GDT::Security::Watchdog::Archive::Year 2009

Security Watchdog

Howard Schmidt To Be Cybersecurity Czar
Howard A. Schmidt has been named Cyber-Security Coordinator of the Obama Administration (i.e. Cybersecurity Czar). Schmidt was a cyber-adviser in President George W. Bush's White House.

The only thing I know about Howard Schmidt is that he is not the father of Google's CEO Eric Schmidt.

When it comes to computer security I try to listen to Bruce Schneier, Gene Spafford, Phil Zimmermann and Edward Felten; therefore, I am interested in what these computer security gurus have to say about Howard Schmidt. To date, I haven't been able to find much, but I did find the following.


   "Reporters are calling me for reactions and opinions, but 
    I just don't know. Schmidt is good, but I don't know if 
    anyone can do well in a job with lots of responsibility 
    but no actual authority. But maybe Obama will imbue the 
    position with authority -- I don't know."

From Spafford via

   "Well, to be correct about it, neither Bruce nor I was ever 
    contacted about taking the position or about suggesting anyone 
    to fill it."

I find this (neither Bruce nor I [Gene] was ever contacted) beyond amazing.

Spafford continued via

   "This may or may not say something about the search itself. 
    I do not know of anyone with a primarily cyber technology 
    background who was contacted -- only people with business 
    and/or military backgrounds.  This is another factor that 
    made me believe that the view of this position is skewed 
    in a direction that will limit its effectiveness."

Keyphrases... Schneier: "a job with lots of responsibility but no actual authority." Spafford: "this position is skewed in a direction that will limit its effectiveness."

[24 December 2009, top]
Using Face Recognition At Malls
Via on 2009.12.10...
   "The Sydney Morning Herald reports that face recognition is 
   being considered at Westfield's Sydney mall to catch offenders."

No place face to hide. place for crooks to hide

[10 December 2009, top]
Are the Russians Responsible for Climategate?
Critical FYI: Climategate was the result of crackers cracking into computer systems. Granted, the crackers might have been hackers, but we need to differentiate between hackers and crackers. Only a small percentage of hackers are crackers. And it is possible (probably downright easy) to be a cracker without being a hacker. Russian secret service blamed for hack

[08 December 2009, top]
Hackers Fail To Crack Brazilian Voting Machines
Potentially good news when it comes to e-voting. Fail To Crack Brazilian Voting Machines

[15 November 2009, top]
Who was Fred Cohen?
The first episode of Sesame Street aired on 10 November 1969. Fast forward 14 years...
   "1983: Fred Cohen, a University of Southern California graduate 
    student, gives a prescient peek at the digital future when he 
    demonstrates a computer virus during a security seminar at 
    Lehigh University in Pennsylvania. A quarter-century later, 
    computer viruses have become a pandemic for which there's 
    no inoculation." 10, 1983: Computer 'Virus' Is Born

[10 November 2009, top]
Conficker Remains a Problem
I had forgotten about Conficker, but it appears as though it is "alive" and doing well.
    "On Thursday [2009.10.29], researchers at the volunteer-run 
     Shadowserver Foundation logged computers from more than 7 
     million unique IP addresses, all infected by the known 
     variants of Conficker."

7,000,000 seems like a lot of "infected" computers. After 1 Year, Conficker Infects 7M Computers

[01 November 2009, top]
A Bit About Hotmail Passwords
Hotmail has been a favorite website for crackers for a long time.

In a nutshell: passwords are still important. Common Hotmail Password Revealed!

[07 October 2009, top]
Cybersecurity Requires Real-Time Processing
The headline read: "Cybersecurity debate touches a nerve."

The AP (Associated Press) report started with...

   "There's no kill switch for the Internet, no 
    secret on-off button in an Oval Office drawer."

The AP report included the following quote by Melissa Hathaway, former White House cybersecurity adviser: "We need a system to identify, isolate and respond to cyberattacks at the speed of light."

In the computing world, speed of light implies real-time.

[29 September 2009, top]
Password Hackers Are Crackers
Yikes! Even technologists at the EFF (Electronic Frontier Foundation) are calling crackers hackers.
   "This is an important point that people haven't grasped," 
    said Peter Eckersley, a staff technologist for the Electronic 
    Frontier Foundation in San Francisco. "We've been using e-mail 
    for years, and it's been insecure all that time. . . . If you 
    have any hacker who is competent and spends the time and 
    targets you, he's going to get you." Hackers Are Slippery To Collar

[11 September 2009, top]
Microsoft and FTP Defects
First, and most importantly, hackers who crack (attack) computer systems are crackers.

Second, crackers are using defects found in FTP (File Transfer Protocol).

   "Microsoft confirmed a bug in several versions of its Windows 
    operating system that could leave the door open to malicious 

   "Microsoft confirmed that hackers are actively using exploits 
    of the FTP bug to attack Web servers." in the FTP Service in Internet Information Services

[Extra] RFC 114 - File Transfer Protocol [1971.04.16]

[09 September 2009, top]
OSDV - Open Source Digital Voting Foundation
I tweeted the following on 6 September 2009.
   nanofoo I'm following @OSDV i.e. #OpenSourceDigitalVotingFoundation 
   "Fundamentally re-inventing digital voting technology." #evoting

I like how the OSDV Foundation describes itself as "a meritocratic community of technology and policy geeks, developing open source guidelines, specifications, and prototypes of high assurance digital voting systems and services." Source Digital Voting Foundation

[Extra] Recent news item concerning evoting.

   "Computer scientists from the University of California, 
    San Diego (UCSD), the University of Michigan, and Princeton 
    University have demonstrated that a Sequoia electronic-voting 
    machine could be hacked, and votes stolen, using a programming 
    technique that had not yet been invented when the machine 
    was designed."

[06 September 2009, top]
There's No One Definition For Spam
The following is hard to believe, yet I believe it.
   "[...] a student who, after sending a respectful and serious 
    e-mail to select members of the faculty about the university's 
    decision to reduce the school year by several days, was brought 
    up on charges of spamming."

The student was found guilty, but the EFF (Electronic Frontier Foundation) and others came to the student's defense and the charges were dropped. State University: Serious Student Complaints = Spam

[30 August 2009, top]
Politicians and Biometrics
I get nervous when politicians create bills that involve the use of biometrics. One Arizona politician got a biometrics-related Letter to the Editor published in the Arizona Republic, and I posted the following comment.
   Biometrics is the future and it is refreshing to see a 
   couple of Arizona politicians doing something that hints 
   of the 21st century. I feel good about Giffords' ability 
   to learn about 21st century technologies, but I can't 
   say the same for Harry.

   I looked at the "full text" of the New Employee Verification Act 
   and the term "biometrics" is used a total of five times; however, 
   no specific biometric details are given. It's almost as if the bill 
   wants to be buzzword-compliant. Granted, biometrics is an emerging 
   technology and it would be unwise to restrict it to specific types 
   (e.g. face recognition, DNA, voice, nose hair [humor], etc.), but 
   leaving it blank makes me nervous.

   Another item that bothers me is that H.R.2028 states biometric 
   data will be encrypted, but it defines zero minimal encryption 
   requirements.  In other words, the biometric data could be encrypted 
   using ROT13 encryption and that would be 100% unacceptable.

[side-bar] claims it is Arizona's homepage, but my experience with respect to hyperlinking is that they like to cause linkrot. In other words, the following hyperlink might stop working at some point in time. does tout biometrics for firms

[30 August 2009, top]
What Exactly Is a Cybersecurity Emergency?
My heart rate exponentially increases every time I read about politicians considering bills that are related to computing. It appears that at this point in time, the definition for "cybersecurity emergency" gives the President of the United States of America way too much power. would give president emergency control of Internet

[29 August 2009, top]
Is Malware Growing Exponentially?
The following tweet from Pingdom prompted this posting.
   pingdom Google malware stats: 
   "The number of entries on our malware list has more than 
   doubled in one year"

Sounds like malware is experiencing exponential growth. Statistics Update

[Extra] I tweeted the following the day prior to receiving the Pingdom tweet.

   I saw this first on the TV news... Crackers are using 
   some actress named Jessica Biel to crack computers.

Typical headlines found on the web.

   "Cybercriminals Favor Jessica Biel as Malware Bait"

   "Obsessions with Jessica Biel lead to a world of malware hurt"

The headline "Jessica Biel Causes Malware?" at is a bad headline because it makes it sound as if Jessica Biel is a cracker.

[27 August 2009, top]
Healthcare IT Crackers--Get Ready
Two tweets by @nanofoo.
   nanofoo Great document... "How To Become a Hacker" by 
   Eric S. Raymond;
   "hackers build things, crackers break them"~esr #quote

   nanofoo "New Epidemic Fears: Hackers" The headline 
   should read "Crackers" not "Hackers."
   #HealthCareReform #computing

There is lots of work that needs to be done in healthcare IT, and I have zero doubts that it will be a gold mine for crackers.

[17 August 2009, top]
Cyber-Attacks Are a Form of Cyber-Warfare
It appears as though North Korea wants to gain some experience in cyberwarfare. The US government currently has 32 czars, but no cybersecurity czar (yet). 'cyber attacks' hit S Korea

[09 July 2009, top]
Western Technology Usage in Iran
Two tweets from John Perry Barlow (co-founder of the EFF) posted on or around 22 June 2009.
   johnperrybarlow EFF 101. We've long held that tools to 
   guard copyright, etc. can serve tyranny. WSJ vindicates:

   johnperrybarlow Western companies sell "deep packet inspection" 
   technology to Iran government (via @mkapor)

[22 June 2009, top]
Obama Admits Cybersecurity is a Huge Issue
I agree with Obama with respect to the following...
   "America's economic prosperity in the 21st century 
    will depend on cyber-security."--Barack Obama

Obama is also correct when he says, "acts of terror could come from a few keystrokes on a computer."

It was also refreshing to read that Obama continues to "remain firmly committed to net neutrality." on cyber-crime: "It has happened to me"

[29 May 2009, top]
Bullfoo = Meier Cyberbullying Prevention Act?
Q: What is one way bullfoo can be defined?

A: The Megan Meier Cyberbullying Prevention Act [H.R. 1966]

[05 May 2009, top]
Beware of Bots
This is old, but I have finally got around to posting... Robot Network Seeks to Enlist Your Computer

[Extra] IT World ponders an interesting question... A Company Folds, Who Guards Your Data's Privacy?

[03 May 2009, top]
Crackers Drawn To DoD Systems
The Wall Street Journal (on 2009.04.21) reported that "Computer spies [crackers] have broken [cracked] into the Pentagon's $300 billion Joint Strike Fighter project." WSJ went on to report the following.
   "The Joint Strike Fighter, also known as the F-35 Lightning II, 
    is the costliest and most technically challenging weapons program 
    the Pentagon has ever attempted. The plane, led by Lockheed Martin 
    Corp., relies on 7.5 million lines of computer code, which the 
    Government Accountability Office said is more than triple the 
    amount used in the current top Air Force fighter."

7.5 million lines of code sounds like a lot of code. Spies Breach Fighter-Jet Project

[21 April 2009, top]
South Africa Has Biometric Passports
They are a couple of years behind schedule, but South Africa now has biometric passports.
   "The new passports have an embedded RFID chip which stores 
    the owner's biometric information, including personal details, 
    a high-resolution colour photograph and fingerprint information." Africa rolls out biometric passports

[20 April 2009, top]
Using Buffer Overflows to Crack the Smart Grid?
Lots of money is going into the development of the "Smart Grid" for distributing electricity, but some security experts are concerned that it won't take lots of smarts to crack the Smart Grid.
   "According to network security researchers and product 
    specialists alike, the Smart Grid may also be a breeding 
    ground for the types of cyberattacks that could leave it 
    not only hacked, but blacked out entirely."

Build it and they will crack it, and it is being built.

   "According to IOActive, there are more than 2 million Smart 
    Meters used in the country already, and an estimated 73 
    utilities nationwide have ordered 17 million more of them."

Hard to believe, but I believe it when I read that even the Smart Grid has buffer overflow defects.

   "Research conducted throughout the industry has independently 
    concluded these technologies are susceptible to common security 
    vulnerabilities such as protocol tampering, buffer overflows, 
    persistent and nonpersistent rootkits, and code propagation." National Smart Grid Vulnerable To Attacks

[23 March 2009, top]
Dot-Gov Goofiness
Security by obscurity doesn't combat serious cracking attempts.
   "Despite a presidential promise of openness in government, GSA 
    officials decline to release the full list for fear of cyberattack."

GSA is the General Services Administration.

   "The GSA claims that 'release of the requested sensitive but 
    unclassified information presents a security risk to the top 
    level Internet domain enterprise.'"

This does not reflect positively on the SysAdmins of dot-gov systems. Keeping Its .Gov Domain Names Secret

[03 March 2009, top]
Crackers + Flashmob + ATMs = $9 Million
I posted the following to my on 8 February 2009.

Back on 17 December 02008 I had a posting titled "Twitter and flash mobs" in which I wrote: "I don't hear about flash mobs these days, but it sure seems as though Twitter would be a great tool for flash mobbers."

I hadn't heard of the following when I did my posting...

A computer system is cracked (not hacked) by a cracker (not hacker). Information obtained (stolen) from the cracked system is distributed to a flashmob. The flashmobbers steal $9 million from "over 130 different ATM machines in 49 cities worldwide in a 30-minute period on 8 November 02008." [source: FBI]

People who use computers for criminal activity are crackers, not hackers. Granted, some crackers are hackers, but it is easy to be a cracker without being a hacker. True hackers do not use computers for criminal activity.

The following was copied from Eric Raymond's "How To Become A Hacker" essay.

   "Unfortunately, many journalists and writers have been fooled into 
    using the word 'hacker' to describe crackers; this irritates real 
    hackers no end.  The basic difference is this: hackers build things, 
    crackers break them." -- Eric Raymond To Become A Hacker

[08 February 2009, top]
Coming Soon? Cybergeddon
This is the first time I've ever heard the term cybergeddon.
   "Cyber attacks pose the greatest threat to the United States 
    after nuclear war and weapons of mass destruction, and they 
    are increasingly hard to prevent, FBI experts say."
    --ABC News (Australian Broadcasting Corp.) security experts fear 'cybergeddon'

[10 January 2009, top]
Are University Computer Systems More Secure?
A few years ago the Security Watchdog had numerous postings about university computer systems being cracked, but it appears as though university systems have gotten more secure.

But then again... 10 Threats to Computer Systems Include Professors and Students

[10 January 2009, top]
About the Security Watchdog
The Security Watchdog starts 2009 with 468 postings. This blog was started during March of 2000 and the current world of computer security is worse now than it was then. Needless to say, there will always be content for the Security Watchdog for at least the next couple of years.

Security Watchdog Archives: 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000

[01 January 2009, top]

Creator: Gerald Thurman []
Last Modified: Saturday, 05-Jan-2013 11:17:40 MST

Thanks for Visiting