Security group ranks human error as top security worry

Paller’s organization compiles an annual report on the top to Internet security targets. This year “human vulnerabilities” will make their first appearance on a list that is typically made up of software products like Internet Explorer, databases, and file sharing applications. That’s because the human factor is being exploited in a growing number of targeted attacks as more and more online criminals come online in Eastern Europe and Asia, Paller said.

[T]he U.S. Military Academy at West Point [studied] a group of 512 cadets, selected at random for a test called the Carronade. The cadets were sent a bogus email that looked like it came from a fictional colonel named Robert Melvillle, who claimed to be with the academy’s Office of the Commandant (The real Robert Melville helped invent a short range naval cannon called the Carronade nearly 250 years ago).

“There was a problem with your last grade report,” Melville wrote, before telling the cadets to click on a Web page and “follow the instructions to make sure your information is correct.”

More than 80 percent of the cadets clicked on the link, according to a report on the experiment.

Worse still, even after hours of computer security instruction, 90 percent of freshmen cadets still clicked on the link.

Here is an interesting article from The Register on data mining and how it can be used for commercial and government purposes.

“I have nothing to hide” – or the Sainsbury’s Lesson

How frightened would you be if you were secretly planning to get pregnant, without telling your husband, and discovered that someone had written to him telling him about it? Or, put the other way, how would you feel if you discovered your wife was pregnant only when someone dropped you a letter?

This is a scary article about the power of “bots” to bring down parts of the Internet, and the implications for business.

Wired 14.11: Attack of the Bots

The latest threat to the Net: autonomous software programs that combine forces to perpetrate mayhem, fraud, and espionage on a global scale. How one company fought the new Internet mafia – and lost.

New Scientist Tech

Behavior profiling is an interesting area with a lot of potential, but there are a lot of problems.

This article describes a system that automatically monitors surveillance cameras and attempts to infer the patterns of behavior seen in the footage. The striking thing is the accuracy claim:

“The system works quite accurately,” says Park. Tests were carried out on six different pairs of people performing a total of 54 different staged interactions including hugging, punching, kicking and shaking hands. On average, the system was 80% accurate at identifying these activities correctly.

Imagine all the false alarms as hundreds or thousands of interactions are monitored throughout the day. What will be done when, 20% of the time, an alarm is made about some behavior being observed? Is this any better than human monitoring or social controls that are already in place?

Recently, someone (or some bot, according to this article) has decided to use my domain name for sending spam. This means that when that spam is rejected, the rejection notices are coming back to me! This has increased the amount of spam that I am receiving a lot.

It turns out that I am not alone.

Bot nets likely behind jump in spam

Estimates of the magnitude of the increase in junk e-mail vary, but experts agree that an uncommon surge in spam is occurring. On the low side, Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months. Others have seen much more significant jumps: Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.

While bulk e-mailers have, in the past, sent unwanted messages from a single server, increasingly the spam emanates from networks of compromised PCs, known as bot nets. The level of junk e-mail has increased almost in lock step with the number of compromised systems used for spam, said David Hart, the administrator for Total Quality Management.