Data network connectivity developments, networking business news, and related computing items.
Wednesday, September 15, 2004
Let Your Mobile Do the Pointing: Magnetic sensors make an electronic compass, at low cost. Added to GPS, you can point at things and get info about them. 9:50:49 AM
Collection of phones that support eavesdropping: "The telephone is programmed with a telephone number and when anyone calls the spyphone, it rings and operates as a normal telephone but when the phone is called using the previously programmed spyphone number, it automatically answers without any ringing or lights and the display appears as if it is on ordinary standby" 9:17:31 AM
Unpatched PCs compromised in 20 minutes: "According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it's compromised by malware, on average. That figure is down from around 40 minutes, the group's estimate in 2003.
The drop from 40 minutes to 20 minutes is worrisome because it means the average "survival time" is not long enough for a user to download the very patches that would protect a PC from Internet threats. .. The time it takes for a computer to be compromised will vary widely from network to network. If the Internet service provider blocks the data channels commonly used by worms to spread, then a PC user will have more time to patch
[One] school is now checking the status of computers before letting them connect to the Internet. If a machine doesn't have the latest patches, it gets quarantined with limited network access until the PC is back up to date." 8:58:40 AM
A Model for When Disclosure Helps Security: "Open Source and encryption [communities] view that revealing the details of a system will actually tend to improve security, notably due to peer review. In sharp contrast, a famous World War II slogan says loose lips sink ships. Most experts in the military and intelligence areas believe that secrecy is a critical tool for maintaining security .. this Article provides the first systematic explanation of how to decide when disclosure improves security, both for physical- and cyber-security settings..
many computer and network security problems appear different from the traditional security problems of the physical world. The analysis focuses on the nature of the first-time attack or the degree of what the paper calls uniqueness in the defense. Many defensive tricks, including secrecy, are more effective the first time there is an attack on a physical base or computer system. Secrecy is far less effective, however, if the attackers can probe the defenses repeatedly and learn from those probes. It turns out that many of the key areas of computer security involve circumstances where there can be repeated, low-cost attacks. For instance, firewalls, mass-market software, and encryption algorithms all can be attacked repeatedly by hackers. Under such circumstances, a strategy of secrecy - of security through obscurity - is less likely to be effective than for the military case." It seems to me this model also applies to many types of public facilities where probes and attacks can be rehearsed. 8:53:47 AM
Shred, Burn, Erase: "I've purchased thrift-store PCs and junk-shop hard disks [and] I've scanned through their contents before repartitioning the drives. I've seen personal letters and business correspondence, contracts and legal papers, Social Security numbers and other customer data. All you need is to scan a few recycled hard disks to gain a healthy paranoia about junkers that contain valuable information. .. I've also seen the results of projects by researchers such as Simson Garfinkel at Sandstorm Enterprises, who found high-tech vendor source code, financial information from investment firms, thousands of credit card numbers and even internal Microsoft e-mails on secondhand hard disks he bought at swap meets and used-computer stores and on eBay. ..
Then there are recordable CDs and DVDs, the bane of any IT shop that's trying hard to keep from leaking data. They're high-capacity, unerasable, tough to destroy and easy to drop into the wastebasket -- which makes them easy pickings for anyone who decides to dig through your Dumpster." The author recommends both in-house erasure and use of a commercial recycler that charges $10-30 to erase, to eliminate single points of failure. 8:49:57 AM
Website offers Caller I.D. falsification service: "Slated for launch next week, Star38.com would offer subscribers a simple Web interface to a Caller I.D. spoofing system that lets them appear to be calling from any number they choose. .. Caller I.D. spoofing has for years been within the reach of businesses with certain types of digital connections to their local phone company, and more recently has become the plaything of hackers and pranksters exploiting permissive voice over IP systems. But Star38.com appears to be the first stab at turning Caller I.D. spoofing into a commercial venture. The service will charge a twenty-five cent connection fee for each call, and seven to fourteen cents per minute.
SecurityFocus took the site for a test drive, and found it worked as advertised. The user fills out a simple Web form with his phone number, the number he wants to call, and the number he wants to appear to be calling from. Within two seconds, the system rings back, and patches the user through to the destination. The recipient sees only the spoofed number displayed on Caller I.D. Any number works, from nonsense phone numbers like "123 4567" to the number for the White House switchboard. ..
Jepson and his partners believe that collection agencies in particular will find the service invaluable for getting recalcitrant debtors to answer the phone. .. The service does not appear to violate any federal criminal law, says Orin Kerr, a law professor at the George Washington University Law School, and a former Justice Department computer crime lawyer. "It doesn't violate the Wiretap Act or the Computer Fraud and Abuse Act or anything like that," says Kerr. But Rozanne Andersen, general counsel at the Association of Credit and Collection Professionals, believes collection agencies would be barred from using a Caller I.D. spoofing service under two federal civil laws: the Fair Debt Collection Practices Act, which prohibits false or misleading representations and unfair practices in collecting debts, and the FTC Act, which outlaws deceptive trade practices in general." 8:41:48 AM