Interesting (disturbing?) news

Date March 14, 2008

Haven’t been posting a lot recently, mostly because I’ve been heads-down in work that I can’t really post about, and there’s not been a lot of news that has caught my interest. I hope to have a good announcement of some things I’ve been up to in the next few weeks, but in the meantime, these few articles have crossed my RSS feed that are interesting and in some ways "disturbing" to the security arena.

First up, and following on from a topic I find interesting, is the news that more evidence is being found that there’s an industry out there solving CAPTCHAs by hand. In the post I wrote a while back, I was skeptical of the "human" method of breaking CAPTCHAs, because I didn’t think it scaled very well, but seeing that post from RSnake with figures like "$1 for 1000 captcha codes", it looks like it might be a viable strategy. However, unless these codes are being piped to these people in real time (and there are enough of them), I would still be swayed towards thinking that humans might be initially solving the CAPTCHAs, with the solutions cached to be reused later.

The other news that piqued my interest was the "Backdoor in G-Archiver" post from the Veracode guys (who always have a great blog), also discussed over at Coding Horror. I think that many of us, even "security aware" people, install small programs/utilities to help us with our day-to-day tasks, and it doesn’t even cross our minds that the code itself could be Trojaned – we rely on our anti-virus products to catch malicious code, and something this targeted/specific/unique would just go by without warning. It takes someone who is especially paranoid (with lots of time on their hands, I might add) to disassemble all the programs they use or monitor all the network traffic coming from their machine.

I’m really not sure what we can possibly do about this, other than use a "trusted" subset of programs (which is the idea behind corporations having a "standard build" for employee machines, but that generally doesn’t extend to everyone). Relying on open source, or on programs being reviewed, just doesn’t work – a lot has been said about how, even with open source software, very few people are actually looking at the code. For my own example, if Paros were ever Trojaned, I dread to think about the data that could be gathered (credentials, known vulnerabilities, sensitive info, etc.) from people performing security testing.

Despite the work a lot of good people are doing to move security forward, these two articles set a bad day for the industry.
