Friday, November 30, 2007

Treacherous malware: the story of Advatrix

While there are many lessons to learn from this malware, I would like to stress out one really important thing: when a machine gets infected, your only option is to reinstall it from scratch. With today’s malware phoning home and installing stealth, updated modules, this is really a no brainer.

Read the article HERE.

Whole disk encryption is a good idea

Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. And in many cases the attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.

Cryptography is an exception. As long as you don't write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.

Read the article HERE.

Reported malfunction in PayPal Security Key

When eBay rolled out the PayPal Security Key earlier this year, its executives hailed it as an important measure that would make users more secure. And it was. But according to Chris Romero, an IT administrator who has used the Security Key for several months now, a bug could allow phishers and others with bad intent to work around the measure.

Read the article HERE.

Yahoo! and! Adobe! sign! ad-packed! PDF! pact!

Yahoo and Adobe unveiled a plan today to serve contextual ads within PDF files - one of the last bastions of (mostly) ad-free space on the internet. [But as you already know, I use the Foxit Reader which is free, faster, and unbloated at only 2Mb]

Read the article HERE.

TechNet Magazine - December 2007

Communications - Security - Networking
Read the magazine HERE.

Thursday, November 29, 2007

'Friendly rootkits' for secure Web shopping?

Secure Socket Layer (SSL) certificates have made e-commerce more secure, according to VeriSign, but a US security researcher reckons benevolent rootkits served by the retailer might do a better job. SSL certificates are issued to merchants by Certificate Authorities to indicate to the consumer it is a legitimate business. The rootkit which Dan Geer, VP and chief scientist at security company Verdasys, has proposed would take over the security function of a customer during a transaction by placing it within the merchant's trusted environment.

Read the article HERE.

High speed password cracking

The Sony PlayStation 3 gaming console has been used to generate high speed MD5 hashes by a New Zealand security consultant. He claimed a rate of over 1.4 billion iterations per second in a presentation at the Kiwicon conference in Auckland. The researcher attributes this performance to both the parallelism available from the multi-core processor and the simplicity of the processor architecture.

Read the article HERE.

Preventing NAC Attacks

A Trusted Computing Group investigation has shown that Network Access Control (NAC) technology is vulnerable to a condition called the “lying endpoint problem.” If an endpoint becomes infected by a virus or other malware, the infection may cause the machine to lie about its health status. As a result, infected machines can then gain access to the network and infect other machines. With over 40,000,000 infected machines and more than 35,000 malware varieties, allowing network access to a lying endpoint should be a major concern to everyone involved in network security.

Read the article HERE.

Picking a good security consultant

During the ITEC MasterMinds Security Panel in Philadelphia, an attendee asked a great question. "Since I give these people the keys to my entire business, how do I pick a good security consultant?"

Read the article HERE.

Public Key Servers

Having previously played around with Seahorse (basically a gnome GUI application that sits over the top of GnuPG), I pondered what the point of generating my private and public keys were if nobody out there could independently obtain my public key for sending me messages.

Read the article HERE.

Web user sentenced for killing rival

And to finish off today, which is a very quiet news day, here is a story of how wonderful this thing they call the Internet is. A 48-year-old man entangled in an Internet love triangle built largely on lies was sentenced Tuesday to 20 years in prison for killing his rival for the affection of a woman he had never met. Thomas Montgomery, who posed as an 18-year-old Marine in online chats, pleaded guilty in August to gunning down Brian Barrett, 22, in a parking lot at the suburban Buffalo factory where they worked. The motive was jealousy, investigators said. Both were involved online with a middle-aged West Virginia mother -- who herself was posing as an 18-year-old student.

Wednesday, November 28, 2007

Comodo Firewall Pro version 3 a disaster

The long-awaited Comodo Firewall Pro version 3 was officially released on November 20. And it is a total flop. Even though it had problems during beta testing, it was released prematurely before everything was fixed, and is receiving scathing reviews everywhere. The Comodo support forums have also registered many complaints with most users opting to revert back to the excellent 2.4 version. I'm sure you will hear more once the mainstream media picks up on it.

Idiots and apps dominate threat index

Cyber criminals and spies have shifted their focus of attack in response to improved security defences. Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built applications, according to the latest annual threat landscape report by the SANS Institute.

Read the article HERE.

Advanced SSH configuration and tunneling

This article will show a pragmatic implementation of SSH port forwarding by demonstrating how to use configuration files and conditional statements to create permanent, yet dynamic, SSH configurations for your home, office, and any virtual machines you may have on your systems.

Read the article HERE.

Pay Up, Or The Computer Gets It!

Ok, having been doing this stuff for a while I’ve seen a fair amount of questionable practices. It takes something pretty unique to get my goat (antivirus researcher pun intended) at this point. That said, what I found Micro Bill Systems doing had my jaw hitting the desk.

Read the article HERE.

Searching Video Lectures

Researchers at MIT have released a video and audio search tool that solves one of the most challenging problems in the field: how to break up a lengthy academic lecture into manageable chunks, pinpoint the location of keywords, and direct the user to them. Announced last month, the MIT Lecture Browser website gives the general public detailed access to more than 200 lectures publicly available though the university's OpenCourseWare initiative. The search engine leverages decades' worth of speech-recognition research at MIT and other institutions to convert audio into text and make it searchable.

Read the article HERE.

Microsoft sued over "Windows Vista Capable"

[Will there ever be a day when MS does not make the news] The problem, from the plaintiffs' perspective, is that Windows Vista Capable meant only that the machines had the ability to run Windows Vista Home Basic. This, the most basic version of Vista, doesn't support the Aero interface or plenty of other desirable goodies, and the plaintiffs claim that Home Basic "is not the 'real' Vista marketed by Microsoft." The entire OS version was little more than a "gimmick" that kept sales of XP-equipped laptops strong in the holiday season before Vista's launch.

Read the article HERE.

Ten things holding back technology

The pace of change in IT has never been faster — or has it? After 25 years of desktop computing and 15 years of the commercial internet, there are still plenty of frustrations, pains and throwbacks in our everyday technology experience. It's great having a terabyte hard disk, but not so great trying to manage it using interfaces and tools that have barely changed from the days when 40MB was respectable.

Read the article HERE.

MSDN Magazine Contents: December 2007

This month's top story shows you how to build an interactive application that maps demographic data. The magic is performed using Windows Presentation Foundation data-binding capabilities along with LINQ and new XML features in Visual Basic. John Papa picks up the WPF data-binding story as well.

Read the magazine HERE.

Tuesday, November 27, 2007

Microsoft 'serious' Windows flaw

Microsoft bug squashers are investigating reports of a serious security vulnerability in Windows operating systems that could allow attackers to take control of vast numbers of machines, particularly those located off US shores.

Read the article HERE.

GnuPG Shell

All of us like safety. The safety of our confidential information is always a special concern. It's always a good feeling when you know that everything is secure. With that said, information protection is a necessity and can be useful to companies and individuals who care about the confidentiality of their intellectual property. People who want their e-mails kept confidential and their e-mail attachments readable only to the intended recipient can appreciate information protection.

Read the article HERE.

Useful security and privacy for IM

Instant messaging (IM) is an increasingly popular mode of communication on the Internet. Although it is used for personal and private conversations, it is not at all a private medium. Not only are all of the messages unencrypted and unauthenticated, but they are all routedthrough a central server, forming a convenient interception point for an attacker. Users would benefit from being able to have truly private conversations over IM, combining the features of encryption, authentication, deniability, and forward secrecy, while working within their existing IM infrastructure.

In this talk, I will discuss "Off-the-Record Messaging" (OTR), a widely used software tool for secure and private instant messaging. I will outline the properties of Useful Security and Privacy Technologies that motivated OTR's design, compare it to other IM security mechanisms, and talk about its ongoing development directions.

Watch the video HERE.

Pirate Bay laughs off three-pronged legal assault

The Pirate Bay faces three separate legal challenges this holiday season, though site administrators tell Ars that they're not worried by any of the pending cases. A Swedish prosecutor wants to take down the site, though, and Prince has set his lawyers on the same task. We spoke with The Pirate Bay about what's in store for them in the new year.

Read the article HERE.

Privacy: What are we telling the kids?

While I understand the frustration of artists and performers whose recorded works are taken and distributed without consent or compensation, the MPAA and RIAA seem to be doing as much for the rights of those artists as the media consumers -- that is to say, not much. In fact, there's every indication that these trade federations are doing a whole lot more harm than good, ensuring short-term profits for their members at the expense of both their own longevity and the U.S. legal system as it concerns intellectual works.

Read the article HERE.

Cyber Security Bulletins: Release Date - Nov 26

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read this weeks bulletin HERE.

News, Hints, Tips, Tricks & Tweaks

Read this weeks articles at WXPNews HERE.

Monday, November 26, 2007

QuickTime - Remote hacker automatic control

A vulnerability exists in versions 7.2 and 7.3 of QuickTime (and possibly earlier versions) where the RSTP response can be manipulated to result in arbitrary code execution on a vulnerable system (despite attempts at filtering unwanted characters).

Read the article HERE.

Get Windows XP SP3 Through Windows Update

Well If you have read my previous Hack Attack on How you can download Windows Vista SP1 through a Hack and it worked for you then here is another Hack that will allow you to download Windows XP SP3 RC1 directly from Microsoft. Please note this hack is the exact way Microsoft expects its beta testers to try Windows XP SP3 out, so you don’t have to worry too much about Microsoft catching hold of you.

Read the article HERE.

Running queries on the HMRC database fiasco

When it comes to talking about last week's data loss by the HMRC, I was told not to use precious words outlining my feelings of rage and bafflement that a government body can be so cavalier with so much data because, presumably, we all feel the same. So I will simply note, for the record, that my gob has been totally smacked by this debacle. What I will do is to take a look at the technical elements of this case from the database/data perspective.

Read the article HERE.

Gadget Security

Last week I got my xmas gift. A Eeepc. Basically, it is a small laptop (7'' screen), running a linux version, called XandrOS, with a quite user-friendly interface, mostly for internet applications. Well, it is quite good, and I am really liking it, but, of course, I had to try its security. Fortunately it allows you to get a console, which allows you to instantly get a root access, by issuing 'sudo bash'. Well, this is not good, since if anyone can get it, it can change the root password, maybe letting you with the unique alternative, restoring the system. So changing the config to ask for password is a ‘must do’, imho...:) But let’s go to interesting stuff. I was curious to see which ports were open using nmap from a remote host on it.

Read the article HERE.

A cryptographic hash function reading guide

After a few years of spectacular advances in breaking cryptographic hash function NIST has announced a competition to determine the next Secure Hash Algorithm, SHA-3. SHA-0 is considered broken, SHA-1 is still secure but no one knows for how long, and the SHA-2 family are desperately slow. (Do not even think about using MD5, or MD4 for which Prof. Wang can find collisions by hand, but RIPEMD-160 still stands).

Read the article HERE.

Battle of the SSH protocols: SSHv1 v SSHv2

Telnet has been eclipsed by two feature-laden Secure Shell protocols. But which one is best? Many network administrators have stopped using Telnet for switch management in favor of the more secure Secure Shell (SSH) protocol. But there are two versions of SSH. Which one is best?

Read the article HERE.

Microsoft to clamp down on spam over IM

Microsoft's next version of its instant messenger application will have a new security feature to report users who send unsolicited messages, known as SPIM (spam over IM).

Read the article HERE.

Secure Java coding course

Developers are being invited to comment on a new draft for tests in writing secure code in Java. The exam framework, backed by the Secure Programming Council, a consortium of corporates pulled together by the SANS Institute, is designed to be a test of essential programming skills.

Read the article HERE.

Securing the Laptop: Mission Impossible?

Nearly every week, the report of a stolen laptop hits the news and, with it, a horror story of data loss, identity theft and corporate liability. With a downside that steep, it's no wonder that the laptop is the target of corporate IT security campaigns nationwide. Few corporate executives will sleep soundly until their IT managers have done all they can to lock down laptops and limit the sensitive data on them.

But that's easier said than done. Read the article HERE.

Sunday, November 25, 2007

Six Cybersecurity Nightmares

Most computer-security professionals don't believe in security. To those who know better, a computer network can never be "secure"--only "more secure." In other words: No data is absolutely safe.

Read the article HERE.

The State of Typo-Squatting 2007

By the end of 2007, at least 8,000 URLs using the word iphone will be registered, according to a well known domain expert. The most valuable – – is owned by Apple itself, but when Steve Jobs announced the product early in 2007, Apple didn’t own the iphone domain yet. One expert estimates that Apple paid at least $1 million to buy that piece of valuable Web real estate.

Among the 8,000 registered URLs incorporating iphone are community fan sites, rumor and hack sites and, of course, scam sites. Freeappleiphonesnow dot com claims to offer free iPhones and variants that don’t even exist (like the iPhone “shuffle” and “nano”.) The URL is nothing more than a redirect to royalsweeps dot com. When we tested the site, we received debt consolidation offers, get rich quick solicitations, “free” cell phone prizes and other questionable e-mail.

Read the article HERE.

Time to end parental spying?

Internet safety isn't just about technology, but the public nature of online communication brings a whole new set of challenges home for parents and adolescents. Teens have always had "secret lives," but they weren't shared with the general public until they went online. A computer in the home is still a relatively new portal for outbound and inbound communication with the rest of the world. This complicates the issues of friendship, gossip, bullying, dating safety, potentially predatory sexual interest, and other issues that have always come with growing up.

Read the article HERE.

Parents the winner in Leopard v Vista showdown
In a showdown of new parental controls in Apple's Leopard versus Microsoft's year-old Vista, there's one clear winner - the parent. Apple and Microsoft don't have numbers on how many customers use parental controls, but analysts say the feature will easily be a selling point for Leopard and Vista this holiday season.

Read the article HERE.

Freeware Antivirus Comparison

This article compares three freeware Antivirus (AV) products currently available: AntiVir by Avira, Avast by Alwil, and AVG by Grisoft. All three of these contenders are full featured resident antiviruses that offer both on demand scanning and active protection.

Read the article HERE.

Researchers warn of AV software risks

The vulnerabilities in antivirus software make the programs as much a threat, as a help, to corporate network security, two German security experts argued in a presentation released last week.

Read the article [and 46 PDF page report] HERE.

Defense in depth revisited
So as a result of my previous post on the use of multiple scanners as a supposed form of defense in depth I was pointed towards this set of slides for a presentation by Sergio Alvarez and Thierry Zoller at n.runs: the expectation was that I'd probably agree with it's contents, and some of them I do (eg. some of those vulnerabilities are taking far too long to get fixed) my blog wouldn't be very interesting if all I did was agree with people so thankfully for the reader there's a number of things in the slides I didn't agree with...

Read the article HERE.

PayPal and DoubleClick - Episode #119

Leo and I dissect the "Links" on PayPal's site with an eye toward reverse engineering the reason for many of them routing PayPal's users through servers owned by DoubleClick. We carefully explain the nature of the significant privacy concerns raised by this practice.

Read the article HERE.

Mac Security Freeware

Confidential Data Manager and Password Storage Utility
In a series of articles on Mac security freeware I will be covering a number of newly released security tools for Mac OS X. This time I am taking a look at two confidential data storage utilities - Pastor 1.7.5 and Pocket Cache 1.3.0.

Read the article HERE.

Saturday, November 24, 2007

Hackers cause loss of $400b a day

Hackers around the world could cause losses of a mind-boggling $400 billion every day, Bahrain-based Zain Chief Executive Officer Dr Saad Al Baraak revealed. Speaking at the third session of the Middle East Homeland and Global Security Forum, Dr Baraak said telecom companies lose anywhere between 10 to 15 per cent of their revenue every day because of violations committed by mobile phone users.

Now I have mused on a few occassions the $ numbers used in situations regarding potential or actual losses. Of course, up until now, my favourites has always been the RIAA and IPFI, whose piracy arguments and figures just don't add up. But, this new figure puts them both to shame. How does the average person get their head around a $400 billion loss EVERY DAY. I mean, we are talking numbers that put the Gross Domestic Product of most countries to shame.

Of course, this estimate comes with a disclaimer. Those two magic words - could cause - allow any dollar number to be used. Fact or fictional - it doesn't matter - because it is something that can never be proven or disproven. This statement has grabbed a few headlines, but with what credibility?

Cellphone Tracking Powers on Request

Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers. In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime. Privacy advocates fear such a practice may expose average Americans to a new level of government scrutiny of their daily lives.

Read the article HERE.

University 'Toolkit' Raises Privacy Concerns

What we found was that depending on how a university's network is set up, installing and using the MPAA tool in its default configuration could expose to the entire Internet all of the traffic flowing across the school's network.

Read the article HERE.

VoIP hacking proof

An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.

Read the article HERE.

Privacy - not any more

New front in the battle against identity theft
Millions of young people have made themselves vulnerable to identity theft as well as putting their future academic and professional prospects at risk by recklessly posting personal information on the internet, Britain's privacy watchdog warns in a report published today. The ICO has already begun an investigation into Facebook after a member of the public complained that he was unable to delete his account.

Read the article HERE.

Privacy group shines light on Facebook’s Beacon
Online privacy group says that Facebook’s new social advertising campaign is a complete violation of user privacy because it monitors user activity on participating third-party sites. The thought of having your every move tracked is unnerving. Not many people would say ‘yes’ to broadcasting every time they bought a book, rented a movie, made a bid on eBay, but this is essentially what Facebook’s new social advertising service Beacon does — unless you specifically tell it not to.

Read the article HERE.

Friday, November 23, 2007

XP Has Same Bug As Win2K

Windows XP, Microsoft's most popular operating system, sports the same encryption flaws that Israeli researchers recently disclosed in Windows 2000, Microsoft officials confirmed late Tuesday.

Read the article HERE.

Russian Business Network - Additional Analysis

SANS Internet Storm Center has an item about David Bizeul, who has spent the past three months researching the Russian Business Network (RBN). The RBN is a virtual safe house for Russian criminals responsible for malicious code attacks, phishing attacks, child pornography and other illicit operations.

Read the 70 page [PDF] article HERE.

Online security: many passwords and many risks

Despite repeated recommendations not to do so, people typically write down their user names and passwords or recycle them from one site to the next. That means that if a thief gets hold of the list, or your core password, the Internet can become the world's window into your computer, your finances and your identity. Identity theft is a $55 billion-a-year concern, according to most leading estimates. Last year, Arizona had more identity-theft victims per capita than any other state, according to data compiled by the Federal Trade Commission.

Read the article HERE.

At your fingertips: Passwords to the past
Computer passwords could soon be a thing of the past. A survey by the organisers of Info-security Europe, the information security industry trade fair, found that the average number of passwords used at work is five per person – so, with personal passwords factored in, most people use about 12 passwords every day.

Read the article HERE.

Placing a Value on Passwords
How much is your password worth? Talk about a difficult question to answer! Back in 2004 a survey conducted at one of the UK’s busiest railway stations revealed that 70% of people would reveal their computer password for a chocolate bar. What if I was to tell you that, today, your password is worth something less than four cents?

Read the article HERE.

Skype encryption stumps German police

German police are unable to decipher the encryption used in the Internet telephone software Skype to monitor calls by suspected criminals and terrorists, Germany's top police officer said. Law enforcement agencies and intelligence services have used wiretaps since the telephone was invented, but implementing them is much more complex in the modern telecommunications market where the providers are often foreign companies.

Read the article HERE.

Thursday, November 22, 2007

TOR anonymisation network phished

By publishing his TOR hack, Swedish researcher Dan Egerstadt recently provided users with a timely reminder that The Onion Router (TOR) anonymisation network should be enjoyed with caution. By setting up five exit-nodes, Egerstad sniffed out large amounts of e-mail access data from embassies and government agencies and published some of this data on the internet. Since a user cannot know who operates the individual exit-node through which his traffic passes, TOR users are advised to always make use of additional encryption.

Read the article HERE.

BitDefender anti-virus scanner vulnerability

Anti-virus vendor BitDefender offers an online virus scanner, which installs ActiveX components onto the computer being scanned. A security vulnerability in one of these controls can be exploited by an attacker using crafted web pages to inject arbitrary code onto the computer.

Read the article HERE.

Converting an iPhone into a Spy Tool

Using a specially crafted Web page utilizing an iPhone exploit (now patched) he gained root level shell access to the phone — which in layman's English means that he could do anything that the iPhone is capable of from his laptop.

Read the article - and watch the video - HERE.

Is the Internet Governable?

No, there's no Internet Governmental Organization based in Switzerland that can order anyone around. What authorities there are can only focus on the high-profile stuff. Mostly, it's every man for himself.

Read the article HERE.

Pirating Costs Based on Futuristic Fantasy

If ever there was a time to question the Motion Picture Association of America's accounting of lost income to piracy, the time is now.

Read the article HERE.

Wednesday, November 21, 2007

UK's families put on fraud alert

Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25m people.

Read more HERE.

Testing TOR Node Attacks

People tend to think of the TOR network as a silver bullet, which is not the case. Even on TOR's distribution site it's clearly stated that TOR will not guarantee complete privacy.

Read the article HERE.

Vulnerabilities In Media Applications

eEye Digital Security has discovered 14 vulnerabilities in the processing of FLAC (Free-Lossless Audio Codec) files affecting various applications. Processing a malicious FLAC file within a vulnerable application could result in the execution of arbitrary code at the privileges of the application or the current user (depending on OS).

Read the article HERE.

Large Scale MySpace Phishing Attack

In need of a "creative phishing campaign of the year"? Try this, perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, that's been active for over a month and continues to be.

Read the article HERE.

MySpace hacker tells his story
If Samy Kamkar plays his cards right, he may be allowed to visit MySpace again in just a few months. For the time being, however, he's not even allowed to touch a computer, following a January 2007 guilty plea for creating what many consider to be the first Web 2.0 worm: the Samy worm. Samy's worm wasn't malicious, but it did force News Corp.'s MySpace social-networking site to shut down in late 2005 after forcing more than 1 million users to declare Samy a "hero" on their profile pages.

Read the article HERE.

PGP creator defends Hushmail

Phil Zimmermann, the coder who created the Pretty Good Privacy (PGP) email encryption scheme in 1991, defended encrypted online webmail company Hushmail's turning over of the unscrambled emails to the government when give a court order, arguing it is not reasonable to expect that online encrypted email storage is as safe as using encryption software on one's own computer.

Read the article HERE.

Making malware unprofitable

Two researchers take a look at blocking malware at the network level, and come to similar conclusions: it's hard, and getting harder. Our best bet may simply be to make our networks uneconomical targets for hackers.

Read the article HERE.

Tuesday, November 20, 2007

Apple Secretly Tracking iPhone IMEI and Usage

As I sit here applying a new layer of Reynolds tin foil to my international hat of conspiracy, its been proven that Apple tracks iPhone usage and tracks IEMI numbers of all their iPhones worldwide. Hidden in the code of the “Stocks” and “Weather” widgets is a string that sends the IMEI of your phone to a specialized URL that Apple collects.

Read the article HERE.

Steganos offers free encryption

The Inquirer tells us that the German vendor of industrial strength commercial encryption products, Steganos GmbH is offering an encryption software package suited for personal use at no charge. Called Steganos Safe One, the offer provides two 1GB volumes it terms Safes encrypted using the 256-bit Advanced Encryption Standard (AES) algorithm and secure passwords.

The Safe One package includes an integrated password generator that creates highly secure passwords. If you want to create your own passwords instead, it will check them with a built-in multilingual dictionary and warn you about insecure password sequences. The product also includes a visual password feature called PicPass that lets you secure your data with a unique sequence of images, should you have a very good visual memory.

Visit the Steganos website HERE.

The Ugly Truth About Online Anonymity

With the U.S. Government trying to shut down websites, I feel the need to discuss communications security, surveillance and anonymity as the U.S. collapses further into overt fascism.

Read the article HERE.

Be your own personal privacy czar

Like most journalists I know I'm very sloppy about keeping my online communications secure. I rarely encrypt e-mail messages, leaving them to be read by anyone in the electronic chain between me and the intended recipient. And I use public chat services like MSN Messenger and iChat, even though they send messages as plain text across the network. Partly this is because the tools needed to make communications secure can be cumbersome and complicated, even for someone with a technical background.

Read the article HERE.

Cyber Security Bulletins: Release Date - Nov 19

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read this weeks bulletin HERE.

Mozilla to fix 9-month-old Firefox bug

Mozilla will patch Firefox against a nine-month-old protocol handler bug, its chief security executive announced Friday, after researchers demonstrated that the vulnerability was more serious than first thought. The bug is another uniform resource identifier (URI) protocol handler flaw, and the news of an impending fix comes on the heels of Microsoft patching Windows to repair problems in the handlers it registers. Protocol handlers -- "mailto:" is among the most familiar -- let browsers launch other programs such as an e-mail client through commands embedded in a URL.

Read the article HERE.

News, Hints, Tips, Tricks & Tweaks

Read this weeks articles at WXPNews HERE.

Monday, November 19, 2007

USB Flash Drives

You've read the book, seen the movie, and even got the t-shirt.
What began life as a "toy" has exploded into something we probably never imagined. It's humble 256Mg storage capacity has grown to a 16Gb [8Gb review here] self contained shock proof, water resistant portable desktop. I'm not sure how many of you are using this device for that purpose. Some may just use it for easy transfer of large files. But if you like to take all your goodies with you, here's a starting point.

Portable apps
A portable app is a computer program that you can carry around with you on a portable device and use on any Windows computer. When your USB flash drive is plugged in, you have access to your software and personal data just as you would on your own PC. And when you unplug, none of your personal data is left behind.

Even the lightest laptops won't fit in your pocket. But these days, you don't need to lug around an entire computer just to get some work done. In fact, you can carry your entire PC desktop on a USB stick and gain access to your favorite applications, browser bookmarks, documents and even your e-mail no matter what computer you sit down in front of.
Wired article - Nov 8

Portable Freeware Collection
The wired WIKI article doesn't mention it, but the Portable Freeware Collection is the most extensive database of portable Windows software I know of. They even tell you just how portable a program is (whether it will still save settings to the %APPDATA% directory or need administrator access to write to the temp directory, for example) and how to make some non-portable programs portable.

Read the Lifehacker articles HERE.

U3 - The 'Official' Portable USB Apps Platform
U3 smart drives are traditional USB Flash Drives with a specific setup:
Two partitions: one for the U3 Launchpad, and one for U3 Programs and Data
U3 Launchpad Preloaded onto primary partition and set to autoplay
Optional: U3 Compliant Applications Preloaded

Visit the website HERE

USB Webites - Portable software for USB drives
List of portable software -
Everything USB... We Mean Everything!

Security/Hacking apps
I am not linking to the actual modified applications, primarily because although these can be used to assist in securing your network, can also be used for nefarious purposes … [of course they are not difficult to find ]

Nmap is a free open source tool used for network exploration and vulnerability auditing. Using Nmap a user can quickly scan large networks as well as target specific hosts. Nmap uses IP packets in unique ways to figure out what hosts are available on a given network and can determine what operating system it is running as well as determine what services (including versions) it is running and can also discover what type of packet filters and firewalls are in use.

Ethereal is a free protocal analyzer, also called a packet sniffer that is used for network troubleshooting, analysis and protocol development. The tool allows the user to see all traffic being passed over a network when putting a network card into what is known as “promiscuous mode”.

Showtraf is a tool that monitors network traffic on a network and displays the traffic continuously via a GUI.

TCPDump is similar in functionality to Ethereal, however works via the command line and does not have a graphical user interface. The application allows the user to intercept and display TCP/IP and other packets transmitted and received over a network.

Nemesis works on the command line and is used for packet crafting and injection. It is used primarily for testing Network Intrusion Detection Systems, firewalls and IP stacks and other networking tasks.

John the Ripper
John the Ripper is a password cracking tool which works to detect weak password. There are several other password cracking tools that run via USB, in fact most can. Interestingly many anti-virus applications will detect the presence of these files and quarantine them, however all one needs to do is temporarily disable the anti-virus which most users have the rights to do and it can be run without a problem.

Netpass is a utility used to recover network passwords on Windows 98/ME, however can also discover other passwords on XP such as .NET Passport passwords etc.

A “podslurping” application that allows users to copy large quantities files from a system in a matter of seconds. A version that simply audits a system as an example of how such an application works is downloadable from here.

This is just a sampling of security related applications that can be run directly from a USB drive, this is by no means complete. More applications are appearing on a daily basis that can run straight from a USB flash drive.

Portable USB Flash Drives - Formatting
All types of flash memory and EEPROM wear out after a certain number of erase operations, due to wear on the insulating oxide layer around the charge storage mechanism used to store data.

Warning! Windows XP provides a tool to format USB flash drives, but the results of that process are error-prone. In a worst case situation, it can even destroy the flash RAM in a USB flash drive.

USB Format Tool: This programme may be used to safely format most USB flash drives.

Click HERE to download.

Installation :
Download the .EXE file to a directory on your hard drive.
Execute the downloaded file and follow the on-screen instructions.

Utilities to make USB flash drives bootable
I found a couple of links for creating bootable flash drives that I found useful. How to boot from a USB device has good instructions, and this worked for me, and took about 20 minutes. Then I found this utility:
HP bootable flash utility. And it worked for me as well, and took about a minute. The best thing about this utility is that it is reported to work with many other flash drives - I tried it on a no-name USB 2.0 thumb drive, made it bootable with the HP utility on a 1.1 USB bus, and then used it to boot a computer.

USB Hacksaw
The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account. Proof of concept code shows how to deliver the payload instantly with a U3 autorun hack borrowed from the USB Switchblade on Windows 2000 or higher computers running as administrator or guest. Automatic propogation to other USB devices is possible.

Visit the website HERE.

Buy or create security
There is now a reasonable choice of products if you wish to purchase your security over the counter. To mention a few : Stealth MXP [4Gb] is a complete standalone, portable, USB powered, secure, multi-functional product with on-board processor and seamless, hardware based encryption. IronKey [4Gb] is a USB flash drive with a dedicated hardware encryption chip and a self-destruct ability, bundled with secure means of accessing internet and storing your passwords.

Or, if you are not on your Fedaral Police Force "Midnight Visit List" you may just like to grab a 16Gb Corsair Flash Survivor GT [reviewed above], and instal TrueCrypt. While this is just a software solution, it should be enough protection for most users.

Sunday, November 18, 2007

Do you lock your computer

I encourage my coworkers to lock their computers. Security, after all, is everyone's business. But often gentle encouragement is not enough. Sometimes, more persuasive methods are necessary.

Read the article HERE.

Free Kiosk Utility for Windows

Microsoft released Windows SteadyState in late June, but you may not have been aware of it. It is a free program that allows you to lock down a Windows installation, and make it suitable for use in a public environment.

Read the article HERE.

The Death of Email

You can now send and receive every kind of message—texts, IMs, e-mails, and Facebook posts—with most new mobile phones. It's not hard to imagine a future communications command center where, on a single screen, you'll be able to choose between sending an e-mail, instant message, status note, or blog post—or sending all of them at once—and then have all those bits of text neatly and securely archived.

Read the article HERE.


Free DVD to MP3 Ripper
Freeware application Free DVD to MP3 Ripper rips DVD audio to your hard drive as MP3s.
It can also rip audio from MPEG files and VCD and SVCD movies.

Visit the website HERE.

Open Source Video Player Miro Hits 1.0
Cross-platform, open source video application Miro is now available in a full-featured, bug-fixed 1.0 version. The program formerly known as Democracy Player plays almost any kind of video file

Visit the website HERE.

Weekend Reading

The hack of the year
In August, Swedish hacker Dan Egerstad gained access to sensitive embassy, NGO and corporate email accounts. Were they captured from the clutches of hackers? Or were they being used by spies? Patrick Gray investigates the most sensational hack of 2007.

Take a look HERE.

How to lock up laptop security
Even before her state of California put a stake in the ground regarding public disclosure of data breaches, Christy Quinlan could see the wisdom in encrypting client data on mobile devices. Shortly after Quinlan became CIO of California’s Department of Health Care Services in 2005, one of the agency’s partners lost a computer.

The contractor had to notify everyone who might have been affected, at a cost of several hundred thousand dollars. And while Quinlan’s staff had not lost the laptop, they still spent much of the week before a holiday co-ordinating with the contractor to determine the possible scope of the security breach and then ensuring swift and proper notification. "Once information is on the loose, you can never get it back," Quinlan says.

Take a look HERE.

Google: In Search of Itself
In a span of four days earlier this month, Google launched an initiative to enable social networking tools to work across dozens of web sites and rounded up 33 partners to develop software to power a new generation of cell phones. While these efforts illustrate Google's determination to keep expanding its territory, they also increase the challenges faced by the $200 billion company. And they pose a question that seems to crop up more and more these days: Where is Google headed?

Take a look HERE.

Russia Casts A Selective Net in Piracy Crackdown
The newspaper Novaya Gazeta, one of the last outposts of critical journalism in Russia, suspended publication of its regional edition in the southern city of Samara on Monday after prosecutors opened a criminal case against its editor, alleging that his publication used unlicensed software. The case is part of a larger assault on independent news media, advocacy organizations and political activists, according to government critics. But it is one that is specifically tailored to deflect foreign criticism.

Take a look HERE.

Phone Phreaks Use Caller-ID Spoofing
An Ohio man has pleaded guilty to a federal conspiracy charge for being part of a gang of "swatters" -- one of them blind -- who used Caller ID spoofing to phone the police with fake hostage crises, sending armed cops bursting into the homes of innocent people.

Take a look HERE.

German amateur code breaker defeats Colossus
In an ironic twist, a British team operating a World War II codebreaking computer has been beaten in a cipher-breaking contest by a German.

Take a look HERE.

Saturday, November 17, 2007

The Strange Story of Dual_EC_DRBG

Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.

Read the article HERE.

Medusa 1.4 - Parallel Password Cracker

It’s been a long time coming but here it is, after almost a year (Remember Medusa 1.3?) finally version 1.4 is here! Version 1.4 of Medusa is now available for public download! What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services

Read the article HERE.

What Intel giveth - Microsoft taketh away

In practical terms, it means that performance advancements on the hardware side are quickly consumed by the ever-increasing complexity of the Windows/Office code base. Case in point: Microsoft Office 2007 which, when deployed on Windows Vista, consumes over 12x as much memory and nearly 3x as much processing power as the version that graced PCs just 7 short years ago (Office 2000).

Read the article HERE.

Live at USENIX '07

Today's video is a demonstration of Mobile Spyware.
It's a segment from Mikko's USENIX '07 presentation.

Watch the video HERE.

Lust But Don't Touch

The world is flat - except when it comes to getting a cellphone. The strict geographic borders of the mobile industry often keep enthusiasts from their dream phones. In much of the world, carriers dictate what models their networks will support. Handset makers have some say, too, customizing certain phones for various vendors. But consumers? Exactly what cellphone you can choose depends on where you live.

Read the article HERE.

UK Doctors To Encrypt Laptops?

Richard Thomas, the Information Commissioner in the UK, has told the Lords’ Constitution Committee that doctors who have their laptops stolen due to carelessness should end up in court. Of course, the matter is not as simple as it sounds.

Read the article HERE.

Hidden crime of ‘wi-fi tapping’

“Wi-fi tapping” or “piggybacking” has boomed in the past few years as hackers take advantage of unsecured computers to access the internet without paying for it. Police regard it as a serious offence because intruders can download pornographic materials and illegal images without being caught. Only the legitimate holder of the wi-fi account is likely to be tracked down.

Read the article HERE.

Friday, November 16, 2007

Secret Backdoor in New Encryption Standard?

Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.

Read the article HERE.

RIPA key decrypt demand

An animal rights activist has been ordered to hand over her encryption keys to the authorities. Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force at the start in October 2007. Intended primarily to deal with terror suspects, it allows police to demand encryption keys or provide a clear text transcript of encrypted text.

Read the article HERE.

IN SECURE Magazine Issue 14 released

Download and read HERE.

Apple ships the first Leopard update

The first update to Mac OS X Leopard has arrived, with fixes for bugs in Time Machine and Finder, among other things. Version 10.5.1 is now available through Software Update or on Apple's Web site. It's a 110MB update that smooths out some of the more notable bugs reported in the first three weeks of Leopard's life on the planet, and it arrives just one day after Apple shipped what will probably be the last update for Tiger, Mac OS X 10.4.11.

Read the article HERE.

Storm Worm spams its own bots

Some 250,000 computer users, (((?))) who likely never knew their machines had been seeded with the notorious Storm Worm virus, received confirmation this week when a pop-up stock spam message appeared on their desktops.

Read the article HERE.

Windows Server 2008 versions revealed

With Windows Server 2008 nearing a final release in the coming months, Microsoft has whetted our appetites by announcing details and pricing about each specific edition of the upcoming server OS. As would be expected, Windows Server 2008 comes in a number of varieties, most of which are offspring from Windows Server 2003.

Read the article HERE.

Thursday, November 15, 2007

Paranoid - and proud of it

What a great week for the paranoid among us. News stories like "Help Desk Worker Pleads Guilty To Running Bot Net" and "Illegal immigrant finds work as spook for the FBI and CIA" justify our attitude towards security. Of course many will counter with the fact that these are isolated cases, but as we always reply, it only takes one isolated case. Where did you buy that new computer? Have you just had a tech repair your computer or perhaps instal something new? How much personal information was the tech able to access while it was in the shop for repairs/upgrades? Now tell the truth in answer to this next question. How many of you performed a basic security scan when you brought your new or repaired computer home?

Again, many will counter that they trust their techs and retailers - and that it's only in isolated cases we hear of indiscretions by these groups. Heard it twice this week - and as the first line on my website says - "There is now a definite need to create a culture of security". It seems that culture needs to become stronger with each passing moment.

Database servers 'have no firewall'

There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield.

Read the article HERE.

To catch a data thief

Collaboration between banks, the police and customers is crucial in helping financial services firms curtail the activities of identity fraudsters. Tom Young asked an expert panel for their views on this key area of IT security

Read the article HERE.

PandaLabs blog

Fake Microsoft Update and Video Spam 2.0

Read the articles HERE.

Popular Spammers Strategies and Tactics

An assessement of several different recent spam campaigns, demonstrating the key concepts spammers use, and providing concise strategic advice on how to undermine their current model.

Read the article HERE.

Microsoft revamps security suite

Microsoft is set to release a major update to its Windows Live OneCare security suite next week. That's according to Amazon, which has already begun accepting orders for OneCare 2.0.

Read the article HERE.

Wednesday, November 14, 2007


Released : Windows
Released : iPhone
Coming this week : Vista

Microsoft exec calls XP hack 'frightening'

A Microsoft executive calls the ease with which two British e-crime specialists managed to hack into a Windows XP computer as both "enlightening and frightening."

Read the article HERE.

Malware Response and Analysis

With the ever expanding use of the internet, and the availability of always on, high speed internet at the home, the threat of malware has never been greater. In the past viruses were passed from user to user through storage media, or as attachments to email. But today malicious software, or malware, is potentially on any website, or embedded in many files that appear harmless. In most instances, antivirus software or spyware removal software will detect the malware and protect the computer from infection, but not always. This paper examines the response needed when your computer is infected with malware, the effect of malware programs and how to determine the changes to an operating system.

Read the article and [33 page PDF] report HERE.

DoubleClick Serves Up Vast Malware Blitz

DoubleClick officials have recently implemented a security monitoring system to catch and disable a new strain of malware that has spread over the past several months. This system has already captured and disabled about 100 ads, the company said in a statement, although it didn't mention this episode in particular.
The bogus anti-spyware onslaught is only part of a bigger wave that's also included porno ads being swapped for normal ads on sites such as The Wall Street Journal. It's not yet clear whether the same fraudsters are behind both the porn and the fraudulent anti-spyware ads.

Read the article HERE.

Online thieves run amok

Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat. Even as the White House asked last week for $154 million toward a new cybersecurity initiative expected to reach billions of dollars over the next several years, security experts complain the administration remains too focused on the risks of online espionage and information warfare,

Read the article HERE.

Pirate News

Infringement in perspective
It turns out that its cheaper to be the first person to upload The Simpsons Movie to the Internet than it is to share MP3s on KaZaA. $890 for The Simpsons Movie filmed on a cell phone and $9,250 for an MP3 of a Dream Theater tune. One of these penalties seems really out of proportion to the crime, and we'll leave it as an exercise to the reader to figure out which one.

Read the article HERE.

U.S. 'botmaster' faces up to 60 years prison
A Los Angeles man is facing up to 60 years in prison and fines of up to US$1.75 million after admitting to infecting at least 250,000 PCs with information-stealing malware.

Read the article HERE.

Torrent site is more popular than CNN
It is not often that a torrent search engine can overtake prime sites covered with multibillion dollar news organizations, where a single staffer has higher salary than these guys have budget.

Read the article HERE.

Pirate Bay targeted by Plod
The Pirate Bay is under attack once again, as Swedish prosecutors announce their intention to press charges against the site's five main admins.

Read the article HERE.

And my favourite comment - on this subject - seen today...
Couldn't they just sue Al Gore for inventing the internet?
I would say he is the most responsible for facilitating copyright infringement

Tuesday, November 13, 2007

Chinese Trojan on Maxtor HDDs

Confirmation that a Maxtor hard disk drive was infected with a Trojan by a manufacturing sub-contractor in China is spooking Taiwanese authorities, one of the countries where examples of the infected kit have begun to appear.

Read the article HERE.

Security loophole found in Windows

A group of researchers headed by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa succeeded in finding a security vulnerability in Microsoft's "Windows 2000" operating system. The significance of the loophole: emails, passwords, credit card numbers, if they were typed into the computer, and actually all correspondence that emanated from a computer using "Windows 2000" is susceptible to tracking. According to the researchers, who have already notified the Microsoft security response team about their discovery, although they only checked "Windows 2000" (which is currently the third most popular operating system in use) they assume that newer versions of "Windows", XP and Vista, use similar random number generators and may also be vulnerable.

Read the article HERE.

Malware-pushing web sites on the rise

The number of malware-infected web sites has risen to 66,000 so far this month and continues to rise, despite the fact that the malicious application is detectable by most antivirus products on the market. A major culprit for all this malware is a malicious script from According to Mark Hofman at the SANS Internet Storm Center, the number of sites infected by the script has more than doubled.

Read the article HERE.

Cyber Security Bulletins: Release Date - Nov 12

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read this weeks bulletin HERE.

Windows 7 "top feature request list" leaked

An internal list of the most popular requests for improving Windows has been leaked, giving a glimpse of what users want in the next version of Windows. Strangely, 'make Firefox the default browser' is not one of them.

Read the article HERE.

News, Hints, Tips, Tricks & Tweaks

Read this weeks articles at WXPNews HERE.

Nikto 2 released

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Read more HERE.

PHP 5.2.5 released

Version 5.2.5 of the PHP script language has been released to close some security holes and offer numerous improvements. According to the developers, stability has been improved and more than 60 flaws have been fixed. Consequently, the developers urgently recommend installing the new version.

Read more HERE.

Monday, November 12, 2007

Update: Russian hacker gang vanishes

The shadowy hacker and malware hosting network that only recently fled Russia to set up operations in China has now pulled the plug there and vanished yet again, researchers said late Friday.

The latest disappearing act of the Russian Business Network (RBN) has left researchers scratching their heads. "Where have they gone, that's the question," said an analyst with VeriSign's iDefense Labs, who wanted to remain anonymous, leery of retribution from the gang. "What's really interesting is how fast they shut everything down."

Read the article HERE.

Snort 3.0 Architecture Series Part 1: Overview

Snort 3.0 is the next generation Snort engine that is currently under active development at Sourcefire. I have been acting as lead architect as well as a contributing developer on the project for many months now. As one of the people who's driving development of the system I thought it would be worthwhile to start talking about what we're building because I know a lot of people are interested in learning more about this next generation Snort engine.

Read the article HERE.

First Look at Firefox 3.0

With the release of the much anticipated Firefox 3 looming just around the corner, we got our hands on the latest beta build of your favorite browser to get a closer look at exactly what changes and exciting new features you can expect from the upcoming release of the 'fox. From a snazzy design update and stability improvements to smart folders and bookmark tagging, you won't be disappointed with what you're getting.

Read the article HERE.

MSDN Magazine Contents: November 2007

Security is arguably the most important issue in computing today. Without the ability to secure your data and applications, there's little point in improving performance, user experience, or any of the other factors we're constantly nipping at.

With that in mind we bring you lessons we've learned since the inception of the trustworthy computing initiative, show you how to find the root cause of crashes in your applications and how they might result in security vulnerabilities, and provide pointers on performing effective code reviews. Finally we show how to build a fuzz testing application with Visual Studio Team Edition.

Read the magazine HERE.

Welcome to the Cisco Security Blog

The purpose of this blog is to make you aware of what makes the global internet more secure, keep you updated on some of the latest developments, and give you greater access to the Cisco security community. We plan to update the blog several time a month so add it to your favorites and subscribe to the feeds.

Read - and bookmark - the blog HERE.

CyberNotes: The Ultimate Sidebar

I’m always looking for ways to get things done a bit faster, and today we bring you what could very well be the ultimate sidebar. It’s actually more like a personalized homepage, a sidebar, and an application launcher all rolled up into one. That sounds pretty interesting, doesn’t it?

SideSlide is a free application for Windows that is sure to impress. You can tuck it away to any edge of the screen, and it will pop out at a moment’s notice. In your SideSlide workspace you’ll be able to add RSS feeds, program shortcuts, hyperlinks to websites, notes, images, reminders, and more!

Read the article HERE.

Ultimate Anonymity offers U-Products

In case you missed my previous post here are a few more sercices provided by Ultimate Anonymity.

U-Split Encrypted File Storage
Download the ultimate file storage solution. Encrypt files and securely & safely transport them. Use our program to take a single file of any size and split it into two secured, encrypted halves. Our software automatically generates a key-pair for each file you split setting new standards. One half of the encrypted pair is completely useless without the second half being present.

Anonymous proxy management
If you surf the web using anonymous proxies, our nifty proxy software will allow you to manage proxies and switch anonymous proxies on the fly with a single mouse click without ever having to change your web browsers settings! Your web browsers settings are not effected in any way. Surf in your regular fashion through your internet connection as you normally would. Then, when you want to be anonymous, simply launch our utility choose the proxy you want then launch a new browser window and you are anonymous, surfing under the desired web proxy! Never touch your browsers settings again!

Sunday, November 11, 2007

Even More Perfect paper Passwords

Leo and I discuss the updated second version of our Perfect Paper Passwords (PPP) system and examine a number of interesting subtle questions such as whether it's better to have fully random equally probable passwords or true one-time-only passwords; and how, whether, and why attack strategies affect that decision.

Read - or listen to - the article [Episode #117] HERE.

Trojan Writer Lusts for Money

Since the start of this past September, my daily tasks have included investigating Trojan.Farfli, which is updated frequently. On the dark side of things, the author of the Trojan has daily tasks that are closely related to mine: updating Trojan.Farfli.

Read the article HERE.

Go forth and buy our goods and services

<sarcasm>Go forth and buy our goods and services</sarcasm>

Read the article HERE.

Axxo and Pirate Bay

For those of you that recognise the name "Axxo" this is an interesting read. Especially for those that [used to] use Demonoid. This message has been up for 3 days now at Demonoid - "The CRIA threatened the company renting the servers to us, and because of this it is not possible to keep the site online. Sorry for the inconvenience and thanks for your understanding."

Read the article HERE.

How NOT to use TOR

You should not use TOR for the purposes of secure communications. You should be using TOR to anonymize routing. If you are passing identifiable information over the wire you need to use a secure end-to-end encrypted channel, like ssh, https, or ssl-imap.

Read the article HERE.

Weekend Reading

FBI Mined Grocery Store Records to Find Iranian Terrorists
Like Hansel and Gretel hoping to follow their bread crumbs out of the forest, the FBI sifted through customer data collected by San Francisco-area grocery stores in 2005 and 2006, hoping that sales records of Middle Eastern food would lead to Iranian terrorists.

The idea was that a spike in, say, falafel sales, combined with other data, would lead to Iranian secret agents in the south San Francisco-San Jose area.

The brainchild of top FBI counterterrorism officials Phil Mudd and Willie T. Hulon, according to well-informed sources, the project didn’t last long. It was torpedoed by the head of the FBI's criminal investigations division, Michael A. Mason, who argued that putting somebody on a terrorist list for what they ate was ridiculous — and possibly illegal.

A check of federal court records in California did not reveal any prosecutions developed from falafel trails.

[Only In America] Take a look HERE.

The Borrower Who Never Was
In May 2002, Las Vegas resident Adam Gregory went on a business trip to Phoenix. He stayed at the Ritz-Carlton and charged the $1,082 bill to his American Express card - or so financial records show. In fact, Mr. Gregory didn't live in Las Vegas, never held a job and wasn't even a real person.

Rather, Mr. Gregory was a "synthetic" identity - a person who appears real on paper but is actually a fraudster's concoction designed to trick financial institutions into granting loans and issuing credit cards.

Read the article HERE.

Another Way to Evade NIDS
Although online privacy is something we always need to take care of, the use of anonymous proxy services could lead to trouble as well. First of all, the use of SSL prevents NIDS and most desktop-based IPS from checking those resources visited through the proxy, leaving the desktop antivirus with the full burden of protecting the computer. Then, in an enterprise environment, these systems can bypass security policies through URL and traffic encoding, allowing internal users to browse resources that would otherwise be restricted. For example, this could lead to users checking their private Web emails and downloading those "funny jokes" sent by their friends, unfiltered by the corporate network.

Read the article HERE.

How to build a nuclear device in your home
First, obtain about 50 pounds (110 kg) of weapons grade Plutonium at your local supplier. A nuclear powerplant is not recommended, as large quantities of missing Plutonium tends to make plant engineers unhappy. We suggest that you contact your local terrorist organization, or perhaps the Junior Achievement in your neighborhood.

Take a look HERE.

In next month's column, we will learn how to clone your neighbor's wife in six easy steps. This project promises to be an exciting weekend full of fun and profit. Common kitchen utensils will be all you need.

Microsoft unwraps Windows Live desktop suite
Microsoft's Windows Live services are living up to their name by going live, losing the "beta" label and becoming available as a free, Windows suite of six Web-connected applications. The suite includes Windows Live Mail, which integrates with Hotmail and supports POP and IMAP. Among the other complete, desktop services are Windows Live Messenger and Windows Live Writer for composing blog posts. Windows Live Photo Gallery manages picture albums that can be uploaded to Microsoft Spaces, MSN Soapbox or Yahoo's Flickr.

Take a look HERE.

The latest on troubleshooting Leopard
While some of us are still waiting to get our hands on the new Apple OS, the guys over at APC mag have been putting the cat through its paces. They've published a couple of useful articles looking at the state of play with application compatibility and Leopard, as well as an interesting article looking at the features which Apple seems to have dumped from their new OS.

Take a look HERE.

Not all Russians Are Bad
Over the past few weeks thousands of Russian bloggers have united to combat a pharmaceutical scam that tried to persuade Russian pensioners to spend around half of their annual pension on a course of Gravikol 21 - ‘anti-arthritis’ drugs that were actually little more than vitamin pills.

In perhaps the most startling expression of their offline power, Russia’s bloggers made 21 million (!) phone calls to the offending company’s switchboard, forcing it into meltdown.

Take a look HERE.

Computer scientist fights threat of ‘botnets’
Computer scientist Paul Barford has watched malicious traffic on the Internet evolve from childish pranks to a billion-dollar “shadow industry” in the last decade, and his profession has largely been one step behind the bad guys. Viruses, phishing scams, worms and spyware are only the beginning, he says.

Take a look HERE.

Hacker Curriculum: How We Can Use It in Teaching
Dartmouth’s Computer Science Department has been offering a course in security and privacy since the 2000–2001 academic year. The class’s particulars have varied widely over the years in response to both the ever-shifting nature of the security landscape and the course instructors’ evolving interests. However, the goal has remained the same: give students a sense of the security and privacy issues that arise when software leaves the lab and gets exposed to the misuse and abuse of real users—malicious and otherwise. An introduction to the attackers’ view and methods is an irreplaceable part of this process.

Read the article HERE.

Saturday, November 10, 2007

Another Malware Outbreak Monitor

Such early warning security events systems always come as handy research tools for security analysts and reporters, and it's great to see that more and more vendors are continuing to share interactive threats data in real-time, type of data that used to be proprietary one several years ago. Commtouch's recently announced Malware Outbreak Center is another step in the right direction of intelligence data sharing, and building more transparency on emerging spam and malware outbreaks :

Read the article HERE.

The World's Biggest Botnets

What makes three of today's largest botnets tick, what they're after – and a peek at the 'next' Storm. You know about the Storm Trojan, which is spread by the world's largest botnet. But what you may not know is there's now a new peer-to-peer based botnet emerging that could blow Storm away.

Read the article HERE.

Cross-site scripting hole in Firefox

A vulnerability in Firefox enables cross-site scripting attacks which allow attackers access to a victim's login credentials on websites such as MySpace. While the problem has been recognised since the beginning of the year among Firefox developers and was even documented in an entry at Bugzilla, no changes have yet been made in Firefox to remedy the situation. But now, security specialist Petko Petkov says he has come across the flaw again and published it in his blog, forcing US-CERT to publish its own security advisory on the matter.

Read the article HERE.