Welcome to the Tin-foil hat Club
May. 10th, 2007 09:41 pm
Spent today at a Microsoft security training event: BlueHat. Some interesting presentations about the Underground Internet economy, Xbox 360 security exploits, Mobile device and Zune vulnerabilities, and general website security. It was scary enough to make one consider unplugging every internet device in the house and running for the hills to get off the grid, or at least disabling the wireless features of your mobile device.
A few tidbits:
- Anti-Virus has a hit rate of less than 30% on the approximately 12,000 samples of malware that float about the Internet every day. For older stuff, it peaks at about 50%. That means if you think AV is keeping you safe from random crap in your e-mail box or on websites, you're wrong. In fact, because AV tools are so invasive on the system and always hooked to the Internet for updates, the security tool itself is becoming the weakest link in personal computer security.
- Be sure to read the fine-print of your Electronic Banking agreement. It probably says if you get hacked because of your computer's security, you are screwed if they steal your money.
- Most people think that since Bluetooth is a short-range protocol, they are generally safe from anything more than a few feet away. Some crazy security researcher guys built a directional gun that will let them hack a Bluetooth-enabled phone from a mile away.
- If Microsoft releases a patch for Windows, be sure you apply it because the hackers just reverse engineered it within hours and are probably already deploying botnets using it by the time you hear about it.
- If you are annoyed about patches on Windows, just think about how few things get fixed on all the other Internet-capable devices floating around. Mobile-device hotfixes are rare because the vendors don't bother, not because there's nothing wrong with them.
- Xbox 360 is probably the best secured gaming platform ever released, but it was hacked in about 14 months as compared to the usual 2 years for other consoles, primarily because it was too cool a device for hackers not to want desperately to run Linux on it. Pirates are lazy, and they don't actually fund the hack R&D but love to take advantage of it when it comes out. The vulnerability in the security came down to basically a single instruction chosen by the compiler because of C's crappy implicit promotion of integers. The C code appeared secure, but the resulting machine code was not and ran in the most trusted context.
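
The Xbox 360 item describes a check that reads as safe in C but behaves differently once the compiler applies implicit integer promotion. The following is an added illustration of that bug class, not the Xbox 360 code (which this post does not show); the packet layout and the names `validate_weak` and `validate_hardened` are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN  8    /* constructed layout: 8-byte header before the body */
#define MAX_BODY 256  /* capacity of the destination buffer */

/* Outcome of validating a length field: was the packet accepted, and how
   many bytes would a following memcpy() be asked to copy? */
struct verdict { int accepted; size_t copy_len; };

/* Reads as "reject bodies larger than the buffer". total_len is uint16_t,
   so total_len - HDR_LEN is promoted to *signed* int (assuming int is wider
   than 16 bits). For total_len < HDR_LEN the result is negative, passes the
   comparison, and then converts implicitly to an enormous size_t. */
struct verdict validate_weak(uint16_t total_len)
{
    struct verdict v = {0, 0};
    if (total_len - HDR_LEN > MAX_BODY)
        return v;
    v.accepted = 1;
    v.copy_len = total_len - HDR_LEN;   /* int -> size_t, as memcpy would do */
    return v;
}

/* Hardened form: check the lower bound first, then subtract in size_t so
   the value that is checked is the same value that is later used. */
struct verdict validate_hardened(uint16_t total_len)
{
    struct verdict v = {0, 0};
    if (total_len < HDR_LEN)
        return v;
    size_t body = (size_t)total_len - HDR_LEN;
    if (body > MAX_BODY)
        return v;
    v.accepted = 1;
    v.copy_len = body;
    return v;
}

int main(void)
{
    uint16_t samples[] = {4, 8, 100, 264, 265};   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct verdict w = validate_weak(samples[i]);
        struct verdict h = validate_hardened(samples[i]);
        printf("len=%u weak: %d/%zu hardened: %d/%zu\n", (unsigned)samples[i],
               w.accepted, w.copy_len, h.accepted, h.copy_len);
    }
    return 0;
}
```

Neither function touches memory, so the weak variant can be run safely to see the oversized copy length it would hand to a copy routine.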