Today we face popularity of QR-codes. Most tech-savvy people already actively use them to transfer encoded digital information into their devices, to follow links and to  input data into their devices with no manual typing.

Some inventive “hackers” already started using this technique by sticking false QR-codes over real ones. So in case you use code-recognition client, which is automatically following links, and your Android phone does not ask you before installing apps other than those from Android market, you are in trouble. Such QR-codes might drive you to the download of a false operating system update, being a virus.

So beware of too much automation in your QR-reading software.

This beautiful sunny day in Bielorus tends to be the final step about cutting off the Internet by the country’s borders. Now most worldwide resources, host providers and everyone else in the world, ever benefiting from *.by zone traffic will suffer clients loss. The President of Bileorus, Aleksandr Lukashenko introduced a law, penalizing everyone, who will access foreign servers for almost $100. Today this law enters into force.

On the other hand, in Ukraine, which is neighboring Bielorus people expect the same situation, as both countries present strong dictating regimes. Just Lukashenko’s one is more perfected. Seems, Europe will allow this to happen, seemingly not realizing the new USSR is going to be established.

Then, maybe real information security starts when there’s more security, then information?

I have heard many “safe” and “dangerous” stories about Skype. Being confused as to what I should believe in, I opened Google and understood two things right immediately. These are concerns about Skype:

1) Is your VoIP data secure with it;

2) Is all other data you own, secure, when Skype is installed at your device.

Considering the first, company is hardly trying to convince, that it is. Looking for the latter was a little trickier.

Recently a group of researchers at NYU Polytechnic Institute found out the fact - when you call a person on Skype, you can discover his/her IP address, even if the person doesn’t “pick the headset up”. There’s also a possibility to define which torrents are active at the target PC, and ability to track how one moves from point to point without any permission.

Up to now, providing your updated the previous Mac OS X exploited Skype, which allowed to remotely control your PC and network altogether, there are no more concerns about Skype as for now.

Still one more thing left unsolved in identification aspect of the Web. How do you prove, the person, sitting in front of the monitor is that very same she claims to be? I personally thought about it before, and today Defence Advanced Researh Projects Agency (DARPA) decided to solve this finally. They would identify a “digital signature” or “digital fingerprint” based on your habits of mouse usage or the way person normally types.

Now algorithms are going to be developed with the help of scientists, who are invited to send their proposals.

Active Authentication industry day on Nov. 18 is to encourage industry to submit authentication proposals. Proposed research should investigate innovative approaches that enable revolutionary advances in science, software, or systems in the areas related to determining the identity of the individual at the keyboard.

infosecurity-magazine.com

Some years ahead, we either will no longer be anonymous on the Internet, or will use anonymity tools for impersonation of our activity or to steal someone’s habits, recorded in the file. Probably viruses will be stealing our habits. Lots of interesting stuff still expects us in the eternal battle between the key and the lock.

Have recently read the new video of Madonna gone for web before the final release. And this was a demo-version, which raised a great tsunami of discussing on Twitter and other social places of the web.

I came up to the conclusion, leakage promotion techniques is a great way to reload the interest for some artist or public person on purpose. Especially when it is far too low.

Another leaks from Sweden remind us not to use one password at every site. They again do. But we continue to ignore.

Details of 210,000 Swedes - politicians and media figures, have been exposed to the Internet, which affected one person among 50 unaffected. That is called the greatest security breach in history of Sweden.

Once told, there’s no personal life today any more, came true and will never roll back again.

But that is the good - world needs InfoSec people each day more.

Saw cheap IPhone 5 today at the electronics market. Fashion rules, no doubt, and everyone wants the toy. Even though the 5-th even doesn’t exist yet. Strange feeling to witness the ghost.

I expanded my network of InfoSec specialists, analysts and geeks on Twitter. And got hinted to look at owasp.org project. I usually have numerous tabs open in Firefox, never timely reading them - so they grow. Now I have a couple more, promising myself to read them asap. We talked about ghosts, right? They say companies are divided into those which do know their web applications code is insecure and those which don’t.

This ghost chasing is rated well in OWASP’s top 10 rating of threats your company (and probably you) face during web information exchange.

Here is the link to the 2010 document. It appears, not much changes over time, so they don’t update the rating annually. Still it is very current, being reviewed by some top companies from the industry recently. 

http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf

There’s much to think about.

Facebook has revealed a security system called FIS (Facebook Immunity System). FIS controls every read-write action of each user on the social network. This defends 99% of Facebookers from spam, as stated by Facebook itself. The defense system happens to be the biggest in the world, equipped with 30 supervisors, enabled to learn and take actions on noticing suspicious behavior patterns.

The system, as it seems to me, is still far from the artificial intelligence. But is already able to combat massive viral script attacks within the network by blocking messages based on keywords once found and identified in spam chat messages.

Still unknown techniques make the system vulnerable. Social bots tend to fool the system, even adding thousands of friends and harvesting sensitive data like e-mail addresses. Due to peaking number of friend rejections spam bots receive, Facebook predicts improving FIS based on higher, than usual rejections amount.

I personally recently found out Facebook controls the speed of friends addition, if you add them too fast - you get considered to be a bot, even if you just re-add known people to the newly created account. If some people reject you, you already get blocked for a couple days, or a week without even a guess, who did it.

Still much job to do, but unless real artificial intelligence gets invented, we are going to face constant rules creating and breaking in this highly socialized world.

Today smartphones or tablet PCs are widespread. But what risks do we face? Lets check that out.

The most popular on the market Android OS tends to become an interesting target for world’s cutest brains. The simplicity of malicious applications distribution to phones and tablets brings evil ideas into everyday mobile life. Every unchecked application may be simply put on the Android market. This ensures quite high risk for end users.

IPads are insecure way to do business due to man-in-the-middle attacks vulnerability, and insecure cloud synchronization. Poor encrypting helps corporations, as they are main end users of IPads, loose their valuable data through the data leakage. Today these are the most dangerous devices in terms of security.

Jailbroken devices pose another risk. Most viruses work on such devices, as vendor jails prevent potentially unwanted activities. In most jailbroken IPhones the password for jailbreak hadn’t been modified, therefore viruses, fast spread with SSH, are very possible.

This is a truncated list of mobile insecurity. Currently no strong security is present for portable devices, using wireless connections.

High technologies have never been so influential as these days. Hard to imagine modern governments omit this possibility to control their countries one more, invisible on-line way.

So did Germany. But whatever you do, especially if its “not completely legal” thing, better think twice about whom to hire for that. Though usually we learn from our mistakes, one day they just publicly teach us. Here’s the story.

A famous German hacker organization Chaos Computer Club has obtained the software for German investigators use to spy on individuals. Surprisingly, it is reported to be full of defects and was using a United States server to transmit whatever it found. This software was encapsulated into a Trojan horse, but was insufficiently protected, so it’s elements could be used by well-qualified third parties. A real person could just get infected, opening an e-mail, as the report says.

If the CCC is right, the software contains some illegal functions, prohibited for use in Germany. Albeit, this is not the only concern. Now many computers had got searchable by “people with necessary technical skills”, as the software was buggy, opening personal and corporate data this way.

I assume, we don’t protest about what we don’t see. So wish all the Trojans you have at your hard disks were well-written and third-party leakage proof.

Recently on code.google.com the list of tested DNS-rebind affected routers had been updated.

The list is accessible by this link: http://code.google.com/p/rebind/wiki/TestedRouters

What is DNS rebinding and why is it dangerous for your router? If you will get tricked to enter a website, whose DNS A-record states two IP-addresses, one belongs to the site itself, another - is dynamically substituted with your IP, then using javascript at the attacker’s site your internal network will be accessibe via your browser for the attacker’s party. This is caused by merging both IPs into single domain of the hacker - therefore browser trusts communication between them.

Afterwards if the router’s inner web-interface isn’t secured with non-default password, and you use the standard IP for the router at the internal network - you get into troubles. Your router is under the total control.

To secure yourself, set a non-standard admin password, use different IP address, than the usual 192.168.1.1 for your router, patch the firmware to the latest version.

This should help in most cases, sometimes router’s inner web-interface may be exploited even if the password and inner IP are unknown to the attacker. So you must do your best to protect the web-interface, for example to disable HTTP and enable HTTPS if applicable at your router’s settings.