This week one of my columns on CBC Radio sheds light on a story circulating in network security circles that depicts a new and rather alarming attack on the banking system's transaction process. I'm getting a lot of emails from CBC listeners asking for more info, so here's an article on Wired's Threat Level Blog that elaborates further. Here are some key highlights from the article:

The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side.

But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.

Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. The affidavit, which accused Albert "Cumbajohnny" Gonzalez of leading the carding ring, indicated that the thieves had stolen "PIN blocks associated with millions of debit cards" and obtained "technical assistance from criminal associates in decrypting encrypted PIN numbers."

But until now, no one had confirmed that thieves were actively cracking PIN encryption.

There are two fascinating developments in the world of online security that are so sensational as to seem right out of a cyberpunk thriller.

The first, which I've spoken about on CBC recently, is the resilience of the Conficker worm, which culminates in some kind of action on April 1st 2009.

The second is an incredible espionage initiative called GhostNet, which friends of mine at the Citizen Lab here in Toronto have helped unearth and expose to the public.

Combined these two stories depict something I've been describing as an open arms race, in which proxy forces develop new types of information based weapons and test them live on the internet. While it's never clear who the players are behind this perpetual information war, researchers are able to dissect the tools and compromised systems to portray a fascinating tale of computer-based cloak and dagger.

Last year I became fascinated with the rise and fall of the Storm Worm and in its wake a number of new super worms have emerged, the most recent being Conficker and Waledec.

It's not just the rate of infection and the speed by which they're able to spread, but the fact that these worms can be regarded as instant super computers. Out of nowhere they're able to harness the power of millions of computers and create the black market equivalent of the cloud computer providing on demand software as a service.

Worms often have an autonomy and sophistication that most other malware does not, inserting themselves into a system and disabling security software and the operating system's automatic updates.

It used to be that only Microsoft Windows systems were targetted but now too Apple systems are vulnerable, with a worm or two targeting OSX.

While it goes without saying that you should always be sure to run proper updates, and ensure your system is up to date, Microsoft does provide a free utility to identify and remove these worms.

One of the challenges however of these new breed of super worms is that detecting something that is otherwise invisible becomes quite a trick indeed. The advice I offer is to contemplate the use of a visual firewall that allows you to literally see what's going on within your network.

This can be done quite cheaply, using old hardware, and free software. There are a number of linux operating systems designed for just this purpose, including Coyote Linux and Devil Linux, and I add a utility like iptraf which makes it easy to see and control that network. Mind you there are better visualization tools than this, but I like to keep it simple.

While I do run Windows, I also took it upon myself long ago to learn Linux and other operating systems (like *BSD) so that I could make the most out of my computer hardware. When it comes to securing and controlling your home network it helps to have the knowledge and tools to do the job properly.

There are of course "easy" Linux systems like Ubuntu, which can get you started, but really there's no excuse for not giving it a shot. If you can run a Windows computer than you can run a Linux one. Got an old box kicking around the house? Why not give it a try...

Last week my CBC radio column covered the recent introduction of a 3D imaging surveillance system used at the Kelowna BC airport to screen passengers. Using millimetre waves the system is able to penetrate clothing and create a vivid 3D model of the passenger without clothes on. Thus it is a far more thorough system then the existing setup which only scans for metal.

Part of the focus of the column was on the privacy implications of such a system, and at the time CATSA (the Canadian Air Transport Security Authority) was claiming it had the support of the federal privacy commissioner. I mentioned this in my column, but also expressed skepticism that the current steps being taken to protect passenger's privacy was not enough.

Turns out, the privacy commissioner does not support the pilot project, and does indeed have concerns with how passengers privacy might be violated. Here's a quote from the Globe and Mail:

"However, the privacy commissioner's office said yesterday it is concerned about the implications of the new system and it never told CATSA officials that the body-scanning technology meets Canadian privacy standards.

"At this very early stage we certainly don't know enough to endorse the project, so the suggestion that we endorsed it is perhaps a bit off," commission spokeswoman Anne-Marie Hayden said. "I think we're going to have to watch it closely and we're going to want to ensure that individuals' privacy rights are protected."

Thanks to Blair Campbell for alerting me to this. Goes to show that even when an organization says it is protecting your privacy you should still question that assertion, and try and think of unforeseen ways in your rights my be violated.

This past week I was overwhelmed with responses from a number of media stories. A couple of Blackberry business articles, a couple of Facebook expert articles, an article about a Hong Kong sex scandal, as well as some TV and radio appearances, first about the bust of a child porn ring, and then about the bust of a Quebec based Hacker cell.

In general my policy is to respond to anyone who takes the time to get in touch with me. Yet I've now had to revise this policy to only reply to people who show respect rather than outright hostility. Something about the audience that reads the National Post that brings all sorts of trolls out from under the bridge.

The CBC audience on the other hand is a pleasure to interact with. Even when they strongly disagree with me I find CBC viewers and listeners to be intelligent and engaging. One particularly pleasant email I received was from a "middle-aged mother" who will remain nameless, but I suspect represents a typical Canadian, from an average family. For the sake of argument, let's call her Louise.

Computer security is a field I've always been interested in, both as a journalist, researcher, and system administrator. However I'm also often quite critical of the industry as a whole, and the manner in which they communicate with their customers.

Today a particularly symbolic and silly episode is transpiring that illustrates why the trust and power we put into security and anti-virus software is often misplaced.

Users of the CA eTrust software are being alerted that they've been infected by the JS/SNZ.a virus whenever they surf a website that runs any one of a few common javascript libraries. This includes my own site, which is causing some of my readers to get alerts, one of whom emailed me about it.

The problem of course is that this is not a virus at all, rather a false positive. Most users however won't know that, and instead are being scared away from thousands if not millions of legitimate websites.

In my latest article for cbcnews.ca I've taken a look back at 2007 as a profitable and successful year for cyber crime. Explicitly I take my analysis of the storm worm and draw out a thread that shows the larger socio-political implications of this emerging technology:

The organization of all this criminal activity manifests in the form of bot nets (see sidebar) such as the storm worm, networks of hijacked machines that allow criminals to engage in their activities without being traced or identified. The sophistication of these bot nets has increased so rapidly that many observers have begun speculating that we're witnessing the early stages of a new online arms race, a cyber cold-war in which new weapons and tactics are being developed and tested.

Today's my birthday, I was born 3.3 decades ago, at around 6:10 in the morning. I've always enjoyed my birthdays. I tend to take the time to reflect on this day, remembering where I came from, while thinking about where I'm going.

On some levels identity is fluid, always changing, yet on the other hand there are constants that go through our lives as threads that bend but remain relatively the same.

I've done a number of CBC segments recently around computer security and information warfare. While trying not to be sensational, these are subject areas that I feel require more attention, certainly from the news media, but also from the public at large.

On the one hand they are fascinating unto themselves, and don't require any added emphasis to denote severity, yet at the same time, the phenomena generally flourishes due to the ignorance and fear of average computer users.

When I got back from our mini-road trip to Chicago for American Thanksgiving I found that my windows workstation was infected with some kind of nasty malware. Initially from what I could see it was a type of rootkit that had taken over the machine and was using it to blast out spam to the world. From what I can tell neither the anti-virus nor anti-spyware software could detect it.