Categories
Google Mozilla Spam

Phishing Unit Testing And Other Phishy Things

Seeing these results is pretty cool. I hope someone has come up with, or will come up with, a way to have a test like this running periodically (at least weekly, if not daily or multiple times a day) which does an analysis of phishing sites and how many are being blocked. I’d presume Google and other data services would have some interest in this. It could be as simple as an extension for browsers (yes, IE too) which reads a feed, visits each site, and reports the results to a web service, running in a confined environment (virtual machine, or dedicated box) free of tampering. I think the real advantage would be to see how effectiveness varies over time as phishers become more sophisticated.

Take spammers, for example. At first spam was pretty simple; now they are using animated GIFs, sophisticated techniques to poison Bayesian analysis, botnets, etc. I presume over time we’ll see the exact same thing with phishing attacks. I doubt it’s going to get any better. On the positive side of things, this is still in its infancy, so we can start learning now, and be more aggressive than people were about the spam problem, which got way out of hand before everyone realized it was really something to worry about.

I’d ultimately like to see percentages for the different anti-phishing blacklists/software, updated frequently, so we can keep a running tally. Perhaps it would be a good indicator of when phishing tactics require a software or methodology update. I think overall everyone would benefit from some industry collaboration rather than competition. The problem with phishing is that, to be effective, your research must be good. To do good research you need to cast a wide net, and capture only one species of phish while not letting any dolphins get stuck in the net (sorry, couldn’t resist).

I’d be curious to know what others think of such testing, and efforts (from general users, as well as anti-phishing/spam vendors). Is the war against spam effective? Should the same techniques be used? Is it time for coalition building? Should we each go in alone? How do you monitor changes in techniques used by phishing?

I know Google is pretty serious about keeping up with the data in a very timely manner, and from what I can tell, most other vendors are as well. But I wonder how industry-wide statistics could further benefit. Perhaps simply the competition of trying to have a higher average score. Perhaps simply the detection of changes in techniques (noted by everyone’s collective decline in detection rate).

I’d love to hear what others think of Phishing protection. It’s a rather interesting topic that many don’t give too much thought to, but it really is an important part of how browsers make the internet safer.

Categories
Around The Web Politics Security

Hacking The TSA

Everyone’s favorite security guru has a great blog post on how to prevent loss of an expensive camera that must be checked luggage rather than carry-on. To summarize, you can pack it with a starter pistol so that the TSA takes extra precautions to prevent its loss (they don’t want to lose a gun, but don’t mind losing your expensive possessions).

This is really quite brilliant. Here’s some info on requirements. According to this you could also just carry a replica, or even a bullet, or a piece of a gun.

That’s got to be the most clever solution to the problem. Finally we can all carry our laptops and expensive equipment around without fear of loss. You know the TSA won’t lose a gun, since that would spark a major controversy.

I must admit this solution is beyond clever, it’s outright brilliant.

Categories
Around The Web SafePasswd.com

20,000 Passwords Analyzed

An interesting perspective on 20,000 passwords. As noted in the comments, the data collection skews the results a bit, since most people who fall for phishing scams aren’t knowledgeable enough to know a good password from a bad password.

But it’s possible to generate a safe password with ease even if you’re not technically inclined ;-).

Categories
Accettura Media SafePasswd.com

SafePasswd.com Update

So it’s been about 10 days since I launched SafePasswd.com, and so far the response has been extremely positive. I made a few small changes to the system to improve the quality of “memorable” passwords, and I have now made the default length of passwords a minimum of 10, up from 8 (it’s actually random between 10 and 14). A few slight UI fixes were also made.

Overall, very good first week. Thanks to those who gave feedback.

Categories
Accettura Media Internet SafePasswd.com Web Development

Introducing SafePasswd.com

SafePasswd

I don’t think I’ll ever get tired of tinkering. Way back when, I wrote a script to help me generate cool random passwords. I thought people wouldn’t mind one that didn’t suck… so recently I got to work on that.

The site is still in beta, quite a few things aren’t quite done yet, and some things are still being tested out. There will be advanced options to further customize password creation, as well as some APIs for those who want to quickly plug automated password generation into their “Web 2.0” applications. Those will be coming in the near future.

So check it out, and let me know what you think. It’s designed to be simple and helpful. It’s not Google and it’s not Digg. Just trying to make online life a little simpler.

Categories
Funny Politics

Monkeys On A Plane

Oh boy, would “Monkeys On A Plane” be a blockbuster. Just a blank tape with that title would make millions. Film a real movie, and it’s [pinky in mouth] billions.

Well, apparently enough monkeys travel on commercial airlines every year to warrant their own section on the TSA website. I’d love to have a monkey sitting near me, rather than a small crying child. Why do I get stuck with kids near me, instead of a chimp?

Excerpt copied below to ensure this gem is never lost:

Monkey Helpers

  • When a monkey is being transported in a carrier, the monkey must be removed from the carrier by the handler prior to screening,
  • The monkey must be controlled by the handler throughout the screening process.
  • The monkey handler should carry the monkey through the WTMD while the monkey remains on a leash.
  • When the handler and monkey go through the WTMD and the WTMD alarms, both the handler and the monkey must undergo additional screening.
  • Since monkeys may likely draw attention, the handler will be escorted to the physical inspection area where a table is available for the monkey to sit on.  Only the handler will touch or interact with the monkey.
  • TSOs have been trained to not touch the monkey during the screening process.
  • TSOs will conduct a visual inspection on the monkey and will coach the handler on how to hold the monkey during the visual inspection.
  • The inspection process may require that the handler take off the monkey’s diaper as part of the visual inspection.

Source: TSA.gov

Hat Tip to JWZ.

Categories
Funny Politics

Sierra Mist Commercial Inspiration For TSA Security Measures

The Consumerist points out that a Sierra Mist TV commercial which recently aired is taking on a new relevance. If Pepsi Co. doesn’t step up this ad campaign a bit, it will be necessary to petition them so we see this ad a bit more. I just love the irony. It needs to be kept on TV at all costs.

Sierra Mist

Categories
General Personal

Vacation

I’m back from vacation. Like two years ago, I spent some time in Holland visiting family, then some vacation time in Spain (Mallorca to be exact), then back to Holland for a day and a half. I’m just starting to catch up on things, so be patient if you’re expecting a reply from me. I’m tired after a long day with a flight at 9:30 (GMT +1) that landed at 12:00 (GMT -5). So here are some random thoughts in bullet form:

  • Security wasn’t too bad considering all that has been happening. The only thing encountered was no liquids or gels in hand luggage… Interestingly, every hour or less, a flight attendant came around with cups of water. I guess they are afraid someone could become dehydrated and sue. An obvious change from prior procedures (on the way over that happened no more than 2x as I recall).
  • Constantly check that your flight isn’t delayed, so you don’t spend 11 hrs in Schiphol Shithole (after 11 hrs that’s an appropriate name for any airport). Definitely not a great way to spend a day. Teletext, phone, Internet, smoke signals. Whatever it takes. Check and check again.
  • Just because a hotel advertises that it has air conditioning doesn’t mean that it works, works well, or works constantly. Hotels that only let it run when you’re in the room (usually activated by room key) can only work if it’s very powerful and can cool off a room quickly. Yet another thing to be aware of.
  • When traveling trans-Atlantic, wide-body aircraft such as a Boeing 767, 777 or 747 are preferable to a Boeing 757. Because the 757 is seated 3 and 3 with one aisle, and bathrooms in front and back of coach, that’s a lot of traffic in one aisle. Wide-body aircraft such as the 767 seem much more capable of handling a long haul without feeling so tiny. Just a personal preference.
  • I had this notion that most old stone structures remained semi-cool in hot weather, but the Cathedral in Palma completely ruined that.
  • There should be First Class, Business Class, Kid-Free Class, and Family Class. For those who want to sleep on the plane, you’d have options.
  • I ate way too much… and enjoyed it all.
  • Beautiful beaches
  • Did I mention the food?

Categories
Open Source Programming Security Web Development

Enhancing Security With Nonce

A little while back I read about how WordPress was implementing nonces to help enhance security. What I like about this technique is that it doesn’t rely on referrer checking (which is faulty at best).

Today I implemented that on a project I’m working on, rather similar in style to WordPress. I think overall it’s a better approach than referrer checking. Looking at commercial sites, the nonce approach seems to be quite popular on the web, but it’s not a technique often talked about.

Well done by the WordPress team. My implementation is pretty similar to theirs (my variables and salting are a little different based on the app) since it was pretty hard to improve upon. Not sure how long to make the nonce, so I stuck with 10, which is what I believe they did as well. Not sure if I should go with something longer.
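For readers who haven’t seen the scheme, here is an added example of a WordPress-style nonce in Python. It is not the author’s code, and not WordPress’s (which is PHP); it only follows the same shape: a short keyed token bound to a time tick, an action and a user, accepted for the current tick and the previous one. The secret key, the 24-hour lifespan and the HMAC-SHA256 construction are assumptions made for this example (WordPress derived the token from a salted hash instead). The point the post makes is visible in the handler at the bottom: the server decides from the token it issued, not from a Referer header, which proxies and privacy settings often strip.

```python
import hashlib
import hmac
import math

# Assumptions for this example (not taken from the post or from WordPress):
# a per-application secret, a 24-hour lifespan and a 10-character token.
# WordPress of that era derived the token from a salted hash of
# tick|action|user; here an HMAC-SHA256 stands in for that hash.
SECRET_KEY = b"example-only-secret-use-random-bytes-in-production"
NONCE_LIFE = 24 * 60 * 60      # seconds a nonce stays valid
TICK_LEN = NONCE_LIFE // 2     # two ticks per lifespan: a token lives 12 to 24 hours
NONCE_LENGTH = 10


def nonce_tick(now: float) -> int:
    """Time bucket a nonce is bound to. Ticks advance every TICK_LEN seconds."""
    return math.ceil(now / TICK_LEN)


def _nonce_for_tick(tick: int, action: str, user_id: int, secret: bytes) -> str:
    """Keyed token over (tick, action, user). Truncating the hex digest keeps the
    token short for hidden fields and URLs; the secret is what makes it unforgeable."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:NONCE_LENGTH]


def make_nonce(action: str, user_id: int, now: float, secret: bytes = SECRET_KEY) -> str:
    """Mint the token to embed in a form or link for this user and action."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, secret)


def verify_nonce(nonce: str, action: str, user_id: int, now: float,
                 secret: bytes = SECRET_KEY) -> int:
    """Return 1 if the nonce was minted in the current tick, 2 if in the previous
    tick (so a page left open for a while still submits), 0 if it is invalid.
    compare_digest avoids leaking the expected value through timing."""
    tick = nonce_tick(now)
    for age, candidate_tick in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(candidate_tick, action, user_id, secret)
        if hmac.compare_digest(nonce.encode(), expected.encode()):
            return age
    return 0


def handle_delete_request(form: dict, session_user_id: int, now: float) -> str:
    """Server-side handler for a state-changing POST. The nonce, not the Referer
    header, decides whether the request came from a form this server issued to
    this user for this action. A cross-site form cannot supply a valid one."""
    if verify_nonce(form.get("_nonce", ""), "delete_post", session_user_id, now) == 0:
        return "403 invalid or expired nonce"
    return f"deleted post {form['post_id']} for user {session_user_id}"


if __name__ == "__main__":
    now = 1_700_000_000.0   # constructed timestamp so the run is deterministic
    token = make_nonce("delete_post", 42, now)
    print(token, verify_nonce(token, "delete_post", 42, now))          # fresh: 1
    print(verify_nonce(token, "delete_post", 42, now + TICK_LEN))      # previous tick: 2
    print(verify_nonce(token, "delete_post", 42, now + 2 * TICK_LEN))  # expired: 0
    print(verify_nonce(token, "delete_post", 7, now))                  # other user: 0
    print(handle_delete_request({"post_id": 9, "_nonce": token}, 42, now))
    print(handle_delete_request({"post_id": 9}, 42, now))              # forged cross-site POST
```

Binding the token to the user and the action is what keeps a nonce minted for one form from being replayed against another; the two-tick window is why a submission from a page opened hours ago still works without keeping any server-side state.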

One of the great things about open source is the discussion of best practices and techniques. It also benefits closed source projects who can gain influence and knowledge from those discussions.

Categories
Mozilla Software

Windows Live OneCare

I’m curious if anyone has tried Windows Live OneCare (via Amazon; note: affiliate link used) with Firefox, and especially with Thunderbird. I personally haven’t tried it. A quick Google search doesn’t turn up too much info. Is it detecting viruses in emails correctly and problem-free? Or is it causing chaos? I’d love to hear from someone who has used it.

As a reminder, just because you don’t use Outlook doesn’t mean you’re immune from viruses. You still need a virus scanner.