Wednesday, October 31, 2007

Leopard with chinks in its armour

Apple is using security in general and the new firewall in particular to promote Leopard, the latest version of Mac OS X. However, initial functional testing has already uncovered cause for concern.

Read the article HERE.

Leopard rejects latest version of Java
Apple faces yet more flak from the Mac faithful over the discovery that the operating system won't run the latest version of Java. It's one of several beefs relating to the OS X upgrade that is sparking vitriol among the normally docile crowd.

Read the article HERE.

Whois may be scrapped

Tech industry lawyer Mark Bohannon frequently taps a group of searchable databases called Whois to figure out who may be behind a Web site that distributes pirated software or tricks visitors into revealing passwords.

Some privacy advocates are proposing scrapping the system entirely because they can't agree with the people who use the system on how to give domain name owners more options when they register - such as designating third-party agents. Privacy advocates say individuals shouldn't have to reveal personal information simply to have a Web site.

Read the article HERE.

Please leave us your money!

I came across an interesting website today while doing some analysis on Generic VB.b!e3cf12. In summary, it tried to redirect users trying to visit escrow.com to another spoofed website that is being hosted on the Verio network.

Read the article HERE.

Germany seeks expansion of computer spying

A proposal to secretly scan suspects' hard drives causes unease in a nation with a history of official surveillance.

Read the article HERE.

The myth of what anti-virus is

If you're like most folks the term "anti-virus" elicits images of a virus scanner methodically checking each and every file on a system for something that matches one of its hundreds of thousands of signatures... obviously that is the most well known aspect of the anti-virus field, but if you (like many others in this day and age) thought that that was all there was to anti-virus then you'd be dead wrong...

Read the article HERE.


The anti-spyware market that never existed is officially dead
This is the ultimate confirmation, in my mind, that the fake anti-spyware market (that never really existed) is now dead. I never quite understood the difference between a spyware threat and a virus threat.

Read the article HERE.

Media's Malware Fiasco

After both TrendMicro and Sophos acknowledged the attack on Possibility Media's portfolio of online publications, added detection, further clustered the attack, as well as came up with a fancy graph to visualize the IFRAME-ing attack, the attackers changed the IFRAME code and directed it to another location.

Read the article HERE.

Tuesday, October 30, 2007

Data Security: Bit9

Top Popular Applications with Critical Security Vulnerabilities
Bit9 has released its annual list [PDF - Registration required] of the top popular applications with known vulnerabilities. Often running outside of IT’s knowledge or control, these popular applications, they say, can be difficult to detect and remove.

Read the article HERE.

AntiVirus Products Fail to Find Malware

When I found a malicious script riddled with 0x00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0x00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.

Read the article HERE.

Tool opens iPhone, iPod Touch via web

iPhone hackers have released a tool that allows owners of firmware 1.1.1 iPhones and iPod Touches to open up their devices to third-party apps - all without the need for a host Mac or PC.

Read the article HERE.


Apple restricts iPhone sales
Apple has ordered that no one may buy more than two iPhones and none can use cash. The move is widely seen as an attempt to control the rising sales of iPhones to modders who install chips so that they do not have to use AT&T's network.

Read the article HERE.

Africa waiting for net revolution

More than a third of Africa's citizens should have access to broadband internet by 2012, a conference of technology leaders is set to hear. The conference features representations from organisations such as the World Bank, World Health Organization and United Nations, as well as high-profile technology leaders such as Intel's chairman Craig Barrett. The attendees were all invited to make financial commitments to improving technology and telecoms in the continent. More than $3bn has been pledged so far.

Take a look HERE.

Am I missing the plot here? $3bn so that Africa has better access to You Tube and Facebook [sic]. I would have thought sanitary living conditions, running water or perhaps even better health care might have taken the coveted number one spot. But, nevertheless, one must always look on the bright side. Now Nigerian 419 scammers will have access to a new target...Hi, if you send me a goat and a chicken I can send you 1,000 head of cattle.

News, Hints, Tips, Tricks & Tweaks

Read this week's articles at WXPNews HERE.

Cyber Security Bulletins: Release Date - Oct 29

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read this week's bulletin HERE.

Monday, October 29, 2007

Ultimate Anonymity

With Ultimate Anonymity, you will be able to Surf the web anonymously, send anonymous email and newsgroup messages, participate in P2P file sharing protocols, chat rooms, IRC and other popular protocols with complete privacy and anonymity. Mask your real IP address to others online.

Protect yourself from cyber stalkers, identity thieves, and others who might snoop on you and track your online activities in any online protocol. Everything you need to manage your online presence in a secure, private and anonymous fashion, all in one place.

As a 10th Anniversary Special they are offering a lifetime subscription (user ID never expires) for $58.

I have been a member since the one time fee was $14.95 [can't remember the date] and have never regretted joining. It is not something you may want [or need] to use on a daily basis, but it's always there when you need it. If this is a service you think you may use, then I suggest you take advantage of this great offer - which is even cheaper than the $59.95 price at 8/8/2006.

Visit the website HERE.

The Hanamaru Game - variant 2

Breaking this game is as hard as breaking the RSA cryptosystem.

Try your luck HERE.

HttpBee - Web Application Hacking Toolkit

HttpBee is a swiss-army-knife tool for web application hacking. It is multi-threaded, embedded with a scriptable engine and has both command-line and daemon mode (if executed in daemon mode, HttpBee can become an agent of a distributed framework). This is a tool for more advanced users and there isn't much documentation.

Read the article HERE.

Network Analysis - Wireshark On Ubuntu

Wireshark is a network protocol analyzer (or "packet sniffer") that can be used for network analysis, troubleshooting, software development, education, etc. This guide shows how to install and use it on an Ubuntu Feisty Fawn desktop to analyze the traffic on the local network card.

Read the article HERE.

How Quantum Cryptology Works

Traditional cryptology is certainly clever, but as with all encoding methods in code-breaking history, it's being phased out. Both the secret-key and public-key methods of cryptology have unique flaws. Oddly enough, quantum physics can be used to either solve or expand these flaws.

Read the article HERE.

Ubuntu Hard Drive Wear and Tear

This problem seems to be limited to laptop mode. Read This [link] if you want to see how to tell if you're affected. A recent bug report for Ubuntu Linux has confirmed that both the Feisty and Gutsy versions of Ubuntu cause some unnecessary wear and tear on a hard drive. The bug report reads:

Read the article HERE.

Sunday, October 28, 2007

BitTorrent Site Promises to Bring Back OiNK

The Pirate Bay said Friday that it was working on bringing back OiNK, a BitTorrent tracker that featured music files from "hundreds of thousands" of music albums.

Read the article HERE.


OiNK - The Pirate Bay - Demonoid - BOiNK [new guy on the block]. Names to cause nightmares amongst those that seek to protect the rights of movie studios to pay their "stars" ridiculous amounts of money. How anyone can justify $20 million to "act" in a movie [which later flops] just blows my mind. Is that why new DVDs cost three times more than they should? Remember in the old days when vinyl was copied to audio cassette tape. And original release cassettes were just copied and handed around like business cards. And no one really gave a ratz arze. But now, if you download five MP3s, the Gestapo wants to sue you for $4,000 [that's $750 per song]. If you download a movie I think the penalty is now execution - and a fine. You have to pay the fine first. They need the money to pay their star for his next movie role.

Free Zombie Detection Test

PineApp has released a free zombie test. It can instantly show whether a computer might be a spamming machine that can send spam messages without its knowledge.

CLICK HERE, enter the IP address and get an instant analysis.

Perfect Paper Passwords

During this week's second half of our discussion of GRC's new secure roaming authentication system, I reveal and fully describe the unique, simple, clean, and super-secure one-time password solution I designed to provide roaming authentication for GRC's employees. I also describe our own freely available software implementation of the "PPP" system, as well as several other recently created open source implementations.

Read [or listen] to the article [Episode #115] HERE.

Mac's Dreaded Blue Screen of Death

Apple support drones are getting an earful from Mac users who are getting the dreaded Blue Screen of Death while trying to update to the latest and greatest version of OS X. The thread on an official Apple support forum has more than 200 posts left in 25 hours at time of writing. A large percentage of the writers report getting a persistent blue screen that forces them to abort their installation of Leopard.

Read the article HERE.

HOW TO: create a bootable XP SP3 CD

It’s been a while since anyone’s had to slipstream a Windows XP service pack, but seeing as how SP3 is now available to play with, we thought we’d do a refresher course. To create your own bootable Windows XP SP3 CD, you’ll need the following:

Most Windows updates can be slipstreamed into installation media via the same process, so it’s worth keeping the folder structure and saving the Nero compilation so that you can just keep adding to the local cache. Using a rewritable CD will avoid wasting media, or it works just as well when updating a network install location.

Read the article HERE.

Beta Releases

Weekend Reading

Cannonball Run

[Now this is real Sunday Reading. Off topic...as are many other items here...but they cover the spectrum of human emotions]

And so the clock starts and the taillights flare, and they're off again, strapped down, fueled up, and bound on an outlaw enterprise with 2,795 miles of interstate and some 31,000 highway cops between them and the all-time speed record for crossing the American continent on four wheels.

Take a look HERE.

==================================================================
A tale of two decisions - how the FBI gets you to confess
Abdallah Higazy was staying in a hotel in New York City on September 11 and the hotel emptied out when the planes hit the towers. The hotel later found in the closet of his room a device that allows you to communicate with airline pilots. Investigators thought this guy had something to do with 9/11 so they questioned him. According to Higazy, the investigators coerced him into confessing to a role in 9/11. Higazy first adamantly denied any involvement with 9/11 and could not believe what was happening to him. Then, he says, the investigator said his family would go through hell in Egypt, where they torture people like Saddam Hussein. Higazy then realized he had a choice: he could continue denying the radio was his and his family suffers ungodly torture in Egypt or he confesses and his family is spared. Of course, by confessing, Higazy's life is worth garbage at that point, but ... well, that's why coerced confessions are outlawed in the United States.

So Higazy "confesses" and he's processed by the criminal justice system. His future is quite bleak. Meanwhile, an airline pilot later shows up at the hotel and asks for his radio back. This is like something out of the movies. The radio belonged to the pilot, not Higazy.

Take a look HERE.

==================================================================
Disgracefully unreliable software
Let's start with an analogy. How would you feel if you were in a restaurant, in the middle of your meal, and the waiter takes your food away? It's a breach of the rules; food isn't supposed to be removed while the customer is eating.

Windows XP is that waiter. It lets you delete a file while an application is using it.

Take a look HERE.

==================================================================
China's Cyber War
This documentary was originally aired on the Discovery Channel.

Take a look [at the 47 minute video] HERE.

==================================================================
MSDN Launches Tester Center
Is your role that of a software tester? Do you spend your days writing test code for your organization? Do you yearn for a central location where you can discuss practices, tools and testing in general with your peers?

MSDN has the site for you. Find videos and articles relating to the world of the software tester. On this site, you will also find a link to the Software Testing Discussion forum. This forum hosts a discussion and Q&A for software testers specifically.

You will also find links to various tester related resources and patterns and practices related links as well. This is a new site dedicated to the software tester so visit often, participate, and help make it a successful site that you will want to go back to time and time again.

Source: My Thoughts (Good and Bad)

==================================================================
Microsoft Dives Into Unified Communications
In introducing Microsoft’s unified communications products, Bill Gates predicted a change in the way people work "as profound as the shift from typewriters to word processing".

Yep - in the same way tablet PCs were to replace pen and paper? We're still waiting.

Take a look HERE.

==================================================================
Pentagon hacker's UK appeal moves forward
A trio of British judges has agreed that hacker Gary McKinnon can appeal his extradition order to the U.S. to the House of Lords.

Take a look HERE.

Let's hope he has more luck than this guy.

Saturday, October 27, 2007

Detect Changes to Windows Automatic Updates

There has been a lot of controversy lately over the Windows Automatic Update feature. First Microsoft changed some files used in the Auto Update mechanism on a user's machine without ever making it an option. Now, Microsoft has been accused of making changes to the Windows AutoUpdate settings. Some claim during the last Windows update their configuration was changed to "Update Automatically". Microsoft denies the accusations.

WinPatrol has a long history of monitoring unique settings that most other programs don’t worry about. Many new WinPatrol features are requested by users but a lot of changes are based on things I want for myself. I thought “Hey, I’d like to know if something changes my Automatic Update settings”.

Read the article HERE.

Storm worm can befuddle NAC

A newly discovered capability of the Storm worm could invalidate results churned out by NAC products. This new trick is Storm’s ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them. Users will see that, for example, antivirus is turned on, but actually it isn’t scanning for viruses.

Read the article HERE.

ExploitMe: Free Firefox Plug-Ins Test Web Apps

Canadian researchers have built a set of free exploit tools for Web applications that run as Firefox browser plug-ins; the so-called ExploitMe suite includes tools for cross-site scripting (XSS) and SQL injection, two of the most common vulnerabilities found on Websites. Nishchal Bhalla, founder of Security Compass, and his fellow researchers at the firm will demonstrate and release the new exploit tools -- aimed at facilitating penetration testing of Web applications -- at next month’s SecTor security conference in Toronto. The tools let researchers, Web app developers, and quality assurance staffers "fuzz" their Web apps for vulnerabilities to XSS and SQL injection attacks.

Read the article HERE.

XSSDetect Public Beta now Available!
One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as detect them in the code bases that we review so that they can be fixed before going live.

Read the article HERE.

Windows Server 2008 Reviewed

Microsoft has used the time since the release of Windows Server 2003 very well. The new Server Manager simplifies system administration immensely. Unlike Windows Vista, whose new dialogues still confuse even experienced users, Windows Server 2008 makes the admin feel right at home and in control.

Related tasks and services are grouped together, so that they can be found quickly and easily. Also, the system points out configuration problems at the beginning of an installation of a server task, preventing many rookie mistakes. Services started by mistake are easily identified and stopped, thanks to the new view. Also, the Event Viewer filters the entries in such a way that only relevant information is displayed.

However, it's not all sunshine, either. Although our test system used a beefy Intel Core 2 Duo E6700 with a generous 2 GB of RAM, the Server's user interface felt sluggish with Windows being drawn very slowly. Most likely, this is due to a lack of driver support - after all, the RC0 is still a work in progress.

Microsoft also gets low marks for failing to include SSH support in the operating system. On Linux servers, working without SSH is simply unthinkable. At least the Redmond company includes its encrypted remote shell WinRS. However, secure FTP is still a missing feature. The FTP client is being treated like an unloved stepchild, to the point where it is not even included in the Server Manager.

Read the 19 page article HERE.

San Diego's ToorCon keeps hackers current

ToorCon 9, a hacker's convention, kicked off with registration and a reception in the San Diego Convention Center. Keynotes and the talks were held Saturday and Sunday. This was my first time at ToorCon, and I learned why it is so highly regarded among the hacker community. It's good.

Read the article HERE.

Australian Daylight Saving

Just a reminder for Australian residents that Daylight Saving begins tonight.

[Queenslanders can go back to sleep][Tasmanians started 3 weeks ago]
[Please provide your own ad lib lines for the above two statements]

Don't forget to turn your clocks forward one hour at 2:00 am on 28 October 2007

Friday, October 26, 2007

Virtualization Decreases Security

In a fascinating story on KernelTrap, Theo de Raadt asserts that while virtualization can increase hardware utilization, it does not in any way improve security. In fact, he contends the exact opposite is true: 'You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.' de Raadt argues that the lack of support for process isolation on x86 hardware combined with numerous bugs in the architecture are a formula for virtualization decreasing overall security, not increasing it.

Source: Slashdot

Microsoft - always in the news

Microsoft update brings PCs to a standstill
Something seems to have gone horribly wrong in an untold number of IT departments on Wednesday after Microsoft installed a resource-hogging search application on machines company-wide, even though administrators had configured systems not to use the program.

Read the article HERE.

PC rebooting? The cause may be MS OneCare
Installing Windows Live OneCare, Microsoft's downloadable security suite, changes the settings of Automatic Updates without notifying users or honoring their update preferences. This behavior may explain reports that Windows has been mysteriously installing patches and rebooting itself, even though users had completely shut down the Automatic Updates function.

Read the article HERE.

Wi-Fi Detector Shirt

Here at ThinkGeek we're pretty lazy when it comes to technology. We expect our gadgets to do all the busywork while we focus on the high level important tasks like reading blogs. That's why we hate to have to crack open our laptops just to see if there is any wi-fi internet access about... and keychain wi-fi detectors, we would have to actually remove them from our pockets to look at them. But now thanks to the ingenious ThinkGeek robot monkeys you can display the current wi-fi signal strength to yourself and everyone around you...

Read the article HERE.

Are you secure? Prove it.

Are you secure? Prove it. These five words form the core of my recent thinking on the digital security scene. Let me expand "secure" to mean the definition I provided in my first book: Security is the process of maintaining an acceptable level of perceived risk. I defined risk as the probability of suffering harm or loss. You could expand my five word question into: "Are you operating a process that maintains an acceptable level of perceived risk?"

Let's review some of the answers you might hear to this question. I'll give an opinion regarding the utility of the answer as well. Read the article HERE.

Web 2.0's Privacy Concerns

Privacy may soon become a much bigger deal to the Web 2.0 world. That's because Web 2.0's ability to mash up components from different Web sites into one customized user experience can also lead to a disconnect between the privacy users expect and the privacy they actually receive.

Read the article HERE.

Online privacy? That's for old people

Reared on reality TV, paparazzi, cellphone cameras and the insatiable maw of the World Wide Web, it's no wonder teens and adults in their 20s think a little differently when it comes to privacy.

Read the article HERE.

Thursday, October 25, 2007

TechNet Magazine - November 2007

Windows Administration
Offline files allow users to be productive when disconnected. In Windows Vista, new Offline Files features make working off the network better than ever.

Desktop Deployment
BDD 2007 contains best practices, configuration files, scripts, and templates. All together they make desktop deployment faster, easier, and more scalable.

Communications
Once you've deployed Exchange Server 2007 Edge Transport servers to control spam and other unwanted e-mail, you'll want to implement logging and tracing and configure Edge Transport agents to perform the tasks you need.

Networking
ISA Server 2006 can serve as a remote access server. This article looks at ISA's VPN capabilities as a solution for providing VPN remote access and as a method for providing site-to-site VPN connections.

SQL Server
Hardware tuning isn't all there is to efficient operation of SQL Server. Often the way queries run can spell the difference between a fast application and real bottlenecks. Here's how to identify offending queries.

Read the magazine HERE.

iRubbish

iPhone security rivals Windows 95
As its popularity grows, experts worry about Apple's decision to build the iPhone's firmware on the same flawed security model that took rival Microsoft a decade to eliminate from Windows.

Read the article HERE.

Ipods are a major leap backwards
We have an Ipod. A style and lifestyle statement. We are the hippest of the hip. We are God's chosen people; the talk of the chattering classes. We have an Ipod Nano. How groovy is that? Not very.

What does an Ipod - or any other MP3 player offer? The chance to listen to sounds in a format that would offend a Finnish Death Metal band with its lack of quality. Sure, you could store a zillion albums on it, but you never will. Firstly you only possess a copy of Queen's Greatest Hits, The Best of Steps and James Blunt's Bluntastic! What are you going to store on the remaining 39.5GB of space?

Well. It's going to be stolen music, isn't it?
The Ipod is a triumph of marketing over technology.

Take a look HERE.

Not all patches are released on a Tuesday

Big kudos to Microsoft, really. Even my not overly tech savvy dad knows by now that he must make sure to get his patches on the second Tuesday of the month. While one might argue over the sorry state of software development that makes monthly patching a must, I still think that the concentrated effort and foghorn message of Microsoft for monthly patching has done a lot of good.

Read the article HERE.

Spammers use web redirection to avoid detection

Spammers are ramping up their use of redirection techniques to try to get around many anti-spam filters. The technique, most commonly found with pharmaceutical spam, sends a user to a web page and the user is then automatically redirected to another web page. This technique is specifically designed to get around databases of destination URLs that many anti-spam technologies rely upon.

Read the article HERE.
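The technique above works because a filter that only checks the URL in the message never sees the pharmaceutical site at the end of the chain. The added example below (my code, not the article's or any vendor's) follows HTTP redirects hop by hop, offline, and checks every hop against a blocklist. The redirect table, hostnames and blocklist are constructed; in real use the table entries would come from the status code and Location header of each response, and meta-refresh or script redirects would additionally need the page body parsed.

```python
"""
Added example: resolve a redirect chain offline and check each hop, not just
the first URL, against a blocklist. All URLs below are constructed.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed table: url -> (status code, Location header) as a server
# would answer. 200 with no Location means the chain ends there.
REDIRECTS = {
    "http://innocent-looking.example/go?id=7": (302, "http://hop.example/r"),
    "http://hop.example/r": (301, "/final"),  # relative Location header
    "http://hop.example/final": (302, "http://pharma-spam.example/buy"),
    "http://pharma-spam.example/buy": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}

# Constructed blocklist of destination hosts.
BLOCKLIST = {"pharma-spam.example"}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def follow(url: str, table=REDIRECTS, max_hops: int = 10) -> list[str]:
    """Return every URL visited, starting with `url`.

    Stops at the first non-redirect answer, an unknown URL (treated as a
    final page), a loop, or after `max_hops` redirects.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = table.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            break
        url = urljoin(url, location)  # resolve relative Location values
        chain.append(url)
        if url in seen:  # redirect loop: record the repeat and stop
            break
        seen.add(url)
    return chain


def verdict(url: str, table=REDIRECTS, blocklist=BLOCKLIST) -> dict:
    """Compare a first-hop-only check with a full-chain check."""
    chain = follow(url, table)
    hit = next((u for u in chain if host_of(u) in blocklist), None)
    return {
        "first_hop_listed": host_of(url) in blocklist,
        "chain": chain,
        "blocked_by": hit,
        "looped": len(chain) != len(set(chain)),
    }


if __name__ == "__main__":
    for start in ("http://innocent-looking.example/go?id=7", "http://loop.example/a"):
        print(start, "->", verdict(start))
```

The first-hop check passes the message; the chain check blocks it on the third redirect, and the loop case shows why a hop limit is needed.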

Notorious spyware purveyor shuts down

Less than a year after successfully negotiating a US$1.5 million wrist-slap to settle charges that it used sneaky tactics to install spyware on millions of computers, DirectRevenue (also known as Best Offers) has shut down operations.

Read the article HERE.

Schneier: Beware security products

A leading security expert has warned businesses to beware of buying shoddy security products. Bruce Schneier issued the warning at the RSA Conference Europe 2007 in London on Tuesday. He told delegates that they should not necessarily trust security vendors to give a fair representation of the security of those products.

Read the article HERE.

Google News

Gmail delivers a knockout punch: IMAP
Google has sweetened its e-mail offerings by rolling out IMAP capabilities in all Gmail accounts, and for free. While casual users may not look twice, the addition makes Google's software-as-a-service much more attractive to businesses looking for easy e-mail solutions.

Read the article HERE.

Hands-on with Google's new stats-based translator
Google's translation service has changed from a rule-based one developed by humans to a statistical model generated by parsing multiple translations. We take a look at how often the statistics lie, and what other improvements Google brings to online translation.

Read the article HERE.

Google's OCRopus open-source scanning software
The first alpha version of Google Code's open-source OCRopus optical character recognition scanning software is out. We put it to the test to see how it handles an assortment of text samples.

Read the article HERE.

Google loses Facebook
It's official: Microsoft will take a $240 million equity stake in Facebook during its next round of financing, valuing the company at a whopping $15 billion. CNET News.com reported earlier today that Microsoft had beaten out Google in the high-stakes bidding war for the slice of tasty Facebook cake. The final deal resulted in a 1.6 percent stake in the social networking company, notably smaller than the five to ten percent that had been talked about in recent weeks.

Read the article HERE.

Wednesday, October 24, 2007

Attack of the PDFs

Less than 24 hours after Adobe shipped a fix for a gaping hole affecting its Reader and Acrobat software, PDF files rigged with malware are beginning to land in e-mail spam filters. The discovery of the active attacks has underlined the need for Windows users to immediately scan machines for vulnerable software.

Read the article HERE.

Device driver updates causing Vista to deactivate

After weeks of gruelling troubleshooting, I’ve finally had it confirmed by Microsoft Australia and USA - something as small as swapping the video card or updating a device driver can trigger a total Vista deactivation. How can this crazy situation occur? Read on for the sorry tale.

Read the article HERE.

What should you validate?

All user controlled input should be treated as malicious unless proven otherwise. There are three major categories you must validate to protect your web application.

Read the article HERE.

Identity thieves likely to be strangers

An analysis of identity-theft cases closed by the U.S. Secret Service in the past six years has found that identity thieves typically do not have a criminal record and are generally not known by their victims.

Read the article HERE.

Failure to encrypt proves costly

Careless use of Windows folders cost a Scottish student a lengthy prison stretch today, as an Edinburgh High Court Judge sentenced Mohammed Atif Siddique to eight years for possession of terrorism-related items. During his trial the jury had been told by Michael Dickson, a forensics analyst for the National Hi-Tech Crime Unit, that Siddique's laptop computer had contained material placed in a Windows folder where it would be difficult for an inexperienced user to find.

Siddique seems not to have encrypted the material. Read the article HERE.

Microsoft loves Linux

Microsoft has released some things it calls Virtual Machine Additions for Linux....But nonetheless, this smacks somewhat of the Vole getting desperate, as in, "Please, please keep Windows. You can run Linux under it."

Read the article HERE.

200,000 Notified of Lost Backup Tape

The state of West Virginia this week began notifying members of its insurance plans that their personal data may have been compromised through the loss of a system backup tape. The tape was lost when a third-party shipper discovered an empty package from the West Virginia Public Employees Insurance Agency. The package was bound for a Pennsylvania company that the agency uses for backup analysis. The agency believes the package came unglued in transit [as if we were looking for new ways to have our information stolen], and does not suspect theft.

Read the article HERE.

How Leopard Will Improve Your Security

With the release last week of the feature list for Mac OS X 10.5 Leopard, the security world is buzzing about some extremely important updates that should, if they work as expected, significantly improve Mac security and will make me less nervous about connecting to wireless networks in Internet cafes.

Read the article HERE.

Oops

Agnitum releases 2008 version of Outpost products

Agnitum has released Outpost Firewall Pro 2008 and Outpost Security Suite 2008, which now also run on Windows Vista. I have used Outpost from the beta stages up until a few weeks ago. Even though I use Opera as my primary browser, there are times that I need to use IE7. Since my last Outpost update this has become almost impossible [Internet Explorer Crashes wl_hook.dll message]. A few users have experienced other problems. Agnitum are aware of these issues but we are all still waiting for a repair. Even though I am entitled to free lifetime upgrades for this utility I would have no problem in dumping this firewall if it turned into a "Norton" [useless resource hog that does not perform].

Firefox 2.0.0.8 update to be updated
The 2.0.0.8 release fixed some 200 issues, but accidentally regressed a few things. Most users won’t see any difference or experience any problems, and those 200 fixes make the 2.0.0.8 update very valuable, but you should never have to choose functionality over security. So we’re working fast to understand and fix these problems, and will shortly be issuing a 2.0.0.9 update to address them.

Tuesday, October 23, 2007

Trojan.Netview: A dangerous trojan

With all the hoopla these days surrounding the "Storm Worm", our Research Team feels that there are some EXTREMELY DANGEROUS threats out there that are being overlooked. One such threat is Trojan.Netview. You may recall that it was observed being installed during the Bank of India hack.

One variant that we have recently found being distributed is actually detected quite well. Some appear to be general heuristic detections, but the malware itself is over one month old so most antivirus companies should be detecting it by now. It is interesting, however, that no attempts have been made to change its signature in order to defeat security software.

Read the article HERE.

Revolutionary technique to recover lost passwords

ElcomSoft has discovered and filed for a US patent on a breakthrough technology that will decrease the time that it takes to perform password recovery by a factor of up to 25. ElcomSoft has harnessed the combined power of a PC's Central Processing Unit and its video card's Graphics Processing Unit. The resulting hardware/software powerhouse will allow cryptology professionals to build affordable PCs that will work like supercomputers when recovering lost passwords.

Read the article HERE.

I Was a Hacker for the MPAA

Promises of Hollywood fame and fortune persuaded a young hacker to betray former associates in the BitTorrent scene to Tinseltown's anti-piracy lobby, according to the hacker. In an exclusive interview with Wired News, gun-for-hire hacker Robert Anderson tells for the first time how the Motion Picture Association of America promised him money and power if he provided confidential information on TorrentSpy, a popular BitTorrent search site.

Read the article HERE.

Hackvertor

This script converts different characters and helps with pen testing XSS filters. Use the placeholder tags to convert your characters e.g. {uni}alert{/uni} will convert alert into unicode.

Try it HERE.

Russian Web Hoster Says Critics Are Rogues

A reportedly rogue Russian web hoster accused of being home to the web's worst scams says it's clean, but that its vocal and well-respected critics are anything but. Anti-spam group Spamhaus won't follow its own rules and strongarms innocent ISPs into violating contracts, while Verisign's research arm pumps out security misinformation to justify its security contracts with its customers, the company charges.

Read the article HERE.

Cyber Security Bulletins: Release Date - Oct 22

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read this week's bulletin HERE.

News, Hints, Tips, Tricks & Tweaks

Read this week's articles at WXPNews HERE.

Monday, October 22, 2007

What’s Russian for ‘Hacker’?

The hackers go by names like ZOMBiE and the Hell Knights Crew, and they inhabit such a robust netherworld that Internet-security firms in places like Silicon Valley have had to acquire an expertise in Russian hacking culture half a world away. The security firms have not received much assistance from the Russian government, which seems to show little interest in a crackdown, as if officials privately take some pleasure in knowing that their compatriots are tormenting millions of people in the West.

Read the article HERE.

Storm Worm Now Just a Squall

The Storm Worm botnet has been shrinking steadily and is about 10 percent of its former size. Brandon Enright, a network security analyst at UC San Diego, has been tracking Storm since July and said that, despite the intense publicity that the network of infected computers has received, it's actually been shrinking steadily and is presently a shadow of its former self. On Saturday, he presented his findings at the Toorcon hacker conference in San Diego.

Read the article HERE.

Less AV detects it

32 AV scanners failed to detect the variant of Storm worm last week and earlier today. Note that only a few scanners detected it last week, while some others flagged it only as suspicious or probably infected.

Read the article HERE.

Solving the Keylogger Conundrum

Available in either software or hardware form, keyloggers record every stroke made on a keyboard, and compile the data gathered to reconstruct login details, PINs, encryption codes, mothers’ maiden names or any other form of security information. From there it is but a short journey to inviting vistas of identity theft, industrial espionage, blackmail, or simple credit card misappropriation.

Read the article HERE.

25 encryption tools

It is obvious that there are hundreds of very expensive programs that may help you stay safe on the internet, but to me it really makes no sense to overinvest in tools that are similar to those that are completely free.

Read the article HERE.

Sunday, October 21, 2007

Inside The Matrix for Mobiles

Talk about the ultimate iPhone hack. Mobile Complete, a software-services company, has pulled an iPhone to pieces and lashed it to a remote-controlled server. Every input and output on the dissected iPhone is electrically hooked up to the net, providing access to would-be iPhone programmers over the web.

Read the article HERE.

A Hacker's Holiday Shopping List

Malicious hackers and other assorted bad guys looking for new tools for plying their trade this upcoming holiday season will have plenty of toys and services to choose from. Servicing them is a growing underground market bristling with botnets, Trojans, rootkits, spyware and all sorts of shady services aimed at everybody from the humble do-it-yourself hacker to sophisticated, organized criminal gangs.

Read the article HERE.

Online poker cheating blamed on employee

Updated: In a case that illustrates the perils of online betting, a leading Internet poker site said Friday that a hacker exploited a security flaw to gain an insurmountable edge in high-stakes, no-limit Texas holdem tournaments — the ability to see his opponents’ hole cards.

Read the article HERE.

Steganography on the rise

Until recently, steganography, the stealth technique of hiding text or images within image files, has mostly been considered too complex -- and conspicuous -- to be much of a threat. But some forensics experts now worry that the bad guys are starting to use the tactic more frequently, especially in child pornography and identity theft trafficking.

Read the article HERE.

Are E-Mail Addresses Private Data?

A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in an ongoing series of targeted e-mail attacks against customers of several Salesforce.com business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation's largest payroll and tax services providers.

Read the article HERE.

Guide to By-Passing Internet Censorship

This guide is meant to introduce non-technical users to Internet censorship circumvention technologies, and help them choose which of them best suits their circumstances and needs.

Read the article [PDF] HERE.

Firefox 2.0.0.8

Mozilla on Friday released version 2.0.0.8 of its popular Firefox browser. The new release includes support for Apple's upcoming Mac OS X 10.5 operating system, Leopard. The new Firefox release also addresses several security flaws.

Read the article HERE.

Mac OS X Leopard

Will be released next week with 300+ new features.
See what they are HERE.
Apple has also released a [QuickTime] video of OS X 10.5 Leopard.

Guide to Mac/Windows Interoperability

You've got a household full of PCs and you've stopped yourself from getting a Mac because you don't want to deal with incompatibility headaches. Eight years ago that would've been understandable, but today Mac OS and Windows can work together in harmony on the same home network, sharing files and printers, mounting one another's drives and using the same equipment, like wireless routers and USB drives. If you're considering a mixed Mac/PC home or office, here's a primer on how the two systems inter-operate (and the few instances when they don't).

Read the article HERE.

Early Look: Microsoft Office Live Workspace

We have picked up a trio of screenshots of the forthcoming Office Live Workspace, which we're just thrilled beyond rational thought to share with you. Pre-registration for the beta version of Office Live Workspace opened at the beginning of October. Microsoft has positioned the service as an online complement to the desktop version of Microsoft Office.

Read the article HERE.

Windows gets a 'Mini-Me'

It's rare that anyone at Microsoft talks publicly about Windows 7, the next version of Windows. It's even rarer that anyone provides actual information about what might be inside the operating system, which is still in the planning stages. However, Microsoft has posted a video of a recent university lecture given by Distinguished Engineer Eric Traut in which he talks about, among other things, a new, slimmed down kernel known as MinWin that was created as part of the Windows 7 development process.

Read the article HERE.

Weekend Reading

Grossman: White Hat, Blue Belt
Jeremiah Grossman worries that Web security is nearing the breaking point. Web security expert Jeremiah Grossman talks Web security meltdown, the dangers of surfing – big waves and the Web – and Brazilian jiu-jitsu.

Take a look HERE.

==================================================================
The future of DVDs
The format wars have been raging for 18 months, but there's little sign regular consumers are picking sides. There is no guarantee either of these formats will still be viable 12 months from now, so it's unclear why the casual movie fan would consider investing in either side at all.

Take a look HERE.

==================================================================
Google hears our pleas: Urchin Software resurrected
The company is preparing a significant update to the standalone Urchin weblog analysis tool at the same time that it is also announcing improvements to Google Analytics, its "on demand" stats service. As previously discussed, Google Analytics is based on Urchin's "on demand" software, which Google acquired along with the company back in 2005. Urchin's other killer product, a log-based analysis tool, was essentially ignored, leaving many customers feeling abandoned (and not a little ripped off).

Read the article HERE.

==================================================================
Man accused of hacking into 911
A 19-year-old hacked into the county’s 911 system from his home and placed a false emergency call, prompting a fully armed response to the home of an unsuspecting couple that could have ended tragically. Other law enforcement agencies have seen similar breaches into their 911 systems as part of a trend picked up by computer hackers in the nation called "SWATting".

Take a look HERE.

==================================================================
Swearing at work is good for you
Allowing staff to swear at work can benefit them and their employers, according to researchers at the University of East Anglia. They identified the relevance and even importance of using non-conventional and sometimes uncivil language at work and how it may have a positive impact. The study found regular use of profanity to express and reinforce solidarity among staff, enabling them to express their feelings, such as frustration, and develop social relationships.

Take a look HERE.

==================================================================
Proposed Law Could Be a Cold Shower for YouPorn
YouPorn is the highest trafficked adult website in the world and boasts a higher Alexa rating than both CNN and Weather.com, reports Portfolio. But YouPorn and other blue Web 2.0 startups could be out of business in the near future if proposed changes to 18 U.S.C. 2257 are accepted into law.

Take a look HERE.

==================================================================
End of Paying for Information on the Net?
A series of recent business moves—including a September 19 decision by the New York Times to no longer collect a fee for online access to selected articles, Internet service provider AOL’s ongoing push to garner revenue from advertising instead of subscription fees, and musings by Wall Street Journal owner Rupert Murdoch about eliminating charges for its online edition—appear to have upended a favorite saying of economists: TANSTAAFL, or There Ain’t No such Thing As A Free Lunch. But some faculty at Emory University and its Goizueta Business School say the role of advertising, Internet-related technologies, and the free market will eventually settle the issue of who pays for what over the Internet.

Take a look HERE.

==================================================================
Virtual security and digital panic
Despite news of high-profile attacks and security loopholes, many within Central and Eastern Europe are still woefully unaware of the many security and privacy issues facing them, foremost because most don't devote enough time to familiarizing themselves with such issues. Others, meanwhile, realize that security and privacy issues are important but have still not realized the full extent of the dangers they face. At a press conference held during the ITBN, representatives of Cisco, McAfee, ICON and Symantec revealed that small firms spend only between 30-60% of what large firms spend on data and network security.

Read the article HERE.

==================================================================
The FBI - Capabilities and Service
Take a moment to review the list of FBI priorities. What you see might surprise you. Top on the list is terrorism, intelligence threats, etc. The FBI mission has changed in recent years. The FBI does not typically investigate fraud until it hits the $150,000 mark. In the near future, the threshold may be extended to $500,000 due to resource constraints.

Read the article HERE.

==================================================================
On the Trail of Digital Secrets
After 31 years of eluding the police, the B.T.K. serial killer of Wichita, Kan., was tracked down and convicted in 2005 with the help of information left behind on a computer floppy disk. Scott Peterson’s conviction for murdering his pregnant wife, Laci, relied in part on his Internet research about the tides and water currents in the area where her body later turned up.

Read the article HERE.

==================================================================
Web exploits – from problem to solution
This article discusses the problem of web exploits and the dangers associated with them. Additionally, it details the necessary steps users should take to minimize their exposure to the risks posed by exploits.

Read the article HERE.

Saturday, October 20, 2007

Alternative browser users in trouble

There's bad news for users of alternative browsers this Friday, with both Opera and Firefox subject to security vulnerabilities. Secunia has a useful summary of the various flaws for both Opera and Firefox.

Read the article HERE.

RealPlayer zero-day flaw under attack

Hackers are actively exploiting a zero-day hole in RealNetworks’ RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide. The in-the-wild attacks target a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft’s Internet Explorer browser.

Read the article HERE.

Wi-fi security system is 'broken'

More holes have been picked in the security measure designed to protect the privacy and data of wi-fi users. The latest attack lets criminals defeat firewalls and spy on where someone goes and what they do online. It comes after a series of other attacks that, experts say, have left the basic protection in wi-fi comprehensively "broken".

Read the article HERE.

Trojan pickpockets eBay users

The Trojan installs a scaled-down webserver on an infected machine that masquerades as eBay and several third-party destinations frequently used to sniff out fraudulent offerings, including Carfax.com, Autocheck.com and Escrow.com.

Read the article HERE.

Web 2.0 Summit

The fourth edition of Web 2.0 Summit was held in San Francisco from 17-19 October.
View the presentation files HERE.

eCrime Researchers Summit 2007

Some informative papers covering various aspects of analyzing and protecting against phishing attacks were made available at the beginning of this month, courtesy of this year's APWG eCrime Researchers Summit:

Read the article HERE.

NZ brewery offers beer for laptop

The BBC reports that a New Zealand brewery is reportedly offering a lifetime supply of beer for the return of a stolen laptop. Local media said the laptop was stolen from the Croucher Brewing Company in the central North Island city of Rotorua earlier this week.

Owners were desperate to retrieve the computer containing designs, contact details and financial information, the Rotorua Daily Post said. They have offered free beer to anyone giving clues leading to its recovery. Co-owner Paul Croucher said the company would provide a lifetime supply of about 12 bottles a month to anyone who could name the thief.

The company has back-up copies of the material stored on the laptop but these are not up to date, the newspaper said.

Friday, October 19, 2007

Unofficial patch needs a patch

In a somewhat shame-faced posting to Full Disclosure, KJK::Hyperion reports a bug in his original unofficial patch for the URI vulnerability, for which Microsoft finally accepted responsibility a week ago.

Read the article HERE.

All-in-One Malware Target

Opinion: Let's film people making Skype calls through MySpace IM and upload them to YouTube, and then maybe sell the clips on eBay and get paid with PayPal.

Read the article HERE.

No Breach, No Foul

If you find a new security vulnerability on your Website, do you have to fix it? Not necessarily. As long as the vulnerability isn't detected in a compliance audit scan, or doesn't get exploited by an attacker, a business could theoretically just sit on a Website bug -- either for cost reasons, a lack of resources, or ignorance of its implications, security experts said this week.

Read the article HERE.

Secure USB flash drive self-destructs

IronKey recently launched Enterprise Special Edition of their secure flash drive designed for use on sensitive government, military and enterprise networks. The IronKey: Enterprise Special Edition has been designed to be the world's most secure USB flash drive, using onboard hardware encryption to protect the gigabytes of files that can be stored on the device. No software or drivers need to be installed on your computer to use an IronKey. A password is used to unlock your IronKey, and this is verified in hardware. If an IronKey is lost or stolen, attempts to unlock or tamper with the IronKey will trigger a self-destruct sequence, ensuring data is kept confidential.

Read the article HERE.

Seagate adds encryption to all drives

Seagate is to build automatic encryption into all its enterprise hard drives, the company announced at Storage Expo 2007 in London. All enterprise drives will be fitted with Seagate's Full Disk Encryption (FDE) as standard.

Read the article HERE.

Thursday, October 18, 2007

Myth vs. reality: wireless SSIDs

Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure. Folks, there are fundamental differences between names, which are public claims of identities, and authenticators, which are secrets used to prove identities.

Read the article HERE.

Rogue Access Points: Back doors into your Network
Let's say that an employee in your company gets a new laptop. He's excited about the laptop's WiFi capabilities, but the company he works for doesn't have wireless capabilities. What does he do?

Read the article HERE.

Opera v9.24

This release is a recommended security upgrade.
Read more [and download] HERE.

Browsers and SSL Support

EV-SSL is a good thing, but it's more important to know when something's wrong than when it's right. Web browsers are such an important and, by now, mature application, you'd think they'd have error messages down. But in fact they're pretty bad at them. Even routine errors like mistyped addresses present messages that are confusing to novices. The Web is simple when everything works right. Of course, it doesn't always work out that way.

Read the article HERE.

Wolves in IT Administrators' Clothing?

There have been numerous studies that illustrate, in some detail, that even non-disgruntled IT administrators frequently abuse their access privileges to access unauthorized files, emails, and even personnel records. If you thought you could trust your IT security team with broad systems access and shared administrative passwords, think again.

Read the article HERE.

The Disillusionment of Network Security

I am frequently asked, "Will our networks ever be secure and safe for all to use?" My simple answer is: No. We will never be able to achieve total network security. I tend to use real "doors" as an analogy to make my point. Doors have been built and refined for thousands of years. Nevertheless, burglaries occur daily, even though we know how to build safe, burglar-proof doors. With the growth of the Internet, and its increasing importance for commerce, we have to keep in mind what is a reasonable means to achieve sufficient security. Absolute security should not be the goal.

Read the article HERE.

Serial-number free install of XP

PLUS: what's in XP SP 3
After four years in the making, Windows XP Service Pack 3 is almost ready for release. We've taken an in-depth look at it -- and one aspect of it jumps out as being particularly interesting: the ability to install XP without a serial number.

Read the article HERE.

Your online Identity supplier

This is an online fake-document shop. Here's the price list, plus an additional $500 is required to put the person's name into the government database so that the passport checks out online as well.

Read the article HERE.

Wednesday, October 17, 2007

Are the bank robbers winning?

Financial services is the sector that spends most heavily on IT, often taking on the role of new technology pioneer, but it is also the one where information security is under the greatest pressure. Phishers and hackers put plenty of energy into scams to defraud the banks’ customers and siphon off the money in their accounts.

Read the article HERE.

Bypass any firewall or throttling ISP with SSH

On some networks it’s impossible to use BitTorrent. For example, if you’re at work, school, or connected to Comcast or a public hotspot. But there’s an easy solution to overcome this problem. By using a secure connection (SSH), you can bypass almost every firewall or traffic shaping application.

Read the article HERE.

Ubuntu 7.10 Linux Desktop launch

Canonical, Ubuntu Linux distribution’s commercial sponsor, has announced that the release version of Ubuntu 7.10 Desktop Edition will launch October 18.

Read the article HERE.

A Look at Ubuntu 7.10 "Gutsy Gibbon" RC1
Experienced Ubuntu users know what to expect from this Thursday's release of Gutsy Gibbon, the love-it-or-hate-it code name for version 7.10 of the popular Linux distribution. It's not a major "Long Term Support" release, it's not a radical re-thinking of the system, but it is another step toward a Linux system that "just works."

Screenshot tour HERE.

The Russian Business Network Responds

An individual claiming to represent the Russian Business Network has denied media reports (including a Washington Post story I wrote that ran last week) the company provides Web hosting services to numerous cyber criminal operations.

Read the article HERE.

Spam reaches all-time high of 95%

Commtouch released its [PDF] Email Threats Trend Report for the third quarter of 2007, based on the automated analysis of billions of email messages weekly. The report examines the appearance of new kinds of attachment spam such as PDF spam and Excel spam together with the decline of image spam, as well as the growing threat of innocent appearing spam containing links to malicious web sites.

Read the article HERE.

Call for beta testers

Sunbelt Network Security Inspector
Sunbelt Software is putting a call out for beta testers for the new version of their network security tool, Sunbelt Network Security Inspector (this is a tool for network security analysis, not for home/consumer use — think of tools like Nessus, etc.). If you’re involved in network security, they invite you to beta test this new release. Simply send an email to beta(at)sunbelt-software.com, with the subject “SNSI 2.0 BETA”.

Responding to Mobile Security Issues

Below I've provided a set of bulleted points to consider, covering each of the four types of organization involved in the ecosystem of cellular handset security. These are designed to improve security and relationships with researchers, while also preparing to be able to respond to security vulnerabilities in the future.

Read the article HERE.

The DMZ's not dead

When the "Exchange Ranger" came for a visit at a client site, his advice set the ball rolling for a much-needed upgrade from Exchange Server 2000. But when it came time to plan out the details, the network guys balked. Buried in the proposal was a recommendation to open a wide swath of internal firewall ports between e-mail services and the message store, essentially collapsing the inner network security barriers. The consultant's explanation? "The DMZ is dead."

Read the article HERE.

Microsoft Speaks

Lessons Learned from Five Years of Building More Secure Software
Security is not a static field—it constantly evolves as attackers attack, defenders defend, and each party learns more about the other's techniques. Security is an arms race. To stay ahead and anticipate the attackers, we the defenders must learn from our mistakes and create better ways to secure users from being compromised.

So what have we learned in the past five years? Most of these lessons are actually quite obvious, but like so many apparent things, sometimes it helps to have someone point them out.

Read the article HERE.

The Age of Software-Powered Communications
In an e-mail to customers, Bill Gates outlines his vision for how software-powered communications technologies will eliminate the boundaries between the various modes of communications we use throughout the day and provide the catalyst for the convergence of voice, video, text, and information.

Read the article HERE.

Tuesday, October 16, 2007

iPhone News

iPhone Security Researcher Unleashes Exploit
H.D. Moore has released instructions on writing a critical exploit that leverages a bug in how Apple's iPhone handles TIFF image files and, to enable the writing of exploits, has put out a new version of his Weasel debugger that can handle the peculiarities of the phone's ARM processors. At this point, the exploit can only take over phones that have been tinkered with, but Moore is promising to post instructions on how to exploit unmodified iPhones soon.

Read the article HERE.

iPhone's hazardous chemicals
Scientific tests, arranged by Greenpeace, reveal that Apple's iPhone contains hazardous chemicals. The tests uncovered two types of hazardous substances, some of which have already been eliminated by other mobile phone makers.

Take a look HERE.

Pirates take over anti-piracy website

IFPI.com, the domain that used to belong to The International Federation of the Phonographic Industry or (IFPI) - an infamous anti-piracy organization - is mysteriously transferred to The Pirate Bay. The Pirate Bay team says it will use the domain to host the newly founded International Federation of Pirate Interests.

Read the article HERE.

Update Vista and Office offline

Offline Update is currently the only solution available that provides owners of Windows PCs on a slow internet connection with the latest updates. Until recently, many users were able to download "update packs" that bundled the Microsoft updates in installation packets from a website operating under the name of Autopatcher, but the download site was taken down after Microsoft issued a warning to the project developers. The zip archive provided by Offline Update, however, does not contain any Microsoft code.

Read the article HERE.

Information security on the cheap

In various technology budget surveys information security is always top of the list. But how do you really do it cheaply to save a few bucks. This topic is a big one. While no CIO will admit he’s trying to secure IT on the cheap chances are good that budgets matter. With that in mind, here are some security tips that won’t cost you much.

Read the article HERE.

Researcher posts unofficial patch for Windows bug

A researcher beat Microsoft Corp. to the patch punch yesterday by publishing an unofficial fix for a critical flaw in Windows XP and Server 2003 on PCs with Internet Explorer 7. KJK::Hyperion, a.k.a. "Hackbunny," a researcher believed to live in Italy, posted a link to the 16KB patch on both his Web site and the Full Disclosure security mailing list Sunday. KJK’s patch, dubbed "ShellExecuteFiasco," blocks the execution of malformed URLs and forces normalization of valid URLs. URL normalization, which can include tasks such as changing a URL to all-lowercase and stripping out the "www" part of the address, is a technique used by search engines to reduce indexing of duplicate pages.
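The normalization the article describes, carried out in a small Python routine that also refuses structurally bad URLs instead of trying to repair them. This is an added example written for this post; it is not the ShellExecuteFiasco patch, nor Microsoft's code. The lower-casing and "www" stripping come from the article; the remaining rules (accepting only http and https, rejecting control characters, user-info and unparseable ports, dropping the default port and the fragment) are assumptions about what a defensive pre-execution filter should do, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Schemes this normalizer is willing to pass through (an assumption, not from the article).
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class MalformedURL(ValueError):
    """Raised for a URL that fails structural validation and must not be handed on."""


def normalize_url(url: str) -> str:
    """Validate an http(s) URL and return its canonical form.

    Canonical form: lower-case scheme and host, leading "www." removed,
    default port dropped, empty path replaced by "/", fragment removed.
    Anything structurally suspicious raises MalformedURL rather than being
    silently "fixed up", which is the safer behaviour for a filter that runs
    before a URL is acted on.
    """
    # Control characters and whitespace are never valid inside a URL, and
    # different parsers disagree on how to treat them, so refuse instead of guessing.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        raise MalformedURL("control character or whitespace in URL")

    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        raise MalformedURL(f"unparseable URL: {exc}") from exc

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise MalformedURL(f"unsupported scheme: {parts.scheme!r}")

    # "user:pass@host" is commonly abused to make the part before "@" look like the
    # real host, so a defensive normalizer refuses user-info outright (assumption).
    if parts.username is not None or parts.password is not None:
        raise MalformedURL("user-info in URL is not allowed")

    host = (parts.hostname or "").lower()   # hostname is already lower-cased by urlsplit
    if not host:
        raise MalformedURL("missing host")
    if host.startswith("www."):
        host = host[len("www."):]
    if ":" in host:                          # IPv6 literal: hostname strips the brackets
        host = f"[{host}]"

    netloc = host
    if port is not None and port != DEFAULT_PORTS[scheme]:
        netloc = f"{host}:{port}"

    path = parts.path or "/"
    # The fragment is client-side only and never reaches the server, so it is dropped.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def is_acceptable(url: str) -> bool:
    """True if the URL survives validation, False if it would be blocked."""
    try:
        normalize_url(url)
        return True
    except MalformedURL:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two that normalize, two that get blocked.
    for sample in ("HTTP://WWW.Example.COM:80", "https://Example.com/Path?b=2#frag",
                   "http://user@example.com/", "http://example.com:notaport/"):
        try:
            print(f"{sample!r:45} -> {normalize_url(sample)}")
        except MalformedURL as err:
            print(f"{sample!r:45} -> BLOCKED ({err})")
```

Note that this canonicalizes only the parts the article names plus the port and fragment; it deliberately leaves percent-encoding and dot-segment handling to the consumer of the URL, because "helpfully" decoding those before a security check is a common way to make two components disagree about what the URL means.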

Read the article HERE.

Cyber Security Bulletins: Release Date - Oct 15

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read this week's bulletin HERE.

News, Hints, Tips, Tricks & Tweaks

Read this week's articles at WXPNews HERE.

BrowserFry Preview

I decided to launch a preview of my new project BrowserFry. It is in early development stages, but I thought it would be a good idea to show you a little preview of what it does. Currently it has a small set of features that allow you to quickly generate scripts or code in order to exploit browsers. Fuzzing will be a next phase, as well as general browser tests that I'm working on. Its full release will probably be somewhere in the next month.

Read the article HERE.

Monday, October 15, 2007

Passwords on the loose

An unknown group has caused quite a hassle by publicly posting information about tens of thousands of user accounts.

Read the article HERE.

Are strong web passwords a waste of time?
Researchers at Microsoft and Polytechnic University suggest strong passwords for online accounts are a waste of time. Their argument is that phishing and keylogging are the real threats to your password. Strength only helps against brute force, and any website with a lockout policy should be safe against that.

Read the [PDF] article HERE.

Google News

Google tops charts in global search
Google topped global search charts in August, but search engines in China and South Korea are challenging the search company in their own countries, according to Internet research firm comScore Inc. This was the first time comScore evaluated online search activities on a worldwide basis, the company said in a statement.

According to comScore, more than 750 million people 15 years old or older, or about 95% of the Internet audience around the world, performed 61 billion searches in August. That's an average of 80 searches per user, comScore said.

According to the study, in the Asia-Pacific region, which includes China, Japan and India, 258 million users performed 20.3 billion searches, while in Europe, 210 million users performed 18 billion searches, and in North America, 206 million users performed 16 billion searches. In the Middle East and Africa, which ranked at the bottom of the pack, 30 million people conducted 2 billion searches, comScore said.

Read the article HERE.

Check out Google's latest ideas
Google is always experimenting with new features aimed at improving the search experience. Take one for a spin and let us know what you think. New! Join an experiment and you'll see that feature whenever you do a Google search. Note that you can only join ONE experiment.

Read more HERE.

Discover the .EDU Underground
Little appreciated outside the world of academia, there are literally thousands of .edu (AU - or edu.au, of course) sites bursting with incredibly useful and interesting information and resources. Most of these sites won't pop up to the surface of the average search engine quest, and so they wait, neglected and underused...until now. Keep reading for a quick tour through the mysterious underground world of .edu

Read the article HERE.

iGoogle meets Desktop gadgets
Google Desktop now lets you run Desktop gadgets on your iGoogle homepage. And that means you can check your wireless signal, grow a beautiful plant, or play music right from iGoogle.

Read more HERE.

Google Friends
If you are a user of any Google product this monthly newsletter should be on your list.

Read the newsletter HERE.

Software

Net Tools 5.0.70
There are numerous choices when it comes to picking security software for network monitoring. Most of the time, you’d have to pay for these applications. What if I told you that you could get a truckload of security and monitoring tools for free?

Net Tools 5.0.70 is the swiss army knife of security and network monitoring utilities for your local area network or the internet. System administrators will love the application’s network scanning, security, file, system, network diagnostics, and extra features included.

Read more HERE.

mRemote
Connect to and manage multiple remote desktop connections — supporting RDP, VNC, SSH2, and Telnet protocols — in a friendly tabbed interface with free, open source application mRemote. While you could run multiple instances of the Windows Remote Desktop application along with your other remote connections, mRemote allows you to connect to and manage them all from one place without cluttering up your taskbar or running several different applications. Whether you're controlling your home computer on-the-go with VNC, you prefer Windows Remote Desktop connections (RDP), or you regularly use an SSH2 or even Telnet connections, mRemote is the perfect tool to manage and connect to them all.

Source: Lifehacker

Inguma - A free Penetration Testing Toolkit
Inguma Version 0.0.4 has been released and is available for download. Inguma is a free penetration testing and vulnerability discovery toolkit written entirely in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute-force usernames and passwords, and run exploits, plus a disassembler.

Read the article HERE.

Auto Reboot Remover
This program enables or disables the automatic reboot 'feature' of Windows XP SP2 after an update has been installed. It saves you from losing important work when you walk away from your computer at the wrong time and XP decides it is going to close everything without saving.

Visit the website for this, and many other interesting programmes, HERE.

Mojopac Freedom [Only works with Windows XP, Vista version is being tested]

MojoPac is a technology that transforms your iPod or USB Hard Drive or Flash drive into a portable and private PC. Just install MojoPac on any USB 2.0 compliant storage device, upload your applications and files, modify your user settings and environment preferences, and take it with you everywhere.

Mojopac Video Demonstration HERE or Visit the website HERE.

Sunday, October 14, 2007

Mapping the Russian Business Network

The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites.

Read the article HERE.

F-Secure: User education no security solution

Education is not a viable solution for preventing security issues, according to Patrik Runald, F-Secure's senior security specialist. Runald said systems are often compromised in spite of the user practising safe computing.

Read the article HERE.

Chinese internet censorship machine revealed

The Chinese government has instituted an elaborate system for Internet censorship that employs tens of thousands of censors and police responsible for maintaining control over the flow of information, a report released by international free press advocates showed.

Read the article HERE.

First Line of Defense for Web Apps – Part 1

Would you let a stranger in your home? Probably not, unless he’s been thoroughly vetted and screened. But developers often let strange users inject data into their application without any sort of checking.

Read the article HERE.

Roaming Authentication - Episode #113

In this first of a two-part series, Leo and I discuss my recent design of a secure roaming authentication solution for GRC's employees. I begin to describe the lightweight super-secure system I designed where even an attacker with "perfect knowledge" of an employee's logon will be unable to gain access to protected resources.

Read [or listen to] the article HERE.

Inside the Microsoft Security Response Center

Watch the video HERE.

Weekend Reading

ID thieves offer free translation
As cyber crime goes mainstream, a working knowledge of English is no longer a required skill for identity thieves trafficking in stolen credit card numbers and other personal data. Just ask Matthew Miller, a pharmacist from Pennsylvania, who recently learned miscreants had translated some of his personal details into French before blasting them out to a discussion group frequented by online con artists.

Take a look HERE.


==================================================================
Hackers to cause traffic chaos

Starting in 2009, police may be able to stop vehicles in their tracks with a simple phone call. The technology would come as part of something that most of us are already familiar with: General Motors' OnStar system. GM and OnStar demoed a prototype today of the new feature, called Stolen Vehicle Slowdown, which will be targeted at... well, stolen vehicles on the road.

Take a look HERE.


==================================================================
Government web sites invaded by smut and spyware
A slew of government organisations and corporations are unwittingly helping hackers promote porn sites. Targets as diverse as the Marin County Transportation Authority website in California and the Bank of Ghana have been unwittingly playing host to code that redirects surfers to smut as a result of insecure systems.

Take a look HERE.


==================================================================
Audio forensics experts reveal (some) secrets
Typically, audio forensic examiners are asked to authenticate recordings presented as evidence in criminal and civil court cases, such as undercover surveillance tapes made by the police, recordings presented by feuding parties in a divorce, or tapes from corporations seeking to prove employee wrongdoing or industrial espionage.

Some audio forensic examiners go to extraordinary lengths to validate recordings.

Take a look HERE.


==================================================================
Building Honeypots for Industrial Networks

Objectives : The short-term goal of the project is to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures. We plan to document the requirements and release proof of concept code (in the form of honeyd scripts) so that a single Linux host can simulate multiple industrial devices and complex network topologies.

Take a look HERE.


==================================================================
Of hackers and ego
The world of computer security can often be a strange and compelling one. Many outsiders, or those with little knowledge of computers, just don’t understand the whole uproar over various issues, such as whether Microsoft Vista is more secure than Linux or Mac. It’s all moot as far as the general population is concerned. But, for those of us who work in the industry, it is just more grist for the mill.

Take a look HERE.


==================================================================
More localized malware
Relative to the country’s size, it’s rather surprising that South Australia (SA) is ranked 26th in the world with regard to the amount of command-and-control servers it hosts. This fact is surely concerning, for it shows that SA is either extensively used by overseas attackers, or there has been an obvious increase in local bot masters.

[I did not realise that I lived in a crime capital] Take a look HERE.


==================================================================
Security: whacking hackers
In a single case this summer, an attack by hackers disabled a reported 1,500 Pentagon computers. And the siege is continuing. The Defense Department detects 3 million unauthorized "scans"—or attempts by would-be intruders to access official networks—on its computers every day, according to a Pentagon spokesman. Now the Bush administration, worried particularly about computer attacks from China, is aiming to beef up American defenses. According to officials in the cybersecurity industry, who like several sources quoted in this article did not want to be named discussing confidential programs, the White House is quietly preparing a major "cyberdefense" initiative to be announced later this year.

Read the article HERE.


==================================================================
What it's Like to Switch to Ubuntu
When Dell first announced that it would offer Ubuntu--a free open-source, Linux-based operating system--on select notebooks, millions of tech-heads unleashed victory cries. Linux, the longtime OS of choice for the hardcore techie, was poised to go mainstream. Finally, a larger worldwide audience would experience Linux and the "it just works" nature of Ubuntu, but we at LAPTOP had to ask: Is Ubuntu ready for the world?

Read the article HERE.

==================================================================
Internet gets first full census for 25 years
An electronic census of the internet's 2.8 billion addresses has been completed by US researchers. It is the first attempt to contact every web address since 1982 – the results could help tackle the problem of the supply of unique internet addresses running out.

Take a look HERE.