Spliced feed for Security Bloggers Network
The new golden age of comics [StillSecure, After All These Years] Posted: 21 Jun 2008 05:31 PM CDT
The golden age of comics in the '30s and '40s saw the creation of the superhero. The good versus evil storylines mimicked the real-life events of the day. It elevated the comic book to an art form. Comic-style illustration and storytelling in short dialog balloons had never before or since reached those heights. Then after WW II, with the advent of TV and one evil empire ending, comic books seemed to recede back into the background of young boys' playthings. Their numbers never again reached the levels seen during the war and many of the characters faded away. Over the years the comic industry tried to regain its former glory, but the age of the superhero was over. Yeah, there were the TV cartoons; who didn't watch Superman or Batman when you were little? Some of you, like me, may have even watched the Marvel Superhero Show that had short segments of many of the Marvel characters (check them out in the YouTube video), but they were campy and never appealed to an audience beyond young boys. The Superman movies with Christopher Reeve marked a turning point in the return of the superhero, and the Batman movies were very successful. But beyond those two, there were many flops. With better technology and better storylines, Spiderman, Iron Man and now the latest, The Incredible Hulk, have brought comic book superheroes from the page to the screen in a big way. I know that I was not a big fan of the Iron Man movie, but seeing Tony Stark come in at the end of the Hulk movie did get even me excited by the possibilities. Also, seeing the Hulk and Iron Man, I began to see that these movies are not aimed at adolescent boys with stories that I am used to from comic books and TV shows. These are movies aimed at adults with adult storylines.
The technology is great, the heroes are played by big stars (I hear Brad Pitt is playing Thor) rather than unknowns, and the productions are first class. Besides the movies already out, Thor, Captain America, and Namor the Submariner are all headed for the big screen. Once each of these and more have their movie debuts, the subsequent combinations and sequels are almost infinite. This could be the biggest movie franchise of all time and make the original comic book owners more money than they ever dreamed of! In the meantime, I am excited to see many of my boyhood heroes get this new big screen treatment!
Resist Strictly Incremental Changes [The Falcon's View] Posted: 21 Jun 2008 11:06 AM CDT
Classic [Random Thoughts from Joel's World] Posted: 21 Jun 2008 08:00 AM CDT
I don't know who did it, but this is funny. Knowing that I watch my logs, someone typed this in as a search string into Google and then came to my site with this as the referring string: "joel esler reads his logs too much". Sorry, just thought that was good.
exploring my mac [remes-it] [Belgian Security Blognetwork] Posted: 21 Jun 2008 04:47 AM CDT
Yes ... I finally made the switch. I had to buy a new laptop and after careful consideration I opted for the MacBook 2.4, although the Air was tempting :-) This is my first post from the Mac and I must say I like it ... I'm still in the exploring phase and everything looks and feels a little different, but it's ok. I'll get the hang of it.
OpenXPKI [Wouter Veugelen] [Belgian Security Blognetwork] Posted: 21 Jun 2008 04:26 AM CDT
Ever wanted to set up your own CA? You can with OpenXPKI. OpenXPKI, the successor of OpenCA, describes its objectives as: "The OpenXPKI Project aims at creating an enterprise-grade PKI/Trustcenter software supporting well established infrastructure components like RDBMS and Hardware Security Modules. Flexibility and modularity are the project's key design objectives." They even provide an alternative for the expensive Hardware Security Modules (HSMs): "split the password for your encrypted software key into pieces using Shamir's secret splitting algorithm. In that way, you can
If you want to find out more, check out their manual pages or download their LiveCD to play around with it.
Setting up an SSH Server on Windows [Wouter Veugelen] [Belgian Security Blognetwork] Posted: 21 Jun 2008 04:23 AM CDT
I have been trying a lot of different solutions lately to run an SSH server on my Windows PC at home. One of the requirements was that it had to be a free solution. I came to the conclusion after trying a lot of different tools (which all turned out to have some issues) that the best solution is to stay with the trusted UNIX utilities and use Cygwin for setting up the SSH server. Here's an overview of how you install and configure the SSH server in Cygwin:

$ ssh-host-config -y
Generating /etc/ssh_host_key
Should privilege separation be used? (yes/no) yes
Warning: The following functions require administrator privileges!
Do you want to install sshd as service?
The service has been installed under LocalSystem account.
Host configuration finished. Have fun!

$ net start sshd
The CYGWIN sshd service is starting.

$ ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
Wouter Veugelen@veugelenw-pc ~

That's it!
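Once ssh-host-config has written sshd_config, the next thing to look at is what that server will accept from the network. The following is an added example, not the post author's tooling: a small audit of the global section of an sshd_config. The file contents are a constructed sample, and the "expected" values are this example's hardening choices (keys only, no root login), not anything the post or Cygwin prescribes.

```python
"""Audit the global section of an sshd_config for weak settings (added example).

Directive names are matched case-insensitively, as sshd does. Only the global
section is considered: parsing stops at the first Match block, since anything
below it applies conditionally. The first occurrence of a directive wins,
which is also sshd's own rule.
"""
import re

# Directive -> value we want to see set explicitly (this example's choice).
EXPECTED = {
    "protocol": "2",                 # SSH-1 is obsolete
    "permitrootlogin": "no",
    "passwordauthentication": "no",  # keys only; set once your key is in place
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return {directive_lower: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no setting
        # sshd accepts both "Key value" and "Key=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything below is conditional, not global
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(settings):
    """Return (directive, actual_or_None, expected) for every weak or unset directive."""
    findings = []
    for key, want in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, None, want))          # sshd default applies
        elif actual.lower() != want:
            findings.append((key, actual, want))
    return findings


def audit_text(text):
    return audit(parse_sshd_config(text))


# Constructed sample resembling a freshly generated config; not a real file.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /usr/sbin/sftp-server
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, actual, want in audit_text(SAMPLE_CONFIG):
        shown = actual if actual is not None else "(not set: sshd default applies)"
        print(f"{key}: {shown} -> want {want}")
```

On the sample this reports PermitRootLogin as unset and PasswordAuthentication as "yes"; the commented-out `#PermitRootLogin yes` line is correctly ignored, and the `Match` block's override does not hide the global setting.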
Installing Nessus on Backtrack 3 final [Wouter Veugelen] [Belgian Security Blognetwork] Posted: 21 Jun 2008 04:20 AM CDT
This week Backtrack 3 final was released. The first thing I wanted to do after downloading and running the Backtrack 3 VMware image was installing Nessus. About a year ago at security4all a post was written to explain how to install Nessus on Backtrack 3 beta. While this did not work out for me on the final release, I did find some info on the remote-exploit forums which helped me out:

rpm2tgz Nessus-3.2.x-fc8.i386.rpm
rpm2tgz NessusClient-3.2.x-fc8.i386.rpm
pkgtool
cd /opt/
nano /etc/ld.so.conf
ldconfig
cd /opt/nessus/etc/nessus
/opt/nessus/sbin/nessusd
/opt/nessus/bin/NessusClient

All credits to williamc for providing this guide. Source: forums.remote-exploit.org
Posted: 21 Jun 2008 12:52 AM CDT
This is a follow-up to my previous blog post here: http://miekiemoes.blogspot.com/2008/06/dutch-users-alert-beware-of-fake-tax.html
Thanks to Jan (who was infected with this one) for sharing the samples. Some were detected by most antivirus scanners. Others weren't detected at all, so I've sent them the samples. It is confirmed now: this one spreads via IM (Messenger - Windows Live Messenger). And since this is a worm, a lot of others may be infected with this one as well. I don't know via which URL yet (will find out later).
Some of the files it drops: %systemdrive%\svchost.exe and %systemdrive%\smss.exe
svchost.exe is already detected by most scanners as Backdoor.Win32.VB.bsf. The author is Dutch, that's for sure. As a matter of fact, Roel (Kaspersky) already posted about a variant of this one earlier. See here: http://www.viruslist.com/en/weblog?discuss=208187474&return=1
svchost.exe and smss.exe have several different loading points. The main ones are:
* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
C:\Windows\System32\userinit.exe,%systemdrive%\svchost.exe
C:\Windows\System32\userinit.exe,%systemdrive%\smss.exe
* HKCR\exefile\shell\open\command
%systemdrive%\svchost.exe "%1" %*
This means the file association for exe files is replaced with the malicious file. So if the file is removed, the exe association will be broken and you won't be able to run exe files anymore. To fix this, go to Start > Run > type "command.com" (without the quotes). In the command prompt, type:
ftype exefile="%1" %*
This restores the default association for exe files.
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Generic Host Process for Win32 Services=%systemdrive%\svchost.exe
Session Manager SubSystem=%systemdrive%\smss.exe
+ some extra policies:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windowsupdate
DoNotAllowSPSP2=dword:00000001
DoNotAllowSPSP3=dword:00000001
In case you were infected with this one, please make sure you change all your passwords afterwards as they may be known. As a matter of fact, make sure you don't get infected with this one in the first place, so always be careful with clicking links in IM, even when they come from friends. Verify with the sender first whether the link was sent intentionally or not.
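The loading points listed above are exactly what a helper would look for in a registry export from an affected machine. As an added example (not the post author's tooling), the script below parses a Regedit-format .reg export and reports the four indicators the post describes: a chained Winlogon Userinit, a hijacked exefile open command, Run entries that launch svchost.exe or smss.exe from outside System32, and the DoNotAllowSP* Windows Update policies. The export is a constructed sample written the way the post lists the values (with %systemdrive% left unexpanded), and the "clean" defaults it compares against are assumptions for a stock install.

```python
"""Find the loading points from the post in a .reg export (added example).

Parses the global sections of a "Windows Registry Editor Version 5.00" export:
REG_SZ strings are unescaped, dword: values become ints, and a key's default
value is stored under "(default)". Keys and value names are lower-cased so
lookups are case-insensitive, as the registry itself is.
"""
import re

# Defaults assumed for a stock install (assumption, not stated in the post).
USERINIT_DEFAULT = r"C:\Windows\System32\userinit.exe"
EXEFILE_DEFAULT = '"%1" %*'

# Keys from the post, with HKLM/HKCR/HKCU written out as a .reg export spells them.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
WU_POLICY = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate"
SYSTEM_NAMES = {"svchost.exe", "smss.exe"}  # legitimate only under System32


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_lower: {value_name_lower: data}} from a .reg export."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        reg[current][name] = data
    return reg


def _system_name_outside_system32(command):
    exe = command.strip().strip('"').rsplit("\\", 1)[-1].lower()
    return exe in SYSTEM_NAMES and "\\system32\\" not in command.lower()


def find_indicators(reg):
    """Return (indicator, detail) pairs for every loading point matching the post."""
    findings = []
    userinit = reg.get(WINLOGON, {}).get("userinit", "")
    for entry in (e.strip() for e in userinit.split(",") if e.strip()):
        if entry.lower() != USERINIT_DEFAULT.lower():
            findings.append(("winlogon_userinit", entry))
    command = reg.get(EXEFILE_CMD, {}).get("(default)")
    if command is not None and command != EXEFILE_DEFAULT:
        findings.append(("exefile_open_command", command))
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if isinstance(data, str) and _system_name_outside_system32(data):
                findings.append(("run_entry", f"{name}={data}"))
    for name, data in reg.get(WU_POLICY, {}).items():
        if name.startswith("donotallowsp") and data == 1:
            findings.append(("windowsupdate_policy", name))
    return findings


def find_indicators_in(reg_text):
    return find_indicators(parse_reg_export(reg_text))


# Constructed sample export mirroring the post's list; not a real capture.
INFECTED_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,%systemdrive%\\svchost.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="%systemdrive%\\svchost.exe \"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Process for Win32 Services"="%systemdrive%\\svchost.exe"
"Session Manager SubSystem"="%systemdrive%\\smss.exe"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windowsupdate]
"DoNotAllowSPSP2"=dword:00000001
"DoNotAllowSPSP3"=dword:00000001
"""

# Constructed clean counterpart with the assumed defaults.
CLEAN_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"""

if __name__ == "__main__":
    for kind, detail in find_indicators_in(INFECTED_SAMPLE):
        print(f"{kind}: {detail}")
    print("clean sample:", find_indicators_in(CLEAN_SAMPLE))
```

The exefile check is the one that matters most for cleanup: if it fires, remove the file only after restoring the association with the `ftype exefile="%1" %*` command from the post, or every .exe (including the tools you want to run next) will fail to launch.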
Day 1: Starting at the beginning [Jeremiah Grossman] Posted: 20 Jun 2008 08:25 PM CDT
You're hired on at a new company, placed in charge of securing their online business (websites). You know next to nothing about the technical details of the infrastructure other than that they have no existing web/software security program and a significant portion of the organization's revenues are generated through their websites. What is the very first thing you do on day 1? The idea here is to collect wisdom from the crowd (avoiding multiple choice), see if we can find recurring themes, order them accordingly, and then move on to the next step. And please don't say pour a cup of coffee. :)
Information Security at Colleges and Universities [Kees Leune] Posted: 20 Jun 2008 04:36 PM CDT
When you read the reports of information security breaches at The Breach Blog (see http://www.breachblog.com) and SC Magazine (see http://breach.scmagazineblogs.com), one of the most remarkable patterns is the frequency of breaches occurring in colleges and universities.
Source: Scott Wright's Security Views
While it is true that many of the published breaches took place at colleges and universities, it is important to realize that institutes for higher education are typically more open and willing to share information with the outside world than many corporations of a similar size would be. Do not forget that even a small college may have upwards of 10,000 users (students, faculty, administration and staff). Those numbers go up significantly when the larger universities are also included. The most important core value of research and education is Academic Freedom. Academic freedom is usually described as the right of each individual member of the faculty of an institution to enjoy the freedom to study, to inquire, to speak his mind, to communicate his ideas, and to assert the truth as he sees it. In the United States, the professor's academic freedom is often defined in terms of full freedom in research and in the publication of the results, in classroom discussion of his subject, and in the exercise extra-murally of his basic rights as a citizen [See: Dictionary of the History of Ideas]. In other words, the nature of Academic Freedom almost requires that members of Faculty are provided with any access that they request. There is no need for administration to assess the request, or even do a risk analysis of the implications it may have. Academic Freedom provides faculty members with the right to study what they feel necessary, which usually also means in the way they feel necessary. Scott provides the example of restricting access to institutional directories.
Even that is hard. The scientific method relies on peer review as its primary means of quality control. Reaching out to peers to request reviews, participation in conferences, or otherwise provide constructive feedback to them is essential. For the administrative side of life, the same is true. Students are expected to be able to contact members of administration for a large variety of issues, ranging from financial aid to enrollment, or IT support. Restricting access to local users only, or requiring remote users to log on to a web site, is often seen as a very unfriendly way of doing things. Especially private universities, which rely heavily on student tuition, will go to great lengths to keep students happy. Faculty will not adjust to information security policies and procedures. Rather, information security policies and procedures must adjust to Faculty. This realization may be the most important lesson that a university administrator must learn. Without it, he will fail. Scott also wrote: "It can be a challenge to secure such a large and complex environment, but by breaking the problem down and addressing the issues one step at a time, the rate of security breaches can certainly be improved to a less embarrassing frequency." The most critical success factor when dealing with universities is patience. An information security professional typically spends most of his time away from his desk, talking to stakeholders and explaining what information security is about, and why they do it. Because of the high degree of autonomy that faculty members have, and the often decentralized nature of most colleges, implementing (technical) controls like restricting access to a directory is typically a very lengthy process that requires an enormous amount of awareness raising, lobbying, and convincing. The good news is that a growing number of schools have realized that information security is important.
Not only because of increasing legislation and regulation (most colleges must comply with GLBA, HIPAA, PCI/DSS, FERPA, and a few more), but more so because of an increasing expectation of students that their information is secure, while at the same time having full and unlimited access to very high-speed networks. Remember, students are the largest source of revenue for universities, and that fact is very well known. Meeting students' expectations is a critical success factor. Schools that fail to do that will be faced with dropping enrollment numbers, and as a direct result, with less revenue.
SC Magazine Interview #2 [Random Thoughts from Joel's World] Posted: 20 Jun 2008 04:18 PM CDT
I actually did two interviews with Dan Kaplan today. Here is the article as a result of the second interview. (It was one long conversation, two separate topics.) Also, it looks like I am going to record a podcast on Monday with SC Magazine about various vulnerabilities. More on that after it happens.
hack of the day : chambre des notaires [belsec] [Belgian Security Blognetwork] Posted: 20 Jun 2008 02:49 PM CDT
Electronic vote on the way out in Belgium? [belsec] [Belgian Security Blognetwork] Posted: 20 Jun 2008 02:44 PM CDT
After the hearings in the federal parliament, two representatives of the PS, the French-speaking socialist party, introduced a proposal to hold the elections in 2009 in paper format and not electronic. During the hearings there was a representative from the anti-electronic-vote campaign from Holland and he seems to have made quite an impression, or should we say the decision by the Dutch government to suspend electronic voting and to concentrate on electronic counting of the paper votes did. This was after the opposition groups showed that the anonymity of the votes could be broken and the researchers couldn't afterwards demonstrate clearly and without any doubt that one could build a system for electronic voting that would be authentic, safe and not too expensive. There are many good reasons to do that and it doesn't mean that electronic voting is out of the picture for always. There is no way to guarantee that organising electronic voting in 2009 would be without any risk if one knows that the computers and the voting code are very old. Secondly, the inter-university study as it was presented now is not an acceptable basis for discussion and debate because it is not complete and not objective enough. It is even so obvious that you sometimes just wonder why they didn't hide their intentions better. And third, it is impossible to have a new system that can be audited, tested and accepted by the time that the elections should be held. Another reason not to cry victory too quickly is that the regions may organize their local and regional elections themselves, and so we can arrive at the situation in which Flanders will organise its elections the electronic way while the other two regions may choose the paper vote or a combination.
In Flanders there is no tradition of debate, and the Flemish government decided without any democratic debate in the parliament that it would invest 25 million euros in the development of the new model that the professors of the study presented to them. I think any firm would have a much more critical process before deciding such an investment, and I can think of a thousand other things that could use that money.
How to guide people with fixing their computers [miekiemoes] [Belgian Security Blognetwork] Posted: 20 Jun 2008 02:40 PM CDT
Rule number 1: Always stay serious, don't try to laugh, no matter what. Here's a collection of funny quotes or subjects from people who needed help with their computer. They were posted at several different forums and via chat support. Most were collected from the Geeks to Go forums, Bleeping Computer, SWI and some Dutch forums. My favorite top 10:
10: "If I do get a new comp" - Good idea!!
9: Subject: "Problem with massages popping" - I wouldn't mind the massages.
8: miekiemoes: Did you perform a scan or anything else before this happened? Guess what... the brain was severely infected!
7: "Internet explorer was changed to pizza SLICE." - With extra anchovies, olives and mozzarella??
6: Subject: "virus will not leave me alone!, please help me before my brain explodes!" - Please format and reinstall your brain asap!
5: "The 4 pins that are missing are around the edge of the 'gold triangle' in the corner of the CPU. I have tried replacing the pins by placing a piece of copper wire in the slot where the missing pins are but I think that might be the cause of my PC crashing so I have taken them out." - It would have been better if you used electrical wire.
4: "You know I hear something in the PC box going, like little dominos falling really fast all the darn time or like there is a bleeping little mouse in there playing a bleeping cadence on a bleeping little snare drum all the bleeping time..."
3: From a Dutch forum (translated): "I did a scan with several different programs but found nothing. When I restart the PC I hear a kind of alarm that keeps going off for a minute. Then my screen goes black and a whole row of little candles appears, which light up one by one...." - Happy New Year!!
2: "I am also thinking of making my monitor black and white to make those" - Best prevention ever! Thanks for the tip!
And the winner is:
1: "Today I tried to hide my lunch bar chocolates from my brother by taping them to the inside of the side panel of my pc (total disregard for PC components I know but no way was he getting me booty). Any how the tape didn't hold and the chocolate wound up in one of the fans (not a pretty sight) -sigh-. Pc is still fine though (thank God)" - You forgot to add the milk for making the chocolate mousse.
Feel free to add more in the Comments section below :)
Article in SCMagazine [Random Thoughts from Joel's World] Posted: 20 Jun 2008 12:47 PM CDT
Did a short interview with SCMagazineUS.com this morning with Dan Kaplan. Article is here. Thanks Dan!
Posted: 20 Jun 2008 11:52 AM CDT
Interacting with law enforcement is always a sensitive topic. Fears that are commonly voiced are that "the Feds will come in and take control of the case", undesired media exposure, the black hole effect, etc. Yesterday, I was able to attend a conference organized by the Federal Bureau of Investigation as part of their counter-intelligence domain program. Some of my fears were countered by a case presentation in which the organization that was the subject of a breach and reported it to the FBI presented their take on the collaboration, and was very positive about the nature and extent of the collaboration between them and the Bureau. Yet, while driving back home and listening to the radio, the main topic was the high-profile arrest of several Wall Street executives in "Operation Malicious Mortgage" (more here). Suddenly, the assurance that the Bureau would NOT go to the press seemed a lot less valuable. Funny how photographers snapping pictures and TV cameras taping an "unannounced arrest" can change your opinion on these things. But, I digress. The FBI is charged with a number of tasks. The top 3 of these tasks are:
#1 counter-terrorism
#2 counter-intelligence
#3 cyber security
One might argue that #3 is really a dimension of #1 and #2, but it is interesting to see the objective clearly marked so high up in the list of priorities. Yesterday's conference has made me think a bit more about things like intellectual property, trade secrets, etc. While it is the FBI's job to ensure that these "assets" do not leave the country, it is my job to make sure that they do not leave the organization I work for. There is definitely a gap between the point where an organization is willing to share information or technology, and the point where a country is willing to do so.
After all, that's what export regulation is all about; companies develop a product or a service that they consider to be theirs to sell, but then a national government steps in to say that they cannot do that. Anyhow; conferences like these are definitely interesting and worth attending, if only to see how 6 FBI vehicles are inconspicuously parked at parking meters. The "undercover" nature of these vehicles changes greatly when they are all dark blue with dark tinted windows, federal government license plates, blue and red flashers behind the windshield, and "Special agent" signs on the dashboard. The fact that FBI agents all seem to be wearing dark blue or black suits, white shirts, red ties and a nice shiny badge (possibly accessorized with a gun) also does not help :-) Anyway; if you ever get a chance, get involved with some of these events. If you are eligible to become an InfraGard member, that might be a way to go. If not, simply picking up your phone and giving your local field office a call before you have an incident also works.
Top 5 questions to get webappsec threads spinning out of control [Jeremiah Grossman] Posted: 20 Jun 2008 09:55 AM CDT
Listen to my PCI Podcast! [Branden Williams' Security Convergence Blog] Posted: 20 Jun 2008 09:50 AM CDT
About a month ago an audio guy showed up to my house and pinned a tiny microphone to my shirt for a podcast on PCI. It is a joint podcast with John Pescatore of Gartner. The theme is managing PCI compliance.
Backtrack 3 out - with VoIP security tools [SIPVicious] Posted: 20 Jun 2008 09:06 AM CDT
The final Backtrack 3 is out and it features some VoIP tools in the /pentest directory:
Grab Backtrack from the official site.
Call to students, researchers and profs [belsec] [Belgian Security Blognetwork] Posted: 20 Jun 2008 08:44 AM CDT
We are integrated into one big international network of security bloggers that is being read in Belgium and far outside by researchers, journalists and professionals. To give an idea, our newsfeed has been activated 250.000 times in 6 months and, to prove it all, some articles published here spread out afterwards all over the place. So if you have done research about IT security, made your end work or a presentation, or are looking for projects or help with your projects, we would be more than happy to help you or to publish the publication or a link to it. Even if it would be for a limited time. We don't care if it is in French, Flemish or English; we'll group them together somewhat if necessary. Don't forget you can even get a free open account here to do some responsible IT sec blogging yourself. Just send a mail (use the button).
World top 10 with public WIFI hotspots [belsec] [Belgian Security Blognetwork] Posted: 20 Jun 2008 07:39 AM CDT
After the electronic bracelet, the RFID chip? [belsec] [Belgian Security Blognetwork] Posted: 20 Jun 2008 07:31 AM CDT
Don't laugh.
Correctional facilities in California, Virginia, Michigan, Illinois, Ohio and Minnesota have deployed RFID tracking systems to help manage inmates. This spring, the Minnesota Department of Corrections is deploying an RFID tracking system in its 1,300-inmate, minimum- and medium-security facility in Lino Lakes that houses sex offenders. The 87 minimum-security Lino Lakes inmates will be fitted with an RFID device to ensure they don't escape. "Because they have no secure fence around their living area - because it's minimum security - they have the opportunity to leave illegally if they choose to, and we want to prevent that from happening," said David Crist, a Minnesota Department of Corrections assistant commissioner. "The offenders wear either an ankle bracelet or a wristband, and if they go outside that radio frequency perimeter, it sends a signal back to a computer at a security station telling us someone has left the radio frequency perimeter." RFID technology is strictly for security, and won't eliminate personnel
the next biometric ID: tattoo-ID [belsec] [Belgian Security Blognetwork] Posted: 20 Jun 2008 07:12 AM CDT
A Michigan State University researcher has created an automatic image retrieval system, whereby law enforcement agencies will be able to match scars, marks and tattoos to identify suspects and victims.
In a world filled with homeland security concerns, identity fraud and natural disasters, the need to establish the identity of an individual based on something other than a driver's license or demographic and personal data is vital, according to Anil Jain, MSU University Distinguished Professor of computer science and engineering. "Identity is usually established using passports, licenses or personal identification numbers, but these are easily forged, lost or stolen." "A body can decompose quickly, particularly in adverse climate conditions, making it difficult to perform face or fingerprint identification," Jain said. "Because tattoo pigments are deeply embedded in the skin, even severe skin burns often do not destroy tattoos. If there are distinguishing tattoos, it can be crucial evidence in identifying a victim." Jain's team is continuing its research to improve the tattoo image matching performance in collaboration with the Michigan State Police Identification Section, which has provided him access to its large tattoo image database