terriko: (Default)
2011-01-26 03:07 am

Web Insecurity: Ethical hacking? How about some ethical writing?

New post up at Web Insecurity but since it's short, you get the whole thing here:


Now, I haven't verified this at all, but here's an interesting link for you: Ankit Fadia / Manu Zacharia - "Network Intrusion Alert" Heavily Plagiarized.


An extremely detailed analysis has been performed for the first chapter (10 pages) to show the scope and method of plagiarism. Our analysis shows that roughly 90% of the first chapter, including the six graphics used, has been taken from other sources. Due to time constraints, notes are used for brevity for the rest of the material.


Given my experiences with plagiarism among my undergraduate students and the recent Cooks Source plagiarism story (which attracted quite a lot of attention)... I'm sadly inclined to believe that this entire book may be plagiarized.

What's funny about this story is that the book in contention here is titled "Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection." Emphasis mine.
terriko: (Default)
2011-01-07 02:16 am

Recent writings: privacy, young scientists, academia

Some fun recent stuff:



And then some more sad stuff in the form of a round-up of the links I've seen lately about women leaving academia. Poignant for me given that I've got a contract that'll take me away from academia... although I'm actually leaving mostly for the "work that has impact" reason and not so much for the others.

And then one thing that I didn't write (but I wish I had):

Let's say that fighting sexism is like a chorus of people singing a continuous tone. If enough people sing, the tone will be continuous even though each of the singers will be stopping singing to take a breath every now and then. The way to change things is for more people to sing rather than for the same small group of people to try to sing louder and never breathe.


Isn't that just the way of it? Thanks Mary for sharing that one.
terriko: (Default)
2010-12-14 01:14 am

Web Insecurity: A brutally honest privacy policy

Short post up on Web Insecurity about a hilariously, brutally honest privacy policy. An excerpt from the policy:


So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.


You can read the whole policy here or you can read my summary and commentary on Web Insecurity.
terriko: (Default)
2010-11-03 12:22 pm

Web Insecurity: Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?

Yesterday, I talked about why end-users don't care about security and how that actually makes a certain amount of sense for them since the cost of behaving more securely can overwhelm the cost of an actual breach.

However, what I didn't talk about is whether this is true for companies. A single security breach in a single user account maybe doesn't cost a company much, but if breaches get common enough that they start losing users, it could be a problem with a much higher cost.

While users trying to protect themselves from curious folk running Firesheep are counseled to use a VPN, website owners can fix the problem at their end by serving the whole session over SSL, so the session cookie that Firesheep captures never travels in the clear. But SSL was thought to be computationally costly, and even environmentally costly because of the supposed need for extra electricity and machines.

But who's been looking at what those costs actually are?
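As an added example (not from the original post), here is a small audit of the response headers a site owner controls, which is where the Firesheep fix actually lives: moving the site to SSL only helps if the session cookie is also marked Secure, so browsers never send it over plain HTTP, and a Strict-Transport-Security header keeps the first request off HTTP as well. The sample responses and the session-cookie name heuristic are constructed for illustration.

```python
"""Check whether a site's response headers actually close the Firesheep hole.

Added example, not from the original post. The sample responses below are
constructed, and the session-cookie name heuristic is an assumption.
"""

SESSION_HINTS = ("session", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    """Heuristic: cookie names containing these substrings usually carry the login."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(headers):
    """headers: list of (name, value) pairs. Returns a list of findings; empty means OK.

    Firesheep sniffs the session cookie off an open network. Serving the site
    over SSL only helps if the browser never sends that cookie over http://,
    which is what the Secure attribute enforces; HSTS stops the first request
    (typically a typed 'site.com') from going out in the clear at all.
    """
    findings = []
    saw_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            saw_hsts = True
        elif lname == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if not looks_like_session_cookie(cname):
                continue
            if "secure" not in attrs:
                findings.append(f"{cname}: missing Secure, cookie still travels over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"{cname}: missing HttpOnly, cookie readable from injected script")
    if not saw_hsts:
        findings.append("no Strict-Transport-Security header, first request can still be plain HTTP")
    return findings


# Constructed samples: what a pre-Firesheep site looked like, and the fixed version.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=4f3c2a1b; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),          # not a login cookie, ignored
]
FIXED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=4f3c2a1b; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
```

Running it against the weak sample reports three findings and against the fixed sample none; in practice you would feed it the headers from a real login response, which is exactly the response Firesheep was built to profit from.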


Read the rest at Web Insecurity
terriko: (Default)
2010-11-02 01:49 pm

Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?


Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.




He was appalled that people, even when warned, would ignore a security flaw, but it's actually well known that people reject advice. The interesting part of the story comes with Cormac Herley's paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" -- it turns out that it makes perfect sense that people refuse to do security things, and fixing the flaws that firesheep draws attention to is just another example of where security advice just isn't worth following.

You can read the full version of this post on Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?
terriko: (Default)
2010-10-29 01:25 am

WebInsecurity:Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

Originally posted on Web Insecurity, but it's short so this is a full cross-post.

Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws



This maybe shouldn't surprise anyone, but Mashable is reporting that Facebook Lobbied to Kill Social Networking Privacy Act in the USA.


It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.


Incidentally, Facebook has already broken Canadian privacy law (they're not the only ones), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this really doesn't sound like the actions of a socially-responsible company. Very disappointing.
terriko: (Default)
2010-10-28 10:43 am

Recent writings: Geek Feminism, Web Insecurity, CU-WISE Blog

Tuesday's post on Geek Feminism entitled "Quick Hit: Men, Medicine, and Meritocracy vs Affirmative Action" has some interesting discussion going on in the comments. The article is about how med schools in Canada are seeing more female applicants than male ones (and are accepting a lot of women) and some of the "stealth" affirmative action that's been taken to keep medicine from getting very unbalanced.

Wednesday's post on Web Insecurity is about firesheep. Nothing too insightful, just lauding the cleverness of it in a social hacking sense, and thinking, "why didn't we ever bother to build this in university?" (We did similar hacks for fun and education of our peers.)

Wednesday's CU-WISE blog post is on the subject of Dot Diva: The Webisode. (You can also see an extended version of the dot diva post on Geek Feminism.) We see a lot of outreach aimed at teaching girls computer science, but this is a project that tries to tackle the image of computer science. Their inspirations included the changed attitudes towards forensics thanks to shows like CSI. I'm torn because I found parts of the webisode awkward, but others fun, and I really think they've got some good brains and ideas behind this project.

Thursday's Web Insecurity post Why 12 year olds may be our best bug hunters is about this cool 12-year-old boy named Alex Miller who collected on one of the Mozilla bug bounties. I always find adult reactions to smart kids can be a bit strange and sometimes condescending, so this is me musing on how the 12-year-olds I've worked with are actually pretty awesome.

In non-blogging news, I'm working on some stuff about web standards vs attacks and vulnerabilities that I'll probably be posting privately soon for comments and ideas before I start putting together more comprehensive ideas for the IETF websec group. Their current discussion on DNSSEC irks me because it seems... mildly irrelevant to some of the real problems I assumed the group was destined to solve. I'm biased on the subject of DNSSEC (see The Futility of DNSSec), but surely websec should be talking about more broad initiatives?
terriko: (Default)
2010-10-11 08:44 pm

Web Insecurity: Does expiring passwords really help security?

Yet another crosspost. Been a little while for the security blog, but there's always neat stuff coming out of ACM CCS. I expect I'll hear more about it when I head in to work this week.



[Photo: "Change is Easy", originally uploaded by dawn_perry]

I've heard a lot of arguments as to why expiring passwords likely won't help. Here's a few:


  • It's easy to install malware on a machine, so the new password will be sniffed just like the old.
  • It costs more: frequent password changes result in more forgotten passwords and support desk calls.
  • It irritates users, who will then feel less motivated to implement other security measures.
  • Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...

And yet, many organizations continue to force regular password changes in order to improve security. But what if that's not what's really happening? Three researchers from the University of North Carolina at Chapel Hill have unveiled what they claim to be the first large-scale study on password expiration, and they found it wanting.
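As an added example (not from the original post, and not a reproduction of the study), here is the check an expiry policy would need before it could claim any benefit at all: rejecting a new password that is just a transform of the old one. The transform set (bump a trailing month or number, flip case, add or change a character or two) is an assumption about the shortcuts the last bullet above describes; an attacker who holds the old password tries exactly those first.

```python
"""Flag new passwords that are just transforms of the old one.

Added example, not from the original post. The transform set (bump a month
or number suffix, change case, add or change a character or two) is an
assumption about the shortcuts users take under forced expiry; the study the
post refers to is not reproduced here.
"""
import calendar
import re

MONTHS = tuple(calendar.month_abbr[i].lower() for i in range(1, 13))  # 'jan'..'dec'


def split_variable_suffix(password):
    """Return (stem, suffix) where suffix is a trailing month abbreviation or digit run.

    'password-Oct' -> ('password-', 'oct'); 'Welcome2010' -> ('welcome', '2010').
    Heuristic: a word that merely ends in 'mar' or 'may' is also split, which is
    acceptable for a rejection check because it only makes the check stricter.
    """
    lowered = password.lower()
    for month in MONTHS:
        if lowered.endswith(month):
            return lowered[: -len(month)], month
    match = re.search(r"\d+$", lowered)
    if match:
        return lowered[: match.start()], match.group()
    return lowered, ""


def levenshtein(a, b):
    """Edit distance, used to catch case flips and single appended characters."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def is_trivial_transform(old, new, max_edits=2):
    """True when `new` is the kind of password a user produces to satisfy expiry.

    An attacker holding the old password tries exactly these transforms first,
    so expiry buys little against them; rejecting such choices is the minimum
    an expiry policy needs to be worth its cost.
    """
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True
    old_stem, _ = split_variable_suffix(old_l)
    new_stem, _ = split_variable_suffix(new_l)
    if old_stem and old_stem == new_stem:
        return True                      # password-Sep -> password-Oct, Welcome2010 -> Welcome2011
    return levenshtein(old_l, new_l) <= max_edits   # hunter2 -> Hunter2!


if __name__ == "__main__":
    for old, new in (("password-Sep", "password-Oct"), ("Welcome2010", "Welcome2011"),
                     ("hunter2", "Hunter2!"), ("password-Sep", "correct horse battery")):
        verdict = "rejected" if is_trivial_transform(old, new) else "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```

Note that this check needs the old password in cleartext at change time, which a site only has during the change request itself; it cannot be retrofitted onto stored hashes, which is one more reason expiry tends to get deployed without it.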

(Read the rest here.)
terriko: (Default)
2010-09-22 12:43 am

Web Insecurity: Privacy and Twitter Lists

Crossposted from Web Insecurity. Please comment there if you want to comment!

I think Twitter may have among the simplest privacy settings of any social network. Your choices are either everything you post is public, or everything you post is private.

But simple does not mean that things will stay private. Just like everything on the internet, the minute you post something someone else might choose to share it. Some researchers have actually studied how often people retweet private content on Twitter.

Something I haven't seen studied, however, is how private information can leak out through twitter lists.

Twitter allows you to make lists of people who you'd like to have grouped together. For example, I have a list of technical women who I follow. These are women in technology who I've met in person or interacted with extensively online, and I really made it for my own personal use but since it's a public list others can (and do) follow it. Presumably they're looking for more cool women to expand their social networks.

Twitter allows you to see what lists a person has been added to, and this is where it gets interesting. Let's take a look at the lists of which I am a member and see what we can learn about me.

Here are a few things you can tell at a glance:



Wait... what? Despite the fact that I explicitly chose to say a more generic "Canada" in my profile information, my current city can be determined by the fact that it shows up in several of the lists I'm on. There's of course no way to be sure that any of this is true, but when more than one person lists me as being in Ottawa it seems fairly reasonable to guess.

I'm not personally concerned (obviously, since I'm talking about all this information in a public blog post!) but some folk are much more private than I am.

So what are your options if you want to hide this information? Well, if I don't like the lists I'm on, I can... uh... There's no apparent way to leave a twitter list. I suspect one could block the list curator, but the people revealing your location are most likely to be actual real life friends: people you wouldn't want to block. So you'd have to resort to asking nicely, but that's assuming you even notice: while you can get notifications of new followers, you do not get notified when you're added to a list. I've been asked about exactly two of the lists I've been put on (thanks @ghc!) so obviously it's not the social norm to ask (I certainly have never asked anyone I've listed!)

A quick check says I can usually get the current (and sometimes some former) cities for many of my friends, as well as information related to their occupations, interests, and events they've attended. For most of these people, I know this isn't information they consider private either. But it's obviously possible that this could be a problem... I wonder how many people it affects in a negative way?
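As an added example (not from the original post), here is the inference the post describes, written down: collect the public lists a user is on, pull out place names from the list names and descriptions, and only trust a city when more than one independent curator has filed the user under it. The list memberships and the tiny place-name set are constructed; a real run would pull memberships from the Twitter API and use a proper gazetteer (or a vocabulary of employers, events or interests, since the same aggregation works for those).

```python
"""Infer a user's city from the public lists other people have put them on.

Added example, not from the original post. The list memberships and the tiny
place-name set are constructed; a real run would pull memberships from the
Twitter API and use a proper gazetteer.
"""
import re
from collections import defaultdict

# (curator, list slug, list description): lists the target account is a member of.
SAMPLE_MEMBERSHIPS = [
    ("alice", "ottawa-tech", "Tech people in Ottawa"),
    ("bob", "technical-women", "Women in technology I follow"),
    ("carol", "ottawa-geeks", ""),
    ("dave", "toronto-2008", "People I knew in Toronto"),
    ("erin", "ghc-2010", "Grace Hopper 2010 attendees"),
]

GAZETTEER = {"ottawa", "toronto", "montreal", "vancouver", "boston"}


def tokens(*fields):
    """Lower-case word tokens from list slugs and descriptions."""
    words = set()
    for field in fields:
        words.update(w for w in re.split(r"[^a-z0-9]+", field.lower()) if w)
    return words


def infer_cities(memberships, gazetteer=GAZETTEER, min_curators=2):
    """Map city -> sorted curators, keeping cities named by min_curators distinct people.

    Requiring independent curators is what turns 'someone once put me on a
    Toronto list' into 'two friends both file me under Ottawa', which is the
    corroboration the post relies on when it calls the guess reasonable.
    """
    votes = defaultdict(set)
    for curator, slug, description in memberships:
        for city in tokens(slug, description) & gazetteer:
            votes[city].add(curator)
    return {city: sorted(who) for city, who in votes.items() if len(who) >= min_curators}


if __name__ == "__main__":
    print("corroborated:", infer_cities(SAMPLE_MEMBERSHIPS))
    print("all mentions:", infer_cities(SAMPLE_MEMBERSHIPS, min_curators=1))
```

Against the constructed sample the corroborated answer is Ottawa (two curators) even though the profile field says only "Canada"; Toronto shows up only when the threshold is dropped to a single curator, which is the stale-or-wrong signal the post warns about.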

Maybe this is a potential little workshop paper if I have time to analyse a whole bunch of twitter lists. Anyone want to lend me a student who's interested in social media privacy?

Edit: A note for those concerned about not being that privacy-violating friend. You can make twitter lists private if you want (it's just not the default), so just do that for the lists you think are sensitive and you're good to go!
terriko: (Default)
2010-08-23 03:23 pm

Visual Security Policy... or what Megashark and infographics have to do with web security

I've posted the web version of the presentation I gave at HotSec. I find it amusing, and so did my audience. Here's some sample slides to give you the, ahem, picture. This should be a 3x4 grid if you see it on my blog directly, but who knows what it'll look like syndicated?

  • 83% of web sites have had a serious vulnerability
  • 64% of all sites have a security flaw right now
  • What makes the web so hard to secure?
  • There are no restrictions within a web page
  • Separation between components can mitigate attacks
  • But not many web developers use encapsulation
  • Infographics make complex data easier to understand using visuals
  • Equations allow more detailed analysis... if you understand them.
  • The people who make web pages... are also the people who make infographics
  • Visual Security Policy
  • Math is hard; let's draw boxes!
  • Visual Security Policy (ViSP)

The whole presentation I gave at HotSec is here.
terriko: (Default)
2010-08-19 03:22 pm

Webinsecurity: Privacy: Not just for people who are doing bad things

This is a cross-post from my web security blog.

I'm happy to see that Gizmodo is already recommending that people disable Facebook Places in as much as you really can. And the article has a nice step-by-step on how to limit the amount your friends can (accidentally or intentionally) violate your privacy.

But I take issue with the fact that their examples were "you're lying to your girlfriend" and "you're cheating on your wife." Seriously? I know they were trying to be funny, but the implication you get from the article is that privacy should only matter in this way if you've got something to hide. But that's not the case:

What about a parent who doesn't want to advertise to strangers the exact geo-location of the parks his kids play in every day?

What about a woman who has received threats from unpleasant people who feel that women should not be involved in open source software?  (I wish I were kidding, but this happened to me, and other people receive threats from disturbed individuals online.)

What about someone shopping for an engagement ring who meets a friend at the mall?

There's plenty of reasons one might prefer privacy. I think maybe we would do well to include this sort of example in articles, so that even those living utterly honest lives will realize that privacy is important to them and people they care about.
terriko: (Default)
2010-05-21 08:23 pm

No Web Site Left Behind: Are We Making Web Security Only for the Elite?

I put up a big post at Web Insecurity detailing my presentation at W2SP yesterday.

No Website Left Behind: Are We Making Web Security Only For The Elite?

Here's some choice slides, but you should really check out the whole presentation, or read the paper! (It's only 4 pages long and should be pretty readable even for non-academics.)

Here's 9 slides to give you an idea (in theory this should be a nice square display, but if you're not viewing this post on dreamwidth it might not be.)

  • Slide 0: No Web Site Left Behind: Are we making web security only for the elite?
  • Slide 1: Page Creators are not all Programmers
  • Slide 4: Professional web page creators often have artistic backgrounds
  • Slide 6: Web Security is for Programmers
  • Slide 11: Tainting (Fix The Code)
  • Slide 16: Non-Programmers still need Security
  • Slide 17: The Web is a Target
  • Slide 19: So... Now What?
  • Slide 20: Security costs may outweigh risks
terriko: (Default)
2010-05-12 02:29 pm

Web Insecurity: Will privacy issues herald the end for Facebook?

New post up at Web Insecurity: Will privacy issues herald the end for Facebook?



We're starting to see suggestions that the facebook ecosystem actually could collapse, not just that some tech people wish it would.

...

The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go." And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience.





As usual, Facebook fascinates me as a social statement, as much as it horrifies me as a security person. But seriously, when the Facebook games are talking about jumping ship and students are saying that Facebook is uncool, we might have to accept that this boat isn't going to float much longer. And for those who haven't heard, the new pretender to the throne is Diaspora although I admit I haven't looked at it seriously.
terriko: (Default)
2010-05-11 10:43 am

Web insecurity: The advertising social contract vs malvertisements

Wrote this post for Web Insecurity on the weekend and scheduled it for Monday... But on Monday I was busy drinking water and getting ready to donate blood, so I never posted something here. Oops.

The advertising social contract vs malvertisements: how can online advertisers earn your eyes?

It's mostly musing about how ad blocking actually makes you safer while web browsing, and whether advertisers will wind up rising to this challenge by giving us ads that are worth unblocking or ads that go beyond banners. I gave up my TV years ago, and I still have people telling me about great TV advertisements I missed. Very few people tell me about banner ads I missed. And I think the last time was those Evony ads which is an entirely different category of "you've got to see this!"

In other web security related news, or perhaps Terri-in-web-security related news, I found out last night that my W2SP talk has to be 5-10 minutes long rather than the 15-20 I expected. This presents a challenge, but I can rise to it. Just not in time to do a practice run at 3pm today as I'd planned. I actually have under 10 minute slides from my presentation the week before last, but I skipped some stuff in that talk that I need to put in to the final one, so we'll see how that goes.

Anyhow, if you're curious here's the W2SP schedule -- Apparently there's still space in the workshop if you're in the bay area and interested in attending a web security workshop next week.
terriko: (Default)
2010-05-08 12:18 pm

Web Insecurity: Why Facebook is like your psycho ex

Wrote a Web Insecurity post last night: Why Facebook is like your psycho ex.


But websites are about as trustworthy as the worst psycho ex: you never know when policies will change, the website will get bought out by someone who has different policies and now controls your data, or someone will exploit a security hole in the website. At least ex-friends aren't usually bought by megacorps who profit from selling all their mementos of your relationship. And probably, unlike websites, 64% of your friends don't have a security flaw.


Been a while since I wrote for that blog, but I'm going back into research mode since paper writing season is over for me, and I'm over my flu, so I'm hoping I'll be able to write more. But what really inspired me was an entertaining if spammy email from $security_company's social networking delegate claiming that I'm a "leading blogger" within the web security industry. Some "leading blogger" when I hadn't posted since February!
terriko: (Default)
2010-02-17 03:20 pm

Web Insecurity: How Foursquare can help people steal your stuff. Want to buy some privacy insurance?

New post to Web Insecurity:

How Foursquare can help people steal your stuff. PS - Want to buy some privacy insurance?

I talk a bit about the totally awesome PleaseRobMe.com and meditate a little on what it would take for people to care about privacy in a way that would keep them safe. Conclusion? They never will, so if I really want to make money I should be selling privacy insurance. If only I could figure out how to make that work... Can't you just imagine a team of lawyers descending upon your mother to do damage control when your friends' drunken antics get leaked through Facebook?
terriko: (Default)
2010-02-10 11:40 pm

Web Insecurity: Bank being sued for teaching customers bad security habits

Bank being sued for teaching customers bad security habits

Really short version: Turns out, it's a terrible idea to teach your customers bad habits.

Longer version: And by bad habits, we mean the digital equivalent of saying, "of course our agents hang out in dark alleys. You should totally go there and give your wallet to strangers if they ask."
terriko: (Default)
2010-02-08 11:41 am

Web Insecurity: Amex thinks shorter passwords without special characters are more secure

Another post to Web Insecurity. This one is pretty much explained by the title:


Amex thinks shorter passwords without special characters are more secure

I was working on a background section of my thesis proposal and was talking about how some misconceptions regarding security policies can result in web sites being a lot less secure. But [American Express] takes security misconceptions to a new low...


(Read the rest. And weep. Or laugh. It's pretty terrible.)
terriko: (Default)
2010-02-07 01:19 pm

Web Insecurity: Barcodes for breaches

This post is so short that I figured I might as well copy the whole thing from Web Insecurity. Sorry about the full duplicate!


Barcodes for breaches



[QR code image] Barcode: <script>alert("test")</script>

I'm highly amused by the XSS, SQL Injection and Fuzzing Barcode Cheat Sheet. Who knew security attacks could look almost... pretty? It's just standard XSS and SQL injection test code translated to bar codes, so they could be used as injection vectors. I know I've scanned codes to grab an app I want faster on my phone, and I'm seeing codes popping up in the free daily papers, which I find somewhat interesting given that early attempts to get people to use barcodes have met with commercial failure and ridicule. Oh well, it's all ok now that we have smartphones, right?
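As an added example (not from the original post), here is why the barcodes are more than a joke: a scanner usually behaves like a keyboard, so whatever was printed lands in the same field a user would type into, and the code that consumes it decides whether the payload runs. The scanned strings are constructed stand-ins for what the cheat sheet encodes, and the inventory table is a toy; each consumer is shown in its vulnerable and its fixed form.

```python
"""What happens when a scanned barcode is treated as trusted input.

Added example, not from the original post. The scanned strings are
constructed stand-ins for what the cheat sheet encodes; the inventory table
is a toy. A barcode scanner usually behaves like a keyboard, so whatever was
printed ends up in the same field a user would type into.
"""
import html
import sqlite3

SCANNED = [
    "ABC-12345",                          # a normal SKU
    '<script>alert("test")</script>',     # the XSS barcode pictured above
    "' OR '1'='1",                        # classic SQL injection
]


def make_db():
    """Toy inventory table, in memory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE inventory (sku TEXT, item TEXT)")
    con.executemany("INSERT INTO inventory VALUES (?, ?)",
                    [("ABC-12345", "widget"), ("XYZ-99999", "gadget")])
    return con


def lookup_unsafe(con, scanned):
    """Query built by string concatenation: barcode content becomes SQL."""
    return con.execute(f"SELECT item FROM inventory WHERE sku = '{scanned}'").fetchall()


def lookup_safe(con, scanned):
    """Parameterised query: barcode content is only ever a value."""
    return con.execute("SELECT item FROM inventory WHERE sku = ?", (scanned,)).fetchall()


def render_unsafe(scanned):
    """Scan-log page that echoes the barcode straight into HTML."""
    return f"<li>Scanned: {scanned}</li>"


def render_safe(scanned):
    """Same page with the barcode HTML-escaped before it reaches the markup."""
    return f"<li>Scanned: {html.escape(scanned, quote=True)}</li>"


if __name__ == "__main__":
    con = make_db()
    for code in SCANNED:
        print(repr(code))
        print("  unsafe lookup:", lookup_unsafe(con, code))
        print("  safe lookup:  ", lookup_safe(con, code))
        print("  unsafe render:", render_unsafe(code))
        print("  safe render:  ", render_safe(code))
```

The injection barcode makes the concatenated query return every row while the parameterised one returns nothing, and the script barcode survives into the unsafe page as live markup while the escaped page shows it as text. The lesson is the usual one: the scanner is just another untrusted input channel, not a reason to skip the checks you would apply to a form field.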

Anyhow. This is still an entertaining attack vector. Maybe governments (such as my own!) will ban bar codes as hacking tools next?