School: Did you really name your son Robert'); Drop Table Students;--?
Mom: Oh. Yes. Little Bobby Tables we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mom: And I hope you've learned to sanitize your database inputs.
HAHAHA! Sweet.
To be fair, you shouldn't sanitize user input, you should validate it.
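The exchange above, worked through in code as an added example (not part of the original post or its comments): the Bobby Tables name is handed to a query built by string concatenation, then to a parameterized query, then to an allowlist validator. The schema, the `Students` rows and the vulnerable function's use of `executescript` are constructed here so that the stacked statement actually runs, the way it would on a driver or server that accepts several statements per call.

```python
import re
import sqlite3

# Constructed input: the name from the comic, verbatim.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory SQLite database with one existing student (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def insert_vulnerable(conn, name):
    """Deliberately unsafe: the name is spliced into the SQL text.

    executescript() is used here so that a second statement smuggled in by
    the input is executed, mirroring a driver that allows stacked queries.
    """
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)


def insert_safe(conn, name):
    """Parameterized query: the name is bound as data and never parsed as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


# Allowlist for a human name field: letters, spaces, periods, hyphens and
# apostrophes, 1 to 64 characters. Parentheses and semicolons never pass.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def is_valid_name(name):
    """Validation step: reject input that is not shaped like a name."""
    return NAME_RE.fullmatch(name) is not None


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


if __name__ == "__main__":
    db = fresh_db()
    insert_vulnerable(db, BOBBY)
    print("after concatenated query, Students table exists:", table_exists(db))

    db = fresh_db()
    insert_safe(db, BOBBY)
    print("after parameterized query, rows:", student_names(db))

    for candidate in (BOBBY, "Conan O'Brien"):
        print(repr(candidate), "passes validation:", is_valid_name(candidate))
```

Parameterization is what stops the injection: the same input that drops the table through `insert_vulnerable` is stored as an ordinary string through `insert_safe`. Validation complements it rather than replacing it: the allowlist rejects Bobby's name, but a name such as O'Brien passes validation and still contains the quote character that breaks the concatenated query, which is exactly why the fix cannot rest on filtering characters.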
The 2008 presidential contenders' online fund-raising tactics could encourage one gigantic phishing attack -- or at least a series of little debilitating nibbles that will destroy the campaigns' momentum online, says a noted online security researcher.
The growing volumes of money that the presidential campaigns are soliciting -- and receiving -- online are likely to prick up the ears of fraudsters sensing a great opportunity to cut in and divert passionate online politicos' financial support to their own pockets, says Christopher Soghoian, a graduate student in the school of Informatics at Indiana University in a new paper to be presented today in Washington, DC.
Germany basically banned all "hacking tools." "Hacking tools" are not defined. This is having a spectacularly destructive impact on computer security research world wide as German resources become unavailable and people are starting to avoid traveling there. (Image from this story.)
The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.
The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.
Current and former officials have told the Financial Times an internal investigation has revealed that the incursion came from the People’s Liberation Army.
One senior US official said the Pentagon had pinpointed the exact origins of the attack. Another person familiar with the event said there was a “very high level of confidence...trending towards total certainty” that the PLA was responsible. The defence ministry in Beijing declined to comment on Monday.
The Pentagon is still investigating how much data was downloaded, but one person with knowledge of the attack said most of the information was probably “unclassified”. He said the event had forced officials to reconsider the kind of information they send over unsecured e-mail systems.
Um.. Thanks for the help with that?
To underscore the threat, he notes that no cyber red team – hackers enlisted to attack systems to help identify weaknesses – has ever failed to meet its objective.
To underscore the larger context of the threat, I should note that no elite US military unit - soldiers enlisted to look at ways to make shit go "boom" - has ever failed to come up with all kinds of ways to make shit go "boom".
Cyberspace is Spook Country these days... I imagine this is an interesting time to work in counter-intelligence. May ye' live in interesting times..
Indeed, such are the Beijing government’s efforts to control the activities of its citizens on the internet that any hackers operating from China are almost certainly working for the authorities. Yet it is probably also right to assume that the US and other western governments are busy infiltrating the computer systems of foreign governments. It is therefore disingenuous to complain too vigorously when those same foreign governments become good at doing it back.
The attractions of using cyberspace for spying are obvious. It is cheap and governments do not have to deal with the risks and insecurities associated with intelligence officers, agents and informers operating in foreign countries.
Lieutenant General Robert Elder, senior Air Force officer for cyberspace issues, recently joked that North Korea “must only have one laptop” to make the more serious point that every potential adversary – except Pyongyang – routinely scans US computer networks.
North Korea may be impotent in cyberspace, but its neighbour is not. The Chinese military sent a shiver down the Pentagon’s spine in June by successfully hacking into an unclassified network used by the top policy advisers to Robert Gates, the defence secretary. (link)
Now we get to AjaxWorld West 2007 and there are 5 presentations about security and all of them look great. Brian Chess from Fortify, Joe Stagner from Microsoft, Bryan and I from SPI/HP, Danny Allen from Watchfire/IBM, and Pothiraj Selvaraj from CGE. I am absolutely floored by the turnout. And it's not just more security speakers at Ajax conferences. There are other indications that people are accepting Ajax Security. We are seeing a number of books on Ajax Security come out. Ajax frameworks are starting to implement security features natively. In some cases framework developers are reaching out directly to the web security companies that seem to get it. For example SPI has been to Redmond multiple times this year working with the ASP.NET and Atlas teams. We see security vendors and consultants who were in denial about Ajax have toned down the rhetoric. Now vendors from the scanner and source code analysis spaces are joining SPI on stage this year at AjaxWorld. We've gone from a 20 something with long hair talking about Ajax security to CTOs and CEOs, and VPs spreading the message. And that is extremely satisfying.
I suppose if anything, AjaxWorld 2007 is a nice breath of fresh air. A cause SPI has been championing for nearly 2 years now is becoming more mainstream and finding acceptance in the Security and Development communities. I welcome my friendly competitors to the party, even if they were a little late and got lost along the way. :-) Because at the end of the day, more smart people working on tough problems helps everyone.
Kudos to the SPI crew. They have been instrumental in bringing attention to the security issues that must be dealt with when developing Ajax applications. I will not be attending this conference, but if your company develops Ajax apps, it's highly suggested that you send one of your engineers..
Who's on the Line These Days, It Could Be Everyone - washingtonpost.com
Topic: Computer Security
1:07 pm EDT, Aug 12, 2007
In the blink of an eye, you could miss it -- that scene in "The Bourne Supremacy" when Jason Bourne delivers a lightning-quick beat-down to a U.S. consulate official in Naples, then grabs the man's PDA, manipulates its micro-motherboard, and drives off listening to the man on this 21st-century wiretap. And in the latest film, "The Bourne Ultimatum," wiretapping is the very deed that drives the frenetic plot.
In these types of adrenaline-pumping portrayals of electronic eavesdropping, reality must step aside so that Bourne (when he's not crashing a car) or "24's" Jack Bauer (when he's not torturing someone) can eavesdrop in real time, real fast. And it's always for the good, you see, because Bourne's gotta find out what sinister spook programmed him to be a stone-cold killer and Bauer's gotta save the world. The ends justify the means. No time for questions.
Because the core of the public discourse about national security and privacy is ... Hollywood?
Sadly, it's probably the case..
Technology, 9/11 and the politics of the war on terror have shifted the paradigm on privacy, for better or worse. Perhaps that is why Americans have not been howling about the possible intrusion of wiretapping into their telephone use.
"You don't necessarily have the sense, when you see Jack Bauer, that it's wrong," says Barry Carter, a Georgetown law professor. Back in the 1970s, Carter investigated widespread NSA phone wiretapping and reading of telegrams as part of the Church Committee's probe of intelligence abuses. (The committee was named for its chairman, Democratic Sen. Frank Church of Idaho.)
Back then, "it was accepted that it was wrong that these things were being done," he says.
The argument alluded to is that we need an event that will humanize the issues surrounding illegitimate wiretaps. Just imagine if we caught the NSA in the act of monitoring Paris Hilton's phone calls without a warrant. Is that the point America would riot? Or do we need someone with more ... credibility?
For my tax dollar, I would be most entertained if the entire IC went after Scientology. Kill two birds with one stone.. Picture Tom Cruise on the cover of Vanity Fair with the tag line "they tapped my phone!" A Waco like fiasco going down in Clearwater.. Juliette Lewis testifying in front of congress. Maybe we could even get a Kirstie Alley perp walk..
Air Force Draws Weekend Cyberwarriors From Microsoft, Cisco
Topic: Computer Security
12:28 am EDT, Aug 7, 2007
If the U.S. Air Force is ever ordered into a cyberwar with a foreign country or computer-savvy terrorist group, the 100-plus citizen cybersoldiers at the Air National Guard's 262nd Information Warfare Aggressor Squadron will boast an advantage other countries can't match: They built the very software and hardware they're attacking.
That's because the 262nd, based at McChord Air Force Base outside Tacoma, Washington, draws weekend warriors from Microsoft, Cisco Systems, Adobe Systems and other tech companies, in a recruitment model that senior military leadership is touting as vital to the Air Force's expanded mission to achieve "dominance in cyberspace."
Blackboard, the big Web 2.0 app on campus | CNET News.com
Topic: Computer Security
11:48 pm EDT, Aug 4, 2007
The multimedia or personal stuff that professors may think of as flashy filler is getting students to make an emotional investment in their education. "Sure, the content they offer is not as good as if a faculty member produced it. The content expert is always going to be better at creating the content, but that's not the point," said Knauff.
Some see the advent of Web 2.0-style tools in the classroom heralding a shift in everything from education theory to how schools are built. The bottom line: traditional lecturing may be on its way out, said Claire Schooley, an analyst at Forrester Research who follows learning trends at universities and corporations.
Seton Hall University uses social tools as a way to hook students even before they have officially started. A log-in is mailed to new students along with the acceptance materials, according to Jan Day, senior director of client engagement at Blackboard, an educational software company that worked with the university to implement the site.
"It's one thing to look at a discussion board, wikis and blogs. It's something else completely different to physically act in a 3D environment with others in your class. There is increased engagement and feelings of identity," said Jarrett.
"Just like with hybrids and the car industry a few years ago, I need to start building that car because if I wait three years, I'll miss that curve," Hartman said. "I'm building it now as a prototype, but I don't expect to take it out and race it."
Zac Franken, a DefCon goon (staffer), gave a brilliant presentation at the DefCon hacker conference today involving security access control systems and cards for building entrances that use electromagnetic coupling.
The hack involves exploiting a serious vulnerability inherent in the Wiegand protocol that allows an intruder to trick the system into granting entrance to a building to an unauthorized visitor, to lock out authorized visitors and to collect authorization data about everyone who has entered that door to gain access to other areas in a building secured with Wiegand-based readers.
The Wiegand protocol is a plain-text protocol and is employed in systems that secure not only some office buildings but also some airports. Franken has said that it's used at Heathrow airport. Retina scanners, proximity scanners and other access systems all use the Wiegand protocol so the vulnerability isn't device-specific. It's plain text and easily intercepted and replayed.
This is some straight-up Tilde Jones style physical security hackery. Very cool.
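To make the "plain text" point in the excerpt concrete, here is an added example (not from the article or Franken's talk) that encodes and decodes the common 26-bit Wiegand card format: an even-parity bit, an 8-bit facility code, a 16-bit card number and an odd-parity bit. The facility code, card numbers and reader log below are constructed values. The decoder is the whole integrity check a reader performs on the wire: parity, nothing else.

```python
# 26-bit Wiegand (the widely used 8-bit facility / 16-bit card layout).
# Frame layout, bit 0 first on the wire:
#   bit 0       even parity over bits 1..12
#   bits 1..8   facility code
#   bits 9..24  card number
#   bit 25      odd parity over bits 13..24
# Frames are handled as strings of '0'/'1' characters.


def wiegand26_encode(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader would send for this credential."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = format((facility << 16) | card, "024b")
    # Even parity: the leading bit makes the count of ones in the first
    # 12 payload bits (plus itself) even.
    even_p = payload[:12].count("1") % 2
    # Odd parity: the trailing bit makes the count over the last 12 bits odd.
    odd_p = 1 - payload[12:].count("1") % 2
    return f"{even_p}{payload}{odd_p}"


def wiegand26_decode(frame: str):
    """Return (facility, card) if parity holds; raise ValueError otherwise."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-bit frame")
    payload = frame[1:25]
    if int(frame[0]) != payload[:12].count("1") % 2:
        raise ValueError("even parity mismatch")
    if int(frame[25]) != 1 - payload[12:].count("1") % 2:
        raise ValueError("odd parity mismatch")
    return int(payload[:8], 2), int(payload[8:], 2)


def frame_is_well_formed(frame: str) -> bool:
    """True when the frame decodes, i.e. when both parity bits check out."""
    try:
        wiegand26_decode(frame)
        return True
    except ValueError:
        return False


def credentials_from_log(frames):
    """Decode a sequence of captured frames into (facility, card) tuples.

    Identical frames decode to identical credentials: nothing in the format
    (no nonce, counter, timestamp or MAC) distinguishes a fresh read of a
    card from a recording of an earlier read.
    """
    return [wiegand26_decode(f) for f in frames]


if __name__ == "__main__":
    frame = wiegand26_encode(42, 12345)   # constructed credential
    print("frame:", frame)
    print("decoded:", wiegand26_decode(frame))
    # Constructed reader log: the same credential seen twice, then another.
    log = [frame, frame, wiegand26_encode(7, 100)]
    print("log decodes to:", credentials_from_log(log))
    # A single flipped bit is caught by parity, which is the format's only check.
    damaged = ("1" if frame[1] == "0" else "0").join([frame[:1], frame[2:]])
    print("damaged frame well-formed:", frame_is_well_formed(damaged))
```

The design point for a defender is that the controller cannot tell a replayed frame from a live card read because the frame carries nothing that is unique to the moment of presentation. Parity detects line noise, not an adversary, so protection has to come from the link rather than the format, for example an authenticated, encrypted reader-to-controller channel such as OSDP Secure Channel, or controllers that raise an alert when the same credential appears in a way that is physically impossible.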
NBC Reporter with hidden camera in purse hoping to catch conference attendees committing to crimes (according to Defcon staff) flees Defcon 15 after being outed.
OMG FUCKING LOOOOOOLLLLL!!!!
For more information on this awesome totally ethical NBC program, see this.
I think DT handled that well. The role reversal that took place when the conference attendees were following her to her car was hilarious. "We just want to ask a few questions!"