Sunday, March 19, 2006

Geo IP Tool

Fun little online tool to view geographical information about any IP or Domain in the world.

Computer Networks: The Heralds of Resource Sharing

A 1972 documentary on ARPAnet, the early internet. A very interesting look at the beginnings of what is now a huge part of most of our lives. I especially liked the discussions related to banking...

Saturday, March 18, 2006

Some Cool USB Toys

Not meant to be a product plug, but these folks have some cool stuff...

PC on a USB Stick Fights Child Pornography
The US 9th Circuit Court of Appeals recently ruled that police may search computer hard drives for child pornography if the PC owner is found to have subscribed to sites selling illegal images. To search a PC without knowing the password, the police can now turn to the Computer on a Stick Pro (COS).

The COS is a USB drive with its own bootable operating system. To use it, the police simply plug the COS into a vacant USB port on the suspect computer and allow the PC to reboot into the COS operating system, bypassing Windows passwords. Once booted, the COS allows the files on the attached computer to be viewed and copied to the USB COS drive.

Microsoft BlueHat Security Briefings Online

The spring Microsoft BlueHat Security Briefings event was held on March 8-10, 2006. Listen to podcast interviews with the presenters, and read the session descriptions and speaker bios here.

Friday, March 17, 2006

Shmoocon 2006 Follow-Up

Badges: The ShmooCon 2006 Badges were made of Stainless Steel. Some people thought the badges were a bit dangerous, but they were quite tame compared to the original design. There were 20 different badge designs, including Speaker, Staff, Shmoo & Attendee. Finding a complete set to put the puzzle together took a bit of work and the prize went to Grey Frequency who met over 200 attendees and traced badges to put it all together.

Video: Finally starting to get some movies online... Check out the speaker list to see if the movie you're looking for is online yet. They will be posting about 5 movies a day. Hopefully in a week or so they'll all be online.

Thursday, March 16, 2006

A Good List of Live CD Distributions

10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) A good list for those who are interested and haven't seen it...

Wednesday, March 15, 2006

Secure Voice over IP: Zfone

For law-abiding Americans who don't care for those pesky involuntary three-way calls with the NSA, PGP creator Philip Zimmermann has released a new product for encrypting any SIP VoIP voice stream. His first release is Mac & Linux only.

Tuesday, March 14, 2006

Tool Time - USB, FireWire and PCMCIA Scanner

DeviceLock Plug and Play Auditor is a non-intrusive clientless freeware software solution that generates reports displaying the USB, FireWire and PCMCIA devices currently connected to computers in the network and those that were connected. Its multithreaded engine ensures fast, unobtrusive auditing of all activity on any computers in an organization.

Monday, March 13, 2006

The Bookmaker, the Wiz Kid and the Extortionist

Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this.

Saturday, March 11, 2006

Ubuntu

Named after an African word for “humanity to others,” Ubuntu is a completely free distribution (based on Debian) fully developed by the Linux community. While this may be said for other Linux distributions, the real difference is in the ability (or right) that Ubuntu grants you to alter the software in any way that you want. To quote the developers, “Not only are the tools you need available free of charge, you have the right to modify your software until it works the way you want it to.”

Among the other public commitments the Ubuntu team makes, the team promises that the operating system will always be free, and there will be a new release every six months (each release is supported for 18 months).

More info and download here.

Prisoner 151716 of Cellblock 1A

Under the government of Saddam Hussein, Mr. Qaissi was a mukhtar, in effect a neighborhood mayor, a role typically given to members of the ruling Baath Party and closely tied to its nebulous security services. After the fall of the government, he managed a parking lot belonging to a mosque in Baghdad.

He was arrested in October 2003, he said, because he loudly complained to the military, human rights organizations and the news media about soldiers' dumping garbage on a local soccer field. But some of his comments suggest that he is at least sympathetic toward insurgents who fight American soldiers.

"Resistance is an international right," he said.

Weeks after complaining about the garbage, he said, he was surrounded by Humvees, hooded, tied up and carted to a nearby base before being transferred to Abu Ghraib. Then the questioning began.

Read the full story here.

Friday, March 10, 2006

Computer Security Awareness Video Contest Winners

The EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance would like to announce the winners of a computer security awareness video contest, which was held as part of a national campaign to raise awareness of and increase computer security at colleges and universities. The contest searched for two categories of short computer awareness videos that addressed a broad range of security topics or focused on a single security issue. Submissions were developed by college students for college students. The winning videos are featured here and will be used in campus security awareness campaigns and efforts.

The contest included 62 video submissions from 17 universities. Winners were selected for creativity, content, and quality of information; overall effectiveness of delivery; and technical quality. Cash prizes were awarded to winners in each category. The two gold winners received $1,000, the two silver winners received $800, and the two bronze winners received $500 in cash prizes. For additional information, please see the press release.

See the winners here.

Cracking Windows Passwords with BackTrack and the Online Rainbow Tables at Plain-Text.info

Irongeek Video: Cracking Windows Passwords with BackTrack and the Online Rainbow Tables at Plain-Text.info
Title says it all...

Happy Friday

ABA Journal - Stolen Lives

An American Bar Association article about the current state of the law regarding identity theft, and what you can do about the companies leaking your information.

Wednesday, March 08, 2006

The Analog Hole

A nice essay on the human dimension of the problem of securing information.
I try to avert my eyes when the person sitting next to me on the plane opens a laptop and displays a confidential memo. It may have been transmitted over a secure link (though it probably wasn’t), and it may be encrypted on disk (though it probably isn’t), but there it is in plain view, pouring out of the analog hole.

Spyware List

Here's a list of over 270 more spyware removal tools to avoid.

SecurityForest.com

SecurityForest.com is a collaboratively edited Forest consisting of Trees which anyone can contribute to. SecurityForest's trees are specific security repositories that are categorized for practical reasons. The technologies currently in use in these repositories are based on Wiki (http://en.wikipedia.org/wiki/Wiki) technology and CVS (Concurrent Versions System) (http://www.cvshome.org/) technology. Depending on the species of the tree, the suitable technology will be used. SecurityForest.com is a collection of repositories (trees) for the community, by the community. In other words, the updating, modifying and improving can be done by anyone in the community.

Sunday, March 05, 2006

Live Action Recreation of the intro to The Simpsons

Not security related, but this is cool... Watch the video here.

And while we are on a geek video kick, Google Video has some great stuff. You can find quite a range from "Fear of Girls" (True Love is but a +2 Broadsword away) to this ten minute video of Disneyland's Main Street USA, right after it opened in 1956.

Saturday, March 04, 2006

Online Amateurs Crack Nazi Codes

Three German ciphers unsolved since World War II are finally being cracked, helped by thousands of home computers. The codes resisted the best efforts of the celebrated Allied cryptographers based at Bletchley Park during the war. Now one has been solved by running code-breaking software on a "grid" of internet-linked home computers.

More info here.

Friday, March 03, 2006

Fun with Stored Value Cards

This site goes into detail about how the FedEx Kinko's ExpressPay stored value card can be hacked. ExpressPay is a system developed by EnTrac Technologies, of Toronto. The system uses smart cards from Infineon, but does not secure data on the cards...

Hydra - A very fast Network Logon Cracker

HYDRA from THC is a dictionary-based password cracker that works on the services listed below.
Passwords are the number one security hole, as every password security study shows.

Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.

Currently this tool supports:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, LDAP2, Cisco AAA (incorporated in telnet module).

This tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.
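From the defender's side, a parallelized cracker like the one described above shows up in logs as a burst of failed logins from one source, often against several services at once. The following detector is an added example (not code from the original post or from THC); the syslog-style lines are constructed, and the daemon log formats they mimic are assumptions.

```python
"""Flag sources that generate many failed logins across several services in a
short window, the footprint a parallelized dictionary attack leaves behind.
Added example; the log lines below are constructed, not real captures."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one noisy source hitting ssh, ftp and smtp, one benign user.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[311]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:01 host sshd[312]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:02 host vsftpd[400]: FAIL LOGIN: Client "198.51.100.7"
Mar  3 10:00:02 host sshd[313]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:00:03 host postfix/smtpd[500]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:03 host sshd[314]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar  3 10:00:04 host vsftpd[401]: FAIL LOGIN: Client "198.51.100.7"
Mar  3 10:01:30 host sshd[320]: Failed password for alice from 203.0.113.9 port 50000 ssh2
Mar  3 10:03:00 host sshd[321]: Accepted password for alice from 203.0.113.9 port 50001 ssh2
"""

# (service name, regex capturing the source IP) for each failed-login message shape.
# These formats are assumptions modelled on common daemons, not an authoritative list.
PATTERNS = [
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)")),
    ("ftp", re.compile(r'vsftpd\[\d+\]: FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"')),
    ("smtp", re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(\d+\.\d+\.\d+\.\d+)\]: "
                        r"SASL \w+ authentication failed")),
]
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")


def parse_failures(text, year=2006):
    """Yield (timestamp, service, source_ip) for every failed-login line.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for service, pat in PATTERNS:
            hit = pat.search(line)
            if hit:
                yield ts, service, hit.group(1)
                break


def find_bruteforce(text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: (total_failures, [services])} for each source that reaches
    `threshold` failures inside any sliding window of length `window`.
    Counting across services matters: per-daemon thresholds miss a cracker
    that spreads its guesses over ssh, ftp and smtp."""
    by_ip = defaultdict(list)
    for ts, service, ip in parse_failures(text):
        by_ip[ip].append((ts, service))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = (len(events), sorted({s for _, s in events}))
                break
    return alerts


if __name__ == "__main__":
    for ip, (count, services) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins across {', '.join(services)}")
```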

Friday Fun - Jon Stewart on Larry King

The only reason to watch the Oscars this Sunday, will be Jon Stewart...

In case you missed Jon Stewart on Larry King the other night, Crooks & Liars has video and a partial transcript (but you really need to see or hear it, because a lot of the way Jon Stewart talks is lost in the literal written translation.) Larry King made several feeble attempts to create controversy, and Jon Stewart kicked him square in the nuts each time. Witness this exchange:

KING: You don't want Medicare to fail?

STEWART: Are you insane?

KING: No.

STEWART: You're literally asking me if I would prefer -- yes, Larry, what I'm saying to you as a comedian I want old people to suffer, old and poor people to suffer. That is -- that is -- what we want is -- what seems absurd to me is the length that Washington just seems out of touch with the desires of Americans to be spoken to as though they are adults.

Nice try, Larry; too bad Jon didn't go for it. Maybe you can team up with Nancy Grace for a two hour Aruba Special to get back on familiar, more comfortable ground.

That question was just one of several "gotcha" attempts which failed spectacularly when Jon refused to take the bait, and instead turned the ludicrous question back on Larry King, who of course had no response other than this painful frozen half-smile that was equal parts fear and loathing. When Larry King wasn't completely controlling the tone and content of the show, you could feel how uncomfortable he was. Jon Stewart was so funny, and so quick-witted, and so smart and so insightful, if Larry King wasn't trying so hard to create controversy where there was none, you'd almost feel bad that he wasn't able to keep up.

Thanks to WWdN

Wednesday, March 01, 2006

Security Awareness Tips from DHS/US-Cert

The U.S. Department of Homeland Security has a new set of posters with info on how to report a suspicious cyber incident and some security best practices tips. The posters are available for download and can be put on the wall in the old coffee room, or your cubicle...

Simpsons 'trump' First Amendment

This is from a BBC story... Nice to see how they see us across the pond...

Americans know more about The Simpsons TV show than the US Constitution's First Amendment, an opinion poll says.

Only one in four could name more than one of the five freedoms it upholds but more than half could name at least two members of the cartoon family.

About one in five thought the right to own a pet was one of the freedoms.

Monday, February 27, 2006

Cell Gunphone

Here's one for the "What were they thinking" file...
At first sight it looks like a regular cell phone — same size, same shape, same overall appearance.

But beneath the digital face lies a .22-caliber pistol, a phone gun capable of firing four rounds in quick succession with a touch of the otherwise standard keypad.

The US Department of Homeland Security and the FBI are aware of the device and have instructed baggage screeners to be on the lookout for suspicious mobile phones. This is especially after 9/11.

European law enforcement officials — stunned by the discovery of these deadly decoys — say phone guns are changing the rules of engagement in Europe.

Airport authorities across Europe are implementing systems to X-ray all cell phones.

“We find it very, very alarming,” says Wolfgang Dicke of the German Police union. “It means police will have to draw their weapons whenever a person being checked reaches for their mobile phone.”

The FBI, the Bureau of Alcohol, Tobacco and Firearms, and the U.S. Customs Service say they’ve been briefed on the new weapons.

“This criminal invention represents a potentially serious threat to law enforcement and the public,” said U.S. Customs Service Commissioner Raymond W. Kelly.
“We received word about these guns last month. We have since alerted our field personnel to be on the lookout for ‘cell phone guns’ at U.S. ports of entry.”

Full story and video here.

Rootkit Pharming

Haxdoor is one of the most advanced rootkit malware families out there. A recent Secure Science paper has a good explanation of how and why Haxdoor works.

Sunday, February 26, 2006

E&Y Loses Four more Laptops

A group of Ernst and Young auditors took off for lunch on Feb. 9, leaving their laptops in an office building conference room. According to security footage, two men entered the conference room a couple of minutes after the Ernst and Young folks left and walked off with four Dell laptops valued at close to $8k, the Miami Herald reported.

This theft follows a higher-profile incident earlier this month in which an Ernst and Young employee lost his laptop containing the social security numbers and other personal information of customers.

Ernst and Young appears set on establishing a laptop loss record in February...

Episode Six of the Sysadmin Sitcom The IT Crowd is now Downloadable

Episode six of Graham Linehan's wonderful, screamingly funny sysadmin sitcom, The IT Crowd, is online here.

Saturday, February 25, 2006

DIY Hardware keylogger

Looking for that extra special DIY project this weekend? Here's how to make a PS/2 keyboard line keylogger; the software application (with full source code) for downloading the recorded data is also provided.

DoD Staffer's Notes from 9/11 Obtained Under FOIA

Hours after a commercial plane struck the Pentagon on September 11, 2001, the US defence secretary, Donald Rumsfeld, was issuing rapid orders to his aides to look for evidence of Iraqi involvement, according to notes taken by one of them.

"Hard to get good case. Need to move swiftly," the notes say. "Near term target needs - go massive - sweep it all up, things related and not."

The handwritten notes, with some parts blanked out, were declassified this month in response to a request by a law student and blogger, Thad Anderson, under the US Freedom of Information Act. Anderson has posted them on his blog at outragedmoderates.org.

Friday, February 24, 2006

New technique uses Photons, Physics to Foil Codebreakers

For governments and corporations in the business of transmitting sensitive data such as banking records or personal information over fibre optic cables, a new system demonstrated by University of Toronto researchers offers the protective equivalent of a fire-breathing dragon.

“Quantum cryptography is trying to make all transmissions secure, so this could be very useful for online banking, for example,” says Professor Hoi-Kwong Lo, an expert in physics and electrical and computer engineering at U of T’s Centre for Quantum Information and Quantum Control and the senior author of a new study about the technique. “The idea can be implemented now, because we actually did the experiment with a commercial device.”

The study describes the first experimental proof of a quantum decoy technique to encrypt data over fibre optic cable. In quantum cryptography, laser light particles (photons) carry complex encryption keys through fibre optic cables, dramatically increasing the security of transmitted data. Conventional encryption is based on the assumed complexity of mathematical problems that traditional computers can solve. But quantum cryptography is based on fundamental laws of physics — specifically, Heisenberg’s Uncertainty Principle, which tells us that merely observing a quantum object alters it.

Thursday, February 23, 2006

Taser Sets Florida Man On Fire

Sometimes you just can't wait for Fridays to have fun...
A man in Daytona Beach, Fla., was injured when a probe from a police Taser gun hit a butane lighter in his pocket and set him on fire, according to a Local 6 News report.

Police said Dennis Crouch, 54, apparently stabbed himself inside his home located in the 400 block of Grandview Avenue.

When officers arrived at the house, they found Crouch with a butcher knife threatening to kill himself.

Crouch apparently refused to comply with officers' demands and was shot with a Taser gun.

A Taser probe hit a disposable butane lighter in his shirt pocket and ignited. Officers then rolled him to the ground to put out the flames.

Crouch was treated at Halifax Medical Center for burns and the stab wound.

The incident is under investigation to determine if additional safety requirements, Local 6 News reported.

[Full-disclosure] Gay Security Industry Experts Exposed!

I always thought JP was a bit of a twit, but this? A rather bizarre, but kind of interesting, read about antionline.com founder and former owner JP (John Vranesevich).

Wednesday, February 22, 2006

Mini-Pentoo 2006.0 - Pentoo LiveCD Security Disk

This version is only 186 MB and fits on a mini-CD or a 256 MB USB pen drive.

It features the bare minimum tools for pentesting and supports module addition à la Slax, allowing you to add some more stuff as you see fit.

You can also save your /etc, /root, ExploitTree and Nessus on a USB pen drive, or anywhere else you want.

And last but not least, the window manager is the sexiest available in the universe, providing you with genuine pen-testing pleasure.

DOWNLOAD

Download MPentoo LiveCD (HTTP).

Download MPentoo LiveCD (FTP).

Court Ruling Regarding Gramm-Leach-Bliley

This is something to think about...
In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands. Intrigued? Read on.
In a nutshell, an employee of Brazos Higher Education Service Corporation, Inc., had customer information on a laptop computer he was using at home. The computer was stolen, and a customer sued Brazos.

The judge dismissed the lawsuit. And then he noted...
Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute "does not prohibit someone from working with sensitive data on a laptop computer in a home office," and does not require that "any nonpublic personal information stored on a laptop computer should be encrypted."

Tuesday, February 21, 2006

Secure Flying - Tuesdays Can Be For Fun Sometimes!

Simple but a tad addictive. You must carefully pilot the helicopter, avoiding the obstacles...

Click on the pic to begin!

Monday, February 20, 2006

A True Story: "How we caught an Identity Thief"

An interesting story about how an identity thief was trapped and captured.
It all started with a phone call. "Someone has the likeness of our site, on a very similar sounding domain!" This is the story of how igxglobal worked in conjunction with the client and the FBI to identify and stop a would-be identity thief.

Sunday, February 19, 2006

Personal Security - Severed Arm Still Clutching Mobile Phone

A Letcher County woman suffered a horrible injury early Thursday when her arm was severed in a car crash on the Mountain Parkway in Clark County.

Jacqueline Dotson and her six-year-old daughter had to be cut out of their vehicle after the accident in which Dotson veered into the median and over-corrected, rolling her truck over the guardrail and landing upside down after flipping several times.

Several people stopped to help, and it turns out, the good samaritans may very well have saved Dotson's life. Sheila Vice, a nurse's aide, and an off-duty EMT from another county stopped to help, and put a tourniquet on Dotson's arm to stop the bleeding. Her arm was found near the accident still clutching a cell phone.

"Basically we stayed there and talked to them until the EMT drivers got there," said Vice.

Rescuers used the jaws of life to get Dotson and her daughter out of the truck. Both were flown to hospitals, and Dotson is listed in serious condition at UK Hospital. Her daughter is not in the hospital, and sheriff's officials say they believe she's going to be fine.

Both were wearing seat belts.

Saturday, February 18, 2006

New episode of The IT Crowd, Very Cool SysAdmin Sitcom

Episode 5 of Graham "Father Ted" Linehan's funny British nerd comedy series "The IT Crowd" is available here.

Building a Forensics Computer

Not a ton of info, but here is a link to an interesting article on building a 'forensics computer' used for analyzing compromised machines and security research. Fun Stuff...

Friday, February 17, 2006

Friday Fun - Video Game Nostalgia

If you're a 1980s game geek, you could easily spend an entire day at this website, which has a comprehensive history of video games, beginning in the years that preceded Pong, and heading all the way up to the Vectrex/Atari 7800 years. The whole site is wonderfully put together, with old adverts, screen shots, and pictures of consoles, machines and designers.

I have a Pong game like this. Ah the memories...

Thursday, February 16, 2006

Personal Security - US and Canadian Skiers get Smart Armour

A futuristic flexible material that instantly hardens into armour upon impact will protect US and Canadian skiers from injury on the slalom runs at this year's Winter Olympics.

The lightweight bendable material, known as d3o, can be worn under normal ski clothing. It will provide protection for US and Canadian skiers taking part in slalom and giant slalom races in Turin, Italy. Skiers normally have to wear bulky arm and leg guards to protect themselves from poles placed along the slalom run.

Tuesday, February 14, 2006

Baby Hack

Todd Vanderlin documents an experiment: "I bought a $10 electronic baby in china town. I cracked it open and soldered a couple of switches to the speaker. Now the baby is possessed and I have hacked a baby." Don't miss the video here.

Monday, February 13, 2006

Nmap 4.01 Released!

10 days after the release of Nmap 4.0, and with over 100K downloads, 4.01 is released with even more improvements and some minor bug fixes.

You can find 4.01 at the normal location:
http://www.insecure.org/nmap/download.html

Sunday, February 12, 2006

Secure at Home...

Saturday, February 11, 2006

Secure Travel - Head Found in Luggage

If you are going to carry a spare head, make sure you declare it at customs!

US immigration officials have arrested a Haitian woman after baggage screeners found a human head in her luggage at a Florida airport.

Myrlene Severe, 30, has been charged with failing to declare the head on a customs form and transporting "hazardous material".

A spokesman for Miami's immigration and customs agency told the AFP news agency that the head was not simply a skull.

"It had teeth, hair and skin, and quite a lot of dirt," she said.

Privacy Watchdog: Beware Google Desktop

Time to block Google at the firewall?

The Electronic Frontier Foundation Thursday blasted a new feature on Google's Desktop Search product, which allows users to search their home computers from any computer. The group said that Google's caching of users' hard drives renders them vulnerable to subpoenas.

The new feature, dubbed "Search Across Computers," caches users' text contents--including PDFs, spreadsheets, Word documents, e-mails, and other documents--on Google's servers, so that users can search them from any computer with an Internet connection. The EFF, however, claims that the feature puts users' data at risk. "EFF urges consumers not to use this feature, because it will make their personal data more vulnerable to subpoenas from the government and possibly private litigants, while providing a convenient one-stop-shop for hackers who've obtained a user's Google password," the foundation said in a statement.

Friday, February 10, 2006

Friday Fun - Burglar Checks email

A burglar in West Bend, Wisconsin hung out for quite some time in the house he was robbing, apparently eating a meal, showering, watching TV, and checking his email. Police think they have identified the man but have yet to catch him. From the La Crosse Tribune:
Lori Menzel of the town of Kewaskum said the burglar left his Yahoo account open after checking his personal e-mail on the computer at her home.

``He never logged out,'' she said, adding: ``He made himself at home here. He spent some time in our bedroom trying on my husband's clothes. I could tell he went through some of my clothes.''

John the Ripper 1.7 Release is out

The following major changes have been made since John 1.6:

* Bitslice DES code for x86 with MMX: more than twice faster than older non-bitslice MMX code.
* Bitsliced the LM hash code as well: now several times faster.
* Significant improvements to the generic bitslice DES code: +20% on RISC.
* PowerPC G4+ AltiVec support (Mac OS X and Linux): effective 128-bitness for bitslice DES, resulting in huge speedups.
* First attempt at generic vectorization support for bitslice DES.
* Two MD5 hashes at a time for extra ILP on RISC: up to +80% on Alpha EV5+.
* Generic Blowfish x86 assembly code in addition to the original Pentium version: +15% on the Pentium Pro family (up to and including Pentium III), +20% on AMD K6 (Pentium 4 and newer AMD CPUs are more happy running the original Pentium code for Blowfish).
* Verbose logging of events to the global or a session-specific log file.
* Better idle priority emulation with POSIX.1b (POSIX.4) scheduling calls.
* System-wide installation support for *BSD ports and Linux distributions.
* AIX, DU/Tru64 C2, HP-UX tcb files support in unshadow.
* New make targets for Linux/x86-64, Linux/PowerPC, FreeBSD/Alpha, OpenBSD/x86-64, OpenBSD/Alpha, OpenBSD/SPARC, OpenBSD/SPARC64, OpenBSD/PowerPC, OpenBSD/PA-RISC, OpenBSD/VAX, NetBSD/VAX, Solaris/SPARC64, Mac OS X (PowerPC and x86), SCO, BeOS.
* Bug and portability fixes, and new bugs.
* Bonus: "Strip" cracker included in the default john.conf (john.ini).

Thursday, February 09, 2006

Police Beat

Gee, seems like the Chief's wife should be rewarded for providing a public service, not arrested...

Ark. Police Chief, His Wife, Mayor Arrested

The town's mayor was arrested in a corruption probe, its police chief is accused in a drug-making scheme, and the prosecutor says the chief's wife took prisoners from jail to have sex with them - and more arrests could be coming...

It's a lot for an Arkansas town of fewer than 4,300 residents to stomach in one day.

Florida Deputy Uses Car-cam to Tape Women

A sheriff's deputy in Martin County is accused of dishonoring his badge after he was caught videotaping scantily clad women while he was on patrol.

Wednesday, February 08, 2006

A Day in The Life of Chinese Internet Police

Major daily duties include: searching for harmful information on the Internet, reviewing and supervising Internet units, supervising all the Internet bars in the district, monitoring the Internet bars through closed-circuit television, training Internet unit administrators.

Pen Test Live CD 'Arudius' Reaches v0.5

One more tool to play with...

Arudius is a Linux live CD with tools that try to address the network security aspect (penetration testing and vulnerability analysis) of information assurance. It is based on Slackware (Zenwalk) for i386 systems and targets the information security audience. It is released under the GNU GPL and contains only open-source software.

This release features the addition of some novel security tools - tools for passive network discovery by analyzing broadcast traffic, very fast SMB password cracking tool and a UPnP device discovery tool analyzing M-SEARCH packets, to mention a few among others.

You can find it here.

Black Hat Fingers Email As Easy Target

Users offer a sloppy, target-rich environment with nearly unlimited access to trouble. They form a poorly guarded bridge between the internal network and the Internet.

Admins who allow email clients to receive unadulterated HTML documents are opening a hole in network security that can be very difficult to defend... especially once an attacker is inside the network perimeter.

HTML makes it easy to duplicate the appearance of groups from whom the end user regularly receives HTML messages, like banks, credit card companies and online auction houses. And hiding links to phishing or malware sites beneath apparently legitimate URLs is elementary.

When you add the potential havoc caused by attachments, ActiveX, Java, VBscript, and javascript... well, you get the picture. You open the door to all manner of rootkit, backdoor, keylogger, etc.
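The two risks the article names, links whose visible text impersonates a trusted host while the href goes elsewhere, and active content that a mail client should never execute, can both be checked before a message is rendered. The scanner below is an added example, not code from the original post or the Black Hat talk; the sample message is constructed and the .invalid hostnames are placeholders.

```python
"""Flag risky constructs in an HTML e-mail body before it is rendered:
anchors whose visible text names one host while the href points at another,
and active content (script/object/embed/iframe, javascript:/vbscript: URIs).
Added example; the sample message is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
ACTIVE_SCHEMES = {"javascript", "vbscript"}
# Something that looks like a host or URL inside the clickable text.
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Crude 'brand' part of a host, e.g. login.example.com -> example.com.
    Good enough to show the technique; a real filter would use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class MailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", tag))
        for k, v in a.items():
            if v and k in ("href", "src"):
                if urlparse(v.strip()).scheme.lower() in ACTIVE_SCHEMES:
                    self.findings.append(("script-uri", v.strip()))
        if tag == "a":
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown = HOST_RE.search(text)
            target = urlparse(self._href.strip()).hostname or ""
            # Only a mismatch when the text itself claims a host and the
            # real destination belongs to a different registrable domain.
            if shown and target and registrable(shown.group(1)) != registrable(target):
                self.findings.append(("link-mismatch", text, target))
            self._href = None


def scan_html_mail(body):
    """Return a list of (kind, ...) findings for an HTML message body."""
    p = MailScanner()
    p.feed(body)
    p.close()
    return p.findings


# Constructed sample: a lookalike link, a benign link, a script URI and a script tag.
SAMPLE_MAIL = """<html><body>
<p>Dear customer, please verify your account at
<a href="http://login.example-bank.com.attacker.invalid/verify">https://www.example-bank.com/login</a>.</p>
<p>Or visit our <a href="https://www.example-bank.com/help">help centre</a>.</p>
<img src="javascript:void(0)" alt="">
<script>alert('this would run in a client that executes script')</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html_mail(SAMPLE_MAIL):
        print(finding)
```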

Sleeper Bugs Used to Steal €1 Million in France

Russian thieves have stolen more than €1m (£680,000) from personal bank accounts in France using "sleeper bugs" to infect computers. French authorities claim the thieves can take control of and empty a bank account in seconds. In one hit, a bank customer lost €40,000.

Police say the virus is embedded in emails or websites and remains dormant until the user contacts their bank online. When that happens, the bug becomes active and records passwords and bank codes which are then forwarded to the thieves. They then use the information to check the victim has money in the bank before transferring funds to the accounts of third parties, known as mules, who may have agreed to allow money to pass through their accounts in return for a commission of between 5% and 10%.

Police claim this is set up through fictitious companies, including one American firm named World Transfer, although the mules could be unaware that their computers are being used for theft.

Tuesday, February 07, 2006

BOA Allows ID Theft to Continue

Margaret Harrison, a young wife and mother living in San Diego, first noticed the problem four years ago when she applied for unemployment.

“They asked if I worked on a horse ranch in eastern Washington, and I said no,” laughs Harrison. “[I’m] not quite the rancher type.”

She investigated and found out a laborer named Pablo has been using her Social Security number. And while Margaret pays for credit monitoring, she says the Equifax credit reporting bureau never noticed the problem until she told the agency. Now Equifax has put a fraud alert on her account. And then there’s this: Last month, the Bank of America sent her a new debit card bearing her name and Pablo’s picture!

Margaret says the Bank of America claims it can’t take any action against Pablo because he pays his bills on time — that her case is in what they call “a reactive state.”

“Because currently it’s not negatively impacting my credit, so I have no legal recourse for any action,” says Harrison.

Customer Service?

The Topology of Covert Conflict

Interesting research paper by Shishir Nagaraja and Ross Anderson. Implications for warfare, terrorism, and peer-to-peer file sharing:

Abstract:

Often an attacker tries to disconnect a network by destroying nodes or edges, while the defender counters using various resilience mechanisms. Examples include a music industry body attempting to close down a peer-to-peer file-sharing network; medics attempting to halt the spread of an infectious disease by selective vaccination; and a police agency trying to decapitate a terrorist organisation. Albert, Jeong and Barabási famously analysed the static case, and showed that vertex-order attacks are effective against scale-free networks. We extend this work to the dynamic case by developing a framework based on evolutionary game theory to explore the interaction of attack and defence strategies. We show, first, that naive defences don’t work against vertex-order attack; second, that defences based on simple redundancy don’t work much better, but that defences based on cliques work well; third, that attacks based on centrality work better against clique defences than vertex-order attacks do; and fourth, that defences based on complex strategies such as delegation plus clique resist centrality attacks better than simple clique defences. Our models thus build a bridge between network analysis and evolutionary game theory, and provide a framework for analysing defence and attack in networks where topology matters. They suggest definitions of efficiency of attack and defence, and may even explain the evolution of insurgent organisations from networks of cells to a more virtual leadership that facilitates operations rather than directing them. Finally, we draw some conclusions and present possible directions for future research.
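The static result the abstract builds on (Albert, Jeong and Barabási: vertex-order attacks cripple scale-free networks) can be reproduced in a few dozen lines. The following simulation is an added example, not code from the paper: it grows a preferential-attachment graph, then removes the same number of vertices either uniformly at random or in vertex order (highest degree first) and compares the surviving giant component. Graph size, edges per newcomer and the 5% removal fraction are arbitrary choices for the demo.

```python
"""Vertex-order attack versus random failure on a scale-free graph.
Added example; stdlib only, seeded so the result is reproducible."""
import random
from collections import deque


def scale_free_graph(n, m, rng):
    """Grow a Barabasi-Albert style graph: every new vertex attaches m edges
    to existing vertices chosen with probability proportional to degree."""
    adj = {v: set() for v in range(n)}
    targets = set(range(m))   # m seed vertices; the first newcomer links to all
    pool = []                 # degree-weighted pool of attachment endpoints
    for v in range(m, n):
        for t in targets:
            adj[v].add(t)
            adj[t].add(v)
        # each new edge puts both endpoints into the pool (degree weighting)
        pool.extend(targets)
        pool.extend([v] * len(targets))
        targets = set(rng.sample(pool, m))   # duplicates collapse to one edge
    return adj


def giant_component(adj, removed):
    """Size of the largest connected component once `removed` vertices are gone."""
    seen = set(removed)
    best = 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            u = queue.popleft()
            size += 1
            for w in adj[u]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best


def vertex_order_attack(adj, k):
    """The attack strategy named in the abstract: delete the k highest-degree vertices."""
    return sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]


def random_failure(adj, k, rng):
    """Baseline for comparison: k vertices fail uniformly at random."""
    return rng.sample(sorted(adj), k)


def compare(n=1000, m=2, fraction=0.05, seed=7):
    """Largest surviving component under each removal strategy (arbitrary demo sizes)."""
    rng = random.Random(seed)
    adj = scale_free_graph(n, m, rng)
    k = int(n * fraction)
    return {
        "intact": giant_component(adj, set()),
        "random_failure": giant_component(adj, random_failure(adj, k, rng)),
        "vertex_order_attack": giant_component(adj, vertex_order_attack(adj, k)),
    }


if __name__ == "__main__":
    for strategy, size in compare().items():
        print(f"{strategy:>20}: giant component of {size} vertices")
```

Removing the same 5% of vertices by degree order leaves a far smaller giant component than removing them at random, which is exactly the asymmetry the paper's dynamic game then builds defences against.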

Sunday, February 05, 2006

BackTrack beta Released Today!

Distribution Info:
BackTrack is released in two flavours - Developer Edition and User Edition. The two CDs contain the same data but differ as follows:
Developer Edition

* Built from the individual modules which create BackTrack.
* Boot time is slow, due to large number of modules.
* Modularity is high, so user customisation is easier.

User Edition

* Individual modules consolidated.
* Boot time is faster, due to few modules.
* Modularity is low, so user customisation is harder.

You can download it here.

UK ID Fraud Figures 'inflated to play on public fears'

The [British] Government was accused yesterday of playing on people’s fears by producing hugely inflated figures on the cost of identity fraud.

In a report published yesterday, the Home Office said that the annual cost of ID fraud had reached £1.7 billion. However, this figure was undermined by Apacs, the group that represents payment organisations such as banks and credit firms, which said that the cost had been grossly overestimated and that its own figures had been misrepresented.

Asked why the Home Office used the larger sum, she said: “I just think they think it is a good story to scare people with.”

Superbowl Sunday

To secure the real inside info on the teams in the Superbowl and other NFL activity, read the Professional Cheerleaders blog!

Friday, February 03, 2006

GPS-Enabled Dart

A little more Friday fun...
With that street-cop psychology, Chief William J. Bratton unveiled Thursday a new and decidedly strange weapon in the LAPD's effort to halt high-speed pursuits.

It is an air-propelled miniature dart equipped with a global positioning device. Once fired from a patrol car, it sticks to a fleeing motorist's vehicle and emits a radio signal to police.

Bratton hailed the dart as "the big new idea" and said that if the pilot program was successful, Los Angeles' seemingly daily TV fix of police chases could be a thing of the past.

"Instead of us pushing them doing 70 or 80 miles an hour … this device allows us not to have to pursue after the car," Bratton said. "It allows us to start vectoring where the car is. Even if they bail out of the car, we'll have pretty much instantaneously information where they are."

Fridays are for Fun - Karate Experts Hired to Control Parrots

Organizers of a vintage car rally have hired karate experts to protect vehicles from marauding native parrots, a media report said Friday.

Around 40 members of a local karate club have been enlisted to protect around 140 classic cars due to visit an alpine village near Mt. Cook on New Zealand's South Island on Sunday, the New Zealand Press Association reported.

The karate experts will protect the cars from Keas, sharp-beaked native parrots which have been known to damage vehicles in their search for shiny items, NZPA said.

Thursday, February 02, 2006

Embarrassing Messages From Enron's Email

At the end of its investigation of the 2000-2001 Western Energy Crisis, the Federal Energy Regulatory Commission released its database consisting of 92% of Enron's staff emails. Why? Who knows? The point is, this might make you think twice before sending that silly corp. email.

A couple of swaths through Andrew Fiore's searchable archive of Enron's email database are enough to remind us all that, no matter where you go or what you do, your email is forever...

Wednesday, February 01, 2006

Microsoft Officially Releases Internet Explorer 7 Beta 2 and Out Pops the first Advisory

Despite the leak that occurred two weeks ago, during which the whole world saw Microsoft’s brand new IE7 (or at least its beta), now, the company from Redmond has decided to officially release the first generally available beta for Internet Explorer 7, as well as Windows RSS Platform, a for-developers set of APIs for creating RSS-enabled applications.

Internet Explorer 7 Beta 2 Preview will only run on Windows® XP Service Pack 2 (SP2) systems, but will ultimately be available for Windows Vista, Windows XP Professional x64 Edition, and Windows Server 2003.

The Windows XP edition of IE 7 Beta 2 Preview can be downloaded from here.

And so it begins...
Advisory: sp-x23-advisory

So I saw that Microsoft released IE 7.0 Beta 2 to the public today. So, I figured I would give it a quick look and I just happened to find something within the first 15 minutes of testing. Weird huh? So you're probably thinking, why release an advisory on a beta product? Well, why not? It's Microsoft, right? You can check out the advisory here, and the PoC here. And for the ones not running Windows, here is a screenshot if you're interested...

Tuesday, January 31, 2006

Computer Forensics, Network Security and Computer Crime Podcast

Two former Federal Agents produce a podcast on computer crime etc...

This week's episode -
In this episode we interview the President of Red Cliff Consulting, Mr. Kevin Mandia, about trends in incident response. We also talk about the Windows registry, what not to do when interviewing for a tech job, have a brief talk with Nicholas Harbour about the new version of DCFLDD, and cover the NSA document redaction guidelines.

NMAP 4.0 Released!

Nmap has undergone many substantial changes since its last major release (3.50 in February 2004). This is a great tool and it is well worth your time to upgrade...

British School Bans Raising Hands

Not a security story, but...
A school in London has banned children from raising their hands in class and teachers from calling on students with their hands raised.

"It is every child's instinct and every teacher's instinct as well because it is ingrained in us," said Andrew Buck, the school's principal.

"Some pupils are jiggling so much to attract the teacher's attention that it sometimes looks as if they need the lavatory, then when it is their turn they often don't know the answer. Boys -- and it is usually boys -- are seeking attention, so they put their hands up before they have had time to think about the question."

Buck said the same children often wave their arms in the air, but when teachers try to involve less adventurous pupils by choosing them instead, it leads to feelings of victimization, the Daily Telegraph reported Saturday.

To spare embarrassment of the students who do not know the answer, the school has incorporated a "phone a friend" system, allowing one child to nominate another to take the question instead.

Sunday, January 29, 2006

TorPark: Anonymous Browsing on a USB Drive

TorPark is a fully configured combination of Tor (The Onion Router) and Mozilla's browser technologies. Both programs are in the zip files, fully configured. Just unzip them to a flash drive and run the setup file. This won't work from a CD because Tor needs a local directory to write to: since you don't want to leave tracks on the computer you are using, Tor is set to write only to its own directory on the drive, and since a CD can't readily be written to, the program will terminate. Once you are running, it may not bring up the start page correctly the first time; just hit the "Home" button.

Friday, January 27, 2006

Friday Fun - Old space-suit = Experimental Satellite

Astronauts on the International Space Station are turning an old Russian space-suit into a satellite by shoving it out the airlock with extra batteries. The suit will transmit a looped message that people with ham radios or police-band scanners can tune into, and there are prizes for people who spot the "SuitSat" from the ground.

Details here.

Black Hat Federal 2006 - Presentations

Black Hat Federal 2006 - Jan 23-26 in Washington DC just wrapped up and the presentations can be found here.

Thursday, January 26, 2006

[IN]SECURE Magazine - Issue 5 (January 2006) Released

DOWNLOAD ISSUE 1.5 HERE

The covered topics are:

  • Web application firewalls primer
  • Review: Trustware BufferZone 1.6
  • Threat analysis using log data
  • Looking back at computer security in 2005
  • Writing an enterprise handheld security policy
  • Digital Rights Management
  • Revenge of the Web mob
  • Hardening Windows Server 2003 platforms made easy
  • Filtering spam server-side

New Blog Worm Found!

Blog.Worm

Link here.

Wednesday, January 25, 2006

Software Security: Building Security In

The latest book from Gary McGraw...

ISBN: 0321356705; Published: Jan 23, 2006; Copyright 2006; Dimensions 7x9-1/4; Pages: 448; Edition: 1st.

Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of

  • Risk management frameworks and processes
  • Code review using static analysis tools
  • Architectural risk analysis
  • Penetration testing
  • Security testing
  • Abuse case development

In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs.

Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.

Users to Blame for Net Banking Woes

Maybe this attitude will transfer to this side of the pond...
The blame for online banking insecurity is as much down to user ignorance as banking inadequacy, the UK Financial Services Authority (FSA) has argued.

In its Financial Risk Outlook 2006, published today, the authority identified several groups of banking customers that it says present the greatest security problems.

These included a hardcore five percent of users who take no security precautions whatsoever when using banking websites, and a further 21 percent who think it unlikely that criminals could access their accounts without the user knowingly having supplied the login. Overall, the FSA found that the young tend to be less security conscious.

A surprisingly high 45 percent of customers surveyed believe that banks should take sole responsibility for online security. If the banks attempted to move all liability for online banking losses to customers, 77 percent say they would abandon Internet banking completely.

Botmaster

James Ancheta aka "Resjames" or "Botmaster" pleaded guilty in Los Angeles Monday to running a botnet and selling bots.

James seems to be offline nowadays... However, the court papers make a fun read.

Tuesday, January 24, 2006

Laptop Mini Wireless Antenna

A wireless antenna made from a standard ball point pen. This site has lots of wireless antenna examples and tips.

Saturday, January 21, 2006

Thief Makes Off With $2,000 Toilet Seat

Dang, now there will be a CA law on toilet seat controls, then a federal regulation, then...
San Diego police are searching for a valuable, high-tech toilet seat taken from an unlocked storage closet.

Hamid Shoushtari bought the toilet seat on the Internet. He said the missing seat -- worth an estimated $2,000 -- is heated. He had planned to see whether he could market the seat in California when it was stolen.

"We may not use it in California, but in colder places like Chicago or New York, in the morning you can program it and it will heat up your toilet seat for about 15 minutes or whatever time you want," Shoushtari said. "You sit on it, you can adjust the water temperature if you want to make it warmer or colder."

Shoushtari said he did have concerns about how the toilet seat would work because it combined electricity and water, a potentially deadly situation for someone sitting on it.

The case is the first grand theft of a toilet seat in San Diego.

Friday, January 20, 2006

Microsoft Earns Patching Praise from IT Execs

More Friday fun! A little hughman quote to end the week...
Microsoft Corp. may take the most heat on security vulnerabilities, but other software vendors need to catch up when it comes to dealing with flaws found in their products, according to users and analysts interviewed last week.

“Their biggest problem now is trying to get past all of the negative legacy perceptions,” said Hugh McArthur, director of information systems security at Chantilly, Va.-based Online Resources Corp., which offers online banking and bill payment services to the financial industry. McArthur added that he would give Microsoft “an A for effort and a B+ for execution” on security issues.

Fridays are for Fun - But Watch Your Step...

www.biyosecurity.be

Thursday, January 19, 2006

Annual FBI Computer Crime Survey

The FBI has just released its 2005 Computer Crime Survey, and I don't think you will find any surprises...

One item that did catch my attention was that according to the survey "Just 9% of the participants said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies."

I think the issue here is the general lack of understanding of what a threat is, how to judge what should be reported and/or why even bother at all...

Today the PC virus celebrates its 20th Anniversary

The PC virus celebrates its 20th year of existence following the detection back in January '86 of the boot sector virus, Brain, which infected computers via floppy disk. While the virus Brain itself was relatively harmless, it set in motion a long chain of events leading up to today’s virus situation.

Boot sector viruses, now long extinct along with the floppy disk, held a relatively long reign from 1986 to 1995. Since transmission was via disk from computer to computer, infection would only reach a significant level months or even years after its release. This changed in 1995 with the development of macro viruses, which exploited vulnerabilities in the early Windows operating systems. For four years, macro viruses reigned over the IT world and propagation times shrank to around a month from the moment when the virus was found to when it was a global problem.

Blacklisted411 - Online Edition 4 - 01.16.2006

Established over 20 years ago in October of 1983 as the first disk based hacker underground magazine (e-zine), Blacklisted 411 has become not only one of the oldest of the hacker quarterlies available today, but has positioned itself as the top selling print magazine in its market.

Wednesday, January 18, 2006

hacker. (towards an understanding of a word and a concept)

A very interesting site examining the hacker mythology and history.

Parrot Spilled the Beans and got the Boot

Having a Parrot might be a good home security investment. However, seems like being a whistle blower still has its risks...

Somewhere in Yorkshire, there lurks a proverbially nauseous parrot. Ziggy, an eight-year-old African Grey, had provided Chris Taylor with years of companionship until the fateful day when he opened his beak to mimic his owner's girlfriend and squawked out one word: Gary.

Ziggy's obsession with his latest impression grew and he began uttering "Hi Gary!" every time Suzy Collins' mobile phone rang. Chris's suspicions deepened after Ziggy started to make long kissing noises whenever he heard the name Gary on television or the radio.

Things between Chris and Suzy finally came to a head the night Ziggy decided to blurt out: "I love you, Gary" in her voice.

When Chris confronted Suzy about his pet's obsession, she admitted to having had a four-month affair with Gary, a former colleague.

Unable to bear the verbal taunts of his faithful bird, the 30-year-old computer programmer gave Ziggy to a local parrot dealer and asked him to find him a new home.

Tuesday, January 17, 2006

Russian Ultranationalist Party Says Hackers Could Help Fight Terror

Hey, maybe if these guys get day jobs they will leave the rest of us alone... (not)
Russia’s ultranationalist Liberal Democratic Party has called for enlisting services of computer hackers to fight extremism and terrorism.

A statement released by the party and obtained by the Interfax news agency on Tuesday read that hackers “should be widely involved in thwarting pro-terrorist and pro-extremist websites and encouraged to take part in such activities.”

Whatever the public attitude towards those individuals, “the Internet is the domain where hackers are omnipotent,” the statement reads. Therefore, their services should be enlisted to fight terrorism. “A hacker attack is a strong weapon that may be used not only for breaking into bank accounts or performing other illegal actions, but also for the benefit of the nation and the state,” the LDPR activists are convinced.

LDPR is led by Vladimir Zhirinovsky, deputy chairman of the State Duma, the lower house of Russian parliament. Zhirinovsky rose to prominence as a flamboyant politician, notorious for his extravagant ideas and eccentric behavior.

Covers come off UK Spy Plane

Raven, Corax, and DarkStar... I just posted this because of all the cool names...

Images of the UK's first prototype stealth surveillance aircraft have been unveiled.

The unmanned vehicle, which has been built by BAE Systems, is known as the Corax, or as the Raven.

The Corax bears some resemblance to a cancelled US military spy plane called DarkStar, analysts have said.

Jane's International Defence Review said the unmanned aircraft "indicated a new direction in combat vehicles for the UK's armed forces".

Monday, January 16, 2006

Insecurities of Online Banking

Symantec's Candid Wüest has done some interesting research on the insecurities of e-banking, and a nice job of comparing the different security measures next to one another. His slides also provide a lot of useful info on the topic.

More info on the topic can also be found at:

Why eBanking is Bad for your Bank Balance
Risk Management Principles for Electronic Banking

Google + Public Knowledge + Sex Offenders

Enter your address and it will show your house on a map. All the little colored boxes are Sex Offenders near you. Click on them and you get a name, address & picture of the person along with his crime. It also shows you where they live in proximity to your home and the local schools...

Sunday, January 15, 2006

OpenRCE

Founded in June of 2005 as the brainchild of Pedram Amini, the Open Reverse Code Engineering community was created to foster a shared learning environment among researchers interested in the field of reverse engineering. Heavily modeled on the architecture of Greg Hoglund's rootkit.com, OpenRCE aims to serve as a centralized resource for reverse engineers (currently heavily win32/security/malcode biased) by hosting files, blogs, forums, articles and more.

Saturday, January 14, 2006

ShmooCon 06

Just an all around great con/event! After spending all day Saturday at the Wardman Park Marriott I can tell you that there is not a better security event for your $s anywhere...

Compared to what you get for your money at say a SANS and/or a CSI event, ShmooCon is the clear winner.

The Post's Brian Krebs was quick to cover Simple Nomad's chat on "Hacking the Friendly Skies".

Fyodor did a great presentation on Nmap, a copy of his slides and a special ShmooCon dist can be found here.

I also liked kaos.theory and their Anonym.OS LiveCD. Anonym.OS is an OpenBSD 3.8 Live CD with strong tools for anonymizing and encrypting connections. Standard network applications are provided and configured to take advantage of the tor onion routing network. You can download it here.

Charlie Brown's Philosophy About Security

Charlie Brown and Peppermint Patty are sitting under a tree. Peppermint Patty asks Charlie Brown, "What do you think security is, Chuck?"

Charlie Brown: Security is sleeping on the back seat of the car when you're a little kid, and you've been somewhere with your mom and dad, and it's night, and you're riding home in the car, asleep. You don't have to worry about anything. Your mom and dad are in the front seat and they do all the worrying. They take care of everything.

Peppermint Patty: That's real neat.

Charlie Brown: But it doesn't last. Suddenly you're grown up, and it can never be that way again!

Peppermint Patty: Never?

Charlie Brown: Absolutely never.

Peppermint Patty (horrified): Hold my hand, Chuck!

Friday, January 13, 2006

Forged Credentials and Security - Crooks Flashing Fake Badges

There doesn't seem to be an easy way to solve this. How do we effectively authenticate individuals? Especially when people aren't trained to do so...

When Frank Coco pulled over a 24-year-old carpenter for driving erratically on Interstate 55, Coco was furious. Coco was driving his white Chevy Caprice with flashing lights and had to race in front of the young man and slam on his brakes to force him to stop.

Coco flashed his badge and shouted at the driver, Joe Lilja: "I'm a cop and when I tell you to pull over, you pull over, you motherf-----!"

Coco punched Lilja in the face and tried to drag him out of his car.

But Lilja wasn't resisting arrest. He wasn't even sure what he'd done wrong.

"I thought, 'Oh my God, I can't believe he's hitting me,' " Lilja recalled.

It was only after Lilja sped off to escape -- leading Coco on a tire-squealing, 90-mph chase through the southwest suburbs -- that Lilja learned the truth.

Coco wasn't a cop at all.

He was a criminal.

Fridays Are For Fun! - Surveillance Video

When the masked man came into the Bethlehem gas station Tuesday night, pointed a knife at him and demanded cash, Kuldip Singh took only a second to realize he was tired of being robbed and was going to fight back.
''Oh, I'll give you the money,'' the store clerk said in mocking tones as he grabbed a wooden baseball bat and swung it at the would-be robber. Singh then charged from behind the counter, hitting the man six times in the head and shoulders before he ran off.

Wish some of the folks on the softball team could hit like this... Video from surveillance camera of an attempted robbery of the Bethlehem (Pa.) Exxon on Tuesday, Jan. 10.

Thursday, January 12, 2006

Department of Homeland Security Promotes Vendor Video

The January 4, 2006 Dept. of Homeland Security Daily Infrastructure Report highlighted a free online vendor video that shows the viewer the tools and procedures they need to hack into a person's computer, as well as the vendor's solutions/products.

The video is interesting and probably worth a viewing, but what bugs me about this is that DHS is basically giving a free ad/plug for a particular vendor...

Wednesday, January 11, 2006

Burned CDs Last 5 years Max -- Use Tape?

Where is the Beef? It would be nice to have some stats, test results, etc...

Although opinions vary on how to preserve data on digital storage media, such as optical CDs and DVDs, Kurt Gerecke, a physicist and storage expert at IBM Deutschland GmbH, takes this view: If you want to avoid having to burn new CDs every few years, use magnetic tapes to store all your pictures, videos and songs for a lifetime.

But from the land of big glasses and smart dudes we get some different info...

NIST has found that recordable disks seem to last much longer than rewritable disks, Byers said, and even longer than manufactured disks such as CDs for installing commercial software.

General industry guidelines now estimate office-burned copies of CDs and DVDs could remain readable for 100 to 200 years.

Tuesday, January 10, 2006

Home Security - Flaming Mouse Burns Down House

Damn and it's not even Friday...

FORT SUMNER, N.M. -- You've probably heard of a house fire, but how about a "mouse fire?"

An 81-year-old Fort Sumner homeowner said he caught a mouse inside his house and just wanted to get rid of it.

The man threw the critter in a pile of burning leaves near his home, but it ran back to the house on fire.

Village Fire Chief Juan Chavez said the mouse ran to just beneath a window and the flames spread up the window and throughout the house.

All contents of the home were destroyed, but no injuries were reported, Chavez said.

Unseasonably dry and windy conditions have charred more than 53,000 acres and destroyed 10 homes in southeastern New Mexico in recent weeks.

Monday, January 09, 2006

US-CERT: 5,198 Software Flaws in 2005

Security researchers uncovered a record 5,198 vulnerabilities in software products this year, nearly 38 percent more than the number of flaws found in 2004, according to statistics published by US-CERT, a cyber security information-sharing collaboration between the Department of Homeland Security and the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

Data Mining 101: Finding Subversives with Amazon Wishlists

Tom Owad at applefritter.com has posted a detailed story on how he was able to use Amazon wishlists to profile thousands of people. By using the search function at Amazon, he accessed and downloaded over 260,000 publicly-available wishlists. He then searched the lists for "suspicious" books and authors, including Fahrenheit 451, Michael Moore, Rush Limbaugh, the Koran/Quran and, of course, Build Your Own Laser, Phaser, Ion Ray Gun and Other Working Space Age Projects.

At this point, Tom had a list of Amazon usernames and had identified any "suspicious" books and authors that appeared on each user's wishlist.

But there was still more to do. Amazon allows a user to include their city and state information on their wishlist, so Tom had the information to take it to the next level: plotting his suspects on a Google map.

Starbucks Little Secret

Here's a little secret that Starbucks doesn't want you to know: They will serve you a better, stronger cappuccino if you want one, and they will charge you less for it. Ask for it in any Starbucks and the barista will comply without batting an eye. The puzzle is to work out why...

Saturday, January 07, 2006

Personal Security - USMC: Armor Shortfalls

A recent United States Marine Corps forensic study slams the Interceptor OTV body armor system, claiming "as many as 42% of the Marine casualties who died from isolated torso injuries could have been prevented with improved protection in the areas surrounding the plated areas of the vest. Nearly 23% might have benefited from protection along the mid-axillary line of the lateral chest. Another 15% died from impacts through the unprotected shoulder and upper arm," the report says.

Tuesday, January 03, 2006

Demonstration of WMF File Code Execution Vulnerability

Want to see how bad this latest Windows vulnerability is first hand? Have a look a this video by IronGeek.
Copyright 2018 e2e Security. Powered by Blogger. Blogger Templates created by Deluxe Templates. WP by Masterplan