Tuesday, June 05, 2007

“There’s a problem. It’s called Net Neutrality”

Sunday, June 03, 2007

Credit Union Don'ts

Priority One Credit Union recently sent election ballots to members. Printed on the outside of the envelope were some numbers...

Each member's account number and SSN.

Text from Letter of apology:

Important Security Message to Members

During the last week, we mailed our election ballots to members. Unfortunately, an error occurred during the distribution of this ballot, and personal information was inadvertently included above your address on the envelope. This information was not printed in a format that would be immediately recognizable, and we have no indication your personal information has been accessed or misused in any way.

We apologize for this distribution error, and deeply regret any inconvenience or concern it may cause you. Your privacy and security are our top priority, and we have taken precautionary measures to help ensure your protection.

New protocols are in place to thoroughly validate your identity before any account transaction can be made. New member authentication procedures will further ensure you are the only person who can open new accounts, apply for a loan or do business with our credit union.

We will provide, at no cost to you, a one-year membership in a credit monitoring service. Equifax will monitor your credit daily and immediately alert you if there is any unusual activity. You will soon receive a separate letter about Equifax explaining exactly how you can enroll and how the program works. If you have any questions, please call us at 626/441-1999 or 323/682-1999.

Additional operational and security enhancements will ensure this situation cannot happen again. We are committed to protecting your personal information, and will closely monitor your account for the next year. We are also happy to change your member number, upon your request.

We will take whatever steps are necessary to protect you and your confidential information, and your accounts remain safe and sound with your credit union. Please don’t hesitate to call us at 626/441-1999 or 323/682-1999 or visit your local branch if you have any questions or concerns about this issue.

In addition to the steps we are taking to protect you and your accounts, here are other security precautions you can take:

* Carefully review your accounts when you receive your statement for at least the next 12 – 24 months. You can also review your accounts online at www.priorityonecu.org. This is a good financial management practice, and an important part of keeping your financial information accurate and secure.
* Place a Security Alert on your credit bureau file. Security alerts provide added protection because they recommend creditors contact you before opening new accounts. To place a Security Alert or to obtain a copy of your credit report, please contact:
o Experian: 1-888-397-3742 www.experian.com,
o Equifax: 1-800-525-6285 www.equifax.com
o Transunion: 1-800-680-7289 www.transunion.com
* Contact the following resources for additional information and guidance relating to privacy and identity theft:
o Federal Trade Commission (FTC): 1-877-IDTHEFT www.consumer.gov/idtheft
o Social Security Administration’s Fraud Hotline: 1-800-269-0271
* Call us right away if you have any questions or concerns, or suspect any unusual activity, at 626/441-1999 or 323/682-1999.

We appreciate your continued support of Priority One Credit Union, and want you to know that “you are our first priority.”

Charles R. Wiggington, Sr. CEO/President

Friday, June 01, 2007

Michigan Man Fined for Using Coffee Shop's Wi-Fi Network

This story bugs me, and personally I think he should have fought this. I would think the EFF would have helped...
A Michigan man has been fined $400 and given 40 hours of community service for accessing an open wireless Internet connection outside a coffee shop.

Under a little known state law against computer hackers, Sam Peterson II, of Cedar Springs, Mich., faced a felony charge after cops found him on March 27 sitting in front of the Re-Union Street Café in Sparta, Mich., surfing the Web from his brand-new laptop.

"It wasn't anything we were looking for, and it wasn't anything that we frankly particularly wanted to get involved in, but it basically fell in our lap and it was a little hard to just look the other way when somebody handed it to us," said Lynn Hopkins, assistant prosecuting attorney for Kent County.

Under the statute, individuals who log on to a Wi-Fi network with the owner's permission, or who see a pop-up screen that says it's a public network, can assume they're authorized to use the network, Hopkins said.

If they don't, they could be subject to prosecution.

Peterson was given two choices: He could try to fight the felony charge and face a sentence of up to 5 years in jail or a $10,000 fine; or he could enroll in the diversion program, which would require paying a $400 fine, doing 40 hours of community service and staying on probation for six months.

Last week, Peterson chose to pay the fine instead as part of a jail-diversion program.
Full story.
Yoggie, an Israeli security vendor, has released a USB device called Pico, a Linux-based computer on a stick that provides enterprise-level security on a home laptop or desktop PC.

Per Yoggie, the Pico has:

Complete protection against

  • Viruses
  • Worms
  • Identity theft
  • Data theft
  • Phishing
  • Spyware
  • Spam
  • IP Spoofing
  • Denial of Service attacks

All-in-one Security

  • Anti Virus
  • Anti Spam
  • Anti Phishing
  • Intrusion Detection
  • Intrusion Prevention
  • Firewall (Stateful Inspection)
  • Web Filtering
  • Parental Content Control
  • Adaptive Security Policy™
  • Multi-Layer Security Agent™
  • Layer-8 Security Engine

Tuesday, May 29, 2007

Hacking Vista: Easier than you'd think

Monday, May 28, 2007

Honor Their Sacrifice

Sunday, May 27, 2007

Why Are CC Numbers Still So Easy To Find?

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read Bennet's article.

Bloody Passwords …

Tool Time - Drobo

This thing seems way cool to me, watch a demo here.

Drobo is a four drive array that connects via USB and employs "intelligent" software to handle all of the data management and disk swapping: one drive goes down? No problem, Drobo's already on it. Wanna swap out drives while you listen to music? Drobo keeps the tunes going even when you're down to one disk.

Friday, May 25, 2007

"Between Silk and Cyanide: A Codemaker's War"

I purchased this book based on a review by Robert Slade and have found it to be a great read. This book demands respectful attention, but in an often stale and text book filled library it is nice to have a security book that is both educational and fun.

Between Silk and Cyanide: A Codemaker's War, 1941-1945
Hardcover: 624 pages
Publisher: Free Press (June 9, 1999)
Language: English
ISBN-10: 0684864223
ISBN-13: 978-0684864228

Friday Fun - A Fair(y) Use Tale

Professor Eric Faden of Bucknell University created this humorous, yet informative, review of copyright principles delivered through the words of the very folks we can thank for nearly endless copyright terms.

- Had to have been a lot of work...

Thursday, May 24, 2007

The 14th episode of The Silver Bullet Security Podcast

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. In this show, Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering (”nobody writes a line of code without the approving authorities [having] read and understood the specification”), why DRM is the “wrong solution to the wrong problem,” and who was more interesting to meet: Albert Einstein or Norah Jones.

Wednesday, May 23, 2007

Hack My Son's Computer, Please

Can an elderly father give police permission to search a password-protected computer kept in his adult son's bedroom, without probable cause or a warrant? In April, a three judge panel of the 10th Circuit Court of Appeals said yes.

This week, the son's attorney, Melissa Harrison, an assistant federal public defender in Kansas City, will ask the court to reconsider the panel's ruling. At stake is whether law enforcement will have any responsibility to respect passwords and other expressions of user privacy when searching devices which contain the most sensitive kinds of private information.

Wired article here.

Tuesday, May 22, 2007

Sending Encrypted Emails With S/MIME Protocol

Nice article on how to programmatically send S/MIME encrypted emails.

Sunday, May 20, 2007

SNL - TSA "Security"

Friday, May 18, 2007

Friday Fun - Tandy Computer Whiz Kids Comics

Corny in a fun way, Whiz Kids is a comic book handed out by Radio Shack in the 80s. More infomercial than anything, it provides a fun look back...

Thursday, May 17, 2007

New Site for Data Loss Statistics - etiolated

"Shedding light on who's doing what with your private information" the new site, etiolated.org, takes the privacy breach data accumulated by attrition.org and creates some very cool statistics, trends charts, etc...

Surveillance Basics

Some interesting articles on mostly casino security, but there is plenty of info that is applicable outside of the gambling world.

1. Camouflaged Holes

2. Chain of Command

3. Murphy's Law

4. Surveillance Room: Policies and Procedures

5. The Observer's Instinct, or "JDLR"

6. Direction of Attention

7. Recording Observations

8. On Writing Reports

9. Put it in Writing

10. False Reports

11. Confidentiality

12. Teamwork Part I

13. Assisting Casino Management

14. Pit Help Requests

15. Shift Checklist

16. Teamwork Part II: The Surveillance Room Team

17. Job Descriptions

by Gary Powell and Jim Goding

Wednesday, May 16, 2007

eBay Scammer on Judge Judy

Judge Judy rocks! These types of scams are more prevalent than you might think.

Something to Think About

"The universe doesn't owe you anything but an education, and it gives you lessons every day."

- John Vorhaus

Tuesday, May 15, 2007

“Is your PC virus-free? Get it infected here!”

Would you click on this Google ad?

No? Sure? Because 409 persons did!

Story here.

Sunday, May 13, 2007

Reminder: Monday is Wiretap the Internet Day

May 14th is the official deadline for cable modem companies, DSL providers, broadband over powerline, satellite internet companies and some universities to finish wiring up their networks with FBI-friendly surveillance gear, to comply with the FCC's expanded interpretation of the Communications Assistance for Law Enforcement Act.

Congress passed CALEA in 1994 to help FBI eavesdroppers deal with digital telecom technology. The law required phone companies to make their networks easier to wiretap. The results: on mobile phone networks, where CALEA tech has 100% penetration, it's credited with boosting the number of court-approved wiretaps a carrier can handle simultaneously, and greatly shortening the time it takes to get a wiretap going. Cops can now start listening in less than a day.

Wired story here.

Saturday, May 12, 2007

Sex Toy Threatens Cyprus's National Security

Small, egg-shaped and promising 'divine' vibrations, a UK sex toy has been deemed a threat to Cyprus's national security. According to the company Ann Summers, the Love Bug 2 has been banned because the Cypriot military is concerned its electronic waves would disrupt the army's radio frequencies. Operated by a remote control with a range of six metres, it is described by Ann Summers as 'deceptively powerful'. The company said: 'The Love Bug 2 is available in Cyprus but we have had to put a warning out urging Cypriots not to use it.'

Story source.

Friday, May 11, 2007

Friday "Fun"

Man chops off head with chainsaw

A man cut off his own head with a chainsaw after stabbing his 70-year-old father to death in their apartment in the German city of Cologne, police said.

The body of the offender, 24, was found headless when police raced to the apartment after an emergency call, apparently from the dying father, had been broken off in mid-sentence.

Body found in bed after seven years

The decomposed corpse of a German man has been found alone in his bed after nearly seven years, police in the western city of Essen said today.

The police said in a statement the man was 59 and unemployed at the time of his death. He most likely died of natural causes on November 30, 2000, the date he received a letter from the Welfare Office found in the flat, police said.

Thursday, May 10, 2007

The Attacks Against Estonian Servers

For a good summary on what's been happening so far, read this article from Helsingin Sanomat.
Russia's aggressive displays towards Estonia of late, in the wake of the moving of the "Bronze Soldier" Soviet war memorial, have not been confined to rioting by nationalists on the streets of Tallinn or the blockading of the Estonian Embassy in Moscow.
Estonian government websites and others have been the victims of denial-of-service attacks since Friday of last week [April 27th, the day the statue was moved, following a night of rioting that left one man dead].

Wednesday, May 09, 2007

Fed Worker Sues over Googling

What: A government worker claims a department official violated his "right to fundamental fairness" by using Google to research his prior work history in a dispute over the use of government property.

When: U.S. Court of Appeals for the Federal Circuit rules on May 4.

Outcome: Unanimous three-judge panel says no harm was done by using search engine.

More

Tuesday, May 08, 2007

Anti-Violence Electrode Shock Gun

What more could you want? The TW-ESG-Z1 Anti-Violence Electrode Shock Gun does it all. It has SNAP-ON CARTRIDGES that enable it to shoot "taser" probes, pepper powder, rubber bullets and paint bullets. It can also shock attackers without the probe, and even includes a Xenon flashlight. As a plus, the TW-ESG-Z1 even features a safety wrist strap that disables the gun if an attacker takes it from you.

Multi-Functions

1. With Cartridge of probes
Fires two probes up to a distance of 3.5M, which transmit pulsed energy that temporarily overrides the central nervous system of the target, causing immediate incapacitation

2. With Cartridge of pepper powder
Pepper powder sprays out up to a distance of 3 ~ 5M, swells the mucous membranes to make breathing difficult, and irritates the eyes, causing tearing and forcing the eyes to close

3. With Cartridge of rubber bullet
Used especially by military personnel and law enforcement officers in crowd control. 10 ~ 15M effective distance

4. With Cartridge of paint bullet
Used especially by military personnel and law enforcement officers in crowd control. 10 ~ 15M effective distance.

5. With Extended electric stick
For extending defense range to around 50cm

6. Capable of drive stun with or without cartridge of probes installed

7. Deployed Powerful Xenon light

Blind Man's Bluff

So how does Kent view/review the security cameras?
Don't try to dupe Kent Parker just because he's blind and operates a deli in the Hamilton County Courthouse.

Every once in a while, somebody tries to cheat him despite the security cameras trained on the cash register and about a dozen sheriff's deputies a few steps away.

In the past two weeks, two women offered bills smaller than they claimed and were arrested within minutes.
More here.

Sunday, May 06, 2007

TJX: Was it Wardriving?

According to the Wall Street Journal, the biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

More here.

Secure Future - Earth

Earth Day Revisited with Lewis Black...

Friday, May 04, 2007

Friday Fun - Code Talkers

Thursday, May 03, 2007

Tools to Really Erase a HD

We all know (or should know) that regular MS Windows methods for “deleting” files truly do not delete anything. However, via the Center for Magnetic Recording Research and Dr. Gordon Hughes we have the Secure Erase standard.

Here is info on how to really erase hard drive data:

Tutorial on Disk Drive Data Sanitization

Gordon Hughes - CMRR Secure Erase Page

Another alternative is an open source external block overwrite utility called Darik's Boot and Nuke ("DBAN").
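To make the point concrete, here is a small Python overwrite-before-delete routine added as an example; it is not code from this post, from CMRR or from DBAN. It writes random data over every byte of a file (zeros on the final pass), fsyncs each pass, and only then unlinks the file. The demo builds a constructed sample file holding a fake account number and checks that the marker is present before the overwrite and gone afterwards. File names, the marker value and the pass count are all assumptions made for the example.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files are not loaded into memory


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file at `path` in place.

    Every pass except the last writes cryptographically random bytes; the final
    pass writes zeros. The file is flushed and fsync'd after each pass so the
    data reaches the device instead of sitting in the page cache.
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            last = pass_no == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(bytes(n) if last else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite the file contents, then remove the directory entry."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def file_contains(path: str, needle: bytes) -> bool:
    """Naive check used by the demo: does the raw file content still hold `needle`?"""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo() -> dict:
    """Create a constructed sample file, show the secret marker is present before
    and absent after overwriting, then wipe the file completely."""
    marker = b"ACCOUNT-NUMBER-12345678"  # constructed sample secret, not real data
    payload = b"member statement\n" + marker + b"\nend of record\n"
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")  # hypothetical scratch file
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    before = file_contains(path, marker)
    overwritten = overwrite_file(path, passes=2)
    after = file_contains(path, marker)
    wipe_file(path, passes=1)
    return {
        "expected_size": len(payload),
        "overwritten": overwritten,
        "marker_before": before,
        "marker_after": after,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

In-place overwriting like this only addresses the blocks the filesystem currently maps to the file. Journaling and copy-on-write filesystems, SSD wear levelling and sectors a drive has silently remapped can all leave older copies behind, which is why the drive-firmware Secure Erase command described on the CMRR page, or a whole-device overwrite tool such as DBAN, is the right choice when a disk leaves your control.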

Wednesday, May 02, 2007

Gartner: Hacking contests bad for business

A pair of Gartner analysts Tuesday denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" and urging sponsors to reconsider such public contests.

The research manager of TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.

"Public vulnerability research and 'hacking contests' are risky endeavors and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said analysts Rich Mogull and Greg Young in a research note published by Gartner on Monday.

Full InfoWorld story.

Certainly starts to blur the lines between the good guys, the bad and "responsible disclosure". How long before company A puts a bounty on "security research" of company B - their competitor?

Bodies Not Included

Monday, April 30, 2007

Secure Future - Coffee Drinking Health Benefits

Not so controversial anymore -- panel says moderate coffee drinking reduces many risks. Coffee contains hundreds of components including substantial amounts of chlorogenic acid, caffeine, magnesium, potassium, vitamin B3, trigonelline, and lignans. Limited evidence suggests that coffee may improve glucose metabolism by reducing the rate of intestinal glucose absorption and by stimulating the secretion of the gut hormone glucagon-like peptide-1 (GLP-1) that is beneficial for the secretion of insulin. However, most mechanistic research on coffee and glucose metabolism has been done in animals and in lab tubes and therefore metabolic studies in humans are currently being conducted. Further research may lead to the development or selection of coffee types with improved health effects.

More here.

Saturday, April 28, 2007

The Very Secure F-22

On April 10, at Langley Air Force Base, an F-22 pilot, Capt. Brad Spears, was locked inside the cockpit of his aircraft for five hours. No one in the U.S. Air Force or from Lockheed Martin could figure out how to open the aircraft's canopy. At about 1:15 pm, chainsaw-wielding firefighters from the 1st Fighter Wing finally extracted Spears after they cut through the F-22's three-quarter inch-thick polycarbonate canopy.

Total damage to the airplane, according to sources inside the Pentagon: $1.28 million. Not only did the firefighters ruin the canopy, which cost $286,000, they also scuffed the coating on the airplane's skin which will cost about $1 million to replace.

More here.

Friday, April 27, 2007

Friday Fun w/John T Draper (AKA Captain Crunch)

Time to fire-up the wayback machine and get a little hacker history. John T. Draper (born 1944), also known as Captain Crunch, Crunch or Crunchman (after Cap'n Crunch, the mascot of a breakfast cereal), is a former phone phreak.

Read his stories here.

Wednesday, April 25, 2007

Uncle Sam Issues "Final" Report on Identity Theft

The President’s Task Force on Identity Theft was established by Executive Order 13402 on May 10, 2006 and the task force has just released its "final" report on identity theft. A good use of resources this task force? Maybe not so much, after looking at the IC3 report noted in the prior post below...

Top 10 Internet Crimes of 2006

According to the Internet Crime Complaint Center's 2006 annual report, auction fraud and non-delivery of items purchased are far and away the most common Internet crimes. Number three is good old-fashioned check fraud. Identity theft is way down near the bottom...

Virginia’s IC3 2006 Internet Crime Report.

Tuesday, April 24, 2007

Chicago Man Exonerated; Becomes 200th Exoneree Nationwide

This must keep some people awake at night...

In 200th DNA Exoneration Nationwide, Jerry Miller in Chicago Is Proven Innocent 25 Years After Wrongful Conviction

Innocence Project launches “200 Exonerated, Too Many Wrongfully Convicted,” month-long national campaign to address and prevent wrongful convictions

(CHICAGO, IL; April 23, 2007) – With new DNA tests proving that Jerry Miller did not commit a brutal rape in Chicago for which he was convicted in 1982, the Innocence Project said today that Miller is the 200th person in the nation exonerated through DNA evidence.

In 1981, Miller was arrested and charged with kidnapping, raping and robbing a woman in downtown Chicago. He was convicted in 1982 and served 24 years in prison. Eleven months ago, he was released on parole as a registered sex offender, requiring him to wear an electronic monitoring device at all times and prohibiting him from answering his door on Halloween or leaving his job for lunch. Miller, who served more than three years in the military, was 22 years old when he was arrested and is now 48. DNA testing on semen from the rape proves that Miller did not commit the crime – and instead implicates another man as the actual perpetrator.

Silver Bullet Podcast - Episode 13

On the 13th episode of The Silver Bullet Security Podcast, Gary chats with Ross Anderson, Professor of Security Engineering at the Computer Laboratory at Cambridge University and author of the book Security Engineering. Gary and Ross discuss the effect of posting his excellent book on the net for free, the simple reasons why most systems fail, the economic imbalance between engineers/developers and a system’s users (with respect to who should address security), and why publicly describing attacks is essential to security engineering. They close out by examining the security implications of wearing a kilt.

Sunday, April 22, 2007

Mail BITS

BITS, the business strategy and technology group for the Financial Services Roundtable, announced that it is urging its member companies to adopt three key email security protocols within the next eighteen months. In a white paper published today, entitled The BITS Email Security Toolkit: Protocols and Recommendations for Reducing the Risks, BITS also urges member financial institutions to continue working with Internet Service Providers and other business partners to tackle the problem of unwanted email or spam, phishing and email-deployed malware.

Saturday, April 21, 2007

Finding Webcams w/Google

Try using the following queries:

inurl:/view.shtml

or

intitle:"Live View / - AXIS" | inurl:view/view.shtml^

The Hole - video powered by Metacafe

Friday, April 20, 2007

Friday Fun - Lady Taser

Now your Taser can match your shoes!

The TASER C2 can stop a threat up to 15 feet (4.5 meters) away, allowing you to protect yourself and your family from a safe distance. You can also use the C2 as a contact stun device to repel someone - a powerful backup capability.

TASER® technology has proven itself as the safe self-defense choice with over 500,000 uses worldwide. TASER technology is supported by dozens of independent medical reports attesting to its general safety.

Get yours here.

The Right Way

Salient comments from Sheriff Andy Taylor.

Wednesday, April 18, 2007

FAA Advisory - Boeing 787 Hacking

Gee, no worries here... The Federal Aviation Administration issued an advisory outlining possible wireless security threats to Boeing's 787-8 aircraft.
On-board wired and wireless devices may also have access to parts of the airplane's digital systems that provide flight critical functions. These new connectivity capabilities may result in security vulnerabilities to the airplane's critical systems. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access.

Tuesday, April 17, 2007

Last year was a hot one for UFO sightings

One of Canada’s leading UFO researchers says there were 736 reported sightings across the country last year.

Chris Rutkowski says the 2006 Canadian UFO Survey recorded the third largest number of sightings in its 17-year history and shows there’s still a great deal of interest in unexplained phenomena in the sky.

Monday, April 16, 2007

cDc Launches - Cowfeed

A feed aggregator of all cDc-related content everywhere!

"Based in Lubbock, Texas, CULT OF THE DEAD COW (cDc) is the most-accomplished and longest-running group in the computer underground. Founded in 1984 and widely considered to be the most elite people to ever walk the face of the earth, this think tank has been referred to as both "a bunch of sickos" (Geraldo Rivera) and "the sexiest group of computer hackers there ever was" (Jane Pratt, _Sassy_ and _Jane_ magazines). The cDc is a leading developer of Internet privacy and security tools, which are all free to the public. In addition, the cDc created the first electronic publication, which is still going strong."

Virginia Tech rampage

I wish I could find the appropriate words to explicitly express how utterly pathetic and sensationalistic the media coverage of this tragedy has been in general.

In my mind the only issues that should be covered at this juncture are that there has been a terrible and senseless loss of human life and that the only one at fault/to blame here - is the one who pulled the trigger...

Note: on average there are 2.4 US military fatalities every day in IRAQ - 3,308 total so far. Most are the same age as or younger than the VT students.

Sunday, April 15, 2007

Rock Phish

A phishing demo from F-Secure showing examples created with Rock Phish - a phishing kit that allows non-technical folks to create and implement phishing attacks.

Red Tape Chronicles

Red Tape Chronicles is MSNBC.com's effort to unmask government bureaucracy, corporate sneakiness and outright scam artists.

Secure Future? Are mobile phones wiping out our bees?

No bees, no pollination, no food...

If it is phones, then why now?

It seems like the plot of a particularly far-fetched horror film. But some scientists suggest that our love of the mobile phone could cause massive food shortages, as the world's harvests fail.

They are putting forward the theory that radiation given off by mobile phones and other hi-tech gadgets is a possible answer to one of the more bizarre mysteries ever to happen in the natural world - the abrupt disappearance of the bees that pollinate crops. Late last week, some bee-keepers claimed that the phenomenon - which started in the US, then spread to continental Europe - was beginning to hit Britain as well.

Full story here.

Saturday, April 14, 2007

Geek Accused of Videotaping Woman in Her Shower

Their mom called Best Buy's Geek Squad for help with their computer. Now two sisters are suing Best Buy, claiming the technician who showed up secretly taped one of them in the shower.
Full story here.

Friday, April 13, 2007

Happy Friday - One From the Vault

"The only winning move is not to play. How about a nice game of chess?"

Credit Union - Laptop Theft

"The computer was protected by two layers of security, a unique user-identifier and a multiple-character, alpha-numeric password."
Whew, that's a relief! Press release here.

The laptop was lost by a consultant from Protiviti:
"Protiviti is a leading provider of independent internal audit and business and technology risk consulting services."
Now I know where not to bank and who not to pick as my auditor...

ShmooCon 07 Videos

http://www.shmoocon.org/2007/videos/

Thursday, April 12, 2007

2 Years - 709 Posts - we are still here...

Wednesday, April 11, 2007

From Russia with Love
I just love Russia...

An interview with a former cyber gangster, who claims to have now joined the “white hats” and was prepared to share his experience anonymously. His first name is Victor, but his last name will be kept secret. He is 30 years old and a resident of St. Petersburg, Russia.

TAOF - The Art Of Fuzzing

This website provides some useful tools for fuzzing.

Tuesday, April 10, 2007

A Phishing Attack Demo Against the BOA SiteKey Authentication

A demonstration of a "deceit-augmented man in the middle attack" against the SiteKey ® service used by Bank of America.

From the slight paranoia blog:

Executive Summary

We present this demonstration of a "deceit-augmented man in the middle attack" against the SiteKey ® service used by Bank of America (the underlying technology is also used by other companies). This, or a similar attack, could be used by a phisher to deceive users into entering their login details to a fraudulent website. BoA's own website tells users: "[W]hen you see your SiteKey, you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."

See the demo here.

In the News

Sometimes GP you have to blow your own horn... Otherwise who will?

Microsoft Defends Effort to Patch Flaw
IT execs, researchers split over pace of work on ANI fix
Hugh McArthur, director of information systems security at Online Resources Corp. in Chantilly, Va., said that in general, Microsoft’s 100-day turnaround time for patching the so-called ANI vulnerability doesn’t seem all that unusual.

It wasn’t as if the software vendor was “just sitting back and doing nothing,” McArthur said. “My take is that Microsoft was hoping they could get the fix written and tested prior to an exploit being written. In this case, they didn’t make it.”
Despite all the hoopla, the vulnerability “ultimately wasn’t a big issue” for Online Resources, McArthur said. But he added that the online bill-processing company treated the threat “very seriously” and made sure that its antivirus software was up to date and that its monitoring tools were configured to detect any exploit attempts on its systems.

Hak.5 - Episode 2×09 Release (ShmooCon)

In this special episode of Hak5 the crew heads to Washington DC for ShmooCon, the only annual security conference with complimentary foam balls.

Monday, April 09, 2007

Debian GNU/Linux 4.0 released

While Ubuntu is my favorite these days, these guys were the first Linux distro that I felt comfortable with...

The Debian Project is pleased to announce the official release of Debian GNU/Linux version 4.0, codenamed etch, after 21 months of constant development. Debian GNU/Linux is a free operating system which supports a total of eleven processor architectures and includes the KDE, GNOME and Xfce desktop environments. It also features cryptographic software and compatibility with the FHS v2.3 and software developed for version 3.1 of the LSB.

Using a now fully integrated installation process, Debian GNU/Linux 4.0 comes with out-of-the-box support for encrypted partitions. This release introduces a newly developed graphical frontend to the installation system supporting scripts using composed characters and complex languages; the installation system for Debian GNU/Linux has now been translated to 58 languages.

How to get it here.

Sunday, April 08, 2007

Happy Easter! Whitehouse Security - Cheney Style

Saturday, April 07, 2007

Opening Desk Lock with Jiggler Key

Friday, April 06, 2007

So prOn is Dangerous After all

Three Japanese naval officers who swapped pornography on their computers triggered a scandal over a possible leak of sensitive data linked to Japan's missile defence system, a newspaper said on Thursday.

Police launched a probe last week after a navy officer married to a Chinese woman was found to have taken home a computer disk containing information about the high-tech Aegis radar system, domestic media said.

Aegis is used on Japanese destroyers that are to be fitted with SM-3 missile interceptors from this year as part of the missile defence program. The officer told police he accidentally copied the confidential data onto his computer's hard disk when copying porn from a computer belonging to a crew member from another destroyer, the Yomiuri newspaper reported.

Story here.

Wednesday, April 04, 2007

Below the Hole

Think there might be a hacking opportunity here?

The no-tolerance policy fits Augusta National's image. The club fancies itself as the most tradition-bound of golf bodies, one that prohibits anything high-tech from disturbing the peace on its grounds. The scoreboards for the Masters are all manually operated. The only prominent clock at Augusta National is a sundial dedicated to Bobby Jones. Blimps are forbidden in the skies overhead. Even electric vacuum cleaners are taboo in the clubhouse.

All of this makes for great theater, as golfers, visitors, and TV viewers are transported back to a world free of Jumbotrons and Gnarls Barkley ringtones. But while the Masters brass has carefully cultivated a technology-hating image, all this Luddism is a façade. Beneath the club's manicured greenery lies an arsenal of technological wonders that keeps the course looking timeless and pristine. Indeed, take a deep enough divot at Augusta National and you'll unearth the most technologically advanced setup in golf.

The greens, for one, are state-of-the-art. Beneath each putting surface is a latticework of pipes, pressurized valves, electric motors, and radio controls.

I asked exactly what he was up to; all he would say was, "data collection." The club's PR department wouldn't elaborate.

Full story here.

From root kit to boot kit: Vista's code signing compromised

Good Stuff...

At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory and in files being read. In a demonstration, the "boot kit" managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista RC2 (build 5744), even without a Microsoft signature.

Experts say that the fundamental problem that this highlights is that every stage in Vista's booting process works on blind faith that everything prior to it ran cleanly. The boot kit is therefore able to copy itself into the memory image even before Vista has booted and capture interrupt 13, which operating systems use for read access to sectors of hard drives, among other things.

More here.
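The "blind faith" problem described above is easiest to see next to its fix. The following is an added example, not code from the article, from NV Labs' VBootkit, or from Vista: a Python simulation of a boot chain in which the stage names and code bytes are constructed, and each stage embeds the digest of the stage it hands control to. A root-of-trust digest that the attacker cannot rewrite anchors the first stage. A chain that boots blindly loads a patched stage without noticing; a chain that measures each stage halts at it, and re-embedding fresh digests to cover the patch just breaks the match against the root.

```python
import copy
import hashlib


def stage_digest(stage):
    """SHA-256 over a stage's code plus the digest it embeds for its successor.

    Because the successor's digest is part of the input, changing any later
    stage changes this stage's digest as well, all the way back to the root.
    """
    h = hashlib.sha256(stage["code"])
    h.update((stage["next_digest"] or "").encode())
    return h.hexdigest()


def build_chain(components):
    """Turn [(name, code), ...] into a chain where each stage embeds the digest of the next.

    Returns (chain, root_digest). root_digest is the value an immutable root of
    trust must hold; it is the only thing that cannot be computed from the chain alone.
    """
    chain = []
    next_digest = None
    for name, code in reversed(components):   # build backwards so successors exist first
        stage = {"name": name, "code": code, "next_digest": next_digest}
        next_digest = stage_digest(stage)
        chain.insert(0, stage)
    return chain, next_digest


def blind_boot(chain):
    """The behaviour the article describes: every stage assumes its predecessor ran cleanly."""
    return [stage["name"] for stage in chain]


def verified_boot(chain, root_digest):
    """Each stage is measured against the digest its predecessor (or the root) vouched for."""
    loaded = []
    expected = root_digest
    for stage in chain:
        if stage_digest(stage) != expected:
            return loaded, "halt: %s failed verification" % stage["name"]
        loaded.append(stage["name"])
        expected = stage["next_digest"]
    return loaded, "ok"


def tamper(chain, name, new_code):
    """Return a copy of the chain with one stage's code replaced (simulated modification)."""
    modified = copy.deepcopy(chain)
    for stage in modified:
        if stage["name"] == name:
            stage["code"] = new_code
    return modified


# Constructed sample components; the names are illustrative, not Vista's actual loader files.
SAMPLE_COMPONENTS = [
    ("boot_sector", b"load boot manager"),
    ("boot_manager", b"select OS loader"),
    ("os_loader", b"load kernel and drivers"),
    ("kernel", b"start scheduler"),
]
SAMPLE_CHAIN, ROOT_DIGEST = build_chain(SAMPLE_COMPONENTS)


def demo():
    """Compare blind and verified boot on a chain whose OS loader was patched."""
    patched = tamper(SAMPLE_CHAIN, "os_loader", b"patched loader")
    return {
        "clean_verified": verified_boot(SAMPLE_CHAIN, ROOT_DIGEST),
        "patched_blind": blind_boot(patched),
        "patched_verified": verified_boot(patched, ROOT_DIGEST),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The root digest stands in for whatever immutable anchor a real system provides; the simulation makes no claim about how Vista or any firmware stores it. The point it shows is that signing or hashing each stage is not enough on its own: without an anchor outside the chain, whoever controls the earliest stage can simply rebuild the chain with fresh digests, and nothing later in the boot will disagree.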

Softer flashlights for LA cops

Los Angeles police have unveiled their latest tool in the fight against crime - a flashlight powerful enough to stun suspects but too lightweight to beat them with.

The new flashlight, developed specifically for the Los Angeles Police Department and expected to be acquired by police forces around the world, replaces the heavy 13-inch (33-cm) metal flashlights controversially used by city officers to strike a car theft suspect three years ago.

More here.

The 7060 LED will be available to the general public in June. More information on Pelican's 7060 is available at www.pelican7060.com.

Tuesday, April 03, 2007

Survey Shows Public Feels Safer in City Spaces Lit by LEDs

Seems like these types of lights would be a win/win for both improved safety/security and power consumption.

"When “LED City” Raleigh and Cree Inc. turned on new light-emitting diodes (LEDs) in the Avery C. Upchurch Government Complex’s parking garage, people’s opinions about the quality of the lighting improved threefold."

More here.

NRO: 40 Years of Reconnaissance

Forty Years of Reconnaissance. This is actually a music video about the NRO. Sample lyrics:

"And we'll be there when you call
Even Friday night's all right
We'll see and hear it all
Taking it on with all our might."

[5min, 37sec]

Go here for the video at the Internet Archive and here for more NRO videos at the Memory Hole.

Sunday, April 01, 2007

Amazing "Threat Alert"

KcPentrix 2.0: LiveDVD

A live DVD that features many new and up-to-date tools for auditing and testing a network, from scanning and discovery to exploiting vulnerabilities.

Kcpentrix is based on SLAX 5, a Slackware live DVD.

Saturday, March 31, 2007

2006 Operating System Vulnerability Summary

Excellent summary of the 06 security scene and system vulnerabilities.

"The summarized coverage of 2006 vulnerabilities by SANS showed the most prevalent attack vectors were not directly against the operating systems themselves. However, this article approaches the operating system as an entity in and of itself for analysis of only the vulnerabilities of core features. As such, vulnerability scans were conducted against 2006's flagship operating systems in various configurations to determine weakness from the moment of installation throughout the patching procedure. From Microsoft, testing included Windows XP, Server 2003 and Vista Ultimate. Examinations against Apple included Mac OS9, OSX Tiger and OSX Tiger server. Augmenting Apple's UNIX representation, security tests were also performed on FreeBSD 6.2 and Solaris 10. Rounding up the market share, Linux security testing included Fedora Core 6, Slackware 11, SuSE Enterprise 10 and Ubuntu 6.10. Before delving into the specifics of the vulnerabilities, it is helpful to understand the security scene of 2006."

Thursday, March 29, 2007

A Security Vendor Don't

One of the vendors (Core Impact) at ShmooCon got some unwanted attention this past weekend - they had a pretty string of light-up USB hubs strung along the front of their table. Since the hubs needed power to light up, they plugged the string into one of their laptops on the table...

RenderMan noticed this and happened to have a USB toolkit in his pocket. He was subsequently able to plug his USB key into the string of USB hubs unnoticed and retrieved it a bit later after it had collected password files and other assorted goodies.

The whole event was relayed to the entire audience at the closing ceremonies. It's a nice lesson on what not to do when exhibiting at events such as a "hacker" con...

Wednesday, March 28, 2007

Firefox Add-on - Tamper Data

Tamper Data 9.8.1 is a handy add-on: use it to view and modify HTTP/HTTPS headers and POST parameters, trace and time HTTP requests and responses, and security-test web applications by modifying POST parameters, etc...

Tuesday, March 27, 2007

24-Point Identity Theft Recovery Checklist

Step 1: Take a deep breath and act rather than react.

The rest here.

Metasploit 3 is Out

http://framework-mirrors.metasploit.com/msf/download.html

Sunday, March 25, 2007

ShmooCon 07 - Day 3

Last but not least, the final day of ShmooCon 07. Not as many sessions today, but I wanted to hear Chuck Willis from Mandiant - Assess the Security of Your Online Bank (Without Going to Jail).

While his talk didn't really focus on Online Banking that much, it was a good primer on non-invasive testing of web-facing applications. Chuck fits the Mandiant profile - clean cut - smart guy... The tool that Chuck used in many of his examples is Paros. His slides should be posted on his site soon.

I also sat in on Joel Bruno and Eric Smith's (PSKL) talk on - VOIP, Vonage, and Why I Hate Asterisk. They have done some neat work on RTP playback and in particular Vonage VOIP calls. You can find the SIPinator v1.0 code here. They also made a nice/funny commercial for ShmooCon.

The work the folks at the OLPC project are doing is way cool. Not going into details here, but check them out.

Quick Summary -

Can't say enough about what a great value ShmooCon is, and while not every session was exceptional, the event as a whole was. More highlights in the coming days as I parse through notes etc...

Saturday, March 24, 2007

ShmooCon 07 - Day 2

First things first, the Wirefly Marathon messed-up traffic this AM royally!

The rest of the day was good - any Shmoo day is a good day...

One session was a bit different - Michael Schearer from The Church of WiFi presented: A Hacker in Iraq. A Naval Flight Officer, theprez98 talked about his experiences during his 9-month tour in Iraq embedded with Army units on the ground. He put his expertise in electronic warfare to good use against the biggest threat to coalition forces - the improvised explosive device (IED).

He also mentioned that one of the best sources of real news from the war is the military blogs.

The Hacker Arcade was in full swing today along with Deviant and company's lock picking area. There are a couple of Nitro boxes running in the conference NOC; wonder who gave them that idea.

Some of the security podcast folks were recording - I saw the CyberSpeak folks in action... look for Shmoo reports from Sploitcast and Hak.5.

More fun on Sunday...

Friday, March 23, 2007

ShmooCon 07 - Day 1

ShmooCon 07 started today and things got off to a good start - bigger space, more folks, but overall same great con. After Bruce Potter's opening remarks @ 15:30 there were six approx 20 min. long presentations before Aviel Rubin's keynote @ 19:00.

Eoin Miller and Adair Collins' Auditing Cached Credentials with Cachedump and Johnny Long's No-Tech Hacking were probably my two favorites. Johnny's no-tech hacking talk was excellent in both content and presentation. A good deal of it focused on physical security and on demonstrating what an important hacking tool the power of observation can be.

Aviel Rubin ended things nicely with an excellent keynote. A copy of his presentation can be found here.

Dr. Rubin vs. Dr. Cole... my money is on Dr. Rubin

Thursday, March 22, 2007

Tool Time - Nessj

Nessj is an application/network security scanner client for Nessus and Nessus compatible (OpenVAS etc.) servers. In addition to an improved user interface, it provides session management with templates, report generation using XSLT including charts/graphs, and vulnerability trending. It is cross-platform, with platform specific releases available for Linux, OSX, and Windows, written in Java using SWT for a native experience, and it is open-source. It's provided by Intekras, Inc. under the Clarified Artistic License.

Get it here.

Wednesday, March 21, 2007

Top 10 U.S. Government Web Break-ins of All Time

Network Security Journal has an interesting list of when hackers take on the feds.

Tuesday, March 20, 2007

Identity Theft is Getting more Businesslike

Speaking of business - can you think of a better way to sell your security products than to preach doom and gloom? How neutral do you think Symantec is when the worse things are, the better life is for them?

Via their semiannual Internet Security Threat Report - Symantec reported that much of the malicious computer code they identified was compiled, or translated into usable software, during standard, 9-to-5 work shifts in the country of origin.

"The hobby-horse hacker is a thing of the past. These guys work business hours,'' Huger said. "It's pretty organized, which is the scary part. Now we're seeing a well-oiled machine for stealing data.''
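The "business hours" observation above comes from looking at when binaries were built. As an added example (not Symantec's method, which the article does not describe), here is a small Python forensic helper: it reads the COFF TimeDateStamp out of a PE header and reports what share of a sample falls on weekday working hours once you pick a time zone for the author. The sample images are constructed stub headers, not real malware, and the UTC+8 offset is an assumption chosen to show how much the answer depends on that guess.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(image: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Layout used: the DOS header stores e_lfanew (file offset of the "PE\\0\\0"
    signature) at 0x3C; the 20-byte COFF file header follows the signature and
    its TimeDateStamp sits 4 bytes in, after Machine and NumberOfSections.
    The stamp is set by the linker and can be zeroed or forged, so treat it as
    a hint to correlate with other evidence, not as proof.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def business_hours_share(stamps, utc_offset_hours):
    """Fraction of timestamps falling Mon-Fri 09:00-16:59 in the given local zone.

    utc_offset_hours is the analyst's assumption about where the author works.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for stamp in stamps:
        local = stamp.astimezone(local_tz)
        if local.weekday() < 5 and 9 <= local.hour < 17:
            hits += 1
    return hits / len(stamps) if stamps else 0.0


def make_stub_pe(stamp: int) -> bytes:
    """Build a minimal, non-executable PE header (constructed test data only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after the DOS header
    # COFF header: Machine=i386, 0 sections, TimeDateStamp, no symbols, no optional header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: three weekday-daytime builds and one Saturday 03:30 build, as seen from UTC+8.
SAMPLE_OFFSET = 8
_sample_tz = timezone(timedelta(hours=SAMPLE_OFFSET))
SAMPLE_IMAGES = [
    make_stub_pe(int(datetime(2007, 3, 20, 10, 15, tzinfo=_sample_tz).timestamp())),  # Tue 10:15
    make_stub_pe(int(datetime(2007, 3, 21, 14, 40, tzinfo=_sample_tz).timestamp())),  # Wed 14:40
    make_stub_pe(int(datetime(2007, 3, 22, 16, 5, tzinfo=_sample_tz).timestamp())),   # Thu 16:05
    make_stub_pe(int(datetime(2007, 3, 24, 3, 30, tzinfo=_sample_tz).timestamp())),   # Sat 03:30
]


def analyse(images=SAMPLE_IMAGES, utc_offset_hours=SAMPLE_OFFSET):
    """Parse every image and return the business-hours share under one time-zone assumption."""
    stamps = [pe_compile_time(img) for img in images]
    return business_hours_share(stamps, utc_offset_hours)


if __name__ == "__main__":
    print("share at UTC+8:", analyse())
    print("share at UTC-5:", analyse(utc_offset_hours=-5))
```

Running the same four stamps at UTC-5 instead of UTC+8 flips which builds look like office work, which is why a claim about "work shifts in the country of origin" carries an attribution assumption inside it.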

Among the other items reported was that China had 26 percent of the world's bot-infected computers, more than any country, a statistic mostly explained by the torrid growth of the Chinese technology industry. Also noted was that more than half of all underground economy servers known to Symantec were based in the United States.

However, a recent report from Symantec competitor McAfee tells us that Internet domains from Romania, Russia, and the tiny island of Tokelau are among the riskiest.

What we do know is that phishing and spam are up... now apparently we just need a way to figure out where it is coming from. Unfortunately it is more often the destination that counts, not the journey, and the US might be the way and/or the means, but it certainly isn't the end.

Sunday, March 18, 2007

Super Bowl Hack?

Prank or Hoax? What do you think? If a hoax, it was a very nice job. If a prank, it was quite the stunt. Either way, it's worth a look.

"To promote the new ZUG book, PRANK THE MONKEY, we wanted to show how easy it would be to broadcast a secret terrorist message not just on national TV, but on TV's biggest event. "

Saturday, March 17, 2007

Absolut

Friday, March 16, 2007

Friday Fun - WiFi Vibrator

I Make Projects posted plans for "giving yourself a sixth sense for wireless networks" through a small wearable device. It's made from a cannibalized Wi-Fi detector, microcontroller, vibrating motor, and a bit of custom electronics.

Hackers get bum rap for corporate America's digital delinquency

This is good stuff...

If Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame.

Howard and Erickson also found that:
  • Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches.
  • Likely as a result of California's law and similar legislation adopted by other states, the number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases).
  • The education sector, primarily colleges and universities, amounted to less than 1 percent of all lost records, but accounted for 30 percent of all reported incidents.
Article here; more related material at www.wiareport.org

Wednesday, March 14, 2007

File-sharing Software could Jeopardize National Security

A recently released report from the U.S. Patent and Trademark Office suggests that networked file and music sharing could harm children and threaten national security. The 80-page November 2006 report, entitled "Filesharing Programs and Technological Features to Induce Users to Share," can be found here.

"This report also reveals that these filesharing programs threaten more than just the copyrights that have made the United States the world’s leading creator and exporter of expression and innovation: They also pose a real and documented threat to the security of personal, corporate, and governmental data."

"But such condemnations just beg a more fundamental question: Why do children, grandparents, and poor single mothers end up sharing hundreds or thousands of infringing files inadvertently?"

Tuesday, March 13, 2007

The Silver Bullet Security Podcast

How can you go wrong? When you have vicodin, music and security...

On the 12th episode of The Silver Bullet Security Podcast, Gary talks with Becky Bace, Advisor to Venture Capital firm Trident Capital. Becky spent twelve years at the NSA working on intrusion detection and cryptography from 1984 until 1996, followed by a stint at Los Alamos National Laboratory. Gary and Becky discuss growing up in rural America, explosives, and Becky’s Jimmy Hoffa sponsored college funding situation. They also talk about the evolution of security curricula in academia, rampant commercialization of computer security, Becky’s involvement in tracking down the notorious Kevin Mitnick, vicodin-induced creativity, and eclectic music.

French Pick Ubuntu

Well they finally got something right... Ubuntu is a great Linux distro!

When French MPs and their assistants return from their summer break this June, they will conduct parliamentary business on PCs running Ubuntu. From the next session of parliament, 1,154 desks will feature the Linux-based PCs.

More here.

Friday, March 09, 2007

The 50 Most Important People on the Web

PC World's list of the 50 most important people on the web.

Personal favorites:

31. Bruce Schneier - Cryptographer
32. Kevin Rose - Founder, Digg
47. Leo Laporte - Creator, This Week in Tech (TWiT) podcast

Who did they miss?

Thursday, March 08, 2007

Independent Comparatives of Anti-Virus software

The AV Comparatives Web site tested 17 AV products - including several free anti-virus programs as well.

Surprise! Microsoft's OneCare was on the bottom of the list...

BTW, when was the last time you had a virus on your system? Seems that a little common sense can go a long way in keeping a system clean, but don't tell the AV vendors that.

Network Information with Javascript

This is the second article in a series focusing on retrieving system (or client) information using JavaScript and presenting the same on a web page. You can directly copy and paste all of the code samples present in this article into a file with extension “.htm” and open them in Internet Explorer 5.5+.

Sunday, March 04, 2007

Securing Dinner - Finding Nemo 2

Police use MySpace

He's about 60, with graying hair and a bald spot on the crown of his head -- and he looks forward to meeting "more bank tellers so that I can continue my crime spree!!!"

As police continue searching for a suspect in four bank robberies across Arkansas, one local department has taken the unusual step of creating the man a profile on the social networking Web site MySpace, hoping someone will recognize him.

Story here.

Saturday, March 03, 2007

5,000 years of conquest in the Middle East.

See 5,000 years of history in 90-seconds...

True? BBC Reported Building 7 Had Collapsed 20 Minutes Before It Fell

Revealing, shocking video shows reporter talking about collapse with WTC 7 still standing in background. Google has removed the clip.

More here.

Friday, March 02, 2007

"Paranoia"

From here.

Friday Fun - School Security

Meth-selling Principal Found Naked With Sex Toys Watching Gay Porn In Office...

As authorities stormed into a middle school office to arrest an alleged meth-dealing principal inside, they found an even more surprising scene inside.

Sources said 50-year-old John Acerra, of Allentown, was naked and watching gay pornography when they arrived at Nitschmann Middle School in Bethlehem to arrest him on Tuesday.

Acerra also had sex toys, drugs, cash and a pipe in his school office when authorities stormed his office, the sources added.

Story here.
Copyright 2018 e2e Security.