Security awareness sign at CERN
Wherever you are follow some simple rules to worry less. The only alternative is not to communicate.
Posts Tagged ‘IT security’
Being online means being at risk
Monday, September 15th, 2008
Beware of innocently “flashing” online advertisement
Wednesday, April 2nd, 2008While browsing your daily news over the morning coffee you might see dozens of adverts all over your favorite sites. Think twice before clicking on any of those. It was reported already in December 2007 by Stanford University Security Lab that clicking on a vulnerable file, created using Adobe Flash, could trick you into executing a malicious JavaScript code that would appear to come from a trusted Web site, thus bypassing the same-origin policy protection. The warning was repeated during the CanSecWest security conference last week in Canada, since Adobe has not yet released a patch for this issue (announced to be released sometimes in April). The problem is that developers of Flash applications will have a lot more work to do than just install the patch. The risk is that there is a high likelihood of the exploit, since 98% of Web users have flash player installed (I’m sure this statistics does not count mobile Internet users whose devices do not support Flash), and it costs $100 to get malicious advertisement to 100′000 users which makes this exploit more lucrative than renting a botnet. IT security is a process…
Googling you medical records?! You must be joking!
Friday, February 29th, 2008
Google unveils personal medical record service, claiming that it would bring more control of medical records to patients by providing centralized facility to control oneself records. In other terms, we would be able to login to that service and have a look in our medical records. So why would we need to look at our own medical records. The first thing that strikes me of course is who else could have a look at my own medical record. Google said, it would be password protected. How strong would that password be? It is up to each one of us to choose. Are we going to get alarmed if someone tries to brute-force our medical history records?
The advantage of this service, according to Google would be the central storage of now dispersed data. And Google promise not to use any advertising on accessing medical records, but when people do some other medical related searches.
Whenever I visit my doctor and get prescription I am wondering how pharmacist is able to decrypt those scribbles where hardly any letter could be identified. I frankly prefer that it stays like this, and that medical data is managed by those that need access to it, and it definitely not patients but medical service.
What does search engine has to do with storing and managing information? Give me please just one good reason…
Who tubes? Pakistan unblocks YouTube…
Wednesday, February 27th, 2008After couple of days of cyber-retorics on the Internet security and privacy, Pakistani government decided to unblock the YouTube (read my previous message here) claiming that incriminating video has been removed. So YouTube removed the video in order to stay on-line? Or in order not to offense anyone? Both reasons are valid. There are many offensive material on the Internet but not all of that on so popular sites like YouTube. In fact, sites like YouTube build their popularity by making waves. In the case of some mass media companies its their journalists, in the case of YouTube and similar, it’s citizen journalists (or at least this is what we think, but we can not know). I am only wondering if an ordinary cybernaut asks YouTube to remove an offensive material would that be done so quickly? I’d still prefer sharing my own videos on my own web site.
YouTube knocked out by Autonomous System number in Border Gateway Protocol
Tuesday, February 26th, 2008No more YouTube blockbusters? Well, not quite, but according to some Web statistics the popular video sharing site was not reachable for 2 hours on the 24th of February.
So what happened? Pakistan’s government ordered a state owned telecom company to restrict access to YouTube. Pakistan Telecom responded by broadcasting the false claim that it was the correct route for 256 addresses in YouTube’s 208.65.153.0 network space. Hong Kong-based PCCW, which provides the Internet link to Pakistan Telecom, did not stop the misleading broadcast. Because that was a more specific destination than the true broadcast from YouTube saying it was home to 1,024 computers, within a few minutes traffic started flowing to the wrong place. YouTube took countermeasures within minutes, first trying to reclaim its network by narrowing its 1,024 broadcast to 256 addresses. Eleven minutes later, YouTube added an even more specific additional broadcast claiming just 64 addresses–which, under the Border Gateway Protocol, is more specific and therefore should overrule the Pakistani one. Over two hours after the initial false broadcast, Pakistan Telecom finally stopped.
How could this have been prevented? First, Pakistan Telecom shouldn’t have broadcast to the entire world that it was hosting YouTube’s IP addresses. Second, Hong Kong-based PCCW could have recognized the broadcast as false and filtered it out.
Some solutions to prevent such incidents in the future are, to be automatically notified when the virtual location of an Internet address changes. Another is to treat broadcasts with changes of addresses as suspicious for 24 hours and then accept them as normal. Simple filtering of broadcasts may not always work because some networks provide connectivity to customers with thousands of different routes.
Probably the most extensive countermeasure would be a technology like Secure BGP, which uses encryption to verify which network providers own Internet addresses and are authorized to broadcast changes. But Secure BGP has been around in one form or another form since 1998, and is still not a widely-used standard, mostly because it adds complexity and routers that understand will add additional cost.