April 23, 2007
RU: Even with trained security people, it seems like they make an awful lot of errors. It seems like America, over the past few years, really has that “Can’t Do” spirit. Is there anything you can tell us about trained security people, and how they could improve their efforts.
BS: Well, they’re always going to make errors. Fundamentally, that’s a problem in the mathematics called the base rate fallacy. There are simply so few terrorists out there that even a highly accurate test, whether automatic or human-based, will almost always bring false alarms. That’s just the way the math works. The trick is to minimize the false alarms.
You’ve got to look at the false alarms versus the real alarms versus the real attacks missed — look at all the numbers together. But terrorist attacks are rare. They almost never happen. No matter how good you are, if you stop someone in airport security, it’s going to be a false alarm, overwhelmingly. Once every few years, it’ll be a real planned attack… maybe not even that frequently.
With training, you’re less likely to stop someone based on a dumb reason. When airport security stops a grandma with a pocketknife, that’s a false alarm. That’s not a success. That’s a failure. It’s, of course, ridiculous. So the trick is to alarm on things that are actually suspicious so you’d spend your time wisely. But the fact that almost everybody will still end up being a false alarm — that’s just the nature of the problem.
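The arithmetic behind the base-rate point in the interview, as an added example (this is not from the interview or from the original post). The passenger count, attacker count, sensitivity and false-positive rates below are assumed round numbers chosen to illustrate the math, not statistics from any source; the point is to put true alarms, false alarms and missed attacks side by side, and to see what better training (a lower false-positive rate) does and does not change.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningNumbers:
    true_alarms: float      # attackers actually stopped
    false_alarms: float     # innocent travellers stopped
    missed_attacks: float   # attackers waved through
    precision: float        # P(attacker | stopped): share of stops that are real


def screening_numbers(passengers: int, attackers: int,
                      sensitivity: float, false_positive_rate: float) -> ScreeningNumbers:
    """Expected yearly outcomes for a screening test.

    sensitivity         = P(stop | attacker)
    false_positive_rate = P(stop | innocent)
    """
    innocents = passengers - attackers
    true_alarms = attackers * sensitivity
    false_alarms = innocents * false_positive_rate
    stopped = true_alarms + false_alarms
    precision = true_alarms / stopped if stopped else 0.0
    return ScreeningNumbers(true_alarms, false_alarms, attackers - true_alarms, precision)


def training_effect(passengers: int, attackers: int, sensitivity: float,
                    untrained_fpr: float, trained_fpr: float):
    """Compare an untrained and a trained screener with the same sensitivity.

    Returns (before, after, reduction) where reduction is how many times fewer
    false alarms the trained screener produces.
    """
    before = screening_numbers(passengers, attackers, sensitivity, untrained_fpr)
    after = screening_numbers(passengers, attackers, sensitivity, trained_fpr)
    return before, after, before.false_alarms / after.false_alarms


# Assumed illustrative scenario (not real figures): 700 million screenings a year,
# one real attacker among them, a screener that catches 99% of attackers.
PASSENGERS_PER_YEAR = 700_000_000
ATTACKERS_PER_YEAR = 1
SENSITIVITY = 0.99
UNTRAINED_FPR = 0.02     # stops 2 in 100 innocents (the grandma with a pocketknife)
TRAINED_FPR = 0.001      # stops 1 in 1000 innocents

if __name__ == "__main__":
    before, after, reduction = training_effect(
        PASSENGERS_PER_YEAR, ATTACKERS_PER_YEAR, SENSITIVITY, UNTRAINED_FPR, TRAINED_FPR)
    for label, n in (("untrained", before), ("trained", after)):
        print(f"{label:>9}: {n.false_alarms:,.0f} false alarms, "
              f"{n.true_alarms:.2f} real stops, {n.missed_attacks:.2f} missed, "
              f"precision {n.precision:.2e}")
    print(f"training cut false alarms {reduction:.0f}x; "
          f"a stop is still wrong {1 - after.precision:.6%} of the time")
```

Training cuts the false-alarm count twenty-fold in this scenario, which is the win worth having, but the precision of a stop stays around one in a million, because the number of real attackers is so small that even a tiny false-positive rate applied to hundreds of millions of innocents swamps it. That is exactly why "a stop happened" cannot be read as "an attack was prevented".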
There is so much more. I'm glad to see he's taken an interest in this:
...I’m looking into how people make security decisions, how they react to security. Why is it that we’re getting security wrong? Why is it that people fall for security theater instead of doing what makes sense?...
While I am much in agreement with Bruce about the way airport security is handled, I see so many people who think that the current inefficient system is actually keeping them safe from terrorists. These are the people interviewed in airport lines when the latest security crackdown is enacted. As this generally happens after a well publicized incident, I must conclude that the outward show of "something being done" makes them feel safer, even if the reality is totally different. In any case, I can't wait to see the book that comes from this new direction.
I've read all of his other books. Yes, even most of "Applied Cryptography"... although I still have to go back and look up passages if someone asks a specific question. For some reason I have great difficulty keeping the various bits of cryptography straight. It makes my eyes cross.
Now go read the article - it's well worth your time and I promise it won't make your eyes cross!
Hat Tip Instapundit
April 12, 2007
Oh joy, the spammers are attacking.
April 12, 2007 (Computerworld) -- A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today.
According to researchers at Postini Inc., the spam run is the largest in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. "We're seeing 50 to 60 times the normal volume of spam," said Adam Swidler, senior manager of solutions marketing at Postini.
So if you've noticed a bit of a slowdown today, this would be the reason. Spam, already a big internet clogger, has just expanded to even bigger globs. It's on par with a giant hairball clogging your drain... yuck!
Here's what to look for:
Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.
Now, there's a bit of difficulty with antivirus software... so please note the following!
Because the Storm Trojan has been assigned several different names by antivirus vendors, it's difficult to determine which security companies reacted first. Some, however, have already created new signatures to sniff out the malicious payload. Symantec, for example, noted the new strain on its Web site, but said there that it won't update customers with the detection fingerprint until tomorrow.
Back to basics, people. Please be careful when opening attachments. If you aren't expecting one, check back with the sender first.
I get a ton of spam. I don't remember seeing any of this today, but that doesn't mean it didn't come to me, just that I recognized it as spam and disposed of it accordingly. I have some ideas of what we can do when we finally catch these spammers... I'm thinking along the lines of tar and feathers, honey and ants, that kind of thing.
Oh yeah, last but not least... nobody sends out patches for your system by email. EVER! That alone should be all the warning you need to tell you it's spam.
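The indicators quoted above (a scare subject line, a ZIP attachment, and the ZIP's password handed to the recipient in the message body) are simple enough to check mechanically at a mail gateway or in a triage script. Below is an added example of such a check; it is not code from the original post or from any of the vendors named in the article. The two messages it runs on are constructed inline to mimic the described lure, not captured samples, and since Python's zipfile cannot write an encrypted archive, the sample "password-protected" ZIP is built by patching the encryption flag bit into the headers of an ordinary ZIP (the content is not really encrypted; only the flag that real encrypted archives carry is set).

```python
from __future__ import annotations

import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines the quoted article attributes to this spam run.
LURE_SUBJECT = re.compile(
    r"worm alert|worm detected|spyware detected|virus activity detected",
    re.IGNORECASE,
)
# "The password is xxxx" / "password: xxxx" in the body text.
PASSWORD_IN_BODY = re.compile(r"password\s*(?:is|:)\s*(\S+)", re.IGNORECASE)


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry sets general-purpose flag bit 0 (ZIP encryption)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> list[str]:
    """Return the reasons a message matches the lure pattern; empty means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        reasons.append(f"lure subject: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    password_given = PASSWORD_IN_BODY.search(body) is not None
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if not (name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        if zip_has_encrypted_entries(payload):
            reasons.append(f"password-protected ZIP attachment: {name}")
            if password_given:
                reasons.append("ZIP password supplied in the message body")
    return reasons


def _zip_with_encryption_flag(entry_name: str, content: bytes) -> bytes:
    """Constructed sample: a ZIP whose headers claim traditional encryption.

    zipfile cannot write encrypted archives, so the flag bit is patched into the
    local file header (flags at offset 6) and the central-directory header
    (flags at offset 8 from its signature). The content itself is not encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, content)
    data = bytearray(buf.getvalue())
    data[6] |= 0x1
    cd = data.find(b"PK\x01\x02")
    data[cd + 8] |= 0x1
    return bytes(data)


def sample_lure() -> bytes:
    """Constructed message modelled on the described lure; not a captured sample."""
    msg = EmailMessage()
    msg["From"] = "security-alert@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Virus Activity Detected!"
    msg.set_content("Virus activity was detected on your PC.\n"
                    "Install the attached patch now. The password is 1234\n")
    msg.add_attachment(_zip_with_encryption_flag("patch.exe", b"MZ not a real executable"),
                       maintype="application", subtype="zip", filename="patch.zip")
    return msg.as_bytes()


def sample_benign() -> bytes:
    """Constructed ordinary message with an unencrypted ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Attached as discussed.\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("figures.csv", "q,total\n2,42\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="figures.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", sample_lure()), ("benign", sample_benign())):
        print(label, triage_message(raw) or ["no indicators"])
```

The password-in-the-body check is the strongest of the three tells: a password-protected archive defeats gateway scanners that cannot open it, and the only reason to print the password in the same message is so the recipient can open what the scanner could not. A ZIP without the encryption flag, or a scare subject with no attachment, scores lower on its own, which is why the function reports reasons rather than a single verdict.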
April 04, 2007
You see, the government has been auditing its many and varied departments, especially since 9/11. The supposed goal is to make the computer systems more secure.
However, as our government doesn't seem to have any real system in place to effect change, they go out every year, hand out "grades" to various departments, news is made and... nothing... Everyone continues to collect pay checks from inspectors to department heads. We all shake our heads, and life continues on as usual.
This year's fiasco seems to have captured the eye of a NYT reporter. (We will, for the moment, assume that the reporter is actually giving us the facts instead of making them up, a possibly risky assumption with this newspaper.) It looks like there are some computers floating about that can not be accounted for.
WASHINGTON, March 30 — The office in charge of protecting American technical secrets about nuclear weapons from foreign spies is missing 20 desktop computers, at least 14 of which have been used for classified information, the Energy Department inspector general reported on Friday.
Now you will notice it says "desktop" computers... I want to know how in the world it's possible to walk out the door with a desktop computer. It's not like you can slip it into your briefcase (although some women carry purses that are almost large enough...). A desktop is usually a box or tower of some sort. One would think that it would attract some little notice if a person was walking out the door with a computer in their arms.
It could be poor record keeping: the computers were properly decommissioned, but the fact was never recorded. It could be that the computers they have weren't properly identified...
Aside from the computers it cannot find, the department is also using computers not listed in its inventory, and one computer listed as destroyed was in fact being used, the audit said.
I realize that our government is a huge place, but these people are charged with a serious security task. Yet they can't seem to keep track of desktop computers. This does not put a favorable light on their ability to conduct their real work.
But the office involved in this breach has a special responsibility, tracking and countering efforts to steal bomb information. Its computers would have material on what the department knew about foreign operatives and efforts to steal sensitive information.
So I wonder... how can they figure out whether our bomb information is being stolen? They can't even keep track of their own computers, computers with very sensitive data on board.
You may be wondering, so what happens now?
The report includes a response from the security agency that generally agrees with the findings. But the inspector general, Gregory H. Friedman, noted in his report that “the comments did not include planned corrective actions with target completion dates.”
There endeth the report. I would venture to say we'll be seeing yet another report, nearly identical in content, next year. Unless of course a terrorist gets hold of stolen bomb information and makes use of it. There is such a thing as a vested interest, a concept that seems to have escaped those working in this department.
And yet our government continues to lurch onward. It staggers the imagination and puts 24 to shame.
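The three findings in the audit quoted above (computers carried as active that cannot be found, computers in use with no inventory record, and one computer recorded as destroyed but still in use) are exactly what falls out of reconciling an asset register against what is actually observed on the network or on the floor. The following is an added example of that reconciliation, not code from the audit or the original post; the asset tags, statuses and the "observed" list are constructed sample data, and the `classified` flag stands in for the audit's "has been used for classified information".

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    tag: str
    status: str        # "active", "destroyed", "excessed" (assumed status vocabulary)
    classified: bool   # ever used for classified information


@dataclass
class Reconciliation:
    missing: List[str] = field(default_factory=list)             # active on paper, not found
    missing_classified: List[str] = field(default_factory=list)  # subset of missing
    unlisted: List[str] = field(default_factory=list)            # found, no record at all
    conflicts: List[str] = field(default_factory=list)           # found, but recorded as gone

    def summary(self) -> str:
        return (f"{len(self.missing)} computers missing, at least "
                f"{len(self.missing_classified)} used for classified information; "
                f"{len(self.unlisted)} in use but not in inventory; "
                f"{len(self.conflicts)} recorded as disposed of but in use")


def reconcile(inventory: Iterable[Asset], observed_tags: Iterable[str]) -> Reconciliation:
    """Compare the register against tags actually seen (scan, walk-through, etc.)."""
    records: Dict[str, Asset] = {a.tag: a for a in inventory}
    seen = set(observed_tags)
    result = Reconciliation()
    for tag, asset in sorted(records.items()):
        if asset.status == "active" and tag not in seen:
            result.missing.append(tag)
            if asset.classified:
                result.missing_classified.append(tag)
        elif asset.status != "active" and tag in seen:
            result.conflicts.append(tag)   # "destroyed" on paper, running in practice
    result.unlisted = sorted(seen - set(records))
    return result


# Constructed sample data, not taken from the audit.
SAMPLE_INVENTORY = [
    Asset("DT-0001", "active", True),
    Asset("DT-0002", "active", False),
    Asset("DT-0003", "active", True),
    Asset("DT-0004", "destroyed", True),
    Asset("DT-0005", "excessed", False),
    Asset("DT-0006", "active", False),
]
SAMPLE_OBSERVED = ["DT-0002", "DT-0004", "DT-0006", "DT-0099"]

if __name__ == "__main__":
    r = reconcile(SAMPLE_INVENTORY, SAMPLE_OBSERVED)
    print(r.summary())
    print("missing:", r.missing, "unlisted:", r.unlisted, "conflicts:", r.conflicts)
```

Two practical points follow from running this. A record marked "destroyed" for a machine that is still on the network is the worst of the three, because the disposal record would normally be taken as proof the disk was wiped. And the `missing_classified` list is the one that needs a target completion date attached, which is precisely what the inspector general's report says the department's response lacked.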
It's a cursor bug which can be exploited in several ways, such as...
An attacker may be able to exploit this vulnerability by convincing a user to display a specially crafted HTML email. This can happen automatically if the preview pane is enabled in your mail client. Configuring Outlook to display email in plain text can help prevent exploitation of this vulnerability through email. Consider the security of fellow Internet users and send email in plain text format when possible.
If you have automatic updates turned on, the patch has very likely been installed already.
If you aren't sure and want to double-check, open the Microsoft site in IE and click on Security & Updates; when the box pops up, click on Microsoft Updates, then select either the Express or Custom button to let it scan your system.
So, do yourself a favor and install the patch. You'll be glad you did.