Thursday, November 20, 2008

My thoughts on Biometrics / Face Recognition

What's your take on Face Recognition Technology?

Biometrics are biological authenticators, based on some physical characteristic of the human body. The list of biometric authentication technologies is still growing. Authentication with biometrics has advantages over passwords because a biometric cannot be lost, stolen, forgotten, lent, or forged and is always available, always at hand. Last year and this year we saw heaps of laptops shipping with a fingerprint reader as standard.

Now some of the Lenovo notebooks are coming with face recognition software, which is actually a re-emergence of an old idea. Now that some systems include integrated cameras with much better quality (1.3MP), facial recognition has become much better. In practice this works very well and is extremely fast at recognition.

The included software lets you log onto your Windows account simply by sitting in front of your system. Your face is your password.

Depending on the software used, face recognition uses multiple techniques to identify a person's face. Some of the more advanced programs use texture mapping, in which a person's skin texture is analysed and matched. Most, however, define nodal points on a person's face and then use software to represent those points mathematically. Things measured include the distance between the eyes, the width of the nose, the length of the jaw line, or the shape of the cheekbones. Together these are concatenated into a numerical code which is stored in a database for later retrieval.

Biometrics can become a single point of failure though. Consider a retail application in which biometric recognition is linked to a payment scheme:

As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not.

Although equipment is improving, there are still false readings. Although I think of biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan.

My thoughts are: although forgery in biometrics is difficult and uncommon, it will be an issue whenever the reward for a false positive is high enough.
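To make the nodal-point idea concrete, here is an added toy template matcher (not the Lenovo software, and all measurements are constructed): it builds a numeric code from four facial measurements, matches a new capture against an enrolment database, and shows how the acceptance threshold trades false rejections of genuine users against false acceptances of strangers, which is where the "false readings" above come from.

```python
"""Toy nodal-point face template matcher, added as an illustration (not the Lenovo
software). Assumption: a template is four measurements in millimetres normalised by
the inter-eye distance, so camera distance cancels out. All data is constructed."""
import math

FEATURES = ("eye_distance", "nose_width", "jaw_length", "cheekbone_width")

def measure(eye, nose, jaw, cheek):
    """Package raw nodal-point measurements (mm) as a dict keyed by FEATURES."""
    return dict(zip(FEATURES, (eye, nose, jaw, cheek)))

def make_template(m):
    """Concatenate measurements into a numeric code: ratios to the eye distance."""
    if m["eye_distance"] <= 0:
        raise ValueError("inter-eye distance must be positive")
    return tuple(m[f] / m["eye_distance"] for f in FEATURES[1:])

def distance(a, b):
    """Euclidean distance between two templates; smaller means more similar."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def identify(probe, database, threshold):
    """(name, score) of the closest enrolled template if within threshold,
    else (None, score): the probe is rejected as unknown."""
    name, score = min(((n, distance(probe, t)) for n, t in database.items()),
                      key=lambda item: item[1])
    return (name, score) if score <= threshold else (None, score)

def error_rates(genuine, impostors, database, threshold):
    """False reject rate (enrolled users turned away or misidentified) and
    false accept rate (strangers matched to someone) at one threshold."""
    fr = sum(identify(t, database, threshold)[0] != n for n, t in genuine)
    fa = sum(identify(t, database, threshold)[0] is not None for t in impostors)
    return fr / len(genuine), fa / len(impostors)

# Constructed enrolment captures for two users
DATABASE = {"alice": make_template(measure(62, 34, 120, 130)),
            "bob": make_template(measure(66, 40, 135, 140))}
# Constructed later captures: a clean and a noisy reading of alice, one of bob
GENUINE = [("alice", make_template(measure(60, 33.5, 116, 126))),
           ("alice", make_template(measure(58, 36, 112, 122))),
           ("bob", make_template(measure(65, 39.5, 133, 138)))]
# Constructed captures of two people who were never enrolled
IMPOSTORS = [make_template(measure(64, 37, 128, 135)),
             make_template(measure(70, 36, 150, 160))]

if __name__ == "__main__":
    # A strict threshold rejects the noisy genuine reading; a loose one lets a stranger in
    for threshold in (0.03, 0.08):
        frr, far = error_rates(GENUINE, IMPOSTORS, DATABASE, threshold)
        print(f"threshold {threshold}: FRR={frr:.2f} FAR={far:.2f}")
```

With these constructed captures the strict threshold gives FRR 0.33 and FAR 0.00, while the loose one gives FRR 0.00 and FAR 0.50; a real deployment has to pick a point on that curve.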

Sunday, November 16, 2008

Scammers now targeting Classified websites...

How scammers trick sellers and get money out of them...

I recently published an advertisement on Australia's leading car-selling website "Drive" to sell my car. I have sold a couple of cars previously using this website and this company has a really good selling rate.

I received a few enquiries and most of them were "time wasters". A couple of weeks after I published my ad, I received an enquiry which I found suspicious, and I thought of doing some research to see "how this scam works" and later post it on my blog so other readers can protect themselves. To start with, I received an enquiry which was like this:

Dear Shoaib Yousuf,

A Drive user has contacted you with a question about your car for sale on Drive.

Hello, My customer is much interested in your advert car. Pls kindly email me back if the car is still available stating it's present condition and your final price. Regards, Frank.L.Kennon Managing Director Leventis Motors Ltd

E-mail: agent_100brian@yahoo.com
Name Brian Anderson

I found this suspicious straight away and started digging about the company "Leventis Motors". I found no relevant information about the company, and another point to note is: why is a managing director sending an email from a Yahoo account?

Anyway, I responded to this ad stating: yes, it is still available and I am interested in selling my car for a final price of $29,000 AUD. (It was advertised for $29,990.)

I received the following response:

from Brian Anderson
reply-to agent_100brian@yahoo.com
to Shoaib Yousuf
date Sat, Oct 18, 2008 at 11:27 PM
subject EXPECT MY MAIL.
mailed-by yahoo.com
signed-by yahoo.com

Hello,

Thanks for your response to my enquiry concerning your car.

Note that my client who resides here in London wants to conclude this transaction as soon as possible since he wants the vehicle as a present for his son who is resident in South Africa. So the car will be shipped to South Africa and my client bears responsibility for shipment.

Kindly exercise a little patience while i discuss your final price of $29,000 au and other necessary details with my client and also evaluate the on-line photos of the vehicle in question. I will get back to you later today or on Monday morning.

Brian Anderson.

Yeah right, the car will be shipped to South Africa and "dad" will send me money from London. I didn't need to think twice or guess where this was leading, but I found it quite interesting so I continued to play along a bit more. So, I responded stating, "sounds like a plan and I will wait for your response as soon as possible". Guess what? I received an email on Monday morning and it was:

from Brian Anderson
reply-to agent_100brian@yahoo.com
to Shoaib Yousuf
date Tue, Oct 21, 2008 at 12:04 AM
subject CONFIRM PAYMENT AND PICKUP ARRANGEMENT TODAY.
mailed-by yahoo.com
signed-by yahoo.com

Hello,

This is to inform you that my client has instructed me to proceed with the purchase of your car for his son. He said that I should inform you that the payment will get to you in an Australian bank cheque of ($36,900 AU) which is a refund payment of a cancelled order earlier made by him.

He informed me that he intends using the refund payment to pay for your vehicle.

He further explained that this bank cheque has to be made out in this amount ($36,900 AU) to you because company policy only allows a refund payment on one bank cheque. So you are required to deduct cost of your car ($29,000 AU) when the payment gets to you and refund the balance of ($7,900 AU) to my client's agent via western union or moneygram international money transfer for the agent to be able to offset shipping/pickup charges, contract fees for the pickup agent, taxes, commission and other handling bills.

After payment has reached you and balance is sent back to his agent, the agent will contact the pickup agent who will come for the pick up of the vehicle for shipping to my client's son.
My client is making some necessary arrangement with some shippers and will provide me with the pickup/test driver agent as soon as he decides the agent to contract for the pickup of the vehicle from its present location.

NOTE: He also instructed that you are to deduct the transfer charges from the remaining balance($7,900 AU) which you will be sending down to his agent via western union or moneygram international wire transfer.

Confirm this whole arrangement and provide the details requested below for payment to be delivered to you.

PAYMENT INFORMATION:
1.YOUR LEGAL NAME IN FULL.........
2.POSTAL ADDRESS IN FULL..........................
3.PHONE NUMBER(S).................

Okay, if anybody uses a little bit of common sense they will understand that this is all bullshit and a scam. Believe me, many people "don't use their common sense" and still fall victim to such scams.

The interesting part is not finished here: I went ahead and provided them with "fake details but a real PO Box address" and a "prepaid SIM" number.

Take another guess? Surprise: I received a call from someone with an Italian accent saying he had shipped me a cheque and asking when I would be able to send them the money.

Anyway, now it was a waiting period. I received a cheque after 3 weeks and I was right: it was shipped from Italy. You guys won't believe it, the cheque was from an American bank, "JP Morgan".

I contacted my local bank and used my contacts to find out more details about the cheque. I didn't get much information, so I contacted JP Morgan's local representatives in Melbourne and found the cheque was real but fraudulently honoured. I asked them to take appropriate measures and make sure the account holder is informed.

Now, let me tell you guys from my experience what usually happens after this. The cheque gets honoured, the seller gets the money and, as per the agreement, sends $7,900 via Western Union. After a few weeks or months, the bank informs the seller: "Sorry mate, that cheque was fraudulent. Please refund all the money."

The bank gets its money back, the scammer gets their money and the account holder doesn't lose anything. In the end, the seller loses $7,900 and the car is still on the market, or probably the seller sells the car to pay off the bank.

So, please, I repeat PLEASE, use a little common sense and be aware of these scammers. They will try to scam you in all possible ways.

Friday, November 14, 2008

Patch your Flash player ASAP!

Adobe fixes 6 flaws in Flash

For the second time in two days, Adobe Systems Inc. has warned users of multiple vulnerabilities in one of its most-popular programs and issued a security update to plug the holes.

Wednesday's update was the fourth patch job on the ubiquitous Flash Player this year, and followed by one day an even larger collection of fixes for Adobe Reader, the Web's default PDF application.

The Flash Player update addressed six bugs in Version 9.0.124.0 that range from cross-site scripting and information disclosure vulnerabilities to flaws that could be used to inject malicious HTML code into Web sites and launch "DNS rebinding" attacks.

Go to adobe.com to update your Flash Player or follow the prompts from auto-update.

Tor - How does it work?

How to use Tor to audit networks

Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

It is a security tool that permits anonymous Web surfing. While it's a tool that can be used both by white hats and gray hats alike, all information security pros should be aware of how it works.

In this screencast, Peter Giannoulis of The Academy.ca details how Tor can be used by individuals to ensure their surfing habits aren't recorded by malicious hackers, and how IT professionals involved in auditing networks can mask their location so that a more thorough audit can be conducted.

Refer here to watch the video by SearchSecurity.

Gmail - a new voice and video chat plug-in

Google takes on Skype

Google is excitedly announcing its latest mission to gain a bigger user count for its Gmail service: a new voice and video chat plug-in.

So far Google has been slowly creeping alongside the likes of other email giants including Microsoft Live which has 283 million users and Yahoo mail which is just slightly behind with 274 million.

Gmail was seemingly stuck in third place with just 113 million users, which is why it has come up with this new video and voice chat service which will come free as part of the Gmail package. Although both of Google’s main competitors also offer a video and chat service, it is not integrated into the mail section like Gmail’s is – which makes it marginally different.

*****Not security related*****

Thursday, November 13, 2008

Malicious Worm That Attacks Social Networks

Victims unknowingly spread the infection via wall posts to their friends' walls inviting them to view a YouTube video

PandaLabs has recently detected a new variant of the Boface family that affects the social networks Facebook and MySpace. In this case, the worm sends all the user's friends a message which contains a link to a supposed YouTube video.

In order to view the video, the user is required to download a Flash Player update. However, the downloaded file is not an update but a copy of the worm.

This shows that cyber-crooks are still interested in the social networks to distribute their creations. In fact, Facebook and MySpace with millions of registered users have become a profitable target for them.

Facebook has started taking measures to solve this problem. You can check it here.

Tuesday, November 11, 2008

4,000 Viruses in a month? Are we all using Anti-Virus?

Nearly 4,000 new viruses recorded in October

Up to 3,910 new types of computer viruses were recorded in Vietnam in October, including 3,905 of international origin and 5 of domestic origin.

According to the leading network security agency in Vietnam, BKIS Network Security Centre, the bugs attacked more than 6.2 million computers in Vietnam during October. The most widespread virus is X97M.XFSic, which infected over 73,000 computers.

BKIS said in October, 50 websites of Vietnamese companies and agencies were hacked. Of them, 24 sites were attacked by Vietnamese hackers and 26 by foreign hackers. BKIS also unveiled serious errors in websites of 11 businesses and government agencies.

According to BKIS, there is a new method of infection that deceives anti-virus software and results in the loss of standard operating system files. Users therefore have to reset the whole system.

BKIS counted 92 new types of viruses which employed this way of infection and they attacked 41,600 computers in Vietnam.

All I can say is that we need to make sure we are using up-to-date anti-virus to protect ourselves from all these upcoming threats, plus make sure we are regularly backing up our data.

Kaminsky cache poisoning flaw

One in four public DNS servers insecure

One in four public-facing domain name system (DNS) servers on the internet are still vulnerable to the Kaminsky flaw, according to the fourth annual survey of DNS servers by network services vendor Infoblox.

The flaw allows hackers to sabotage DNS servers and send web users to sites set up to hack into their systems. Cricket Liu, architecture vice president at Infoblox, explained that the survey used the same tests as last year, but added a check on whether servers had patched against the Kaminsky flaw by performing source port randomisation.

"The number of name servers out there has increased slightly from 11.7 to 11.9 million, and firms are using more secure up-to-date versions of the Berkeley Internet Name Daemon package," he said.

Refer here to read the full article.
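The survey's Kaminsky check above boils down to one question: does a resolver vary the UDP source port (and transaction ID) of the queries it sends out? Below is an added illustration of that check, not Infoblox's tool, run over two constructed samples of outbound queries as you might summarise them from your own resolver's packet capture; the entropy floor and line format are assumptions.

```python
"""Check a resolver's outbound DNS queries for source port randomisation, the
Kaminsky mitigation the Infoblox survey tested for. Added illustration, not the
survey's tool. Input lines are constructed: "src_port txid qname" per query."""
import math
from collections import Counter

# Constructed sample: every query leaves from port 53 and the ID just counts up.
RESOLVER_A = """\
53 0x1a2b www.example.com.
53 0x1a2c mail.example.com.
53 0x1a2d ns1.example.net.
53 0x1a2e www.example.org.
53 0x1a2f ftp.example.org.
53 0x1a30 www.example.edu.
"""
# Constructed sample: a fresh port and transaction ID for each query.
RESOLVER_B = """\
51234 0x9f3a www.example.com.
7781 0x02c7 mail.example.com.
62019 0xe410 ns1.example.net.
33490 0x57b9 www.example.org.
45011 0x8d02 ftp.example.org.
19876 0x3e6f www.example.edu.
"""

def parse_queries(text):
    """Turn 'src_port txid qname' lines into (port, txid) tuples, skipping junk."""
    rows = (line.split() for line in text.splitlines())
    return [(int(r[0]), int(r[1], 16)) for r in rows if len(r) == 3]

def entropy_bits(values):
    """Shannon entropy of the observed values in bits (0 when all are equal)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_sequential(values):
    """True when each value is the previous one plus one, i.e. trivially guessable."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))

def assess(text, min_port_entropy=2.0):
    """Classify a query sample; the entropy floor is an assumption sized for a
    six-query sample (a real survey would send far more queries)."""
    records = parse_queries(text)
    if not records:
        raise ValueError("no queries parsed")
    ports, txids = [p for p, _ in records], [t for _, t in records]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    elif is_sequential(ports) or entropy_bits(ports) < min_port_entropy:
        findings.append("predictable source ports")
    if is_sequential(txids):
        findings.append("sequential transaction IDs")
    return {"queries": len(records), "distinct_ports": len(set(ports)),
            "port_entropy_bits": round(entropy_bits(ports), 2),
            "vulnerable": bool(findings), "findings": findings}
```

Resolver A is flagged on both counts; resolver B shows six distinct ports with about 2.58 bits of entropy and no findings.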

Wednesday, November 5, 2008

Facebook and Privacy

Is it a Facebook issue, or the people who are using it?

I have blogged heaps of times about Facebook issues. I know, I have a Facebook account myself. I don't want people to stop using Facebook or close their accounts; in fact I would like them to be aware of all the possible security issues and threats out there.

In the past, I have blogged about spammers using Facebook accounts to spam, spread malware and perform social engineering. I advise my readers to make sure they really know the people they are adding and not to give out unnecessary information which can be used by someone to steal their identity or to harass them.

After 1 year on Facebook, I posted my picture a couple of days ago. Several people, including my friends, had asked me to upload a picture, and I had always refused to do so.

Let me tell you the reasons why I personally didn’t upload the picture.

1) My picture can be copied by anyone.

2) I have an open profile because I am always looking to make contacts and friends, so I tend to be a bit cautious about what information I give to them.

Now I have uploaded my picture (just one). The reasons are:

1) My picture can be copied from my Blogger profile anyway, so there is no protection, and I realise now that Facebook friends can also see my picture on my profile if they are not visiting my blog.

2) I have uploaded only one picture, and that is of "me alone", not with anyone else.

Okay, let me come to the point. I have been investigating these particular "privacy issues with Facebook" for the last couple of weeks. I will try to sum up my findings and concerns.

Consider this scenario:

I have a friend whose name is "Alisha" and she is in my Facebook friends list. She has a friend whose name is "Sarah". I like her and I want to get her details, but I notice her profile is restricted to her friends only. I sent her a friend request but unfortunately she has not responded yet.

Suddenly, "Sarah" uploaded a few photos of her friends and tagged "Alisha" in those photos. As soon as she tagged "Alisha", I was able to see all her photos in that particular album, plus I was able to see her profile too. I found out more details and, bingo, I was able to harass her.

Now, consider another scenario:

I have my work friends, my family and my other friends in my Facebook friend list. One of my friends uploaded a picture tagging me which is quite personal. As soon as he tagged me, all my family members, my work colleagues and my other friends were able to see my personal picture, plus all the pictures in that particular album.

Consider third scenario:

I have my neighbour added in my account as a friend. He uploaded a few pictures to his profile of the party he had at his home. I commented on his photos and guess what my other friends see:

"Shoaib Yousuf commented on XYZ's picture"

Any of my friends can see my neighbour's picture and in fact his profile too. By commenting on his picture, I am really not giving any privacy to his personal party pictures.

So, what have we learned from this?

Facebook is a good social networking tool but it doesn't offer security or privacy whatsoever. I suggest and advise all my readers that if they upload pictures, don't tag them. If they still want to, make sure you select the appropriate security permissions so that people from your friends' friend lists cannot view them.

If you have any questions, suggestions or your past experience you would like to share let me know.