Archive for July, 2007
FCC will Open the Air Waves

The FCC is going to open up the 700MHz frequency to the wireless market.

What does this mean to you and me? This:

    “The 700 MHz Band spectrum, which runs from 698-806 MHz, currently is occupied by
    television broadcasters and will be made available for other wireless services, including public
    safety and commercial services, as a result of the digital television (DTV) transition.”

    In implementing Congress’ directive to reallocate the airwaves, the Commission is
    focused on serving the public interest and the American people.

–News Information #202

We’ll see what that REALLY means in a short time.

Google proposed that the FCC force a completely leveled playing ground like the Internet: open applications, open devices, open services and open networks. AT&T lobbyists were violently opposed to this proposition. The FCC agreed to open applications & devices but denied the others.

I hope this isn’t another way of saying that AT&T/Verison will divy up the spectrum and force their proprietary BS down our collective throats. I hope “open devices/applications” means that I can use something like a Skype cell phone (or google iphone – if they ever decide to create it).

I’m bitter about the telecos.

It is because of the American Telecos and the FCC that we are so far behind Asia and Europe. I’ve been to parts of Korea and Italy and I’ve got to say that it is a damn shame its easier to get on the net there than here.

techcrunch on fcc – http://www.techcrunch.com/2007/07/31/fcc-fails-to-mark-their-place-in-history/

Hacking Chuckie Cheese Robots

Someone modified a flipping Chuckie Cheese Robot…

Ethical Hacking Official Course Material (Book)

As of July 2007, the official course material book on Ethical Hacking is going for $5 on Amazon.  The cover price is $70 in the US and over $100 in Canada.  This should tell you a lot about what people feel about this book.

The hate for this book is so profound that it makes me laugh.

Here are a few comments:

“I know this has been said but it really needs emphasis. This is perhaps the most poorly written and presented compilation of misinformation I have seen since the 5th grade.”

“If the author of this book isn’t going to take the time to correct the misspellings and grammar issues, that speaks volumes about the quality of the content.”

” The EC-Council has a great CUT and Paste method of publishing a book, they don’t even list the Author.”

“I agree with all the negative comments. This book is poorly written.”

It touches on all of the modules of the test, its just that there are so many issues with the way it is put together.  Its almost as if the EC Council had a week to put something together so they gathered all there slides and copied and pasted them in this book then expanded on each slide.

One of the Amazon readers put it well:

Here are a few notable indicators of the quality of the book:

* There is no reference section or bibliography and there are only a couple references made to outside works. Most of which is the legislation they quote and a couple quotes from notable manufacturers.
* They do not cite any of their quotes correctly. The closest they get is, “A quote from the Internet says…” or “(Reference: Cryptography FAQs published on the World Wide Web)” No web site, date or proper credit is ever given. I’m suprised they actually listed the URLs for the tools they discuss.
* The table of contents is very high level, there is no table of figures, or table of tables. There is also no index or list of terms.
* They attempt to redefine established industry terms in their own style, often incorrectly or in contradiction to earlier statements.
* As noted in previous reviews, grammar, spelling and typos are prevalent throughout the book. Most notably is the pres ence of sp aces in the midd le of wo rds.

When course material is this bad, it is very hard to take the certification seriously.

Certified Ethical Hacker Exam Prep (amazon review)
Found a good review of Mike Greggs book, Certified Ethical Hacker Exam Prep from Amazon reviewer, N. Rossino (NY) : 

 

   

The previous poster did bring up a good point: this book will not teach you how to hack. It WILL help you pass the CEH exam. It lays a very good foundation, and the only reason I give it 4 stars was because it was lacking the detail and depth to be fully comprehensive.

Keep in mind, that this book is meant for people who do have an administration background and who happen to be pretty familiar with Linux and Windows. The book is written for that group of people because without that experience, you probably won’t have the experience necessary to be a CEH.

I happen to read all 3 books for the CEH that are listed on Amazon. The Sybex book, the EC-council book, and this book. By far, this book was the best out of the 3. The Sybex book was a waste of money as it wasn’t as good as this book and it had even less depth. The EC-council book had a bit more detail in some topics, although it lacked cohesion and was poor at presenting the thought behind it. I think this book and the EC-council book compliment each other, and give you a pretty good idea of what you actually need to know. I would start with this book and finish up with the EC-council book and/or courseware. My reasoning is that you should set the foundation first and this book does that.

Also, as with hacking, google is an excellent resource. These two books won’t be enough to fill all the holes, but the internet is a damned good filler.

In conclusion this book provides for pretty good preparation for the actual test, and is a comfortable read.

ABOUT THE TEST:

150 questions, you have 4 hours. I took only 2 and scored an 86%. 70% is passing. I studied for only two weeks, but have extensive background in the subject area.

The test is very specific, and you are expected to know the material in detail – NOT just concepts. The test is geared towards people with security experience, and the test questions are true to that purpose. It will be very difficult to pass if you:
1) Don’t know linux
2) Don’t understand Microsoft’s OS and operations
3) never actually used any of the hacking tools

Linux is not a MAJOR part of the test, but there are enough questions on linux command line operations to make a difference.

Keep in mind, just reading alone will not let you pass this test. It is very important that you try out the most popular and important tools (firsthand!). You will be asked about specific commands, and be expected to know them. Know nmap, snort, hping2, tracert and tcpdump down cold. Know the ICMP codes and types. The only way you learn this stuff is to actually practice it.

Storm Worm Erupts Into Worst Virus Sustained Attack In the Last 2 Years

The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they’ve seen in two years.”We are basically in the midst of an incredibly large attack,” said Adam Swidler, a senior manager with security company Postini. “It’s the most sustained attack that we’ve seen. There’s been nine to 10 days straight days of attack at this level.”

Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails — 99% of them associated with the Storm worm.

more on the complete ad heavy Infoweek site 

Certified Information Privacy Professional

As the folks at TechCruch stated, “Privacy is the New Black” just ask the International Association of Privacy Professionals (IAPP).  Information is becoming more and more valuable, particularly YOUR personal information.  I would submit that in the Information Age personal data is the most important commodity.

With globalization upon us, products and serivces are the life blood of the worlds economy.  The economy is the framework on which we employed or become employers.  It is an endless cycle.  Those on top are the ones who can target their respective market the best.   

The Certified Information Privacy Professional (CIPP) is a certification for privacy professionals.  It is a certification for those that realize the impact of unsecured personal information.  There is a CIPP/g for government and a CIPP/C especially for Canadians.

 

TechCruch: Privacy the New Black

TechCruch posted an article that caught my eye.  Because Privacy is so important, I give you: Privacy is the New Black

After a week where Ask launched AskEraser, a product that allows users to erase their search history, and Google announced a reduction in retained data time from 2038 to 18 months, more privacy initiatives are on their way.

According to the Wall Street Journal, Microsoft will officially announce Monday “new policies and technologies to protect the privacy of users of its Live Search services” and Yahoo will announce plans for “a policy to make all of a user’s search data anonymous within 13 months of receiving it.”

Read more of http://www.techcrunch.com/2007/07/22/privacy-is-the-new-black/

Standard Desktop Configuration (SDC) News

The Department of Defense has implemented the Standard Desktop Configuration (SDC) environment which allow all systems to have a uniform level of security. 

ALL SDC all the time: https://afecmo.gunter.af.mil/default.aspx

Now the rest of the federal goverment is jumping on the Information Assurance Bandwagon with something called the Federal Desktop Core Configuration (FDCC).

SDC version 2 (Vista) is already in the works as well as Standard Server Configuration (SCC).

Tranax ATM Default Passcode is 123456

It reminds me of Space Balls.  The evil Space Balls kidnap Princess Vespa and force King Roland into giving up his password that will allow them to suck all the precious air off of planet Druidia.  That password it “12345” (which just happens be the same password Space Ball President Skroob has on his luggage).

 The Triton ATMs have two levels of password: an administrative passcode for routine daily operations, and a “master passcode” that also lets you change the cash machine’s basic configuration.  Mastrorocco says he changed the administrative code when he got the machine three years ago, but Cardtronics never told him to change the master passcode, which he didn’t normally use.

http://blog.wired.com/27bstroke6/2007/07/atm-reprogrammi.html – ATM Reprogramming Caper Hits Pennsylvania

 

Cell Network Hack – Athens

While this is the first major infiltration to involve cellphones, the scheme did not depend on the wireless nature of the network. Basically, the hackers broke into a telephone network and subverted its built-in wiretapping features for their own purposes. That could have been done with any phone account, not just cellular ones. Nevertheless, there are some elements of the Vodafone Greece system that were unique and crucial to the way the crime was pulled off.

Basically, the hackers broke into a telephone network and subverted its built-in wiretapping features for their own purposes.

Interactive Time Line: http://www.spectrum.ieee.org/jul07/5280/time

— More on this article from Spectrum – ieee.org