Oct 06 2009
I’ve been incredibly busy and unable to blog much lately, mainly due to a new job at Verizon Business and my two little time sinks, aka children. After a little time off, it’s good to be working again, but it’s really cutting into my workout and blogging schedule. Of course, added to that is the fact that I really haven’t had much to say lately, but that’s never stopped me before. Once I get settled into the new routine, I hope you’ll be seeing a bit more from me again.
One of the biggest stories of the week is the release of the FTC guidelines governing endorsements, which includes ‘bloggers and other “word-of-mouth” marketers.’ Basically if you accept free product or money from a company, you need to disclose that you’re accepting a form of payment in return for promotion. I doubt this will have any impact on 99% of the security blogging community, but people who are tweeting or using Facebook to promote a company may need to take a long look at what they’re doing and have some sort of disclosure on their Twitter page. For the record, I once got a small palmtop computer from Nokia and Astaro used to be a sponsor of the podcast. I doubt I’ll have to disclose the huge pile of t-shirts from vendors that my wife is always nagging me to throw away.
Researchers at UC Santa Barbara are getting set to release a paper on the Mebroot botnet and how they tried to take control of it. I’d heard of a lot of botnets that automatically created domain names based on the date, but this is the first time I’ve seen one referenced that added an uncontrolled variable to the algorithm; Mebroot uses Twitter and the trending topic of the day to generate a random domain that can’t be guessed and blocked days or weeks ahead of time. This probably makes it a little harder on the bot herders and causes some drop off of infected machines, but it also makes it nearly impossible for anyone to register the domain names ahead of the botnet.
Yesterday Visa published a new best practices paper, Data Field Encryption. It’s important to realize that this paper is coming from Visa and not the PCI Council. This means that while the paper is important and will probably be adopted into the PCI DSS at some point in the future, it is not officially part of the PCI requirements. There’s a lot of good information in here, but one interesting point that was pointed out on Twitter is that they included SHA-224 under encryption algorithms. Why a one-way hashing function is included in the encryption table is unclear, unless Visa is trying to subtly tell people that we shouldn’t be saving cardholder data any more than absolutely necessary.
What else? Well, a certificate for PayPal has been created based on Moxie Marlinspike’s research that was released at Black Hat. The scary thing is that the cert may be unrevocable if the research holds true. AVG Anti-virus has released a new version of their free Internet Security Suite to compete with MS Security Essentials. I’m using AVG Free 8 on my wife’s computer, so I’ll probably update to version 9 soon. The FBI has been investigating an activist who was exfiltrating federal court records that were put behind a paywall. Aaron Swartz ran a program that allowed him to download 18 million pages of federal court papers from a Chicago library when the Government Printing Office had allowed the library access. These are federal documents that should be freely available to start with, so Swartz had reason to see them set free. A surge in compromised email accounts is being disclosed by hackers for a number of email services, including Gmail and Yahoo Mail, as well as the previously disclosed Hotmail accounts. These appear to be accounts that were gathered through phishing attempts, not through a vulnerability in any of the mail services, but it’s definitely worth changing your passwords if there’s any chance you might be on this list.
That’s it for this morning. Time to start waking up the rest of the family and usher them off to school. It’s about the only way I ever get some quiet time around here.