Tuesday, December 21, 2004

EFF-sponsored anonymizer

According to this press release, the EFF is sponsoring the TOR project.

If you're not familiar with TOR, it uses a concept called "Onion Routing" to forward TCP traffic from your computer, through a complex series of semi-anonymous hops, and finally to the packet's ultimate destination. The idea is that you can run the TOR client on your computer, which exports a SOCKS proxy interface. Then any SOCKS-compatible application can use the proxy to route its traffic through the onion network.

Check it out, it's super cool, and free (as in speech AND beer), so you have nothing to lose.

I love the EFF!

Monday, December 20, 2004

Spying on the Google desktop search tool

According to The New York Times, a group of researchers from Rice University have discovered a method of spying on your Google desktop search results. Of course, being written for a general audience, the article is a little light on details, but it doesn't take too much reading between the lines to figure out what's going on.

Sheesh! Google employs about 50 gajillion PhDs and some of the best and brightest in the tech world, but somehow they seem to have failed to do even the most rudimentary security prep work on this software.

Thursday, December 16, 2004

Viral Spyware!

Ok, this is a blow too low. Viruslist.com is reporting a new variant of CoolWebSearch that actually infects executable files, causing ordinary programs to become new infection vectors for their spyware. Even if you clean the original spyware off your computer, you can still be re-infected just by running another infected program.

Spyware and viruses have finally started to really converge. I hope, then, that this means we can finally get some credible anti-spyware tools from the major anti-virus vendors. Where the hell have they been all this time?


Wednesday, December 15, 2004

Why you shouldn't trust cell phones

I saw this link today on one of the security lists I monitor. For a mere $1,800 you can own a modified Nokia cell phone that will appear to be turned off, but will in reality accept incoming calls from a number you specify, and turn on the speaker without giving any indication that the phone has been turned into a stealthy bugging device.

The same email also included this link, which has information about an Israeli company selling devices to alert you to just such an occurrence.

Tuesday, December 14, 2004

Cracking Windows passwords for free

I just sent the following to the pen-test mailing list, and I thought I should post it here for others to find as well. Someone on the list had asked whether it was possible to replicate LC5's functionality for free. Of course it is!

You can replicate most of the functionality (if not the ease of use) of LC5 with Open Source. For capturing hashes from remote registries, use pwdump3. Once you've got the hashes, feed them into John the Ripper to crack them. If you prefer, you can also use Rainbow Crack to recover the passwords more quickly, although this requires substantial pre-computation and a lot of storage space.

I've managed to get all of the above running under Linux. John and Rainbow Crack are native Unix applications (Windows versions also exist), and pwdump3 is simple enough to run well under Wine.

Monday, December 13, 2004

Which nmap scan options are right for you?

skill2die4 has just published a blog thread entitled NMAP - Learn its strength. He's trying out all the different types of scans to see firsthand which are best for various circumstances. It's quite an interesting read.

Tuesday, November 23, 2004

Anti-spyware products go head-to-head

Want to know how well your anti-spyware software does against a collection of some of the nastiest spyware out there? Eric Howes wanted to know, so he tested a bunch of them. His comprehensive report is here. Consider this mandatory reading, though I wish he had done a little more analysis of the results.

Monday, November 08, 2004

Pen Testing Explained

Ever wondered just what a penetration test is, or how it is performed? Wonder no more. Infosec Writers has posted an interesting presentation by Debasis Mohanty entitled Demystifying Penetration Testing. This is really well done, and I highly recommend it.

Monday, November 01, 2004

Oxford Suspends Two Over "Hacking"

I've commented on this story before, but SecurityFocus.com is reporting that Oxford University has suspended two students for "hacking" their network, then publishing the results in the school paper. The students claim they did it to point out the school's lousy security, but that's a weak excuse at best. They violated the policy without permission, and got busted. Score one for the Oxford IT department.

Sobig Author Identified?

A year after the big virus bounty was announced, authorities still have yet to make an arrest in the Sobig case. One group of anonymous forensic programmers has released an exhaustive analysis of the code and related factors. Their research even leads them to name a specific individual. I don't know if their conclusions are correct or not, but the paper showcases an amazing investigative effort. It's well worth reading.

Thursday, October 28, 2004

Kismet 2004-10-R1 Released

It seems like it's been forever, but there's finally a new stable release of Kismet available. Many of the changes are relatively minor, since the main purpose of the release is just to snapshot the kismet-devel CVS branch. One of the potentially biggest changes, though, is the addition of Centrino support.

Friday, October 15, 2004

Report: FAA Cybersecurity Sucks

Raise your hand if this surprises you. SecurityFocus.com is running an article entitled U.S. Air Traffic Control Found Vulnerable. Some of the key points:


  1. The FAA certifies the security of computer systems as tested by their lab, not as deployed in the field.
  2. Vulnerability assessment is performed only on servers, leaving "tens of thousands" of vulnerable targets.
  3. The FAA's IT security sucks

Ok, you probably guessed that I added that last item myself, but it's a pretty accurate summary of the article.

Friday, October 08, 2004

"Suki?"

A case of "television commercial imitates life". SecurityFocus has an article talking about how manufacturing machines on factory floors often have abysmal cybersecurity, because they've grafted ancient protocols meant for dedicated serial communication onto modern LAN hardware. My favorite part is the hardcoded default password "hihihi".

Thursday, October 07, 2004

Scottsdale F33R5 Wardrivers

I don't know whether to laugh or cry: The Arizona Republic reports that some Scottsdale residents are becoming concerned about the level of wardriving in their area. Apparently they've been noticing more and more people leeching free Internet access via home access points, and are concerned that this could lead to a higher level of identity theft.

Leeching access and poking around on other people's networks are the kind of things that give legal wardriving a bad name. I only hope the Scottsdale police department (who will be creating a cybercrime unit "next year") can tell the difference between a crook and a hobbyist.

Wednesday, October 06, 2004

Zaurus auditing tools

I'll keep this brief, since I don't like promoting my own work in this blog. I just got a new Zaurus, intending to use it for wireless security auditing. None of the commercially-available CompactFlash WiFi cards offer external antenna jacks, which is a problem. So I've created a HOWTO for using a more powerful 200mW PCMCIA card with antenna hookups. I've also created an installable package for nmap v3.70. Interested? See my Zaurus page.

Tuesday, October 05, 2004

North Korea's Cyberarmy?

I don't know if this is true or not, but the Financial Times is reporting that North Korea has trained a force of 600 information warriors. Personally, I find it plausible, even credible. It wouldn't take much for any nation-state to produce a crop of skilled attackers, and although this would only be a small part of a coordinated intelligence or offensive campaign, it could be quite a useful one indeed.

On a related note: I can't quite put my finger on why, but this North Korea story somehow puts me in mind of an earlier story about Singapore.

Thursday, September 30, 2004

Using NetFlow for security monitoring

SecurityFocus published a great two-part article entitled Detecting Worms and Abnormal Activities with NetFlow (part 1 & part 2). If you have Cisco or other NetFlow-capable network equipment, I highly recommend these articles. They're not terribly technical, but they are a great overview of what NetFlow is and how you can use it to look for some common signs of malicious activity.

Wednesday, September 29, 2004

Wireless Penetration Testing

Here's another SecurityFocus article for you today: Wireless Attacks and Penetration Testing (part 1 of 3). This is not a technical how-to article, but more of an overview of the process.

BTW, for a more thorough treatment of this subject, I can highly recommend Wi-Foo: The Secrets of Wireless Hacking by Andrew Vladimirov, Konstantin V. Gavrilenko and Andrei A. Mikhailovsky. I recently picked up a copy and was quite impressed. Expect a review soon at my other blog, InfosecBooks.Com.

Detecting Honeypots, Part 1

SecurityFocus has published a piece called Defeating Honeypots: Network Issues, Part 1. In this case, "defeating" means to identify the system as a honeypot. The article is a bit light on technical details at first, but it gets a little more interesting near the end. It's a good read if you're planning to deploy a honeypot.

Thursday, September 23, 2004

MS is holding a gun to our heads...

... and, according to CNet's News.Com, this gun is called "IE patches". Apparently, Microsoft has decided to no longer issue IE updates for Windows versions older than XP. If true, this will be a major blow to over 200,000,000 users of older Windows products.

I checked the Microsoft website and couldn't find a press release or other documentation about this, so I hope it's a false rumor. If anyone can point to information either confirming or denying this, please let me know.

Update 2004/09/23 14:58 Just to be clear, this is only about new security features, not about security patches. So the XP SP2 improvements, for example, won't be backported. As far as I know, security patches for existing features will still continue.

Tuesday, September 21, 2004

WarGames

Yeah, ok, this isn't my usual fare on this blog, but I just finished watching my newly-acquired WarGames DVD. I'm astounded at how well this movie holds up two decades after its original release. Soviet era FUD aside, you could almost shoot the same script today. The computers would be smaller (no 8" IMSAI floppy drives) but hacking really hasn't evolved as much as you might think. We still use war dialers to find rogue modem lines, and people still use weak, guessable passwords for important accounts.

Ok, I'm off the soapbox now. I love this movie...

AOL offers two-factor authentication

I wasn't originally going to post about this, but then I came to realize how incredibly significant this is. AOL, ISP to the digital huddled masses, has decided that passwords will no longer cut it, and is moving to RSA's SecurID tokens.

Everyone knows it's the right thing to do. Password technology hasn't changed much in the last few decades, and with increasing amounts of CPU power, RAM and disk space, the future is looking grim for single-factor authentication.

Most organizations have been holding off two-factor authentication, though, due to both the extra cost and the perceived deployment difficulty. If giant AOL can work it out, this could clear the way for a lot of smaller-scale deployments.

I can't wait to read a case study on this.

Monday, September 20, 2004

VMWare solves the endpoint problem?

I just saw this article today, entitled "VMWare Takes Virtual Machines Mobile". At first I thought it was about VMWare access from Windows CE or something, but that's not it at all. Apparently VMWare has leveraged their virtual machine technology to provide locked-down endpoint workstation images that can be centrally managed to ensure compliance with IT and security policies.

Here's the scenario I found most interesting: Apparently, you can load OS + applications onto a single DVD, then install that on an untrusted computer, like an employee's home PC. He can run that OS in a VMWare virtual machine, and use the "trusted" image to connect back to the secure corporate LAN, without fear of some virus or other malware leaking through.

Of course, this isn't perfect security, since an attacker could still log your keystrokes or even theoretically modify or break into the VM image, but it seems like a useful layer of extra security, provided the endpoint hardware is up to the task.

Wednesday, September 15, 2004

I've got to get one of these jobs...

While I'm posting news clippings, here's a great one. These guys are not just being paid to hack, they're being paid to hack critical public infrastructure. To all you guys (and girls?) at INEEL: You have my dream job. Take good care of it.

Quantum security for networks

This article has been popping up over most of the security sites today. Basically, some researchers at Harvard, Boston University and BBN have created an optical network that serves up web pages and basically acts like a regular LAN, by all accounts. The difference is that the simple act of eavesdropping on a communication disrupts it, so if your information makes it across the network, you know it remained private.

Actually, it's a bit more complex than this. Apparently all the data is encrypted using conventional symmetric encryption and sent via a conventional network. The article implies that the photons are carried over a separate network, and are used to exchange encryption keys. This doesn't seem very practical right now, since we already have good algorithms for exchanging private key data over public networks. Also, good encryption is easy to come by, and fairly fast on today's hardware. Presumably the researchers in this project have bigger plans. I'm really looking forward to hearing what they are.

Thursday, September 09, 2004

USA Today: "Are Hackers Using Your PC?"

Statistically speaking, the answer is probably "yes". But how? USA Today looks into the answer.

Tuesday, September 07, 2004

Spotlight on the Internet Storm Center

NetworkWorldFusion has a neat article about what it's like being the ISC's handler for a day. It's not as high-tech as you might think, but it sounds cool nonetheless.

Thursday, September 02, 2004

Trouble ticket system for Incident Response teams

Wow. RTIR looks just like what I need. It's a full-blown trouble ticket reporting system that's been customized to handle Incident Response duties. It has a fully scriptable engine, and does neat things like automatically correlate IP addresses between incidents or investigations, integrate whois/traceroute lookups and provide workflow management. You can even add custom scripts into it to extend it to features in your own environment. This looks nice to me. Does anyone else know of anything similar?

Wednesday, September 01, 2004

Specifics about what the hash breakages mean

This is a very good, simple Q&A about the recent controversy about hashes being broken (or not broken, as the case may be). This is by far the most simple explanation I've found about what this means for those of us who are not cryptographers, but use hashes every day. Think "digital signatures", "tripwire" and the like. Read it. Really.

Tuesday, August 31, 2004

RedHat to Add ExecShield, NX and Other Security Technologies in Next Update

I just read this whitepaper about new security features in RedHat Enterprise Linux Update 3. I use this distro extensively at work, and it's pretty good. I'm happy to see that NX support, ExecShield and other technologies they've already added to Fedora will finally be coming to RHEL.

There's a section at the end of the paper that claims these additional security measures would have stopped 75% of all the security issues for which patches were released from November 2003 to August 2004. That's a pretty impressive number. Of course, you still need to apply the vendor security patches in a timely fashion, but this looks to be a very handy safety net.

Wednesday, August 25, 2004

An Illustrated Guide to Cryptographic Hashes

Hey, this is pretty cool! UnixWiz.net has a great article entitled An Illustrated Guide to Cryptographic Hashes. If you're having trouble following the recent talk about cryptographic hash collisions being found, this might be just the thing to show you why this could be a big deal someday.

[Thanks to joatBlog for pointing this out.]

e-Jihad? "e-Yeah, right."

Well known Russian anti-virus vendor Kaspersky Labs is feeding the FUD machine. Its head, Yevgeny Kaspersky, is quoted in this article about the coming cyber-jihad. Apparently, tomorrow (Thursday, August 26) there will be a "large scale virus attack" that "might be delivered by Islamic terrorists".

I don't know about you, but I go through every day thinking, "There might be a large-scale virus attack today." And a lot of the time, I'm right. Either I've somehow got a psychic connection with Islamic terrorists, or this isn't news because it happens all the time. You choose. Kaspersky, you are better than this.

Update 08/26/04: Although this story was widely reported, Kaspersky Labs says it was just a misunderstanding of what Mr. Kaspersky was actually saying. See this story for more details.

Friday, August 20, 2004

XP SP2 ADS Feature No Cause For Alarm

F-Secure's AntiVirus Research Weblog has a good article explaining one of the less publicized features of SP2. Now, whenever you download a file through IE, it creates an Alternate Data Stream (ADS) attached to that file that specifies which network zone the file came from. The idea here is that if you download an executable file from an untrusted zone (i.e., the Internet) and save it on your hard drive, the system won't later let you run it unless you first submit to a popup dialog acknowledging that you know it might be dangerous.

This feature only works on NTFS filesystems, so floppy disks and USB dongles are still vulnerable, but it seems like a good idea overall. Unfortunately, as this advisory points out, there are ways to get around this restriction.

Thanks to joatBlog for pointing out the F-Secure article.
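The zone marker described in this post can be read and audited with a few lines of Python. This is an added example, not code from F-Secure or from the original post; the stream name `Zone.Identifier`, its `[ZoneTransfer]` / `ZoneId` layout and the zone numbers come from Windows itself rather than from the post, and the extension list, verdict strings and sample entries are constructed for illustration.

```python
import configparser
import os

# URL security zone numbers as Windows defines them.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Assumed list of extensions worth flagging; adjust for your environment.
EXECUTABLE = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".msi"}


def parse_zone_identifier(text):
    """Return the ZoneId from the stream's INI-style text, or None if malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone(path):
    """Read the marker from a real file. Returns None when the stream is
    absent: file not downloaded through IE, non-NTFS volume, or non-Windows."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def classify(filename, zone_id):
    """Audit verdict for one file (verdict names are hypothetical labels)."""
    ext = os.path.splitext(filename)[1].lower()
    if zone_id is None:
        # No marker at all, e.g. the file arrived on a FAT floppy or USB stick.
        return "no-mark"
    if zone_id >= 3 and ext in EXECUTABLE:
        # Assumption: Internet and Restricted zones are the "untrusted" ones.
        return "prompt-on-run"
    return "marked:" + ZONES.get(zone_id, "unknown")


# Constructed samples: (file name, stream contents or None if no stream).
SAMPLES = [
    ("setup.exe", "[ZoneTransfer]\nZoneId=3\n"),
    ("report.doc", "[ZoneTransfer]\nZoneId=3\n"),
    ("tool.exe", "[ZoneTransfer]\nZoneId=1\n"),
    ("copied-from-usb.exe", None),
    ("odd.exe", "ZoneId=3\n"),  # malformed: section header missing
]


def audit(samples):
    """Map each sample file name to its verdict."""
    results = {}
    for name, stream in samples:
        zone = parse_zone_identifier(stream) if stream is not None else None
        results[name] = classify(name, zone)
    return results


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:22} {verdict}")
```

The `no-mark` rows are the ones to look at during an audit: an executable with no marker gets no warning dialog at all.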

Thursday, August 19, 2004

Will a firewall at the South Pole melt through?

Ok, this is a little weird. Apparently, a National Science Foundation research station at the South Pole was hacked earlier this year. Although the NSF disputes the claim, US Attorney General John Ashcroft and the FBI have at various times claimed that the attack placed the lives of the scientists there at risk, because the life support system was compromised. That may or may not be true, but it's certainly a convenient excuse for them to tout the USA PATRIOT Act and how they say it saved 58 lives.

I have no way to verify the claims on either side, but if you're interested in more information, SecurityFocus.com has the scoop.

Wednesday, August 18, 2004

CIS Releases FreeBSD Scoring Tool

The Center for Internet Security is well known for their series of security benchmark tools. They've recently released their new FreeBSD tool, as well as an update to their Solaris version.

If you're not familiar with them, you should be. They scan a system for common configuration errors and provide you with plenty of good feedback about what you can do to improve your security posture. Perhaps more importantly, they also calculate a numeric "score" you can use as an executive educational tool.

Versions of the scanner are available for various Unix and Windows systems as well as Cisco's IOS and the Oracle database.

Tuesday, August 17, 2004

SHA-0 Broken. SHA-1, MD5 Next?

Here's another story that's been widely reported. Apparently the SHA-0 cryptographic hash function has been broken. In this sense, "broken" means that someone found a way to take a message and its associated hash, then create a different message that has the same hash. This could be a Very Bad Thing, since these sorts of functions are used as the basis for a lot of encryption and digital signature protocols. Check out the /. version of this story here.

Monday, August 16, 2004

NIST PDA Forensics Guidelines Posted

Everyone and their brother is posting about this, but what the heck, it's good stuff and you should read it. The National Institute of Standards and Technology (NIST) has posted a draft of their new Guidelines on PDA Forensics. They cover analysis of PalmOS, PocketPC and Linux-based PDAs. Give it a read, and be sure to comment on the draft if you have anything to add.

Friday, August 13, 2004

Emergency Alert System Vulnerable

Ok, this one is actually a little scary. You know about the Emergency Alert System that allows the government to interrupt radio and TV broadcasts to put out... well... Emergency Alerts. According to an article over at SecurityFocus.com, this thing has more holes than Swiss cheese, and is vulnerable not only to Denial of Service, but to spoof attacks which might allow someone to inject false messages that are sent out without any sort of human review whatsoever. I can only speculate about what sort of havoc this could cause in the wrong hands and under the wrong circumstances.

Monday, August 09, 2004

Metasploit Framework 2.2 released

Metasploit is a great tool, and version 2.2 promises several soon-to-be indispensable features, including DLL injection payloads, VNC support, and support & documentation for creating your own custom exploit modules.

Friday, August 06, 2004

Tor: Anonymous TCP

Tor is an anonymizing layer on top of TCP. It uses a concept called "onion routing" to keep your online activities anonymous. Basically, packets are routed at random through a network of Tor servers (provided by the Tor user community), making it very difficult to trace their real origin. The contents are encrypted separately for each server, so only the final Tor server will be able to read your payload data, just before it is sent to its final destination, but by that time the IP information tying that packet to you will be lost.

In short, Tor is to TCP what Mixmaster is to email.

If this all sounds too confusing, check out the nice article on Wired's website.
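The layering described in this post can be simulated in a few lines to show what each server on the path gets to see. This is an added example, not Tor's code or protocol: the relay names, keys, cell layout and destination are constructed, and the SHA-256 keystream is a toy stand-in for the real ciphers Tor negotiates with each relay.

```python
import hashlib

MAGIC = b"ONION"  # constructed marker so a relay can tell its layer decrypted

# Constructed three-hop circuit: (relay name, key shared with the client).
CIRCUIT = [("relay-A", b"key-A"), ("relay-B", b"key-B"), ("relay-C", b"key-C")]


def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || offset) blocks.
    Encrypts and decrypts; a stand-in only, never use it for real data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def build_onion(circuit, destination, payload):
    """Client side: wrap the payload once per relay, innermost layer first."""
    names = [name for name, _ in circuit]
    next_hops = names[1:] + [destination]
    cell = payload
    for (_, key), nxt in zip(reversed(circuit), reversed(next_hops)):
        header = MAGIC + bytes([len(nxt)]) + nxt.encode()
        cell = keystream_xor(key, header + cell)
    return cell


def peel(key, cell):
    """Relay side: strip one layer. Returns (next hop, inner cell),
    or None when the key does not match this layer."""
    plain = keystream_xor(key, cell)
    if not plain.startswith(MAGIC):
        return None
    start = len(MAGIC) + 1
    length = plain[len(MAGIC)]
    return plain[start:start + length].decode(), plain[start + length:]


def route(circuit, client, cell):
    """Pass the cell along the circuit, recording each relay's view."""
    keys = dict(circuit)
    views = []
    previous, current = client, circuit[0][0]
    while current in keys:
        peeled = peel(keys[current], cell)
        if peeled is None:
            raise ValueError(current + " could not decrypt its layer")
        nxt, cell = peeled
        # A relay knows who handed it the cell, where to send it next,
        # and the still-wrapped remainder; nothing else.
        views.append({"relay": current, "from": previous,
                      "to": nxt, "inner": cell})
        previous, current = current, nxt
    return views, current, cell


if __name__ == "__main__":
    request = b"GET / HTTP/1.0\r\n\r\n"
    onion = build_onion(CIRCUIT, "example.org:80", request)
    views, dest, delivered = route(CIRCUIT, "client", onion)
    for v in views:
        print(v["relay"], "from", v["from"], "to", v["to"],
              "| sees payload:", request in v["inner"])
    print("delivered to", dest, delivered)
```

Only the first relay learns the client's identity and only the last one sees the payload and destination, which is also why the final hop is the place where unencrypted traffic can be read.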

Thursday, August 05, 2004

Hack the Vote

I don't think much of hacking challenges in general. They can prove a system is vulnerable, but they cannot prove that it is not. In other words, if you're successful, there's obviously a problem, but if you're unsuccessful, maybe you just didn't hit on the magic combination.

That being said, here's a hacking challenge that might be worth looking into. Rebecca Mercuri's challenge to e-voting machine vendors to open themselves up to scrutiny by the security community is on the money, even without the $10,000 prize.

Wednesday, August 04, 2004

Singapore needs hackers... why?

I'm more than a little suspicious of this AP article. It seems that Singapore is holding a national hacking contest to "help shed light on ways to prevent actual computer attacks". They could do this more cheaply and effectively by visiting their local bookstore and picking up a copy of Hacking Exposed or something. It's just a feeling I have, but their stated reason doesn't seem on the level.

Monday, August 02, 2004

HTTP tunneling for pen testers

SecurityFocus has published a nice article detailing the basics of HTTP tunneling. Tunneling is a technique that encapsulates network traffic inside other network traffic. In this case, you can encapsulate your attack traffic inside HTTP traffic, which is most likely allowed through your target's perimeter defenses.

Friday, July 30, 2004

NIST Withdraws DES

It's about time! NIST has published its intention to withdraw its approval for using the DES encryption algorithm to protect federal gov't information. The short announcement encourages DES users to switch to AES, but also notes that DES used as part of triple DES implementations is still OK.

Web threat taxonomy published

The Web Application Security Consortium has published a new taxonomy of web security threats. It's 87 pages long and contains detailed descriptions, examples and references for over 20 types of attacks. Is it rocket science? No. Is it useful? Maybe, but only if enough people actually read it and start referencing it.

A taxonomy is a good thing, in my opinion. I need to read in more detail before I can say whether I'll be using it on a daily basis, though.

joatBlog mentions that there might be a trust issue with using a copyrighted taxonomy, but I've read the OpenContent license this document uses, and it seems quite reasonable and very Open Source-like.

The best hacking tools you've never heard of (Part 1)

Reading this article about a Blackhat presentation on Metasploit gave me the idea for this entry.

If you haven't tried Metasploit, you should. Right now. Their motto, "Hacking like it is in the movies", is pretty accurate. They've got a good database of reliable cross-platform exploits and payloads all wrapped up in a convenient point-n-click GUI. It's extremely useful as a tool for security testers and admins who want to verify the security of their systems, but unfortunately, it can also easily be used for Evil.

You really do owe it to yourself to check this out. Trust me.

OpenSSL programming is easier than you thought

IBM's developerWorks has published Kenneth Ballard's fine article on basic OpenSSL programming. This is the clearest, most straightforward explanation of how to program the OpenSSL library in C. Although the documentation does a good job of hiding it, it's really trivial to work OpenSSL into your own applications.

Wednesday, July 28, 2004

Ethical worms: What crack is Slate smoking?

Slate has an article entitled Fight Virus With Virus - That's the only way to stop MyDoom. The author's idea is that if we can't stem the tide of malware with our current technology, then we should fight fire with fire, or "virus with virus", by creating worms that exploit widespread security holes in order to spread around and automatically fix security holes.

This idea is not just bad, it is disastrous. It's hard enough sometimes for legitimate administrators to patch their systems and have them still run reliably (pre-production testing, anyone?) and the idea of trusting my systems to an anonymous piece of code that has no local knowledge about my configuration, requirements or schedule is simply ludicrous.

Let me be clear: No way in hell.

Sunday, July 25, 2004

Kids may be more security-savvy than we think

The SANS Internet Storm Center's diary entry for today talks about something I find, frankly, amazing. Scott Weil, the head of SANS' Local Mentor training programs, spoke with a group of school children about Internet safety issues. He asked some of the students to design an attack against their school's network, and the rest to design defensive measures to protect their network against attackers. I'm amazed by the sophistication their responses displayed.

Saturday, July 24, 2004

Detecting altered digital photos

Slashdot has a pointer to a couple of articles showcasing Dartmouth Assistant Professor Hany Farid's work on detecting altered digital images. Apparently, he and his graduate student, Alin Popescu, have developed a mathematical model that can determine whether or not various common image editing techniques (cloning, averaging, resizing, etc) have been applied.

How is this related to Information Security, you may ask? For one thing, it may have potential ramifications for the admissibility of digital photos as evidence in a court of law. Also, and neither article mentions this, it sounds like it may also have the potential to help identify images which contain steganographic content.

Thursday, July 22, 2004

DNC convention network vulnerable?

The Boston Globe has an article showcasing possible vulnerabilities in the network setup planned for the Democratic National Convention. Apparently, some of the hackers over at Newbury Networks have keyed in on the fact that although the DNC is deploying an exclusively-wired network, the influx of thousands of laptops pretty much guarantees some of them will be misconfigured to act as bridges to their built-in wireless networks. The article describes an attack whereby a Bad Guy could set up a high-power access point near the convention site and trick unwary laptop users into associating with his malicious network, and then use the attendees' laptops as jumping-off points into the wired network.

This attack has a reasonable chance of succeeding but it's nothing new. You see this type of thing any place lots of people bring laptops (conventions, conferences, heck even hotel networks). The real question in my mind is about the potential risk. I'm not familiar enough with what goes on at these conventions to know what's on the network or evaluate what the potential loss could be. Anyone care to comment?

Wednesday, July 21, 2004

Should we train hackers?

InfosecWriters.com has a good paper exploring the issues (pro and con) of teaching "ethical hacking." As you probably know, any yahoo with $$ can sign up for a number of "Super Ultimate Megaleet Hacking" courses and learn most of the same techniques the Bad Guys use against us. The concern is, of course, are we the ones teaching the Bad Guys? My take is that truly dangerous blackhats don't need our help to learn anything, so the benefit to the security community far outweighs the possible downside. But check out this paper and see if you agree.

Creating a vulnerability-scanning capability in an academic environment

Check out Eliot Lim's excellent paper, Design and Deployment of a Rapid Response Security Vulnerability Scanning Infrastructure. It's a fascinating case study of implementing a vulnerability scanning program in an environment which is usually downright hostile towards security, the university and academic research facility.

Tuesday, July 20, 2004

CAUTION: This network protected by Casey Jones

El Reg has an amusing article surveying the musical tastes of various types of IT pros. Apparently, security pros are supposed to be fond of 60's rock classics like The Dead, Jimi Hendrix and The Doors. While I do have Hendrix and The Doors on my iPod, I'm more of a blues man myself. Guess I'll have to get another job...

Towards a worm creation language

Immunity's Dave Aitel has posted slides from his recent talk, entitled Advanced Ordnance. The presentation explores the idea of creating a description language and compiler for implementing the next generation of platform-independent worms. Lest you think this is just pie-in-the-sky, I should mention that it's based on his freeware MOSDEF tool, so parts of what he describes already exist, or are within cat-hurling distance of existing. It's interesting stuff, though the implications are a little on the scary side.

(Note: The presentation is in an OpenOffice format)

Monday, July 19, 2004

419ers get nasty

The Register has this story about Nigerian scammers skipping the wasteful "please we really need your help" schtick and getting down to business: "Pay up or we'll kill you."

Saturday, July 17, 2004

Athens Olympics Steps Up Cybersecurity

The Associated Press has an interesting story about cybersecurity measures for the upcoming Olympic games. It's a little light on technical details, but there are some interesting nuggets nonetheless. I'd like to know how large of a staff they have working on this part, but unfortunately the article doesn't say.

Friday, July 16, 2004

A dramatic example of the business need for Information Security

I've just read that Los Alamos National Lab has temporarily suspended all classified research due to a continuing pattern of Information Security problems. Specifically, in this last incident they lost two ZIP disks containing classified weapons-related information.

Classified research counts for a lot of their business, so I hate to think how much this is affecting a) their scientific mission, and b) their bottom line. It's nice to hear that they are finally taking decisive actions to clear up the problem, though.

On that note, here's my favorite quote from the article:

Nanos said people at the lab sometimes have an attitude of impunity, expressed in the phrase, "They can't fire us all."

Speaking to those who had behaved with a cavalier attitude, Nanos said, "We're going high and right on this one. And the fact of the matter is, if we have to, we will fire you all."

joatBlog

joatBlog is another of my favorite security blogs. He's got a good head on his shoulders, and he also reads extensively. It's always interesting seeing what he comes up with.

Oxford University Students Break Network, Law

In a brash display of... well, I'm not sure what, but it certainly wasn't brains, two Oxford students apparently hax0r3d the school's network and then published the results in the school's newspaper.

The law is the law, folks, and the difference between an administrator and a hacker is permission. If you don't have it (in writing!), you're just asking for trouble pulling this kind of stunt.

Here's a writeup from El Reg, and here's the students' original article.

Stupid Security

One of my favorite blogs is Stupid Security. Their tag line, "Exposing Fake Security Since 2003", pretty much says it all. I just wish it could be updated more frequently, but I guess the less stupid security, the better.

Phrack #62 Released

Phrack issue #62 was released this week. This is a pretty Windows-oriented issue. As usual, it's well worth reading if you can get past the juvenile "I'm 133T33R than you" attitude.