Friday, March 31, 2006

(IN)SECURE Magazine Issue 1.6 (March 2006)


The covered topics are:

  • Best practices in enterprise database protection
  • Quantifying the cost of spyware to the enterprise
  • Security for websites - breaking sessions to hack into a machine
  • How to win friends and influence people with IT security certifications
  • The size of security: the evolution and history of OSSTMM operational security metrics
  • Interview with Kenny Paterson, Professor of Information Security at Royal Holloway, University of London
  • PHP and SQL security today
  • Apache security: Denial of Service attacks
  • War-driving in Germany - CeBIT 2006

Fridays Are For Fun - Sasquatch In A Box

Looking for that special family activity this weekend? Look no further, hop over to EBAY and grab a copy of "BIG FOOT Snow Monster Board Game" - Milton Bradley 1977.

Rumor is that this game is big in NJ...

Tool Time - Ophcrack 2.2 Is Out

Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.
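As an added illustration of the time-memory trade-off Ophcrack relies on (this is example code, not Ophcrack's, and a toy 64-password space with SHA-256 stands in for the real hash), the following builds a small rainbow table, recovers an unsalted hash from it, and shows why a per-user salt makes the same precomputed table useless.

```python
import hashlib
import itertools

# Toy password space: 4 letters, length 3 -> 64 candidates. Real tables cover
# billions of candidates, but the mechanics are identical.
ALPHABET = "abcd"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 8

def h(password, salt=""):
    """Unsalted hash by default (the case a rainbow table attacks);
    the optional salt models the defence."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def reduce_(digest, step):
    """Map a digest back into the password space. Mixing in the step index is
    Oechslin's 'rainbow' refinement: chains that collide at different positions
    do not merge, unlike in Hellman's original tables."""
    n = (int(digest, 16) + step) % SPACE
    chars = []
    for _ in range(LENGTH):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def build_table(start_points):
    """Precomputation: walk each chain and store only endpoint -> start points."""
    table = {}
    for start in start_points:
        p = start
        for step in range(CHAIN_LEN):
            p = reduce_(h(p), step)
        table.setdefault(p, []).append(start)
    return table

def lookup(table, digest):
    """Online phase: assume the digest sits at chain position pos, walk to the
    endpoint, and on a hit regenerate that chain from its start to find the
    preimage. An endpoint match whose chain lacks the digest is a false alarm."""
    for pos in range(CHAIN_LEN):
        p = reduce_(digest, pos)
        for step in range(pos + 1, CHAIN_LEN):
            p = reduce_(h(p), step)
        for start in table.get(p, []):
            cand = start
            for step in range(CHAIN_LEN):
                if h(cand) == digest:
                    return cand
                cand = reduce_(h(cand), step)
    return None

def all_passwords():
    return ["".join(t) for t in itertools.product(ALPHABET, repeat=LENGTH)]

def coverage(table):
    """Fraction of the unsalted space the table recovers (start points always are)."""
    pwds = all_passwords()
    return sum(1 for p in pwds if lookup(table, h(p)) == p) / len(pwds)

if __name__ == "__main__":
    table = build_table(all_passwords()[::4])   # 16 chains x 8 steps for 64 passwords
    print("endpoints stored:", len(table), "coverage:", coverage(table))
    print("unsalted 'caa' ->", lookup(table, h("caa")))
    # The same table is useless once each stored hash carries a per-user salt.
    print("salted 'caa'   ->", lookup(table, h("caa", salt="u1")))
```

Storing 16 endpoints instead of 64 hashes is the memory saving; the extra hashing in lookup is the time paid for it.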

Thursday, March 30, 2006

The Code Room: Breaking Into Vegas

In this episode of The Code Room watch the White Hats and Black Hats battle for the security of Las Vegas. Jessi Knapp and Microsoft Security Guru Joe Stagner narrate as the Hackers try to gain control of The Plaza's online money management system and our Security Team tries to stay one step ahead.

Harvard and Berkeley Study: Why Phishing Works

When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators.

Tuesday, March 28, 2006

Firefox Bug Causes Breakup with Fiancé

Sure blame the browser. The bug report makes for a fun read...

How this particular privacy issue ended up in a relationship breakdown emerges from the bug report. The website designer that submitted the report writes that she had changed her mind when Firefox asked whether it should save the password for her website and dived into Password Manager to change her preference. What she found when she got there were the preferences of her fiancé: a list of dating and swinging websites that he had set to explicitly, and understandably, never save a password for…

News story here.

Hack Into Touch-Screen Voting Machine (undetected) and Win 10K!

If you can hack into a touch-screen voting machine undetected, Michael Shamos will give you $10,000.

Dr. Shamos, a professor of computer science at Carnegie Mellon University who has spent more than two decades testing electronic voting equipment, first made that offer several years ago. To this day, no one has tried to collect.

"Because they know they can't do it," he said last week.

Phishing With A New Twist

Phishing scammers recently hacked the web sites of three Florida banks and redirected their customers to spoof pages, marking an apparent milestone in phishers' use of bank web sites to construct more credible frauds. Previous scams have managed to manipulate financial sites through cross-site scripting and cross-frame content injection, but didn't gain access to the server hosting the banks' site.

Not so for the attack on Capital City Bank, Wakulla Bank and Premier Bank in northern Florida. On March 14 hackers were able to break into the servers of ElectroNet, a Tallahassee, Fla. service provider which hosted the web sites for all three banks. The main business URLs for the banks were redirected to identical spoof sites on offshore servers, which asked customers to provide their login details.

The intrusion was detected about an hour after it started, ElectroNet CEO Allen Byington told the Tallahassee Democrat. Byington said that ElectroNet stores no confidential data on its computers and that the company was "working closely" with law enforcement agencies investigating the incident. The banks' sites were shut down for several days, and bank officials said the financial losses were "minimal," and that any customers who lost money were reimbursed by their respective banks.

Monday, March 27, 2006

Tool Time - EtherFlood

Testing your network and need to flood a switched network with Ethernet frames with random hardware addresses?

EtherFlood might be your answer. EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.

Details here.

You Are What You Post

Happy Monday...

Companies are increasingly googling the names of employees and potential employees to dig up information on them. Is what one finds on google an accurate representation of a person? What would your next boss find?

Saturday, March 25, 2006

Personal Security - Disney Film about Venereal Diseases

Originally Released in 1973

A general addressing his troops, which happen to be syphilis and gonorrhea germs. There are also characters representing ignorance and fear.

This is an educational short produced at the Walt Disney Studios.

Friday, March 24, 2006

In the News - SourceFire has been DPW'd. (Dubai Port World-ed)

Fallout from the Dubai port management deal: SourceFire is a big DoD supplier and Check Point is a foreign company. Check Point Software Technologies on Thursday said with consent of the U.S. government authorities it plans to withdraw its application relating to its acquisition of Sourcefire. Read more here.

From the Fridays Are For Fun Archives - You're In Control

The You're In Control system uses an array of piezoelectric sensors mounted to the back of a urinal to detect the position of a stream of water, allowing a person to play a video game while peeing. A video monitor is mounted above the urinal, and position on the back of the urinal corresponds to position on the screen. We created a custom video game (our interpretation of the carnival game "whack-a-mole") in which the player attempted to hit hamsters as they flew out of one hole and into another hole in the ground. A successful hit would turn the hamster yellow, make it scream and spin out of control, and give the player ten points.

IBM Demos ‘chip on a molecule’

The first computer circuit to be built on a single molecule has been unveiled by researchers in the US.

It was assembled on a single carbon nanotube, a standard component of any nanotechnologist's toolkit.

The circuit is less than a fifth of the width of a human hair and can only be seen through an electron microscope.

The researchers, from IBM and two US universities in Florida and New York, told the journal Science that the work could lead to faster computer chips.

Wednesday, March 22, 2006

Firefox 2.0 Alpha Download

Bon Echo Alpha 1 is a developer preview release of the next generation Firefox browser.

Download here.

Control your PC from an IRC room

IRC_slave can be a very powerful script if it's combined with a worm such as Perl.Santy, giving the master an environment to work with. This code allows you, as the user, to execute commands on the host running the script.

You might find some other fun stuff on the related site - Script is here.

Monday, March 20, 2006

Cybersafety Campaign for Preschoolers Launched

Seems to me the parents should be taking extra classes, not the kids...

Parents have more to worry about than their child grazing their knee in the playground -- they now should be concerned their toddlers are being kept "cybersafe" as well, an internet safety group said today.

A campaign to keep preschoolers safe when playing on the internet and with other modern technology is to be launched this week.

"In addition to young children inadvertently finding inappropriate material or being exposed to online predators and cyber bullies, they observe and copy the online behaviour of their parents and older siblings to an extent often not realised by their families," Ms Balfour said.

She cited the example of a New Zealand family that was surprised to receive a parcel of videos ordered online by their four-year-old.

"This experience just goes to show how well youngsters can copy behaviour."

"Young children may appear skilled in internet use, but they will not have yet developed the understanding and judgment to always keep themselves cybersafe," Ms Balfour said.

Sunday, March 19, 2006

Geo IP Tool

Fun little online tool to view geographical information about any IP or Domain in the world.

Computer Networks: The Heralds of Resource Sharing

A 1972 documentary on ARPAnet, the early internet. A very interesting look at the beginnings of what is now a huge part of most of our lives. I especially liked the discussions related to banking...

Saturday, March 18, 2006

Some Cool USB Toys

Not meant to be a product plug, but these folks have some cool stuff...

PC on a USB Stick Fights Child Pornography

The US 9th Circuit of Appeals recently made a ruling to allow police to search computer hard drives for child pornography if the PC owner is found to have subscribed to sites selling illegal images. To search a PC without knowing the password, the police can now turn to the Computer on a Stick Pro (COS).

The COS is a USB drive with its own bootable operating system. To use it the police simply plug the COS into a vacant USB port on the suspect computer and allow the PC to reboot using the COS operating system, bypassing Windows passwords. Once booted the COS allows the files on the attached computer system to be viewed and copied to the USB COS hard drive.

Microsoft BlueHat Security Briefings Online

The spring Microsoft BlueHat Security Briefings event was held on March 8-10, 2006. Listen to podcast interviews with the presenters, and read the session descriptions and speaker bios here.

Friday, March 17, 2006

Shmoocon 2006 Follow-Up

Badges: The ShmooCon 2006 Badges were made of Stainless Steel. Some people thought the badges were a bit dangerous, but they were quite tame compared to the original design. There were 20 different badge designs, including Speaker, Staff, Shmoo & Attendee. Finding a complete set to put the puzzle together took a bit of work and the prize went to Grey Frequency who met over 200 attendees and traced badges to put it all together.

Video: Finally starting to get some movies online... Check out the speaker list to see if the movie you're looking for is online yet. They will be posting about 5 movies a day. Hopefully in a week or so they'll all be online.

Thursday, March 16, 2006

A Good List of Live CD Distributions

10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery)

A good list for those who are interested and haven't seen it...

Wednesday, March 15, 2006

Secure Voice over IP: Zfone

For law-abiding Americans who don't care for those pesky involuntary three-way calls with the NSA, PGP creator Philip Zimmermann has released a new product for encrypting any SIP VoIP voice stream. His first release is Mac & Linux only.

Tuesday, March 14, 2006

Tool Time - USB, FireWire and PCMCIA Scanner

DeviceLock Plug and Play Auditor is a non-intrusive clientless freeware software solution that generates reports displaying the USB, FireWire and PCMCIA devices currently connected to computers in the network and those that were connected. Its multithreaded engine ensures fast, unobtrusive auditing of all activity on any computers in an organization.

Monday, March 13, 2006

The Bookmaker, the Wiz Kid and the Extortionist

Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this.

Saturday, March 11, 2006


Named after an African word for “humanity to others,” Ubuntu is a completely free distribution (based on Debian) fully developed by the Linux community. While this may be said for other Linux distributions, the real difference is in the ability (or right) that Ubuntu grants you to alter the software in any way that you want. To quote the developers, “Not only are the tools you need available free of charge, you have the right to modify your software until it works the way you want it to.”

Among the other public commitments the Ubuntu team makes, the team promises that the operating system will always be free, and there will be a new release every six months (each release is supported for 18 months).

More info and download here.

Prisoner 151716 of Cellblock 1A

Under the government of Saddam Hussein, Mr. Qaissi was a mukhtar, in effect a neighborhood mayor, a role typically given to members of the ruling Baath Party and closely tied to its nebulous security services. After the fall of the government, he managed a parking lot belonging to a mosque in Baghdad.

He was arrested in October 2003, he said, because he loudly complained to the military, human rights organizations and the news media about soldiers' dumping garbage on a local soccer field. But some of his comments suggest that he is at least sympathetic toward insurgents who fight American soldiers.

"Resistance is an international right," he said.

Weeks after complaining about the garbage, he said, he was surrounded by Humvees, hooded, tied up and carted to a nearby base before being transferred to Abu Ghraib. Then the questioning began.

Read the full story here.

Friday, March 10, 2006

Computer Security Awareness Video Contest Winners

The EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance would like to announce the winners of a computer security awareness video contest, which was held as part of a national campaign to raise awareness of and increase computer security at colleges and universities. The contest searched for two categories of short computer awareness videos that addressed a broad range of security topics or focused on a single security issue. Submissions were developed by college students for college students. The winning videos are featured here and will be used in campus security awareness campaigns and efforts.

The contest included 62 video submissions from 17 universities. Winners were selected for creativity, content, and quality of information; overall effectiveness of delivery; and technical quality. Cash prizes were awarded to winners in each category. The two gold winners received $1,000, the two silver winners received $800, and the two bronze winners received $500 in cash prizes. For additional information, please see the press release.

See the winners here.

Cracking Windows Passwords with BackTrack and the Online Rainbow Tables at

Irongeek Video: Cracking Windows Passwords with BackTrack and the Online Rainbow Tables at

Title says it all...

Happy Friday

ABA Journal - Stolen Lives

An American Bar Association article about the current state of the law regarding identity theft, and what you can do about the companies leaking your information.

Wednesday, March 08, 2006

The Analog Hole

A nice essay on the human dimension of the problem of securing information.

I try to avert my eyes when the person sitting next to me on the plane opens a laptop and displays a confidential memo. It may have been transmitted over a secure link (though it probably wasn't), and it may be encrypted on disk (though it probably isn't), but there it is in plain view, pouring out of the analog hole.

Spyware List

Here's a list of over 270 more spyware removal tools to avoid.

SecurityForest is a collaboratively edited Forest consisting of Trees which anyone can contribute to. SecurityForest's trees are specific security repositories that are categorized for practical reasons. The technologies currently in use in these repositories are based on Wiki technology and CVS (Concurrent Versioning System) technology. Depending on the species of the tree, the suitable technology will be used. SecurityForest is a collection of repositories (trees) for the community, by the community. In other words, the updating, modifying and improving can be done by anyone in the community.

Sunday, March 05, 2006

Live Action Recreation of the intro to The Simpsons

Not security related, but this is cool... Watch the video here.

And while we are on a geek video kick, Google Video has some great stuff. You can find quite a range from "Fear of Girls" (True Love is but a +2 Broadsword away) to this ten minute video of Disneyland's Main Street USA, right after it opened in 1956.

Saturday, March 04, 2006

Online Amateurs Crack Nazi Codes

Three German ciphers unsolved since World War II are finally being cracked, helped by thousands of home computers. The codes resisted the best efforts of the celebrated Allied cryptographers based at Bletchley Park during the war. Now one has been solved by running code-breaking software on a "grid" of internet-linked home computers.

More info here.

Friday, March 03, 2006

Fun with Stored Value Cards

This site goes into detail about how the FedEx Kinko's ExpressPay stored value card can be hacked. ExpressPay is a system developed by EnTrac Technologies, of Toronto. The system uses smart cards from Infineon, but does not secure data on the cards...

Hydra - A very fast Network Logon Cracker

HYDRA from THC is a dictionary based password cracker that works on the services listed below.

Passwords are one of the biggest security holes, as every password security study shows.

Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.

Currently this tool supports:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, LDAP2, Cisco AAA (incorporated in telnet module).

This tool is proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

Friday Fun - Jon Stewart on Larry King

The only reason to watch the Oscars this Sunday, will be Jon Stewart...

In case you missed Jon Stewart on Larry King the other night, Crooks & Liars has video and a partial transcript (but you really need to see or hear it, because a lot of the way Jon Stewart talks is lost in the literal written translation.) Larry King made several feeble attempts to create controversy, and Jon Stewart kicked him square in the nuts each time. Witness this exchange:

KING: You don't want Medicare to fail?

STEWART: Are you insane?


STEWART: You're literally asking me if I would prefer -- yes, Larry, what I'm saying to you as a comedian I want old people to suffer, old and poor people to suffer. That is -- that is -- what we want is -- what seems absurd to me is the length that Washington just seems out of touch with the desires of Americans to be spoken to as though they are adults.

Nice try, Larry; too bad Jon didn't go for it. Maybe you can team up with Nancy Grace for a two hour Aruba Special to get back on familiar, more comfortable ground.

That question was just one of several "gotcha" attempts which failed spectacularly when Jon refused to take the bait, and instead turned the ludicrous question back on Larry King, who of course had no response other than this painful frozen half-smile that was equal parts fear and loathing. When Larry King wasn't completely controlling the tone and content of the show, you could feel how uncomfortable he was. Jon Stewart was so funny, and so quick-witted, and so smart and so insightful, if Larry King wasn't trying so hard to create controversy where there was none, you'd almost feel bad that he wasn't able to keep up.

Thanks to WWdN

Wednesday, March 01, 2006

Security Awareness Tips from DHS/US-Cert

The U.S. Department of Homeland Security has a new set of posters with info on how to report a suspicious cyber incident and some security best practices tips. The posters are available for download and can be put on the wall in the old coffee room, or your cubicle...

Simpsons 'trump' First Amendment

This is from a BBC story... Nice to see how they see us across the pond...

Americans know more about The Simpsons TV show than the US Constitution's First Amendment, an opinion poll says.

Only one in four could name more than one of the five freedoms it upholds but more than half could name at least two members of the cartoon family.

About one in five thought the right to own a pet was one of the freedoms.

Copyright 2018 e2e Security.