||Placing a Value on Passwords - November 20, 2007
How much is your password worth? Talk about a difficult
question to answer! Back in 2004 a survey conducted at one
of the UK’s busiest railway stations revealed that 70% of
people would reveal their computer password for a chocolate
bar. What if I was to tell you that, today, ...
||Psst... wanna buy some credit cards? - November 12, 2007
Of the millions of credit cards electronically stolen each
year, have you ever thought about where they go and what
happens to them once they reach their final destination?
Data leakage in the form of ‘lost’ credit cards and the
supporting identity information needed to ...
||XSOX.NAME and Proxy Bots - October 22, 2007
Web proxies are an interesting beast. Within the corporate
environment they allow organizations to regulate access to
the Web as well as provide some degree of protection against
several classes of threat. Outside, elsewhere in the
Internet, Web proxies have ...
||RFID Worms - Fact or Fiction? - October 16, 2007
A few weeks ago IBM ISS worked with the Georgia Tech
Information Security Center (GTISC) to release a paper
entitled “Emerging Cyber Threats Report for 2008”. As one
of the contributors to the report I subsequently received a
number of enquiries concerning some of the content;
||Anti-malware's backward brother - October 15, 2007
A couple of weeks ago I was asked by a journalist to go in
to a little more depth about the increase in malware being
observed. As you’ve probably noted, the mid-year X-Force
threat report pointed out that nearly as much malware was
captured and analyzed within the first ...
||Charitable Donations on Your Behalf - September 20, 2007 at 6:24 PM EDT
A colleague
in the UK pointed me to an interesting news story concerning
fraudulent donations that have been made to CastleCops (a
volunteer security community seeking to make the Internet a
||Phishing on the Fly - September 17, 2007
There must have been something in the water somewhere,
because it looks like last week was an exceptionally active
week for the Phishers - in fact the busiest ever. In the
period running 10th through to the 17th September IBM
anti-spam gurus over in Kassel identified 453,932 ...
||Ultimate Data Storage - Microfiche? - September 12, 2007
Over the last few years “security” has increasingly been
associated with the term “privacy”. It wasn’t always the
case though. At the turn of the millennium the first thing
that would have jumped in to an IT manager’s mind if you
mentioned the word “security” ...
||The Short Path to Deniability - August 30, 2007
“When is identity theft advantageous to the victim?” That
was a question that came up in a recent hallway
conversation, and it got me thinking… Over the years I’ve
seen and heard plenty of excuses for various hack attempts
and fraudulent claims – all of which were geared ...
||Old Threats Never Die - August 19, 2007
What kind of answer do you give if someone asks you “how
long did it take before the Slammer worm ceased to be a
threat?” Slammer kicked off in the morning of January 24th,
2003, and within its first 10 minutes of propagation had
managed to compromise an estimated 75,000...
||International Money Mule Recruitment – Part II - The Recruitment Site - August 15, 2007
Continuing yesterday’s international money mule theme and
the FAQ, I figured it would be worthwhile running through a
fairly typical mule recruitment website – in this case, one
that appears to have been around for quite some time (which
is pretty weird given how quickly...
||International Money Mule Recruitment – Part I – The FAQ - August 14, 2007
My suspicion that not many people know what a money mule is
has definitely been confirmed these past couple of weeks
based upon the number of queries I’ve had about last month’s
posting on the topic. So, this evening I figured I’d do two
things – write up a short FAQ ...
||Social Network Hacking - August 08, 2007
A couple of weeks back I stumbled upon some news postings
about the use of MySpace and Facebook in successful identity
theft crimes. Without filling up a paragraph with links to
the various news stories themselves, I’ll sum it up as
basically as I can. The victims had lots...
||The Vulnerability Brokers - August 04, 2007
You’ve probably already read several postings from me over
the years about responsible disclosure and my views of the
ethics behind vulnerability-based services. So, today I’m
planning on going a little further – dispel a myth, and
propose something to the major...
||The Mule Trade - July
99.9 percent of the online world knows what spam is, and I’d
guess that around half of them know what phishing is. But
how many know what a mule is? Whatever this lowly figure is
(which I’d guess to be less than one percent), I’d postulate
that there are probably more ...
||Top-10 Vulnerable Vendors - July 24, 2007
At the beginning of this year X-Force introduced a new style
annual security report – focusing on how threats developed
and matured throughout the year – based upon statistical
analysis of key data X-Force had accumulated.
||Phishing under the Microscope - July 11, 2007
When discussing phishing, most people I meet are only
all too familiar with the spam-based email flooding their
inbox and the cloned websites waiting out there to suck down
their banking credentials and steal their identity. But
many of them have no inkling as to the mechanics ...
||Heisenberg Uncertainty - July 04, 2007
Some people feel that I tend to take an unduly harsh
position on signature protection engines. In fact, a quick
review of my blog entries so far throughout 2007 may reveal
to some people that I am not a huge fan of them – often
referring to them as “legacy” – while promoting ...
||Firewall Spring Cleaning - July 01, 2007
You’d think that after nearly twenty years of firewalls
being the frontline defense for enterprises, all the kinks
would have been worked out by now. To be fair, as defenses
go, the good old firewall has stood up surprisingly well in
the face of increasingly complex networked...
||Spear Phishing and Whaling - June 28, 2007
For all its simplicity, over the last decade the term
“phishing” has evolved from a particular attack vector into
a stratified class of online fraud and deception. This has
resulted in a number of colorful names for the various
sub-classes and vectors within Phishing.
||Web Browser Exploitation - June 24, 2007
I guess Web browser exploitation started to get exciting
back in 2004 when SkyLined introduced everyone to the
concept of heap-spraying. All of a sudden, several years
worth of DoS vulnerabilities in Microsoft’s Internet
Explorer looked ripe for some real exploitation.
||Disclosure vs. Ethics - June 13, 2007
Public disclosure of security vulnerabilities has been a
topic in which not many people have chosen to sit quietly
upon the fence. Like an Australian brushfire the heated
discussions on disclosure flare up at random locations, burn
brightly for a few days, consume the local tundra...
||Phishing Kits Classified - June 06, 2007
Phishing attacks have evolved quite a bit over the last few
years. When I wrote my first whitepaper on the subject back
in 2004 – ‘The Phishing Guide’ – the vectors for attack were
already numerous, and since then many more vectors have
appeared. Starting with a “Ph...”
||Counting Vulnerabilities - May 29, 2007
It would seem to me that, on a daily basis, I get asked way
too often “how many vulnerabilities are there in popular
software?” If you have read the 2006 Trend Statistics report
– you will have observed that X-Force tracked, analyzed and
researched 7,247 public vulnerability ...
||A Slowdown in Vulnerability Disclosure? - May 24, 2007
It’s interesting to note that the total number of
vulnerabilities publicly disclosed so far this year has only
increased by 4.7 percent over the same period in 2006 – not
nearly as bad as the 39.5 percent annual increase observed
last year (2006 vs. 2005).
||Microsoft Vista Vulnerability Ranking - March 19, 2007
Over the weekend I noticed an interesting article on the
ComputerWorld site with the awe-inspiring title “Microsoft
security guru wants Vista bugs rated less serious” covering
comments made by Microsoft’s Michael Howard (a senior
security program manager in their security engineering...
||Stopping Botnet C&C on the Wire - February 21, 2007
The expectations of a network management team are often at
odds with the security management team, which are in turn at
further odds with the audit and compliance teams. You can
sometimes see these different expectations materialize
within enterprise-level RFI and...
||Targeted or Personalized Attacks? - February 19, 2007
Like a catch phrase from an old Arnold Schwarzenegger movie,
the term “targeted attack” has swept the security industry
and can be heard reverberating around conference stands and
found scattered throughout this year’s glossy product
brochures. I haven’t seen this much ...
||Violent Crime, CSI and Vulnerability Disclosure - January 14, 2007
It would seem that the Internet isn’t the only place in
which criminals can learn from the good-guy disclosures and
develop more successful ways to conduct their crime. With
the increased popularity of crime sleuthing shows such as
CSI: Crime Scene Investigation and Cold Case...