Archive for the 'hacking' Category
where the hell is DC719?

I’ve been thinking of going to Defcon17 this year, but I’m reluctant because I keep remembering how lonely I was the last time I went, Defcon14. There I was at the MECCA of all things security, basking in the glow of technological brilliance and completely alone.

Everyone seems to have a crew there. All the loners I meet are too paranoid to talk to anyone. So I end up going from lecture to lecture alone. Don’t get me wrong. I like learning new things. But too often I feel like it was something I could have just watched on TV (if it was on TV). I want to get more involved, but I don’t have the skills or the time to dedicate to another mega hobby like Hacking.

So I thought about rolling out with DC719 (my local defcon group), but I’ve yet to find them. dc719.org seems to have not paid their bill or something. I heard they are all crazy gun nuts, which I think is pretty awesome. Guns and hacking seem like my kind of crowd. Strange, huh?

Anyway, dc719, if you’re out there, hit me up. I might want to roll with you guys [or at least say hi]. elamb[dot]security[at]gmail.com

Al Qaeda Sites getting Hacked

This was an article that really cheered me up today. Al Qaeda websites are still getting hacked constantly. Sometimes it seems that the free world is WAY off on the “War on Terror”. With most resources going to Iraq, political rhetoric and pandering and the almost complete absence of anyone talking about capturing and/or killing Osama bin Laden, it’s easy to get discouraged. It’s good to see that the cyberwar is still being waged on those who promote and/or support terrorism.

Octavia Nasr, CNN senior editor for Arab affairs

A hacking war is raging on Jihadi websites. Radical Islamist sites have been attacking and getting attacked for quite some time. The website hacking practice was common in 2001 and 2002… Following the 9/11 attacks when al Qaeda used only one website to communicate its messages to supporters and foes alike. That website was called alneda.com. It was getting constantly hacked… sometimes several hackings a day. After every hacking the site managed to resurface on the net until it disappeared from the scene in 2004 to be replaced by other websites — What started as one al Qaeda-linked site mushroomed into dozens which branched out into hundreds of supporting sites that serve as dissemination centers over the internet.



ATM Skimmers?

There’s a new way of stealing money from ATMs:

“Becki Turner got the call from her bank’s fraud department on Labor Day. The investigator wanted to know if she had withdrawn $500 from an ATM in California over the holiday weekend. She hadn’t. She couldn’t. Turner was home in Puyallup, Wash.

“I was just flabbergasted,” she says. “I had the card with me, the ATM was in another state, and the person using the machine had to have my security code.” Turner worried crooks had gotten into the banking system and stolen her password.

It wasn’t anything that complicated. Puyallup police say thieves snagged her account information — along with the debit card numbers and PIN codes of hundreds of other people — at two gas stations in the area.

They did it by installing their own hard-to-spot card reader, called a skimmer, on top of the card reader built into the pump. The skimmer is able to grab the account information from the card without interfering with the legitimate payment transaction.

The crooks used the stolen data to create (or clone) fake debit cards that were used at ATMs in Washington State over the Fourth of July weekend and in Northern California on Labor Day weekend. The bad guys like three-day holidays because it gives them more time to use the cards before the unauthorized withdrawals are spotted.”

MSNBC

Palin’s password was Popcorn?

I was wondering why conservative talk was accusing the Dems and/or liberals of hacking Palin’s account. Apparently, the guy who hacked into her account (gov.palin@yahoo.com) is the son of Rep. Mike Kernell, Tennessee state lawmaker. He simply used the “forgot my password” feature and then used publicly available information to answer the security questions.

“Gov. Palin’s Alleged Hacker Indicted; Password Was ‘Popcorn’
A 20-year-old student at the University of Tennessee has been indicted for breaking into one of the email accounts of Gov. Sarah Palin and then posting screenshots of personal information obtained there to a public Web-site.

David Kernell, the son of a Democratic state lawmaker, was led into a Knoxville federal court wearing handcuffs and shackles on his ankles today and was released without posting bond, according to the Associated Press.”

Hope she’s changing all her passwords because more than likely they are all “Popcorn”.

http://voices.washingtonpost.com/cgi-bin/mt/mt-tb.cgi/25730


Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002

That which does not kill us makes us stronger.
-Friedrich Nietzsche

In the November 2002 Information Security Magazine article “Infosec’s Worst Nightmares”, Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002. Mr. Skoudis is one of the founders of Intelguardians Network Intelligence, LLC and is a handler of the very popular Internet Storm Center.

Mr. Skoudis mentions that the top five major destructive attacks of 1998 – 2002 made many industries “battle-tested” and more likely to be proactive rather than reactive. Skoudis’s five-year “worst” list is based on exploits that shook our very faith in the Internet and the security of e-commerce.

1. Code Red (2001). On July 13, 2001, the worm attacked Microsoft IIS systems. By 19 July 2001, the worm had affected over 350,000 systems. SANS and the Honeynet Project set up honey pots to capture the worm. But eEye Digital Security programmers did the most intense research on the worm and also named it. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft’s MS01-033 patch. It was a buffer overflow attack. Some of the lessons learned: keep systems patched, use honey pots to capture malware, and a coordinated response helps to contain worms.

2. Nimda (2001). Shortly after 9/11, the Nimda worm was unleashed. It caused more damage financially than Code Red. There were rumors that it was China that released it to hurt the US further, but this is unlikely due to the nature of Nimda.

“While it was bad, it had the appearance of being written by a determined amateur, not a nation-state that spends $1 Billion annually on cyberwarfare capabilities.” – Skoudis

Nimda affected Windows 95, 98, Me, NT, or 2000 and servers running Windows NT and 2000. It was so effective because it attacked IIS, e-mail, browsers and network shares. This multidimensional attack method could mark a trend in future cyberwarfare.

Lessons Learned: The importance of an incident response capability, disabling arbitrary scripts in e-mail and browsers.

3. Melissa (1999) & LoveLetter (2000). Both of these were malware that propagated through e-mail: Melissa, a Microsoft Word macro virus, and LoveLetter (the “I Love You” virus). The worm harvested the victim’s address book to forward itself to more victims, which killed a lot of email servers. Lessons Learned: Many companies got serious about implementing anti-virus applications throughout the network.

4. Distributed Denial-of-Service (DDoS) attacks (2000). After all the panic of pre-Y2K, a completely new and unexpected storm hit major sites: Yahoo!, Amazon, CNN, E*Trade, ZDNet and eBay. All by a single child hacker nicknamed Mafiaboy. He had spread zombie flooding agents to hundreds of machines around the world and used them to attack sites with billions of useless packets. Lessons Learned: employ anti-spoofing filters.

5. Remote Control Trojan Horse Backdoors (1998 – 2000). In 1998, the Cult of the Dead Cow hacker group created the Trojan Back Orifice, which initially targeted Windows NT/9x. The tool allowed unskilled attackers to attack any vulnerable system. It also marked the rise of the “script kiddies” and produced a bunch of spin-offs such as SubSeven, NetBus and Hack-a-Tack.

Phlash Dance: phlashing

Phlashing allows you to damage hardware over the Internet. This is something new and consists of flashing, as in changing the firmware, or computer code in chips on your motherboard, controller cards or other hardware. Since more modern systems allow flashing firmware over a network for quick updates, this is now an exploitable vulnerability. Previously, you had to “flash” those computer chips from the machine that contained them.

There are security features in hardware to prevent this kind of vandalism, but unfortunately some flaws enable hackers to flash destructively. Phlashing code has already been developed by security researchers and hackers. Phlashing attacks are not easy and will likely not be common; however, it’s a possible glimpse of the coming storm of weapons of cyber destruction.

“Phlashing” attacks could render network hardware useless
Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP’s Systems Security Lab, has identified a potential security flaw within a network’s physical hardware rather than a typical desktop or server system. Smith’s report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as “phlashing.” – more at Ars Technica

untraceable movie


I just saw a movie called Untraceable. It is cyberterrorism meets Seven. Although it is very violent, it falls short of the pure “torture porn” genre (i.e. Hostel, Saw). They didn’t sensationalize the FBI computer crime team. They made the characters real people with real problems.

The best part of the movie is that it addresses hard societal questions that we are still struggling with. The killer’s greatest weapon was the Internet itself. He used the anonymity and distributed non-centralized power of the net to broadcast killings on the Internet. Once he captured a victim, he would put them in a contraption that would torture them to death based on how many people came to the site. The FBI is at a loss because their equipment, while it can easily bait & hunt small-time phishers, criminal hackers and adults soliciting sex from kids online, is useless against this serial killer’s level of software, Internet, and electronics sophistication. They eventually call upon the NSA, who tell them that they are not allowed to use their resources for domestic issues. With the Patriot Act and NUMEROUS presidential NSA acts, I don’t believe this is entirely true. But the movie seems to suggest that it is.

Although I disagree with the message of giving more power to the FBI & NSA to catch bad guys (as it would require the loss of more civil liberties of law-abiding citizens), I definitely recommend this movie.


Movie fact:

The site used by the killer (www.killwithme.com) actually exists. It’s owned by the movie studio and it’s used to promote the movie. In it, users are taken to a replica of the FBI computer used by the character Jennifer Marsh. Her desktop gets hacked by the killer, who provides the visitor with four tests he/she must complete to deactivate his site.

Computers Hacking People ver 2.0


“I honestly think you ought to calm down; take a stress pill and think things over.” – HAL, 2001: A Space Odyssey

Information Systems will eventually have the infrastructure and ability to “socially engineer” their creators. This is far-fetched science fiction blooming before our very eyes, being created by our own hands.
It will happen when three criteria are in place: 1) The creation of laws that can completely disregard the privacy and sovereignty of human beings, 2) The advancement of Information Awareness Systems, and 3) Smart Artificial Intelligence.

LAWS
Let’s discuss the situations that will give governments the pretext to implement laws to track their citizens. This is happening now. Laws and systems are being created for unchecked monitoring of individuals under the guise of security, safety and prosperity, systems such as national ID cards. They were implemented after the Sept 11 attacks on the World Trade Center and in the U.K. after the 7 July attacks in London.

It was 19th Century philosopher Samuel T. Coleridge who said, “In politics, what begins in fear usually ends in folly.”

Imagine it: The PATRIOT ACT IV is passed as a result of recent Critical Infrastructure cyber-terrorism attacks. International terrorists implement a globally synchronized Distributed Denial of Service Attack against the world’s root nameservers and successfully cripple the Internet for three days. The impact is devastating as corporations lose billions.

Domestic Cyber Terrorists infiltrate hospitals by becoming a part of the staff, only to socially engineer and infect HIPAA-protected networks with viruses that wipe out databases and actually scramble prescriptions, causing an array of deaths by misdiagnosis.

Local police and security personnel repeatedly thwart numerous attempts by religious fundamentalists to detonate suitcase-sized tactical nuclear weapons inside major United States cities, but security professionals predict that it is only a matter of time before at least one slips through the cracks. All the enemy needs is one.
Patriot Act IV is the patron saint of lawmakers who have been screamed at by constituents to “DO SOMETHING NOW!” The new Patriot Act is eventually internationally accepted and allows for unrestricted data mining of commercial and state-owned databases worldwide (US-EU). It of course has different names and variations worldwide, but its application is the same. In the United Kingdom it is called the Civil Contingencies Bill. The data mining would tap into the “transaction space” by accessing hospital, financial transaction and legal databases worldwide to be shared by all law enforcement agencies (county, federal, city, local and international). The system works like a global Amber Alert system that can track criminals anywhere in the world and notify the respective local agency immediately. The system works very, very well.

Information Awareness Systems

“The system, developed under the direction of John Poindexter, then-director of DARPA’s Information Awareness Office, was envisioned to give law enforcement access to private data without suspicion of wrongdoing or a warrant.” — Electronic Privacy Information Center

Government-funded unrestricted Data Mining and Information Awareness programs develop and run revolutionary Information Awareness Systems. Despite public opinion, these National Security systems continue to work to protect the nation against enemies foreign and domestic. The system extracts data from its transactional databases and recognizes patterns of behavior that would fit that of a terrorist. The system is so exhaustive that it works with 70% accuracy and seamlessly in conjunction with systems such as Next Generation Facial Recognition systems and Activity, Recognition Monitoring for enhanced surveillance.


Artificial Intelligence
“Within thirty years, we will have the technological means to create superhuman intelligence. Shortly after, the human era will be ended.” – Vernor Vinge, 1993, What is the Singularity?

Artificial Intelligence has been in use for many years. It is greatly relied upon by businesses, hospitals, military units and even in forms of entertainment such as video games. However, Strong Artificial Intelligence, the development of cognitive systems simulating the human brain, has been developing quietly in research labs around the world under programs dedicated to the “scientific understanding of the mechanisms underlying thought and intelligent behavior and their embodiment in machines” (AAAI).

Smart Information Awareness is Strong Artificial Intelligence merged with Information Awareness Systems. Smart Information Awareness seems to go beyond merely recognizing patterns of behavior, as it predicts the future actions of a given psychological profile with over 75% accuracy, allowing Law Enforcement to be like an all-seeing eye with incredible new methods of forensics and counterterrorism. Crime as a whole will be greatly reduced. Systems that recognize criminal patterns have been around for some time; Smart Information Awareness systems are a new trend.

The Smart Information Awareness system is so accurate in determining human behavior trends that it is used to track and manipulate consumer buying habits for corporations. With its accuracy, the system will be able to determine what marketing tools can be used to influence the behavior of buyers.

With unfettered access to consumers’ personal transactions, buying habits, methods of payment, and credit history, a system would be able to pinpoint buyers who demonstrate interest in certain products and offer “special deals” to a specific group of highly interested buyers.

Inevitably the very system (laws, practices and technologies) that successfully protects humanity from itself is used to manipulate and exploit humanity.

Perhaps you believe that there is nothing wrong with this level of target marketing. If so, I submit to you these questions: What will separate humanity from cattle if every man, woman and child is seen as nothing but a number and a consumer to the system that we rely on to survive? Since we are already regarded as merely numbers and consumers by the corporate beast, how much control and information will we allow them to have?

Perhaps this is a bit much. Perhaps I exaggerate the technology and extent of fear that will breed it.

http://www.p2pnet.net/issue03/page1.html

http://www.epic.org/

http://www.jbholston.com/weblog_discussion.php?post_id=74
Statewatch.com – Secret EU-US agreement being negotiated. http://www.statewatch.org/news/2002/jul/11Auseu.htm
http://www.eff.org/Privacy/TIA/20030523_tia_report_review.php

http://www.aaai.org/

nin – TheSlip (thanks Trent)

Ray Kurzweil @ Google Zeitgeist

Civil Contingency Bill

Eschelon TIA – Total Information Awareness

6v Battery Hack – WE’RE CUTTING PRICES IN HALFF!!

Gag Films has a great idea to get cheaper batteries. Get a 6v Lantern Battery (about $6), take the label off, pop the top, disconnect the wires. And you’ll find 32 AA batteries.

Sysadmin tries, fails at being l337 hax0r, gets jail time

A 51-year-old sysadmin has gotten a record jail sentence after attempting (and failing) to write code that would have destroyed everything on one of his company’s servers.

Digger SalineMist:
You just know the other admin found it like this:

#
# SECRET CODE FOR REVENGE
# last change Andy Lin 4/20/2004
#

lol
Digger 89Vision:
Samir: I have a question.
Peter Gibbons: Yes?
Samir: In… in these conjugal visits, you can have sex with women?
Peter Gibbons: Yep, you sure can.
Samir: OK, I’ll do it.
