David Harley

I spend a lot of time defending educational as opposed to purely technical solutions to security. Not that I don’t believe in the usefulness of technical solutions. However, there are many people in the security business who believe that education is a waste of time because it isn’t 100-percent effective. Unfortunately, you can make the very same argument against any technological solution. Randy Abrams and I discussed that conflict of ideas at some length in a paper for AVAR: see People Patching: Is User Education Of Any Use At All? And Robert Slade made some excellent points more recently in post Security unawareness.

Static passwords are a pretty good example of a technology that’s proved to be less than 100-percent effective time and time again, yet is considered effective enough to remain the authentication mainstay of many a web service. Well, I could argue that it’s not so much about effectiveness, as a trade-off between effectiveness in terms of privacy, and the cost of implementing better authentication mechanisms. But that’s a discussion for another time.

Continue reading →

I received a sad report on the subject of PC support scams.

Yes, those same old scams where the perpetrator tells you that you have malware infections or system problems and tries to scare you into letting him or her connect to your PC so that he can install some software and fix it. For a price, of course, though that may not be immediately clear.

Continue reading →

While the ongoing floods of leaked account credentials from Formspring, LinkedIn et al. are potentially disastrous for the owners of those accounts, analysis of those data doesn't only provide a way of seeing whether our own accounts are at risk. It also provides an incentive for us all to re-examine our own password (and passcode) selection strategies by the insight they give us into whether we are using the same far-from-unique passwords as so many of the victims of these breaches.

My colleague Anders Nilsson's Eurosecure blog  looks at the data from the Yahoo! breach and refers to some detailed statistics. Rather than reproduce all those data here, I'd recommend that you read his blog, but as I've previously referred here and elsewhere to 'Top Umpteen' lists of insecure, over-used, easily guessed passwords, I can't resist reproducing the top ten he extracted here, as it comes from a more recent source than the Mark Burnett analysis I quoted in my previous post on the subject.

Continue reading →

The news and specualtion around Win32/Flamer is extensive and complex. While it is understandable that what appears to be a sophisticated threat found in several regions, some of them particularly politically sensitive, has excited so much interest. Conflicting conjecture and confusion over the "ownership" of the detection is muddying the waters somewhat.

According to the Iran National CERT, it had detection (but not removal) for the malware in early May, but Kaspersky claims it’s been in the wild since March 2010. This seems to be the same malware theat that the Laboratory of Cryptography and System Security (CrySyS) in Budapest calls sKyWIper (which they believe may have been active for 5-8 years or even longer).  However, it looks as if those assumptions on timing are incorrect: module compilation dates have been manipulated, presumably in order to hamper researchers in some way.

Continue reading →