Monday, August 15, 2005

The third issue of (IN)SECURE

A free digital security magazine published in PDF format: http://www.insecuremag.com

The covered topics are:

- Security vulnerabilities, exploits and patches
- PDA attacks: palm sized devices - PC sized threats
- Adding service signatures to Nmap
- CSO and CISO - perception vs. reality in the security kingdom
- Unified threat management: IT security's silver bullet?
- The reality of SQL injection
- 12 months of progress for the Microsoft Security Response Centre
- Interview with Michal Zalewski, security researcher
- OpenSSH for Macintosh
- Method for forensic validation of backup tapes

ShmooCon 2006 - Register Today!

An annual East coast hacker convention hell-bent on offering an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, as well as open discussion of critical information security issues. ShmooCon 2006 will be January 13-15, 2006, in Washington, D.C.

Pre-registration is open. $75 gets you in the door this year if you sign up by October 1st. Space is limited once again, so getting a seat early is encouraged.

a nonist public service pamphlet — Without question one of the best commentaries written about blogging you’ll ever see. Great stuff.

There is a growing epidemic in the cyberworld. a scourge which causes more suffering with each passing day. as blogging has exploded and, under the stewardship of the veterans, the form has matured more and more bloggers are finding themselves disillusioned, dissatisfied, taking long breaks, and in many cases simply closing up shop. this debilitating scourge ebbs and flows but there is hardly a blogger among us who has not felt its dark touch. we’re speaking, of course, about blog depression.

we here at the nonist have spoken before about the “blog life crisis” which is a natural part of any blog’s life-span. what we turn our attention to now, however, is the more insidious, prolonged strain of dissatisfaction which stays with a blogger, right below the surface, throughout a blog’s lifetime.


Bored on the phone? Beware the Jerk-O-Meter

Researchers at the Massachusetts Institute of Technology are developing software for cell phones that would analyze speech patterns and voice tones to rate people -- on a scale of 0 to 100 percent -- on how engaged they are in a conversation.

Anmol Madan, who led the project while he pursued a master's degree at MIT, sees the Jerk-O-Meter as a tool for improving relationships, not ending them. Or it might assist telephone sales and marketing efforts.

"Think of a situation where you could actually prevent an argument," he said. "Just having this device can make people more attentive because they know they're being monitored."

(Item sent in by regular reader - Thanks, Dan!)

Saturday, August 13, 2005

Secure Planet?

Fear of a Warm Planet...

Here's the kind of stuff that can keep you awake at night. It's scary because it's real.

God Bless America - Video ode to the American hillbilly


A video montage of still photos set to the theme from Deliverance. I could watch it 100 times...

Friday, August 12, 2005

Court Overturns Ruling Saying Reading Someone's Email Isn't A Wiretap

Last year, there was a big uproar over the fact that a court found that a bookseller who offered his customers free email accounts did not violate wiretapping laws by reading their emails in order to see what Amazon was offering as deals. The ruling hinged on the wording of wiretap laws. The judges in the case admitted they weren't comfortable with the decision, but the problem was in the way the law was worded. The law only applies to "intercepted" communications -- and since the messages were (temporarily) on a server, reading through them technically was not "intercepting" communications, since they already had them. It appears that a new ruling now reverses that ruling and says that it is wiretapping, and the original case can go on. While the end result may seem like a good thing, protecting the rights of individuals to keep their email private from their email providers, the decision is still questionable. The real problem here is the wiretap law that is not designed to handle this situation at all. The article above notes that the law hopefully will still be changed -- which would solve this issue. However, in the meantime, it does sound like the judges may have decided something not based on what the law actually says.

Summer read: Markoff's "What the Dormouse Said"

While there have been several histories of the personal computer, well-known technology writer John Markoff has created the first ever to spotlight the unique political and cultural forces that gave rise to this revolutionary technology. Focusing on the period of 1962 through 1975 in the San Francisco Bay Area, where a heady mix of tech industries, radicalism, and readily available drugs flourished, What the Dormouse Said tells the story of the birth of the personal computer through the people, politics, and protest that defined its unique era.

Here's an excerpt:

Bill Duvall at work on one of the Augment Group's yoga workstations.

Dave Evans was one of the Augment team members who had strong ties to the counterculture, and one evening Stewart Brand brought Ken Kesey by for a look at the NLS system. It was several years after the Merry Prankster era and Kesey's legal problems over a marijuana arrest, and he had become a celebrity as a result of the publication of Tom Wolfe's The Electric Kool-Aid Acid Test, in which he was the main character. He was quarreling with Hollywood movie studios over the film based on his novel Sometimes a Great Notion and was preparing to retreat to a dairy farm in Oregon.

For an hour, Evans took the system through its paces, showing the writer how it was possible to manipulate text, retrieve information, and collaborate with others. At the end of the demonstration Kesey sighed and said, "It's the next thing after acid."

Thursday, August 11, 2005

MD5 Used as a Defence

A team of Chinese maths enthusiasts have thrown NSW's speed cameras system into disarray by cracking the technology used to store data about errant motorists.

The NRMA has called for a full audit of the way the state's 110 enforcement cameras are used after a motorist escaped a conviction by claiming that data was vulnerable to hackers.

A Sydney magistrate, Laurence Lawson, threw out the case because the Roads and Traffic Authority failed to find an expert to testify that its speed camera images were secure.

The motorist's defence lawyer, Denis Mirabilis, argued successfully that an algorithm known as MD5, which is used to store the time, date, place, numberplate and speed of cars caught on camera, was a discredited piece of technology.
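The defence's point is really about what an unkeyed hash can and cannot prove. The example below is added here (it is not from the article or from any camera vendor) and uses a constructed record: an MD5 digest stored beside the record is no evidence of integrity, because anyone who can edit the record can recompute the digest, whereas a keyed MAC (HMAC-SHA256 here, with a hypothetical key) can only be regenerated by a key holder. The point does not even depend on MD5's collision weaknesses.

```python
import hashlib
import hmac

# Constructed sample speed-camera record (not real data).
RECORD = {
    "time": "2005-08-11T14:32:10",
    "place": "Pacific Hwy northbound, km 14.2 (constructed)",
    "plate": "ABC123",
    "speed_kmh": 87,
}

# Hypothetical key that only the camera/evidence system would hold.
DEMO_KEY = b"demo-key-not-a-real-secret"


def canonical(record):
    """Serialise the fields in a fixed order so digests are reproducible."""
    return "|".join(f"{k}={record[k]}" for k in sorted(record)).encode()


def md5_tag(record):
    """Unkeyed MD5 over the record: the kind of tag the article describes."""
    return hashlib.md5(canonical(record)).hexdigest()


def hmac_tag(record, key):
    """Keyed HMAC-SHA256: producing a valid tag requires the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_md5(record, tag):
    return hmac.compare_digest(md5_tag(record), tag)


def verify_hmac(record, tag, key):
    return hmac.compare_digest(hmac_tag(record, key), tag)


def altered_record_passes_md5(record):
    """Edit a field and recompute the unkeyed digest: verification still
    succeeds, so the digest cannot tell an original from an edited record."""
    altered = dict(record, speed_kmh=59)
    return verify_md5(altered, md5_tag(altered))


def altered_record_passes_hmac(record, key):
    """Edit the same field without the key: the only tag available is the
    old one, and it no longer matches, so the change is detected."""
    original_tag = hmac_tag(record, key)
    altered = dict(record, speed_kmh=59)
    return verify_hmac(altered, original_tag, key)


if __name__ == "__main__":
    print("MD5 tag accepts edited record:", altered_record_passes_md5(RECORD))
    print("HMAC tag accepts edited record:", altered_record_passes_hmac(RECORD, DEMO_KEY))
```

A MAC only shifts the question to key management and who can sign, which is exactly what an expert witness would be asked to testify about.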

Password Crackers, Encryption Tools, Penetration Tester List

A website with a list of available programs, websites, and companies that specialize in security, password hacking, cracks, security publications, computer forensics and more.

Gee, the Stuff from DefCon Just Keeps Coming...

Video from the DefCon WiFi Shootout event along with some photos and topographical information.

Wednesday, August 10, 2005

And it's not even Friday: WiFi Speed Spray

This revolutionary product enhances the transfer of computer data through the air. You'll be amazed! Why spend $$$ to upgrade your network when all you need to speed things up is WiFi Speed Spray!

Do you live in a polluted environment such as Los Angeles? If so, you've probably experienced the heartbreak of data transfer slow-down.

WiFi Speed Spray™ can overcome the effects of pollution, increase fidelity, and provide you with the fastest wireless data transfer possible. Compatible with ALL 802.XXx standards!

It's a scientific fact. Radio waves become sluggish under a variety of common environmental conditions. Besides air pollution, radio waves slow down in noisy environments, at night, and in "high emission" areas such as computer rooms, offices that use fluorescent lighting, and even in the kitchen (those pesky microwave ovens are to blame!).

WiFi Speed Spray™ is designed to eliminate these harsh conditions selectively. Only the radio wave path is affected. It's 100% SAFE to use, natural, no harmful toxic substances, and no side-effects. It's so safe, you can even BREATHE it in.

Hack Your Life

lifehack.org - Daily digest and pointer on productivity, getting things done and lifehacks

What if you applied the hacker mindset to your everyday life? Getting things done quicker and smarter than normal people. LifeHack is updated daily with the most recently notable articles being: the art of traveling with one bag, optimizing your bathing, note taking systems, and how to get a project up and running.

Too Much Security Can be Bad - Man's Testicles Locked In Padlock

According to the Portsmouth Herald, police reported that the 39-year-old man was intoxicated when they arrived at the scene on July 30 at about 3:40 a.m. The man, who was not identified, told them that he had the padlock around his testicles for two weeks.

The man said that a friend put the lock on while he was drunk and passed out. When he woke up, the friend was gone.

"Never in my 13 years have I seen anything like this," Cpl. H.D. Wood told the Herald.

The man told police that he tried to remove the lock with a hacksaw because the key had broken off in the lock.

He was taken to Exeter Hospital, where a locksmith removed the padlock. He was treated and released, and the hospital said he had no lasting injury.

Police said that they did not know the motive for the incident.

One More Last Tidbit from DefCon

The Shmoo Group's DefCon 13 presentation, "Shmoo-Fu", is available as PDF HERE.

While the presentation is interesting enough (prob should have been there), the sidebar/disclaimer for Law Enforcement Agents makes for just as interesting a read...

Tuesday, August 09, 2005

One Last DefCon Tidbit - Wireless Interception Distance Records

Don't believe wireless distance limitations. Again and again they're proven wrong.

At DefCon earlier this month, a group was able to set up an unamplified 802.11 network at a distance of 124.9 miles.

The record holders relied on more than just a pair of wireless laptops. The equipment required for the feat, according to the event website, included a "collection of homemade antennas, surplus 12 foot satellite dishes, home-welded support structures, scaffolds, ropes and computers".

Bad news for those of us who rely on physical distance to secure our wireless networks.

Even more important, the world record for communicating with a passive RFID device was set at 69 feet. (Pictures 69 here.) Remember that the next time someone tells you that it's impossible to read RFID identity cards at a distance.

Whenever you hear a manufacturer talk about a distance limitation for any wireless technology -- wireless LANs, RFID, Bluetooth, anything -- assume he's wrong. If he's not wrong today, he will be in a couple of years. Assume that someone who spends some money and effort building more sensitive technology can do much better, and that it will take less money and effort over the years. Technology always gets better; it never gets worse. If something is difficult and expensive now, it will get easier and cheaper in the future.

Monday, August 08, 2005

No Monad scripting in first Windows Vista

Just one day after the first public reports of viruses being written for an upcoming feature of Microsoft's Windows operating system, Microsoft has confirmed that it will not include the Monad Shell feature in the first generally available release of Microsoft Vista, expected in the second half of 2006.

The Monad Shell provides a way for users to access the operating system using text-based commands rather than the traditional Windows graphical user interface. In the past, Microsoft has said that Monad will be part of "Longhorn," the code name for both the next client and server versions of Windows.

In an interview Friday, Microsoft Director of Product Management Eric Berg said Monad will not be included in the first commercial version of Windows Vista, expected in the second half of 2006. But the product is expected to be included in Windows over the next "three to five years," he said. "Our intention is to synchronize it with both client and server operating systems."

Security experts had worried that if Monad were to be included in a widely used client, it might become an attractive target for hackers, especially if the shell were to be enabled by default.

Ray was worried about this...

Saturday, August 06, 2005

London Bombing Details

Interesting details about the bombs used in the 7/7 London bombings:

The NYPD officials said investigators believe the bombers used a peroxide-based explosive called HMDT, or hexamethylene triperoxide diamine. HMDT can be made using ordinary ingredients like hydrogen peroxide (hair bleach), citric acid (a common food preservative) and heat tablets (sometimes used by the military for cooking).

HMDT degrades at room temperature, so the bombers preserved it in a way that offered an early warning sign, said Michael Sheehan, deputy commissioner of counterterrorism at the nation's largest police department.

"In the flophouse where this was built in Leeds, they had commercial grade refrigerators to keep the materials cool," Sheehan said, describing the setup as "an indicator of a problem."

Among the other details cited by Sheehan:

The bombers transported the explosives in beverage coolers tucked in the backs of two cars to the outskirts of London.

Investigators believe the three bombs that exploded in the subway were detonated by cell phones that had alarms set to 8:50 a.m.

For those of you upset that the police divulged the recipe -- citric acid, hair bleach, and food heater tablets -- the details are already out there.

And here are some images of home-made explosives seized in the various raids after the bombings.

Normally this kind of information would be classified, but presumably the London (and U.S.) governments feel that the more people that know about this, the better. Anyone owning a commercial-grade refrigerator without a good reason should expect a knock on his door.

Remote-Controlled Humans

Now here is a way to secure/manage your staff...

NTT has demonstrated a remote-control system for people. The researchers outfit their subject with two electrodes behind the ears that "pull" her in one direction or another. As you can see in the video accompanying a Forbes article on the technology, the subject walks (and laughs) like she's just hammered.

Friday, August 05, 2005

2005 or 1984?

Cops can dig through your trash legally, says judge...

A Montana Supreme Court justice says it's within the law for police to sift through your garbage for incriminating stuff, even without a warrant or court approval. The Supreme Court of Montana ruled last month that police could conduct a warrantless "trash dive" into the trash cans in the alley behind the home of a man named Darrell Pelvit. The cops discovered pseudoephedrine boxes -- a solvent with uses including the manufacture of methamphetamine -- and Pelvit eventually ended up in prison.

Pelvit's attorney argued that his client had a reasonable expectation of privacy in his trash, but the court rejected the argument and said the trash was, well, meant to be thrown away.

What's remarkable is the concurring opinion of Montana Supreme Court Justice James C. Nelson, who reluctantly went along with his colleagues but warned that George Orwell's 1984 had arrived.

So dumpster diving is legal for everyone?

Wearable tech at Siggraph: Fridays are for Fun!

The fourth annual Cyberfashion show at SIGGRAPH took place this week in Los Angeles.

Wearable Environmental Information Networks of Japan, or WIN, showed several notable designs, including Report-the-World, a get-up designed for future stealth journalists. A retro trench coat hides 10 hidden cameras for capturing 360-degree panoramic images. The front pocket holds a small computer, a ring-embedded speaker transmits location-based audio instructions, and a head-mounted display is stylishly encrusted with Swarovski crystals, like an electric tiara.

WIN also demonstrated Dog @ Watch for children. The plushy-form device for the wrist hides a GPS sensor, a cell phone for voice-dialing parents and an alarm sensor to monitor the wearer's safety.

Kirsten McCall, a 9-year-old model, acknowledged the value of safety features to "protect against bad guy kidnappers," but was more excited about other potential features. "I'd like a jacket that has a TV on the sleeve, so I can watch shows all day -- but mostly, I want clothes that do my homework for me."


Thursday, August 04, 2005

Elevator Hack: Press Two Buttons at Once and Head Straight for the Lobby

Here’s a hack that will put most elevators in a hidden “Express” mode that bypasses all the floors and sends you right to the lobby. Love it!

“The designers of some elevators include a hidden feature that is very handy if you’re in a hurry or it’s a busy time in the building (like check-out time in a hotel). While some elevators require a key, others can be put into “Express” mode by pressing the “Door Close” and “Floor” buttons at the same time. This sweeps the car to the floor of your choice and avoids stops at any other floor. This seems to work on most elevators that I have tried!

“Most elevators have the option for this to work, but on some of them the option is turned off by whoever runs them. This is a rather fun hack, so the next time you are on an elevator, give it a try, you have nothing to lose.” Source: The Damnblog.com

Elevators that have been tested and worked on:
- Otis Elevators (all but the ones made in 1992)
- Dover (model numbers EL546 and ELOD862)
- Most Desert Elevators (all but model numbers ELD5433 and ELF3655)

Wednesday, August 03, 2005

More Lynn/Cisco Information

Jennifer Granick is Lynn's attorney, and she has blogged about what happened at BlackHat and DefCon. Photographs of and a .pdf of the slides Lynn actually used for his talk can be found here.

Sign of the Times? Better Wi-Fi than Wife! I always say...

UK Commissioner Wants 10-years for Refusing Access to Encrypted Data

Sir Ian Blair, Commissioner of the Metropolitan Police, will this week propose a 10-year mandatory minimum sentence for anyone refusing to provide police with details of how to access encrypted information on their computers.

Dozens of computers have been seized in the UK and Italy in the wake of the recent bombings. At present, police can hold suspects for a maximum of 14 days under terrorism legislation, often insufficient time to break into whatever information their computers may contain.

'A lot of the stuff that we have on computers is encrypted, and for that reason I am interested in creating an offence of refusing to reveal an encryption key,' Blair said. 'It has to be punishable by a term of at least 10 years.'

However, the civil rights group Liberty says the proposals are 'like suggesting that the police should be able to steam open your mail after you've put it in the post box'.

WiFi pistol shown at Defcon

Every year, smaller, more powerful processors come to market - hacker weaponry follows the same trend. Last year, the Shmoo Group and Flexilis demonstrated long-range WiFi and Bluetooth rifles, but this year, wireless weaponry becomes smaller, but much more powerful. The Shmoo Group, known for melding cool security gear into hardware, showed off their latest creation, a powerful 802.11 pistol, which can detect WiFi networks for miles.

The WiFi pistol consists of a Compaq iPaq PDA, a Compact Flash battery sleeve, a Senao wireless card, a 9 dB patch antenna, a rotary attenuator, a one watt amp and an external battery pack.

The electronics are mounted on a slingshot frame that has an integrated pistol grip. The PDA runs Wellenreiter, which is a network detection and auditing tool similar to NetStumbler or Kismet. With everything turned up full blast, the pistol can detect networks miles away. Beetle, a member of the Shmoo Group, says that the pistol usually detects 50-60 networks instantly.

The one watt amplifier, combined with the nine dB antenna and the power coming from the Senao card, produces an incredible amount of radiated energy. The rotary attenuator can reduce the power feeding the antenna, to prevent power swamping of close access points. Under normal usage, Beetle says that the pistol can last eight hours straight.

Tuesday, August 02, 2005

Phrack #63 (PHRACK FINAL) e-zine released!

Looks like Phrack #63 is available for download... From the introduction.txt file:

For 20 years PHRACK magazine has been the most technical, most original,
the most Hacker magazine in the world. The last five of those years have
been under the guidance of the current editorial team. Over that time, many
new techniques, new bugs and new attacks have been published in PHRACK. We
enjoyed every single moment working on the magazine.

The time is right for new blood, and a fresh phrackstaff.

PHRACK 63 marks the end of the line for some and the start of the line for
others. Our hearts will always be with PHRACK.

Expect a new release, under a new regime, sometime in 2006/2007.

As long as there is technology, there will be hackers. As long as there are
hackers, there will be PHRACK magazine. We look forward to the next 20 years.

Hacking Hotel Infrared Systems

From Wired:

A vulnerability in many hotel television infrared systems can allow a hacker to obtain guests' names and their room numbers from the billing system.

It can also let someone read the e-mail of guests who use web mail through the TV, putting business travelers at risk of corporate espionage. And it can allow an intruder to add or delete charges on a hotel guest's bill or watch pornographic films and other premium content on their hotel TV without paying for it....

"No one thinks about the security risks of infrared because they think it's used for minor things like garage doors and TV remotes," Laurie said. "But infrared uses really simple codes, and they don't put any kind of authentication (in it).... If the system was designed properly, I shouldn't be able to do what I can do."



Monday, August 01, 2005

An anonymous Internet communication system

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

Sunday, July 31, 2005

The Kegbot At DefCon 05


The annual hacker conference DefCon in Las Vegas this weekend has spawned some pretty innovative stuff, not the least of which is the Kegbot. DefCon attendee Phillip Torrone of Make Magazine writes:

One of the coolest projects I’ve seen so far at DEFCON was the kegbot, a linux based keg that dispenses beer as long as you have an iButton key. The system keeps track of who you are, how much you’re drinking and in team mode, where you rank. The Kegbot crew built and deployed a kegbot on site at DEFCON, we were lucky enough to get there and document the building of it!

More pics and instructions on building your own Kegbot at the Make Magazine web site.

Saturday, July 30, 2005

Microsoft "Genuine Advantage" cracked in 24 hours

This week Microsoft stopped providing updates to non-genuine versions of its Windows XP operating system. The company has switched over to a full launch of its Windows Genuine Advantage Program as part of its ongoing anti-piracy campaign.

Users will now have to join the WGA authentication program if they want to receive software updates from the Microsoft Download Centre or from Windows Update. However, MS says it will still provide security patches for pirated systems, which will be available via Automatic Updates in Windows.

Well, it was good while it lasted... The protection was cracked within 24 hours...

Before pressing 'Custom' or 'Express' buttons paste this text to the address bar and press enter:

javascript:void(window.g_sDisableWGACheck='all')

It turns off the trigger for the key check.

Gun Safety


A tale that snopes has verified of a DEA agent who’s caught on video accidentally shooting himself while lecturing on gun safety! He limps around, afterwards, and tries to turn it into some kind of object lesson.

Friday, July 29, 2005

Crap it's Friday Already!

Crap Cleaner may be a system cleaner but it has also removed browser hijacks when nothing else would. CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. But the best part is that it's fast (normally taking less than a second to run) and contains NO Spyware or Adware!

Cleans the following:

* Internet Explorer Cache, History, Cookies, Index.dat.
* Recycle Bin, Temporary files and Log files.
* Recently opened URLs and files.
* Third-party application temp files and recent file lists (MRUs).
Including: Firefox, Opera, Media Player, eMule, Kazaa, Google Toolbar, Netscape, Office XP, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and more...
* Advanced Registry scanner and cleaner to remove unused and old entries.
Including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons, Invalid Shortcuts and more... Backup for registry clean.

Thursday, July 28, 2005

Scandal at BlackHat?

Cisco Systems and ISS late Wednesday filed for an injunction against a former ISS researcher who exposed vulnerabilities in Cisco’s router operating system at the Black Hat conference (Caesars Palace, Las Vegas, July 23-28, 2005) earlier in the day.

Basically this adds a whole new twist to the router exploit field: remote code execution via buffer overflow. That in general has not existed in the Cisco world because no one had developed it. In the past most router vulnerabilities were denial of service vulnerabilities. See this CRN article for additional details on this event.

Also this year's Black Hat presentations are now online...

Wednesday, July 27, 2005

Border Security (Border XXX-ings)

Many of us here in the good old USA have gotten into the habit of thinking of Canada as our smarter cousin to the north: a society open to gay marriage, more relaxed attitudes towards (less harmful than alcohol) recreational drugs, health care that covers more people for less cost, etc. So when we find out that Canada can be a big old arrogant dolt like us, it's more shocking than it might otherwise be...

This week, The Smoking Gun got their hands on the "Admissible and Prohibited Titles" list from Canada's Border Patrol -- and, for some of us, (like one gp) it reads almost like a shopping list. (The document officially covers "obscenity, hate speech, and child pornography," but the only material listed is in the "obscenity" category.)

DefConTime

You still have time to head out - DefCon 13 will be held at the Alexis Park in Las Vegas, Nevada, July 29-31.

The folks at SANS have some Con-fu - good tips for protecting your system if you do go (or anytime for that matter).

Get there early and head over to the pre-DefCon Summit! The Summit is a fund raiser for the EFF, a nonprofit group of passionate people - lawyers, technologists, volunteers, and visionaries - working to protect your digital rights.

Woman Accused of Groping Airport Screener

Things that make you go hmmm...

A 62-year-old woman who was upset about being searched at an airport shoved a security screener and then grabbed her breasts, federal prosecutors said. The woman said she reacted in self-defense to "an absolute invasion of my body."

Dintenfass denied that she shoved Gostisha, but admitted putting her hands on the agent's breasts.

"I was mortified that I had done that," she said. "I was reacting to what felt like an absolute invasion of my body."

Tuesday, July 26, 2005

WiFi Cantennas now “illegal”

What is disturbing about this article are comments like:

Known as "cantennas," they consist of a Pringles can and some hardware worth $5 to $10 but can be used to amplify a wireless signal several miles away.

"They're unsophisticated but reliable, and it's illegal to possess them," said Lozito of the Hi-Tech Crimes Task Force.


also...

It's also illegal to access wireless networks that aren't public. In other words, if you've ever been pleasantly surprised to open your laptop, pull up your browser and have Internet access, that likely means you've just intruded into someone else's unsecured network -- and really aren't allowed to be there.

How do articles like this get published?

For a more intelligent view - CNet's News.com has one of its excellent FAQ pieces on whether it's legal to mooch WiFi. The bottom line: Uh, we dunno.

Monday, July 25, 2005

Russia’s Biggest Spammer Brutally Murdered in Apartment

Who said SPAM wasn't dangerous...

Vardan Kushnir, notorious for sending spam to each and every citizen of Russia who appeared to have an e-mail, was found dead in his Moscow apartment on Sunday, Interfax reported Monday. He died after suffering repeated blows to the head.

Currently the entire Russian population is being considered a suspect. ;)

Build Your Own Wardriving Box

Our friends at wardriving.ch did an amazing job in building an embedded PC based wardriving box. See the full article for instructions on where to get the materials and how to build the software distribution.

Saturday, July 23, 2005

Congress Report: TSA Broke Privacy Laws

The Transportation Security Administration violated privacy protections by secretly collecting personal information on at least 250,000 people, congressional investigators said Friday.

The Government Accountability Office sent a letter to Congress saying the collection violated the Privacy Act, which prohibits the government from compiling information on people without their knowledge.

From the article: The GAO letter said that the TSA also said originally that it wouldn't use and store commercial data about airline passengers. It not only did that, it collected and stored information about the people with similar names.

"As a result, an unknown number of individuals whose personal information was collected were not notified as to how they might access or amend their personal data," the letter said.

It was only after meeting with the GAO, which is overseeing the program, that the TSA published a second notice indicating that it would do the things it had earlier said it wouldn't do.

Oberman said it's not unusual to revise such notices.

"We are conducting a test," he said. "I didn't know what the permutations would be."

Oberman also said that the test has no impact on anyone who travels and that the data will be destroyed when the test is over.

Anybody want to guess when the test will be over?

Friday, July 22, 2005

It's Friday.... Time for the Straight Poop

Big Brother? The rest of the family is lurking online

A lesson for London? Drop a bomb on the subway in Korea and they nab you quick!

If you no longer marvel at the Internet's power to connect and transform the world, you need to hear the story of a woman known to many around the globe as, loosely translated, Dog Poop Girl.

Recently, the woman was on the subway in her native South Korea when her dog decided that this was a good place to do its business.

The woman made no move to clean up the mess, and several fellow travelers got agitated. The woman allegedly grew belligerent in response.

What happened next was a remarkable show of Internet force, and a peek into an unsettling corner of the future.

One of the train riders took pictures of the incident with a camera phone and posted them on a popular Web site. Net dwellers soon began to call her by the unflattering nickname, and issued a call to arms for more information about her.

According to one blog that has covered the story, "within days, her identity and her past were revealed. Requests for information about her parents and relatives started popping up, and people started to recognize her by the dog and the bag she was carrying," because her face was partially obscured by her hair.

Online discussion groups crackled with chatter about every shred of the woman's life that could be found, and with debate over whether the Internet mob had gone too far. The incident became national news in South Korea and even was discussed in Sunday sermons in Korean churches in the Washington area.

Humiliated in public and indelibly marked, the woman reportedly quit her university.

Thursday, July 21, 2005

Japanese Bank Hypes ATM “Slot Machine”

A Japanese bank is offering automatic tellers with a built-in slot machine to jazz up the “boring” experience of withdrawing money from a hole in the wall. Customers who get the words “Super Gold” three times in a line will win about £5, but can only collect the winnings from inside the bank during working hours.

Judging its customers to be financially astute, the bank will inform cash-machine users what odds are on offer. The chances of having a transaction fee waived are about 1 in 10, and the odds of hitting the 1,000 yen jackpot are 1 in 500.

Since the adoption rate for Online Banking has historically mirrored that of ATMs.... Can games at your favorite online banking site be far behind?


So Long Mr. Scott

James Doohan led a varied and eventful life. So much so that his biography "Beam Me Up Scotty!" is a very interesting read. Did you know that Scotty's middle name Montgomery actually comes from Jimmy Doohan's grandfather, a Scottish sea captain by the name of James Montgomery? Jimmy would also seem to have taken after him, in that his mother was born when his grandfather was over seventy! Jimmy and his wife Wende were blessed with their youngest child when he was eighty.

On Wednesday 7/20 Doohan died at his home in Redmond, Wash., with his wife of 31 years, Wende, at his side. He had retired from public events last year, not long after announcing he had Alzheimer's disease.

Houston-based Space Services Inc., which specializes in space memorials, plans to send a few grams of Doohan's ashes aboard a rocket later this year. The remains, which will be sealed in an aluminum capsule, will eventually burn up when they re-enter Earth's atmosphere.

Wednesday, July 20, 2005

More Flash Demos of Hacks from WHAX

http://eks0.free.fr/whax-demos/

Also, here are some other demos including one using Whoppix/WHAX on WEP.

Tuesday, July 19, 2005

Event Log Explorer 1.2

Event Log Explorer allows administrators to view, monitor and analyze events recorded in the Security, System, Application and other logs. The program extends the features of the standard event log viewer by offering detailed filtering capabilities that allow you to view events by category, event ID, event type, user, as well as by date or keyword match. Event Log Explorer can also export your events as an HTML or printable text report.

And it is freeware...

Causes of Suicide Terrorism

Here's a very fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980.

Monday, July 18, 2005

Financial Security or Things Obaid Hasn't Told You

Deficit Falls

The projected federal budget deficit has decreased by nearly $100 billion thanks to unexpected increases in tax payments. Rising corporate profits, up 40 percent over 2004, provided most of the extra money.

Gas

Does the average price of a gallon of gas at $2.328 have you in the dumps? You should know this - we are still better off than we were in March 1981, when the real cost of fuel hit its all-time high. Back then a gallon cost $1.417, the equivalent of $3.107 a gallon today in inflation-adjusted dollars!
SUVs rock!

Unemployment Hits Four-Year Low

Unemployment in June fell to 5%, the lowest level in nearly four years. The drop of 224,000 was the greatest monthly decline in more than a decade.

Saturday, July 16, 2005

Finger Scanning At Disney Parks Causes Concern

The addition of finger scanning technology at the entrances of Walt Disney World theme parks for all visitors has caused concern among privacy advocates.

"Disney World is now requiring all visitors to have their index and middle fingers scanned to gain entrance to the park. This started for season pass holders, but is now required for everyone."

From the article: "'I think it's a step in the wrong direction,' Civil Liberties Union spokesman George Crossley said. 'I think it is a step toward collection of personal information on people regardless of what Disney says.'"

Disney always gave me the willies... This just adds to it. GP, just think of the germs!

Friday, July 15, 2005

The System Administrator Song

System administrators the world over, rejoice! A song has been sung in your honor. Wes from Three Dead Trolls is at it again with The System Administrator Song. Are you a sysadmin yourself, and/or do you annoy one on a regular basis?

Note: Just because you might have an Administrator account on your system does not necessarily make you a system administrator...

There's a guy who works in another room, or on another floor; He's the one you call, when your document ain't there no more; he's probably a boy, but he might be a girl, or something in between; he's the only one in the office who knows what 'PC Load Letter' means. He's your system administrator; he's probably into comic books; and you tremble in fear when you have to hear one of his 'what a dummy' looks.

Don't forget upcoming System Administrator Appreciation Day!

Fridays are for Fun - DIY Home Projector

Have $200-800 sitting around and some time for tinkering? InventGeek has a project suitable for the novice user. Now you can build your very own LCD projector...

Thursday, July 14, 2005

Domain Name Hijacking: Incidents, Threats, Risks, and Remedial Actions

In a 48-page report, ICANN's Security and Stability Advisory Committee has outlined several famous and recent thefts of websites, including Panix.com, Hushmail.com and HZ.com, and listed where the system went wrong and what can be done to correct the flaws. It has made 10 findings and, in response, 10 recommendations for how the internet industry and consumers themselves can make sure that people don't steal their online property.

Most of the bad guys still aren't that smart (that's the good news)

Taiwan snares "evil dragon" criminal via online game

Taiwan police captured a heavily armed fugitive whom they had been tracking for more than a year on Wednesday after he exposed his whereabouts by playing online computer games. Taiwan evening newspapers said Chang Hsi-ming, wanted for murder, illegal possession of weapons and multiple kidnappings, was found via his Internet protocol address after police found out he often played games online. The head of Taiwan's Criminal Investigation Bureau personally led the siege against Chang's hideout in central Taiwan, with more than 130 police and two armoured vehicles as he was known to be armed with assault rifles and hand grenades.

Illinois Police Arrest Man Who Said He Was Driving To D.C. With Explosives

Terry Daniel, 44, of Cedar Rapids, Iowa, used the words ''bomb,'' ''explosive,'' ''Washington, D.C.'' and ''president,'' over a CB radio around 3 a.m. Wednesday 7/13 while driving eastbound on Interstate 80, Princeton police chief Tom Root told the (LaSalle) NewsTribune.

After hearing his comments, truck drivers alerted the authorities.

Police took the man into custody at a service station off I-80 in this central Illinois town, about 100 miles southwest of Chicago, when Daniel apparently stopped for gas. A search of the van turned up containers and other materials that lent credence to his threat, Root said.

''There were some maps, documents and other things that led us to believe that he was headed in that direction and that location,'' he said.

Wednesday, July 13, 2005

KCPenTrix ver 1.0 released today

Lots of SLAX activity in the last few days...

KCPentrix is a new liveCD designed to be a standalone penetration testing toolkit for pentesters and security analysts. KCPenTrix is based on SLAX, a Slackware live CD, and on Gentoo, Auditor and Whoppix.

Tuesday, July 12, 2005

Whoppix is DEAD - Long live WHAX!

WHAX is the natural evolution of Whoppix - a live CD, standalone penetration testing toolkit. There are some major new features in WHAX which add huge functionality compared to Whoppix, and may change the way we use live distributions.

The big change is that WHAX is no longer based on Knoppix, but on SLAX, a Slackware live CD. One of the main reasons for this change is the wonderful world of modularity which SLAX uses.

This modularity means that versions of WHAX can be easily customized to include whichever modules we like. All the tools have been compiled into "WHAX Modules" which can be easily added or removed, depending on your needs.

hackergames.net!

Someplace for George to play when he is done at my house. Within you'll find a comprehensive list of hacking and security related challenges, hackits, wargames, tools, and tutorials, along with user reviews.

Monday, July 11, 2005

Phrack Magazine says Goodbye (for now)

Phrack is an online news service for hackers that has been in business for over 20 years, starting initially as a dial-up bulletin board before moving to the web.

The magazine offered insight into all types of hacking, including hijacking wireless base stations in later editions.

The website does note: "We are preparing for a hardcover and ezine release at a major hacker convention near you!". So maybe we have not heard the last from Phrack.

Saturday, July 09, 2005

Internet chatroom helps keep City of London open

Does your business resumption plan have any out-of-band mechanisms in case some of your major systems fail? Even something as simple as a published e-mail address not hosted on your own systems may be useful. Perhaps a Jabber server, or an IRC chat room somewhere?

A secret Internet chatroom run by Britain's financial regulators helped keep London's financial markets open after Thursday's bomb blasts, while financial firms activated security measures in case of further attacks.

A Bank of England spokeswoman said this was the first time the secure site had been used in an actual crisis situation since its creation in the wake of the Sept. 11, 2001 attacks on the World Trade Center in New York.

Friday, July 08, 2005

Fridays are so so special!

This weekend - spend some quality time searching for old pals, watch a little TV, make sure you are up-to-date with all your Microsoft patches via Firefox (yes, it can be done), and for when you are all done, here's a bar of vibrating soap.

Thursday, July 07, 2005

London Rocked by Four Blasts

An organized Flickr photo collection of London's terrorist attack on July 7, 2005.

Take a moment and send them some goodwill in whatever fashion you see fit... even if you're not one of the persons wondering if friends, coworkers or family are among the lost or injured.

My Mom would probably suggest prayers...

Turn Yourself into a Walking Hotspot

How-to article on turning yourself into a walking hotspot by using a mobile power source and a cellular-to-Wi-Fi gateway.

The Voltaic Systems backpack makes a great platform to build from due to all of the internal wiring and myriad power adapters included in the kit. The Junxion Box is a simple, clean appliance to handle the Wi-Fi to Cellular interface.

The Junxion Box requires a 12 volt power source. So, natch, a lead-acid battery would feed it the juice it needs. Starting with a 1.2 Amp-hour battery will let the whole kit run a few hours. (The Box draws between 200 mA and 500 mA of current while active.) Adding a bigger battery will lengthen your run time. Solar adds a bit of extra runtime and will keep your battery topped off when the system isn't running.

The full article gives step-by-step and a parts list for you to make your own.

Wednesday, July 06, 2005

Browser Identification For Web Applications

Browser Identification is not a new concept. With the focus having shifted to desktops from networks and servers, a topic such as remote browser identification needs to be revisited.

Browsers identify themselves to web servers in the USER_AGENT header field that is contained in requests sent to the server. Almost every release of browsers contains sloppy code that allows malicious servers or attackers to compromise user privacy and security.

This paper outlines techniques that allow users to determine client browser types remotely.

Download the paper in PDF format here.

Tuesday, July 05, 2005

In the stolen-data trade, Moscow is the Wild East

The most expensive wares in Moscow's software markets, the items that some Russians are calling a threat to their personal safety, aren't on public display.

It takes less than 15 minutes to find them, however, at the teeming Gorbushka market, a jumble of kiosks selling DVDs, CD-ROMs and an array of gadgetry in an old factory west of downtown.

One question -- Where can we buy databases of private information? -- and the young man selling rip-off copies of Hollywood movies leaps to his feet. He leads the customers to another vendor, who wears a bull's head on his belt buckle. This second man listens to the request, opens his cellphone, and punches a speed-dial number.

Moments later, a third vendor appears. He is jovial and blunt about his trade.

"What do you need?" he says. "We have everything."

Monday, July 04, 2005

Pop-up Smut Tops Spyware Chart

A strain of spyware that displays pornographic pop-ups has retained its place as the top spyware nuisance on the net last month. ISTbar was responsible for 3.5 per cent of infections detected by Panda Software's free online malware scanner, more than any other spyware or adware application.

ISTbar, which poses as an ActiveX control, acts as an entry-point for other malware, adware and dialers. It also displays pornographic pop-ups, installs a toolbar and changes the home page of browsers on infested PCs.

Cydoor, an adware program that downloads advertisements from a server and displays them on PCs, made runner-up spot on Panda's June list of spyware nasties as nabbed by Panda's ActiveScan service, which was recently upgraded to add spyware detection alongside its existing virus busting features. Panda's June spyware chart features only one new entry, an adware package called MarketScore.

Spyware refers to a class of invasive program that generates pop-ups, hijacks user home pages or redirects searches in an attempt to either monitor user activity or bombard surfers with unwanted messages. It's a fast growing category that is beginning to eclipse more clear-cut malware - such as computer viruses - in economic impact if not in prevalence.

Top spyware threats, as compiled by Panda Software

1. ISTbar
2. Cydoor
3. New.net
4. XXXToolbar
5. Dyfuca
6. BetterInet
7. Petro-Line
8. Altnet
9. BargainBuddy
10. MarketScore

Sunday, July 03, 2005

Critical Information for the Traveling Public

Taking a trip this summer? Before you hop on that plane, you might want to check the latest info at AirSafe.com.

Real Homeland Security

Headed to that neighborhood BBQ or fireworks for the 4th... Check to see who might be back at your house going through your underwear drawer.

Friday, July 01, 2005

Security Skins - Better than Passmark?

Much has been written about the insecurity of passwords. Aside from being guessable, people are regularly tricked into providing their passwords to rogue servers because they can't distinguish spoofed windows and webpages from legitimate ones.

Here's a clever scheme by Rachna Dhamija and Doug Tygar at the University of California Berkeley that tries to deal with the problem. It's called "Dynamic Security Skins," and it's a pair of protocols that augment passwords.

First, the authors propose creating a trusted window in the browser dedicated to username and password entry. The user chooses a photographic image (or is assigned a random image), which is overlaid across the window and text entry boxes. If the window displays the user's personal image, it is safe for the user to enter his password.

Second, to prove its identity, the server generates a unique abstract image for each user and each transaction. This image is used to create a "skin" that automatically customizes the browser window or the user interface elements in the content of a webpage. The user's browser can independently reach the same image that it expects to receive from the server. To verify the server, the user only has to visually verify that the images match.
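The server-verification half of the scheme, as an added example that is not the authors' code: both sides derive the per-transaction "skin" from a value only they share, so a server that lacks it cannot draw a matching picture. It assumes an HMAC over a pre-shared session secret in place of the paper's SRP exchange, and an 8x8 two-colour grid in place of its Random Art renderer; the user's visual comparison is modelled as an equality test.

```python
import hashlib
import hmac

# Added example, not the authors' code. Dynamic Security Skins derives the
# shared value with SRP and draws it with Random Art; here an HMAC over a
# pre-shared session secret stands in for SRP (assumption) and an 8x8
# two-colour grid stands in for Random Art (assumption). The protocol shape,
# "both sides compute the same image, the user compares", is unchanged.

GRID = 8  # the "abstract image" is an 8x8 grid, one bit per cell


def skin_material(shared_secret: bytes, transaction_id: str) -> bytes:
    """Per-user, per-transaction image material.

    Both the legitimate server and the user's browser hold shared_secret after
    authentication, so both can compute this; a spoofed server cannot."""
    return hmac.new(shared_secret, transaction_id.encode(), hashlib.sha256).digest()


def render_skin(material: bytes) -> list:
    """Render the first 64 derived bits as an 8x8 grid of '#' and '.' cells.

    Deterministic: identical material yields an identical picture, which is
    what lets the browser predict the image the genuine server will show."""
    bits = int.from_bytes(material[:GRID], "big")  # 8 bytes -> 64 bits
    rows = []
    for r in range(GRID):
        row = "".join("#" if (bits >> (r * GRID + c)) & 1 else "." for c in range(GRID))
        rows.append(row)
    return rows


class Server:
    """A web server that customises each response with the user's skin."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def respond(self, transaction_id: str) -> dict:
        skin = render_skin(skin_material(self.shared_secret, transaction_id))
        return {"txn": transaction_id, "skin": skin}


class Browser:
    """The user's browser: computes the expected skin independently."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def expected_skin(self, transaction_id: str) -> list:
        return render_skin(skin_material(self.shared_secret, transaction_id))

    def server_is_genuine(self, response: dict) -> bool:
        # In the real scheme the user compares the two pictures by eye; the
        # equality test here stands in for that visual check.
        return self.expected_skin(response["txn"]) == response["skin"]


def run_demo() -> dict:
    """Genuine server vs. a phishing server that lacks the shared secret."""
    # Constructed values: a session secret established at login and a txn id.
    secret = b"session-secret-established-at-login"
    txn = "transfer:acct=12345678:amount=250.00:nonce=0001"

    browser = Browser(secret)
    genuine = Server(secret)
    phisher = Server(b"phisher-has-no-shared-secret")

    return {
        "genuine_ok": browser.server_is_genuine(genuine.respond(txn)),
        "phisher_ok": browser.server_is_genuine(phisher.respond(txn)),
        # the same transaction must always draw the same picture
        "stable": genuine.respond(txn)["skin"] == genuine.respond(txn)["skin"],
        # a different transaction draws a different picture, so a captured
        # skin cannot be replayed against another transaction
        "per_txn": genuine.respond(txn)["skin"] != genuine.respond(txn + ":replayed")["skin"],
    }


if __name__ == "__main__":
    result = run_demo()
    secret = b"session-secret-established-at-login"
    for row in Browser(secret).expected_skin("transfer:acct=12345678:amount=250.00:nonce=0001"):
        print(row)
    print(result)
```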

Friday Already? Time for Golf!

Having ball control issues? This should help secure a win!

LucidLink Releases Demo Chronicling Wi-Fi Hacker Attack

To truly understand a criminal, you have to get inside his mind and think as he does. Follow his steps. See what he sees. LucidLink Wireless Security has done just that, creating a Flash demonstration that chronicles the steps hackers follow while tapping into wireless networks to gain access to confidential information. In an attempt to raise awareness about the security implications of unsecured wireless networking, LucidLink has recently added the demonstration to its website.

The demonstration takes viewers through a step-by-step explanation of a hacker's activities, explaining how war drivers find wireless networks, gather information about them, and eventually infiltrate them in order to gain access to personal identity and company confidential information. The demonstration uses screen shots captured from freely available hacker programs so that viewers can see what hackers see as they click their way closer to breaking into even secured wireless networks.

Thursday, June 30, 2005

Poop in the News

Man Arrested For Allegedly Hiding In Women's Toilet

Truth really was stranger than fiction in New Hampshire where a man was arrested for allegedly being inside a women's room toilet.

Summer vacationers were disgusted when a man was discovered hiding inside a toilet in the women's room at a rest stop along the Kancamagus Highway near Carroll City. Police said he was in the waste tank beneath a log cabin restroom.

Authorities said Gary Moody, 45, of Gardiner, Maine, somehow got inside a toilet in the women's restroom and stayed there undetected as women used the restroom until a young girl detected him. The teen apparently walked into the restroom and looked down into the toilet and saw Moody looking back up at her.

Police were called in to flush him out.

"It's a very filthy environment and before we put anybody in contact with him we wanted to decontaminate him. We treated him exactly like he was hazardous material," Capt. John Hebert of the Carroll City Sheriff's Department said. "I started in this business in 1980 and I have never in my career encountered anybody in this type of a situation."

Moody was charged with criminal trespassing in and was freed on bail. A court date of July 19 was scheduled in North Conway.

How to Deal with Pushy Security Vendors

Columnist Demetrios Lazarikos is losing patience with security vendors that are all hype and no substance. He offers a few tips on finding the right vendor for your company.

Wednesday, June 29, 2005

What if Operating Systems Were Airlines?

Kind of an airline theme of late... What traveling would be like if compared to using an operating system.

Tuesday, June 28, 2005

Interview with Marcus Ranum

There's some good stuff in this interview.

There's enough blame for everyone.

Blame the users who don't secure their systems and applications.

Blame the vendors who write and distribute insecure shovel-ware.

Blame the sleazebags who make their living infecting innocent people with spyware, or sending spam.

Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations.

Blame the IT managers who overrule their security practitioners' advice and put their systems at risk in the interest of convenience. Etc.

Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and [the] right to privacy.

Sunday, June 26, 2005

Inside or Outside? Or How Many Warren Lunches Would it Take...

Internal security breaches at the world's banks are growing faster than external attacks, as institutions invest in technology, instead of employee training.

According to the 2005 Global Security Survey, published by Deloitte Touche Tohmatsu, 35 per cent of respondents said that they had encountered attacks from inside their organization within the last 12 months, up from 14 per cent in 2004. In contrast, only 26 per cent confirmed external attacks, compared to 23 per cent in 2004.

The report, which surveyed senior security officers from the world's top 100 financial institutions, found that incidences of phishing and pharming, two online scams which exploit human behavior, are growing rapidly. These scams use bogus e-mails and websites to persuade people to reveal confidential information to hackers and fraudsters. "Completely malicious internal security threats are less likely than those caused through lack of training," said Gerry Fitzpatrick, enterprise risk services partner at Deloitte in Dublin, speaking to ElectricNews.net. "People need to understand how to classify data and treat it in a secure way."

Who Ordered the Curry on Wheat?

An undercover reporter was able to buy the details of thousands of UK bank accounts, password particulars and credit card numbers from crooked call centre workers in India, The Sun reports.

Saturday, June 25, 2005

Airport Security

Note: If you want to pass through airport security faster - select a one-way ticket... Then, you get to go through the "very special" screening. BTW I don't think he was using just the back of his hand...

"Here is a story from Slate on how the current flavor of airport security is pointless, and if anything, actually increases risks - check it out."

Patriotic Ashes

Click here for the PODCAST (2mb MP3) of this post.

A constitutional amendment to ban the desecration of the U.S. flag moved closer to reality Wednesday 6/22 when the House of Representatives passed it 286-130. While this isn’t the first time this has happened, I’m still concerned by the notion of such a bill making it out of the Senate.

Here’s a quick blurb from the USA Today article:

The amendment reads, "The Congress shall have power to prohibit the physical desecration of the flag of the United States." Supporters say the flag should be protected because it symbolizes the freedoms many have died to defend. Flag burning "is a challenge to the institution that defends liberty," Rep. Phil Gingrey, R-Ga., said. "Our flag deserves to be respected and protected because it is more than just star-studded fabric."

Source: kevin pereira dot com

Friday, June 24, 2005

The Adaptability of Iraqi Insurgents

This Newsweek article on the insurgents in Iraq includes an interesting paragraph on how they adapt to American military defenses.

Counterinsurgency experts are alarmed by how fast the other side's tactics can evolve. A particularly worrisome case is the ongoing arms race over improvised explosive devices. The first IEDs were triggered by wires and batteries; insurgents waited on the roadside and detonated the primitive devices when Americans drove past. After a while, U.S. troops got good at spotting and killing the triggermen when bombs went off. That led the insurgents to replace their wires with radio signals. The Pentagon, at frantic speed and high cost, equipped its forces with jammers to block those signals, accomplishing the task this spring. The insurgents adapted swiftly by sending a continuous radio signal to the IED; when the signal stops or is jammed, the bomb explodes. The solution? Track the signal and make sure it continues. Problem: the signal is encrypted. Now the Americans are grappling with the task of cracking the encryption on the fly and mimicking it—so far, without success. Still, IED casualties have dropped, since U.S. troops can break the signal and trigger the device before a convoy passes. That's the good news. The bad news is what the new triggering system says about the insurgents' technical abilities.

The CIA is worried that Iraq is becoming a far more effective breeding ground for terrorists than Afghanistan ever was, because they get real-world experience with urban terrorist-style combat.

Tuesday, June 21, 2005

Deleting Stubborn Files

Do you have stubborn malware infecting your machine? This article offers advice on how to manually delete it without taking the reformatting route.

Monday, June 20, 2005

Airport Xrays Render You Naked!

After spending lots of time at the airport lately... Is an invasive pat-down a bad thing?

President Bush's proposed $2.57 trillion federal budget for Fiscal Year 2006 greatly increases the amount of money spent on surveillance technology and programs while cutting about 150 programs, most of them from the Department of Education. EPIC's "Spotlight on Surveillance" project scrutinized these surveillance programs.

Airport security has undergone significant changes since the terrorist attacks of Sept. 11, 2001. Recently, the Transportation Security Administration (TSA) announced a proposal to purchase and deploy "backscatter" X-ray machines to search air travelers at select airports. TSA said it believes that use of the machines is less invasive than pat-down searches. However, these machines, which show detailed images of a person's naked body, are equivalent to a "virtual strip search" for all air travelers. This proposal, along with the agency's controversial plan to profile air travelers, shows extraordinary disregard for the privacy rights of air travelers. The Department of Homeland Security is requesting $72 million to invest in detection systems, which includes funding for the backscatter machines, which cost between $100,000 and $200,000 each.

Read the rest at http://www.epic.org/privacy/surveillance/spotlight/0605.html, including pictures this technology produces....

Sunday, June 19, 2005

Happy Fathers Day

Words of Wisdom:

Never Say Never...

Saturday, June 18, 2005

Another G-Map Hack

Yet another Google Maps hack has been unleashed upon the unwashed masses. gCensus offers United States Census information merged with Google's powerful mapping tool. The result? Population density and other data sets accurate to a city block!

This is an impressive little hack built with XML, XSLT, CSS, AJAX and the kitchen sink (for good measure).

Friday, June 17, 2005

(IN)SECURE Magazine Issue 2 is out - free download

Source: Insecure Magazine

(IN)SECURE Magazine is a freely available, freely distributable digital security magazine in PDF format. Issue 2 brings topics such as: "Information security in campus and open environments", "Advanced PHP security - vulnerability containment" and "Clear cut cryptography". Get your copy today!

Thursday, June 16, 2005

Picking Physicists' Locks

From Scientific American:

Measured to be equal to 1/137.03599976, or approximately 1/137, [the fine-structure constant] has endowed the number 137 with a legendary status among physicists (it usually opens the combination locks on their briefcases).

So now you know, too.

Wednesday, June 15, 2005

Take this Job and...

Stress? What stress?

According to the 2005 Stress of Security Survey, 25% of IT decision-makers surveyed reported that protecting their company against malicious Internet security threats, such as viruses or spyware, is more stressful than a minor car accident. 13% stated that it is more stressful than starting a new job.

Furthermore, when asked about security breaches and the effects on their employment status, 45% of IT decision-makers surveyed believed that lost or stolen intellectual property as a result of an Internet security breach could put their job on the line.

Tuesday, June 14, 2005

Sysadmins Urged to Stop Child Abuse Downloaders

Karen should be so happy...

Sysadmins are urged to stop staff who download child pornography at work under a campaign due to host a free half-day conference in London on Wednesday (15 June). The 'Wipe it Out' event, backed by the Home Office and organised by the Internet Watch Foundation, aims to address the "practical, legal, ethical and corporate social responsibility" issues around the subject. Junior Home Office Minister Paul Goggins and various net security experts and lawyers are due to speak at the event.

The Sexual Offences Act 2003, which became law in May last year, changes the responsibilities and conditions for dealing with indecent images of children which might be found on corporate networks. The Act introduces a limited defence for making copies of child abuse images in order to stop offences, such as the distribution of these images, taking place.

Monday, June 13, 2005

Ice Cream Lock

Security isn't always about criminals and terrorists. Sometimes it's about your roommates or your co-workers. Here's a lock you can fit over your pint of ice cream so no one else eats it. Of course they can cut a hole through the packaging, but that's not the kind of criminal we're worried about here.

Now if we could just get one to fit Matt's soup cans...

Sunday, June 12, 2005

A Computer Geek's History of the Internet

In case you didn't know and/or a couple of things Al Gore forgot to tell you...

Saturday, June 11, 2005

WHAT THE HACK

Still time to get your tickets!

Every campsite should have this - Will there be network connectivity?

Yes. RJ-45 jacks are at least every 100 meters at the edges of most fields. You may want to bring that nice Ethernet switch you have lying around, as well as some large lengths of CAT5 cable. Hookups will be 100 Mbps, our DHCP server will pass out world-reachable IP addresses, and there will be enough Internet bandwidth for all to share.

What The Hack is an outdoor hacker conference/event taking place on a large event-campground in the south of The Netherlands from 28 until 31 July 2005.

Events like What The Hack take place every four years, and originate from a group of people that was originally centered around a small hacker magazine called Hack-Tic. The magazine's last issue was published in 1993, but for reasons unknown the events have so far refused to die. 1989 featured the Galactic Hacker Party, then in 1993 we saw Hacking at the End of the Universe, followed in 1997 by Hacking In Progress, and in 2001 there was Hackers At Large.

Friday, June 10, 2005

Pornography blamed for 52% of fraud cases between 2001 and 2004

Downloading porn from the internet is behind most cases of IT fraud and abuse by public sector workers, according to a just published survey.

Watchdog the Audit Commission discovered that 52% of identified cases of fraud or abuse between 2001 and last year were due to staff accessing pornography or other "inappropriate material" while at work. This was a 13% increase since the commission's last IT fraud and abuse survey four years ago. The increased need for internet access for public sector workers and the increase in access to website pornography made it difficult for organisations to control staff logging on to inappropriate sites, said the report, An Update on ICT Fraud and Abuse 2004.

Thursday, June 09, 2005

5 Most Over-hyped Security Threats

Gartner, Inc. analysts identified five of the most over-hyped security threats during the three-day Gartner IT Security Summit taking place here in Washington DC this week.

While I can agree with the overspending related to SOX, I don't necessarily agree with the complete list. While many technologies on the list can be implemented securely, that doesn't mean that they are secure by default (most are not). If over-hyped = heightened awareness, then let's all get hyper...

Gartner's five most over-hyped security threats are:
  • Internet Protocol (IP) telephony is unsafe
  • Mobile malware will cause widespread damage
  • "Warhol Worms" will make the Internet unreliable for business traffic and virtual private networks (VPNs)
  • Regulatory compliance equals security
  • Wireless hot spots are unsafe

Wednesday, June 08, 2005

WEP Crack Part III – Securing your WLAN

WEP Crack Part 1 and Part 2 demonstrated that WEP cracking is easier than you may have thought. Switching gears, this last part of the WEP Crack How To will show you how to take a common sense approach to protecting your wireless networks.

Tuesday, June 07, 2005

Has it become cool to report a compromise?

It is not clear to me anymore that corporations are concerned at all about being in the news for security compromises (name the last five compromised companies that hit the news - how did it affect your impression of them? how did it affect their stock price? how did it affect the potential for future earnings?).

So I ask... Has it become cool to report a compromise?

Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau -- the biggest breach of customer or employee data reported so far.

Citigroup, the nation's biggest financial services company, said that UPS lost the tapes while shipping them to a credit bureau in Texas.

The tapes covered CitiFinancial customers and about 50,000 customers with closed accounts from CitiFinancial Retail Services. Customers of CitiFinancial's auto and mortgage businesses were not affected.

Monday, June 06, 2005

On the Police Beat...

Missouri Police: Officer Got Burger Laced With Meth

And you were worried about the doughnuts... An officer's Christmas Quarter Pounder with Cheese tasted a little funny, and for good reason: It was laced with methamphetamine.

The incident happened in December in Desloge, Mo., about 50 miles southwest of St. Louis, but was not made public until this past Friday.

''He thought it tasted kind of funny so he looked at the burger,'' Bullock said. ''It looked like it had a foreign substance on it.''

The burger was sent to the Missouri Highway Patrol crime lab for testing and tested positive for meth.

Who knew? - Missouri is among the nation's hardest-hit states in terms of meth production and arrests. Police in Desloge and the surrounding counties make hundreds of meth arrests every year.

South Carolina Police Officer Pulls Over His Stolen Car

An off-duty Charleston, SC police officer on a Sunday drive in his police cruiser saw something awfully familiar - his recently stolen Volkswagen Jetta.

After passing his car on Limehouse Bridge shortly after 1 p.m. Sunday 6/5, North Charleston patrolman Ethan Bernardi whipped his cruiser around and pulled over the stolen vehicle. He called other deputies, who took possession of the car and arrested three suspects, Charleston County Sheriff's Capt. Dana Valentine said.

Sunday, June 05, 2005

Robot can hit 300-km pitch, theoretically

Once it can run... We are getting one for the softball team!

A Hiroshima University researcher has developed a robot theoretically capable of hitting a baseball traveling as fast as 300 kilometers per hour by instantly analyzing its path using images captured with precision cameras.

Idaku Ishii, 35, an associate professor at the university's Graduate School of Engineering, said he plans to exhibit the robot at the Prototype Robot Exhibition opening next Thursday as part of the ongoing 2005 World Exposition in Aichi Prefecture.

Saturday, June 04, 2005

Morpheus Is Dead

Monolith Productions, keeping its promise to make it worthwhile to play The Matrix Online, has gone and done the unthinkable. They went and killed off Morpheus, the main sage in the Matrix and the captain of the human hovership Nebuchadnezzar. Not only is Morpheus dead in The Matrix Online, but he is also now dead in all the future works set in the Matrix Universe after the trilogy. This is because anything that happens in Matrix Online is canon and automatically becomes part of the Matrix universe.

Friday, June 03, 2005

Has Ransomware Learned from Cryptovirology?

The next malware attack that involves holding data for ransom might not be a Trojan that affects a small number of users. The next attack might be a real cryptovirus or cryptoworm that holds the data of tens or even hundreds of thousands of users for ransom. What will people do then?

Thursday, June 02, 2005

cryptome eyeball series

Not new, but if you have never made a visit and/or haven't been back for a bit this can be an interesting site...

The Eyeballing project was developed by activist John Young and uses publicly available maps to give a view into some of these secret and sensitive sites across America.

The project consists of a series of individual 'eyeballing' web pages, each of which focuses on a particular military base, intelligence facility or other sensitive site, like nuclear power plants and dams. Eyeballing exploits the potential of hypertext to author a cartographic collage, piecing together a diverse range of aerial photographs, topographic maps at different scales, and photographs, along with expert commentary by Young, annotated with corrections and clarifications emailed in from (anonymous) readers. There are also hyperlinks to supplementary documents and other relevant websites, while individual eyeballs pages are themselves cross-referenced by hyperlinks. To produce the eyeballs Young only utilises public sources of maps and imagery, typically topographic mapping from MapQuest and aerial photography from Terraserver [1]. Even though the 'eyeballs' have an unpolished, almost amateurish look to them, the series represents a novel and valuable atlas of hidden places.

Is That a Puppy in Your Pocket?

A retired university lecturer in Australia has come up with the latest twist on Linux, fielding a distribution of the operating system that takes little memory and can boot directly off of a USB thumb drive.

Although Puppy Linux began life more as a demonstration than a full Linux distribution, it has rapidly evolved into a real workhorse distribution whose completeness is astonishing. Yet despite that evolution, Puppy Linux's focus on ease-of-use remains one of its major strengths -- to the point where it provides more hand-holding than some experienced Linux users might like.

Wednesday, June 01, 2005

No Need Privacy in Your Cube? Try an Electronic Silencer

Maxwell Smart's "cone of silence" is finally a reality.

Two people in an office here were having a tête-à-tête, but it was impossible for a listener standing nearby to understand what they were saying. The conversation sounded like a waterfall of voices, both tantalizingly familiar and yet incomprehensible.

The cone of silence, called Babble, is actually a device composed of a sound processor and several speakers that multiply and scramble voices that come within its range. About the size of a clock radio, the first model is designed for a person using a phone, but other models will work in open office space.

The voice scrambling technology used in Babble was developed by Applied Minds, a research and consulting firm founded by Danny Hillis, a distinguished computer architect, and Bran Ferren, an industrial designer and Hollywood special effects wizard.

Babble, which is intended to function as a substitute for walls and acoustic tiling, is an example of a new class of product that uses computing technology to shape sound. Already on the market are headphones that can cancel extraneous noises and stereo systems that can direct sound to a particular location.

The system will be introduced in June by Sonare Technologies, a new subsidiary of Herman Miller, the maker of the Aeron chair, as part of an effort to move beyond office furniture. The company plans to sell the device for less than $400 through consumer electronics and office supply stores.

Top 50 Security Tools

What is your favorite tool? Is it on the list?
 
Copyright 2018 e2e Security. Powered by Blogger Blogger Templates create by Deluxe Templates. WP by Masterplan