
Threats Archives

June 6, 2006

Errors in spreadsheets are pandemic

Just as Google releases Spreadsheets (a total non-event for serious Excel users), an interesting discussion surfaced on Slashdot. The article links to an interesting paper by Raymond R. Panko of the University of Hawai'i about what is known about spreadsheet errors. The conclusion says:

"All in all, the research done to date in spreadsheet development presents a very disturbing picture.  Every study that has attempted to measure errors, without exception, has found them at rates that would be unacceptable in any organization.  These error rates, furthermore, are completely consistent with error rates found in other human activities.  With such high cell error rates, most large spreadsheets will have multiple errors, and even relatively small "scratch pad" spreadsheets will have a significant probability of error."

Also, the article links to the European Spreadsheet Risks Interest Group (EuSpRIG) and its collection of public reports of spreadsheet errors.

May 17, 2006

Deep packet-inspection technology used by NSA

Wired published an interesting article on Narus' deep packet-inspection technology said to be the basis of the NSA's internet surveillance:

"Narus' product, the Semantic Traffic Analyzer, is a software application that runs on standard IBM or Dell servers using the Linux operating system. It's renowned within certain circles for its ability to inspect traffic in real time on high-bandwidth pipes, identifying packets of interest as they race by at up to 10 gigabits per second.

Internet companies can install the analyzers at every entrance and exit point of their networks, at their "cores" or centers, or both. The analyzers communicate with centralized "logic servers" running specialized applications. The combination can keep track of, analyze and record nearly every form of internet communication, whether e-mail, instant message, video streams or VOIP phone calls that cross the network.

Brasil Telecom and several other Brazilian phone companies are using Narus products to charge each other for VOIP calls they send over one another's IP networks. Internet companies in China and the Middle East use them to block VOIP calls altogether."

April 20, 2006

Security incidents in web-based applications

According to the Web Application Security Consortium (WASC), XSS and SQL injection remain the most popular attack vectors being exploited in public incidents. Further details can be found in the Web Hacking Incidents Database (WHID), which was updated today.

The chart (not reproduced here) illustrates the number of public incidents registered per year:

[Chart: public web hacking incidents per year; (*) projected number of incidents for 2006]

A broader list of vulnerability classes can be found in the OWASP Top Ten, which ranks the most critical web application security flaws.

April 13, 2006

RFID DoS attacks

Computerworld reports that:

"Researchers at Australia's Edith Cowan University have proved that first-generation radio frequency identification (RFID) tags can be breached to cause a denial-of-service attack on the tags, using cheap store-bought radio transmitters."

April 3, 2006

Spy software for cell phones

FlexiSpy sells a monitoring application that records the activity of Symbian OS-based mobile phones (incoming/outgoing SMS as well as call history).

According to PC Inpact (in French), the publisher is working on PocketPC and Blackberry ports of the application, and on a professional version that would record conversations.

Well, I now love my vintage Nokia phone even more.

March 30, 2006

And the beat goes on...

As reported by Computerworld, three regional banks in the US were hacked in a new spoofing attack:

"Earlier this month, attackers were able to hack servers run by the Internet service provider (ISP) that hosted the three banks' Web sites.  They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement's Computer Crime Center.

Users were then asked to enter credit card numbers, PINs (Personal Identification Numbers) and other types of sensitive information, he said.

According to Breeden, the affected banks are Premier Bank, Wakulla Bank, and Capital City Bank, all small regional banks based in Florida."

March 22, 2006

Cleansing documents of unwanted data

As reported by Computerworld, the US Army is using SRS Technologies' Document Detective to sanitize documents and avoid inadvertent exposure of sensitive or extraneous information.

The product's functionality clearly goes beyond metadata cleansing (e.g. Microsoft's free Remove Hidden Data tool for Office), as it is possible to convert embedded objects into safer object types (e.g. when an entire Excel workbook ends up in a PowerPoint presentation although you only intended to paste a summary chart). Document Detective also implements workflows to transfer documents from one security domain to another.

It should be noted that SRS Technologies maintains a suggested reading list that contains articles and information regarding electronic document security and incidents that occurred because of improper or incomplete reviews.

Update 2006/10/14: Marco Casario points out a number of interesting resources to remove sensitive information from Acrobat PDF documents. In particular, have a look at Adobe's Technical Note on Redaction of Confidential Information in Electronic Documents (Acrobat PDF).

March 15, 2006

RFID tags could carry computer viruses

Viviane Reding will love this: SecurityFocus reports that three researchers from the Vrije Universiteit in Amsterdam released a paper outlining the potential risks of viruses using the small amount of memory contained in everyday RFID tags. And yes, they have a proof of concept.

March 8, 2006

For Web-Mogul Wannabes

In today's European edition of the Wall Street Journal, Lee Gomes wrote an interesting column on Under the Radar's Why Web 2.0 Matters conference where start-ups presented their business plans to a panel of VCs and other judges.

"The advice came in the form of the sorts of probing questions (...) such as:

  1. Is what you are doing really a company or just a feature that will end up as part of some existing product?
  2. If you are trying to take on an incumbent player--Google, MySpace--do you do something 10 times better than they do?
  3. If you are developing something for the Web, what is to stop spammers from ruining everything you are trying to do?"

March 7, 2006

GDrive

As reported by Reuters, the existence of the previously rumored GDrive online storage service surfaced after a blogger discovered apparent notes in a presentation supposedly published in error on Google's site after its analyst presentation day last Thursday.

"With infinite storage, we can house all user files, including emails, web history, pictures, bookmarks, etc and make it accessible from anywhere (any device, any platform, etc)," the notes in the original Google presentation state.

Chief Executive Eric Schmidt in his presentation made a cryptic comment that one goal of Google was to "store 100 percent" of consumer information.

March 6, 2006

Worm Propagation and IPv6

This interesting paper (Acrobat PDF) looks at worm propagation strategies in the 128-bit address space of IPv6.

March 3, 2006

Anti-XSS Library for .NET

Microsoft released an anti-cross-site-scripting library for its .NET Framework. It can be freely downloaded here.

February 27, 2006

FTC settles with CardSystems over data breach

As reported by Computerworld, the FTC settled with CardSystems over last summer's data breach, which may have exposed 40M credit cards.

CardSystems must adopt security measures and undergo independent audits for the next 20 years. It still faces potential liability for millions of dollars in private lawsuits over losses.

February 21, 2006

New Trojans plunder bank accounts

CNET's News.com reports on a panel discussion at the RSA Conference 2006:

"We have recently seen a move away from stealing user name and passwords," Shipp said.  The new "bank-stealing Trojans" wait until the victim has actually logged in to their bank.  "It then just transfers the money out."

"All of the authentication, little keys you have to have in your hand, biometrical things, it doesn't matter.  The bad guy just waits until you're there and then takes the money out," Shipp said.

This new type of Trojan is on the rise and is currently No. 3 on the list of most common threats, according to Shipp, who works at MessageLabs as senior antivirus technologist.

I guess we will all end up surfing with VMware's Browser Appliance.

February 18, 2006

More spam sent through web sites

This interesting article (in French) warns webmasters about the "latest" spammers' technique for abusing e-mail forms (e.g. FormMail.pl). It consists of injecting additional recipients into the From: field. We told you before: never trust user input. :-)
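The defensive side of that advice, as an added example that is not code from the original post or from FormMail.pl: a form handler that refuses any header-bound field containing control characters (CR/LF are what turn one "From:" value into several header lines), accepts exactly one plain sender address, and never lets the visitor choose recipients. The field names (`sender`, `subject`, `body`) and the fixed recipient address are assumptions made for the example.

```python
"""Hardened handling of a web "mail me" form: reject e-mail header injection.

Added example; it is not the original post's code nor FormMail.pl. Field
names and the fixed recipient are assumptions for illustration.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# The form never lets the visitor pick recipients (placeholder address).
FIXED_RECIPIENT = "webmaster@example.invalid"

# Any control character in a header-bound field (CR, LF, NUL, ...) means the
# value would not stay on one header line: treat it as an injection attempt.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Conservative mailbox syntax: local@domain, no whitespace, no angle brackets.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised when a form field tries to smuggle extra header lines."""


def clean_header_field(value: str, max_len: int = 200) -> str:
    """Return value if it is safe on a single header line, else raise."""
    if _CONTROL_CHARS.search(value):
        raise HeaderInjection(f"control character in header field: {value!r}")
    value = value.strip()
    if len(value) > max_len:
        raise HeaderInjection("header field too long")
    return value


def clean_sender(value: str) -> str:
    """Accept exactly one plain mailbox.

    parseaddr() alone is not a defence: given 'a@b, c@d' it silently returns
    the first address, so we require its result to equal the whole input.
    """
    value = clean_header_field(value)
    _, addr = parseaddr(value)
    if addr != value or not _ADDR_RE.match(addr):
        raise HeaderInjection(f"not a single plain address: {value!r}")
    return addr


def build_message(form: dict) -> EmailMessage:
    """Turn validated form fields into a message with a fixed recipient."""
    msg = EmailMessage()
    msg["From"] = clean_sender(form.get("sender", ""))
    msg["To"] = FIXED_RECIPIENT
    msg["Subject"] = clean_header_field(form.get("subject", ""))
    msg.set_content(form.get("body", ""))  # body may contain newlines; fine
    return msg


def recipients(msg: EmailMessage) -> list:
    """Every address the message would actually be delivered to."""
    out = []
    for field in ("To", "Cc", "Bcc"):
        out.extend(addr for _, addr in getaddresses(msg.get_all(field, [])))
    return out


def check_form(form: dict) -> tuple:
    """(True, '') if the form is safe to send, else (False, reason)."""
    try:
        build_message(form)
    except HeaderInjection as exc:
        return False, str(exc)
    return True, ""


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, one injecting a Bcc line.
    good = {"sender": "alice@example.org", "subject": "Hello", "body": "Hi"}
    bad = {"sender": "alice@example.org\r\nBcc: x@example.net, y@example.net",
           "subject": "Hello", "body": "Hi"}
    print(check_form(good), recipients(build_message(good)))
    print(check_form(bad))
```

The check is deliberately on the raw form value, before any mail library sees it: a library that folds or rejects newlines is a welcome second line of defence, but the handler should not depend on it, and logging the rejected submission gives you a cheap detection signal for this abuse.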

About Threats

This page contains an archive of all entries posted to never-ever-****-with-my.net in the Threats category. They are listed from newest to oldest.
