UK planning to monitor and record every phone call, web page, and email sent by citizens

The Home Office will create a database to store the details of every phone call made, every email sent and every web page visited by British citizens in the previous year under plans currently under discussion, it has emerged.

The Government wants to create the system to fight terrorism and crime. The police and security services believe it will make it easier to access important data as communications become more complex.

Telecoms firms and internet service providers (ISPs) have already been approached by the Home Office, which would be given customer records if the plans were realized.

Only a matter of time before the same happens in the U.S. It might already be underway by the NSA. Who knows.

more at Telegraph.co.uk

Popularity: 2% [?]

Code cracking is the new pot of gold

If you think the password protection on your MS Word file is keeping it safe from prying eyes, you’re wrong. The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

read more | digg story

Popularity: 2% [?]

Former Pentester of FBI, hacks the FBI

This case is not the same as the Department of Veteran Affairs loss of records or the Department of Agricultures security failures.  In this case, a contracting consultant conducted a penetration test with out getting formal approval.  He expoited the FBI's vulnerabilities to gain elevated privledges.

Joseph Thomas Colon, 28, is a former employee of BAE Systems.  His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.  According to Colon, the FBI field office in Springfield, Ill., he was attached to gave him approval.

However, every professional pentester and/or ethical hackers knows that you have to get formal approval from an authority. 

Colon's lawyer said in a court filing that his client was hired to work on the FBI's “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI's Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. 

As a result, Mr. Colon will likely serve about 18 months in prison. :(…

Pentesting and ethical hacking tools and techniques must be dealt with responsibly.  The bureacracies that might allow pentesting must be respected at all costs.  The first thing in Pentesting and ethical hacking that is taught is to ALWAYs, ALWAYS, ALWAYS get writen consent to procede from the owners of the system.

 

Popularity: 5% [?]

Password Hacking Programs: EBCD

One of my favorite Password hacking programs is the EBCD.  EBCD stands for Emergency Boot disk.  Since it operates on Linux, many people have a hard time using it.  Anytime, that I've had friends that have locked themselves out of their own system or some co-workers who forgot their login to the corporate laptop and I give them a copy of the EBCD they are at a loss on how to use it because to command line Linux.

So here is something I've been wanting to do for a while.  This is a simple walkthrough on how to use the EBCD.  I'm still working on it.  As with my in entire “hacked” series it is a work in progress.

The EBCD was created by Mikhail Kupchik.  Give him donation if you like his work.  One of these days I hope to have the coding skills necessary to bring to life tools as usefull as this.  These days I'm more into web applications and learning PHP.  Cools stuff.

Popularity: 4% [?]

Create A Password

Creating a Password is easy. Standard practice to create a password that is fairly difficult to crack consists of using at least 8 character with upper and lowercase letters, a number and a special character. So your password should look like this: M1k3@H0m3

This password says “Mike at Home”. It is a good idea to make the password something that is easy to remember. 53Xon+Be@ch

Here is another one that is hard to crack and easy to remember. It says “Sex on the Beach” (”the” is replaced with “+”)

@o15uX@55

If you are on AOL this one might be easy to remember as well.

+H1SismyBby

If you have to log on to a baby site, a password similar to this might help. It says “this is my baby”.

This is the general idea for generating good passwords. But if you have like 30-40 passwords and don't want them to all be the same here is another method that could help you.  READ more about how to create a password and MANUAL ENCRYPTION here.

Popularity: 3% [?]

She Cracked my Hotmail Password: a sad shoulder surfing story

Ever type in your password at work and notice that there is someone standing behind you watching your fingers very closely as if trying to decipher you password? This is known as “Shoulder Surfing.”

If you don't think it is possible to eyeball someone's keystrokes and know their password, think again.

In the '90s, I didn't know much about computers or computer security. I was a military cop well versed in physical security and air base ground defense and only used computers for screwing around. My passwords were as easy as possible so I could remember them.

I didn't fully appreciate the importance of having a strong password until my wife hacked my Hotmail account. No big deal right… WRONG. Like I said I was screwing around. I was big into flirting in chat rooms and on email. I was just having fun with what I thought were beautiful young ladies, but who (realistically) were probably neither beautiful or young or (shedding a tear) ladies.

I'd been spending so much time online with chatrooms and EverQuest (a.k.a EverCrack) that my wife started to get very jealous of the computer and suspected I was up to something. So she shoulder surfed me one night, got my password, and got into my account while I was at work.

To make a long story even longer, my wife went crazy. She called my job screaming, I had to respond to my own house, my weapon was taken away (this is like being neutered for a cop), and the beautiful young lady that I was chatting with…. It was a man (yeah, it was like a cyber Crying Game). Needless to say, I don't do much of ANY chatting these days. But I digress.

Tips to guard your hotmail account cracks, via shoulder surfers.

Popularity: 4% [?]

Strategies To Protect Yourself Against Identity Theft

Identity theft is a serious crime that is growing each year. If you're a victim of identity theft you may spend months, even years, trying to repair a ruined credit history. A seriously damaged credit report can compromise your chances of getting a new job, a bank loan, insurance or even rental housing. It's even possible to be arrested for a crime you didn't commit if someone else has used your identity to break the law.

Unfortunately, many of the methods that thieves use to steal identities are beyond your control to guard against. Although it's rare, even store clerks have been known to use their position to pass along information to identity thieves. There are some measures you can take, however, that will make it harder for a thief to steal your identity.

Protect Your Credit Card Number When Making Purchases

After you make a purchase and your credit or debit card has been swiped through a credit card terminal, check to make sure that the printed receipt hides all but the last 4 digits of your credit card account number (usually there will be Xs in place of the first 12 digits). Some terminals still print receipts that show all 16 digits of an account number, and may even include the expiration date as well. After your card is swiped, you're permitted by law to hide the first 12 digits of your account number on the copy of the receipt that the vendor keeps. Use any marking pen that will do the job.

When you go to a restaurant, it's especially important to make sure that the first 12 digits of your credit card number are hidden on your receipt. You might be in the habit of signing it and then leaving the restaurant's copy on the table after your meal. An identity thief can easily steal the signed receipt before the waitperson comes back around to pick it up from the table. Don't take any chances.

Do You Really Need To Give Your Social Security Number?

Another important way that you can guard against identity theft is to avoid giving out your social security number unless it's absolutely required. Although you need to share your social security number when you apply for credit or for a bank account, sometimes a store or an organization will want to use it as an ID number, simply to identify you within their system. This is a common practice even though the law says that social security numbers aren't to be used as ID numbers. In these situations, use your judgment. There's usually an alternative if you ask.

Destroy Documents That Contain Sensitive Personal Information

Buy a paper shredder and use it to destroy documents you're throwing away which contain personal information such as credit card numbers, social security numbers, phone numbers and dates of birth. This is important to do both at home and at work. Identity thieves aren't above going through someone's trash to find valuable personal information that can help them obtain credit in your name.

If The Worst Happens

If you do become a victim of identity theft, take the following steps immediately:

• Contact your credit card companies, close your accounts and ask to have new cards issued to you.
• Place a fraud alert on your file with any one of the three major credit bureaus. The other two will be notified automatically.
• File a police report. You may need it to show to creditors as proof of the crime.
• File a complaint with the FTC, which maintains a database of identity theft cases used by law enforcement agencies for their investigations.

Popularity: 5% [?]

CISCO LEAP (lightweight Extensible Authentication Protocol) Weak?

Light weight EAP is Cisco's proprietary version of Extensible Authentication Protocol (EAP, used mainly for wireless LANs).  Cisco graciously allowed vendors to support LEAP using Cisco Certified Extenstion (CCX). 

Cisco owns about 60% of the wireless market with 46% of those using Light Weight Extensible Authentication Protocol according to the research group nemertes. 

HAZZAAA!! Cisco is secure…

(except against Dictionary Attacks)

With such a large piece of the wireless market using LEAP, Cisco had sucessfully advertised LEAP as a secure protocol.  Unfortunately, LEAP is weak against Dictionary Attacks (Brewin).

At DEFCON 11, on August 1, 2003, Joshua Wright did a presentation on the weakness of LEAP. 

 

Here is Cisco's response to Leap Dictionary attacks:

To help our customers respond to the possibility of dictionary attacks, Cisco strongly recommends that all of our customers to review their security policies and institute the previously published best practices that are outlined below and in the Cisco SAFE White Papers.

•Use a strong password policy (as detailed below) and periodically expire user passwords (recommended at least every three months) giving users advanced warning to change passwords before they expire.

•If unable to implement a strong password policy, consider migrating to another EAP type like EAP-FAST, PEAP or EAP-TLS whose authentication methods are not susceptible to dictionary attacks:

–EAP-FAST is an authentication protocol that creates a secure tunnel without using certificates.

–PEAP is a hybrid authentication protocol that creates a secured TLS tunnel between the WLAN user and the RADIUS server to authenticate the user to the network.

–EAP-TLS uses pre-issued digital certificates to authenticate a user to the network.

 

FINAL NOTE:

“1 month of audits by l33t security companies: No vulnerabilities
1 month of architecture research by CCIE's: No vulnerabilities
2 days of hacking by DaBubble, Bishop, and Evol: Root.
There's some things that fackers should audit (WEBAPPS) for everything else, get a real hacker.” — SecurityFocus

Why doesn't Cisco become more hacker friendly.  They pissed off the Security Profesionals and Hackers alike with that CiscoGate fiasco, don't have any cool hacker parties at the Defcon.. I mean what is the deal, John Chambers?! 

John, I doubt you will ever read this blog, but here goes anyway, I think that Cisco has great products.  I believe in Cisco's amazing engineering, but if you guys don't aggressively attack security issues PROACTIVELY, you will drop from first class to third class quickly.  I'm not trying to tell you how to run cisco, I'm just saying, why not use hackers and their finding to your advantage. 

Take the IE browser as an example: they used to own 95% of the market, consumners got so fed up with its lack of security that now Firefox (co-created by Blake Ross Intern/Hacker) is doing something not even Netscape could do.  

 

Reference:

EAP. RFC 2284. Extensible Authentication Protocol.

EAP, Extensible Authentication Protocol Wiki. Wikipedia.org

George C. Ou. Leap: A looming disaster in Enterprise Wireless LANs.  Lanarchitecture.net

nemertes, Cisco Warns its WLAN Security can be Cracked. nemertes.com

Brewin, Bob. Cisco Warn its WLAN Security can be Cracked. computerworld.com

Cisco, Abusing 802.11: Weaknesses in LEAP Challenge/Response. Defcon 11/2003

Cisco. Cisco Response to Dictionary Attacks on Cisco Leap.

Popularity: 4% [?]

Good Password Tips and Password Management

These days a single computer user may have dozens of passwords. If you use computers at your job you may need to access secured databases, local workstations and numerous accounts online and each is supposed to have its own unique password. Though many people don't require a logon for their home PC, they will definitely have one for email or websites that they manage. Here is a guide to assist you in strengthening your passwords and password techniques.

After reading this article you will know the following:
-How to make good passwords
-Good password practices
-Techniques to manage all of your passwords

How to Make Good Passwords

Choose a password with the following criteria:
-At least 8 characters in length
-At least 1 number
-At least 1 special character
-Upper and lowercase.

Passwords with difficult combinations make it harder for tools like L0phtcrack, Brutus, John the Ripper, Cain and Able and other password crackers to decipher your password.

When creating a password, don't use personal information such as birthdays, children names, or first and last names. Avoid using words or phrases that can be easily guess or cracked with a “dictionary attack.” Do not use the same password on the different systems. If you work in a classified environment, passwords should be treated at the same level of classification as the systems they protect.

Good password practices

Never share your password with ANYONE including your Administrators, Help Desk personnel or System Administrators. IT professionals at your job or Internet Service Provider (ISP) will not normally ask you for your password. If they do need it then you should give it to them in person and ensure you change it as soon as they are done with their task. A common “Social Engineering” tactic used by malicious hackers consists of calling up unsuspecting users and pretending to be from the computer support staff. Another tactic is to have trusting users email the password or type it into what looks like a legitimate site; this is known as “phishing.”

Be aware of your surrounding when you are typing your password. Watch for “shoulder Surfing” or people watching what you type as you are entering your password. If you use the web to access critical information (such as online banking, or medical information) ensure that the site uses some type of secured method of encryption. You will know this if the site's URL begins with an “https.” SSL and Secure HTTP are sometimes indicated by a tiny lock in a corner of the page. If there is no encryption then it maybe possible for unauthorized users to view and/or capture the data you enter and later access the account using a “sniffer.” A sniffer is a tool that captures all “clear text” or unencrypted data. SSL and Secure HTTP encrypts data so that it looks like gibberish to tools like sniffers.

Techniques to manage all of your passwords

It is best to memorize your passwords however if you have literally scores of passwords from work, home, online business ventures and the bank and you do not have a photographic memory, you may want to write them down and put it in your wallet. This simple and practical task is what author of Beyond Fear, and system security phenomenon, Bruce Schneier, recommends as does Senior Programmer for Security Policy at Microsoft, Jesper Johannson.

Using Password Management applications such as Password Safe, a free Microsoft application for storing passwords, and Password Vault (also free) can help you to effectively manage your passwords.

Another management technique is to allow Windows (and other Operating Systems) to automatically fill in the data. This is great for trusted SECURE environments such as home systems in which you don not need to hide any account information from anyone, but not such a good idea for the work environment. It should also be noted that systems without a high level of Internet security (protected with firewalls, updated patches, NAT enabled, etc) should not use the auto fill features as the passwords are many times stored on the system in clear text making it easy for malicious code such as spyware, trojans and worms to steal your passwords and account information.

The greatest thing you can do to protect your password is to be aware that at every moment someone somewhere would love to access some or all of your accounts. It is not always cyber criminals looking for you banking information, sometimes it is just curious people who happen upon your username & password. It may even be someone you know. Be aware.

 

Other ways to protect your passwords:

.htaccess

PasswordSafe

Online Password Generators:

http://www.winguides.com/security/password.php

http://www.goodpassword.com/

 

 

Popularity: 3% [?]

Written by elamb.security · Filed Under Howto, Passwords, Security Awareness, Security Management, security