Educational CyberPlayGround ®

SECURITY ARTICLES

2018

Set Up Your Financial Accounts Like You're Going to Be Hacked
We will all, inevitably, be affected by a data breach of some kind (you likely have been already).

Freezing your credit files means lenders can't check your credit, which helps prevent scammers from opening credit lines in your name (you can still use your current credit accounts while your files are frozen; you just won't be able to open any new accounts). To be most effective, consumers are advised to freeze their reports at all three bureaus: Equifax, Experian and TransUnion.
The most important step is also the most obvious: create a strong password. Don't use an obvious password like your name, your kid's name or your birthday, and don't use the same password for everything. Use a password manager like LastPass or 1Password.

 

2017

Russian Hackers Reportedly Stole NSA Information on How the US Defends Itself From Cyberattacks
The hackers were able to steal the information after a National Security Agency contractor took highly classified information from the agency and put it on his personal computer, multiple sources with knowledge told the Journal. The contractor was using antivirus software made by Russia-based Kaspersky Lab, the sources said, which was how the hackers were able to target the contractor. The Journal reported that the incident occurred in 2015 but wasn't uncovered until last year.

2016

Violation Tracker is a database of corporate crime and misconduct produced by the Corporate Research Project of Good Jobs First. It is available to the public for free at http://www.goodjobsfirst.org/violation-tracker

Discover Where Corporations Are Getting Taxpayer Assistance Across the United States
SUBSIDY TRACKER 3.0 is the first national search engine for economic development subsidies and other forms of government financial assistance to business.

The US government's new Intelligence Transparency Council will, of course, meet behind closed doors (cult of classification, anyone?).
obama-clinton-emails/
“What I also know, because I handle a lot of classified information, is that there are — there's classified, and then there's classified,” Obama told Fox News. “There's stuff that is really top-secret, top-secret, and there's stuff that is being presented to the president or the secretary of state, that you might not want on the transom, or going out over the wire, but is basically stuff that you could get in open-source.”

8/24/14 Breaking the Silk Road's Captcha

10/29/12 Killing the Computer to Save It By John Markoff
Many people cite Albert Einstein's aphorism “Everything should be made as simple as possible, but no simpler.” Only a handful, however, have had the opportunity to discuss the concept with the physicist over breakfast.
One of those is Peter G. Neumann, now an 80-year-old computer scientist at SRI International, a pioneering engineering research laboratory here.
As an applied-mathematics student at Harvard, Dr. Neumann <neumann@csl.sri.com> had a two-hour breakfast with Einstein on Nov. 8, 1952. What the young math student took away was a deeply held philosophy of design that has remained with him for six decades and has been his governing principle of computing and computer security. For many of those years, Dr. Neumann (pronounced NOY-man) has remained a voice in the wilderness, tirelessly pointing out that the computer industry has a penchant for repeating the mistakes of the past. He has long been one of the nation's leading specialists in computer security, and early on he predicted that the security flaws that have accompanied the pell-mell explosion of the computer and Internet industries would have disastrous consequences. “His biggest contribution is to stress the 'systems' nature of the security and reliability problems,” said Steven M. Bellovin, chief technology officer of the Federal Trade Commission. “That is, trouble occurs not because of one failure, but because of the way many different pieces interact.” Dr. Bellovin said that it was Dr. Neumann who originally gave him the insight that “complex systems break in complex ways” — that the increasing complexity of modern hardware and software has made it virtually impossible to identify the flaws and vulnerabilities in computer systems and ensure that they are secure and trustworthy. The consequence has come to pass in the form of an epidemic of computer malware and rising concerns about cyberwarfare as a threat to global security, voiced alarmingly this month by the defense secretary, Leon E. Panetta, who warned of a possible “cyber-Pearl Harbor” attack on the United States. It is remarkable, then, that years after most of his contemporaries have retired, Dr. Neumann is still at it and has seized the opportunity to start over and redesign computers and software from a “clean slate.”
He is leading a team of researchers in an effort to completely rethink how to make computers and networks secure, in a five-year project financed by the Pentagon's Defense Advanced Research Projects Agency, or Darpa, with Robert N. Watson, a computer security researcher at Cambridge University's Computer Laboratory. “I've been tilting at the same windmills for basically 40 years,” said Dr. Neumann recently during a lunchtime interview at a Chinese restaurant near his art-filled home in Palo Alto, Calif. “And I get the impression that most of the folks who are responsible don't want to hear about complexity. They are interested in quick and dirty solutions.”
An Early Voice for Security: Dr. Neumann, who left Bell Labs and moved to California as a single father with three young children in 1970, has occupied the same office at SRI for four decades. Until the building was recently modified to make it earthquake-resistant, the office had attained notoriety for the towering stacks of computer science literature that filled every cranny. Legend has it that colleagues who visited the office after the 1989 earthquake were stunned to discover that while other offices were in disarray from the 7.1-magnitude quake, nothing in Dr. Neumann's office appeared to have been disturbed. A trim and agile man, with piercing eyes and a salt-and-pepper beard, Dr. Neumann has practiced tai chi for decades. But his passion, besides computer security, is music. He plays a variety of instruments, including bassoon, French horn, trombone and piano, and is active in a variety of musical groups. At computer security conferences it has become a tradition for Dr. Neumann to lead his colleagues in song, playing tunes from Gilbert and Sullivan and Tom Lehrer. Until recently, security was a backwater in the world of computing. Today it is a multibillion-dollar industry, though one of dubious competence, and safeguarding the nation's computerized critical infrastructure has taken on added urgency. President Obama cited it in the third debate of the presidential campaign, focusing on foreign policy, as something “we need to be thinking about” as part of the nation's military strategy. Dr. Neumann reasons that the only workable and complete solution to the computer security crisis is to study the past half century's research, cherry-pick the best ideas and then build something new from the bottom up. Dr. Neumann is one of the most qualified people to lead such an effort to rethink security. He has been there for the entire trajectory of modern computing — even before its earliest days. 
He took his first computing job in the summer of 1953, when he was hired to work as a programmer employing an I.B.M. card-punched calculator. Today the SRI-Cambridge collaboration is one of several dozen research projects financed by Darpa's Information Innovation Office as part of a “cyber resilience” effort started in 2010. Run by Dr. Howard Shrobe, an M.I.T. computer scientist who is now a Darpa program manager, the effort began with a premise: If the computer industry got a do-over, what should it do differently?
The program includes two separate but related efforts: Crash, for Clean-Slate Design of Resilient Adaptive Secure Hosts; and MRC, for Mission-Oriented Resilient Clouds. The idea is to reconsider computing entirely, from the silicon wafers on which circuits are etched to the application programs run by users, as well as services that are placing more private and personal data in remote data centers. Clean Slate is financing research to explore how to design computer systems that are less vulnerable to computer intruders and recover more readily once security is breached. Dr. Shrobe argues that because the industry is now in a fundamental transition from desktop to mobile systems, it is a good time to completely rethink computing. But among the biggest challenges is the monoculture of the computer “ecosystem” of desktop, servers and networks, he said. “Nature abhors monocultures, and that's exactly what we have in the computer world today,” said Dr. Shrobe. “Eighty percent are running the same operating system.”
Lessons From Biology: To combat uniformity in software, designers are now pursuing a variety of approaches that make computer system resources moving targets. Already some computer operating systems scramble internal addresses much the way a magician might perform the trick of hiding a pea in a shell. The Clean Slate project is taking that idea further, essentially creating software that constantly shape-shifts to elude would-be attackers. That the Internet enables almost any computer in the world to connect directly to any other makes it possible for an attacker who identifies a single vulnerability to almost instantly compromise a vast number of systems. But borrowing from another science, Dr. Neumann notes that biological systems have multiple immune systems — not only are there initial barriers, but a second system consisting of sentinels like T cells has the ability to detect and eliminate intruders and then remember them to provide protection in the future. In contrast, today's computer and network systems were largely designed with security as an afterthought, if at all. One design approach that Dr. Neumann's research team is pursuing is known as a tagged architecture. In effect, each piece of data in the experimental system must carry “credentials” — an encryption code that ensures that it is one that the system trusts. If the data or program's papers are not in order, the computer won't process them. A related approach is called a capability architecture, which requires every software object in the system to carry special information that describes its access rights on the computer, which is checked by a special part of the processor. For Dr. Neumann, one of the most frustrating parts of the process is seeing problems that were solved technically as long ago as four decades still plague the computer world.
A classic example is “buffer overflow” vulnerability, a design flaw that permits an attacker to send a file with a long string of characters that will overrun an area of a computer's memory, causing the program to fail and make it possible for the intruder to execute a malicious program. Almost 25 years ago, Robert Tappan Morris, then a graduate student at Cornell University, used the technique to make his worm program spread throughout an Internet that was then composed of about only 50,000 computers. Dr. Neumann had attended Harvard with Robert Morris, Robert Tappan Morris's father, and then worked with him at Bell Laboratories in the 1960s and 1970s, where the elder Mr. Morris was one of the inventors of the Unix operating system. Dr. Neumann, a close family friend, was prepared to testify at the trial of the young programmer, who carried out his hacking stunt with no real malicious intent. He was convicted and fined, and is now a professor at M.I.T. At the time that the Morris Worm had run amok on the Internet, the buffer overflow flaw had already been known about and controlled in the Multics operating system research project, which Dr. Neumann helped lead from 1965 to 1969. An early Pentagon-financed design effort, Multics was the first systematic attempt to grapple with how to secure computer resources that are shared by many users. Yet many of the Multics innovations were ignored at the time because I.B.M. mainframes were quickly coming to dominate the industry.
Hope and Worry: The experience left Dr. Neumann — who had coined the term “Unics” to describe a programming effort by Ken Thompson that would lead to the modern Unix operating system — simultaneously pessimistic and optimistic about the industry's future. “I'm fundamentally an optimist with regard to what we can do with research,” he said. “I'm fundamentally a pessimist with respect to what corporations who are fundamentally beholden to their stockholders do, because they're always working on short-term appearance.” That dichotomy can be seen in the Association for Computing Machinery Risks Forum newsgroup, a collection of e-mails reporting computer failures and foibles that Dr. Neumann has edited since 1985. With hundreds of thousands, and possibly millions, of followers, it is one of the most widely read mailing lists on the Internet — an evolving compendium of computer failures, flaws and privacy issues that he has maintained and annotated with wry comments and the occasional pun. In 1995 the list became the basis for his book “Computer-Related Risks” (Addison-Wesley/ACM Press). While the Risks list is a reflection of Dr. Neumann's personality, it also displays his longtime interest in electronic privacy. He is deeply involved in the technology issues surrounding electronic voting — he likes to quote Stalin on the risks: “It's not who votes that counts, it's who counts the votes” — and has testified, served on panels and written widely on the subject.
Dr. Neumann grew up in New York City, in Greenwich Village, but his family moved to Rye, N.Y., where he attended high school. J. B. Neumann, Dr. Neumann's father, was a noted art dealer, first in Germany and then in New York, where he opened the New Art Circle gallery after moving to the United States in 1923. Dr. Neumann recalls his father's tale of eating in a restaurant in Munich, where he had a gallery, and finding that he was seated next to Hitler and some of his Nazi associates. He left the country for the United States soon afterward. His mother, Elsa Schmid Neumann, was an artist. His two-hour breakfast with Einstein took place because she had been commissioned to create a colorful mosaic of Einstein and had become friendly with him. The mosaic is now displayed in a reference reading room in the main library at Boston University. Dr. Neumann's college conversation was the start of a lifelong romance with both the beauty and the perils of complexity, something that Einstein hinted at during their breakfast. “What do you think of Johannes Brahms?” Dr. Neumann asked the physicist. “I have never understood Brahms,” Einstein replied. “I believe Brahms was burning the midnight oil trying to be complicated.”
nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html

Automatic license plate readers, or LPRs
Cameras are everywhere; some have an automatic sensor that will automatically run criminal records. Specially assigned police officers have LPRs mounted on their cars that can scan up to 3,000 tag numbers a shift. Those sensors are called automatic license plate readers, or LPRs. More than 320 LPRs are in use across Maryland. Information about every scanned license plate, even non-criminal ones, is stored at the Maryland Coordination and Analysis Center. That concerns the ACLU. “As the data increases over time you get a more detailed picture of Marylanders' movements. Tracking the moves of tens of thousands of Marylanders every single day. And that is information the government has no business knowing absent some particular law enforcement need,” said David Rohak, ACLU.

 

2012 Google recently launched a project to map out the flow of small arms, light weapons and ammunition transfers in and out of countries around the world. The result: An interactive visualization that lets the user examine the history of arms trading between 1992 and 2010. The Peace Research Institute Oslo (PRIO), a Norwegian initiative focused on the dealing of small arms, provided information for the undertaking, including "[m]ore than 1 million data points on imports and exports [...] across 250 states and territories," according to a post on the Google Blog. The project was developed by Google's Creative Lab and the Brazil-based Igarape Institute. The tool allows the user to search by country and view where imports come from and where exports go each year; it also shows how much each country spends and receives as a result of this trade. Civilian and military purchases are displayed as well. (Note: The Google Blog defines "light weapons" as revolvers, assault rifles and light machine guns. The blog also states that "three quarters of the world's small arms lie in the hand of civilians -- more than 650 million civilian arms.")

Anonymous - 4channel The Hero of the American People.

The introduction of Secure DNS by governments and other organizations.

Security: How to Secure Wi-Fi / Wireless LAN tools

Friending A Spy On Facebook
Taylor Buley, 06.29.10, 05:00 PM EDT
One man's LinkedIn recommendation for a newly alleged Russian spy. Ten alleged spies appeared in federal court on Monday, accused by the FBI of being part of an East Coast spy network set up by the Russian government. The foreign government is said to have provided the suspects with fake names and ordered them to take on "deep cover" assignments to become "Americanized." It is perhaps telling, then, that Anna Chapman, one of the alleged spies, appears to have used websites like Facebook and LinkedIn to network with business colleagues.

Facebook from the hacker's perspective.

For the past few years we've (Netragard) been using internet-based social networking tools to hack into our customers' IT infrastructures. This method of attack has been used by hackers since the conception of social networking websites, but only recently has it caught the attention of the media. As a result of this new exposure we've decided to give people a rare glimpse into Facebook from a hacker's perspective. Credit for designing this specific attack methodology goes to Kevin Finisterre and Josh Valentine, both core members of our team.

Inside The Brains Of A Professional Bank Hacking Team
Desautels laid out a recent hacking operation that his SNOsoft research team was hired to perform on a bank client. Though he doesn't name the target, he describes step by step the social engineering involved in sussing out the bank's defenses, including staging a fake job interview with unwitting employees of the company. The technical strategy for breaching the bank's defenses--a targeted, booby-trapped PDF attachment--isn't a surprise. But the detailed description of the preparation for that exploit is a rare window into the hacking process.

2009 Anti-credit-card-fraud steps in the U.S. card industry - Paul Kocher, chief research scientist at Cryptography Research Institute, says the fundamental limitation with PCI is that it attempts to distill security down into a static set of requirements, while adversaries aren't restricted to a rigidly defined set of methods. "As a result, clever attackers will always find holes," he says. "PCI does provide some value by forcing merchants to put some effort into addressing the most common attacks, but the objective is to reduce total risk -- not stop all attacks."

iPhone encryption cracked in two minutes 7/27/09
http://it.slashdot.org/story/09/07/24/2218201/iPhone-3Gs-Encryption-Cracked-In-Two-Minutes
"In a Wired news article, iPhone Forensics expert Jonathan Zdziarski explains how the much-touted hardware encryption of the iPhone 3Gs is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about two minutes. Zdziarski also goes on to say that all data on the iPhone - including deleted data - is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike [to] access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption by saying it's 'like putting privacy glass on half your shower door.' With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?"

Skype Threatens Russian National Security? 7/27/09
http://yro.slashdot.org/story/09/07/25/0015250/Skype-Apparently-Threatens-Russian-National-Security
"Reuters reports that 'Russia's most powerful business lobby moved to clamp down on Skype and its peers this week, telling lawmakers that the Internet phone services are a threat to Russian businesses and to national security.' The lobby, closely associated with Putin's political party, cites concerns of 'a likely and uncontrolled fall in profits for the core telecom operators,' as well as a fear that law enforcement agencies have thus far been unable to listen in on Skype conversations due to its 256-bit encryption."

Spoofed Form Submissions; htmlspecialchars (convert special characters to HTML entities); Filtering: Input Filtering at a Server Level; and The Flip Side of the Coin: Output Escaping.

Nobel Laureate Richard Feynman, from the Appendix to the Challenger Report: "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled."

VanBokkelen: 2006: The year of the breach
The year 2006 may go down in computer security history as the year of the breach. As of Dec. 1, more than 36 million people in the United States might have had their personal information compromised this year by hackers, laptop computer theft or information security blunders. More than 97 million records are potentially at risk of identity theft because of nearly 300 separate breaches, and the year isn't over.

Dark Day Planning: Insuring Against Data Loss
The list of data breaches involving sensitive personal information maintained by the Privacy Rights Clearinghouse achieved a significant milestone Dec. 13, as the nonprofit group saw the total number of records exposed in such events crest the 100 million mark.

ORGANISED crime is winning the internet security war, specialists warned at the world's foremost gathering of computer hackers in Las Vegas. The online peril is no longer brilliant young social outcasts penetrating networks for notoriety; it is international crime rings swiping billions of dollars with keystrokes and malicious computer code, cyber cops agreed. Ironically, potential champions in the battle for internet privacy were sought among the thousands of hackers who made pilgrimages to the US gambling centre nicknamed "Sin City" for the three-day DefCon 14 conference. Online evildoers were crime rings working out of countries such as Russia, Romania and Brazil, and their nefarious technical skills were keeping ahead of computer security experts, veterans of the cyber-crime battle said. "We are getting our butts kicked, there is no doubt about it," said Dan Hubbard, vice president of security research at Websense. "There is a lot more of a bond and a sharing of tools in their society than in ours." DefCon, in its 14th year, was neutral ground where hackers, computer security professionals and US government agents exchanged expertise, according to organisers. "The hacker is the good guy," said Joe Grand, who described himself as an inventor by day and a hardware hacker by night. "A hacker is someone interested in figuring out how to make things work." Kenneth Geers explained that he was at DefCon to glean new hacking tactics and recruit talent to join him in his job hardening the US military's computer network. "If we are not getting into the weeds and hearing what the hackers are saying about weaknesses and vulnerabilities, we are absolutely screwed," Mr Geers said. "We seek out rock star hackers because they live and breathe this stuff." For Mr Geers, the goal was to prevent aircraft carriers' communications from being routed to enemies or missile guidance systems from being compromised.
Online onslaughts were a relentless reality for ordinary computer users, said Gadi Evron, who managed internet security for the Israeli government before going to work for the firms SecuriTeam and Beyond Security. "A lot of it involves the mafia," Mr Evron said. "This is not about kiddies, hackers who sit around and tinker. It is about using the internet for real crime." More than two billion dollars will be stolen this year by online "phishing", using fake websites and bogus emails to trick people into revealing personal information that is then used for identity theft, Mr Evron said. That loss will be multiplied by attacks involving the secret implanting of computer code that can do things such as record keystrokes used for online banking or take remote control of computers, Mr Evron said. There is such a glut of stolen credit card data that it can be bought online for three dollars each, said special agent Andrew Fried of the US Internal Revenue Service. Fried estimated that one in five home computers in the country was infected with malicious computer code, or "malware".
Glenn Chapman in Las Vegas, August 07, 2006

Interview with Marcus Ranum: "I believe we're making zero progress in computer security [1] and have been making zero progress for quite some time." "If customers just openly refused to do business with vendors that produce non-interoperable systems, the whole thing would clear up really fast." "To really secure systems, everything needs to be done 100% right at application layer, kernel layer, network layer, and at the boundary of the network. That's a huge undertaking and nobody has made any effort to tackle it directly because the resulting system would probably be unusable." "It's not a technology problem, it's a management problem." "In order to build really secure systems you need to understand the trust relationships between your systems and then build your systems to enhance and support your mission based on those trust relationships. But that's hard work that very few people have the courage and patience to undertake." See also: Intrusion Forensics.

AOL search history DB snafu 2006
You kissed your privacy goodbye a long time ago, right?
From Wikipedia:
On August 4th, 2006, AOL released a compressed text file on one of its websites containing twenty million search keywords for over 650,000 users over a 3-month period, intended for research purposes.
AOL pulled the file from public access by the 7th, but not before it had been mirrored, P2P-shared and seeded via BitTorrent. News filtered down to the blogosphere and popular tech sites such as Digg and Wired News.
Whilst none of the records on the file are personally identifiable per se, certain keywords contain personally identifiable information [1] by means of the user typing in their own name (ego-searching), as well as their address, social security number or by other means. Each user is identified on this list by a unique sequential key, which enables the compilation of a user's search history.
AOL acknowledged it was a mistake and removed the data, although the files can still be downloaded from mirror sites. Additionally, several searchable databases of the report also exist on the internet. [2]
Mistake? If betraying the trust of 2/3 of a million subscribers equals a mistake, how do they define catastrophe?
Apart from the obvious PR quagmire that AOL now finds itself in, and the painful regret (or torn anus) that AOL users may be feeling (and should have been feeling since they signed up </rant>), the long-term impact is immeasurable. Their stock is falling. [3] They're giving away BYOA accounts [4] (they'd have to at this point), a move which may cost Time Warner over a billion dollars by 2009. [5] They're facing penalties and fines, not to mention lawsuits. [6] If there's a bottom for any business to hit, they're very close. [7]
They should take a cue from ValuJet and change their name (again). [8, 9]
AOL states they keep 30 days of user-identifiable search history, and that a research division may keep three months or more of search history, but not associated with specific accounts (the latter echoes what was released on 4 August). Google has already stated they will continue to store search queries and related info, and that they won't make the same mistake AOL did. [10, 11] Predictably, Yahoo! Search! will! do! the! same! Considering the staggering amount of infrastructure Google possesses (Great Caesar's Ghost--Google has an estimated four PB of RAM alone), their data retention capabilities far exceed the 90 days of history AOL retains for research purposes. [12, 13]
That search you did recently for Paris' poodle porn may come back to haunt you. Even though you were just doing it for a friend.[...]

AOL Releases Search Logs from 500,000 Users
A search for an SSN-shaped regex on the full AOL search data returns 191 results, including repeat searches. Many of these have full names, and at least a dozen include an address, a driver's license number, a date of birth or some combination of the three in the same query. There's no telling how much more information an aggregation of other queries by those same user IDs would yield. Latanya Sweeney, a computer privacy researcher at CMU, has been looking at this sort of thing for several years now. For example, many resumes posted to Monster and other job boards have SSNs in a standard format, along with dates of birth and other revealing information. They can be found in PDFs as well as HTML pages quite easily. The problem is even worse: at least those resumes are self-posted, whereas government databases and court records online carry some of the same information as well.
CAIDA has indexed the AOL 500k User Session Collection in our Internet Measurement Data Catalog (DatCat): DatCat does not store or distribute data, so we are not providing the AOL collection. Rather, we provide a permanent record of the existence of the dataset, relevant metadata, and a permanent handle that can be used to cite the dataset. In the near future, anyone who has used the data will be able to add annotations describing the features of the dataset (and any other dataset in the catalog). The CAIDA DatCat Team, info@datcat.org
See: Why Pay to Be an Identity Thief? Experimental Software Makes It Free - Thieves purchased sensitive personal data from ChoicePoint, but a Carnegie Mellon University researcher can get the same information free on the Web.

Cult of the Dead Cow (cDc).
They are now adding a new chapter to their infamous history with the release of a new malware search engine that enables researchers to analyze over 31,000 "hostile" files. It's all part of an effort the cDc calls "offensive computing." Originally founded in 1984, cDc and its members are well known for a number of their efforts over the past 22 years. Perhaps most notable is their Back Orifice application, which debuted in 1998 as a network backdoor that enabled full remote control of a system, including processes, passwords and the file system (essentially a first-generation Trojan). Back Orifice was updated in 2000 as BO2K and is currently maintained as an open source project on the SourceForge.net code repository.
In cDc's new offensive computing strategy, the group is turning its skills toward hacking malware. Part of the effort is the malware search engine, which is geared toward increasing the knowledge around malware to improve detection and removal. There is also a relationship between the malware search effort and the one hatched last month by H.D. Moore of Metasploit fame, which uses Google to find malicious code. "We use Google from time to time, and we worked with H.D. Moore on his Google malware search project," Val Smith, a cDc member and part of the offensive computing effort, told internetnews.com. "We provided him signatures to search on." Smith explained that his group has written some code to do automatic analysis of malware. "People upload it directly to the site, or provide me with archives over e-mail, and then we load it into our auto analyzer," Smith said. "Once the analysis is done, that data gets put into the database which people can search. We have large collections of malware sitting around waiting to be bulk processed." Access to the offensive computing malware search requires user registration, though only a valid e-mail address is required to register.
While most of the major AV vendors, including McAfee, Symantec, Panda Labs, Sophos and others, provide online libraries describing malware, there are a few things that offensive computing provides that the commercial vendors do not. For one, offensive computing provides downloadable samples of the malware in question. It also includes a clear warning to users: "This site contains samples of live malware. Use at your own risk." Offensive computing also claims that the analysis is done in an open manner that yields reproducible results. The results also list multiple checksums (md5, sha1, sha256) for each sample, which should further improve identification: a researcher holding any one of the three hashes can match the record. Smith's hope is that his group's effort will challenge the security community to get more involved in publicly fighting the problem of malware.
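The following is an added example, not code from cDc or from the offensive computing site, showing why a sample database lists md5, sha1 and sha256 side by side and where exact checksums stop helping. It builds a tiny index keyed by every digest of a constructed byte string (a stand-in for a sample, not real malware), looks a file up by whichever hash is at hand, and then shows that flipping a single byte defeats all three digests while a content signature of the kind handed to a Google-style code search (the `SIGNATURE` pattern is an assumption for the example) still matches the variant.

```python
import hashlib

# Constructed stand-in for a malware sample: an arbitrary byte string,
# not real malware. In practice this is the file uploaded to the analyzer.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
          + b"beacon: connect 10.0.0.1:31337" + b"\x90" * 32)

# A content signature of the kind a researcher would search for: a byte
# pattern that survives small edits to the binary (assumed for the example).
SIGNATURE = b"connect 10.0.0.1:31337"


def digests(data: bytes) -> dict:
    """Return the md5, sha1 and sha256 hex digests of the data, the three
    checksums the sample database records for every file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def build_index(samples: dict) -> dict:
    """Key every digest of every algorithm to the sample's name, so a query
    by whichever hash a researcher has on hand finds the record."""
    index = {}
    for name, data in samples.items():
        for algo, hexdigest in digests(data).items():
            index[(algo, hexdigest)] = name
    return index


def lookup(data: bytes, index: dict):
    """Exact identification: any one matching digest is enough."""
    for algo, hexdigest in digests(data).items():
        hit = index.get((algo, hexdigest))
        if hit is not None:
            return hit
    return None


def signature_match(data: bytes, signature: bytes) -> bool:
    """Content-based identification: does the byte pattern occur at all?"""
    return signature in data


def patch_one_byte(data: bytes, offset: int) -> bytes:
    """Flip one byte, as a trivial repack or obfuscation pass would."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


INDEX = build_index({"sample-0001": SAMPLE})

if __name__ == "__main__":
    variant = patch_one_byte(SAMPLE, 10)          # inside the NUL padding
    print(lookup(SAMPLE, INDEX))                  # sample-0001
    print(lookup(variant, INDEX))                 # None: every digest changed
    print(signature_match(variant, SIGNATURE))    # True: pattern still present
```

Because one changed byte moves all three digests at once, listing several hash algorithms only helps with identification across tools that report different hashes; it does nothing against a repacked variant, which is why the site's analysis results and searchable signatures matter more than the checksums alone.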
"This problem is growing too fast and complex for the traditional methods to defend against it," Smith said. "We need to unite resources and knowledge in order to protect our systems. We have a lot of respect for several AV companies, but it's time to do more."
"We have gone to houses and done search warrants only to find people's computers were being used without them knowing it," Fried said. "Most of what I see is systems being compromised to be taken over." Armies of zombie computers can be used to attack websites of companies that depend on internet business for their revenues, the specialists explained. Criminals commanding such "botnets" can demand money from the companies in exchange for not crippling their online business. "The whole idea of extortion on the internet is funny to me," Mr Evron said. "They won't protect you. If you pay them they will probably attack you anyway, and they will be back." Cyber crime ranks only behind terrorism and counter-intelligence as a top priority at the Federal Bureau of Investigation, special agent Thomas Grasso said during the panel discussion.
Collaboration with counterparts such as Interpol and Scotland Yard is vital to combat crime rings that often take refuge in countries with scant police resources, Mr Grasso said. The law and computer security technology have lagged behind criminal techniques on the internet, Mr Grasso said. "The internet is not safe and your email is not safe," Mr Evron said. "It is an arms race and all we can do is enter that arms race from all different angles."
Sean Michael Kerner August 9, 2006

  • Chilling Effects Do you know your Online Rights? Have you received a letter asking you to remove information from a Web site or stop engaging in an activity? Are you concerned about liability for information that someone else posted to your online forum? Understand the intellectual property laws and the First Amendment protections given to your online activities. We are excited about the new opportunities the Internet offers individuals to express their views, parody politicians, celebrate their favorite movie stars, or criticize businesses. Individuals and corporations are using intellectual property and other laws to silence online users.
  • Do you know your Rights when crossing borders? Laptop border searches OK'd
    The 4th Circuit ruled similarly last year. Broad searches at border crossings - including those of "expressive" electronic material - do not violate Fourth or First Amendments according to Fourth Circuit. The Fourth Circuit considered whether 19 U.S.C. 1581(a) - the statute authorizing searches of cargo at border crossings - encompasses detailed searches of electronic equipment. It held that the statutory language itself and the national interests involved require the broadest statutory construction possible, and therefore electronic equipment is readily included. The court further held that such expansive border searches are as old as the Fourth Amendment itself and do not violate its provisions against unreasonable searches. In fact, border searches are made reasonable by the very fact that they occur at the border, even absent a warrant or probable cause. Finally, the court refused to carve out a First Amendment exception for such searches where they involved examination of expressive material, finding that such requirements would unduly burden customs agents, and moreover create a sanctuary at border crossings for such "expressive" materials as terrorist plans, thereby undermining critical national security interests. U.S. v. Ickes, 393 F.3d 501 (4th Cir., 2005).
  • Can you be compelled to give a password?
    As a former Assistant U.S. Attorney, allow me to comment. Information may be obtained by the government from a person in one of four ways: (1) it is voluntarily provided; (2) by regulation in a heavily regulated industry; (3) by subpoena; and (4) by a search and seizure warrant. We are concerned with number 3, the subpoena.
    A person can refuse to produce incriminating information in response to a subpoena under the Fifth Amendment. Please note that the password is not protected. If it is written down somewhere, the document on which it is written is not protected by the privilege.
    The *act* of producing the document or the password itself *may* be privileged, if such an act is itself incriminating. For example, if the password was used in a crime, and the fact that you have the password in your possession tends to show that you participated or conspired in the crime, then the Fifth Amendment privilege is applicable to protect you from implicating yourself in the crime.
    The Government *can* immunize you to the limited extent necessary to obtain the password - it cannot then use the fact that it got the password from you in order to prosecute you. This is known as "Doe" immunity, and there is an extensive line of cases that has developed in this area. Webster Hubbell, the former Associate Attorney General who was convicted of tax fraud by Ken Starr's IC Office, eventually had his conviction vacated because Starr's legal team failed to follow the rules when they obtained, from him (by subpoena), his tax records.
    If the government is not investigating a crime, then it may use an administrative or civil subpoena to try and get the password. If the witness invokes the Fifth Amendment, then the government can immunize that person and compel production.
    The second point, above, concerning a regulated industry, applies to such areas as Medicare and Medicaid, Government contractors for procurement matters, industrial health and safety matters, environmental concerns, etc. The same analysis as above would apply.
    Border searches are a different animal, since the government has the right to inspect items crossing the border without a warrant.
    However, if the password is in the traveler's head, then that is not an "item" that can be inspected at the border. The information on the laptop might very well be such an item, however, and if the only way to convince the government to allow you to cross the border is to show the border guards what is on the laptop, then the traveler might very well face the choice of turning on the laptop and opening files, using the password, or not crossing the border. I do not believe that, even here, the traveler would have to produce the password itself. ~Andrew Grosso, Esq. former Assistant U.S. Attorney
    Andrew Grosso & Associates
    1250 Connecticut Avenue, NW, Suite 200
    Washington, D.C. 20036
    (202) 261-3593
    Email: Agrosso@acm.org
    Web Site: www.GrossoLaw.com
  • Any pro who wanted to bring porn (or any other data) into the U.S. on a laptop would never leave the data in an easily discovered form. But then again, why bother using the laptop? How about putting an innocuous looking file on that cute keychain memory dongle? Or on an iPod? Porn could be easily rigged to look like an mp3 file, that could even play properly. Or why not use some spare cell phone memory area? Or how about that 2 Gig memory stick in the camera, or a miniSD memory card inserted into an electric razor or the binding of a book? "OBIT" from the original '60s television series "The Outer Limits": "The machines are everywhere!"
  • LEARN TO PROTECT YOURSELF and help free the world from CENSORSHIP. How to DISABLE YOUR BLOCKING SOFTWARE, Turn your home computer into a Web site that people can access to GET AROUND THEIR BLOCKING SOFTWARE. Defeats all Internet censorship programs, from Net Nanny to the national firewalls used by the government of China. Use Anonymous Email and Use Anonymous surfing.

ADDITIONAL INFORMATION AND ARTICLES

*Peacefire has released a Bypass Program
which can disable all popular Windows blocking software (Cyber Patrol, SurfWatch, Net Nanny, CYBERsitter, X-Stop, Cyber Snoop, PureSight) with the click of a button.

JUNKBUSTER IS A FREE FILTERING PROGRAM
Junkbuster's primary purpose is to filter banner ads and other such stuff. Schools can claim that it's all the filtering that they want, but you can configure it to filter other stuff as well.

COURT SAYS UNENCRYPTED DATA OKAY
A federal judge in Minnesota has dismissed a case alleging that a student loan company was negligent in not encrypting customer data. The case was filed by Stacy Lawton Guin after a laptop containing unencrypted data on about 550,000 customers of Brazos Higher Education Service was stolen from an employee's home in 2004. Although he was not harmed by the loss of his personal information--indeed, there have been no reports of any fraud committed with the stolen information--Guin argued that the Gramm-Leach-Bliley (GLB) Act required Brazos to encrypt the data. Judge Richard Kyle rejected that claim, noting that the legislation does not specifically require encryption. The law states that financial services companies must "protect the security and confidentiality of customers' nonpublic personal information," but, according to Kyle's decision, "The GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office."

COOKIES AND THEIR SECURITY HOLES

The first significant Internet worm appeared on this day 16 years ago November 3, 2004
http://news.com.com/16+candles+for+first+Internet+worm/2100-7349_3-5438291.html
The first significant Internet worm appeared on this day 16 years ago, and online security has never been the same, security professionals say. At around midnight on Nov. 2, 1988, the Morris worm, written by a 23-year-old Cornell graduate student called Robert Tappan Morris, was released on the embryonic Internet. Within hours, the worm had overloaded thousands of Unix-based VAX and Sun Microsystems systems, forcing administrators to disconnect their computers from the network to try to stop the worm from spreading. The Morris worm was part of a research project and was not designed to cause damage, but it was programmed to self-replicate. Unfortunately, the code contained a flaw that allowed the worm to infect a single machine multiple times, which resulted in thousands of computers grinding to a halt under the load of the duplicate copies.
Morris' worm was the first to spread on the Internet. But the very first appearance of a worm was in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, who described a self-distributing program with a bug that managed to crash 100 machines in the research building. Morris was convicted under the Computer Fraud and Abuse Act for releasing the worm, but did not go to prison. He received probation with community service and was fined about $10,000. At the time, the Internet was still a closed system used by universities and the military for research purposes, security experts say. Once it was opened to the public--and the World Wide Web turned it into a mass medium--attitudes to security had to change.
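The reinfection flaw described above is easy to see in a toy model. The following simulation is an added example, not the worm's code or anything from the article: hosts are numbered, every running worm copy probes a few random hosts per round, and an already-infected host is either left alone (a careful worm) or, every seventh time, infected again. That 1-in-7 rule is the behaviour Eugene Spafford documented in his 1988 analysis of the worm, which reinfected anyway to defeat hosts that faked an "already infected" reply; the network size, round count and probe rate are assumptions chosen for the example.

```python
import random


def simulate(hosts: int = 20, rounds: int = 20, attempts: int = 2,
             reinfect_every: int = 0, seed: int = 1) -> dict:
    """Toy model of worm propagation on a flat network (assumed parameters).

    Each running worm process probes `attempts` random hosts per round.
    An uninfected host gets infected (one new process). For a host that is
    already infected, a careful worm does nothing (reinfect_every=0). The
    Morris worm went ahead on every seventh such probe anyway, modelled by
    reinfect_every=7: every seventh probe of an infected host starts another
    copy there, so the process count on a machine climbs without bound.
    Returns {host: number of worm processes}, 0 for never-infected hosts.
    """
    rng = random.Random(seed)
    procs = {h: 0 for h in range(hosts)}
    procs[0] = 1                        # patient zero
    probes_of_infected = 0
    for _ in range(rounds):
        running = sum(procs.values())   # snapshot: new copies act next round
        for _ in range(running * attempts):
            target = rng.randrange(hosts)
            if procs[target] == 0:
                procs[target] = 1       # fresh infection
            else:
                probes_of_infected += 1
                if reinfect_every and probes_of_infected % reinfect_every == 0:
                    procs[target] += 1  # duplicate copy: the load problem
    return procs


def load_report(procs: dict) -> dict:
    """Summarise infected hosts, total copies and the worst-loaded host."""
    return {"infected_hosts": sum(1 for n in procs.values() if n),
            "total_processes": sum(procs.values()),
            "max_per_host": max(procs.values())}


if __name__ == "__main__":
    print("careful:", load_report(simulate(reinfect_every=0)))
    print("morris :", load_report(simulate(reinfect_every=7)))
```

With the reinfection rule off, the number of worm processes never exceeds the number of infected hosts, so a host pays for one copy at most. With it on, once most hosts are infected nearly every probe lands on an infected host, the duplicate count grows with the number of running copies, and the per-host load keeps rising even though no new hosts are being reached, which is what drove administrators to pull machines off the network.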
Sean Richmond, a senior technology consultant at Sophos Australia, said that since Morris, there have been fundamental changes in the way networks and computers communicate with each other, and that will continue to evolve over the next 16 years.
"At that time, commands such as 'remote login,' 'remote shell' and 'remote copy' were commonly used. The idea was that if you were logged into one machine, you could access another system, and it wouldn't even ask you for a login password. There was a level of trust," Richmond said.
When Morris hit in 1988, academics would have lost some of their research. But when worms like Blaster or Sasser start spreading on the modern Internet, it affects banks, government departments and even stops kids from researching their schoolwork from home, said Dircks.<SNIP>
"Security is being designed in the next TCP/IP version (IPV6), so the IP address will contain a knowledge and expectation of security. The current version IPv4 was built with a much more open world in mind. Security was not part of the initial design," he said. "In 16 years' time, the potential for something to spread widely and rapidly across everything will be diminished just by the underlying security."
"Part of the solution is to build security into the architecture. But there are systems that are 30 or 40 years old still running, and the companies using them will not get rid of them, because they still work," Dircks said. "We are always going to have a heterogeneous world, and without painting a picture of doom, gloom and apocalypse, the problems are not going away." - Munir Kotadia of ZDNet Australia reported from Sydney.