Tuesday, July 5, 2011

Resistance is futile - moving to Twitter...

After much deliberation, I have decided to move to Twitter as my main method of sharing information. I'm probably the last person to the party but I've finally realized that, "resistance is futile" ;-)


Twitter is much easier and quicker to share information and the recent debacle with Blogger losing hundreds of my images on this blog has made it obvious (even to me) that it's finally time to make the switch...

I will however continue to update the links list here as I run across new toolz and links. In fact thanks to a recent student who sent me a spreadsheet of all the sites I mentioned in class, the links are updated to include them all now.

Thanks to all of you for following this blog and I hope to see you on Twitter!

Follow brycegalbraith on Twitter

Tuesday, April 26, 2011

**MISSING IMAGES**

Hey everyone. Looks like Blogger has some issues and many of my images are missing. I'm investigating what happened and *hope* to have everything back soon :-)


Keep checking back...

Bryce

Thursday, April 14, 2011

Hacker 'handshake' hole found in common firewalls

"Some of the most commonly-used firewalls are subject to a hacker exploit that lets an attacker trick a firewall and get into an internal network as a trusted IP connection.

NSS Labs recently tested half a dozen network firewalls to evaluate security weaknesses, and all but one of them was found to be vulnerable to a type of attack called the "TCP Split Handshake Attack" that lets a hacker remotely fool the firewall into thinking an IP connection is a trusted one behind the firewall."

Read more...

Tuesday, April 12, 2011

USPS.gov Website Infected with Blackhole Exploit Kit

"United States Postal Service website (http://ribbs.usps.gov) has been infected with the Blackhole Exploit kit. As we've discussed previously, the Blackhole Exploit kit, a commercial exploit kit developed by Russian hackers, is being seen in an increasing number of attacks. Last week, we reported on how it had been used to infect Worldfest, a Houston, Texas music festival and this week, it has penetrated the website of an independent US government agency, namely that of the postal service. RIBBS stands for Rapid Information Bulletin Board System and deals with Intelligent Mail services, such as barcodes that allow for better tracking and logistics. As with similar infections, the attack follows numerous phases, each being hosted on a separate domain, with each leveraging various obfuscation techniques to hide the attack. Here we will walk through the various phases to detail the attack."

Read more...

Monday, April 11, 2011

Recreating the Legendary Commodore 64

"It's back... and better than ever! The new Commodore 64 is a modern functional PC as close to the original in design as humanly possible. It houses a modern mini-ITX PC motherboard featuring a Dual Core 525 Atom processor and the latest nVidia ION2 graphics chipset. It comes in the original taupe brown/beige color, with other colors to follow."

Check it out...

How is SSL hopelessly broken? Let us count the ways.

"Analysis Every year or so, a crisis or three exposes deep fractures in the system that's supposed to serve as the internet's foundation of trust. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.

And in 2010, it was the mystery of a root certificate included in Mac OS X and Mozilla software that went unsolved for four days until RSA Security finally acknowledged it fathered the orphan credential.

This year, it was last month's revelation that unknown hackers broke into the servers of a reseller of Comodo, one of the world's most widely used certificate authorities, and forged documents for Google Mail and other sensitive websites. It took two, seven and eight days for the counterfeits to be blacklisted by Google Chrome, Mozilla Firefox and IE respectively, meaning users of those browsers were vulnerable to unauthorized monitoring of some of their most intimate web conversations during that time."

Read more...

Monday, April 4, 2011

What Location Tracking Looks Like

"Your cell phone company knows everywhere you go, twenty-four hours a day, every day. How concrete is this fact for you?

It's very concrete for Malte Spitz, a German politician and privacy advocate. He used German privacy law — which, like the law of many European countries, gives individuals a right to see what private companies know about them — to force his cell phone carrier to reveal what it knew about him. The result? 35,831 different facts about his cell phone use over the course of six months."

Read more...

Friday, March 25, 2011

Mozilla regrets keeping quiet on SSL certificate theft

"Mozilla today said that it regretted staying silent when it found out last week that hackers had stolen digital certificates for some of the Web's biggest sites, including Google, Skype, Microsoft, Yahoo and its own add-on site."

Read more...

Thursday, March 24, 2011

2010: The year of the hacker

"It took about five minutes to cripple Visa.com. By the time Dutch police arrested the 16-year-old boy they say was responsible Thursday, the damage had been done. Of course, the boy wasn’t alone. He was aided by a volunteer army of thousands. The scary thing: They were using tools anyone can get.

If the WikiLeaks dump, and the subsequent cyberattacks, have made anything clear it’s this: 2010 belongs to hackers.

Hacking, the practice of getting your hands on computer tools, systems and documents – especially when it’s unauthorized – is nothing new: from MIT students in the 1950s to “phreakers” who manipulated telecom systems around the globe.

But their impact has suddenly skyrocketed. Over the past decade, the digital medium in which hackers operate has become the single most important driver of cultural, commercial and geopolitical change in the world. And online, the limbs of everything from credit card companies to national security agencies lay far more unguarded than their real-world counterparts.

From easily obtainable cyberwarfare tools to being glorified in Stieg Larsson novels to jailbroken iPhones, hacker culture is also cycling from the underground to the mainstream."

Read more...

Wednesday, March 2, 2011

Can Data Stored on an SSD Be Secured?

"Until a university study emerged last week, few experts suspected that it's more difficult to erase data stored on solid-state drives (SSD) than that on hard disk drives (HDDs).

Industry experts were taken aback by the study, but noted that there are SSDs with native encryption capabilities that can prevent data from being seen even after a drive's end of life, and that there are some SSD drive sanitation methods that are more successful than others."

Read more...

Sunday, February 20, 2011

Black Ops: How HBGary wrote backdoors for the government

"On November 16, 2009, Greg Hoglund, a cofounder of computer security firm HBGary, sent an e-mail to two colleagues. The message came with an attachment, a Microsoft Word file called AL_QAEDA.doc, which had been further compressed and password protected for safety. Its contents were dangerous."

Read more...

Friday, February 18, 2011

FBI Pushes for Surveillance Backdoors in Web 2.0 Tools

"The FBI pushed Thursday for more built-in backdoors for online communication, but beat a hasty retreat from its earlier proposal to require providers of encrypted communications services to include a backdoor for law enforcement wiretaps.

FBI general counsel Valerie Caproni told Congress that new ways of communicating online could cause problems for law enforcement officials, but categorically stated that the bureau is no longer pushing to force companies like RIM, which offers encrypted e-mail for business and government customers, to engineer holes in their systems so the FBI can see the plaintext of a communication upon court order."

Read more...

Saturday, February 12, 2011

Global Energy Industry Hit In “Night Dragon” Attacks

"In 2010 McAfee Labs processed an average of almost 55,000 pieces of new malware every day. That nearly mind-numbing amount makes it difficult for any particular attack to stand out. Today, however, I want to highlight one large scale attack that is a clear example of how cybercrime has evolved from something of a hobbyist affair to a very professional activity. We call this specific attack “Night Dragon.”

Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry."

Read more (PDF)...

Friday, February 11, 2011

International Monetary Fund (IMF) calls for a US Dollar alternative

"The International Monetary Fund issued a report Thursday on a possible replacement for the dollar as the world's reserve currency."

Read more...

Wednesday, February 9, 2011

Egypt's Assault on the World-Wide Web

"Not long ago it was unthinkable that any country with a major Web presence would completely disconnect from the Internet. Least of all Egypt. With 80 million people and high penetration, it has the largest number of users in the region.

That all changed with the flick of a switch on Jan. 28. At the height of demonstrations against President Hosni Mubarak's 31-year rule, the government forced all Internet service providers to pull the plug.

To be sure, other countries have meddled with the Internet when their own demonstrations have heated up—Iran, China and Tunisia, for example. But the governments..."

Read more...

Nmap 5.50 released! (major update)

"Hi folks! It has been a year since the last Nmap stable release (5.21) and six months since development version 5.35DC1, so I'm pleased to release Nmap 5.50! I'm sure you'll find that it was worth the wait!

A primary focus of this release is the Nmap Scripting Engine, which has allowed Nmap to expand up the protocol stack and take network discovery to the next level. Nmap can now query all sorts of application protocols, including web servers, databases, DNS servers, FTP, and now even Gopher servers! Remember those? These capabilities are in self-contained libraries and scripts to avoid bloating Nmap's core engine.

I'm so excited about NSE that I made it the topic of my presentation with David Fifield last summer at Defcon and the Black Hat Briefings. You can watch the video at http://nmap.org/presentations/."


Check it out...

Microsoft says RIP Windows XP AutoRun

"Microsoft has finally decided to push out a Windows update that should stop attempts to exploit AutoRun - a feature of its operating system that fires up any program once a USB or CD is inserted into a computer.

In recent years hackers have increasingly turned to AutoRun, which permits programmers to deliver instructions via Autorun.inf files to run programs without first gaining user permission.

The problem for Microsoft was that while the obvious solution was to disable AutoRun, it was considered a legitimate feature, which happened to be exploited by the Conficker worm, Rimecud and Taterf."

Read more...

Monday, February 7, 2011

TSA Told To Tell Children That Groping Them Is A Game... Horrifying Sex Abuse Experts

"Apparently TSA agents are being told that one way to handle the new groping pat downs for children is to try to make it out to be some sort of "game." This is apparently horrifying some sex abuse experts who point out that a common tactic in abuse cases is to tell the kids that they're just "playing a game." The TSA has said that the newer patdowns will not apply to children under 12, but the rules have been somewhat unclear -- leading to the statement from a TSA director, James Marchand:

    "You try to make it as best you can for that child to come through. If you can come up with some kind of a game to play with a child, it makes it a lot easier."

He also said that the idea of making it a game would become a part of the TSA's training. Ken Wooden, who runs an organization to try to stop sex abuse of children was not pleased:

    "How can experts working at the TSA be so incredibly misinformed and misguided to suggest that full body pat downs for children be portrayed as a game?" Wooden asked in an email. "To do so is completely contrary to what we in the sexual abuse prevention field have been trying to accomplish for the past thirty years."

Read more...

Friday, February 4, 2011

Pwn2Own lets Chrome in, after all

"The annual Pwn2Own hacking contest has been so merciless at thrashing the security of popular computing products that most vendors groan when they learn their wares will be entered.

Not Google.

When the search company recently learned that its Chrome browser wasn't going to be included in this year's competition, which is scheduled for next month, it asked organizers to reconsider – and even offered $20,000 in prize money – on top of the $15,000 already promised – to any contestant who successfully exploits the open-source browser. Chrome was originally going to be excluded because it is based on the same Webkit engine that runs another Pwn2Own entry, Apple's Safari browser."

Read more...

Wednesday, February 2, 2011

EFF Uncovers Widespread FBI Intelligence Violations

Once again we have the inevitable outcome of those that would disregard the Constitution. No one should be surprised, only more resolute in preventing more power grabs through fear mongering - old tactic folks. Don't be fooled. Big, powerful, unaccountable government is the scariest thing on Earth. History (and present - Egypt) leaves no room for ambiguity here.

"Any society that would give up a little liberty to gain a little security will deserve neither and lose both." -- Benjamin Franklin

Tuesday, February 1, 2011

As Egypt goes offline US gets internet 'kill switch' bill ready

Anyone who cares about freedom or knows anything about history should be getting chills right about now...

Read more...

Thursday, January 27, 2011

Interesting virtual machine escape hacking demo video from NSA


Never forget that the "V" stands for virtual...

Watch video...

Passenger cleared after TSA checkpoint stare-down (Papers please!)

"A Seattle man has been acquitted of all charges brought against him when he refused to show ID to TSA officials and videotaped the incident at an airport security checkpoint.

Prosecutors' case against Phil Mocek was so weak that he was found not guilty without testifying or calling a single witness, the Papers, Please! blog reported. The Daily Conservative said Friday's acquittal was the first time anyone has “successfully challenged the TSA’s assumed authority to question and detain travelers.”"

Read more and watch video...

US cyberwar firing range to demo by July

"DARPA has previously specified that the Cyber Range is to be able to simulate a network on the same scale as the internet or the US military's Global Information Grid. In addition to the various kinds of machinery, the Range will also be populated by software "replicants" playing the part of human users, admins and other people whose actions would register on the network. The replicants' behaviour is to be affected realistically as the frightful code bombs and cyber missiles of tomorrow devastate their peaceful world, so modelling the war-warez' effects accurately."

Read more...

Wednesday, January 26, 2011

Erasing drives should be quick and easy

"In the past years, I have seen many many false and misleading statements about what is needed to securely erase or wipe a hard drive. The FUD surrounding this topic with many still purporting to have a means of recovering data using SEMs and AFM (electron microscopy will do) is incredible.

The problem is that it hurts us all.

This year alone (and we are not even through the first month) I have read supposedly reputable security professionals stating that X-Ray machines and scanners will erase a drive. I have read how you need to use a forklift to drive over them.

With the help of a few colleges, I tested the theory (as that was all it ever was) that a SEM or AFM could be used to recover data. There is a reason that NO organization has ever done this, it is not possible. Science is based on empirical testing. Before that point it is not science and is just a hypothesis. Data recovery from a single wipe is not possible. It is up to those who sell the snake oil to prove it. This is science people."

Read more...

Tuesday, January 25, 2011

Apple Plans Service That Lets IPhone Users Pay With Handsets (via RFID / NFC)

"Apple Inc. plans to introduce services that would let customers use its iPhone and iPad computer to make purchases, said Richard Doherty, director of consulting firm Envisioneering Group.

The services are based on “Near-Field Communication,” [ i.e. RFID ] a technology that can beam and receive information at a distance of up to 4 inches, due to be embedded in the next iteration of the iPhone for AT&T Inc. and the iPad 2, Doherty said. Both products are likely to be introduced this year, he said, citing engineers who are working on hardware for the Apple project."


Read more...

Monday, January 24, 2011

WSJ - What They (Smart phone apps) Know

"Marketers are tracking smartphone users through "apps" - games and other software on their phones. Some apps collect information including location, unique serial-number-like identifiers for the phone, and personal details such as age and sex. Apps routinely send the information to marketing companies that use it to compile dossiers on phone users. As part of the What They Know investigative series into data privacy, the Journal analyzed the data collected and shared by 101 popular apps on iPhone and Android phones (including the Journal's own iPhone app). This interactive database shows the behavior of these apps, and describes what each app told users about the information it gathered."

Read more...

Wall Street Journal: What They Know

Great resource on the Wall Street Journal's website about tracking techniques and practices.

Check it out...

Saturday, January 22, 2011

IPv4 Exhaustion Report

"According to projections by APNIC Chief Scientist Geoff Huston, IANA's central IPv4 address pool is expected to run out any day now, leaving the internet with a very limited remaining supply of addresses. APNIC will probably request two /8s (33 million addresses) within the next few weeks. This will leave five /8s available, which will be immediately distributed to the five Regional Internet Registries in accordance with IANA policy. It's expected that APNIC's own address pool will run low during 2011, making ISPs and businesses in the Asia-Pacific region the first to feel the effects of IPv4 exhaustion. The long-term solution to IP address exhaustion is provided by IPv6, the next version of the Internet Protocol. IPv6 has been an internet standard for over a decade, but is still unsupported on many networks and makes up an almost negligible fraction of Internet traffic. Unless ISPs dramatically accelerate the pace of IPv6 deployment, users in some regions will be stuck on IPv4-only connections while ISPs in other regions run out of public IPv4 addresses, leading to a fragmented Internet without the universal connectivity we've previously taken for granted."

Read more...

Thursday, January 13, 2011

Wikileaks volunteer detained and searched (again) by US agents

"Jacob Appelbaum, a security researcher, Tor developer, and volunteer with Wikileaks, reported today on his Twitter feed that he was detained, searched, and questioned by the US Customs and Border Patrol agents at Seattle-Tacoma International Airport on January 10, upon re-entering the US after a vacation in Iceland.

He experienced a similar incident last year at Newark airport.

An archive of his tweeted account from today follows."

Read more...

7 Cyber Crime Facts Executives Need to Know

"The bad guys are getting smarter. Whether they are terrorists who realize another way to hurt the world and advance their agenda is to destabilize the economies of developed nations, especially leaders like the USA, disgruntled insiders, or "ordinary" criminals with a predominant profit motive, cyber crimes are increasing and becoming more costly. In information technology security circles, there is some buzz about a July 2010 Cost of Cyber Crime Benchmark Study of a representative sampling of U.S. companies conducted by the Ponemon Institute. This organization conducts independent research on privacy, data protection, and information security policy."

Read more...

One-Third of All Malware in Existence Appeared in 2010

"More than a third of all malware that has ever existed was created by criminal gangs in 2010 alone according to the latest PandaLabs Annual Report.

To be precise, the company found that 34 percent of all existing malware has been concocted by cybercriminals in the last year, banishing forever the image of the disgruntled geek creating viruses in his bedsit."

Read more...