Monday, February 27, 2006

Cell Gunphone

Here a one for the "What were they thinking file"...
At first sight it looks like a regular cell phone — same size, same shape, same overall appearance.

But beneath the digital face lies a .22-caliber pistol, a phone gun capable of firing four rounds in quick succession with a touch of the otherwise standard keypad.

The US Department of Homeland Security and the FBI are aware of the device and have instructed baggage screeners to be on the lookout for suspicious mobile phones. This is especially after 9/11.

European law enforcement officials — stunned by the discovery of these deadly decoys — say phone guns are changing the rules of engagement in Europe.

Airport authorities across Europe are implementing systems to X-ray all cell phones

“We find it very, very alarming,” says Wolfgang Dicke of the German Police union. “It means police will have to draw their weapons whenever a person being checked reaches for their mobile phone.”

The FBI, the Bureau of Alcohol, Tobacco and Firearms, and the U.S. Customs Service say they’ve been briefed on the new weapons.

“This criminal invention represents a potentially serious threat to law enforcement and the public,” said U.S. Customs Service Commissioner Raymond W. Kelly.
“We received word about these guns last month. We have since alerted our field personnel to be on the lookout for ‘cell phone guns’ at U.S. ports of entry.”

Full story and video here.

Rootkit Pharming

Haxdoor is one of the most advanced rootkit malware out there. A recent Secure Science paper has a good explanation for how and why Hoxdoor works.

Sunday, February 26, 2006

E&Y Loses Four more Laptops

A group of Ernst and Young auditors took off for lunch on Feb. 9, leaving their laptops in an office building conference room. According to security footage, two men entered the conference room a couple of minutes after the Ernst and Young folks left and walked off with four Dell laptops valued at close to $8k the Miami Herald reported.

This theft follows a higher-profile incident earlier this month in which an Ernst and Young employee lost his laptop containing the social security numbers and other personal information of customers.

Ernst and Young appears set on establishing a laptop loss record in February...

Episode Six of the Sysadmin Sitcom The IT Crowd is now Downloadable

Episode six of Graham Linehan's wonderful, screamingly funny sysadmin sitcom, The IT Crowd, is online here.

Saturday, February 25, 2006

DIY Hardware keylogger

Looking for that extra special DIY project this weekend? Here's how to make a PS/2 keyboard line keylogger, also provided - the software application with full source code to download the recorded data.

DoD Staffer's Notes from 9/11 Obtained Under FOIA

Hours after a commercial plane struck the Pentagon on September 11 2001 the US defence secretary, Donald Rumsfeld, was issuing rapid orders to his aides to look for evidence of Iraqi involvement, according to notes taken by one of them.

"Hard to get good case. Need to move swiftly," the notes say. "Near term target needs - go massive - sweep it all up, things related and not."

The handwritten notes, with some parts blanked out, were declassified this month in response to a request by a law student and blogger, Thad Anderson, under the US Freedom of Information Act. Anderson has posted them on his blog at outragedmoderates.org.

Friday, February 24, 2006

New technique uses Photons, Physics to Foil Codebreakers

For governments and corporations in the business of transmitting sensitive data such as banking records or personal information over fibre optic cables, a new system demonstrated by University of Toronto researchers offers the protective equivalent of a fire-breathing dragon.

“Quantum cryptography is trying to make all transmissions secure, so this could be very useful for online banking, for example,” says Professor Hoi-Kwong Lo, an expert in physics and electrical and computer engineering at U of T’s Centre for Quantum Information and Quantum Control and the senior author of a new study about the technique. “The idea can be implemented now, because we actually did the experiment with a commercial device.”

The study describes the first experimental proof of a quantum decoy technique to encrypt data over fibre optic cable. In quantum cryptography, laser light particles (photons) carry complex encryption keys through fibre optic cables, dramatically increasing the security of transmitted data. Conventional encryption is based on the assumed complexity of mathematical problems that traditional computers can solve. But quantum cryptography is based on fundamental laws of physics — specifically, Heisenberg’s Uncertainty Principle, which tells us that merely observing a quantum object alters it.

Thursday, February 23, 2006

Taser Sets Florida Man On Fire

Sometimes you just can't wait for Fridays to have fun...
A man in Daytona Beach, Fla., was injured when a probe from a police Taser gun hit a butane lighter in his pocket and set him on fire, according to a Local 6 News report.

Police said Dennis Crouch, 54, apparently stabbed himself inside his home located in the 400 block of Grandview Avenue.

When officers arrived at the house, they found Crouch with a butcher knife threatening to kill himself.

Crouch apparently refused to comply with officers demands and was shot with a Taser gun.

A Taser probe hit a disposable butane lighter in his shirt pocket and ignited. Officers then rolled him to the ground to put out the flames.

Crouch was treated at Halifax Medical Center for burns and the stab wound.

The incident is under investigation to determine if additional safety requirements, Local 6 News reported.

[Full-disclosure] Gay Security Industry Experts Exposed!

I always thought JP was a bit of twit, but this? A rather bizarre, but kind of interesting read about antionline.com founder and former owner JP (john vranesevich).

Wednesday, February 22, 2006

Mini-Pentoo 2006.0 - Pentoo LiveCD Security Disk

This version is only 186 Mb fat and fits on mini-cd and 256 MB usb pen-drive.

It features the bare minimum tools for pentesting and support modules addition ala slax, allowing you to add some more stuff as you see fit.

You can also save your /etc, /root, ExploitTree and Nessus on a usb pen-drive, or anywhere else you want.

And last but not least, the Window Manager is the most sexiest available in the universe, providing you with genuine pen-testing pleasure.

DOWNLOAD

Download MPentoo LiveCD (HTTP).

Download MPentoo LiveCD (FTP).

Court Ruling Regarding Gramm-Leach-Bliley

This is somthing to think about...
In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands. Intrigued? Read on.
In a nut shell, an employee of Brazos Higher Education Service Corporation, Inc., had customer information on a laptop computer he was using at home. The computer was stolen, and a customer sued Brazos.

The judge dismissed the lawsuit. And then he noted...
Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute "does not prohibit someone from working with sensitive data on a laptop computer in a home office," and does not require that "any nonpublic personal information stored on a laptop computer should be encrypted."

Tuesday, February 21, 2006

Secure Flying - Tuesdays Can Be For Fun Sometimes!

Simple but a tad addictive. You must carefully pilot the helicopter,
avoiding the obstacles...

Click on the pic to begin!

Monday, February 20, 2006

A True Story: "How we caught an Identity Thief"

A interesting story about how an Identity thief was trapped and captured.
It all started with a phone call. "Someone has the likeness of our site, on a very similar sounding domain!" This is the story of how igxglobal worked in conjunction with the client and the FBI to identify and stop a would be Identity thief.

Sunday, February 19, 2006

Personal Security - Severed Arm Still Clutching Mobile Phone

A Letcher County woman suffered a horrible injury early Thursday when her arm was severed in a car crash on the Mountain Parkway in Clark County.

Jacqueline Dotson and her six-year-old daughter had to be cut out of their vehicle after the accident in which Dotson veered into the median and over-corrected, rolling her truck over the guardrail and landing upside down after flipping several times.

Several people stopped to help, and it turns out, the good samaritans may very well have saved Dotson's life. Sheila Vice, a nurse's aide, and an off-duty EMT from another county stopped to help, and put a tourniquet on Dotson's arm to stop the bleeding. Her arm was found near the accident still clutching a cell phone.

"Basically we stayed there and talked to them until the EMT drivers got there," said Vice.

Rescuers used the jaws of life to get the Dotson and her daughter out of the truck. Both were flown to hospitals, and Dotson is listed in serious condition at UK Hospital. Her daughter is not in the hospital, and sheriff's officials say they believe she's going to be fine.

Both were wearing seat belts.

Saturday, February 18, 2006

New episode of The IT Crowd, Very Cool SysAdmin Sitcom

Episode 5 of Graham "Father Ted" Linehan's funny British nerd comedy series "The IT Crowd" is available here.

Building a Forensics Computer

Not a ton of info, but here is a link to an interesting article on building a 'forensics computer' used for analyzing compromised machines and security research. Fun Stuff...

Friday, February 17, 2006

Friday Fun - Video Game Nostalgia

If you're a 1980s game geek, you could easily spend an entire day at this website, which has a comprehensive history of video games, beginning in the years that preceded Pong, and heading all the way up to the Vectrex/Atari 7800 years. The whole site is wonderfully put together, with old adverts, screen shots, and pictures of consoles, machines and designers.

I have a Pong game like this. Ah the memories...

Thursday, February 16, 2006

Personal Security - US and Canadian Skiers get Smart Armour

A futuristic flexible material that instantly hardens into armour upon impact will protect US and Canadian skiers from injury on the slalom runs at this year's Winter Olympics.

The lightweight bendable material, known as d3o, can be worn under normal ski clothing. It will provide protection for US and Canadian skiers taking part in slalom and giant slalom races in Turin, Italy. Skiers normally have to wear bulky arm and leg guards to protect themselves from poles placed along the slalom run.

Tuesday, February 14, 2006

Baby Hack

Todd Vanderlin documents an experiment: "I bought a $10 electronic baby in china town. I cracked it open and soldered a couple of switches to the the speaker. Now the baby is possessed and I have hacked a baby." Don't miss the video here.

Monday, February 13, 2006

Nmap 4.01 Released!

10 Days after the release of Nmap 4.0 and with over 100K downloads, 4.1 is released with even more improvements and some minor bug fixes.

You can find 4.01 at the normal location:
http://www.insecure.org/nmap/download.html

Sunday, February 12, 2006

Secure at Home...

Saturday, February 11, 2006

Secure Travel - Head Found in Luggage

If you are going to carry a spare head, make sure you declare it at customs!

US immigration officials have arrested a Haitian woman after baggage screeners found a human head in her luggage at a Florida airport.

Myrlene Severe, 30, has been charged with failing to declare the head on a customs form and transporting "hazardous material".

A spokesman for Miami's immigration and customs agency told the AFP news agency that the head was not simply a skull.

"It had teeth, hair and skin, and quite a lot of dirt," she said.

Privacy Watchdog: Beware Google Desktop

Time to block Google at the firewall?

The Electronic Frontier Foundation Thursday blasted a new feature on Google's Desktop Search product, which allows users to search their home computers from any computer. The group said that Google's caching of users' hard drives renders them vulnerable to subpoenas.

The new feature, dubbed "Search Across Computers," caches users' text contents--including PDFs, spreadsheets, Word documents, e-mails, and other documents--on Google's servers, so that users can search them from any computer with an Internet connection. The EFF, however, claims that the feature puts users' data at risk. "EFF urges consumers not to use this feature, because it will make their personal data more vulnerable to subpoenas from the government and possibly private litigants, while providing a convenient one-stop-shop for hackers who've obtained a user's Google password," the foundation said in a statement.

Friday, February 10, 2006

Friday Fun - Burglar Checks email

A burglar in West Bend, Wisconsin hung out for quite some time in the house he was robbing, apparently eating a meal, showering, watching TV, and checking his email. Police think they have identified the man but have yet to catch him. From the La Cross Tribune:
Lori Menzel of the town of Kewaskum said the burglar left his Yahoo account open after checking his personal e-mail on the computer at her home.

``He never logged out,'' she said, adding: ``He made himself at home here. He spent some time in our bedroom trying on my husband's clothes. I could tell he went through some of my clothes.''

John the Ripper 1.7 Release is out

The following major changes have been made since John 1.6:

* Bitslice DES code for x86 with MMX: more than twice faster than older non-bitslice MMX code.
* Bitsliced the LM hash code as well: now several times faster.
* Significant improvements to the generic bitslice DES code: +20% on RISC.
* PowerPC G4+ AltiVec support (Mac OS X and Linux): effective 128-bitness for bitslice DES, resulting in huge speedups.
* First attempt at generic vectorization support for bitslice DES.
* Two MD5 hashes at a time for extra ILP on RISC: up to +80% on Alpha EV5+.
* Generic Blowfish x86 assembly code in addition to the original Pentium version: +15% on the Pentium Pro family (up to and including Pentium III), +20% on AMD K6 (Pentium 4 and newer AMD CPUs are more happy running the original Pentium code for Blowfish).
* Verbose logging of events to the global or a session-specific log file.
* Better idle priority emulation with POSIX.1b (POSIX.4) scheduling calls.
* System-wide installation support for *BSD ports and Linux distributions.
* AIX, DU/Tru64 C2, HP-UX tcb files support in unshadow.
* New make targets for Linux/x86-64, Linux/PowerPC, FreeBSD/Alpha, OpenBSD/x86-64, OpenBSD/Alpha, OpenBSD/SPARC, OpenBSD/SPARC64, OpenBSD/PowerPC, OpenBSD/PA-RISC, OpenBSD/VAX, NetBSD/VAX, Solaris/SPARC64, Mac OS X (PowerPC and x86), SCO, BeOS.
* Bug and portability fixes, and new bugs.
* Bonus: "Strip" cracker included in the default john.conf (john.ini).

Thursday, February 09, 2006

Police Beat

Gee, seems like the Chief's wife should be rewarded for providing a public service, not arrested...

Ark. Police Chief, His Wife, Mayor Arrested

The town's mayor was arrested in a corruption probe, its police chief is accused in a drug-making scheme, and the prosecutor says the chief's wife took prisoners from jail to have sex with them - and more arrests could be coming...

It's a lot for an Arkansas town of fewer than 4,300 residents to stomach in one day.

Florida Deputy Uses Car-cam to Tape Women

A sheriff's deputy in Martin County is accused of dishonoring his badge after he was caught videotaping scantily clad women while he was on patrol.

Wednesday, February 08, 2006

A Day in The Life of Chinese Internet Police

Major daily duties include: searching for harmful information on the Internet, reviewing and supervising Internet units, supervising all the Internet bars in the district, monitoring the Internet bars through closed-circuit television, training Internet unit administrators.

Pen Test Live CD 'Arudius' Reaches v0.5

One more tool to play with...

Arudius is a Linux live CD with tools that try to address the network security aspect (penetration testing and vulnerability analysis) of information assurance. It is based on Slackware (Zenwalk) for i386 systems and targets the information security audience. It is released under the GNU GPL and contains only open-source software.

This release features the addition of some novel security tools - tools for passive network discovery by analyzing broadcast traffic, very fast SMB password cracking tool and a UPnP device discovery tool analyzing M-SEARCH packets, to mention a few among others.

You can find it here.

Black Hat Fingers Email As Easy Target

Users offer a sloppy, target-rich environment with nearly unlimited access to trouble. They form a poorly guarded bridge between the internal network and the Internet.

Admins who allow email clients to receive unadulterated HTML documents are opening a hole in network security that can be very difficult to defend... especially once an attacker is inside the network perimeter.

HTML makes it easy to duplicate the appearance of groups from whom the end user regularly receives HTML messages, like banks, credit card companies and online auction houses. And hiding links to phishing or malware sites beneath apparently legitimate URLs is elementary.

When you add the potential havoc caused by attachments, ActiveX, Java, VBscript, and javascript... well, you get the picture. You open the door to all manner of rootkit, backdoor, keylogger, etc.

Sleeper Bugs used to Steal 1million in France

Russian thieves have stolen more than €1m (£680,000) from personal bank accounts in France using "sleeper bugs" to infect computers. French authorities claim the thieves can take control of and empty a bank account in seconds. In one hit, a bank customer lost €40,000.

Police say the virus is embedded in emails or websites and remains dormant until the user contacts their bank online. When that happens, the bug becomes active and records passwords and bank codes which are then forwarded to the thieves. They then use the information to check the victim has money in the bank before transferring funds to the accounts of third parties, known as mules, who may have agreed to allow money to pass through their accounts in return for a commission of between 5% and 10%.

Police claim this is set up through fictitious companies, including one American firm named World Transfer, although the mules could be unaware that their computers are being used for theft.

Tuesday, February 07, 2006

BOA Allows ID Theft to Continue

Margaret Harrison, a young wife and mother living in San Diego, first noticed the problem four years ago when she applied for unemployment.

“They asked if I worked on a horse ranch in eastern Washington, and I said no,” laughs Harrison. “[I’m] not quite the rancher type.”

She investigated and found out a laborer named Pablo has been using her Social Security number. And while Margaret pays for credit monitoring, she says the Equifax credit reporting bureau never noticed the problem until she told the agency. Now Equifax has put a fraud alert on her account. And then there’s this: Last month, the Bank of America sent her a new debit card bearing her name and Pablo’s picture!

Margaret says the Bank of America claims it can’t take any action against Pablo because he pays his bills on time — that her case is in what they call “a reactive state.”

“Because currently it’s not negatively impacting my credit, so I have no legal recourse for any action,” says Harrison.

Customer Service?

The Topology of Covert Conflict

Interesting research paper by Shishir Nagaraja and Ross Anderson. Implications for warfare, terrorism, and peer-to-peer file sharing:

Abstract:

Often an attacker tries to disconnect a network by destroying nodes or edges, while the defender counters using various resilience mechanisms. Examples include a music industry body attempting to close down a peer-to-peer file-sharing network; medics attempting to halt the spread of an infectious disease by selective vaccination; and a police agency trying to decapitate a terrorist organisation. Albert, Jeong and Barabási famously analysed the static case, and showed that vertex-order attacks are effective against scale-free networks. We extend this work to the dynamic case by developing a framework based on evolutionary game theory to explore the interaction of attack and defence strategies. We show, first, that naive defences don’t work against vertex-order attack; second, that defences based on simple redundancy don’t work much better, but that defences based on cliques work well; third, that attacks based on centrality work better against clique defences than vertex-order attacks do; and fourth, that defences based on complex strategies such as delegation plus clique resist centrality attacks better than simple clique defences. Our models thus build a bridge between network analysis and evolutionary game theory, and provide a framework for analysing defence and attack in networks where topology matters. They suggest definitions of efficiency of attack and defence, and may even explain the evolution of insurgent organisations from networks of cells to a more virtual leadership that facilitates operations rather than directing them. Finally, we draw some conclusions and present possible directions for future research.

Sunday, February 05, 2006

BackTrack beta Released Today!

Distribution Info:
BackTrack is released in two flavours - Developer Edition and User Edition. These two CD's contain the same data, however have the following differences:
Developer Edition

* Built from the individual modules which create BackTrack.
* Boot time is slow, due to large number of modules.
* Modulatiry is high, so user customisation is easier.

User Edition

* Individual modules consolidated.
* Boot time is faster, due to few modules.
* Modulatiry is low, so user customisation is harder.

You can download it here.

UK ID Fraud Figures 'inflated to play on public fears'

The [British] Government was accused yesterday of playing on people’s fears by producing hugely inflated figures on the cost of identity fraud.

In a report published yesterday, the Home Office said that the annual cost of ID fraud had reached £1.7 billion. However, this figure was undermined by Apacs, the group that represents payment organisations such as banks and credit firms, which said that the cost had been grossly overestimated and that its own figures had been misrepresented.

Asked why the Home Office used the larger sum, she said: “I just think they think it is a good story to scare people with.”

Superbowl Sunday

To secure the real inside info on the teams in the Superbowl and other NFL activity read the Professional Cheerleaders blog!.

Friday, February 03, 2006

GPS-Enabled Dart

A little more Firiday fun...
With that street-cop psychology, Chief William J. Bratton unveiled Thursday a new and decidedly strange weapon in the LAPD's effort to halt high-speed pursuits.

It is an air-propelled miniature dart equipped with a global positioning device. Once fired from a patrol car, it sticks to a fleeing motorist's vehicle and emits a radio signal to police.

Bratton hailed the dart as "the big new idea" and said that if the pilot program was successful, Los Angeles' seemingly daily TV fix of police chases could be a thing of the past.

"Instead of us pushing them doing 70 or 80 miles an hour … this device allows us not to have to pursue after the car," Bratton said. "It allows us to start vectoring where the car is. Even if they bail out of the car, we'll have pretty much instantaneously information where they are."

Fridays are for Fun - Karate Experts Hired to Control Parrots

Organizers of a vintage car rally have hired karate experts to protect vehicles from marauding native parrots, a media report said Friday.

Around 40 members of a local karate club have been enlisted to protect around 140 classic cars due to visit an alpine village near Mt. Cook on New Zealand's South Island on Sunday, the New Zealand Press Association reported.

The karate experts will protect the cars from Keas, sharp-beaked native parrots which have been known to damage vehicles in their search for shiny items, NZPA said.

Thursday, February 02, 2006

Embarrassing Messages From Enron's Email

At the end of its investigation of the 2000-2001 Western Energy Crisis, the Federal Energy Regulatory Commission released its database consisting of 92% of Enron's staff emails. Why? Who knows? The point is, this might make you think twice before sending that silly corp. email.

A couple of swaths thru Andrew Fiore's searchable archive of Enron's email database is enough to remind us all that, no matter where you go or what you do, your email is forever...

Wednesday, February 01, 2006

Microsoft Officially Releases Internet Explorer 7 Beta 2 and Out Pops the first Advisory

Despite the leak that occurred two weeks ago, during which the whole world saw Microsoft’s brand new IE7 (or at least its beta), now, the company from Redmond has decided to officially release the first generally available beta for Internet Explorer 7, as well as Windows RSS Platform, a for-developers set of APIs for creating RSS-enabled applications.

Internet Explorer 7 Beta 2 Preview will only run on Windows® XP Service Pack 2 (SP2) systems, but will ultimately be available for Windows Vista, Windows XP Professional x64 Edition, and Windows Server 2003.

The Windows XP edition of IE 7 Beta 2 Preview can be downloaded from here.

And so it begins...
Advisory: sp-x23-advisory

So I saw that Microsoft released IE 7.0 Beta 2 to the public today. So, I figured I would give it a quick look at and I just happened to find something within the first 15 minutes into testing. Weird huh? So your probally thinking, why release an advisory on a beta product? Well, why not? Its Microsoft right? You can check out the advisory here, and the PoC here.. And for the ones not running windows, here is a screenshot if your interested...
 
Copyright 2018 e2e Security. Powered by Blogger Blogger Templates create by Deluxe Templates. WP by Masterplan