Camera phone Biometrics — An Alternative to Cryptography?


New research in the Netherlands uses cameraphone images to generate biometric data, in order to authenticate users on ad-hoc mobile networks. If you want to use a PDA or other device, just take a couple pictures, the system scans your face and you’re set to go.

Biometric data is generally regarded as being ill-suited for cryptography: each measurement, even when taken by the same device, of the same feature on the same person will differ slightly. This noise in the data makes it difficult to extract a cryptographic key in the traditional sense. Other recent work has shown that it’s possible to use just the noise in a biometric measurement to generate a cryptographic key—the new method relies on this principle.

Researchers put together a system that can be implemented on any device equipped with a camera. Facial recognition software is then used to produce biometric measurements of a person’s face, which should stay constant through changes in hairstyle, makeup, etc. Users take a picture of themselves, then use a random string that, combined with the biometric information, forms the equivalent of a public key.

When two people need to establish a connection between their devices, they exchange these public keys, and each then takes a picture of the other device’s owner. The biometric data from this new picture is used to try to extract the random string from the public key.
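
The enrol-and-recover flow described above can be sketched with a generic fuzzy-commitment construction. This is an added example, not the researchers' code or scheme: the repetition code, the SHA-256 check value, the function names and the 40-bit sample vectors are all assumptions chosen for illustration.

```python
import hashlib
import secrets

REP = 5  # assumed repetition code: each secret bit is repeated 5 times, tolerating 2 flips per block

def encode(bits):
    """Repeat every bit REP times."""
    return [b for b in bits for _ in range(REP)]

def decode(code):
    """Majority vote over each block of REP bits."""
    return [int(sum(code[i:i + REP]) > REP // 2) for i in range(0, len(code), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(face_bits, secret=None):
    """Owner: bind a random string to the face bits; returns (public value, secret)."""
    n = len(face_bits) // REP
    if secret is None:
        secret = [secrets.randbits(1) for _ in range(n)]
    helper = xor(encode(secret), face_bits)  # codeword masked by the face measurement
    return {"helper": helper, "check": digest(secret)}, secret

def recover(public, fresh_bits):
    """Peer: unmask with bits from a fresh photo, correct the noise, verify the result."""
    candidate = decode(xor(public["helper"], fresh_bits))
    return candidate if digest(candidate) == public["check"] else None

# Constructed sample data, not real biometric measurements. The 8-bit secret is
# for readability only; a string this short can be brute-forced against "check".
FACE = [(i * 7 + i // 3) % 2 for i in range(40)]                      # enrolment photo
NOISY = [b ^ (i in (1, 8, 17, 18, 33)) for i, b in enumerate(FACE)]   # same face, 5 bit errors
IMPOSTOR = [1 - b for b in FACE[:20]] + FACE[20:]                     # a different face

if __name__ == "__main__":
    public, secret = enroll(FACE)
    print("same person recovers secret:", recover(public, NOISY) == secret)
    print("impostor result:", recover(public, IMPOSTOR))
```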

It sounds a little like social networking in the cryptography world — and a bit hairier than just using a password. Do you think it’s a good idea?

Read the full article here.


That Guy Above Starbucks, Stealing Your Passwords


The new RSA wireless security survey was released today. It reveals that while New York has a very dense concentration of hot spots, Paris is growing dramatically, with its hot spots up 300% from last year. But what does the report say about security of those spots?

Adrian at Securosis has this comment:

If your [sic] an IT manager, you have very little way to assess risk from this report, so just assume wireless hotspots are compromised and that you need to deploy a system to thwart these attacks on externally accessible corporate WiFi. And as an end users, if you think you are safe just because you have established an encrypted connection at Starbucks, think again. The guy in the tiny corner apartment overlooking the store makes his living by sniffing personal information and passwords.

Good advice, I’ll be checking my bank accounts from home and not Starbucks.

Thought it might be interesting to find a report about ID Theft — what percentage is caused by data breaches, versus internal data theft, versus wifi hot spot sniffers, versus other methods, I wonder?


How Much Does a Web Site Cost?


Blogger and infosec professional Kai Roar has a recent post about how all businesses should get professional design work done to make sure their web platforms are secure –

As an entrepreneur, it is very easy to think you will save some bucks by buying a cheap website from some kid (your own, your neighbor+++), and focus only on saving cash.

This approach is wrong.

Again, this approach is wrong. Let me tell you why.

You are running a serious business, and your website is an increasingly important window towards your potential and existing clients.

I agree with the idea that a web site is important, and the design and content are important. But I disagree that ALL entrepreneurs need professionally designed web sites with tons of back-end bells and whistles and that security is a huge issue for all web sites.

Many web sites provide only content with minimal interaction. Many small businesses, like restaurants, local retail stores, and so on, will only be providing information about services, hours, maybe a product catalog. Their biggest security concern will be that their passwords get loose and their site gets hacked, or that someone enacts a phishing scam in their name. But as far as security goes, many of the “web security” rules are minimal here, because there’s no web application to secure.

This is a really different situation than a high-tech venture which will be built around user interaction, and will probably have several coders who are focused on different aspects of the site development. If there’s a web portal and user interface and customer database, that’s when security gets more complex, and of course professional designers need to be employed.

But I think for many businesses, it’s going over the top to say that security has to be a major focus of the site design. I do agree that businesses should consider what they want to achieve before building anything, and then build the site around those goals, with security, branding/design, and content in mind.


Master Splyntr - No Pictures available?


Help a child of the 80s!

The whole “Master Splyntr” affair was bumbling about in my brain for days before I realized the connection between the name, and the rat in the Teenage Mutant Ninja Turtles.

The leader of the site, known online as Master Splyntr, was in fact FBI cybercrime agent J. Keith Mularski, part of an elite seven-agent cybercrime unit based at the National Cyber Forensics Training Alliance in Pittsburgh. He was not, however, a man-sized rat sensei to a group of turtles who were teenaged mutant ninjas. Would the FBI call that a conflict of interest?

Now I feel compelled to photoshop Agent Mularski AKA Splyntr, over a photo of Master Splinter…but I can’t find Mularski’s visage on the interwebs. If anyone has a photo, and it wouldn’t violate copyright laws, let me know?


Teacher Laid off over MySpace Misbehavior


Recently a high school teacher was let go after his fellow teachers and administration found that he was buddying up to kids on MySpace and making inappropriate, infantile comments.

Court documents seen by Ars show that Spanierman talked to his students this way:

Spanierman: “Repko and Ashley sittin in a tree. K I S S I N G. 1st comes love then comes marriage. HA HA HA HA HA HA HA!!!!!!!!!!!!!!!!!!!!!!!! LOL”

Student: “dont be jealous cuase you cant get any lol :)”

Spanierman: “What makes you think I want any? I’m not jealous. I just like to have fun and goof on you guys. If you don’t like it. Kiss my brass! LMAO”

The article doesn’t say how old the teacher was, although a brief note at the bottom states that “the age gap between student and teacher isn’t more than a few years, slipping into the kind of talk seen above isn’t difficult to imagine.”

The problem with this kind of behavior isn’t the internet exactly, although it’s easier for it to happen online. One of the problems is our educational system, which is in many places in dire need of reform and better training for teachers — not just in subject matter, but also in classroom management and behavior issues.

A friend of mine who teaches in the San Francisco Bay Area mentioned to me recently that in a nearby county (Napa I think), new substitute teachers only need to have their CBest test OR a Bachelor’s Degree. So, a 19-year-old high school graduate could take this test, and go work in the schools. Standards for teachers have been getting lower, possibly because pay hasn’t increased much. My teacher friend predicts that soon, the State of California may just lower its standards to let high school grads with a CBest test teach school, as well as substitute.

If this happens, it’s likely we’ll see much more of the behavior outlined above, in the MySpace case. Let’s hope someone at the top pays attention to this issue, because it will impact our kids, our economy, and information security in the future. (Imagine those kinds of teachers having access to lots of kids’ and parents’ personal data, and what they could do with it).


Warnings for Shady Webmasters


This is a great idea, and I would love to see it pursued further, so that more sketchy web registrars are investigated and blocked.

Two Internet registrars who made KnujOn’s top 10 list of worst spam offenders have been sent breach-of-contract notices by the Internet Corporation for Assigned Names and Numbers and could lose their accreditation.

ICANN had sent enforcement notices to several domain registrars identified by KnujOn, an anti-spam organization, as having registered the majority of illicit Web sites using spam to generate traffic. KnujOn said 90 percent of Web sites are clustered on just 20 registrars. That represents only 2.5 percent of the 800 registrars accredited by ICANN.

Read more here.


From Russia With Love


Have you *ever* received genuine Russian comments on English blogs?
I receive many, many Russian comments every day. Previously I used to translate them because my blog is multi-lingual and Russian is one of the 32 languages this blog is available, thanks to automated. Down the road, I realized that I never got a single genuine […]

Vulnerability Blog Roll


Data breaches and vulnerabilities are often fodder for bloggers, but it’s rare to see so many in my blog feed on the same day. So I’m assembling them for your easy reading. Here’s what to look out for:

  • Local and State governments are losing data — A report from GCN says that standards have forced the feds to start improving their security, but lack of standards for local and state governments has left them open to hacks and data loss.
  • VoIP still vulnerable — Voice of VOIPSA offers a podcast on vulnerabilities in several VoIP brands, from Cisco, Avaya, Nortel and more.
  • Malware for the Mac has been growing — The latest is MacGuard, a malware threat posing as security software.
  • No one’s immune to a hack — especially celebrities seem vulnerable. The latest is the French President, Nicolas Sarkozy. While he was “posturing as an international leader during this time of global financial crisis,” hackers have been withdrawing small amounts from his online bank accounts, says the Consumerist.
  • But it’s not just celebrities, either. New and expectant mothers have one more thing to worry about, at least those who are patients at Mary Washington Hospital in Virginia. A computer breach caused the information for 800 maternity patients to be publicly available on the site, says the Breach Blog.

Happy reading, and stay safe today.


Online List of Compromised Emails Shocks Users


DarkNet has a story about a list of Australian emails that were hacked and posted online, and how shocked the users were to learn their info had been compromised.

They also suggest using Passhash, a Firefox extension that takes one master password and makes some key changes to extrapolate it into several passwords that can be used across separate accounts.

Personally I am not sure that is the answer. I have one or two passwords with many variations that I use online and it drives me crazy, since I can never remember which variant of the password I used on which account. Sometimes I get locked out of my accounts because I don’t know what password to try first.

But, maybe the script takes care of remembering that for you. If you check it out, let me know.


Say No To Experimental Windows Upgrades


Scammers are trying to get Windows users to install malware, using emails that claim to offer an experimental security fix.

The e-mails then instruct the victim to download an attachment, which is actually a malicious Trojan Horse program known as Win32/Haxdoor. This software records sensitive information such as passwords and credit card numbers and sends this data back to the attackers who are running the scam.

The malware is detected by antivirus programs as well as Microsoft’s free Malicious Software Removal Tool (MSRT).

So keep in mind that even when you want to educate your users about the importance of security, their quest for better security can be used against them in these types of social engineering attacks.

Read the full article here.

