6396

Wired, always a source for amusement and interesting literature, just carried a story on a "hacker" (the magazine's use of the term equates to "criminal") who attempted to dominate the market in stolen credit cards. It's a neat story about an unsavory character who is not going to get enough prison time.  If you are too busy to read it, here is a synopsis: — Once upon a time, there lived in a far away land an evil dark lord. He lived in a dark castle with all kinds of dark objects around him. His most priced possession was the … Continue reading One "Hacker" Attempts to Rule The World

Shocking, yes, I know, but in only four hours this evening Microsoft has managed to alienate over 150 additional customers with its insistence on Digital Rights Management (DRM). This time it is the DRM component of the Zune store that is down, according to the 164 posts so far over on the Zune forums. OK, so realistically, that probably means that about 100 times that many customers have been alienated, including my oldest son who is unable to use the $15 worth of Zune points that his mother just purchased for him because "Error C00D12F6: Can't verify your media usage rights. A … Continue reading Believe it or not; DRM for Zune is down!

I get a fair bit of blog spam – comments advertising everything from sexual enhancers to fake anti-malware. This one just came in this morning: Sweet! I can turn off all the blog spam just by e-mailing the criminals? Or, could it possibly be that this is a clever ruse find out what my e-mail address is so they can send their junk there too? Hmm. I think I'll just forward this to abuse@gmail.com.

For a while I've been thinking about writing something about interesting times I've had at various airport security checkpoints; security theater, as they have come to be known. There is the obvious shoe removal arguments and the ill-defined rules on electronics (my camera is larger and has more electronics than most laptops, but that can stay in the bag, laptops can't), but there have been more interesting stories. Got any of your own? Share them! Around November 2001 a colleague of mine and I flew to New York on business. On the way back we went through Kennedy airport. I … Continue reading Fun Experiences at Airport Security

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067. Looking at the type of vulnerability and the fact that the issue was already being exploited in the wild at the time, this was a good decision. If you have not already installed this security update, you should stop reading this right now and return after you have installed the update. The problem fixed in MS08-067 is eerily reminiscent of the vulnerabilities that resulted in the Blaster and Sasser worms. Therefore, for obvious reasons, the question arises whether MS08-067 is wormable or not. Microsoft claimed in various … Continue reading Is MS08-067 Wormable?

The final installment in my series called "Security is About Passwords and Credit Cards" is now up on TechNet Magazine. This part of the series discusses updating technologies, including how not to abuse them, messaging about security, and the checkbox syndrome. It ends with the final comments about what we, as an industry, need to do better on to improve our users' ability to protect themselves.

The second part of my "Security is About Passwords and Credit Cards" article just hit the web. This installment looks at logon processes, misleading security eye candy, and insecure communications with customers. As always, I'd love your thoughts on it.

Security is About Passwords and Credit Cards. That's what a very nice lady told me a few months ago. At first I shrugged it off. Of course security is so much more than that. As I started to process it though I realized that is exactly what it is about to end-users. They don't care about the LMCompatibilityLevel, renaming admin accounts, UAC, SafeDllSearchMode, restricted tokens, or IDM. All they care about is to keep their credit cards safe, and the way they do that is by using a password. In the end, I started writing an article on it. When … Continue reading Security is About Passwords and Credit Cards

This has not really been that normal a week for me, but at least another article made it into print. The June 2008 issue of TechNet Magazine is headlined by an article I wrote with my friend Roger Grimes, Security Adviser for Infoworld, on Security by Obscurity. It is another one of those point-counterpoint pieces like we did in the Vista Security book where Roger argues one side of the issue, and I explain why he is wrong; or, rather, argue the other.

I do not run any anti-malware software on my primary workstation. It's a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. …went to run some tool. Hey, where did that tool go? It was there when I left home?!? Turns out the anti-malware software that the company shoved down on my laptop had removed the tools I needed to do my job because they were deemed to be malware. Today I had another reminder of why this is probably … Continue reading Warning! Don’t run Anti-Malware Software on Your Research Machine