Friday, November 27, 2009

Instant Chewbacca

As you can never have enough Chewbacca

Some Interesting Password Data from MS

Do and don’ts for p@$$w0rd$

Here is a top 10 list with the most common user names used in automated attacks:

| User name | Count |
|---|---|
| Administrator | 136971 |
| Administrateur | 107670 |
| admin | 8043 |
| andrew | 5570 |
| dave | 4569 |
| steve | 4569 |
| tsinternetuser | 4566 |
| tsinternetusers | 4566 |
| paul | 4276 |
| adam | 3287 |

And a similar list for passwords:


| Password | Count |
|---|---|
| password | 1188 |
| 123456 | 1137 |
| #!comment: | 248 |
| changeme | 172 |
| F**kyou (edited) | 170 |
| abc123 | 155 |
| peter | 154 |
| Michael | 152 |
| andrew | 151 |
| matthew | 151 |



Full story here.

Tuesday, November 24, 2009

From AVG - Facebook Worm - warning R-rated!

Thursday, November 19, 2009

Non-profit Organization - ISC(2) Teaches Va. Kids About Internet Safety

Monday, November 09, 2009

60 Minutes--Cyberwar: Sabotaging the system

Truth or Dare?



Sunday, November 08, 2009

HNNCast for the Last Week of October, 2009

Job Security

Every year, Americans eat 35 million cows, 115 million pigs, and 9 billion chickens and turkeys.

- The New Yorker

Monday, October 26, 2009

HNNCast for the Third week of October 2009

Saturday, October 24, 2009

Balloon Boy Game (Friday Fun a Little Late)


Friday, October 16, 2009

Social engineering for penetration testers

Sharon Conheady's BruCON talk discusses the practical aspects of a social engineering attack, providing plenty of war stories from her career as a social engineer. The key to preventing social engineering attacks from being successful lies in education and awareness. This talk will give the audience an insight into the techniques used by social engineers, whether as part of an ethical social engineering test or as a malicious social engineering attack.

Social engineering for penetration testers - Sharon Conheady - BruCON 2009 from security4all on Vimeo.

Thursday, October 15, 2009

30 years of Failure: the Username/Password combo.

Interesting new study, which is being published by the Human Factors and Ergonomics Society.

"The use of alphanumeric usernames and passwords is the most often used (and also the cheapest) method of computer authentication. However, unfortunately human beings are limited in their information processing capabilities (Cowan, et al., 2008). People either use simple passwords that are easy to remember but easy to crack or difficult passwords which are difficult to remember. Results of our study have shown that there are very few people who do not deviate from the best practices for password use."

Saturday, October 10, 2009

CNN Money - 50 Best Jobs in America

8. Computer/Network Security Consultant

Median salary (experienced): $99,700
Top pay: $152,000
Job growth (10-year forecast): 27%
Sector: Information Technology

What they do: Protect computer systems and networks against hackers, spyware, and viruses. "I consider myself a cybercrime fighter," says Gregory Evans, an independent computer security consultant in Atlanta.

Why it's great: No company or government agency can afford to have a serious breach in the security of its computer system. New technologies and an unending supply of creative hackers around the world keep the field challenging. Consultants can often work from home. And top-level pros command big paychecks.

Drawbacks: Talk about stress. If a system is infiltrated by a virus or hacker, it could mean lights out for the security consultant's career. "This is a job you can't afford to ever fail in," says Evans.

Pre-reqs: Mostly major geekdom, since the skills can be self-taught. Still, a computer science degree comes in handy. An information systems security professional certification (CISSP) is increasingly favored. Experience is key for better-paying positions: Most companies won't hire a consultant with less than five years of experience.

Story here.

Friday, October 09, 2009

Happy Meal?

Someone dressed an already dead deer in a clown outfit and wig, and dropped it for a family to see.

Saturday, October 03, 2009

Banking Trojan Infections Tripled.

Banking trojan infections almost tripled (up 186 per cent) between Q4 2008 and Q2 2009, according to an APWG report.

Wednesday, September 30, 2009

Crooks, Trojans & Mules

Interesting report from Finjan.

In the third issue of its Cybercrime Intelligence Report for 2009, Finjan shows how cybercrooks used a combination of Trojans and money mules to rake in hundreds of thousands of Euros and to minimize detection by the anti-fraud systems used by banks. After infection, a bank Trojan was installed on the victims’ machines and started communication with its Command & Control (C&C) server for instructions. These instructions included the amount to be stolen from specific bank accounts and to which money mule-accounts the stolen money should be transferred. The use of this Anti anti-fraud method signals a new trend in cybercrime.

Saturday, September 26, 2009

OWASP Podcast Series #41

David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

Listen

Friday, September 25, 2009

A Stick Figure Guide to the Advanced Encryption Standard (AES)

A very nice explanation of AES, even has example code with it...

Man sues BofA for "1,784 billion, trillion dollars"

More Friday Fun!

Dalton Chiscolm is unhappy about Bank of America's customer service -- really, really unhappy.

Chiscolm in August sued the largest U.S. bank and its board, demanding that "1,784 billion, trillion dollars" be deposited into his account the next day. He also demanded an additional $200,164,000, court papers show.

Reuters story here.

Friday Fun with the DataLoss database

The DataLoss folks have come up with some fun ways of querying their data.

Start here.

Thursday, September 24, 2009

Couple's Lawsuit Against Bank Over Breach To Move Forward

So who is responsible, the Bank/FI or the end user?

A U.S. District Court ruling in a lawsuit against a bank over a hacked online account has raised thorny questions about who's ultimately responsible for the breach of a customer's account.

An Illinois district court denied Citizens Financial Bank's request to dismiss a lawsuit that charges the bank was negligent in protecting a couple's bank account after their user name and password were stolen and used to pilfer $26,000 from their account. The ruling lets the couple, Marsha and Michael Shames-Yeakel, continue with their lawsuit, mostly based on their allegations that the bank failed to properly secure their account.

Full story here.