Two-Factor Phishing

Phishers consider nothing sacred, not even two-factor authentication: at least one has already phished for the second factor.

If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

Citibank Phish Spoofs 2-Factor Authentication, Brian Krebs, 10 July 2006

This could be because the people behind such phishing scams are often pretty tech-savvy people themselves. Funny how that happens when there’s money in it.

-jsq

Is a Four-Fold Increase a Risk?

This one pretty much speaks for itself:

More than land-use changes or forest management practices, the changing climate was the most important factor driving a four-fold increase in the average number of large wildfires in the Western United States since 1970, the researchers concluded.

The average spring and summer temperatures were more than 1.5 degrees higher in Western states between 1987 and 2003 than during the previous 17 years. In fact, the seasonal temperatures were the warmest since record-keeping started in 1895, the researchers said.

While the researchers stopped short of linking increased wildfire intensity to global warming caused by rising levels of greenhouse gases, they were confident that they had documented a broad climate trend and not a fluke of natural weather variability.

Wildfire Increase Linked to Climate: Higher temperatures over 34 years — rather than land-use changes — have led to more blazes, researchers say. They’re sure it’s not a fluke. By Robert Lee Hotz, Times Staff Writer, L.A. Times, July 7, 2006


Stemming the International Tide of Bad Spam Laws

Sure, spam is bad, and I’d like to get rid of it, too, but not at the cost of having ISPs and governments required to discard my mail based on content. That last is basically what a new ITU report, Stemming the International Tide of Spam, seems to recommend.

The root problem with all such recommendations is their insistence on defining spam as commercial. I get spam from religious organizations, spam in languages I don’t even read, and, worst of all, spam from politicians. Spam is unsolicited bulk electronic mail. Confusing content with spam is, and has always been, a big mistake. If you let content leak into your definition of spam, quickly you’re into censorship and first amendment territory.


The arm of commerce has borne away the gates of the strong city.

Today I’ll defer to what Frederick Douglass said on the Fourth of July 154 years ago:

Nations do not now stand in the same relation to each other that they did ages ago. No nation can now shut itself up from the surrounding world, and trot round in the same old path of its fathers without interference. The time was when such could be done. Long established customs of hurtful character could formerly fence themselves in, and do their evil work with social impunity. Knowledge was then confined and enjoyed by the privileged few, and the multitude walked on in mental darkness. But a change has now come over the affairs of mankind. Walled cities and empires have become unfashionable. The arm of commerce has borne away the gates of the strong city. Intelligence is penetrating the darkest corners of the globe. It makes its pathway over and under the sea, as well as on the earth. Wind, steam, and lightning are its chartered agents. Oceans no longer divide, but link nations together. From Boston to London is now a holiday excursion. Space is comparatively annihilated. Thoughts expressed on one side of the Atlantic are distinctly heard on the other. The far off and almost fabulous Pacific rolls in grandeur at our feet.

What to the Slave is the Fourth of July? Frederick Douglass, Rochester Ladies’ Anti-Slavery Society, Rochester Hall, Rochester, N.Y., 4 July 1852.

Today telephone, television, and the Internet are the chartered agents of intelligence, not to mention agents and drivers of the commerce whose arm has borne away the gates of the strong city. Fortifying perimeters works even less these days, for nations or for companies. Cooperation is essential for survival, not to mention risk management.

-jsq

Pipes or Bridges

I don’t usually post about specific politicians, but I did find Senator Ted Stevens’ explanation of the Internet rather remarkable:

It’s a series of tubes.

And if you don’t understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it’s going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.

Now we have a separate Department of Defense internet now, did you know that?

Do you know why?

Because they have to have theirs delivered immediately. They can’t afford getting delayed by other people.

Your Own Personal Internet, by Ryan Singel and Kevin Poulsen, 26B Stroke 6, Thursday, 29 June 2006

This is the same senator who got Congress to approve a $223 million bridge to nowhere, that both the Sierra Club and the Heritage Foundation opposed; the latter referred to it as a National Embarrassment.

I guess he’s changed his expertise from bridge architecture to Internet pipe design. Anyway, this is why he says he voted against net neutrality.

Maybe it would be good risk management to elect some Congress members who have a clue about the Internet.

-jsq

Telco Double Dipping

Here’s a useful analogy for thinking about net neutrality:

On today’s Internet, sending and receiving data has already been paid for and what the ISPs that are resisting net neutrality are calling for is the ability to charge content providers a second time for access to their customers. An apt analogy would be the phone company attempting to take a percentage of any transaction that was done over the phone. The calling party has already paid for the phone call, the receiving party has either paid for the phone call (metered services or cell phone) or has paid for unlimited inbound calling through a subscription. However, the phone company sees that there is money being made by others transacting business over their phone lines and decides they deserve a cut.

Network neutrality is about control, Gaige Paulsen, Monday, June 26 2006 @ 10:34 am EDT

If telcos want to provide their own value-added services, as they have long done, that’s one thing. If they want to charge somebody else for providing value-added services on top of the telco’s carriage, that’s another thing entirely. Gaige also addresses consumer control, content delivery networks, differential utilization, and why net neutrality is a regulatory issue; well worth a read.

-jsq

Framing Net Neutrality

Interesting bit of political framing here:

Put another way, if net neutrality passes, the AT&Ts of the world will be forced to pay for all of their equipment upgrades themselves and could not subsidize that effort by imposing premium fees for premium services. If net neutrality fails, they will be able to recoup more of those costs than they can now from the likes of Google Inc., Microsoft Corp. and other major users of the World Wide Web.

At its heart, then, the battle is commercial — over who pays how much for improvements to the Internet that we all use and sometimes love.

No Neutral Ground in This Internet Battle, by Jeffrey H. Birnbaum, Washington Post, Monday, June 26, 2006; Page D01

I’d be more willing to believe that if the various incumbent carriers or their predecessors hadn’t already been promising us fast broadband for everyone for many years now, and if Japan and Korea hadn’t already managed it without this kind of finagle.

21st Century Risk Management

Have I mentioned I wrote a book?

John Quarterman’s book Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance is unique, as far as I know, as a very timely analysis on technical issues and their impact on risk management. The combined forces of technology, increased integration, business reliance on networks and systems, and the market/legal/regulatory forces set the context for this book.

All About Early 21st Century Risk Gunnar Peterson, 1 Raindrop, 22 June 2006

Gunnar mentions much of the content, and a useful context point:

Leaves of FBI

Brian Krebs has an interesting post about the Leaves worm of 2001, which masqueraded as a Microsoft update and used the legion of zombies thus recruited to run up click counts on ads, thus generating revenue for its perpetrator, a perpetrator who has never been identified. Which leads to Krebs’s most interesting point:

Still, I have to wonder whether the case didn’t sour the FBI on investigating these types of crimes, given the resources they piled into an ultimately futile effort. Today, there are hundreds of guys around the world making money just like Mr. Leaves — with far more victim computers at their disposal — except that many of them operate out of countries which have far less cozy legal and diplomatic relations with the United States.

Lessons Learned from the ‘Leaves’ Worm? Brian Krebs on Computer Security, 22 June 2006

We need to find ways for law enforcement to gather evidence that are less costly and that lead more reliably to enforcement.

-jsq

A Muslim Seminary Has How Many Divisions?

Two American sheiks have formed a Muslim seminary:

Sheik Hamza Yusuf, in a groomed goatee and sports jacket, looked more like a hip white college professor than a Middle Eastern sheik. Imam Zaid Shakir, a lanky African-American in a long brown tunic, looked as if he would fit in just fine on the streets of Damascus.

U.S. Muslim Clerics Seek a Modern Middle Ground By LAURIE GOODSTEIN, New York Times, Published: June 18, 2006

The story goes on about how the two each understand both Islam and U.S. popular culture. Judging by the examples, they also understand both Islamic and Christian religious history. It continues:

Mr. Yusuf told the audience in Houston to beware of "fanatics" who pluck Islamic scripture out of context and say, "We’re going to tell you what God says on every single issue."

"That’s not Islam," Mr. Yusuf said. "That’s psychopathy."
