"The company plans to launch a penetration-testing service for businesses in October that will use the same techniques as hackers to gain access to its customers' machines. However, the exploit code it will use will be controlled and will not propagate itself as a worm would, HP said on Tuesday."
Sounds like a bunch of pentesting/ethical hacker type jobs are going to open up. I think that other corporations will follow suit. I know some guys who do forensics and pentesting on the side. As vulnerabilities are found quicker by criminals, pentesters/ethical hackers seem to be becoming more significant.
"Don't let a malware attack ruin your business. A little planning and the right responses can make it a minor annoyance instead of a major catastrophe."
This is a pretty good article. It mentions how to "prepare" for an attack, but I would go a step further and submit how to "prevent" an attack from ever occurring. It is possible to avoid an attack:
1) Get a firewall that uses network address translation (NAT).
2) Use Firefox.
3) Don't surf shady sites: serial cracks, pirated software, some porn sites, screen savers.
4) Watch out for dirty downloads. Some p2p applications and the warez traded on them are loaded with trojans, worms and other malware.
5) Don't surf the Internet with administrative privileges.
This case is not the same as the Department of Veterans Affairs loss of records or the Department of Agriculture's security failures. In this case, a contracting consultant conducted a penetration test without getting formal approval. He exploited the FBI's vulnerabilities to gain elevated privileges.
Joseph Thomas Colon, 28, is a former employee of BAE Systems. His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. According to Colon, the FBI field office in Springfield, Ill., to which he was attached gave him approval.
However, every professional pentester or ethical hacker knows that you have to get formal approval from an authority.
Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system.
As a result, Mr. Colon will likely serve about 18 months in prison. :(...
Pentesting and ethical hacking tools and techniques must be dealt with responsibly. The bureaucracies that might allow pentesting must be respected at all costs. The first thing taught in pentesting and ethical hacking is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system.
"Chinese authorities intend to police and control instant messaging, cell phones, blogs and search engines."
If they continue to apply more and more pressure, the People's Republic of China is going to break. It is an interesting experiment to see how long people will stand for having zero freedom of speech. Even though America is going the way of China on privacy (as in no citizens having any), it is good to know there is still some freedom of speech left.
A recent change to AT&T's privacy policy for broadband and video users is overbroad and likely will leave the courts or Congress to decide whether the company's practices are standard or sinister, legal experts said this week.
This is why I switched to Vonage. I am so sick of telcos' abuse of power. As soon as I can I'd like to get rid of my cable service as well. I believe Vonage and other VoIP services are being prepped to give all data to the NSA, but AT&T and Verizon are going nuts.
I hope WiMax opens up new small business to compete with the current telcos.
Computer viruses are like real-life viruses: When they're flying around infecting every PC (or person) in sight, they're scary. But after the fact...well, they're rather interesting, albeit in a gory kind of way. With this in mind, we shamelessly present, in chronological order, the 10 most destructive viruses of all time.
a start-to-finish how-to on creating Flash video for displaying embedded video on your website... Using freely available tools, you can create videos for your site that will be viewable by anyone who has a Flash enabled browser (which is just about everyone)...If done correctly, your FLV video should now be viewable on your site...
Ophcrack is the fastest Windows NT, 2000, XP and 2003 password cracker. Download and burn!! Ophcrack 2.1 comes with a GTK+ Graphical User Interface and runs on Windows as well as on Linux.
Network managers are using tubes of super glue to protect their systems from data theft. Outfits are getting so hot and bothered at the loss of corporate data that they are removing writable drives and ordering network staff to pour superglue into USB ports. Nothing a little "cut and paste" won't fix!
The war for privacy may be lost. But the battle over what to do with all that data has just begun. As governments increase their prying, businesses are struggling to keep a lid on their records.
The Jerusalem Post said about 700 Web sites were shut down early Wednesday. Their home pages were replaced by the message, "Hacked by Team-Evil Arab hackers u KILL palestin people we KILL Israeli servers."
When Microsoft issues their last patch July 11, Windows 98 and Me will be complete. How can you keep running them safely without security updates from Microsoft?
This article looks at the potential security risks associated with using Gmail, especially in the workplace where traffic may be monitored. It investigates how to keep the HTTPS (SSL) connection open for more than just the login credentials, so that the whole Gmail session (reading, writing and chatting) is protected from prying eyes.
This article describes how you can run Windows XP images on Ubuntu Dapper if you have a processor supporting Virtualization Technology, the new hardware based VM acceleration technology from Intel. Despite being extremely new it seems stable and quite usable for testing or dev. Very cool technology.
A security researcher with expertise in rootkits has created a working prototype of new technology that is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems.
Security analysts have detected a new piece of malware that appears to run as a Microsoft Corp. program used to detect unlicensed versions of its operating system.
The malware has been classified as a worm and spreads through AOL LLC's Instant Messenger program. Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of malware.
Here is another reason that I've decided to start using Linux more.
Microsoft was considering pushing an update to Windows users around the world that would inventory their system and lock it down if it was pirated. The patch would be called Windows Genuine Advantage (WGA). If users refused the patch, they'd have thirty days to comply.
"While WGA doesn't seem nearly as bad as the Sony rootkit, Microsoft's slow response to complaints could create backlash against the company in the same way that Sony BMG faced a ton of backlash."
RSA Security, the digital security firm behind the popular RSA encryption and security tokens, is close to closing a deal with data storage behemoth EMC.
A stolen laptop computer containing sensitive information on more than 26 million U.S. military veterans has been recovered and a preliminary review indicated no data was taken...
This group of three short videos shows you how to download GNU/Linux, make a bootable Linux CD, and how to boot Linux on your computer without going through a tedious installation routine. We used Ubuntu for this demonstration, but the steps shown apply to all live CD Linux distributions.
I recently loaded and installed Ubuntu 6.06. It was as easy to install as Windows (if not easier). It also looks pretty. Not sure about the functionality and compatibility yet; I have yet to get down and dirty with Ubuntu. But my experience with Linux & Slackware variants has been that finding compatible hardware, drivers and software for them is a pain in the "ACE". Many of those compatibility issues have been resolved with the newer variants (Red Hat for example). But since so much of the industry (gaming, wi-fi etc.) makes its products for Windows, compatibility is likely to be an issue for a while.
You have Linux installed and running. The GUI is working fine, but you are getting tired of changing your desktop themes. You keep seeing this "terminal" thing. Don't worry, we'll show you what to do.
Unix: Shell Programming, by Kochan and Wood, is a great place from which to learn shell scripting. It will tell you how it works and why.
Scripting is a lot easier to learn than programming and in some cases it is the better choice. Scripting can do a lot of things programming can do, but with WAAAY more overhead (i.e. it sucks up more CPU/memory resources). So it is not practical if you're creating a large program.
Almost every piece of personal information that Americans try to keep secret -- including bank account statements, e-mail messages and telephone records -- is semi-public and available for sale. Congress gnashing teeth.
I believe that the Chinese government will ultimately not be capable of suppressing the Chinese people's thirst for unrestricted knowledge. Although it is human nature to do what is easiest and follow the herd like sheep, it is also human nature to resist repression.
There is only so much human beings can take. I'm reminded of Shawshank Redemption, in which the title character mentions "time and pressure". Time and pressure is all it takes for a person to break. Time and pressure.
I'm sure the Chinese government would not call what they are doing "repression". They'd probably call it "protection". Or maybe they don't call it anything! Internet censorship is not restricted to China. The U.S. government also has restrictions on certain pages and content on the Internet. Do enough searches about "terrorism" and you might even get contacted by the FBI. Fear is the driving factor for security in this country. Blanket censorship is something I definitely DO NOT support.
I guess only individuals can be free, and only truly free in their own hearts, souls and minds. With all the breaches of privacy (or should I say complete lack of privacy) between the individual citizens in the US and the US gov't, how "free" and different is the U.S. government from the Chinese government at the fundamental level?
There is a difference (freedom of speech for example) no doubt, but it seems that as China moves toward freedom (with its entrance into the WTO and movement toward capitalism), the U.S. seems to be moving toward more control over its citizens as it seeks to sift through its sheep to find the wolves in sheep's clothing.
See what the International Current Affairs Society had to say:
"A group of intrepid H4X0rz have discovered how to easily bypass the Chinese governments censorship of words like 'democracy'."
Google has 79 billion billion billion IPv6 addresses, is buying up massive amounts of dark fiber, and building a massive data center. Just what is Google up to?
Hi-tech fraudsters have begun using recorded telephone messages in a bid to trick users into handing over confidential account information. The tactic has been adopted as a variant of recently detected phishing attacks targeting customers of the Santa Barbara Bank & Trust.
Soldiers in Iraq lack many of the most basic amenities, including Internet access, because there are only 6 to 12 computers for every 1,000 troops. So enterprising soldiers have set up their own "Hajjinets," troop-owned ISPs on just about every base in the country.
The Defense Department has tightened policies on the use of wireless local-area networks (WLANs), in a memo released earlier this month, which requires beefed up encryption and security since the last DOD wireless policy memo was released in April 2004.
"A secret program that allowed U.S. officials to examine hundreds of thousands of private banking records from around the world in search of terrorist ties has been "absolutely essential" to protecting the country from further attacks, Vice President Cheney said yesterday."
When I was in high school, I read this book called Ender's Game, by a man named Orson Scott Card. The book is about a strategic prodigy named Ender who is the only hope for saving humanity from an alien invasion. It was a great book.
In the book Ender's brother and sister, Peter and Valentine, are just as bright as he. Peter convinces Valentine to collaborate in his grand scheme of controlling the planet Earth. They start by creating a huge following on the Internet.
I think that the comment system created by Kevin Rose and the Revision 3 team is going to be copied enough to make it an unofficial standard. The one thing that is very powerful about digg is that it harnesses the power of the collective masses participating. Some topics are so supercharged with emotion that they move hundreds of commenters on digg into action. The site becomes like a loaded gun.
Perhaps it won't be digg that catapults the current online revolution, but it will almost definitely be something very similar.
Hashapass automatically generates strong passwords from a master password and a parameter. Given the same master password and parameter, Hashapass will always give you the same result. That's so you don't have to store your generated passwords anywhere: just come back here with your master password and the parameter.
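The scheme described above, a password that is a pure function of a master password and a parameter so nothing has to be stored, as an added example. This is not Hashapass's own code: the choice of PBKDF2-HMAC-SHA256 as the derivation function, the iteration count, the output alphabet and length, and the version counter used for rotation are all this example's assumptions, not the site's documented algorithm.

```python
import base64
import hashlib

# Constructed choice for this example; raise it as far as your hardware tolerates.
ITERATIONS = 100_000


def derive_password(master: str, parameter: str, length: int = 16) -> str:
    """Derive a per-site password from a master password and a parameter.

    The parameter (for example the site name) is the PBKDF2 salt, so the same
    (master, parameter) pair always yields the same output and nothing needs to
    be stored. PBKDF2-HMAC-SHA256 is this example's choice of KDF (assumption);
    a slow KDF matters because the master password is the only secret and an
    attacker who learns one derived password can try to brute-force it offline.
    """
    if not master or not parameter:
        raise ValueError("master password and parameter must both be non-empty")
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        parameter.encode("utf-8"),
        ITERATIONS,
        dklen=32,
    )
    # Base64 yields letters, digits, '+' and '/'; truncate to the requested length.
    return base64.b64encode(key).decode("ascii")[:length]


def rotate(master: str, parameter: str, version: int, length: int = 16) -> str:
    """A derived password cannot be changed without changing an input, so a
    version counter is folded into the parameter to allow rotation after a
    site breach without touching the master password."""
    return derive_password(master, f"{parameter}#{version}", length)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    print(derive_password(master, "example.com"))
    print(rotate(master, "example.com", 2))
```

Two properties are worth checking before trusting any scheme of this shape: the same inputs must always give the same output, and a change to either the master password or the parameter must give a completely different one. The trade-off the page glosses over is that nothing can be rotated independently: because the output is a function of its inputs only, the only way to change one site's password is to change the parameter, and a leaked master password invalidates every derived password at once.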
Episode 2 of the Security Roundtable is up and available. Michael Santarcangelo from the Security Catalyst, Alan Shimel from StillSecure, After All These Years and Martin McKeay discuss the VA and its loss of 26.5 million records.
"As more people turn to Web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said."
The company claims their web browser is a tool for privacy protection, but according to Panda Software it's got some hidden adware. ''It's being used deceptively to get more hits on their site,'' Schoch says. ''This adware opens a series of adult web pages, although they are not visible to the user.''
A hacker may have stolen personal information for 26,000 current and former US Agriculture Department employees.
The department announced the security breach shortly before midnight on Wednesday, nearly three weeks after it occurred. It offered one year of free credit-monitoring services to the potentially affected employees.
The Site included their names, birth dates, and Social Security Numbers. The information has been taken down, and the site is under investigation by Naval CIS.
I'll admit, I really stereotyped the Federal Information Security Conference (FISC). I saw the speakers and saw director, senior and thought manager... they don't have anything to teach me that I want to know. While there were a lot of manager types talking about some high level stuff (i.e. DoD 8570 and its effect on GS civilians), mostly the FISC is about government employees and their contractors getting exposure to the commercial market.
The great thing about it is that it brings together so much information security talent. I learned more from casual conversation than I did from four separate briefings.
I don't think that the FISC is worth paying more than maybe $20 for. The reason I say this is because even though you learn some things, those that benefit most from the FISC are the vendors who are actually doing most of the speaking.
Prices for the FISC:
Federal Government - stationed in Colorado: $50 per person
Federal Government - out of state: $245 per person
Industry: $345 per person
On-line preregistration after March 31, 2006:
Federal Government - stationed in Colorado: $100 per person
Federal Government - out of state: $295 per person
Industry: $395 per person
On-line preregistration closes June 15, 2006 at 12:00 p.m. The cost to register on site is: