Monday, June 28, 2010
Still alive and kicking
I will soon start publishing notes on security standards again. Stay tuned.
Tuesday, April 21, 2009
Interesting concept: Open reliable messaging in a Web 2.0 world
See http://www.imatix.com/ for more information
Friday, July 27, 2007
Electronic Voting
Electronic voting is currently being deployed at very high speed in both European and US countries. Please share your views on this and on the possible problems and advantages it could have for democracy.
Question: should we leave our democratic controls to computers and the governments?
Thursday, November 09, 2006
Viruses - not only for Windows
Until now, most, if not all, viruses only plagued the Windows world, leaving users of other systems, like MacOS X, with a warm, comfy feeling of security. They were wrong. Last week, a new proof-of-concept virus that infects MacOS X executables was published. For those who want to get a peek at the technical details, see here.
Of course, it's only a proof-of-concept, never to be seen outside the labs, but it proves that a Mac virus is possible. In other, seemingly unrelated news, the Month of Kernel Bugs project has started. The first bug, published with proof-of-concept exploit code, attacks the wireless drivers of Mac systems.
So there you have it: an attack vector, and infection techniques. It's only a matter of time before someone puts the two together. So take the initiative: keep your Mac updated, enable the firewall, and install anti-virus software as soon as possible. It's not too late yet, but it's time...
Tuesday, August 22, 2006
Tuesday, August 08, 2006
Vista Security Blog opened this month
Hi folks,
Just a short notice to mention that a new security blog on Vista security opened this month... a nice place to ask questions of the MS Vista product management team about the effects of IE7+/Vista virtualization, UAC and the like...
regards,
Thursday, June 08, 2006
Why phishing works
If you only have ten minutes of free time today, spend them reading "Why phishing works" by Rachna Dhamija, J.D. Tygar and Marti Hearst. These researchers (from Harvard and Berkeley) have conducted an experimental study of people's reactions when faced with potentially fraudulent sites. The test subjects were shown 19 web sites, some of which were legitimate while others were taken from phishing site archives, and they were asked to tell which sites were legitimate and which were fake. To say that the results are appalling is an understatement.
On average, 11.6 sites were correctly identified. The worst score was 6 correctly identified sites, and the best was 18. Nobody got full marks. Interviews with the test subjects showed that little to no attention is paid to the security icons and other visual cues given by the browser (padlock icons, color changes when viewing SSL sites, ...). Knowledge of X.509 certificates was of course nil, and, unsurprisingly, dialog boxes warning that an SSL certificate did not match the web site (or was self-signed) were clicked through without being understood (when read at all). Another interesting fact is that two legitimate sites were incorrectly identified as fake in 50 percent of the cases or more.
The test subjects were not computer illiterate. Some of them spent over 80 hours per week using computers for work or at home. They were just normal computer users, like your aunt Irma or your neighbour. The bottom line is that the current security user interface of browsers is not good, and no amount of pop-up dialogs will make things better. There is a real need for a new paradigm in this field, and nobody's got the answer yet. So if you have anything to do with security software development or user interface design, send this paper to your UI specialists. This will give them something to chew on.