Sunday, December 31, 2006

Spy Numbers Stations on Shortwave Radio

Grandma give you a shortwave radio for Christmas? Have some fun with it here.

"59372 98324 19043 78903 95320...". The mechanized female voice drones on and on... What have you stumbled on to? Instructions to spies? Messages exchanged between drug dealers? Deliberate attempts at deception and mis-information?

Chances are, all of the above! What you've tuned in to is called a "Spy Numbers Station". They've been on the air for several decades, and only recently have the mysteries started to unfold. But there's still much we don't know about these mysterious stations. With the information on these pages, you'll discover the little that we do know about these stations, what we're still trying to learn, and how you too can tune in to the spies.

ShmooCon Reminder

January 1, 2006 - second round of ticket sales

Register here.

Let's Hope for a Happy New Year...

In a span of a few hours, 2,973 people were killed in the Sept. 11, 2001, terrorist attacks. In a span of 45 months, the number of American troops killed in Iraq has exceeded that grim toll...

"An eye for an eye makes the whole world blind."

- Mahatma Gandhi

Friday, December 29, 2006

Daddy get you a new car for x-mas? Lockpicking - BMW decoder tool

Here is a video showing the demonstration of a BMW lock decoder tool and software that allows you to open almost any BMW lock.

You are going to put your Call Center where?

Indian banks, government and commercial sites have seen a very large increase in defacements and phishing attacks in 2006 according the the CERT-In.

Analysis of defaced Indian websites year-2006 (till June) (ciwp-2006-02)

Wednesday, December 27, 2006

CISSP, CISA, and SSCP Open Study GROUP Online Quizzer

An updated version of a handy online quizzer engine for CISSP, CISA, SSCP, HIPAA, and SOX.

More info here.

Tuesday, December 26, 2006

On the Tuesday before Christmas...

my mom accidentally gave to me - An MP3 player full of pornography.

On Tuesday, Chanell Martin gave her 12-year-old daughter an early Christmas present as a reward for helping out weekends at the family's Lincoln Mall store.

Her daughter, a sixth-grader, was delighted with the black Microsoft Zune media player Martin purchased earlier that day at the Evergreen Park Wal-Mart.

But not for long.

Martin went to her room while her daughter plugged the device, which can play music and video, into the family's computer.

"She said, 'Mom -- what's this?' " Martin said. "When she handed (the player) to me she was looking at a gay orgy."

On the Zune's hard drive, Martin discovered, was about 6-- hours of hardcore gay pornography and a "slideshow" of another 62 pornographic images.

Full story here.

Sunday, December 24, 2006

Secure Air Space - Track Santa

For more than 50 years, NORAD and its predecessor, the Continental Air Defense Command (CONAD) have tracked Santa.

NORAD Santa tracker here.

Saturday, December 23, 2006

Tis The Season - Christmas.exe

Tis that time of the year when the malware writers out there are going to send their holiday cheer packed in an seasonally named file. This time it's Christmas.exe...

There is a good article about it over on f-secure. Check it out here.

New Year - New Look

Figured it was time for a new look... Let me know what you think...

Happy Holidays!

Friday, December 22, 2006

Friday Fun - Tour XM

Some Washington Post's folks took a tour of DC-based XM Satellite Radio's New York Avenue complex. At blog.washingtonpost.com...

Tuesday, December 19, 2006

The Silver Bullet Security Podcast

In the ninth episode of The Silver Bullet Podcast, has Gary McGraw interviewing Bruce Schneier. In this episode, they discuss the connection between physical security its technological component, the idea of risk management, the intersection of economics and security, and the ideas of “wholesale surveillance” and “security theater.” They also discuss patch Tuesday, hack Wednesday, and Microsoft’s approach to software security...

XSS Intro/Demo

XSS stands for cross site scripting (CSS) Since CSS is already taken by Cascaded Style Sheets, it is named XSS X standing for a Cross. It is a kind of hacking which allows you to deface websites, loggin as another user etc.

More info here.

Friday, December 15, 2006

WALSTIB or Friday Fun!

Hermaphroditic deer with seven legs ‘tasty’

Hey you smell something?

Chainsaw Wake up

Sunday, December 10, 2006

Question of the day

Things that make you go hmmm...
"Wonder if any of the Allbrittons (Joe, Robert, Barbie) will be going to Chile for the funeral of Augusto Pinochet???"

Getting Hacked Results In Armed Police Raid

A Denver woman who didn't have adequate security on her home computer paid the price.Serry Winkler was visited by several officers with a search warrant who demanded that she turn over her computer.They were investigating a case of computer fraud. The woman's computer was apparently infected by a bot or robot.

Watch video.

Full story here.

nmap-4.20 released

Just what I wanted for xmas! Nmap-4.20 has been released.

Get it here.

Thursday, December 07, 2006

Guardian comments on ".bank"

The Guardian newspaper has a story about why do museums have a secure, restricted .museum top-level domain but banks don't have .bank?

You would think that banks get phished via fake domains much more than museums do...

"There are no safeguards whatsoever against someone registering a domain name and using it for nefarious purposes," says Richard Martin, a business security consultant at the UK clearing bank group Apacs. Barnaby Davis, director of electronic banking for Barclays, says: "We're well past the tipping point when something needs to be done that makes it harder to register URLs or makes the consequences for misuse harsher."

Full story here.

Wednesday, December 06, 2006

The Cheapskate’s Infosecurity Toolbox

From CSOonline.com

A list of free-to-download tools for the budget-pinched CISO

BartPE: Preinstalled Environment
Troubled by that incessant spyware or virus that just doesn't seem to go away? Need a way to troubleshoot a system without booting the operating system installed on it? BartPE and the right plug-ins will let you do this. www.nu2.nu/pebuilder

Snort: Open Source Intrusion Detection System
Arguably the world's most used Intrusion Detection System. Both Windows and Linux binaries are available. www.snort.org

VMWare Server: A virtual environment
It finally happened: VMWare is available for free. Patch management, QA, vulnerability remediation testing and other daily activities are now available without a significant capital investment. VMWare also offers images of various environments, configurations and operating systems available for download (they're called "appliances") and ready to use in conjunction with the main product. Just download, point VMWare to the image and test away! www.vmware.com/products/server

DataRescue's IDA Pro Freeware 4.3 disassembler and debugger
Although not posted on the DataRescue site anymore, the free version of their utility will turn up with a quick Google dig. Try www.programmersheaven.com/

OllyDbg disassembler and debugger
Probably the world's most used debugger disassembler. Gives most commercial debuggers a good run for their money. www.ollydbg.de

eEye Digital Security's Binary Diffing Suite
A good, free suite of binary diffing tools you can use to see the effect that a released patch may have on your environment. Read the website, as there are some platform dependencies. research.eeye.com/html/tools/RT20060801-1.html

Cygwin: Linux-like environment for Windows
Need to run some scripts or programs that previously ran only under Linux? Do you miss your Linux command line when running Windows? www.cygwin.com

Nagios: An open-source host, service and network monitoring program
Not for security only, but Nagios can be used to monitor for events that typically have security implications. This is one that you and your CIO will agree upon. www.nagios.org

iptables and Firewall Builder: Firewall and Management Interface
Don't have the deep pockets for a Checkpoint, Cisco or Juniper? Iptables comes with most Linux distributions. Not comfortable using a command line to manage it? Firewall Builder is an intuitive way to install and manage the rule set. Get a couple of credit card CDs, create a bootable distribution, and you've got a firewall in your pocket. www.iptables.org and www.fwbuilder.org

Apache SpamAssassin: Fight Spam at the Gateway
Not really a secret to most people. With the right configuration this is difficult to beat no matter how much you spend on an antispam solution. spamassassin.apache.org/index.html

OpenSSH for Windows: Secure Shell for Windows
Because FTP is so passé (and insecure), use OpenSSH on the server side coupled with "PuTTY" and WinSCP on the client side for a cheap way to secure your file transfers. sshwindows.sourceforge.net, www.chiark.greenend.org.uk/~sgtatham/putty and winscp.net

Cheops-ng: "The Network Swiss Army Knife"
A tool for mapping and monitoring your network. This is an excellent free way to track down most of the systems on your network. cheops-ng.sourceforge.net/download.php

ACID (Analysis Console for Intrusion Databases):
An analysis engine to search and process security events generated by various intrusion detection systems, firewalls and network monitoring tools. acidlab.sourceforge.net

Body of missing CNET editor James Kim has been located

The saddest part of this story is that if Mr. Kim would of stayed with his car and family, he would sill be here. Certainly his heart was in the right place, but almost every survival expert will tell you - to say with your car especially in the winter, cold and snow...

Kim, 35, left his family's stranded car Saturday morning searching for help and never returned. Kim apparently traveled in an 8-mile circle and was found less than a mile, separated by a sheer cliff, from where his family's station wagon got stuck in the snow. Officers said there was no way to determine whether he was trying to return to his starting point or if he became disoriented.

"He was very motivated...he traveled a long way," Josephine County Undersheriff Brian Anderson said.

Related Links:

http://jamesandkati.com

Mom, 2 kids survive

A commercial satellite-imagery company said Tuesday it is rerouting one of its satellites to fly over the Oregon wilderness where rescue crews search for CNET editor James Kim.

How To Survive If Lost In Wilderness - CBS News

Firewall for RFIDs

A Platform for RFID Security and Privacy Administration - This paper is a must-read paper for anyone who cares about electronic privacy and who wants to catch a glimpse of the future...

ShmooCon '07 Tickets On Sale Now!

The Early Bird tickets for December are already sold out! If you want $75 tickets, ck back on Jan 1st.

To register for ShmooCon, click here.

Important Dates and Deadlines:
  • December 1, 2006 - first round of ticket sales
  • January 1, 2006 - second round of ticket sales
  • February 1, 2007 - last round of ticket sales
2007 Ticket Price Structure:
  • Early Bird Tickets - $75, Overall Qty to be sold - 300
  • Open Registration - $150, Overall Qty to be sold - 450
  • I love ShmooCon Tickets - $300, Overall Qty to be sold 50

Monday, December 04, 2006

Christmas Themed Hacker Challenge

Ed Skoudis's Christmas Themed Hacker Challenge...

"Hey, challenge fans! To close out the year, I've posted a Christmas-themed hacker challenge, this one based on the movie, A Christmas Story. You remember that one... with the Messy Marvin kid, the interesting lamp, and the Red Rider Beebee gun. In this challenge, you get to help Ralphie explore his Old Man's network, trying to retrieve a copy of his parent's Christmas gift list. But, be careful, or else you'll hack your eye out! Entries are due by December 22, when we'll award three winners a copy of my book."

Sunday, December 03, 2006

Criminals find way to disable internet

Very interesting post detailing how criminals are hijacking portions of the internet and thousands of sites. The internet hijackers are re-directing sites to one-page spam sites where they collect ad revenue by people clicking on the ads. Sometimes the internet hijackers are just doing it for minutes at a time, other times for hours.

Fun with Google

Example on how to find +55,000 résumés

A Headhunter's dream...

Saturday, December 02, 2006

Machines of Loving Grace

It always amazes me that this was written in 1963...

All Watched Over by Machines of Loving Grace,
by Richard Brautigan (1963)

I like to think
(and the sooner the better!)
of a cybernetic meadow
where mammals and computers
live together in mutually
programming harmony
like pure water
touching clear sky.

I like to think
(right now, please!)
of a cybernetic forest
filled with pines and electronics
where deer stroll peacefully
past computers
as if they were flowers
with spinning blossoms

I like to think
(it has to be!)
of a cybernetic ecology
where we are free of our labors
and joined back to nature
returned to our mammal
brothers and sisters
and all watched over
by machines of loving grace.

Wednesday, November 29, 2006

psiphon to be released December 1st 2006

psiphon is a human rights software project developed by the Citizen Lab that allows citizens in uncensored countries to provide unfettered access to the Net through their home computers to friends and family members who live behind firewalls of states that censor.

Read about and download it HERE

A Couple of Free Password Generators

http://password.10try.com/

or

http://www.winguides.com/security/password.php

Friday, November 24, 2006

$3 Pen-Sized Digital Camera

How can you go wrong for $3 bucks? Stocking Stuffer here I come!

Check out the DigiCam's specs:

  • Sensor Type: CIF/CMOS

  • Interface Type: USB

  • Resolution: 640x480 VGA

  • Video: 9 fps hi-res, 20 fps low-res

  • Memory: 2Mb – 20 to 80 images

  • Dimension: 4.9" x 1.2" x 0.8"

  • Batteries: AAA x 2 Alkaline Batteries

  • Battery Capacity: Continuous Snapshots for 2 hours

  • Stand-by can work about 2 weeks

  • USB Power: When connected the camera draws its power from PC

  • Viewable Angle: 54 degrees

Thursday, November 23, 2006

Holidays are for Kids...

How easy is it to pick a lock you ask? Most locks you come in contact every day are so easy even a 9 year old child can pick a lock their first time if you show them how!

Watch this short video! 9 Year Old Lock Picker

Happy Thankgiving!

Monday, November 20, 2006

'Worm' attacks Second Life world

Virtual world Second Life had to close its doors for a short time on Sunday after a worm attack called grey goo.

The self-replicating worm planted spinning gold rings around the virtual world, which is inhabited by more than a million users.

Players treated the attack with a mixture of mirth and anger.

"Can this game get any more unpredictable and exciting?" asked one user, Loretta Lurra on the official Second Life blog.

As users interacted with the rings they replicated, resulting in a slowdown on the servers used by Second Life's creators Linden Lab, in California.

Second Life has become one of the most talked about developments in cyberspace in recent years.

Panty Raid

Portland Officer in Panties Case Admits, Resigns

ELIZABETH SUH
The Oregonian (Portland, Oregon)

A Portland police officer pleaded guilty Monday to two counts of official misconduct for asking two women to show him their underwear during a traffic stop in July.

In a plea bargain, John Alexander Wood, 31, agreed to resign, have his police certification revoked immediately and face two years of probation and 100 hours of community service.

Portland Police Chief Rosie Sizer said in a news conference that she was disturbed to learn of the allegations and praised the complaint and review system that acted swiftly to investigate.

The two women reported the incident to police July 26, five days after it happened. Police encouraged the women to file a complaint with the Independent Police Review Division. After the women did so, detectives began a separate investigation and Wood was placed on paid administrative leave. Wood was hired as a Portland police officer in January 2003 and was working as a district patrol officer at the time of the incident.

In the course of investigation, detectives contacted a third woman who also said that Wood asked her repeatedly to show him a tattoo on her groin.

"Community members should be able to trust sworn police officers," Sizer said. "It is my hope that the community will view this as the isolated case it was."

The Oregonian is not naming the two victims.

In a hearing Monday afternoon before Multnomah County Circuit Judge Jean Kerr Maurer, one of the women, who is from Spokane and in her early 20s, spoke of how the traffic stop plagues her every day.

"I have trouble sleeping, and I am still unable to drive at night alone," the woman said, reading from a prepared statement. "Every time I see a law enforcement official, I feel as though I can't breathe and I start to feel nauseous."

Wood wrote letters of apology to the two women, who read them after the hearing, said their attorney, John Allison.

The women told detectives they had spoken with Wood as they were leaving Dukes, a nightclub in East Portland, in the early morning hours of July 21, according to interview records released by police. Wood was in the parking lot in a marked patrol car.

The women claim Wood pulled them over while they were driving home on Interstate 205 at about 3:15 a.m. and told them to lift their skirts and show him their underwear or he would take them to jail for driving under the influence. The women said that Wood also asked them if they had breast implants and if they shaved their pubic hair.

The women said they complied with Wood's requests and he concluded the stop without writing a ticket.

Wood initially denied all allegations in interviews with detectives, saying he had contact with the three women but had not made inappropriate demands.

Allison, the attorney, said Wood couldn't be charged with sexual assault because he didn't touch the women. But, Allison said, Wood made a "full and complete admission" of his crimes in his letter to the women.

In the second incident, which occurred shortly after the first, a woman said Wood approached her and her boyfriend while they were parked in a van outside Ventura Park at Southeast 113th and Pine streets, according to police interviews.

She said she showed Wood a tattoo on her groin three times after he asked to see it under threat she would go to jail for failing to have proper identification on her. The woman is now in custody at the Multnomah County Detention Center for an unrelated probation violation.

Wood is the second law enforcement officer to come under scrutiny recently for inappropriate demands during traffic stops.

A criminal investigation begun in November 2004 found that Multnomah County Sheriff's Deputy Christopher Green asked several women he stopped to either lift their shirt up, remove their bra or unzip their pants while pretending he was searching for a suspect with a flower tattoo. The inquiry also showed Green lied about what he did when questioned by a supervisor.

Green remains on paid leave as the Oregon Department of Public Safety, Standards and Training board considers revoking his police certification. The Multnomah County district attorney's office also has renewed a criminal inquiry into Green's actions.

Game Consoles - High Risk?

Gartner: Crims will use PS3 to crack crypto

That's the opinion of Gartner's Steve Prentice, voiced yesterday at the firm's ITxpo/Symposium in Sydney.

Prentice said PlayStation 3 will pack an impressive 207 teraflops of power under its slim hood when released locally next year. By comparison, his research indicates that the .entry level. machine from supercomputer Cray offers 230 teraflops.

"There will be millions of PlayStation 3's sold, and they will all be online," he said, predicting that the sheer computing power available between the machines will be among the largest and most powerful computers ever assembled.

That power, he believes, will attract criminals.

Sunday, November 19, 2006

Hole-in-wall thief used MP3 player

A UK thief outwitted sophisticated banking security systems by using an ordinary MP3 music player to bug cash machines and steal customers’ credit card secrets.

Maxwell Parsons, 41, was the central figure in a gang who went on to steal goods worth hundreds of thousands of pounds in high street stores across Britain.

The banking industry was so alarmed by the gang’s method, believed to be unique in this country, that they immediately moved to plug the technological loophole.

Parsons, a well-known criminal figure, was jailed for 32 months after pleading guilty at Minshull Street Crown Court to deception and unlawful interception of a public telecommunications transmission.

The fraudster learnt how to carry out the fraud from the example set by criminal gangs in Malaysia where the method of fraud was used with devastating effect against the banking system.

Parsons or other gang members would use MP3 portable music players to record data transmitted from free-standing ATM cash machines. The data was then converted to readable numbers using a separate computer programme.

Friday, November 17, 2006

Friday Fun - Reflecto-porn

Instances Reflecto-porn have been growing on sites such as eBay. The idea is that you photograph something whilst wearing your birthday suit and ensure that an image of your nether regions appears reflected in a mirror or the product - e.g. a kettle - that you’re trying to sell.

Examples and more info here.

Sunday, November 12, 2006

Medusa Parallel Network Login Auditor

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible.

More info and download here.

Friday, November 10, 2006

Skill Crane from ShmooCon Lives!

At last year's ShmooCon they had the Hacker Arcade with a skill crane that was hooked up to a PC and available to control over the local wireless network and the Internet. Someone ended up winning most of the skill crane prizes by writing an automated script to hit every spot. I won a Shmoo ball from the dang thing (the old fashion manual way) and now its back online.

Cypherpunks: Its A Word

The Oxford English Dictionary has added cypherpunk. Along with bling, Disneyfied and hard-ass.

Tuesday, October 31, 2006

Info Sec Search Site - 100 Resources and Counting

After some more research and digging, www.searchinfosec.com now presents results from over 100 quality security resources, from a single search box.

Sunday, October 29, 2006

Boarding Pass for one Bin Laden/Osama

A computer security student says terrorists would have no trouble getting around the government’s no-fly list, and to prove it he set up a Web site (it’s down now) that prints fake boarding passes.

The passenger name on the fake boarding pass is “Bin Laden/Osama,” although travelers can put in their own name — or a fake one — and change the flight information, too.

Christopher Soghoian, a 24-year-old doctoral student at Indiana University, said he set up the site to prove that the Transportation Security Administration isn’t taking airline security seriously.

Soghoian said terrorists on the no-fly list could use a fake boarding pass to avoid the no-fly list because IDs are only checked when the passenger passes through TSA screening. So someone could use a fake boarding pass with an ID that matches and get through the screening.

Soghoian said he built his Web site to mimic Northwest Airlines boarding passes because he had one handy after flying Northwest earlier this week. He said he has nothing against the airline.

Soghoian said the fake boarding pass couldn’t get anyone onto a flight — as long as the airline’s computers were working — because the bar code wouldn’t match the other information on the pass.

At his blog he relates the tale of FBI visits following publication of his jest and his current status.

Monday, October 23, 2006

Q&A: Why Metasploit Publishes Hacker Tools

H.D. Moore, Metasploit founder, developer, and researcher talks about why it's important to publish security exploits, his organization's relationship to the cops, and more.

Certification Top 10 Lists Revisited

This is from CertMag.com and is getting a good bit of coverage. Go and see where your certs fit and plan you next few.

Here's the winners:

Best Hands-On Programs: Certified Professional Information Technology Consultant (CPITC)
Best Supporting Materials: (ISC)2 Certified Information Systems Security Professional (CISSP)
Best Specialty Certifications: Brocade Certified SAN Designer (BCSD)
Toughest Recertification Requirements: Cisco Certifications
Best Vendor-Neutral Credentials: Building Industry Consulting Services International (BiCSi)
Most Technically Advanced Programs: (ISC)2 Certified Information Systems Security Professional (CISSP)
Best New Programs or Certs: (ISC)2 Associate Program
Best Entry-Level Certifications: Certified Wireless Network Administrator (CWNA)

Tuesday, October 17, 2006

MySpace Predator Caught by Code


Five months ago, Wired News senior editor and former hacker Kevin Poulsen whipped up 1,000 lines of computer code that scoured MySpace’s 1 million plus profiles for 385,932 registered sex offenders in 46 states.

Kevin did a praiseworthy job. His detailed article at Wired is here.

Monday, October 16, 2006

Secure Future

Ophcrack LiveCD v.1.1.3 released

A new version of the LiveCD with the latest version of ophcrack 2.3.3 as well as bkhive2.

List of Podcasts with a 'Security" Focus

Name: PaulDotCom Security Weekly
Main Subject: anything related to computer security
Format: Casual
Approx. Updates Per Month: 4 to 5
Recent Subjects Covered: mobile malware, hacking ATM machines, tool that allows for hosts to communicate over wireless without being associated, Spamhaus in trouble, Filtering IM for kids, Hacking Web 2.0 Applications with Firefox
Justification: All kinds of good stuff week after week. Highly recommended.
Rss Link: http://pauldotcom.com/podcast/psw.xml

Name: Security Now!
Main Subject: computer security and basic technology concepts
Format: Formal
Approx. Updates Per Month: 4 to 5
Recent Subjects Covered: Parallels, Virtual PC, Application Sandboxes, Blue Pill, Vista's Virgin Stack
Justification: Despite the fact that Steve Gibson is a total tool who proves repeatedly that he knows alot less than he thinks he does, the show still touches on a number of interesting subjects that are worth tuning in for.
Rss Link: http://leoville.tv/podcasts/sn.xml

Name: Binary Revolution Radio
Main Subject: hacking, phreaking, computer security
Format: Casual
Approx. Updates Per Month: 4 to 5
Recent Subjects Covered: Toorcon, IPv6, Covert Channels, Phishing, Tunneling
Justification: Less organized but offers fresh information and interesting discussion each week
Rss Link: http://www.binrev.com/radio/podcast/

Name: PLA Radio
Main Subject: Phreaking
Format: Very Casual
Approx. Updates Per Month: 1 to 2
Recent Subjects Covered: Free Phone Calls, Beige Boxing, Deaf Relay Operators (IP Relay), Social Engineering
Justification: Covers topics related to "phone hacking". While the format is a bit strange, some of the older episodes had me laughing uncontrollably and are worth a listen.
Rss Link: http://www.phonelosers.org/rss.xml

Name: Off The Hook
Main Subject: General technology, phreaking, politics
Format: Semi-formal
Approx. Updates Per Month: 4 to 5
Justification: This show, hosted by Emmanuel Goldstein, has been running since the 80's and has become somewhat legendary in the Hacking and Phreaking communities as it's been there to document the evolution of technology. Definitely worth a listen.
Rss Link: http://www.2600.com/rss.xml

Name: SploitCast
Main Subject: new vulnerabilities, exploit code, security and technology news
Format: Casual
Approx. Updates Per Month: 1 to 4
Recent Subjects Covered: Interview with Johnny Long, ping tunneling, sensitive data on stolen laptops, Zfone, high level ISP hacks, darknets
Justification: They haven't been releasing much lately, but their episodes are usually pretty interesting. I can't find any other podcasts that discuss exploit code in great detail.
Rss Link: http://sploitcast.libsyn.com/rss

Name: Blue Box: The VoIP Security Podcast
Main Subject: VoIP Security, of course
Format: Semi-casual
Approx. Updates Per Month: 3 to 6
Recent Subjects Covered: Skype security news, interviews, VoIP fraud, recent vulnerabilities
Justification: Covers some great VoIP-related security-centered information.
Rss Link: http://feeds.feedburner.com/BlueBox

Name: TWAT Radio
Main Subject: All things technology with a slight security focus
Format: Casual
Approx. Updates Per Month: 10+
Recent Subjects Covered: Newsgroup readers, Wireless attacks for dummies, Eggdrop, Wake On Lan, Network Recon, VPNs, The GIMP, Cygwin
Justification: Covers a great deal of different technology subjects
Rss Link: http://www.twatech.org/wp-feed.php

Name: Basenet Radio
Format: Casual
Approx. Updates Per Month: 2 to 4
Justification: Underground feel, great information
Rss Link: http://www.basenetradio.net/rss2.xml

Name: LugRadio
Main Subject: Linux and Open Source
Format: Casual
Approx. Updates Per Month: 0 to 2
Recent Subjects Covered: the Portland Project, trusted computing, comparison of Linux distributions, Software Freedom Day
Justification: Possibly the most popular Linux-related podcast
Rss Link: http://www.lugradio.org/episodes.rss

Name: The Linux Link Tech Show
Main Subject: The cutting-edge in Linux-based technology
Format: Casual
Approx. Updates Per Month: 4
Recent Subjects Covered: Linux Home Automation, OpenWRT, Asterisk, Debian vs Mozilla, DRM
Justification: Lots of good Linux-related information
Rss Link: http://www.thelinuxlink.net/tllts/tllts.rss

Name: StillSecure, After all these years
Main Subject: All things related to information security with a focus on a business environment
Format: Formal
Approx. Updates Per Month: 2 to 5
Recent Subjects Covered: Interview with Steve Hanna of Juniper Networks, TCG/TNC, The IETF, 3rd party patching
Justification: This podcast includes some great interviews and information centered around enterprise security
Rss Link: http://clickcaster.com/clickcast/rss/1653

Name: Symantec Security Response Podcast
Main Subject: Security updates
Format: Formal
Approx. Updates Per Month: 2 to 4
Justification: A consistent source of security updates - great for people who are charged with defending a network for a living
Rss Link: http://www.symantec.com/content/en/us/about/rss/sr/sr.xml

Name: Network Security Blog
Main Subject: Network Security…
Format: Formal
Approx. Updates Per Month:
Rss Link: http://www.mckeay.net/secure/index.xml

Saturday, October 14, 2006

How to use your PC and Webcam as a motion-detecting and recording security camera

Web site Simplehelp has a tutorial for setting up your own motion-detecting security camera - all you need is a PC, a webcam, and a free, open source program called Dorgem.

Simplehelp's instructions are very detailed, and in the end you should have a security camera that can, for example, take pictures of intruders and upload them to a remote location via FTP (just in case the computer gets stolen). Or maybe you'll just end up with a lot of pictures of your son doing things in front of your computer that you never wanted to know about. Either way (well - not so much the second way), this is pretty cool. Works on Windows 98 and up.

Saturday, October 07, 2006

Hacking the Hacker

This "Hacker" site has Kevin Mitnick's "Art of Deception" book in pdf format. Kind of seems a little ironic...

VoIP Scanning

Interesting post on VoIP scanning...
What’s seems to be happening is that someone in France (from the IP address 82.234.27.188 from all the reports I’ve seen) is trying to find insecure SIP devices. They’re doing this by trying to make a call to 0033147310370, which appears to be a Fax machine or modem of some type in France. It’s a bit silly, actually, as ‘00′ isn’t a valid International code in lots of places - here in Australia, for example, the international dial prefix is ‘0011′, and in the US it’s ‘011′, so it’s always going to return a 404 here, no matter even if I do have a misconfigured device.
Full story here.

Friday, October 06, 2006

Friday Fun - DVD Rewinder

Time to start Christmas shopping! Get yours here.
Are you ready for HD-DVD? How about Blu-Ray? The DVD Rewinder works with any format! These new technologies can't get one up on this amazing device. Get your friends, and family out of the doldrums with the best and unique gifts on the internet. We are expanding our product line with truly unique and hard to find items.

Sunday, October 01, 2006

Non-Encrypted Hall of Shame

A list of companies who did not take prudent steps to guard their personal information.

Shopping Mall Security in the year 2017

Chris Oakley’s experimental short film, “The Catalogue” is a video scenario of what a shopping mall’s security would be like with the implementation of RFID tags used for real-time surveillance.



Saturday, September 30, 2006

In The News

Computerworld Article

Does Crime Pay? Reselling Stolen Information

From the folks at F-Secure:

Haxdoor rootkit-equipped backdoors are widely used - in the "Rechnungen" and "Räkningen" spam runs in Germany and Sweden for example.
A-311 Death
These changing Haxdoor variants are generated with a toolkit known as "A-311 Death".

The toolkit itself is sold on the Internet by its author, known as "Corpse" or "Korpsov".

Now, people who use such backdoors quickly collect a lot of information from infected computers. Information such as passwords, credit cards, and bank logons. Some of these attackers filter the logs they collect to find juicy information and then use it themselves. Others grep the data for e-mail addresses (to sell them to spammers) and for credit card numbers and bank logins (to sell them to fraudsters).

Then again, others take the easy way out and end up selling the logs as they are, by the megabyte. Here's a screenshot from one forum:

380mb of logs

Wednesday, September 27, 2006

Google for SQL Injection

Security expert Michael Sutton of SPI Dynamics wrote a little tool which uses the Google web search API to locate SQL injections, opening another chapter in the big book of Google hacking.

IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM

An anonymous note in the Harvard Law Review argues that there is a significant benefit from Internet attacks:

This Note argues that computer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security. In essence, certain cybercrime can create more benefits than costs, and cybercrime policy should take this concept into account.

Tuesday, September 26, 2006

VR Gear Makes RC Airplane the Coolest Toy Ever

This is just too cool...

A Canadian RC airplane enthusiast shows us some sweet unanticipated convergence between a model RC airplane and virtual reality gear. It works like this: The airplane is a conventional one, controlled by a wireless remote control. On the airplane is a pan-and-tilt camera, controlled also wirelessly. Here's the cool part. The video is viewable through virtual reality goggles, which have a gyroscope built in to sense the movement of the goggles. When the wearer moves his head, the camera moves. Tragically, this is not a product you can buy, but a DIY project.

www.hak5.org - USB Password Leecher

"In this segment we'll overview a few of Microsoft Window's security weaknesses and show how to build a custom USB key that will retrieve vital information from a target computer, necessary for auditing password strength. A major flaw in the way Windows stores password information is the use of the legacy LM, or LAN Manager hash. While this hash is based on DES encryption it is vulnerable to time-memory trade-off attacks due to it's poor implementation. Our custom USB key uses new U3 technology to automatically and invisibly retrieve these weak hashes within seconds of being inserted into the target computer. From here the LM hashes can be tested against a set of rainbow tables using the popular rainbowcrack software and audited for password strength. We will also cover password best practices and prevention methods for this type of attack."

Episode 2×02 Release

Saturday, September 23, 2006

Proof of Global Warming

Friday, September 22, 2006

Fridays are for Fun - Securing World Peace

World Peace Through Male Restroom Etiquette - A much needed, eye-opening tutorial (using The SIMS) to create a safer, more respectable world....



Sunday, September 17, 2006

WirelessDefender.net

A support site for the Wireless Defender knuckleheads, with a community that is busy hacking on UsbWiSec.

http://www.wirelessdefender.net

Gone Phishing...

$163K Wow... It is hard to believe that there are that many gullible folks still around, but it is Kentucky...
Scam artists using fake e-mails purportedly from Fifth Third Bank have stolen $163,000 from the Northern Kentucky Chamber of Commerce's bank accounts. It's the highest-profile case since the Cincinnati bank - the nation's 11th-largest - became a target for "phishing" scams this summer. Phishing is the act of tricking someone into giving confidential information or tricking them into doing something they normally wouldn't. Crooks typically use banks' and other financial-services companies' IDs because of their large customer bases. According to the anti-virus company McAfee, Fifth Third made up 60.5 percent of all phishing attacks in August. Working with the FBI, the chamber has recovered $65,465 and has traced $43,541 more that is pending recovery. Chamber president Steve Stevens said in a news release that the chamber is financially stable.

Kevin Mitnick on NPR (audio)

Q&A with Kevin Mitnick (among others) on Talk of the Nation (September 14) about social engineering, pre-texting, and privacy issues in light of the recent HP scandal. His portion starts about nine minutes into the program.

Tuesday, September 12, 2006

NetCat Tips - Quiet Exploration of Ports

Let's go...

We all know about netcat, so I won't do an introduction about it. Instead I will talk about the use of netcat in the quiet exploration of ports. As Netcat can talk with a range of ports, an obvious use for it will be to use it as ports' explorer. The first impulse is to connect Netcat to a complete range of ports on the target system.

[root@peruvian nc]# ./nc target 20 - 80

This will not work. Remember that Netcat is not a port scanner. In this situation, Netcat will start at port 80 and will try to carry out TCP connections to any ports that respond. As soon as it receives an answer on a port, Netcat will wait for a standard response before continuing. This Behavior is not the one that we are looking for.

The option -z is the answer. This option will tell Netcat to send a minimum amount of data to obtain an answer from an open port. When the -z switch is used netcat will not be able to send data to the remote port and as soon as the port is open it is immediately shutdown and closed. This allows us to avoid waiting for a response before continuing.

The verbose switch (option -v) provides details on the connections that Netcat is carrying out so will be able to use this to see the results of its analysis of the ports. Without this option,… well…, it will not be able to see anything. An example follows next:

[root@peruvian nc]# ./nc -z 192.168.1.100 20-80
[root@peruvian nc]# ./nc -v -z 192.168.1.100 20-80
peruvian [192.168.1.100] 80 (www) open
peruvian [192.168.1.100] 23 (telnet) open
peruvian [192.168.1.100] 22 (ssh) open
peruvian [192.168.1.100] 21 (ftp) open
[root@peruvian nc]#

When using the -v switch, we can see the status of the ports of some of the usual services running on the remote machine. What will our scan look like in the logs of the target system?

July 16 16:15:12 peruvian sshd[21690] : Did not receive ident string from 192.168.1.105
July 16 16:15:12 peruvian telnetd[21689] : ttloop: read: Broken pipe
July 16 16:15:12 peruvian ftpd[21691] : FTP session closed

We see that traces of our activity have been left on the target system. The system tracks the moment we scanned and the list of consecutive processes (21689 to 21691) we explored. If we had scanned a greater range of ports it would have left a really huge track in the logs of the target system. Also certain services, for example sshd, are so bad-mannered that they will save the IP address of the scanner.

Even if we scan a port on which nothing is running (and therefore the connection will not be logged), most networks count on intrusión detection systems that will immediately indicate this type of malicious behavior and they will call the attention of the administrator. Some Firewall applications will also block an IP address automatically if they receive too many connections on in a brief period of time.

Netcat allows the execution of a more sophisticated way to avoid this :D. We will be able to use option -i and to form a test interval. It will take a little more time to obtain the data, but the exploration with this allows more events to happen between each connection to help keep us off of the radar.

If we use the option -r so that Netcat explores of random form these ports, this process will look even less like an exploration of ports:

./nc -v -z -r -i 42 192.168.1.100 20-80

The previous instruction tells Netcat to choose a random range of ports between positions 20 and 80 in the 192.168.1.100 address and to try to connect to each one of them every 42 seconds. This method should bypass any automated defensive system, but the evidence of the exploration will continue to exist in the registries of the target system; they will only be more disordered.

You can also use netcat to carry out a quiet exploration of ports using UDP. All you need to do is add the -u option to instruct netcat to explore UDP instead of TCP ports.

*Note1:
Scanning with the UDP protocal has a problem. Netcat depends on the reception of an Internet Control Mensajes Protocol (ICMP) to determine if a UDP port is open or closed. If the ICMP is being blocked by a Firewall or a filter, Netcat will falsely report that these UDP ports are open.

Netcat is not a very sophisticated port scanner. One of its main features is that it is a very good general tool and does not emphasize any specialty. For this reason it is better to use a specifically developed port analyzer.


*Note2:
If you're getting errors when trying to port scan, try to limit netcat to a specific IP address and a specific port by using the -s and -p switches. Choose a port below 1024 or a port that isn't used by any service.

More questions:

----------------------
root3d
system666x@gmail.com
Perú [16/07/2006]
16:44
----------------------

Personal Security - Wear A Bike Helmet, Get Hit!

Cyclists who wear helmets are more likely to be knocked down by passing vehicles, research suggests.

A study found that drivers tended to pass closer when overtaking cyclists wearing helmets than those who were bareheaded, by 8.5cm on average.

Dr Ian Walker, a lecturer at Bath University, used a bike fitted with a computer and an ultrasonic distance sensor to analyse 2,500 overtakings in Salisbury and Bristol. He was struck twice during the experiment, by a bus and a lorry, while wearing a helmet.

Saturday, September 09, 2006

Security at Disney?

So... How did they get the thing through the "security" checkpoint at the front gate?

A mannequin depicting a prisoner described as a Guantanamo Bay victim, was reportedly snuck into one of the dioramas alongside of Disneyland's Big Thunder Mountain last week.

Monday, September 04, 2006

Sandwich

Saturday, September 02, 2006

The "Janus Project"

The "Janus Project" is the brainchild of Kyle Williams of the Janus Wireless Security Research Group in Portland, Oregon.

Mounted inside an epoxy and silicone-sealed watertight case lives a 1.5GHz C7 powered EPIA EN 15000G motherboard, 2 x four-port PCI to mini-PCI adapters, 8 x 802.11a/b/g mini-PCI WLAN Modules, 2 x 1W 2.4Ghz WLAN amplifiers, a keyboard and a 17in LCD screen. The system can scan up to 300 wireless networks simultaneously, storing and AES encrypting in real time all the data onto its 20GB hard drive.

By focusing all 8 WLAN cards onto an access point and using a combination of common Linux tools, the Janus Project can crack a WEP key in under 5 minutes. WPA and WPA2 encryption aren't far behind - Kyle and his friend Martin Peck are optimising the software to use the Padlock hardware acceleration of the C7 chip to crack those too.

If Kyle gets captured in enemy territory and tortured, an "Instant Off" switch will render the captured data useless until a password is entered and a USB stick containing a 2000-bit passkey is inserted. Presumably during the torturing process.

Can you do it?

Enter

Friday, September 01, 2006

Friday Fun - Burning Man 2006 TV

Burning Man 2006 is now in full swing and Current TV has setup an online television station, TV Free Burning Man.

They have been shooting video, doing interviews and uploading a daily show from Black Rock City. They will be doing a live broadcast the burn on Saturday night (September 2nd) starting at 9 PM PST/12 AM EST.

Thursday, August 31, 2006

Turning IE into a private Adult Content Browser

Privacy View Software, LLC, announces the release of Privacy View 2.10, a new version of the company’s privacy software for adults. Privacy View is part privacy software and part content management software aimed at people who surf for adult content. The new version of the software was release August 31, 2006.

PI announces the 2006 Stupid Security Competition

Privacy International is calling for nominations to name and shame the worst offenders. The competition closes on October 31st 2006. The award categories are:

  • Most Egregiously Stupid Award
  • Most Inexplicably Stupid Award
  • Most Annoyingly Stupid Award
  • Most Flagrantly Intrusive Award
  • Most Stupidly Counter Productive Award

The competition will be judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists.

The competition is open to anyone from any country. Nominations can be sent to stupidsecurity@privacy.org.

Details of previous award winners can be found below, or at http://www.privacyinternational.org/ssa2003winners.

WIFI Camera Prototype

Nice use for the cans from a favorite snack...

The WiFi Camera Obscura uses a directional WiFi antenna as an aperture for taking "pictures" the radio energy from WiFi use in a room, and paints those pictures as a movie on a nearby wall. The pictures are lovely oil-slicks of revealed radiation.

Wednesday, August 23, 2006

Blackjacking - 0wning the Enterprise via the Blackberry

Presented at Defcon 14 - Las Vegas, NV 2006 by Jesse D'Aguanno

Abstract:

Research in Motion's Blackberry technology has quickly become the defacto standard for executives and technical personnel alike to maintain unteathered remote access to critical data. Often regarded as inherently secure, most administrators deploy this solution without a full understanding of the technology or risks involved.

This presentation will demonstrate how an attacker could utilize many typical corporate blackberry deployments to directly attack machines on the internal network—behind your perimiter defenses! The tools and source code presented will be available for attendees. Techniques for reducing the risks associated with this technology will also be presented.

Materials:

Presentation Slides Blackberry Attack Toolkit (Including BBProxy)

Download

Download


Tuesday, August 22, 2006

Privacy Debacle Hall of Fame

Wired News lists what it considers to be the 10 greatest privacy disasters:

10. ChoicePoint data spill
9. VA laptop theft
8. CardSystems hacked
7. Discovery of data on used hard drives for sale
6. Philip Agee's revenge
5. Amy Boyer's murder
4. Testing CAPPS II
3. COINTELPRO
2. AT&T lets the NSA listen to all phone calls
1. The creation of the Social Security Number

Friday, August 18, 2006

Blackhat 06 Presentations

Didn't make it to BlackHat in Las Vegas this year? Well you can at least take a gander at the presentations online. They're available here as PDF's.

Cool speed test site

Speedtest.net is a general use broadband connection testing site with many geographically dispersed servers to test against. Plus it looks very cool...

Wireless networking source - .\\etrix Communication LLC

Interesting source for wireless networking software, parts, supplies and info.

Fridays are for fun! Secret Agent Earphones

Easy way to make FBI-escque earphones. This is very useful if you ever want to listen to music but also have one ear free (for instance while biking in the city)

Sunday, August 06, 2006

Mystery hole opens in Cisco firewall

Some vendors like CheckPoint do one thing and do it extremely well... Others like Cisco do lots of things with mediocrity...
A security researcher has demonstrated how an unpatched vulnerability in Cisco?s PIX firewall appliances could allow outside attackers to gain access to corporate networks. On the final slide of his presentation at the Black Hat show on VoIP security, Hendrik Scholz, a developer with Freenet Cityline disclosed a technique for bypassing the firewalls, according to an audio recording of the talk obtained by IDG News. "You can open up whatever port you want... and access internal servers from the outside," he said "It's really easy to do and we're talking to Cisco about how to get it fixed." By now Black Hat is old hat for Cisco. Last year conference organisers were sued by the networking giant and had to literally rip a presentation by researcher Michael Lynn out of last year's conference materials because it disclosed flaws in its IOS software.

Phone numbers stations mystery revealed at DEFCON

For three months, mysterious telephone numbers have been appearing on the Craigslist classified ad site which, when called, play recordings which sound much like shortwave numbers stations used by certain governments to communicate with intelligence agents in the field who are unreachable by other means. Now the secret behind these phone numbers stations has been revealed.

Read the whole story here.

Friday, July 28, 2006

Hak5




Hak.5 is a video podcast for the hacker, modder and do-it-yourselfer. Hosted by Darren Kitchen and Wess Tobler on the 5th of each month, the show is a hybrid of technology and geek humor.

TOOOL, The Open Organisation of Lockpickers

Weekend fun... Ck the blackbag blog for info from Hope # 6 and a look at the very nice Hope number six pickset...

Dilbert - funny in a scary way...

Tuesday's Dilbert (quoted below, copyright Scott Adams, Inc) funny in a scary way...

Dilbert: Is it more important to follow our documented process or to meet the deadline? I only ask because our deadline is arbitrary and our documented process was pulled out of someone's lower torso.

PHB: Where's your artificial sense of urgency?

Dilbert: Teamwork killed it.

Cool and Illegal Wireless Hotspot Hacks

Nice article / tutorial by wireless guru, Dan Hoffman of 'Live Hacking Video' fame. As he often does, here he takes you step-by-step through some sweet wireless hacks and then shows you how to protect yourself from them..

Wednesday, July 19, 2006

Shark Analyzer

At least now there shouldn't be an argument on how to pronounce the name...

The Ethereal network protocol analyzer has changed its name to Wireshark and ver. 0.99.2 has been released. Several security-related vulnerabilities have been fixed and several new features have been added.

For a complete list of changes, please refer to the 0.99.2 release notes. Official releases are available right now from the download page.

Tuesday, July 18, 2006

Phish Spoofs 2-Factor Authentication

The first ever case of using a man-in-the-middle attack against an online bank was reported by the Post's Brian Krebs on Tuesday.

The security industry has long predicted this type of man-in-the-middle attack; it was only a matter of time. The attack targeted Citibank's Citibusiness service and was designed to spoof the token key hardware device used by the bank's customers. The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. Enter an invalid password, and you got an invalid logon page. A man-in-the-middle attack checks everything done at the phishing site against the original, so everything should look and feel more genuine.

Exactly the same kind of attacks can be used to target other types of two-factor authentication, including one-time password sheets.

Saturday, July 15, 2006

Stevens' net neutrality expertise

Eighty-two year old Sen. Ted Stevens' complete inability to comprehend the internet would be kind of cute, were it not for the fact that the following soundbites were taken from his 11-minute speech regarding a bill that would have increased network neutrality mandates.

In that light, this quote is sort of terrifying: "The internet is not something that you just dump something on. It's not a big truck. It's, it's a series of tubes.

Friday, July 14, 2006

VulnerabilityAssessment.co.uk

An information portal for Vulnerability Analysts and Penetration Testers. The Penetration test Mindmap is a treat...

Friday Fun - Spy Gadgets

"This is a collection of "spy equipment" we have found for sale around the internet. Everything here is completely real, is sold at online stores, and almost any item listed here costs less than $500, and often times can be bought for less than $200."

Wednesday, July 12, 2006

Long Hacker Sentence Upheld

A federal appeals court upheld a nine-year prison term Monday for a hacker who tried and failed to steal customer credit-card numbers from the Lowe's chain of home improvement stores.
Is this right? My problem with this is the scale of the sentence for eavesdropping on an unsecured network. Certainly what they were doing was a crime but 9 years? How much time should the folks responsible for securing the Lowes network(s) get?

The Politics of Paranoia and Intimidation

Floyd Rudmin, a professor at a Norwegian university, uses the mathematics of conditional probability, known as Bayes' Theorem, to demonstrate that the NSA's surveillance cannot effectively detect terrorists unless both the percentage of terrorists in the population and the accuracy rate of their identification are far higher than they are.

Monday, July 10, 2006

Dictionary of Information Security (Paperback)

Book Description

IT professionals and IT students will find this a handy reference to help them identify terms used in practice, in journals and articles, and on websites. The dictionary has complete coverage of security terms and includes cutting-edge technologies and newer terminology only now becoming accepted use amongst security practitioners. Certification candidates for security specializations like CISSP and Security+ will also find this a valuable resource. The dictionary has the most up-to-date terms, including those related to computer viruses, malware, and more recent technologies such as wireless networking.

From the Author
Their our lots of wurds in this book. Sum of the werds are big. They're are no pitchers in this book. If ewe like big wirds and no pitchers you will like this book.

The courier driver showed up at noon, today, with the box of author copies. So I can, with assurance (p. 13) state that the volume now actually exists in hardcopy. After four years of maintaining it mostly as a resource for those studying for the CISSP exam, it's now going to be available in bookstores for everyone.

It's been interesting, working with Syngress. Having worked with more traditional publishers, I was rather expecting the usual 2-3 months of contract negotiations, 2-3 months to get out the final manuscript (the book had, after all, already been basically finished: I'd been using it on the Website for some time), and the usual 4-6 months in copy editing and galley proofing. The contract negotiations took about a month and a half. I got the final contract May 18th. They wanted the manuscript on the 26th. I got the galley proofs on June 1st, and had them back to Syngress on June 4th. (Then there seems to have been some kind of hiccup with the printer: it's been "due" every day now for about three weeks.)

So now, I suppose, I'd better get a move on. I've already replaced the glossary page (http://victoria.tc.ca/techrev/secgloss.htm) with an errata page, and I've got about 60 entries that need to be added or corrected. So I hope you'll all actually buy the book, and Syngress will be moved to putting out a new edition fairly soon. (And
regularly, after that.)

copyright Robert M. Slade, 2006 BKDCINSC.RVW 20060528

Sunday, July 09, 2006

Being a good brake - Security as a stress reducer

From the Security Catalyst

You’ve probably heard the analogy that security is like having brakes on an automobile. Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.
Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.

In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.

The security team should be a stress reducer, not an inducer. Stress (in the negative connotation) comes when we feel out of control. Shouldn’t it be security’s job to introduce control and offer solutions for reducing risks and thereby reducing stress?

In recent years, the security group has gotten the bad reputation for being (a) a barrier to business, (b) an overhead without a quantifiable ROI, and (c) the hammer when there’s a breach or policy is not followed. In other words, they increased the stress for our organization. They weren’t being “good brakes.” This caused the organization to try to bypass security to get things done. (Don’t you try to avoid those things that cause you negative stress?)
Instead, we, the people in security need to be stress reducers. We need to be the brakes for our organization. However, there’s one difference: brakes are not normally seen, only felt; the security team needs to be both seen and felt. You do that by implementing proper controls and risk management processes.

Security should collaborate with the business in identifying and assessing the risks and then implementing the proper controls to ensure the risk is appropriately mitigated for the business. (No more security for security sake.) This puts the business in control guided by security and reduces negative stress for everyone.

Security professionals: Next time you implementation a new technology, process or policy, ask yourself, “Am I being a ‘good brake’ or am I really adding negative stress?” You’d be surprised at how much better you will be received if you reduce your customer’s stress. Next week we’ll cover key steps you can take to become a security stress reducer.

By working together and helping each other, we all become stronger.

A Chronology of Data Breaches

Here's a chronology of data breaches since the ChoicePoint theft in February 2005.

Total identities stolen: 88,794,619.

Should sensitive data be allowed to leave the nest at all, even if it is encrypted?

Qestion to ask your mgmt on Monday...

Why is so much private data allowed to be on laptops to begin with?
"It's pure laziness. There's actually no excuse for it," said Avivah Litan, a security analyst for Gartner Inc. "There's no good business reason for it."

If they absolutely need to analyze data out of the office, the employees should run programs that replace live credit card or Social Security numbers with random "dummy" figures whenever possible, since the actual numbers aren't always relevant.

Saturday, July 08, 2006

Coke case could spur review of security policies

In the Coke case, Joya Williams, 41, an administrative assistant who worked for the director of global brand marketing at Coca-Cola was the source of the trade secrets that were to be sold, prosecutors charged on Wednesday.
Video surveillance showed Williams at her desk going through files in search of documents and stuffing them in her bags, prosecutors said.

While the episode highlights the importance of simple security measures such as locking up confidential documents, it also puts the spotlight on thorough background searches of employees of all levels, surveillance experts said.

"A lot of times companies say 'This person is just a secretary and I don't need to do everything on them as far as screening,"' said Jason Morris, president of employee screening firm Background Information Services. "Your secretary may not have the keys to the safe but he or she may have access to your CEO's e-mails, which could have the formula for a Coke product in them."
Not the safe, just the master key...

Friday, July 07, 2006

More Friday Fun! Pen with built-in shredder and FM radio

The Girl Tech Password Journal Jam 'n Shred Pen is a pen with a miniature shredder (just right for getting rid of evidence) and an FM radio (for jamming to tunes) built in.

Hackers on Planet Earth July 21-23 in NYC

The 6th HOPE (Hackers On Planet Earth) will be held in NYC from July 21-23. It's produced by the hacker quarterly, 2600 magazine.
Over 100 speakers will have presentations on a variety of topics including computer hacking, phone phreaking, legal issues, wiretapping, cryptography, urban exploring, lockpicking, and spying. In addition we will present the return of a favorite panel: social engineering -- or how to get sensitive information from people who really ought to know better. A live demonstration of how to do this is planned.

Additional talks include how to decode New York City's MetroCard, hacker filmmaking techniques, and even a discussion of hacker cooking. A panel of famous hackers who have gone to prison is also scheduled as is a study of the European hacker scene. And, in a first, there will be a "broadcast" of the WBAI hacker radio show "Off The Hook" in "indecent mode," designed to demonstrate the absurdity of current FCC policies.

Also, Phil Torrone of Make will be speaking there, too. Link

Friday Fun! How to Deal With Being in Prison

You were accused of a crime and either after a trial or a plea bargain, you were found guilty and sentenced to do time in prison. You will spend most of your time in a locked building with people that have done despicable things, some worse than you can imagine. If you behave, it might go easier on you. Nonetheless, you will have to make the best of it if you are going to survive.

Important Tips:

"Don't get caught up in a jailhouse romance. The last thing you need is to be getting involved in a relationship."

"Do not become a 'punk' (girlfriend). While becoming a punk might give you some fleeting, temporary protection from other inmates, you will be a virtual slave to one."

Air Force budgets $450K to data-mine blogs

Your taxes at work...

The Air Force Office of Scientific Research recently began funding a new research area that includes a study of blogs. Blog research may provide information analysts and warfighters with invaluable help in fighting the war on terrorism. Drs. Brian E. Ulicny and Mieczyslaw M. Kokar, Framingham, Mass., will receive approximately $450,000 in funding for the 3-year project entitled “Automated Ontologically-Based Link Analysis of International Web Logs for the Timely Discovery of Relevant and Credible Information.”

Wednesday, July 05, 2006

nUbuntu Security Distro

Anything based on ubuntu is a winner... So thanks GP for this great find! nubuntu is a security distribution which is derived from the Ubuntu distribution, with added packages related to security testing and with unneeded packages, such as Gnome, Openoffice.org, and Evolution removed.

Download nUbuntu 6.06 here.

Top 10 Information Security Skills

What do you think... Is this a good list? How about the CISSP related comments?
1. Communicate - I think that this is the most important information security skill, without being able to communicate it is hard to move ahead anywhere. Even if you have the best ideas in the world, if you cannot communicate them, no one will ever know.

2. Application Penetration Skills - being able to despin and understand how applications work, what protocols they use to communicate, what information is input and output from those applications, and best of all, how to make those applications do things that the programmer did not intend the application to do. This is the next major battle front in information security, and being able to move effectively in this space is important for future job success

3. Network Penetration Skills - being able to understand and use network properties like ARP, ICMP and TCP/IP to map, understand, and find vulnerable nodes on the network is a core skill.

4. Knowing what is a viable attack and what is not - tools that we use often spit out false positives, IDS systems, IPS systems, even our network and application penetration test tools all spit out false positives. Knowing which attacks against what target are viable and then being able to prove that viability to the developers and users of the system is a core skill.

5. Knowing how data migrates around the network - how is data used, where is it used, and who uses it in normal day to day patterns allows the Information security person to know when data is being misused, or someone who should not have access is trying to get access to it.

6. Network engineering skills - just enough to know how each component works on the network, what its function is, what its strengths and weaknesses are, and how it can be exploited.

7. IDS/IPS interpretation of results - being able to work with the IDS/IPS that is on the network and knowing how to find out more information about the data presented is a core skill. There is no sense in spinning up the whole department for a false positive, know how that IDS/IPS works, and what its limitations are.

8. System Administration - know enough about system administration that if presented with a series of computers, you can safely secure them allowing the applications to run that need to be on the box.

9. Risk Management skills - being able to understand the concepts of risk management, and how they are applied in regards to the companies culture. Not all companies are the same when it comes to risk management; each company has their own tolerance to risk. Be able to work within the confines of the companies tolerance for risk

10. Be creative - of all the top 10 skills that I am looking for, the ability to be creative when doing work makes the employee much more flexible, and easier to go forth and do good things.

Tuesday, July 04, 2006

Month of Browser Bugs

Metasploit's HD Moore published a blog entry on Sunday stating that he plans to issue a new browser bug each day through the month of July. Two are out so far and it one of them is a tad ugly.
Ove the last few months, I have taken an interest in web browser security flaws. This interest has resulted in my collaboration on a few fuzzing tools (Hamachi, CSS-Die, DOM-Hanoi), a blog post, and a SecurityFocus article. The vendors have been notified and the time has come to start publishing the results. I will publish one new vulnerability each day during the month of July as part of the Month of Browser Bugs project. This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them. Enjoy!

Saturday, July 01, 2006

You’re killing Palestinians, we’re killing servers

When these guys get done with Israel, is the US next?
Unprecedented number of Israeli websites hacked: Hundreds of websites were damaged by hackers in recent hours, following IDF activity in the Gaza Strip. The hackers are members of the Moroccan “Team Evil” group, responsible for most of the website damage in Israel in the past year. This is the largest, most concentrated attack on Israeli websites in recent years.

A Ynet investigation revealed that more than 750 Israeli websites, on a number of different domains, were hacked into and damaged in recent days. Prominent among them were the Soldier’s Treasury Bank, Bank Hapoalim (not the main page), Rambam Hospital, the Society for Culture and Housing, BMW Israel, Subaru Israel, Jump Fashion, non-profit organization “Yedid,” Kadima’s youth website, and the Globus Group ticket center. Many of these sites have not yet returned to normal.

Hackers left the message: You’re killing Palestinians, we’re killing servers.

Wednesday, June 28, 2006

F-Secure Data Security Summary - January to June 2006

It's midyear and time for their semiannual data security summary...

Saturday, June 24, 2006

Job Security - Never Leave Your Desk

Internet Urinal

Shopping, gaming, chat rooms, cyber-dating - the internet is such an addictive and time-consuming force, who's got time to go? With the Internet Urinal, you'll never have to leave your computer again. Imagine the freedom - destroy your opponents on network Quake without taking a break; drink as many cans of Jolt as you want and still be able to make that last important trade before the market closes. Each urinal is made with hard plastic and comes with a handy female adapter. Holds 32 oz. of liquid (same as a Big Gulp!).

Wednesday, June 21, 2006

Candy From Strangers

Why do people pick up a USB stick and then insert it into their computer during a security audit as was written about here? Are USB sticks that cool? What else would you just pick up and insert?

Saturday, June 17, 2006

Chinese Mobile Execution Bus

China Makes Ultimate Punishment Mobile

The country that executed more than four times as many convicts as the rest of the world combined last year is slowly phasing out public executions by firing squad in favor of lethal injections. Unlike the United States and Singapore, the only two other countries where death is administered by injection, China metes out capital punishment from specially equipped “death vans” that shuttle from town to town.

Makers of the death vans say the vehicles and injections are a civilized alternative to the firing squad, ending the life of the condemned more quickly, clinically and safely. The switch from gunshots to injections is a sign that China “promotes human rights now,” says Kang Zhongwen, who designed the Jinguan Automobile death van in which “Devil” Zhang took his final ride.

SQL SA Password Tips

The sa account is created during the installation process and the sa account has full rights in the SQL Server environment. By default, the sa password is blank (NULL), unless you change the password when you run the MSDE Setup program. To conform with the best security practices, you must change the sa password to a strong password at the first opportunity.

Verify if the SA password is blank

1. On the computer that is hosting the instance of MSDE to which you are connecting, open a command prompt window.

2. At the command prompt, type the following command, and then press ENTER:

  osql -U sa
 

This connects you to the local, default instance of MSDE by using the sa account. To connect to a named instance installed on your computer type:

  osql -U sa -S servername\instancename
 

You are now at the following prompt:

  Password: 

3. Press ENTER again. This will pass a NULL (blank) password for sa.

If you are now at the following prompt, after you press ENTER, then you do not have a password for the sa account:

  1>

We recommend that you create a non-NULL, strong password to conform with security practices.

However, if you receive the following error message, you have entered an incorrect password. This error message indicates that a password has been created for the sa account:


"Login Failed for user 'sa'."

The following error message indicates that the computer that is running SQL Server is set to Windows Authentication only:

Login failed for user 'sa'. Reason: Not associated with a trusted SQL Server connection.

You cannot verify your sa password while in Windows Authentication mode. However, you can create a sa password so that your sa account is secure in case your authentication mode is changed to Mixed Mode in the future.

If you receive the following error message, SQL Server may not be running or you may have provided an incorrect name for the named instance of SQL Server that is installed:

  [Shared Memory]SQL Server does not exist or access denied.
[Shared Memory]ConnectionOpen (Connect()).

Change your SA password

1. On the computer that is hosting the instance of MSDE to which you are connecting, open the command prompt window.

2. Type the following command, and then press ENTER:

  osql -U sa

At the Password: prompt, press ENTER if your password is blank or type the current password. This connects you to the local, default instance of MSDE by using the sa account. To connect by using Windows authentication, type this command:

  use osql -E

Note If you are using SQL Server 2005 Express, avoid using the Osql utility, and plan to modify applications that currently use the Osql feature. Use the Sqlcmd utility instead.

3. Type the following commands, on separate lines, and then press ENTER:


sp_password @old = null, @new = 'complexpwd', @loginame ='sa'
  go

Note Make sure that you replace "complexpwd" with the new strong password. A strong password includes alpha-numeric and special characters, and a combination of upper and lower case characters.

You will receive the following informational message, which indicates that your password was changed successfully:

  Password changed.


 
Copyright 2017 e2e Security. Powered by Blogger Blogger Templates create by Deluxe Templates. WP by Masterplan