This week I gave a talk at SecTalks BNE0x18 about how I solved last month’s boot-to-root CTF. I’ve put the slides up now (you’ll need to enable JavaScript for the remarkjs slides to work).
Spam insights from Project Honeypot
Project Honeypot just published a report of their experience in processing 1 billion spam messages. Highlights for the impatient:
- For the past 5 years, spam “bots have grown at a compound annual growth rate of more than 378%. In other words, the number of bots has nearly quadrupled every year.”
- The top 5 countries which host bots are: China (11.4%), Brazil (9.2%), United States (7.5%), Turkey (6.3%), and Germany (6.0%).
- Top 5 countries with the best ratio of security professionals to spam sources: Finland, Canada, Belgium, Australia (yay!), and the Netherlands.
- The corresponding bottom 5: China, Azerbaijan, South Korea, Colombia, and Macedonia.
- Top Spam harvesting countries: United States, Spain, the Netherlands, United Arab Emirates, and Hong Kong.
- Fraud is rising as a cause for spamming:
On the other hand “Fraud” spammers — those committing phishing or so-called “419” advanced fee scams — tend to send to and discard harvested addresses almost immediately. The increased average speed of spammers appears to be mostly attributable to the rise in spam as a vehicle for fraud rather than an increasing efficiency among traditional product spammers.
As an anecdote to reinforce this, on one site I administer, I set up a dedicated subdomain which was purely designed to catch spam. I placed some addresses in that domain on a web page, and within 1 day they had been harvested and 1 spam had been sent to each email address. No email to that subdomain has been seen since.
Check out Project Honeypot’s full analysis.
Source: libertysys.com.au
More grist for the "long passwords" mill
For a long time, I’ve told my clients and friends that the best way to make a password is to write a short sentence or phrase. A recent study linked from Slashdot IT reinforces this. The executive summary: if you make your password 13 or more characters long, as long as it’s not a single dictionary word, it’s likely to be pretty safe from anyone who’s got less than US$10 million to spend on the problem, assuming current market prices for cloud computing CPU time.
Without going through all of my previous advice, the simple rule for passwords is: think of something you relate to your password, or just something that you think about a lot, and then write a complete phrase or sentence about it. Of course, none of this will save you from a wrench password attack.
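To make the "length beats a budget" reasoning concrete, here is an added Python estimate (not from the post or the linked study) of what an exhaustive search would cost at an assumed cloud price and guess rate, and why a single dictionary word gets no credit for its length. The guess rate, core-hour price, wordlist size and the tiny sample wordlist are all constructed assumptions, so the resulting lengths illustrate the method rather than reproduce the study's figures.

```python
import string

# Constructed assumptions for the estimate; the post links a study but quotes no figures.
GUESSES_PER_SECOND_PER_CORE = 1_000_000_000  # assumed offline guess rate of one rented core
USD_PER_CORE_HOUR = 0.04                       # assumed cloud price per core-hour
WORDLIST_SIZE = 200_000                        # assumed size of an attacker's dictionary
SAMPLE_WORDLIST = {"password", "sunshine", "welcome", "dragon"}  # constructed stand-in


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character pool covering every character used."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
             string.punctuation + " ")
    return sum(len(pool) for pool in pools if any(c in pool for c in password))


def worst_case_cost_usd(guesses: float) -> float:
    """Price of enough core-hours to try every candidate once, under the assumptions above."""
    core_hours = guesses / GUESSES_PER_SECOND_PER_CORE / 3600
    return core_hours * USD_PER_CORE_HOUR


def guesses_needed(password: str) -> int:
    """Candidates an attacker must try: the wordlist size for a dictionary word,
    otherwise the full character-class keyspace for the password's length."""
    if password.lower() in SAMPLE_WORDLIST:
        return WORDLIST_SIZE
    return alphabet_size(password) ** len(password)


def estimate(password: str) -> dict:
    """Summarise length, character pool, search size and worst-case cost for one password."""
    guesses = guesses_needed(password)
    return {"length": len(password), "alphabet": alphabet_size(password),
            "guesses": guesses, "cost_usd": worst_case_cost_usd(guesses)}


def min_length_for_budget(alphabet: int, budget_usd: float) -> int:
    """Shortest length whose exhaustive search costs more than the attacker's budget."""
    length = 1
    while worst_case_cost_usd(alphabet ** length) <= budget_usd:
        length += 1
    return length


if __name__ == "__main__":
    for pw in ("sunshine", "abcdefghijklm", "correct horse battery"):
        print(pw, estimate(pw))
    for name, size in (("lowercase only", 26), ("lowercase + space", 59), ("all printable", 95)):
        print(f"{name}: {min_length_for_budget(size, 10_000_000)} chars exceed a US$10M budget")
```

Change the three assumed constants to current prices and hash rates for the algorithm in question; the shape of the answer (cost grows exponentially with length, a dictionary word is capped by the wordlist) does not depend on them.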
Source: libertysys.com.au
"Just say no!" to e-cards
Richard Bliss recently blogged at Novell and on his personal blog with some great advice: don’t click on e-cards from your friends, and think about asking them not to send them at all, since the risks of clicking on e-cards vastly outweigh the benefits. Here’s another thought: real money spent on real cards, envelopes, and stamps shows that you’ve actually made an investment in reminding your friends and family of your regard for them. It’s much better for your online security, too! (Of course, one could argue that it is less environmentally friendly, but you can find cards and envelopes made from recycled materials.)
Source: libertysys.com.au
Clever banking trojan
cnet has a really interesting article about a clever trojan horse application which steals money from online banking accounts while the user is logged into them, and displays false balance details to the user so they don’t know what’s going on. Currently it only affects Windows users. Check your balances regularly from multiple different platforms (including your bank’s ATMs).
Source: libertysys.com.au
