Debian Firewalls

Sitting around like a Dan on the weekend with nothing to do? Then isn't it time you built that firewall you have been missing?

Most networks these days run behind some type of network router/firewall device. Most commonly home office and SOHO networks use small firewall/routers made by companies such as Linksys, D-Link, and Netgear to provide their network connectivity. The problem is these devices are often weak, underpowered, and feature limited. The solution? Building your own!

Sniffing the Air (or How I learned to stop worrying and love the Pig)

For anyone who wants to learn more about wireless network traffic "sniffing". Here is a pretty good how to guide.

Defeating Citi-Bank Virtual Keyboard Protection

Good site for vulnerability research, including PoCs.

Description: Early this year, Citi-Bank introduced the concept of Virtual Keyboard to defend against malicious programs like keyloggers, Trojans and spywares etc. However, the Virtual Keyboard concept can be easily defeated by using Win32 APIs to access HTML documents. Refer the PoC (Proof of Concept) for more details.

More details can be found at:

http://xforce.iss.net/xforce/xfdb/21727

http://www.us-cert.gov/cas/bulletins/SB05-222.html

http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=17684

http://www.virus.org/Article151.html

Download link of the PoC:
http://www.hackingspirits.com/vuln-rnd/defeat-citibank-vk.zip

BatteryUniversity.com

Things that every geek should know... Battery University is an on-line resource that provides practical battery knowledge for engineers, educators, students and battery users alike. The papers address battery chemistries, best battery choices and ways to make your battery last longer.

The presentations are easy-to-read and are limited to about 1000 words. The material is based on the book Batteries in a portable World - A handbook on rechargeable batteries for non-engineers, and is written in condensed form.

Gas Thief Found Asleep at the Scene of the Crime

A Swifty gas station in Muncie wasn't open for business when the driver of a white van attempted to fill up.

But 38-year-old Brad Hodson wasn't filling his tank. Police say a 55-gallon barrel was in the back of his van.

Muncie Police Chief Joe Winkle explains, "He had pulled up next to the underground tank and had put a homemade siphoning hose in the underground tank."

Hodson used batteries to do the actual siphoning. But in the process, Chief Winkle says Hodson apparently fell asleep. "The fact it was 5:30 in the morning, he may have just got tired trying to fill that large drum up with gasoline. I'm not sure how fast that happened, but it probably took a little while and he probably just sat back."

And that's how the station manager discovered Hodson when he came to open shop for the day just after five a.m.

Think Your Anonymizer is Foolproof?

Internet users hoping to protect their privacy by using Web anonymizers, false identities and disabled cookies on their computer's Web browser have something new to think about – a patent filed by the National Security Agency (NSA) for technology that will identify the physical location of any Web surfer.

A patent granted last week, describes a process based on latency, or time lag between computers exchanging data, of "numerous" known locations on the Internet to build a "network latency topology map" for all users. Identifying the physical location of an individual user could then be accomplished by measuring how long it takes to connect to an unknown computer from numerous known machines, and using the latency response to display location on a map.

Dolphin Assassins Menace Gulf of Mexico

Every once in a while, a story based on pure speculation starts circulating, and picked up and re-picked up by otherwise legitimate media outlets as if it were based on actual facts. Here comes a doozy. The UK's Guardian is reporting that killer dolphins, trained by the Navy in the art of DEATH and armed with poison darts may have escaped their tanks during Katrina and are now hunting down surfers and divers in the Gulf of Mexico...

Methods of Conducting Industrial Espionage

There is plenty of reason to believe that we do not notice many of the system intrusions that take place and that many of those that are noticed are not reported in a way that allows development of a statistical base. You can read a paper about this as an HTML file or as a PDF file.

The National Counterintelligence Center, which later became the Office of the National Counterintelligence Executive, has been reporting annually to Congress since 1995 about foreign economic collection and industrial espionage. Its reports are freely available as PDF files.

Personal Security - Katrina, When Poor People Have Lost it All

Last year, photographer Siege spent his life's savings on a trailer for his mom (above) and 13-year-old brother in Louisiana. Katrina destroyed their trailer home, and ate their belongings. Siege returned to Louisiana with his girlfriend to help them recover. He took this snapshot of his mom on Monday, September 12, and writes:

My mom was feeling very hopeful through all this. Then we met with FEMA this morning. After two hours waiting in line for it's cold bureaucratic embrace, her hope started to flicker.

This is what it looks like when poor people have lost it all, and are told to get in line. Which line? Did you fill out that form? I hear they suspended the vouchers. Who do I call for shelter? Call this 800 number to get your number. But sir, I don't have a phone. Go to this website to get a number. But sir, I don't have a computer, or a home to put it in, or a phone to connect it to.

Link to the blog where Siege is documenting the trip, and efforts to raise funds to buy his mom and brother a new home (he's auctioning off prints of his erotic, fashion, and portrait work for that purpose).

Homeland Security protecting a Honey Baked Ham store. I’ll sleep better tonight...

"All across the country, the ACLU is uncovering information about Americans engaged in peaceful protest being spied on by Homeland Security, the FBI and local police," said Debbie Seagraves, Executive Director of the ACLU of Georgia. "It is deeply disturbing that the government would use resources intended to protect national security to instead spy on innocent Americans who do nothing more than express their opinions on social and political issues."

Overall, Online Banking Sites are Laggards in Service Levels Compared to Credit Card and Stock Trading Sites

Keynote found banking industry Web sites as a whole performing poorly, lagging behind the performance of other financial services sites such as credit card and stock trading sites. On average, bank sites are unavailable to customers more than 15 hours per week because of technical issues. Bank of America, Wachovia and US Bank topped the Keynote ranking of customer experience. Washington Mutual, BankOne and Bank of America have the most reliable Web sites, Keynote says.

Crave privacy? New Tech Knocks out Dgital Cameras

Researchers at the Georgia Institute of Technology have come up with an inexpensive way to prevent digital cameras and digital video cameras from capturing that secret shot.

The technology they've devised detects the presence of a digital camera up to 33 feet away and can then shoot a targeted beam of light at the lens, according to Shwetak Patel, a grad student at the university and one of the lead researchers on the project.

That means that someone trying for a surreptitious snapshot of, say, a product prototype or an amorous couple gets something altogether less useful--a blurry picture (or a video) of what looks like a flashlight beam, seen head on. (Info and video of how the system works can be viewed here.)

Greyhats Security is Back

After a bit of a hiatus, the Greyhats site is back with some changes:

- New layout and navigation.
- A promise that: Bias is gone. No more criticism to either Microsoft nor Mozilla will be found on the website unless it is deemed as necessary for the progress of computer security.

You can find Greyhats Security at its old address, http://greyhatsecurity.org.

Magical Jelly Bean Keyfinder v1.41

Things that make you go hmmmm...

The Magical Jelly Bean Keyfinder is a freeware utility that retrieves your Product Key (cd key) used to install windows from your registry. It has the options to copy the key to clipboard, save it to a text file, or print it for safekeeping. It works on Windows 95, 98, ME, NT4, 2000, XP, Server 2003, Office 97, and Office XP. This version is a quick update to make it work with Windows Server 2003.

Linux-based Handheld that's Open, Powerful and Cheap

A Linux-based handheld that's open, powerful and cheap new Linux-based handheld computer/PDA called the GP2X:

It can play games. It can play your Movies. It can play your music. It can view photos. It can read Ebooks. It runs on just 2 AA batteries - And it can do all this in the palm of your hand or on your TV screen.

It runs the free Linux operating system. This means a whole world of Games, Utilities and Emulators are at your disposal. Quake, Doom, SNES, Megadrive, MAME, Media players and Applications to name just a few.

It's powerful - Two 200mhz CPU's with 64meg of RAM, custom graphics hardware and decoding chips. Takes SD cards and has 64M of NAND memory. Plenty to play with. One of the most powerful and advanced handhelds today.

It's cheap. Just $189.99.

It's open. You want to develop your own games for the GP2X? Go right ahead. The SDK is included with the system free. Not since the days of the Amiga has a system been so easy to develop for, commercially and for fun.

The GP2X isn't just another wannabe be Gameboy. Its a whole different design. A whole new idea for a handheld games system.

But wait, we're not new to the scene. Heard of the GP32? An accidental experiment in an open source handheld that went right. Some 30,000 units were sold worldwide, mostly in the UK and parts of Europe. The machine has an astonishing following. The GP2X is the successor.

An Introduction to Application Security Testing with Open Source Tools

A report on four open source tools: WebGoat, Firefox Web Developer, WebScarab, and Ethereal. By combining the tools in easy ways, testers can track down and close the gaping security holes that are often left in applications.

PASSWORDMAKER - Browser Extension

I am not promoting this software, but it seems like a handy password util...

How It Works

You provide PASSWORDMAKER two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PASSWORDMAKER calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PASSWORDMAKER is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it." In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

Hackers target VoIP

Let's dump that old PBX and get on the Voip bandwagon today!

Malicious hackers are turning their attention to the technology behind net phone calls, says a report.

The biannual Symantec Threat Report identified Voice over IP (Voip) systems as a technology starting to interest hi-tech criminals.

The report predicted that within 18 months, Voip will start to be used as a "significant" attack vector.

As well as prompting new attacks, Voip could also resurrect some old hacking techniques, warned the report.

Spam Map

Mailinator(tm) is a service that gives you free, disposable email anytime, anywhere. No need to ever sign up. Send first - come to the site later. Mailboxes are created when email arrives for them (see the FAQ for more information).

Mailinator is about saving you from spam. But in the process it ends up getting plenty of its own (averaging over a million emails a day!). This map shows (in semi-realtime) ip addresses that are currently sending the most spam to Mailinator.

LA Power Outage

The crew did exactly as they had been told...

An inaccurate work order led a crew to cut the lines that caused Monday's power outage to 2 million people in Los Angeles, the city's Department of Water and Power has determined.

"It was a case of miscommunication," Henry Martinez, an assistant general manager for the DWP, said Thursday.

DWP engineers who planned the replacement of a control system at a Toluca Lake receiving station specified that a bundle of three charged lines should be left intact, but work drawings handed to the crew called for the lines to be cut and removed, Martinez said.

The wire cutters used by the work crew closed a circuit between two live wires, triggering circuit breakers that shut down the receiving station and began the power outage, he said.

The agency is still trying to determine who drafted the work drawings that differed from the engineers' plans.

Nation's Critical Infrastructure Vulnerable to Cyber Attack

It's not Holloween yet... but - BOO

WASHINGTON, D.C., September 15, 2005 – In testimony before the House Science Committee today, the Chief Information Officers (CIOs) of major U.S. corporations warned Congress that the nation’s critical infrastructure remains vulnerable to cyber attack. The witnesses said the economy is increasingly dependent on the Internet and that a major attack could result in significant economic disruption and loss of life.

Urging action to address this vulnerability, the witnesses advocated increased funding for cybersecurity research and development (R&D) and greater information sharing between industry and government and among various sectors of industry. Witnesses also urged greater federal attention to cybersecurity and praised the creation of an Assistant Secretary for Cybersecurity at the Department of Homeland Security (DHS).

The Next 50 Years of Computer Security: An Interview with Alan Cox

Author's note: Alan Cox needs little introduction--most will know him for his long-standing work on the Linux kernel (not to mention his appreciation and promulgation of the Welsh language among hackers). Cox is one of the keynote speakers at EuroOSCON this October, where he will talk about computer security.

According to Alan Cox, we're just at the beginning of a long journey into getting security right. Eager for directions and a glimpse of the future, O'Reilly Network interviewed him about his upcoming keynote.

Fridays are for fun... Do You Like to Watch?

If yes, this is the site for you... Global Desktop is a webcamera portal and combines several LIVE images from Webcams all over the World in a one page view!

National Vulerability Database (NVD)

NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard.

Goolgle's Beta Blog Search Engine

Google has introduced its long awaited blog search service, becoming the first major search engine to offer full-blown blog and feed search capabilities. Google's new service (in beta, naturally) is available both at google.com/blogsearch and search.blogger.com. Google blog search scans content posted to blogs and feeds in virtually real-time, according to Jason Goldman, Google product manager for blog search.

Whax and Auditor Want to Merge

They are asking for help with a new name. One that can also be used in commercial environments and doesn't sound to hackisch.

Post your suggestions to the forum at: http://forum.remote-exploit.org/viewtopic.php?p=5488#5488

25 Mind-Numbingly StupiStupid Quotes about Hurricane Katrina

A listing of 25 stupid quotes made by various politicians and media personalities. Here's my favorite: "Brownie, you're doing a heck of a job." –President Bush, to FEMA director Michael Brown, while touring Hurricane-ravaged Mississippi, Sept. 2, 2005

Marcus Ranum's "The Six Dumbest Ideas in Computer Security"

Always interesting and entertaining and thought provoking... This is Marcus Ranum's latest essay: "The Six Dumbest Ideas in Computer Security."

School Security

12-Year-old Girl Shot with Stun Gun by Cops for Arguing at School

A Cincinnati-area mother says her 12-year-old daughter was humiliated and eventually stunned with a taser gun by Cincinnati Police inside Burton Elementary School Wednesday.

Nmap Port Scanner Gets an Upgrade

After more than 7 months of solid work, Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 3.90. Changes in this massive update include: the ability to send and properly route raw ethernet frames, ARP scanning (for faster and more reliable local LAN host discovery), MAC address spoofing, enormous version detection and OS detection updates, dramatic Windows performance and stability improvements, 'l33t ASCII art, OS/hostname/device type detection via service fingerprinting, dozens of bug fixes and much more. Read the Changelog for the full scoop. Or snag a copy from the download page!

Email Policy Enforcement Story from Australia

Secretaries sacked after cyber brawl...

TWO secretaries at one of Sydney's top law firms have been sacked after a catty email exchange that was circulated around the city's legal and financial district.

Allens Arthur Robinson has been rocked by the cyber brawl, which began over a missing ham sandwich and ended with one woman taunting the other for being unable to hold on to a boyfriend.

In a warning to everyone who uses email at work, Allens confirmed that Katrina Nugent and Melinda Bird had been sacked and other high-flyers were facing disciplinary action.

Survival of New Orleans Blog

This site is still providing a very interesting perspective on what is going on in NO (photos, live cam and story). Wanted to post it again so it would be at the top of the list.

also

FEMA Blocks Photos of New Orleans Dead. Apparently the First Amendment of the US Constitution is rescinded by decree. The fact is they do no want the public to witness the horror of their botched job. Where is the outrage? The bloggers will have to do it...

Nerd TV

PBS kicks off NerdTV - broadcast TV's first entirely downloadable series. It features PBS technology columnist Robert X. Cringely's interviews with personalities from the world of technology. NerdTV is available for download from pbs.org/nerdtv...

NerdTV is essentially Charlie Rose for geeks - a one-hour interview show with a single guest from the world of technology. Guests like Sun Microsystems co-founder Bill Joy or Apple computer inventor Steve Wozniak are household names if your household is nerdy enough, but as historical figures and geniuses in their own right, they have plenty to say to ALL of us. NerdTV is distributed under a Creative Commons license so viewers can legally share the shows with their friends and even edit their own versions. If not THE future of television, NerdTV represents A future of television for niche audiences that have deep interest in certain topics.

Who is Jamming Radio Communications in New Orleans?

Bloggers following the emergency communications flow in New Orleans report that some frequencies are being actively jammed. This post on Jacob Appelbaum's blog points to speculation that a government agency may be responsible for some of that activity.

Why?

It is hard to be sympathetic, when you see things like this...

He Picked the Victims From a Sheriff's Web Site

Satellite images to sex offenders, are we placing too much information for our own good on the web? In our zest to share, are we risking the safety of our workplaces and families?

Mullen told authorities he targeted at least one of the two men after checking the county sheriff's Web site July 13, according to the police statement.

Artists Against 419

Interesting site working to stop fake bank sites-

An international community of individuals dedicated to fighting advance fee "419" fraud through artistic means! The images on this site are loaded from fraudulent Web sites that are being used in active scams, defrauding people of their money; by visiting this site, you are costing a scammer money.

Everthing Comes in Threes - Ready for #3?

If FEMA goes three for three in its predictions — if the Big One rattles San Francisco — will we be ready?

In early 2001 the Federal Emergency Management Agency listed what it believed were the three most likely disasters to face the United States in coming years. One was a terrorist attack on New York City. The second was a hurricane-spawned flood of New Orleans.

Kind of makes you want to know what the third one is, doesn't it? The third is a major earthquake in San Francisco.

The first two have come to pass in under five years. And in both cases, the post-mortems have had two main elements: How could this have been prevented, and could it have been handled better once it occurred?

Who Would Ever do Such a Thing?

Personal Security - Bet Your Life?

What do you think? Is life as we know it ending?

Following these remarks is a brilliant piece of reporting by the American Progress Action Fund. It makes a clear case for what we are all now suspecting and seeing: the Bush administration is horribly mismanaging relief efforts along the Gulf Coast. Several things are now becoming clear. It is unlikely that New Orleans will ever be significantly rebuilt. When we talk about collapse as a result of Peak Oil, New Orleans is an exemplary – if horrifying – glimpse of what it will look like for all of us. In the case of New Orleans, however, it’s happening about two or three times as fast as we will see it when Peak Oil becomes an unavoidable, ugly, global reality. How long? Months. If we’re lucky, a year. As of August 2005 it’s not just a race to make sure that a particular region is not eaten by warfare and economic collapse. Mother Nature is obviously very hungry too. What region will be the next to go? What sacrifices can be offered before the inevitable comes knocking at our own personal door? Who can be pushed ahead of us into the mouth of the hungry beast in the hopes it will become sated?

How low can human beings sink? Keep watching the news. It’s not the first time civilizations have collapsed. This has all happened many times before. This behavior is not new. What is new — but is now dying — is our enshrined belief that there were to be no consequences of our reckless consumption and destruction of the ecosystem. What is now dying a horrible death is America’s grotesque global arrogance, brutality and cupidity.

(more)

Gumshoe chases Internet villains in Eastern EU

A good (albeit long) article about the 'good guys' chasing the 'bad guys' all over the virtual and real worlds.

Microsoft's Enforcement Team employs 65 people world-wide, including former policemen, lawyers and paralegals. The group, which gets a seven-figure annual budget, has 25 investigators including Mr. Fifka.

Hacking in Iraq, Interview with Jake Appelbaum

This is from back in April, but I think it makes for an interesting read.

Jake Appelbaum (ioerror) talks about the satellites he was setting up in Iraq on his vacation along with all sorts of hackery. A fascinating account of why he was over there and of hacking the border, internet connections, handing out Knoppix CDs, video blogging, and some other amazing stuff...

Incredible Tales Beginning to Emerge — told by bloggers

READ THIS NOW!

The Interdictor — A Live Journal Report from a blogger in New Orleans. These stories are going to get worse. I think blogging will be here to stay after these reports start to pile up.

More photos (here)

Cyberspace Law Web Guide

A very good resource for technology related legal issues.

Wil Wheaton runs a Poker Charity Tournament for Katrina

Wil Wheaton: "I sat in my living room, and flipped between CNN and The Weather Channel. My mind struggled to process the catastrophic devastation unleashed by Katrina. Tears filled my eyes and spilled down my face as the magnitude of this disaster set in. I realized that the last time I felt this way was during the tsunami, and 9/11 before that...."I have to do something," I thought, "but what?"...read on"

Will has all the information for anyone wanting to join the tournament.