Jesper Johansson's Blog : Security Pontification

Fake Anti-Malware is Apparently Microsoft's Fault

Jesper's Blog — Sat, 24 Oct 2009 17:20:00 GMT

Munir Kotadia, an IT Journalist in Australia, has finally managed to figure out how to blame Microsoft for the fake anti-malware epidemic. Apparently, the reason is that "Microsoft could save the world from fake security applications by introducing...(read more)

Web Of Trust: RIP

Jesper's Blog — Wed, 14 Oct 2009 05:16:00 GMT

It's official. I just received an e-mail from Thawte notifying me that, as of November 16, 2009, the most innovative and useful idea in PKI since its inception, the Web of Trust , will die. Thawte was founded 14 years ago by Mark Shuttleworth. The...(read more)

And finally, standard user malware

Jesper's Blog — Tue, 01 Sep 2009 06:21:00 GMT

Today I finally got wind of my first piece of true standard user malware. MS Antispyware 2008 has turned standard user. The version in question installs the binaries in c:\documents and settings\all users\application data\<something>, and makes...(read more)

Is it ActiveX that is the problem?

Jesper's Blog — Sun, 09 Aug 2009 20:04:00 GMT

Last week, an expert from Verizon, nee Cybertrust, posted a note about the Active Template Library (ATL) security vulnerability over on the Verizon Business Security Blog . For home users, the phone company now advises you to use a different browser,...(read more)

Please do not e-mail my social security number

Jesper's Blog — Wed, 28 Jan 2009 05:38:00 GMT

Recently I had a very interesting incident. I wrote an article some time in 2008 and the publisher paid me a little bit of money for it. That means the publisher must send a report to the Internal Revenue Service (IRS - the U.S. tax department) reporting...(read more)

Kip Hawley: "No, the TSA is Necessary Because This is War!"

Jesper's Blog — Wed, 24 Dec 2008 10:44:00 GMT

CBS News did a story a few days ago on the Transportation Security Administration (TSA). Basically it was a tit-for-tat between Bruce Schneier , security pontificator extraordinaire, and Kip Hawley, the administrator of the TSA. Mr. Hawley's maintans...(read more)

One "Hacker" Attempts to Rule The World

Jesper's Blog — Wed, 24 Dec 2008 10:40:00 GMT

Wired, always a source for amusement and interesting literature, just carried a story on a "hacker" (the magazine's use of the term equates to "criminal") who attempted to dominate the market in stolen credit cards. It's a...(read more)

Believe it or not; DRM for Zune is down!

Jesper's Blog — Tue, 16 Dec 2008 06:21:00 GMT

Shocking, yes, I know, but in only four hours this evening Microsoft has managed to alienate over 150 additional customers with its insistence on Digital Rights Management (DRM). This time it is the DRM component of the Zune store that is down, according...(read more)

What do you think, should I do it?

Jesper's Blog — Sun, 16 Nov 2008 16:44:00 GMT

I get a fair bit of blog spam - comments advertising everything from sexual enhancers to fake anti-malware. This one just came in this morning: Sweet! I can turn off all the blog spam just by e-mailing the criminals? Or, could it possibly be that this...(read more)

Fun Experiences at Airport Security

Jesper's Blog — Sat, 15 Nov 2008 16:13:00 GMT

For a while I've been thinking about writing something about interesting times I've had at various airport security checkpoints; security theater, as they have come to be known. There is the obvious shoe removal arguments and the ill-defined rules...(read more)

Is MS08-067 Wormable?

Jesper's Blog — Tue, 04 Nov 2008 12:14:00 GMT

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067 . Looking at the type of vulnerability and the fact that the issue was already being exploited in the wild at the time, this was a good decision. If you have...(read more)

Security is About Passwords and Credit Cards, Part 3

Jesper's Blog — Sun, 10 Aug 2008 06:14:00 GMT

The final installment in my series called " Security is About Passwords and Credit Cards " is now up on TechNet Magazine. This part of the series discusses updating technologies, including how not to abuse them, messaging about security, and...(read more)

Security is About Passwords and Credit Cards Part 2

Jesper's Blog — Thu, 03 Jul 2008 21:32:00 GMT

The second part of my " Security is About Passwords and Credit Cards " article just hit the web. This installment looks at logon processes, misleading security eye candy, and insecure communications with customers. As always, I'd love your...(read more)

Security is About Passwords and Credit Cards

Jesper's Blog — Fri, 20 Jun 2008 21:27:00 GMT

Security is About Passwords and Credit Cards. That's what a very nice lady told me a few months ago. At first I shrugged it off. Of course security is so much more than that. As I started to process it though I realized that is exactly what it is...(read more)

Thoughts on Security by Obscurity

Jesper's Blog — Tue, 13 May 2008 17:46:00 GMT

This has not really been that normal a week for me, but at least another article made it into print. The June 2008 issue of TechNet Magazine is headlined by an article I wrote with my friend Roger Grimes, Security Adviser for Infoworld , on Security by...(read more)

Warning! Don't run Anti-Malware Software on Your Research Machine

Jesper's Blog — Thu, 01 May 2008 19:20:00 GMT

I do not run any anti-malware software on my primary workstation. It's a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. ...went to run some tool. Hey...(read more)

Quantum Security

Jesper's Blog — Wed, 23 Apr 2008 01:37:00 GMT

The May 2008 issue of TechNet Magazine is out. It has an article in it that I have been wanting to write for a long time, called Quantum Security . In it I posit the argument that there are some fundamental laws of security, similar to the laws of physics...(read more)

How to remove the security warning, or should you?

Jesper's Blog — Mon, 21 Apr 2008 18:10:00 GMT

This morning there was an interesting question in the Windows Vista Security Newsgroup . The poster had written an application that users were downloading. However, when they ran the application they received a warning dialog, like this one: The poster...(read more)

Regulatory Silliness

Jesper's Blog — Mon, 10 Mar 2008 17:30:00 GMT

Susan just pointed me to a " Self-assessment questionnaire " for the Payment Card Industry Data Security Standard (PCI/DSS). While, on the whole, the intent of that standard is good, there are some areas of it that, as usual, stray into the...(read more)

Measuring Identity Theft

Jesper's Blog — Fri, 29 Feb 2008 23:20:00 GMT

Chris Hoofnagle, of the Berkeley Center for Law And Technology just published a fascinating report entitled " Measuring Identity Theft at Top Banks ." If you have not already, and you are at all interested in security and privacy, you owe it...(read more)