Daily Digs – 09.14.2009
Well, "daily" has been more like "weekly" as of late, but the digs are back.
I think this one is good on a few fronts, but mostly from a humorous perspective. Joe Lieberman and Susan Collins should stick to whatever they do best - and that doesn't include addressing "cyber crime". They're proposing a public / private relationship so that the government (really?) can help businesses defend against attacks. OK, didn't the FBI's website just get defaced recently? Unless the blunt plan is to put up some sort of subsidy (which I'm not at all endorsing), the government is just going to spin up more useless programs that are run by people who just-don't-get-it.
[Committee Examines Growing Cyber Threat to Businesses]
[FBI Jobs Site Gets Hacked]
Unique is not random is not secure. I'm not sure that's a complete sentence, but it sums up the article on Newsoft's Tech Blog nicely. For a rundown of examples on the differences between the three concepts hit up the link.
[Unique is Not Random is Not Secure]
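To make the three concepts concrete, here is an added example (not code from the Newsoft post or from this blog; all function names are my own) that mints session-style tokens three ways and checks each property separately: a counter is unique but trivially predictable, a uuid1 is unique but built from public structure, a seeded Mersenne Twister looks random but replays identically from the same seed, and only the `secrets` module gives tokens that are both unique and unpredictable.

```python
"""Unique vs. random vs. secure: three ways to mint a token.

Added illustration, not from the Newsoft article or this blog.
"""
import random
import secrets
import uuid


def unique_counter_token(counter):
    """Unique, and nothing more: from one token anyone can compute the next."""
    return f"{counter:016x}"


def unique_uuid1_token():
    """Unique across time and hosts (uuid1 embeds a timestamp and a node id),
    but not secret: the layout is public and the fields are guessable."""
    return str(uuid.uuid1())


def random_but_predictable_token(rng):
    """Random-looking output from a non-cryptographic PRNG (Mersenne Twister).
    The whole stream is a pure function of the seed, so it is reproducible."""
    return f"{rng.getrandbits(128):032x}"


def secure_token():
    """Unpredictable: 128 bits drawn from the OS CSPRNG via the secrets module."""
    return secrets.token_hex(16)


def is_unique(tokens):
    """True when no token repeats."""
    return len(set(tokens)) == len(tokens)


def next_is_predictable(hex_tokens):
    """True when every token is the previous one plus one, i.e. a counter.
    Expects plain hex strings (no dashes)."""
    vals = [int(t, 16) for t in hex_tokens]
    return all(b - a == 1 for a, b in zip(vals, vals[1:]))


def replays_identically(seed, n):
    """Two PRNGs started from the same seed emit the same 'random' tokens."""
    first = random.Random(seed)
    second = random.Random(seed)
    return [random_but_predictable_token(first) for _ in range(n)] == [
        random_but_predictable_token(second) for _ in range(n)
    ]


def demo():
    """Exercise each generator and report which properties it actually has."""
    counter_tokens = [unique_counter_token(i) for i in range(1000, 1005)]
    uuid_tokens = [unique_uuid1_token() for _ in range(5)]
    secure_tokens = [secure_token() for _ in range(5)]
    return {
        "counter_unique": is_unique(counter_tokens),          # True
        "counter_predictable": next_is_predictable(counter_tokens),  # True
        "uuid_unique": is_unique(uuid_tokens),                # True
        "prng_replays_from_seed": replays_identically(42, 5), # True
        "secure_unique": is_unique(secure_tokens),            # True
        "secure_predictable": next_is_predictable(secure_tokens),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for anything that acts as a credential (session ids, password-reset links, CSRF tokens) is the last generator: uniqueness and apparent randomness are necessary but not sufficient, and the check that matters is whether the generator's output can be reproduced or extrapolated from what an observer already has.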
The Consumerist ran a story this morning with video from LiveLeak on a man installing a skimmer. I'd have to say that I'm definitely more cognizant when using ATMs that are non-bank affiliated and portable. At one point in time I really didn't like ATMs that sucked the card into the machine, however today it makes sense as less risk to me.
[Guy Installing Skimmer on ATM]
I can honestly say I really didn't know much about 'RNS' before I read this article today, but the Feds seem to have cracked down on a few of the key members. I'm not sure why the title references RNS as an '0Day' group, however.
[Fed Crackdown on 'RNS' Signals Death to Oldest 0Day Group Online]
Don't have the cash or time to go to one of the big name cons? ChrisJohnRiley posted an article about the first online hacker con entitled SecurityTubeCon. There's a call for papers (& vid) out until October 20th, so get your talk ready to go!
[First Online Hacker Conference]
That's all the time we have for comments tonight, but we'll leave you with some other links to ponder. Thanks for stopping by!
[Windows Autoplay Behavior Updated]
[Gustav, the Hackerspace Twitter Bot]
[Loan Officer Indicted for Fraud and ID Theft]
[Dradis 2.4 Released]
[PhoneCrypt is Available for the iPhone (and entirely overpriced)]
[20 Temporary / Disposable Email Services]
[Hacker's Hideaway ARP Attack Tool Released]
[SourceFire's Vulnerability Report for September Screencast]
[Practical Intrusion Analysis Book Review]
Daily Digs – 08.12.2009
Good evening! Wednesday, the kernel of my week - oh how I'm glad you've almost come to a close. The race for the weekend is all downhill from here. We've got lots of great commentary and links to share today, so on to the digs.
Generally I'd like to stay away from vendors advertising new, must-have, fabulous, can't-live-without technology - but BreakingPoint posted something that just looks too damn cool. "Write and simulate your own network strikes" they say! So as not to break out into a commercial for them I'll just lead you to the link. I can't say I've ever had a chance to drive any BreakingPoint gear (I'll definitely take one for a test drive if they want to send me something though), so please don't take this as an actual endorsement.
[Write and Simulate Your Own Network Strikes]
Gartner has a fun little graphic up with regards to the hype cycle of emerging technologies. While it's interesting to look at, that's about all it's good for in my book. Really, if an analyst at Gartner could predict the peak appropriately they wouldn't need to work at Gartner. Then we get to the crux of the "peak of inflated expectations" with, hold your breath, e-book readers and cloud computing. There are more little nuggets of thought-provoking humor (microblogging on the edge of the trough of disillusionment) scattered in the colorful roller-coaster-of-a-graphic, so check it out.
[Twitter Backlash Foretold]
UC Berkeley today disclosed that they may have exposed roughly 493 SSNs and other PII to a hacker. That gets me thinking -- are the bigger schools just better at realizing they've been breached, or are they just the bigger target?
[Hackers Strike UC Berkeley]
So I had a great laugh this morning with this one and then also learned an interesting tidbit of information from a coworker. At the surface of the story most news outlets are running the piece that Judge Leonard Davis of the U.S. District Court for the Eastern District of Texas issued a permanent injunction against Microsoft that prohibits them from selling or importing Word that, basically, has any XML functionality. That's what the mainstream press is running. What I learned was that Smith County in Texas has its own story of shady shenanigans, and now I have some "Murder, She Wrote" style literature for my enjoyment this weekend. That's because in 1985 a book called "Smith County Justice" was published by a man named David Ellsworth. Let's just say that you can't get the book in print anymore because local authorities used pressure of sorts to have the book pulled from publishing and all unsold copies burned. Dum dum dum. Anyway, I'll leave it to you to solve the mystery of Smith County. Check out the links to get started!
[Judge Orders Microsoft to Stop Selling Word]
[Wikileaks - Smith County Justice]
Branden Williams informed me (well, not directly) that MasterCard has finally gotten around to clarifying their previously ambiguous L1 and L2 merchant fine machine. MasterCard yells "All hail QSA!" while Heartland banters "QSA - thou art heretic!". Well, at this point I might as well post both links with this banter. Is it a full moon out tonight?
[MasterCard Clarifies Their Position]
[Heartland CEO on Data Breach]
Phish bombs away! Want to pwn your own Safari 4 "Top Sites"? Be prepared to get your electronica groove on with this screencast SecureThoughts has provided us with today. On to the show ladies and gents!
[Hijacking Safari 4 Top Sites with Phish Bombs]
Diebold is up to their same old same old, quietly patching "secure" vote counting software. If you like this story and are interested in more information on voting fraud and corruption, I'd highly recommend watching "Uncounted - The New Math of American Elections". A coworker of mine helped produce and contribute research to the documentary, and it's presented very well. After talking to him I learned that they actually had to chop out a few key segments because initial reactions from the public were too strong. Anyway, get your vote fraud news on.
[Diebold Quietly Patches Security Flaw in Vote Counting Software]
[Uncounted - The New Math of American Elections]
The mobile-phone attacks are coming, the mobile-phone attacks are coming! I didn't see this one on Gartner's hype cycle, so it must be true. C'mon, anyone who hasn't seen this one coming since the release of the iPhone is living in a fantasy world where BeOS is making a comeback. Ahh, the good old days of BeOS. All in all it's a good discussion to be having now. We're hitting the critical mass where it's becoming glaringly obvious why and where the monarchy approval system (i.e. Apple's App Store) fails, but at the same time why it's positioned well as a sanity check on a completely open system that could easily be circumvented to the detriment of the general populace.
[Android Security Chief: Mobile-Phone Attacks Coming]
From the you-may-not-have-known bin we pull out some Nmap goodness I learned from the fabulous VOIPSA blog. Nmap has a rather extensive set of fingerprints for VoIP devices! OK, so you already knew that fingerprinting was a big part of why you use Nmap in the first place, right? Well it struck me, while I was perusing the list, that I could (will) help by adding a few that I have access to that aren't in that list already. Truth be told, I feel like I haven't contributed anything back to the Nmap project recently and I really should.
[Something Old, Something New: Nmap's VoIP Fingerprinting]
Wow, there are lots of great links today! Unfortunately I'm already >20 minutes past due because of a busy evening. We'll leave you with a list in the grab bag tonight. If you find the daily digs useful, humorous or flat out lame, feel free to let us know in the comments! Take care y'all...
-windexh8er
[Dear Palm: Please Stop Tracking Me and My Pre Use]
[Typhoon Knocks Out Asia Telecom Cable]
[2Wire Routers Unauthorized Access]
[Energy Companies Say NERC Standards Inadequate]
[Technical Debt]
Daily Digs – 08.06.2009
Well, it's a late post, but better than none! I hope everyone's week is winding down nicely and your Friday is more relaxed than the one the infrastructure folks over at Twitter had earlier today.
A week or two ago I asked the Twitterverse who Adobe's CSO was and, if they didn't have one, who was responsible for software security / quality. Either way, I'm not sure any professional in the industry today would have very good things to say about the path Adobe has been on recently. That leads us to the CNet article comparing Adobe to Microsoft pre-2002.
[Is Adobe the Next (pre-2002) Microsoft?]
If you market yourself as a "security" company and the majority of your products revolve around securing end user desktops, you might just want to be able to pass the VB100 test. El Reg ran an article this afternoon showing how CA and Symantec end up with a big fat fail.
[Top Vendors Flunk Vista Anti-Virus Test]
Dave Lewis posted an article on Liquid Matrix today about Shipley the Troll. OK, so Peter Shipley's not really a troll in the actual sense, but he's sure acting like one.
[Patent Trolls Go After Network Security Vendors]
Sometimes I wonder. Really, I do, if what people write really translates in their head to something actually being logically feasible. DarkReading has an article up about "weaponizing" an iPod Touch. They go on to talk about how a researcher has outfitted his Touch with Metasploit and some other tools. Even with Ruby 1.9.x, Metasploit takes 5+ minutes to load, and the fact that you're limited to wireless access only severely limits your success with regards to LAN race condition attacks. Really, guys -- there are better small form factors out there. But, hey, if you like to shove square pegs in round holes for fun, go for it!
[Weaponizing Apple's iPod Touch]
TrendMicro has a great review of KOOBFACE over on the blog today. The diagram by itself is worth the click through so head on over and read all about it.
[The Real Face of KOOBFACE]
We'll close out today's (short) post with a little bit of irony. I did a double take when I saw the title of this article and had to visit the actual site to validate it was even true. But, yes, Symantec is suggesting that people use VirusTotal "when in doubt". Yes, BigYellow throwing people over the fence to double check their awesome powers of AV.
[Symantec Says Check VirusTotal]
Well, ladies and gents, this particular post has come to a close. Yes, it's a little light, but hopefully the link content is good quality reading! We even spared you one of the thousands of links to the Twitter DoS. We know you already know, so why bother?
Thanks for stopping by and, as always, feel free to comment!
--windexh8er
Daily Digs – 08.03.2009
Welcome to the 3rd production of Daily Digs here at Security Stallions! It's been a long weekend with a relatively active Monday. We've got a slew of links for your enjoyment with almost-short-as-a-Twitter-update commentary to go along.
First of all I'd like to say that knowledge sharing is the key to >80% of what I've learned in the security industry. From the simple cases where I'm tipped off via a quick blurb on Twitter to all-out full disclosure, you just can't beat community sources. That being said, Russ McRee has a great post over on HolisticInfoSec.org about his and Mike Bailey's talk on CSRF. Although Russ mentions vids in the post he didn't link them, so I did a bit of quick digging and found them - just for you. Hit up the links for more info.
[CSRF: Yeah, it Still Works]
[Netgear CSRF Attack Video]
UCSniff's authors Jason Ostrom and Arjun Sambamoorthy also presented at DEFCON 17 this year. The tool, which was previously only available via BackTrack 3, has more recently been released as a SourceForge project with a significant new feature set. Another one for the toolbelt!
[UCSniff - UCS Attack Tool]
There's an article up on Silicon about CEOs needing to be less negligent with regards to security. Very true, so if you like to chase the rainbow the article can be had below.
[Optimistic CEOs Must Not Neglect IT Security]
Ryan Naraine is one of the first to break the story on ATM skimming at DEFCON this year. He goes on to tell us how Chris Paget of Google got scammed for $200 when debiting his account. Note to all: get your cash at a reputable banking institution (i.e. where ATMs are built into the wall of the bank), in a casino, or somewhere else where the security of money transactions would be extremely high.
[Fake ATM Skimmers Found in Las Vegas Hotels]
Do you know what Ippon means in Japanese? Well, you'd better -- it's "game over", and it's the name of a new tool for exploiting automatic updates. Yes, this isn't anything earth shattering in terms of the base exploit, however the methods by which the tool can "win" at the game of insecure updates are pretty kick ass. Read more about it over at the following TechRepublic blog post.
[Automated Updates: May Not Be Such a Good Idea]
File this one under the category of "About Damn Time" and you have Mikko Hypponen dropping news of Twitter starting to inspect and reject malicious URLs. Although the article doesn't mention it, Twitter is actually using Google's Safe Browsing API. It's a (slow) start, but at least it's a start!
[Twitter Now Filtering Malicious URLs]
There's an interesting post by Susan Brenner over at CYB3RCRIM3 about whether or not we should reconsider the notion that companies under attack are prohibited from investigating the attackers and trying to locate them.
[Private Cyber Investigators]
Addonics announced an inline hardware encryption solution for most any SATA I/II type drive system. What's great about the design is that there's also a removable cipher key to unlock operation of the unit, and it is also small enough to be mounted in a 3.5" drive bay. The CCM35MK1 is also NIST and CES certified.
[Versatile Hardware Encryption for any Computer]
Although not directly related to security, but big news nonetheless, VoloMedia has somehow received a patent for podcasting. Really? Who works in the patent offices? Surprisingly, this hasn't been on many people's radar judging from Twitter activity today. Slightly odd considering everyone and their brother seems to have a podcast these days!
[Company Receives Patent for Podcasting]
And tonight we'll leave you with what will, from now on, be referenced as the grab bag. News that's worthy of reading, but we just didn't have time to comment on.
The links for the grab bag tonight are as follows...
[Hacking Surfpoint Terminals]
[DEFCON Air Traffic Control Hack]
[High-Security Locks Defeated]
[Opensourc3 Magazine Publishes First Issue]
[PayPal Suffers Outage]
[5 Tips to Stop Staff Snooping]
As always, thanks for stopping by and comments are always welcome!
--windexh8er
Daily Digs – 07.31.2009
Happy (sysadmin) Friday everyone! Yes, if you must ask, I'm still stuck in "not-Las-Vegas-for-DEFCON-ville". But anyway, on to the digs...
First up we have the top 10 threats for 2011. 2011? We're not even to 2010 yet -- but ISF has staked claims already. And the #1 threat for 2011 is... [drumroll] CRIMINAL ATTACKS! I know, it blew my mind too. I wouldn't have actually posted this, but I'm wondering what good this information even is at this point? Feel free to comment.
[Top 10 Threats for 2011]
Shawn Moyer and Nathan Hamiel pushed out the bits for MonkeyFist yesterday. The tool is a new spin on CSRF, the new spin being of the 'dynamic' fashion. Check out the article over at DarkReading or just hit up the Hexagon Security Group's lab directly.
[MonkeyFist Launches Dynamic CSRF]
[Hexagon Security Group Labs]
The Thundercats are go over at Adobe finally. Flash is now patched, so if you haven't updated recently get on it!
[Adobe Flash Vulnerability Patched]
A slightly creepy video showing Equilibrium Networks' UI displaying the Slammer worm mixed in with other traffic on a gigabit testbed. I rescind that, the video isn't creepy - just the voiceover.
[Slammer Video]
ThreatFire has an article up shedding some light on Clampi. Although not too technically deep it's an interesting short read if you're not in "the-Clampi-know".
[Clamping down on Clampi]
As Kaspersky says, "with great power comes great responsibility". How ironic. Anyway, they've been doing some research on shortened URLs and have posted some great info.
[Twitter Short URL Statistics]
Catchy article headlines always get a quick glance from me, and this one was no exception. Although it's highly likely that the content is driven by a product line, the point is something I've seen treated as a non-issue over the past few years, when it should be a big one. The sprawl of today's growing LANs is, seemingly, becoming a big concern.
[Survey Says: IT Managers Concerned About LAN Sprawl]
Big red, big yellow, at the end of the day they both suck in my book. The Office of Inadequate Security is running an article that catches Steve Redman in his own words.
[McAfee Keeps Leaked Details to Itself]
Well, well, it was only a matter of time before research cleared that first step towards attacking AES with some level of reliability. While the practicality isn't there yet, and there are suggestions on the table to mitigate the problem found, the shelf life of AES as it stands has just lost a few years.
[Practical AES Attacks Get Closer]
And for this Friday we'll close out with a new (to me) packet generator. Like we need a new tool for that you ask? Hyenae has some cool features that may just come in handy over those other tools.
[Hyenae: Platform Independent Network Generator]
If you're at DEFCON consider yourself privileged. That's all we've got for today, so enjoy the weekend!
--windexh8er
