Archive for the ‘news’ Category
Thursday, June 26th, 2008
This is nothing more than a blatant advertisement for OWASP, but they have an upcoming conference in NYC in late September that might be of interest to people here.
Tags: conference, OWASP. Posted in: news.
Thursday, May 29th, 2008
A few other people have been all over this already, but TJ Maxx, the victim of a rather large electronic break-in a few years ago, has recently fired an employee for revealing many of its lax security policies. The issues he raised were not small ones either:
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards.
Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers.
My store manager even posted the password and username on a post-it note.
Lest anyone think this employee started off on the wrong foot, he did try to tell management first, but to no avail. It was only afterwards that he mentioned these things in public. Whether he should have done this or not is clearly a matter that could be the subject of much debate. The issue I feel more strongly about is the way TJ Maxx responded.
Firing this employee is, in my opinion, the worst form of security-through-obscurity. Rather than realizing that lax policies lead to security problems, they think that it’s the revelation of lax policies that leads to security problems. A simple root cause analysis should reveal that it’s the policies, not their revelation, which are the source of the security weaknesses, and it’s time for TJ Maxx to wake up.
Tags: pci, security through obscurity, TJ Maxx. Posted in: news.
Saturday, May 3rd, 2008
Several news outlets are reporting that TippingPoint researchers have cracked the “Kraken” botnet and have actually been able to commandeer at least a part of it. The researchers are now faced with an ethical dilemma: whether or not to use their control to automatically fix the infected computers. This is by no means the first time someone has had to make this decision, and it’s not the first time that they’ve reluctantly found themselves faced with almost this exact argument against doing so:
The most interesting of points that Dave brought up is the corner case of what happens if we accidentally crash the target system? What if that target system is responsible for someone’s life support? Yes the system is already infected with a SPAM-delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it’s running and carrying out the rest of its functionality.
Now the life support issue is a bit sensationalist, but it can be treated simply as a way of demonstrating his argument: that making an unauthorized change to someone else’s machine, no matter how well intentioned, has its risks and therefore should not be done. I also have a hunch, which has been confirmed by quotes in Computerworld, that it is not so much moral distaste for changing someone else’s machine as the legal liability which has scared off management. (As a parenthetical note, I would like to take a moment to lament the sad state we find ourselves in here in America, where the word legal has almost universally replaced the word ethical.)
While I don’t think that legal liability should trump all other concerns in matters such as this, it certainly plays a part. For that reason, automatically cleansing the machines may be impractical, since I’m sure TippingPoint wants to stay on the right side of the law. However, if I’ve learned anything about engineering ethics, it’s to always try to find a technical method of avoiding the ethical dilemma in the first place. In this case, how about using the control they have to simply direct all the infected computers to a webpage which explains (in the simplest terms possible) that the person is infected and how to clean their machine, along with a link to the MS patch which would prevent reinfection? That should satisfy all parties.
Tags: bots, ethical, legal. Posted in: compliance, investigations, regulations, and legal, news.
Friday, April 25th, 2008
CERT (yes, them) now has a blog.
Tags: blogs, CERT. Posted in: news.
Thursday, April 17th, 2008
Why am I only finding out about this now (also reported by Wired)?
Oleksandr Dorozhko hacked a system containing information on IMS Health that would negatively affect their stock price. (Or, possibly, someone else hacked the system and gave him the information.) He invested in puts and netted himself about $300,000 in one day. The SEC noticed and tried to block it, but the court has ruled that a hacker is not an insider, and therefore insider trading does not apply. Mr. Dorozhko gets to keep every cent of his admittedly ill-gotten gains.
Tags: crime, money, sec. Posted in: application security, news.
Wednesday, April 9th, 2008
I know that many people have done many bad things on the internet, just as many people have done many bad things off of the internet, but this still surprises me.
Internet griefers descended on an epilepsy support message board last weekend and used JavaScript code and flashing computer animation to trigger migraine headaches and seizures in some users.
The attackers turned to a more effective tactic on Sunday, injecting JavaScript into some posts that redirected users’ browsers to a page with a more complex image designed to trigger seizures in both photosensitive and pattern-sensitive epileptics.
Although I had never heard of a griefer before, I find this activity remarkable in its crude indifference to other human beings. Even stealing money from people’s bank accounts makes more sense; at least there human greed can be used as a motive. In this instance, there is no possible benefit to the attacker from causing physical harm to anonymous epilepsy sufferers, and there can be no motive other than the most malicious and reprehensible form of Schadenfreude.
Tags: epilepsy, news, Schadenfreude. Posted in: news.