SECURITY ARTICLES
2018
Set Up Your Financial Accounts Like You're Going to Be Hacked. We will all, inevitably, be affected by a data breach of some kind (you likely have been already).
Freezing your credit files means lenders can't check your credit, which helps prevent scammers from opening credit lines in your name (you can still use your current credit accounts if your files are frozen; you just won't be able to open any new accounts). To be most effective, it's suggested that consumers freeze their reports at all three bureaus: Equifax, Experian and TransUnion.
The most important step is also the most obvious: creating a strong password. Don't use an obvious password like your name, your kid's name or your birthday, and don't use the same password for everything. Use a password manager like LastPass or 1Password.
2017
Russian Hackers Reportedly Stole NSA Information on How the US Defends Itself from Cyberattacks. The hackers were able to steal the information after a National Security Agency contractor took highly classified information from the agency and put it on his personal computer, multiple sources with knowledge told the Journal. The contractor was using antivirus software made by Russia-based Kaspersky Lab, the sources said, which was how the hackers were able to target the contractor. The Journal reported that the incident occurred in 2015 but wasn't uncovered until last year.
2016
Violation Tracker is a database of corporate crime and misconduct produced by the Corporate Research Project of Good Jobs First. It is available to the public for free at http://www.goodjobsfirst.org/violation-tracker
Discover Where Corporations Are Getting Taxpayer Assistance Across the United States. SUBSIDY TRACKER 3.0 is the first national search engine for economic development subsidies and other forms of government financial assistance to business.
The US gov's new Intelligence Transparency Council will, of course, meet behind closed doors (cult of classification, anyone?). obama-clinton-emails/ “What I also know, because I handle a lot of classified information, is that there are — there's classified, and then there's classified,” Obama told Fox News. “There's stuff that is really top-secret, top-secret, and there's stuff that is being presented to the president or the secretary of state, that you might not want on the transom, or going out over the wire, but is basically stuff that you could get in open-source.”
8/24/14 Breaking the Silk Road's Captcha
10/29/12 Killing the Computer to Save It By John Markoff
Many people cite Albert Einstein's aphorism “Everything should be made as simple as possible, but no simpler.” Only a handful, however, have had the opportunity to discuss the concept with the physicist over breakfast.
One of those is Peter G. Neumann, now an 80-year-old computer scientist at SRI International, a pioneering engineering research laboratory here.
As an applied-mathematics student at Harvard, Dr. Neumann <neumann@csl.sri.com> had a two-hour breakfast with Einstein on Nov. 8, 1952. What the young math student took away was a deeply held philosophy of design that has remained with him for six decades and has been his governing principle of computing and computer security.
For many of those years, Dr. Neumann (pronounced NOY-man) has remained a voice in the wilderness, tirelessly pointing out that the computer industry has a penchant for repeating the mistakes of the past. He has long been one of the nation's leading specialists in computer security, and early on he predicted that the security flaws that have accompanied the pell-mell explosion of the computer and Internet industries would have disastrous consequences.
“His biggest contribution is to stress the 'systems' nature of the security and reliability problems,” said Steven M. Bellovin, chief technology officer of the Federal Trade Commission. “That is, trouble occurs not because of one failure, but because of the way many different pieces interact.”
Dr. Bellovin said that it was Dr. Neumann who originally gave him the insight that “complex systems break in complex ways” — that the increasing complexity of modern hardware and software has made it virtually impossible to identify the flaws and vulnerabilities in computer systems and ensure that they are secure and trustworthy.
The consequence has come to pass in the form of an epidemic of computer malware and rising concerns about cyberwarfare as a threat to global security, voiced alarmingly this month by the defense secretary, Leon E. Panetta, who warned of a possible “cyber-Pearl Harbor” attack on the United States.
It is remarkable, then, that years after most of his contemporaries have retired, Dr. Neumann is still at it and has seized the opportunity to start over and redesign computers and software from a “clean slate.”
He is leading a team of researchers in an effort to completely rethink how to make computers and networks secure, in a five-year project financed by the Pentagon's Defense Advanced Research Projects Agency, or Darpa, with Robert N. Watson, a computer security researcher at Cambridge University's Computer Laboratory.
“I've been tilting at the same windmills for basically 40 years,” said Dr. Neumann recently during a lunchtime interview at a Chinese restaurant near his art-filled home in Palo Alto, Calif. “And I get the impression that most of the folks who are responsible don't want to hear about complexity. They are interested in quick and dirty solutions.”
An Early Voice for Security: Dr. Neumann, who left Bell Labs and moved to California as a single father with three young children in 1970, has occupied the same office at SRI for four decades. Until the building was recently modified to make it earthquake-resistant, the office had attained notoriety for the towering stacks of computer science literature that filled every cranny. Legend has it that colleagues who visited the office after the 1989 earthquake were stunned to discover that while other offices were in disarray from the 7.1-magnitude quake, nothing in Dr. Neumann's office appeared to have been disturbed.
A trim and agile man, with piercing eyes and a salt-and-pepper beard, Dr. Neumann has practiced tai chi for decades. But his passion, besides computer security, is music. He plays a variety of instruments, including bassoon, French horn, trombone and piano, and is active in a variety of musical groups. At computer security conferences it has become a tradition for Dr. Neumann to lead his colleagues in song, playing tunes from Gilbert and Sullivan and Tom Lehrer.
Until recently, security was a backwater in the world of computing. Today it is a multibillion-dollar industry, though one of dubious competence, and safeguarding the nation's computerized critical infrastructure has taken on added urgency. President Obama cited it in the third debate of the presidential campaign, focusing on foreign policy, as something “we need to be thinking about” as part of the nation's military strategy.
Dr. Neumann reasons that the only workable and complete solution to the computer security crisis is to study the past half century's research, cherry-pick the best ideas and then build something new from the bottom up. Dr. Neumann is one of the most qualified people to lead such an effort to rethink security. He has been there for the entire trajectory of modern computing — even before its earliest days. He took his first computing job in the summer of 1953, when he was hired to work as a programmer employing an I.B.M. card-punched calculator.
Today the SRI-Cambridge collaboration is one of several dozen research projects financed by Darpa's Information Innovation Office as part of a “cyber resilience” effort started in 2010. Run by Dr. Howard Shrobe, an M.I.T. computer scientist who is now a Darpa program manager, the effort began with a premise: If the computer industry got a do-over, what should it do differently?
The program includes two separate but related efforts: Crash, for Clean-Slate Design of Resilient Adaptive Secure Hosts; and MRC, for Mission-Oriented Resilient Clouds. The idea is to reconsider computing entirely, from the silicon wafers on which circuits are etched to the application programs run by users, as well as services that are placing more private and personal data in remote data centers. Clean Slate is financing research to explore how to design computer systems that are less vulnerable to computer intruders and recover more readily once security is breached.
Dr. Shrobe argues that because the industry is now in a fundamental transition from desktop to mobile systems, it is a good time to completely rethink computing. But among the biggest challenges is the monoculture of the computer “ecosystem” of desktop, servers and networks, he said. “Nature abhors monocultures, and that's exactly what we have in the computer world today,” said Dr. Shrobe. “Eighty percent are running the same operating system.”
Lessons From Biology: To combat uniformity in software, designers are now pursuing a variety of approaches that make computer system resources moving targets. Already some computer operating systems scramble internal addresses much the way a magician might perform the trick of hiding a pea in a shell. The Clean Slate project is taking that idea further, essentially creating software that constantly shape-shifts to elude would-be attackers.
That the Internet enables almost any computer in the world to connect directly to any other makes it possible for an attacker who identifies a single vulnerability to almost instantly compromise a vast number of systems. But borrowing from another science, Dr. Neumann notes that biological systems have multiple immune systems — not only are there initial barriers, but a second system consisting of sentinels like T cells has the ability to detect and eliminate intruders and then remember them to provide protection in the future. In contrast, today's computer and network systems were largely designed with security as an afterthought, if at all.
One design approach that Dr. Neumann's research team is pursuing is known as a tagged architecture. In effect, each piece of data in the experimental system must carry “credentials” — an encryption code that ensures that it is one that the system trusts. If the data or program's papers are not in order, the computer won't process them. A related approach is called a capability architecture, which requires every software object in the system to carry special information that describes its access rights on the computer, which is checked by a special part of the processor.
For Dr. Neumann, one of the most frustrating parts of the process is seeing problems that were solved technically as long ago as four decades still plague the computer world.
A classic example is the “buffer overflow” vulnerability, a design flaw that permits an attacker to send a file with a long string of characters that will overrun an area of a computer's memory, causing the program to fail and making it possible for the intruder to execute a malicious program. Almost 25 years ago, Robert Tappan Morris, then a graduate student at Cornell University, used the technique to make his worm program spread throughout an Internet that was then composed of only about 50,000 computers.
Dr. Neumann had attended Harvard with Robert Morris, Robert Tappan Morris's father, and then worked with him at Bell Laboratories in the 1960s and 1970s, where the elder Mr. Morris was one of the inventors of the Unix operating system. Dr. Neumann, a close family friend, was prepared to testify at the trial of the young programmer, who carried out his hacking stunt with no real malicious intent. He was convicted and fined, and is now a professor at M.I.T.
At the time that the Morris Worm had run amok on the Internet, the buffer overflow flaw had already been known about and controlled in the Multics operating system research project, which Dr. Neumann helped lead from 1965 to 1969.
An early Pentagon-financed design effort, Multics was the first systematic attempt to grapple with how to secure computer resources that are shared by many users. Yet many of the Multics innovations were ignored at the time because I.B.M. mainframes were quickly coming to dominate the industry.
Hope and Worry: The experience left Dr. Neumann — who had coined the term “Unics” to describe a programming effort by Ken Thompson that would lead to the modern Unix operating system — simultaneously pessimistic and optimistic about the industry's future. “I'm fundamentally an optimist with regard to what we can do with research,” he said. “I'm fundamentally a pessimist with respect to what corporations who are fundamentally beholden to their stockholders do, because they're always working on short-term appearance.”
That dichotomy can be seen in the Association for Computing Machinery Risks Forum newsgroup, a collection of e-mails reporting computer failures and foibles that Dr. Neumann has edited since 1985. With hundreds of thousands, and possibly millions, of followers, it is one of the most widely read mailing lists on the Internet — an evolving compendium of computer failures, flaws and privacy issues that he has maintained and annotated with wry comments and the occasional pun. In 1995 the list became the basis for his book “Computer-Related Risks” (Addison-Wesley/ACM Press).
While the Risks list is a reflection of Dr. Neumann's personality, it also displays his longtime interest in electronic privacy. He is deeply involved in the technology issues surrounding electronic voting — he likes to quote Stalin on the risks: “It's not who votes that counts, it's who counts the votes” — and has testified, served on panels and written widely on the subject.
Dr. Neumann grew up in New York City, in Greenwich Village, but his family moved to Rye, N.Y., where he attended high school. J. B. Neumann, Dr. Neumann's father, was a noted art dealer, first in Germany and then in New York, where he opened the New Art Circle gallery after moving to the United States in 1923. Dr. Neumann recalls his father's tale of eating in a restaurant in Munich, where he had a gallery, and finding that he was seated next to Hitler and some of his Nazi associates. He left the country for the United States soon afterward. His mother, Elsa Schmid Neumann, was an artist. His two-hour breakfast with Einstein took place because she had been commissioned to create a colorful mosaic of Einstein and had become friendly with him. The mosaic is now displayed in a reference reading room in the main library at Boston University.
Dr. Neumann's college conversation was the start of a lifelong romance with both the beauty and the perils of complexity, something that Einstein hinted at during their breakfast. “What do you think of Johannes Brahms?” Dr. Neumann asked the physicist. “I have never understood Brahms,” Einstein replied. “I believe Brahms was burning the midnight oil trying to be complicated.”
nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html
Automatic license plate readers, or LPRs
Cameras are everywhere, and some have an automatic sensor that will automatically run criminal records. Specially assigned police officers have LPRs mounted on their cars that can scan up to 3,000 tag numbers a shift. Those sensors are called automatic license plate readers, or LPRs. More than 320 LPRs are in use across Maryland. Information about every scanned license plate, even non-criminal, is stored at the Maryland Coordination and Analysis Center. That concerns the ACLU. “As the data increases over time you get a more detailed picture of Marylanders' movements. Tracking the moves of tens of thousands of Marylanders every single day. And that is information the government has no business knowing absent some particular law enforcement need,” said David Rocah, ACLU.
2012: Google recently launched a project to map out the flow of small arms, light weapons and ammunition transfers in and out of countries around the world. The result: An interactive visualization that lets the user examine the history of arms trading between 1992 and 2010. The Peace Research Institute Oslo (PRIO), a Norwegian initiative focused on the dealing of small arms, provided information for the undertaking, including "[m]ore than 1 million data points on imports and exports [...] across 250 states and territories," according to a post on the Google Blog. The project was developed by Google's Creative Lab and the Brazil-based Igarape Institute. The tool allows the user to search by country and view where imports come from and where exports go each year; it also shows how much each country spends and receives as a result of this trade. Civilian and military purchases are displayed as well. (Note: The Google Blog defines "light weapons" as revolvers, assault rifles and light machine guns. The blog also states that "three quarters of the world's small arms lie in the hand of civilians -- more than 650 million civilian arms.")
Anonymous - 4channel The Hero of the American People.
The introduction of Secure DNS by governments and other organizations.
Security How To Secure Wifi Wireless Lan tools
Friending A Spy On Facebook
Taylor Buley, 06.29.10, 05:00 PM EDT
One man's LinkedIn recommendation for a newly alleged Russian spy. Ten alleged spies appeared in federal court on Monday, accused by the FBI of being part of an East Coast spy network set up by the Russian government. The foreign government is said to have provided the suspects fake names and ordered them to take on "deep cover" assignments to become "Americanized." It is perhaps telling, then, that Anna Chapman--one of the alleged spies--appears to have used websites like Facebook (see her page here) and LinkedIn to network with business colleagues.
Facebook from the hacker's perspective.
For the past few years we've (Netragard) been using internet based Social Networking tools to hack into our customers' IT Infrastructures. This method of attack has been used by hackers since the conception of Social Networking Websites, but only recently has it caught the attention of the media. As a result of this new exposure we've decided to give people a rare glimpse into Facebook from a hacker's perspective. Credit for designing this specific attack methodology goes to Kevin Finisterre and Josh Valentine, both core members of our team.
Inside The Brains Of A Professional Bank Hacking Team. Desautels laid out a recent hacking operation that his SNOsoft research team was hired to perform on a bank client. Though he doesn't name the target, he describes step by step the social engineering involved in sussing out the bank's defenses, including staging a fake job interview with unwitting employees of the company. The technical strategy for breaching the bank's defenses--a targeted, booby-trapped PDF attachment--isn't a surprise. But the detailed description of the preparation for that exploit is a rare window into the hacking process.
2009 Anti Credit Card Fraud Step by the U.S. Card Industry - Paul Kocher, chief research scientist at Cryptography Research Institute, says the fundamental limitation with PCI is that it attempts to distill security down into a static set of requirements, while adversaries aren't restricted to a rigidly-defined set of methods. "As a result, clever attackers will always find holes," he says. "PCI does provide some value by forcing merchants to put some effort into addressing the most common attacks, but the objective is to reduce total risk -- not stop all attacks."
iPhone encryption cracked in two minutes 7/27/09
http://it.slashdot.org/story/09/07/24/2218201/iPhone-3Gs-Encryption-Cracked-In-Two-Minutes
"In a Wired news article, iPhone Forensics expert Jonathan Zdziarski explains how the much-touted hardware encryption of the iPhone 3Gs is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about two minutes. Zdziarski also goes on to say that all data on the iPhone - including deleted data - is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike [to] access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption by saying it's 'like putting privacy glass on half your shower door.' With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?"
Skype Threatens Russian National Security? 7/27/09
http://yro.slashdot.org/story/09/07/25/0015250/Skype-Apparently-Threatens-Russian-National-Security
"Reuters reports that 'Russia's most powerful business lobby moved to clamp down on Skype and its peers this week, telling lawmakers that the Internet phone services are a threat to Russian businesses and to national security.' The lobby, closely associated with Putin's political party, cites concerns of 'a likely and uncontrolled fall in profits for the core telecom operators,' as well as a fear that law enforcement agencies have thus far been unable to listen in on Skype conversations due to its 256-bit encryption."
Spoofed Form Submissions - htmlspecialchars: Convert special characters to HTML entities - Filtering: Input Filtering at a Server Level and The Flip Side of the Coin: Output Escaping.
Nobel Laureate Richard Feynman, from the Appendix to the Challenger Report: "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled."
VanBokkelen: 2006: The year of the breach
The year 2006 may go down in computer security history as the year of the breach. As of Dec. 1, more than 36 million people in the United States might have had their personal information compromised this year by hackers, laptop computer theft or information security blunders. More than 97 million records are potentially at risk of identity theft because of nearly 300 separate breaches, and the year isn't over.
Dark Day Planning: Insuring Against Data Loss
The list of data breaches involving sensitive personal information maintained by the Privacy Rights Clearinghouse achieved a significant milestone Dec. 13, as the nonprofit group saw the total number of records exposed in such events crest the 100 million mark.
ORGANISED crime is winning the internet security war, specialists warned at the world's foremost gathering of computer hackers in Las Vegas. The online peril is no longer brilliant young social outcasts penetrating networks for notoriety; it is international crime rings swiping billions of dollars with keystrokes and malicious computer codes, cyber cops agreed. Ironically, potential champions in the battle for internet privacy were sought among the thousands of hackers that made pilgrimages to the US gambling centre nicknamed "Sin City" for the three-day DefCon 14 conference. Online evil doers were crime rings working out of countries such as Russia, Romania and Brazil, and their nefarious technical skills were keeping ahead of computer security experts, veterans of the cyber-crime battle said. "We are getting our butts kicked, there is no doubt about it," said Dan Hubbard, vice president of security research at Websense. "There is a lot more of a bond and a sharing of tools in their society than in ours." DefCon, in its 14th year, was a neutral ground where hackers, computer security professionals and US government agents exchanged expertise, according to organisers. "The hacker is the good guy," Joe Grand, who described himself as an inventor by day and a hardware hacker by night, said. "A hacker is someone interested in figuring out how to make things work." Kenneth Geers explained that he was at DefCon to glean new hacking tactics and recruit talent to join him at his job hardening the US military's computer network. "If we are not getting into the weeds and hearing what the hackers are saying about weaknesses and vulnerabilities, we are absolutely screwed," Mr Geers said. "We seek out rock star hackers because they live and breathe this stuff." For Mr Geers, the goal was to prevent aircraft carriers' communications from being routed to enemies or missile guidance systems from being compromised.
Online onslaughts were a relentless reality for ordinary computer users, said Gadi Evron, who managed internet security for the Israeli government before going to work for the firms SecuriTeam and Beyond Security. "A lot of it involves the mafia," Mr Evron said. "This is not about kiddies, hackers who sit around and tinker. It is about using the internet for real crime." More than two billion dollars will be stolen this year by online "phishing," using fake websites and bogus emails to trick people into revealing personal information then used for identity theft, Mr Evron said. That loss will be multiplied by attacks involving the secret implanting of computer codes that can do things such as record keystrokes used for online banking or take remote control of computers, Mr Evron said. There is such a glut of stolen credit card data that it can be bought online for three dollars each, said special agent Andrew Fried of the US Internal Revenue Service. Fried estimated that one in five home computers in the country was infected with malicious computer code, or "malware".
Interview with Marcus Ranum - "I believe we're making zero progress in computer security [1] and have been making zero progress for quite some time." "If customers just openly refused to do business with vendors that produce non-interoperable systems, the whole thing would clear up really fast." "To really secure systems, everything needs to be done 100% right at application layer, kernel layer, network layer, and at the boundary of the network. That's a huge undertaking and nobody has made any effort to tackle it directly because the resulting system would probably be unusable." "It's not a technology problem, it's a management problem." "In order to build really secure systems you need to understand the trust relationships between your systems and then build your systems to enhance and support your mission based on those trust relationships. But that's hard work that very few people have the courage and patience to undertake." also see and Intrusion Forensics
AOL search history DB snafu 2006
You kissed your privacy goodbye a long time ago, right?
From Wikipedia:
On August 4th, 2006, AOL released a compressed text file on one of its websites containing twenty million search keywords for over 650,000 users over a 3-month period, intended for research purposes. AOL pulled the file from public access by the 7th, but not before it had been mirrored, P2P-shared and seeded via BitTorrent. News filtered down to the blogosphere and popular tech sites such as Digg and Wired News.
Whilst none of the records on the file are personally identifiable per se, certain keywords contain personally identifiable information [1] by means of the user typing in their own name (ego-searching), as well as their address, social security number or by other means. Each user is identified on this list by a unique sequential key, which enables the compilation of a user's search history.
AOL acknowledged it was a mistake and removed the data, although the files can still be downloaded from mirror sites. Additionally, several searchable databases of the report also exist on the internet. [2]
Mistake? If betraying the trust of 2/3 of a million subscribers equals a mistake, how do they define catastrophe?
Apart from the obvious PR quagmire that AOL now finds itself in, and the painful regret (or torn anus) that AOL users may be feeling (and should have been feeling since they signed up </rant>), the long-term impact is immeasurable. Their stock is falling [3]. They're giving away BYOA accounts [4] (they'd have to at this point), a move which may cost Time Warner over a billion dollars by 2009. [5] They're facing penalties, fines, not to mention lawsuits. [6] If there's a bottom for any business to hit, they're very close. [7]
They should take a cue from ValuJet and change their name (again). [8, 9]
AOL states they keep 30 days of user-identifiable search history, and that a research division may keep three months or more of search history, but not associated to specific accounts (the latter echoes what was released on 4 August). Google has already stated they will continue to store search queries and related info, and that they won't make the same mistake AOL did. [10, 11] Predictably, Yahoo! Search! will! do! the! same! Considering the staggering amount of infrastructure Google possesses (Great Caesar's Ghost--Google has an estimated four PB of RAM alone), their data retention capabilities far exceed the 90 days of history AOL retains for research purposes. [12, 13]
That search you did recently for Paris' poodle porn may come back to haunt you. Even though you were just doing it for a friend. [...]
AOL Releases Search Logs from 500,000 Users
A search for an SSN-shaped regex on the full AOL search data returns 191 results, including repeat searches. Many of these have full names, and at least a dozen include either an address, driver's license number, date of birth or some combination of the three in the same query. There's no telling how much more information an aggregation of other queries by those same user IDs would yield. Latanya Sweeney, a computer privacy researcher at CMU, has been looking at this sort of thing for several years now. For example, many resumes posted to Monster and other job boards have SSNs in a standard format, along with dates of birth and other revealing information. They can be found in PDFs as well as HTML pages quite easily. The problem is even worse - at least those resumes are self-posted. There are government databases and court records online with some of the same information as well.
CAIDA has indexed the AOL 500k User Session Collection in our Internet Measurement Data Catalog (DatCat): DatCat does not store or distribute data, so we are not providing the AOL collection. Rather, we provide a permanent record of the existence of the dataset, relevant metadata, and a permanent handle that can be used to cite the dataset. In the near future, anyone who has used the data will be able to add annotations describing the features of the dataset (and any other dataset in the catalog).
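The SSN-shaped regex scan described above, as an added example that is not part of the original post nor of AOL's or CAIDA's tooling: it runs over constructed rows laid out like the released file (tab-separated AnonID, Query, QueryTime, ItemRank, ClickURL), groups hits by the per-user sequential key to show how one hit links to that user's other queries, and masks the values, which is the check a data owner would run before publishing such a log. The sample rows and the column layout are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample rows in the layout of the released AOL file (tab-separated
# columns AnonID, Query, QueryTime, ItemRank, ClickURL). Every row is invented
# for this example; none is taken from the real dataset.
SAMPLE_LOG = (
    "AnonID\tQuery\tQueryTime\tItemRank\tClickURL\n"
    "1001\tbest pizza in town\t2006-03-01 10:00:00\t1\thttp://example.invalid/pizza\n"
    "1001\tjohn q public\t2006-03-02 11:15:00\t\t\n"
    "1001\t123-45-6789\t2006-03-02 11:16:30\t\t\n"
    "1001\t42 elm street springfield\t2006-03-03 09:00:00\t2\thttp://example.invalid/maps\n"
    "2002\tweather tomorrow\t2006-03-01 08:00:00\t1\thttp://example.invalid/weather\n"
    "2002\tssn 587 65 4321 jane roe dob 04/12/1970\t2006-03-04 19:45:00\t\t\n"
    "3003\tpart number 123-456-7890\t2006-03-05 12:00:00\t1\thttp://example.invalid/parts\n"
)

# SSN-shaped: AAA-GG-SSSS with optional dash or space separators. The lookaheads
# reject area 000, 666 and 9xx, group 00 and serial 0000, which are never issued,
# so phone fragments and product codes are less likely to be flagged.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}(?!\d)"
)
# Date of birth in mm/dd/yyyy form, a second linkable field in the same query.
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")


def parse_log(text):
    """Parse the tab-separated log into dicts keyed by the header names."""
    lines = text.strip("\n").split("\n")
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))  # pad short rows
        rows.append(dict(zip(header, fields)))
    return rows


def find_pii_hits(rows):
    """Return {AnonID: [(query, kinds)]} for queries holding SSN- or DOB-shaped text."""
    hits = defaultdict(list)
    for row in rows:
        kinds = []
        if SSN_RE.search(row["Query"]):
            kinds.append("ssn")
        if DOB_RE.search(row["Query"]):
            kinds.append("dob")
        if kinds:
            hits[row["AnonID"]].append((row["Query"], kinds))
    return dict(hits)


def linked_context(rows, anon_id):
    """Other queries filed under the same sequential key: the aggregation the
    article warns about, since the key ties an SSN to names and addresses."""
    return [
        r["Query"]
        for r in rows
        if r["AnonID"] == anon_id
        and not SSN_RE.search(r["Query"])
        and not DOB_RE.search(r["Query"])
    ]


def redact(query):
    """Mask SSN and DOB values so a log can be shared without them."""
    query = SSN_RE.sub("###-##-####", query)
    return DOB_RE.sub("##/##/####", query)


def release_report(text):
    """Summarise what a pre-release scan would flag, with values masked."""
    rows = parse_log(text)
    hits = find_pii_hits(rows)
    return {
        anon_id: {
            "flagged": [(redact(q), kinds) for q, kinds in entries],
            "linked_queries": linked_context(rows, anon_id),
        }
        for anon_id, entries in hits.items()
    }


if __name__ == "__main__":
    for anon_id, info in release_report(SAMPLE_LOG).items():
        print(anon_id, info)
```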
See Why Pay to be an Identity Thief? Experimental Software Makes It Free - Thieves purchased sensitive personal data from ChoicePoint, but a Carnegie Mellon University researcher can get the same information free on the Web
Cult of the Dead Cow (cDc). They are now adding a new chapter to their infamous history with the release of a new malware search engine that enables researchers to analyze over 31,000 "hostile" files. It's all part of an effort the cDc calls "offensive computing." Originally founded in 1984, cDc and its members are well known for a number of their efforts over the past 22 years. Perhaps most notable is their Back Orifice application, which debuted in 1998 as a network backdoor that enabled full remote control of a system, including processes, passwords and the file system (essentially a first-generation Trojan). Back Orifice was updated in 2000 as BO2K and is currently maintained as an open source project on the SourceForge.net code repository. In cDc's new offensive computing strategy, the group is turning its skills toward hacking malware. Part of the effort is the malware search engine, which is geared toward increasing the knowledge around malware to better improve detection and removal. There is also a relationship between the malware search effort and the one hatched last month by H.D. Moore of Metasploit fame, which uses Google to find malicious code. "We use Google from time to time, and we worked with H.D. Moore on his Google malware search project," Val Smith, a cDc member and part of the offensive computing effort, told internetnews.com. "We provided him signatures to search on." Smith explained that his group has written some code to do auto analysis of malware. "People upload it directly to the site, or provide me with archives over e-mail, and then we load it into our auto analyzer," Smith said. "Once the analysis is done, that data gets put into the database which people can search. We have large collections of malware sitting around waiting to be bulk processed." Access to the offensive computing malware search requires user registration, though only a valid e-mail address is required for the registration.
While most of the major AV vendors, including McAfee, Symantec, Panda Labs, Sophos and others, provide online libraries of vulnerabilities, there are a few things that offensive computing provides that the commercial vendors do not. For one, offensive computing provides downloadable samples of the malware in question. It also includes a clear warning to users: "This site contains samples of live malware. Use at your own risk." Offensive computing also claims that the analysis is done in an open manner that yields reproducible results. The results also detail multiple checksums (md5, sha1, sha256), which should help to further improve identification. Smith's hope is that his group's effort will challenge the security community to get more involved in publicly fighting the problem of malware.
"This problem is growing too fast and complex for the traditional methods to defend against it," Smith said. "We need to unite resources and knowledge in order to protect our systems. We have a lot of respect for several AV companies, but it's time to do more." "We have gone to houses and done search warrants only to find people's computers were being used without them knowing it," Fried said. "Most of what I see is systems being compromised to be taken over." Armies of zombie computers can be used to attack websites of companies that depend on internet business for their revenues, the specialists explained. Criminals commanding such "botnets" can demand money from the companies in exchange for not crippling their online business. "The whole idea of extortion on the internet is funny to me," Mr Evron said. "They won't protect you. If you pay them they will probably attack you anyway, and they will be back." Cyber crime ranks only behind terrorism and counter-intelligence as a top priority at the Federal Bureau of Investigation, special agent Thomas Grasso said during the panel discussion.
Collaboration with counterparts such as Interpol and Scotland Yard is vital to combat crime rings that often take refuge in countries with scant police resources, Mr Grasso said. The law and computer security technology have lagged behind criminal techniques on the internet, Mr Grasso said. "The internet is not safe and your email is not safe," Mr Evron said. "It is an arms race and all we can do is enter that arms race from all different angles."
- Chilling Effects Do you know your Online Rights? Have you received a letter asking you to remove information from a Web site or stop engaging in an activity? Are you concerned about liability for information that someone else posted to your online forum? Understand the protections that intellectual property laws and the First Amendment give to your online activities. We are excited about the new opportunities the Internet offers individuals to express their views, parody politicians, celebrate their favorite movie stars, or criticize businesses. Individuals and corporations are using intellectual property and other laws to silence online users.
- Do you know your Rights when crossing borders? Laptop border searches OK'd
The 4th Circuit ruled similarly last year. Broad searches at border crossings - including those of "expressive" electronic material - do not violate the Fourth or First Amendments, according to the Fourth Circuit. The Fourth Circuit considered whether 19 U.S.C. 1581(a) - the statute authorizing searches of cargo at border crossings - encompasses detailed searches of electronic equipment. It held that the statutory language itself and the national interests involved require the broadest statutory construction possible, and therefore electronic equipment is readily included. The court further held that such expansive border searches are as old as the Fourth Amendment itself and do not violate its provisions against unreasonable searches. In fact, border searches are made reasonable by the very fact that they occur at the border, even absent a warrant or probable cause. Finally, the court refused to carve out a First Amendment exception for such searches where they involved examination of expressive material, finding that such requirements would unduly burden customs agents, and moreover create a sanctuary at border crossings for such "expressive" materials as terrorist plans, thereby undermining critical national security interests. U.S. v. Ickes, 393 F.3d 501 (4th Cir., 2005).
- Can you be compelled to give a password?
As a former Assistant U.S. Attorney, allow me to comment. Information may be obtained by the government from a person in one of four ways: (1) it is voluntarily provided; (2) by regulation in a heavily regulated industry; (3) by subpoena; and (4) by a search and seizure warrant. We are concerned with number 3, the subpoena.
A person can refuse to produce incriminating information in response to a subpoena under the Fifth Amendment. Please note that the password is not protected. If it is written down somewhere, the document on which it is written is not protected by the privilege.
The *act* of producing the document or the password itself *may* be privileged, if such an act is itself incriminating. For example, if the password was used in a crime, and the fact that you have the password in your possession tends to show that you participated or conspired in the crime, then the Fifth Amendment privilege is applicable to protect you from implicating yourself in the crime.
The Government *can* immunize you to the limited extent necessary to obtain the password - it cannot then use the fact that it got the password from you in order to prosecute you. This is known as "Doe" immunity, and there is an extensive line of cases that has developed in this area. Webster Hubbell, the former Associate Attorney General who was convicted of tax fraud by Ken Starr's IC Office, eventually had his conviction vacated because Starr's legal team failed to follow the rules when they obtained, from him (by subpoena), his tax records.
If the government is not investigating a crime, then it may use an administrative or civil subpoena to try and get the password. If the witness invokes the Fifth Amendment, then the government can immunize that person and compel production.
The second point, above, concerning a regulated industry, applies to such areas as Medicare and Medicaid, Government contractors for procurement matters, industrial health and safety matters, environmental concerns, etc. The same analysis as above would apply.
Border searches are a different animal, since the government has the right to inspect items crossing the border without a warrant.
However, if the password is in the traveler's head, then that is not an "item" that can be inspected at the border. The information on the laptop might very well be such an item, however, and if the only way to convince the government to allow you to cross the border is to show the border guards what is on the laptop, then the traveler might very well face the choice of turning on the laptop and opening files, using the password, or not crossing the border. I do not believe that, even here, the traveler would have to produce the password itself. ~Andrew Grosso, Esq. former Assistant U.S. Attorney
Andrew Grosso & Associates
1250 Connecticut Avenue, NW, Suite 200
Washington, D.C. 20036
(202) 261-3593
Email: Agrosso@acm.org
Web Site: www.GrossoLaw.com
- Any pro who wanted to bring porn (or any other data) into the U.S. on a laptop would never leave the data in an easily discovered form. But then again, why bother using the laptop? How about putting an innocuous looking file on that cute keychain memory dongle? Or on an iPod? Porn could be easily rigged to look like an mp3 file, that could even play properly. Or why not use some spare cell phone memory area? Or how about that 2 Gig memory stick in the camera, or a miniSD memory card inserted into an electric razor or the binding of a book? "OBIT" from the original '60s television series "The Outer Limits": "The machines are everywhere!"
- LEARN TO PROTECT YOURSELF and help free the world from CENSORSHIP. How to DISABLE YOUR BLOCKING SOFTWARE. Turn your home computer into a Web site that people can access to GET AROUND THEIR BLOCKING SOFTWARE. Defeats all Internet censorship programs, from Net Nanny to the national firewalls used by the government of China. Use Anonymous Email and Anonymous surfing.
ADDITIONAL INFORMATION AND ARTICLES
- What are the privacy rights of children in the K-12 School?
- Google Hack
- International Copyright Protection
- Internet Protocol Security
- All About Ethics
- About Amazon's Privacy Policy
- Can You Keep A Secret? John J. Fried 3/5/98
- CATASTROPHIC CYBER ATTACK
- EXPERT ELECTRONIC COMMERCE
- INTERNET SECURITY
- RESEARCHERS CRACK CODE IN CELL PHONES
- TRAPPED IN THE WEB WITHOUT AN EXIT
- E-COMMERCE and CYBERCRIME:
- New strategies for managing the risks of exploitation
- This document launched computer security within the DoD and ultimately elsewhere, because it was widely distributed; it is known by the gracious nickname of the "Ware report"
- BURY DEAD EDUCATION DOTS WITH DIGNITY Don't allow your education website to BECOME PORN.
*Peacefire has released a Bypass Program which can disable all popular Windows blocking software (Cyber Patrol, SurfWatch, Net Nanny, CYBERsitter, X-Stop, Cyber Snoop, PureSight) with the click of a button.
JUNKBUSTER IS A FREE FILTERING PROGRAM
Junkbuster's primary purpose is to filter banner ads and other such stuff. Schools can claim that it's all the filtering that they want, but you can configure it to filter other stuff as well.
COURT SAYS UNENCRYPTED DATA OKAY
A federal judge in Minnesota has dismissed a case alleging that a student loan company was negligent in not encrypting customer data. The case was filed by Stacy Lawton Guin after a laptop containing unencrypted data on about 550,000 customers of Brazos Higher Education Service was stolen from an employee's home in 2004. Although he was not harmed by the loss of his personal information--indeed, there have been no reports of any fraud committed with the stolen information--Guin argued that the Gramm-Leach-Bliley (GLB) Act required Brazos to encrypt the data. Judge Richard Kyle rejected that claim, noting that the legislation does not specifically require encryption. The law states that financial services companies must "protect the security and confidentiality of customers' nonpublic personal information," but, according to Kyle's decision, "The GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office."
COOKIES AND THEIR SECURITY HOLES
The first significant Internet worm appeared on this day 16 years ago
November 3, 2004
http://news.com.com/16+candles+for+first+Internet+worm/2100-7349_3-5438291.html
The first significant Internet worm appeared on this day 16 years ago, and online security has never been the same, security professionals say. At around midnight on Nov. 2, 1988, the Morris worm, written by a 23-year-old Massachusetts Institute of Technology student called Robert Tappan Morris, was released on the embryonic Internet. Within hours, the worm's 99 lines of code overloaded thousands of Unix-based VAX and Sun Microsystems systems, forcing administrators to disconnect their computers from the network to try to stop the worm from spreading. The Morris worm was part of a research project and was not designed to cause damage, but it was programmed to self-replicate. Unfortunately, the code contained a bug that allowed the worm to infect a single machine multiple times, which resulted in thousands of computers grinding to a halt.
Morris' worm was the first to spread on the Internet. But the very first appearance of a worm was in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, who described a self-distributing program with a bug that managed to crash 100 machines in the research building. Morris was convicted for his research, but did not go to prison. He received a suspended sentence with community service and was fined $10,000. At the time, the Internet was still a closed system used by universities and the military for research purposes, security experts say. Once it was opened to the public--and became known as the World Wide Web--attitudes to security had to change.
Sean Richmond, a senior technology consultant at Sophos Australia, said that since Morris, there have been fundamental changes in the way networks and computers communicate with each other, and that will continue to evolve over the next 16 years.
"At that time, commands such as 'remote login,' 'remote shell' and 'remote copy' were commonly used. The idea was that if you were logged into one machine, you could access another system, and it wouldn't even ask you for a login password. There was a level of trust," Richmond said.
When Morris hit in 1988, academics would have lost some of their research. But when worms like Blaster or Sasser start spreading on the modern Internet, it affects banks, government departments and even stops kids from researching their schoolwork from home, said Dircks.<SNIP>
"Security is being designed in the next TCP/IP version (IPv6), so the IP address will contain a knowledge and expectation of security. The current version IPv4 was built with a much more open world in mind. Security was not part of the initial design," he said. "In 16 years' time, the potential for something to spread widely and rapidly across everything will be diminished just by the underlying security."
"Part of the solution is to build security into the architecture. But there are systems that are 30 or 40 years old still running, and the companies using them will not get rid of them, because they still work," Dircks said. "We are always going to have a heterogeneous world, and without painting a picture of doom, gloom and apocalypse, the problems are not going away." - Munir Kotadia of ZDNet Australia reported from Sydney.