Archive for July, 2006
The Dark Tangent Says we are all DOOMED!!!

The Dark Tangent (Jeff Moss), president of the DEF CON hacker convention, is interviewed on the CyberSpeak podcast and talks about the change in venue from Alexis Park to the Riviera Hotel and Casino. In response to the question, “who will protect our privacy from big business?”, he responds, “we are all doomed!”. Great interview!

read more | digg story

Crime of the future – biometric spoofing

“Watch where you leave your fingerprints – soon they could be the target of thieves looking to break into your bank account.” — digg

Reminds me of that scene in Spaceballs where Lone Starr knocks out one of the Spaceball guards and places his hand on the biometric palm pad.

Hacked Ad Seen on MySpace Served Spyware to a Million

“An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows, according to data collected by iDefense, a Verisign company.”

6 Tips to Protect Your Internet-to-Real-World Persona

“Craigslist posters robbed at gunpoint in Walnut Creek

An advertisement on the Craigslist.org Web site led to an armed robbery in a Walnut Creek Target store parking lot Sunday night, Lt. Mark Covington of the Walnut Creek Police Department reported.” – found via digg.com

This kind of thing is sure to become worse as more and more of the criminal element get online and see how easy it is to exploit people doing business on the Net. I suspect that bloggers who are too open with their names and addresses will eventually be big targets for all manner of deception. There are many services online on which you may be completely exposing yourself: eBay, Flickr, Craigslist, MySpace, your blog, a website, Google (via a website), Yahoo!, just to name a few. I’m not saying you should not use them. I’m just suggesting you give yourself a buffer from the more insane and evil parts of humanity who seek to harm you.

Here are the steps to protecting your Internet persona:

1) Google yourself. Corporations and businesses are starting to do this prior to hiring new employees. So why not Google yourself and make sure you don’t have pictures on MySpace of that wild St. Patrick’s party you were at last year? Don’t wait. Do it NOW. Check Yahoo!, MySpace, AltaVista, Dogpile and visimo.com. Even if you don’t do much of anything on the Internet, remember many of your friends do. They might have posted pictures of you with your full name and DOB!

2) Use a pseudonym. With only your real name and a past or present address, anyone can get all kinds of very personal information for about $7 on sites such as:
– PublicRecordNow – http://www.privateeye.com
– People Finder – http://www.peoplefinders.com
– AnyWho – http://www.anywho.com/
For more money they can also get extremely personal data (divorce papers, marriage and mortgage documents, etc.). The laws in the U.S., which offer almost ZERO protection for personal privacy, make all this totally legal. A pseudonym will give you a little bit of what is called “security through obscurity”.

3) Use a private domain. If you have a registered domain, you will notice that most domain sellers (such as GoDaddy) offer a way to make your new domain private for a small additional fee. Get that privacy! If you don’t, your address will be put in a database as the primary point of contact for that domain. It is made publicly available all over the world via Arin.net.

*One of the first steps any security hacker takes is to use Arin.net to get more information on their target. Tools like SamSpade make it even easier to get information from registered domains and IP addresses.

4) Use a P.O. box. Instead of your actual home address, go to your local post office and get a P.O. box. It only costs about $25 a year (depending on what kind of box it is). If you’re really paranoid, get it in another county.

*If you set up a corporation or non-profit this is also important, as a corporation is treated just like an individual and is almost immediately advertised all over your local area to other corporations, and eventually finds its way onto the Net with your full home address and possibly your full name.

5) Use a 1-800 number. If you absolutely have to give a phone number out on the Internet, use a 1-800 number. They are great because they can be thrown away or changed easily if they get hit with telemarketers and political lobbyists.

*If you use your real number and it gets in the hands of Bangalore, India call centers, be prepared to get tons of callers trying to sell you Viagra. Trust me, it is NOT fun. Your real number is also easier to trace directly to your real name and real home address.

6) Don’t publish your primary e-mail address. A great way to get lots and lots of spam is to put your real email address on a webpage or blog. Spammers have tools that allow them to automatically scour the Internet and gather email addresses (this is also easy to do with a search engine). The best thing to use is a throwaway email account such as the following:

What many people do is “elamb [DOT] security [ AT] gmail.com” to fool the automated systems, but I suspect this won’t be enough in the near future.

7) Don’t meet anyone you just met online. This should be common sense, but as you read in the example above, some people still don’t see how dangerous the Internet can be. Do NOT meet up with people you just met on the Internet. Just be aware that there are a lot of predators on the Internet.
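As an added self-check for the e-mail tip above (this is example code written for this page, not the blog’s own), the following Python shows why the “[DOT] … [AT]” spelling is only cosmetic: two regular expressions that absorb the bracketed or spaced-out “at”/“dot” words recover a plain address from it. Run it over the string you are about to publish; if `recover_address` returns an address, the obfuscation buys nothing and a throwaway or alias mailbox (or a contact form) is the real mitigation. The sample strings are constructed for the example and are not real mailboxes.

```python
import re
from typing import Dict, Optional

# Constructed sample strings in the style of the "[DOT]"/"[AT]" trick the post
# describes, mapped to what a trivial normalizer gets back; none is a real mailbox.
SAMPLES: Dict[str, Optional[str]] = {
    "elamb [DOT] security [ AT] gmail.com": "elamb.security@gmail.com",
    "jane.doe (at) example (dot) org": "jane.doe@example.org",
    "bob AT example DOT com": "bob@example.com",
    "contact me through the form on this site": None,
}

# "at"/"dot" written as a word inside brackets, as a word between spaces,
# or as the literal symbol; surrounding whitespace is absorbed in all cases.
_AT = re.compile(r"\s*[\[\(\{<]\s*at\s*[\]\)\}>]\s*|\s+at\s+|\s*@\s*", re.IGNORECASE)
_DOT = re.compile(r"\s*[\[\(\{<]\s*dot\s*[\]\)\}>]\s*|\s+dot\s+|\s*\.\s*", re.IGNORECASE)

# Loose shape of a plain address; enough to decide whether normalization succeeded.
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def recover_address(published: str) -> Optional[str]:
    """Return the plain address the two-regex normalizer recovers from the
    published text, or None when nothing address-shaped comes out."""
    candidate = _DOT.sub(".", _AT.sub("@", published)).strip()
    return candidate if _EMAIL.fullmatch(candidate) else None


def obfuscation_is_cosmetic(published: str) -> bool:
    """True when the published form still yields a usable address."""
    return recover_address(published) is not None


def check_samples() -> Dict[str, Optional[str]]:
    """Run the normalizer over every constructed sample."""
    return {text: recover_address(text) for text in SAMPLES}


if __name__ == "__main__":
    for text, recovered in check_samples().items():
        verdict = "recoverable" if recovered else "not an address"
        print(f"{text!r:45} -> {verdict}: {recovered}")
```

The point of the check is the negative result: only the sample that publishes no address at all comes back as `None`, which is the property a throwaway alias or a contact form gives you without relying on spelling tricks.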

Are you on the Internet?
Here are some good places to look:
Search engines: google, yahoo!, dogpile, altavista, msn, metacrawl, visimo (search top 5 pages)
http://dexonline.com (go to residential tab | enter your name, city and state)

You’ll have to send these people mail to get out of their database. You may want to check your local Yellow Pages (online) as well.

Publicly listed information sold to the highest bidder:

Dex Media, through its Dex Direct marketing division, sells two types of lists:
– Publicly available name, address and telephone (NAT) listings that Dex Corporation’s customers agree to have published in White and Yellow Pages, and
– Additional marketing lists – beyond name, address and telephone numbers – that are provided to Dex Media by other companies not associated with Qwest, and then resold to Dex Media customers.

Here is a good reason to use a pseudonym, an untraceable phone number, a private domain and a P.O. box on the Internet.

While it is important to establish a good connection with your customers and readers by being open and honest about who you are, it is more important to protect yourself and your family from the likes of crazies, criminals and shameless solicitous spammers who have no respect for themselves, let alone any for you.

TrustedSource – World Wide Spam by Geo-location

TrustedSource gathers data on the behavior of mail senders across the Internet. Enter an IP address or range and find out how much spam has been sent from it. You can also browse the data on a color-coded map.

DIACAP is READY

What is scary is that my blogs are on Google above some of the most informative pages about DIACAP. For this reason, the government should have secured blogs and/or forums (.mil/.gov only) to allow faster access to this kind of extremely important information. C&A, security engineering and IA officers get information much faster than the Gov’t can publish it. A security forum or secure blogs would allow some of the email we get on the latest IA issues to be posted immediately without fear of giving out unauthorized data over the Internet. Just one man’s opinion.

DoD 8510.bb is signed and will supersede DoDI 5200.40 and DoDI 8510.1-M.

The DIACAP Knowledge Service site is up and ready to go:

https://diacap.iaportal.navy.mil. (.gov, .mil only)

More information on the DIACAP – http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief ISSA_10-28-05.ppt

What I don’t get is how to get to eMASS. 

Unless I have read wrong, the “Enterprise Mission Assurance Support System” (eMASS) is supposed to be the main feature for automating and streamlining the Certification and Accreditation process. It seems that you have to get some sort of software to get access to eMASS. Not sure, I’m researching this while reading up on the new DIACAP documents.

Here is some contact information on how to get on eMASS – https://diacap.iaportal.navy.mil/ks/links2/emass.aspx

HP to hack customers' networks

“The company plans to launch a penetration-testing service for businesses in October that will use the same techniques as hackers to gain access to its customers' machines. However, the exploit code it will use will be controlled and will not propagate itself as a worm would, HP said on Tuesday.”
Sounds like a bunch of pentesting/ethical hacker type jobs are going to open up. I think that other corporations will follow suit. I know some guys who do forensics and pentesting on the side. As vulnerabilities are found more quickly by criminals, pentesters/ethical hackers seem to be becoming more significant.

Malware Responses: What To Do Before, During, And After An Attack

“Don't let a malware attack ruin your business. A little planning and the right responses can make it a minor annoyance instead of a major catastrophe.”
This is a pretty good article. It mentions how to “prepare” for an attack, but I would go a step further and submit how to “prevent” an attack from ever occurring. It is possible to avoid an attack:
1) Get a firewall that uses network address translation (NAT).
2) Use Firefox.
3) Don’t surf shady sites: serial cracks, pirated software, some porn sites, screen savers.
4) Watch out for dirty downloads. Some P2P applications and the warez traded on them are loaded with trojans, worms and other malware.
5) Don’t surf the Internet with administrative privileges.

Former Pentester of FBI, hacks the FBI

This case is not the same as the Department of Veterans Affairs loss of records or the Department of Agriculture’s security failures. In this case, a contracting consultant conducted a penetration test without getting formal approval. He exploited the FBI’s vulnerabilities to gain elevated privileges.

Joseph Thomas Colon, 28, is a former employee of BAE Systems. His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. According to Colon, the FBI field office in Springfield, Ill., to which he was attached, gave him approval.

However, every professional pentester and/or ethical hacker knows that you have to get formal approval from an authority.

Colon's lawyer said in a court filing that his client was hired to work on the FBI's “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI's Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. 

As a result, Mr. Colon will likely serve about 18 months in prison. :(…

Pentesting and ethical hacking tools and techniques must be dealt with responsibly. The bureaucracies that might allow pentesting must be respected at all costs. The first thing taught in pentesting and ethical hacking is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system.

Chinese Plan Tougher Rules On Cyberspace

“Chinese authorities intend to police and control instant messaging, cell phones, blogs and search engines.”
If they continue to apply more and more pressure, the People’s Republic of China is going to break. It is an interesting experiment to see how long people will stand for having zero freedom of speech. Even though America is going the way of China on privacy (as in no citizen having any), it is good to know there is still some freedom of speech left.
