Monday, June 30, 2008

Mobile phone security awareness: Secure wipe and IPhone 2.0

Mobile phones, particularly smartphones are becoming ubiquitous, and many users are forwarding organizational email to their private devices. With sensitive data potentially accessible on these devices, the ability to wipe them securely has become a necessity. Vendors are starting to make progress - mobile device encryption is becoming more available, and wipe utilities that securely wipe data are being announced. The most recent? Apple's Iphone 2.0 firmware.

AppleInsider reports that the Iphone 2.0 firmware will include the ability to perform a secure wipe of the device. According to AppleInsider, "Unlike today's iPhone software, however, the revised function will wipe data in similar fashion to the "Secure Empty Trash" function of Mac OS X, by which all data is deleted, unlinked, and then overwritten several times to make it irretrievable by even the savviest of recovery tools."

This is far better than the current delete function, which leaves remnant data in place.

Apple will go one step further however, as the new firmware will also include a feature allowing remote wiping of a stolen or lost phone - a feature that both end users and enterprise security staffers will be delighted to have.

Friday, June 13, 2008

Spear Phishing and Taxes

A co-worker of mine recently received the following spear phishing message. It was more sophisticated - or at least, far less crudely constructed than many, and included details appropriate to his actual employment.

The phone number was the individual's employer's main switchboard, and it was sent to a work email address that he uses for notification from the IRS. Forms are referenced, and document numbers that look like official government numbers are included. A perceptive user should notice that the URL is from a .com address, and of course, the headers clearly showed that the email was not from a government system.

As is common in such email, there is a threat included to make reply more likely - in this case, a bill will be sent by the government.

Department of the Treasury Date of this Notice: May 23 2008
Internal Revenue Service Letter Number 531(DO)
District Director Form: 1040

(999) 999-9999
We have determined that you owe additional tax and other amounts, or both, for the tax year(s) identified above. This letter is your NOTICE OF DEFICIENCY, as required by law. The enclosed statement shows how we figured the deficiency. If you want to contest this determination in court before making any payment, you have 90 days from the date of this letter (150 days if addressed outside the United States) to file a petition with the United States Tax Court for a redetermination of the deficiency.

link to ( removed

If you decide not to sign and return the waiver, and you do not file a petition with the Tax Court within the time limit, the law requires us to assess and bill you for the deficiency after 90 days from the date of this letter (150 days if this letter is addressed to you outside the United States).

Thank you for your cooperation.
Sincerely yours,
Charles O. Rossotti
Commissioner by
Roger K. Burgess CR
District Director
Letter 531(DO)(Rev.9-96)

Wednesday, June 11, 2008

Tenable announces the end of the Nessus Registered Feed

Tenable has announced(PDF) that their Registered Feed for Nessus users will be discontinued. Organizations that relied on the plugin feed, despite the delay from their commercial Direct Feed will no longer receive updates for free. The Direct Feed subscription remains reasonably priced at $1200 a year, and Tenable is offering a discount during the transition.

Tenable also notes in their release that they will support teaching and training organizations, as well as charity with free Direct Feeds, which should mean that at least some of the groups that were using the registered feed will not lose their access. For most others, it means a yearly cost to continue using Nessus.

Interestingly, home users using Nessus for personal, non-commercial use will get access to a new "HomeFeed" service with no delay for plugin availability. That leaves Tenable a gateway for users to learn how to use Nessus, while forcing organizations that relied on the free feed to pay for a license.

A FAQ is available with more detail.

Monday, June 9, 2008

Here Phishy Phishy: Another Phishing Example

I've changed the original site name in this email - it is typically in capital letters, and is the domain of the user the email was sent to.

Giveaways this time? The capitalized domain, the request for password, date of birth, and country, the thank you, signature, and the warning code, as well as the headers showing a non-local email origin.

The good news is that most users won't fall for a phishing email like this - but I still see users fall for some of the more sophisticated bank and Paypal scams.

Dear YOURSITE.COM Email Account Owner,

This message is from YOURSITE.COM messaging center to all YOURSITE.COM email account
owners. We are currently upgrading our data base and e-mail account
center. We are deleting all unused YOURSITE.COM email account to create more
space for new accounts.

To prevent your account from closing, you will have to update it below so
that we will know that it's a present used account.


Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........

Warning!!! Account owner that refuses to update his or her account within
Seven days of receiving this warning will lose his or her account

Thank you for using YOURSITE.COM!

Warning Code:XXXXXXXXX


PGP announces Mac full disk encryption

Macworld writes that PGP has announced their MacOS full disk encryption product with a July release date for PGP Whole Disk Encryption 9.9. Not quite here yet, but close!

Friday, June 6, 2008

Why My Printer Received a DMCA Takedown Notice

Michael Piatek, Tadayoshi Kohno, and Arvind Krishnamurthy of the University of Washington have released a very interesting research paper titled "Challenges and Directions for Monitoring P2P File Sharing Networks". They studied P2P clouds and monitoring methods, and succeeded in getting takedown notices sent to spoofed IPs and IPs of hosts that were not actually sharing files (but which did send in queries). The paper is well worth a read for staffers who have to deal with DMCA takedown notices, and will likely be of interest to those who are dealing with legal cases dealing with P2P based copyright infringement.

The New York Times' BITS section covered the article today as well.

Thursday, June 5, 2008

Cell Phones and Privacy: Is Location Data A Risk?'s recent coverage of the work done by a team from Northeastern University raises some interesting questions.

By monitoring the signals from 100,000 mobile-phone users sending and receiving calls and text messages, a team from Northeastern University in Boston, Massachusetts, has worked out some apparently universal laws of human motion.
This becomes a bit more scary in context - readers may remember the AOL search data scandal from 2006. As cell data is made available for research, probably without the knowledge of individuals, and without the opportunity to opt out, the same techniques that the New York Times used to hunt down searchers might be used to track down individual cell users. Would cell users turn their cells off if they knew they would be tracked and used for research when they go places they might not want others to know about?

What would you think if you were one of those whose data was used?
Barabási and his colleagues teamed up with a mobile-phone company (unidentified to protect customers' privacy), who provided them with anonymized data on which transmitter towers had handled the calls and texts for 100,000 individuals over the course of 6 months.
Does this protect the users? Or does it protect the company?

Update: CNN's article does a good job of discussing the researcher's take on privacy issues, as well as the ethical and privacy concerns third parties have raised.

Wednesday, June 4, 2008

Security Certifications Hold Value While IT Certifications Drop

EWeek's Deb Perelman notes in a recent article that compensation for those with IT certifications has fallen for the 7th straight quarter, but that security certifications are holding their value:

Foote found some exceptions to the decline of certifications as well, but only in the security arena, due to its heavily technical nature.

"Security is a deeply technical domain and certification is an important qualification in areas where technical skills dominate," he explained.

Will security certifications see a similar drop? It seems that as security becomes more of a commodity in the IT space that we will see a similar devaluing for the certificates and an increased focus on the skillsets and experience. Certificates will continue to be useful in technically focused positions, or those that need some basic form of filter for candidates. They will also continue to help mark out those candidates who are interested in continuing education.

Tuesday, June 3, 2008

Did you check "Yes" to "Terrorist"?

The BBC covered the US visa waiver program, which includes a form that asks about prior involvement with terror activities:

A Homeland Security spokesman said the new registrations would require the same information as the I-94 card, which is currently filled out by visitors to the US and turned in to customs on arrival in the country.

That information includes passport number, country of residence, and any involvement in terror activities.

This seems like a control that might cause more mistakes than benefits, or which could lead to interesting information based exploits. Of course, many forms ask for criminal record, so perhaps being involved in terror activities will also become a common checkbox on government forms. After all, screeners are identifying shirts with guns on them and jewelry in the form of guns as prohibited items.

Does a mistake on this form enter you as a terrorist in a database? How would you remove such a mistake, or prove that it wasn't you? Worse, can others submit a form in your name with "yes" checked?