<body>

53cur!ty 6109

Girma Nigusse

Social engineering

November 30, 2006

"This episode of PLA Radio will introduce you to the art of social engineering."

source

Password guessing

November 29, 2006

"In the military use of passwords, guessing is not a problem. You show up at the door. You utter a word. If it's the right word, they let you in; if it's the wrong word, they shoot you. Even if you know the password is the month in which the general was born, guessing is not an attractive pursuit."

source

2006 RSA Conference Keynote - Scott McNealy - Sun | Posted by Reflex Security

November 28, 2006

Castanet.net - Computer Security

Castanet.net - Computer Security: "A recent study by Symantec found that as of July 2006, 54% of all email circulating the internet is spam. "

source

Shoppers pay price for terror | The Daily Telegraph

Shoppers pay price for terror | The Daily Telegraph: "'It would become a criminal offence under Section 139 to issue gift cards on an anonymous basis,' Westfield's submission said."

source

Metrics 2.0: Gartner: Nearly $2 Billion Lost in E-Commerce Sales in 2006

Metrics 2.0: Gartner: Nearly $2 Billion Lost in E-Commerce Sales in 2006: "Due to consumer’s concerns about the security of the Internet, nearly $2 billion in U.S. e-commerce sales will be lost in 2006, according to a survey by Gartner, Inc."

source

BetaNews | EU, US Laws Clash Once Again on Personal Privacy

BetaNews | EU, US Laws Clash Once Again on Personal Privacy: "Last Wednesday in Brussels, a working group comprised of leading European information privacy officials concluded that a major global financial transaction processing organization based in Belgium may have violated EU law in complying with subpoenas from the US Treasury Dept. for information."

source

Linksys WVC54GC Wireless-G Internet video camera & security cameras

Linksys WVC54GC Wireless-G Internet video camera & security cameras: "Internet video cameras come in all shapes and sizes."

source

Brussels declares war on spyware and spam | The Register

Brussels declares war on spyware and spam | The Register: "The European Commission called for stronger action against spammers and spyware merchants today and said it may bring in further legislation to combat the problem."

source

ClickPress | Personal Security and Identity Theft Expert Warns that Laptops Bereft of GPS Are Easy Crime Targets

ClickPress | Personal Security and Identity Theft Expert Warns that Laptops Bereft of GPS Are Easy Crime Targets: "According to Symantec, a laptop computer is stolen every 53 seconds, and 97 percent of these machines lost to theft are never recovered.
...Siciliano encouraged owners to equip laptops with GPS tracking technology."

source

Hackers ride on Web app vulnerabilities - Security - News - ZDNet Asia

November 27, 2006

Hackers ride on Web app vulnerabilities - Security - News - ZDNet Asia: "SINGAPORE--If you think your Web applications are secure, think again.

According to Mass.-based Watchfire, the most vulnerable area in the enterprise information ecosystem is Web applications. The company specializes in software and services to audit the security and regulatory compliance of Web sites."

source

CCC | How to fake fingerprints?

CCC | How to fake fingerprints?: "In order to fake a fingerprint, one needs an original first. Latent fingerprints are nothing but fat and sweat on touched items. Thus to retrieve someone else's fingerprint (in this case the fingerprint you want to forge) one should rely on well tested forensic research methods. Which is what's to be explained here."

source

November 26, 2006

Network-wide control of portable storage media and consumer electronic devices

Network-wide control of portable storage media and consumer electronic devices: "Technology analyst Gartner warns that portable devices containing a USB or FireWire connection are a serious new threat to businesses. In their report, Gartner named removable media devices as a significant security risk in the workplace and advised that these can be used both to download confidential data, and also to introduce a virus into the company network."

source

Schneier on Security

November 25, 2006

Schneier on Security: "Podcast on RFID Passports"

source

Vulnerability markets

November 24, 2006

IE and Firefox blighted by fake login flaw | The Register

IE and Firefox blighted by fake login flaw | The Register: "Firefox's Password Manager, for example, fails to properly check URLs before filling in saved user credentials into web forms. As a result, hackers might be able to swipe users' credentials via malicious forms in the same domain, providing users have already filled out forms on this domain."

source
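The check the article says is missing, as an added illustration (not code from the article, from Mozilla, or from this blog): a password manager that compares only the page's origin with the saved one will fill credentials into any form on that site, including an attacker-supplied form on a user-content page whose action posts off-site. The hardened rule also resolves the form's action and requires it to match. The site names and the stored credential are constructed; keying on full origin (scheme, host, port) rather than bare domain is this example's design choice, not a description of how Firefox was actually patched.

```python
from urllib.parse import urljoin, urlsplit

# Constructed: a credential the password manager stored for a site's own login page.
SAVED_CREDENTIAL = {
    "origin": "https://example.test",    # assumed site; not a real host
    "username": "alice",
    "password": "correct horse battery staple",
}

def origin_of(url):
    """scheme://host[:port] of an absolute URL, the unit credentials should be keyed on."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("absolute URL required: %r" % url)
    default = {"https": 443, "http": 80}.get(parts.scheme)
    if parts.port is None or parts.port == default:
        return "%s://%s" % (parts.scheme, parts.hostname)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, parts.port)

def weak_should_fill(page_url, form_action, saved=SAVED_CREDENTIAL):
    """The flawed rule the article describes: the page's origin matches the saved
    one, so fill, without looking at where the form will submit the credentials."""
    return origin_of(page_url) == saved["origin"]

def strict_should_fill(page_url, form_action, saved=SAVED_CREDENTIAL):
    """Hardened rule: both the page and the resolved form action must belong to
    the origin the credential was saved for."""
    target = urljoin(page_url, form_action)   # form actions may be relative
    return origin_of(page_url) == saved["origin"] and origin_of(target) == saved["origin"]

if __name__ == "__main__":
    # Constructed scenario: a user-content page on the trusted site carries an
    # attacker-supplied form whose action points at the attacker's host.
    page = "https://example.test/forum/thread/123"
    hostile_form = "https://attacker.test/collect"
    print("weak rule fills:    ", weak_should_fill(page, hostile_form))     # True: leaks
    print("strict rule fills:  ", strict_should_fill(page, hostile_form))   # False
    print("strict, real login: ", strict_should_fill("https://example.test/login", "/session"))  # True
```

Note that the strict rule still cannot tell a legitimate form from a hostile one that submits to the site's own origin, which is why the article's "providing users have already filled out forms on this domain" caveat matters: autofill on a site that hosts untrusted user content remains risky even with the action check.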

RSA crypto attack poses threat to DRM | The Register

RSA crypto attack poses threat to DRM | The Register: "Security researchers have developed a new approach to breaking the RSA algorithm that creates new problems for the development of effective rights management software."

source

Crypto-Gram: June 15, 1998

Crypto-Gram: June 15, 1998: "Researchers have generalized these methods to include attacks on a system by measuring power consumption, radiation emissions, and other 'side channels,' and have implemented them against a variety of public-key and symmetric algorithms in 'secure' tokens. Related research has looked at fault analysis: deliberately introducing faults into cryptographic processors in order to determine the secret keys. The effects of this attack can be devastating."

source
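A worked example of the fault analysis the excerpt refers to, added here and not taken from Crypto-Gram: the Boneh, DeMillo and Lipton (Bellcore) attack on RSA signatures computed with the Chinese Remainder Theorem. A single corrupted half-signature lets anyone holding the faulty output and the message factor the modulus with one gcd. The key uses two small constructed primes so the numbers are readable; the arithmetic is the same at real key sizes. The "+1" fault is a stand-in for whatever glitch a real attack induces.

```python
from math import gcd

# Constructed toy key. 999983 and 1000003 are prime; the size is for readability,
# a real key is thousands of bits, but the arithmetic below is identical.
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# CRT values a token stores to sign roughly four times faster than a plain modexp
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)

def crt_sign(m, fault_in_p=False):
    """RSA signature by the Chinese Remainder Theorem with Garner recombination.
    fault_in_p simulates a glitch (voltage, clock, laser) that corrupts the
    half-signature computed modulo p; the half modulo q stays correct."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_in_p:
        s_p = (s_p + 1) % P       # constructed fault; any corruption of s_p will do
    h = (QINV * (s_p - s_q)) % P
    return s_q + Q * h

def recover_factor(m, sig):
    """Boneh-DeMillo-Lipton: a CRT signature wrong only modulo p still satisfies
    sig^e == m (mod q), so q divides sig^e - m while p does not, and the gcd
    with N is q. Returns N (or 1) when the signature was not faulty."""
    return gcd((pow(sig, E, N) - m) % N, N)

def checked_crt_sign(m, fault_in_p=False):
    """Countermeasure: verify before release, so a faulted signature never leaves
    the device and the attacker gets nothing to take a gcd of."""
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m:
        raise RuntimeError("signature self-check failed; possible fault attack")
    return s

def fault_is_caught(m):
    """True when the self-check rejects a faulted signature."""
    try:
        checked_crt_sign(m, fault_in_p=True)
    except RuntimeError:
        return True
    return False

if __name__ == "__main__":
    m = 123456789                                   # constructed message, m < N
    good = crt_sign(m)
    bad = crt_sign(m, fault_in_p=True)
    print("valid signature verifies:", pow(good, E, N) == m)
    print("factor from faulty signature:", recover_factor(m, bad), "== q:", recover_factor(m, bad) == Q)
    print("self-check blocks the fault:", fault_is_caught(m))
```

The verify-before-release check costs one public-key operation, which is cheap for small e. It does not help against faults injected during the verification itself or against side channels, so hardware tokens combine it with the shielding and sensors that the power and emission attacks in the same paragraph are meant to defeat.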

Code Injection Beyond SQL

November 23, 2006

Code Injection Beyond SQL: "XML and LDAP could be as prone to a malicious injection of code as a SQL database on the backend of a web application. Command execution on a poorly secured application could happen as well."

source
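The three non-SQL injection classes the excerpt names, each shown as the vulnerable string-building beside its fix. This is an added illustration, not code from the article or its author; the payloads, the XML element names and the hostname rule are constructed for the example (the hostname pattern is a simplification of RFC 1123 labels, not a complete validator), and nothing here contacts an LDAP server or runs a command.

```python
"""Injection beyond SQL: the same untrusted-string-meets-interpreter bug in
LDAP filters, XML documents and shell commands, each beside its fix."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# ---- LDAP filter injection --------------------------------------------------

def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def vulnerable_ldap_filter(username):
    """Untrusted value spliced straight into the filter grammar."""
    return "(&(objectClass=person)(uid=%s))" % username

def safe_ldap_filter(username):
    return "(&(objectClass=person)(uid=%s))" % ldap_escape(username)

def top_level_filters(filter_text):
    """Number of top-level parenthesised filters; a well-formed filter has exactly one."""
    depth, count = 0, 0
    for c in filter_text:
        if c == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif c == ")":
            depth -= 1
    return count

# ---- XML injection ----------------------------------------------------------

def vulnerable_user_xml(name):
    """A name containing markup can close <name> and add its own elements."""
    return "<user><name>%s</name><role>user</role></user>" % name

def safe_user_xml(name):
    return "<user><name>%s</name><role>user</role></user>" % xml_escape(name)

def roles_in(xml_text):
    """Role elements the consumer would see; the first one usually wins."""
    return [r.text for r in ET.fromstring(xml_text).findall("role")]

# ---- Command injection ------------------------------------------------------

# Assumed, simplified hostname rule: dot-separated RFC 1123 labels, nothing else.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def vulnerable_ping_command(host):
    """A shell string; subprocess.run(cmd, shell=True) would execute whatever follows ';'."""
    return "ping -c 1 " + host

def safe_ping_argv(host):
    """Validate, then pass an argv list so no shell ever parses the value."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("not a hostname: %r" % host)
    return ["ping", "-c", "1", host]

if __name__ == "__main__":
    ldap_payload = "*)(uid=*))(|(uid=*"                    # constructed payload
    print(vulnerable_ldap_filter(ldap_payload), "->", top_level_filters(vulnerable_ldap_filter(ldap_payload)), "filters")
    print(safe_ldap_filter(ldap_payload), "->", top_level_filters(safe_ldap_filter(ldap_payload)), "filter")
    xml_payload = "x</name><role>admin</role><name>"       # constructed payload
    print(roles_in(vulnerable_user_xml(xml_payload)), roles_in(safe_user_xml(xml_payload)))
    print(vulnerable_ping_command("example.test; rm -rf /"))
    print(safe_ping_argv("example.test"))
```

In every case the fix is the same shape as for SQL: either encode the value for the grammar it is entering (ldap_escape, xml_escape) or keep it out of the grammar entirely (an argv list instead of a shell string). Validation on its own, as in safe_ping_argv, is a second layer, not a replacement.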

3 Metrics To Gauge Security Spending

3 Metrics To Gauge Security Spending: "The idea that the Internet could fail never crossed my mind until Oct. 21, 2002. As acting CIO of NASA, I was informed that a computer at the Ames Research Center in California, operating as one of 13 global Internet domain name root-name servers—the master address controls for the entire Internet—was rejecting incoming traffic from California to as far west as India."

source

Computer Misuse Act could ban security tools | The Register

Computer Misuse Act could ban security tools | The Register: "The new Police and Justice Act, published today, could criminalise legitimate IT security activity. There are fears among security experts that changes it makes to the Computer Misuse Act will make it illegal to distribute some vital tools."

source

Lecture videos

November 22, 2006

Privacy & Security in an On-Demand World

Federated Security Services

Roland Bryan: WIFI: Smart Security Networks and Their Implications

HTH - Cyber Security is Everyone's Responsibility

Strategies for Network Security

An Evaluation of Retinal Imaging Technology for 4-H Beef and Sheep Identification

An Evaluation of Retinal Imaging Technology for 4-H Beef and Sheep Identification: "Abstract: The study reported here evaluated retinal imaging technology as a means of permanent identification of 4-H beef and sheep."

source

Are Passwords Becoming Passé? - Computerworld Blogs

Are Passwords Becoming Passé? - Computerworld Blogs: "2005 Gartner Inc. report predicted: 'By 2007, 80 percent of organizations will reach the password breaking point and will need to strengthen user authentication with alternative security methods.'"

source

Ernst & Young Global Information Security Survey highlights concerns over Privacy and Personal Data Protection

Ernst & Young Global Information Security Survey highlights concerns over Privacy and Personal Data Protection: "A global Ernst & Young survey of 1,200 information security professionals from 350 organisations in 48 countries has identified five key security priorities that are critical to business success. The survey Achieving success in a globalised world – Is your way secure?, highlighted the issue of privacy and personal data protection as an increasing concern for businesses."

source

E-Commerce News: Small Business: IBM Targets SMBs With Identity Management Tools

E-Commerce News: Small Business: IBM Targets SMBs With Identity Management Tools: "Using Federated Identity Manager Business Gateway, an SMB's users can log on to a company's Web site and have that site confirm their identity when they connect to applications on related Web sites without having to log in again. The new single sign-on tools can help systems administrators control access to multiple services."

source

2600 NEWS: AUDIO FOR "PRIVACY IS DEAD" TALK NOW ONLINE

2600 NEWS: AUDIO FOR "PRIVACY IS DEAD" TALK NOW ONLINE: "We have all three hours of the audio for the recent 'Privacy is Dead' talk available at the HOPE Number Six site."

source

Bank-card PINs 'wide open' to insider attack | The Register

November 21, 2006

Bank-card PINs 'wide open' to insider attack | The Register: "Security researchers have highlighted how corrupt bank insiders might be able to obtain bank card PINs using as little as one or two guesses."

source

Thomas Blanton Presentation at Security, Technology, and Privacy Conference

November 19, 2006

Rajiv Gupta, CEO, Securent Corp.

Rajiv Gupta, CEO, Securent Corp.: "Single sign-on, authentication, authorization: they're all significant pieces of the multi-billion-dollar identity management puzzle."

source

Top 10 data loss disasters

November 18, 2006

Top 10 data loss disasters: "4. Tenth Time's the Charm -- A man reformatted his hard drive not once, not twice, but 10 times before he realized there was some valuable information he needed recovered."

source

SANS Institute - SANS Top-20 Internet Security Attack Targets (2006 Annual Update)

November 17, 2006

SANS Institute - SANS Top-20 Internet Security Attack Targets (2006 Annual Update): "Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts."

source

InfoWorld LogLogic Podcast

Podcast # 1
Podcast # 2
Podcast # 3
Podcast # 4

Schneier on Security: Architecture and Security

November 16, 2006

Schneier on Security: Architecture and Security: "From medieval castles to modern airports, security concerns have always influenced architecture."

source

Schneier on Security: Airline Passenger Profiling for Profit

Schneier on Security: Airline Passenger Profiling for Profit: "But the very same system that is useless at picking terrorists out of passenger lists is probably very good at identifying consumers."

source

Schneier on Security: Total Information Awareness Is Back

Schneier on Security: Total Information Awareness Is Back: "In November 2002, the New York Times reported that the Defense Advanced Research Projects Agency (DARPA) was developing a tracking system called 'Total Information Awareness' (TIA), which was intended to detect terrorists through analyzing troves of information."

source

Schneier on Security: Perceived Risk vs. Actual Risk

Schneier on Security: Perceived Risk vs. Actual Risk: "I've written repeatedly about the difference between perceived and actual risk, and how it explains many seemingly perverse security trade-offs...
1. We over-react to intentional actions, and under-react to accidents, abstract events, and natural phenomena.
2. We over-react to things that offend our morals.
3. We over-react to immediate threats and under-react to long-term threats.
4. We under-react to changes that occur slowly and over time.
"

source

Personal privacy: on the web

November 15, 2006

Personal privacy: on the web: "An onion router is the most effective way to be anonymous on the internet; it allows you to:

* protect your location (that is, your IP address) from websites;
* mask the destination of packets you send;
* mask the origin of packets from sites and other nodes;
* protect the packet's contents via encryption;"

source
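The layering that gives an onion router the four properties listed above, as an added toy illustration (not code from the quoted article, and not Tor's actual protocol): the client wraps the message once per relay, innermost layer first, and each relay strips exactly one layer, learning only the next hop and an opaque blob. The relay keys and circuit are constructed, and the XOR keystream cipher is a stand-in for the real per-hop encryption, not something to reuse.

```python
import hashlib
import json

def keystream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream. Stands in for
    the real per-hop encryption of an onion router; symmetric, so it also decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed circuit: three relays, each sharing a key with the client and no one else.
RELAY_KEYS = {"relay1": b"key-one", "relay2": b"key-two", "relay3": b"key-three"}
CIRCUIT = ["relay1", "relay2", "relay3"]

def build_onion(payload, destination, circuit=CIRCUIT, keys=RELAY_KEYS):
    """Wrap payload so each relay in the circuit can strip exactly one layer."""
    hops = list(circuit) + [destination]
    blob = payload.encode()
    for i in range(len(circuit) - 1, -1, -1):          # exit relay inward to entry relay
        layer = json.dumps({"next": hops[i + 1], "data": blob.hex()}).encode()
        blob = keystream_xor(keys[circuit[i]], layer)
    return blob

def relay_peel(relay, blob, keys=RELAY_KEYS):
    """What one relay does: decrypt its layer and learn only the next hop and the rest."""
    layer = json.loads(keystream_xor(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["data"])

def run_circuit(payload, destination):
    """Trace the onion through the circuit. Returns each relay's view
    (itself, the next hop, the blob it forwards), the final hop, and the delivered text."""
    blob = build_onion(payload, destination)
    views = []
    hop = CIRCUIT[0]
    while hop in RELAY_KEYS:
        next_hop, blob = relay_peel(hop, blob)
        views.append((hop, next_hop, blob))
        hop = next_hop
    return views, hop, blob.decode()

if __name__ == "__main__":
    views, final_hop, delivered = run_circuit("hello", "website.test")
    for relay, next_hop, forwarded in views:
        print("%s knows next=%s, forwards %d opaque bytes" % (relay, next_hop, len(forwarded)))
    print("delivered to", final_hop, ":", delivered)
```

The entry relay sees the client's address but only ciphertext; the exit relay sees the destination and the payload but not the client. That split is what "mask the destination" and "mask the origin" mean in practice, and it is also the standing caveat: the exit can read anything the client did not separately encrypt end to end.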

Meet the world's most prolific spammers | The Register

Meet the world's most prolific spammers | The Register: "Spamhaus has published a revised list of the world's 10 worst spammers. According to the anti-spam organisation, 200 professional spam gangs are responsible for 80 per cent of the high volume of junk mail pumped onto the internet every day."

source

OneCare slaps viral warning on Gmail | The Register

OneCare slaps viral warning on Gmail | The Register: "Faulty signature updates resulted in Microsoft's Live OneCare anti-virus service falsely reporting Gmail's website was infected with a computer virus."

source

Web browsers to adopt enhanced SSL - Convergence - www.itnews.com.au

Web browsers to adopt enhanced SSL - Convergence - www.itnews.com.au: "Microsoft plans to add support for the upcoming Extended Validation standard for SSL certificates this January through a software update to Internet Explorer 7."

source

Hacker who targeted teens sentenced to prison

Hacker who targeted teens sentenced to prison: "He demonstrated his control of the girls' computers by remotely opening and closing the disc drive or turning off the monitor, while pressuring his victims to send naked photos of themselves."

source

Mutate, fragment, hide: The new hacker mantra

Mutate, fragment, hide: The new hacker mantra: "The most popular of these approaches involve code mutation techniques designed to evade detection by signature-based malware blocking tools; code fragmentation that makes removal harder; and code concealment via rootkits."

source

US-CERT Cyber Security Tip ST04-010 -- Using Caution with Email Attachments

US-CERT Cyber Security Tip ST04-010 -- Using Caution with Email Attachments: "While email attachments are a popular and convenient way to send documents, they are also a common source of viruses. Use caution when opening attachments, even if they appear to have been sent by someone you know."

source

Securing Your Web Browser

Securing Your Web Browser: "# ActiveX Controls
# Java
# Cross-Site Scripting
# Cross-Zone and Cross-Domain Vulnerabilities
# Malicious Scripting, Active Content and HTML
# Spoofing"

source

Trojan pervert jailed for child abuse | The Register

November 13, 2006

Trojan pervert jailed for child abuse | The Register: "Adrian Ringland, 36, from Ilkeston, Derbyshire, admitted blackmailing teenage girls into sending him increasingly explicit pictures after infecting their PCs with Trojan horse malware."

source

Biometric ID cards an insecure menace, says EU ID outfit | The Register

Biometric ID cards an insecure menace, says EU ID outfit | The Register: "The EU-funded FIDIS (Future of Identity in the Information Society) project has warned that implementation of the current generation of biometric travel ID will dramatically decrease security and privacy, and increase the risk of identity theft."

source

Crime: The Real Internet Security Problem

E-Commerce News: Security: Catching Up With Cybercriminals

November 12, 2006

E-Commerce News: Security: Catching Up With Cybercriminals: "It's estimated that 85 percent of malware today is created with profit in mind. The sobering corollary to that statistic: only 5 percent of cybercriminals are caught and prosecuted."

source

Framing Security as a Governance and Management Concern: Risks and Opportunities

Framing Security as a Governance and Management Concern: Risks and Opportunities: "This article briefly describes six 'assets' or requirements of being in business that can be compromised by insufficient security investment."

Asset #1: Trust
Asset #2: Stakeholder Value
Asset #3: Ethics and Duty of Care
Asset #4: Compliance and Legal Liability
Asset #5: Customer and Partner Identity and Privacy
Asset #6: Ability to Offer and Fulfill Business Transactions

source

Security puzzle | IndyStar.com

Security puzzle | IndyStar.com: "Here's a piece of advice: Treat that little black notebook like it's a pile of cold green cash."

source

Australian Health Information Technology: The Australian National Identity Security Strategy – Unknown, Critical and Possibly Flawed!

Australian Health Information Technology: The Australian National Identity Security Strategy – Unknown, Critical and Possibly Flawed!: "Traditional computer security systems begin with a nearly metaphysical design goal of associating a single identifier with a single identity (whether a person’s name or pseudonym). Once the system verifies the identifier, all privileges associated with it become available to whoever possesses that identity. Rather than taking this unitary approach, however, credit-card authorization systems take a composite approach, in which the binding between an identifier (a credit-card number) and the associated privileges (access to credit) is established only after the system has completed statistically based antifraud checks. In other words, you aren’t actually recognized as the card holder simply for presenting the card or even after verification that the card token itself is genuine. You’re recognized as an authorized party only on the basis of traditional security checks combined with statistical verification that you’re likely to be who you say you are."

source

Computer Gurus - Computer News, Help and Articles » Sarbanes-Oxley: A Cross-Industry Email Compliance Challenge » Blog Archive

Computer Gurus - Computer News, Help and Articles » Sarbanes-Oxley: A Cross-Industry Email Compliance Challenge » Blog Archive: "Information security policies should govern:

* Network security
* Access controls
* Authentication
* Encryption
* Logging
* Monitoring and alerting
* Pre-planning coordinated incident response
* Forensics"

source

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System: "The top 10 ports are ranked based on number of source IPs scanning a particular target port.
In order to rank ports by other criteria"

source
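The ranking rule the ISC excerpt describes, run over sample firewall logs. This is an added example, not ISC code: the log lines are constructed in the Linux netfilter text format with documentation-range addresses, and the "rank by other criteria" option is implemented here as a switch between distinct sources and raw packet counts.

```python
import re
from collections import defaultdict

# Constructed netfilter-style log lines (documentation-range addresses, made-up ports).
SAMPLE_LOG = """\
Nov 12 03:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41233 DPT=445 SYN
Nov 12 03:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41234 DPT=445 SYN
Nov 12 03:14:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=5021 DPT=445 SYN
Nov 12 03:15:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=1433 SYN
Nov 12 03:15:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=6001 DPT=1433 SYN
Nov 12 03:15:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.46 DST=198.51.100.7 PROTO=TCP SPT=6002 DPT=1433 SYN
Nov 12 03:16:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41235 DPT=1433 SYN
Nov 12 03:17:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=1026 DPT=1026
Nov 12 03:17:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=1026 DPT=1026
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse(log_text):
    """Yield (source IP, protocol, destination port) for each line that has all three."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto").lower(), int(m.group("dpt"))

def summarize(log_text):
    """Per (protocol, port): number of distinct scanning sources and raw packet count."""
    sources = defaultdict(set)
    packets = defaultdict(int)
    for src, proto, dpt in parse(log_text):
        sources[(proto, dpt)].add(src)
        packets[(proto, dpt)] += 1
    return {k: {"sources": len(sources[k]), "packets": packets[k]} for k in packets}

def rank(log_text, by="sources", top=10):
    """Top ports by the chosen criterion; ISC's default is distinct source IPs."""
    summary = summarize(log_text)
    return sorted(summary.items(), key=lambda kv: (-kv[1][by], kv[0]))[:top]

if __name__ == "__main__":
    for criterion in ("sources", "packets"):
        print("ranked by", criterion)
        for (proto, port), stats in rank(SAMPLE_LOG, by=criterion):
            print("  %s/%-5d sources=%d packets=%d" % (proto, port, stats["sources"], stats["packets"]))
```

Counting distinct sources rather than packets is the point of the ISC rule: in the sample, one host sends three SYNs to 445 but counts once, so a single noisy scanner cannot push a port up the list the way a genuinely widespread scan does. The two rankings differ here only in the gap between ports, but on real data a worm that scans from thousands of infected hosts and a lone aggressive scanner land in different places depending on the criterion.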

Voxilla - The Problem With VoIP Security Is Closer Than You Think

November 11, 2006

Voxilla - The Problem With VoIP Security Is Closer Than You Think: "The biggest problem with VoIP security is static passwords."

source

Security is Broken

U.K. outlaws denial-of-service attacks | CNET News.com

U.K. outlaws denial-of-service attacks | CNET News.com: "A U.K. law has been passed that makes it an offense to launch denial-of-service attacks, which experts had previously called 'a legal gray area.'"

source

United Press International - Security & Terrorism - New computer virus unleashed via e-mail

United Press International - Security & Terrorism - New computer virus unleashed via e-mail: "A new virus is using the topics of the death of U.S. President Bush and nuclear war as bait."

source

Gartner: Consumers to lose $2.8B to phishers in 2006

November 10, 2006

Gartner: Consumers to lose $2.8B to phishers in 2006: "Phishers have hit more victims with their online attacks, and while fewer people are being scammed, successful attempts have been yielding bigger payoffs, said Avivah Litan, an analyst at Gartner. 'When they do succeed, they're stealing five times more than they stole last year,' she said."

source

British Online Bank Fraud Increases Dramatically - Security Feed - Blog - CSO Magazine

British Online Bank Fraud Increases Dramatically - Security Feed - Blog - CSO Magazine: "U.K. banks reported a 55 percent increase in losses from fraudulent online transactions for the first half of the year, mostly from phishing scams, an industry trade group reported Tuesday."

source

Google accidentally sends out Kama Sutra worm

Google accidentally sends out Kama Sutra worm: "Google Inc. accidentally sent out e-mail containing a mass mailing worm to about 50,000 members of an e-mail discussion list focused on its Google Video Blog, the company said Tuesday."

source

How many wireless vulnerabilities are really out there?

How many wireless vulnerabilities are really out there?: "The Wireless Vulnerabilities and Exploits group has been cataloging security vulnerabilities on wireless networks, primarily Bluetooth and the various flavors of 802.11, for nearly a year. Started by Network Chemistry, it now has 134 wireless vulnerabilities documented on its Web site."

source

How to secure remote desktop connections using TLS/SSL based authentication

How to secure remote desktop connections using TLS/SSL based authentication: "This article shows how to enable computer based authentication using TLS/SSL, when establishing a remote desktop connection to a server running Windows Server 2003."

source

Undisclosed Flaws Undermine IT Defenses

November 06, 2006

Undisclosed Flaws Undermine IT Defenses: "Attacks targeting software vulnerabilities that haven’t been publicly disclosed pose a silent and growing problem for corporate IT. But responses to such threats have been largely misguided because of misconceptions about them, according to some analysts and security vendors. "

source

Phone Banking System Knows You By Your Voice - Software News by InformationWeek

Phone Banking System Knows You By Your Voice - Software News by InformationWeek: "Just as fraudulent online transactions are making problems for financial institutions, phone banking transactions can create a similar mess. Now RSA, the security division of EMC, says it's found a way to identify customers who bank over the phone by using new authentication software."

source

DriveSentry offers 'firewall' for hard drives

DriveSentry offers 'firewall' for hard drives: "DriveSentry Inc.'s software sets up a whitelist of trusted programs that are allowed to write to certain folders or file-types. Should another program try to write to the drive, DriveSentry generates a pop-up window and asks the user if this should be allowed."

source

Symantec: Future malware will seek true harm

Symantec: Future malware will seek true harm: "'While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden we've noticed a significant shift in both the type of attack and the motivation of the attack,' he said. 'The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers.'"

source

FTC settles with Zango over adware

FTC settles with Zango over adware: "The settlement, announced Friday, bars Zango from loading software onto consumers' computers without their consent, the FTC said."

source

E-voting grows, concerns remain - The Red Tape Chronicles - MSNBC.com

November 05, 2006

E-voting grows, concerns remain - The Red Tape Chronicles - MSNBC.com: "Open Notepad, hack democracy. It is that easy," Thompson said.

source

US.gov tunes out scathing RFID privacy report | The Register

November 03, 2006

US.gov tunes out scathing RFID privacy report | The Register: "An external security advisory committee reporting to the US Department of Homeland Security has produced a highly critical report (PDF) advising against the use of RFID technology in government documents."

source

Quantum attacks worry computer scientists | The Register

Quantum attacks worry computer scientists | The Register: "two researchers who are working on ways of defending against the future possibility of malicious attack assume that any unauthorised access to a quantum computer constitutes a catastrophic failure."

source

Spammers go island hopping to bypass filter | The Register

Spammers go island hopping to bypass filter | The Register: "Anti-spam researchers at security company McAfee have discovered a new spamming trend nicknamed 'spam island-hopping'.
The new trend involves spammers using the domain names of small islands as website links in spam campaigns."

source

Google thanks bug hunters | Tech News on ZDNet

November 02, 2006

Google thanks bug hunters | Tech News on ZDNet: "a list of people and organizations that Google wishes to thank for reporting security vulnerabilities to it."

Wired News: The Virus That Ate DHS

Wired News: The Virus That Ate DHS: "A Morocco-born computer virus that crashed the Department of Homeland Security's US-VISIT border screening system last year first passed though the backbone network of the Immigrations and Customs Enforcement bureau, according to newly released documents on the incident."

Explosive device shatters window at PayPal headquarters

Explosive device shatters window at PayPal headquarters: "An explosive device blew out a thick plate-glass window Tuesday evening at the Silicon Valley headquarters of PayPal, the online payments unit of eBay Inc. "

Russian hacking case can be heard in England, says judge | The Register

November 01, 2006

Russian hacking case can be heard in England, says judge | The Register: "A case claiming that two Russian companies hacked into a London computer system can be heard in English courts, a judge has ruled. The Russian companies involved had argued that English courts had no jurisdiction."