After much deliberation, I have decided to move to Twitter as my main method of sharing information. I'm probably the last person to the party but I've finally realized that, "resistance is futile" ;-)
Tuesday, July 5, 2011
Tuesday, April 26, 2011
Hey everyone. Looks like Blogger has some issues and many of my images are missing. I'm investigating what happened and *hope* to have everything back soon :-)
Thursday, April 14, 2011
"Some of the most commonly-used firewalls are subject to a hacker exploit that lets an attacker trick a firewall and get into an internal network as a trusted IP connection.
NSS Labs recently tested half a dozen network firewalls to evaluate security weaknesses, and all but one of them was found to be vulnerable to a type of attack called the "TCP Split Handshake Attack" that lets a hacker remotely fool the firewall into thinking an IP connection is a trusted one behind the firewall."
Tuesday, April 12, 2011
"United States Postal Service website (http://ribbs.usps.gov) has been infected with the Blackhole Exploit kit. As we've discussed previously, the Blackhole Exploit kit, a commercial exploit kit developed by Russian hackers, is being seen in an increasing number of attacks. Last week, we reported on how it had been used to infect Worldfest, a Houston, Texas music festival and this week, it has penetrated the website of an independent US government agency, namely that of the postal service. RIBBS stands for Rapid Information Bulletin Board System and deals with Intelligent Mail services, such as barcodes that allow for better tracking and logistics. As with similar infections, the attack follows numerous phases, each being hosted on a separate domain, with each leveraging various obfuscation techniques to hide the attack. Here we will walk through the various phases to detail the attack."
Monday, April 11, 2011
Check it out...
"Analysis Every year or so, a crisis or three exposes deep fractures in the system that's supposed to serve as the internet's foundation of trust. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.
And in 2010, it was the mystery of a root certificate included in Mac OS X and Mozilla software that went unsolved for four days until RSA Security finally acknowledged it fathered the orphan credential.
This year, it was last month's revelation that unknown hackers broke into the servers of a reseller of Comodo, one of the world's most widely used certificate authorities, and forged documents for Google Mail and other sensitive websites. It took two, seven and eight days for the counterfeits to be blacklisted by Google Chrome, Mozilla Firefox and IE respectively, meaning users of those browsers were vulnerable to unauthorized monitoring of some of their most intimate web conversations during that time."
Monday, April 4, 2011
"Your cell phone company knows everywhere you go, twenty-four hours a day, every day. How concrete is this fact for you?
It's very concrete for Malte Spitz, a German politician and privacy advocate. He used German privacy law — which, like the law of many European countries, gives individuals a right to see what private companies know about them — to force his cell phone carrier to reveal what it knew about him. The result? 35,831 different facts about his cell phone use over the course of six months."
Friday, March 25, 2011
"Mozilla today said that it regretted staying silent when it found out last week that hackers had stolen digital certificates for some of the Web's biggest sites, including Google, Skype, Microsoft, Yahoo and its own add-on site."
Thursday, March 24, 2011
"If the WikiLeaks dump, and the subsequent cyberattacks, have made anything clear it’s this: 2010 belongs to hackers.
Hacking, the practice of getting your hands on computer tools, systems and documents – especially when it’s unauthorized – is nothing new: from MIT students in the 1950s to “phreakers” who manipulated telecom systems around the globe.
But their impact has suddenly skyrocketed. Over the past decade, the digital medium in which hackers operate has become the single most important driver of cultural, commercial and geopolitical change in the world. And online, the limbs of everything from credit card companies to national security agencies lay far more unguarded than their real-world counterparts.
From easily obtainable cyberwarfare tools to being glorified in Stieg Larsson novels to jailbroken iPhones, hacker culture is also cycling from the underground to the mainstream."
Wednesday, March 2, 2011
"Until a university study emerged last week, few experts suspected that it's more difficult to erase data stored on solid-state drives (SSD) than that on hard disk drives (HDDs).
Industry experts were taken aback by the study, but noted that there are SSDs with native encryption capabilities that can prevent data from being seen even after a drive's end of life, and that there are some SSD drive sanitation methods that are more successful than others."
Sunday, February 20, 2011
Friday, February 18, 2011
"The FBI pushed Thursday for more built-in backdoors for online communication, but beat a hasty retreat from its earlier proposal to require providers of encrypted communications services to include a backdoor for law enforcement wiretaps.
FBI general counsel Valerie Caproni told Congress that new ways of communicating online could cause problems for law enforcement officials, but categorically stated that the bureau is no longer pushing to force companies like RIM, which offers encrypted e-mail for business and government customers, to engineer holes in their systems so the FBI can see the plaintext of a communication upon court order."
Saturday, February 12, 2011
"In 2010 McAfee Labs processed an average of almost 55,000 pieces of new malware every day. That nearly mind-numbing amount makes it difficult for any particular attack to stand out. Today, however, I want to highlight one large scale attack that is a clear example of how cybercrime has evolved from something of a hobbyist affair to a very professional activity. We call this specific attack “Night Dragon.”
Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry."
Read more (PDF)...
Friday, February 11, 2011
"The International Monetary Fund issued a report Thursday on a possible replacement for the dollar as the world's reserve currency."
Wednesday, February 9, 2011
"Not long ago it was unthinkable that any country with a major Web presence would completely disconnect from the Internet. Least of all Egypt. With 80 million people and high penetration, it has the largest number of users in the region.
That all changed with the flick of a switch on Jan. 28. At the height of demonstrations against President Hosni Mubarak's 31-year rule, the government forced all Internet service providers to pull the plug.
To be sure, other countries have meddled with the Internet when their own demonstrations have heated up—Iran, China and Tunisia, for example. But the governments..."
"Hi folks! It has been a year since the last Nmap stable release
(5.21) and six months since development version 5.35DC1, so I'm
pleased to release Nmap 5.50! I'm sure you'll find that it was worth
A primary focus of this release is the Nmap Scripting Engine, which
has allowed Nmap to expand up the protocol stack and take network
discovery to the next level. Nmap can now query all sorts of
application protocols, including web servers, databases, DNS servers,
FTP, and now even Gopher servers! Remember those? These capabilities
are in self-contained libraries and scripts to avoid bloating Nmap's
I'm so excited about NSE that I made it the topic of my presentation
with David Fifield last summer at Defcon and the Black Hat Briefings.
You can watch the video at http://nmap.org/presentations/."
"Microsoft has finally decided to push out a Windows update that should stop attempts to exploit AutoRun - a feature of its operating system that fires up any program once a USB or CD is inserted into a computer.
In recent years hackers have increasingly turned to AutoRun, which permits programmers to deliver instructions via Autorun.inf files to run programs without first gaining user permission.
The problem for Microsoft was that while the obvious solution was to disable AutoRun, it was considered a legitimate feature, which happened to be exploited by the Conficker worm, Rimecud and Taterf."
Monday, February 7, 2011
"Apparently TSA agents are being told that one way to handle the new groping pat downs for children is to try to make it out to be some sort of "game." This is apparently horrifying some sex abuse experts who point out that a common tactic in abuse cases is to tell the kids that they're just "playing a game." The TSA has said that the newer patdowns will not apply to children under 12, but the rules have been somewhat unclear -- leading to the statement from a TSA director, James Marchand:
"You try to make it as best you can for that child to come through. If you can come up with some kind of a game to play with a child, it makes it a lot easier."
He also said that the idea of making it a game would become a part of the TSA's training. Ken Wooden, who runs an organization to try to stop sex abuse of children was not pleased:
"How can experts working at the TSA be so incredibly misinformed and misguided to suggest that full body pat downs for children be portrayed as a game?" Wooden asked in an email. "To do so is completely contrary to what we in the sexual abuse prevention field have been trying to accomplish for the past thirty years."
Friday, February 4, 2011
"The annual Pwn2Own hacking contest has been so merciless at thrashing the security of popular computing products that most vendors groan when they learn their wares will be entered.
When the search company recently learned that its Chrome browser wasn't going to be included in this year's competition, which is scheduled for next month, it asked organizers to reconsider – and even offered $20,000 in prize money – on top of the $15,000 already promised – to any contestant who successfully exploits the open-source browser. Chrome was originally going to be excluded because it is based on the same Webkit engine that runs another Pwn2Own entry, Apple's Safari browser."
Wednesday, February 2, 2011
Tuesday, February 1, 2011
Thursday, January 27, 2011
Never forget that the "V" stands for virtual...
"A Seattle man has been acquitted of all charges brought against him when he refused to show ID to TSA officials and videotaped the incident at an airport security checkpoint.
Prosecutors' case against Phil Mocek was so weak that he was found not guilty without testifying or calling a single witness, the Papers, Please! blog reported. The Daily Conservative said Friday's acquittal was the first time anyone has “successfully challenged the TSA’s assumed authority to question and detain travelers.”"
Read more and watch video...
"DARPA has previously specified that the Cyber Range is to be able to simulate a network on the same scale as the internet or the US military's Global Information Grid. In addition to the various kinds of machinery, the Range will also be populated by software "replicants" playing the part of human users, admins and other people whose actions would register on the network. The replicants' behaviour is to be affected realistically as the frightful code bombs and cyber missiles of tomorrow devastate their peaceful world, so modelling the war-warez' effects accurately."
Wednesday, January 26, 2011
"In the past years, I have seen many many false and misleading statements about what is needed to securely erase or wipe a hard drive. The FUD surrounding this topic with many still purporting to have a means of recovering data using SEMs and AFM (electron microscopy will do) is incredible.
The problem is that it hurts us all.
This year alone (and we are not even through the first month) I have read supposedly reputable security professionals stating that X-Ray machines and scanners will erase a drive. I have read how you need to use a forklift to drive over them.
With the help of a few colleges, I tested the theory (as that was all it ever was) that a SEM or AFM could be used to recover data. There is a reason that NO organization has ever done this, it is not possible. Science is based on empirical testing. Before that point it is not science and is just a hypothesis. Data recovery from a single wipe is not possible. It is up to those who sell the snake oil to prove it. This is science people."
Tuesday, January 25, 2011
"Apple Inc. plans to introduce services that would let customers use its iPhone and iPad computer to make purchases, said Richard Doherty, director of consulting firm Envisioneering Group.
The services are based on “Near-Field Communication,” [ i.e. RFID ] a technology that can beam and receive information at a distance of up to 4 inches, due to be embedded in the next iteration of the iPhone for AT&T Inc. and the iPad 2, Doherty said. Both products are likely to be introduced this year, he said, citing engineers who are working on hardware for the Apple project."
Monday, January 24, 2011
"Marketers are tracking smartphone users through "apps" - games and other software on their phones. Some apps collect information including location, unique serial-number-like identifiers for the phone, and personal details such as age and sex. Apps routinely send the information to marketing companies that use it to compile dossiers on phone users. As part of the What They Know investigative series into data privacy, the Journal analyzed the data collected and shared by 101 popular apps on iPhone and Android phones (including the Journal's own iPhone app). This interactive database shows the behavior of these apps, and describes what each app told users about the information it gathered."
Saturday, January 22, 2011
"According to projections by APNIC Chief Scientist Geoff Huston, IANA's central IPv4 address pool is expected to run out any day now, leaving the internet with a very limited remaining supply of addresses. APNIC will probably request two /8s (33 million addresses) within the next few weeks. This will leave five /8s available, which will be immediately distributed to the five Regional Internet Registries in accordance with IANA policy. It's expected that APNIC's own address pool will run low during 2011, making ISPs and businesses in the Asia-Pacific region the first to feel the effects of IPv4 exhaustion. The long-term solution to IP address exhaustion is provided by IPv6, the next version of the Internet Protocol. IPv6 has been an internet standard for over a decade, but is still unsupported on many networks and makes up an almost negligible fraction of Internet traffic. Unless ISPs dramatically accelerate the pace of IPv6 deployment, users in some regions will be stuck on IPv4-only connections while ISPs in other regions run out of public IPv4 addresses, leading to a fragmented Internet without the universal connectivity we've previously taken for granted."
Thursday, January 13, 2011
"Jacob Appelbaum, a security researcher, Tor developer, and volunteer with Wikileaks, reported today on his Twitter feed that he was detained, searched, and questioned by the US Customs and Border Patrol agents at Seattle-Tacoma International Airport on January 10, upon re-entering the US after a vacation in Iceland.
He experienced a similar incident last year at Newark airport.
An archive of his tweeted account from today follows."
"More than a third of all malware that has ever existed was created by criminal gangs in 2010 alone according to the latest PandaLabs Annual Report.
To be precise, the company found that 34 percent of all existing malware has been concocted by cybercriminals in the last year, banishing forever the image of the disgruntled geek creating viruses in his bedsit."