"The company plans to launch a penetration-testing service for businesses in October that will use the same techniques as hackers to gain access to its customers' machines. However, the exploit code it will use will be controlled and will not propagate itself as a worm would, HP said on Tuesday."
Sounds like a bunch of pentesting/ethical hacker type jobs are going to open up. I think that other corporations will follow suit. I know some guys who do forensics and pentesting on the side. As vulnerabilities are found quicker by criminals, pentesters/ethical hackers seem to be becoming more significant.
"Don't let a malware attack ruin your business. A little planning and the right responses can make it a minor annoyance instead of a major catastrophe."
This is a pretty good article. The article mentions how to "prepare" for an attack, but I would go a step further and submit how to "prevent" an attack from ever occurring. It is possible to avoid an attack:
1) Get a firewall that uses network address translation (NAT).
2) Use Firefox.
3) Don't surf shady sites: serial cracks, pirated software, some porn sites, screen savers.
4) Watch out for dirty downloads. Some P2P applications and the wares loaded on them are loaded with trojans, worms and other malware.
5) Don't surf the Internet with administrative privileges.
This case is not the same as the Department of Veterans Affairs loss of records or the Department of Agriculture's security failures. In this case, a contracting consultant conducted a penetration test without getting formal approval. He exploited the FBI's vulnerabilities to gain elevated privileges.
Joseph Thomas Colon, 28, is a former employee of BAE Systems. His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. According to Colon, the FBI field office in Springfield, Ill., to which he was attached gave him approval.
However, every professional pentester and/or ethical hacker knows that you have to get formal approval from an authority.
Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system.
As a result, Mr. Colon will likely serve about 18 months in prison. :(...
Pentesting and ethical hacking tools and techniques must be dealt with responsibly. The bureaucracies that might allow pentesting must be respected at all costs. The first thing in pentesting and ethical hacking that is taught is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system.
"Chinese authorities intend to police and control instant messaging, cell phones, blogs and search engines."
If they continue to apply more and more pressure the People's Republic of China is going to break. It is an interesting experiment to see how long people will stand for having zero freedom of speech. Even though America is going the way of China with privacy (as in no citizens having any) it is good to know there is still some freedom of speech left.
A recent change to AT&T's privacy policy for broadband and video users is overbroad and likely will leave the courts or Congress to decide whether the company's practices are standard or sinister, legal experts said this week.
This is why I switched to Vonage. I am so sick of telcos' abuse of power. As soon as I can I'd like to also get rid of my cable service as well. I believe Vonage and other VoIP services are being prepped to give all data to the NSA, but AT&T and Verizon are going nuts.
I hope WiMax opens up new small businesses to compete with the current telcos.
Computer viruses are like real-life viruses: When they're flying around infecting every PC (or person) in sight, they're scary. But after the fact...well, they're rather interesting, albeit in a gory kind of way. With this in mind, we shamelessly present, in chronological order, the 10 most destructive viruses of all time.
a start-to-finish how-to on creating Flash video for displaying embedded video on your website... Using freely available tools, you can create videos for your site that will be viewable by anyone who has a Flash enabled browser (which is just about everyone)...If done correctly, your FLV video should now be viewable on your site...
Ophcrack is the fastest Windows NT, 2000, XP and 2003 password cracker. Download and burn!! Ophcrack 2.1 comes with a GTK+ Graphical User Interface and runs on Windows as well as on Linux.
Network managers are using tubes of super glue to protect their systems from data theft. Outfits are getting so hot and bothered at the loss of corporate data that they are removing writable drives and ordering network staff to pour superglue into USB ports. Nothing a little "cut and paste" won't fix!
The war for privacy may be lost. But the battle over what to do with all that data has just begun. As governments increase their prying, businesses are struggling to keep a lid on their records.
The Jerusalem Post said about 700 Web sites were shut down early Wednesday. Their home pages were replaced by the message, "Hacked by Team-Evil Arab hackers u KILL palestin people we KILL Israeli servers."
When Microsoft issues their last patch July 11, Windows 98 and Me will be complete. How can you keep running them safely without security updates from Microsoft?
This article looks at the potential security risks associated with using Gmail, especially in the workplace where traffic may be monitored. It investigates how to keep the HTTP-SSL connection open for more than just login credentials, but for the whole Gmail session to read, write and chat without worrying about prying eyes.
This article describes how you can run Windows XP images on Ubuntu Dapper if you have a processor supporting Virtualization Technology, the new hardware based VM acceleration technology from Intel. Despite being extremely new it seems stable and quite usable for testing or dev. Very cool technology.
A security researcher with expertise in rootkits has created a working prototype of new technology that is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems.
Security analysts have detected a new piece of malware that appears to run as a Microsoft Corp. program used to detect unlicensed versions of its operating system.
The malware has been classified as a worm and spreads through AOL LLC's Instant Messenger program. Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of malware.
Here is another reason that I've decided to start using Linux more.
Microsoft was considering adding an update to Windows OS users around the world that would inventory their system and lock it down if it was pirated. The patch would be called Windows Genuine Advantage (WGA). If users refused the patch, they'd have thirty days to comply.
"While WGA doesn't seem nearly as bad as the Sony rootkit, Microsoft's slow response to complaints could create backlash against the company in the same way that Sony BMG faced a ton of backlash."
RSA Security, the digital security firm behind the popular RSA encryption and security tokens, is close to closing a deal with data storage behemoth EMC.
A stolen laptop computer containing sensitive information on more than 26 million U.S. military veterans has been recovered and a preliminary review indicated no data was taken...
This group of three short videos shows you how to download GNU/Linux, make a bootable Linux CD, and how to boot Linux on your computer without going through a tedious installation routine. We used Ubuntu for this demonstration, but the steps shown apply to all live CD Linux distributions.
I recently loaded and installed Ubuntu 6.06. It was as easy to install as Windows (if not easier). It also looks pretty. Not sure about the functionality and compatibility yet; I have yet to get down and dirty with Ubuntu. But my experience with Linux & Slackware variants has been that finding compatible hardware, drivers and software for them is a pain in the "ACE". Many of those compatibility issues have been resolved with the newer variants (Red Hat for example). But since so much of the industry (gaming, wi-fi etc.) make their products for Windows, compatibility is likely to be an issue for a while.
You have Linux installed and running. The GUI is working fine, but you are getting tired of changing your desktop themes. You keep seeing this "terminal" thing. Don't worry, we'll show you what to do.
Unix: Shell Programming, by Kochan and Wood, is a great place from which to learn shell scripting. It will tell you how it works and why.
Scripting is a lot easier to learn than programming and in some cases it is better to use. Scripting can do a lot of things programming can do but with WAAAY more overhead (i.e. sucks up more CPU/memory resources). So it is not practical to do if you're creating a large program.
Almost every piece of personal information that Americans try to keep secret -- including bank account statements, e-mail messages and telephone records -- is semi-public and available for sale. Congress gnashing teeth.
I believe that the Chinese government will ultimately not be capable of suppressing the Chinese people's thirst for unrestricted knowledge. Although it is human nature to do what is easiest and follow the herd like sheep, it is also human nature to resist repression.
There is only so much human beings can take. I'm reminded of Shawshank Redemption in which the title character mentions "time and pressure". Time and pressure is all it takes for a person to break. Time and pressure.
I'm sure the Chinese government would not call what they are doing "repression". They'd probably call it "protection". Or maybe they don't call it anything! Internet censorship is not restricted to China. The U.S. government also has restrictions on certain pages and content on the Internet. Do enough searches about "terrorism" and you might even get contacted by the FBI. Fear is the driving factor for security in this country. Blanket censorship is something I definitely DO NOT support.
I guess only individuals can be free and only truly free in their own hearts, souls and minds. With all the breaches of privacy (or should I say complete lack of privacy) between the individual citizens in the US and the US gov't, how "free" and different is the U.S. government from the Chinese government at the fundamental level?
There is a difference (freedom of speech for example) no doubt, but it seems as China moves toward freedom (with its entrance into the WTO and movement toward capitalism) the U.S. seems to be moving toward more control over its citizens as it seeks to sift through its sheep to find the wolves in sheep's clothing.
See what the International Current Affairs Society had to say:
"A group of intrepid H4X0rz have discovered how to easily bypass the Chinese governments censorship of words like 'democracy'."
Google has 79 billion billion billion IPv6 addresses, is buying up massive amounts of dark fiber, and building a massive data center. Just what is Google up to?
Hi-tech fraudsters have begun using recorded telephone messages in a bid to trick users into handing over confidential account information. The tactic has been adopted as a variant of recently detected phishing attacks targeting customers of the Santa Barbara Bank & Trust.
Soldiers in Iraq lack many of the most basic amenities, including Internet access, because there are only 6 to 12 computers for every 1,000 troops. So enterprising soldiers have set up their own "Hajjinets," troop-owned ISPs on just about every base in the country.
The Defense Department has tightened policies on the use of wireless local-area networks (WLANs), in a memo released earlier this month, which requires beefed up encryption and security since the last DOD wireless policy memo was released in April 2004.
"A secret program that allowed U.S. officials to examine hundreds of thousands of private banking records from around the world in search of terrorist ties has been "absolutely essential" to protecting the country from further attacks, Vice President Cheney said yesterday."
When I was in high school, I read this book called Ender's Game, by a man named Orson Scott Card. The book is about a strategic prodigy named Ender who is the only hope for saving humanity from an alien invasion. It was a great book.
In the book Ender's brother and sister, Peter and Valentine, are just as bright as he. Peter convinces Valentine to collaborate in his grand scheme of controlling the planet Earth. They start by creating a huge following on the Internet.
I think that the comment system created by Kevin Rose and the Revision 3 team is going to be copied enough to make it an unofficial standard. The one thing that is very powerful about digg is that it harnesses the power of the collective masses participating. Some topics that are supercharged with emotion move hundreds of commenters on digg into action. The site becomes like a loaded gun.
Perhaps it won't be digg that catapults the current online revolution, but it will almost definitely be something very similar.
Hashapass automatically generates strong passwords from a master password and a parameter. Given the same master password and parameter, Hashapass will always give you the same result. That's so you don't have to store your generated passwords anywhere: just come back here with your master password and the parameter.
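The deterministic derivation the paragraph describes, as an added example (not Hashapass's own code): a site password is derived from the master password and a per-site parameter, so nothing has to be stored. The use of PBKDF2-SHA256, the iteration count, the base64 encoding and the 12-character length are my assumptions; Hashapass's actual recipe may differ.

```python
import base64
import hashlib
import string

PASSWORD_LENGTH = 12   # assumed; Hashapass's own length and format may differ
ITERATIONS = 200_000   # assumed PBKDF2 work factor


def derive_password(master: str, parameter: str,
                    length: int = PASSWORD_LENGTH,
                    iterations: int = ITERATIONS) -> str:
    """Deterministically derive a site password from (master, parameter).

    The parameter (for example the site name) doubles as the PBKDF2 salt, so
    each site gets an unrelated password from the same master. The iteration
    count makes offline guessing of the master expensive for anyone who
    learns one derived password together with the parameter it was made with.
    """
    if not master or not parameter:
        raise ValueError("master password and parameter must both be non-empty")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              parameter.encode("utf-8"), iterations, dklen=32)
    # base64 keeps the output printable; each kept character carries about
    # 6 bits of entropy, so 12 characters is roughly 72 bits.
    return base64.b64encode(key).decode("ascii")[:length]


def rotate_parameter(parameter: str, generation: int) -> str:
    """Rotating one site's password must not change the master (that would
    change every site at once), so rotation is done by versioning the parameter."""
    return f"{parameter}#{generation}"


def character_classes(password: str) -> set:
    """Report which character classes a derived password contains. base64 output
    is not guaranteed to contain a digit or symbol, so sites with composition
    rules may need a different parameter generation to get an acceptable one."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    master = "correct horse battery"   # constructed demo value, not a real master
    for site in ("example.com", "example.org", rotate_parameter("example.com", 2)):
        pw = derive_password(master, site)
        print(f"{site:16} -> {pw}  classes={sorted(character_classes(pw))}")
```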
Episode 2 of the Security Roundtable is up and available. Michael Santarcangelo from the Security Catalyst, Alan Shimel from StillSecure, After All These Years and Martin McKeay discuss the VA and the loss of 26.5 million records.
"As more people turn to Web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said."
The company claims their web browser is a tool for privacy protection, but according to Panda Software it's got some hidden adware. ''It's being used deceptively to get more hits on their site,'' Schoch says. ''This adware opens a series of adult web pages, although they are not visible to the user.''
A HACKER may have stolen personal information for 26,000 current and former US Agriculture Department employees.
The department announced the security breach shortly before midnight on Wednesday, nearly three weeks after it occurred. It offered one year of free credit-monitoring services to the potentially affected employees.
The site included their names, birth dates, and Social Security Numbers. The information has been taken down, and the site is under investigation by Naval CIS.
I'll admit, I really stereotyped the Federal Information Security Conference (FISC). I saw the speakers and saw director, senior and thought manager... they don't have anything to teach me that I want to know. While there were a lot of manager types talking about some high level stuff (i.e. DoD 8570 and its effect on GS civilians), mostly the FISC is about Government employees and their contractors getting exposure to the commercial market.
The great thing about it is that it brings together so much information security talent. I learned more from casual conversation than I did from four separate briefings.
I don't think that the FISC is worth paying more than maybe $20 for. The reason I say this is because even though you learn some things, those that benefit most from the FISC are the vendors who are actually doing most of the speaking.
Prices for the FISC:
Federal Government - stationed in Colorado: $50 per person
Federal Government - out of state: $245 per person
Industry: $345 per person
On-line preregistration after March 31, 2006:
Federal Government - stationed in Colorado: $100 per person
Federal Government - out of state: $295 per person
Industry: $395 per person
On-line preregistration closes June 15, 2006 at 12:00 p.m. The cost to register on site is:
Wells Fargo is sending me mail from... updateit@meinesdomainsins.de <--- Deutschland?!
This idiot doesn't even have enough brains to mask his REAL E-mail: updateit@meinesdomainsins.de
Dear valued WellsFargo ® member:
Due to concerns, for the safety and integrity of the wellsfargo account we have issued this warning message.
It has come to our attention that your WellsFargo ® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.
Once you have updated your account records your wellsfargo account service will not be interrupted and will continue as normal.
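The tell in the lure above is that a message naming one brand is sent from an unrelated domain. This added example (not from the original post) runs that check plus a count of pressure phrases over a sample message; the brand-to-domain allowlist, the phrase list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: a brand and the domains it would legitimately send from.
BRAND_DOMAINS = {
    "wellsfargo": {"wellsfargo.com"},
}
# Pressure phrases typical of credential lures (constructed list).
URGENCY_PHRASES = (
    "update your", "will not be interrupted", "warning message",
    "reduce the instance of fraud", "5-10 minutes",
)


def sender_domain(raw_message: str) -> str:
    """Domain of the address in the From header; the display name is ignored
    because it is whatever the sender chose to type."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def brands_mentioned(body: str) -> set:
    """Brands named in the body; whitespace is removed so 'Wells Fargo' and
    'WellsFargo' both match."""
    squashed = re.sub(r"\s+", "", body.lower())
    return {brand for brand in BRAND_DOMAINS if brand in squashed}


def domain_matches(domain: str, allowed: set) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable reasons the message looks like a brand lure;
    an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    domain = sender_domain(raw_message)
    reasons = []
    for brand in sorted(brands_mentioned(body)):
        if not domain_matches(domain, BRAND_DOMAINS[brand]):
            reasons.append(f"body names {brand} but sender domain is {domain}")
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if len(hits) >= 2:
        reasons.append("urgency phrases: " + ", ".join(hits))
    return reasons


# Constructed sample modelled on the lure quoted above.
SAMPLE_LURE = """From: "Wells Fargo" <updateit@meinesdomainsins.de>
Subject: Account update required

Dear valued WellsFargo member:
It has come to our attention that your WellsFargo account information
needs to be updated to reduce the instance of fraud on our website.
If you could please take 5-10 minutes and update your personal records,
your wellsfargo account service will not be interrupted.
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """From: Wells Fargo <alerts@wellsfargo.com>
Subject: Your monthly statement is ready

Your WellsFargo statement for this month is available online.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```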
I get so many scam letters and spam that 95% of my email is worthless. Here is a scam from Mr. Danmisi.
Submit Mr. Danmisi to some free stuff!! Here is his email: nelsondanmisi@walla.com
Sir,
I am Dr. Nelson Danmisi., the Regional computing auditor of (FNB OF SOUTH AFRICA) JOHANNESBURG BRANCH (SBSA).There is an account opened in this bank in 1985 and since 1992 nobody has operated on this account again. After going through some old files in the records I discovered that if I do not remit this money out urgently it will be forfeited for nothing according to South Africa laws and act of 1993, the money will be reverted to the government treasury after 15 years if there is, no valid claim to the money or account.
I need a foreign partner that I will present as a relative to this late man. The owner of this account is Mr. Daniel B.Jones, a foreigner, and a Miner at Kruger Gold Co. A geologist by profession and he died since 1992. The account has no other beneficiary and my investigation proved to me as well that this company does not know anything about this account and the amount involved is US$24,000,000 Twenty Four Million US Dollars Only.
I am only contacting you as a foreigner, I will use my influence to effect legal approvals and onward transfer into your account At the conclusion of this business, you will be given 50% of the total amount, 50% will be for me and my family. I await to hear from you.
Yours truly, Dr. Nelson Danmisi. FNB OF SOUTH AFRICA.
Submit Mr. Danmisi to some free stuff!! ProductTestPanel.com
Some of my colleagues in the information security profession think that hacking is evil. They strongly rebuke any information security professionals for condoning hacking.
I think that is a ridiculous position to take. How can we be any good at our job (particularly the more technical information security professionals) if we ignore the skills that malicious hackers use to exploit the very systems we protect? Why would we bind our own hands from finding vulnerabilities before our enemies?
Not knowing the darker side of security is like a Drug Enforcement Agent who can't recognize drugs because he or she has never had any exposure to controlled substances. It is not my position that cops should rob a bank or abuse crack to REALLY know the criminal mind. I'm just saying that security is not just about implementing security practice, it is about knowing the exploits, vulnerabilities and threats and knowing them well.
Hacking is cool. It is not all evil or criminal. Sometimes I have to hack my system after locking myself out. I've attempted to hack my own network to find vulnerabilities.
I think hacking is about mastering systems, finding easier ways to do things in life, being clever. The dangerous thing about hacking is that sometimes individuals are smarter than the systems that they interface with (or control them). It is the mutant strain that changes everything, the revolution that forces change, the rebel who refuses to submit, and any of those can be very good or very bad.
Unfortunately, it is easier to destroy than to create, so some weak, ignorant sociopaths give in to the dark side. This is true of any method, skill, talent, profession etc. It is a part of human nature to have users and abusers in our ranks. You may even have some in your family! It is my personal belief that what you reap is what you sow (karma); those who do bad will get theirs. I choose to hack ethically lest I incur the wrath of the universe.
The first ethical-hacking course was started six years ago. Today, there are some half-dozen organizations offering similar instruction around the world
This document describes Public Key Infrastructures, the PKIX standards, practical PKI functionality and gives an overview of available open-source PKI implementations. Its aim is to foster the creation of viable open-source PKI implementations.
"Starting next week, MySpace, the popular online hangout, will make it harder for strangers to send messages to younger teenagers. The site has been under pressure because members are frequently subjected to lewd or inappropriate messages and occasionally lured into dangerous real-world encounters."
If you have a UV light handy, you'll discover a world of secret messages printed on licenses, credit cards, and other official documents as an anti-counterfeiting measure. This web page has some nice photos of the UV ink on a Visa Card, a Master Card, and a CA driver's license.
Civil liberties advocacy group the Center for Democracy and Technology and New Yorkers for Fair Use, comprised of businesspeople and technology advocates, both released net neutrality proposals Tuesday, two days before the U.S. Senate Commerce, Science and Transportation Committee is set to debate the issue.
While fine groups like the Electronic Frontier Foundation, the Free Software Foundation, Creative Commons, and Doctors Without Borders have been fighting these battles for a long time with us, no political party in United States has made the reform of intellectual property and privacy laws their top priority.
Course leader professor Lachlan McKinnon: "We will monitor students closely because we want them to become ethical hackers. But there is no guarantee. Harold Shipman qualified as a doctor, after all, before deciding to become a murderer."
I hope Defcon does not suck. When I go, I will definitely take pictures and report the cool stuff I see.
I went to Defcon 11 in 2003 and it was great even though the lines were ridiculous and some of the better events could only allow a certain number of people. The ideas and talent I was exposed to put me into a whole different way of thinking. I met up with a guy who claimed to work for the mafia! He wasn't happy about it and he said that his employers didn't come out and say they were mafia, but he had very strong feelings that they were.
Being the only brotha at the Defcon willing to drink a (highly, highly overpriced) beer with him, he'd singled me out. What is funny is this guy looked A LOT like DMX. We hung out and met some GS (civilian government) employees that claimed to be too old to party. I could have crashed at his hotel (which was right in the center of it all) but I knew my wife would lose her flippin' mind if I didn't go back home (in-laws' house) and sleep with her.
I was there strictly for the briefings so I really didn't party too much. I do recall that some kid ODed, and there was a very cool Hacker Jeopardy that was completely hedonistic (i.e. naked women and Kevin Mitnick). It was out of control.
Before Defcon I saw all hacking as borderline or full blown criminal. But now I know that all "hacking" is not criminal (although most people believe different).
My love for technology and security was what drove me to check it out. I went on my own. Three years later with a degree and a high level of respect from my employers, I still can't get them to pay my way to Defcon. (What is funny is that it would probably be easier to get them to send me to Black Hat, which is like $2000 as opposed to $100 for the Defcon. Maybe I'll work that angle next year when they have more money.)
I'm excited about going but I sincerely hope that it doesn't suck. It would be much more fun if I could participate in an event. But my skills are not even close to good enough.
Outsourcing to India
Once a county's records are digitized, it's very easy — and incredibly cheap — for data compilers like Axciom and DataTrade to purchase the files and sell them to information brokers like Choicepoint, says Bloys. That's because under most states' Open Records laws, counties cannot charge more than the cost of copying the documents — which means a computer disk containing 10,000 records can be had for as little as a few dollars. What's more, Bloys explains, the companies that actually scan the documents for the county — the so-called wholesalers — often ship the images to foreign countries, like India or China, where outsourcers index the records much more cheaply than could be done in the United States. "[Our public information] is being distributed instantly all over the world," says Bloys.
SmartMoney did an article featuring B.J. Ostergren. I've been trying to get an interview with B.J., but she is no doubt busy with the big boys.
Ostergren has made it her full-time job as the founder of Virginia Watchdog to alert legislators and the general public about what's out there. "It's dangerous, and it's just reckless of those clerks to have these records online," she says. According to a November 2004 report by the Government Accountability Office, as many as 28% of U.S. counties post their records — including people's Social Security numbers — on the Internet.
No cries of outrage, not even a peep from the American public about this. More than likely it is because they don't know about it. I guess they'll find out when someone steals their identity and destroys their credit.