Archive for the ‘security’ Category

Searching For Backdoors From Rogue IT Staff

Tuesday, August 24th, 2010

(reprinted from: Slashdot)

WHiTe VaMPiRe writes "When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security." Of course the first piece of advice is to basically assume you've been rooted. Ouch.


Your Password Should Be At Least 12 Random Characters Long to Be Safe [Security]

Thursday, August 19th, 2010

(reprinted from: Lifehacker)

According to a study at Georgia Tech Research Institute, your password should be at least 12 random characters long (and include letters, numbers, and symbols) if you want to consider yourself safe from brute force password hacks. From MSNBC: "'Eight-character passwords are inadequate now ... If eight characters is all you use, and if you restrict your characters to only alphabetic letters, it can be cracked in minutes,' said Richard Boyd, a senior researcher at GTRI." We've highlighted how easily common passwords can be hacked, but even if you've got a system auto-generating your passwords, you may want to make sure you're going for at least 12. It may seem like a lot to remember (because it is), but that's where a great password management solution comes in handy. [MSNBC via @wjrothman]
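To put numbers on the claim above, here is an added worked example (not part of the Lifehacker or GTRI material) that computes the search space, entropy and exhaustive-search time for the cases the article contrasts, and generates a 12-character password of the kind it recommends. The 94-character set and the guess rate of one billion per second are this example's assumptions, not figures from the study.

```python
import math
import secrets
import string

# Character sets as the article describes them. Sizes assume a US keyboard;
# the article itself gives no counts, so these are this example's assumptions.
LOWER = string.ascii_lowercase                                          # 26
LETTERS = string.ascii_letters                                          # 52
LETTERS_DIGITS_SYMBOLS = LETTERS + string.digits + string.punctuation   # 94

# Hypothetical attacker speed for an offline attack on unsalted hashes.
# Not a figure from the article; pick your own threat model here.
GUESSES_PER_SECOND = 1_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate tried once."""
    return keyspace(alphabet_size, length) / rate / (365.25 * 24 * 3600)


def has_all_classes(pw: str) -> bool:
    return (any(c in string.ascii_lowercase for c in pw)
            and any(c in string.ascii_uppercase for c in pw)
            and any(c in string.digits for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = 12) -> str:
    """Uniformly random password containing at least one character of each class.

    Rejection sampling keeps the distribution uniform over the accepted set;
    patching in one character per class afterwards would not. `secrets`, not
    `random`: the Mersenne Twister's state is recoverable from its output.
    """
    if length < 4:
        raise ValueError("need room for all four character classes")
    while True:
        pw = "".join(secrets.choice(LETTERS_DIGITS_SYMBOLS) for _ in range(length))
        if has_all_classes(pw):
            return pw


def strength_table():
    """Rows of (description, bits, years at GUESSES_PER_SECOND)."""
    cases = (("8 lowercase letters", len(LOWER), 8),
             ("8 mixed-case letters", len(LETTERS), 8),
             ("8 letters, digits, symbols", len(LETTERS_DIGITS_SYMBOLS), 8),
             ("12 letters, digits, symbols", len(LETTERS_DIGITS_SYMBOLS), 12))
    return [(desc, round(entropy_bits(size, n), 1), years_to_exhaust(size, n))
            for desc, size, n in cases]


if __name__ == "__main__":
    for desc, bits, years in strength_table():
        print(f"{desc:30s} {bits:5.1f} bits  {years:10.3g} years at {GUESSES_PER_SECOND:.0e}/s")
    print("example:", generate_password())
```

At the assumed rate, eight lowercase letters fall in about three and a half minutes, which matches Boyd's "cracked in minutes"; twelve characters from the 94-symbol set take on the order of ten million years. The years column is the whole keyspace, so expect to halve it for the average case.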

Taking Photos In Public Places Is Not A Crime

Tuesday, July 20th, 2010

(reprinted from: Boing Boing)

Glenn Reynolds of Instapundit has a piece in Popular Mechanics about the growing trend of cops bullying photographers who take pictures in public places, and why officials who believe such photography is against the law are mistaken.
I believe there is a good case to be made that having lots of cameras in the hands of citizens makes us more, rather than less, safe. Here's how bad it has gotten: Not long ago, an Amtrak representative did an interview with local TV station Fox 5 in Washington, D.C.'s Union Station to explain that you don't need a permit to take pictures there--only to be approached by a security guard who ordered them to stop filming without a permit.

Legally, it's pretty much always okay to take photos in a public place as long as you're not physically interfering with traffic or police operations. As Bert Krages, an attorney who specializes in photography-related legal problems and wrote Legal Handbook for Photographers, says, "The general rule is that if something is in a public place, you're entitled to photograph it." What's more, though national-security laws are often invoked when quashing photographers, Krages explains that "the Patriot Act does not restrict photography; neither does the Homeland Security Act." But this doesn't stop people from interfering with photographers, even in settings that don't seem much like national-security zones.

Taking Photos In Public Places Is Not A Crime: Analysis (popularmechanics.com, Illustration by Rui Ricardo, courtesy Popular Mechanics)

Photog detained by cops and BP security guard in Texas

Friday, July 9th, 2010

(reprinted from: Boing Boing)


A freelance photographer who was taking pictures of a BP refinery in Texas was detained by a BP security official, local police and a man claiming to be with the Department of Homeland Security, according to nonprofit news org ProPublica. The photographer was working on a story about multiple large toxic releases at the BP refinery which happened just before the big Gulf oil blowout. From NBC News:

The photographer, Lance Rosenfield, said he was confronted by the officials shortly after arriving in Texas City, Texas, to work on a story that is part of an ongoing collaboration between PBS and ProPublica.

Rosenfield was released after officials looked through the pictures he had taken and took down his date of birth, Social Security number and other personal information, the photographer said. The information was turned over to the BP security guard who said this was standard procedure, ProPublica quoted Rosenfield as saying.

Rosenfield, a Texas-based freelance photographer, said he was followed by a BP employee after taking a picture on a public road near the refinery, and then cornered by two police cars at a gas station. The officials told Rosenfield they had the right to look at the pictures taken near the refinery and if he did not comply he would be "taken in," the photographer said according to ProPublica.

Photographer detained by police, BP employee near refinery (NBC Field Notes)

Image: The BP refinery in Texas City, one of the largest in the country, is nearly two square miles. (Lance Rosenfield)

Crack the Code in Cyber Command’s Logo

Wednesday, July 7th, 2010

(reprinted from: Boing Boing)

The U.S. Military's new "Cyber Command" logo contains a hidden code. Noah Shachtman at Wired News says, "Help us crack it!"

Related reading today: Bruce Schneier says "The Threat of Cyberwar Has Been Grossly Exaggerated."

Use a Single-Use Code to Securely Sign into Windows Live [Windows Live]

Monday, June 28th, 2010

(reprinted from: Lifehacker)

If you find yourself at a remote computer, or unsure of your net connection, you can sign into Live.com, Hotmail, and other Windows Live services using a single-use code, which Microsoft will send via SMS to your phone.

The Model MHDD – Manual Hard Drive Destroyer

Friday, June 5th, 2009

When you need to make sure your data is truly destroyed, use one of these.

Manual Hard Drive Destroyer

Government specifications require that in an emergency situation a hard drive be destroyed so that no one can spin the drive. This must be done quickly and reliably. The MHDD meets this requirement. It takes less than 15 seconds to destroy each hard drive. All one needs to do is insert the proper drive height adaptor (if applicable) into the slot and crank the handle 8 rotations. The internal workings of the unit press down on the drive, bending it approximately 90 degrees. The MHDD then pushes the destroyed hard drive out for easy disposal.

Rainbow Hash Cracking

Monday, September 10th, 2007

Coding Horror has written an informative article on Rainbow Tables, and on why Windows servers can be particularly vulnerable: the legacy LM hash is unsalted, case-insensitive and split into two 7-character halves, so one precomputed table works against every account.

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”.

Why is Ophcrack so fast? Because it uses Rainbow Tables. No, not the kind of rainbows I have as my desktop background.
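As an added illustration of the time-memory trade-off behind Ophcrack (this is example code, not Coding Horror's or Ophcrack's), the following builds a tiny rainbow table over three-lowercase-letter passwords hashed with unsalted MD5 and recovers a password from its hash. The alphabet, chain length, chain count and the use of MD5 in place of LM/NTLM are assumptions chosen to keep the run fast; the structure (chains of hash/reduce steps, stored end points only, position-guessing lookup) is the real technique.

```python
import hashlib
import random
import string

# Toy parameters: 3 lowercase letters (17,576 passwords) hashed with unsalted
# MD5 stand in for the far larger LM/NTLM keyspaces Ophcrack targets.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 100      # t: hash/reduce steps per chain; lookup work grows ~ t^2
NUM_CHAINS = 800     # m: chains generated; memory grows ~ m


def H(password: str) -> bytes:
    # Unsalted: the digest depends on the password alone, so work done once
    # is reusable against every hash of every user. A per-user salt kills that.
    return hashlib.md5(password.encode()).digest()


def index_to_pw(n: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def R(digest: bytes, step: int) -> str:
    # Reduction function: squash a digest back into the keyspace. Mixing in
    # the chain position is what makes this a *rainbow* table: two chains
    # merge only if they collide at the same position, not at any position.
    return index_to_pw((int.from_bytes(digest[:8], "big") + step) % KEYSPACE)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN, seed=1):
    """Precomputation: map each chain's end point to its start point."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = index_to_pw(rng.randrange(KEYSPACE))
        pw = start
        for step in range(chain_len):
            pw = R(H(pw), step)
        table.setdefault(pw, start)   # duplicate end point = merged chain, dropped
    return table


def walk_chain(start, target, chain_len=CHAIN_LEN):
    """Regenerate one chain; return the password whose hash is target, if any."""
    pw = start
    for step in range(chain_len):
        if H(pw) == target:
            return pw
        pw = R(H(pw), step)
    return None


def crack(target: bytes, table, chain_len=CHAIN_LEN):
    """Online phase: assume target sits at position pos of some chain, finish
    the chain from there and look the end point up. Work is ~ t^2/2 hashes
    instead of the whole keyspace."""
    for pos in range(chain_len - 1, -1, -1):
        pw = R(target, pos)
        for step in range(pos + 1, chain_len):
            pw = R(H(pw), step)
        start = table.get(pw)
        if start is not None:
            found = walk_chain(start, target, chain_len)
            if found is not None:
                return found
            # otherwise a false alarm (end point collision); keep searching
    return None


def coverage(table, chain_len=CHAIN_LEN):
    """Fraction of the keyspace the stored chains actually pass through."""
    seen = set()
    for start in table.values():
        pw = start
        for step in range(chain_len):
            seen.add(pw)
            pw = R(H(pw), step)
    return len(seen) / KEYSPACE


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} chains stored, covering {coverage(table):.1%} of {KEYSPACE} passwords")
    victim = index_to_pw(12345)
    print("cracked:", crack(H(victim), table), "(None means the table does not cover it)")
```

With these toy parameters many chains merge and are dropped, which is why `len(table)` comes out well below `NUM_CHAINS` and coverage stays below 100%; real tables are tuned so m·t is several times the keyspace and accept the residual miss rate. The one defence the example makes visible is in `H`: add a salt and every user needs a separate table.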

Downloads: Secure Login (Firefox Extension)

Monday, July 30th, 2007

This Firefox extension makes Firefox's saved-passwords feature safer by requiring you to click the Secure Login button before it fills in your login name and password. Because credentials are never pre-filled, a script injected into the page (cross-site scripting) cannot simply read them out of the form.

Secure Login provides a number of security enhancements and helps protect you from phishing:

Disabling the prefilling of login forms prevents malicious JavaScript code from automatically stealing your login data, because no login data is inserted into form fields before the user clicks the login button or logs in using the keyboard shortcut.
To make sure you log in to the right website, the second-level domain of the login URL is compared with the second-level domain of the current page. If they do not match, a dialog prompt is displayed before login.

Secure Login also provides an optional setting to protect you from all JavaScript code during login. This can prevent cross-site scripting (XSS) attacks without deactivating JavaScript completely. If you enable this option, your login data will never be inserted into any form fields, nor will the login form be submitted; instead your credentials are sent to the login page using internal Firefox methods. Not all login forms work this way (e.g. those that rely on JavaScript routines), so you can add such websites to an exception list.
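The description above says the extension compares the "second level domain" of the login URL with that of the current page. The added Python below (example code, not the extension's own) implements that comparison literally and shows where the literal reading fails: under multi-label public suffixes such as co.uk, two unrelated sites share a "second-level domain", so a phishing page on evil.co.uk would pass the check for a login at example.co.uk. The short suffix set and the URLs are this example's assumptions; real code should consult the full Public Suffix List.

```python
from urllib.parse import urlsplit

# A few multi-label public suffixes, hand-picked for this example (assumption).
# Production code should load the Mozilla Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def hostname(url: str) -> str:
    """Lower-cased host name without port, credentials or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def second_level_domain(url: str) -> str:
    """What the extension description calls the second-level domain:
    the last two labels of the host name, e.g. 'example.com'."""
    return ".".join(hostname(url).split(".")[-2:])


def same_site_naive(login_url: str, page_url: str) -> bool:
    """The check as described: compare second-level domains only."""
    return second_level_domain(login_url) == second_level_domain(page_url)


def _is_ip_literal(host: str) -> bool:
    return ":" in host or all(label.isdigit() for label in host.split("."))


def registrable_domain(url: str) -> str:
    """Suffix-aware variant: keep exactly one label beyond the public suffix,
    and never strip labels from an IP literal (203.0.113.7 is not '113.7')."""
    host = hostname(url)
    if _is_ip_literal(host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def same_site(login_url: str, page_url: str) -> bool:
    """Comparison a practitioner would want: registrable domains, not label counts."""
    return registrable_domain(login_url) == registrable_domain(page_url)


if __name__ == "__main__":
    login = "https://login.example.co.uk/auth"
    for page in ("https://www.example.co.uk/", "https://evil.co.uk/"):
        print(page, "naive:", same_site_naive(login, page), "suffix-aware:", same_site(login, page))
```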

LCDs vulnerable to Van Eck Phreaking

Friday, April 20th, 2007

Just like CRTs, someone can eavesdrop on the electromagnetic emissions from your LCD display.

Back in 1985, Wim Van Eck proved it was possible to tune into the radio emissions produced by the electromagnetic coils in a CRT display and then reconstruct the image. The practice became known as Van Eck Phreaking, and NATO spent a fortune making its systems invulnerable to it. It was a major part of Neal Stephenson’s novel Cryptonomicon.

CRTs are now well on the way to being history. But Markus Kuhn of the University of Cambridge has shown that eavesdropping is possible on flat panel displays too. It works slightly differently. With a flat panel display the aim is to tune into the radio emissions produced by the cables sending the signal to the monitor. The on-screen image is fed through the cable one pixel at a time. Because the pixels arrive in order, you just have to stack them up. And Kuhn has worked out how to decode the colour of each pixel from its particular waveform.

Downloads: TrueCrypt 4.3 (Windows, Linux)

Tuesday, March 20th, 2007

The latest update to the TrueCrypt encryption utility is now available.

We are pleased to announce that TrueCrypt 4.3 has been released. Among the new features is full compatibility with 32-bit and 64-bit Windows Vista, support for devices and file systems that use a sector size other than 512 bytes (such as new hard drives, USB flash drives, DVD-RAM, MP3 players, etc.), auto-dismount when a host device (e.g., a USB flash drive) is inadvertently removed, and many more. In addition to new features, there are many significant improvements. Some portions of the TrueCrypt device driver have been completely redesigned and several bugs have been fixed. For a comprehensive list of changes, please see http://www.truecrypt.org/docs/?s=version-history

The Lockdown

Monday, March 19th, 2007

Engadget has a fascinating series of articles on lock security and lock picking.

The most popular locking mechanism in the world utilizes the pin tumbler design, first developed 4000 years ago in Egypt and then rediscovered and perfected a century and a half ago by Linus Yale. There are billions of these locks in the world and they come in all sizes, configurations, and security ratings. Some are secure; most are not, and even some high security rated cylinders can be easily compromised. All that is required to open many types of pin tumbler cylinders — the kind of lock that probably keeps the bad guys out of your home — is a bump key and a tool for creating a bit of force. The bump key shown above opens an extremely popular five pin lock, and the plastic bumping tool is produced by Peterson manufacturing, although many others are now being offered for sale. With these two cheap implements, anyone — and I do mean anyone — can get into your home or business in a matter of seconds.


Meet cGrid, the real-time P2P punisher

Tuesday, March 13th, 2007

A new tool has been announced in the piracy arms race. This tool can be deployed by network administrators to monitor network traffic in order to identify people using P2P services, and can automatically boot them off the network. The question is whether or not it can distinguish legitimate uses of those P2P technologies. The price: “$1 million price tag for installation and $250,000 yearly operation costs.”

Red Lambda says that cGrid monitors “a large variety of different P2P clients, in addition to other avenues of file-sharing including Windows file sharing, FTP, IM, and others,” and that cGrid does not perform content inspection but instead focuses on the behavior of the protocols being monitored. But the company does not expand on how it differentiates between legitimate uses of those technologies and illegal ones, raising questions of its effectiveness in an academic setting where students may be using P2P and other services potentially flagged by the system for legitimate, academic reasons.

Use TaskList to identify spyware

Monday, March 5th, 2007

TaskList.org can tell you whether or not a process in your Windows task list is spyware.

Downloads: PuTTY 0.59 (Windows, Unix)

Tuesday, January 30th, 2007

Grab the latest version of the PuTTY SSH client and associated utilities.

Congressional aide busted for trying to hack his GPA

Wednesday, January 3rd, 2007

An aide for a Montana congressman was fired for trying to solicit hackers from attrition.org to boost his college GPA. The hackers merely led him on through a series of hilarious emails, including some asking him to take pictures of squirrels.

From: Todd Shriber (nascar24_08530@yahoo.com)
To: lyger@attrition.org
Date: Wed, 9 Aug 2006 12:58:29 -0700 (PDT)
Subject: Question for you or other Attrition members

Lyger - I came across Attrition.org for the first
time. I enjoyed the site though I am not an expert
with computers. That brings me to my next point: I
need to urgently make contact with a hacker that would
be interested in doing a one-time job for me. The pay
would be good. I'm not sure what exactly the job would
entail with respect to computer jargon, but I can go
into rough detail upon making contact with a
candidate. Thanks for your help.

Locksport International Guide to Lock Picking

Wednesday, November 8th, 2006

This is a visual guide to lock picking in comic book format. This guide is easier to read than the classic MIT Guide to Lock Picking.

Locksport International is proud to provide a simple, visual guide to lock picking. It is our hope that beginners will find this useful in learning the basic skills of picking pin tumbler locks.

CIA Level Computer Security

Tuesday, October 3rd, 2006

Some useful tools to keep your data away from prying eyes.

Everyone wants to be a badass. Whether you want to admit it or not, if you are a self respecting geek, you want to protect your sensitive information in a way so the CIA can’t even read it. You probably wouldn’t look, considering you live in your basement and don’t have anything to hide besides that gigantic Mountain Dew Machine and the codes for free Whopper Sandwiches. So I’ve looked for you.

IRC transcript of world’s worst hacker

Wednesday, September 13th, 2006

This is a hilarious transcript of a naive script-kiddie being baited into trashing their own machine.

<Elch> You’re a real computer expert
<bitchchecker> shut up i hack you
<Elch> ok, i’m quiet, hope you don’t show us how good a hacker you are ^^
<bitchchecker> tell me your network number man then you’re dead
<Elch> Eh, it’s 129.0.0.1
<Elch> or maybe 127.0.0.1
<Elch> yes exactly that’s it: 127.0.0.1 I’m waiting for you great attack
<bitchchecker> in five minutes your hard drive is deleted
<Elch> Now I’m frightened

Defending against brute force ssh attacks

Wednesday, July 12th, 2006

I found this great little overview on defending your ssh server from script kiddies. This should be required reading for anyone running an ssh server.

During 2005, brute force attacks on the ssh (secure shell) service became pretty popular. These attacks are based on a rather simple idea: use an automated program to try, one after another, many combinations of standard or frequently used account names and likewise frequently used passwords (e.g. guest/guest).

Defence methods

There are a number of methods to defend against such brute force attacks. The following list is intended to give an overview of them, and briefly mention their respective advantages and disadvantages.

  • Strong passwords
  • RSA authentication
  • Using ‘iptables’ to block the attack
  • Using the sshd log to block attacks
  • Using tcp_wrappers to block attacks
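The last three items on that list (iptables, the sshd log, tcp_wrappers) fit together: read the log, decide who is brute-forcing, and emit the block. The added Python below is an example of that pipeline, not code from the overview being quoted. It parses a constructed auth.log excerpt (RFC 5737 documentation addresses, not a real capture), counts "Failed password" lines per source, and returns the iptables rules and hosts.deny entries it would apply. The threshold and the allowlist are assumptions; the allowlist is the caveat a practitioner adds first, because without it one mistyped password from your own management network locks you out of your own bastion.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed auth.log excerpt for this example (RFC 5737 addresses), not a real log.
SAMPLE_LOG = """\
Jul 12 03:14:07 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 12 03:14:09 bastion sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
Jul 12 03:14:11 bastion sshd[2235]: Failed password for root from 203.0.113.7 port 40126 ssh2
Jul 12 03:14:13 bastion sshd[2237]: Failed password for invalid user guest from 203.0.113.7 port 40128 ssh2
Jul 12 03:14:15 bastion sshd[2239]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jul 12 03:14:17 bastion sshd[2241]: Failed password for root from 203.0.113.7 port 40132 ssh2
Jul 12 03:15:01 bastion sshd[2250]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2
Jul 12 03:15:20 bastion sshd[2252]: Failed password for alice from 198.51.100.5 port 51002 ssh2
Jul 12 03:16:00 bastion sshd[2260]: Failed password for root from 192.0.2.9 port 60000 ssh2
Jul 12 03:16:01 bastion sshd[2261]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jul 12 03:16:02 bastion sshd[2262]: Failed password for root from 192.0.2.9 port 60002 ssh2
Jul 12 03:16:03 bastion sshd[2263]: Failed password for root from 192.0.2.9 port 60003 ssh2
Jul 12 03:16:04 bastion sshd[2264]: Failed password for root from 192.0.2.9 port 60004 ssh2
"""

# OpenSSH's failure line; "invalid user" appears when the account does not exist.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Management networks that must never be blocked (assumed value for this example).
ALLOWLIST = [ip_network("192.0.2.0/24")]


def failures_by_source(log_text: str) -> Counter:
    """Count failed password attempts per source address.
    Simplification: no time window, since syslog lines carry no year."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def is_allowlisted(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in ALLOWLIST)


def offenders(log_text: str, threshold: int = 5) -> list:
    """Sources with at least `threshold` failures, minus allowlisted ones."""
    return sorted(ip for ip, n in failures_by_source(log_text).items()
                  if n >= threshold and not is_allowlisted(ip))


def iptables_rules(ips) -> list:
    """Per-source drop rules in the style of the 'iptables' method. Returned
    as strings for review, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


def hosts_deny_lines(ips) -> list:
    """Equivalent tcp_wrappers entries for /etc/hosts.deny (sshd built with libwrap)."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("\n".join(iptables_rules(bad)))
    print("\n".join(hosts_deny_lines(bad)))
```

In the sample, 203.0.113.7 is blocked (six failures, two of them against non-existent accounts), alice's single typo from 198.51.100.5 is not, and 192.0.2.9 is ignored despite five failures because it sits in the allowlisted management range. Static drops like these are what the log-driven method produces; iptables' `recent` match can rate-limit new connections to port 22 without parsing logs at all, and the first two items on the list (strong passwords, key-based authentication) remove the payoff of guessing in the first place.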