Friday, March 31, 2006

(IN)SECURE Magazine Issue 1.6 (March 2006)

DOWNLOAD ISSUE 1.6 HERE

The covered topics are:

  • Best practices in enterprise database protection
  • Quantifying the cost of spyware to the enterprise
  • Security for websites - breaking sessions to hack into a machine
  • How to win friends and influence people with IT security certifications
  • The size of security: the evolution and history of OSSTMM operational security metrics
  • Interview with Kenny Paterson, Professor of Information Security at Royal Holloway, University of London
  • PHP and SQL security today
  • Apache security: Denial of Service attacks
  • War-driving in Germany - CeBIT 2006

Fridays Are For Fun - Sasquatch In A Box

Looking for that special family activity this weekend? Look no further, hop over to EBAY and grab a copy of "BIG FOOT Snow Monster Board Game" - Milton Bradley 1977.

Rumor is that this game is big in NJ...

Tool Time - Ophcrack 2.2 Is Out

Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.

Thursday, March 30, 2006

The Code Room: Breaking Into Vegas

In this episode of The Code Room, watch the White Hats and Black Hats battle for the security of Las Vegas. Jessi Knapp and Microsoft Security Guru Joe Stagner narrate as the Hackers try to gain control of The Plaza's online money management system and our Security Team tries to stay one step ahead.

Harvard and Berkeley Study: Why Phishing Works

When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators.

Tuesday, March 28, 2006

Firefox Bug Causes Breakup with Fiancé

Sure blame the browser. The bug report makes for a fun read...

How this particular privacy issue ended up in a relationship breakdown emerges from the bug report. The website designer that submitted the report writes that she had changed her mind when Firefox asked whether it should save the password for her website and dived into Password Manager to change her preference. What she found when she got there were the preferences of her fiancé: a list of dating and swinging websites that he had set to explicitly, and understandably, never save a password for…

News story here.

Hack Into Touch-Screen Voting Machine (undetected) and Win 10K!

If you can hack into a touch-screen voting machine undetected, Michael Shamos will give you $10,000.

Dr. Shamos, a professor of computer science at Carnegie Mellon University who has spent more than two decades testing electronic voting equipment, first made that offer several years ago. To this day, no one has tried to collect.

"Because they know they can't do it," he said last week.

Phishing With A New Twist

Phishing scammers recently hacked the web sites of three Florida banks and redirected their customers to spoof pages, marking an apparent milestone in phishers' use of bank web sites to construct more credible frauds. Previous scams have managed to manipulate financial sites through cross-site scripting and cross-frame content injection, but didn't gain access to the server hosting the banks' site.

Not so for the attack on Capital City Bank, Wakulla Bank and Premier Bank in northern Florida. On March 14 hackers were able to break into the servers of ElectroNet, a Tallahassee, Fla. service provider which hosted the web sites for all three banks. The main business URLs for the banks were redirected to identical spoof sites on offshore servers, which asked customers to provide their login details.

The intrusion was detected about an hour after it started, ElectroNet CEO Allen Byington told the Tallahassee Democrat. Byington said that ElectroNet stores no confidential data on its computers and that the company was "working closely" with law enforcement agencies investigating the incident. The banks' sites were shut down for several days, and bank officials said the financial losses were "minimal," and that any customers who lost money were reimbursed by their respective banks.

Monday, March 27, 2006

Tool Time - EtherFlood

Testing your network and need to flood a switched network with Ethernet frames with random hardware addresses?

EtherFlood might be your answer. EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.

Details here.

You Are What You Post

Happy Monday...

Companies are increasingly googling the names of employees and potential employees to dig up information on them. Is what one finds on google an accurate representation of a person? What would your next boss find?

Saturday, March 25, 2006

Personal Security - Disney Film about Venereal Diseases

Originally Released in 1973

A general addressing his troops, which happen to be syphilis and gonorrhea germs. There are also characters representing ignorance and fear.

This is an educational short produced at the Walt Disney Studios.

Friday, March 24, 2006

In the News - SourceFire has been DPW'd. (Dubai Port World-ed)

Fallout from the Dubai port management deal as SourceFire is a big DoD supplier and CheckPoint is a foreign company. Check Point Software Technologies on Thursday said with consent of the U.S. government authorities it plans to withdraw its application relating to its acquisition of Sourcefire. Read more here.

From the Fridays Are For Fun Archives - You're In Control

The You're In Control system uses an array of piezoelectric sensors mounted to the back of a urinal to detect the position of a stream of water, allowing a person to play a video game while peeing. A video monitor is mounted above the urinal, and position on the back of the urinal corresponds to position on the screen. We created a custom video game (our interpretation of the carnival game "whack-a-mole") in which the player attempted to hit hamsters as they flew out of one hole and into another hole in the ground. A successful hit would turn the hamster yellow, make it scream and spin out of control, and give the player ten points.

IBM Demos ‘chip on a molecule’

The first computer circuit to be built on a single molecule has been unveiled by researchers in the US.

It was assembled on a single carbon nanotube, a standard component of any nanotechnologist's toolkit.

The circuit is less than a fifth of the width of a human hair and can only be seen through an electron microscope.

The researchers, from IBM and two US universities in Florida and New York, told the journal Science that the work could lead to faster computer chips.

Wednesday, March 22, 2006

Firefox 2.0 Alpha Download

Bon Echo Alpha 1 is a developer preview release of the next generation Firefox browser.

Download here.

Control your PC from an IRC room

IRC_slave can be a very powerful script if it's combined with a worm such as Perl.Santy, giving the master an environment to work with. This code allows you, as the user, to execute commands on the host running the script.

You might find some other fun stuff on the related site - Script is here.

Monday, March 20, 2006

Cybersafety Campaign for Preschoolers Launched

Seems to me the parents should be taking extra classes, not the kids...

Parents have more to worry about than their child grazing their knee in the playground -- they now should be concerned their toddlers are being kept "cybersafe" as well, an internet safety group said today.

A campaign to keep preschoolers safe when playing on the internet and with other modern technology is to be launched this week.

"In addition to young children inadvertently finding inappropriate material or being exposed to online predators and cyber bullies, they observe and copy the online behaviour of their parents and older siblings to an extent often not realised by their families," Ms Balfour said.

She cited the example of a New Zealand family that was surprised to receive a parcel of videos ordered online by their four-year-old.

"This experience just goes to show how well youngsters can copy behaviour."

"Young children may appear skilled in internet use, but they will not have yet developed the understanding and judgment to always keep themselves cybersafe," Ms Balfour said.

Sunday, March 19, 2006

Geo IP Tool

Fun little online tool to view geographical information about any IP or Domain in the world.

Computer Networks: The Heralds of Resource Sharing

A 1972 documentary on ARPAnet, the early internet. A very interesting look at the beginnings of what is now a huge part of most of our lives. I especially liked the discussions related to banking...

Saturday, March 18, 2006

Some Cool USB Toys

Not meant to be a product plug, but these folks have some cool stuff...

PC on a USB Stick Fights Child Pornography

The US 9th Circuit of Appeals recently made a ruling to allow police to search computer hard drives for child pornography if the PC owner is found to have subscribed to sites selling illegal images. To search a PC without knowing the password, the police can now turn to the Computer on a Stick Pro (COS).

The COS is a USB drive with its own bootable operating system. To use it, the police simply plug the COS into a vacant USB port on the suspect computer and allow the PC to reboot using the COS operating system, bypassing Windows passwords. Once booted, the COS allows the files on the attached computer system to be viewed and copied to the USB COS hard drive.
 