10 reasons websites get hacked

List of top 10 web vulnerabilities classified by OWASP, here with a description of the problem and some examples.

Wait there is more! NSA is on your computer!

NSA LIKELY READING WINDOWS SOFTWARE IN YOUR COMPUTER

Sooner or later, a country that spies on its neighbors will turn on its own people, violating their privacy, stealing their liberties.

President Bush’s grab for unchecked eavesdropping powers is the culmination of what the National Security Agency(NSA) has spent forty years doing unto others.

And if you’re upset by the idea of NSA tapping your phone, be advised NSA likely can also read your Windows software to access your computer.

European investigative reporter Duncan Campbell claimed NSA had arranged with Microsoft to insert special “keys” in Windows software starting with versions from 95-OSR2 onwards.

And the intelligence arm of the French Defense Ministry also asserted NSA helped to install secret programs in Microsoft software. According to France's Strategic Affairs Delegation report, “it would seem that the creation of Microsoft was largely supported, not least financially, by NSA, and that IBM was made to accept the (Microsoft) MS-DOS operating system by the same administration.” That report was published in 1999.

The French reported a “strong suspicion of a lack of security fed by insistent rumours about the existence of spy programmes on Microsoft, and by the presence of NSA personnel in Bill Gates’ development teams.” It noted the Pentagon was Microsoft’s biggest global client.

And heck, who wouldn't belive the French?

More here.

Because George said NO!

More on GW's spying program -

According to documents released by lawmakers on Monday, major U.S. telephone carriers refused to answer questions from the Democratic-led Congress about their possible participation in President George W. Bush's warrantless domestic spying program...

More...

Pre-9/11 wiretap bid is alleged

Why is this a surprise to anyone?

A former Qwest Communications International executive, appealing a conviction for insider trading, has alleged that the government withdrew a $200-million contract after Qwest refused to participate in an unidentified National Security Agency program that the company's top lawyer said was illegal.

Nacchio's account, which places the NSA proposal at a meeting on Feb. 27, 2001, suggests that the Bush administration was seeking to enlist telecommunications firms in programs without court oversight before the terrorist attacks. The Sept. 11 attacks have been cited by the government as the main impetus for its warrantless surveillance efforts.

More here.

Same church different pew...

http://www.wired.com/science/discoveries/news/2006/04/70619

The Breach Blog

The Breach Blog has an interesting compilation of recent security breaches.

18th episode of The Silver Bullet Security Podcast

Gary talks with Dr. Eugene Spafford, better known as “Spaf.” Spaf is a professor of computer science and Electrical and Computer Engineering at Purdue University and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS). On this episode, Gary and Spaf discuss the role of software testing in computer security, commercial certifications and whether they obviate the need for academic training, how Spaf feels about so-called “ethical hacking,” and why auditing and compliance is an area of emerging specialization.

The IT Crowd

Season 2 is rolling along and they are are up to Episode Five: Smoke & Mirrors.

Get caught up here.

Tasers in the news...

Officer do the right thing?

Today (9/19) is International Talk Like A Pirate Day

Put a parrot on your shoulder, strap on a peg leg, hit the rum and start bellowing "Shiver me Timbers" -- Wednesday is International Talk Like A Pirate Day.

"Pirates of the Caribbean" star Johnny Depp is not the only over-the-top buccaneer allowed to have fun.

September 19 is your once-a-year chance to don an eye patch, sport a ridiculously large hat and keep on saying "Arrrrr.

It all started back in the 1990s as a cult joke between two American friends -- John "Ol Chumbucket" Baur and Mark "Capn Slappy" Summers -- but really took off when syndicated columnist Dave Barry got to hear about their surreal festival.

Crime does pay!

Internet crime has become a major commercial activity, reveals a report by computer security company Symantec.

The report said cyber crime had become increasingly professional and was now a multi-billion dollar industry.

The underground economy has its own auction sites and marketplaces that sell valuable data such as credit card numbers and bank accounts.

They also sell toolkits for novice cyber criminals who lack technical know-how to craft their own attacks.

BBC story.

Hackers hit US stockbroker TD Ameritrade

Only email addresses? Yea right...

Stock broking firm TD Ameritrade has revealed a breach to one of its databases resulting in the theft of user data.

The company confirmed that, while online account numbers and passwords were not compromised, customer names, email addresses and phone numbers had all been stolen.

The database also contains Social Security numbers, although TD Ameritrade claimed that there is no evidence to suggest that the numbers were among the stolen data.

A spokesperson for the company told vnunet.com that the compromised database stored information on all of the company's 6.3 million customer accounts. It is not yet known how many customers were directly affected.

Story here.

Osama bin Laden, drove a Canadian-flagged motorcade through two security checkpoints in Sydney

Members of an Australian comedy TV show, one dressed as Osama bin Laden, drove a Canadian-flagged motorcade through two security checkpoints in Sydney Thursday before being stopped near a hotel where U.S. President George W. Bush is staying.

The stunt-embarrassed Sydney police had imposed the tightest security measures in the city's history. The Australian city is hosting a summit of leaders from Pacific Rim countries, including Bush and Canadian Prime Minister Stephen Harper, who arrived Thursday.

Police arrested 11 cast and crew from the TV program, The Chaser's War on Everything, and impounded three vehicles, the Australian Broadcasting Corp., which airs the show, said on its website.

Full story here.

The First Amendment, Satellite Imagery and National Security

So what should MS of done?

Recently a photograph appeared on the Internet of the propeller on an Ohio-class ballistic missile submarine at Trident Submarine Base in Bangor. A key to the submarine's ability to deploy and remain undetected, propeller designs have been kept under wraps for years, literally. When out of the water, the propellers typically are draped with tarps.

The propeller image appeared on Microsoft's mapping tool, Virtual Earth. It was discovered accidentally by Dan Twohig, a deck officer with the Washington state ferry service who was using the program to examine real estate on the west side of Puget Sound.

More here.

ShmooCon '08

Start planning now... TSG is happy to announce that ShmooCon '08 will take place at the Wardman Park Marriott in Washington DC, February 15-17.

17th episode of The Silver Bullet Security Podcast

Gary talks with Eric Cole, CEO of Secure Anchor. Eric has written seven books on computer security, including books on steganography and network security. Gary and Eric discuss how to demostrate security ROI in different types of organizations (ranging from government to corporate), the academic approach to security versus practitioner certification models, and what kinds of training makes for good network security practitioners. They also discuss the difficulty of certifying software developers.

How the FBI Wiretap Net Operates

The FBI has quietly built a sophisticated, point-and-click surveillance system that performs instant wiretaps on almost any communications device, according to nearly a thousand pages of restricted documents newly released under the Freedom of Information Act.

The surveillance system, called DCSNet, for Digital Collection System Network, connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It is far more intricately woven into the nation's telecom infrastructure than observers suspected.

Wired story here.
EFF has the document here.

The Burning Man Project 07

Oh my... Premature burning...

(Black Rock City - August 28, 2007) The Man at the center of Black Rock City will be rebuilt after an overnight fire which damaged the effigy at the center of the Burning Man event. Rebuilding is expected to take about two days.

Black Rock City officials say there was structural damage to the figure of the Man, but relatively little damage to the art and exhibits at the base of the Man. No injuries were reported.

An arson investigation is underway, and one arrest was made shortly after the fire was set. No charges have been announced, and the name of the suspect is being withheld. There has been no discussion of motive in the episode.

Burning Man

No more vacation - Back to work...

Take the back roads when taking the back road...

Adulterers, beware: Your cheatin' heart might be exposed by E-ZPass. E-ZPass and other electronic toll collection systems are emerging as a powerful means of proving infidelity. That's because when your spouse doesn't know where you've been, E-ZPass does.

"E-ZPass is an E-ZPass to go directly to divorce court, because it's an easy way to show you took the off-ramp to adultery," said Jacalyn Barnett, a New York divorce lawyer who has used E-ZPass records a few times.

More here.

Friday Fun - The Vomit-Inducing Flashlight

Picking your favorite non-lethal weapon can be tough. I'm partial to the microwave-based Active Denial System that former PopSci editor Eric Adams had the, er, courage to stand in front of a few years ago. (An experience described in detail here.) Or I might give a nod to the paralyzing, hardening foam that momentarily holds down The Hulk in the 2003 movie, and has been used by the U.S. military with mixed results.

But a California company may be developing the real winner, an LED-based flashlight that shoots out incredibly bright pulses of light, and can potentially induce vomiting. The Department of Homeland Security is funding the study, and Penn State will begin testing it this fall at the Institute of Nonlethal Defense Technology.

Story from Popular Science Blog.

Footprinting/research tool

Evolution is a program that is the brain child of Roelof Temmingh of ex-SensePost fame. It’s a tool that “associates data found in multiple search engines and social-networking Web sites… to find information behind IP addresses, Domain Name System entries, domain registration and more.

William Gibson

The present has recently caught up with William Gibson. The great prophet of the digital future, who not only coined the word 'cyberspace' in his debut novel Neuromancer in 1984, but imagined its implications and went a long way to suggesting its YouTube and MySpace culture, has stopped looking forwards. 'The future is already here,' he is fond of suggesting. 'It is just not evenly distributed.'

More story here.
New book here.

ATM Theft

Louisiana police are on the look-out for three men who staged a 1 AM smash and grab robbery at a Target store. The men rammed a truck through the store's front doors, pulled an ATM from the wall and loaded it into their vehicle as the store's cleaning crew looked on...

Police have located the truck used in the crime, as well as the emptied ATM.

US Border Security

Bush interviewed as a Illegal Jumps the Border - video powered by Metacafe

Well, it is funny anyway...

A "Visit" to Diebold Elections Systems, Inc.

A peek into their deserted, but well-lit, warehouse brought home just how easy it would be for a company employee to take advantage of any number of the myriad sixty-second hacks found to be easily carried out by Election Insiders --- such as Diebold Employees or County Election Officials --- in Bowen's independent penetration report of Diebold's voting systems [PDF].

DEFCON 15 - 12year old Bumping Medeco's Biaxial

This past weekend at DefCon Tobias ran into Jennalynn, a 12-year-old girl who appeared in a YouTube video last year bumping a Kwikset lock. (Jennalynn's mother declined to give her daughter's last name because she preferred not to have it published.) Tobias asked her to try bumping Medeco's Biaxial lock, a more secure lock. She did it three times. Below is a video showing her bumping the lock, with Tobias next to her.

Wifi in the Wall

WEJ-11G-O Wall Box Wireless Access Point/Bridge

$129.95

Usually ships in 1-2 days

The Karo Technology WEJ-11g Series are uniquely designed to fit into a standard wall box and bring the benefits of both wired and wireless connection. The WEJ-11g are full-featured Access Points that support IEEE 802.11b and 802.11g. The WEJ-11g can be installed and configured easily into any new wireless network or integrated within an existing wired network resulting in a more flexible and cost-effective wireless deployment. And, a network administrator can centrally manage the WEJ-11g Series via a Web browser or an SNMP MIB browser.

Features

• High speed 54 Mbps wireless and/or 100 Mbps wired data rate
• RF transmit power settings (5 levels)
• Auto-channel selection setting
• Security: WEP, WPA-PSK, 802.1x, EAP, TKIP, AES
• MAC address filtering
• Wireless client isolation
• AP load balancing
• Association control
• Hardware watchdog timer
• Extensive management tools via browser-based configuration utility

Fudge Packer Arrested

Shortly after midnight, Thursday morning, the Annapolis Police Department received a call from a clerk at the downtown Maryland House Hotel, who reported that a woman had come into the lobby and said she had been the victim of a sexual assault.

Officers met with Greenbelt resident Catherine Anne Delgado, 35, and determined that her assault claim was unfounded. During the course of their conversation in the lobby, the officers noticed that Delgado, wearing slacks and a sleeveless white blouse, had large slabs of fudge bulging out of her pockets.

“Smudges of fudge showed up very well on her hands and white blouse,” Officer Hal Dalton said. “You don’t see something like that every day.”

More here.

DEFCON 15 - Aug 3-5

Reporter gets snapped...

A LOT OF MAKEUP can make you prettier, but it won't make you smarter. Michelle Madigan, Associate Producer for Dateline NBC found this out the hard way at Defcon.

According to sources at the show, she was there to do a piece called Hackers for Hire, with the goal of showing the criminal hacker underground and possibly outing an undercover fed. As Michelle was said to have said, "People in Kansas would be very interested in what is going on at Defcon". She was busted hours before she walked in the door, the first slide before the keynote was this, and the speaker asked to notify a goon (security) if she was spotted.

Full story here.

Secure your Future - Caffeine and Exercise Can Prevent Skin Cancer

Regular exercise and little or no caffeine has become a popular lifestyle choice for many Americans. But a new Rutgers study has found that it may not be the best formula for preventing sun-induced skin damage that could lead to cancer. Low to moderate amounts of caffeine, in fact, along with exercise can be good for your health.

According to the National Cancer Institute, sunlight-induced skin cancer is the most prevalent cancer in the United States with more than 1 million new cases each year. A research team at Rutgers, The State University of New Jersey, showed that a combination of exercise and some caffeine protected against the destructive effects of the sun’s ultraviolet-B (UVB) radiation, known to induce skin cancer. The caffeine and exercise seemingly conspire in killing off precancerous cells whose DNA has been damaged by UVB-rays.

Get the full story here. Get your caffeine here.

Google Fun - Phone # to map...

Google has implemented a nice little feature where you can type a telephone number into the search bar and if found, you will be given the option to map the related results... If you want to block Google from divulging your private information, simply click on your phone number. Removal takes 48-hours.

Friday Fun - Filled 1,000 gallon pool stolen

Not that big a surprise considering it was NJ. Capt Sullo perhaps or Aliens?

Someone stole 1,000 gallons of water from Daisy Valdivia's backyard. And they didn't spill a drop.

Valdivia woke Wednesday morning to find that her family's inflatable pool, hip high and 10 feet in diameter and filled with water, was stolen from her backyard in the middle of the night. There is no evidence that the water was poured out, pumped out, evaporated or drunk.

Or drunk?

Full story here.

One Laptop Per Child machines for sale this Xmas?

How about one for every one of our deployed military for their own use and let them distribute systems to the kids in the areas that they are in...

The non-profit group that designs low-cost computers for poor children hopes to start selling multimedia laptops to consumers by Christmas, a foundation executive reported on Monday.

The One Laptop Per Child Foundation's rugged XO laptop could initially sell for just $350, or twice its production cost, although the group is also considering a $525 price tag, said OLPC chief technology officer Mary Lou Jepsen.

Exploiting the iPhone

Researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.

Details here.

The Silver Bullet Security Podcast - Show 016

On the 16th episode of The Silver Bullet Security Podcast, Gary talks with Greg Hoglund, who runs the popular rootkit.com, CEO of HB Gary, and co-author of Rootkits: Subverting the Windows Kernel and Exploiting Software. In addition to shameless self-promotion of their new book, Exploiting Online Games, Gary and Greg discuss the natural tendency of certain types of code to allow exploits, how disclosure is a good thing when it comes to revealing exploits, and the use of rootkits by the “good guys.” Greg also makes us concerned that his 11-year-old daughter may 0wn our box.

Web Trend Map 2007 Version 2.0

This very large graphic, is an attempt to map the Internet onto a map of the London Underground rail system (the series of Tubes as a tube-map). There is a ton of info here and some very interesting stuff.

Details and more here.

Adult Film industry fights piracy

Gee, I guess piracy does hurt everyone... According to sources, the adult industry is losing $2 billion a year because of file sharing, pirate servers, hackers, and illegal duplication of its movies.

Incorporated in June 2007, Global Anti-Piracy Agency (GAPA) is an independent, non-profit trade organization with the singular mission of working on behalf of the adult entertainment industry to fight piracy of intellectual property.

Security History for Sale on eBay - Enigma Machine

The Enigma encryption machine was introduced in 1923 by the Chiffriermaschinen Aktien-Gesellschaft (Cipher Machines Stock Corporation). It was used by the Germans to encrypt messages during World War II. With just over eight days left, the current bid is $12,276.99 and the reserve has not been met...

Bid here.

Wikipedia entry.

The Athens Affair

How some extremely smart hackers pulled off the most audacious cell-network break-in ever.

Story here.

Deal of the Day - Dragon Fire 500,000 Volt Stun Gun

Surplus Computers has the Dragon Fire 500,000 Volt Stun Gun (500-K) for $33 with free shipping. It takes two 9V batteries (not included).

Buy here.

Friday Fun - Fake Officer Stops Real One

There were flashing lights atop his SUV and what appeared to be a police badge in his hand, but it was the man he tried to pull over who was the real police detective.

Robert Lane, 25, was arrested Tuesday on charges of criminal impersonation and aggravated unlicensed operation of a motor vehicle, Suffolk County police said.

More here.

Feds use key logger to thwart PGP, Hushmail

A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar.

cnet story here.

"I've Got Nothing to Hide" and Other Misunderstandings of Privacy

In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the "nothing to hide" argument. When asked about government surveillance and data mining, many people respond by declaring: "I've got nothing to hide." According to the "nothing to hide" argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The "nothing to hide" argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the "nothing to hide" argument and exposes its faulty underpinnings.

F-Secure On Cyber Crime

Mikko Hypponen, Chief Research Officer of F-Secure talks about the various aspects of Crimeware in this YouTube video.

Financial Institutions - the right to conduct a forensic analysis?

What if the user accessed his or her bank account using more than one computer, what if it was a company issued computer?

"However, under New Zealand's new banking code of practice, which came into effect on Sunday, financial institutions will reserve the right to conduct a forensic analysis of fraud victims' computers. If the system lacks operating system updates and security software, they may deny reimbursement claims."

More here.

Bank branch bandit wears tree disguise

Just as the Citizen Bank branch opened Saturday morning, a man walked in with leafy boughs duct-taped to his head and torso, and robbed the place.

CNN video here.

Secure your stuff (Ikea ads)

http://view.break.com/326690 - Watch more free videos

Nothing like another 12 or 16 nuclear ballistic missiles added to the planet.

A shiny new ballistic-missile submarine docked at a naval base in China has been spied publicly for the first time using Google Earth.

The new class of nuclear sub, called the Jin-class, had been rumoured to exist for some time, but the image recently uploaded to Google Earth is the first public glimpse of the vessel.

More here.

Secure Earth - 7.7.07

Friday "Fun" - WabiSabiLabi

Companies such as 3Com's TippingPoint division and VeriSign's iDefense Labs have offered cash for this type of research before, but..

Now a Swiss security firm called WabiSabiLabi has opened a web marketplace for zero-day security vulnerabilities.

According to Herman Zampariolo, CEO of WSLabi, We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.

Researchers can submit their findings to the exchange once they have registered. WSLabi will then verify the research by analyzing and replicating it at their independent testing laboratories. They will eventually then package the findings with a Proof of Concept; this can then be sold to the marketplace via three methods from the marketplace platform:

- Starting an auction, predefined starting price
- Selling to as many buyers as possible at a fixed price
- Selling it exclusively to one buyer

July 4th

U.S. Deaths Confirmed By The DoD: 3583
Reported U.S. Deaths Pending DoD Confirmation: 3
Total: 3586

Full list.

Weekend Warriors - Reverse Engineering

Old, but good...



OllyDbg

Hiew

Courthouse security camera reveals strange apparition

Are today's surveillance cameras so remarkable that they can actually capture images of spirits walking amongst the living? Sounds like the makings of an M. Night Shyamalan thriller, but a recent report out of New Mexico gives us reason to believe in specter surveillance.



Full story here.

So... Is there such thing as a good virus?

USB flash drive worm spreads information about AIDS.

Sophos is reporting a worm which spreads by copying itself onto removable drives such as USB flash drives, in an attempt to spread information about AIDS and HIV.

The W32/LiarVB-A worm hunts for removable drives such as floppy disks and USB memory sticks (as well as spreading via network shares), and then creates a hidden file called autorun.inf to ensure a copy of the worm is run the next time it is connected to a Windows PC. Once it has infected a system it drops an HTML file containing a message about AIDS and HIV to the user's drive.

11 Key - Lock Bumping Set

Forget picking, start bumping! BumpKey.US has a $35.00 package with the following lock bumping keys:

5 Pin Kwikset KW1, 6 Pin Kwikset KW10, 5 Pin Schlage SC1, 6 Pin Schlage SC4, 5 Pin Arrow AR1, 6 Pin Arrow AR4, 5 Pin Yale Y1, 5 Pin Dexter DE6, 5 Pin Weiser WR5, 4 Pin Master M1, 5 Pin Master M10

Minimal disclosure certificates: the case of SSO

Dr. Stefan Brands has some very interesting writings on minimal disclosure tokens (along with all kinds of excellent insight on digital identity mgmt) on his blog The Identity Corner.

The Hacker Crackdown, Podcast, Part 001

Cory Doctorow podcasts Bruce Sterling's "The Hacker Crackdown"

Bruce Sterling's classic work highlights the 1990 assault on hackers, when law-enforcement officials successfully arrested scores of suspected illicit hackers and other computer-based law-breakers. These raids became symbolic of the debate between fighting serious computer crime and protecting civil liberties. However, The Hacker Crackdown is about far more than a series of police sting operations. It's a lively tour of three cyberspace subcultures--the hacker underworld, the realm of the cybercops, and the idealistic culture of the cybercivil libertarians.

Inside The Mind Of A Suicide Bomber

This can't be true for children...

Suicide bombers are not mentally ill or unhinged, but acting rationally in pursuit of the 'benefits' they perceive from being part of a strict and close-knit religious enterprise, according to a University of Nottingham academic.

Research by Dr David Stevens, of the School of Politics and International Relations, suggests that the widely-held view of suicide bombers as brain-washed religious fanatics, vulnerable through youth and poverty, is not an accurate one.

Full story.

Man bursts into flames after being shot by a taser gun

Police are investigating the firey death of a man who burst into flames after dousing himself in petrol and then being shot with a taser gun. Officers used the gun after the man had poured gasoline over himself. Juan Flores Lopez, 47, died on Tuesday at a hospital in Texas.

Story here.

“Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security”

A House Homeland Security subcommittee held a hearing today into security breaches, hacking and IT security failure at the Department of Homeland Security, that totaled more than 800 incidents in two years..

Harsh words from the Committee's chair Bennie Thompson -

How can the Department of Homeland Security be a real advocate for sound cybersecurity practices without following some of its own advice? How can we expect improvements in private infrastructure cyberdefense when DHS bureaucrats aren’t fixing their own configurations? How can we ask others to invest in upgraded security technologies when the Chief Information Officer grows the Department’s IT security budget at a snail’s pace? How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified emails over unclassified networks and contractors to attach unapproved laptops to the network?

The Silver Bullet Security Podcast

On the 15th episode of The Silver Bullet Security Podcast, Gary interviews Annie Antón, Associate Professor of Software Engineering at North Carolina State University and director of theprivacyplace.org. During their discussion, Annie and Gary focus on privacy. They start with an attempt to define what “privacy” is in the digital world, moving on to Annie’s work with The Privacy Place. Annie also discusses airlines’ pretty much pitiful privacy policies, the impact that a Google/Doubleclick deal would have on consumer privacy, crazy talk in EULAs, and the book Letters to a Young Catholic (which has nothing to do with privacy).

An Easier Way Of Finding WiFi?

WeFi was founded 18 months ago and is headquartered in Mountain View, with an R&D center in Tel Aviv, Israel.

The WeFi client replaces the Windows connection manager and finds and connects to free WiFi hotspots. The location of free hotspots is displayed on a map that also shows the location of other WeFi users. The maps are regularly updated as users discover and connect to WiFi. This is delivered without changing or modifying access points, delivering a complementary service to other WiFi sharing initiatives such as fon.

Computer Security Contract Awarded

So who did Uncle Sam pick to protect sensitive, unclassified data residing on government laptops?

The Office of Management and Budget, U.S. Department of Defense and U.S. General Services Administration awarded 12 contracts today for blanket purchase agreements (BPA) to protect sensitive, unclassified data residing on government laptops, other mobile computing devices and removable storage media devices. The BPA’s could result in contract values exceeding $79 million.

Awardees are MTM Technologies Inc.; Rocky Mountain Ram LLC; Carahsoft Technology Corp.; Spectrum Systems Inc.; SafeNet Inc.; Hi Tech Services Inc.; immixGroup Inc.; Autonomic Resources LLC; GTSI Corp.; GovBuys Inc.; Intelligent Decisions Inc. and Merlin International.

Products are Mobile Armor LLC’s “Data Armor”; Safeboot NV’s “Safeboot Device Encryption”; Information Security Corp.’s “Secret Agent”; SafeNet Inc.’s “SafeNet ProtectDrive”; Encryption Solutions Inc.’s “Skylock At-Rest”; Pointsec Mobile Technologies’ “Pointsec”; SPYRUS Inc.’s “Talisman/DS Data Security Suite”; WinMagic Inc.’s “SecureDoc”; CREDANT Technologies Inc.’s “CREDANTMobile Guardian” and GuardianEdge Technologies’ “GuardianEdge.”

More here.

Ohio man under house arrest since 2003

A man accused of hacking a computer and storing child pornography has spent almost four years cooped up in his parents' southwest Ohio home - by far the longest period of house arrest ever served in Hamilton County, authorities said.

Jesse Tuttle, 27, was charged in 2003 with hacking into the county's computer system and storing child pornography on his home computer. Tuttle said the charges stem from computer work he was doing as an FBI informant.

Here is the fun part...

In the last four years, Tuttle has become engaged, had a daughter with his fiance and gained 50 pounds. Hours of playing video games and watching television each day in his home near this Cincinnati suburb isn't particularly healthy, he said.

"I never really got into video games before," he said. "What else do you have to do?"

More here.

SecurityCartoon.com

http://www.securitycartoon.com/

VoIP Security Threats

Flash Back - Cliff Stoll

Clifford Stoll's role in catching hacker Markus Hess in the 1980s, while Stoll was employed at the Lawrence Berkeley National Laboratory in California, led to his authoring the book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (1989, ISBN 0-7434-1146-3). That book was/is a fascinating read and should be required reading for every security practitioner.

His 1995 follow-up book Silicon snake oil: Second thoughts on the information highway was a much more skeptical look at technology and one that was critically reviewed by many. However, I found many of his views to be very poignant and as worthwhile noting today as they were a decade ago...

"When I'm online, I'm alone in a room, tapping on a keyboard, staring at a cathode-ray tube. I'm ignoring anyone else in the room. The nature of being online is that I can't be with someone else. Rather than bringing me closer to others, the time that I spend online isolates me from the most important people in my life, my family, my friends, my neighborhood, my community."

He currently sells Klein bottles on the Web, is a "mostly" stay-at-home dad and teaches eighth graders about physics at Tehiyah Day School, in El Cerrito, California.

"A box of crayons and a big sheet of paper provides a more expressive medium for kids than computerized paint programs."

"Why is it drug addicts and computer afficionados are both called users?"

- Clifford Stoll, Silicon Snake Oil, 1995

Drive-by Video Peeping

Ontario Canada Privacy Commissioner Ann Cavoukian has issued a 16-page order, with an extensive set of guidelines, and a fact sheet on responsible video surveillance following her inquiry into a privacy breach involving a methadone clinic in Canada.

In the incident that occurred a couple of months ago, a video image of a woman providing a urine sample at a washroom in a methadone clinic in Sudbury, Ont. was accidentally intercepted by a backup camera in a vehicle that was driving by the clinic.

TrueCrypt - Free Open-Source Disk Encryption Software

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g.., file names, folder names, contents of every file, free space, meta data, etc).

How to secure your USB thumbdrive - A TrueCrypt tutorial

PowerPoint Reveals Key to Classified National Intel Budget

Terri Everett of the Office of the Director of National Intelligence gave a Powerpoint presentation which was also hosted online, unfortunately some data behind his pie charts revealed rather more than intended. Writer R.J. Hillhouse found that she could open the chart object and extract the numbers from within.

Full story on Dr. Hillhouse's blog.

Secure Earth - Alien 'visitor' shot at Area 51

"As the jeep approached Gate 3, the OSI agent noticed the guard was missing from the required location outside the gate house. As the jeep stopped, the OSI Agent got out of the jeep to investigate.

The OSI agent walked up to the gate to check on the guard. As the OSI agent got closer to the front door of the gate, the OSI agent noticed the interior of the gate was blood splattered. The OSI agent noticed only small pieces of human body parts were left of a human being.

The OSI agent returned to the jeep and contacted the Central Security Control (main/primary security office for the complex) and reported the findings. The Director of Security contacted his office by way of a radio phone, mounted inside the jeep. The OSI agent, armed with only an automatic pistol, walked around the area searching for a perpetrator.

The OSI agent located the "Visitor," lying down near an underground water culvert. The OSI agent challenged the Visitor, ordering the Visitor to give up. The Visitor walked away, followed by the OSI agent. At some point, the OSI agent fired his weapon at the Visitor, as a warning. The Visitor, turned and pointed something at the OSI.

The OSI agent fired directly at the Visitor, hitting the Visitor directly in the chest with two rounds from the 45 caliber automatic pistol. The Visitor fell to the ground. It took about 18 minutes for additional security forces to arrive. The Visitor was placed inside a containment chamber and transported back to the S-2 facility. The Visitor recovered from the wounds."

More

Friday Fun - Stolen keys delay start of military mission

Start walking boys!

Poland's 1,200 troops assigned to NATO forces in Afghanistan will not achieve full combat readiness for up to several weeks due to stolen vehicle keys, the defense ministry said Thursday.

"We had been told a 10 percent theft rate was likely in convoys brought in from Pakistan, but we had not expected the spare car keys to go missing," defense ministry spokesman Jaroslaw Rybak told news channel TVN24.

"We shall have to send away for spares, so it may take from several days to several weeks for our contingent to become combat ready."

Full story here.

Teacher Gets New Trial on Classroom Porn

She may of been a dolt, but she didn't deserve 40 years...

Julie Amero, left, leaves the New London, Conn., courthouse with her husband, Wes Volle, Wednesday, June 6, 2007. A judge granted a new trial Wednesday for Julie Amero, a former Norwich substitute teacher convicted of allowing students to view pornography on a classroom computer. Amero, 40, of Windham, who had no previous criminal record, faced up to 40 years in prison after she was convicted in January of exposing students to pornography on her classroom computer.

Full story.

“There’s a problem. It’s called Net Neutrality”

Credit Union Don'ts

Priority One Credit Union recently sent election ballots to members. Printed on the outside of the envelope were some numbers...

Each member's account number and SSN.

Text from Letter of apology:

Important Security Message to Members

During the last week, we mailed our election ballots to members. Unfortunately, an error occurred during the distribution of this ballot, and personal information was inadvertently included above your address on the envelope. This information was not printed in a format that would be immediately recognizable, and we have no indication your personal information has been accessed or misused in any way.

We apologize for this distribution error, and deeply regret any inconvenience or concern it may cause you. Your privacy and security are our top priority, and we have taken precautionary measures to help ensure your protection.

New protocols are in place to thoroughly validate your identity before any account transaction can be made. New member authentication procedures will further ensure you are the only person who can open new accounts, apply for a loan or do business with our credit union.

We will provide, at no cost to you, a one-year membership in a credit monitoring service. Equifax will monitor your credit daily and immediately alert you if there is any unusual activity. You will soon receive a separate letter about Equifax explaining exactly how you can enroll and how the program works. If you have any questions, please call us at 626/441-1999 or 323/682-1999.

Additional operational and security enhancements will ensure this situation cannot happen again. We are committed to protecting your personal information, and will closely monitor your account for the next year. We are also happy to change your member number, upon your request.

We will take whatever steps are necessary to protect you and your confidential information, and your accounts remain safe and sound with your credit union. Please don’t hesitate to call us at 626/441-1999 or 323/682-1999 or visit your local branch if you have any questions or concerns about this issue.

In addition to the steps we are taking to protect you and your accounts, here are other security precautions you can take:

* Carefully review your accounts when you receive your statement for at least the next 12 – 24 months. You can also review your accounts online at www.priorityonecu.org. This is a good financial management practice, and an important part of keeping your financial information accurate and secure.
* Place a Security Alert on your credit bureau file. Security alerts provide added protection because they recommend creditors contact you before opening new accounts. To place a Security Alert or to obtain a copy of your credit report, please contact:
o Experian: 1-888-397-3742 www.experian.com,
o Equifax: 1-800-525-6285 www.equifax.com
o Transunion: 1-800-680-7289 www.transunion.com
* Contact the following resources for additional information and guidance relating to privacy and identity theft:
o Federal Trade Commission (FTC): 1-877-IDTHEFT www.consumer.govidtheft
o Social Security Administration’s Fraud Hotline: 1-800-269-0271
* Call us right away if you have any questions or concerns, or suspect any unusual activity, at 626/441-1999 or 323/682-1999.

We appreciate your continued support of Priority One Credit Union, and want you to know that “you are our first priority.”

Charles R. Wiggington, Sr. CEO/President

Michigan Man Fined for Using Coffee Shop's Wi-Fi Network

This story bugs me and personally, I think he should of fought this. I would think the EFF would of helped...

A Michigan man has been fined $400 and given 40 hours of community service for accessing an open wireless Internet connection outside a coffee shop.

Under a little known state law against computer hackers, Sam Peterson II, of Cedar Springs, Mich., faced a felony charge after cops found him on March 27 sitting in front of the Re-Union Street Café in Sparta, Mich., surfing the Web from his brand-new laptop.

"It wasn't anything we were looking for, and it wasn't anything that we frankly particularly wanted to get involved in, but it basically fell in our lap and it was a little hard to just look the other way when somebody handed it to us," said Lynn Hopkins, assistant prosecuting attorney for Kent County.

Under the statute, individuals who log on to a Wi-Fi network with the owner's permission, or who see a pop-up screen that says it's a public network, can assume they're authorized to use the network, Hopkins said.

If they don't, they could be subject to prosecution.

Peterson was given two choices: He could try to fight the felony charge and face a sentence of up to 5 years in jail or a $10,000 fine; or he could enroll in the diversion program, which would require paying a $400 fine, doing 40 hours of community service and staying on probation for six months.

Last week, Peterson chose to pay the fine instead as part of a jail-diversion program.

Full story.

Yoggie, an Israeli security vendor, has released USB device called Pico, a Linux-based computer on a stick that provides enterprise-level security on a home laptop or desktop PC.

Per Yoggie the Pico has:

Complete protection against

• Viruses
• Worms
• Identity theft
• Data theft
• Phishing
• Spyware
• Spam
• IP Spoofing
• Denial of Service attacks

All-in-one Security

• Anti Virus
• Anti Spam
• Anti Phishing
• Intrusion Detection
• Intrusion Prevention
• Firewall (Stateful Inspection)
• Web Filtering
• Parental Content Control
• Adaptive Security Policy™
• Multi-Layer Security Agent™
• Layer-8 Security Engine

Hacking Vista: Easier than you'd think

Honor Their Sacrifice

Why Are CC Numbers Still So Easy To Find?

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read Bennet's article.

Bloody Passwords …

Tool TIme - Drobo

This thing seems way cool to me, watch a demo here.

Drobo is a four drive array that connects via USB and employs "intelligent" software to handle all of the data management and disk swapping: one drive goes down? No problem, Drobo's already on it. Wanna swap out drives while you listen to music? Drobo keeps the tunes going even when you're down to one disk.

"Between Silk and Cyanide: A Codemaker's War"

I purchased this book based on a review by Robert Slade and have found it to be a great read. This book demands respectful attention, but in an often stale and text book filled library it is nice to have a security book that is both educational and fun.

Between Silk and Cyanide: A Codemaker's War, 1941-1945
Hardcover: 624 pages
Publisher: Free Press (June 9, 1999)
Language: English
ISBN-10: 0684864223
ISBN-13: 978-0684864228

Friday Fun - A Fair(y) Use Tale

Professor Eric Faden of Bucknell University created this humorous, yet informative, review of copyright principles delivered through the words of the very folks we can thank for nearly endless copyright terms.

- Had to of been a lot of work...

The 14th episode of The Silver Bullet Security Podcast

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. In this show, Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering (”nodody writes a line of code without the approving authorities [having] read and understood the specification”), why DRM is the “wrong solution to the wrong problem,” and who was more interesting to meet: Albert Einstein or Norah Jones.

Hack My Son's Computer, Please

Can an elderly father give police permission to search a password-protected computer kept in his adult son's bedroom, without probable cause or a warrant? In April, a three judge panel of the 10th Circuit Court of Appeals said yes.

This week, the son's attorney, Melissa Harrison, an assistant federal public defender in Kansas City, will ask the court to reconsider the panel's ruling. At stake is whether law enforcement will have any responsibility to respect passwords and other expressions of user privacy when searching devices which contain the most sensitive kinds of private information.

Wired article here.

Sending Encrypted Emails With S/MIME Protocol

Nice article on how to programmatically send S/MIME encrypted emails.

SNL - TSA "Security"

Friday Fun - Tandy Computer Whiz Kids Comics

Corny in a fun way Whiz Kids is a comic book, handed out by Radio Shack in the 80s. More infomercial than anything, they provide a fun look back...

New Site for Data Loss Statistics - etiolated

"Shedding light on who's doing what with your private information" the new site, etiolated.org, takes the privacy breach data accumulated by attrition.org and creates some very cool statistics, trends charts, etc...

Surveilance Basics

Some interesting articles on mostly casino security, but there is plenty of info that is applicable outside of the gambling world.

1. Camouflaged Holes

2. Chain of Command

3. Murphy's Law

4. Surveillance Room: Policies and Procedures

5. The Observer's Instinct, or "JDLR"

6. Direction of Attention

7. Recording Observations

8. On Writing Reports

9. Put it in Writing

10. False Reports

11. Confidentiality

12. Teamwork Part I

13. Assisting Casino Management

14. Pit Help Requests

15. Shift Checklist

16. Teamwork Part II: The Surveillance Room Team

17. Job Descriptions

by Gary Powell and Jim Goding

eBay Scammer on Judge Judy

Judge Judy rocks! These types of scams are more prevalent than you might think.

Somthing to Think About

"The universe doesn't owe you anything but an education, and it gives you lessons every day."

- John Vorhaus

“Is your PC virus-free? Get it infected here!”

Would you click on this Google ad?

No? Sure? Because 409 persons did!

Story here.

Reminder: Monday is Wiretap the Internet Day

May 14th is the official deadline for cable modem companies, DSL providers, broadband over powerline, satellite internet companies and some universities to finish wiring up their networks with FBI-friendly surveillance gear, to comply with the FCC's expanded interpretation of the Communications Assistance for Law Enforcement Act.

Congress passed CALEA in 1994 to help FBI eavesdroppers deal with digital telecom technology. The law required phone companies to make their networks easier to wiretap. The results: on mobile phone networks, where CALEA tech has 100% penetration, it's credited with boosting the number of court-approved wiretaps a carrier can handle simultaneously, and greatly shortening the time it takes to get a wiretap going. Cops can now start listening in less than a day.

Wired story here.

Sex Toy Threatens Cyprus's National Security

Small, egg-shaped and promising 'divine' vibrations, a UK sex toy has been deemed a threat to Cyprus's national security. According to the company Ann Summers, the Love Bug 2 has been banned because the Cypriot military is concerned its electronic waves would disrupt the army's radio frequencies. Operated by a remote control with a range of six metres, it is described by Ann Summers as 'deceptively powerful'. The company said: 'The Love Bug 2 is available in Cyprus but we have had to put a warning out urging Cypriots not to use it.'

Story source.

Friday "Fun"

Man chops off head with chainsaw

A man cut off his own head with a chainsaw after stabbing his 70-year-old father to death in their apartment in the German city of Cologne, police said.

The body of the offender, 24, was found headless when police raced to the apartment after an emergency call, apparently from the dying father, had been broken off in mid-sentence.

Body found in bed after seven years

The decomposed corpse of a German man has been found alone in his bed after nearly seven years, police in the western city of Essen said today.

The police said in a statement the man was 59 and unemployed at the time of his death. He most likely died of natural causes on November 30, 2000, the date he received a letter from the Welfare Office found in the flat, police said.

The Attacks Against Estonian Servers

For a good summary on what's been happening so far, read this article from Helsingin Sanomat.

Russia's aggressive displays towards Estonia of late, in the wake of the moving of the "Bronze Soldier" Soviet war memorial, have not been confined to rioting by nationalists on the streets of Tallinn or the blockading of the Estonian Embassy in Moscow.
Estonian government websites and others have been the victims of denial-of-service attacks since Friday of last week [April 27th, the day the statue was moved, following a night of rioting that left one man dead].

Fed Worker Sues over Googling

What: A government worker claims a department official violated his "right to fundamental fairness" by using Google to research his prior work history in a dispute over the use of government property.

When: U.S. Court of Appeals for the Federal Circuit rules on May 4.

Outcome: Unanimous three-judge panel says no harm was done by using search engine.

More

Anti-Violence Electrode Shock Gun

What more could you want? The TW-ESG-Z1 Anti-Violence Electrode Shock Gun does it all. It has SNAP-ON CARTRIDGES that enable it to shoot "taser" probes, pepper powder, rubber bullets and paint bullets. It can also shock attackers without the probe, and even includes a Xenon flashlight. A a plus, the TW-ESG-Z1 even features a safety wrist strap that disables the gun if an attacker takes it from you.

Multi-Functions

1.With Cartridge of probes
Fire two probes up to a distance of 3.5M , which transmits pulsed energy that temporarily overrides the central nervous system of the target causing immediate incapacitation

2.With Cartridge of pepper powder
Pepper powder spray out up to a distance of 3 ~ 5M , and swells the veins in the which will cause a few people swells the mucous membranes to make breathing difficult,eyes, causing the tears dropped and the eyes to close

3. With Cartridge of rubber bullet
Used especially by military personnel and law enforcement officers in crowd control.10 ~ 15M effective distance

4. With Cartridge of paint bullet
Used especially by military personnel and law enforcement officers in crowd control.10 ~ 15M effective distance.

5.With Extended electric stick
For extending defense range to around 50cm

6.Capable of drive stun with or without cartridge of probes installed

7.Deployed Power ful Xenon light

Blind Man's Bluff

So how does Kent view/review the security cameras?

Don't try to dupe Kent Parker just because he's blind and operates a deli in the Hamilton County Courthouse.

Every once in a while, somebody tries to cheat him despite the security cameras trained on the cash register and about a dozen sheriff's deputies a few steps away.

In the past two weeks, two women offered bills smaller than they claimed and were arrested within minutes.

More here.

TJX was it Wardriving?

According to the Wall Street Journal, the biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

More here.

Secure Future - Earth

Earth Day Revisited with Lewis Black...

Friday Fun - Code Talkers

Tools to Really Erase a HD

We all know (or should know) that regular MS Windows methods for “deleting” files truly do not delete anything. However via the Center for Magnetic Recording Research and Dr. Gordon Hughes we have the Secure Erase standard.

Here is info on how really erase hard drive data:

Tutorial on Disk Drive Data Sanitization

Gordon Hughes - CMRR Secure Erase Page

Another alternative is an open source external block overwrite utility called Darik's Boot and Nuke ("DBAN").

Gartner: Hacking contests bad for business

A pair of Gartner analysts Tuesday denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" and urging sponsors to reconsider such public contests.

The research manager of TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.

"Public vulnerability research and 'hacking contests' are risky endeavors and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said analysts Rich Mogull and Greg Young in a research note published by Gartner on Monday.

Full InfoWorld story.

Certainly starts to blur the lines between the good guys, the bad and "responsible disclosure". How long before company A puts a bounty on "security research" of company B - their competitor?

Bodies Not Included

Secure Future - Coffee Drinking Health Benefits

Not so controversial anymore -- panel says moderate coffee drinking reduces many risks. Coffee contains hundreds of components including substantial amounts of chlorogenic acid, caffeine, magnesium, potassium, vitamin B3, trigonelline, and lignans. Limited evidence suggests that coffee may improve glucose metabolism by reducing the rate of intestinal glucose absorption and by stimulating the secretion of the gut hormone glucagon-like peptide-1 (GLP-1) that is beneficial for the secretion of insulin. However, most mechanistic research on coffee and glucose metabolism has been done in animals and in lab tubes and therefore metabolic studies in humans are currently being conducted. Further research may lead to the development or selection of coffee types with improved health effects.

More here.

The Very Secure F-22

On April 10, at Langley Air Force Base, an F-22 pilot, Capt. Brad Spears, was locked inside the cockpit of his aircraft for five hours. No one in the U.S. Air Force or from Lockheed Martin could figure out how to open the aircraft's canopy. At about 1:15 pm, chainsaw-wielding firefighters from the 1st Fighter Wing finally extracted Spears after they cut through the F-22's three-quarter inch-thick polycarbonate canopy.

Total damage to the airplane, according to sources inside the Pentagon: $1.28 million. Not only did the firefighters ruin the canopy, which cost $286,000, they also scuffed the coating on the airplane's skin which will cost about $1 million to replace.

More here.

Friday Fun w/John T Draper (AKA Captain Crunch)

Time to fire-up the wayback machine and get a little hacker history. John T. Draper (born 1944), also known as Captain Crunch, Crunch or Crunchman (after Cap'n Crunch, the mascot of a breakfast cereal), is a former phone phreak.

Read his stories here.