Security Watch

Okopipi Takes BlueSecurity Concept Open-Source

Plus PostgreSQL injection vulnerability, the hype surrounding laptop thefts and more.

Okopipi “rises like a phoenix” from the ashes of Blue Security's demise: Blue Security's business model was based on having a large network of clients opt out from identified spam. This was handled via the company's “Blue Frog” client identifying spam, reporting it back to Blue Security's centralized servers, and Blue Security then identifying how to opt out. Blue Security would provide this information back to its network of clients, each of which would then send an opt-out request. This process raised the ire of spammers, who in turn performed a significant DDoS against Blue Security. Blue Security subsequently decided to stop doing business. Okopipi intends to pick up where Blue Security left off and has named its client “Black Frog.”

This is an open source attempt to provide the same services. The stated aim of the new community-oriented project is to use a peer-to-peer network to allow participants to interact and report spam messages to the community of clients to enable a voting mechanism. The network would then coordinate opt-out requests from all participants to the opt-out address. Okopipi says it will throttle the opt-out requests to ensure the site they're being sent to is not overwhelmed.

The project is in its infancy, so it can easily sound better than it will turn out to be. How will it prevent the network from being compromised by spammers? How will it ensure it isn't sending opt-out requests to the wrong place? There are many questions with few answers for now.

It's clear that ignoring spamming is not achieving the results we would hope. The volume of spam traffic alone is a burden, not to mention a complicating factor in strategies aimed at minimizing e-mail-borne malware. Cybertrust clearly does not promote the concept of attacking spammers in any way, as such actions are criminal in nature and must not be condoned. For now, Okopipi (aka Black Frog) states that it will abide by all laws and accepted practices, using the opt-out facility provided by spammers on a one-client equals one opt-out request model. If the project can keep to those goals, it may make an impact.

For those who wonder how Okopipi can possibly withstand the type of DDoS attack that put Blue Security out of business, the project states that by not using a single server (or server farm) to coordinate the network's actions, there will be no obvious target. Of course, the Okopipi Web site will be the target of choice, but this at least does not mean the actions of the network will cease.

Time will tell.

A U.K. man attempted to contact his local city council by e-mail to complain about a neighbor's building project. In his e-mail he used the word “erection,” obviously using the term in the context of construction. The city council's e-mail filtering product didn't understand the context and blocked two e-mails from the man, considering them inappropriate.

And herein lies the greatest problem with spam. Not only do we have to worry about inappropriate e-mails, we typically do nothing to inform the sender that their messages have been ignored. With thousands of spam or inappropriate messages a day, responses to them have been shunned in recent years.

Of course, the man sending the e-mail should've followed up by phone to ensure his message was received, something many e-mail senders fail to realize. SMTP was never intended to be a reliable message transport, merely a best effort.

As a postscript, the local city council apologized to the man who sent the e-mail, but the neighbor building whatever structure was being complained about is still allowed to go ahead and construct it.

Hacking

PostgreSQL Encoding-Based SQL Injection Vulnerability: Two vulnerabilities have been reported in PostgreSQL involving encoding-based SQL injection. No patches are available.

As with all software that must parse user input, you must ensure that you have taken the appropriate measures to ensure the input you will parse is what you expect. PostgreSQL is widely deployed and therefore may provide a target-rich environment for would-be criminals.
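The defensive measures this paragraph calls for, as an added illustration that is not part of the original column: reject input whose byte sequence is not valid in the encoding you expect before it ever reaches a query, and let the server bind the value as a parameter instead of escaping quotes on the client (the query shape, table and column names here are assumed for the example).

```python
"""Input validation and parameter binding for a PostgreSQL lookup (added example)."""


class UntrustedInputError(ValueError):
    """Raised when input does not match what the application expects."""


def validate_text(raw: bytes, max_len: int = 256) -> str:
    """Decode untrusted bytes strictly as UTF-8 (the assumed connection encoding).

    Invalid, truncated or overlong multibyte sequences are rejected outright
    rather than passed through to a client-side escaper that may misread them.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise UntrustedInputError(f"invalid UTF-8 at byte {exc.start}") from exc
    if "\x00" in text:
        raise UntrustedInputError("NUL byte in input")
    if len(text) > max_len:
        raise UntrustedInputError("input too long")
    return text


def user_lookup_query(raw_username: bytes) -> tuple[str, tuple[str, ...]]:
    """Return the SQL text and the bound parameters for a user lookup.

    The value is never spliced into the SQL string; the server receives the
    literal separately, so a quote in the input needs no client-side escaping.
    Hypothetical table/column names; pass the tuple to a driver that supports
    server-side parameters (e.g. PostgreSQL's $1 placeholder syntax).
    """
    username = validate_text(raw_username)
    return ("SELECT id FROM users WHERE name = $1", (username,))


def is_acceptable(raw: bytes) -> bool:
    """Convenience check: True if the bytes pass validation, False otherwise."""
    try:
        validate_text(raw)
        return True
    except UntrustedInputError:
        return False


if __name__ == "__main__":
    # Constructed samples: a plain name, a name with a quote, a stray
    # continuation byte, and a truncated two-byte sequence.
    for sample in (b"alice", b"o'brien", b"\xbf'", b"\xc3"):
        print(sample, "->", is_acceptable(sample))
```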

Physical Security

Laptop thefts lead to numerous stories about identity theft. We are being deluged with stories about millions of people's sensitive information being “stolen” when the laptop the data resides on is stolen.

First, let us state clearly that sensitive personal information stored on a stolen laptop certainly represents a risk to the people the data is associated with. At the time of the theft, however, it's not clear whether the data was the target or simply the hardware. Far more laptop thefts occur than are reported, but we see the stories we do when the laptop contained “topical” information, such as the personal information of U.S. veterans. This is definitely hyping the “identity theft” story, and one has to wonder who's gaining from this campaign of misinformation.

By providing specifics about the data that a particular stolen laptop contained, are the media in fact raising the value of that stolen hardware? Might they not tip off the thief to the fact they have something people might want, where without such information the hardware would simply be wiped and a new OS installed? We think this has likely happened before, and as long as such reporting carries on, it may happen more and more.

Nobody is denying that all who hold sensitive personal information must do more to protect it, such as by using full hard-disk encryption, but until proof exists that the information is actually being abused, Cybertrust will treat all such stories as simply physical theft of the hardware rather than a privacy theft of identities. A recent court case involving Wells Fargo attested to this belief, ruling that because no harm had come to an individual whose information had been stolen (together with that of hundreds of thousands of others), that person was not allowed to sue Wells Fargo for the loss of information.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
