The largest ongoing legal computer hacking trade event in the USA is no doubt Defcon, It's in its 14th year and running in Las Vegas this week. According to news reports, about 6,000 people will attend the Black Hat and Defcon conference, which runs Wednesday through Sunday.
This presentation caught my eye
Greg Conti, a computer science professor at the United States Military Academy, prepared a report that shows just how much information free Web services such as Google Inc. and Yahoo Inc. have about typical Internet users.
He wrote a program that allows anyone to see the kind of personal details including a complete list of every search item ever entered, every location surveyed on a map, and entries put in electronic calendars routinely stored by such sites.
"I was shocked, and I think other people will be shocked, to learn the information they've been handing over," Conti said in an interview ahead of his presentation. "What we're doing is implicitly trusting a handful of companies with a tremendous amount of our personal information."
see more here .
Significance: why it's important?
It's bad enough, that we now have Intelligent Agents roaming the net looking for any signs of an email address. This is used to generate email lists for spammers. Now it's merely an annoyance and time waster for many --deleting unwanted spam email that still gets through your spam filters.
From Mal-ware to SUPER BAD ware or Theftware
Now from another security conference, one team of university security experts are predicting the ultimate digital bad boy; a stealthy programmable intelligent intrusion engine or agent or what I simply call --a theft engine or Theftware. No point beating around the bush since that's what it is. I'm concealing the information for obvious reasons ---not to let too much out of the bag. If I found it, so could the bad guys if they tried... so don't write to me asking for more details because I won't respond to you on this issue, unless you are from the authorities.
The abstract of their presentation reads as follows:
“ A network is not secure unless it can ensure the three basic security concepts; confidentiality, integrity and availability… [..]… Here we show a highly personalized attack by the use of specialized [intelligent] agents whose purpose is to search and transmit specific information from a private network without authorized access.”
If that idea doesn't scare you enough, read on...
"This information may be in the form of a competitor’s marketing strategy, customers’ personal details, true financial status of an organization or any other information. We discuss that such an agent and its activity is different from common malware, describe its characteristics and design and show that such a scenario is a real possibility. We also discuss the related issues and the alarming effects posed by such an agent. It is possible that the agent we are discussing may already be in existence but is unreported."
My hunch. I bet this stuff already exists. Maybe even developed by government? Several foreign governments had been quietly hiring hackers en masse since 2004, so we should be seeing the fruits of their efforts by now. This is an obvious evolutionary target for malware.
We often forget that all technology is a double-edged sword, with positive and negative impacts. I mentioned this worst case scenario during my talk on The perils and promises of Smart Technologies at the WFS.org conference in Toronto. Several corporate execs came up to me later, quietly admitting that this was a distinctly plausible scenario, if indeed, it already doesn't exist.
....come to think of it, if I was in the spy game or the anti-terrorist game, this could become an irrestable tool set for goverment and military types too.
It also seems that your PDAs such as your Backberry devises are vulnerable according to New Scientist yesterday.
As well, your peripheral devices are at risk, due to a recently created Trojan called a Jitterbug. Researchers from the University of Pennsylvania School of Engineering and Applied Science warn against an entirely new threat to computer security: peripheral devices – such as keyboards, mice or microphones – which could be physically bugged in an attempt to steal data. Penn graduate student Gaurav Shah has identified a class of devices that could covertly transmit data across an existing network connection without the user's knowledge.
Jitterbugs are named for both the way they transmit stolen data in "jittery" chunks by adding nearly imperceptible processing delays after a keystroke and for the "jitters" such a bug could inspire in anyone with secure data to safeguard.
RFID chips appear to be vulnerable to worm attacks too.
Update: Aug 15, 2006
Forrester Research issued a security warning in their latest research report on RFID.
August 15, 2006
Anyone Who Says RFID Is "Completely Secure" Is Selling Something
What You Should Know About RFID Security To Protect Your Business
by Paul Stamp
EXECUTIVE SUMMARY
Radio frequency identification (RFID) technology is not mature enough yet to protect your company secrets. Weak security protocols risk compromising your infrastructure, and any business looking to implement RFID should review the inherent security risks of today's RFID systems. RFID will inevitably bring changes to business processes, and adopters need to anticipate the potential threats that can arise with these new changes and know the limitations of their RFID systems. As with any system, start by considering your need for confidentiality, integrity, and access to your RFID devices and data. If you can't maintain your security standards with the currently available hardware, wait until your RFID manufacturer improves its devices before you implement your system.
To purchase the report go here
Hang on to your hats...we are entering fun and interesting times. A little anticipatory scenario planning wouldn' t hurt the banking, insurance and medical sectors, who are likely to be primary targets of this theft engine technology. This would be disaster, say for any bank who became a vicitim of this type of attack. Once public, we would surely witness a run on deposits first thing next morning.
© 2005-2006
Expert, Consultant and Guest Speaker on emerging Smart Technologies, Strategic Planning, Business Development, Lateral Creative Thinking and author of an upcoming book on the Smart Economy "
To arrange for an in house presentation on smart technology see here
To explore the opportunities and threats of any new smart technology in your industry - Contact Me or explore how we can work together
.....Strategy without action is a day-dream; action without strategy is a nightmare"- old Japanese proverb
.......Ours is the age that is proud of machines that think and suspicious of men who try to. - H. Mumford Jones
"Without changing our patterns of thought, we will not be able to solve the problems we created with our current pattern of thought." A. Einstein
P. S. if this is your first visit to my blog, please go to our Welcome page
The August 2006 report from Canada’s Mounties describes malware’s shift from distributed destructiveness to targeted fraud. The fraud is growing fast, very fast, in most if not all sectors. Underpinning the fraud is ID abuse in which persons or organizations pose as something or someone they are not.
ID abuse threatens healthcare because it exposes patients not only to fraud, but also to health harm—like lethally incompatible blood transfusions enabled by electronic health records corrupted by ID abuse.
Thanks to effective lobbying, governments in many countries strongly believe that electronic health records are the solution to the enduring challenge of patient safety, among other things. In their enthusiasms, though, they’re playing down or ignoring ID abuse as a major threat to healthcare and the safety of its patients.
Is it time for the IT community to start asking tough questions about the security of electronic health records relative to the ID abuse risk?
Posted by: Gordon Atherley | August 16, 2006 at 02:25 PM