CF2 TechNotes Blog
http://www.cf2group.com/technotes
News and Opinions on Emerging Technologies and Products
Thu, 28 Aug 2008 18:26:39 +0000

A Critical Security Post for an Election Year
http://www.cf2group.com/technotes/2008/01/27/a-critical-security-post-for-an-election-year/
Mon, 28 Jan 2008 04:38:55 +0000, curtis_franklin

There never seems to be a shortage of bureaucrats eager to take away our freedom by invoking security. In most cases, their proposed actions do absolutely nothing to promote real security, but do a great deal to make it easier to control and oppress the public.

I cover security, but it takes a real expert to make a convincing case against the proponents of fake security. Bruce Schneier has made a powerful case in his latest Wired blog post. The most important point he makes — and this is critical — is that the "choice" so often offered between security and privacy is not a choice that need be made. In most cases, the acts and systems that provide security don’t impinge on freedom and privacy.

We haven’t seen candidates asked questions about this in any meaningful way, but perhaps it’s past time for that to change. The way the next administration views privacy and security will have a significant impact on our lives for years to come.

Another PCMag.com Article
http://www.cf2group.com/technotes/2007/07/03/another-pcmagcom-article/
Tue, 03 Jul 2007 20:48:49 +0000, curtis_franklin

The second article for PCMag.com is on Voice over IP (VoIP) security. Like most technologies, there are risks that go along with the benefits. Head over to the article to check out what some of the experts are saying about what you should do to protect your network if you’re deploying VoIP.

Stupid Extortion Attempts
http://www.cf2group.com/technotes/2007/03/23/stupid-extortion-attempts/
Fri, 23 Mar 2007 22:20:22 +0000, curtis_franklin

I’ve known for a while that criminals had moved into extortion for their nasty cyber games. Today, though, I got my first extortion e-mail. It had all the grace and cunning of your average Nigerian scam letter, but with humorous mis-spellings and grammar manglings thrown in for flavor. It read:

hello friend

    first,i am sorry i am not a good man,I am a computer hacker,so when you seeing this email,your computer Already infected my virus.

    i want nothing,i just want a few money,so you must send 150 US dollar to my e-gold  (http://www.e-gold.com) account.

    if you dont do this, I will activate my virus in a week, then your computer will be able to be paralysed and to appear the pornographic procedure.

    this is not a joke,think about it.

    check this link to send money to me:   http://XXXXXXXXX.com

    i just can only wait you 5 days

          when you send money to me,call me at: jznglskq@gmail.com

              see you very soon

I’ve redacted the link to send money, but I’ve left the poor schmuck’s e-mail address. This sort of e-mail should forever put to rest the “all computer criminals are geniuses” meme. Needless to say, there was no malicious payload (unless you count bad grammar), and no one should ever respond to something like this.

I have left a message for the eGold security team–it should be interesting to see if they get back in touch with me. If they do, I’ll let you know.

Another Day, Another Attack
http://www.cf2group.com/technotes/2007/02/07/another-day-another-attack/
Wed, 07 Feb 2007 16:31:52 +0000, curtis_franklin

There has been another attack on the Internet’s root DNS servers. This one would have passed unnoticed by most Internet users, because it was targeted against only a few of the servers. There are some interesting charts of the traffic levels generated by the attacks…you can see the spikes in messages that each server must cope with.

Instapundit properly, I think, identifies these as practice attacks. In that regard, they’re no different than hundreds of other attacks that take place against institutions, routers, and servers each week. The attacks are designed to show proof of concept for exploiting new vulnerabilities, and to allow the attacker to watch the response–the better to design attacks that can operate longer without an effective response.

Here’s my fearless prediction of the day: There will be a hit that people notice, because it makes some significant part of the Internet unavailable for a period of time. We’ve seen it before. I suspect that the next time, though, the Internet attack will be to facilitate or distract from some other attack, quite possibly against financial or economic infrastructure targets. This is old news to Internet security folks, but we still don’t see the level of information sharing and response coordination between different security areas that we should. It’s time more people took these reconnaissance attacks seriously–and time we started learning as much from them as hackers do.

Cisco Security
http://www.cf2group.com/technotes/2007/01/25/cisco-security/
Thu, 25 Jan 2007 19:44:42 +0000, curtis_franklin

Back at the beginning of the month, I wrote about the problems that security holes in Cisco software could present. Now we get word that new vulnerabilities have been found. These latest issues, detailed by US-CERT, could allow outsiders to run your routers. Trust me, if you don’t know why this is very bad, then you don’t need a router.

Cisco has issued a security alert about each of the vulnerabilities, and has made patches available. If you’re in a company with a “we never patch our router” policy, it’s well past time that you changed your policies and procedures. If you don’t have Cisco routers in your infrastructure, don’t get complacent. Cisco is a target for folks looking for vulnerabilities for the same reason Microsoft is a target: it’s where the big numbers are. That doesn’t mean that other equipment doesn’t have vulnerabilities. You should be checking for software and firmware updates to your network infrastructure on a regular basis, whether you’re supporting the network for a large company or a small family. The risks are just too great to let this one slide.

The CNet story referenced above isn’t the only coverage of this. You might find it interesting to look at ComputerWorld’s take from the IDG News Service; a take from Light Reading; and a view from The Register that ranks the severity of the vulnerabilities.

A Most Imperfect Storm
http://www.cf2group.com/technotes/2007/01/19/a-most-imperfect-storm/
Fri, 19 Jan 2007 21:35:40 +0000, curtis_franklin

When I read the name “Storm Worm” my thoughts run to Dune, but the news out of Europe doesn’t have a noble component. The malware writers have become more aggressive and more timely with a worm that’s hit hundreds of thousands of users in the last 24 hours.

The Storm Worm hit European users on the heels of a severe winter storm. Attached to an e-mail message with the subject “230 Dead as Storm Batters Europe”, the worm will turn an infected computer into a zombie on a botnet, or allow personal data to be stolen from the system. Time worked to the advantage of most North American computer users–many system administrators had placed the subject and payload into blocking filters by the time the Atlantic Seaboard hit office hours.

What’s the takeaway? This worm, like so many others, relied on social engineering, rather than a flaw in the operating system or application, to compromise a computer. Anti-malware software can help, but computer security begins with understanding how the bad guys will try to use a weakness in front of the keyboard to gain access to a computer. Don’t open attachments or click on links in an e-mail message if you aren’t absolutely certain about the originator. Pick up the phone to call and verify if you need to–your computer, and those of many other users, will thank you for the effort.
