Security Watch | Matt Hines » November 2006

November 28, 2006 | Comments: (0)

Email, spam, spam, spam, spam, spam, spam, spam, spam, spam

TAGS: Security

Okay, I thought I'd give you a little visual representation of where spam is coming from these days.

A more accurate representation of my post's subject line would be 91% to 94% of all email traversing the 'net is spam. At least according to email security vendor Postini.

Yes, that means that 6% to 9% of all SMTP traffic yields valid email and everything else has to do with enlargement, staying power, hair growth, pr0n or making you rich with Nigerian loot.

If archaeologists ever take a look at our electronic communications a thousand years from now, they're going to think we had some serious problems. There will be no doubt as to why we vanished from the planet - we obviously had an overly active libido (which we couldn't sustain), too little money and way too little hair on our heads.

Anyways, it seems that CNN has picked up this story with a vengeance this week. I really don't know why, considering the fact that this announcement came out several weeks ago.

A buddy of mine let me know that out of 700,000 emails his company received last month, roughly 40,000 were valid.

What a world we live in. And we haven't even touched on image spam...

And did I mention that over the past 12 months the daily volume of spam has risen by 120%?

Hey, take a look at this email I just got, I won the lottery in the UK! Now all I have to do is send my new friends across the Atlantic a small amount of US $$ to handle the paperwork and I'm off to travel the world!

If you're interested in spam and what some of the stats are like these days, take a look at Postini's StatTrack.

Posted by Victor R. Garza on November 28, 2006 03:31 PM

November 16, 2006 | Comments: (0)

Just a rant about DTS that has nothing to do with security whatsoever

TAGS: None

I've dealt with a lot of software and hardware in my day. And I'd like to say I know good from bad, at least in general. A year or so back I had the (mis)fortune to take the training class for DTS, the Defense Travel System, which is supposed to save the government money while allowing DoD travelers to make, in some cases, last minute travel reservations and arrangements.

I won't get into what I think is a colossal waste of time when it comes to the payment and reimbursement process for government travel, but hey, I'm just an occasional government civilian employee. Of course, after taking the training and thinking about how poorly designed the web-based system was overall, I still can't pin down if it was the whole reimbursement process or DTS in general that just didn't do it for me.

Jon Udell, having a more sophisticated programming background might have more elegant words, but I thought the whole DTS process sucked. Of course, I come from, what is to me, the more logical world of private industry. You make travel plans. You make them ahead of time and you try to save money. Or you get a nasty gram from the company CFO.

Anyway, it seems that the whole DTS is under review with less that twenty percent of those government employees who are supposed to be using the Defense Travel System actually doing so.

I guess I just feel a slight bit vindicated when I made comments about how poorly the process seemed in comparison to others travel search sites like Expedia and Orbitz. Especially since, in my experience, many government employees fly at the last minute and incur exorbitant prices (where we, as taxpayers, foot the extra bill).

And for a cost of half a billion dollars for DTS I would have expected much more...

Posted by Victor R. Garza on November 16, 2006 04:39 PM

November 11, 2006 | Comments: (0)

In Remembrance

TAGS: None

Is been my honor to have friends and students who have served and are serving in the military.

Thanks again for your service.

Posted by Victor R. Garza on November 11, 2006 09:38 AM

November 10, 2006 | Comments: (0)

Space Shuttle Discovery suffers serious bug

TAGS: Security

I was under the impression that most computer systems on this planet had already suffered through Y2K.

Alas, this time the problem is not on our planet.

I remember where I was December 31, 1999 - holding my breath wondering if the data center lights around me were going to shut down and whether the generators that were geared to provide emergency power to hundreds of servers were going to come on like they were supposed to.

As we have seen since that fateful date, we survived with nary a scratch, at least compared to the possible doomsday scenarios that could have shut down our worldwide power grid, telecommunications network and our overall infrastructure.

Unfortunately, no one at NASA seems to have learned from this lesson. I was watching CNN Headline News yesterday and saw a story that indicates NASA is yet again behind the eight-ball.

If the shuttle is in space during the transition to the new year, very bad things could happen to the shuttle and it's operation. Although no one is saying what that could really mean to the shuttle and its crew.

NASA is pushing to launch the Shuttle Discovery by December 7th so that they can bring it back before the end of the year. I wasn't aware of this, but it seems shuttles have never been in space while the transition from year to year has occurred.

I won't harp on the government regarding this lack of forethought since a federal agency helps me pay my bills most of the year. But you get where I was going with this...

Hasn't NASA had at least six years to deal with this problem? I hope we'll have Discovery back and on Terra Firma by the end of the year so that they can continue to fly in their 'normal certified mode'.

Just because it's Friday

Seems that laptop personal security took on a whole new meaning when Denise Richards used laptops to disuade the paperazzi from bothering her.

And in the I wish I could do that department

Magician David Copperfield was easily able to hide his valuables and fool thieves during a recent robbery. Too bad we can't use this trick for data security.

Posted by Victor R. Garza on November 10, 2006 09:18 AM

November 07, 2006 | Comments: (0)

Hack the Vote

TAGS: Security

Hack the Vote.

Literally.

I was out grabbing quick bite to eat this morning and happened to see a snippet of this documentary on one of the TV's in the restaurant where I was waiting for my order. Hacking Democracy came out on HBO last Thursday, 11/2, but I hadn't seen a promo for the show until this morning. I've already got my Tivo set to record because it looks like a very interesting history / commentary on electroninc voting machine deficiencies.

I saw a great snippet in the show about how the Diebold system passes all these tests, page after age of approval checkmarks, then on the last page there's one small comment on how computer system penetration testing was not performed. Hummm, this is a computer, right?

One of the most frustrating things is the secrecy part of it. Diebold made everything a proprietary secret. So every time you ask a question, they either ignore you altogether, or say, I'm sorry, that's proprietary. And then when you speculate if something is true, Diebold would say that's not how it works. Well, how does it work? Well, that's a secret. So that was very frustrating. The bottom line of this whole problem is that if we don't have the ability to authenticate our own elections as citizens, we don't live in a democracy.
Bev Harris

Posted by Victor R. Garza on November 7, 2006 11:17 AM

November 05, 2006 | Comments: (0)

Voting machines subject to being hacked

TAGS: Security

Bill Clinton just called me.

No, seriously. He just called my cell phone about five minutes ago.

Of course, I hung up on our former president. With all due respect, I was in the middle of a blog entry.

Unfortunately, I didn't have a chance to tell him about Diebold and the fact that their voting machines can be hacked. Even though 90% of Americans will be voting via these machines on Tuesday, many are fearful that there exists a potential that their votes won't be counted, and because of that fear, a multitude of people in Maryland are voting via absentee ballot.

Check out the three minute MSN video above for the lowdown, and this ten minute video below expands on the MSN video above. A more detailed paper on the Princeton research can be found here.

Security Analysis of the Diebold AccuVote-TS Voting Machine

Posted by Victor R. Garza on November 5, 2006 07:41 PM

November 03, 2006 | Comments: (0)

IE7 chokes on Symantec

TAGS: Security

I find myself, once again, wiping a medical practitioners machine because of severe trojan/spyware/malware/badware infestation.

I had to go through several sweeps before I was able to clean off this particular machine and, still not content with the results, I decided to completely wipe the machine and start fresh.

Was there a Ghost image of this machine, or even a recent backup? Of course not, but at least I had all the manufacturer's disks for this Dell laptop. I can't tell you how happy I was about that, (except that Dell still get me by not even allowing for generic networking after an XP install and making me download networking drivers on another machine and transfer said files over before I can connect out to the Internet). At least we have fat USB drives now, which make this driver transfer pain a little more bearable and makes for quick backups.

But enough about that.

Okay, this machine belongs to a cosmetic surgery office, and in the past few days I've learned more about tummy tucks, ultrasonic liposuction and breast augmentation than I care to handle. And please don't ask me about about getting you a discount on that lipo you've been thinking about having done because I really don't have any pull here.

Anyway, after the requisite 2 1/2 hours of XP, service pack and security updates (thanks Microsoft, I love blowing three hours of my life every time I do a fresh install) I decided to go ahead and install IE 7 with anti-phishing and all the rest of the bells and whistles. Of course, I had installed the client's Norton Internet Security 2006 before I did the IE7 install.

My mistake.

Yes, I know that Internet Security 2006 isn't a business solution, but it was what the customer had on hand, and I thought it was better than nothing in the short run.

Yes, I also know that I should wait until I complete installing every Windows component before installing third party apps, but what fun (read frustration) would that be?

Well, after slamming my fist into the closest solid object (nothing broken, didn't even break the skin, and at least I was near medical care should I have done any real damage) I went over to Symantec's site to solve the problem.

I actually like the way that Symantec handles issues with their products, unlike many competitors who just drop documentation on their site willy-nilly, Symantec has a task oriented approach to fixing problems. I've found that, many times, it works right off the bat. But when the troubleshooter or documentation doesn't work, you're as stuck as you can get, because I have yet to get a problem resolved with Symantec via other consumer oriented means. But, as noted above, I have little patience for products that don't work with major Windows product upgrades when I think they should.

Lucky for me the Symantec Troubleshooter fixed the problem. A few reboots later, and anticlimaticly, everything works. Yes, that's right, I can reach the Internet with no problems at all. Okay, maybe I've overreacted here. But it's still too bad that enterprise products don't have this type of troubleshooting process. I would have loved to have had this technology handy when I was having problems with creating a site to site VPN tunnel with a new vendor's product a while back.

How are your experiences going with IE7? And who do you think has the most useful support site for enterprise products? Let me know, it might save me from breaking my hand next time.

Posted by Victor R. Garza on November 3, 2006 09:39 PM