SECURITY TOOLS
DOWNLOAD FREE APP SIGNAL.ORG
Speak Freely Say "hello" to a different messaging experience. An unexpected focus on privacy,
combined with all of the features you expect.
SECURE YOUR CODE
LEARN HOW THE INTERNET WORKS - HUBS AND SPOKES - NETWORKS, BROADBAND, PORTS
Software companies should either make their products open source, so buyers can see what they are getting and change what they don't like, or bear the consequences when their software fails.
Searching the Deep Web - https://www.shodan.io/explore
If they get a really low score, “we can guarantee that … they're doing so many things wrong that there are vulnerabilities” in their code. — Sarah Zatko
Peiter Zatko and his wife Sarah, a former NSA mathematician, have developed a first-of-its-kind method for testing and scoring the security of software at the Cyber Independent Testing Lab. The technique analyzes binary software files with algorithms Sarah created to measure the security hygiene of the code. The examination is static analysis (the binary is inspected without being executed) and works through a checklist of more than 300 items. The lab is not looking for specific vulnerabilities, but for signs that the developers employed defensive coding methods to build armor into their code; a binary that shows none of them scores low whether or not a particular bug has been found in it.
Software developers can test their code for conformance to CERT secure coding standards by using the CERT Program's Source Code Analysis Laboratory, or SCALe. To learn more, watch a free webinar about SCALe.
Most software vulnerabilities stem from a relatively small number of common programming errors. Coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to manually or automatically evaluate source code.
Members of the CERT Secure Coding Initiative have analyzed thousands of vulnerability reports to identify insecure coding practices and develop secure coding standards, which software developers can use to reduce or eliminate vulnerabilities before deployment.
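As an added illustration of what a checklist-style static scan looks like (this is not SCALe or the Zatkos' tooling, and the C snippet it scans is constructed), the script below runs three real CERT C rule checks over source text and reports a crude hygiene score. The rule identifiers are CERT's; the regular expressions and the scoring formula are assumptions of this example.

```python
"""Toy static checker in the spirit of a CERT C secure-coding checklist.
Added illustration, not SCALe or the CITL tooling; the C snippet is constructed."""
import re

# Constructed C source with three rule violations and one compliant call.
SAMPLE_C = r"""
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                 /* unbounded copy into a 32-byte buffer */
    printf(name);                      /* caller-controlled format string */
    snprintf(buf, sizeof buf, "%s", name);   /* compliant: bounded, literal format */
    gets(buf);                         /* cannot be used safely at all */
}
"""

# (rule id, pattern, advice). Rule ids are the real CERT C identifiers;
# the patterns are deliberately simple and only catch the obvious cases.
RULES = [
    ("STR31-C", re.compile(r"\b(strcpy|strcat|sprintf)\s*\("),
     "unbounded string write; pass an explicit size (snprintf/strncpy) and check the result"),
    ("MSC24-C", re.compile(r"\bgets\s*\("),
     "gets() is obsolescent and cannot be bounded; use fgets()"),
    ("FIO30-C", re.compile(r"\b(printf|fprintf|syslog)\s*\(\s*(?:\w+\s*,\s*)?[A-Za-z_]\w*\s*\)"),
     'format argument is a variable, not a string literal; use "%s" and pass the value'),
]

def strip_comments(line):
    """Drop /* */ and // comment text so rule words inside comments do not fire."""
    line = re.sub(r"/\*.*?\*/", "", line)
    return line.split("//", 1)[0]

def scan(source):
    """Return [(line_number, rule_id, advice)] for every rule hit."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = strip_comments(raw)
        for rule_id, pattern, advice in RULES:
            if pattern.search(code):
                findings.append((lineno, rule_id, advice))
    return findings

def hygiene_score(source):
    """Crude hygiene metric (assumption of this example): fraction of
    non-empty code lines with no rule hit, rounded to two places."""
    lines = [l for l in source.splitlines() if strip_comments(l).strip()]
    bad = {lineno for lineno, _, _ in scan(source)}
    return round(1 - len(bad) / len(lines), 2) if lines else 1.0

if __name__ == "__main__":
    for lineno, rule_id, advice in scan(SAMPLE_C):
        print(f"line {lineno}: {rule_id}: {advice}")
    print("hygiene score:", hygiene_score(SAMPLE_C))
```

The point of the score is the one the Zatkos make: it says nothing about whether a specific exploitable bug exists, only that the code shows (or lacks) the defensive habits that keep such bugs rare.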
The Hacking Technologies Used by Law Enforcement [code word: Tailored Solutions]
NIST Special Publication 800-88, Guidelines for Media Sanitization: NIST/DoD instructions for wiping storage media.
Christopher Soghoian, Principal Technologist, ACLU: the first-ever law-school discussion panel on law enforcement hacking, held at Yale. On FBI hacking, the ACLU's comments to the federal rules committee are a must read.
TIPS
Security Tools for beginners
PRIVACY ANALYSIS
SANS Institute
How To Eliminate the Top Ten Security Threats
SURF AND EMAIL ANONYMOUSLY
LINUX
How To Safely Integrate Technology Tools into the Classroom
Political Junkie Campaign Contributions - who gave what to whom
NET CENSORSHIP
Censorware Companies and Saudi Arabia Censorship
How to Obscure Any URL
Zone Alarm
UCITA
VIRUS ALERTS & URBAN LEGENDS
LINKS
NSA Playset Forget intrusion software, and get yourself some unregulated intrusion hardware! Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
THE BEST VPN SERVICE - Snowden urges consumers to adopt more secure file storage systems that are less susceptible to government surveillance.
Drop boxes: SecureDrop, originally created by the late Aaron Swartz. Dropbox is hostile to privacy; SpiderOak offers 'zero knowledge' storage.
Find and remove malware with the free Sophos Virus Removal Tool
Espionage
3/11/14 World's first 3-D acoustic cloaking device hides objects from sound "...Using little more than a few perforated sheets of plastic and a staggering amount of number crunching, Duke engineers have demonstrated the world's first three-dimensional acoustic cloak. The new device reroutes sound waves to create the impression that both the cloak and anything beneath it are not there. The acoustic cloaking device works in all three dimensions, no matter which direction the sound is coming from or where the observer is located, and holds potential for future applications such as sonar avoidance and architectural acoustics...."
Keyboard Sniffers
There are many reasons someone might want to record the keystrokes of a keyboard: monitoring a child's internet activity, an unfaithful spouse or an employee, or just making sure no one is monitoring you.
There are two types of sniffers, hardware and software. With a software sniffer you need access to the computer you want to monitor so that you can install the software. If the computer has a password you're out of luck, and if you do manage to log in, chances are that whatever antivirus or anti-spyware product is running will detect your keylogger. Hardware keyloggers only require physical access to the PC: unplug the keyboard, plug the sniffer into the computer, attach the keyboard to the sniffer and walk away. Because the device sits in the cable between keyboard and host, no antivirus on the host can see the keystrokes being captured; the only check against it is a physical inspection of the keyboard cable and ports.
A few days later, unplug the device, reattach the keyboard and head home. On your own computer, attach the device as before, enter your secret code and you have access to all the recorded keystrokes. Expect to pay about $60 to $150 for a keyboard sniffer that plugs into the keyboard; not free, but considering the hassle of installing a software keylogger it may be the best route. If you're interested in a free software keylogger, BFK, visit bfk.sourceforge.net
Breaking the Silk Road's Captcha
GNU
The GNU Privacy Handbook Copyright © 1999 by The Free Software Foundation
Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems. If you do have something important to hide, you are in good company; GnuPG is one of the tools that Edward Snowden used to uncover his secrets about the NSA.
Email Self-Defense learn how and why you should use GnuPG for your electronic communication.
Zimmermann's $20 a month Silent Circle encryption service. Facebook tops health insurers, banks, and even the federal government as today's No. 1 privacy threat.
SECURITY
How To Secure Wifi - wireless LAN tools
CVSS Score Distribution For Top 50 Vendors By Total Number Of Distinct Vulnerabilities
Attackers compromised vulnerable content-management servers with a customized version of the "itsoknoproblembro" DDoS toolkit, likely using a vulnerability in the default Bluestork Joomla template. [After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself. See Turning Tables: ID'ing The Hacker Behind The Keyboard.]
The New Norm: the average denial-of-service attack falls far short of the volume of traffic leveled at targeted sites during Operation Ababil. While Arbor declined to give bandwidth figures, DDoS mitigation firm Prolexic stated that the attack reached 70 Gbps and 30 million packets per second against some of its customers. Another source familiar with the attacks, who asked not to be named, pegged the bandwidth as high as 100 Gbps. "If someone said your core enterprise publishing server is being used in an attack, (the security team) would have to get management permission to shut down the server, because it would have a business effect," he says.
http://www.darkreading.com/advanced-threats/167901091/security/perimeter-security/240008534/serious-attackers-paired-with-online-mob-in-bank-attacks.html
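The figures above (tens of Gbps, tens of millions of packets per second, traffic sourced from many compromised servers) are exactly what a volumetric detector keys on. As an added example, not code from Arbor, Prolexic or the article, the script below aggregates NetFlow-style records per destination and per second, reports bit rate, packet rate and source count, and raises an alert when either rate crosses a limit. The flow records are constructed, the IP addresses are documentation ranges, and the thresholds are assumptions to be sized to the link being defended.

```python
"""Per-destination volumetric flood detector over NetFlow-style records.
Added example for the Ababil figures above; not Arbor's or Prolexic's code."""
from collections import defaultdict

# Constructed flow records, not a capture from the attacks in the article.
# Fields: epoch second, source IP, destination IP, packets, bytes.
# 198.51.100.5 is a hypothetical flooded site; 198.51.100.9 sees normal traffic.
SAMPLE_FLOWS = """\
1000 203.0.113.10 198.51.100.5 40000 48000000
1000 203.0.113.11 198.51.100.5 35000 42000000
1000 203.0.113.12 198.51.100.5 38000 45000000
1000 192.0.2.7 198.51.100.9 300 400000
1001 203.0.113.10 198.51.100.5 41000 49000000
1001 203.0.113.13 198.51.100.5 36000 43000000
1001 192.0.2.8 198.51.100.9 280 380000
"""

def parse_flows(text):
    """Parse whitespace-separated records into (second, src, dst, packets, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, pkts, nbytes = line.split()
        flows.append((int(ts), src, dst, int(pkts), int(nbytes)))
    return flows

def per_second(flows):
    """Aggregate packets, bits and distinct sources per (destination, second)."""
    buckets = defaultdict(lambda: {"pps": 0, "bps": 0, "sources": set()})
    for ts, src, dst, pkts, nbytes in flows:
        b = buckets[(dst, ts)]
        b["pps"] += pkts
        b["bps"] += nbytes * 8
        b["sources"].add(src)
    return buckets

def detect(flows, pps_limit=100_000, bps_limit=500_000_000, min_sources=3):
    """Alert on any second where a destination exceeds either limit.
    The default thresholds are assumptions for this toy (100 kpps, 500 Mbps)."""
    alerts = []
    for (dst, ts), b in sorted(per_second(flows).items()):
        if b["pps"] < pps_limit and b["bps"] < bps_limit:
            continue
        alerts.append({
            "dst": dst, "second": ts, "pps": b["pps"], "bps": b["bps"],
            "gbps": round(b["bps"] / 1e9, 3),
            "distinct_sources": len(b["sources"]),
            "kind": "distributed" if len(b["sources"]) >= min_sources else "few-source",
        })
    return alerts

if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS)):
        print(f'{a["second"]} {a["dst"]}: {a["gbps"]} Gbps, {a["pps"]} pps, '
              f'{a["distinct_sources"]} sources ({a["kind"]})')
```

At the volumes quoted in the article the detection has to run at the upstream provider or scrubbing centre, since a 70 Gbps flood saturates a typical enterprise uplink long before any on-premises sensor sees it; the source count is what separates a botnet of hijacked CMS servers from a single misbehaving host, and the quote about needing management permission to shut down a participating server is the reason an alert like this should map to a pre-approved playbook.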
Man In The Middle
mitmproxy: a man-in-the-middle proxy.
sendsafely.com: SendSafely offers a radically new way to securely send and receive files. Share files in minutes using 256-bit PGP encryption. Upload files, share the link, grab a sandwich... you're done. It couldn't get any easier.
Do not install Amazon browser apps; this prevents the Amazon man-in-the-middle attack. From 2013: "Insecure browser addons may leak all your encrypted SSL traffic, exploits included. Let me show you how you can view all SSL encrypted data, via exploiting Amazon 1Button App installed on your victims' browsers. Plaintext traffic is dead easy to sniff and modify."
Encryption Tool
- Free
- Uses recognizable and known encryption algorithms
- Works sensibly with a container file that can be treated as external data (i.e. backed up to tape in its entirety)
- Source code available
- No adware or "wouldn't you like to buy me now?"
- Small footprint
- Like anything, it has as many legitimate as illegitimate uses; this is public information and, ironically, was brought to my attention by some of the top security experts in the industry.
Creates a virtual drive inside of any object of your choosing. But goes one better. You can encrypt within the encryption in ways undetectable. Thus you can give a password and allow others to open it and inspect. Those looking will never know that within the encrypted space there is another deeper form of encryption. That said, I'd really hate to see the gov't or someone else shut this down. At the same time, for people traveling who are doing legitimate things that overreaching gov't officials have no right to see (and for which it is too late once compromised), this presents a valid solution. It is also incredibly useful for anyone carrying sensitive information because it gives you two layers of protection if your storage device or laptop is stolen. Know that if you mount it to a flash drive, it formats the entire drive. Most people create an object and mount it to that. Also, never, ever forget your password - did that once - and lost 50 megs worth of data. (You might want to use RoboForm, which encrypts and protects your passwords.) There's no getting inside of this. Ever. It's about as rock solid as it gets.
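To show why the "encryption within the encryption" is undetectable, and the one way it commonly gets destroyed, here is an added toy container in Python. It is not the tool's on-disk format and not the author's code: the layout (outer header at the front, hidden header in the last 64 bytes, hidden data in the upper half of the outer volume's space), the HMAC-SHA256 counter keystream standing in for a real disk cipher, and the PBKDF2 parameters are all assumptions of this example, and the keystream construction is illustrative only, not for real data.

```python
"""Toy hidden-volume container: the whole file is random bytes, so a second
volume inside the outer volume's free space cannot be told apart from free
space without its password; and writing to the outer volume can silently
destroy it. Added illustration, not the tool's format. The HMAC-SHA256
counter keystream is a stand-in for a disk cipher and is NOT for real use."""
import hashlib
import hmac
import os
import struct

MAGIC = b"VOLHDR01"
HDR = 64        # header slot: 16-byte salt + 48-byte encrypted descriptor
ITER = 20_000   # PBKDF2 iterations (assumption for the toy)

def _key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, 32)

def _stream(key, nonce, length):
    """Keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))

def _put_header(container, hdr_off, password, start, length):
    """Write salt + encrypted (MAGIC, start, length, random pad) into a slot."""
    salt = os.urandom(16)
    desc = MAGIC + struct.pack(">QQ", start, length)
    desc += os.urandom(HDR - 16 - len(desc))
    container[hdr_off:hdr_off + 16] = salt
    container[hdr_off + 16:hdr_off + HDR] = _xor(desc, _stream(_key(password, salt), b"hdr", len(desc)))

def create(size, outer_pw, hidden_pw=None):
    """Container of random bytes; outer volume spans everything between the
    two header slots, hidden volume (if any) sits in its upper half."""
    c = bytearray(os.urandom(size))
    _put_header(c, 0, outer_pw, HDR, size - 2 * HDR)
    if hidden_pw is not None:
        h_start = size // 2
        _put_header(c, size - HDR, hidden_pw, h_start, size - HDR - h_start)
    return c

def open_volume(container, password):
    """Try both slots; return (start, length, key) or None. An unused slot is
    random, so a wrong password cannot tell whether a hidden volume exists."""
    for off in (0, len(container) - HDR):
        salt = bytes(container[off:off + 16])
        key = _key(password, salt)
        blob = bytes(container[off + 16:off + HDR])
        desc = _xor(blob, _stream(key, b"hdr", len(blob)))
        if desc[:8] == MAGIC:
            start, length = struct.unpack(">QQ", desc[8:24])
            return start, length, key
    return None

def write(container, vol, offset, data):
    start, length, key = vol
    if offset + len(data) > length:
        raise ValueError("write past end of volume")
    ks = _stream(key, b"data", offset + len(data))[offset:]
    container[start + offset:start + offset + len(data)] = _xor(data, ks)

def read(container, vol, offset, n):
    start, length, key = vol
    ks = _stream(key, b"data", offset + n)[offset:]
    return _xor(bytes(container[start + offset:start + offset + n]), ks)

def demo(size=4096):
    """Returns (outer_ok, hidden_ok, wrong_pw_is_none, outer_sees_junk, hidden_clobbered)."""
    c = create(size, "outer-pass", "hidden-pass")
    outer = open_volume(c, "outer-pass")
    hidden = open_volume(c, "hidden-pass")
    write(c, outer, 0, b"vacation photos")
    write(c, hidden, 0, b"source documents")
    outer_ok = read(c, outer, 0, 15) == b"vacation photos"
    hidden_ok = read(c, hidden, 0, 16) == b"source documents"
    wrong = open_volume(c, "guess") is None
    # Through the outer key the hidden region is ciphertext under another key: looks like free space.
    junk = read(c, outer, size // 2 - HDR, 16) != b"source documents"
    # The hazard: filling the outer volume overwrites the hidden one without any error.
    write(c, outer, size // 2 - HDR, b"more photos.....")
    clobbered = read(c, hidden, 0, 16) != b"source documents"
    return outer_ok, hidden_ok, wrong, junk, clobbered
```

The last two results are the practical points: an inspector holding the outer password sees only random-looking free space, and exactly because the outer volume cannot see the hidden one, a large enough write to the outer volume destroys it. Real tools handle the second problem by letting you supply both passwords when mounting the outer volume so that the hidden range is marked off-limits; the toy does not, which is the failure it demonstrates.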
ENCRYPTION and SECURITY TUTORIAL (security researcher Peter Gutmann)
A Cost Analysis of Windows Vista Content Protection, by Peter Gutmann, Dept. of Computer Science, 12/27/06
It details how Vista is intentionally crippled to protect "premium content", and the possible effects on OSS, drivers, etc.
Executive Summary:
Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called "premium content", typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista's content protection, and the collateral damage that this incurs throughout the computer industry.
The Vista Content Protection specification could very well constitute the longest suicide note in history. [...]
Disabling of Functionality
Vista's content protection mechanism only allows protected content to be sent over interfaces that also have content-protection facilities built in. Currently the most common high-end audio output interface is S/PDIF (Sony/Philips Digital Interface Format). Most newer audio cards, for example, feature TOSlink digital optical output for high-quality sound reproduction, and even the latest crop of motherboards with integrated audio provide at least coax (and often optical) digital output. Since S/PDIF doesn't provide any content protection, Vista requires that it be disabled when playing protected content. In other words if you've invested a pile of money into a high-end audio setup fed from a digital output, you won't be able to use it with protected content. Similarly, component (YPbPr) video will be disabled by Vista's content protection, so the same applies to a high-end video setup fed from component video. [...]
Elimination of Open-source Hardware Support
In order to prevent the creation of hardware emulators of protected output devices, Vista requires a Hardware Functionality Scan (HFS) that can be used to uniquely fingerprint a hardware device to ensure that it's (probably) genuine. In order to do this, the driver on the host PC performs an operation in the hardware (for example rendering 3D content in a graphics card) that produces a result that's unique to that device type. In order for this to work, the spec requires that the operational details of the device be kept confidential. Obviously anyone who knows enough about the workings of a device to operate it and to write a third-party driver for it (for example one for an open-source OS, or in general just any non-Windows OS) will also know enough to fake the HFS process. The only way to protect the HFS process therefore is to not release any technical details on the device beyond a minimum required for web site reviews and comparison with other products."
P2P
P2P: what they will find out about you when you use P2P and are tracked. See What You Share: a showcase of material found on peer-to-peer networks throughout the world.
TorrentSpy: "The intent behind TorrentSpy is to give the BitTorrent power-user all the information ... TorrentSpy is not meant to replace the normal BitTorrent client, ..."
BitTorrent search site hits back: "The MPAA is in essence trying to outlaw the torrent file format."
Nareos, a developer of p2p distribution technologies, announced the launch of PeerMind, a new peer-to-peer monitoring and data mining service for entertainment industry clients. The service, which the company says does not collect IP addresses of file-swappers, monitors P2P networks including eDonkey and Gnutella, and plans to add FastTrack (Kazaa) and BitTorrent soon. In addition to detailed reports and custom research, Beverly Hills, Calif.-based Nareos will also publish free weekly charts of the most-downloaded songs, movies, software, video games and ringtones on file-sharing services.
PCHelp's Network Tracer: TRACE.BAT is an MS-DOS batch process which uses standard network query utilities to work up a handy report on a given Internet address.
YaCy, a p2p-based distributed Web search engine
DIGITAL RIGHTS MANAGEMENT
Digital Rights Management Tools
Insecure.org OpenDVD Project Launched and more.
Peer to Peer Technology
Peer-to-peer computing is the sharing of computer resources and services by direct exchange between systems. These resources and services include the exchange of information, processing cycles, cache storage, and disk storage for files. Peer-to-peer computing takes advantage of existing desktop computing power and networking connectivity, allowing economical clients to leverage their collective power to benefit the entire enterprise.
Free CD-DA Extractor rips audio CDs and converts audio files. The application supports the following formats: MP3 (MP1, MP2, MP3), MPEG-4/AAC (M4A), OGG Vorbis (OGG), WAV, Monkey's Audio (APE), and FLAC formats.
EphPod is a full-featured, easy-to-use Windows application that connects with Apple's iPod. With a FireWire card and EphPod on a PC, it takes under 30 minutes to transfer 1,000 songs to an iPod. In addition, EphPod supports standard WinAmp (.M3U) playlists, includes powerful playlist creation features, and will synchronize an entire music collection with one click. It imports Microsoft Outlook contacts, in addition to allowing users to create and edit their own contacts. EphPod can also download the latest news, weather, e-books, and movie listings to an iPod.
CD / DVD Backup Workarounds or http://www.cdmediaworld.com/
- WCT/WPPT goals include preventing every unauthorized use
- DMCA goal -- preventing unauthorized copying or use of work
- DRM goal -- their products let publishers control every use of a work, right down to private home viewing.
Why Workarounds?
Copyright law doesn't give publishers the right to control or hinder the public's exercise of their fair use rights by "preventing unauthorized copying or use of work". Some unauthorized copying and some unauthorized uses have always been legal, and these workarounds prevent turning copyright from a limited monopoly into an absolute, unlimited monopoly by deciding what is "authorized".
I.R.C. - Used to transfer big files that an e-mail system would reject, without burning a disc and putting it in the mailbox; the file-transfer capability in I.R.C. may be the most convenient way. The F.B.I. is interested in the best way to monitor the traffic. IRC started in the 1980s; users communicate in real-time chat rooms known as channels. The whole idea behind I.R.C. is freedom of speech. This is also where to find illegal software vaults on the Internet: pirates generally use I.R.C. to communicate and coordinate with one another. Warez, pronounced like wares, is techie slang for illegally copied software. Because I.R.C. is generally a text-only medium, it does not require high-capacity Internet connections, making it relatively easy to run a private I.R.C. server from home. I.R.C. server software: developed by William A. Bierman, known online as billy-jon. There are also public I.R.C. networks, like DALnet, EFNet and Undernet; each typically ties together dozens of individual chat servers that may handle thousands of individual users each. Rob Mosher, known online as nyt (for knight), runs a server in the EFNet network. First, the user downloads an I.R.C. client program; the most popular is a Windows shareware program known as mIRC (www.mirc.com). When users run the I.R.C. program, they can choose among dozens of public networks. Within a given network, it does not really matter which individual server one uses. If users know the Internet address of a private server, they can type in that address. Once logged in to a public server, the user can generate a list of thousands of available channels. On an unmoderated network, the most popular channels are often dedicated to trading music, films and software. In addition to supporting text-only chat rooms, I.R.C. allows a user to send a file directly to another user (DCC, direct client-to-client) without clogging the main server. irc://undernet/gettogether see
http://www.irc.org/
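The direct user-to-user file transfer described above is negotiated in band: the sender's client puts a CTCP "DCC SEND" offer, carrying a filename, the sender's IP as a 32-bit integer, and a port, inside an ordinary PRIVMSG, and the receiver then connects out to that address. The script below, added here as an example and not taken from mIRC, irc.org or any server, parses raw IRC lines, decodes such offers, and flags the two things anyone monitoring this traffic would want flagged: an offered address that does not match the sender's visible host, and an executable filename. The log lines are constructed, and the two risk checks are heuristics of this example rather than part of the protocol.

```python
"""IRC line parser plus CTCP DCC SEND decoder: the "send a file directly to
another user" feature above. Added example; the log lines are constructed
and the host/IP mismatch check is a heuristic of this example, not protocol."""
import ipaddress
import re

# Constructed log; hosts and addresses are documentation ranges.
SAMPLE_LOG = (
    ":nyt!~rob@example.net JOIN #gettogether\n"
    ":alice!~al@203.0.113.5 PRIVMSG #gettogether :anyone have the new build?\n"
    ":bob!~bob@198.51.100.7 PRIVMSG alice :\x01DCC SEND setup.exe 3325256711 6667 1048576\x01\n"
    ":mallory!~m@192.0.2.9 PRIVMSG alice :\x01DCC SEND photo.jpg.scr 3232235777 59 4096\x01\n"
    ":irc.undernet.org 366 alice #gettogether :End of /NAMES list.\n"
    "PING :irc.undernet.org\n"
)

DCC_SEND = re.compile(r"^\x01DCC SEND (\S+) (\d+) (\d+)(?: (\d+))?\x01$")
EXEC_EXT = {"exe", "scr", "bat", "com", "pif", "vbs", "js", "cmd"}

def parse_irc(line):
    """Split one raw line into prefix, command, params and trailing (RFC 1459 framing)."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    return {"prefix": prefix, "command": parts[0], "params": parts[1:], "trailing": trailing}

def nick_of(prefix):
    return prefix.split("!", 1)[0] if prefix else None

def host_of(prefix):
    return prefix.rsplit("@", 1)[1] if prefix and "@" in prefix else None

def parse_dcc_send(msg):
    """Decode a DCC SEND offer: filename, 32-bit integer IP, port, optional size."""
    if msg["command"] != "PRIVMSG":
        return None
    m = DCC_SEND.match(msg["trailing"] or "")
    if not m:
        return None
    name, ip_int, port, size = m.groups()
    return {"from": nick_of(msg["prefix"]), "to": msg["params"][0], "filename": name,
            "ip": str(ipaddress.IPv4Address(int(ip_int))), "port": int(port),
            "size": int(size) if size else None}

def risk_flags(msg, offer):
    """Heuristics: offered IP differs from the sender's visible host; executable name."""
    flags = []
    host = host_of(msg["prefix"])
    try:
        if host and ipaddress.ip_address(host) != ipaddress.ip_address(offer["ip"]):
            flags.append("ip-mismatch")
    except ValueError:
        pass  # hostname or cloak rather than an address: cannot compare
    if offer["filename"].lower().rsplit(".", 1)[-1] in EXEC_EXT:
        flags.append("executable")
    return flags

def dcc_offers(log):
    """Return every DCC SEND offer in the log with its risk flags attached."""
    offers = []
    for line in log.splitlines():
        if not line.strip():
            continue
        msg = parse_irc(line)
        offer = parse_dcc_send(msg)
        if offer:
            offer["flags"] = risk_flags(msg, offer)
            offers.append(offer)
    return offers

if __name__ == "__main__":
    for o in dcc_offers(SAMPLE_LOG):
        print(f'{o["from"]} -> {o["to"]}: {o["filename"]} from {o["ip"]}:{o["port"]} {o["flags"]}')
```

Because the receiver initiates the TCP connection, the offer's address and port are whatever the sender chose to advertise; the server never validates them, which is why the mismatch check compares them against the host the server did see.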
http://www.free-codecs.com/
http://www.codecsdownload.com/
VIDEO CODECS - K-Lite Codec Pack, Tsunami Codec Pack, Nimo Codec Pack, DivX Free, ACE Mega CoDecS, Koepi's XviD, Codec Pack All in 1
AUDIO CODECS - LAME MP3 Encoder, BladeEnc, Fraunhofer Radium MP3, AC3 Filter, Vorbis Ogg ACM Codec, AC3 Decoder, MPEG Layer-3 Codec
TOOLS - Real Alternative, QuickTime Alternative, BSplayer, Media Player Classic, GSpot, VideoLAN, Winamp
Traveling with a laptop
U.S. agents can seize travelers' laptops: report. "U.S. federal agents have been given new powers to seize travelers' laptops and other electronic devices at the border and hold them for unspecified periods."
Keep Your Data Safe at the Border, CNet, May 5, 2008: use cloud computing or your own home server or whatever, and transfer it in encrypted form end-to-end.
VMware - run multiple operating systems simultaneously on a single PC. How-to: create your own virtual machines.
http://www.lorenzoferrara.net/old-site/blog/pivot/entry.php?id=73
http://www.hackaday.com/2005/10/24/how-to-vmware-player-modification/
The only "safe" way to get your laptop into the US would be to create a VM containing your chosen OS and data and then leave this at home. Travel without a laptop until you arrive at your destination. At this point you can acquire a machine, generate a keypair and export the public key. A trusted third party then encrypts the VM and makes it available for download, probably with a service like Amazon's S3.
Amazon S3 is based on the idea that quality Internet-based storage should be taken for granted. It helps free developers from worrying about how they will store their data, whether it will be safe and secure, or whether they will have enough storage available. It frees them from the upfront costs of setting up their own storage solution as well as the ongoing costs of maintaining and scaling their storage servers. The functionality of Amazon S3 is simple and robust: store any amount of data inexpensively and securely, while ensuring that the data will always be available when you need it. Amazon S3 enables developers to focus on innovating with data, rather than figuring out how to store it.
The VM can contain all your actual data in encrypted volumes, to minimize the risk of having to trust a third party (though this would require transporting a private key inside the VM). This way you avoid the problem of taking data through the border and also of taking a password through with you: the keys don't exist yet, so how could you reveal the password? Nothing carried through and nothing concealed.
If you're willing to expose a port on your home network, then from your destination you could use scp to transfer the VM to your location using password authentication. Then you do not have to trust a third party.
- Electronic Frontier Foundation
- The Center for Democracy and Technology
- Peter Swire Privacy Senior Fellow, Center for American Progress
What Is Unicode: Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.
DSL ONLINE SECURITY running a test attack courtesy of Steve Gibson's (Gibson Research). To run this test, click on his Shields Up message. You will then be given an opportunity to initiate an immediate remote test attack on your computer's current defenses (fire walls) and ports.
IBM 4758 cryptographic coprocessor, designed to destroy itself if it detects an intrusion attempt. Coprocessor features "physical penetration, power sequencing, temperature, and radiation sensors to detect physical attacks against the encapsulated subsystem." The U.S. government has certified it to meet the FIPS 140-1 standard at level 4, the most secure.
StockCop.com
Not a law firm. A web site that assists defrauded investors: ex-Wall Streeters bring their expertise directly to the investing public. Through a free proprietary service called Advanced Investor Response they provide investors with an insider's view of how the brokerage industry works.
CYBERTIPLINE HOTLINE FOR MISSING AND ABUSED CHILDREN - REPORT INTERNET SEXUAL MISCONDUCT ONLINE AS IT IS HAPPENING - 1-800-843-5678
SPYWARE TROJANS
The computer spy that steals your passwords and credit [1]
ABOUT three weeks ago, Cheryl Lambert bought a £179 surfboard on eBay for her daughter. Soon after, she noticed her computer started to behave erratically and within a few days it had ground to a halt. "It just completely crashed," said Lambert, 38, a community worker who lives in Helston, Cornwall. "The anti-virus software was saying the computer was infected, but it just couldn't fight it. The computer got slower and slower and then it just stopped."
A few days after her desktop machine was unplugged from the internet, Lambert's personal details appeared on a Russian website.
Her home phone number, her address, her credit card number and her e-mail address with Tesco were all listed on a forum where criminals and computer hackers trade stolen identities. Lambert cancelled her gold Lloyds TSB card when she was alerted by The Sunday Times to what had happened, but one fraudulent transaction for £10.70 had already been made.
Lambert is believed to have fallen victim to malicious "trojan" software. This can be unwittingly downloaded from an e-mail attachment or website and then quietly records details of passwords, security codes and credit card numbers used on secure websites. The information is relayed back to the author of the malicious software.
The Russian website that posted Lambert's details is one of a network of sites which trade in stolen identities. Thousands of passwords for e-mail accounts, security numbers for credit cards and access codes for shopping websites are offered for sale online after being "harvested" from trojan software.
In a four-week investigation a Sunday Times reporter approached users on Russian websites who were offering stolen identities for sale. The site includes a step-by-step guide to stealing identities and using the information without detection.
The reporter was offered stolen data on British citizens ranging in price from $2 to $5 per person. She requested a free sample and at 11.50pm on August 23 the details of more than 30 individuals were posted online, 13 of whom were British.
Max Haffenden, 27, an IT worker from Bexhill-on-Sea in East Sussex, was among those on the list and he confirmed last week that The Sunday Times had obtained his secret password from the Russian website. He uses the password - which has now been cancelled - for his personal Yahoo! e-mail account, payment transfers using PayPal and online shopping accounts.
"I am amazed someone could have got access to these details," he said. "I have a good idea of how computers work and how to be as secure as possible. I only trust a site with my details if it has a "padlock" to show it is a secure server."
Haffenden, who used a computer firewall and anti-virus software, said his computer's systems alerted him to malicious software, which he said might have been a trojan, about a year ago. He was unable to fix the problem but said it did not affect the performance of his computer.
Others on the list said there had been no apparent problems with their machines. Nick Riches, 40, from Basingstoke in Hampshire, who also works in the computer industry, was among those targeted. He confirmed his "standard secure password" had been obtained by the Russian website, along with his Hotmail access, his home address and details of a NatWest card. He said he regularly scanned his computer for viruses but had not been aware of any malicious software.
There was evidence last week that the fraudsters had already used some of the personal data to steal money. Cards belonging to Haffenden and Riches had been used without their permission on an internet gambling site, Unibet, in the past month with payments of £400 and £512.50.
Stolen data offered on foreign websites is usually obtained from hacking into the database of an online company to obtain customers' details or from infiltrating a personal computer.
While nearly all computer users are alert to the threat from viruses, many are unaware of trojans, which can covertly install themselves via a website or e-mail attachment.
Carole Theriault, senior security consultant at Sophos, an internet security company, said: "Viruses basically had bells and whistles to say "we've got you" and spread rapidly around the internet. Trojans are very different. They don't spread on their own and may not even affect the performance of your computer, but when you go on sites like eBay or check your account online, they can record the keys you press.
"About 70% of the reports of new threats of malicious software are trojans. The people who send them out don't hit so many computers because they don't want to make the headlines."
Theriault said that a firewall and regularly updated anti-virus software would help reduce the threat from trojans, but there was no 100% solution. "It's like driving a car," she said. "There's always a risk. You just have to do everything you can to reduce it."
One of the problems is that some trojans are not always identified by anti-virus software. One trojan, called A311 Death or Haxdoor, has infected an estimated 35,000 computers worldwide, including 10,000 in Australia.
A warning from the Australian Computer Emergency Response Team stated: "If your computer is already compromised with an input/output monitoring trojan, SSL (encryption) cannot prevent the trojan from capturing web form data, keystrokes, and passwords."
In the UK many people are unaware of the threat. An official Home Office leaflet providing advice on identity theft does not even mention the importance of computer security. The government does, however, support a website, Get Safe Online, which provides information on protecting a home computer.
Despite the warnings and security software available, obtaining personal data stolen from British computers is easy. It is also cheap, with passwords being traded online for as little as £1.
Using an internet Cyrillic keyboard to enter the word "carding" on the Google search engine, a Russian-speaking Sunday Times reporter was presented with an array of sites offering stolen data and bogus identity documents.
One website - called carders0.tripod.com - had a virtual shopping basket of identity fraud, with "buy now" icons next to every item. The products on sale included credit cards - both fake and real - driving licences, travellers' cheques, fake passports and machines to make credit cards. The site included starter packs for fledgling fraudsters as well.
The same site also offered a service called Rebirth in which visitors were offered the chance to "buy a whole new identity from Britain or Ireland". Costing £13,000, the package offered a new passport and a birth certificate. The Sunday Times was unable to confirm whether genuine documents would be exchanged for an online payment.
At the lower end of the scale, a range of websites offered stolen data that could be used to access subscription services, pay for goods online or transfer funds. Some of the data are even posted for free as samples to interested buyers. After using the data, one user of http://www.carder.info commented on the website: "Thanks, found some valid stuff. Put up more."
The batch of stolen data provided to the reporter included passwords for e-mail accounts, credit card numbers and home telephone numbers of people in Bishop's Stortford in Hertfordshire, Spalding in Lincolnshire, Blackpool, Hartlepool and Glasgow.
A week after the reporter was given the sample, she was able to retrieve the passwords for the PayPal accounts of 19 Britons from the site. The information would enable fraudsters to gain access to accounts and transfer funds.
The www.carder.info site is registered to 340 Pushkinskaya in Moscow. The house number does not exist. The Russian-based company that hosts the site, Net of National Telecommunications, would not comment last week, but is understood to be in contact with police about any suspected illegal transactions.
Lennart Ehlinger, group security controller for the London-based Unibet, said it was difficult to detect fraudulent use of credit cards if the fraudster was able to provide a security code, number and home address.
A spokesman for Apacs, the UK payments association, said hackers who stole personal information often evaded detection by using a network of foreign websites.
A spokesman for PayPal said its servers were secure, but information on passwords was sometimes compromised by trojan software and "phishing", which uses spoof websites to obtain user information.
HOW TO STAY SAFE ONLINE
The risks can never be wholly eliminated, but experts recommend:
* Never go online without first ensuring your computer is protected with a firewall and anti-virus
software. An unprotected computer is on average infected within 12 minutes of being plugged into the
internet, according to research by Sophos, the computer security company.
* Always make sure you have the latest anti-virus software
* Consider installing software that scans your system for downloads that secretly monitor your computer use. Products such as Spybot Search & Destroy (www.safer-networking.org) can be downloaded free.
* Never download software from unknown sites. The downloads can harbour trojans. Similarly, never open e-mail attachments from unknown sources.
* When entering details on a banking website or payment service, such as PayPal, carefully check the website address. A trojan can direct a computer to a spoof site.
* If your computer is performing erratically or slowing down, then scan it with anti-virus software.
SPYWARE ROOT KITS
Rootkit Removal Tools by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Rootkits are a growing problem, and as you might expect, the list of tools that can help you prevent rootkit infiltration is also growing. The list of standalone tools that can help with rootkit detection and removal is also expanding. This week, I give you a list of the standalone detection and removal tools that I know about.
The alphabetical list below can be a resource to help you add some useful tools to your security toolkit. As with antivirus and antispyware tools, using multiple rootkit detection and removal tools is a good idea because not every tool can detect and remove every rootkit.
Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight, Sophos Anti-Rootkit, and IceSword, all of which are from entities that I'm familiar with and trust to some extent or other.
A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker) look interesting, but I have no idea who the authors are, nor do their Web sites offer much information to lend insight. So although I included them in the list, definitely use your own discretion.
There are undoubtedly other related tools available that I'm not aware of; if you know of one, please send me an email with details. If you've tried one of the tools below, let me know about your experiences with it.
BitDefender RootkitUncover beta, from SoftWin
This tool is currently available as a free beta and looks promising, particularly because it's from
SoftWin, makers of BitDefender.
http://download.bitdefender.com/windows/desktop/internet_security/beta/
DarkSpy, from DarkSpy Security Group
This tool is from a group of Chinese security researchers that I'm unfamiliar with. The download page for the tool says, "Use at your own risk," and you'd be wise to take that advice; however, it might give you a little comfort to know that this tool was recently mentioned in the SANS Internet Storm Center's Handler's Diary. Click the second URL under the Helios entry below to link to that mention.
http://www.fyyre.net/~cardmagic/index_en.html
GMER, from an unknown independent Polish developer
Although no information is readily available about who developed this tool, its Web site has several screenshots and some movies (in .wmv and .avi format) that show the tool in action. So you can get a good idea of what it's like before using it.
http://www.gmer.net/
Helios, from MIEL e-Security
This is a new tool, currently in "alpha" development, that looks promising. For some good insight into Helios, go to the second URL below to read the SANS Handler's Diary entry for July 26, in which you can also see some screen shots of the tool in action.
http://helios.miel-labs.com/
RKDetector, by Miguel Tarasco Acuna
This toolkit comes in two parts: a file system analyzer and an Import Address Table (IAT) analyzer. The file system analyzer scans the file system and registry, and the IAT analyzer scans memory space for alterations that would allow rootkits to hook into the system. Screen shots are available to give you a good idea of what the tool looks like.
http://www.rkdetector.com/
RootKit Hook Analyzer, from Resplendence Software Projects
Although most rootkit detection tools look at kernel hooks, the file
system, the registry, user accounts, and so on, this particular tool
focuses exclusively on kernel hooks.
http://www.resplendence.com/hookanalyzer
RootkitRevealer, from Sysinternals
A tool written by Mark Russinovich and Bryce Cogswell, two very well
known Windows experts.
http://www.sysinternals.com/utilities/rootkitrevealer.html
System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska
These tools specifically look for hidden files and at various system components that might be modified by various rootkit techniques. Source code is included. Rutkowska is a well-known researcher.
http://www.invisiblethings.org/tools.html
PRIVACY
10 security tips for protecting data while traveling
EFF Reveals Codes in Xerox Printers
The Electronic Frontier Foundation says it has cracked the tracking codes embedded in Xerox Corp.'s
DocuColor color laser printers. Such codes are just one way that manufacturers employ technology to help
governments fight currency counterfeiting.
Public Key Cryptography in One Easy Lesson
Public key cryptography relies on two scrambling devices, called "keys", that have the following relationship. There is a public key P and a private key R. Suppose I write a sweet, sensitive love letter, filled with spiritual values, genetic imperatives, and sexual innuendo, to my current flame Veronica. Let's refer to this letter as the message M. I encrypt it with Veronica's public key P, producing the encrypted message P(M). Anyone looking at P(M) will only see a string of meaningless symbols, gibberish. When Veronica receives it, she will apply her private key R to the encrypted message, producing R(P(M)) = M, turning the apparent randomness into tears, joy, and erotic fantasy.
The key pairs P and R must have the relationship that for any message M, R(P(M)) = M. In addition, it should be practically impossible for anyone to determine M from P(M), without the associated private key R. For any other private key R', R'(P(M)) is not equal to M--it's still gibberish. The key pairs P and R also have the commutative relationship P(R(M)) = M: if you encrypt a message with your private key R, then anyone can decrypt it using your public key P.
Being able to send secure messages is one function of public key cryptography. Another function is authentication. Suppose you sent a message M to Bill. He receives the message M*. Bill doesn't know whether M* is really from you; or, even if it is from you, whether it has been altered in some way (that is, if the M* he receives is the same as the M you sent). The solution to this problem, using public key cryptography, is that you also send Bill a digital signature S along with the message M. Here is how this authentication process works.
For simplicity, assume you don't even encrypt the message to Bill. You just send him the plain message M, saying "Dear Bill: You are wrong and I am right. Here is why, blah blah blah [for a few thousand words]." Then you just sign it by the following procedure.
First you chop your message down to size, to produce a (meaningless) condensed version, where one size fits all. To do this, you need a message chopper called a "hash function." You apply the hash function H to the message M to produce a "message digest" or "hash value" H(M) which is 160 bits long. You then sign the hash value H(M) with your own private key R, producing the signature S = R(H(M)).
The receiver of the message, Bill, applies the same hash function to the received message M* to obtain its hash value H(M*). Bill then decrypts your signature S, using your public key P, to obtain P(S) = P(R(H(M))). He compares the two. If H(M*) = P(R(H(M))), then he knows the message has not been altered (that is, M* = M), and that you sent the message. That's because the equality will fail if either (1) the message was signed with some other private key R', not yours, or if (2) the received message M* was not the same as the message M that was sent [33].
By some accident, of course, it could be that Bill finds H(M*) = P(R(H(M))) even if the message has been altered, or it is not from you. But the odds of this happening are roughly 1 in 2^160, which is vanishingly small; and even if this happens for one message, it is not likely to happen with the next.
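The signing and checking steps above, worked through in Python as an added example rather than code from the article: it uses textbook RSA in the page's notation, with SHA-1 as the 160-bit hash H, and the key primes (fixed, well-known Mersenne primes), the message and the second signer R' are all constructed here.

```python
# Added example, not from the page: textbook RSA written in the page's notation.
# H is SHA-1 (160 bits), R the private key, P the public key, S = R(H(M)), and
# Bill accepts when H(M*) == P(S). The primes are fixed, well-known Mersenne
# primes and there is no padding, so this only shows the arithmetic above.
import hashlib


def keypair(p: int, q: int, e: int = 65537):
    """Return (P, R) = ((e, n), (d, n)) for primes p, q; here n = p*q > 2^160."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # modular inverse needs Python 3.8+


# Your keys (constructed): 2^127-1 and 2^89-1 are prime, so n is about 216 bits.
P, R = keypair((1 << 127) - 1, (1 << 89) - 1)
# Someone else's keys R' (constructed): 2^107-1 and 2^61-1, n' about 168 bits.
P_OTHER, R_OTHER = keypair((1 << 107) - 1, (1 << 61) - 1)


def apply_key(key, value: int) -> int:
    """Apply P or R to a number below n; P(R(x)) == R(P(x)) == x."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def H(message: bytes) -> int:
    """The page's 160-bit message digest, as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """S = R(H(M))"""
    return apply_key(private_key, H(message))


def verify(public_key, message: bytes, signature: int) -> bool:
    """Bill's check: does H(M*) equal P(S)?"""
    return apply_key(public_key, signature) == H(message)


def demo() -> dict:
    """The three cases the text describes: genuine, altered, and wrong signer."""
    m = b"Dear Bill: You are wrong and I am right. Here is why, blah blah blah"
    s = sign(R, m)
    return {
        "genuine": verify(P, m, s),                   # True
        "altered": verify(P, m + b" (edited)", s),    # False: M* != M
        "wrong_key": verify(P, m, sign(R_OTHER, m)),  # False: signed with R'
    }
```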
Keep hackers out of your business! This PCWorld article will show you how to encrypt your email using PGP Privacy. It will show you how to download, install, and configure PGP on your system. For those who are not familiar with PGP (Pretty Good Privacy), it's software that scrambles your messages so that only the intended recipient can read them. PGP has been around for quite some time and has been proven reliable.
WEB BUGS
Web bug basics - A Web Bug is a graphic on a Web page or in an Email message that is designed to monitor who is reading the Web page or Email message. Web Bugs are often invisible because they are typically only 1-by-1 pixel in size.
Destroying Web Bugs
Download Bugnosis
A privacy software package has been launched that specifically targets a new form of Internet tracking. The Privacy Foundation has unveiled Bugnosis, a special program to detect webbugs. Webbugs are tiny image files which are being used increasingly to identify and track computer users. Bugnosis, which can be downloaded through the World Wide Web, is installed as a plug-in to existing Internet browsers and causes individual computers to say "uh-oh" when a webbug is encountered. It also logs the URL associated with a given webbug as well as further details as to the intruder's properties (such as whether the bug is connected to other digital identification files, including cookies). Moreover, Bugnosis places marks on a viewed site so that the user can actually see the exact location of a particular webbug on the page. If the program discovers that a webbug is associated with certain well-known companies (such as Internet advertising giant DoubleClick), it allows the user to send an email message directly to the webbug owner for further queries or outright complaints. The Foundation hopes that this program will increase public awareness and openness about these tracking devices. For example, the organization argues that "Web site privacy policies should disclose the use of Web bugs. In fact, the general practice of online profiling by third-party ad networks should be disclosed in privacy policies, but is rarely mentioned."
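A detector for the pattern described above (a 1-by-1 image fetched from a third-party host, with its URL and query parameters recorded), added here as an example and not the Privacy Foundation's Bugnosis code; the page URL, host names and sample HTML are constructed for the example.

```python
# Added example, not the Bugnosis code: a small web-bug finder along the lines
# described above. It flags <img> tags that are 1-by-1 pixel (or zero-sized)
# and served from a host other than the page's own, then reports the URL and
# its query string, where a tracker usually carries its identifiers.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


class WebBugFinder(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        if not a.get("src"):
            return
        # Tiny or hidden images are the classic web bug footprint.
        tiny = all(a.get(k, "").strip().rstrip("px") in ("0", "1")
                   for k in ("width", "height"))
        full = urljoin(self.page_url, a["src"])
        host = urlparse(full).hostname
        if tiny and host and host != self.page_host:
            query = parse_qs(urlparse(full).query)
            self.bugs.append({"url": full, "host": host,
                              "params": {k: v[0] for k, v in query.items()}})


def find_web_bugs(page_url: str, markup: str) -> list:
    """Return suspected web bugs in markup, which was loaded from page_url."""
    finder = WebBugFinder(page_url)
    finder.feed(markup)
    return finder.bugs


# Constructed sample page: a normal logo, a third-party 1x1 tracking pixel, and
# a same-host 1x1 spacer (layout, not tracking), which should not be flagged.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png" width="200" height="60">
<img src="http://ads.tracker.test/pixel.gif?uid=A1B2&amp;campaign=spring" width="1" height="1">
<img src="/images/spacer.gif" width="1" height="1">
</body></html>"""
```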
GOVERNMENT
Department of Justice
Offers advice on how to protect against hackers and explains how to report Internet crimes; includes links to Web pages on issues like encryption and electronic privacy. The section on Internet crimes notes which agencies handle which types of crime. The site's advice for victims of computer crime, for example, boils down almost entirely to three marginally helpful words: "Call the FBI." (Anyone who has actually called a local FBI office and asked it to deal with problems such as Internet intruders quickly learns that this is an exercise in futility.) However, the site does contain lengthy arguments for the regulation of cryptography, the expansion of police powers, and the implementation of blocking technologies on the Internet. The pages at http://www.cybercrime.gov/crypto.html, which contain one-sided arguments against the availability of strong encryption and contain serious technical errors (for example, the difficulty of breaking encryption schemes such as single 56-bit DES is grossly overstated), are typical.
FOREIGN TERRORIST ORGANIZATIONS
Designations by Secretary of State Madeleine K. Albright. Released by the Office of the Coordinator for
Counterterrorism October 8, 1999. Information from the Secretary of State's office listing and
describing which organizations are considered Terrorist Groups according to the U.S. Government.
(Subject(s): Terrorism & United States. Department of State)
Computer Crime and Intellectual Property Section (CCIPS)
Attorney staff consists of about two dozen lawyers who focus exclusively on the issues raised by computer and intellectual property crime. Section attorneys advise federal prosecutors and law enforcement agents; comment upon and propose legislation; coordinate international efforts to combat computer crime; litigate cases; and train all law enforcement groups. The site includes press releases, officials' speeches, testimony to Congress, legal texts, and Justice Department reports among other things. They also cover information on prosecuting electronic intruders, privacy, searching and seizing computers, intellectual property piracy, encryption, and international aspects of Cybercrime. Since keeping cyberspace safe is of special interest to all of us, especially children, the site also provides a link to the Internet "Do's and Don'ts" section of the Justice Department's Kids' page.
FBI and the National White Collar Crime Center
A clearinghouse and training center that exists to keep law enforcement agencies up to date on white-collar crime trends. Do you have a complaint about any product, service or company and wish help resolving the complaint from the Government? "File Complaints with the right agency about products and services including online scams, lost luggage, telephone service and more."
The U.S. Federal Bureau of Investigation is using a superfast system called Carnivore to covertly search e-mails for messages from criminal suspects.
Cross-Border E-Commerce Complaints http://www.econsumer.gov
The U.S. Federal Trade Commission and twelve other countries including Australia, Finland, New Zealand, South Korea, and the U.K., unveiled e-consumer.gov, a joint effort to gather and share Cross-Border E-Commerce complaints. The project has two components: a multilingual public Web site and a government, password-protected Web site. The public site will provide general information about consumer protection in all of the participating countries, contact information for consumer protection authorities in those countries, and an online complaint form. All information will be available in English, Spanish, French and German.
FTC: INTERNET AUCTIONS
Guide for Buyers and Sellers