
Sunday, April 01, 2007
KcPentrix 2.0: LiveDVD
Kcpentrix is based on SLAX 5, a Slackware live DVD.
Saturday, March 31, 2007
2006 Operating System Vulnerability Summary
"The summarized coverage of 2006 vulnerabilities by SANS showed the most prevalent attack vectors were not directly against the operating systems themselves.4 However, this article approaches the operating system as an entity in and of itself for analysis of only the vulnerabilities of core features. As such, vulnerability scans were conducted against 2006's flagship operating systems in various configurations to determine weakness from the moment of installation throughout the patching procedure. From Microsoft, testing included Windows XP, Server 2003 and Vista Ultimate. Examinations against Apple included Mac OS9, OSX Tiger and OSX Tiger server.5 Augmenting Apple's UNIX representation, security tests were also performed on FreeBSD 6.2 and Solaris 10. Rounding up the market share, Linux security testing included Fedora Core 6, Slackware 11, SuSE Enterprise 10 and Ubuntu 6.10. Before delving into the specifics of the vulnerabilities, it is helpful to understand the security scene of 2006."
Thursday, March 29, 2007
A Security Vendor Don't

RenderMan noticed this and happened to have a USB toolkit in his pocket. He was subsequently able to plug his USB key into the string of USB hubs unnoticed and retrieved it a bit later after it had collected password files and other assorted goodies.
The whole event was relayed to the entire audience at the closing ceremonies. It's a nice lesson on what not to do when exhibiting at events such as a "hacker" con...
Wednesday, March 28, 2007
Firefox Add-on - Tamper Data
Tuesday, March 27, 2007
Sunday, March 25, 2007
ShmooCon 07 - Day 3
While his talk didn't really focus on Online Banking that much, it was a good primer on non-evasive testing of web facing applications. Chuck fits the Mandiant profile - clean cut - smart guy... The tool that Chuck used in many of his examples is Paros. His slides should be posted on his site soon.
I also sat in on Joel Bruno and Eric Smith's (PSKL) talk - VOIP, Vonage, and Why I Hate Asterisk. They have done some neat work on RTP playback and in particular Vonage VOIP calls. You can find the SIPinator v1.0 code here. They also made a nice/funny commercial for ShmooCon.
The work the folks at the OLPC project are doing is way cool. Not going into details here, but check them out.
Quick Summary -
Can't say enough about what a great value ShmooCon is and while not every session was exceptional, the event as a whole was. More highlights in the coming days as I parse thru notes etc...
Saturday, March 24, 2007
ShmooCon 07 - Day 2

The rest of the day was good - any Shmoo day is a good day...
One session was a bit different - Michael Schearer from The Church of WiFi presented: A Hacker in Iraq. A Naval Flight Officer - theprez98 talked about his experiences during his 9-month tour in Iraq embedded with Army units on the ground. He put his expertise in electronic warfare to good use against the biggest threat to coalition forces - the improvised explosive device (IED).
He also mentioned how one of the best sources of real news from the war is the military blogs.
The Hacker Arcade was in full swing today along with Deviant and company's lock picking area. There are a couple of Nitro boxes running in the conf. NOC - wonder who gave them that idea.
Some of the security podcast folks were recording - I saw the CyberSpeak folks in action... look for Shmoo reports from Sploitcast and Hak.5.
More fun on Sunday...
Friday, March 23, 2007
ShmooCon 07 - Day 1
Eoin Miller and Adair Collins' Auditing Cached Credentials with Cachedump and Johnny Long's No-Tech Hacking were probably my two favorites. Johnny's no-tech hacking talk was excellent in both content and presentation. A good deal of it focused on physical security and on demonstrating what an important hacking tool the power of observation can be.
Aviel Rubin ended things nicely with an excellent keynote. A copy of his presentation can be found here.
Dr. Rubin vs. Dr. Cole... my money is on Dr. Rubin
Thursday, March 22, 2007
Tool Time - Nessj

Get it here.
Wednesday, March 21, 2007
Top 10 U.S. Government Web Break-ins of All Time
Tuesday, March 20, 2007
Identity Theft is Getting more Businesslike

Via their semiannual Internet Security Threat Report - Symantec reported that much of the malicious computer code they identified was compiled, or translated into usable software, during standard, 9-to-5 work shifts in the country of origin.
"The hobby-horse hacker is a thing of the past. These guys work business hours,'' Huger said. "It's pretty organized, which is the scary part. Now we're seeing a well-oiled machine for stealing data.''
Among the other items reported was that China had 26 percent of the world's bot-infected computers, more than any country, a statistic mostly explained by the torrid growth of the Chinese technology industry. Also noted was that more than half of all underground economy servers known to Symantec were based in the United States.
However, a recent report from Symantec competitor McAfee tells us that Internet domains from Romania, Russia, and the tiny island of Tokelau are among the riskiest.
What we do know is that phishing and spam is up... now apparently we just need a way to figure out where it is coming from. Unfortunately it is more often the destination that counts, not the journey and the US might be the way and/or the means, but it certainly isn't the end.
Sunday, March 18, 2007
Super Bowl Hack?

"To promote the new ZUG book, PRANK THE MONKEY, we wanted to show how easy it would be to broadcast a secret terrorist message not just on national TV, but on TV's biggest event. "
Saturday, March 17, 2007
Friday, March 16, 2007
Friday Fun - WiFi Vibrator

Hackers get bum rap for corporate America's digital delinquency
If Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame.
Howard and Erickson also found that:
- Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches.
- Likely as a result of California's law and similar legislation adopted by other states, the number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases).
- The education sector, primarily colleges and universities, amounted to less than 1 percent of all lost records, but accounted for 30 percent of all reported incidents.
Wednesday, March 14, 2007
File-sharing Software could Jeopardize National Security
"This report also reveals that these filesharing programs threaten more than just the copyrights that have made the United States the world’s leading creator and exporter of expression and innovation: They also pose a real and documented threat to the security of personal, corporate, and governmental data."
"But such condemnations just beg a more fundamental question: Why do children, grandparents, and poor single mothers end up sharing hundreds or thousands of infringing files inadvertently?"
Tuesday, March 13, 2007
The Silver Bullet Security Podcast

On the 12th episode of The Silver Bullet Security Podcast, Gary talks with Becky Bace, Advisor to Venture Capital firm Trident Capital. Becky spent twelve years at the NSA working on intrusion detection and cryptography from 1984 until 1996, followed by a stint at Los Alamos National Laboratory. Gary and Becky discuss growing up in rural America, explosives, and Becky’s Jimmy Hoffa sponsored college funding situation. They also talk about the evolution of security curricula in academia, rampant commercialization of computer security, Becky’s involvement in tracking down the notorious Kevin Mitnick, vicodin-induced creativity, and eclectic music.
French Pick Ubuntu
When French MPs and their assistants return from their summer break this June, they will conduct parliamentary business on PCs running Ubuntu. From the next session of parliament, 1,154 desks will feature the Linux-based PCs.
More here.
Friday, March 09, 2007
The 50 Most Important People on the Web

Personal favorites:
31. Bruce Schneier - Cryptographer
32. Kevin Rose - Founder, Digg
47. Leo Laporte - Creator, This Week in Tech (TWiT) podcast
Who did they miss?
Thursday, March 08, 2007
Independent Comparatives of Anti-Virus software
Surprise! Microsoft's OneCare was on the bottom of the list...
BTW when was the last time you had a virus on your system? Seems that a little common sense can go a long way in keeping a system clean, but don't tell the AV vendors that.
Network Information with Javascript
Sunday, March 04, 2007
Police use MySpace

As police continue searching for a suspect in four bank robberies across Arkansas, one local department has taken the unusual step of creating the man a profile on the social networking Web site MySpace, hoping someone will recognize him.
Story here.
Saturday, March 03, 2007
True? BBC Reported Building 7 Had Collapsed 20 Minutes Before It Fell

More here.
Friday, March 02, 2007
Friday Fun - School Security
As authorities stormed into a middle school office to arrest an alleged meth-dealing principal inside, they found an even more surprising scene inside.
Sources said 50-year-old John Acerra, of Allentown, was naked and watching gay pornography when they arrived at Nitschmann Middle School in Bethlehem to arrest him on Tuesday.
Acerra also had sex toys, drugs, cash and a pipe in his school office when authorities stormed his office, the sources added.
Story here.
Wednesday, February 28, 2007
What a day...
- Air Force Officer Found Guilty of Raping 4 Men
- Miracle U.K. Baby Comes Back From the Dead
- Rats Chew Off Newborn Baby's Nose, Upper Lip in Kansas City, Mo., Apartment
- Human Head, Hand Found Along San Diego Freeway After Unidentified Body Found in River
- Wolfgang Puck Catering May Have Exposed Sports Illustrated's Swimsuit Issue Party Revelers to Hepatitis
Monday, February 26, 2007
Sunday, February 25, 2007
Hacking with Metasploit on a Nokia N800
"It's not as fast as a laptop but it's still pretty quick," Maynor said, explaining that he was able to break into a Windows 2000 SP4 server using a Metasploit exploit.
David's blog here.
Saturday, February 24, 2007
Lab Rats! Episode 61: Windows Security 101
Episode 61: Windows Security 101
Release date: February 19, 2007
In episode 61, Andy and Sean show you how to tighten security on Windows XP and Vista PCs.
Friday, February 23, 2007
Friday Fun - Foul-mouthed CDs get Blown in Church

Authorities determined the music players were not dangerous and kept the third one to check it for clues, said police Capt. Gary Johnson.
The CD players, duct-taped to the bottoms of the pews, were set to turn on in the middle of noon Mass on Wednesday at the Roman Catholic Cathedral Basilica of St. Francis of Assisi.
More here.
Wednesday, February 21, 2007
Home Security - When one sword in hand deserves another...

"It was a woman screaming," he recalled Tuesday. "She was screaming for help."
Sword in hand, he bounded up the stairs, kicked in the door and confronted a man who turned out to be alone - watching a pornographic movie.
"Now I feel stupid," Van Iveren said.
Worse yet, police seized his sword - a family heirloom - carted him to jail and referred the case to a prosecutor who charged Van Iveren with three criminal counts.
Full story here.
Tuesday, February 20, 2007
Smokers may be the weak IT security link
The company hired NTA to test if it was possible to get inside the premises without proper identification, Hills said. The penetration tester waited until the smokers finished their break, then slipped in through the unlocked door, which wasn't the main one but publicly accessible.
The tester -- who skirted past other employees by saying the IT department had sent him -- made his way to a meeting room, where he hooked up his laptop to the company's VOIP (voice over Internet Protocol) network, Hills said. The tester could have launched a denial-of-service attack or intercepted phone calls.
The Silver Bullet Security Podcast #11
Get it here.
Sunday, February 18, 2007
Product Spotlight - USB Keylogger

2 Megabytes (16 Mbit) over 2,000,000 keystrokes
(around 1 year's worth of intensive typing)
This keystroke recorder has up to 8 Megabytes memory capacity, organized into an advanced flash file system. Super fast data retrieval is achieved by switching into Flash Drive mode for download. Completely transparent for computer operation, no software or drivers required. Supports national keyboard layouts.
Buy it here.
Saturday, February 17, 2007
Missing FBI Laptops Still a Problem

Three or four FBI laptop computers are lost or stolen each month and the agency is unable to say in many instances whether information on the machines is sensitive or classified, the Justice Department's inspector general said Monday.
Of the 160 laptops lost or stolen over a 44-month period, 10 contained sensitive or classified information. The bureau did not have records on whether 51 others contained such data.
In a report five years ago, the inspector general said 354 weapons and 317 laptop computers were lost or stolen during a 28-month review.
Full Story from the AP here.
Home Security - Apparently TV can Kill You!

Mummified body found in Hampton Bays home
Southampton police responding to burst water pipes in a Hampton Bays home found the mummified body of the owner -- dead for more than a year -- sitting in a chair in front of a television, officials said Friday.
The television was still on.
Vincenzo Ricardo, 70, appeared to have died of natural causes in his home on Wakeman Road, said Dr. Stuart Dawson, Suffolk deputy chief medical examiner.
The medical examiner's office considered his body mummified because the lack of humidity in his home preserved his features, morgue assistant Jeff Bacchus said.
Full Story.
Judge Limits New York Police Taping
In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled yesterday that the police must stop the routine videotaping of people at public gatherings unless there is an indication that unlawful activity may occur.
Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups.
In yesterday’s ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.
NY Times story here.
Friday, February 16, 2007
Friday Fun - Batman Sighting Puts Schools on Lockdown

More here.
Wow, lockdown.... Holy panic Batman!
Thursday, February 15, 2007
Fine for Stolen Laptop
The fine follows the theft of a laptop from a Nationwide employee's home which contained confidential customer data.
The Financial Services Authority (FSA) found security was not up to scratch after the man had put details of nearly 11 million customers on his computer.
The FSA also found that the Nationwide did not start an investigation until three weeks after the theft occurred.
Full story here.
Do you think fines on this side of the pond would help?
Wednesday, February 14, 2007
Substitute Teacher Faces Jail Time Over Spyware
A 40-year-old former substitute teacher from Connecticut is facing prison time following her conviction for endangering students by exposing them to pornographic material displayed on a classroom computer.
Brian Krebs from the Washington Post has an update on the case here.
Tuesday, February 13, 2007
Hiatus is over, posting returns....
TRENTON, Ohio -- Two Edgewood High School students were arrested Thursday and accused of hacking into the school district’s Web site to schedule an unplanned – and unauthorized – snow day.
School officials had originally planned a one-hour delay for Monday morning, following an established procedure, so they were surprised to see an announcement Sunday night that classes were canceled.
Full story here.
"I asked for a car, I got a computer. How's that for being born under a bad sign?" - Ferris Bueller
Saturday, February 03, 2007
Hak5 Episode 2×07 LIVE February 3rd
The folks from hak5 will be broadcasting live today...
We’re excited to be announcing that episode 2×07 will be broadcasted LIVE over the Internets this February 3rd at 3:00 PM EST (-5 GMT). This schedule should work better for our European viewers.
We welcome you to sign up at hak5.org/live if you have a question for the cast and would like to be a guest on the show. There you can also find information on the stream and connecting.
Friday, February 02, 2007
Friday Fun - Humvee driving in Iraq
On the one hand, the story with this video says that American soldiers have to drive like this to limit the risk of attack. Some in the comments say it's arrogant, and it’s no wonder Iraqis hate Americans. Others say if the driver slows down, gunfire would start, and that's not safe for anyone. What do you think?
Thursday, February 01, 2007
Monday, January 29, 2007
Securing a 'Buzz' - Just what the Doctor Ordered...
Dr. Robert Bohannon wants you in his world. It's fast, upbeat, jovial and driven by caffeine -- lots of it.
But four to six cups of coffee a day aren't enough for Bohannon. And he believes others share his need for more options when it comes time to pursue that caffeine buzz.
So the molecular scientist who moonlights as a café owner developed a way to add caffeine to baked goods, one that eliminates the natural, bitter taste of caffeine.
"This gives people the opportunity if they want to have a glass of milk and want to have caffeine. It will get them going," Bohannon said.
The amount of caffeine in his creations can vary, but Bohannon can easily put 100 milligrams of caffeine -- the equivalent of a 5-ounce cup of drip-brewed coffee -- into the treats he plans to market under the "Buzz Donuts" and "Buzzed Bagels" names.
Full story here.
X-ray cameras 'see through clothes'

The Government is considering installing X-ray cameras on lampposts to spot armed terrorists and other criminals.
According to a leaked memo seen by The Sun, "detection of weapons and explosives will become easier" if the scheme drawn up by Home Office officials is adopted.
However, officials acknowledged that it would be highly controversial as the cameras can "see" through clothing.
"The social acceptability of routine intrusive detection measures and the operational response required in the event of an alarm are likely to be limiting factors," the memo warned.
"Privacy is an issue because the machines see through clothing."
Full story here.
Sunday, January 28, 2007
Kaspersky Lab releases an article about Vista and security
You can read the full version of the article, Vista vs. Viruses, on Viruslist.com.
Saturday, January 27, 2007
National Security
While you were sleeping (Bush took over the Government)
United States President stealthily took over the Federal Government last week through a new executive order last week that takes away all autonomy from Agencies, according to public interest organizations.
The order amends a series of previous executive orders that culminated in Executive Order No. 12,866, which the White House has used to give itself the power to review regulations before they can be officially published in the Federal Register.
Full story here:
Friday, January 26, 2007
Some "Brief" Friday Fun

The "Brief Safe" is an innovative diversion safe that can secure your cash, documents, and other small valuables from inquisitive eyes and thieving hands, both at home and when you're traveling. Items can be hidden right under their noses with these specially-designed briefs which contain a fly-accessed 4" x 10" secret compartment with Velcro closure and "special markings" on the lower rear portion. Leave the "Brief Safe" in plain view in your laundry basket or washing machine at home, or in your suitcase in a hotel room - even the most hardened burglar or most curious snoop will "skid" to a screeching halt as soon as they see them. (Wouldn't you?) Made in USA. One size. Color: white (and brown).
To add realistic smell, check out "Doo Drops".
Thursday, January 25, 2007
One Hacker Kit Accounts For 71% Of Dec Attacks
Exploit Prevention Labs launched a line of exploit detection tools -- LinkScanner Lite and LinkScanner Pro -- in November. The former is free, while the latter is priced at $19.99 for a one-year subscription.
More info here:
Tuesday, January 23, 2007
Low Tech Fix for High Tech Problem

Monday, January 22, 2007
The Silver Bullet Security Podcast



Sunday, January 21, 2007
Aircrack-ng 0.7 is Released
Aircrack-ng is the next generation of aircrack with lots of new features (planned and wanted).
Saturday, January 20, 2007
Risky Business - Greynets
A new FaceTime study reports -
2007's Biggest Risk: Employees Undermining Corporate Security
The danger of this new breed of malware is compounded by the increasingly risky behavior of today's employees, who frequently introduce consumer greynet applications onto the corporate network - most often without the sanction of their IT department. The user is squarely at the cornerstone of enterprise security concerns, according to FaceTime's Second Annual Greynets Survey (October, 2006). The survey revealed that:
- Four in ten end users (39%) believe they should be allowed to "install the applications they need on their work computers," independent of IT oversight or policy.
- Fifty-three percent of end users report they "tend to disregard" company policies that govern greynet usage, specifically IM and peer-to-peer file sharing.
- Eight in ten IT managers are at locations that have experienced greynet-related attacks within the last six months.
- The number of greynet applications installed on a typical enterprise network has increased dramatically; work locations where eight or more greynet applications are in use have doubled, growing from 20 percent of all locations in 2005 to 41 percent in 2006.
- Sixty percent of managers report that within the past six months, security attacks have been more likely to have invisible effects (like keyloggers) rather than outcomes apparent to the end user, such as a hijacked browser, making compromised PCs more difficult to detect.
Friday, January 19, 2007
Swedish bank hit by 'biggest ever' online heist
One - this wasn't an online bank heist, this was just a plain old dumb user heist.
Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus applications on their computers.
Two - why should the bank be responsible for this? If I break into your house and steal your checkbook and/or a credit card, is the bank responsible? How is this different?
Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea's security procedures.
"It is more of an information, rather than a security problem," said Ehlin. "Codes are a very important thing. Our customers have been cheated into giving out the keys to our security, which they gave in good faith."
The bank has borne the brunt of the attacks and has refunded all the affected customers.
Thursday, January 18, 2007
RF Jammer

This website details the design and construction of Wave Bubble: a self-tuning, wide-bandwidth portable RF jammer. The device is lightweight and small for easy camouflaging: it is the size of a pack of cigarettes.
Lost HOPE?
HOTEL PENN THREATENED WITH DEMOLITION - HOPE CONFERENCES IN JEOPARDY
We received this disturbing news earlier in the month. Apparently the realty company that owns the Hotel Pennsylvania, site of our HOPE conferences, wants to tear down the historic hotel and replace it with a huge financial tower. Such a move could spell the end of HOPE.
The Hotel Pennsylvania was built in 1919 and has a very rich history. It has been home to many a "big band" concert in its early years and was the inspiration for the famous Glenn Miller song "PEnnsylvania 6-5000," a phone number that still rings at the Hotel Pennsylvania switchboard. The building itself, as any HOPE attendee knows, is filled with hidden corridors, rooms, and even floors. Being right across the street from Penn Station (New York's main train station), it's extremely easy to get to for those coming to New York for the first time. And because it's not an overly expensive place to stay, it's proven very popular for travelers from all over the world.
We've hosted five HOPE conferences at the Hotel Pennsylvania since 1994 and the next one is set for 2008. In preparation for this, and to discuss the fate of the hotel among other things, we are today launching a web-based forum for all things HOPE-related. You can reach this brand new forum at talk.hope.net.
Wednesday, January 17, 2007
Secure Relationship?
1 in 8 men would dump their girlfriend for an iPod
Yes, this is a fairly silly survey conducted on behalf of a company that wants you to use it to buy more gadgets. But still, the fact that one in eight men would apparently consider swapping their partner for the latest iPod, widescreen TV, home cinema system or fridge freezer is pretty shocking.
Tuesday, January 16, 2007
Verisign's ongoing Quarterly Vulnerability Challenge
Vulnerability Challenge Ground Rules:
- The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above
- The vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied
- 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge
- The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party
- The vulnerability cannot be caused by or require any additional third party software installed on the target system
- The vulnerability must not require additional social engineering beyond browsing a malicious site
Sunday, January 14, 2007
Security Now 74: Peter Gutmann On Vista Content Protection

Saturday, January 13, 2007
Personal Security - Dirty Hospitals

Of every 20 people who go into a U.S. hospital, one of them picks up something extra: an infection. It's a lousy card to draw. Infection stalls recovery, sometimes requiring weeks of intravenous antibiotics or a grueling round of surgeries to remove infected tissue. And for 90,000 Americans a year, the infections are a death sentence.
Full story here.
Friday, January 12, 2007
WTF or TGIF... It's Friday - Teacher found guilty of exposing kids to smut

The six-person jury Friday may have been wondering the same thing when they convicted Amero, 40, of Windham of four counts of risk of injury to a minor, or impairing the morals of a child. It took them less than two hours to decide the verdict. She faces a sentence of up to 40 years in prison.
Full story here.
Those poor kids! I imagine they will be scarred for life and their morals impaired forever...
Thursday, January 11, 2007
Secure World? Not
The surge in troops will do nothing to change the underlying dynamics that continue to drive the violence in Iraq: deep-seated religious, ethnic, and tribal divisions and hatreds; and a high and rising level of antipathy among Iraqis across the sectarian divide towards the continuing occupation of their country by Western armies...
Wednesday, January 10, 2007
Bedtime reading...
Metaeye defines itself as metamorphic security that relates to definite change in the structural components of computer security with the passage of time and to incarnate itself by providing protective and innovative solutions. The Metaeye generically sets an element of metamorphism to this present security world.
Did the NSA Fix Vista?

When Microsoft introduces its long-awaited Windows Vista operating system this month, it will have an unlikely partner to thank for making its flagship product safe and secure for millions of computer users across the world: the National Security Agency.
For the first time, the giant software maker is acknowledging the help of the secretive agency, better known for eavesdropping on foreign officials and, more recently, U.S. citizens as part of the Bush administration's effort to combat terrorism. The agency said it has helped in the development of the security of Microsoft's new operating system -- the brains of a computer -- to protect it from worms, Trojan horses and other insidious computer attackers.
Full story here.
That's Nice... Do Something That Looks Illegal, But Isn’t, Then Sue
A U.S. college student imprisoned for three weeks for trying to take flour-filled condoms onto an airplane has settled her lawsuit against Philadelphia for $180,000, a city spokesman said on Friday.
Janet Lee, 21, a student at Bryn Mawr College in Pennsylvania, was arrested at Philadelphia International Airport in 2003 after police and security officials thought the flour was an illegal drug.
She was held in Philadelphia on drug-trafficking charges and released only when tests proved the substance in the three condoms was flour.
The condoms, which are sometimes used to smuggle drugs, were a joke among the students, and Lee was taking them home to Los Angeles.
Her civil rights case against Philadelphia, which had been set to go to trial on Thursday, was settled for $180,000, said Ted Qualli, spokesman for Philadelphia Mayor John Street.
Tuesday, January 09, 2007
System/Software Inspection Tool
Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.
Sunday, January 07, 2007
ShadowServer
Their recent Bot numbers here.
Early Warning Bark Worse Than Bite

An Israeli firm has designed a security system to ensure jailbreakers or intruders find a guard dog's bark can indeed be worse than its bite.
Harnessing technology that interprets barking -- to see if an animal is responding to a threat instead of just routinely woofing -- the company aims to replace or supplement expensive electronic surveillance systems.
"There is currently very little utilisation of the watchdog's early warning capabilities," says privately owned manufacturer Bio-Sense Technologies, based in the Israeli town of Petah Tikva, on its Web site.
Friday, January 05, 2007
Life and Death? Medical Identity Theft
When Lind Weaver opened her mailbox one day in early 2004, she was surprised to find a bill from a local hospital for the amputation of her right foot. Surprised because the 57-year-old owner of a horse farm in Palm Coast, Fla., had never had worse than an ingrown toenail.
WikiLeaks
WikiLeaks is developing an uncensorable version of WikiPedia for untraceable mass document leaking and analysis. Our primary targets are highly oppressive regimes in China, Russia, central eurasia, the middle east and sub-saharan Africa, but we also expect to be of assistance to those in the west who wish to reveal unethical behavior in their own governments and corporations.
More Friday Fun with Tasers!
Friday Fun - Police hold camel over murdering a buffalo!

Abdul Waris Ali Shah, a resident of the area, had tied up his camel he had bought for Rs 38,000 for sacrifice. Sometime later, another resident of the same area Gulfam tied his sacrificial buffalo near the camel.
In the night, the camel fell upon the buffalo, bit the latter in the chest and gave it numerous blows with its front legs and killed it.
The other day, when Gulfam reached the spot to pick up his buffalo, he found it dead and rushed to the nearby police station to lodge an FIR against Abdul Waris.
And, interestingly, the police took the camel into custody, apparently for murdering the fellow mammal!!
Thursday, January 04, 2007
Domaintools.com
Check them out here.
Wednesday, January 03, 2007
Computer Hacker Steals $150,000 from Portage County Clerk of Courts Office
"With computers today you don't have to be anywhere close to the scene to commit some serious thefts. The ability to bank electronically is a major convenience to us but a huge security risk," said Stevens Point Police Chief Jeff Morris.
The chief advises that if you have an online bank account, check it daily. Also beware of people asking for your PIN, Social Security number or other information over the Internet.
Tuesday, January 02, 2007
Detecting temperature through clock skew
Even if that computer moves location and changes ISP, it can be later identified through this clock skew. In addition to varying between computers, clock skew also changes depending on temperature. Thus a remote attacker, monitoring timestamps, can make an estimate of a computer's environment, which has wide-scale implications on security and privacy.
Monday, January 01, 2007
Secure Future - Toddler Found Playing Along Busy Highway

(12-31) 12:22 PST Indianapolis (AP) --
Drivers swerved cars and trucks into other lanes to avoid a 3-year-old boy, wearing only a diaper and T-shirt, who was playing along a busy highway after wandering away from home while his mother slept, police said.
Some motorists stopped along Interstate 465 on the city's west side Saturday to take care of the boy until officers arrived, the Indiana State Police said.
Police said they traced the toddler to an apartment at a nearby complex, where they found his mother, Nancy Dyer, asleep in a filthy apartment and his 2-year-old sister eating spaghetti off the floor.
Child Protective Services took the boy and his sister into custody, and investigators said the agency also had been called to the apartment Thursday because the boy was outside unsupervised.
Sunday, December 31, 2006
Spy Numbers Stations on Shortwave Radio
"59372 98324 19043 78903 95320...". The mechanized female voice drones on and on... What have you stumbled on to? Instructions to spies? Messages exchanged between drug dealers? Deliberate attempts at deception and mis-information?
Chances are, all of the above! What you've tuned in to is called a "Spy Numbers Station". They've been on the air for several decades, and only recently have the mysteries started to unfold. But there's still much we don't know about these mysterious stations. With the information on these pages, you'll discover the little that we do know about these stations, what we're still trying to learn, and how you too can tune in to the spies.
Let's Hope for a Happy New Year...

In a span of a few hours, 2,973 people were killed in the Sept. 11, 2001, terrorist attacks. In a span of 45 months, the number of American troops killed in Iraq has exceeded that grim toll...
"An eye for an eye makes the whole world blind."
- Mahatma Gandhi
Friday, December 29, 2006
Daddy get you a new car for x-mas? Lockpicking - BMW decoder tool
You are going to put your Call Center where?
Analysis of defaced Indian websites year-2006 (till June) (ciwp-2006-02)
Wednesday, December 27, 2006
CISSP, CISA, and SSCP Open Study GROUP Online Quizzer
More info here.
Tuesday, December 26, 2006
On the Tuesday before Christmas...
On Tuesday, Chanell Martin gave her 12-year-old daughter an early Christmas present as a reward for helping out weekends at the family's Lincoln Mall store.
Her daughter, a sixth-grader, was delighted with the black Microsoft Zune media player Martin purchased earlier that day at the Evergreen Park Wal-Mart.
But not for long.
Martin went to her room while her daughter plugged the device, which can play music and video, into the family's computer.
"She said, 'Mom -- what's this?' " Martin said. "When she handed (the player) to me she was looking at a gay orgy."
On the Zune's hard drive, Martin discovered, was about 6-- hours of hardcore gay pornography and a "slideshow" of another 62 pornographic images.
Full story here.
Sunday, December 24, 2006
Secure Air Space - Track Santa

NORAD Santa tracker here.
Saturday, December 23, 2006
Tis The Season - Christmas.exe

There is a good article about it over on f-secure. Check it out here.
New Year - New Look
Happy Holidays!
Friday, December 22, 2006
Friday Fun - Tour XM

Tuesday, December 19, 2006
The Silver Bullet Security Podcast
XSS Intro/Demo
More info here.
Friday, December 15, 2006
Sunday, December 10, 2006
Question of the day
"Wonder if any of the Allbrittons (Joe, Robert, Barbie) will be going to Chile for the funeral of Augusto Pinochet???"
Getting Hacked Results In Armed Police Raid
Watch video.
Full story here.