Category Archives: Security

Malware Mutation and Descendancy

A case study by Zynamics illustrates the trouble with assuming that each newly discovered malware sample is new, unique or sophisticated. Grouping samples with a similarity threshold of 50%, they found that the whole set descended from only a handful of bot families:

Files which exhibit a mutual similarity of more than 50% have been assigned to the same family. The next step was to have the files named by an anti-virus program (ClamAV). We replaced the MD5 sums with the names in the tree. The result was this graph.

The graph enables us to draw interesting conclusions:

  1. We could clearly assign several bots to a family even though ClamAV did not identify them.
  2. Many “distinct” bots show a strong similarity to other bots and should actually be assigned to one single family (e.g. Trojan.GoBot and Trojan.Downloader.Delf as well as Worm.Korgo.Y and Worm.Padobot.I). This seems to be due to problems in the naming-process.
  3. Basically, all bots are representatives of two big (GoBot, PadoBot) and three small families (Sasser, PoeBot, Crypt-8) as well as some “repairs”.

[Figure: malware tree]
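The grouping step the quote describes, a pairwise similarity threshold followed by transitive grouping into families, as an added Python example. This is not the Zynamics code: it uses Jaccard similarity over constructed sets of function fingerprints in place of the executable comparison Zynamics used, and the sample hashes and AV-style labels are constructed to mirror the three findings above (undetected members, conflicting names, few families).

```python
from itertools import combinations

# Constructed toy corpus (not the Zynamics data). Each sample is keyed by a
# stand-in for its MD5 and carries a set of function fingerprints, a proxy for
# the per-function matches a BinDiff-style comparison of two executables yields.
SAMPLES = {
    "md5_a": {f"f{i}" for i in range(1, 8)},   # f1..f7
    "md5_c": {f"f{i}" for i in range(3, 10)},  # f3..f9  (shares 5 of 9 with md5_a)
    "md5_e": {f"f{i}" for i in range(5, 12)},  # f5..f11 (5 of 9 with md5_c, only 3 of 11 with md5_a)
    "md5_g": {"g1", "g2", "g3", "g4", "g5"},
    "md5_i": {"g1", "g2", "g3", "g4", "g6"},
    "md5_k": {"h1", "h2", "h3"},
}

# Constructed labels standing in for ClamAV's names; None means "not detected".
AV_NAME = {
    "md5_a": "Trojan.NameA",
    "md5_c": "Trojan.Downloader.NameB",
    "md5_e": None,
    "md5_g": "Worm.NameC.Y",
    "md5_i": "Worm.NameD.I",
    "md5_k": "Trojan.NameE",
}

THRESHOLD = 0.5  # "mutual similarity of more than 50 %"


def similarity(a, b):
    """Jaccard similarity of two fingerprint sets, 0.0 .. 1.0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_families(samples, threshold=THRESHOLD):
    """Single-linkage clustering with union-find: every pair whose similarity
    exceeds the threshold is merged, so a chain a~c, c~e puts a and e in one
    family even when a and e are below the threshold themselves."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the tree flat
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if similarity(samples[x], samples[y]) > threshold:
            parent[find(x)] = find(y)

    families = {}
    for name in samples:
        families.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in families.values())


def label_families(families, av_names):
    """Swap hashes for AV names, as the case study did, and flag families that
    contain undetected members or carry more than one name."""
    report = []
    for members in families:
        names = sorted({av_names[m] for m in members if av_names.get(m)})
        report.append({
            "members": members,
            "names": names,
            "undetected": [m for m in members if not av_names.get(m)],
            "naming_conflict": len(names) > 1,
        })
    return report


if __name__ == "__main__":
    for entry in label_families(cluster_families(SAMPLES), AV_NAME):
        print(entry)
```

Two things worth noticing when you run it. The undetected sample md5_e lands in a family purely through its similarity to md5_c (finding 1), and two differently named samples share a family (finding 2). The caveat is the chaining: md5_a and md5_e are under 30% similar to each other yet end up together because single linkage is transitive. That is what you want for tracking descendancy, but one statically linked library shared by two unrelated bots can merge their families the same way, so inspect a family's pairwise similarities before treating it as a single lineage.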

Extended DNSSEC Validation

Two new Firefox add-on options for DNSSEC validation

1) DNSSEC Validator 1.1.4 from CZ.NIC Labs is available on the Mozilla add-ons site

DNSSEC Validator fetches the DNS records for the domain name in the page address and compares them with the IP addresses Firefox actually used to download the page. If the records carry DNSSEC signatures that can be validated, the user is protected by DNSSEC; otherwise the user could have been the victim of DNS spoofing. The result of the comparison is shown as a green, orange or red key directly in the address bar. Keep in mind that such a verdict is only as trustworthy as the place where the signatures are validated: an AD bit relayed by an untrusted upstream resolver proves nothing, so validation should happen in the add-on itself or in a resolver the user controls.

2) Alpha code, tested with the Firefox 4 beta, is available from os3sec.org

Extended DNSSEC Validator is an add-on for the Mozilla Firefox 4 beta that checks the existence and validity of DNSSEC-signed DNS records for a domain. If a valid DNSSEC chain to the domain is found, it looks for TXT or TLSA records that carry a copy of the hash of the site's HTTPS certificate and compares it with the certificate the server presented. The result is shown in the address bar using the identity-box scheme Firefox already employs. This lets owners of DNSSEC-enabled domains securely deploy self-signed certificates, or add a DNS-anchored trust path alongside their CA-signed certificates.
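How the certificate check behind the second add-on can be implemented, as an added Python example (not the os3sec.org code): it parses a TLSA record in RFC 6698 wire format, derives the digest of the presented certificate (either the full certificate or its SubjectPublicKeyInfo, per the record's selector), compares it in constant time, and folds the answer into the DNSSEC verdict. The certificate is a constructed, unsigned DER skeleton with just enough X.509 structure to locate the SPKI; the state names returned by validator_state are an assumption made for this example, not the add-on's own labels.

```python
import hashlib
import hmac


def der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_read(buf, off=0):
    """Decode the TLV at buf[off]; returns (tag, value, end, start)."""
    start, tag, length = off, buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length, start


def der_children(content):
    """Split a constructed value into child TLVs, keeping each child's full bytes."""
    out, off = [], 0
    while off < len(content):
        tag, _, end, start = der_read(content, off)
        out.append((tag, content[start:end]))
        off = end
    return out


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo. tbsCertificate field order:
    [0] version (optional), serialNumber, signature, issuer, validity, subject, spki."""
    _, cert_body, _, _ = der_read(cert_der)
    _, tbs_tlv = der_children(cert_body)[0]
    _, tbs_body, _, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]


# TLSA matching types (RFC 6698): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
DIGEST = {0: lambda b: b,
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}


def parse_tlsa(rdata):
    """TLSA RDATA wire format: usage(1) selector(1) matching type(1) data(n)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return {"usage": rdata[0], "selector": rdata[1],
            "matching": rdata[2], "data": bytes(rdata[3:])}


def tlsa_matches(tlsa, cert_der):
    """True if the presented certificate matches the record's association data."""
    if tlsa["selector"] == 0:
        subject = cert_der                  # full certificate
    elif tlsa["selector"] == 1:
        subject = extract_spki(cert_der)    # SubjectPublicKeyInfo only
    else:
        raise ValueError("unknown TLSA selector")
    if tlsa["matching"] not in DIGEST:
        raise ValueError("unknown TLSA matching type")
    return hmac.compare_digest(DIGEST[tlsa["matching"]](subject), tlsa["data"])


def validator_state(dnssec_secure, tlsa_rdatas, cert_der):
    """Fold the DNSSEC and TLSA results into one verdict (state names assumed)."""
    if not dnssec_secure:
        return "no-dnssec"          # chain did not validate: the records prove nothing
    if not tlsa_rdatas:
        return "dnssec-only"        # signed zone, but no certificate binding published
    if any(tlsa_matches(parse_tlsa(r), cert_der) for r in tlsa_rdatas):
        return "tlsa-match"
    return "tlsa-mismatch"          # a signed binding exists and the server's cert differs


def build_fake_cert(spki_content):
    """Constructed, unsigned X.509-shaped DER skeleton (not a valid certificate)."""
    spki = der(0x30, spki_content)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))   # [0] version v3
              + der(0x02, b"\x01")                  # serialNumber
              + der(0x30, b"") * 4                  # sigAlg, issuer, validity, subject (placeholders)
              + spki)                               # subjectPublicKeyInfo
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki


CERT, SPKI = build_fake_cert(
    der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))  # rsaEncryption OID
    + der(0x03, b"\x00" + b"\xab" * 16))                            # dummy key bits

# Constructed records in wire form, i.e. "3 1 1 <hex>" and "3 0 1 <hex>" in presentation form
TLSA_SPKI_SHA256 = bytes([3, 1, 1]) + hashlib.sha256(SPKI).digest()
TLSA_CERT_SHA256 = bytes([3, 0, 1]) + hashlib.sha256(CERT).digest()
```

The selector matters in practice: a "3 1 1" record pins the public key, so the site can renew a certificate with the same key without touching DNS, while a "3 0 1" record pins the exact certificate bytes and must be republished (and its TTL respected) at every renewal, or the browser sees a mismatch. Flipping one byte of the constructed certificate's signature field shows the difference: the full-certificate record fails, the SPKI record still matches.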