1 Million Dollar Prize

A professor at Harvard released a statement today that he has rated a new security format which is "Absolutely Unbreakable" in his opinion. And permanent privacy is putting it's money where it's clout is, 1,000,000.00 dollars to the first person who is able to crack the code of Permanent Privacy. The platform is based on 256 AES encryption method for the core data, and a more sinister trick for those trying to crack it. Essentially, prior to encrypting the email- you convert the text of the email into a series of non-sequential, non-repeating letters and numbers based upon a key you provide. You then contact the person you are contacting directly and provide them with the key to decrypt the data. You THEN use AES to encrypt the data, so if anyone is able to decrypt the AES cyphertext, they will have no idea of the next text to decrypt.

From the director of Permanent Privacy:"You can now send emails and store data with 100 per cent security. Even the Pentagon cannot read your secrets if they do not have the keys."

I give it two months before the code is cracked and some geek is one million dollars richer.

For more details on the contest:Go Here
You have to purchase a copy of the program to enter, which seems a little crappy to me- If you want to know how to improve your project you don't charge people to look at it.

British Health Records Stolen

This is really beginning to get to me. With the proliferation of laptops in our society, you would think that knowledge of security would begin to rapidly spread as well. However, this is the second story in less than a week of a laptop being stolen from a car. Now, if this was an office of some sort, with semi-inconsequential data it would be understandable. But it seems that more and more, Healthcare IT staff are carrying around patient data on their personal laptops. These are people who are carrying around credit card info, banking numbers, social security numbers, Names, dates of birth. And i still wouldn't have a problem with it if they would take some sort of rudimentary precautions to ensure the protection of the data. However, there have been cases of IT staff storing full system backup tapes, laptops, USB Crypto keys, and entire servers in the back of their cars. They are then completely amazed when these top-level security measures are thwarted by a crook with a crowbar. This latest incident occured after a British IT worker for the NHS trust left his laptop unsecured in his car, along with 21,000 patients details. To make things worse, none of the information was encrypted. So the thief now has complete access to any and all patient data. The NHS trust reinforced the now common perception that they were completely technologically incompetent by stating (trying to make the situation better) "the data will almost certainly by wiped by the thief"

What steps should you take in order to secure a system from theft?
A. Set a Bios Level Password
B. Set at least a 14 digit password.
C. Require some sort of Biometric Authorization for Access
D. Always keep your data in an encrypted folder
E. If practical, Hide private data inside of another file
F. Keep any backups in humidity controlled, insulated environment.
G. Rule of Thumb: If your system can be seen, its public data.
H. Thumb of Rule: If your system is in your car, it deserves to be stolen.

Is Windows the Problem?

Using virus and malware-laden software used to just be a bad for one's productivity. As it turns out, it can also be a bad idea for one's career.

Michael Fiola, formerly an investigator with the Massachusetts Department of Industrial Accidents, was charged with possession of child pornography. He lost his community's respect, many of his friends, and his family. His crime? He was given a Windows-based laptop that was riddled with vulnerabilities that were or became prey to malware.

An investigation showed he hadn't downloaded the pornography. His computer did:

When the DIA issued Fiola his Dell Latitude laptop in November 2006, it was so badly configured that it may well have already been hacked, said Tami Loehrs, a forensics investigator hired by Fiola's defense team. The Microsoft Systems Management Server software on the laptop was misconfigured and was not receiving critical software updates, and the laptop's Symantec antivirus software was either misconfigured or not working properly, she said.

"He was handed a ticking time bomb," she said.

In this case, it's called Windows. Or, more accurately, an IT department that inflicted a poorly implemented Windows environment on Mr. Fiola. Could this have happened with Linux or the Mac? Yes and maybe. Yes, because weak IT yields weak security. But maybe, because both of these Unix-based systems handle security much better than Windows traditionally has. But that's not really the point.

The real villain here, of course, is the pornography swine that would inflict themselves on unsuspecting users. There are enough losers out there interested in porn to not have to trick them into viewing it or distributing it.

We like to think of our computers as tools. In this case, however, it was Mr. Fiola that became the tool, however unwittingly.

This calls to mind just how critical it is to ensure our systems are secure. If, in fact, Linux or Mac are more secure from this sort of problem (a point that is debatable), then the "low cost" associated with Windows and ease of use must be balanced against the very real problems that can arise from using Windows (or, at least, older versions of Windows).

Did Microsoft create this problem for Mr. Fiola? No. If anything, it sounds like his IT department is to blame. But if it were me, I'd be asking for a Mac when joining a new company. With the Mac, my odds of having a Fiola-esque experience go down dramatically.

The Social Butterfly

In a world ripe with social networking sites such as Myspace, Facebook, LinkedIn, or any of the other 550,000 different sites allowing you to connect with people you are already friends with, there is bound to be a shady element. That underworld of exploitation, manipulation, and incredible social aptitude. Wait what?

Welcome to the world of the over-friendly and ‘single-minded' Trojan. Single-minded, as it seems to be inviting people to the site and start networking. A Trojan is a programme that appears to be desirable (like a free downloadable game or screen saver), but contains viruses or worms (self-replicating viruses) that can create havoc with the PC and the network.

However, in the case of these social networking sites, the Trojans that plant themselves on the users' computers and send invites to all mail IDs saved in the contact list, are harmless. The Trojan embeds itself in the user's computer when he/she logs on to a social networking site and sends invites to all listed in the contact list.

The receiver – believing it to be from a genuine friend – accepts the invitations and becomes a member of the social networking site. The sites use this to increase their membership, while hackers use the technique for their phishing attempts.

They do not crash the PC nor the network, an IT specialist with a leading BPO notes. But they sure can mar friendships, relationships or even lead to unwanted and unsolicited networking.

Internet Service Providers Association of India (ISPAI) president Rajesh Chharia says, "Even though these programmes only send spam and are quite harmless, at times it can lead to embarrassing situations".

"As most of these social networking sites are used for business networking and friendship, it is not possible for Internet Service Providers (ISPs) to block these sites. The best option is to put in good firewalls at the user's level," he said.
So the next time you log on to a social networking site, an invitation to join the site has gone to your super boss on your behalf. But without your knowledge!

MICROSOFT SCAMS AGAIN!

Businesses that skip Windows Vista and upgrade their computers directly from the XP operating system to Windows 7 could expose themselves to security risks and other problems, Microsoft says in a new white paper.

Bypassing Vista could have "implications for security, support, and regulatory compliance and reduce flexibility in the face of changing business requirements," writes Microsoft VP Mike Nash, in the paper.Specifically, Nash says that businesses that wait for Windows 7 -- set for release in late 2009 or early 2010 -- to upgrade from XP could find themselves using outdated applications that don't employ proper security safeguards or are no longer supported.

They also won't get the advantage of new security technologies and other improvements that Microsoft embedded in Vista, Nash says. "By not deploying Windows Vista, it means missing out on the proven benefits such as better security, productivity, search, mobility, manageability and infrastructure optimization," Nash says in the paper, which is titled "The Business Value Of Windows Vista."

Do you remember any similar pushes with previous operating systems? This could possibly be because of the absolute travesty that is Vista security, that has kept so many large businesses from switching to the operating system. After such an outcry from the IT community and backlash against their prettiest operating system, Microsoft has decided to switch their tactics from marketing to George Bush-esque "strategertizing". Overheard in a consultation, "OH so you don't want to upgrade to Vista? If you don't You will never be able to Upgrade again!!!" Basically they are trying to tell you that if you don't upgrade to Vista, You can't upgrade to 7. And you can bet that the software of 7 wont allow a install from XP. And will most likely have a discount upgrade to Vista. 49.99 so that you can upgrade to vista so that you can upgrade to 7 (It's a steal!!!)

ALERT: IS YOUR VOTE COMPROMISED?

Despite millions of calls to switch back to strictly paper ballots, lawmakers have still not heeded the calls and warnings of computer experts. It came to my attention this friday that in Pinellas County, Florida- A duo of viruses were introduced to the network of ballot stations, bringing into question the validity of the vote.

Two pieces of malicious software were recently discovered on voting stations across Pinellas County.The two bugs, known as Flush.G and W32.SillyDC, work in tandem and go from computer to computer redirecting Internet browsers to sites the user hasn't selected, officials said. The worm is carried through removable media like USB drives, is easily detected and, officials say, rather harmless.

Pinellas Deputy Supervisor of Elections Rick Becker said the worm isn't the kind of Trojan horse that would be used to corrupt a computer voting system and was unsure just where it came from.

Many E-Voting companies love to market the security of their products, stating that since they are not connected to an external internet, that they are exempt from exploitation. However, a proof of concept attack was done by Princeton students against the DieBold voting machines. In this attack, they introduced a virus which self-propogated throughout the systems and switched votes from candidate A or candidate B, and gave them to candidate C.

Are you tired of feeling like your vote doesn't matter? Write to your state or local congressman and encourage them to switch to strictly paper voting.

University Students Scammed- Is your info secure?

A data breach at United Healthcare Services Inc. has led to a rash of identity-theft crimes at the University of California, Irvine.

So far, Nearly 155 medical students have had their information stolen. The attackers stole the social security numbers stolen from an internal database. This breach affects nearly 1300 students, putting them at risk for Credit Card fraud as well as Tax scams. So far, the spammers have stolen 155 students Tax returns.

"In February, the police began getting reports from graduate students that when they filed their income tax returns, they were being told that their returns had already been filed using their Social Security numbers," she said.

So all that the attacker needed was a simple set of numbers, and they took students for hundreds, even thousands of dollars. All because of crappy security measures.

This is why people, This is why.

Checklist To ask your school IT Department
[] What security measures do you have in place for physical IT Infrastructre?
[] What security measures are in place to ensure the confidentiality of my information
[] If there is a unapproved access of my information- How promptly will I be notified?
[] Do you have set guidelines for partners of the university to follow in virtual exchanges?
[] WHO has access to my information and WHEN/WHY can they access it?

HP Support Hacked! UPGRADE NOW!

A customer support application that comes bundled with HP PCs have been found to harbour multiple security vulnerabilities.

The pre-installed software is designed to make it easy for users to keep drivers and HP software automatically updated. But flaws in ActiveX components within HP Instant Support give rise to multiple vulnerabilties that lend themselves to drive-by download malware attacks in cases where Windows users running the vulnerable software stray onto insecure or hacker controlled websites, CSIS Security Group warns.

HP Instant Support HPISDataManager.dll version 1.0.0.22 and earlier are vulnerable. Users need to upgrade to version 1.0.0.24 as explained in a security bulletin from HP here.

A CSIS advisory containing proof of concept demos of the flaws can be found here. And there's an easy to digest bit from Secunia here.

It's not the first trouble HP has had with rogue ActiveX controls in its pre-installed utilities. In December last year two ActiveX bugs created a mechanism for hackers to either thrash or inject hostile code onto HP PCs running either HP Software Update or HP Info Center, respectively.

Microsoft wants your Opinion?

In the continuing effort to improve computer and network security, Microsoft has developed the End to End Trust initiative. As a part of that initiative, Microsoft is seeking input from users and information security professionals to help answer the questions that need to be addressed in order to evolve computer security such as How should we enhance security on the Internet without undermining social values, such as privacy and anonymity? There are more questions to be answered in the End to End Trust Forums. Scott Charney, Microsoft's Corporate Vice President of Trustworthy Computing, has developed a white paper entitled Establishing End to End Trust which provides more details on Microsoft's vision.

While  it is not beyond the stretch of a reasonable person's imagination that a giant of the industry would want to keep it's users secure. The employees and designers of microsoft have showed a lack of willingness to address serious security issues, and wrap every tiny piece of security as the next big step in computing. Rather than the required software that all of this should have been back in Windows 98. It seems that every time Microsoft attempts security, it undoubtedly blows up in it's face. So I would encourage you to voice your opinion to microsoft- Let them know you value your security, as well as your wallet.

Alert: LinkedIN Scams Rampant

Have you heard of the professional networking site linkedin? Well, a number of professional users (Including Myself) have been using this site to increase their job prospects, clientele,  and associates. It seems that more and more, professional scam artists are trying to prey off of the unsuspecting users of LinkedIn. It seems that common sense isn't all that common. Just because someone has a LinkedIn profile- Doesn't mean that they are trustworthy.

     Unsuspecting professionals, driven by the urge to make quick millions off of a simple transaction, willingly turn over their bank information to a person who has made their acquaintance online. Why? Well, the scammers are using a '419 Scam'. What happens is the attacker claims to have inherited/ claimed a large sum of money, and is willing to give you a large fee to deposit the newly acquired funds into a US Bank account.

The best possible way to prevent this kind of attack is to: (A) Only accept mail from people you know, Or who have a related Interest (B) Never execute any financial transactions based solely upon knowledge recieved via virtual communications, Be it Email, Social Networking, Or other communications.  Unless you know the person, don't allow someone access to your account.

Dear God

Recently, I was browsing government websites to see if there were any new articles to read. However when I came to www.NSA.gov (National Security Agency), their website was offline. Baffled by this National Security Issue,  seeing as how the NSA is supposed to be the pinnacle of Intelligence and Technology, I decided to do some digging.

So who was the "Super hacker" that executed such a technologically advanced, planning intensive attack upon the US government? Well, as it turns out the super hacker was a incompetent mole. No, not a double agent. Someone who was hired,  because there was extra room in the Budget.  DNS misconfiguration in my NSA? Its more likely than you think.

              First, a web server was running on the same computer or the same IP address as one of the so-called authoritative name servers for nsa.gov. The authoritative name servers are the primary and secondary servers that translate the web addresses humans understand (i.e., NSA.gov) to machine-readable IP addresses (in the NSA.gov case, 189.182.93.126).

             Moreover, the primary and secondary authoritative name servers were both downstream from the Qwest edge access router in Washington, D.C. They should have been separated topologically within the network infrastructure, according to McPherson.

Come On Guys, thats basic network design. If the Top Security Agency can't design a network properly- what does that say about our national network infrastructure.

Microsoft Vista Security... Yeah Right!

Lately, Microsoft has been trumping the myriad of new security measures that have been included in Windows Vista. However, IT techs have been screaming their guts out that between the lack of any substantial changes (aside from a circular start bar), the forced User Account Control, and big brother like computing- That everyone should stay with XP. Well, now we have actual basis for this. Notice how that Microsoft is quick to shift ALL the blame to the incompetent user.  

                The claim that Vista is less secure than Windows 2000 was made last week by security vendor PC Tools, which said that over the past six months Vista had suffered 639 unique threats, whereas Windows 2000 has suffered 586. PC Tools's research was conducted by collecting data from customers using its ThreatFire behavioural detection software. "Ironically, the new operating system has been hailed by Microsoft as the most secure version of Windows to date," said Simon Clausen, the chief executive of PC Tools last week. "However, recent research conducted with statistics from over 1.4 million computers within the ThreatFire community has shown that Windows Vista is more susceptible to malware than the eight-year-old Windows 2000 operating system, and only 37 percent more secure than Windows XP," Clausen said.

        However, Microsoft strongly hit back at the claims, blaming users for executing malicious code on their machines. On Tuesday, Technet blogger and Microsoft evangelist Michael Kleef said the number of infections found by PC Tools was an indication of poor user behaviour


639 unique threats? This coming from the billion dollar brain-trust that spent four years to develop a circular start bar? I am truly, truly stunned.

Hi, Im Here to fix your computer.

How Many of us work in a hectic, stressed environment- where deadlines and bottom-lines rule your workweek? In the course of a day, How many idiotic requests do you get to do seemly mundane chores?  How Often has this happened?

You: {Bored and Seeking an excuse to take a break}
Phone Repairman: "Hi, Coorporate sent me over to do some work on your Phoneline"
You: "Oh, Alright- About How Long Will it take?"
PR: "Ten Minutes, Twenty Tops- I have some other stuff to do- so if your busy I can come back during lunch"
You: "Alright, Thanks!"

What happened here? You just gave a rival company full access to your office!
You: But he can't do anything! He doesn't Have My Password!
Me: *Hits You in the Head*

Lets go through this- He could (in Ten Minutes)
A. Steal A Hard Drive
B. Install a Hardware Keylogger

In twenty Minutes
A. Do a Stealth Boot Onto Your Computer
B. Install Software Keylogger and Screen Capture Device
C. Comb through trade secret documents, and walk out with them unquestioned.
D. Confiscate Hidden Bank documents, Client Credit cards, Even Blackmail.

Would You Give A Thief A Key? Would You Give a Murderer A Knife?
            Would You Give A Meth Addict A Pipe?

You wouldn't do it with a Hacker either, 10% of Hacking is Intelligence: 89% is Persistence: And 1% Is Technological Prowess.

Hackers won't be the typical grungy teen whilst looking for information:

When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple “thank you” clenches the deal. And if that’s not enough, the new user routine often works too: “I’m confused, (batting eyelashes) can you help me?”



Need More Info/ Training?
Let Me Secure Your Network!
Gillis57@gmail.com

Or, If for some god-awful reason you actually want to know what I'm doing
twitter.com/Gillis57
gillis57.googlepages.com

Hacker Safe?

Please, don't be lulled into a sense of false security just because a website has the hacker-safe logo on it. "Why not?" You ask me, BECAUSE- *DURRRRR* NOTHING IS HACKER SAFE. But why specifically? The hacker safe certification is a subscription program through various Companies, and although your favorite "Adult" website may be hacker safe when you register. This doesn't mean it will be two weeks down the road. What they companies do is they test each registered website every day using a automatic program, and if they find problems they will tell the website. Thats it, they dont fix it, force the website to take down the certification, nothing- they just say "Hey theres a problem." Dont Believe me?

Geeks Get PwN3D

Geeks.com is a $150 million company specializing in the sale of excess inventory and manufacturers' closeouts. Its Web site says that it is tested on a daily basis by ScanAlert Inc., which offers a service that constantly monitors sites for vulnerabilities.

But ScanAlert spokesman Nigel Ravenhill said via e-mail last week that the vendor, which is being acquired by McAfee Inc., had withdrawn its Hacker Safe certification from Geeks.com "several times" last year after finding vulnerabilities in the retailer's systems. Geeks.com fell out of compliance last June and again in December, he said.

The compromised information included names, addresses, telephone numbers and Visa credit card numbers, according to a copy of the letter posted on The Consumerist blog.

Now, What are the implications of this break in? Am I telling you that you should be a paranoid schizo when doing business on the internet? DUH. A wise man once told me "Putting your credit card on the Internet is like putting your naughty parts in a wood grinder." Although its not the most glamorous quote in the world, its true. Listen to the man, dont stick your wah-wah in the wood grinder.

Calling All Hackers!

Digital Armaments January-February Hacking Challenge: Special 20.000$ Prize - Windows Vulnerabilities and Exploit
Challenge pubblication is 01.04.2008
http://www.digitalarmaments.com/challenge200801566321.html

I. Details
Digital Armaments officially announce the launch of January-February hacking challenge.
The challenge starts on January 1. For the January-february Challenge, Digital Armaments will give a SPECIAL PRIZE of 20.000$ for each submission that results in a Exploitable Vulnerability or Working Exploit for Windows or Windows Diffuse Application. This should include example and documentation.
The submission must be sent during the January/February months and be received by midnight EST on February 29, 2008. The 20.000$ PRIZE will be an extra added to the normal vulnerability payment (check the DACP scheme).

Password Security

As well as having commentary and occasional How-to's from the dark side of security as well as white-hats, I am going to use this as somewhat of a Venting forum for personal observations of idiocy. Okay, first let me say- Passwords are not that hard to remember- unless you have 8+ Numbers, Letters, and symbols in your password, it can very easily be shoulder surfed. Shoulder surfing is an act of seeming to be interested in one's meaningless conversation, in order to see them type their password. For businesses- this can be especially nasty- while that young kid who seems to be so interested in your business plan is watching you login to your systems- you are handing him the foothold to your bottom line. Solution? For 10 dollar's you can prevent all would be surfers: Monitor Mirror

Automated SQL Injection,

If your in a Jam and need to know what this is fast- A SQL Injection is defined as: A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet.

Basically a SQL Injection allows an attacker to bypass security measures such as Logons, Admin Panels, and/or retrieve sensitive customer Data from your web-attached database. An example of a SQL injection would be:
statement := "SELECT * FROM users WHERE name = '" + userName + "';"
This would allow an attacker to pull up stats on a specified username.
What this most recent attack (Listed below) does is it can automatically run a series of common SQL Exploits to gain access to your server and run malicious code giving them access to any of your customer's computers. More to come later



Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend.

View Story