
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 31 Jan 2008 00:00:00 00, 668
Internet outage in Egypt

Imagine my amazement when I received a call from a reporter asking for an interview regarding the Internet disruption in Egypt from the New Jersey Star Ledger. In addition to discussing how businesses should react to disruptions of this sort (calmly, they are rare and recoverable events, largely due to the fact that *survivability* was one of the most important, original design objectives for the Internet), I wandered off topic with staff writer Kelly Heyboer about the role her newspaper played in my high school days. "The Ledger" always had great wrestling coverage for most Bergen County High Schools. Kelly was quick to point out that the wrestling blog the Ledger hosts is one of the most active and popular on their site. Kelly's article is a nice piece, balancing local and global interest, with very little F.U.D. Read it here.

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID668 by Dave Piscitello  


Mon, 28 Jan 2008 00:00:00 00, 669
Fast flux hosting and DNS

My SSAC committee's Advisory on Fast Flux Hosting and DNS is now available.

Fast flux hosting is an evasion technique used by phishers, identity thieves and other e-criminals to frustrate incident response team and law enforcement agency efforts to track down and take down illegal web sites. The fast flux technique closely resembles a 3 card monte or shell game scam, where a tosser lays three folded playing cards on a table and a victim is lured into betting on his ability to "follow the red queen" (Brits call this scam "Find the Lady"). The tosser moves all three cards at blinding speed while simultaneously distracting the victim with conversation, clever quips, and sleights of hand. Fast flux, however, is a high stakes trick, and has become a worrisome and omnipresent attack technique. In fast flux hosting, the tosser rapidly changes web site *and* DNS name server addresses, so quickly that there is virtually no time for investigators to respond.

The SSAC Advisory describes variations of fast flux hosting, identifies current measures to detect and combat fast flux, and offers additional measures. You can find SAC 025, Fast Flux Hosting and DNS, here.
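The rapid change of web site and name server addresses described above can be seen in repeated DNS lookups. The following is an added example, not code from the SSAC Advisory or from this weblog: the observations are constructed, the `.example` domains and addresses are placeholders, and both thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample: (seconds, domain, record kind, TTL, addresses returned).
# "A" = web site addresses, "NS" = addresses of the domain's name servers.
OBSERVATIONS = [
    (0,   "shop.example", "A",  86400, {"192.0.2.10"}),
    (600, "shop.example", "A",  86400, {"192.0.2.10"}),
    (0,   "shop.example", "NS", 86400, {"192.0.2.53"}),
    (600, "shop.example", "NS", 86400, {"192.0.2.53"}),
    (0,   "flux.example", "A",  180, {"198.51.100.4", "203.0.113.77"}),
    (300, "flux.example", "A",  180, {"198.51.100.91", "203.0.113.12"}),
    (600, "flux.example", "A",  180, {"198.51.100.200", "203.0.113.5"}),
    (0,   "flux.example", "NS", 300, {"203.0.113.130"}),
    (300, "flux.example", "NS", 300, {"198.51.100.17"}),
    (600, "flux.example", "NS", 300, {"203.0.113.201"}),
]

MAX_TTL = 600      # assumed threshold: short TTLs force frequent re-resolution
MIN_DISTINCT = 3   # assumed threshold: distinct addresses seen in the window
LABELS = {(True, True): "web+dns-flux", (True, False): "web-flux",
          (False, True): "dns-flux", (False, False): "stable"}


def churn(observations):
    """Return {domain: {kind: (min_ttl, distinct_address_count)}}."""
    ttl = defaultdict(lambda: defaultdict(lambda: float("inf")))
    seen = defaultdict(lambda: defaultdict(set))
    for _ts, domain, kind, record_ttl, addrs in observations:
        ttl[domain][kind] = min(ttl[domain][kind], record_ttl)
        seen[domain][kind] |= addrs
    return {d: {k: (ttl[d][k], len(seen[d][k])) for k in seen[d]} for d in seen}


def classify(observations):
    """Label each domain by which of its address sets are changing rapidly."""
    def fluxing(stats):
        min_ttl, distinct = stats
        return min_ttl <= MAX_TTL and distinct >= MIN_DISTINCT

    none_seen = (float("inf"), 0)
    return {domain: LABELS[(fluxing(kinds.get("A", none_seen)),
                            fluxing(kinds.get("NS", none_seen)))]
            for domain, kinds in churn(observations).items()}


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print(domain, verdict)
```

Short TTLs and many addresses also occur with legitimate load balancing and content distribution, so a flag from a check like this is a reason to investigate, not a verdict.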

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID669 by Dave Piscitello  


Fri, 18 Jan 2008 00:00:00 00, 667
Hello? It's a SECRET ballot

Voting is a privilege in the United States (our Constitution does not guarantee a "right to vote", only that our Congress is elected by "The People"). Voting is conducted as a secret ballot to assure integrity of the process, i.e., to ensure that a citizen is not coerced into voting for a particular candidate.

We hold primary elections to choose candidates for presidential elections. As we approach the dates for South Carolina primary elections, campaigners and pollsters are as numerous, annoying, and *destructive* as locusts.

Destructive? Absolutely.

IMO, asking a citizen to disclose who he (or she) intends to vote for compromises the intended private act of casting a ballot. It's no different from asking an individual to share what he'll use as a password or PIN. Aggregating responses by citizens who treat the privilege of voting so lightly that they willingly disclose their vote undermines the integrity of the vote in several, destructive ways.

  • No pollster or campaigner has asked me if I am a citizen and entitled to vote, nor can they repudiate any claim that I make in this regard. This taints the sampling.
  • Pollsters and campaigners have no way to determine if I lie or if I will change my vote; this, too, taints the sampling.
  • Pollsters and campaigners can demonstrate statistically that the stated margin of error used to compensate for invalid responses is accurate. The skeptic in me concludes that the published margin of error is one that seems plausible to people who put faith in polls.
  • People who put faith in polls may change their vote or decide not to vote if their candidate is too far behind (or ahead). This is a negative influence that elections can do without.

Primaries will continue for months, candidates will be nominated, and the polling process will persist until and beyond Election Day, November 2008. Don't answer pollsters and campaigners except with the following, "Are you aware that we use a secret ballot in US elections to assure that my and every voter's choice is *confidential*? How are my interests served by disclosing my vote to you?"

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID667 by Dave Piscitello  


Fri, 11 Jan 2008 00:00:00 00, 666
A simple test to detect a phishing or scam site

Suppose you attempt to purchase a product with a credit card on a site you've never visited before. You find the product you want, add it to your cart, and proceed to checkout.

You connect with HTTPS:// for that warm and comfy feeling everyone gets when they begin a *secure transaction* ;-) But - oh my! - your browser warns you that some aspect of the certificate is suspicious; for example, the name of the server does not match the name in the server's certificate. This sometimes occurs when a company issues certificates from its own certificate authority, and that authority is not included in your browser's built-in store of trusted authorities. A similar warning may pop up if an e-merchant's certificate lifetime has expired. At this point, you can conclude that the merchant's web administration is possibly lax but the merchant may be reputable.

You are now faced with several choices. Abandon the purchase or restore your shaken confidence in this merchant by inspecting the certificate. If you choose the latter, and before you click on the popup that says, "yes, accept this certificate, get out of my face", you might want to try this.

Complete the checkout form, but fill in some of the personal and credit card fields with incorrect data; in particular, provide an incorrect credit card number. If the merchant accepts the purchase, you probably shouldn't trust the site and you ought to report the site to an antiphishing group. If the site tells you that the credit card (and personal) information is incorrect and asks you to try again, you can feel better about proceeding with the transaction.

This check is no guarantee against a very sophisticated deception. If you are uncertain, and especially if the buying opportunity is too good to resist, be suspicious and abandon the transaction.

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID666 by Dave Piscitello