Spontaneous Sociability and The Enthymeme

Rattle
Current Topic: Computer Security

BREITBART.COM - State Dept. Suffers Computer Break-Ins
Topic: Computer Security 12:47 am EDT, Jul 12, 2006

The State Department is recovering from large-scale computer break-ins worldwide over the past several weeks that appeared to target its headquarters and offices dealing with China and North Korea, The Associated Press has learned.

Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking. These people spoke on condition of anonymity because of the sensitivity of the widespread intrusions and the resulting investigation.

The break-ins and the State Department's emergency response severely limited Internet access at many locations, including some headquarters offices in Washington, these officials said. Internet connections have been restored across nearly all the department since the break-ins were recognized in mid-June.

After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim's network.


Top 100 Network Security Tools
Topic: Computer Security 7:11 pm EDT, Jun 23, 2006

I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way.

This is a handy list. Kudos to all the MemeStreamers who write tools on the list... there are several.


XSS worm spreading through Yahoo webmail
Topic: Computer Security 4:33 pm EDT, Jun 12, 2006

This just in from Acidus. There is an AJAX/XSS worm carving through Yahoo! Mail.

I just received an email with an html attachment, on a yahoo account.

When I opened the mail, yahoo automatically displayed the html, and executed
the code within. What the hell. =) It forwarded the message to my contacts
list, (or some other set of addresses, dunno,) and redirected my browser to
a website.

XSS-based worm spreading through Yahoo's web mail. Looking at an email message causes the XSS to run. The XSS uses AJAX to make an HTTP POST to the URL on Yahoo for sending mail. The worm does this to send email containing the worm to everyone in your address book and sends your address book to a 3rd party. Probably to sell your email address to spammers.

This is a great example of XSS+AJAX=BAD! Even if Yahoo mail doesn't use AJAX, the XSS can use AJAX to make requests for you using your credentials.

Acidus has given presentations outlining exactly this threat several times in the past year at conventions including Outerz0ne, Shmoocon, and Blackhat Federal. Were we the only ones paying attention to him?

This is downright innocent and harmless when compared to some of the uses for this type of XSS exploit that he was concerned with.
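As an added example (not code from the original post, from Acidus, or from Yahoo), here is the server-side check I would want behind a webmail attachment viewer after an incident like this one: it screens HTML attachments for active content and serves any hit as a download under a sandboxing CSP instead of rendering it in the mail origin. The pattern list, policy functions and sample attachment are all constructed for this illustration.

```javascript
// Added example (not from the original post): a server-side screening check for
// HTML mail attachments, modelled on the failure described above, where the
// webmail client rendered an HTML attachment inline and ran the script inside it.
// Policy: anything containing active content is never rendered inline in the
// mail origin; it is served as a download with a sandboxing CSP instead.
// This is a screening heuristic, not an HTML sanitizer: regex-based sanitizers
// are routinely bypassed, so the decision it feeds is "download vs inline",
// not "strip and render". Pattern list and sample attachment are constructed.

const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedded-frame', re: /<\s*(?:iframe|object|embed)\b/i },
  { name: 'meta-refresh',   re: /<\s*meta[^>]*http-equiv\s*=\s*["']?refresh/i },
];

// Names of every active-content pattern found in the attachment body.
function findActiveContent(html) {
  return ACTIVE_CONTENT_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
}

// How the webmail server should serve an attachment:
//   inline   -> rendered by the mail client (HTML only when nothing was flagged)
//   download -> Content-Disposition: attachment, never executed in the mail origin
function attachmentPolicy(contentType, body) {
  const isHtml = /^(?:text\/html|application\/xhtml\+xml)\b/i.test(contentType);
  if (!isHtml) return { disposition: 'inline', findings: [] };
  const findings = findActiveContent(body);
  return { disposition: findings.length ? 'download' : 'inline', findings };
}

// Response headers for the chosen disposition. The CSP sandbox directive blocks
// script execution even if a client ignores the disposition and renders anyway.
// The filename is attacker-controlled, so quotes and CR/LF are neutralised.
function responseHeaders(policy, filename) {
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (policy.disposition === 'download') {
    const safeName = filename.replace(/["\r\n]/g, '_');
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
    headers['Content-Security-Policy'] = 'sandbox';
  }
  return headers;
}

// Constructed sample: an HTML attachment carrying a script block and an inline
// event handler, the two ingredients the post describes.
const SAMPLE_ATTACHMENT =
  '<html><body><p>Hello</p><script>/* constructed */</script>' +
  '<img src="x.png" onerror="/* constructed */"></body></html>';

const policy = attachmentPolicy('text/html; charset=utf-8', SAMPLE_ATTACHMENT);
console.log(policy, responseHeaders(policy, 'message.html'));
```

Because the script in this incident ran in the mail origin, session cookies and anti-CSRF tokens were all available to it; keeping attachment rendering out of that origin is the control that actually matters here.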


RE: Data Theft Affected Most in Military
Topic: Computer Security 8:23 pm EDT, Jun 7, 2006

These comments from Decius in reference to the recent VA database theft are worth singling out:

Real Computer Security is hard, because you have to prevent bad stuff without being noticed as the good guys go about their jobs. When you get noticed, you've done something wrong, either because there has been a breach or because someone can't do their job because your security system stopped them. There is a certain art to finding the balance and it depends greatly on the specific requirements of the people you are working for and your wisdom in being judicious about what you control. Things like SOX and HIPAA micromanage the problem with one size fits all policies that inevitably fail in the real world.

Congress should operate on the level of incentivization and not on the level of specific requirements. For example, one of the reasons credit card fraud is so easy is that credit card companies don't bear the costs associated with fraud (the merchants do) and so they don't have any economic incentive to deploy technologies that are harder to subvert. In fact, credit card companies are making money on fraud by selling useless identity theft protection and credit report monitoring services. This is a problem lawyers can fix. They should focus on who is liable and leave computer security to the computer security professionals.

Indeed.


Voip cipher lines
Topic: Computer Security 6:04 pm EDT, May 31, 2006

On or around May 8, the following personal ad appeared on the Internet classified ad site Craigslist. (It has since been removed.)

For mein fraulein

Mein Fraulein, I haven't heard from you in a while. Won't you
call me? 212 //// 796 //// 0735

If you actually called the number, up until a couple of days ago you would have heard this prerecorded message (MP3). It's a head scratcher to keep you National Security Agency analysts occupied in your spare time. Each block of numbers is repeated twice; but below I have transcribed them only once for clarity.

Another use of VoIP to disconnect a phone number from a physical location, this time apparently for an intelligence purpose (although this seems an anachronistic way to deliver a ciphertext). "Group 415" might be a reference to the area code in San Francisco, where Craig's List is most popular. There is also a song in the recording. Identifying the song might aid analysis... The voice is clearly sampled.

Another code for Elonka?


Academic freedom and the hacker ethic
Topic: Computer Security 6:20 pm EDT, May 27, 2006

Hackers advocate the free pursuit and sharing of knowledge without restriction, even as they acknowledge that applying it is something else.

Decius has been published in this month's issue of Communications of the ACM. It's a typical Decius rant about freedom to tinker; really a hacker's perspective on the Bill Joy/Fukuyama argument that science needs to be centrally controlled and partially abandoned. The issue is a special issue on Computer Hackers with submissions from Greg Conti, FX, Kaminsky, Bruce Potter, Joe Grand, Stephen Bono, Avi Rubin, Adam Stubblefield, and Matt Green. Many folks on this site might enjoy reading the whole thing if you can get your hands on it. The articles mesh together well and there is some neat stuff in here.


Reporting Vulnerabilities is for the Brave
Topic: Computer Security 3:51 pm EDT, May 23, 2006

As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

1. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable.

2. Try to avoid using that system as much as is reasonable.

3. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos. However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn’t help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer — you’re a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.

4. Delete any evidence that you knew about this problem. You are not responsible for that web site, it’s not your problem — you have no reason to keep any such evidence. Go on with your life.

5. If you decide to report it against my advice, don’t tell or ask me anything about it. I’ve exhausted my limited pool of bravery — as other people would put it, I’ve experienced a chilling effect. Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.

The problem remains: there is no way to report vulnerabilities to site owners without taking on a huge personal risk. I've seen security issues at the university I attend, and I've looked the other way. There is no incentive to point them out, and no whistleblower protections for security researchers.


RE: Telling the Truth hurts...
Topic: Computer Security 6:12 pm EDT, May 13, 2006

Decius chimes in on dc0de's situation:

Dc0de has joined what we have started referring to as "the club." People we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.

In the United States, you're supposed to have a right to freedom of speech. This isn't just a matter of what the law technically says or means. As Rattle has pointed out before, freedom of speech is a core value in our society. It is a value that transcends what the law merely requires, providing a model for how a mature society addresses all sorts of conflicts: The appropriate way to respond to critics is within the realm of ideas and not within the realm of coercion.

People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.

However, this happens all the time, so a more fundamental fix is required. The legal system should not allow itself to be used by wealthy parties as a weapon to coerce people who do not have the resources to defend themselves. This is fundamentally unjust. The legal system must be reformed.

For a smart analysis of these issues see this paper about two other members of "the club," Billy and Virgil.

dc0de wrote:
Part of the presentation includes a slide that shows the Insider Attack Variables, including, Corporate environment and culture. Since the IDR's previous incident was caused by someone not performing their due diligence on 50 fraudulent companies, thereby allowing these companies to freely PURCHASE data from the IDR and commit fraud, I used their loss as an example...

The company that I work for now is terminating me, and claiming that I have to sign the IDR's document, (that they negotiated as part of their settlement), and of course, another document, forbidding me to speak about this issue.

There is no protection for whistle-blowers in the security industry. This is a major problem. There is a niche for a lobby here that should be filled.


Scott Moulton's report of the HTCIA Meeting
Topic: Computer Security 4:58 pm EDT, May 9, 2006

The following is from Scott Moulton, who was at the HTCIA meeting in Atlanta on Monday. A full copy of this can be found on forensiclicensing.com.

This meeting yesterday was somewhat contradictory. On one hand, the meeting was started by claiming that none of the people in the room were affected by this new law and that we are not PI's. But that seemed to change within a few minutes to all of us being affected and that it does apply to us.

It seemed apparent from the meeting yesterday they intend to push this PI bill through again. Many of the items in the PI bill are good for other reasons. Just not for anyone that practices any kind of "investigation" that we did not consider a PI. Very graciously John Villines and Calvin Hill agreed to work with a committee from "our community" to get the correct verbiage in the bill with regards to our industry. Their point seemed to be that the PI bill was going to include us and that we would all somehow still have to be PI's but kind of be on our own terms if we help with the verbiage. Further questioning did not seem to clarify this. It seems that adding computer components to the PI exams was considered a "specialty" and was opposed when suggested to John C. Villines and Calvin Hill. It seemed clear that the qualifications for what it takes to become a PI were going to stay in place with regards to testing, training and educational hours. They stated that items for new laws need to be complete around the September time frame so that they can be submitted in February for new laws to be considered and that they were going to go ahead with this and submit it again. Our choice was to work with them on the wording.

It was also very apparent from statements made that under the current law that the misdemeanour still stands and that they were not offering any way to indemnify anyone during this time period that these issues need to be worked out and the law rewritten. They did claim that it was very unlikely anyone would be sought out for this issue being that it is a misdemeanour.

When it was suggested that we could create our own Professional Licensing board, it was pointed out to us that it would probably never happen. It was suggested by, I believe Calvin Hill, that we pick a board we fit best under and work with that board to get established and regulated under that board, and that it was unlikely with the current political system we have that we would be successful in setting up our own board.

RESEARCH ON "INVESTIGATOR"
The word "investigator" or "investigation" seems to be a very big issue with PI's. Calling anything Forensic Investigation or a Computer Forensic Investigation uses words that are subject to scrutiny, as if Private Investigators own the word investigate.

As matter...


[ale] IT Security (Evidence Collection) and HB 1259
Topic: Computer Security 1:35 pm EDT, May 9, 2006

The following quotes are from a report posted to the Atlanta Linux Enthusiasts mailing list by Greg Freemyer.

First some opinions (JV = John Villines, CH = Calvin Hill)

1) (JV) As it stands any third party that collects evidence for use in a criminal/civil suit is subject to the existing PI licensing law. The penalty is a misdemeanor and a relatively small fine, i.e. a few hundred dollars I believe. They are starting to get complaints about Computer Forensic professionals not having their PI license.

Some more background on this would be useful. What is the basis of the complaints? And who is making them?

2) (CH) There is intense pressure on the legislature to regulate individuals with access to sensitive data.

From who? What is considered "access to sensitive data"?

3) (JV/CH) There is pressure to stop abuse of the GA PI law that allows PI companies to face minimal sanctions if they employ felons and allow them to carry guns. This is apparently the driver that caused HB 1259 to upgrade the offense of violating the PI license to be a felony.

They should handle this issue in a bill separate from any attempting to regulate the information security industry. This appears to have been the main driver, so handle it on its own. We don't need issues with felons carrying guns affecting the information security industry. These are issues that don't connect.

4) (JV/CH) HB 1259 will be back next year in some way, shape or form.

See my above comment...

5) (JV) The PI Board has a written regulation (IIRC) that individuals covered by other GA licensing boards will not be covered by the PI board. (I'm not sure what this means if you are arrested, i.e. you are still breaking the law; it is just a regulation that says that MDs/CPAs/Engineers/etc. are not required to have their PI license.)

This is one of the core problems that needs to be addressed. If you are a CPA, doctor, engineer, or information security expert, you should not be breaking the law in the process of practicing your craft in good faith.

6) (JV) My interpretation of what he said is that an IT consultant responding to a client issue that intentionally gathers evidence for potential use at a criminal/civil trial needs to be a PI today, and needs to be regulated in some manner in the future. His question was "Why not the PI board?"

7) (JV/CH) Employees of the violated company do not need to have a license, i.e. if you are part of an in-house IT security group you don't need a PI license; it is only if you are an outside consultant or work for a 3rd party (IT) security firm that you need a PI license.

Well, now a few reasons are being presented as to why the PI board isn't th...
