Current Topic: Computer Security

RE: Data Theft Affected Most in Military

Topic: Computer Security
7:33 pm EDT, Jun 7, 2006
finethen wrote: Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.
Hotel.com had info stolen too in the last few days. Is there some fancy new trick to stealing info or are these just flukes?
Neither. These kinds of databases have been around a long time, but 20 years ago they'd require serious computing centers that couldn't be easily lost or stolen. They did get hacked into from time to time, but you can't take an IBM Mainframe with you in your carry-on luggage. Today three things have occurred:

1. Technology has advanced. The entire Veterans Affairs database can run off of someone's laptop. That makes it easier for it to leave the building.

2. Technology has become more widespread. In the 80's these things were the exclusive domain of large businesses and government agencies. Now there are hundreds of thousands of dot com companies with customer databases that are directly connected to the internet, any one of which could get hacked into.

3. A larger criminal market has arrived. In the 80's very little actual theft occurred as the result of computer crime. Today organized criminal groups have cropped up, largely situated in the anarchocapitalism that exists in Russia and the Eastern Bloc as they struggle to build real, sustainable economies. These groups target the wide array of potentially insecure information sources, collect identity data, and convert it into cash. Distributed international networks of operatives coordinated through the internet monetize the results of these thefts and funnel money back to central coordinators.

There are three things that need to be done:

1. Organizations that deal in personal information need to continue to take computer security seriously. In particular, the credit card companies, and other organizations that deal with money, need to build better systems for determining whether or not you are you before they'll authorize a financial transaction with your money.

2. Organizations that deal in personal information need to have strict internal policies for access to information. People shouldn't have the database floating around on CD.

3. Some amount of regulation may be needed. However, IMHO the feds are 0 for 2 with SOX and HIPAA, so I'm not sure they've proved that they can regulate in an effective way.

Real Computer Security is hard, because you have to prevent bad stuff without being noticed as the good guys go about their jobs. When you get noticed, you've done something wrong, either because there has been a breach or because someone can't do their job because your security system stopped them. There is a certain art to finding the balance and it depends greatly on the specific requirements of the people you are working for and your wisdom in being judicious about what you control. Things like SOX and HIPAA micromanage the problem with one size fits all policies that inevitably fail in the real world. Congress should operate on the level of incentivization and not on the level of specific requirements. For example, one of the reasons credit card fraud is so easy is that credit card companies don't bear the costs associated with fraud (the merchants do) and so they don't have any economic incentive to deploy technologies that are harder to subvert. In fact, credit card companies are making money on fraud by selling useless identity theft protection and credit report monitoring services. This is a problem lawyers can fix. They should focus on who is liable and leave computer security to the computer security professionals.

anoNet: Cooperative Chaos

Topic: Computer Security
3:17 pm EDT, Jun 6, 2006
In early 2005, a few people, fed up with the way the Internet was heading, began in earnest to create a large wide area network that was secure and lived in its own space. On this new network anyone would be free to do as they saw fit - roam about, host services, or just be social without fear of being monitored or even worse censored. The first step to bring this network to fruition was to encrypt the information that normally travels across the Internet. What they ended up with is known as anoNet.
Something about turning the Internet inside out... Has anyone bothered to check out the wiki that's hosted behind tor?

Voip cipher lines

Topic: Computer Security
4:04 pm EDT, May 31, 2006
On or around May 8, the following personal ad appeared on the Internet classified ad site Craigslist. (It has since been removed.) For mein fraulein Mein Fraulein, I haven't heard from you in a while. Won't you call me? 212 //// 796 //// 0735 If you actually called the number, up until a couple of days ago you would have heard this prerecorded message (MP3). It's a head scratcher to keep you National Security Agency analysts occupied in your spare time. Each block of numbers is repeated twice; but below I have transcribed them only once for clarity.
Another use of VoIP to disconnect a phone number from a physical location, this time apparently for an intelligence purpose (although this seems an anachronistic way to deliver a ciphertext). "Group 415" might be a reference to the area code in San Francisco, where Craigslist is most popular. There is also a song in the recording. Identifying the song might aid analysis... The voice is clearly sampled.

Academic freedom and the hacker ethic

Topic: Computer Security
11:56 pm EDT, May 26, 2006
Hackers advocate the free pursuit and sharing of knowledge without restriction, even as they acknowledge that applying it is something else.
I wrote an article in this month's issue of Communications of the ACM. It's a typical Decius rant about freedom to tinker; really a hacker's perspective on the Bill Joy/Fukuyama argument that science needs to be centrally controlled and partially abandoned. The issue is a special issue on Computer Hackers with submissions from Greg Conti, FX, Kaminsky, Bruce Potter, Joe Grand, Stephen Bono, Avi Rubin, Adam Stubblefield, and Matt Green. Many folks on this site might enjoy reading the whole thing if you can get your hands on it. The articles mesh together well and there is some neat stuff in here.

Ctrl Alt Del

Topic: Computer Security
1:48 am EDT, May 22, 2006
My thoughts exactly on the new Mac ads.

Binary Revolution - The Revolution will be Digitized!

Topic: Computer Security
12:34 pm EDT, May 18, 2006
Episode 148 - Rainbow Tables. Airdate: 2006-05-17. Length: 1:34:32. Size: 16.15 MB. Hosts: StankDawg & Decius
I was on BinRev Radio talking about Rainbow Tables on Tuesday night. It's hard to explain something like that without a whiteboard, but hopefully it comes across well. The key points are: Microsoft should have used salted hashes. For password cracking, most passwords are dictionary based, and a hash table for a large dictionary is going to be smaller than a decent Rainbow table. Rainbow tables are a neat technology nonetheless, but the most interesting application is cracking symmetric ciphers.

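The salted-hash point from that post, as an added example that is not from the BinRev episode or from the post itself: plain SHA-256 stands in for an unsalted password hash (Microsoft's actual hash format is not reproduced here), PBKDF2-HMAC-SHA256 with a random 16-byte salt stands in for a salted one, and the five-word wordlist and the iteration count are constructed values chosen for the demo. A precomputed dictionary table (a rainbow table is the same idea with a time/memory trade-off applied) recovers the unsalted digest with one lookup and is reusable against every user and every stolen database; against salted records the same table never hits, two users with the same password get different digests, and a table that covered every possible salt would need dictionary-size times 2^128 rows.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed toy wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey"]

# Illustrative PBKDF2 cost; production systems should tune this much higher.
ITERATIONS = 20_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: same input, same output, on every system."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute digest -> word once. Against unsalted hashes this table is
    reusable forever, against every user and every stolen database."""
    return {unsalted_hash(w): w for w in words}


def lookup(digest_hex: str, table: Dict[str, str]) -> Optional[str]:
    """O(1) recovery of a password from an unsalted digest, if it is in the dictionary."""
    return table.get(digest_hex)


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt is mixed into every digest, so the same
    password yields a different digest under every different salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> Tuple[bytes, bytes]:
    """Store (salt, digest); the salt is random per user and need not be secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def table_rows_needed(dictionary_size: int, salt_bits: int) -> int:
    """A precomputed table that still works against salted hashes must hold
    one row per (word, salt) pair: dictionary size times 2**salt_bits."""
    return dictionary_size * (1 << salt_bits)


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    unsalted_hit = lookup(unsalted_hash("dragon"), table)   # "dragon"
    rec_a = new_record("dragon")
    rec_b = new_record("dragon")
    salted_miss = lookup(rec_a[1].hex(), table)             # None
    same_password_same_digest = rec_a[1] == rec_b[1]        # False
    return {
        "unsalted_hit": unsalted_hit,
        "salted_miss": salted_miss,
        "same_password_same_digest": same_password_same_digest,
        "verify_ok": verify("dragon", rec_a),               # True
        "verify_wrong": verify("monkey", rec_a),            # False
        "rows_for_128_bit_salt": table_rows_needed(len(WORDLIST), 128),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it with python3 and the script prints each result; the salt is generated with os.urandom so the salted digests differ on every run while the unsalted table hit stays constant.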
ATM_Vulnerabilities_04_10_06.pdf (application/pdf Object)

Topic: Computer Security
2:00 pm EDT, May 5, 2006
Because these networks are often connected to the Internet, this introduces their customer’s sensitive data to greater risk.
Do not read while holding sharp objects or if you have a tendency to bang your head against a table when presented with something unfathomably dumb.

Breach case could curtail Web flaw finders

Topic: Computer Security
8:09 pm EDT, May 1, 2006
Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.
Find a bug. Report it. Have the U.S. Attorney claim in court that you are liable for the costs associated with fixing the bug. Go to Jail. Dave Aitel has it right... Retarded...

Forensic felonies

Topic: Computer Security
12:47 pm EDT, Apr 26, 2006
A new law in Georgia on private investigators now extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony.
Coverage at Security Focus.

Georgia Law to put Computer Forensics experts in Jail -- HB 1259

Topic: Computer Security
12:39 pm EDT, Apr 23, 2006
dc0de wrote: For those of you who care about Computer Forensics, please see the current situation in Georgia. There is a bill before the GA Legislature -- HB 1259 If passed, it will make it a Felony to perform and testify in a State Court about any computer forensics performed, unless you are a licensed Private Investigator.
Here is some more discussion of the issue. Here is the actual text of the legislation. The Atlanta High Technology Crime Investigation Association is holding a meeting on this subject on May 8th. Calvin Hill, Representative who sponsored the bill, and John Villanes, Chairman, Georgia Board of Private Detectives will be at the meeting.