Archive for the 'Security' Category
March 29th, 2008, by Tim Finin, posted in Social media, Security
The appointment of Rod Beckstrom as the new head of the DHS National Cyber Security Center is interesting, if somewhat controversial. See, for example, the article Cybersecurity’s New Guard in BusinessWeek.
“The Bush Administration named Rod Beckström — entrepreneur, author, and decentralization expert — head of the National Cyber Security Center on Mar. 20. … Beckström, 47, is a Silicon Valley entrepreneur, a former derivatives trader, and a champion of conflict resolution in Africa. He’s better known as the founder of business collaboration software provider Twiki.net and as an author specializing in the agility of decentralized organizations than for connections inside the Beltway or expertise in cybersecurity.”
What’s somewhat controversial is his lack of a strong background in security or computer and communication technology — he’s an MBA. What’s interesting is his perspectives on and enthusiasm for decentralized and “leaderless” organizations, as articulated in his 2006 book The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, which I’ve not read, btw.
“Brafman and Beckstrom, a pair of Stanford M.B.A.s who have applied their business know-how to promoting peace and economic development through decentralized networking, offer a breezy and entertaining look at how decentralization is changing many organizations. The title metaphor conveys the core concept: though a starfish and a spider have similar shapes, their internal structure is dramatically different—a decapitated spider inevitably dies, while a starfish can regenerate itself from a single amputated leg. In the same way, decentralized organizations, like the Internet, the Apache Indian tribe and Alcoholics Anonymous, are made up of many smaller units capable of operating, growing and multiplying independently of each other, making it very difficult for a rival force to control or defeat them.”
In this age of decentralized information and communication systems and asymmetric warfare, I think Beckstrom might have a positive impact in his new position.
February 17th, 2008, by Tim Finin, posted in Games, Social media, Security
Joe Hall forwarded an interesting news item to Dave Farber’s IP mailing list on a new Second Life security vulnerability, Exploiting QuickTime flaws in ‘Second Life’. The exploit allows an object with a multimedia link to inject malicious code into the victim.
“Researchers Charlie Miller of Independent Security Evaluators, and Dino Dai Zovi, turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn’t exploit a flaw within Linden Labs’ Second Life, but within QuickTime. They showed how an attacker could make money stealing from innocent Second Life victims.” (link)
Their ShmooCon talk was titled “Virtual Worlds - Real Exploits” and had the abstract
“Virtual worlds serve as a new way to deliver exploits to the masses. Besides traditional attacks, they also allow attackers to control the “avatars” of players, including being able to steal the player’s virtual money and possessions. When there is a link between the virtual money and real money, this can be an easy way for an attacker to profit. This talk will address these issues and illustrate the technical details of a Second Life exploit.” (link)
Apparently the general approach used in the exploit has been around for a while, as Vint Falken blogs in The Second Life Quicktime exploit soon redone?. Here’s how Miller and Zovi demonstrated the current version of the exploit.
“For their demonstration, they created “the most evil pink box you will ever see.” They could have linked their malicious code to attributes of an avatar’s hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren’t very good players within Second Life. … In the demo, the researchers were able to show that their avatar became infected when it came too near the pink box. The code they used raided the avatar’s Linden dollars and emptied the bank account.” (link)
Since Linden dollars have a known exchange rate with more traditional currencies, and may even be stronger than the US dollar these days, Second Lifers will have to be careful.
January 1st, 2008, by Tim Finin, posted in Privacy, RFID, Security, Pervasive Computing, GENERAL
Today’s Washington Post has a story, Electronic Passports Raise Privacy Issues, on the new passport card that’s part of the DOS/DHS Western Hemisphere Travel Initiative. The program is controversial since the cards use “vicinity read” radio frequency identification (RFID) technology that can be read from a distance of 20 or even 40 feet. This is in contrast to the ‘proximity read’ RFID tags in new US passports that require that the reader be within inches. The cards will be available to US citizens to speed their processing as they cross the borders in North America.
“The goal of the passport card, an alternative to the traditional passport, is to reduce the wait at land and sea border checkpoints by using an electronic device that can simultaneously read multiple cards’ radio frequency identification (RFID) signals from a distance, checking travelers against terrorist and criminal watchlists while they wait. “As people are approaching a port of inspection, they can show the card to the reader, and by the time they get to the inspector, all the information will have been verified and they can be waved on through,” said Ann Barrett, deputy assistant secretary of state for passport services, commenting on the final rule on passport cards published yesterday in the Federal Register.” (source)
As described in the ruling published in the Federal Register, the Government feels that privacy concerns have been addressed.
“The government said that to protect the data against copying or theft, the chip will contain a unique identifying number linked to information in a secure government database but not to names, Social Security numbers or other personal information. It will also come with a protective sleeve to guard against hackers trying to skim data wirelessly, Barrett said.” (source)
Of course, if you carry the card in your purse or wallet, your movements can still be tracked by the unique ID on the card. There are also security concerns since the tag’s ID may be cloned.
“Randy Vanderhoof, executive director of the Smart Card Alliance, represents technology firms that make another kind of RFID chip, one that can only be read up close, and he is critical of the passport card’s technology. It offers no way to check whether the card is valid or a duplicate, he said, so a hacker could alter the number on the chip using the same techniques used in cloning. “Because there’s no security in the numbering system, a person who obtains a passport card and is later placed on a watchlist could easily alter the number on the passport card to someone else’s who’s not on the watchlist,” Vanderhoof said.” (source)
October 4th, 2007, by Tim Finin, posted in Ebiquity, Blogging, Security, Web
Sigh….
At the end of last week we had a catastrophic failure that resulted in our losing most of our posts. We had a security problem where someone had managed to compromise one of our blog accounts with administrative privileges. Some of the files were modified. We noticed it right away and decided to restore the site files and database from our nightly dump.
However … it turned out that when we did a major WordPress update back in February 2006, we created a new database but failed to update our backup script. So, for the past 19 months, it’s been creating a nightly backup of the old database. Restoring the old database not only resulted in losing 19 months worth of posts, but also left the database out of sync with the current WordPress version.
One of our former students (thanks Filip!) wrote a script to recover the old posts from Google’s cache and reinsert them into the database. It was a tour de force demonstration of quick programming skill. There are still some problems that we’ll need to attend to — we’ve lost all of the new categories that we’ve added since 2/2006, the ‘related posts’ plugin is no longer working, I think the feed links aren’t all right, etc. But we recovered the posts.
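The root cause above was a backup job that silently kept dumping a database WordPress no longer used. The following check is an added example, not the group’s own script: it reads DB_NAME from wp-config.php, compares it with the database named in the mysqldump header, and flags a dump whose newest wp_posts row is older than a chosen window. The config fragment and dump tail are constructed sample inputs.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed sample inputs (not from the original post): a wp-config.php
# fragment naming the live database, and the tail of a nightly SQL dump that
# a stale backup job is still taking from the old database.
WP_CONFIG = """<?php
define('DB_NAME', 'wp_2006');
define('DB_USER', 'wp');
"""
OLD_DUMP = """-- MySQL dump
-- Host: localhost    Database: wp_2004
INSERT INTO `wp_posts` VALUES (1,1,'2006-02-10 09:12:00','2006-02-10 09:12:00','old post');
"""


def configured_db_name(wp_config: str) -> str:
    """Return DB_NAME from wp-config.php, i.e. the database WordPress really uses."""
    m = re.search(r"define\(\s*'DB_NAME'\s*,\s*'([^']+)'\s*\)", wp_config)
    if not m:
        raise ValueError("DB_NAME not found in wp-config.php")
    return m.group(1)


def dump_db_name(dump: str) -> Optional[str]:
    """Return the database named in the mysqldump header, or None if absent."""
    m = re.search(r"^--\s*Host:.*Database:\s*(\S+)", dump, re.MULTILINE)
    return m.group(1) if m else None


def newest_post_date(dump: str) -> Optional[str]:
    """Return the latest post_date (YYYY-MM-DD) among wp_posts INSERT rows."""
    dates = re.findall(r"INSERT INTO `wp_posts` VALUES \(\d+,\d+,'(\d{4}-\d{2}-\d{2})", dump)
    return max(dates) if dates else None  # ISO dates sort correctly as strings


def check_backup(wp_config: str, dump: str, today: str, max_age_days: int = 30) -> List[str]:
    """Return the problems found; an empty list means the dump looks current."""
    problems = []
    expected, actual = configured_db_name(wp_config), dump_db_name(dump)
    if actual != expected:
        problems.append(f"dump is of database {actual!r} but WordPress uses {expected!r}")
    newest = newest_post_date(dump)
    if newest is None:
        problems.append("dump contains no wp_posts rows")
    else:
        age = (date.fromisoformat(today) - date.fromisoformat(newest)).days
        if age > max_age_days:
            problems.append(f"newest post in dump is {newest}, {age} days old")
    return problems
```

Run it against the real wp-config.php and the latest dump file after each nightly backup; a non-empty result is the alarm that was missing for 19 months.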
We’ve tightened up our security but continue to see lots of malicious visitors knocking on the door and checking the locks.
It’s a jungle out there.
January 27th, 2006, by Amit, posted in Policy, Security, Programming
A good read at http://stopbadware.org; it seems to be a MEGA campaign by Google, Lenovo and Sun Microsystems.
“Several academic institutions and major tech companies have teamed up to thwart ‘badware’, a phrase they have coined that encompasses spyware and adware. The new website, StopBadware.org, is promoted as a “Neighborhood Watch” campaign and seeks to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We want to work with both experts and the broader internet community (.orgs and .edus) to define and understand the problem.”
November 23rd, 2005, by Tim Finin, posted in Policy, Conferences, Security, Web, Semantic Web
The Workshop on Models of Trust for the Web (MTW’06) will be a one-day workshop held on May 22 or 23, 2006 in Edinburgh in conjunction with the 15th International World Wide Web Conference. Tentative deadlines are January 10 for paper submission and February 1 for acceptance notification.
“There are three types of lies - lies, damn lies, and facts found on the Web.” — anon
“As it gets easier to add information to the web via html pages, wikis, blogs, and other documents, it gets tougher to distinguish accurate information from inaccurate or untrustworthy information. A search engine query usually results in several hits that are outdated and/or from unreliable sources and the user is forced to go through the results and pick what she/he considers the most reliable information based on her/his trust requirements. With the introduction of web services, the problem is further exacerbated as users have to come up with a new set of requirements for trusting web services and web services themselves require a more automated way of trusting each other. Apart from inaccurate or outdated information, we also need to anticipate Semantic Web Spam (SWAM) — where spammers publish false facts and scams to deliberately mislead users. This workshop is interested in all aspects of enabling trust on the web.”
November 16th, 2005, by Tim Finin, posted in Policy, Security, Semantic Web
The Semantic Web and Policy Workshop (SWPW) held at ISWC had some great presentations and discussions on policy-based frameworks for security, privacy, trust, information filtering, accountability, etc. The SWPW web site has the proceedings, papers, presentations and some pictures. Watch for announcements about a related workshop on Models of Trust for the Web that will be held at WWW2006.
October 31st, 2005, by Tim Finin, posted in Humor, Technology, Security, AI, GENERAL
CMU roboticist Daniel Wilson has apparently flipped and gone over to the other side. His new book reveals all:
Daniel H. Wilson, How To Survive a Robot Uprising : Tips on Defending Yourself Against the Coming Rebellion, 1 November 2005, Bloomsbury.
Wilson says “Any machine could rebel, from a toaster to a Terminator.”
Here’s a story on Wilson and the book.
October 18th, 2005, by Pranam Kolari, posted in Policy, Conferences, Security, CS, GENERAL
Rob Clyde, Vice President of Technology, Office of the CTO at Symantec Corporation, presented his keynote this morning. Along with the usual security material he reported some interesting statistics:
- Phishing is becoming an increasing threat, as 3 to 4% of users respond to such mails — much higher than the response rate for traditional e-mail spam.
- In the first half of 2005 phishing increased from 2.99 million e-mails/day to 5.7 million e-mails/day.
- 31% of online consumers are buying less due to the increased web security threat.
- The US leads in the number of hacked machine reports, followed closely by Germany.
- Broadband penetration is actually increasing security threats. Many personal machines are now vulnerable to hackers using them as bots for DoS attacks.
- DoS attacks are now a business. Such attacks are now available for as low as US $300. Where?
Some other interesting comments:
- The increasing speed at which worms propagate is now demanding better use of proactive measures.
- In the absence of such measures, Akamai and its expandable bandwidth pipes are the only solution against DoS attacks. Looks like more revenue for Akamai in the days to come! Maybe Akamai’s stock is in for a ride.
Finally, and of importance to us — Symantec is now working on combating web (and blog) spam. They see this as one of the next big security threats.
October 10th, 2005, by Tim Finin, posted in Security, Ontologies, Policy, KR, AI, Semantic Web, Web, Agents
The Semantic Web and Policy Workshop will be held at the 4th International Semantic Web Conference on 7 November 2005 in Galway, Ireland. The workshop is focused on two research areas:
- policy-based frameworks for the semantic web for security, privacy, trust, information filtering, accountability, etc.
- applying semantic web technologies in policy frameworks for application domains such as grid computing, networking, storage systems, pervasive computing and specifying agent communities norms.
In addition to presentations of nine submitted papers, Ora Lassila will give an invited talk on “Applying Semantic Web in Mobile and Ubiquitous Computing: Will Policy-Awareness Help?” and a panel of policy researchers will initiate a discussion of “The 2005 Web Policy Zeitgeist”. The proceedings are available and participants can register online.
October 5th, 2005, by Tim Finin, posted in Security, Web, GENERAL
This is an interesting and accessible article on the DDoS extortion business and companies that offer protection services.
The Zombie Hunters — On the trail of cyberextortionists, Evan Ratliff, The New Yorker, 10 October 2005
“One afternoon this spring, a half-dozen young computer engineers sat in the headquarters of Prolexic, an Internet-security company in Hollywood, Florida, puzzling over an attack on one of the company’s clients, a penile enhancement business called MensNiche.com. The engineers, gathered in the company’s network operations center, or noc, on the fourth floor of a new office building, were monitoring Internet traffic on fifty-inch wall-mounted screens. Anna Claiborne, one of the company’s senior network engineers, wandered into the noc in jeans and a T-shirt. The MensNiche attacker had launched an assault on the company’s Web site at 4 a.m., and Claiborne had spent the night in the office fending it off. “Hence,” she said, “I look like hell today.””
September 20th, 2005, by Tim Finin, posted in Security, Web, Semantic Web, GENERAL
A Reuters article claims that Google is preparing to launch its own wireless Internet service, Google WiFi. Evidence includes several pages found at wifi.google.com including a FAQ for their Google Secure Access, a downloadable client application that allows users to establish a more secure WiFi connection. Some report that San Francisco Bay Area users will soon be able to connect freely to Google Wi-Fi hotspots using this VPN wireless client.
UPDATE: An anonymous source on Dave Farber’s IP mailing list says:
Google is doing two things:
1) promoting municipal Wi-Fi and working with the city of San Francisco and companies like EarthLink;
2) releasing a beta of a simple VPN client — “Google Secure Access” — which provides a tunnel to a Google VPN server exploiting the built-in VPN tool in Windows XP and 2000. This is useful on insecure Wi-Fi networks for those that have no VPN, but it is not a Wi-Fi service.
Offering a free VPN service might make sense as a new way for Google to put ads in front of eyes.