reading...


                    OS X Leopard Technical Details

                    Jordan Hubbard, Apple's Director of Engineering of Unix Technologies, spoke at LISA '08 last week. Most people are commenting on the date he gave for the release of Snow Leopard (10.6), the newest version of OS X. I have to admit, I'm ready for some stability improvements, but I was much more intrigued by the details of his talk (PDF). He spent the bulk of his talk on technical features in Leopard (10.5) that many aren't aware of. He starts with a number of security improvements in Leopard: file quarantine, sandbox, package and code signing, application
                    Continue reading...


                    WPA Crack

                    WPA, or WiFi Protected Access, is one of the primary means of protecting Wi-Fi hubs. Ars Technica reports that Erik Tews, a PhD candidate from Germany, is prepared to present a paper at PacSec this week that explains how he was able to crack it. The exploit doesn't actually recover WPA keys, but on a network using WPA's TKIP mode it does allow an attacker to sniff a packet, make minor modifications to the checksum, and then use the access point to check the results. This man-in-the-middle attack could allow attackers to mount ARP poisoning or even DNS poisoning attacks.
                    Continue reading...


                    Taking DNS Security for Granted

                    One of the hallway conversations I had yesterday was about how DNS is just hanging on by a thread from a security standpoint. The basic idea is that if I can control name resolution for you, I can phish you all day and you'll never know. Systems like OpenID are wholly dependent on the integrity of the DNS system. One method an attacker can use to insert themselves in the DNS resolution process is a Wi-Fi hub. Whether it's a free hub acting as bait, or one someone has broken into, Wi-Fi hubs are a perfect place to subvert
                    Continue reading...


                    Web Authentication with Selective Delegation using SRP

                    Bryant Cutler and Devlin Daley developed a methodology for adding selective delegation to relationship-based identity systems. This afternoon I presented that work at WWW2008. The talk went well. There were probably about 40 people in the room. There were some good questions afterwards, so all in all, I'm pleased. Here are the slides (PDF) if you're interested.
                    Continue reading...


                    Colorado Abandoning Electronic Voting

                    Colorado will decide to abandon electronic voting in the upcoming election. I believe that ten years hence no state will support electronic voting; specifically, I think that direct-recording electronic (DRE) voting machines will be gone. The opportunities for undetectable fraud (even with reasonably large audits) in small elections are too large and cannot be solved by applying technology.
                    Continue reading...


                    Virtualization Security Threats

                    Laurianne McLaughlin has an excellent article in CIO magazine about security threats in virtual machines and what you can do now to mitigate them. One that caught my eye was No. 4, "Understand the Value of an Embedded Hypervisor". The reason I was tuned into that was a conversation I had with Gregory Ness on a Technometria podcast where he went into some detail about the role of a hypervisor in VM security. As an aside, am I the only one who finds the interstitial page ads that IDG is placing in its online magazines completely annoying? I wouldn't
                    Continue reading...


                    Exploiting Online Games

                    I had a fascinating discussion with Gary McGraw last week about his latest book Exploiting Online Games: Cheating Massively Distributed Systems. For the next two days I was telling everyone about it. The issues surrounding online game security are representative of the kinds of security issues that plague any large-scale distributed system. I heartily recommend the interview and the book to anyone who plays games or is just interested in the larger security picture.
                    Continue reading...


                    Defrag: Web 2.0 and Security

                    I just put a piece on Michael Barrett's (CISO, Paypal) presentation at Defrag. He started by saying that Web 2.0 scares the hell out of him.
                    Continue reading...


                    Security on the Cheap

                    Larry Dignan at Between the Lines has posted some great tips for making your business more secure without spending much money. These are things everyone ought to be doing, but many aren't.
                    Continue reading...


                    Security at the South Jordan Library

                    If you visit the library in South Jordan, Utah, you'll be pleased to find that there's free wi-fi. You might be less pleased to know that they've blocked the ports for IPSEC, making it impossible to use a VPN based on that protocol. The library's answer to queries about this is that "enabling IPSEC would lead to security problems. A hacker who knows what they're doing could open up security liabilities for the library." This information comes from the librarian at the desk, who gets that question often enough to know the answer. Of course this ignores the security vulnerabilities that you
                    Continue reading...


                    My Mail Is Offline

                    I haven't received any email all day, so if you've sent me something and are waiting for a response, I probably won't get your email for a while. Seems that windley.com is the subject of a distributed, dictionary email attack; that is, a spam botnet is hitting my email server with every email address it can generate from the dictionary in hopes of getting a few through. The effect is an effective denial of service for my email server. The services on the server have been turned off until the zombies find somewhere else to play. In the meantime,
                    Continue reading...
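A dictionary attack of the kind described above has a recognizable shape in the mail log: one client, many rejected recipients, almost all of them different local parts. The following added example (not the author's setup or code) builds a few constructed Postfix-style reject lines and flags clients by that signature; the log format, addresses, thresholds and the access-map output are all assumptions for illustration.

```python
import re
from collections import defaultdict


# Constructed Postfix-style reject lines, not taken from any real server.
def reject_line(ip: str, rcpt: str) -> str:
    return (f"Mar 12 10:01:02 mail postfix/smtpd[4242]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
            f"rejected: User unknown in local recipient table; "
            f"from=<x@example.net> to=<{rcpt}> proto=ESMTP helo=<example.net>")


SAMPLE_LOG = "\n".join(
    # one client walking the dictionary...
    [reject_line("203.0.113.7", f"{w}@windley.com")
     for w in ["aardvark", "abacus", "abandon", "abbey", "abbot", "abdomen"]]
    # ...and a legitimate sender who keeps retrying one stale address
    + [reject_line("198.51.100.9", "oldfriend@windley.com")] * 2
)

REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[\d.]+)\].*?to=<(?P<rcpt>[^>]+)>")


def find_dictionary_attackers(log_text: str, min_rejects: int = 5,
                              min_distinct_ratio: float = 0.8) -> dict:
    """Return {client_ip: (rejects, distinct_recipients)} for clients whose
    rejected RCPTs are numerous and almost all to different local parts.
    That combination is the signature of a dictionary (directory-harvest)
    run; a real correspondent retrying one bad address never reaches it."""
    rejects = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects[m["ip"]].append(m["rcpt"].split("@")[0].lower())
    suspects = {}
    for ip, rcpts in rejects.items():
        distinct = len(set(rcpts))
        if len(rcpts) >= min_rejects and distinct / len(rcpts) >= min_distinct_ratio:
            suspects[ip] = (len(rcpts), distinct)
    return suspects


def client_access_map(suspects: dict) -> list:
    """Render the verdict as lines for a Postfix client access map
    (the REJECT syntax is real; the message text is illustrative)."""
    return [f"{ip} REJECT dictionary attack" for ip in sorted(suspects)]


if __name__ == "__main__":
    hits = find_dictionary_attackers(SAMPLE_LOG)
    print("\n".join(client_access_map(hits)))
```

Blocking the offending clients is cheaper than taking the whole server offline, which is the mitigation the post describes; in practice the same counts are also what a rate limiter keyed on unknown-recipient rejects per client would act on.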


                    eVoting Reports Continue Negative News

                    I just put some pointers at Between the Lines to three new reports on the security problems inherent in eVoting systems.
                    Continue reading...


                    A Simple Solution to Form Spam

                    A few weeks ago, Britt Blaser sent me a link to a technique for using CSS to fight form spam. The idea is simple, you add an extra input field to your form and use the CSS visibility property to hide it. The input field won't be visible to humans, but will appear normal to a spambot crawling the Web filling in forms. On the back end, you look for values in that field. If the form returns a value for that field you assume that a bot filled it in and discard the session. If the field is
                    Continue reading...
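The honeypot-field technique described above, written out as an added example; this is not Britt Blaser's or the author's code. The field name, the form markup and the server-side handler are assumptions for illustration, and the check is extended slightly beyond the post: a submission that omits the trap field entirely is also rejected, because a real browser always submits an empty text input, so a missing field means the POST was crafted without rendering the form.

```python
# Hypothetical field name; pick something a crawler will happily fill in.
HONEYPOT_FIELD = "website"

# Hidden with CSS and removed from the tab order and the accessibility tree,
# so a person never sees it and a screen reader never announces it.
FORM_HTML = f"""
<style>.hp {{ position: absolute; left: -10000px; visibility: hidden; }}</style>
<form method="post" action="/comment">
  <label>Name <input name="name"></label>
  <label>Comment <textarea name="comment"></textarea></label>
  <div class="hp" aria-hidden="true">
    <label>Leave this field empty
      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Post</button>
</form>
"""


def is_spambot(form: dict) -> bool:
    """True when the submission should be discarded.

    A browser submits every text input, so a person yields an empty string
    for the trap field. A filled-in value means something parsed the HTML
    and filled every input it found; a missing field means the POST never
    came from our form at all."""
    value = form.get(HONEYPOT_FIELD)
    if value is None:
        return True
    return value.strip() != ""


def handle_submission(form: dict) -> str:
    """Decide what to do with parsed form fields (a dict of field -> value)."""
    if is_spambot(form):
        # Drop it silently; an error page would only tell the bot what to fix.
        return "discarded"
    return "accepted"


if __name__ == "__main__":
    print(handle_submission({"name": "Phil", "comment": "Nice post", "website": ""}))
    print(handle_submission({"name": "x", "comment": "buy now", "website": "http://spam.example"}))
```

Two caveats worth knowing before relying on this: bots that drive a real browser only fill visible fields and walk straight past the trap, so this stops crude crawlers rather than targeted ones, and `autocomplete="off"` matters because a browser autofill that writes a URL into a field named `website` would otherwise turn a real visitor into a false positive.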


                    Security and Virtualization

                    I've been a big proponent of virtualization over the last couple of years, but I'd never stopped to think how it changed the nature of computer security. This week on the Technometria podcast, I interviewed Greg Ness about security in virtualized environments. It turns out there are things that virtualization makes more difficult, but the ability to run a privileged "security shield" on the hypervisor presents a new, potent weapon in the fight for more secure enterprise computing. I found the conversation fascinating.
                    Continue reading...


                    Obfuscating Passwords in Forms

                    Most are familiar with password fields in Web forms. When you use a password field, anything the user types is obfuscated. This is, to my knowledge, to reduce the danger of shoulder surfers stealing the password by reading the screen as it's typed in. As long as I've used computers, this has been standard practice--the IBM Selectric terminals I used in 1976 would pre-print multiple characters on the paper before having you type your password so it couldn't be stolen from the printout. What would you think of a social networking Web site that in the interest of reducing
                    Continue reading...


                    Sun Supports OpenID and Opens the Question of Reputation

                    Sun announced (or at least Tim did) that Sun's supporting OpenID at openid.sun.com. Sun has taken the additional step of stating that only Sun employees will have IDs there. So, if someone presents an OpenID with a base domain of openid.sun.com, you can be assured that Sun is vouching that they are an employee of Sun. The biggest problem with this set up, of course, is that the attributes of an identifier ought to be transferred orthogonally to the identifier itself. The fact that the URL has a certain form should encode data like whether someone's an employee or
                    Continue reading...


                    Overdoing Security

                    I was registering for the FAA MedXPress program today. This program allows pilots to submit their flight physicals online. Once you've registered, the FAA requires that you change your password. Here are the requirements for the new password: You have accessed the FAA MedXPress site using a temporary password. You must change your password in order to continue. Passwords must contain between 8 and 12 characters and include at least three of the following four character groups: English upper case characters (A through Z); English lower case characters (a through z); Numerals (0 through 9); Non-alphabetic characters (such as !,
                    Continue reading...
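The quoted policy is easy to state precisely, so here is an added example (not the FAA's code) that implements it and also puts a number on the part of it that actually weakens passwords: the 12-character ceiling. The entropy figure is a simple upper bound assuming uniform choice from the character classes used; its only purpose is the comparison between a short complex password and a long plain passphrase that the policy rejects. For reference, NIST SP 800-63B (2017) recommends against composition rules of this kind and for allowing long passphrases.

```python
import math
import re

# Policy quoted in the post: 8-12 characters, at least three of four classes.
MIN_LEN, MAX_LEN = 8, 12
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "other": re.compile(r"[^A-Za-z0-9]"),
}


def classes_present(password: str) -> set:
    """Names of the character classes that occur in the password."""
    return {name for name, rx in CLASSES.items() if rx.search(password)}


def check_policy(password: str) -> tuple:
    """Return (accepted, reasons) under the stated policy."""
    reasons = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        reasons.append(f"length {len(password)} not in {MIN_LEN}-{MAX_LEN}")
    if len(classes_present(password)) < 3:
        reasons.append("fewer than three of the four character classes")
    return (not reasons, reasons)


def max_entropy_bits(password: str) -> float:
    """Upper bound on entropy if each character were drawn uniformly from the
    classes actually used (26, 26, 10 and 33 printable ASCII symbols).
    Real passwords fall well below this; the bound is for comparing the two
    shapes of password, not for scoring one."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "other": 33}
    alphabet = sum(sizes[c] for c in classes_present(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "abcdefgh"]:
        ok, why = check_policy(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} {why} "
              f"(at most {max_entropy_bits(pw):.0f} bits)")
```

The passphrase is rejected on length alone while carrying roughly twice the bound of the accepted password, which is the sense in which a maximum length "overdoes" security: it forbids the stronger choice.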


                    Mikko Hypponen on Emergent Virus Threats

                    F-Secure is one of the leading companies devoted to the study and prevention of computer viruses, spam, and other types of malware. Last week we were lucky enough to get Mikko Hypponen, the company's Director of Anti-Virus Research, to join Scott and me in a discussion of the current status of the virus problem. Mikko first reviews his background and how he became involved in the study and prevention of malware. He discusses some of his experiences with both worms and early viruses and reviews some of the problems trying to prevent spam. He talks about how spammers are
                    Continue reading...


                    Speeding Up Crypt::DH

                    I was installing Crypt::DH, the Perl Diffie-Hellman library today. The tests took 20 minutes on a Macbook Pro. Then I noticed a comment on an OpenID forum about "making sure the GMP Perl bindings were enabled" to speed things up. Specifically this means install Math::BigInt::GMP, as I found out, after some searching. The same tests ran in less than 10 seconds using the GMP library. That's impressive.
                    Continue reading...


                    Welcome Sploggers!

                    Chuck Knutson accidentally put out the welcome mat for sploggers and got a lot of unwelcome visitors. The first big problem was that we had installed the multi-user version of WordPress. Why did we do that? I teach a class called Computers and Society, and I have students deliver their thoughts and reactions as short posts on actual blogs in the actual blogosphere. It's an interesting experience for students to submit their homework to the world where the instructor and TA are two of a potentially larger number of random readers (including the entire class). Strangely it tends to
                    Continue reading...


                    Q and A With Mac Hacker

                    At last week's CanSecWest conference in Vancouver, British Columbia, Dino Dai Zovi (DDZ) successfully hacked into a 15 inch MacBook Pro in response to a challenge to find exploits on the machine. Ryan Naraine has published a Q and A interview with DDZ. Interesting stuff.
                    Continue reading...


                    2.9 Million Georgians at Risk for Identity Theft

                    ZDNet news reports that "A CD containing personal information on Georgia residents has gone missing, according to the Georgia Department of Community Health. The CD was lost by Affiliated Computer Services, a Dallas company handling claims for the health care programs, the statement said. The disc holds information on 2.9 million Georgia residents, said Lisa Marie Shekell, a Department of Community Health representative." When I was Utah's CIO, identity theft on this kind of grand scale didn't make the news as much as it does now. If I were in that position today, I'd be very scared. It's not so
                    Continue reading...


                    Reputation for OpenID

                    I'm teaching a graduate class on reputation this semester. I did the same thing last year and the class project was building a reputation framework. The ideas surrounding reputation intrigue me, if you haven't figured that out from reading this blog. I've had various ideas for this semester's project, but finally settled on the idea of reputation for OpenID. With OpenID gaining steam, there are concerns on the user side about how to know whether to trust an OpenID provider. Even if you pick someone with obvious standing, like AOL, how do you know if the site you've been redirected
                    Continue reading...


                    Man In the Browser Attack

                    Russ Jones, a professor at Arkansas State University gave a presentation on phishing and mentioned a term I'd not heard before the "man-in-the-browser attack." The idea is to install a trojan on the browser that presents a small, borderless window in the browser that overlays the login fields of the target site in a way that can't be detected by the user. The user is at the real site (so the cert will check out), but the credentials are stolen when the user tries to login. Here's a paper that describes the attack and some potential countermeasures.
                    Continue reading...


                    Would You Like to Update Now?

                    This morning Michael Sullivan of Booz Allen Hamilton was speaking about bar codes and his computer flashed a "Would you like to update..." message. I had to laugh at the inappropriateness of the message in the context. Vista is supposed to be smarter about knowing that you're giving a presentation and not interrupting, but in truth there's almost no context where I want to be interrupted to answer that question. Of course, systems need to be updated and without reminders, we're unlikely to remember. What I really want is an interface to my todo system so that such tasks
                    Continue reading...


                    Two Factor Authentication with a Bookmarklet

                    I've been meaning to write about this all week, but kept forgetting. Ben Adida has proposed a two-factor authentication scheme using a bookmarklet which looks pretty cool. Ben calls this a "bookmark," but I prefer "bookmarklet" since it's a bookmark that contains a runnable Javascript. The solution seems pretty cool. My biggest question centers on usability. When you imagine this scenario with one site, it seems simple enough, but if every place you wanted to log into on the 'Net needed a bookmarklet, you'd have a bookmarks file full of entries to allow you to log in. What a
                    Continue reading...


                    eVoting Machine Secrets for $82

                    Princeton computer science professor Andrew Appel paid $82 to acquire five Sequoia electronic voting machines from a government auction site. This is the first time anyone's examined a Sequoia machine without signing an NDA. Here's his story.
                    Continue reading...


                    Security Indicators Are Largely Ignored

                    A paper to be presented at the IEEE Symposium on Security and Privacy in May called "The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies" (PDF) shows that users largely ignore security indicators like whether a site is using HTTPS, customer-selected images, and even warning pages. I believe a large part of the problem is inconsistent user experiences. For example, if you go to a Web site and the picture you selected to indicate that this site is real isn't there for some reason, most people would just assume that
                    Continue reading...


                    Securing Vermont's Networks

                    Vermont's governor has called for a complete audit of security across executive branch agencies. "The problems discovered over the last several months are entirely unacceptable to me because they were preventable," Douglas said. "I expect the department to look at every area and aspect of our Internet security protocols to be sure we are employing all the available resources to protect the integrity of our systems. And I expect a higher standard to be set in IT departments throughout state government." From Vermont Governor Calls for Full Internet Security Audit, Feb 02, 2007. Referenced Tue Feb 06 2007 09:14:42
                    Continue reading...


                    Superbowl Exploits

                    Ryan Naraine reports that the Superbowl XLI site was hacked and seeded with exploits that install a keylogger and backdoor that give the crooks access to the compromised machine. This is doubly interesting to me since Ross Jardine and I did the first two Superbowl sites on the Web for Superbowls XXIX and XXX. We even owned the domain name superbowl.com at one point. For Superbowl XXIX (1995) we ran a contest and gave away Superbowl merchandise each day with a grand prize of two Superbowl tickets. In 1994, that was a great way to build traffic and
                    Continue reading...


                    NIST Report Condemns DRE Voting Machines

                    In what may be the biggest blow for electronic voting machines yet, NIST, the National Institute of Standards and Technology, issued a draft report this week that concluded that paperless direct-recording electronic (DRE) voting machines cannot be made secure and recommends optical scan systems (Washington Post story). The report will be debated next week in a meeting of the Technical Guidelines Development Committee (TGDC). This is the committee that makes recommendations to the federal Election Assistance Commission. Next week's meeting will be webcast. The report (PDF) stresses the need for "software independence." From the report: A voting system is
                    Continue reading...


                    Bot Nets and Spamming

                    You've probably been deluged by spam in the last month or so selling penis enlargement pills or trying to get you to buy penny stock. A fascinating eWeek article gives details about the sophisticated botnet that's behind the spam. The botnet is capable of sending over 1 billion email messages a day. That's quite a resource. Like anyone with a valuable asset, the bot herders have put considerable time and effort into growing, managing, and protecting it. The accompanying slide show is worth looking at as well.
                    Continue reading...


                    Breaking Into My Mac

                    Over the weekend, I somehow unchecked the "Allow user to administer computer" box on my Mac for my own account. I was playing around with some account stuff, trying to set up a role account for SVN, and didn't notice my mistake until I'd quit System Preferences. At that point, I was using an account that wasn't a system administrator, so I couldn't correct my mistake. I had another administrator account on the computer that I'd set up some time ago when the computer was in the shop and they needed access, but I couldn't remember the password. I
                    Continue reading...


                    Hacking the Vote

                    There's an HBO documentary on tonight called Hacking the Vote (see the trailer on YouTube). I don't have HBO, but wish I could watch it.
                    Continue reading...


                    Scary Voting Videos

                    Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten have completed a security study using an actual Diebold AccuVote-TS voting machine. The study will no doubt provide some good information for people, but what's really eye-catching is the video they prepared showing how you can install software in under a minute that not only steals votes, but is also viral, so that it spreads from machine to machine as workers update software. These kinds of results make one wonder how any elections official can remain sanguine about the security of elections
                    Continue reading...


                    Pretexting

                    The word for the week is pretexting.
                    Continue reading...


                    Jim Harper on Identity

                    Jim Harper is the author of Identity Crisis: How Identification is Overused and Misunderstood. Jim is an analyst at the Cato Institute, a non-profit think tank with libertarian leanings. Phil Becker introduced him by saying his book was a great introduction to the theory of identification. He uses the discussion of a national ID card to launch into a discussion of identification and its theory. There are serious challenges in identification and policy makers will do a better job if we do a better job of articulating what identification is, how it works, and why it fails. Surveillance is easier
                    Continue reading...


                    Hacking Diebold

                    Nick Barker sent me a link to a web page that shows (in about the most annoying way possible) how a Diebold electronic voting machine can be hacked in 4 minutes with $12 worth of tools. I didn't look over the last Diebold machine I was in close proximity to in enough detail to remember whether it used this method of securing the memory card or not. Anyone else remember? And while we're on the subject of electronic voting, Diane Rehm is interviewing Avi Rubin about his new book Brave New Ballot today. Avi does a great job of
                    Continue reading...


                    Silver Deodorant Status

                    Yesterday Delta notified me that I'm Silver Medallion status now. I used to be Gold every year, but since 2001 or so, I haven't flown as often as I once did. Now that you have to check a bag just to get your toiletries to the same place you're going, there's not as much advantage to boarding first and securing a good overhead bin. I'd be really excited about being Silver if it meant I could bring deodorant on board in my carry-on luggage.
                    Continue reading...


                    eVoting Security Holes

                    I put a piece about Black Box Voting's report up at Between the Lines. The report found significant security problems. The investigation is a result of Bruce Funk's courageous action in letting independent security experts look at his Diebold machines. Should we panic? No. But we ought not to dismiss this security concern out of hand either as Diebold seems to hope we will. More states should subject more voting machines to independent tests by real computer security experts. If there's nothing to hide, then this should be a relatively painless thing to do. The fact that Diebold and
                    Continue reading...


                    SSNs and Security

                    A colleague of mine is taking his son to Washington D.C. with him on business and they decided they wanted to tour the White House. To get approval, he sent a note to his Senator's office. They asked him to send his and his son's Social Security Numbers via email so that they could do a security clearance. He objected and said he'd prefer to fax them the information. They responded that this was OK, but that they'd be sending the SSNs to the offices of other Senators and Representatives to coordinate their tour with other groups. Of course,
                    Continue reading...


                    Using the Law to Stop Electronic Voting

                    A group called Voter Action is suing California to stop the use of touch screen voting systems, citing security and integrity concerns. The suit, put together by the voting rights group Voter Action, asks a San Francisco Superior Court to nullify February's conditional certification of Diebold Election Systems' AccuVote-TSx electronic voting system and ban the purchase or use of the system for the November statewide election. "We can't have trustworthy elections with Diebold's voting machines,'' said Lowell Finley, co-director of Voter Action who is an attorney in the case. "They are insecure and easily hacked." The suit also names
                    Continue reading...


                    TinyDisk: Lessons for Web Applications Builders

                    At the CTO Breakfast, someone also brought up TinyDisk, a complete, shared filesystem built on top of TinyURL. If you're not familiar with TinyURL, it's a URL mapping service that lets you create a small, easily emailed URL to replace a long complicated one. Nice service that I've used several times. TinyDisk is a demonstration by Acidus. TinyDisk shows that anything that stores anything on the Web can be used to store something else by encoding the something else into the Web-based storage system. In the case of TinyDisk, it's a Web-based file system that slices up a file,
                    Continue reading...
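The lesson for application builders is easiest to see by doing it. The added example below (not TinyDisk's or Acidus's code) stores a file in a stand-in URL shortener by slicing it into base64 chunks and chaining them through the "next" parameter, reads it back, and then shows the cheap heuristic the service operator could apply to spot it. The shortener class, chunk size, hostname and key length are all assumptions for the demo; the technique itself is what the post describes.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlparse


class FakeShortener:
    """Stand-in for TinyURL (constructed for this example): a write-once map
    from a short key to whatever string the caller submitted as a 'URL'."""

    def __init__(self):
        self.store = {}

    def shorten(self, url: str) -> str:
        key = hashlib.sha256(url.encode()).hexdigest()[:7]
        self.store[key] = url
        return key

    def expand(self, key: str) -> str:
        return self.store[key]


CHUNK = 48      # base64 characters per stored "URL" (arbitrary for the demo)
END = "end"     # sentinel in the 'next' slot of the last chunk


def put_file(svc: FakeShortener, data: bytes) -> str:
    """Slice data into chunks and store each as a URL carrying the chunk and
    the key of the next one. Written back to front so every link is known
    when its predecessor is stored. Returns the head key."""
    b64 = base64.urlsafe_b64encode(data).decode()
    chunks = [b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)]
    next_key = END
    for chunk in reversed(chunks):
        next_key = svc.shorten(f"http://example.invalid/?d={chunk}&next={next_key}")
    return next_key


def get_file(svc: FakeShortener, head: str) -> bytes:
    """Walk the chain from the head key and reassemble the file."""
    parts, key = [], head
    while key != END:
        q = parse_qs(urlparse(svc.expand(key)).query)
        parts.append(q["d"][0])
        key = q["next"][0]
    return base64.urlsafe_b64decode("".join(parts))


def looks_like_smuggled_data(url: str, min_len: int = 32) -> bool:
    """Service-side heuristic: a query value that is long and is strictly
    valid base64 is more likely storage than a link. Crude by design; it
    will also flag long legitimate tokens, so treat it as a triage signal."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if len(v) >= min_len:
                try:
                    base64.b64decode(v, altchars=b"-_", validate=True)
                    return True
                except ValueError:
                    pass
    return False


if __name__ == "__main__":
    svc = FakeShortener()
    head = put_file(svc, b"hello from a file hidden inside a URL shortener")
    print("chunks stored:", len(svc.store))
    print("round trip ok:", get_file(svc, head) == b"hello from a file hidden inside a URL shortener")
    print("flagged:", looks_like_smuggled_data(svc.expand(head)))
```

The defensive takeaway is the one the post draws: any field a user can write and later read back is storage, so it needs a size limit, a validity check against what the field is supposed to hold, and an accounting of who wrote how much.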


                    Perimeter Defenses

                    Peter Coffee wrote an article referencing my book, Digital Identity. It's hard to admit that you've been doing things wrong, especially when you've gotten really good at it. When a company--or even an entire industry--gets built on the foundation of a fatally flawed idea, something really big and obvious may need to happen before people are willing to move together toward a different approach. I found an excellent example of this behavior in Phillip Windley's newly published book, "Digital Identity," from O'Reilly Media. Most good computer security metaphors have been overused to the point of dreary familiarity, but Windley
                    Continue reading...


                            
                            
