Hacking Vista: Easier than you'd think

Honor Their Sacrifice

Why Are CC Numbers Still So Easy To Find?

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read Bennet's article.

Bloody Passwords …

Tool TIme - Drobo

This thing seems way cool to me, watch a demo here.

Drobo is a four drive array that connects via USB and employs "intelligent" software to handle all of the data management and disk swapping: one drive goes down? No problem, Drobo's already on it. Wanna swap out drives while you listen to music? Drobo keeps the tunes going even when you're down to one disk.

"Between Silk and Cyanide: A Codemaker's War"

I purchased this book based on a review by Robert Slade and have found it to be a great read. This book demands respectful attention, but in an often stale and text book filled library it is nice to have a security book that is both educational and fun.

Between Silk and Cyanide: A Codemaker's War, 1941-1945
Hardcover: 624 pages
Publisher: Free Press (June 9, 1999)
Language: English
ISBN-10: 0684864223
ISBN-13: 978-0684864228

Friday Fun - A Fair(y) Use Tale

Professor Eric Faden of Bucknell University created this humorous, yet informative, review of copyright principles delivered through the words of the very folks we can thank for nearly endless copyright terms.

- Had to of been a lot of work...

The 14th episode of The Silver Bullet Security Podcast

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. In this show, Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering (”nodody writes a line of code without the approving authorities [having] read and understood the specification”), why DRM is the “wrong solution to the wrong problem,” and who was more interesting to meet: Albert Einstein or Norah Jones.

Hack My Son's Computer, Please

Can an elderly father give police permission to search a password-protected computer kept in his adult son's bedroom, without probable cause or a warrant? In April, a three judge panel of the 10th Circuit Court of Appeals said yes.

This week, the son's attorney, Melissa Harrison, an assistant federal public defender in Kansas City, will ask the court to reconsider the panel's ruling. At stake is whether law enforcement will have any responsibility to respect passwords and other expressions of user privacy when searching devices which contain the most sensitive kinds of private information.

Wired article here.

Sending Encrypted Emails With S/MIME Protocol

Nice article on how to programmatically send S/MIME encrypted emails.

SNL - TSA "Security"

Friday Fun - Tandy Computer Whiz Kids Comics

Corny in a fun way Whiz Kids is a comic book, handed out by Radio Shack in the 80s. More infomercial than anything, they provide a fun look back...

New Site for Data Loss Statistics - etiolated

"Shedding light on who's doing what with your private information" the new site, etiolated.org, takes the privacy breach data accumulated by attrition.org and creates some very cool statistics, trends charts, etc...

Surveilance Basics

Some interesting articles on mostly casino security, but there is plenty of info that is applicable outside of the gambling world.

1. Camouflaged Holes

2. Chain of Command

3. Murphy's Law

4. Surveillance Room: Policies and Procedures

5. The Observer's Instinct, or "JDLR"

6. Direction of Attention

7. Recording Observations

8. On Writing Reports

9. Put it in Writing

10. False Reports

11. Confidentiality

12. Teamwork Part I

13. Assisting Casino Management

14. Pit Help Requests

15. Shift Checklist

16. Teamwork Part II: The Surveillance Room Team

17. Job Descriptions

by Gary Powell and Jim Goding

eBay Scammer on Judge Judy

Judge Judy rocks! These types of scams are more prevalent than you might think.

Somthing to Think About

"The universe doesn't owe you anything but an education, and it gives you lessons every day."

- John Vorhaus

“Is your PC virus-free? Get it infected here!”

Would you click on this Google ad?

No? Sure? Because 409 persons did!

Story here.

Reminder: Monday is Wiretap the Internet Day

May 14th is the official deadline for cable modem companies, DSL providers, broadband over powerline, satellite internet companies and some universities to finish wiring up their networks with FBI-friendly surveillance gear, to comply with the FCC's expanded interpretation of the Communications Assistance for Law Enforcement Act.

Congress passed CALEA in 1994 to help FBI eavesdroppers deal with digital telecom technology. The law required phone companies to make their networks easier to wiretap. The results: on mobile phone networks, where CALEA tech has 100% penetration, it's credited with boosting the number of court-approved wiretaps a carrier can handle simultaneously, and greatly shortening the time it takes to get a wiretap going. Cops can now start listening in less than a day.

Wired story here.

Sex Toy Threatens Cyprus's National Security

Small, egg-shaped and promising 'divine' vibrations, a UK sex toy has been deemed a threat to Cyprus's national security. According to the company Ann Summers, the Love Bug 2 has been banned because the Cypriot military is concerned its electronic waves would disrupt the army's radio frequencies. Operated by a remote control with a range of six metres, it is described by Ann Summers as 'deceptively powerful'. The company said: 'The Love Bug 2 is available in Cyprus but we have had to put a warning out urging Cypriots not to use it.'

Story source.

Friday "Fun"

Man chops off head with chainsaw

A man cut off his own head with a chainsaw after stabbing his 70-year-old father to death in their apartment in the German city of Cologne, police said.

The body of the offender, 24, was found headless when police raced to the apartment after an emergency call, apparently from the dying father, had been broken off in mid-sentence.

Body found in bed after seven years

The decomposed corpse of a German man has been found alone in his bed after nearly seven years, police in the western city of Essen said today.

The police said in a statement the man was 59 and unemployed at the time of his death. He most likely died of natural causes on November 30, 2000, the date he received a letter from the Welfare Office found in the flat, police said.

The Attacks Against Estonian Servers

For a good summary on what's been happening so far, read this article from Helsingin Sanomat.

Russia's aggressive displays towards Estonia of late, in the wake of the moving of the "Bronze Soldier" Soviet war memorial, have not been confined to rioting by nationalists on the streets of Tallinn or the blockading of the Estonian Embassy in Moscow.
Estonian government websites and others have been the victims of denial-of-service attacks since Friday of last week [April 27th, the day the statue was moved, following a night of rioting that left one man dead].

Fed Worker Sues over Googling

What: A government worker claims a department official violated his "right to fundamental fairness" by using Google to research his prior work history in a dispute over the use of government property.

When: U.S. Court of Appeals for the Federal Circuit rules on May 4.

Outcome: Unanimous three-judge panel says no harm was done by using search engine.

More

Anti-Violence Electrode Shock Gun

What more could you want? The TW-ESG-Z1 Anti-Violence Electrode Shock Gun does it all. It has SNAP-ON CARTRIDGES that enable it to shoot "taser" probes, pepper powder, rubber bullets and paint bullets. It can also shock attackers without the probe, and even includes a Xenon flashlight. A a plus, the TW-ESG-Z1 even features a safety wrist strap that disables the gun if an attacker takes it from you.

Multi-Functions

1.With Cartridge of probes
Fire two probes up to a distance of 3.5M , which transmits pulsed energy that temporarily overrides the central nervous system of the target causing immediate incapacitation

2.With Cartridge of pepper powder
Pepper powder spray out up to a distance of 3 ~ 5M , and swells the veins in the which will cause a few people swells the mucous membranes to make breathing difficult,eyes, causing the tears dropped and the eyes to close

3. With Cartridge of rubber bullet
Used especially by military personnel and law enforcement officers in crowd control.10 ~ 15M effective distance

4. With Cartridge of paint bullet
Used especially by military personnel and law enforcement officers in crowd control.10 ~ 15M effective distance.

5.With Extended electric stick
For extending defense range to around 50cm

6.Capable of drive stun with or without cartridge of probes installed

7.Deployed Power ful Xenon light

Blind Man's Bluff

So how does Kent view/review the security cameras?

Don't try to dupe Kent Parker just because he's blind and operates a deli in the Hamilton County Courthouse.

Every once in a while, somebody tries to cheat him despite the security cameras trained on the cash register and about a dozen sheriff's deputies a few steps away.

In the past two weeks, two women offered bills smaller than they claimed and were arrested within minutes.

More here.

TJX was it Wardriving?

According to the Wall Street Journal, the biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

More here.

Secure Future - Earth

Earth Day Revisited with Lewis Black...

Friday Fun - Code Talkers

Tools to Really Erase a HD

We all know (or should know) that regular MS Windows methods for “deleting” files truly do not delete anything. However via the Center for Magnetic Recording Research and Dr. Gordon Hughes we have the Secure Erase standard.

Here is info on how really erase hard drive data:

Tutorial on Disk Drive Data Sanitization

Gordon Hughes - CMRR Secure Erase Page

Another alternative is an open source external block overwrite utility called Darik's Boot and Nuke ("DBAN").

Gartner: Hacking contests bad for business

A pair of Gartner analysts Tuesday denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" and urging sponsors to reconsider such public contests.

The research manager of TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.

"Public vulnerability research and 'hacking contests' are risky endeavors and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said analysts Rich Mogull and Greg Young in a research note published by Gartner on Monday.

Full InfoWorld story.

Certainly starts to blur the lines between the good guys, the bad and "responsible disclosure". How long before company A puts a bounty on "security research" of company B - their competitor?

Bodies Not Included