When it comes to security in IT, not a week goes by without a major discovery. We look at several stories that have cropped up recently to reveal the ongoing challenges involved in protecting systems and data.
Bot solves Captchas using audio
Most popular webmail sites require new users to answer a Captcha challenge (typing in a string of obscured letters to prove they are human) before a new address is activated.
This is to stop malicious hackers and spammers from using the free service to send unauthorised content.
Spammers, in particular, have invented all sorts of ways to get around the Captchas.
Initially, they built very accurate OCR engines to answer the Captchas. Email vendors responded by making the text ever more difficult for OCR to identify.
In fact, it's so bad now that even though I have 20/20 vision, I often struggle to figure out which letter I should be typing in.
To meet the needs of the visually impaired, vendors now allow users to listen to an audio clip of the Captcha characters they need to retype.
In response, a new malware creation has emerged. According to The Register and confirmed by several antivirus companies, a new spam bot has built-in capabilities to listen to the audio files and simulate typing in the answer.
The bot is apparently quite accurate - a point goes to the spammers.
This approach is now my 'favourite' Captcha-bypassing technique. Before, it was spammers hiring people (often in third-world countries) to bypass the Captchas all day long.
Convicted hacker gets to keep most of what he stole
In a disappointing development, judges continue to hand out astoundingly insignificant punishment for cyber criminals.
While I'll admit I don't know all the facts in this widely reported case, it seems to me that a key player - who wrote the exploit code for one of the world's biggest hacks - got away with just a delicate slap on the wrist.
Twenty-nine-year-old Jeremy Jethro received $60,000 (£39,600) for writing exploit code that he gave to Albert Gonzales.
As punishment for his crime, Jethro got three years' probation and a $10,000 (£6,600) fine.
Gonzales is probably the most notorious and widely known American hacker since Kevin Mitnick.
He has been charged with multiple crimes, including stealing 90 million credit card numbers and information from at least half a dozen of the biggest stores in the world. That's only what the authorities know about.
Jethro has, of course, found religion after being caught. That's all great. What I don't understand is why he doesn't even have to pay back the entire $60,000, not to mention the prosecution and court costs that it took to sentence him.
Help rob a physical bank or store and you can be assured you'll spend time in prison and have to pay back all of your ill-gotten gains. Why don't the same rules apply in cyber space?
NEXT PAGE: US setting sights on countries harbouring cyber criminals
Comments
Most Orgs Enjoy Data "Security" said: In David Scott's words, everyone needs to be a mini-Security Officer in the org today. I think he's right: individuals and orgs enjoy security largely as a matter of luck. Anyone here reading IT WARS? I had to read parts of this book as part of my employee orientation at a new job. It talks about a whole new culture as being necessary, an eCulture, for a true understanding of security - most identity/data breaches are due to human errors. It has great chapters on security as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS, check out a couple of links down, and read the interview with the author David Scott at Boston's Business Forum. Full title is IT WARS: Managing the Business-Technology Weave in the New Millennium. For some free insight, check out his blog, The Business-Technology Weave; you can Google to it or search on the site IT Knowledge Exchange, which hosts it. Great stuff.