The Educational CyberPlayGround

SECURITY ARTICLES

Friending A Spy On Facebook
Taylor Buley, 06.29.10, 05:00 PM EDT
One man's LinkedIn recommendation for a newly alleged Russian spy. Ten alleged spies appeared in federal court on Monday, accused by the FBI as being part of an East Coast spy network set up by the Russian government. The foreign government is said to have provided the suspects fake names and ordered them to take on "deep cover" assignments to become "Americanized."

It is perhaps telling, then, that Anna Chapman--one of the alleged spies--appears to have used websites like Facebook (see her page here) and LinkedIn to network with business colleagues.

Facebook from the hacker's perspective.

For the past few years we've (Netragard) been using internet-based social networking tools to hack into our customers' IT infrastructures. This method of attack has been used by hackers since the inception of social networking websites, but only recently has it caught the attention of the media. As a result of this new exposure we've decided to give people a rare glimpse into Facebook from a hacker's perspective. Credit for designing this specific attack methodology goes to Kevin Finisterre and Josh Valentine, both core members of our team.

Inside The Brains Of A Professional Bank Hacking Team
Desautels laid out a recent hacking operation that his SNOsoft research team was hired to perform on a bank client. Though he doesn't name the target, he describes step by step the social engineering involved in sussing out the bank's defenses, including staging a fake job interview with unwitting employees of the company. The technical strategy for breaching the bank's defenses--a targeted, booby-trapped PDF attachment--isn't a surprise. But the detailed description of the preparation for that exploit is a rare window into the hacking process.

2009: Anti-Credit-Card-Fraud Steps in the U.S. Card Industry
Paul Kocher, chief research scientist at Cryptography Research Institute, says the fundamental limitation with PCI is that it attempts to distill security down into a static set of requirements, while adversaries aren't restricted to a rigidly defined set of methods. "As a result, clever attackers will always find holes," he says. "PCI does provide some value by forcing merchants to put some effort into addressing the most common attacks, but the objective is to reduce total risk -- not stop all attacks."

iPhone encryption cracked in two minutes 7/27/09
http://it.slashdot.org/story/09/07/24/2218201/iPhone-3Gs-Encryption-Cracked-In-Two-Minutes
"In a Wired news article, iPhone Forensics expert Jonathan Zdziarski explains how the much-touted hardware encryption of the iPhone 3Gs is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about two minutes. Zdziarski also goes on to say that all data on the iPhone - including deleted data - is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike [to] access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption by saying it's 'like putting privacy glass on half your shower door.' With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?"

Skype Threatens Russian National Security? 7/27/09
http://yro.slashdot.org/story/09/07/25/0015250/Skype-Apparently-Threatens-Russian-National-Security
"Reuters reports that 'Russia's most powerful business lobby moved to clamp down on Skype and its peers this week, telling lawmakers that the Internet phone services are a threat to Russian businesses and to national security.' The lobby, closely associated with Putin's political party, cites concerns of 'a likely and uncontrolled fall in profits for the core telecom operators,' as well as a fear that law enforcement agencies have thus far been unable to listen in on Skype conversations due to its 256-bit encryption."

Spoofed Form Submissions; htmlspecialchars (convert special characters to HTML entities); Filtering: Input Filtering at a Server Level; and The Flip Side of the Coin: Output Escaping.
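The three link titles above describe one defensive pattern from both sides: a form submission can be hand-crafted, so the server must re-validate every field against what the form actually offered, and whatever survives validation must still be escaped when it is written back into HTML. The following is an added example (not code from the page or from any linked article) that shows both halves in Python; the form fields, the allowed colour list and the sample submissions are all assumed for illustration. `html.escape(quote=True)` is used in place of PHP's `htmlspecialchars($s, ENT_QUOTES)`; both convert `& < > " '` into entities.

```python
import html

# Values the HTML form's <select> offers. A spoofed POST can send anything,
# so the server must re-check against this list rather than trust the browser.
ALLOWED_COLORS = {"red", "green", "blue"}   # assumed field and values
MAX_COMMENT = 200


def validate_submission(form):
    """Server-side input filtering. Returns a dict of field -> problem;
    an empty dict means the submission is acceptable."""
    errors = {}
    color = form.get("color", "")
    if color not in ALLOWED_COLORS:
        errors["color"] = "not one of the offered values"
    comment = form.get("comment", "")
    if not 1 <= len(comment) <= MAX_COMMENT:
        errors["comment"] = f"must be 1-{MAX_COMMENT} characters"
    return errors


def render_unescaped(comment):
    """The broken pattern: user text dropped straight into the page, so any
    markup in the comment becomes part of the document."""
    return f"<p>{comment}</p>"


def render_escaped(comment):
    """Output escaping at the point of rendering. html.escape(quote=True)
    converts & < > " ' to entities (the same set htmlspecialchars with
    ENT_QUOTES handles), so the comment is displayed as literal text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_attribute_value(value):
    """Escaping is also needed inside quoted attributes, where an unescaped
    quote character would otherwise end the attribute early."""
    return f'<input name="comment" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    # Constructed submissions, not real traffic.
    spoofed = {"color": "purple", "comment": "<b>not</b> a plain comment"}
    print(validate_submission(spoofed))           # colour rejected server-side
    print(render_unescaped(spoofed["comment"]))   # markup survives intact
    print(render_escaped(spoofed["comment"]))     # markup rendered as text
    legit = {"color": "red", "comment": "O'Brien said \"hi\""}
    print(validate_submission(legit))             # {} : valid, but still escape it
    print(render_attribute_value(legit["comment"]))
```

Note that validation and escaping are not interchangeable: the legitimate comment `O'Brien said "hi"` must pass validation, yet it still has to be escaped, because the quotes would otherwise break out of an attribute. That is the "flip side of the coin" the third link title refers to.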

Nobel Laureate Richard Feynman, from the Appendix to the Challenger Report: "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled."

VanBokkelen: 2006: The year of the breach
The year 2006 may go down in computer security history as the year of the breach. As of Dec. 1, more than 36 million people in the United States might have had their personal information compromised this year by hackers, laptop computer theft or information security blunders. More than 97 million records are potentially at risk of identity theft because of nearly 300 separate breaches, and the year isn't over.

Dark Day Planning: Insuring Against Data Loss
The list of data breaches involving sensitive personal information maintained by the Privacy Rights Clearinghouse achieved a significant milestone Dec. 13, as the nonprofit group saw the total number of records exposed in such events crest the 100 million mark.

ORGANISED crime is winning the internet security war, specialists warned at the world's foremost gathering of computer hackers in Las Vegas. The online peril is no longer brilliant young social outcasts penetrating networks for notoriety; it is international crime rings swiping billions of dollars with keystrokes and malicious computer code, cyber cops agreed.

Ironically, potential champions in the battle for internet privacy were sought among the thousands of hackers that made pilgrimages to the US gambling centre nicknamed "Sin City" for the three-day DefCon 14 conference. Online evil-doers were crime rings working out of countries such as Russia, Romania and Brazil, and their nefarious technical skills were keeping ahead of computer security experts, veterans of the cyber-crime battle said.

"We are getting our butts kicked, there is no doubt about it," said Dan Hubbard, vice president of security research at Websense. "There is a lot more of a bond and a sharing of tools in their society than in ours."

DefCon, in its 14th year, was a neutral ground where hackers, computer security professionals and US government agents exchanged expertise, according to organisers. "The hacker is the good guy," Joe Grand, who described himself as an inventor by day and a hardware hacker by night, said. "A hacker is someone interested in figuring out how to make things work."

Kenneth Geers explained that he was at DefCon to glean new hacking tactics and recruit talent to join him at his job hardening the US military's computer network. "If we are not getting into the weeds and hearing what the hackers are saying about weaknesses and vulnerabilities, we are absolutely screwed," Mr Geers said. "We seek out rock star hackers because they live and breathe this stuff." For Mr Geers, the goal was to prevent aircraft carriers' communications from being routed to enemies or missile guidance systems from being compromised.

Online onslaughts were a relentless reality for ordinary computer users, said Gadi Evron, who managed internet security for the Israeli government before going to work for the firms SecuriTeam and Beyond Security. "A lot of it involves the mafia," Mr Evron said. "This is not about kiddies, hackers who sit around and tinker. It is about using the internet for real crime." More than two billion dollars will be stolen this year by online "phishing," using fake websites and bogus emails to trick people into revealing personal information then used for identity theft, Mr Evron said. That loss will be multiplied by attacks involving the secret implanting of computer code that can do things such as record keystrokes used for online banking or take remote control of computers, Mr Evron said.

There is such a glut of stolen credit card data that it can be bought online for three dollars each, said special agent Andrew Fried of the US Internal Revenue Service. Fried estimated that one in five home computers in the country was infected with malicious computer code, or "malware".
Glenn Chapman in Las Vegas, August 07, 2006

Interview with Marcus Ranum
"I believe we're making zero progress in computer security [1] and have been making zero progress for quite some time."
"If customers just openly refused to do business with vendors that produce non-interoperable systems, the whole thing would clear up really fast."
"To really secure systems, everything needs to be done 100% right at application layer, kernel layer, network layer, and at the boundary of the network. That's a huge undertaking and nobody has made any effort to tackle it directly because the resulting system would probably be unusable."
"It's not a technology problem, it's a management problem."
"In order to build really secure systems you need to understand the trust relationships between your systems and then build your systems to enhance and support your mission based on those trust relationships. But that's hard work that very few people have the courage and patience to undertake."
See also Intrusion Forensics.

AOL search history DB snafu 2006
You kissed your privacy goodbye a long time ago, right?
From Wikipedia:
On August 4th, 2006, AOL released a compressed text file on one of its websites containing twenty million search keywords for over 650,000 users over a 3-month period, intended for research purposes.
AOL pulled the file from public access by the 7th, but not before it had been mirrored, P2P-shared and seeded via BitTorrent. News filtered down to the blogosphere and popular tech sites such as Digg and Wired News.
Whilst none of the records on the file are personally identifiable per se, certain keywords contain personally identifiable information [1] by means of the user typing in their own name (ego-searching), as well as their address, social security number or by other means. Each user is identified on this list by a unique sequential key, which enables the compilation of a user's search history.
AOL acknowledged it was a mistake and removed the data, although the files can still be downloaded from mirror sites. Additionally, several searchable databases of the report also exist on the internet. [2]
Mistake? If betraying the trust of 2/3 of a million subscribers equals a mistake, how do they define catastrophe?
Apart from the obvious PR quagmire that AOL now finds itself in, and the painful regret (or torn anus) that AOL users may be feeling (and should have been feeling since they signed up </rant>), the long-term impact is immeasurable. Their stock is falling [3]. They're giving away BYOA accounts [4] (they'd have to at this point), a move which may cost Time Warner over a billion dollars by 2009. [5] They're facing penalties, fines, not to mention lawsuits. [6] If there's a bottom for any business to hit, they're very close. [7]
They should take a cue from ValuJet and change their name (again). [8, 9]
AOL states they keep 30 days of user-identifiable search history, and that a research division may keep three months or more of search history, but not associated to specific accounts (the latter echoes what was released on 4 August). Google has already stated they will continue to store search queries and related info, and that they won't make the same mistake AOL did. [10, 11] Predictably, Yahoo! Search! will! do! the! same! Considering the staggering amount of infrastructure Google possesses (Great Caesar's Ghost--Google has an estimated four PB of RAM alone), their data retention capabilities far exceed the 90 days of history AOL retains for research purposes. [12, 13]
That search you did recently for Paris' poodle porn may come back to haunt you. Even though you were just doing it for a friend. [...]

AOL Releases Search Logs from 500,000 Users
A search for an SSN-shaped regex on the full AOL search data returns 191 results, including repeat searches. Many of these have full names, and at least a dozen include an address, driver's license number, date of birth or some combination of the three in the same query. There's no telling how much more information an aggregation of other queries by those same user IDs would yield.

Latanya Sweeney, a computer privacy researcher at CMU, has been looking at this sort of thing for several years now. For example, many resumes posted to Monster and other job boards have SSNs in a standard format, along with dates of birth and other revealing information. They can be found in PDFs as well as HTML pages quite easily. The problem is even worse: at least those resumes are self-posted. There are government databases and court records online with some of the same information as well.

CAIDA has indexed the AOL 500k User Session Collection in our Internet Measurement Data Catalog (DatCat): DatCat does not store or distribute data, so we are not providing the AOL collection. Rather, we provide a permanent record of the existence of the dataset, relevant metadata, and a permanent handle that can be used to cite the dataset. In the near future, anyone who has used the data will be able to add annotations describing the features of the dataset (and any other dataset in the catalog). The CAIDA DatCat Team, info@datcat.org
See Why Pay to be an Identity Thief?
Experimental Software Makes It Free - Thieves purchased sensitive personal data from ChoicePoint, but a Carnegie Mellon University researcher can get the same information free on the Web

Cult of the Dead Cow (cDc).
They are now adding a new chapter to their infamous history with the release of a new malware search engine that enables researchers to analyze over 31,000 "hostile" files. It's all part of an effort the cDc calls "offensive computing." Originally founded in 1984, cDc and its members are well known for a number of their efforts over the past 22 years. Perhaps most notable is their Back Orifice application, which debuted in 1998 as a network backdoor that enabled full remote control of a system, including processes, passwords and the file system (essentially a first-generation Trojan). Back Orifice was updated in 2000 as BO2K and is currently maintained as an open source project on the SourceForge.net code repository.

In cDc's new offensive computing strategy, the group is turning its skills toward hacking malware. Part of the effort is the malware search engine, which is geared toward increasing the knowledge around malware to better improve detection and removal. There is also a relationship between the malware search effort and that hatched last month by H.D. Moore of Metasploit fame; it uses Google to find malicious code. "We use Google from time to time, and we worked with H.D. Moore on his Google malware search project," Val Smith, a cDc member and part of the offensive computing effort, told internetnews.com. "We provided him signatures to search on." Smith explained that his group has written some code to do auto analysis of malware. "People upload it directly to the site, or provide me with archives over e-mail, and then we load it into our auto analyzer," Smith said. "Once the analysis is done, that data gets put into the database which people can search. We have large collections of malware sitting around waiting to be bulk processed." Access to the offensive computing malware search requires user registration, though only a valid e-mail address is required for the registration.

While most of the major AV vendors, including McAfee, Symantec, Panda Labs, Sophos and others, provide online libraries of vulnerabilities, there are a few things that offensive computing provides that the commercial vendors do not. For one, offensive computing provides downloadable samples of the malware in question. It also includes a clear warning to users: "This site contains samples of live malware. Use at your own risk." Offensive computing also claims that the analysis is done in an open manner that yields reproducible results. The results also detail multiple checksums (MD5, SHA-1, SHA-256), which should help to further improve identification. Smith's hope is that his group's effort will challenge the security community to get more involved in publicly fighting the problem of malware.

"This problem is growing too fast and complex for the traditional methods to defend against it," Smith said. "We need to unite resources and knowledge in order to protect our systems. We have a lot of respect for several AV companies, but it's time to do more."

"We have gone to houses and done search warrants only to find people's computers were being used without them knowing it," Fried said. "Most of what I see is systems being compromised to be taken over." Armies of zombie computers can be used to attack websites of companies that depend on internet business for their revenues, the specialists explained. Criminals commanding such "botnets" can demand money from the companies in exchange for not crippling their online business. "The whole idea of extortion on the internet is funny to me," Mr Evron said. "They won't protect you. If you pay them they will probably attack you anyway, and they will be back." Cyber crime ranks only behind terrorism and counter-intelligence as top priorities at the Federal Bureau of Investigation, special agent Thomas Grasso said during the panel discussion.

Collaboration with counterparts such as Interpol and Scotland Yard is vital to combat crime rings that often take refuge in countries with scant police resources, Mr Grasso said. The law and computer security technology have lagged behind criminal techniques on the internet, Mr Grasso said. "The internet is not safe and your email is not safe," Mr Evron said. "It is an arms race and all we can do is enter that arms race from all different angles."
Sean Michael Kerner, August 9, 2006

ADDITIONAL INFORMATION AND ARTICLES

*Peacefire has released a Bypass Program
which can disable all popular Windows blocking software (Cyber Patrol, SurfWatch, Net Nanny, CYBERsitter, X-Stop, Cyber Snoop, PureSight) with the click of a button.

JUNKBUSTER IS A FREE FILTERING PROGRAM
Junkbuster's primary purpose is to filter banner ads and other such stuff. Schools can claim that it's all the filtering that they want, but you can configure it to filter other stuff as well.

Remarks by Chairman Alan Greenspan  Structural Change In The New Economy

COURT SAYS UNENCRYPTED DATA OKAY
A federal judge in Minnesota has dismissed a case alleging that a student loan company was negligent in not encrypting customer data. The case was filed by Stacy Lawton Guin after a laptop containing unencrypted data on about 550,000 customers of Brazos Higher Education Service was stolen from an employee's home in 2004. Although he was not harmed by the loss of his personal information--indeed, there have been no reports of any fraud committed with the stolen information--Guin argued that the Gramm-Leach-Bliley (GLB) Act required Brazos to encrypt the data. Judge Richard Kyle rejected that claim, noting that the legislation does not specifically require encryption. The law states that financial services companies must "protect the security and confidentiality of customers' nonpublic personal information," but, according to Kyle's decision, "The GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office."

COOKIES AND THEIR SECURITY HOLES

The first significant Internet worm appeared on this day 16 years ago November 3, 2004
http://news.com.com/16+candles+for+first+Internet+worm/2100-7349_3-5438291.html
The first significant Internet worm appeared on this day 16 years ago, and online security has never been the same, security professionals say. At around midnight on Nov. 2, 1988, the Morris worm, written by a 23-year-old Massachusetts Institute of Technology student called Robert Tappan Morris, was released on the embryonic Internet. Within hours, the worm's 99 lines of code overloaded thousands of Unix-based VAX and Sun Microsystems systems, forcing administrators to disconnect their computers from the network to try to stop the worm from spreading. The Morris worm was part of a research project and was not designed to cause damage, but it was programmed to self-replicate. Unfortunately, the code contained a bug that allowed the worm to infect a single machine multiple times, which resulted in thousands of computers grinding to a halt.
Morris' worm was the first to spread on the Internet. But the very first appearance of a worm was in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, who described a self-distributing program with a bug that managed to crash 100 machines in the research building. Morris was convicted for his research, but did not go to prison. He received a suspended sentence with community service and was fined $10,000. At the time, the Internet was still a closed system used by universities and the military for research purposes, security experts say. Once it was opened to the public--and became known as the World Wide Web--attitudes to security had to change.
Sean Richmond, a senior technology consultant at Sophos Australia, said that since Morris, there have been fundamental changes in the way networks and computers communicate with each other, and that will continue to evolve over the next 16 years.
"At that time, commands such as 'remote login,' 'remote shell' and 'remote copy' were commonly used. The idea was that if you were logged into one machine, you could access another system, and it wouldn't even ask you for a login password. There was a level of trust,"  Richmond said.
When Morris hit in 1988, academics would have lost some of their research. But when worms like Blaster or Sasser start spreading on the modern Internet, it affects banks, government departments and even stops kids from researching their schoolwork from home, said Dircks. [...]
"Security is being designed in the next TCP/IP version (IPv6), so the IP address will contain a knowledge and expectation of security. The current version, IPv4, was built with a much more open world in mind. Security was not part of the initial design," he said. "In 16 years' time, the potential for something to spread widely and rapidly across everything will be diminished just by the underlying security."
"Part of the solution is to build security into the architecture. But there are systems that are 30 or 40 years old still running, and the companies using them will not get rid of them, because they still work," Dircks said. "We are always going to have a heterogeneous world, and without painting a picture of doom, gloom and apocalypse, the problems are not going away." - Munir Kotadia of ZDNet Australia reported from Sydney.

©1997 Educational CyberPlayGround, Inc.™ All rights reserved world wide.