Monthly Archive: August 2008

Thoughts 07 Aug 2008 10:27 am

DNS Flaw

Dan Kaminsky discovered a way for malicious hackers to hijack DNS and redirect people to fake pages even if they typed in the correct address for a website.
After publicly announcing a flaw in the DNS system and suggesting patches, Mr. Kaminsky, speaking at the Black Hat conference here in Las Vegas, said fixes for the flaw in the net’s Domain Name System (DNS) had focused on web browsers, but it could be abused by hackers in many other ways.

In his lecture Mr Kaminsky detailed 15 other ways for the flaw to be exploited.

Kaminsky also said that 75% of Fortune 500 companies have fixed the problem while around 15% have done nothing.
—I wonder what happened to the other 10%?—

Taking a different tack, VeriSign, which issues many of the security certificates used in SSL, said the whole thing was nothing but hype. They maintain 2 of the 13 master DNS servers and say they’ve long since engineered around the problem.
–That’s only 2 out of 13. And why do the “I’m invincible” statements worry me?–

Mr Silva at VeriSign went on to say that even though patches have been put in place, this doesn’t mean users can sit back and relax.

“The biggest gap in security rests between the keyboard and the back of the chair,” he said.
–Amen brother–

“Social engineering - because there’s no patch for stupid.”

Thoughts 04 Aug 2008 10:28 am

Feds don’t need suspicion to confiscate your Laptop

From the Washington Post:

Federal agents may take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

In April, the U.S. Court of Appeals for the 9th Circuit in San Francisco upheld the government’s power to conduct searches of an international traveler’s laptop without suspicion of wrongdoing. The Customs policy can be viewed at: http://www.cbp.gov/linkhandler/cgov/travel/admissability/search_authority.ctt/search_authority.pdf.

For the basis of the court’s ruling, consider the Supreme Court decision in US v. Flores-Montano, 541 US 149, which held that complete disassembly and reassembly of a car’s gas tank didn’t require reasonable suspicion.

Having traveled in and out of this country for years I had always assumed that everything you brought across the border was subject to search. I see no difference between a laptop and your suitcase.

What bothers me is the jack-boot mentality that exists and is encouraged by those people at the top.

The TSA once tried to confiscate a MacBook Air because they didn’t know what it was.

Are these people any better trained? And how much legitimate data will be lost and how many laptops will they lose or ruin?

I see nothing wrong with a reasonable search, but giving some technologically impaired knuckle dragger that kind of power is wrong.

Pretty soon business travelers will be taking lessons from the smugglers just to find ways to get their data home safe.

Thoughts 01 Aug 2008 03:39 pm

GIFAR - A GIF/Java hybrid to steal your logon credentials

At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they’ve developed that could steal online credentials from users of popular Web sites such as Facebook, eBay and Google.

To the Web server, the file looks exactly like a .gif file; a browser’s Java virtual machine, however, will open it up as a Java Archive (JAR) file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim’s browser. For its part, the browser treats this malicious applet as though it were written by the Web site’s developers.

There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. “The attack is going to work best wherever you leave yourself logged in for long periods of time,” Heasman said. — Such as MySpace.
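As an added defensive example (not code from the page or from the GIFAR researchers), the following Python shows why a server-side check that only inspects the image header misses a GIFAR, and how a detector that also asks whether the upload parses as an archive catches it. The sample image and archive are constructed here; the archive holds only a manifest text entry, no applet code.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature

# Constructed sample: a valid 1x1 GIF89a image (35 bytes).
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)


def build_benign_archive() -> bytes:
    """Constructed sample: a ZIP/JAR-style archive holding only a manifest
    text entry (no applet code), used to exercise the detector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def looks_like_gif(data: bytes) -> bool:
    """What a naive upload filter checks: the GIF magic at offset 0."""
    return data[:6] in GIF_MAGICS


def parses_as_zip(data: bytes) -> bool:
    """True if an archive reader would accept the file. ZIP readers (the
    JVM's included) locate the central directory from the END of the file,
    so leading image bytes do not stop them from finding the archive."""
    # EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    if ZIP_EOCD_SIG not in data[-(22 + 65535):]:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return bool(zf.namelist()) and zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def is_gifar_polyglot(data: bytes) -> bool:
    """Reject uploads that are simultaneously a valid GIF and a valid
    archive: such a file would be served from the site's own origin and
    could be loaded as a JAR by the browser's Java plug-in."""
    return looks_like_gif(data) and parses_as_zip(data)

# The GIFAR shape: image bytes first, archive appended after them.
SAMPLE_POLYGLOT = MINIMAL_GIF + build_benign_archive()
```

The complementary mitigation is to serve user uploads from a separate origin, so that anything loaded from them does not inherit the site's logged-in session.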

I see this software as a stepping stone, merely a proof of concept, with a far more nefarious attack being developed as soon as the limitations of, and the countermeasures to, the basic concept are discovered.

The bad guys are not only smarter than most security people, they are by definition one step ahead. Your security person can only react to any new attack, whereas the attacker can choose the time and place and type of attack.

If you’re a network administrator, all you can do is try to ban MySpace and other social networking sites, which are tremendous resource hogs anyway, and find a way to force management to fire anyone who finds a way around the ban. This won’t prevent attacks, but it will slow them down and show due diligence when you do get hacked and your customers’ data shows up for sale on a hacker site.

The game has become more serious than could be imagined just 2 or 3 years ago, and unless a new approach to security that has vastly improved threat recognition is developed - it will get worse.
