
Spontaneous Sociability and The Enthymeme

From User: Decius

Current Topic: Computer Security

Top 100 Network Security Tools
Topic: Computer Security 7:11 pm EDT, Jun 23, 2006

I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way.

This is a handy list. Kudos to all the MemeStreamers who write tools on the list... There are several.



Voip cipher lines
Topic: Computer Security 6:04 pm EDT, May 31, 2006

On or around May 8, the following personal ad appeared on the Internet classified ad site Craigslist. (It has since been removed.)

For mein fraulein

Mein Fraulein, I haven't heard from you in a while. Won't you
call me? 212 //// 796 //// 0735

If you actually called the number, up until a couple of days ago you would have heard this prerecorded message (MP3). It's a head scratcher to keep you National Security Agency analysts occupied in your spare time. Each block of numbers is repeated twice; but below I have transcribed them only once for clarity.

Another use of VoIP to disconnect a phone number from a physical location, this time apparently for an intelligence purpose (although this seems an anachronistic way to deliver a ciphertext). "Group 415" might be a reference to the area code in San Francisco, where Craig's List is most popular. There is also a song in the recording. Identifying the song might aid analysis... The voice is clearly sampled.

Another code for Elonka?



Academic freedom and the hacker ethic
Topic: Computer Security 6:20 pm EDT, May 27, 2006

Hackers advocate the free pursuit and sharing of knowledge without restriction, even as they acknowledge that applying it is something else.

Decius has been published in this month's issue of Communications of the ACM. It's a typical Decius rant about freedom to tinker; really a hacker's perspective on the Bill Joy/Fukuyama argument that science needs to be centrally controlled and partially abandoned. The issue is a special issue on Computer Hackers with submissions from Greg Conti, FX, Kaminsky, Bruce Potter, Joe Grand, Stephen Bono, Avi Rubin, Adam Stubblefield, and Matt Green. Many folks on this site might enjoy reading the whole thing if you can get your hands on it. The articles mesh together well and there is some neat stuff in here.



RE: Telling the Truth hurts...
Topic: Computer Security 6:12 pm EDT, May 13, 2006

Decius chimes in on dc0de's situation:

Dc0de has joined what we have started referring to as "the club." People we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.

In the United States, you're supposed to have a right to freedom of speech. This isn't just a matter of what the law technically says or means. As Rattle has pointed out before, freedom of speech is a core value in our society. It is a value that transcends what the law merely requires, providing a model for how a mature society addresses all sorts of conflicts: The appropriate way to respond to critics is within the realm of ideas and not within the realm of coercion.

People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.

However, this happens all the time, so a more fundamental fix is required. The legal system should not allow itself to be used by wealthy parties as a weapon to coerce people who do not have the resources to defend themselves. This is fundamentally unjust. The legal system must be reformed.

For a smart analysis of these issues see this paper about two other members of "the club," Billy and Virgil.

dc0de wrote:
Part of the presentation includes a slide that shows the Insider Attack Variables, including, Corporate environment and culture. Since the IDR's previous incident was caused by someone not performing their due diligence on 50 fraudulent companies, thereby allowing these companies to freely PURCHASE data from the IDR and commit fraud, I used their loss as an example...

The company that I work for now is terminating me, and claiming that I have to sign the IDR's document, (that they negotiated as part of their settlement), and of course, another document, forbidding me to speak about this issue.

There is no protection for whistle-blowers in the security industry. This is a major problem. There is a niche for a lobby here that should be filled.



Breach case could curtail Web flaw finders
Topic: Computer Security 8:19 pm EDT, May  1, 2006

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Find a bug. Report it. Have the U.S. Attorney claim in court that you are liable for the costs associated with fixing the bug. Go to Jail. Dave Aitel has it right... Retarded...



Forensic felonies
Topic: Computer Security 4:32 am EDT, Apr 27, 2006

A new law in Georgia on private investigators now extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony.

Coverage at Security Focus.



Wired News: Bug Bounties Exterminate Holes
Topic: Computer Security 2:05 pm EDT, Apr 17, 2006

Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem.

An interesting discussion of bug brokers.



InformationWeek | Security | The Fear Industry | April 17, 2006
Topic: Computer Security 2:03 pm EDT, Apr 17, 2006

In January, a vulnerability in WMF surfaced that let attackers use the Windows' graphics rendering engine that handles WMF images to launch malicious code on users' computers via these images. A number of security researchers posted information about the vulnerability to their mailing lists. Within a few hours, researcher H.D. Moore posted a working example of a WMF exploit--a piece of code written to take advantage of a software flaw--on his Metasploit Web site. Some defended the action, saying it offered insight into the rules security pros needed to put on intrusion-detection systems to avoid getting hit. Others argued that what Moore did enabled the average hacker to more easily exploit the flaw.

Information Week published a long, sensational, and patently dishonest article on security research today. This text makes it seem as if malware authors used the information H.D. Moore published. The fact is that this vulnerability was being exploited by criminal organizations in the wild before anyone in the security research community knew about it. The article fails to make this fact clear because it doesn't fit into the narrative that the reporter is aiming for and undermines the questions the reporter is raising. Would any major news media organization be interested in a piece that discusses whether intentionally dishonest reporting is good or bad for society?



RFID Viruses: Is your cat infected with a computer virus?
Topic: Computer Security 6:56 pm EST, Mar 15, 2006

The prankster decides to unwittingly enlist his cat in the fun. The cat has a subdermal pet ID tag, which the attacker rewrites with a virus using commercially available equipment. He then goes to a veterinarian (or the ASPCA), claims it is stray cat and asks for a cat scan. Bingo! The database is infected. Since the vet (or ASPCA) uses this database when creating tags for newly-tagged animals, these new tags can also be infected. When they are later scanned for whatever reason, that database is infected, and so on. Unlike a biological virus, which jumps from animal to animal, an RFID virus spread this way jumps from animal to database to animal.

I ignored this article this morning but it's actually pretty cool. SQL injection, CSS, and buffer overflows from data stored in RFIDs is a vector that few people have really looked at. I wonder if the new U.S. Passports are vulnerable?



Slashdot | Interview With Cryptographer Elonka Dunin
Topic: Computer Security 8:19 pm EST, Mar 14, 2006

"Whitedust is running a very interesting article with the DEF CON speaker and cryptographer Elonka Dunin. The article covers her career and specifically her involvement with the CIA and other US Military agencies."

Elonka continues to prove why she is the most famous user on MemeStreams. Rumor also has it she has been accepted into the Industrial Memetics Institute...

Go Elonka! I truly cannot wait till I have a copy of her upcoming book. I expect it to be very well received by a very wide audience. I think the result will be surprising...

Elonka should wind up on the talk show circuit. We need to get Elonka on Oprah after her book comes out! It's imperative.


