SECURITY TOOLS
DOWNLOAD FREE APP - SIGNAL.ORG
Speak Freely: Say "hello" to a different messaging experience. An unexpected focus on privacy, combined with all of the features you expect.
SECURE YOUR CODE
LEARN HOW THE INTERNET WORKS - HUBS AND SPOKES - NETWORKS, BROADBAND, PORTS
Software companies should either make their products open source so buyers can see what they're getting and tweak what they don't like, or suffer the consequences if their software failed.
Searching the Deep Web - https://www.shodan.io/explore
If they get a really low score, "we can guarantee that … they're doing so many things wrong that there are vulnerabilities" in their code. — Sarah Zatko
Peiter Zatko and his wife, Sarah, a former NSA mathematician, have developed a first-of-its-kind method for testing and scoring the security of software: the Cyber Independent Testing Lab. The technique involves, in part, analyzing binary software files using algorithms created by Sarah to measure the security hygiene of code. During this sort of examination, their algorithms run through a checklist of more than 300 items. The approach is known as "static analysis" because it involves looking at code without executing it; the lab is not looking for specific vulnerabilities, but rather for signs that developers employed defensive coding methods to build armor into their code.
Software developers can test their code for conformance to CERT secure coding standards by using the CERT Program's Source Code Analysis Laboratory, or SCALe. To learn more, watch a free webinar about SCALe.
Most software vulnerabilities stem from a relatively small number of common programming errors.

Coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to manually or automatically evaluate source code.

Members of the CERT Secure Coding Initiative have analyzed thousands of vulnerability reports to identify insecure coding practices and develop secure coding standards, which software developers can use to reduce or eliminate vulnerabilities before deployment.
The Hacking Technologies Used by Law Enforcement [code word: Tailored Solutions]
NIST Special Publication 800-88, Guidelines for Media Sanitization: NIST/DOD instructions for wiping storage media.
Christopher Soghoian, Principal Technologist, ACLU: first ever law-school discussion panel on law enforcement hacking at Yale.
FBI hacking: ACLU's comments to the federal rules committee are a must read.
TIPS
- Security Tools for beginners
- PRIVACY ANALYSIS
- SANS Institute: How To Eliminate Top Ten Security Threats
- SURF AND EMAIL ANONYMOUSLY
- LINUX
- How To Safely Integrate Technology Tools into the Classroom
- Political Junkie: Campaign Contributions - who gave what to whom
- NET CENSORSHIP: Censorware Companies and Saudi Arabia Censorship
- How to Obscure Any URL
- Zone Alarm
- UCITA
- VIRUS ALERTS & URBAN LEGENDS
- LINKS
NSA Playset Forget intrusion software, and get yourself some unregulated intrusion hardware! Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
THE BEST VPN SERVICE - Snowden urges consumers to adopt more secure file storage systems which are less susceptible to government surveillance.
Drop Box
- SecureDrop, originally created by the late Aaron Swartz
- Dropbox is hostile to privacy; "zero knowledge" SpiderOak
Find and remove malware with the free Sophos Virus Removal Tool
Espionage
3/11/14 World's first 3-D acoustic cloaking device hides objects from sound "...Using little more than a few perforated sheets of plastic and a staggering amount of number crunching, Duke engineers have demonstrated the world's first three-dimensional acoustic cloak. The new device reroutes sound waves to create the impression that both the cloak and anything beneath it are not there. The acoustic cloaking device works in all three dimensions, no matter which direction the sound is coming from or where the observer is located, and holds potential for future applications such as sonar avoidance and architectural acoustics...."
Keyboard Sniffers
There are a ton of reasons why someone would need to record the keystrokes of a keyboard, including monitoring your child's internet activity, an unfaithful spouse, an employee, or just making sure no one is monitoring you.

There are two types of sniffers, the hardware kind and the software kind. With a software sniffer, you need to be able to access the computer you want to monitor and install the software. If the computer has a password you're out of luck. If you do manage to log into the system, then chances are that whatever antivirus / anti-spyware system is running will detect your keylogger.

Hardware keyloggers only require that you have physical access to the PC; you simply unplug the keyboard, plug the keyboard sniffer into the computer, then attach the keyboard to the sniffer and walk away. A few days later, simply unplug the device, attach the keyboard back to the computer and head home. Once you are on your computer, you'll attach the device as before, enter your secret code and you'll have access to all the recorded keystrokes. You can expect to pay about $60 - $150 for a keyboard sniffer that you plug into the keyboard: not free, but considering the hassle of installing a software keylogger, it may just be the best route. If you're interested in checking out the free keylogger BFK, visit bfk.sourceforge.net
Breaking the Silk Road's Captcha
GNU
The GNU Privacy Handbook Copyright © 1999 by The Free Software Foundation
Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems. If you do have something important to hide, you are in good company; GnuPG is one of the tools that Edward Snowden used to uncover his secrets about the NSA.
Email Self-Defense: learn how and why you should use GnuPG for your electronic communication.
Zimmermann's $20-a-month Silent Circle encryption service. Facebook is topping health insurers, banks, and even the federal government as today's No. 1 privacy threat.
SECURITY
How To Secure Wifi Wireless Lan tools
CVSS Score Distribution For Top 50 Vendors By Total Number Of Distinct Vulnerabilities
Attackers used infected, vulnerable content-management servers with a customized version of the "itsoknoproblembro" DDoS toolkit, likely exploiting a vulnerability in the default Bluestork Joomla template.
[After years of focusing mainly on the malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself. See Turning Tables: ID'ing The Hacker Behind The Keyboard.]
The New Norm
The average denial-of-service attack falls far short of the volume of traffic leveled at targeted sites during Operation Ababil. While Arbor declined to give bandwidth figures, DDoS mitigation firm Prolexic stated that the attack reached 70 Gbps and 30 million packets per second against some of its customers. Another source familiar with the attacks, who asked not to be named, pegged the bandwidth as high as 100 Gbps. "If someone said your core enterprise publishing server is being used in an attack, (the security team) would have to get management permission to shut down the server, because it would have a business effect," he says.
http://www.darkreading.com/advanced-threats/167901091/security/perimeter-security/240008534/serious-attackers-paired-with-online-mob-in-bank-attacks.html
Man In The Middle
mitmproxy: a man-in-the-middle proxy
sendsafely.com - SendSafely offers a radically new way to securely send and receive files. Share files in minutes using 256-bit PGP encryption. Upload files, share the link, grab a sandwich... you're done. It couldn't get any easier.
Do not install Amazon Browser Apps: prevent the Amazon Man in the Middle Attack
2013: Insecure browser addons may leak all your encrypted SSL traffic, exploits included. Let me show you how you can view all SSL encrypted data, via exploiting the Amazon 1Button App installed on your victims' browsers. Plaintext traffic is dead easy to sniff and modify.
Encryption Tool
- Free
- Uses recognizable and known encryption algorithms
- Works sensibly with a container file that can be treated as external data (i.e. backed up to tape entire)
- Source code available
- No adware or "wouldn't you like to buy me now?"
- Small footprint

Like anything, it has as many legitimate as illegitimate uses; this is public information and, ironically, was brought to my attention by some of the top security experts in the industry.
Creates a virtual drive inside of any object of your choosing. But it goes one better. You can encrypt within the encryption in ways that are undetectable. Thus you can give a password and allow others to open it and inspect. Those looking will never know that within the encrypted space there is another, deeper form of encryption. That said, I'd really hate to see the gov't or someone else shut this down. At the same time, for people traveling who are doing legitimate things that overreaching gov't officials have no right to see (and for which it is too late once compromised), this presents a valid solution. It is also incredibly useful for anyone carrying sensitive information because it gives you two layers of protection if your storage device or laptop is stolen. Know that if you mount it to a flash drive, it formats the entire drive. Most people create an object and mount it to that. Also, never, ever forget your password - did that once - and lost 50 megs worth of data. (You might want to use RoboForm, which encrypts and protects your passwords.) There's no getting inside of this. Ever. It's about as rock solid as it gets.
ENCRYPTION and SECURITY TUTORIAL (Security researcher Peter Gutmann.)
A Cost Analysis of Windows Vista Content Protection
by Peter Gutmann, Dept. of Computer Science, 12/27/06
It details how Vista is intentionally crippled to protect "premium content", and the possible effects on OSS, drivers etc.
Executive Summary:
Windows Vista includes an extensive reworking of core OS elements in
order to provide content protection for so-called "premium content",
typically HD data from Blu-Ray and HD-DVD sources. Providing this
protection incurs considerable costs in terms of system performance,
system stability, technical support overhead, and hardware and
software cost. These issues affect not only users of Vista but the
entire PC industry, since the effects of the protection measures
extend to cover all hardware and software that will ever come into
contact with Vista, even if it's not used directly with Vista (for
example hardware in a Macintosh computer or on a Linux server).
This document analyses the cost involved in Vista's content
protection, and the collateral damage that this incurs throughout
the computer industry.
The Vista Content Protection specification could very well
constitute the longest suicide note in history. [...]
Disabling of Functionality
Vista's content protection mechanism only allows protected content
to be sent over interfaces that also have content-protection
facilities built in. Currently the most common high-end audio output
interface is S/PDIF (Sony/Philips Digital Interface Format). Most
newer audio cards, for example, feature TOSlink digital optical
output for high-quality sound reproduction, and even the latest crop
of motherboards with integrated audio provide at least coax (and
often optical) digital output. Since S/PDIF doesn't provide any
content protection, Vista requires that it be disabled when playing
protected content. In other words if you've invested a pile of money
into a high-end audio setup fed from a digital output, you won't be
able to use it with protected content. Similarly, component (YPbPr)
video will be disabled by Vista's content protection, so the same
applies to a high-end video setup fed from component video. [...]
Elimination of Open-source Hardware Support
In order to prevent the creation of hardware emulators of protected
output devices, Vista requires a Hardware Functionality Scan (HFS)
that can be used to uniquely fingerprint a hardware device to ensure
that it's (probably) genuine. In order to do this, the driver on the
host PC performs an operation in the hardware (for example rendering
3D content in a graphics card) that produces a result that's unique
to that device type. In order for this to work, the spec requires
that the operational details of the device be kept confidential.
Obviously anyone who knows enough about the workings of a device to
operate it and to write a third-party driver for it (for example one
for an open-source OS, or in general just any non- Windows OS) will
also know enough to fake the HFS process. The only way to protect
the HFS process therefore is to not release any technical details on
the device beyond a minimum required for web site reviews and
comparison with other products.
P2P
P2P - What they will find out about you when you use p2p and are tracked. See What You Share: A Showcase of Material Found on Peer-to-Peer Networks throughout the World.
TorrentSpy "The intent behind TorrentSpy is to give the BitTorrent power-user all the information ... TorrentSpy is not meant to replace the normal BitTorrent client, ..."
BitTorrent search site hits back
"The MPAA is in essence trying to outlaw the torrent file format."
Nareos , a developer of p2p distribution technologies, announced the launch of PeerMind , a new peer-to-peer monitoring and data mining service for entertainment industry clients. The service, which the company says does not collect IP addresses of file-swappers, monitors P2P networks including eDonkey and Gnutella, and plans to add FastTrack (Kazaa) and BitTorrent soon. In addition to detailed reports and custom research, Beverly Hills, Calif.-based Nareos will also publish free weekly charts of the most-downloaded songs, movies, software, video games and ringtones on file-sharing services.
PCHelp's Network Tracer
TRACE.BAT is an MS-DOS batch process which uses standard network query utilities to work up a handy report on a given Internet address.
YaCy a p2p-based distributed Web Search Engine
DIGITAL RIGHTS MANAGEMENT
Digital Rights Management Tools
Insecure.org OpenDVD Project Launched and more.
Peer to Peer Technology
Peer-to-peer computing is the sharing of computer resources and services by direct exchange between systems. These resources and services include the exchange of information, processing cycles, cache storage, and disk storage for files. Peer-to-peer computing takes advantage of existing desktop computing power and networking connectivity, allowing economical clients to leverage their collective power to benefit the entire enterprise.
Free CD-DA Extractor rips audio CDs and converts audio files. The application supports the following formats: MP3 (MP1, MP2, MP3), MPEG-4/AAC (M4A), OGG Vorbis (OGG), WAV, Monkey's Audio (APE), and FLAC formats.
EphPod is a full-featured, easy-to-use Windows application that connects with Apple's iPod. With a FireWire card and EphPod on a PC, it takes under 30 minutes to transfer 1,000 songs to an iPod. In addition, EphPod supports standard WinAmp (.M3U) playlists, includes powerful playlist creation features, and will synchronize an entire music collection with one click. It imports Microsoft Outlook contacts, in addition to allowing users to create and edit their own contacts. EphPod can also download the latest news, weather, e-books, and movie listings to an iPod.
CD / DVD Backup Workarounds or http://www.cdmediaworld.com/
- WCT/WPPT goals include preventing every unauthorized use
- DMCA goal -- preventing unauthorized copying or use of work
- DRM goal -- their products let publishers control every use of a work, right down to private home viewing.
Why Workarounds?
Copyright law doesn't give publishers the right to control or hinder the public's exercise of their fair use rights by "preventing unauthorized copying or use of work". Some unauthorized copying and some unauthorized uses have always been legal, and these workarounds prevent turning copyright from a limited monopoly into an absolute, unlimited monopoly by deciding what is "authorized".
I.R.C. - Used to transfer big files that would be rejected by an e-mail system, without burning a disc and putting it in the mailbox; the file-transfer capability in I.R.C. may be the most convenient way. The F.B.I. is interested in the best way to monitor the traffic. IRC started in the 1980s; users communicate in real-time chat rooms, known as channels. The whole idea behind I.R.C. is freedom of speech. This is where to find illegal software vaults on the Internet, where pirates generally use I.R.C. to communicate and coordinate with one another. Warez, pronounced like "wares", is techie slang for illegally copied software. Because it is generally a text-only medium, it does not require high-capacity Internet connections, making it relatively easy to run a private I.R.C. server from home. I.R.C. server software was developed by William A. Bierman, known online as billy-jon. There are also public I.R.C. networks, like DALnet, EFNet and Undernet. Each typically ties together dozens of individual chat servers that may handle thousands of individual users each. Rob Mosher, known online as nyt (for knight), runs a server in the EFNet network.

First, the user downloads an I.R.C. client program; the most popular is a Windows shareware program known as mIRC (www.mirc.com). When users run the I.R.C. program, they can choose among dozens of public networks. Within a given network, it does not really matter which individual server one uses. If users know the Internet address of a private server, they can type in that address. Once logged in to a public server, the user can generate a list of thousands of available channels. On an unmoderated network, the most popular channels are often dedicated to trading music, films and software. In addition to supporting text-only chat rooms, I.R.C. allows a user to send a file directly to another user without clogging the main server. irc://undernet/gettogether; see http://www.irc.org/
http://www.free-codecs.com/
http://www.codecsdownload.com/
VIDEO CODECS - K-Lite Codec Pack, Tsunami Codec Pack, Nimo Codec Pack, DivX Free, ACE Mega CoDecS, Koepi's XviD, Codec Pack All in 1
AUDIO CODECS - LAME MP3 Encoder, BladeEnc, Fraunhofer Radium MP3, AC3 Filter, Vorbis Ogg ACM Codec, AC3 Decoder, MPEG Layer-3 Codec
TOOLS - Real Alternative, QuickTime Alternative, BSplayer, Media Player Classic, GSpot, VideoLAN, Winamp
Traveling with a laptop
U.S. agents can seize travelers' laptops: report
"U.S. federal agents have been given new powers to seize travelers' laptops and other electronic devices at the border and hold them for unspecified periods"
Keep Your Data Safe at the Border, CNet, May 5, 2008: use cloud computing or your own home server or whatever, and transfer it in encrypted form end-to-end.
Virtual Machine Ware - Run multiple operating systems simultaneously on a single PC
How-to create your own virtual machines.
http://www.lorenzoferrara.net/old-site/blog/pivot/entry.php?id=73
http://www.hackaday.com/2005/10/24/how-to-vmware-player-modification/
The only "safe" way to get your laptop into the US would be to create a VM containing your chosen OS and data and then leave this at home. Travel without a laptop until you arrive at your destination. At this point you can acquire a machine, generate a keypair and export the public key. A trusted third party then encrypts the VM and makes it available for download, probably with a service like Amazon's S3.

Amazon S3 is based on the idea that quality Internet-based storage should be taken for granted. It helps free developers from worrying about how they will store their data, whether it will be safe and secure, or whether they will have enough storage available. It frees them from the upfront costs of setting up their own storage solution as well as the ongoing costs of maintaining and scaling their storage servers. The functionality of Amazon S3 is simple and robust: Store any amount of data inexpensively and securely, while ensuring that the data will always be available when you need it. Amazon S3 enables developers to focus on innovating with data, rather than figuring out how to store it.

The VM can contain all your actual data in encrypted volumes to minimize the risk of having to trust a third party (though this would require transporting a private key inside the VM). This way you avoid the problem of taking data through the border and also of taking a password through with you: the keys don't exist yet, so how could you reveal the password? Nothing carried through and nothing concealed.

If you're willing to expose a port on your home network, then from your destination you could use scp to transfer the VM to your location using password authentication. Then you do not have to trust a third party.
- Electronic Frontier Foundation
- The Center for Democracy and Technology
- Peter Swire Privacy Senior Fellow, Center for American Progress
What Is Unicode - Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.
UNICODE
DSL ONLINE SECURITY: run a test attack courtesy of Steve Gibson (Gibson Research). To run this test, click on his Shields Up message. You will then be given an opportunity to initiate an immediate remote test attack on your computer's current defenses (firewalls) and ports.
IBM 4758 cryptographic coprocessor , designed to destroy itself if it detects an intrusion attempt. Coprocessor features "physical penetration, power sequencing, temperature, and radiation sensors to detect physical attacks against the encapsulated subsystem." The U.S. government has certified it to meet the FIPS 140-1 standard at level 4, the most secure.
StockCop.com
Not a law firm. Web site assists defrauded investors: ex-Wall Streeters who bring their expertise directly to the investing public. Through a free proprietary service called Advanced Investor Response, they provide investors with an insider's view of how the brokerage industry works.
CYBERTIP HOTLINE FOR MISSING AND ABUSED CHILDREN - REPORT INTERNET SEXUAL MISCONDUCT ONLINE AS IT IS HAPPENING - 1-800-843-6578
SPYWARE TROJANS
The computer spy that steals your passwords and credit [1]
ABOUT three weeks ago, Cheryl Lambert bought a £179 surfboard on
eBay for her daughter. Soon after, she noticed her computer started
to behave erratically and within a few days it had ground to a halt.
"It just completely crashed," said Lambert, 38, a community worker
who lives in Helston, Cornwall. "The anti-virus software was saying
the computer was infected, but it just couldn't fight it. The
computer got slower and slower and then it just stopped."
A few days after her desktop machine was unplugged from the
internet, Lambert's personal details appeared on a Russian website.
Her home phone number, her address, her credit card number and her
e-mail address with Tesco were all listed on a forum where criminals
and computer hackers trade stolen identities. Lambert cancelled her
gold Lloyds TSB card when she was alerted by The Sunday Times to
what had happened, but one fraudulent transaction for £10.70 had
already been made.
Lambert is believed to have fallen victim to malicious "trojan"
software. This can be unwittingly downloaded from an e-mail
attachment or website and then quietly records details of passwords,
security codes and credit card numbers used on secure websites. The
information is relayed back to the author of the malicious software.
The Russian website
that posted Lambert's details, is one of a network of sites which
trade in stolen identities. Thousands of passwords for e-mail
accounts, security numbers for credit cards and access codes for
shopping websites are offered for sale online after being
"harvested" from trojan software.
In a four-week investigation a Sunday Times reporter approached
users on Russian websites who were offering stolen identities for
sale. The site includes a step-by-step guide to stealing identities
and using the information without detection.
The reporter was offered stolen data on British citizens ranging in
price from $2 to $5 per person. She requested a free sample and at
11.50pm on August 23 the details of more than 30 individuals were
posted online, 13 of whom were British.
Max Haffenden, 27, an IT worker from Bexhill-on-Sea in East Sussex,
was among those on the list and he confirmed last week that The
Sunday Times had obtained his secret password from the Russian
website. He uses the password - which has now been cancelled - for
his personal Yahoo! e-mail account, payment transfers using PayPal
and online shopping accounts.
"I am amazed someone could have got access to these details," he
said. "I have a good idea of how computers work and how to be as
secure as possible. I only trust a site with my details if it has a
'padlock' to show it is a secure server."
Haffenden, who used a computer firewall and anti-virus software,
said his computer's systems alerted him to malicious software, which
he said might have been a trojan, about a year ago. He was unable to
fix the problem but said it did not affect the performance of his
computer.
Others on the list said there had been no apparent problems with
their machines. Nick Riches, 40, from Basingstoke in Hampshire, who
also works in the computer industry, was among those targeted. He
confirmed his "standard secure password" had been obtained by the
Russian website, along with his Hotmail access, his home address and
details of a NatWest card. He said he regularly scanned his computer
for viruses but had not been aware of any malicious software.
There was evidence last week that the fraudsters had already used
some of the personal data to steal money. Cards belonging to
Haffenden and Riches had been used without their permission on an
internet gambling site, Unibet, in the past month with payments of
£400 and £512.50.
Stolen data offered on foreign websites is usually obtained from
hacking into the database of an online company to obtain customers'
details or from infiltrating a personal computer.
While nearly all computer users are alert to the threat from
viruses, many are unaware of trojans, which can covertly install
themselves via a website or e-mail attachment.
Carole Theriault, senior security consultant at Sophos, an internet
security company, said: "Viruses basically had bells and whistles to
say 'we've got you' and spread rapidly around the internet. Trojans
are very different. They don't spread on their own and may not even
affect the performance of your computer, but when you go on sites
like eBay or check your account online, they can record the keys you
press.
"About 70% of the reports of new threats of malicious software are
trojans. The people who send them out don't hit so many computers
because they don't want to make the headlines."
Theriault said that a firewall and regularly updated anti-virus
software would help reduce the threat from trojans, but there was no
100% solution. "It's like driving a car," she said. "There's always
a risk. You just have to do everything you can to reduce it."
One of the problems is that some trojans are not always identified
by anti-virus software. One trojan, called A311 Death or Haxdoor,
has infected an estimated 35,000 computers worldwide, including
10,000 in Australia.
A warning from the Australian Computer Emergency Response Team
stated: "If your computer is already compromised with an
input/output monitoring trojan, SSL (encryption) cannot prevent the
trojan from capturing web form data, keystrokes, and passwords."
In the UK many people are unaware of the threat. An official Home
Office leaflet providing advice on identity theft does not even
mention the importance of computer security. The government does,
however, support a website, Get Safe Online, which provides
information on protecting a home computer.
Despite the warnings and security software available, obtaining
personal data stolen from British computers is easy. It is also
cheap, with passwords being traded online for as little as £1.
Using an internet Cyrillic keyboard to enter the word "carding" on
the Google search engine, a Russian-speaking Sunday Times reporter
was presented with an array of sites offering stolen data and bogus
identity documents.
One website - called carders0.tripod.com - had a virtual shopping
basket of identity fraud, with "buy now" icons next to every item.
The products on sale included credit cards - both fake and real -
driving licences, travellers' cheques, fake passports and machines
to make credit cards. The site included starter packs for fledgling
fraudsters as well.
The same site also offered a service called Rebirth in which
visitors were offered the chance to "buy a whole new identity from
Britain or Ireland". Costing £13,000, the package offered a new
passport and a birth certificate. The Sunday Times was unable to
confirm whether genuine documents would be exchanged for an online
payment.
At the lower end of the scale, a range of websites offered stolen
data that could be used to access subscription services, pay for
goods online or transfer funds. Some of the data are even posted for
free as samples to interested buyers. After using the data, one user
of http://www.carder.info commented on the website: "Thanks, found
some valid stuff. Put up more."
The batch of stolen data provided to the reporter included passwords
for e-mail accounts, credit card numbers and home telephone numbers
of people in Bishop's Stortford in Hertfordshire, Spalding in
Lincolnshire, Blackpool, Hartlepool and Glasgow.
A week after the reporter was given the sample, she was able to
retrieve the passwords for the PayPal accounts of 19 Britons from
the site. The information would enable fraudsters to gain access to
accounts and transfer funds.
The www.carder.info site is registered to 340 Pushkinskaya in
Moscow. The house number does not exist. The Russian-based company
that hosts the site, Net of National Telecommunications, would not
comment last week, but is understood to be in contact with police
about any suspected illegal transactions.
Lennart Ehlinger, group security controller for the London-based
Unibet, said it was difficult to detect fraudulent use of credit
cards if the fraudster was able to provide a security code, number
and home address.
A spokesman for Apacs, the UK payments association, said hackers who
stole personal information often evaded detection by using a network
of foreign websites.
A spokesman for PayPal said its servers were secure, but information
on passwords was sometimes compromised by trojan software and
"phishing", which uses spoof websites to obtain user information.
HOW TO STAY SAFE ONLINE
The risks can never be wholly eliminated, but experts recommend:
* Never go online without first ensuring your computer is protected
with a firewall and anti-virus software. An unprotected computer is
on average infected within 12 minutes of being plugged into the
internet, according to research by Sophos, the computer security
company.
* Always make sure you have the latest anti-virus software
* Consider installing software that scans your system for downloads that secretly monitor your computer use. Products such as Spybot Search & Destroy ( www.safer-networking.org ) can be downloaded free.
* Never download software from unknown sites. The downloads can harbour trojans. Similarly, never open e-mail attachments from unknown sources.
* When entering details on a banking website or payment service, such as PayPal, carefully check the website address. A trojan can direct a computer to a spoof site.
* If your computer is performing erratically or slowing down, then scan it with anti-virus software.
SPYWARE ROOT KITS
Rootkit Removal Tools by Mark Joseph Edwards, News Editor, mark at
ntsecurity / net
Rootkits are a growing problem, and as you might expect, the list of
tools that can help you prevent rootkit infiltration is also
growing. The list of standalone tools that can help with rootkit
detection and removal is also expanding. This week, I give you a
list of the standalone detection and removal tools that I know
about.
The alphabetical list below can be a resource to help you add some
useful tools to your security toolkit. As with antivirus and
antispyware tools, using multiple rootkit detection and removal
tools is a good idea because not every tool can detect and remove
every rootkit.
Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight,
Sophos Anti-Rootkit, and IceSword, all of which are from entities
that I'm familiar with and trust to some extent or other.
A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker)
look interesting, but I have no idea who the authors are, nor do
their Web sites offer much information to lend insight. So although
I included them in the list, definitely use your own discretion.
There are undoubtedly other related tools available that I'm not
aware of; if you know of one, please send me an email with details.
If you've tried one of the tools below, let me know about your
experiences with it.
BitDefender RootkitUncover beta, from SoftWin
This tool is currently available as a free beta and looks promising,
particularly because it's from SoftWin, makers of BitDefender.
http://download.bitdefender.com/windows/desktop/internet_security/beta/
DarkSpy, from DarkSpy Security Group
This tool is from a group of Chinese security researchers that I'm
unfamiliar with. The download page for the tool says, "Use at your
own risk," and you'd be wise to take that advice; however, it might
give you a little comfort to know that this tool was recently
mentioned in the SANS Internet Storm Center's Handler's Diary.
Click the second URL under the Helios entry below to link to that
mention.
http://www.fyyre.net/~cardmagic/index_en.html
GMER, from an unknown independent Polish developer
Although no information is readily available about who developed
this tool, its Web site has several screenshots and some movies
(in .wmv and .avi format) that show the tool in action. So you can
get a good idea of what it's like before using it.
http://www.gmer.net/
Helios, from MIEL e-Security
This is a new tool, currently in "alpha" development, that looks
promising. For some good insight into Helios, go to the second URL
below to read the SANS Handler's Diary entry for July 26, in which
you can also see some screen shots of the tool in action.
http://helios.miel-labs.com/
RKDetector, by Miguel Tarasco Acuna
This toolkit comes in two parts: A file system analyzer and an
Import Address Table (IAT) analyzer. The file system analyzer
scans the file system and registry, and the IAT analyzer scans
memory space for
alterations that would allow rootkits to hook into the system.
Screen shots are available to give you a good idea of what the
tool looks like.
http://www.rkdetector.com/
RootKit Hook Analyzer, from Resplendence Software Projects
Although most rootkit detection tools look at kernel hooks, the file
system, the registry, user accounts, and so on, this particular tool
focuses exclusively on kernel hooks.
http://www.resplendence.com/hookanalyzer
RootkitRevealer, from Sysinternals
A tool written by Mark Russinovich and Bryce Cogswell, two very
well known Windows experts.
http://www.sysinternals.com/utilities/rootkitrevealer.html
System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska
These tools specifically look for hidden files and at various system
components that might be modified by various rootkit techniques.
Source code is included. Rutkowska is a well-known researcher.
http://www.invisiblethings.org/tools.html
PRIVACY
10 security tips for protecting data while traveling
EFF Reveals Codes in Xerox Printers
The Electronic Frontier Foundation says it has cracked the tracking
codes embedded in Xerox Corp.'s DocuColor color laser printers. Such
codes are just one way that manufacturers employ technology to help
governments fight currency counterfeiting.
Public Key Cryptography in One Easy Lesson
Public key cryptography relies on two scrambling devices, called
"keys", that have the following relationship. There is a public key
P and a private key R. Suppose I write a sweet, sensitive love
letter, filled with spiritual values, genetic imperatives, and
sexual innuendo, to my current flame Veronica. Let's refer to this
letter as the message M. I encrypt it with Veronica's public key P,
producing the encrypted message P(M). Anyone looking at P(M) will
only see a string of meaningless symbols, gibberish. When Veronica
receives it, she will apply her private key R to the encrypted
message, producing R(P(M)) = M, turning the apparent randomness into
tears, joy, and erotic fantasy.
The key pairs P and R must have the relationship that for any
message M, R(P(M)) = M. In addition, it should be practically
impossible for anyone to determine M from P(M), without the
associated private key R. For any other private key R', R'(P(M)) is
not equal to M--it's still gibberish. The key pairs P and R also
have the commutative relationship P(R(M)) = M: if you encrypt a
message with your private key R, then anyone can decrypt it using
your public key P.
Being able to send secure messages is one function of public key
cryptography. Another function is authentication. Suppose you sent a
message M to Bill. He receives the message M*. Bill doesn't know
whether M* is really from you; or, even if it is from you, whether
it has been altered in some way (that is, if the M* he receives is
the same as the M you sent). The solution to this problem, using
public key cryptography, is that you also send Bill a digital
signature S along with the message M. Here is how this
authentication process works.
For simplicity, assume you don't even encrypt the message to Bill.
You just send him the plain message M, saying "Dear Bill: You are
wrong and I am right. Here is why, blah blah blah [for a few
thousand words]." Then you just sign it by the following procedure.
First you chop your message down to size, to produce a (meaningless)
condensed version, where one size fits all. To do this, you need a
message chopper called a "hash function." You apply the hash
function H to the message M to produce a "message digest" or "hash
value" H(M) which is 160 bits long. You then sign the hash value
H(M) with your own private key R, producing the signature S =
R(H(M)).
The receiver of the message, Bill, applies the same hash function to
the received message M* to obtain its hash value H(M*). Bill then
decrypts your signature S, using your public key P, to obtain P(S) =
P(R(H(M))). He compares the two. If H(M*) = P(R(H(M))), then he
knows the message has not been altered (that is, M* = M), and that
you sent the message. That's because the equality will fail if
either (1) the message was signed with some other private key R',
not yours, or if (2) the received message M* was not the same as the
message M that was sent [33].
By some accident, of course, it could be that Bill finds H(M*) =
P(R(H(M))) even if the message has been altered, or it is not from
you. But the odds of this happening are roughly 1 in 2^160, which is
vanishingly small; and even if this happens for one message, it is
not likely to happen with the next.
Keep hackers out of your business! This PCWorld article will show
you how to encrypt your email using PGP Privacy. It will show you
how to download, install, and configure PGP on your system. For
those who are not familiar with PGP (Pretty Good Privacy), it's
software that scrambles your messages so that only the intended
recipient can read them. PGP has been around for quite some time and
has proven reliable.
WEB BUGS
Web bug basics - A Web Bug is a graphic on a Web page or in an Email
message that is designed to monitor who is reading the Web page or
Email message. Web Bugs are often invisible because they are
typically only 1-by-1 pixel in size.
Destroying Web Bugs
Download Bugnosis
A privacy software package has been launched that specifically
targets a new form of Internet tracking.
The Privacy Foundation has unveiled Bugnosis, a special program to
detect webbugs. Webbugs are tiny image files which are being used
increasingly to identify and track computer users. Bugnosis, which
can be downloaded through the World Wide Web, is installed as a
plug-in to existing Internet browsers and causes individual computers
to say "uh-oh" when a webbug is encountered. It also logs the URL
associated with a given webbug as well as further details as to the
intruder's properties (such as whether the bug is connected to other
digital identification files, including cookies). Moreover, Bugnosis
marks a viewed site so that the user can actually see the
exact location of a particular webbug on the page. If the program
discovers that a webbug is associated with certain well-known
companies (such as Internet advertising giant DoubleClick), it
allows the user to send an email message directly to the webbug
owner for further queries or outright complaints. The Foundation
hopes that this program will increase public awareness and openness
about these tracking devices. For example, the organization argues
that "Web site privacy policies should disclose the use of Web bugs.
In fact, the general practice of online profiling by third-party ad
networks should be disclosed in privacy policies, but is rarely
mentioned."
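As an added illustration of the kind of check a tool like Bugnosis performs (example code written here, not the Privacy Foundation's own), the scanner below flags 1-by-1 pixel images fetched from a host other than the page's and records the URL and its query parameters; the sample HTML and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class WebBugScanner(HTMLParser):
    """Flag <img> tags that look like web bugs: 1x1 pixel images loaded
    from a third-party host, typically carrying a tracking query string."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}   # attributes may lack values
        src = a.get("src", "")
        tiny = a.get("width").strip() == "1" and a.get("height").strip() == "1" \
            if "width" in a and "height" in a else False
        parsed = urlparse(src)
        third_party = bool(parsed.netloc) and parsed.netloc.lower() != self.page_host
        if tiny and third_party:
            self.findings.append({
                "url": src,
                "host": parsed.netloc,
                # parameter names only: these often carry a user/page identifier
                "tracking_params": sorted(parse_qs(parsed.query)),
            })

def find_web_bugs(html, page_host):
    """Return a list of suspected web bugs found in the page's HTML."""
    scanner = WebBugScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one normal logo, one third-party tracking pixel,
# and one first-party 1x1 spacer that should not be flagged.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="120" height="40">
<img src="http://ads.example-tracker.test/pixel.gif?uid=12345&page=home" width="1" height="1">
<img src="https://www.example-site.test/spacer.gif" width="1" height="1">
</body></html>
"""
```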
GOVERNMENT
Department of Justice
Offers Advice on how to protect against hackers and explains how to
report Internet crimes, includes links to Web pages on issues like
encryption and electronic privacy. The section on Internet crimes
notes which agencies handle which types of crime. The site's advice
for victims of computer crime, for example, boils down almost
entirely to three marginally helpful words: "Call the FBI." (Anyone
who has actually called a local FBI office and asked it to deal with
problems such as Internet intruders quickly learns that this is an
exercise in futility.) However, the site does contain lengthy
arguments for the regulation of cryptography, the expansion of
police powers, and the implementation of blocking technologies on
the Internet. The pages at http://www.cybercrime.gov/crypto.html,
which contain one-sided arguments against the availability of strong
encryption and contain serious technical errors (for example, the
difficulty of breaking encryption schemes such as single 56-bit DES
is grossly overstated), are typical.
FOREIGN TERRORIST ORGANIZATIONS
Designations by Secretary of State Madeleine K. Albright. Released
by the Office of the Coordinator for Counterterrorism October 8,
1999. Information from the Secretary of State's office listing and
describing which organizations are considered Terrorist Groups
according to the U.S. Government. (Subject(s): Terrorism &
United States. Department of State)
Computer Crime and Intellectual Property Section
(CCIPS)
Attorney staff consists of about two dozen lawyers who focus
exclusively on the issues raised by computer and intellectual
property crime. Section attorneys advise federal prosecutors and law
enforcement agents; comment upon and propose legislation; coordinate
international efforts to combat computer crime; litigate cases; and
train all law enforcement groups. The site includes press releases,
officials' speeches, testimony to Congress, legal texts, and Justice
Department reports among other things. They also cover information
on prosecuting electronic intruders, privacy, searching and seizing
computers, intellectual property piracy, encryption, and
international aspects of Cybercrime. Since keeping cyberspace safe
is of special interest to all of us, especially children, the site
also provides a link to the Internet "Do's and Don'ts" section of
the Justice Department's Kids' page.
FBI
and the
National White Collar Crime Center
a clearinghouse and training center that exists to keep law
enforcement agencies up to date on white-collar crime trends. Do you
have a complaint about any product, service or company and wish help
resolving the complaint from the Government? "File Complaints with
the right agency about products and services including online scams,
lost luggage, telephone service and more."
The U.S. Federal Bureau of Investigation is using a superfast system
called
Carnivore
to covertly search e-mails for messages from criminal suspects.
Cross-Border E-Commerce Complaints
http://www.econsumer.gov
The U.S. Federal Trade Commission and twelve other countries
including Australia, Finland, New Zealand, South Korea, and the
U.K., unveiled e-consumer.gov, a joint effort to gather and share
Cross-Border E-Commerce complaints.
The project has two components: a multilingual public Web site and a
government, password-protected Web site. The public site will
provide general information about consumer protection in all of the
participating countries, contact information for consumer protection
authorities in those countries, and an online complaint form. All
information will be available in English, Spanish, French and
German.
FTC: INTERNET AUCTIONS
Guide for Buyers and Sellers