
Friday, June 29, 2012

Lost USB keys back in the spotlight in Privacy Commission report

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

In late 2011, we published our analysis of a bunch of USB keys we'd bought at a lost property auction.

We took $400 (about £260) to a public transport utility's annual auction and came home with 57 USB keys containing 4400 files.

We didn't find any Wikileaks-type information - there were no criminal plots, no rush orders for F-35 strike fighters, and no intelligence data from the diplomatic community.

But we did get several surprises, which we wrote about at the time:

* 66% of the keys had one or more malware infections.
* Many of the keys contained personal and work-related files.
* Not a single one of the 4400 files was encrypted.

Our report quickly put the data protection cat amongst the pigeons, with two sides emerging in the debate.

The Government Should Do Something About It camp castigated the transport operator (RailCorp New South Wales) for selling the keys in the first place. As @KineticPearl commented on Naked Security:

What I find interesting is that [RailCorp] are not wiping the keys prior to sale. In this case it made for a good story, but a better one would be that you found absolutely nothing at all due to the diligence of the authority. I feel that the seller should be responsible for preventing data leaking, even if it is not directly their data, after all they are profiting from selling the device.

Even though I'm a strong advocate for privacy (and a staunch believer that opt-out simply isn't good enough), I ended up in the Government Isn't There To Nanny-State You camp, and argued the opposite:

I have thought long and hard about this. I don't think that RailCorp should be obliged to wipe the data, in much the same way that I don't think that ISPs should be obliged to watch your internet traffic and block pirated stuff. It's not data which RailCorp collected for its own use, after all

Unsurprisingly, the debate quickly drew in the New South Wales Office of the Privacy Commissioner, the body which oversees how personal information is held and used by the State's government and public service.

We were delighted to get involved in the Privacy Commissioner's investigation, and had some fun at SophosLabs showing the investigation team how we automated the retrieval, recovery and reporting of the data on the keys we bought.

In particular, we were able to show that the recovery process, though lengthy (USB keys tend to be quite slow, and we loaded and stored every byte from 50 of the keys), could be completely automated, apart from the insertion and removal of each key in turn.

Cleaners, for example, could acquire USB data dumps whilst working their way through an office building overnight - without attracting attention by losing time on their regular job.

We were also able to recover files from two apparently-wiped test devices brought in by the investigation team. Even USB keys that most people would consider safely blanked out and suitable for re-use may still contain critical information.
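To make the "apparently wiped" point concrete, here is an added example (my own illustration, not SophosLabs' recovery tooling, whose details the article does not give) of why a quick format recovers nothing of value: it scans a raw image for file signatures and ignores the filesystem altogether, which is also why the whole job is easy to automate once the key is plugged in. The image, the three embedded files and the signature table are all constructed for the demonstration; `quick_format` is a toy model that zeroes only the metadata region at the front of the volume, which is roughly what a quick format does to a FAT-formatted key.

```python
"""Signature-based file carving: recover files from a 'wiped' USB image."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# (label, header magic, trailer magic). Deliberately tiny table; real carvers
# such as foremost, scalpel and PhotoRec know hundreds of formats.
SIGNATURES: List[Tuple[str, bytes, bytes]] = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, max_size: int = 16 * 1024 * 1024) -> List[CarvedFile]:
    """Scan raw bytes for header/trailer pairs, ignoring filesystem metadata.
    A header with no trailer within max_size is skipped (truncated/fragmented)."""
    found: List[CarvedFile] = []
    for kind, header, trailer in SIGNATURES:
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(trailer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1
                continue
            end += len(trailer)
            found.append(CarvedFile(kind, start, bytes(image[start:end])))
            pos = end
    return sorted(found, key=lambda f: f.offset)


def quick_format(image: bytearray, metadata_bytes: int = 2048) -> None:
    """Toy model of a quick format (assumption: FAT-like layout with the
    directory/allocation tables at the front). Only that region is rewritten;
    every data block survives."""
    image[:metadata_bytes] = bytes(metadata_bytes)


def build_sample_image() -> bytearray:
    """Constructed 64 KiB 'USB key' holding three files at fixed offsets.
    The file bodies are minimal stand-ins with real magic bytes, not real
    pictures or documents."""
    img = bytearray(b"\xa5" * 2048)                  # fake directory region
    img += bytes(64 * 1024 - len(img))               # unused clusters
    files = {
        4096: b"\x89PNG\r\n\x1a\n" + b"<IHDR/IDAT chunks: office floor plan>" + b"IEND\xaeB`\x82",
        20480: b"\xff\xd8\xff\xe0" + b"JFIF <staff photo, EXIF GPS tags>" + b"\xff\xd9",
        40960: b"%PDF-1.4\n% <payroll_2011.pdf, constructed>\n%%EOF",
    }
    for offset, data in files.items():
        img[offset:offset + len(data)] = data
    return img


def report(files: List[CarvedFile]) -> List[str]:
    """One line per recovered file: type, offset, size, content hash."""
    return [f"{f.kind:4} @0x{f.offset:06x} {len(f.data):5d} bytes sha256={f.sha256()[:16]}..."
            for f in files]


if __name__ == "__main__":
    key = build_sample_image()
    quick_format(key)            # "I formatted it, it's blank"
    for line in report(carve(key)):
        print(line)
```

Run against a real `dd` image of a key, the same loop finds every file whose header and trailer survived, formatted or not; the only defence that works against it is the one the article ends on, never writing plaintext to the key in the first place.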

The Privacy Commissioner's report has recently been published.

(Even if you're usually afraid of government reports, give this one a read. At just three pages it is concise, clear and uncompromising - but without being cynical or judgmental.)

The bottom line of the report - literally and figuratively - is that @KineticPearl was right, and I was wrong.

RailCorp made a proactive decision to destroy lost USB keys in future, rather than trying to wipe them and sell them, and the Privacy Commissioner was pleased:

The Privacy Commissioner considers that RailCorp's assessment of the risk to the privacy of individuals is correct and that the decision to cease auctioning USBs is the most reasonable outcome.

The Privacy Commissioner commends RailCorp's decision, made without waiting for the completion of this inquiry.

This raises the question: what should you do with your USB keys?

Wiping USB keys that are being retired from service might not have the purgative result you want. A quick format rewrites only the filesystem's directory structures and leaves every data block in place, and even a full overwrite can miss blocks that the flash controller's wear-levelling has quietly remapped out of reach. Destroying them instead is an effective and simple alternative.

But how do you protect yourself from leaking data on USB keys which get lost? Or on keys which are transferred between users, departments and even companies?

One answer: only ever write encrypted data to your USB keys.

(Yes. We have crypto products to help you do just that. I'm not suggesting you use these products simply because we have them - it's the other way around. We have the products because we think they're the right way to solve this problem.)

The most shocking thing in our original research was not the high prevalence of malware, nor the fact that the keys got sold in the first place, nor that USB keys are so easy to lose.

The most shocking thing was that not one file on any of the keys we bought was encrypted - even those files which contained personally identifiable information or proprietary information from work.

Encrypt everything and you never have to worry about the stuff you didn't encrypt!

Follow @duckblog

PS. Why not try our free encryption tool?

It's an easy way to save and share files securely, whether you use removable devices or cloud-based internet services.

(Direct download; no registration required. Sorry, Mac users: this one's for Windows only.)

Tags: auction, data leakage, Encryption, IT, Malware, nsw, pii, privacy commissioner, railcorp, usb, usb keys



Macs and malware - See how Apple has changed its marketing message


Up until just a few days ago, Apple's website was keen to point out that Mac OS X doesn't get PC viruses, and that the operating system "defends against viruses and other malicious applications, or malware" with "virtually no effort on your part".

Now, Apple's changed its tune a little and revised the wording on its "Why you'll love a Mac" webpage:

Apple talks about Mac OS X and malware

Here's what the old page said:

It doesn’t get PC viruses.

A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.

Safeguard your data. By doing nothing.

With virtually no effort on your part, OS X defends against viruses and other malicious applications, or malware. For example, it thwarts hackers through a technique called “sandboxing” — restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch.

And now..

It’s built to be safe.

Built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac.

Safety. Built right in.

OS X is designed with powerful, advanced technologies that work hard to keep your Mac safe. For example, it thwarts hackers through a technique called “sandboxing” — restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch.

I think it's pretty interesting that Apple has made this change to their messaging.

Clearly they've decided that pointing out the size of the Windows malware problem isn't going to look terribly convincing unless they are also open about the fact that Mac malware exists too.

After all, it was only a couple of months ago that one particular piece of Mac malware (Flashback) was found to have infected 600,000 Macs worldwide, including 274 in Cupertino.

In short, people in glass houses shouldn't throw stones.

And there's no longer an emphasis on Apple customers having to "do nothing", to keep their Macs malware-free.

Mac malware is a reality these days, with regular users finding their computers are becoming infected. The problem may not be as significant as Windows malware, but it exists.

A recent analysis by Sophos found that 2.7% (one in 36) of Macs which downloaded our free anti-virus product were found to be infected by Mac OS X malware.

So, the problem is real. And Apple seems to be becoming a little bolder in acknowledging it. This week, for instance, Apple mentioned malware for the first time ever at a WWDC keynote address. I view the changes in the messages pushed out by their marketing department as some important baby-steps.

Let's hope more Apple Mac owners are also learning to take important security steps - such as installing anti-virus protection.

Follow @gcluley

Hat-tip: CRN



Wednesday, June 27, 2012

FBI claims that Tor stymied child abuse investigation


In at least one case, the US police's hunt for online child abuse images has been stymied by Tor, a Freedom of Information Act (FOI) request has revealed.

The FOI request, which was originally for all Justice Department records mentioning the Silk Road marketplace (a site that National Public Radio has referred to as the "Amazon.com of illegal drugs"), was made by MuckRock's Jason Smathers.

According to the FOI documents, a citizen reported stumbling on a cache of child abuse images while browsing Tor hidden services - sites reachable only through the Tor network, at .onion addresses - while he was searching for the deep-web location of the Silk Road:

FOI document excerpt

He visited the Tor directory at the following site: [expunged]. At this site, he noticed a link to 'adult' websites and clicked on it. He noticed a link on the next page for 'TSCHAN' which he recognized to be a hacking affiliated group. When he clicked on this link, he saw pictures he described as child pornography. He said it looked like child pornography because he could tell the subjects were very young with some in diapers. All were still images, no videos, and he said most showed the children posing for the pictures.

Investigators were unable to determine the origin of the pornography's host, as they described in a Detroit field office 2011 FBI Complaint/Assessment Form that was part of the FOI documents:

FOI document excerpt 2

Because everyone (all Internet traffic) connected to the TOR network is anonymous, there is not currently a way to trace the origin of the website. As such no other investigative leads exist.

Tor, a free, open-source program, provides online anonymity by routing a user's connections through a circuit of relays run by volunteers around the world, encrypting the traffic in layers so that no single relay, and nobody conducting network surveillance or traffic analysis, can link the user's location to what they are doing.

In spite of the investigators' despair, however, it's quite possible to bust Tor communities.

One recent example is "The Farmer's Market," an online narcotics store that hid its operations with Tor. The Farmer's Market was brought down in April.

Granted, Tor was incidental to that bust.

As the indictment laid out, authorities were aware of the Farmer's Market's use of Hushmail - a service based in Canada that offers PGP-encrypted e-mail, file storage, vanity domain service, and instant messaging - before the operation was moved to Tor.

And as Naked Security reader HushFail commented at the time, Hushmail only protects users until law enforcement whips out a badge.

Hushmail has in the past turned over cleartext copies of private email messages associated with multiple accounts at the request of law enforcement agencies under a mutual legal assistance treaty between Canada and the US, such as in the case of US v. Tyler Stumbo.

Another factor in the Farmer's Market bust was payment processing via means that included PayPal - to an agent with the US Drug Enforcement Administration, no less.

Clearly, some law enforcement agencies find ways to track down their prey, even if the suspects are using Tor.

But as Tor Project development director Karen Reilly told Ars Technica on Tuesday, there are ways to unmask a hidden service that don't depend on breaking Tor at all, beyond tracking suspects through Hushmail or PayPal.

Tor Project members regularly meet with law enforcement to explain how Tor works and to direct them to these vulnerabilities, Reilly told Ars in an email exchange:

Saying that you have no leads is ridiculous. … Hidden services are just like a street address. You can't break an address. You can break the doors or windows of the house at that address. An attack on a .onion and a .com are the same. The usual PHP vulnerabilities to SQL injection and the like are applicable.

And as Ars pointed out, such are the vulnerabilities Anonymous used to take down Tor sites in its Operation Darknet anti-child-abuse-websites effort.

That Anonymous operation succeeded in taking down 40 child abuse sites, including Lolita City, in October 2011.

Anonymous didn't need to crack Tor to do it: exploiting weaknesses in the site's own web application let it both bring down the abuse sites and publish account details of 1,589 users from the site's database.

Obviously, Tor anonymity is not foolproof.

Tor itself warns about one vulnerability on its site:

Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.

That means an attacker who can watch both ends - the user's own network connection and the server the traffic is headed for - can line up the timing and volume of packets seen on each side and make a strong inference that they belong to the same circuit, without decrypting anything.

Such a technique wouldn't help the FBI unless they already knew enough about their suspects to plant an eavesdropper on their network, of course.
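An added example of the end-to-end correlation the FAQ describes (an illustration of mine, not anything taken from the FBI documents or from the Tor Project): two simulated users generate bursty traffic, one of them is sent through a "network" that adds latency and jitter, and the observer on the destination side bins packet timestamps and cross-correlates them against each watched client's stream at every plausible lag. All traffic is synthetic and seeded; the burst rates, the 300 ms latency and the 100 ms bin width are assumptions chosen for the demonstration, not measurements of Tor.

```python
"""End-to-end timing correlation against a low-latency anonymity network."""
import random
from typing import Dict, List, Sequence, Tuple


def bin_counts(times: Sequence[float], bin_ms: float, n_bins: int) -> List[int]:
    """Packets per time bin; timestamps outside the window are dropped."""
    counts = [0] * n_bins
    for t in times:
        i = int(t // bin_ms)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Plain correlation coefficient; 0.0 when either series is constant."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5


def best_lag(src: Sequence[float], dst: Sequence[float], bin_ms: float,
             n_bins: int, max_lag_bins: int) -> Tuple[float, int]:
    """Slide the destination series back by 0..max_lag bins; return (best r, lag)."""
    a = bin_counts(src, bin_ms, n_bins)
    b = bin_counts(dst, bin_ms, n_bins)
    best = (-1.0, 0)
    for lag in range(max_lag_bins + 1):
        r = pearson(a[:n_bins - lag], b[lag:])
        if r > best[0]:
            best = (r, lag)
    return best


def bursty_flow(rng: random.Random, duration_ms: float, idle_mean_ms: float = 2000.0,
                active_mean_ms: float = 1000.0, pkts_per_ms: float = 0.2) -> List[float]:
    """Synthetic on/off traffic: idle gaps, then a burst of Poisson-spaced packets."""
    times: List[float] = []
    t = 0.0
    while t < duration_ms:
        t += rng.expovariate(1.0 / idle_mean_ms)
        burst_end = t + rng.expovariate(1.0 / active_mean_ms)
        while t < burst_end and t < duration_ms:
            times.append(t)
            t += rng.expovariate(pkts_per_ms)
    return times


def through_network(rng: random.Random, times: Sequence[float],
                    latency_ms: float = 300.0, jitter_ms: float = 20.0) -> List[float]:
    """What the destination-side observer sees: the same packets, delayed and
    jittered. Payloads are encrypted and irrelevant; only timing is used."""
    return sorted(t + latency_ms + rng.uniform(-jitter_ms, jitter_ms) for t in times)


def attribute(dst: Sequence[float], candidates: Dict[str, Sequence[float]],
              bin_ms: float, n_bins: int, max_lag_bins: int) -> Dict[str, Tuple[float, int]]:
    """Score every watched client against the destination-side stream."""
    return {name: best_lag(src, dst, bin_ms, n_bins, max_lag_bins)
            for name, src in candidates.items()}


def demo(seed: int = 2012) -> Dict[str, Tuple[float, int]]:
    rng = random.Random(seed)
    duration_ms = 300_000.0                       # five minutes of traffic
    alice = bursty_flow(rng, duration_ms)         # the user actually talking to the site
    bob = bursty_flow(rng, duration_ms)           # an unrelated user on a watched network
    at_destination = through_network(rng, alice)  # observed at the far end
    return attribute(at_destination, {"alice": alice, "bob": bob},
                     bin_ms=100.0, n_bins=3000, max_lag_bins=10)


if __name__ == "__main__":
    for who, (r, lag) in demo().items():
        print(f"{who}: r={r:.2f} at lag {lag * 100:.0f} ms")
```

Alice's stream correlates strongly at a lag of about three bins (the 300 ms path delay); Bob's does not. Nothing here touches Tor's cryptography, which is exactly the FAQ's point: the attacker needs vantage points at both ends, and once they have them the circuit's layers of encryption do not hide the shape of the traffic.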

But in sum, it seems that there have been multiple unmaskings of Tor users, whether it's by the means employed by the multinational task force that cracked the Farmer's Market or the vulnerabilities exploited by Anonymous.

If they can do it, it's hard to see why the FBI can't.

Follow @LisaVaas

Child alone image, courtesy of Shutterstock.

Tags: anonymous, child porn, Encryption, FBI, FOI, Hushmail, Lolita City, Operation Darknet, pornography, The Farmer's Market, Tor



Monday, June 25, 2012

Gmail accounts targeted by 'state-sponsored attackers' using Internet Explorer zero-day vulnerability


Both Google and Microsoft have put out alerts about an unpatched, zero-day hole in Internet Explorer that didn't get fixed on Patch Tuesday and is actively being exploited in the wild.

According to ZDNet, those attacks are apparently being launched by the "state-sponsored attackers" that Google warned Gmail users about last week.

Neither Google nor Microsoft referred to those state attackers in their respective security warnings. ZDNet attributed that particular detail to a source it said was "close to these investigations".

This source confirmed to ZDNet that the attacks motivated Google to warn Gmail users last week about the attackers.

As ZDNet pointed out, Gmail users have been reporting on Twitter that they've been hit by the Gmail warning.

Google security engineer Andrew Lyons wrote in the company's security blog that Google reported the vulnerability to Microsoft on May 30 and that the two companies have been working on the problem since.

He wrote on Tuesday:

Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability - which is leveraged via an uninitialized variable - being actively exploited in the wild for targeted attacks.

Lyons said that the attacks are spreading both from malicious web pages set up to snare Internet Explorer users and through Office documents.

Users running any flavor of supported Windows are vulnerable, from XP onwards up to and including Windows 7. All supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable.

The hole hasn't been stitched up yet, but Microsoft is suggesting a workaround that will help prevent it from being exploited.

Microsoft's security advisory recommends that IE and Office users immediately install a Fix it solution, downloadable with instructions from Microsoft Knowledge Base Article 2719615, until the company gets the final fix out.

The vulnerability crops up when Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 try to access an object in memory that hasn't been initialized, which can corrupt memory such that an attacker could execute arbitrary code on a hijacked machine.

A victim would have to visit a maliciously crafted site using IE to suffer an attack. An attacker might lure users into visiting a boobytrapped site by enticing them to click on a link in an email or via messaging.

A successful attack grants the intruder the same rights as the logged-on user, so running day to day as a standard user rather than an administrator limits what an exploit can do once it lands.

Microsoft noted that by default, IE on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration. That also mitigates the vulnerability.

As far as bolting down Gmail goes, Sophos's Graham Cluley has a collection of tips on how to stop your Gmail account from getting hacked.

It's definitely worth a read. Here's a quick cheat-sheet; Graham gives you more detail on these items in his article:

OK, that last one's not a tip, per se, but it's food for thought if you are, in fact, important enough that a state would want to attack your Gmail account.

If you are, think twice about using a free web email provider for sensitive information. If you're working for the government or the military, like Graham said, put all that sensitive information on secure systems instead.

Follow @LisaVaas
Hairy spider image, courtesy of Shutterstock.

Tags: 2719615, gmail, Google, IE, Internet Explorer, Microsoft, Microsoft XML Core Services, Office, security advisory, state-sponsored attackers, Windows, XML Core Services, Zero Day



Sunday, June 24, 2012

Vanilla Ice 'dies in a car crash' - hoax spreads on Facebook


Has Vanilla Ice really died in a car crash?

After all, plenty of people have been sharing the news on Facebook in the last 24 hours - so it must be true, mustn't it?

Posting on Facebook about death of Vanilla Ice

Messages like the following have been shared widely on the social network:

Vanilla Ice died in a single vehicle crash on Route 80 between Morristown and Roswell. He was pronounced dead at the scene by paramedics responding to the vehicle accident and was identified by photo ID found on his body. Alcohol and drugs do not appear to have been a factor in this accident - June 17, 2012

If you click on the link accompanying the messages you are taken to a website calling itself "Global Associated News".

Vanilla Ice dies in car crash

What's interesting is that the URL people are clicking on includes "vanilla.ice" in the subdomain. I wonder what happens if I change it to someone else?

William Shakespeare death hoax

My word - William Shakespeare has died in a car crash! No wonder he's been a little less prolific of late..

Let's have another go.

Graham Cluley death hoax

Eek! I've died in a car crash too - and I'm not even a celebrity!

The website, of course, is designed to allow you to play practical jokes on your friends - and not very funny ones at that. You should always think carefully before clicking on unknown links, and don't believe breaking news just because someone has shared it with you on the net - check with a major news outlet instead.

After all, imagine if this website wasn't just monetising itself via advertising, but was designed to install money-making malware onto your computer instead.

Of course, this is not likely to be the last time that a rumour spreads quickly across the internet that a celebrity has died.

This year alone we've seen fake rumours of the death of 1980s pop idol Adam Ant, Margaret Thatcher and Mikhail Gorbachev.

And don't forget when Christian Slater was killed in a snowboarding accident. Or how Tom Cruise fell to his death off a cliff in New Zealand? Or poor Johnny Depp who also died in a car crash?

Make sure that you keep informed about the latest hoaxes, scams and malware spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 180,000 people regularly share information on threats and discuss the latest security news.

Follow @gcluley


Friday, June 22, 2012

Revealed! The top five Android malware detected in the wild


The release of a brand new version of Sophos's free anti-virus for Android (it actually does much more than just anti-virus, hence our marketroids call it Sophos Mobile Security) makes this an opportune time to update users on the Android malware landscape.

SophosLabs has examined the stats produced by installations of Sophos Mobile Security, which is now being used on Android smartphones and tablets in 118 different countries around the world - and it's making for interesting reading about which malware is being most frequently encountered on the platform.

Top 5 Android malware

1. Andr/PJApps-C. When Sophos Mobile Security for Android detects an app as Andr/PJApps-C it means that we have identified an app that has been cracked using a publicly available tool. Most commonly these are paid-for apps that have been hacked. They are not necessarily always malicious, but are very likely to be illegal.

2. Andr/BBridge-A. Also known as BaseBridge, this malware uses a privilege escalation exploit to elevate its privileges and install additional malicious apps onto your Android device. It uses HTTP to communicate with a central server and leaks potentially identifiable information.

These malicious apps can send and read SMS messages, potentially costing you money. In fact, it can even scan your incoming SMS messages and automatically remove warnings that you are being charged a fee for using premium rate services it has signed you up for.

3. Andr/BatteryD-A. This "Battery Doctor" app falsely claims to save battery life on your Android device. But it actually sends potentially identifiable information to a server using HTTP, and aggressively displays adverts.

4. Andr/Generic-S. Sophos Mobile Security generically detects a variety of families of malicious apps as Andr/Generic-S. These range from privilege escalation exploits to aggressive adware such as variants of the Android Plankton malware.

5. Andr/DrSheep-A. Remember Firesheep? The desktop tool that can allow malicious hackers to hijack Twitter, Facebook and Linkedin sessions in a wireless network environment? Andr/DrSheep-A is the Android equivalent of the tool.

As I'm here writing this run-down, I might as well document some of the other most commonly-seen Android malware:

Andr/DroidRt-A is a set of privilege escalation exploits that can allow someone to obtain root access to an Android device.

Andr/Opfake-C is a fake Opera app which may install other malicious Android packages and send SMS messages to a premium line number, depending on country.

As you can see for yourself in the following video by SophosLabs researcher Vanja Svajcer, the Andr/Opfake-C malware has been spread via Facebook in the past.

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

Andr/Boxer-A. Similar in terms of functionality to Andr/Opfake-C, this malware poses as a fake installer for an Opera browser update, Skype, Anti-virus software, Instagram and many other popular apps.

Fake anti-virus on Android

Fake Instagram app

The malware may install other malicious Android packages and - predictably - send SMS messages to premium rate services numbers. It attempts to evade detection by adding a random number of images of "witness from Fryazino" therefore making the APK file binary different every few downloads.

It's quite clear that Android malware is a growing problem. If you think it's time to protect your Android smartphone or tablet against the threats, check out the free download of Sophos Mobile Security.

Follow @gcluley

Thanks to SophosLabs researcher Vanja Svajcer for his assistance with this article.



Wednesday, June 20, 2012

SSL certificate safety bolstered by standards that lessen dependence on CAs


Filed Under: Featured, Privacy

2011 was a bad year for certificate authorities (CAs) and the privacy of internet users, as multiple successful attacks against CAs reduced confidence in the basic structure of trust that SSL/TLS depends on.

Last summer Moxie Marlinspike proposed a new system called Convergence that puts the decision about who to trust in the hands of users. There are some technical challenges with Marlinspike's approach and to date not many people have embraced the technology.

Within the last 6 months, two new proposals have come forward that look to make a more gradual, compatible transition away from the current model possible.

One proposed by Google engineers is called Public Key Pinning Extension for HTTP, while another similar idea backed by Marlinspike and Trevor Perrin is called Trust Assertions for Certificate Keys (TACK).

Some browsers like Google's Chrome have already implemented a similar approach called certificate pinning, but the implementation doesn't scale. Chrome ships with a built-in list of public key hashes for a handful of high-profile sites such as Gmail; a certificate chain for one of those sites must contain a pinned key on top of chaining to a trusted CA, so a fraudulent certificate is rejected even when a CA vouches for it.

This is how the DigiNotar CA breach was discovered. Users of Chrome and Gmail in Iran began getting warnings that their traffic was being intercepted by a man-in-the-middle attack through falsely signed certificates.

Hard coding certificates for more than a handful of sites is highly impractical though, and these new proposals address the scalability problem in an elegant way.

Initial contact to an HTTPS server will work the same as it does now, relying on CAs to verify you are talking to the right site. Sites that support the new extensions additionally tell the browser which public key(s) to expect next time: HPKP does this with a Public-Key-Pins response header listing SHA-256 hashes of public keys, while TACK has the site owner sign the server's public key with a separate, long-lived "tack" key that the browser remembers.

Your browser keeps a copy of that information and "pins" it to the site as a known public key that represents it.

Subsequent visits then check the certificate chain presented not only against the CAs, but also against the key(s) you pinned from a previous visit.

This means an attacker wishing to perform a man-in-the-middle attack would not only have to compromise a certificate authority, but also compromise the private key possessed by the web site operator.
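As an added example of the HPKP side of this (my own code, not the proposal authors'), the following parses a Public-Key-Pins header, remembers pins per host with an expiry, and checks later certificate chains against them. The `spki:` byte strings stand in for DER-encoded SubjectPublicKeyInfo blobs and are constructed for the demonstration; real pins hash the actual DER. The backup-pin rule enforced in `remember` is the one later written into RFC 7469: a site must pin at least one key that is not in the current chain, so that losing the live key does not lock its users out.

```python
"""HPKP-style key pinning: parse Public-Key-Pins, remember, check later chains."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinDirective:
    pins: Set[str]
    max_age: int
    include_subdomains: bool = False


def parse_pkp_header(value: str) -> PinDirective:
    """Parse 'pin-sha256="..."; pin-sha256="..."; max-age=N; includeSubDomains'."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_subdomains = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(val, validate=True)) != 32:
                raise ValueError("pin-sha256 must be a base64 SHA-256 digest")
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
            if max_age < 0:
                raise ValueError("max-age must be non-negative")
        elif name == "includesubdomains":
            include_subdomains = True
        # unrecognised directives are ignored, as the draft allows
    if max_age is None or not pins:
        raise ValueError("Public-Key-Pins needs max-age and at least one pin")
    return PinDirective(pins, max_age, include_subdomains)


@dataclass
class StoredPins:
    pins: Set[str]
    expires: float
    include_subdomains: bool


class PinStore:
    """Per-host pin memory, keyed by the host that sent the header."""

    def __init__(self) -> None:
        self._hosts: Dict[str, StoredPins] = {}

    def _lookup(self, host: str, now: float) -> Optional[StoredPins]:
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            entry = self._hosts.get(name)
            if entry is None:
                continue
            if entry.expires <= now:
                del self._hosts[name]          # max-age elapsed: forget it
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def check(self, host: str, chain_spkis: List[bytes], now: float) -> bool:
        """Pin validation for a chain that already passed CA validation.
        True means 'no pin known' or 'a pinned key appears in the chain'."""
        entry = self._lookup(host, now)
        if entry is None:
            return True
        return any(spki_pin(spki) in entry.pins for spki in chain_spkis)

    def remember(self, host: str, header: str, chain_spkis: List[bytes], now: float) -> bool:
        """Note a header from a CA-validated response. Returns False if ignored."""
        d = parse_pkp_header(header)
        present = {spki_pin(spki) for spki in chain_spkis}
        if not d.pins & present:
            return False   # header doesn't match the chain we just saw
        if not d.pins - present:
            return False   # no backup pin: a key loss would lock users out
        if d.max_age == 0:
            self._hosts.pop(host.lower(), None)   # site asks to be unpinned
            return True
        self._hosts[host.lower()] = StoredPins(set(d.pins), now + d.max_age, d.include_subdomains)
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: first visit pins example.com; later visits are checked."""
    now = 1_340_000_000.0                     # roughly June 2012, epoch seconds
    site, backup, inter = b"spki:site-key-A", b"spki:backup-key-B", b"spki:ca-intermediate"
    rogue = b"spki:key-X-in-a-fraudulent-but-CA-issued-cert"
    header = (f'pin-sha256="{spki_pin(site)}"; pin-sha256="{spki_pin(backup)}"; '
              f'max-age=5184000; includeSubDomains')
    store = PinStore()
    store.remember("example.com", header, [site, inter], now)
    return {
        "genuine_leaf": store.check("mail.example.com", [site, inter], now + 1),
        "forged_chain": store.check("mail.example.com", [rogue, b"spki:rogue-ca"], now + 1),
        "rotated_to_backup": store.check("example.com", [backup, inter], now + 1),
        "after_expiry": store.check("example.com", [rogue], now + 5184000 + 1),
    }
```

The forged chain in `demo` is the DigiNotar case: it would pass ordinary CA validation, and only the remembered pin rejects it. Note the two places the scheme is deliberately weak: the very first visit trusts the CA alone, and once `max-age` lapses the browser is back to CA-only trust until it sees the header again.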

Ultimately it lessens our dependence on the security of CAs by putting more power in the hands of web site operators and individuals.

This diversification of trust is a necessary step toward more independent verification of trust and potentially eliminating the need for CAs in the future.

Both proposals are in draft form with the IETF and there are many technical details not covered here. If you want to understand the differences and specifics, I recommend reading the proposals themselves as they are not terribly long.

http://twitter.com/chetwisniewski

SSL Padlock and Push pin images courtesy of Shutterstock.



Tuesday, June 19, 2012

Flame malware used man-in-the-middle attack against Windows Update


Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you're retrieving the update that prevents you from being attacked.

This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks.

What happened? The Flame malware needed a way to silently infect machines in the target environment, without making the mistake of spreading where it shouldn't like Stuxnet did.

Flame-infected computers can be instructed to impersonate a Web Proxy Autodiscovery Protocol (WPAD) server. Windows machines set for automatic proxy detection (the default) look for a host called wpad.(company domain name) and fetch a proxy auto-config script from it that tells the browser when, and through which proxy, to send HTTP requests.

Flame would tell machines on the network that the infected computer was to be used for proxying requests to Microsoft's Windows Update service. Ordinarily this would not work, as Microsoft signs updates with its own code-signing certificates so that a tampered update fails verification and is rejected.

But the Flame authors had discovered a critical flaw in Microsoft's certificate infrastructure. The Microsoft Terminal Server Licensing service is used for license management and authorization in many enterprise environments. Microsoft had been mistakenly issuing certificates for use on these servers that could be used to digitally sign code.

Flame appears to have used one of these certificates to sign its payload and perform a man-in-the-middle attack to inject it onto additional machines on the same network. It isn't clear whether it was a certificate obtained legitimately from Microsoft or whether a weak hash algorithm was attacked.

Two of the three certificates Microsoft revoked in this update used the MD5 hashing scheme. It has been demonstrated in the past that MD5 is prone to collisions, which may have also aided the Flame authors in successfully making it look like the malware was from Microsoft.

Managing encryption, ciphers and digital signatures is no easy task, and a simple mistake like Microsoft accidentally issuing certificates that can be used to sign code, using outdated ciphers, is enough to put everyone at risk.
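The two properties just described, a certificate whose usage is not properly constrained and a signature made with a collision-prone hash, are both things a chain validator can check. The block below is an added example, not code from the original post or from Microsoft: it models a certificate as a small record (no real X.509 parsing) and runs two policy checks over a hand-built chain. The names "Example Root CA", "Example TS Licensing CA", the EKU label `codeSigning` and the algorithm strings are constructed for illustration.

```python
"""Added example: chain policy checks against hand-built certificate records."""
from dataclasses import dataclass, field

CODE_SIGNING = "codeSigning"        # simplified EKU label, not the real OID
WEAK_SIG_ALGS = {"md5WithRSA"}      # MD5 signatures are collision-prone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str                    # algorithm the issuer used to sign this cert
    is_ca: bool
    ekus: frozenset = field(default_factory=frozenset)   # empty: no EKU extension


def check_chain(chain, purpose):
    """chain[0] is the leaf, chain[-1] the trust anchor. Returns a list of
    policy findings; an empty list means the chain is acceptable for `purpose`.

    The EKU rule models how Windows narrows permitted usages down a chain:
    a CA that lists EKUs restricts everything beneath it, while a CA that
    lists none leaves its whole subtree unrestricted. The second case is
    reported as a finding because it is exactly the gap that lets a
    certificate issued for one purpose be accepted for another."""
    findings = []
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            findings.append(f"{child.subject}: issuer is not {parent.subject}")
        if not parent.is_ca:
            findings.append(f"{parent.subject}: issues certificates but is not a CA")
    for cert in chain[:-1]:          # the anchor's self-signature is not checked
        if cert.sig_alg in WEAK_SIG_ALGS:
            findings.append(f"{cert.subject}: signed with weak algorithm {cert.sig_alg}")
    leaf = chain[0]
    if purpose not in leaf.ekus:
        findings.append(f"{leaf.subject}: does not declare {purpose}")
    for ca in chain[1:-1]:
        if not ca.ekus:
            findings.append(f"{ca.subject}: intermediate CA with no EKU restriction")
        elif purpose not in ca.ekus:
            findings.append(f"{ca.subject}: limited to {sorted(ca.ekus)}, cannot issue for {purpose}")
    return findings


# Constructed sample chains (names and algorithms are illustrative only).
ROOT = Cert("Example Root CA", "Example Root CA", "sha256WithRSA", True)

# A licensing CA with no EKU restriction, signing with MD5, whose leaf claims
# code signing: the shape of problem the post describes.
LICENSING_CA = Cert("Example TS Licensing CA", "Example Root CA", "md5WithRSA", True)
LEAF = Cert("Example License Server", "Example TS Licensing CA", "md5WithRSA", False,
            frozenset({CODE_SIGNING}))
BAD_CHAIN = [LEAF, LICENSING_CA, ROOT]

# A properly constrained code-signing chain for comparison.
GOOD_CA = Cert("Example Code Signing CA", "Example Root CA", "sha256WithRSA", True,
               frozenset({CODE_SIGNING}))
GOOD_LEAF = Cert("Example Publisher", "Example Code Signing CA", "sha256WithRSA", False,
                 frozenset({CODE_SIGNING}))
GOOD_CHAIN = [GOOD_LEAF, GOOD_CA, ROOT]

if __name__ == "__main__":
    for name, chain in (("bad", BAD_CHAIN), ("good", GOOD_CHAIN)):
        print(name, check_chain(chain, CODE_SIGNING))
```

Run as a script, the bad chain produces three findings (two weak signatures and one unconstrained intermediate) and the good chain none. Real validators such as CryptoAPI apply the EKU intersection silently; the point of surfacing the unconstrained intermediate as a finding is that an auditor can see where an issuer's scope was never limited.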

The idea of someone with malicious intent impersonating Windows Update has been discussed for years in the security community. It is sort of a nightmare scenario and I suppose it is good news that it was being used in such a limited way.

Few computers were compromised using this malware compared to the impact we would see if traditional opportunistic malware exploited this flaw. Fortunately the average user will now be protected from this attack moving forward.

These certificates can also be used for signing software for Microsoft's Windows Mobile and Windows Phone 7 devices, but no patch is available as of yet.

I think a friend of mine in the local Vancouver security community put it best: "Maybe 'Genuine Microsoft Advantage' should check the *other* side of the transaction?"

http://twitter.com/chetwisniewski

Monday, June 18, 2012

Facebook privacy notice chain letter is a hoax

Sorry folks, but posting a supposed legal disclaimer to your Facebook profile does not alter the Terms of Service (ToS) or privacy policies governing how your content is viewed on Facebook.

Many (dozens!) of Facebook users have submitted tips to Naked Security over the last week alerting us to a new chain letter/hoax circulating among well-meaning Facebook users.

The message reads as follows:

"Facebook is now a publicly traded entity. Unless you state otherwise, anyone can infringe on your right to privacy once you post to this site. It is recommended that you and other members post a similar notice as this, or you may copy and paste this version. If you do not post such a statement once, then you are indirectly allowing public use of items such as your photos and the information contained in your status updates.

PRIVACY NOTICE: Warning - any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the United States Federal Government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other "picture" art posted on my profile.

You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein. The foregoing prohibitions also apply to your employee, agent, student or any personnel under your direction or control.

The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law. UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE. (M)"

Unfortunately, taking control of your online identity is not as simple as making a declaration on your Facebook wall. Using any website to store content or personal details requires compliance with the site's Terms of Service.

These messages are simply another chain letter type hoax pinned upon wishful thinking.

If you are uncomfortable with Facebook monetizing your content or making your content available to the US government you either need to avoid posting the content to Facebook, or more carefully control your privacy settings and hope the authorities don't seek a court order for your information.

If you receive one of these messages from a friend, kindly notify them that it is not legally valid. You might also suggest they check with Snopes or the Naked Security Facebook page before propagating myths.

Follow @chetwisniewski

Terms and Conditions image courtesy of Shutterstock.

Browser wars - Microsoft says IE10 will support Do Not Track by default

Filed Under: Featured, Privacy

On Thursday Microsoft announced that Internet Explorer 10 on Windows 8 will be the first web browser with a Do Not Track feature that's on by default.

Microsoft's Chief Privacy Officer Brendon Lynch explained the move in unequivocal terms:

We've made today’s decision because we believe in putting people first. We believe that consumers should have more control over how information about their online behavior is tracked, shared and used.

Consumers should be empowered to make an informed choice and, for these reasons, we believe that for IE10 in Windows 8, a privacy-by-default state for online behavioral advertising is the right approach.

When the World Wide Web Consortium (W3C) released its first drafts for Do Not Track standards in November 2011 I asked the question Will Do Not Track make a difference to web privacy?

In the article I explained that Do Not Track must be on by default if it's going to have an impact and at that time we just didn't know if that was likely to happen.

...users will need to upgrade to a new generation of DNT compliant browsers to get the ball rolling ... [we] don't know yet if the browser vendors are intending to switch DNT on by default...

Well now we know that one of them is. Microsoft are the first and their decision is important both practically and morally.

Practically the move is significant because it will greatly increase the pressure on websites to start honoring the Do Not Track standard.

Do Not Track relies on two distinct technical steps; web browsers that send out Do Not Track signals (in the form of HTTP headers) and websites that listen for and honor those Do Not Track signals.
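The second of those two steps, the website's side, is the one that sites have to write themselves. The block below is an added example, not code from the original post or from any browser vendor: a minimal WSGI application that reads the browser's `DNT` request header and, when it is set to `1`, declines to set an analytics cookie. The cookie name `analytics_id` and the cookie value are constructed for illustration.

```python
"""Added example: a WSGI app that honours the Do Not Track request header."""
from wsgiref.simple_server import make_server

TRACKING_COOKIE = "analytics_id"   # hypothetical cookie name used for illustration


def dnt_enabled(environ) -> bool:
    """The browser's Do Not Track signal is the request header 'DNT: 1'.
    WSGI exposes it as environ['HTTP_DNT']. Only the exact value '1' is an
    opt-out; anything else (absent, '0', malformed) is treated as no signal."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def app(environ, start_response):
    """Set a tracking cookie unless the client asked not to be tracked."""
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if dnt_enabled(environ):
        body = b"DNT honoured: no tracking cookie set\n"
    else:
        headers.append(("Set-Cookie", f"{TRACKING_COOKIE}=constructed-id; Path=/; HttpOnly"))
        body = b"tracking cookie set\n"
    start_response("200 OK", headers)
    return [body]


def call(environ):
    """Invoke the app in-process (no socket) and return (status, headers, body),
    which is convenient for testing the header logic without a server."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Try: curl -H 'DNT: 1' http://127.0.0.1:8080/  versus  curl http://127.0.0.1:8080/
    with make_server("127.0.0.1", 8080, app) as server:
        server.serve_forever()
```

The check is deliberately strict about the value: the header carries `1` for opt-out and `0` for an explicit opt-in, so treating any non-empty value as an opt-out would misread consenting users, while treating a missing header as opt-out is the browser's decision (the one Microsoft has just made), not the server's.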

So long as the volume of Do Not Track signals being received by websites is low there will be little pressure for them to implement their parts of the Do Not Track standard. Internet Explorer remains a very popular browser and a lot of people are going to end up using IE 10.

The moral impact of this decision is that it will change users' minimum expectations when it comes to trusting their web browsers.

Browser vendors don't really compete on features any more; they compete on performance and trust: the best browser is the fastest, most secure and most private.

All the major browsers already support Do Not Track in one form or another but up until now they have all left it to their users to switch it on.

As long as none of them enabled Do Not Track out of the box then none of them looked any more or less trustworthy as a result. Microsoft's decision to break the status quo makes its competitors look like they have something to hide and that isn't something I think they'll tolerate.

So I'm watching with interest to see how, and particularly how quickly, the other vendors respond.

Windows 8 doesn't have a release date yet but the rumor is that users won't get their hands on it until October.

Meanwhile Mozilla will push out a new version of its Firefox browser every few weeks between now and October. If Mozilla chooses to it can have a browser with Do Not Track on by default and in the wild long before Microsoft.

Although Do Not Track extensions are available for Chrome, Google is not intending to add support into its browser proper until the end of 2012. Even with that shameful bit of heel-dragging they still have enough time to beat Microsoft to the punch.

Google and Mozilla: a little piece of your thunder has been stolen. I dare you to take it back.

Follow @markstockley

Woman with laptop on mountain image, courtesy of Shutterstock.

Sunday, June 17, 2012

Burglars notify Brooklyn police of crimes via Facebook status updates

Just in case police in Brooklyn, New York, weren't aware that it was break-in day, accused burglars notified them via Facebook status update.

Here's the helpful way in which the day's events were posted by Derrin Dyson, one of 14 accused accomplices in a burglary gang known as the "Brower Boys":

"It's break-in day on the avenue."

Unfortunately for the Brower Boys, alleged gang members had unwittingly friended the Brooklyn Police Department's Officer Michael Rodriguez on Facebook.

Rodriguez's beat includes the Crown Heights section of Brooklyn, in which the gang over the past year has allegedly been prolific in activities such as climbing onto roofs, jumping from roof to roof, climbing down fire escapes, entering windows, tying up victims, raping and impregnating one female resident, shooting a male resident, and stealing electronics, which they then allegedly pawned or sold to bodegas and other stores.

One defendant, Terry Walley, 18, is accused of shooting a resident during a burglary.

The indictment, which includes 102 counts, also mentions that Walley got himself shot during the struggle, according to a press release put out on May 30 by the Kings County District Attorney's Office.

A Facebook feed fed clues to Officer Rodriguez in the form of status updates posted on the walls of Brower Boys members.

He didn't have to try particularly hard to fish for these clues, given that the defendants' updates included the likes of this one, from accused burglar Olurabu (aka "Sleepy") Henry:

"going to work."

Given such tip-offs, police were able to videotape several of the defendants climbing in and out of apartment windows, climbing up and down fire escape ladders and stairs, and running across rooftops.

Police videoed the burglaries

Here's one such video of a defendant climbing into and out of a building's top apartment.

The defendants range in age from 13 to 19.

Police Commissioner Raymond Kelly said in a news conference (here's the video, posted by the New York Daily News) that the alleged burglars were too blasé to shut up about their exploits, even after two other Brooklyn gangs were busted for bragging about their exploits on Twitter and other sites.

Some of the Brower Boys even joked that they could be the next targets, Kelly said:

"They talked about the possibility of the Brower Boys being next, and they signed their messages with LOL: laughing out loud. Well, there was one person who was laughing out loud, and that was Police Officer Michael Rodriguez of the 77th Precinct."

Beyond brainless Facebook posting, the accused also allegedly haggled online over the money from selling stolen laptops, Kelly said.

One member did muse that they perhaps should take the conversation offline, Kelly said:

"There was at least one member among the gang friends who didn't have much stock in Facebook's confidentiality, because he posted, 'If they was coming after the Brower Gang, you would all just gave yourselves away.'"

Another gang member retorted, "Don't say that," Kelly said, and then changed his handle from BrowerBoysBodyBags to LowKeyBodyBags.

Is there any better demonstration of why you should be careful of who you friend on Facebook? I think not.

As it is, the American Medical Association has advised doctors not to friend patients, given how risky it is that they might expose confidential patient information or just risk undermining the professional nature of the doctor-patient relationship.

As for the non-medical amongst us, there are scads of stories about creepy would-be friends.

Take this one, from Sophos's Vanja Svajcer: back in February he got a Facebook friend request.

He checked out the person before deciding whether to accept the request.

In doing so, he found out that a link on the user's Facebook profile redirected his browser to a site that automatically downloaded malware onto his Android phone (check out the video).

Obviously, friending can be dangerous, as can bragging online about crimes. Be careful.

And wait. Before you tell us how the police shouldn't have given away their sleuthing procedures and that we likewise shouldn't write about them (as have many commenters on the news coverage), ask yourself this:

If criminals don't already know that police use Facebook, Twitter or other online media, do you really think they're smart enough to figure it out now?

Follow @LisaVaas

Burglar with laptop image courtesy of Shutterstock.

Saturday, June 16, 2012

Online romantics targeted by dating site phishing attack

More and more people are looking for love online.

As a consequence, millions of people have created accounts on online dating websites, which they have filled with personal information and (typically) poorly lit webcam photographs of themselves.

One of the leading dating websites is Match.com, which means that many people might have been tempted to click on the link in this spammed-out email:

Match.com phishing email

Subject: Match.com account verification

Message body:
Our Valued Customer,
You Have 1 New Security Message Alert !
Click here to resolve the problem
Thank you for helping us to protect you.

Yours Sincerely,
Match Online

Fortunately, the bogus website that potential victims are taken to is hardly the most convincing replica of the real Match.com website:

Match.com phishing website

Of course, if you do mistakenly enter your login credentials onto the phishing website, you may not only be handing over control of your dating account to unknown cybercriminals.

They could see if you're one of the many people who use the same password on multiple websites, and explore whether your Match.com password might also unlock - say - your email account.

The bad guys could also line you up for a more convincing targeted attack, using your personal information to lure you into believing you are receiving a legitimate communication from Match.com, perhaps tempting you into clicking a link by showing you possible dates. That link could lead to malware, identity theft or further compromise of your online accounts.

The cybercriminals are not just interested in breaking into your bank accounts. Any information which they can mine from you for monetary purposes, or opportunity to infect your computer, is an attractive goal.

If you're engaged in online dating you're advised to take steps to protect yourself, and are wise to look before you leap. The same should be true if you want to avoid being phished. Always be wary of unsolicited email messages, and think before you click.

Follow @gcluley

Hat tip: Thanks to Naked Security reader Kevin for bringing this phishing campaign to our attention.

Mouse cursor on heart image courtesy of Shutterstock.

Friday, June 15, 2012

Ex-MI5 boss loses laptop at Heathrow airport

Stella Rimington, the former Director-General of MI5 (Britain's Security Service), has had her laptop stolen, according to media reports.

Dame Stella Rimington made the headlines in 1992 when she was publicly named as the first female chief of MI5, and is believed to have inspired Judi Dench's casting as spy chief "M" in the James Bond films. Dame Stella has since carved herself a career as a spy novelist.

The former boss of MI5 was said by The Sun newspaper to be "very upset" by the theft which occurred as she left Heathrow airport last Tuesday.

The Metropolitan Police's SO15 Counter-Terrorism division is reported to have been informed because of possible security concerns.

Although Dame Stella retired from MI5 in 1996, the concern will be that she may still have the contact details of former colleagues, and no doubt the authorities will want to quickly determine if strong passwords and encryption were in place on the laptop.

And that's an important consideration that all of us should bear in mind.

Chances are, of course, that whoever stole Dame Stella's laptop was not targeting her specifically and is more interested in selling the computer down the pub than attempting to uncover any secrets on her hard drive.

Three years ago, newspapers claimed that the incoming head of Britain's MI6 secret intelligence service, Sir John Sawers, could have had his security put at risk after his wife made publicly accessible posts on Facebook.

Follow @gcluley

Image source: www.stellarimington.com

Wednesday, June 13, 2012

Stuxnet: How USA and Israel created anti-Iran virus, and then lost control of it

There is a simply fascinating report in today's New York Times describing how the Stuxnet virus was created by the USA to target an Iranian nuclear facility, but accidentally escaped into the wider world.

New York Times article

The report comes from David E. Sanger, the Chief Washington correspondent at The New York Times and author of the upcoming book "Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power".

Here is a quick summary of the claims made in the report:

David Sanger says his account of the American and Israeli attempt to undermine Iran's nuclear program with malware is based upon interviews with current and former officials who were involved in the operation. None of them have allowed their names to be published.

We've reported before on how US defence chiefs have squirmed when quizzed about whether America was responsible for writing Stuxnet, and according to Sanger the operation remains highly classified.

One thing seems certain. Stuxnet is old news. Even the recently discovered (and much hyped) Flame malware isn't an effective weapon today. There seems little doubt that state-sponsored cyberweapons (if that is indeed what Stuxnet was) continue to be developed - and chances are that it's not just the USA and Israel who are developing them, but other developed countries too.

Read the full story on the New York Times website. It certainly makes for fascinating reading.

http://twitter.com/gcluley

Tags: barack obama, Cyberwarfare, George W Bush, Iran, israel, Malware, Natanz, New York Times, Olympic Games, Stuxnet, usa

Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode

SophosLabs has been monitoring a new strain of the infamous ZeroAccess rootkit that has been hitting the internet over the last few weeks.

ZeroAccess is a sophisticated kernel-mode rootkit that enslaves victim PCs, adding them to a peer-to-peer botnet from which they receive commands to download other malware. The rootkit has undergone several revisions since its inception but this new version represents a major shift in strategy.

All previous versions have employed a kernel-mode component on 32-bit Windows. However, under 64-bit Windows there was no kernel-mode component - ZeroAccess operated entirely in user-mode memory.

And operating entirely in user-mode is exactly the shift in strategy that this new version employs.

ZeroAccess no longer has any kernel-mode component. Instead, a DLL is loaded into services.exe and explorer.exe and all functionality is performed inside those processes.

The previous generation of ZeroAccess would maintain reboot persistence by overwriting a Windows driver. This version uses the registry to ensure it will start again at the next boot.

ZeroAccess will create two files on an infected machine, either of which can launch the Trojan:

%WINDOWS%\installer\{GUID}\n

%profile%\local settings\application data\{GUID}\n

These two files are launched through the registry by hijacking an existing COM object and by abusing the load order of user COM objects under Windows.

The first file is launched by hijacking a COM object associated with WMI. The following registry entry is changed so that the malicious ZeroAccess DLL is loaded in place of the legitimate wbemess.dll:

HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32

Correct value:

%systemroot%\system32\wbem\wbemess.dll

Hijacked value:

\\.\globalroot\systemroot\Installer\{e051c979-bddd-5d1f-8953-4b8c940e9b4d}\n.

The second file is launched by creating the following COM object:

HKCU\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}

This object points to the file at:

%profile%\local settings\application data\{GUID}\n

This will ensure that the DLL is loaded because a legitimate COM object exists at:

HKCR\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}

This COM object belongs to MruPidlList, which will load shell32.dll on Windows 7 and shdocvw.dll on Windows XP.

Because the COM object that ZeroAccess creates is a user object, Windows will load it before the legitimate object located in the registry under HKCR. The real benefit of this approach is that it will work under both 32 and 64-bit versions of Windows.
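Both persistence tricks above leave a footprint in the registry that can be audited offline: an InprocServer32 value under HKCR pointing somewhere a system DLL would never live, and a per-user CLSID under HKCU that shadows a machine-wide one. The block below is an added example, not code from the original post or from SophosLabs: it parses a small registry export in .reg format and applies those two checks. The export text is constructed for illustration; it reuses the CLSIDs and the hijacked path quoted in the post, and the remaining entries (the user profile path, the `{00000000-1111-...}` CLSID and `ext.dll`) are made up.

```python
"""Added example: find COM InprocServer32 hijacks in a .reg export."""
import re

# Constructed sample export (not a capture from a real machine). The two
# CLSIDs and the \\.\globalroot path are the ones quoted in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\\\.\\globalroot\\systemroot\\Installer\\{e051c979-bddd-5d1f-8953-4b8c940e9b4d}\\n"

[HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="%SystemRoot%\\system32\\shell32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\{e051c979-bddd-5d1f-8953-4b8c940e9b4d}\\n"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Example\\ext.dll"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

HKCR = "HKEY_CLASSES_ROOT\\CLSID\\"
HKCU = "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\"
SUFFIX = "\\InprocServer32"


def parse_reg(text):
    """Return {key_path: default_value} for keys whose default value (@) is a
    string. Only the subset of .reg syntax used by COM registrations is handled:
    [key] headers and @="..." lines with \\ and \" escapes."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            entries[current] = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
    return entries


def inproc_servers(entries, prefix):
    """Map lower-cased CLSID -> InprocServer32 path for one hive view."""
    out = {}
    for key, value in entries.items():
        if key.upper().startswith(prefix.upper()) and key.upper().endswith(SUFFIX.upper()):
            out[key[len(prefix):-len(SUFFIX)].lower()] = value
    return out


def suspicious_path(path):
    """Heuristics drawn from the persistence technique described in the post."""
    p = path.lower()
    reasons = []
    if p.startswith("\\\\.\\globalroot"):
        reasons.append("device-namespace path (\\\\.\\globalroot)")
    if not re.search(r"\.(dll|ocx|ax)$", p):
        reasons.append("module without a library extension")
    if re.search(r"\\\{[0-9a-f-]{36}\}\\[^\\]+$", p):
        reasons.append("module stored directly under a GUID-named folder")
    return reasons


def find_com_hijacks(text):
    """Return (clsid, hive, reason) triples for every suspicious registration."""
    entries = parse_reg(text)
    machine = inproc_servers(entries, HKCR)
    user = inproc_servers(entries, HKCU)
    findings = []
    for clsid, path in machine.items():
        findings += [(clsid, "HKCR", r) for r in suspicious_path(path)]
    for clsid, path in user.items():
        if clsid in machine:
            # Per-user classes are consulted first, so this entry wins over HKCR.
            findings.append((clsid, "HKCU", "per-user registration shadows a machine-wide CLSID"))
        findings += [(clsid, "HKCU", r) for r in suspicious_path(path)]
    return findings


if __name__ == "__main__":
    for clsid, hive, reason in find_com_hijacks(SAMPLE_REG):
        print(f"{hive} {{{clsid}}}: {reason}")
```

On the sample, the WMI CLSID is flagged three times for its hijacked path and the MruPidlList CLSID three times for the shadowing HKCU entry, while the ordinary `ext.dll` registration is left alone. On a live system the same checks can be run against `reg export HKCR\CLSID` and `reg export HKCU\Software\Classes\CLSID` output; the shadowing check on its own produces noise from legitimate per-user installs, which is why it is paired with the path heuristics.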

The peer-to-peer protocol used by the ZeroAccess botnet has also changed. Previously all communications were RC4 encrypted using a fixed key. The main encryption algorithm is now much simpler: a DWORD XOR is applied with a key that is adjusted on each round:

rol loop
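A rolling-key XOR of this shape is obfuscation rather than encryption: it is its own inverse, and one known plaintext DWORD gives away the initial key. The block below is an added example, not code from the original post or from the malware: it implements a DWORD XOR whose key is rotated left after every round and shows the known-plaintext recovery. The post only shows that the key is rotated each round; the 1-bit rotation step, little-endian DWORDs and the use of the 'getL' command text as the known plaintext are this example's assumptions.

```python
"""Added example: DWORD XOR with a left-rotated running key, and key recovery."""
import struct

MASK32 = 0xFFFFFFFF


def rol32(x, n):
    """Rotate a 32-bit value left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def xor_dword_rol(data: bytes, key: int, rot: int = 1) -> bytes:
    """XOR each little-endian DWORD with the running key, then rotate the key
    left by `rot` bits before the next DWORD. Symmetric: applying it twice with
    the same key restores the input. Assumption: a 1-bit rotation per round."""
    if len(data) % 4:
        raise ValueError("input must be a whole number of DWORDs")
    out = bytearray()
    k = key & MASK32
    for (dword,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", dword ^ k)
        k = rol32(k, rot)
    return bytes(out)


def recover_key(ciphertext: bytes, known_plaintext_dword: bytes) -> int:
    """Known-plaintext recovery of the initial key from the first DWORD alone.
    Because every later key is a fixed function of this one, that single DWORD
    unlocks the whole message, which is why this scheme offers no confidentiality
    against anyone who knows (or guesses) the command header."""
    c = struct.unpack("<I", ciphertext[:4])[0]
    p = struct.unpack("<I", known_plaintext_dword)[0]
    return c ^ p


if __name__ == "__main__":
    # Constructed message: a 'getL' header followed by 12 zero bytes.
    message = b"getL" + b"\x00" * 12
    secret = 0x12345678                       # constructed key
    wire = xor_dword_rol(message, secret)
    guessed = recover_key(wire, b"getL")
    print(hex(guessed), xor_dword_rol(wire, guessed) == message)
```

The recovery step is what a network analyst relies on when writing a decoder for captured peer traffic: once the header command is known, the rest of the message follows with no further guesswork.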

The actual commands involved in the protocol have been slightly modified too.

The previous version would start by issuing a 'getL' command to each peer contained in its bootstrap file of peers. The command is issued over TCP and usually to one of ports 22292, 34354, 34355, 21810.

The remote machine would then respond with a 'retL' command that contained its own list of peers and a listing of files that the bot has downloaded. The new bot would then check the list of files and download any new files by issuing a 'getF' command. These files are signed with a 512-bit RSA key:

old filer

The new version also starts by issuing a 'getL' command. But this time the command is sent out over UDP, the port numbers being used are different and the structure of the command header has changed.

The remote peer still sends back a 'retL' command, this time over UDP, and this time the file information is accompanied by a signature produced by a new 1024-bit RSA key. Now, instead of sending a 'getF' command to the remote peer to retrieve files the local peer doesn't already have, the local peer simply sends the encrypted file information (filename, length and timestamp value) to the remote peer over TCP, on the same port number on which the UDP communication took place.

The remote peer then sends back the file encrypted with RC4 and a key derived from the file information:

new filer

This new version of ZeroAccess is being aggressively distributed through the normal mechanisms (drive-by downloads, fake keygens and fake game downloads), and new samples of the old variant have all but dried up.

It's clear that the malware's authors have decided on a more unified approach to supported platforms and to change the footprint of ZeroAccess both on infected machines and on infected networks.

This is most likely due to the increased attention that this malware family has been receiving from security companies. But as more and more people are using 64-bit machines, it also makes sense for malware authors to focus on that platform, so maintaining a complicated kernel-mode component that only works on 32-bit systems seems less and less cost effective.

The goal of ZeroAccess remains the same: to download further malware onto the infected machine. The types of malware we are seeing downloaded are broadly the same, click fraud and spam bots, although a Bitcoin miner has now been added to the mix.

SophosLabs will continue to monitor this threat and protect our customers. For more background information on ZeroAccess, be sure to read the technical paper we published earlier this year.

Follow @SophosLabs

Laptop with red bacteria image courtesy of Shutterstock.

Monday, June 11, 2012

Google wins, Oracle loses: Java API case closed - for now

The monster court case between Oracle and Google over copyright in the Application Programming Interface (API) of Java has concluded.

Oracle sued Google, accusing the search giant's Android platform of infringing the Java-related copyrights and patents that Oracle acquired when it bought Sun in late 2010.

Oracle lost; case closed.

The conclusions of the court, in a lawsuit described in the judgment as "the first of the so-called 'smartphone war' cases tried [in front of] a jury", seem clear enough. As clear, at least, as judicial prose can be to a lay reader.

Briefly put, Oracle's legal points seem to have been along these lines:

* Google didn't copy Oracle's code wholesale, but instead came up with its own implementations of the 37 Java API packages.

* Nevertheless, Google replicated the structure, sequence and organization of the overall code for those 37 API packages.

* The structure, sequence and organisation of those 37 API packages was copyrightable and thus Google infringed.

Taking Oracle's side, you might think that the inventor of a programming environment should enjoy protection over the API itself. After all, isn't the API part of the overall smarts of the system?

If you think of it as the entrance lobby of the building that is your codebase, then it's part of the complete edifice and thus as much private property as the corridors and offices themselves.

Taking Google's side, though, you might argue the other way around. The API isn't a strictly-private entrance lobby, but the public-facing doorway into the building: the part which actually opens onto the street.

The invention is the codebase represented by the building into which the doorway opens, not the doorway and the street frontage itself.

The judgment takes the latter viewpoint:

So long as the specific code used to implement a method is different, anyone is free under the Copyright Act to write his or her own code to carry out exactly the same function or specification of any methods used in the Java API. It does not matter that the declaration or method header lines are identical. Under the rules of Java, they *must be identical* to declare a method specifying the same functionality - even when the implementation is different.

When there is only one way to express an idea or function, then everyone is free to do so and no one can monopolize that expression. And, while the Android method and class names could have been different from the names of their counterparts in Java and still have worked, copyright protection never extends to names or short phrases as a matter of law.

Independent developers will no doubt welcome this judgment.

After all, if you're a software vendor trying to grow your business, persuading programmers to learn and write code for your API is what it's all about. The more clients who can connect to your service, the better. But once you've grown your business, there's something unappealing about being able to use the API alone to keep your clients locked in to your implementation.

Having someone rip off your implementation is clearly unacceptable. But being able to coast along with your current codebase whilst locking out competition doesn't really help anyone.

As long as independent software developers are free to challenge you by "building a better mousetrap" - one which is not a clone or a copy, but which does the same tasks in a better way - then you'll be under some sort of commercial pressure to continue to improve your own codebase.

If nothing else, this sort of pressure is good for security.

The proliferation and commercialisation of vulnerabilities and exploits over the past few years - sometimes in code which has been around for ages - gives weight to the argument that no widespread software system should ever be left unmaintained and unimproved.

Follow @duckblog

PS. Remember I said "case closed" above? For now, at any rate, the battle is over. According to The Verge, however, war remains declared:

* Google. "The court's decision...[represents] a good day for collaboration and innovation."

* Oracle. "This ruling, if permitted to stand, would undermine the protection for innovation and invention."

So an appeal seems likely. Wouldn't it be nice, though, if even a fraction of those lawyerly costs were spent on security and privacy instead?

Saturday, June 9, 2012

Take a 666 chill pill: 'Barcode at birth' author was just joking

Filed Under: Featured, Privacy

First item: science fiction writer Elizabeth Moon does not believe that all humans should be subcutaneously RFID chipped at birth.

This is contrary to what Slashdot contributor Bob the Super Hamste wrote last week.

It's not surprising that Bob the S.H. might come away from listening to the BBC "60 Second Idea to Improve the World" radio segment on Future Wars, for which Moon was one of three guests, thinking that Moon espoused the idea of everyone getting chipped or barcoded at birth, her reasoning being that it would prevent identification mistakes and even allow soldiers to identify combatants from non-combatants.

After all, that's what Moon said.

In doing so, she set off a firestorm of outrage, with hundreds of BBC Future Facebook page commenters alluding to the Nazis already having done it at Auschwitz, Dachau and Buchenwald.

Part of the debate on Facebook

From there, things got out of control. Rational outrage over Big Brother spiraled into nutty outrage over the Mark of the Beast supposedly being represented in UPC barcodes.

How do I know Elizabeth Moon isn't espousing Nazi-like Mark of the Beast chipping or barcoding, particularly given that she actually voiced support for such identification, which she would require if she were, in her words, "Empress of the Universe"?

Because I came across one lone voice of reason in the tidal wave of Facebook commenters. That voice of reason pointed to Elizabeth Moon's blog, in which the author explained how ludicrous it would be to take it all seriously.

Elizabeth Moon. Photo credit: Nancy Whitworth

As Moon explains it, the format of "The Forum" includes a 60-second "idea to change the world" segment. She was told it was the "entertaining, fun part" of the show.

She interpreted that to mean "light-hearted interlude." The BBC asks participants to come up with an idea, "however impractical, impossible, unnecessary, and/or undesirable," she writes.

The BBC staff picks an idea, and the person whose idea it was is then expected to present and defend it.

Moon actually came up with two ideas: the one about chipping, and another one about explosives that degrade into fertilizer instead of hanging around for years waiting to blow people up.

Her description of this idea:

"The other idea was time-limited munitions that wouldn't hang around for years being a hazard for anyone who walks across the ground...though as it was near midnight by then, and I'm a morning person, the complete concept of this didn't hit me until early morning. (Nitrogen-based explosives could be set - one way or another - to degrade to fertilizer. Could be controlled either by departing forces initiating the degradation or environmentally modulated. Maybe 'land-mine-casing-eating bacteria'??)"

Moon was taken aback when people actually took the chip-at-birth idea seriously:

"Seriously...you thought it was for real? … The term 'Empress of the Universe' wasn't a clue that this was a science fiction writer making something up?"

Click. Image courtesy of Shutterstock

Which all leads us to the second item, directly related to the first: sometimes, journalists need to fill rigidly formatted little segments.

Typically, they want the material to be incendiary, since that will garner substantial page views. I refer to such material as "click candy."

Critical thinking doesn't fan the flames of viral outrage. Critical thinking doesn't lead to massive page views.

Critical thinking is apparently a tendency of the minority, given that even after the Facebook commenter had posted an admonishing note about Moon having made it all up, the 666-ers ignored him or her and continued to squawk.

Should all humans be chipped? There are solid reasons to implant data about medical history, medications, allergies and contact information for those with chronic medical conditions.

Are we there yet? No. Issues remain, including microchips leading to cancerous tumors at the site of implant, as well as other adverse tissue reaction and potential chip migration.

As far as the Mark of the Beast goes, fortunately for the internet, Sophos is on top of all matters Satan-related.

Paul Ducklin, from Sophos's Tribunal of the Holy Office of the Inquisition - oh, dear, I beg your pardon, that's a typo; Paul is actually Head of Technology, Asia Pacific - owns and, evidently, can read a Greek New Testament.

With said holy book, he has shed light on the appropriate Satanic usage of the number 666 in product version numbering and therefore, if you'll allow me to extrapolate, in human bar coding.

Sophos Anti-Virus 6.6.6

To wit: in 2009, Sophos released Sophos Anti-Virus for Linux (SAV) version 6.6.6, precipitating a move by product management to ascertain whether the company was shipping anti-virus marked with the Number of the Beast.

As it turns out, 666 is actually the number not for Satan him- or her-self (I am not convinced Satan has a gender and tend to associate the fictional entity more with, say, convoluted privacy policies), but for the name of the beast.

Here's what Duck told spooked product managers at the time:

"Product Managers, you may stand down from satanic alert. Firstly, 666 is properly the number of the name of the beast. I challenge you to make a numerological connection - or, indeed, any other sort of connection - between the text 'Sophos Anti-Virus for Linux, September 2009' and the number 666 (and, anyway, the beast is a man, not a computer program). Secondly, the tag we've given to SAV for Linux this month is not the number 666, but the text string 6.6.6."

Likewise, the beast is a gaseous emission, or perhaps a privacy policy, or maybe then again a man romantically involved with Saddam Hussein if you watch South Park, but most definitely not a barcode.

In short: let's leave Elizabeth Moon alone. She wasn't serious about chipping everybody.

A good lesson to take away from this goofball, faux controversy is that the world of security and privacy breeds sensationalistic headlines.

Unfortunately for Ms. Moon, internet hyperbole tends to have a longer shelf life than the quiet voices of reason, because quiet voices of reason don't culminate in click candy headlines and viral outrage.

But for her sake, let's hope that history gets it right.

Follow @LisaVaas

Barcode on forehead and click images courtesy of Shutterstock.
Elizabeth Moon photo credit: Nancy Whitworth

