Thursday, December 31, 2009

Feds Recommend Dedicated PC for Online Banking

The FBI and the American Banking Association are recommending that small businesses use a dedicated PC - not used for web browsing, email, or any other purpose - for online banking.

That's ridiculous.

At some point business owners need to begin holding accountable the vendors who provide inadequate security products, software developers and firms that release buggy, vulnerable operating systems, browsers, and applications, and users who don't follow safe computing and web browsing guidelines. And they need to demand more robust authentication and authorization mechanisms from their financial institutions.

It's absurd that money movement practices have not evolved in the face of increased threats and hundreds of successful exploits. From Wired:

The FBI says thieves have stolen about $40 million in this way in more than 200 cases they’ve investigated in the last two years involving small to mid-size companies and organizations. Such companies generally do not employ dedicated computer security staff or have extensive knowledge about how to protect themselves with firewalls, anti-virus and other measures and policies.

It's a common attack strategy - aim for the weakest point in the system. Why attack a bank directly when the soft underbelly of naive business owners and employees remains exposed, ripe for the picking?

Small businesses need to come to terms with the fact that computer security is a mandatory cost of doing business. It isn't 1982 anymore. You can't ignore information security any more than you can keep a manual ledger or crank out your financials on an adding machine.

So let's say you take the advice of the FBI and ABA and set up a dedicated computer within your network for online banking only. Guess what? You're still connected to the internet, and you're still not 100% safe.

I can redirect your access to your online banking site via DNS cache poisoning. I can compromise another computer (that's not dedicated) within your network and use it to infect and take control of your dedicated PC.

I'm able to conduct IP address spoofs, or perform a man-in-the-middle attack to snag the traffic going between you and your financial institution.

If these don't work, there's always session hijacking, or replay attacks, or compromising weak encryption keys. And a dedicated PC doesn't prevent attacks via social engineering.

Here are a couple of things every small business should consider:

  • Use a non-Microsoft platform for conducting online banking transactions. Since Windows and Internet Explorer continue to have a dominant market share, they attract the most attention from attackers.
  • Don't use wireless for online banking. It's too difficult to secure for those without the correct technical expertise.
  • Use Mozilla Firefox, Opera, or some other browser.
  • Install good antivirus software and keep it updated.
  • Use a tool like Secunia CSI to make you aware of vulnerabilities and end-of-life software installed on your systems.

If you're truly concerned about online banking, follow the guidelines I provided in my October 13, 2009 posting, Safer Online Banking Using a Live CD. It's certainly more manageable than setting up a dedicated PC, because a Live CD can be used for banking transactions from any computer.

Omelette in a Bag

-- Mobile post

Breakfast on Suicide Day

Egg patties - when you just don't care anymore.

-- Mobile post

Video Mashup - Top 25 Songs of 2009

Birds Are Stupid

Via BoingBoing

2010 - Watch Me

Via The Art of Non-Conformity

The Decade in Three Minutes

Via Crazy Days and Nights

Rachel Maddow Calls Out Cheney and Media Outlets

Maddow - Again, my friends and colleagues in the media have two choices in covering this. You can just copy down what the Republicans and Vice President Cheney are saying, and click "send," call it journalism, or you can actually fact-check those comments and put them into context. Your choice. It’s your country.

Gizmodo - The True Odds of Airborne Terror

Click the image for a larger view.

Via Gizmodo, Nate Silver has run the numbers and collected the data, and Jesus Diaz has created this marvelous graphical representation of your true odds of being involved in an airborne terrorism incident.

The TSA should consider this before they decide I'm not allowed to pee on my way to the west coast. When will people learn about the difference between actual and perceived risk?

Trends That Need To End in 2K10

Natasha Vargas-Cooper has compiled a scintillating list of things she believes have outlived their usefulness and she's recommending that 2010 be the year that these cultural inanities be banished from our collective consciousness.

What sort of insipid things, you ask?

Ed Hardy

There was a 2012-style explosion of this gaudy, bedazzled bullshit in the middle of this year. What? How did this fashion line gain any traction? Who said, “Yes. I would love a tiger covered in glitter sprawled over some Microsoft Word Olde English font across my too-tight-around-the-belly-T-shirt?” Honestly, who said this? I would like their home address and a list of their fears.

Reality TV-hating

Criticizing reality television is just an overly simplistic way of saying that people themselves are gross. People have been gross forever! From Spartacus to Nitro, people have been gross. Are murderers like the Megan Wants a Millionaire psycho worse MURDERERS because they also go on reality dating shows? Are bad parents—who should just be abusing their kids in their own home, like the Heenes—somehow worse child abusers because their crazy balloon boy minds are trying to get them on television as well? Sex-slave dungeons are no less dungeon-y when the dungeon master is on TV! All reality TV does is put a big old spotlight on all the sordid behaviors that have always existed.

Check out the entire posting for more goodies. The only thing that worries me is what cultural insanities will take their place.

Leggo My Eggo

Via Ishinoy's Stuff

Wednesday, December 30, 2009

White House Gives Dick Cheney A Bitch Slap

The Obama White House needs to do this more often.

To put it simply: this President is not interested in bellicose rhetoric, he is focused on action. Seven years of bellicose rhetoric failed to reduce the threat from al Qaeda and succeeded in dividing this country. And it seems strangely off-key now, at a time when our country is under attack, for the architect of those policies to be attacking the President.

Treat Cheney like a game of Whack-a-Mole. Every time he pops up, smack him back down.

Hypocrisy, Thy Name is GOP

It's simply astounding that Republican hypocrisy isn't getting more media play. These lawmakers need to shut up if they aren't going to take the lead in fixing our problems.

Via TPMtv

Bruce Schneier Discusses Security Theater on Rachel Maddow Show

I've been reading Bruce Schneier's blog and his books for years because I think he intrinsically understands the psychology of security and the difference between actual and perceived risk.

Check out this clip from the Rachel Maddow Show where the discussion revolves around the recent underwear bomber and our government's subsequent reaction.

Perhaps We've Never Been Safe?

If an underwear bomb means we're not safe under Obama, does a shoe bomb mean Bush didn't really keep us safe after 9/11? - David Kurtz, Talking Points Memo

Karl Rove Supports Marriage By Divorcing Twice

It's nice to see the conservative Republican practice of "do what I say, not what I do" is alive and well.

Where's the traditional family values outrage? Anyone? Anyone?

How The South Was Lost

Via The Best Defense

Green Screen Grannys

Via GawkerTV

Darth Vader Chokes the Chicken

Click the image for a larger view. Via XKCD

Does this mean hot coffee is not hot?

Lottery - A Tax On People Who Are Bad At Math

Tuesday, December 29, 2009

RoboCop 5 Wardrobe

Costume procurers would be wise to stock up at 60% off at Kohl's.

-- Mobile post

Fire the TSA

After yet another failure to keep radical elements from trying to blow up a commercial airliner, it's time to fire the TSA.

So says Joel Johnson in a Gizmodo posting.

I want our government to prevent terrorism and to make flights safer. But we are spending billions of dollars and man-hours to fight a threat that is less likely to kill a traveler than being struck by lightning. In the last decade, according to statistician Nate Silver, there has been "one terrorist incident per 11,569,297,667 miles flown [the] equivalent to 1,459,664 trips around the diameter of the Earth, 24,218 round trips to the Moon, or two round trips to Neptune." (Sadly, this does mean that in the future we can expect one out of every two round-trip flights to Neptune to be hijacked.)

The TSA isn't saving lives. We, the passengers, are saving our own. Since its inception, the TSA has been structured in such a way as to prevent specific terror scenarios, attempting to disrupt a handful of insanely specific tactics, while continuing to disenfranchise and demoralize the citizens who are actually doing the work that a billion-dollar government agency—an agency that received an additional $128 million just this year for new checkpoint explosive screening technology—has failed to do.

Imagine if the billions of dollars spent on the TSA fallacy were used on competent intelligence gathering and hardening the actual flight infrastructure.

Dare to dream.

Matt Taibbi - Onward Christian Warriors

Over at True/Slant, Matt Taibbi does his usual fine work in completely decimating David Brooks over his Obama's Christian Realism column in the New York Times.

Taibbi opines that Brooks is painting Obama with the very same religious warrior brush that he used on George W. Bush not long ago.

Brooks is a perfect example of the kind of spineless Beltway geek we always see beating the war drum at times like these. It’s because nebbishly little dorks like Brooks and Paul Wolfowitz and David Frum got their books dumped in high school that we end up dropping daisy cutters on Afghan sheep herds and shipping working class American kids halfway around the world to get their nuts blown off. That sounds like a simplistic explanation, but anyone who doesn’t have a keen ear for the pencil-pusher’s eternal quest for macho cred is going to have a hard time understanding Washington politics. Brooks’s columns have always been the easiest way to take the pulse of that particular dynamic, and it sure seems now that bureaucratic momentum for intervention and more intervention is re-inflating the chests of these Beltway generals.

Let's hope that Taibbi isn't misreading Obama, because the last thing we need is yet another administration that believes the US has a religious mandate to kill people in other countries.

Image via dullhunk's photostream on flickr

The 2000s - A Look Back

Phillip Niemeyer has put together this graphical representation of 2000-2009 for the Op-Ed section of the New York Times. Fascinating.

Click the image or the link for a larger view.

Farewell 2009


Monday, December 28, 2009

GSM Crypto Code Broken

For over 20 years, up to 80% of the world's phone calls made on cellular phones have relied on the GSM algorithm for protection.

Now comes word that a German computer engineer claims to have broken the code, part of his broader effort to demonstrate how insecure wireless systems are around the globe.

Karsten Nohl detailed his achievement at the Chaos Communication Congress in Berlin. 64-bit encryption? Hey, cellular phone providers - are you freaking kidding me?

Back in August 2009 I wrote the GSM algorithm's epitaph when I first learned that Nohl launched his open-source project to crack GSM cellular phone encryption.

Karsten Nohl claims that he's looking to exploit a vulnerability that's been known for 15 years and affects 3 billion phones as a way to prod cellular phone manufacturers and carriers to get serious about security.

Cracking GSM encryption is nothing new, but previously the tools have been very complex, highly technical, and pretty darned expensive. Nohl hopes to change that via his open-source project. Ah, the joys of distributed computing.

Less than 5 months later, Nohl is claiming success. Imagine what groups motivated by financial gain, such as Russian organized crime syndicates or Chinese hackers, will do with this ability.

Even more frightening is what these cartels may have already achieved. The days when we could consider security as secondary to killer features and functionality are gone.

If you're not planning six steps ahead, you're already three steps behind.

Via ZDNet

Lieberman: We're Going to Yemen!

Droopy Dog says that if we don't immediately attack Yemen, we may someday be placed in the situation where we need to attack Yemen, so we should just go ahead and attack Yemen.

Lieberman will also not support any attack on Yemen that includes a public option, but he's ok if an attack on Yemen contributes to an increase in the deficit.

Old School Day Off

-- Mobile post

Terrorism Watch List is Like MySpace

Andy Borowitz on the terrorism watch list: It's like MySpace - it's there, but no one checks on it anymore.

Microsoft Comments on IIS Vulnerability

Security blogs and websites have been reporting a previously unknown vulnerability in Microsoft IIS that could lead to remote code execution.

From The Register:

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension ".asp." By appending ";.jpg" or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

Microsoft has responded via their Microsoft Security Response Center blog in very carefully crafted language that essentially notes they are still investigating this "claim", that they aren't aware of any "active attacks", and that the only systems at risk are in non-default, unsafe configurations that fail to follow Redmond's best-practice guidelines. There's the usual boilerplate language where Microsoft whines that the existence of the flaw was not "responsibly disclosed," which means the researcher didn't call Redmond with the details and give Microsoft coders a year to sit on the vulnerability before doing something about it.

Since it's likely that not every web server admin is following Microsoft's guidelines, and fewer still are security experts, odds are good that the number of sites vulnerable to exploit is large, and the clock is ticking on the bad guys launching attacks configured with the appended file suffix.

If you're not following the best practices outlined in Microsoft's blog posting, you should reexamine your web configs and begin testing in advance of any forthcoming patch. Running unsafe configurations is asking for trouble, and even if Microsoft releases a fix for this particular flaw, your web presence remains at risk until it's hardened.
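To make the filter-bypass concrete from the defender's side, here is an added example (not from the original post, Microsoft, or the researcher) in Python. It puts the kind of upload check The Register describes, one that only looks at the text after the last dot, beside a hardened version that allowlists the whole filename and rejects any name containing a semicolon or colon, and it adds a small scan over constructed IIS W3C log lines that flags request paths of the ";.jpg" shape. The allowed-extension set, the regular expression, the storage-token scheme and the log lines are all assumptions made for the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Extensions the upload handler is willing to store (assumed policy for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_is_allowed(filename: str) -> bool:
    """The bypassable check: only the text after the last dot is examined,
    so a name like 'shell.asp;.jpg' passes because its final suffix is 'jpg'."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


# Allowlist for the whole name: one base name, exactly one dot, one short extension.
# Anything else (';', ':', '/', '\\', spaces, a second dot) fails to match. Assumed pattern.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def hardened_is_allowed(filename: str) -> bool:
    """Validate the complete filename against the allowlist pattern instead of
    trusting whichever suffix happens to come last."""
    match = _SAFE_NAME.match(filename)
    return bool(match) and match.group(1).lower() in ALLOWED_EXTENSIONS


def storage_name(filename: str, token: str) -> Optional[str]:
    """Never store a file under the client-supplied name: keep only the
    validated extension and attach it to a server-generated token (assumed scheme)."""
    if not hardened_is_allowed(filename):
        return None
    return f"{token}.{filename.rsplit('.', 1)[1].lower()}"


# Constructed W3C-format IIS log lines for the example (not real traffic).
# cs-uri-stem is the fifth whitespace-separated field.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-12-28 10:15:01 192.0.2.10 GET /uploads/photo.jpg - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 12
2009-12-28 10:15:09 192.0.2.10 GET /uploads/shell.asp;.jpg - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 34
2009-12-28 10:15:15 192.0.2.10 GET /uploads/cmd.asp%3B.gif - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 31
2009-12-28 10:15:22 192.0.2.10 POST /upload.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 40
"""


def find_suspicious_requests(log_text: str) -> List[str]:
    """Return decoded request paths whose last segment contains ';' or ':',
    the filename shape the researcher describes. URL-encoding is undone first
    so '%3B' does not slip past the check."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip the W3C header lines
        fields = line.split()
        if len(fields) < 5:
            continue
        path = unquote(fields[4])
        last_segment = path.rsplit("/", 1)[-1]
        if ";" in last_segment or ":" in last_segment:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.asp;.jpg", "shell.asp:.jpg"):
        print(f"{name:18} weak={weak_is_allowed(name)!s:5} hardened={hardened_is_allowed(name)}")
    print("flagged:", find_suspicious_requests(SAMPLE_LOG))
```

The point of `storage_name` is that even a correct extension check is not the last line of defence: writing the upload under a server-chosen name with a validated extension means the name the client sent never reaches the filesystem or the request path at all. The log scan is a cheap way to look back through existing logs for requests of this shape while a patch is pending.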

Right Wing Racial Profiling Survives

Remember folks - a failure to follow established security procedures which leads to a singular, failed terrorism incident means it's perfectly acceptable to toss the constitution out the window because otherwise Conservatives will pee their pants.

Via ThinkProgress

Wednesday, December 23, 2009

Jay Leno - The Early Years

Found this in a variety store in Columbus, Ohio. I wonder if Jay gets a cut of every sale?

-- Mobile post

Happy Festivus 2009