Category: Tools
Paper Added: August 20, 2008
Engineers in Microsoft's Internet Explorer group are devising a new means to stamp out one of the web's biggest security banes: attacks that steal email, bank account credentials and other sensitive information by injecting malicious code into trusted websites.…
If there is any truth to the old saying that there is no honor among thieves then it is doubly true for thieves who transact with one another yet never actually meet face-to-face. Perhaps that explains the popularity of certain services in the underground cyber crime economy that make it easy for crooks to purchase stolen credit and bank accounts in bulk and check whether the accounts are legitimate and active. More here.
From the many hours Security Fix spent skulking around some of the more active cyber crime communities online recently, I saw a site called sh0pp0rtal.net mentioned quite a bit. I managed to acquire an account on this exclusive service, and found some 78,628 individual MasterCard and Visa credit and debit accounts for sale at various prices there.
Nice article on personal surveillance from the London Review of Books.

GetAFreelancer.com has a job for you if you need some high-paid work -- write a remote keylogger.
Here are the project requirements:
We need a keylogger that can be installed remotely. Description:
The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B installs the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A receives a report by email of every keystroke that the person B makes on his computer.
They only want to pay $250 to $750, which seems fair given that the requirements don't include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.
Photo "Keylogger 1.0 Beta" by soulrift.
I find it interesting that security people and foodies are strongly correlated. Or at least they are strongly correlated among the ones I know. Very Good Taste has a list called The Omnivore's Hundred: things worth trying, modulo this and that. You mark the things you have tried, and mark the things you would never try or try again.
I found it via Cygnoir, who also gave a pointer to an easy-to-fill-out web page that will give HTML.
My results of that page are below.
Welcome back, mile-high Wi-Fi: American Airlines has turned on Internet service in its fleet of 15 767-200s today. These aircraft ply routes between New York's JFK and three cities: San Francisco, Los Angeles, and Miami. Service is $13 per flight, and bandwidth is expected to be 1.5 Mbps (uncompressed) upstream and downstream, although the service provider, Aircell, claims some advantages above that.
This is a big day for Aircell, which spent tens of millions to acquire the exclusive spectrum license that allows them to shoot Mbps to and from planes. My big question will be whether coverage remains seamless across an entire flight--how often one has to reconnect their VPN would be a big issue. If Aircell has architected the network correctly, passengers should never be reassigned an IP address, and connections shouldn't be dropped even if there's a hiccup in air-to-ground communication.
I chatted via Skype--text only, thank you--with Aircell CEO Jack Blumenstein this morning who is quite literally walking on air on an American flight. Blumenstein said it's remarkable even to him to be communicating with other airborne people across "a veritable airforce of AA planes spread out across the skies." Aircell has been working towards this in one form or another for many, many years. And now they get bragging rights at being first, even if it's a pilot project.
I've covered in-flight broadband for several years, and I've been wondering lately whether we'd be waiting until 2009 to see real production service. American is calling this a 3-to-6 month pilot to see what their passengers think. Just yesterday, I wrote up veteran travel writer Joe Brancatelli's frustration with the lack of information and some misinformation about in-flight broadband.
You can read more background on American's plans and Aircell's technology in a post I wrote for BoingBoing on 24-June-2008.
Suzanne Marta of the Dallas Morning News was liveblogging this morning from a flight to Los Angeles, as was Peter Ha at Crunchgear, who measured 1.7 Mbps downstream. Ha's broadband test relies on having no other active users on a network slowing down the test, so the real speeds up and down could be much higher.
Copyright ©2008 Glenn Fleishman. All rights reserved. Please notify us if you find this content anywhere but at wifinetnews.com or wimaxnetnews.com. Reproduction of full articles from RSS feeds is prohibited without permission.
I think I've been looking for this...
Email Prioritizer is a plug-in for Microsoft Office Outlook 2007 (running on Exchange Server) that helps you manage email overload. This concept test provides a “do not disturb” button that temporarily pauses new email arrival, and prioritizes email with a 0-3 star rating system. We hope this prototype helps you focus on the emails that are most important to you.
Installing now.


Merlin Mann has a good post up about what makes a good blog. I don't pretend that this is a good blog, but it's mine and it's here for my friends to read.
My blog exists for 2 (major) reasons.
1. I share stuff I find interesting. That includes mostly computer stuff and news about my family. The reason I ended up moving it from here is that it was getting pretty family heavy and I didn't want to mix too much of that into my corporate blog.
2. I use this blog as a personal note keeping system. I've got a few others, but a lot of times, when I want to find something again, I just search my old blog posts and I can find the note or the link I'm looking for. (Steve has a few posts up around this idea on furrygoat.)
So getting back to Merlin's post. If you want a good blog, follow his advice. Number 1 is my favorite because I've had to talk marketing teams at Microsoft into putting names on blogs they were otherwise planning not to. Boring. (It's worth noting that MS has gotten really good at understanding blogs and social networking.)
What Makes for a Good Blog? | 43 Folders
As I think about the blogs I’ve returned to over the years — and the increasingly few new ones that really grab my attention — I want to start with, ironically enough, a list. Here’s what I think helps make for a good blog.
- Good blogs have a voice. Who wrote this? What is their name? What can I figure out about who they are that they have never overtly told me? What’s their personality like and what do they have to contribute — even when it’s “just” curation. What tics and foibles fascinate me about this blog and the person who makes it? Most importantly: what obsesses this person?


Next week I’ll be out of the office on one of my occasional stints as a federal emergency responder. I haven’t had the opportunity to do much since we responded to Katrina, and, to be honest, am surprised the team still lets me hang on (it’s in Colorado, I’m in Arizona, and I don’t get to train much anymore). Who knows how much longer I’ll get to put a uniform on; the politics of domestic response are a freaking mess these days, with all the cash funding the war, and I won’t be surprised if some of the more expensive (and thus capable) parts of the system are dismantled. Hopefully we can hang on through the next election.
Anyway, enough of my left wing liberal complaints about domestic security and on to incident management.
Although I haven’t written much about it on the blog (just the occasional post), one area I talk a lot about is incident response and disaster management, translating my experiences as a 9-1-1 and disaster responder into useful business principles. I’m frequently asked where people can get management level training on incident management. While SANS and others have some technology-oriented incident response courses, the best management level training out there is from FEMA.
Yes, that FEMA.
For no cost you can take some of their Incident Command Systems (ICS) courses online. I highly recommend ICS 100 and ICS 200 for anyone interested in the topic. No, not all of it will apply, but the fundamental principles are designed for ANY kind of incident of ANY scale. If nothing else, it will get you thinking.
And while I’m at it, here’s a definition of “Incident” that I like to use:
An incident is any situation that exceeds normal risk management processes.
Although I’ve sat through a lot of the training before, I never actually went through the program and test. I’m fairly impressed; these are some of the better online courses I’ve seen.
-Rich
Good stuff.
The TCP/IP protocols were conceived during a time that was quite different from the hostile environment they operate in now. Yet a direct result of their effectiveness and widespread early adoption is that much of today’s global economy remains dependent upon them.
While many textbooks and articles have created the myth that the Internet Protocols (IP) were designed for warfare environments, the top level goal for the DARPA Internet Program was the sharing of large service machines on the ARPANET [Clark, 1988]. As a result, many protocol specifications focus only on the operational aspects of the protocols they specify and overlook their security implications.
Though Internet technology has evolved, the building blocks are basically the same core protocols adopted by the ARPANET more than two decades ago. During the last twenty years many vulnerabilities have been identified in the TCP/IP stacks of a number of systems. Some were flaws in protocol implementations which affect only a reduced number of systems. Others were flaws in the protocols themselves affecting virtually every existing implementation [Bellovin, 1989]. Even in the last couple of years researchers were still working on security problems in the core protocols [Gont, 2008] [Watson, 2004] [NISCC, 2004] [NISCC, 2005].
Alex Eckelberry
Well, we got lots of positive feedback on the new look of the blog, but we did keep getting reports of problems in Opera. Right now, we’re back to the old look until we can get a handle on what’s going on.
Alex
If the possibility of ending up on the Wall of Sheep at Defcon and Black Hat wasn’t enough for you, Mike Perry is about to release a tool that automatically steals the Gmail ID’s of any non-encrypted sessions it finds. If you’re surfing on the free, public wi-fi at your local coffee shop, anyone with a modicum of computer skills will be able to sniff your traffic with this tool and take over your account. Of course, this has been possible for quite some time, but this tool brings the difficulty down to something the average script kiddy can do rather than having to be Robert Graham.
Gmail has been capable of running on SSL for quite some time, but it’s not something that’s enabled by default. I always typed the https in by hand, but I don’t completely trust that method. I’ve used Better Gmail 2 in the past, but that doesn’t like Firefox 3 for some reason. There are also a number of scripts for GreaseMonkey that force Gmail to use SSL, but now Gmail has made it an option on the settings page. It’s on the bottom of the page and easy to miss if you’re not looking closely.
Filed under: news

Preface
The TCP/IP protocols were conceived during a time that was quite different from the hostile environment they operate in now. Yet a direct result of their effectiveness and widespread early adoption is that much of today's global economy remains dependent upon them.
While many textbooks and articles have created the myth that the Internet Protocols (IP) were designed for warfare environments, the top level goal for the DARPA Internet Program was the sharing of large service machines on the ARPANET. As a result, many protocol specifications focus only on the operational aspects of the protocols they specify and overlook their security implications.
Though Internet technology has evolved, the building blocks are basically the same core protocols adopted by the ARPANET more than two decades ago. During the last twenty years many vulnerabilities have been identified in the TCP/IP stacks of a number of systems. Some were flaws in protocol implementations which affect only a reduced number of systems. Others were flaws in the protocols themselves affecting virtually every existing implementation. Even in the last couple of years researchers were still working on security problems in the core protocols.
The discovery of vulnerabilities in the TCP/IP protocols led to reports being published by a number of CSIRTs (Computer Security Incident Response Teams) and vendors, which helped to raise awareness about the threats as well as the best mitigations known at the time the reports were published.
Much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force) leading to a situation in which "known" security problems have not always been addressed by all vendors. In many cases vendors have implemented quick "fixes" to protocol flaws without a careful analysis of their effectiveness and their impact on interoperability.
As a result, any system built in the future according to the official TCP/IP specifications might reincarnate security flaws that have already hit our communication systems in the past.
Producing a secure TCP/IP implementation nowadays is a very difficult task partly because of no single document that can serve as a security roadmap for the protocols.
There is clearly a need for a companion document to the IETF specifications that discusses the security aspects and implications of the protocols, identifies the possible threats, proposes possible counter-measures, and analyses their respective effectiveness.
This document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point of view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to performing a security assessment of the relevant IETF specification but also offers an assessment of common implementation strategies.
Whilst not aiming to be the final word on the security of the IP, this document aims to raise awareness about the many security threats based on the IP protocol that have been faced in the past, those that we are currently facing, and those we may still have to deal with in the future. It provides advice for the secure implementation of the IP, and also insights about the security aspects of the IP that may be of help to the Internet operations community.
Feedback from the community is more than encouraged to help this document be as accurate as possible and to keep it updated as new threats are discovered.
Filed under: news

Dan's talk at Black Hat on 'The DNS Bug' aka CVE-2008-1447 was packed. By this time I had worked out that BH attendees, much like Catholics fill up from the back, so you can usually just walk to the front and find a seat. I did and ended up three rows away from Dan and his podium, a decision I later regretted.
It's a long entry, so I've bolded the key parts of my rant.
With all the hype, my plan was initially to not attend Dan's talk and go to something more interesting. My next thought was that most of the talks get completely dissected after BH anyway, so I would rather take advantage of the 'being there' factor and go watch the soap opera unfurl live.
He started off pretty well, gave some insight into how he had discovered the flaw, how the sooper sekret multi-vendor discussions had gone etc. He pointed out that Pieter de Boer was the first to 'rediscover' the bug 51hrs later. He also showed an awesome video of the patch rates around the world.
I was interested that, by speaking to Trustwave, the fear and loathing of PCI was used to drive many corporates into patching. As Dan pointed out, 'probably the first time compliance has been used to accomplish anything useful.' I'd restate that as 'probably the first time compliance has been used to drive rapid response to a tangential security incident.'
After that things went downhill. Dan decided to use the rest of the talk to provide illustrative situations of what a MITM can do. He went on at length describing all of the various protocols, services etc. that can be MITM'ed. He also pointed out that bugs don't need to be 'sploited in isolation, which gave him more time to go into scenarios. He could have used this time to go into more interesting discussions around the usability of DNSSEC, practical solutions, more details about the bug etc. Anyone who knows what a MITM is should have been bored.
During this time I started to get irritated, but I mean really physically irritated. I couldn't work out why, until I realised it was some element of his stage personality that was pissing me off. At first I ignored this as me just being judgemental of a socially awkward geek with a podium and media, and chided myself. However, after unpacking this in rants at anyone who would listen during the course of BH and DC, I realised what was bugging me.
Dan was show boating. His entire approach to the thing was show boating. His 'wait for blackhat' plea, which irked me because it was just too obviously a media stunt, combined with his 'ra ra, hand wave' presentation made it very clear. What's worse, his claim that he was trying to help people and get things fixed ASAP was hurt by his method of disclosure. By the end of the talk, I had switched to red pen (I was in rant mode) to document why I felt his disclosure method was at fault for the 90 day patch window.
There are two things required for patches to be deployed: a working patch, and a willingness to install the patch. To drive the willingness, security people (or admins charged with patch responsibility) need to understand the risk so they can make a proper risk decision relevant for their circumstance and organisation. Dan's work to coordinate the release of the patch was great; we got multiple patches all at once without in-the-wild exploits. However, how urgent was this patch? Should we divert resources from existing stuff to test and deploy it? Is there a significant risk difference between external DNS and internal DNS etc.? The delay in patching NAT'ted DNS servers illustrates how this lack of information hurt patching. When a client phoned me to ask how urgent the patch was, all I could say was I'm not sure and to include it as part of the normal test/deploy cycle. If we had this information, if the security community had it, we could have properly understood the bug and known what the risk was.
This does make Dan look a little hypocritical. The reason I choose hypocrisy and not 'a failure of unintended consequences' is for two reasons. The first is that Dan actively crusaded to keep discussion off public lists; this goes far beyond whatever NDAs he was probably slapped with. When one hippy posted to full-disclosure with a hypothesis, Dan personally mailed him and asked him not to discuss this stuff publicly. While it is silly to tell one of the most inquisitive communities in the world not to talk about something, it is antagonistic to the goal of 'get everyone to patch' as well (because it prevents an intelligent risk-based decision from being made). I also don't think Dan has an excuse for not understanding models of disclosure and their implications. We've seen vendors semi-secretly patch bugs before, we know the outcomes, and the debate is a couple of decades down the line. Finally, the reason I think Dan should take responsibility for this criticism is because he made such a big play to put himself in the centre of it.
I'm probably being a little unfair to someone who spent a lot of time working on something and who in the end got the world a little safer (and who I have never met personally). So take this as a commentary on his methods and media image, and not him personally. Ideally, take this as a lesson of how not to disclose bugs, ever.
China has banned the use of its Olympic gold medalists' names as Internet addresses by anyone but the athletes themselves. More here.
The move announced Tuesday came after companies registered the names of winning Chinese athletes at the 2004 Athens Olympics as Web addresses, prompting an outcry by sports fans.
"The move will better protect the interests of the Olympic gold medalists," said an official of the government's China Internet Network Information Center, quoted by the state Xinhua News Agency. It identified him only by the surname Hu.
The Chinese government controls the awarding of Web addresses using the ".cn" suffix but has no power over those assigned in other countries.
The General Administration of Sport gave the agency a list of Chinese Olympians ahead of the games and registered all possible domain names using their names, Xinhua said.
The federal government has been using its system of border checkpoints to greatly expand a database on travelers entering the country by collecting information on all U.S. citizens crossing by land, compiling data that will be stored for 15 years and may be used in criminal and intelligence investigations. More here.
Officials say the Border Crossing Information system, disclosed last month by the Department of Homeland Security in a Federal Register notice, is part of a broader effort to guard against terrorist threats. It also reflects the growing number of government systems containing personal information on Americans that can be shared for a broad range of law enforcement and intelligence purposes, some of which are exempt from some Privacy Act protections.
While international air passenger data has long been captured this way, Customs and Border Protection agents only this year began to log the arrivals of all U.S. citizens across land borders, through which about three-quarters of border entries occur.

Sixty-six years ago in Block B of the old Bletchley Park, a discovery was made that saved thousands of lives. A young woman, doing the filing, noticed a lot of coded messages, all concerning fuel deliveries to a small village in northern Germany called Peenemünde. More here.
She didn't think much of them at the time. But she reported the information upwards – and the Allies stumbled on the concealed factory site where the Germans were constructing the V1 and V2 flying bombs. An air strike later and the factory was destroyed. Proof, if ever it was needed, that a well-run filing system can help win a war.
Today moss, weeds and wild flowers have taken over in Block B, a place where the course of history was changed. Nature has reclaimed its ceiling and its floor, and unless something is done soon it will either collapse or be pulled down.
Bletchley Park is one of the world's greatest and most neglected wartime monuments. But large parts of it are being left to rot. The north wall of the main building, a 19th-century country house, is now covered in scaffolding, and part of the roof is missing. The Bletchley Park Trust scraped together £100,000 to repair a quarter of the roof. The rest of the building also needs attention, but the money is not there.
Someone asked me about blogging today and I realized I missed my own 5 year anniversary. Not my wedding anniversary, that’s next week, but the fifth anniversary of the day I wrote my first blog post “Here goes nothing”. I’d had a site about security for quite a while before that, but it was all manually coded HTML, it was ugly and, quite frankly, nearly impossible to update in anything resembling a timely manner. Then I found Movable Type, fought with it for about a week to get it installed, suffered the ridicule of my co-workers and started writing. Or maybe it was started writing and then suffered the ridicule, someone ask Ron Kehoe. Either way, it was definitely the start of a long and interesting journey.
The journey has definitely been worth it. I can say, without conceit, that I am one of the top security bloggers. Don’t believe me? Type “security blog” into Google and see for yourself. In the same vein, if you enter “security podcast”, the Network Security Podcast is the first entry you’ll see. I guess I should beware of hubris, since Google is a fickle mistress and that could change in a moment. I’ve been told the name of the blog was a brilliant stroke of SEO, but then I had to have search engine optimization explained to me, since I’d never heard the term before.
But blogging and writing was never about where I sit in the search results. It’s always been about learning for me. I had ideas when I started blogging, and even then I knew some were good, some were bad. I wanted to throw some of my ideas against the digital wall and see what would stick and what would stink. I’ve had a lot of ideas that people have agreed with, more that people have let flow by without comment and a few that have caused people to tell me that I’m an idiot at best. And some days I agree with them.
There are three things about blogging that I’m thankful for. The first, and least important, is what it’s done for my writing skills. I never was a bad writer, but just writing on a daily basis has helped my writing immensely. I’m still an informal writer and never will be asked to write a book or anything, but five years of writing on a nearly daily basis has enabled me to at least express my thoughts in a way that most people can understand. I was good enough that Computerworld invited me to blog for them for a year, which would probably still be going on if other factors in my life hadn’t intervened. I like writing and blogging gives me a chance to do it on a regular basis.
The second thing I’m thankful for is some of the opportunities that blogging has opened for me. I already mentioned Computerworld, but there have been a lot of other doors that opened simply because I put myself out there with the blog. I never would have had an opportunity to work with Alan and Mitchell if Alan hadn’t contacted me after a particularly interesting blog post (I wish I could remember which one). I’ve been to RSA, Defcon, Black Hat, Shmoocon, IANS and more because I got press passes or people wanted me to see what they’re offering. I got a chance to do some video blogging for Podtech, which quite frankly was a heck of a lot more work than I ever thought it could be. A couple of years ago Symantec even flew me down to SoCal for a day trip to their headquarters, which just happens to be a couple of blocks from the Playboy office. It’s amazing what you find when you wander around in SoCal. And let’s not forget the annual RSA Security Bloggers Meetup, which I somehow ended up helping host!
But the most important thing about blogging is some of the friends I’ve made along the way. First off is my co-host, Rich Mogull. Without Rich there to keep me in the game, the podcast probably would have died a year ago, even if the blog continued. It’s hard to do a weekly podcast, and the value of having someone to take part of the load, to bounce ideas off of and just have a little energy when you’re tired can’t be overstated. With Rich’s help I hope to be blogging and podcasting for years more to come and maybe one day we can have a cage match with Leo and Steve for a show on NPR. I’d bet on us; Leo’s getting old and Steve would probably get distracted by something bright and shiny mid-fight.
I’ve made more friends than I can list thanks to blogging, but I’m going to try anyways: Michael Farnum, Cutaway, Chris Hoff, Mike and Melina Murray, Jennifer Leggio, Jeremiah Owyang, David Mortman, Mike Rothman, Michael Santarcangelo, Rob Fuller, Alan Shimel, Mitchell Ashley, Michael Henry, Ryan Russell, Adam O’Donnell, Jack Daniel, Andy Willingham, Lori and Don MacVittie, Dan Kuykendall, Robyn Tippins, Paul Asadoorian, Larry Pesce, Ron Gula, Brian Krebs, Jennifer Jabbusch and Michael Dahn, just to name a few. I’ve probably missed as many as I’ve included and I apologize to those I left out; it’s been a long week and it’s only Tuesday. But I never would have met most of these people if it wasn’t for the blogging. I put myself out there for the world to see and these are some of the people who’ve responded with friendship. I actually get a little choked up thinking about it. Seriously.
Blogging has helped me grow as a security professional and as a person. I’ve put my ideas out there and people have responded. I’ve been able to use that feedback to learn and grow. People have recognized the willingness to communicate and opened doors that I never even knew existed before. And I’ve made such a wide ranging, supportive group of friends that I know I never could have made without the blogging. I’m truly thankful, if not exactly humbled.
I’m looking forward to blogging for the foreseeable future. It feels like I blinked and five years have gone by. I hope I’m still blogging in another five years, but who knows what the future will bring. If it’s anything like the last five years, I can’t imagine where I’ll end up, but it’ll definitely be an amazing journey. And I’ll learn a lot along the way.
Disgruntled hackers targeted the Brazilian Olympic Committee's website to complain about the country's poor performance at the Beijing Games. More here.
The hackers replaced regular content with criticisms of Brazilian athletes, the committee said.
"Brazil stinks in these Olympics" was one of the messages posted, according to the Universo On Line news service of the Folha de S. Paulo newspaper.
Brazil was in 39th place with one gold and five bronze medals yesterday.
The site was not operating for several hours, including during the Brazil-Argentina semifinal football match which Argentina won 3-0.
I was on the road today and let Rich handle this week’s podcast, a decision I may regret if it earns us an ‘explicit’ tag in iTunes! Rich has posted our twelfth and final interview from the Black Hat/Defcon adventure, and appropriately this is an interview with Rich and everyone else from the panel he was on. There was drinking (and Larry) involved, so some of the language might be a bit more than we usually use on the podcast. It was a ton of fun and I might just be recovered by this time next year.
Network Security Podcast, Episode 116
A year ago, NYCResistor was conceived by a few folks around a table in the C4 hacker space in Cologne Germany. We needed a hacker space in NYC and we started building the infrastructure for our space by getting the website started, getting a jabber server up, and putting together email lists. A few months later we had 9 people committed to the idea and we incorporated so we could have a collective checking account for paying bills. A few months after that, we moved into our space in Brooklyn.
This hacker space thing is growing. It seems like every day new hacker spaces are popping up on the hackerspaces.org site.
This group is a really special blend of smarts, respect, consideration, and genuine friendship. It feels really special that exactly one year after conception, we’ve collectively invested in a laser cutter. We still have to pay it off, but we’re doing it together. We also like cake.
Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary:
The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.
“The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk,” said EFF Staff Attorney Marcia Hofmann. “A presentation at a security conference is not some sort of computer intrusion. It’s protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security — the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not.”
This sets a good precedent for future cases, and perhaps next time a similar situation arises, a judge will not be so quick to issue a gag order. It’s not a happy ending yet though, as the original lawsuit is still in effect.
As Chris Wysopal pointed out last week, the MBTA’s ire is misdirected. Rather than suing the vendor who sold them the defective system, they sued and attempted to silence the students who discovered the weakness. This is 2008, not 1988 — did they honestly think a gag order would prevent the information from reaching the general public? The DEFCON presentation was already available on the Intertubes prior to the injunction being issued, and the MBTA attorneys included a copy of the confidential whitepaper with their filing, thereby making it public.
I guess you wouldn’t expect that a transit authority would have paid any attention to the Ciscogate fiasco from a few years ago. That presentation never got out either, did it? All that taxpayer money the MBTA spent on ridiculous lawsuits and restraining orders could have been put toward fixing the security flaws. What a concept.
The third and last Inmarsat 4 mobile-broadband satellite was successfully placed into orbit Tuesday by an International Launch Services (ILS) Proton Breeze M rocket, ILS and Inmarsat announced. More here.
The launch completed a decade-long, $1.5 billion investment by London-based Inmarsat and returned ILS to commercial service five months after a failure that forced a redesign of the Proton Breeze M upper stage.
The 13,139-pound (5,960-kg) Inmarsat 4 F3 satellite will be operated from 98 degrees west. Once its operations begin there, the two other Inmarsat 4 satellites will be moved to new orbital slots to optimize global broadband data services from the three-satellite system. Moving these two satellites will cause partial shutdowns of Inmarsat broadband services for a five-week period as the Inmarsat 4 F2 is moved from 53 degrees west to 25 degrees west, and then for a three-week period during the relocation of Inmarsat 4 F1 from 64 degrees east to 143.5 degrees east.
Operating three satellites in geostationary orbit will permit Inmarsat to offer broadband data and hand-held telephone access globally, except for the polar regions. The two previously launched Inmarsat 4 satellites, in orbit since March and November 2005, have provided services to 85 percent of the Earth's land mass but have left broad coverage gaps in the Pacific Ocean region.
A bit of a different episode this week. Since Martin is traveling, rather than a guest host this week we’re posting the last of the interviews recorded at DefCon, but this one is a doozy. David Mortman, Dave Maynor, Chris Hoff, Robert “RSnake” Hansen, and Larry Pesce joined us immediately after we all finished our DefCon panel. Martin, as the sober one, interviews us as we record what is our first clearly explicit podcast. Yes folks, we hit all 7 dirty words plus a few bonuses. Not to worry, we do include some content as we discuss what we covered in the panel and whatever other topics flew into our adult-beverage-addled brains. We had a heck of a lot of fun putting the DefCon back into DefCon, and we hope you enjoy this little slice of the unfiltered.
Yes, this really is an explicit episode, so consider yourselves warned.
Network Security Podcast, Episode 116
Length: 24:00 (or so)