Blog

  • Firefox Still Tops IE for Browser Security

    The number of security holes that occur isn't as telling as how they're handled.

    Here is the skinny.  Firefox actually has more security issues
    than Internet Explorer, but the thing is that it usually takes
    Microsoft weeks to fix security issues.  This gives malicious code
    writers PLENTY of time to create and distribute something juicy.

    “Mozilla is forthcoming about vulnerabilities,” Levy said, whereas “it takes Microsoft far longer to acknowledge vulnerability.”

    Now here is another thing about Microsoft (and Cisco): they lie and
    cover up some of the security flaws.  This is probably because of
    reputation and shareholder protection or who knows what other
    bureaucracy and formalities.. but Firefox is very fast.

    I was at Defcon 11 and I recall some Gray Hats found a few flaws in
    Microsoft products (serious ones… nothing new about that).  They attempted to submit these
    flaws to Microsoft and other companies and were completely
    ignored.  Sometimes it seems giant corporations can only put out
    fires instead of preventing them.

    Here is an example of how slow the Microsoft people are on security: 6-month-old exploit.


  • Google Toolbars Phishing: How to avoid it phishermen

    Phishermen are targeting Google software:

    An Internet security specialist says a
    new threat forces computers to install faked Google software via
    Instant Messengers, which then goes phishing.

    If you have been in a coma for the last few years, phishing involves
    criminals setting up fake sites, or sending emails about them, that look
    exactly like they came from legitimate sources.  These sites usually
    attempt to collect personal information such as the login and password of,
    oooh, I don't know… say a PayPal or bank account.

    I get these phishing emails nearly every day.  “How can you tell
    it's a phishing account?”  you ask.  Well, for one of my email
    accounts I don't even have a PayPal account set up, and it receives
    repeated emails saying my “PayPal” account is going to expire, or that my
    PayPal account had someone added to it.  Another thing is that
    companies such as eBay, PayPal, and banks won't ask you to
    log in.  If they do, call the actual eBay service rep and see what
    is going on.  DO NOT GO THERE FROM AN EMAIL LINK.. EVER.

    Another thing you can do is click the “Show Original Message” button or
    link on the opened email.  This will display the inner workings of
    the email.  It will display the IP address where the email
    actually came from.  With Arin.net you can determine the location
    of any IP address.  And with a tool called Sam Spade you can get
    even more information on IP addresses and DNS names.  Running a
    simple “traceroute” command may also give you the IP address if all you
    have is the DNS name and want the IP.

    If you do go to the phisher's site, first of all be careful: some
    of these sites are exploit sites, meaning that if your system is not
    patched and protected it could possibly load malicious code on your
    system.  Once you get to the site, right-click and choose “View Page
    Source”.  This will tell you what is really going on with the site in
    question.
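
As an added example (not part of the original post), here is the “Show Original Message” check described above, done in Python. The sample message, its host names and the `.example.net` trusted suffix are constructed assumptions; the point it shows is that only the Received lines written by your own mail provider can be trusted, so the IP worth looking up is the one your provider recorded at the hand-off.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the post). IPs are documentation
# ranges; "example.net" stands in for the recipient's own mail provider.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP; Mon, 3 Oct 2005 09:15:02 -0400
Received: from mail.paypal.com (unknown [203.0.113.77])
\tby mx.example.net with SMTP; Mon, 3 Oct 2005 09:15:01 -0400
Received: from localhost (localhost [127.0.0.1])
\tby mail.paypal.com; Mon, 3 Oct 2005 09:14:58 -0400
Return-Path: <bounce@mailer.example.org>
From: "PayPal Security" <service@paypal.com>
Subject: Your account is going to expire

Please log in to confirm your details.
"""

def domain(header_value):
    """Lower-cased domain part of an address header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw, trusted_suffix):
    """Find the IP that handed the mail to our provider, plus domain checks."""
    msg = message_from_string(raw)
    handoff = None
    # Each server prepends its Received line, so the newest hop comes first.
    for hop in msg.get_all("Received", []):
        by = re.search(r"\bby\s+([\w.-]+)", hop)
        if not by or not by.group(1).lower().endswith(trusted_suffix):
            break  # lines from here down were supplied by the sending side
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)  # IPv4 only
        if ip:
            handoff = ip.group(1)
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    return {"handoff_ip": handoff, "from_domain": from_dom,
            "return_path_domain": rp_dom, "domains_match": from_dom == rp_dom}

if __name__ == "__main__":
    for key, value in analyze(RAW, ".example.net").items():
        print(f"{key}: {value}")
```

The hand-off IP is the value to look up at Arin.net; a From domain that differs from the Return-Path domain is another hint that the message is not what it claims to be.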


  • Are You Prepared For A Hard Drive Crash?

    It's just a matter of time before you experience a hard drive problem. Are you prepared to lose your data? If your hard drive crashed right now, do you have an action plan to follow?

    Most people only think of backing up their data after they experience a problem. Don't set yourself up for a data loss disaster.

    Your data integrity action plan should consist of the following:

    1) How often you will back up your data

    2) What data you will back up

    3) What back up procedure you will use

    How often you back up your data can only be determined by how important you feel it is. Answer this question “If my hard drive crashed right now, I would be alright if I had the data from at least (time) ago”.

    Of course you would want everything, but if you could have the data from 1 month or 6 months ago, would that be sufficient? Whatever time is sufficient, mark it on your calendar, both on a hard copy and as a meeting on your PC to remind you.

    You change your smoke detector batteries when you turn your clock back and when you turn it ahead, right? Well, back up your data then too.

    If you don't change your clocks then pick some holidays or special dates that happen close to the timeframe you want to back up your data so you won't forget.

    What data you back up depends on how you use your PC. Some of the key directories, if you are using Windows, are the My Documents, Favorites and Desktop directories.

    Remember if you are using multiple profiles on your PC then the three directories above can be different for each profile and each one would need to be backed up.

    You will also want to include your email data. Don't forget to write down the email accounts you have. You should also write down any username and passwords so they are not lost. You should look at every directory to see if it has information that you would need.

    Make a list of all the software programs you are using. If you have the physical CDs put them all together in a safe location.

    Don't forget the CDs for your peripherals like your scanner, digital camera, PDA etc… Collecting these CDs may remind you of additional data that you need to back up.

    If you are running software that you installed from downloaded files, burn them to a CD-R and add it to your collection. If you use a CD-R or DVD-R you can update it as you download and install new applications.

    What procedure you use to back up your data can be determined by the amount of data you want to back up. Your data might fit onto a CD or DVD in which case you just need to burn it and you're done.

    If it spans multiple DVDs then you might want to consider getting a second hard drive to copy your data onto. If you are not comfortable with adding a second internal hard drive or you are using a laptop then you can purchase an external hard drive to back up your data.

    The information you have on your hard drive could disappear in a flash. If you don't want to spend up to $3,000 to have a data recovery company retrieve what information they can from your hard drive, then take a few minutes right now and create your back up action plan.

    If you ever have a data emergency your action plan will be your insurance policy. If you adhere to it, your valuable data will adhere to you!

  • Hak.5 Episode #3 Released

    In this episode of Hak.5 the crew explores ways to hack RSS into your morning routine with a custom alarm clock and newspaper. They make us all a little more paranoid about network security and a flaming-case-mod and a flame-proof blueberry hefeweizen.


  • Google says we don't need Windows

    Google boss Eric Schmidt worked at Sun Microsystems for 14 years, so it's no surprise he shares a vision for the future of computers and networks with Sun boss Scott McNealy. And it's no surprise that future doesn't include a place for Microsoft. Google is so hot right now that Schmidt doesn't have to say much of anything to make waves.


  • Disposable e-mail address roundup: mailiminator and others

    Here's a pretty nice roundup of some of the services available to create throwaway e-mail addresses to keep your inbox free from spam.

    There is a spam counter-culture growing fast on the web.  With sites like mailiminator aggressive on the front lines against spam I feel pretty good about the future.

    Here is how mailiminator works:  Say you see a really interesting $100K per day offer on the Internet! Surely, you can't pass it up.. this could be your big break.  The site even says so. The site wants you to simply submit your email and the cash will come rolling in.   But you're not sure, because the last site you submitted your email to offered $200K per day and as soon as you entered your email address you received 300K emails per day.

    So instead of entering your address you just make up some junk mailiminator account and have all the traffic sent there instead.

    That is a good idea and here are many more antispam tools for you: 


  • Marine (naturalized Philippine citizen) Spy caught in the White House!

    A Marine (naturalized citizen of the Philippines) stole 100 classified documents from FBI computers.  There is no telling what he took or who he sold the information to.  This is bad.

    Top Secret information is information that if compromised could cause grave damage to National Security.

    This is a wake up call to the entire intelligence community, particularly in the area of determining personnel security.  There is perhaps no government employee as trusted as a Marine.  I suspect that this single act will make it more difficult for naturalized citizens of other countries to advance in high ranking government positions for fear of allegiance to the same.

    And you know what this means… no President Arnold Schwarzenegger :(..

    As for Mr. Aragoncillo, they will throw the book at him.  Call me crazy but this seems like the wrong administration to mess around with.  The Bush administration might start saying that the Philippines has WMDs.

    Aragoncillo, a naturalized citizen from the Philippines and US marine, used his top secret clearance to steal classified intelligence documents from White House computers. Both the FBI and CIA are calling it the first case of espionage in the White House in modern history.

    In 2000, Aragoncillo worked on the staff of then-Vice President Al Gore. When interviewed by Philippine television, he remarked how valued Philippine employees were at the White House.

    “I think what they like most is our integrity and loyalty,” Aragoncillo said.


  • Decyphering…and cyphering…driver's licenses

    Site explains and provides tools to determine someone's DL#, and the reverse process as well.

    Before you consider creating fake IDs, consider first that you could be charged with second-degree possession of a forged instrument; it is a Class D FELONY.

    Depending on how many counts you get against you (or how many times you break the law) you could win a significant amount of time in PRISON.

    Is getting into a club and having a few drinks worth the risk of being RAPED by a person of the same sex and being a Felon for the rest of your life?

    If you are willing to take that risk then go have fun, but don't say you weren't warned when you're in the prison shower debating on whether you should pick up your soap.


  • Devices can halt cars with tardy payments

    North Texas Motorcars has a buy-here/pay-here financing method for people with damaged credit.  How do you mitigate the risk of giving a car to a deadbeat that is not going to make payments:

    The box – called a starter interrupt unit – is used mostly at used-car dealerships that provide financing to customers with bad credit. But other segments of the auto industry may adopt it, particularly if consumers' credit ratings continue to decline.

    I think this could be a popular method of financing in the near future, as the recent disasters subsequent to a $200 billion war may put the U.S. in a recession from hell, conveniently as Mr. Bush completes his final term, forcing inevitable higher taxation.

    I think it is a good idea.  It's a win-win situation as it allows people with jacked credit to own a car and practically guarantees the seller's payment.


  • Fingerprint Payment System Becoming a Reality.. privacy issues

    O.k.  Imagine walking into WalMart, gathering $10 in groceries and then instead of swiping your card, you press your finger into a finger-sized scanner.

    German grocery chain Edeka introduced a new pay system, the so-called 'digiProof', late in 2004 and into 2005.  And now an American company called Pay By Touch is doing the exact same thing.

    A San Francisco start-up, Pay By Touch Solutions, is expected to announce today $130 million in fresh financing for a novel way of paying for groceries and other goods and services: a machine that reads your fingerprint.

    This is very Cyberpunk.  Depending on the implementation, this may even be more difficult for ID Theft criminals to take advantage of.  If everything goes in that direction, household phones could actually get the devices and you could make authenticated bill payments from your house and get rid of all your credit cards.

    Then again, since the fingerprint is translated into a number, I imagine criminals could still get ahold of the information the traditional way (unless the number can only be accessed with the original person's print):

    Here's how it works: Customers sign up once, by registering a checking account or a credit card, and showing government identification such as a driver's license. The Pay by Touch technology records the lines and ridges of their fingerprints, and translates the data into a numerical algorithm that is stored in a secure database. The customers thereafter never have to carry a wallet or purse back to the store, and can use their finger to pay for goods across the Pay By Touch network, which now includes stores in 10 states.

    The capital raised — $55 million of it in convertible notes and $75 million in loans — will help the company build out its finger-reading payment systems at several nationwide retailers, including in California in the first quarter of next year.

    This may also be a much better way to track people by their fingerprints and accounts.  Could this raise privacy issues?!  After all, fingerprints could link criminal records if you have any.  And wasn't there something in the Bible about this…?  Oh, no.. that was 666.

    It may be harder to hack but it will eventually be broken.  But that doesn't mean it's no good.
