
crime does pay, but only in bulk

May 17th, 2010

I looked over the FBI’s Internet Crime Complaint Center’s annual report covering 2009. There wasn’t a whole lot that was interesting (electronic crime is on the rise), but one thing caught my eye. On page 6 there is a chart showing the number of cases divided up by the monetary loss associated with them. Only 7.5% of the cases involved damages of more than $10,000 and only 1% involved damages of over $100,000. Gone I suppose are the days of the million dollar heists, replaced instead by the facilitation of many smaller crimes. The scammers are only making money because they steal in bulk.

the real problem with passwords

May 14th, 2010

Lest this blog turn into nothing more than a source of announcements, I figured I’d post something that has been eating me up for ages. Anyone who knows me knows that I hate passwords with a passion. They’re easy to break, easy to social engineer, and provide a false sense of security. People trade them for candy bars, reuse them, and don’t pick ones that are hard to guess. As soon as they become hard to guess, they also become hard to remember, leading to lots of helpdesk calls for password resets. All of these (and other) issues stem from one single root cause – passwords move the security role from the IT security department to the end users. We IT security people are constantly trying to make new rules for the end users to make sure they protect their passwords, but the problem is that while all these rules make sense to us, the end users are not IT security experts. They don’t have the background, experience, know-how, etc. Expecting the end users to manage security of a system they don’t even understand is a huge mistake. And yet, for some reason, that’s what we do when we use passwords as the single factor needed to access sensitive data.

security clearance handbook

May 14th, 2010

Although not strictly related to the infosec field, I’ve found that at least in the DC area a lot of infosec professionals need security clearances, and a lot of budding infosec professionals are always asking questions about them. The University of Fairfax has put out a very good security clearance handbook which addresses most of the issues you’d want to know about. You can download it directly from here.

2600 letters

April 19th, 2010

If you’ve ever read 2600, you know that the letters usually make up a large part of each issue, and reflect a broad range of ideas and opinions. I recently found that 2600 is publishing a book reprinting letters from their last 25 years. Called Dear Hacker, it is scheduled to be published in July. I wonder how many of them will be from teenagers asking the editor how to hack into their high school?

terms and conditions

April 17th, 2010

We all know that very few people read the fine print before clicking the “I accept” button. It turns out that 12% of people do read it. I’m surprised it’s that high.

ATMs and embedded machines

April 15th, 2010

Bank of America recently discovered that one of its employees had planted malware on some ATMs and had stolen a little over $300,000. Two very obvious countermeasures come to mind – use embedded devices instead of COTS, and whitelisting. There is really no reason that arbitrary code should be run on an ATM, and therefore there’s no reason to allow it.

hiring criminals

April 9th, 2010

If you hire a criminal

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

no such thing as cyber-terrorism

April 2nd, 2010

Since the terrorist attacks of September 11 2001, a lot of money has been spent on fighting terrorism. People who want money, whether for their department budgets, federal grants, or to fund startups, have been casting themselves as terrorist fighters. It has simply become the word du jour. In the information security field, one of the outgrowths of this is the complete and utter overuse of the phrase cyber-terrorism. Admittedly I saw a lot more of this when I was in government circles than I do now in the private sector, so I suppose this is a “leftover rant”, but it is also intermittently popular in the media. Let me say loud and clear: cyber-terrorism does not exist – now, or ever. (Cyber-warfare is a more complex issue which I’ll deal with in another post).

I remember one government-run conference I was at where almost half the talks focused on cyber-terrorism in some way. About halfway through the conference I cornered an academic friend of mine and asked him if he had ever, in his entire life, heard of even a single case of cyber-terrorism. After a few moments of thought the best he could come up with was that if a terrorist was very good, they would have infiltrated something and would be biding their time and waiting. Although this is a popular story amongst fear-mongers, it is not how terrorists work. The goal of terrorism is to wage a campaign of terror. To do so you take credit for everything you do in order to make your targets feel like you control the situation and not them. In fact, terrorists frequently try to take credit for things they didn’t do, just to assert themselves as being in control. Their goal is to gain attention – not avoid it. A terrorist wants to get on the front page of every newspaper in the world – they don’t even care if they killed anyone or blew anything up. (See for example the fact that Umar Abdulmutallab, better known as the Christmas Day bomber, is being hailed as a hero even though his plan failed!) For the terrorists the Abdulmutallab attempt was a success not because it killed people or caused damage, but simply because it got us Americans to panic – they inflicted terror. Computer hacking simply doesn’t elicit the same response. The Chinese-Google hacking case arguably caused more damage, but it did not elicit the same fearful response from the American population. It was also almost certainly a much larger expenditure of resources. Why would any terrorist group expend ten times the resources for one-tenth the result? (Again, using their definition of the word result). Cyber-terrorists may make good movies, but they simply don’t exist in real life.

new web app scanner

March 22nd, 2010

A friend of mine dropped me a note to point out that Google has released an open source web application security scanner called skipfish. I haven’t used it yet (installing as I type), and will hopefully have some thoughts on it soon.

Windows 7 firewall and IPv6

March 11th, 2010

Another random Windows 7 fact I learned today – if you disable the Windows 7 firewall, it will also disable IPv6 and Service Hardening. Microsoft’s logic appears to be simply that if a system doesn’t have the Windows firewall enabled, then it should be treated as an insecure machine and not trusted to connect with an IPv6 IPsec tunnel. The obvious flaw in this logic is that many enterprises use other firewalls, which Windows will not account for. Those people will then have to enable the Microsoft firewall and just put it into a completely accepting state if they want to use IPv6.
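As an added example (not from the original post), the check an administrator would run before relying on an IPsec tunnel on Windows 7: confirm the Windows Firewall service is running and every profile is ON, and optionally apply the workaround the post describes (keep the profiles ON but set the default policy to allow everything, leaving filtering to the third-party firewall). The `$ApplyWorkaround` switch is a name assumed here; the `netsh advfirewall` commands are the stock ones.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
# Set to $true only when a third-party firewall is already doing the filtering.
$ApplyWorkaround = $false

# 1. The Windows Firewall service (MpsSvc) must be running; the post notes that
#    switching the firewall off also drops IPv6/IPsec and Service Hardening.
$svc = Get-Service -Name MpsSvc -ErrorAction Stop
Write-Host "Windows Firewall service (MpsSvc): $($svc.Status)"

# 2. netsh prints one "State  ON|OFF" line per profile (Domain, Private, Public).
$states = netsh advfirewall show allprofiles state |
    ForEach-Object { if ($_ -match '^\s*State\s+(ON|OFF)') { $Matches[1] } }
Write-Host "Profile states: $($states -join ', ')"

$allOn = ($svc.Status -eq 'Running') -and ($states.Count -gt 0) -and
         (@($states | Where-Object { $_ -ne 'ON' }).Count -eq 0)

if ($allOn) {
    Write-Host "OK: firewall enabled on all profiles; IPsec/IPv6 features available."
}
elseif ($ApplyWorkaround) {
    # Workaround from the post: enable the Windows firewall on every profile but
    # make its default policy permissive so the enterprise firewall does the work.
    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
    Write-Host "Windows firewall enabled in allow-all mode; verify the third-party firewall is active."
}
else {
    Write-Host "WARNING: Windows firewall is off; expect IPv6 IPsec tunnels and Service Hardening to be unavailable."
}
```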
