Common Paradox Tech Blog

Mobile phones, Computers, Macs, apps, news, reviews, tech tips

Entries Tagged ‘Computer Security’

Computer Scientist Looks At ICBM Security

An anonymous reader writes “Computer security guru Matt Blaze takes a tour of a decommissioned ICBM complex in Arizona. Cool photos, insightful perspective on two man control, perimeter security, human factors and why we didn’t blow ourselves up. From the article: ‘The most prominent security mechanism at the Titan site, aside from the multiple layers of thick blast-proof entry doors and the fact that the entire complex is buried underground, was procedural: almost all activities required two person control. Everywhere outside of the kitchen, sleeping quarters and toilet were “no lone zones” where a second person had to be present at all times, even for on-duty members of the launch crews.’”

Read more of this story at Slashdot.


Opinion: Harmless iPhone worm will spawn more dangerous offspring

Computer security headlines are dominated today by the discovery over the weekend of the world’s first iPhone worm, dubbed Ikee.

No doubt the fact that it changed your lock wallpaper to a picture of 1980s pop throwback Rick Astley and displayed a message saying “Ikee is never going to give you up” didn’t do it any harm in catching attention.

The Ikee worm can only infect jailbroken phones (those iPhones which have been tinkered with by their owners to run applications not approved by Apple) that have installed SSH and not changed their default root password.

That may sound like quite a combination of factors, but it’s surprising how many people have chosen to jailbreak their phones to gain access to programs that Apple would prefer they didn’t run.

It didn’t take much Googling and internet detective work for me to determine that the author of the worm was 21-year-old Ashley Towns, a student living in Wollongong, New South Wales. He’d been pretty careless in covering his tracks and since his “outing” has been courting the media via his Twitter page.

Blame boredom

Inside the worm’s code Towns pre-empted a question that many were likely to ask about why the worm was written:

“Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn’t anyone RTFM anymore?”

But can it ever be right to write a virus?

I don’t think so.

Even if you are concerned about users being lax about computer security, it is still illegal to break into their devices and change data. It’s even more irresponsible to release a worm – that by its very nature spreads virally under its own steam. That means, even if the hacker regrets his past actions and doesn’t want his worm to spread anymore he can’t stop the attacks from happening.

There are ways of raising awareness about security issues without breaking into people’s property – a responsible computer enthusiast would have stopped well short of releasing a worm.

Worryingly, Towns told the media that he personally infected 100 jailbroken iPhones, which then would have gone on to try to infect other devices.

Furthermore, the code for the iPhone worm is now available for download from the internet. Ashley Towns’ original incarnation of the Ikee worm may have been mostly harmless compared to most of the financially-motivated malware we see today – but who is to say that more money-orientated hackers won’t write a more dangerous version?

A future version could be programmed to spread worldwide rather than just in Australia, and could silently steal private information from your iPhone.

My prediction is that we’re going to see more attacks like this in the future.

So, if you’re an iPhone user who has jailbroken their phone in order to add functionality that Apple may have denied to them, please change your root password and take security seriously. If you’re careless you could fall foul of a hacker.

——————————————————————————————————-

Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he’s not updating his blog on the Sophos website you can find him on Twitter at @gcluley.

100 Open Technology Courses That Would Have Saved You a Lot of Money On Tuition [Education]

When I think about all of the money I spent on college tuition only to find that the internet is riddled with free technology courses from prestigious schools like MIT.

To make things easier, OnlineCourses has put together a list of 100 open tech courses and broken them down into 10 categories: Computer Science and Engineering, Computer Security, Programming, The Web, Software, Information Technology, Communication Technology, Technology in Education, Tech Math and Technology and Society.

Looking over the list, about 98% of the courses come from MIT, so you know you are going to learn something valuable. Admittedly, some of the courses are a bit out of date, but they should provide you with a foundation on useful topics like computer systems engineering, C++, computer graphics, Flash and database systems to help you decide whether or not to pursue your education further. Hit the link for the full course list. [OnlineCourses]



Facebook Password Reset Confirmation Email Contains Virus [ALERT]

Another new virus is spreading through social networks, this time, via Facebook. This one – known as Bredolab – masks itself as a “Password Reset Confirmation Email,” appears to come from Facebook, and attaches a file that purports to contain a new password.

That file is actually a trojan horse that will download a host of nasty files from the Web and infect your computer with them. Email security firm MX Lab explains further:

“Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).”

The way to avoid this one: if you didn’t request your password from Facebook, there’s no reason you should be getting a password reset confirmation email, so don’t open it. Further, even if you did, Facebook would not send your new password as an attachment. Finally, if you’re still not sure, take a look at the full details of the email – if the mail servers don’t belong to Facebook, you know the message is not legit.


WebOS 1.2 Fixed A Serious File Security Issue

The webOS 1.2 update brought many much-appreciated new features, updated old features and software bug fixes. Of course, there are also a few issues to deal with (especially when it comes to Exchange), but overall most users are enjoying the update.

There is one interesting, rather nondescript, mention on the 1.2 changelog:

Security
This release addresses several security issues with Palm webOS software.
We would like to thank Townsend Ladd Harris for his help in identifying some of the issues addressed in this release.

Townsend Ladd Harris runs this computer security blog and has reported several security issues with the WebOS in previous versions. What he found in 1.1 was pretty serious.

The security issue in question concerned the email application and malicious code in emails. Essentially an email with malicious code could provide remote access to files on the WebOS device. Harris has even gone so far as to demonstrate the process in this flash video, showing how potentially devastating this malicious code could be; all your emails and contacts snatched simply by opening a malicious email.

In other words – thank heavens for webOS 1.2.  If you’re holding off on updating (or have downgraded back to 1.1 because of Exchange compatibility), we’re thinking it’s safer to get your Pre up to date.

Special thanks to Townsend Ladd Harris

Schneier On Un-Authentication

Trailrunner7 writes “Bruce Schneier writes on Threatpost.com: ‘In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.’”



Ants Vs. Worms — Computer Security Mimics Nature

An anonymous reader writes with this excerpt from Help Net Security: “In the never-ending battle to protect computer networks from intruders, security experts are deploying a new defense modeled after one of nature’s hardiest creatures — the ant. Unlike traditional security devices, which are static, these ‘digital ants’ wander through computer networks looking for threats … When a digital ant detects a threat, it doesn’t take long for an army of ants to converge at that location, drawing the attention of human operators who step in to investigate. ‘Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat,’ [says Wake Forest Professor of Computer Science Errin Fulp.] ‘As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.’”
