Hak5

Hak.5 is a video podcast for the hacker, modder and do-it-yourselfer. Hosted by Darren Kitchen and Wess Tobler on the 5th of each month, the show is a hybrid of technology and geek humor.

TOOOL, The Open Organisation of Lockpickers

Weekend fun... Ck the blackbag blog for info from Hope # 6 and a look at the very nice Hope number six pickset...

Dilbert - funny in a scary way...

Tuesday's Dilbert (quoted below, copyright Scott Adams, Inc) funny in a scary way...

Dilbert: Is it more important to follow our documented process or to meet the deadline? I only ask because our deadline is arbitrary and our documented process was pulled out of someone's lower torso.

PHB: Where's your artificial sense of urgency?

Dilbert: Teamwork killed it.

Cool and Illegal Wireless Hotspot Hacks

Nice article / tutorial by wireless guru, Dan Hoffman of 'Live Hacking Video' fame. As he often does, here he takes you step-by-step through some sweet wireless hacks and then shows you how to protect yourself from them..

Shark Analyzer

At least now there shouldn't be an argument on how to pronounce the name...

The Ethereal network protocol analyzer has changed its name to Wireshark and ver. 0.99.2 has been released. Several security-related vulnerabilities have been fixed and several new features have been added.

For a complete list of changes, please refer to the 0.99.2 release notes. Official releases are available right now from the download page.

Phish Spoofs 2-Factor Authentication

The first ever case of using a man-in-the-middle attack against an online bank was reported by the Post's Brian Krebs on Tuesday.

The security industry has long predicted this type of man-in-the-middle attack; it was only a matter of time. The attack targeted Citibank's Citibusiness service and was designed to spoof the token key hardware device used by the bank's customers. The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. Enter an invalid password, and you got an invalid logon page. A man-in-the-middle attack checks everything done at the phishing site against the original, so everything should look and feel more genuine.

Exactly the same kind of attacks can be used to target other types of two-factor authentication, including one-time password sheets.

Stevens' net neutrality expertise

Eighty-two year old Sen. Ted Stevens' complete inability to comprehend the internet would be kind of cute, were it not for the fact that the following soundbites were taken from his 11-minute speech regarding a bill that would have increased network neutrality mandates.

In that light, this quote is sort of terrifying: "The internet is not something that you just dump something on. It's not a big truck. It's, it's a series of tubes.

VulnerabilityAssessment.co.uk

An information portal for Vulnerability Analysts and Penetration Testers. The Penetration test Mindmap is a treat...

Friday Fun - Spy Gadgets

"This is a collection of "spy equipment" we have found for sale around the internet. Everything here is completely real, is sold at online stores, and almost any item listed here costs less than $500, and often times can be bought for less than $200."

Long Hacker Sentence Upheld

A federal appeals court upheld a nine-year prison term Monday for a hacker who tried and failed to steal customer credit-card numbers from the Lowe's chain of home improvement stores.

Is this right? My problem with this is the scale of the sentence for eavesdropping on an unsecured network. Certainly what they were doing was a crime but 9 years? How much time should the folks responsible for securing the Lowes network(s) get?

The Politics of Paranoia and Intimidation

Floyd Rudmin, a professor at a Norwegian university, uses the mathematics of conditional probability, known as Bayes' Theorem, to demonstrate that the NSA's surveillance cannot effectively detect terrorists unless both the percentage of terrorists in the population and the accuracy rate of their identification are far higher than they are.

Dictionary of Information Security (Paperback)

Book Description

IT professionals and IT students will find this a handy reference to help them identify terms used in practice, in journals and articles, and on websites. The dictionary has complete coverage of security terms and includes cutting-edge technologies and newer terminology only now becoming accepted use amongst security practitioners. Certification candidates for security specializations like CISSP and Security+ will also find this a valuable resource. The dictionary has the most up-to-date terms, including those related to computer viruses, malware, and more recent technologies such as wireless networking.

From the Author

Their our lots of wurds in this book. Sum of the werds are big. They're are no pitchers in this book. If ewe like big wirds and no pitchers you will like this book.

The courier driver showed up at noon, today, with the box of author copies. So I can, with assurance (p. 13) state that the volume now actually exists in hardcopy. After four years of maintaining it mostly as a resource for those studying for the CISSP exam, it's now going to be available in bookstores for everyone.

It's been interesting, working with Syngress. Having worked with more traditional publishers, I was rather expecting the usual 2-3 months of contract negotiations, 2-3 months to get out the final manuscript (the book had, after all, already been basically finished: I'd been using it on the Website for some time), and the usual 4-6 months in copy editing and galley proofing. The contract negotiations took about a month and a half. I got the final contract May 18th. They wanted the manuscript on the 26th. I got the galley proofs on June 1st, and had them back to Syngress on June 4th. (Then there seems to have been some kind of hiccup with the printer: it's been "due" every day now for about three weeks.)

So now, I suppose, I'd better get a move on. I've already replaced the glossary page (http://victoria.tc.ca/techrev/secgloss.htm) with an errata page, and I've got about 60 entries that need to be added or corrected. So I hope you'll all actually buy the book, and Syngress will be moved to putting out a new edition fairly soon. (And
regularly, after that.)

copyright Robert M. Slade, 2006 BKDCINSC.RVW 20060528

Being a good brake - Security as a stress reducer

From the Security Catalyst

You’ve probably heard the analogy that security is like having brakes on an automobile. Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.
Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.

In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.

The security team should be a stress reducer, not an inducer. Stress (in the negative connotation) comes when we feel out of control. Shouldn’t it be security’s job to introduce control and offer solutions for reducing risks and thereby reducing stress?

In recent years, the security group has gotten the bad reputation for being (a) a barrier to business, (b) an overhead without a quantifiable ROI, and (c) the hammer when there’s a breach or policy is not followed. In other words, they increased the stress for our organization. They weren’t being “good brakes.” This caused the organization to try to bypass security to get things done. (Don’t you try to avoid those things that cause you negative stress?)
Instead, we, the people in security need to be stress reducers. We need to be the brakes for our organization. However, there’s one difference: brakes are not normally seen, only felt; the security team needs to be both seen and felt. You do that by implementing proper controls and risk management processes.

Security should collaborate with the business in identifying and assessing the risks and then implementing the proper controls to ensure the risk is appropriately mitigated for the business. (No more security for security sake.) This puts the business in control guided by security and reduces negative stress for everyone.

Security professionals: Next time you implementation a new technology, process or policy, ask yourself, “Am I being a ‘good brake’ or am I really adding negative stress?” You’d be surprised at how much better you will be received if you reduce your customer’s stress. Next week we’ll cover key steps you can take to become a security stress reducer.

By working together and helping each other, we all become stronger.

A Chronology of Data Breaches

Here's a chronology of data breaches since the ChoicePoint theft in February 2005.

Total identities stolen: 88,794,619.

Should sensitive data be allowed to leave the nest at all, even if it is encrypted?

Qestion to ask your mgmt on Monday...

Why is so much private data allowed to be on laptops to begin with?

"It's pure laziness. There's actually no excuse for it," said Avivah Litan, a security analyst for Gartner Inc. "There's no good business reason for it."

If they absolutely need to analyze data out of the office, the employees should run programs that replace live credit card or Social Security numbers with random "dummy" figures whenever possible, since the actual numbers aren't always relevant.

Coke case could spur review of security policies

In the Coke case, Joya Williams, 41, an administrative assistant who worked for the director of global brand marketing at Coca-Cola was the source of the trade secrets that were to be sold, prosecutors charged on Wednesday.

Video surveillance showed Williams at her desk going through files in search of documents and stuffing them in her bags, prosecutors said.

While the episode highlights the importance of simple security measures such as locking up confidential documents, it also puts the spotlight on thorough background searches of employees of all levels, surveillance experts said.

"A lot of times companies say 'This person is just a secretary and I don't need to do everything on them as far as screening,"' said Jason Morris, president of employee screening firm Background Information Services. "Your secretary may not have the keys to the safe but he or she may have access to your CEO's e-mails, which could have the formula for a Coke product in them."

Not the safe, just the master key...

More Friday Fun! Pen with built-in shredder and FM radio

The Girl Tech Password Journal Jam 'n Shred Pen is a pen with a miniature shredder (just right for getting rid of evidence) and an FM radio (for jamming to tunes) built in.

Hackers on Planet Earth July 21-23 in NYC

The 6th HOPE (Hackers On Planet Earth) will be held in NYC from July 21-23. It's produced by the hacker quarterly, 2600 magazine.

Over 100 speakers will have presentations on a variety of topics including computer hacking, phone phreaking, legal issues, wiretapping, cryptography, urban exploring, lockpicking, and spying. In addition we will present the return of a favorite panel: social engineering -- or how to get sensitive information from people who really ought to know better. A live demonstration of how to do this is planned.

Additional talks include how to decode New York City's MetroCard, hacker filmmaking techniques, and even a discussion of hacker cooking. A panel of famous hackers who have gone to prison is also scheduled as is a study of the European hacker scene. And, in a first, there will be a "broadcast" of the WBAI hacker radio show "Off The Hook" in "indecent mode," designed to demonstrate the absurdity of current FCC policies.

Also, Phil Torrone of Make will be speaking there, too. Link

Friday Fun! How to Deal With Being in Prison

You were accused of a crime and either after a trial or a plea bargain, you were found guilty and sentenced to do time in prison. You will spend most of your time in a locked building with people that have done despicable things, some worse than you can imagine. If you behave, it might go easier on you. Nonetheless, you will have to make the best of it if you are going to survive.

Important Tips:

"Don't get caught up in a jailhouse romance. The last thing you need is to be getting involved in a relationship."

"Do not become a 'punk' (girlfriend). While becoming a punk might give you some fleeting, temporary protection from other inmates, you will be a virtual slave to one."

Air Force budgets $450K to data-mine blogs

Your taxes at work...

The Air Force Office of Scientific Research recently began funding a new research area that includes a study of blogs. Blog research may provide information analysts and warfighters with invaluable help in fighting the war on terrorism. Drs. Brian E. Ulicny and Mieczyslaw M. Kokar, Framingham, Mass., will receive approximately $450,000 in funding for the 3-year project entitled “Automated Ontologically-Based Link Analysis of International Web Logs for the Timely Discovery of Relevant and Credible Information.”

nUbuntu Security Distro

Anything based on ubuntu is a winner... So thanks GP for this great find! nubuntu is a security distribution which is derived from the Ubuntu distribution, with added packages related to security testing and with unneeded packages, such as Gnome, Openoffice.org, and Evolution removed.

Download nUbuntu 6.06 here.

Top 10 Information Security Skills

What do you think... Is this a good list? How about the CISSP related comments?

1. Communicate - I think that this is the most important information security skill, without being able to communicate it is hard to move ahead anywhere. Even if you have the best ideas in the world, if you cannot communicate them, no one will ever know.

2. Application Penetration Skills - being able to despin and understand how applications work, what protocols they use to communicate, what information is input and output from those applications, and best of all, how to make those applications do things that the programmer did not intend the application to do. This is the next major battle front in information security, and being able to move effectively in this space is important for future job success

3. Network Penetration Skills - being able to understand and use network properties like ARP, ICMP and TCP/IP to map, understand, and find vulnerable nodes on the network is a core skill.

4. Knowing what is a viable attack and what is not - tools that we use often spit out false positives, IDS systems, IPS systems, even our network and application penetration test tools all spit out false positives. Knowing which attacks against what target are viable and then being able to prove that viability to the developers and users of the system is a core skill.

5. Knowing how data migrates around the network - how is data used, where is it used, and who uses it in normal day to day patterns allows the Information security person to know when data is being misused, or someone who should not have access is trying to get access to it.

6. Network engineering skills - just enough to know how each component works on the network, what its function is, what its strengths and weaknesses are, and how it can be exploited.

7. IDS/IPS interpretation of results - being able to work with the IDS/IPS that is on the network and knowing how to find out more information about the data presented is a core skill. There is no sense in spinning up the whole department for a false positive, know how that IDS/IPS works, and what its limitations are.

8. System Administration - know enough about system administration that if presented with a series of computers, you can safely secure them allowing the applications to run that need to be on the box.

9. Risk Management skills - being able to understand the concepts of risk management, and how they are applied in regards to the companies culture. Not all companies are the same when it comes to risk management; each company has their own tolerance to risk. Be able to work within the confines of the companies tolerance for risk

10. Be creative - of all the top 10 skills that I am looking for, the ability to be creative when doing work makes the employee much more flexible, and easier to go forth and do good things.

Month of Browser Bugs

Metasploit's HD Moore published a blog entry on Sunday stating that he plans to issue a new browser bug each day through the month of July. Two are out so far and it one of them is a tad ugly.

Ove the last few months, I have taken an interest in web browser security flaws. This interest has resulted in my collaboration on a few fuzzing tools (Hamachi, CSS-Die, DOM-Hanoi), a blog post, and a SecurityFocus article. The vendors have been notified and the time has come to start publishing the results. I will publish one new vulnerability each day during the month of July as part of the Month of Browser Bugs project. This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them. Enjoy!

You’re killing Palestinians, we’re killing servers

When these guys get done with Israel, is the US next?

Unprecedented number of Israeli websites hacked: Hundreds of websites were damaged by hackers in recent hours, following IDF activity in the Gaza Strip. The hackers are members of the Moroccan “Team Evil” group, responsible for most of the website damage in Israel in the past year. This is the largest, most concentrated attack on Israeli websites in recent years.

A Ynet investigation revealed that more than 750 Israeli websites, on a number of different domains, were hacked into and damaged in recent days. Prominent among them were the Soldier’s Treasury Bank, Bank Hapoalim (not the main page), Rambam Hospital, the Society for Culture and Housing, BMW Israel, Subaru Israel, Jump Fashion, non-profit organization “Yedid,” Kadima’s youth website, and the Globus Group ticket center. Many of these sites have not yet returned to normal.

Hackers left the message: You’re killing Palestinians, we’re killing servers.