July 2006 Archive

UK spammers on the ban plan

July 18th, 2006

There is a new plan afoot in the UK to deal with spammers and hackers - ban them from the internet.

The problem is a technological one, but now it is a political one. Next thing you know, companies will be getting fines for not having anti-spam measures on their email servers. While they’re at it, why not indict Microsoft for making an operating system that is weak on security (or even for offering a release date for their next insecure product)? Not going to happen, but it wouldn’t surprise me if someone tried.

The biggest issues with banning a suspected spammer/hacker from the internet are 1) they are only accused, not found guilty; 2) that in the age of anonymity, we will likely see a lot of false accusations as a result of header manipulation, IP spoofing, and other such technological means that juries have a hard time grasping; and 3) enforcement - it took years for the Feds to catch this guy - no law enforcement agency is going to be able to keep up with the flood of “suspects” when Pandora’s Box is opened.

No. It probably will happen. Send the bill to the taxpayers.

Virus writers now have a full toolbox

July 18th, 2006

Just a few years back, malicious code writers were meeting in stealthy IRC chat rooms, exchanging ideas on obscure forums, and doing their thing just for fun (and notoriety). Now, it is a money game, and in business you need efficiencies.

I couldn’t think of anything better to drive down time to market in the software game than going open source, and that is exactly what malware technicians are doing. They are leveraging tools like CVS to share code, and it wouldn’t surprise me if CVS and Subversion repositories start popping up all over the place. But how will we know when that happens?

There are now malware search engines as well.

Security product marketers may not be liars

July 18th, 2006

AOL is now pitching its Total Care security protection for PC users. Everyone is pitching something like this, so you need a bold statement to wake people up. It would be nice if a marketing statement had some truth to it as well.

“The Internet is a confusing hostile place for anyone using a PC today,” says Andrew Weinstein, an AOL spokesperson.

Doesn’t get much bolder, or truthful.

Don’t hold your breath on government data lockdown

July 17th, 2006

With breaches of all shapes and sizes occurring at the government level, you would think someone would get their act together. You are hoping (if you’re a Democrat), you are praying (if you are a Republican), and you are drooling if you are either a security industry investor or an outside crisis public relations firm with a federal contract.

Nevertheless, don’t hold your breath that the latest encryption declarations are going to change things much - securing government data is going to take a while.

No need for nofollow in Microsoft blog spam study

July 14th, 2006

Microsoft just released new research on blog spam which points a big finger at Google’s Blogspot for exacerbating the problem. Microsoft used a proprietary search tool to separate the good links from the bad, and stated that other free blog sites are subject to the same problems as Blogger.

Brian Krebs of The Washington Post noted that the research suggested Google’s anti-spam efforts are pretty weak. The “nofollow” tag attribute seems to be the biggest effort to date, and it is easy to see why that hasn’t worked.

The “nofollow” attribute is voluntary, meaning a blogger has to choose to put it in their comment and trackback functions, so all the nice bloggers put it in, and all the bad guys leave it out. Simple - and yes, some blog software comes with it turned on by default, but it is easily removed. The tag does nothing for the individual blogger - all it does is cover the butts of the search engines. And with search engines in a constant bragging rights battle over the number of pages they have indexed, it comes as no surprise that some might decide to go ahead and follow anyway. Throw ever improving blog anti-spam measures into the mix, and legitimate blogs become even less inclined to use the tag, as it disenfranchises the cross-blog communication and linking that makes the blogosphere so…interesting.
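For readers wondering what “putting it in the comment function” actually involves, here is an added example (not code from Microsoft, Google, or any blog package) of the server-side rewrite a blog would run over a submitted comment so that every outbound link carries rel="nofollow", merging with any rel values the commenter already supplied; the comment text is constructed for illustration.

```python
from html.parser import HTMLParser
from html import escape


class NofollowRewriter(HTMLParser):
    """Re-emits a comment's HTML, forcing rel="nofollow" onto every <a>."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = self._add_nofollow(attrs)
        self.out.append(self._fmt(tag, attrs, close=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._fmt(tag, attrs, close=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    @staticmethod
    def _add_nofollow(attrs):
        # Collect existing rel tokens (HTMLParser lowercases attribute names).
        rels, kept = [], []
        for key, value in attrs:
            if key == "rel":
                rels.extend((value or "").split())
            else:
                kept.append((key, value))
        if "nofollow" not in [r.lower() for r in rels]:
            rels.append("nofollow")
        kept.append(("rel", " ".join(rels)))
        return kept

    @staticmethod
    def _fmt(tag, attrs, close):
        # Re-escape attribute values, since HTMLParser hands them back unescaped.
        parts = [tag] + [k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in attrs]
        return "<" + " ".join(parts) + (" />" if close else ">")


def nofollow_comment(fragment):
    """Return the comment fragment with rel="nofollow" on every anchor."""
    parser = NofollowRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Because the rewrite happens at publication time, a commenter cannot opt out of it, which is the half of the problem a blog can control; whether the search engine honours the attribute is the other half.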

Of course, Microsoft isn’t the first bigwig to bring this Blogspot (and other free blog service) thing to light. Mark Cuban has been screaming about it for a while (see here and here). Nonetheless, it is a problem that the search engines have to deal with, and the burden should not necessarily fall on the blogosphere to do their work for them. Microsoft knows this, and for the first time in a while I have to give them kudos, just for pointing it out once again.

Powerpoint attack underway, and I don’t care

July 13th, 2006

A zero-day attack is underway against Powerpoint presentation software users.

I don’t know what the big deal is. I was setting up a meeting with a VC the other day, and I specifically noted we wouldn’t have a Powerpoint presentation with us. The guy sounded happy as a clam about it. Furthermore, Powerpoint has been under attack by this guy for a while now (in fact, he’s the one I learned to dislike it from).

Get hacked for free

July 13th, 2006

A couple of weeks back, I had a chance to converse with Mandeep Khera, Vice President of Marketing for web application security vendor Cenzic. The company provides testing tools for systems administrators, allowing the overworked to scan their web software for potential security vulnerabilities.

There are myriad products to test your applications for holes, but Cenzic takes the process to a higher level. Their base application, Hailstorm, tests for all the generic stuff like open ports, unpatched software, etc. Then, they dive into the application itself, beating it for cross-site scripting, cross-frame scripting, buffer overflow exploits, SQL disclosure, Windows command injection, and on and on and on. The output is an extremely detailed report, noting the number and type of vulnerabilities, grouped by security policy type and by Cenzic’s opinion of severity. Basic testing scripts are reusable as changes are made to systems, so auditors can make minor modifications to coincide with changes to the app itself. The database of vulnerabilities/tests is updated as often as the user likes.

Not to be outdone by the growing number of services offering remote testing, Cenzic is now pushing that as well under the new “ClickToSecure” name. Their service uses the same testing library as their flagship Hailstorm product, but with a lower cost of ownership (and application of service fees towards Hailstorm purchase should you decide to take the process back in-house). Best of all, Cenzic thinks the web is only going to be safe when everyone has filled in their holes, so they are offering a one-time ClickToSecure scan to anyone who wants one, good through September.

Yeah, you are probably asking yourself what Spamroll is doing plugging some company, but I say these guys impressed me. And by the way, up until now I was using a competing vendor for this kind of testing. I was offered the same free audit that Cenzic is presently providing to any server off the street, but after the hour-long chat and WebEx demo, I think I am going to round-a-bout with my crew and do a little more hammering on our application before we let Cenzic loose on it.

In other words, these guys know their stuff, and I’d hate to get embarrassed (I can do that any old day just by putting my foot in my mouth like I usually do).

Rush is on to buy security companies

July 13th, 2006

With Microsoft pushing further into the security space via niche acquisition and rebranding, I suspect we are going to see more and more M&A activity to counteract the gorilla’s hunger.

The latest (via The Register): Secure Computing has purchased CipherTrust, a leader in messaging security. This comes just as the Microsoft and Yahoo IM networks converge, along with threats from hackers.

Another - SurfControl gets BlackSpider, which adds appliance-based on-demand network security to SurfControl’s software portfolio.

That’s two fewer deals for the so-called predators to get hold of, but I doubt that will slow them down much.

The reality of national cybersecurity oversight

July 13th, 2006

If you are highly proficient with telecommunications and information technology, there is a job opening for you. Yes, the Department of Homeland Security’s Cybersecurity Czar post is still vacant, a year after the position was created.

Anyone with the talent to truly make a difference is almost certainly very busy nowadays, and would likely consider the position a demotion. Hence, I am not holding my breath as to its getting filled by someone competent and/or motivated to do the job, anytime soon.

VoIP phishing threat isn’t about VoIP

July 13th, 2006

As if we didn’t have better things to worry about, now we get to wonder whether an announced security threat is really a threat. The latest case to be overblown (or simply shilled) is that of VoIP phishing. The process has been labeled “vishing,” and portends danger from scammers using voice over IP to steal credit card information.

Unfortunately, VoIP isn’t the issue - it is the naivete of the person on the other end of the line. Telemarketing has long been a staple of scammers, dialing little old ladies to separate them from their social security money over a new home awning thingamajig or water purification doohickey. VoIP is being targeted because phone numbers, which are used for forwarding calls, are a little easier to come by and slightly more anonymous. Still, a VoIP number won’t be used any longer than the land line formerly connected to a bank of phones for the old time stock pump and dump shops.

Targeting credit card holders with a sense of false charges isn’t the only game being played out there either. The same is being done to PayPal users, only the mention of VoIP is nowhere to be found in that news.

My notion is that scammers are returning to their roots. They know online threats are well publicized, and that those people willing to pick up the phone are likely less inclined to have heard about them, and more inclined to follow through on some form of disclosure. Like the little old lady buying that newfangled inflatable porta-shed, sight unseen.

End note: It wouldn’t surprise me if the telcos were cheering on these VoIP “threat” announcements either.