Your daily source of Pwnage, Policy and Politics.

Episode 419 – Killer Mouse, Silicon Trojans, TLD Disaster, Sosata’s SQL, Sony Fallout, No Cure For Stupid, Invasion Of The Clones

InfoSec Daily Podcast Episode 419 for June 30, 2011.  Tonight's podcast is hosted by Rick Hayes, Adrian Crenshaw, Karthik Rangarajan, and Varun Sharma.

Announcements:


2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org

My Hard Drive Died
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When:  Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)

http://www.gaissa.org
CFP open now through July 1, 2011! Email submissions to Conference@gaissa.org   

EFF:

The ISD Podcast is participating in a contest to see who can raise the most money for the Electronic Frontier Foundation.  For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:
http://eff.isdpodcast.com

Currently at $1913!  We will quit bugging you soon about this fundraiser.  The contest ends on July 5th so please get any donations you were planning to make in now!

Stories

Source: http://www.h-online.com/security/news/item/Attack-of-the-computer-mouse-1270018.html

Security firm Netragard has described an attack during which a modified computer mouse was used to infiltrate a client's corporate network. For this attack, the security experts equipped the mouse with an additional micro-controller with USB support (Teensy Board) to simulate a keyboard, and added a USB flash drive to the setup.

When connected to the PC, the Teensy Board's Atmel controller sent keyboard inputs to the computer and ran software that was stored on the USB flash drive. This allowed Netragard to install the Meterpreter remote control software, which is part of the Metasploit framework. To bypass the target system's McAfee virus scanner, Netragard says it used a previously undisclosed exploit.

The crux of the attack was to find a suitable company employee who would, upon receiving the computer mouse, connect it to a company PC without becoming suspicious. The client who ordered the pen test had excluded social engineering attacks via telephone, social networks and email, but Netragard managed to obtain a list of the company's employees via the Jigsaw service. The security experts selected one of the employees and sent the mouse in its original packaging – camouflaged as a promotional gadget.

Attacks that use specially modified USB devices have been around for a while; USB flash drives that are "accidentally" left lying around are often used in security tests. A current study by the US Department of Homeland Security found that 60 per cent of users will naively connect a USB flash drive to their PC to see what is stored on it.

However, using a computer mouse for such an attack is a new idea. Corporate IT security staff may in future be faced with the problem of having to test peripheral devices before they can allow users to connect them to their PCs. Specially modified Android phones can also present themselves as keyboards, and take control, when they are connected to a PC.
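One defensive check this story points at, written here as an added example rather than anything from Netragard or the h-online article: inventory each USB device's interface descriptors and flag a peripheral whose interfaces do not match what it was sold as. The device records, their field names and their vendor:product IDs are constructed placeholders; the only real constants are the USB-IF class codes for HID (0x03) and mass storage (0x08) and the HID boot protocols for keyboard (1) and mouse (2).

```python
"""Flag USB peripherals whose interface descriptors don't match what they claim to be.

Added example for these show notes, not code from Netragard or h-online. The
device records and their vendor:product IDs are constructed placeholders; the
class and protocol codes are the real USB-IF values.
"""

CLASS_HID = 0x03           # bInterfaceClass: Human Interface Device
CLASS_MASS_STORAGE = 0x08  # bInterfaceClass: Mass Storage
HID_BOOT_SUBCLASS = 1      # bInterfaceSubClass: boot interface
HID_PROTO_KEYBOARD = 1     # bInterfaceProtocol within the boot subclass
HID_PROTO_MOUSE = 2


def describe_interface(iface):
    """Map a (class, subclass, protocol) tuple to a short label."""
    cls, sub, proto = iface
    if cls == CLASS_HID and sub == HID_BOOT_SUBCLASS and proto == HID_PROTO_KEYBOARD:
        return "keyboard"
    if cls == CLASS_HID and sub == HID_BOOT_SUBCLASS and proto == HID_PROTO_MOUSE:
        return "mouse"
    if cls == CLASS_HID:
        return "hid-other"
    if cls == CLASS_MASS_STORAGE:
        return "storage"
    return "class-0x%02x" % cls


def audit_device(device):
    """Return findings for one device record: {'id', 'label', 'interfaces'} (this example's own shape)."""
    labels = {describe_interface(i) for i in device["interfaces"]}
    claimed = device["label"].lower()
    findings = []
    # A pointing device that also enumerates a keyboard can type on its own,
    # which is the mechanism described in the story above.
    if "mouse" in claimed and "keyboard" in labels:
        findings.append("%s (%s): exposes a keyboard interface" % (device["id"], device["label"]))
    # Storage on a mouse or keyboard is a place to stage a payload the keyboard then runs.
    if ("mouse" in claimed or "keyboard" in claimed) and "storage" in labels:
        findings.append("%s (%s): exposes mass storage" % (device["id"], device["label"]))
    return findings


def audit_inventory(devices):
    """Flatten findings across an inventory, in input order."""
    return [f for d in devices for f in audit_device(d)]


# Constructed inventory: IDs are placeholders, not real vendor assignments.
SAMPLE_INVENTORY = [
    {"id": "1111:0001", "label": "Optical mouse",
     "interfaces": [(CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_MOUSE)]},
    {"id": "2222:0002", "label": "Promo mouse",
     "interfaces": [(CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_MOUSE),
                    (CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD),
                    (CLASS_MASS_STORAGE, 0x06, 0x50)]},  # SCSI transparent, bulk-only transport
    {"id": "3333:0003", "label": "Keyboard",
     "interfaces": [(CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD)]},
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

On Linux the same class, subclass and protocol values are visible per interface in `lsusb -v` and under `/sys/bus/usb/devices/`. The check is triage, not a control: a device chooses its own descriptors, so a board that enumerates only as a keyboard passes it untouched, which is why it belongs alongside device allowlisting (USBGuard on Linux, for example) rather than in place of it.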

Source: http://www.businessinsider.com/navy-chinese-microchips-weapons-could-have-been-shut-off-2011-6

Last year, the U.S. Navy bought 59,000 microchips for use in everything from missiles to transponders that turned out to be counterfeits from China.

Wired reports the chips weren't only low-quality fakes, they had been made with a "back-door" and could have been remotely shut down at any time.

If left undiscovered, the result could have rendered useless U.S. missiles and killed the signal from aircraft that tells everyone whether it's friend or foe.

Apparently foreign chip makers are often better at making cheap microchips and U.S. defense contractors are loath to pass up the better deal.

The problem remains with these "trojan-horse" circuits that can be built into the chip and are almost impossible to detect — especially without the original plans to compare them to.
The Intelligence Advanced Research Projects Agency (IARPA) is now looking for ways to check the chips to make sure they haven't been hacked in the production process.
Expect to see a whole lot more funding directed to this goal. Or, considering  IARPA is the research and development section of the intelligence community — expect the money to be spent — don't expect to see where.

Adrian’s Note:  Business Insider got it wrong. The chips were not trojaned (as far as anyone seems to know at least), it was just a hypothetical “What if”. Guess they misread the Wired piece, and it ended up like the childhood game of telephone.  For more and better information on the case, see: http://www.wired.com/dangerroom/2011/06/chips-oy-spies-want-to-hack-proof-circuits/#more-49990
or
http://www.washingtonpost.com/wp-dyn/content/article/2010/09/14/AR2010091406468.html?nav=rss_business/industries

Source: http://www.pcworld.com/article/230842/icannt_believe_it_new_internet_rules_will_be_a_mess.html#tk.hp_new

Ladies and gentlemen, the Web as we know it is about to be flipped upside down. And not in a good way.

Have you heard about this impending disaster? ICANN, the group that oversees the Internet's domain name system, has decided to expand the Web's set of available domain suffixes — you know, the end parts of Internet addresses, where you typically see .com or .net.
       
Instead of having a limited number of defined suffixes, as we do now, ICANN will soon let anyone apply for their own custom suffix — anything from .microsoft to .manscapingmadness. The suffixes can be as long as 63 characters, meaning I could conceivably move my website from jrstart.com to jr.dancing-chickens-bok-bok-so-many-tiny-feet-look-at-them-shimmy. In fact, I think I might.
       
Now, there is a catch: The new custom Internet suffixes will cost a cool $185,000 apiece. That's a good bit more expensive than the standard 15-dollar-ish dot-com registration you see out there today. ICANN says it'll also require applicants to prove they have a legitimate reason to own the suffix in question. (I won't go into details, but let's just say my dancing-chickens name is a shoo-in for approval.) The idea is that squatters won't be able to go out and steal companies' trademarks only to try to resell them a short time later.
       
That's all fine and dandy, but think about what a mess this is going to become. Sure, any average Joe won't be able to grab .ibm, but what's to stop 5,000 different companies from clamoring for .computer? And how confusing is this going to get from a user perspective?
       
As it stands right now, the vast majority of Web surfers barely understand the structure of a domain; most non-techie people just assume everything is dot-com. What's it going to be like when everyone's suddenly faced with — for a hypothetical example — apple.com, buy.apple, apple.buy, and apple.store? It's going to be a mess.

For businesses, it's going to be an expensive mess, too. Instead of focusing on the current 22 generic suffixes (.com, .net, .org, and so on), companies will be pressured to "own their brands" by buying up every custom suffix that might come in handy. If nothing else, they'll want to buy them simply to prevent someone else from doing so.
       
Would Microsoft, after all, want any other company to own .microsoft? How about .windows, .software, or .clippymustdie? Okay, that last one might be a stretch — but you get where I'm going here. The point is, no matter how you look at it, this is a Pandora's box with virtually no limits; the only guarantee is chaos, confusion, and costliness.
       
As users, the one thing we can hope is that this will turn into another Internet innovation the world generally ignores. Past attempts to expand our dot-com-centric society have been forgettable flops (how many people do you know who regularly type .jobs, .museum, or .travel addresses into their browsers?). There's a good chance this could become another revolution in theory that's a failure in practice.
       
Still, I'm gonna go ahead and grab that dancing-chickens domain just to be safe. If anyone has $185,000 I can borrow, please let me know.

Source: http://www.theregister.co.uk/2011/06/28/groupon_india_privacy_breach/

Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google.

The trove of personal data was discovered by Australian security consultant Daniel Grzelak as he plugged a handful of query terms into the search engine, he said Tuesday. He contacted Patrick Gray with security blog Risky Biz, which reported that the SQL database contained the details for 300,000 Sosasta account holders.

A Groupon spokesman confirmed that the digital coupon distributor “was alerted to a security issue” on Thursday night and corrected the problem immediately. The issue was limited to Sosasta, which uses its own servers and network and isn't connected to Groupon's systems in other countries.

“We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible,” the spokesman said in a statement. “We will keep our Indian subscribers fully informed as we learn more.”

At time of writing, there was no advisory on either the Groupon or Sosasta websites, although Sosasta's Facebook page contained a notice that came in the form of a JPG image that couldn't easily be indexed by Google or other search engines. Ah, the irony.

According to Risky Biz, Grzelak found the massive cache as he was looking for additions to shouldichangemypassword.com, a side project that indexes email addresses included in more than a dozen high-profile privacy breaches carried out by LulzSec and other hacking groups. The query that hit pay dirt included the terms “filetype:sql” “password” and “gmail.”

“I started scrolling, and scrolling and I couldn't get to the bottom of the file,” Grzelak told Risky Biz. “Then I realised how big it actually was.”

The Groupon statement didn't say why passwords weren't encrypted or why such a sensitive file was publicly available.

The snafu is the latest to expose the folly of using the same password on more than one site, a practice still followed by a shockingly high number of people. If you're one of them, you ought to consider using a password-management program such as Password Safe or KeePass.
The Groupon subsidiary sure isn't the first to carelessly expose data it has promised to keep private, and judging from this Google search, it's probably not the last.
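The query quoted above ("filetype:sql" "password") is something a site owner can run against its own document root before a search engine does it for them. As an added example, not code from The Register, Risky Biz or Sosasta: a Python walk over a served directory tree that flags files which look like SQL dumps (by extension or by CREATE TABLE / INSERT INTO content), reports whether they carry a credential column, and, for simple single-row INSERT statements, whether the stored values look like clear text rather than a hash. Everything written by build_sample_root() is constructed, including the placeholder bcrypt-style string.

```python
"""Find SQL dumps with credential columns under a web document root.

Added example for these show notes, not code from The Register, Risky Biz or
Sosasta. Assumes the served content is a plain directory tree; the files
written by build_sample_root() are constructed for demonstration.
"""
import os
import re
import tempfile

# Statements that mark a file as a SQL dump whatever its extension.
DUMP_SIGNATURES = re.compile(r"\b(CREATE TABLE|INSERT INTO)\b", re.IGNORECASE)
# Column names that commonly hold credentials.
CREDENTIAL_COLUMNS = re.compile(r"\b(password|passwd|pwd|pass_hash|secret)\b", re.IGNORECASE)
# Shapes of common password hashes: bcrypt, argon2, sha512-/sha256-crypt, or a bare hex digest.
HASH_SHAPES = re.compile(r"^(\$2[aby]?\$|\$argon2|\$6\$|\$5\$|[0-9a-f]{32,128}$)")
# Simple single-row INSERT with an explicit column list.
INSERT_RE = re.compile(
    r"INSERT INTO\s+`?\w+`?\s*\(([^)]*)\)\s*VALUES\s*\((.*?)\);", re.IGNORECASE | re.DOTALL)
MAX_BYTES = 1024 * 1024  # inspect only the head of very large files


def split_values(vals):
    """Split a VALUES (...) body on commas outside single-quoted literals, unquoting them."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(vals):
        ch = vals[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(vals):        # backslash escape
                cur.append(vals[i + 1]); i += 2; continue
            if ch == "'" and vals[i + 1:i + 2] == "'":  # doubled-quote escape
                cur.append("'"); i += 2; continue
            if ch == "'":
                in_quote = False
            else:
                cur.append(ch)
        elif ch == "'":
            in_quote = True
        elif ch == ",":
            out.append("".join(cur)); cur = []
        elif not ch.isspace():
            cur.append(ch)
        i += 1
    out.append("".join(cur))
    return out


def credential_values(text):
    """Yield values stored in credential columns of the INSERT statements in `text`."""
    for cols, vals in INSERT_RE.findall(text):
        names = [c.strip().strip("`\"").lower() for c in cols.split(",")]
        values = split_values(vals)
        if len(values) != len(names):
            continue  # row we could not align with its column list; skip rather than guess
        for name, value in zip(names, values):
            if CREDENTIAL_COLUMNS.fullmatch(name):
                yield value


def inspect_file(path):
    """Return a finding dict if `path` looks like a dump, else None."""
    try:
        with open(path, "r", errors="replace") as fh:
            head = fh.read(MAX_BYTES)
    except OSError:
        return None
    if not (path.lower().endswith((".sql", ".dump")) or DUMP_SIGNATURES.search(head)):
        return None
    has_column = bool(CREDENTIAL_COLUMNS.search(head))
    clear_text = has_column and any(not HASH_SHAPES.match(v) for v in credential_values(head))
    return {"path": path, "credential_column": has_column, "clear_text_suspected": clear_text}


def scan_root(root):
    """Walk `root` and return findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample content. The bcrypt-style string is a placeholder, not a real hash.
CLEAR_TEXT_DUMP = (
    "CREATE TABLE `users` (`id` int, `email` varchar(255), `password` varchar(255));\n"
    "INSERT INTO `users` (`id`, `email`, `password`) VALUES (1, 'alice@example.com', 'hunter2');\n"
    "INSERT INTO `users` (`id`, `email`, `password`) VALUES (2, 'bob@example.com', 'let''s go');\n")
HASHED_DUMP = (
    "CREATE TABLE accounts (id int, email text, password text);\n"
    "INSERT INTO accounts (id, email, password) VALUES (1, 'carol@example.com', "
    "'$2b$12$placeholderplaceholderplaceholderplaceholderplacehold');\n")


def build_sample_root():
    """Create a throwaway root with a dump in a backup folder, a mis-named dump and an ordinary page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "backup"))
    for rel, body in (("backup/users.sql", CLEAR_TEXT_DUMP), ("export.txt", HASHED_DUMP),
                      ("index.html", "<html><body>Welcome</body></html>\n")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


def demo():
    """Scan a constructed root; return (relative path, has credential column, clear text?) tuples."""
    root = build_sample_root()
    return [(os.path.relpath(f["path"], root).replace(os.sep, "/"),
             f["credential_column"], f["clear_text_suspected"]) for f in scan_root(root)]


if __name__ == "__main__":
    for rel, has_col, clear in demo():
        print("%s  credential column: %s  clear-text suspected: %s" % (rel, has_col, clear))
```

The hash-shape test only recognises a few common formats, so treat "clear-text suspected" as a prompt to look, not a verdict. Any dump under the document root is a finding regardless of how the passwords are stored, and a robots.txt entry is not a control: it asks crawlers to stay away, it does not stop anyone who already knows the URL.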

Source: http://www.myce.com/news/new-sony-lawsuit-blames-lay-offs-lax-security-as-causes-for-psn-hack-47486/

Following the disastrous attack on Sony’s PlayStation Network in mid-April and the subsequent announcement by the company that personal information tied to all customers with PSN IDs (said to number above 70 million) was compromised, many account holders understandably freaked out – especially when they considered Sony had waited nearly one week to divulge as much.

Some quietly changed passwords and carefully checked credit statements for signs of foul play, while others opted to file lawsuits against Sony. A new trio of aggrieved consumers has joined the latter.

According to a legal filing uncovered by video game news and business site Gamasutra, plaintiffs Felix Cortorreal, Jimmy Cortorreal and Jacques Daoud cited one witness, an ex-Sony Online Entertainment (SOE) worker, who said “lavish” spending by SCE on the PS DevNetwork – as well as the mass lay-offs which hit SOE in March – negatively impacted customer security. Perhaps ironically, the PS DevNetwork is essentially part of the greater PSN, albeit one only accessible by game developers.

The lawsuit boasts two other provocative witnesses, both also former Sony employees. One stated that Sony technicians knowingly disregarded implementing stronger security, opting instead for ad-hoc firewalls when necessary. The other admitted that PSN had in fact been breached prior to April.

As for the argument that the SOE lay-offs played a part in the PSN breach, a Sony spokesperson told ComputerWorld that “no [SOE] security people were fired.” The site also spoke with the trio’s legal counsel, Stuart Davidson, who said that while the focus is on earning damages for those who’ve demonstrably “had their identities or personal information compromised,” his firm – Robbins, Gellar, Rudman & Dowd – isn’t ruling out punitive damages as well. “We are always holding [that] in our back pocket,” Davidson said.

Since the April PSN attack, several others have filed complaints against Sony. Kristopher Johns of Alabama alleged several violations by the company within days of its admission that user data had been compromised. In May, a Canadian woman who admitted she was a big Sony fan and avid gamer also launched a class-action suit.

Sony, in an attempt to mollify consumer fear, offered free ID theft protection services (sign-up ended) to those affected by the breach. The company also crafted a “Welcome Back” package – a bevy of content at no cost.

MyCE will update this post with a copy of the legal document when it’s made publicly available.

Source: http://www.bloomberg.com/news/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.html

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.
Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC).

The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders’ ability to exploit people’s vulnerabilities has tilted the odds in their favor and led to a spurt in cyber crimes.
In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. (INTC) and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.

It’s part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara, California-based computer security company.
Rule No. 1

Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department’s computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.

“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.

Tactics such as spear-phishing — sending a limited number of rigged e-mails to a select group of recipients — rely on human weaknesses like trust, laziness or even hubris.
That’s what happened in March, when attackers used a clever ruse to exploit their discovery that RSA — the company that provides network-access tokens using random secondary passwords — was in a hiring campaign.

Source: http://www.net-security.org/secworld.php?id=11229

No stone is left unturned, no option unexplored when it comes to online spamming, and the latest approach has shown that malware authors are not the only ones who have taken advantage of the fact that Android apps are written in Java and are, therefore, easily cloned.

"We've been seeing a rash of repackaged applications posted on the official Android Market," says an F-Secure researcher. "The repackaged application has the same modules as the original, but includes an advertisement module."

He says that most of the spotted repackaged apps don't have any malicious code in them, and they are all made available for download for free. This means that the "developers" of these apps must make money off the clicks on the advertisements.

But, as the researcher points out, most (if not all) of these apps were cloned without the permission of their original developers.

Whether or not they can sue the people behind the repackaged apps is another matter, but technically those people are committing theft of intellectual property.

I wonder if this is going to make Google reconsider a vetting process for new apps.

Episode 418 – OSX (In)Security with JadedSecurity

InfoSec Daily Podcast Episode 418 for June 29, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.

Announcements:


2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/

OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian Will be there

My Hard Drive Died
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011

SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When:  Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)

http://www.gaissa.org
CFP open now through July 1, 2011! Email submissions to Conference@gaissa.org   

EFF:

The ISD Podcast is participating in a contest to see who can raise the most money for the Electronic Frontier Foundation.  For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:
http://eff.isdpodcast.com

Currently at $1813!  We will quit bugging you soon about this fundraiser.  The contest ends on July 5th so please get any donations you were planning to make in now!

Stories

Source: https://allthatiswrong.wordpress.com/2011/06/23/os-x-%E2%80%93-safe-yet-horribly-insecure/

I have had this article planned since the end of 2009 and have had it as a skeleton since then. I wanted to point out the many problems with OS X security and debunk the baseless myth that OS X is somehow more secure. Despite 18 months passing by before I managed to finish it, not much seems to have changed. I think I am publishing at an interesting time however, just as malware for OS X is increasing and Apple are starting to put effort into securing OS X with the soon-to-be-released Lion. There is no FUD in this article, just an analysis of the available evidence and some speculation. My motivation to write this article was the hordes of OS X users who are either blind or have been misled by false advertising into believing OS X is somehow immune to malware and attacks.

It is one of the most prevalent myths among the computer purchasing public, and to a lesser extent those who work in IT, that Apple computers are far more secure than their Windows and perhaps Linux counterparts. The word myth is precisely accurate, as OS X and other Apple software is among the most vulnerable software on consumer devices today. Apple have an appalling attitude towards security which often leaves their users highly vulnerable while hyping their products as secure, simply because they are rarely targeted. It is important before going further to note the difference between a distributed attack and a targeted attack. A distributed attack is one not specific to any one machine or network, but will exploit as many machines as it can that are affected by a particular set of vulnerabilities, of which OS X has had many. An example of a distributed attack is a drive by download, where the target is unknown, but if the target is vulnerable the exploit should work. Distributed attacks are used to infect large numbers of machines easily, which are then generally joined into a botnet to earn cash.

A targeted attack is more specific, where a single machine or network is attacked. A targeted attack is not blind and is specific to the machine being attacked. Distributed attacks such as drive by downloads are impersonal by nature because they must compromise thousands of machines, while the motivation behind a targeted attack tends to be more personal, perhaps to steal confidential files or install some sort of backdoor. The argument always seems limited to distributed attacks, which admittedly are nowhere near the problem they are for Windows. This is more than likely because Apple has a very low market share of PCs, simply making it less than worthwhile to invest in writing software to attack as many machines as possible when money is the motivation. I go into this in further detail in a later section.

Using a Mac may certainly be a safer choice for a lot of people as, despite being vulnerable, they are not targeted. However this is not the same as Macs being secure, something Eric Schmidt erroneously advised recently. I may be able to browse impervious to malware on a Mac at the moment, however I personally would not be comfortable using a platform so easily compromised if someone had the motivation to do so. In this article I address just why OS X is so insecure, including the technical shortcomings of OS X as well as Apple's policies as a company that contribute to the situation.

Episode 417 – WordPress 0day, Hacked Gmail, Google Shares, Dropdox, Firefox 4 EOL, MS “Legal Intercept” & Cyber-defense Bandwagon

InfoSec Daily Podcast Episode 417 for June 28, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, and Varun Sharma.

Stories

Source: http://h.ackack.net/0day-xss-in-wordpress-core.html

I found a self-XSS in the WordPress core the other day; when you manage to successfully exploit this vulnerability, only imagination can stop you from owning the WordPress installation.
These self-XSSes require some more user interaction than the classic click-bam-boom effect of an XSS.

The classic way of triggering the "bam" (exploitation of an XSS vulnerability) is by very properly slicing an iframe based on the victim's browser resolution and changing the CSS of the iframe to make it look like a part of the page, and then convincing the victim to drag something to that sliced iframe.

The boom effect will automatically trigger after the bam was successful in any situation, which is the execution of the preferred payload – in our case an innocent JavaScript alert box, but which could just as well have been DOM requests to change user passwords, add accounts, install malicious plugins or the process of stealing cookies.

The draggable element contains the payload, the code, the JavaScript you would like to execute.
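The "bam" step above depends on the target page being loadable inside an iframe on a page the attacker controls, so the standard mitigation is to refuse framing. The check below, an added example that is not from the linked post or from WordPress, evaluates a response's headers for that: Content-Security-Policy frame-ancestors first (browsers that support it ignore X-Frame-Options when both are present), then X-Frame-Options as the fallback for older clients. The header sets in SAMPLE_RESPONSES are constructed, not captured from any site.

```python
"""Check whether HTTP response headers forbid other origins from framing a page.

Added example for these show notes, not code from the linked post or from
WordPress. It looks only at response headers; SAMPLE_RESPONSES is constructed.
"""

# Sources that, in a frame-ancestors list, effectively let any site frame the page.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [source, ...]}.

    Per the CSP spec the first occurrence of a directive wins, hence setdefault.
    """
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def framing_verdict(headers):
    """Return (protected, reason) for a dict of response headers (any key casing).

    CSP frame-ancestors is consulted first because browsers that support it
    ignore X-Frame-Options when both are present; X-Frame-Options is the
    fallback for older clients.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = [s.lower() for s in ancestors]
            if sources == ["'none'"]:
                return True, "CSP frame-ancestors 'none'"
            if any(s in PERMISSIVE_SOURCES for s in sources):
                return False, "CSP frame-ancestors permits any origin (%s)" % " ".join(sources)
            return True, "CSP frame-ancestors limited to %s" % " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options %s" % xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is not supported by most browsers"
    if xfo:
        return False, "X-Frame-Options has an unrecognised value: %s" % xfo
    return False, "no framing restriction"


# Constructed header sets for demonstration (not captured from any real site).
SAMPLE_RESPONSES = {
    "admin page": {"X-Frame-Options": "SAMEORIGIN"},
    "login page": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy page": {"Content-Type": "text/html"},
    "partner widget": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "conflicting": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Return {name: (protected, reason)} for each response."""
    return {name: framing_verdict(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit().items():
        print("%-15s %s  (%s)" % (name, "protected" if ok else "FRAMEABLE", why))
```

The "conflicting" case is the one worth remembering: a permissive frame-ancestors list wins over X-Frame-Options DENY in any CSP-aware browser, so a header audit has to read both rather than stop at the first one it finds. Pages that legitimately need to be embedded should list the embedding origins explicitly rather than fall back to a wildcard.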

Source: http://www.multitasked.net/2011/jun/27/hacked-gmail-google-account/

On May 17th, in the evening, I received an email from the Gmail account of Charlotte, my significant other. It was written in French (which is normal for her) and looked like this:

How are you ? Would you have time to spend by email on a peculiar situation about me ? I am in deep problems and couldn't cope with your support.

Hoping to hear from you really soon.

Best, Charlotte

You'll find the French original text below (so that people can find it on Google).

I was quite busy and so immediately dismissed this as spam, and did not bother to check where this email had been sent from. Faking email addresses is way too easy to bother checking for each suspect email. Like many people with a public email address, I often receive fake emails from myself.

But this time, the problem was deeper, as I learnt when Charlotte, the real one, called me to warn me that she could not access her Gmail account anymore and that her phone was constantly ringing because of people worried about her. She also told me about a popup she had in the morning about suspect access to her account from the Ivory Coast. At the time, she was quite busy, clicked on some option that looked reassuring and went on with her day. Damn, that was bad.

<snip> (follow the link for many more details on the hack)

Source: http://www.theregister.co.uk/2011/06/27/google_user_data_subpoenas/

The US government filed more than twice as many demands for data about Google users as any other country in the past six months, according to figures the search behemoth supplied Monday.

What's more, according to the Google Transparency Report, Google fully or partially complied with the US demands in 94 percent of the cases, a rate that was higher than responses to any other government.

From July to December of last year, Google received 4,601 demands from US-based governments for information relating to one or more of its users, Monday's report stated. Brazil and India were second and third with 1,804 and 1,699 requests respectively.

Google at least partially complied with 94 percent of the demands received from US-based agencies. Japan, Singapore, and Australia had the second, third and fourth highest rates of compliance from Google, with 90 percent, 88 percent and 81 percent of demands honored respectively.

“Whenever we receive a request, we first check to make sure it meets both the letter and spirit of the law before complying,” the Google report stated. “When possible, we notify affected users about requests for user data that may affect them. And, if we believe a request is overly broad, we will seek to narrow it.”

Google is by no means alone in supplying information about its users to government agencies that file valid subpoenas or other legal documents demanding it for criminal investigations or other official purposes. What sets Google apart, however, is its reporting of how many times it receives such demands from each country and how many times it complied.

So far, Google competitors have steadfastly refused to say how many demands they receive and how often they are complied with.

The fact that Google on average complies with 19 of 20 US demands to turn over data about its users is cause for concern, but it's probably no more alarming than the compliance rates from Yahoo, Microsoft, and Facebook. Google was the only major search engine to challenge a 2006 Justice Department subpoena for two months of users' search queries.

Source: http://www.consumeraffairs.com/news04/2011/06/cloud-site-dropbox-drops-the-ball.html

The Dropbox data hosting service introduced a bug that unlocked its 25 million users' accounts and data for everyone to see, a class action lawsuit claims in California's Northern District.
In the suit filed in U.S. District Court in San Francisco, Dropbox customer Cristina Wong of Los Angeles said she did not learn about the incident until she read a news story about it several days later.

Dropbox, which claims to have more than 25 million subscribers, is a popular “cloud” storage service that lets Internet users easily keep all of their data online so that it is accessible to all of their devices.

The company also assures customers that it keeps their data secure from theft and unauthorized disclosure. “We believe that storing data in Dropbox is far more safe than the alternatives,” the company said in an April 21 blog posting.

The suit notes that Dropbox actively encourages consumers to store their sensitive personal and business data on its system because of its supposedly superior security.

Yet, Wong says that on June 20, Dropbox announced via a blog post that it had “introduced a bug” on June 19, allowing users to log into other users' accounts and access their data but did not notify all of its clients of the problem.

Instead, in a breezily written blog, the company said:

“Hi Dropboxers, Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm.”

The company's blog posting said that only “a very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.”

Dropbox said that as a precaution it ended all logged in sessions and launched an investigation of all activity at the time the system was compromised.

“If we identify any specific instances of unusual activity, we’ll immediately notify the account owner,” the posting said.

“This should never have happened,” the blog post said, words that may come back to haunt Dropbox.

The suit charges the San Francisco company with violating the California Unfair Competition Law, invasion of privacy and negligence.

Source: http://arstechnica.com/business/news/2011/06/firefox-update-policy-the-enterprise-is-wrong-not-mozilla.ars

Three months ago, Mozilla released the long-awaited Firefox 4. Last week, the organization shipped the follow-up release: Firefox 5. Firefox 5 was the first version of the browser to be released using Mozilla's new Firefox product lifecycle, which would see a new version of the browser shipping every three months or so. The new policy has been publicized for some months, and so the release of Firefox 5 was not itself a big surprise. What has caught many off-guard is the support, or lack thereof. With the release of Firefox 5, Firefox 4—though just three months old—has been end-of-lifed. It won't receive any more updates, patches, or security fixes. Ever. And corporate customers are complaining.

The major problem is testing. Many corporations have in-house Web applications—both custom and third-party—that they access through their Web browsers, and before any new browser upgrade can be deployed to users, it must be tested to verify that it works correctly and doesn't cause any trouble with business-critical applications. With Mozilla's new policy, this kind of testing and validation is essentially impossible: version 5 may contain critical security fixes not found in version 4, and with version 4 end-of-lifed, the only way to deploy those fixes is to upgrade to version 5. That may not be an issue this time around, but it's all but inevitable that the problem will crop up eventually.

Source: http://www.conceivablytech.com/8108/products/microsoft-may-add-eavesdropping-to-skype

The U.S. Patent and Trademark Office published a Microsoft patent application that reaches back to December 2009 and describes “recording agents” to legally intercept VoIP phone calls.

The “Legal Intercept” patent application is one of Microsoft’s more elaborate and detailed patent papers, which is comprehensive enough to make you think twice about the use of VoIP audio and video communications. The document provides Microsoft’s idea about the nature, positioning and feature set of recording agents that silently record the communication between two or more parties.

The patent was filed well before Microsoft’s acquisition of Skype and there is no reason to believe that the patent was filed with Skype as a Microsoft property in mind. However, the patent mentions Skype explicitly as an example application for this technology, and Microsoft may now have to answer questions about how this patent applies to its new Skype entity and whether the technology will become part of Skype.

In the patent descriptions, the company justifies such a feature with the fact that monitoring of calls has been around for a long time for traditional calls, but devices that were used for plain old telephone service (POTS) simply do not work with VoIP anymore. Recording agents are designed to take the place of those outdated devices, but are – not surprisingly – much more capable, can be placed in different locations and automate call interceptions. For example, Microsoft says that recording will be triggered by “events”, or a “sequence of events” – for example when specific callers are involved.

The patent does not mention an eavesdropping module that is integrated into the client software. However, it describes recording agents that can be placed in a multitude of devices, including routers (see image, RA = recording agent). There is also the note of a recording agent software that represents “a software module that logically and/or physically sits between the call server and the network.” According to Microsoft, the agent will have access “to each communication sent to and from the call server,” which clearly refers to the general infrastructure of a VoIP service and network.

The patent lists the following process of a silently recorded call (we removed references to drawings in the description for easier reading):

1. A delivery endpoint is registered with a call server. For example, the intercept requestor may register an IP address/port for delivery of copies of recorded communications associated with a designated VoIP entity.
2. A request to monitor a selected VoIP entity is sent by the requestor to the call server. For example, the intercept requestor may request that the call server record communications for the VoIP entity.
3. An initiating entity negotiates candidate network paths with a media relay. For example, the VoIP entity may talk to a STUN, TURN, and/or other servers to determine what IP address/port of the VoIP entity is visible from the network. For example, if the VoIP entity is connected to a NAT, the NAT may translate IP addresses and port numbers. In STUN/TURN environments, the call gateway may act as a STUN and/or TURN server. The SDP parameters indicated previously are an example of what may result as the entity negotiates candidate communication points with a media relay.
4. The initiating entity sends an invite to the call server. The invite includes data regarding establishing a communication session between at least two entities via a switched packet network for a communication that includes audio. For example, the VoIP entity sends an invite (such as the SDP parameters mentioned previously) to the call server to communicate with a VoIP entity in the enterprise.
5. A copy of the invite is sent to the delivery point. For example, the call server may send a copy of the invite to the intercept requestor or another endpoint designated by the intercept requestor.
6. An invite with no local candidates is sent to the remote entity. For example, the call server sends an SDP with the local candidates deleted to the remote entity of the enterprise. Having no local candidates is synonymous with having “no direct paths.” In STUN/TURN terminology, this means that the VoIP entity needs to employ a TURN server to communicate with the remote entity.
7. The remote entity responds to the invite by sending “OK.” For example, the remote entity in the enterprise responds to the invite by sending an OK to the call server.
8. A copy of the OK is sent to the delivery point. For example, the call server sends a copy of the OK to the intercept requestor or another endpoint designated by the intercept requestor.
9. The OK is sent to the initiating entity. For example, the call server sends the OK to the VoIP entity.
10. The agent that will be recording the subsequent communication between the entities is configured so that it will create a copy of the communication. For example, the call server, the call gateway, or some other server may configure the router to create a copy of the communication to and from the VoIP entity. Note that the recorder may be configured to record a communication for an entity any time after a monitoring request for the entity is received.
11. The VoIP entity sends a packet to the media relay. For example, the VoIP entity may send a packet to the call gateway.
12. The packet passes to the recorder. For example, the packet may pass to the router.
13. The packet is sent to the remote entity. In addition, a copy of the packet is sent to the delivery point and/or stored for later sending to the delivery point or retrieval by a law enforcement agent. For example, the router sends the packet to the VoIP entity in the enterprise and sends a copy of the packet to the intercept requestor or another endpoint designated by the intercept requestor. This continues until the communication is terminated.
14. Upon termination, the delivery endpoint may be informed that the communication has terminated.
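The following is an added toy model of the call-server side of the flow above (steps 1 through 13), not code from the patent or from Microsoft. It assumes ICE-style SDP candidate lines and treats every candidate that is not "typ relay" as a "local candidate"/direct path to be stripped for a monitored caller; the class and entity names are invented for illustration.

```python
from dataclasses import dataclass, field

# Constructed ICE candidate lines in SDP syntax (sample input, not captured traffic).
SAMPLE_CANDIDATES = [
    "a=candidate:1 1 UDP 2130706431 10.0.0.5 5000 typ host",
    "a=candidate:2 1 UDP 1694498815 203.0.113.7 6000 typ srflx raddr 10.0.0.5 rport 5000",
    "a=candidate:3 1 UDP 16777215 198.51.100.9 7000 typ relay raddr 203.0.113.7 rport 6000",
]


@dataclass
class Invite:
    caller: str
    callee: str
    candidates: list


@dataclass
class DeliveryEndpoint:
    """Step 1: where copies of signalling and media for a monitored entity go."""
    addr: str
    received: list = field(default_factory=list)


def is_direct_path(candidate: str) -> bool:
    """Host and server-reflexive candidates describe direct paths that would let media
    bypass the relay; only 'typ relay' candidates force it through the TURN server
    (assumption: this is what the patent's 'local candidates' means)."""
    return " typ relay" not in candidate


class CallServer:
    def __init__(self):
        self.delivery = {}      # requestor -> DeliveryEndpoint
        self.monitored = {}     # monitored VoIP entity -> requestor
        self.recorders = set()  # entities whose media path has been configured for copying

    def register_delivery_endpoint(self, requestor: str, addr: str) -> None:
        self.delivery[requestor] = DeliveryEndpoint(addr)

    def request_monitor(self, requestor: str, entity: str) -> None:
        """Step 2: monitoring requires a registered delivery endpoint."""
        if requestor not in self.delivery:
            raise ValueError("delivery endpoint must be registered before monitoring")
        self.monitored[entity] = requestor

    def _copy_to_delivery(self, entity: str, msg: tuple) -> None:
        requestor = self.monitored.get(entity)
        if requestor is not None:
            self.delivery[requestor].received.append(msg)

    def handle_invite(self, invite: Invite) -> Invite:
        """Steps 4 to 6 and 10: copy the invite to the delivery point, arm the recorder,
        and forward the invite with direct-path candidates removed."""
        self._copy_to_delivery(invite.caller, ("INVITE", invite.caller, invite.callee))
        candidates = list(invite.candidates)
        if invite.caller in self.monitored:
            candidates = [c for c in candidates if not is_direct_path(c)]
            self.recorders.add(invite.caller)
        return Invite(invite.caller, invite.callee, candidates)

    def handle_ok(self, callee: str, caller: str) -> tuple:
        """Steps 7 to 9: copy the OK to the delivery point, then pass it to the caller."""
        self._copy_to_delivery(caller, ("OK", callee, caller))
        return ("OK", callee, caller)

    def relay_media(self, sender: str, receiver: str, payload: bytes) -> bytes:
        """Steps 11 to 13: media to or from a recorded entity is copied in transit."""
        for entity in (sender, receiver):
            if entity in self.recorders:
                self._copy_to_delivery(entity, ("MEDIA", sender, receiver, payload))
                break
        return payload


if __name__ == "__main__":
    cs = CallServer()
    cs.register_delivery_endpoint("requestor", "192.0.2.10:9000")
    cs.request_monitor("requestor", "alice")
    fwd = cs.handle_invite(Invite("alice", "bob", SAMPLE_CANDIDATES))
    print("forwarded candidates:", fwd.candidates)
    cs.handle_ok("bob", "alice")
    cs.relay_media("alice", "bob", b"rtp-1")
    cs.relay_media("bob", "alice", b"rtp-2")
    print("delivered copies:", [m[0] for m in cs.delivery["requestor"].received])
```

The point to notice is that nothing in the clients changes: stripping direct candidates at the call server is enough to pull the media through a relay that the recorder sits behind.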

The patent clearly addresses the need of governments and law enforcement to record Internet calls. There is also a certain sense that especially closed networks are targeted with this technology, yet the clear notion that VoIP applications targeted by this patent “may include audio messages transmitted via gaming systems, instant messaging protocols that transmit audio, Skype and Skype-like applications, meeting software, video conferencing software, and the like” may raise privacy concerns and surely the question of how Microsoft intends to use such a patent now that it owns Skype.

So, Microsoft: Will Skype officially include eavesdropping capability in the future?
A request for clarification we sent to Microsoft has remained unanswered so far.

Source: http://www.afterdawn.com/news/article.cfm/2011/06/25/germany_launched_its_own_cyber-defense_center

Germany is the latest country to build itself its very own cyber-defense center to build a strategy to defend against cyber-warfare, a hot issue this year. The National Cyber-Defense Center is located in Bonn at the Federal Office for Information Security building.

For now, it has ten permanent employees, with the German Federal Police, Federal Intelligence Service and Armed Forces to join the effort in the coming months. The Interior Ministry said it recorded a record number of attempted cyber attacks last year, nearly double the number of attempts in 2009.

"At the heart of cyber-security is the protection of critical infrastructures," said Federal Interior Minister Friedrich. "Stuxnet and the most recent example of the hacker attack on the French nuclear company EDF (Electricité de France) have shown that IT systems represent critical infrastructure in the context of cyber-attacks."

Germany's move follows others around the world, including the UK's Cyber Security Operations Center (CSOC) and the United States' Cyber Command center. Estonia, which was the victim of a country-wide cyber-attack in 2007 in a dispute over the moving of a Soviet-era war monument, is also planning to build its own cyber defenses.

Geordy’s comments: This move oddly coincides with Germany recently banning “hacking tools”.  WTF Germany?!?

Episode 416 Requested Range Not Satisfiable – Sploit Logging, End Of Lulz & OSX Security

InfoSec Daily Podcast Episode 416 for June 27, 2011.  Tonight's podcast is hosted by Rick Hayes, Beau Woods, Karthik Rangarajan, and Varun Sharma.

EFF:

http://eff.isdpodcast.com

Currently at $1813!  We will quit bugging you soon about this fundraiser.  The contest ends on July 5th so please get any donations you were planning to make in now!

Stories

Source: https://community.rapid7.com/community/metasploit/blog/2011/06/25/metasploit-framework-console-output-spooling

Sometimes little things can make a huge difference in usability — the Metasploit Framework Console is a great interface for getting things done quickly, but so far, has been missing the capability to save command and module output to a file. We have a lot of small hacks that make this possible for certain commands, such as the "-o" parameter to db_hosts and friends, but this didn't solve the issue of module output or general console logs.

As of revision r13028 the console now supports the spool command (similar to database consoles everywhere). This command accepts one parameter, the name of an output file. Once set, this will cause all console output to be shown on the screen and written to the file. Calling the spool command with the parameter "off" will disable the spool. Even better, this command opens the destination file in append-only mode, so you can add the following line to your ~/.msf3/msfconsole.rc to automatically log all of your output for the rest of time:

spool /home/<username>/.msf3/logs/console.log

Thanks to oorang3 on freenode for the suggestion. To access the new command, use the msfupdate command on Linux (or just "svn update") or the Metasploit Update link on Windows.

If you are running a version of the Metasploit Framework that used one of the binary installers prior to 3.7.2, we strongly recommend upgrading to take advantage of the improved auto-update capabilities and dependency fixes in that release.

Source: http://www.examiner.com/internet-in-national/internet-hacking-group-lulzsec-say-goodbye-50-days-of-lulz-statement

Internet hacking group LulzSec has released what appears to be a final statement. Using their Twitter account to promote the announcement, the 50 Days of Lulz statement was recently posted to pastebin.com as well as the Lulz Security website.

From the statement posted to the Lulz Security website: "Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere."

Several weeks ago most folks who might have heard of the hacking group Anonymous probably didn't think much about them. LulzSec, on the other hand, is a group that had just recently been formed. They stole the stage from Anonymous, and dominated the headlines hitting high profile targets like PBS, Sony and the CIA.

LulzSec was doing what they could to get attention, and every article on every individual hacking helped their cause. But after a while they had proven their point. The Internet was not as secure as it should be, and many corporations and government agencies are vulnerable to attacks.

Perhaps LulzSec was smart enough to realize that you can wear out your welcome in the media and the time was right to "head for the horizon."

The bold actions, in defiance of the world's largest corporations, while thumbing their noses at international law enforcement, are the ingredients of great action adventure movies.  They were the villains that superheroes are made to chase.

It is hard to believe we have heard the last of LulzSec.  Somewhere down the road, their members will resurface, as a result of the treasures they have yet to process, using stolen data to overthrow a government, or take down a corrupt corporation.

Perhaps the true story will be offered to the world in the form of a book and a movie deal. Maybe the adventures of The Lulz Boat and their crew of six, the analogy used in their remarks, will set sail one last time in the future on a big screen near you.

Episode 415 Unsupported Media Type – DC Kids, Now With More IPv6, First 10, iPwn 4 Windows, WPScan & Pissed Off Canaries

InfoSec Daily Podcast Episode 415 for June 24, 2011.  Tonight's podcast is hosted by Rick Hayes, Karthik Rangarajan, Geordy Rostad, and Varun Sharma.

EFF:

The ISD Podcast is participating in a contest to see who can raise the most money for the Electronic Frontier Foundation.  All donations are tax deductible.  Please click the following link to donate to a vitally important cause:
http://eff.isdpodcast.com

Stories

Source: http://www.tomsguide.com/us/Defcon-Kids-white-hats-black-hats-anonymous-lulzsec,news-11631.html

Reuters reports that the first-ever Defcon Kids conference will take place this August in Las Vegas, and will teach children ranging from ages eight to sixteen the basics of computer hacking, and how to protect themselves against cyber attacks. It will also serve as a recruiting farm for U.S. federal agents looking for the next-generation of "digital crime fighters."

As the name implies, Defcon Kids is a spinoff of the Defcon hacker convention which also takes place in Las Vegas every summer. This year's Defcon 19 will take place on August 4 – 7; Defcon Kids will only last for two days, August 6 – 7. This new kids version will reportedly focus on hacking as a "white hat," or rather, a hacker that uses their skills for good rather than the "black hats" who apply their knowledge for stealing money, stealing identities and so on (AKA "evil").

"Hacking isn't just fun and games," said a 16-year-old 'FS' who will be teaching kids how to defend against Internet spies. Outside the convention, he gets paid by companies for breaking into computer networks to uncover vulnerabilities. "It isn't about breaking into systems. It's about securing yourself and the people around you," he added.

Reuters said that some of the most elite hackers in the world have volunteered to teach at Defcon Kids. Courses will include basic computer programming, lock picking, puzzle solving, using Google's search engine to find confidential information, and even modifying a circuit board so that it can play a game of "Simon." A ten-year-old Girl Scout – aka "CyFi" – is reportedly one of the individuals organizing the conference – her identity has been stolen twice… and she's ten.

"Most of the time when people think of hacking, they think 'Oh that's a bad thing,'" she said. "I want to get more people to become good hackers and to have fun doing it."

Chris Hadnagy, one of the Defcon Kids instructors, said that the convention will give the kids an avenue to practice certain skills without the fear of getting into trouble. "We want to expose kids at an earlier age to the wonders of taking things apart and making them do things that they weren't intended to do," added Defcon founder Jeff Moss.

The first hacking convention for kids arrives while the hacking community is seemingly at civil war, with Anonymous and LulzSec serving on the offensive "black hat" team, and Web Ninjas and TeaMp0isoN serving on the defensive "white hat" team. The internet has literally been a cyber battleground since the attack and utter defeat of Sony's PlayStation Network.

Governments, corporations and even gaming websites have fallen under the wrath of Anonymous' political statements and LulzSec's sheer amusement.

That said, teaching and recruiting adolescents that can't even drive should show just how desperate things have become in securing our private, sensitive data.

Source: http://support.apple.com/kb/HT4561

The Mac OS X v10.6.8 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac.

You should back up your system before installation; you can use Time Machine.
Do not interrupt the installation process once you have started to update your system. You may experience unexpected results if you have third-party system software modifications installed, or if you've modified the operating system through other means.

Choose Software Update from the Apple menu to check for the latest Apple software via the Internet, including this update.

If your computer is not up-to-date, other software updates available for your computer may appear, which you should install. When Software Update states "Your software is up to date," you can be sure that all available updates have been installed.

Note that an update's size may vary from computer-to-computer when installed using Software Update. Also, some updates must be installed prior to others, so you should run Software Update more than once to make sure you have all available updates.

You can manually download the update installer. This is a useful option when you need to update multiple computers but only want to download the update once. These versions of the standalone installers are available from Apple Support Downloads.
What's included?

  • Enhancements to the Mac App Store to get your Mac ready to upgrade to Mac OS X Lion.
  • Resolves an issue that may cause Preview to unexpectedly quit.
  • Improves support for IPv6.
  • Improves VPN reliability.
  • Identifies and removes known variants of MacDefender malware.
  • Corrects timezone data in iCal for Lisbon-Portugal.
  • Adds the ability to use Kerberos authentication to a web proxy server.
  • Fixes an issue when saving documents from Xcode or TextEdit when using an NFS home directory.
  • Fixes an issue when importing certain media files into Final Cut Pro.
  • Includes RAW image compatibility for additional digital cameras.

Mac OS X v10.6.8 also includes fixes provided in the Mac OS X v10.6.7 Snow Leopard Font Update:

  • Addresses an issue in which some OpenType fonts don't display correctly in certain applications.
  • Resolves issues printing from Preview.
  • Addresses an issue with PDF files not opening in third-party PDF viewing applications.
  • Resolves invalid font errors when printing to PostScript printers.

Source: http://www.notanon.com/history/the-oldest-domain-names-on-the-internet/2011/06/24/

I recently came across a list of the first hundred domain names that were registered on the Internet.  As cool as it was, there was not a lot of information first off and second, I was curious about how many were still relevant to their original purpose.  For sake of your attention span, I’m going to focus on the first ten names that were ever registered:

1. 15-Mar-1985 SYMBOLICS.COM Hmmm, sounds kind of familiar but I don’t even recall why.   When you go there today, it’s a parking page that acknowledges that it was the first registered name and states, “We are seeking to develop this into a useful and beneficial organization for the betterment of humanity.”

2. 24-Apr-1985 BBN.COM Never heard of this one.  Now it’s a redirect to www.cdl.com which is a Singapore-based real estate conglomerate.

3. 24-May-1985 THINK.COM This one now points to www.thinkquest.com which is owned by Oracle.  At a glance, it’s a bit unclear what their purpose is.  I have to wonder why point such a valuable domain at something like this and not explain its purpose a bit better.

4. 11-Jul-1985 MCC.COM Clearly another wasted historical domain.  This one points to www.stimulusgrantapproval.com

5. 30-Sep-1985 DEC.COM Here is the first one that I legitimately and fondly remember.  DEC was the maker of the Alpha family of processors and MANY other innovations before them.  In their final days, the DEC Alphas were affordable desktop supercomputers.  Affordable should have an asterisk because even the clones I was building in 1997 were roughly $10k but that’s another story.  Unfortunately for the computing world, DEC sold out to Compaq in the late nineties only to be later dissolved by HP which is where the domain now points.

6. 07-Nov-1985 NORTHROP.COM This is just a redirect for Northrop-Grumman, a sloppy and nasty redirect at that.  Click the link to see what I mean.

7. 09-Jan-1986 XEROX.COM Aha!  Here’s the first domain name on the entire list that is A) still relevant B) doesn’t redirect to another URL.

8. 17-Jan-1986 SRI.COM “SRI International is an independent, nonprofit research institute conducting client-sponsored research and development for government agencies, commercial businesses, foundations, and other organizations. SRI also brings its innovations to the marketplace by licensing its intellectual property and creating new ventures.” At least they appear to be the original domain owner.  Oddly, there is ANOTHER SRI which is also a research organization who owns the .org.

9. 03-Mar-1986 HP.COM Love ‘em or hate ‘em, HP has been around and on the internet for a long time.  This is the second out of all ten domains that still actually points to the same place it always has and is still the same company with the same purpose as in 1986.

10. 05-Mar-1986 BELLCORE.COM Bellcore redirects to www.telcordia.com/.

So out of 10 domains, 3 of them still point to the sites they were originally registered to.  Seems like a bit of a waste to me.

Source: http://www.theregister.co.uk/2011/06/24/keyspy_iphone/

Need help using your iPhone to spy on your spouse or children? Now there's an app which will show you just what they're typing, as long as they're on Windows.

Spykey is basically a Windows keylogger which will transmit every key pressed to an iPhone application (£2.99 from the iTunes store). The app justifies itself with the usual arguments about discovering cheating partners or protecting children, and appeared on iTunes yesterday to be spotted by Gizmodo (which also hosts a fun discussion between readers about who is/has the best parent).

Spying applications are always a problem for approval processes; some users (and developers) consider them legitimate applications, but the less paranoid tend to consider such software to be an unacceptable invasion of privacy.

Apple has delisted software that spies on iPhone use before: Retina's Mobile Spy, for example, is now restricted to jailbroken iPhones, though it will still happily monitor Android and Blackberry devices.

Spykey doesn't monitor the iPhone as such, just displays the result of desktop keylogging on the iPhone screen, so might avoid Cupertino's ire. The reviews also suggest that the desktop component (which is Windows only) will trip anti-virus software, and given the popularity of graphical user interfaces one has to question the legitimate value of keylogging anyway.

But putting aside the practicalities, the question is whether Apple will decide to kick the application out of iTunes, on moral grounds, or if the company is OK with an iPhone being used to monitor the habits of those who've yet to see the Apple light.

Source: http://blog.makensi.es/post/6562251143/owning-wordpress-the-easy-way

According to security lore, relying on the secrecy of usernames to secure accounts is a bad practice. However, the premise of known usernames is not always the case for external attackers. For this reason, from a practical point of view (not the security utopian one) even poor passwords can withstand bruteforce attacks when paired with nonpredictable usernames. This is especially true on remote web logins where brute forcing is easily detected and thwarted by most IPS or CAPTCHAs.

On May 26th Veronica Valero of Talsoft S.R.L. posted a security advisory on the Full Disclosure mailing list outlining a username disclosure vulnerability. This was followed by Ryan Dewhurst commenting about the possibility of creating some username enumeration/bruteforcing tool for WordPress installations.

Apparently he will be releasing his tool for this purpose as a part of a more solid tool called WPScan but since I couldn’t wait to test it and because of the utility of such a script, I just couldn’t help trying to write my temporary solution to the problem. My coding skills are average at most and the bug feature will probably soon be patched on most of the WordPress base out there so don’t expect anything fancy.

Behold wpbrute3.py, a tool for enumerating usernames on WordPress installations and to bruteforce accounts using common mangled words (or even optionally custom wordlists). It is a very simple tool but I can tell you the results I am getting are astounding. *Lots* of testing unused accounts with admin privileges out there.
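The post above leans on the claim that brute forcing of remote web logins is easy to detect. As an added example (not code from the post, WPScan or wpbrute3.py), here is the defender-side check: a small detector over constructed Apache combined-format log lines that flags source IPs hammering wp-login.php. It assumes WordPress re-renders the login form with HTTP 200 on a failed login and answers a successful one with a 302 redirect, so a 302 inside a burst is the case worth escalating.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real traffic): one source bursting at wp-login.php,
# one legitimate user who mistypes once, and one plain page view.
SAMPLE_LOG = """\
198.51.100.23 - - [24/Jun/2011:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2011:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.8 - - [24/Jun/2011:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2011:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2011:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Jun/2011:10:00:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.8 - - [24/Jun/2011:10:00:16 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2011:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2011:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2011:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not a log record
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def detect_login_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs with more than `threshold` POSTs to wp-login.php inside any
    `window_s`-second window. Returns {ip: {"attempts": n, "success_after_burst": bool}}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            events[rec[0]].append((rec[1], rec[4]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the window fits.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                # A 302 (assumed successful login) at or after the burst is the real alarm.
                success = any(s == 302 for t, s in evs if t >= times[end])
                alerts[ip] = {"attempts": len(evs), "success_after_burst": success}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} login POSTs, success after burst: {info['success_after_burst']}")
```

A real deployment would feed this the live access log and pair it with the IPS or CAPTCHA throttling the post mentions; the 302-after-burst case is the one to treat as a probable account compromise rather than just noise.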

Source: http://www.darkreading.com/blog/231000379/are-lulzsec-anonymous-the-pissed-off-canary-in-the-coal-mine.html

I just finished a book titled "Robopocalypse," written by a Ph.D. in robotics, that I hope is far-fetched but accurately points out the problems with massive device connectivity. Those problems have to do with just how quickly hostile code can propagate — how skills regarding how to break into systems and knowledge about poorly protected systems can spread. In the book there are obvious signs that a major problem is being ignored and, as a result, really bad things can happen.

For months prior to the Sony breach, the Web was alive with how vulnerable Sony was; given how many entities were breached after Sony, many of them government institutions, Sony was hardly alone. It makes me wonder how many breaches we don’t know about are being made by people who, rather than making a protest or a point, want to secretly steal stuff.

In short, LulzSec and Anonymous, and perhaps partially intentionally, are playing the role of a canary in a coal mine, and rubbing our face in the fact we aren’t secure enough and our stuff is being stolen.

This became crystal clear to me a few months ago when my wife and I bought a used Ford Explorer SUV. This purchase was a surprise because we had no idea we’d done it. Someone had used both of our corporate cards to buy the truck. Problem is, she almost never uses her card, which means it is likely the card company, in this case, Citibank, was hacked.

But there was no report, no notification: We just saw two big charges show up on our bill for a truck. Interestingly, when we called the firm that validated the cards, it was located in the same building as the dealership that sold the car. I’m thinking that wasn’t a coincidence.

The charges were taken off of my card, but I wondered how much of the credit card theft that is going on that the card companies are writing off is coming from breaches in their own systems that aren’t being caught.

Thieves, if they are successful (I used to be a Sheriff — yes, who knew?), learn that it is best to steal things that folks won’t miss. That way you can fence them without concern for the fact that a law enforcement agency is looking for what was stolen. If you are stealing financial information like credit cards, the same rule applies because if people know you’ve taken the numbers and identifying information, they’ll close their accounts and you won’t have anything to sell or use.

Comparing Anonymous and LulzSec to real cybercriminals is also kind of like comparing male and female mosquitoes. I’m building a vacation home in Sanctuary Belize, and you quickly learn that the female mosquitoes that suck blood are quiet, and the male mosquitoes that don’t make lots of noise. So if you hear buzzing, you are OK, but if it gets quiet …

Seriously, these breaches are showcasing an appalling lack of strong security and suggesting there may have been undiscovered thefts going on at these agencies and companies for years.

The coal mine canary works because toxic gases tend to knock out the canary first, giving the miners an early warning that there is a problem. It might be nice, particularly for the bird’s continued existence, if it could run around screaming “GAS!” before it died. In effect, that appears to be a lot of what LulzSec and Anonymous are effectively doing. I’d hope that miners, once they got over the fact a canary could talk, would get the warning and run for their lives rather than just shoot the pissed-off canary to shut off the noise.

With LulzSec and Anonymous, I worry that we, and particularly those running the organizations that have been hacked, aren’t that smart and don’t recognize the very real warning that lies underneath these attacks.

Or put another way, if someone came up and slugged me in the mouth to get my attention with regard to a coming tsunami, I’d hope I’d be smart enough to run first and, assuming I survived, punch the guy back later, as opposed to the other way around. Since I kind of like living, my hope is that those who protect my stuff are equally smart.

But I’m not getting the warm and fuzzy feeling that comes when my hopes and reality align.