Elamb Cybersecurity

Blog

  • Tired of your boss snooping on or blocking your web browsing?

    This article explains how to setup and use a proxy to route all your
    web surfing at work (or anywhere) through an encrypted tunnel to the
    connection at your house. Uses OpenSSH and Privoxy. Leaves no trace of
    the sites you visit and gets around any site blocking that may be setup.

    Cool article.  Its got me wondering if you can have the same level
    of privacy from an anonymous web proxy such as anonymizer.  I
    don't see why not. 

    As I recall from my old firewall DNS days, the traffic looked like that
    code in the Matrix because there was so much of it going through our
    server.  At the time, I was one of the “LAN Nazi's.”  We were
    “guarding all the doors and hold all the keys.”  We monitored (and
    stored all the traffic).  We'd see the occasional Titty sites but
    typically we didn't crack down unless there was extreme abuse of the
    security policy.  Usually, it was some guy working at the dead of
    midnight that thought he could surf child porn safely… “trouble” is
    not the word for what these guys were asking for.  In accordance
    with the Privacy Act of 1987, we weren't allowed to actively look for
    that type of stuff (as it would be in admissable in a court – due to
    infringement privacy.. of course if it was terrorist act.. all bet are
    off, IAW Patriot Act).  If we found such material while
    “monitoring” the system, that was a different story.

    Though I don't support violating security policies, I do support
    privacy of employees.  I believe another way to protect ones
    privacy might be to surf from an anonymizer

    Here are some free ones:

    More here –> http://anoniem-surfen.eigenstart.nl/
    Check out Effs Tor –> http://tor.eff.org/

    read more | digg story

  • How to bypass those annoying automated recordings at most major companies

    Strategies and how to get directly connected to someone with a pulse instead of listening to a damn recording at most major companies. Very interesting and helpful.

    read more | digg story

  • Steve Gibson Tells How to Take Down the Entire Internet

    Watch the Video from Call For Help when Leo talks to Steve Gibson about how to take down the entire Internet due to the weak and vulnerable DNS system and root servers. This is an amazing segment!

    read more | digg story

  • 6 Dumbest Ideas in Computer Security – Revisited

    Markus Ranum’s popular “6 Dumbest Ideas in Computer Security” is apparently accepted by many. I agree with a couple of his points, but have serious issues on the others.

    Here is what Mark had to say in a nutshell:

    1) Default Permit –

    Allow everything except bad processes and/or users.

    I Agree.

    There is a lot of this going around and it is dumb. And I say its dumb in total humility, we all do dumb things from time to time. With Windows XP service pack 2, which is basically a firewall implemented on top of the OS and though it is not perfect, I believe that more people are beginning to see the importance of DENY ALL.

    2) Enumerating Badness

    Listing a concentrating on the thousands of malware as opposed to concentrating on accounting for the legitimate software and getting rid of the rest. It’s a ploy by the man to keep security corporations afloat.

    I Agree and Disagree with this.

    I agree that it is important to have accountability for what is going great on your system and running as it should. You should know and maintain your “known good” baseline configuration. But it is like protecting your home. Shouldn’t you know what recent rash of crimes are going on in your neighborhood?

    Shouldn’t you keep note of those crimes and have a method or practice of protecting yourself. Although it is impractical to seek out every possible type of attack a criminal will use against your home, you should at least have protection against the MOST LIKELY methods that might be used against your home. I believe that being aware of some of the most possible known threats to your system and taking action is like personal insurance.

    3) Penetrate and Patch –

    Systems should be designed better so they don’t have to be patched.

    WTF (What the f*#@!!)

    Of course systems should be designed better… and humans should be designed so that we don’t go to war! And there shouldn’t be hunger anywhere on planet earth. Could have, Should have, would have. In a perfect world, I.E. WOULD HAVE been ABORTED. But Internet Explorer was released to all and controlled 95% of the browser for years. Mark, there are systems that need patches. Security isn’t just proactive its reactive. I understand and agree with what you are saying but in the real world millions of people by millions of badly designed and even hazardous products.

    4) Hacking is Cool

    Mark insists that saying “hacking is cool” or having popular series of “hack” books (i.e. Google Hacks, Mind Hacks) is glorifying criminals.

    I Strongly Disagree.

    This is yet another example of someone ignorant of what hacking actually is.

    I’ve had numerous arguments about this. I don’t care what you say Mark (or anyone else) hacking is and always will be cool. NO!… I don’t believe CRIME is not cool. Hackers are not always criminals. You would have to go to the Defcon to realize this. But Mark seems like the type that would look down his nose at Defcon and everyone there. Many of the vulnerabilities that are discovered before criminals exploit them are discovered by gray hats, hackers who actively or accidentally discover security holes. Many times these gray hats actually warn the companies and are told to sit down and shut.

    Even if you did believe that every hacker is a criminal and ALL hacking is a crime, would it not make sense to know your enemy and what he/she does? Criminal Profilers must not only know the tactics of criminals they have to UNDERSTAND them. I was a cop for five years. In my experience, the best cops & investigators understood not only how and why people commit crimes but also how they try and get out of it.

    Mark calls hacking “social problem.”

    Even TLC (the learning channels) does not take this stance on hacking. Check out their list of the famous & Infamous hackers.

    Hackers included on the TLC page:

    Steve Wozniak (co-founder of Apple)

    Richard Stallman (creator of GNU)

    Dennis Ritchie/Ken Thompson (created UNIX)

    TSutomu Shimomura (caught Kevin Mitnick)

    Linus Torvalds (creator of Linux)

     

    This is a good definition of what a hacker is:

    http://en.wikipedia.org/wiki/Hacker#History

    Most Information Security professionals (or those claiming to be) either completely understand what “hacking” is or do not understand it at all.

    5) Educating Users

    Users should be kept dumb.

    I disagree.

    Social Engineering is the best example of what happens when your users are blind. The biggest threat to any system is the people using them. Kevin Mitnick said, “There is no patch for stupidity.” Really funny, but I disagree the patch is Security Awareness. Check out what the folks at Security Awareness for MA PA and the Corporate clueless blog had to say. 

              6) Action is Better Than Inaction

    It really is easier to not do something dumb than it is to do something smart.

    I agree. Very well put.

     

    I would also add a seventh, brought up by Par Kris Buytaert at x-tend.be:

    7) Security Can be sold in a Box

             Everyone wants a push button solution to all their security issues.  The truth is that it does not exist.  The only way to beat the game is stay ahead of it.  That is not to say everyone should be security geeks, but they should have some understanding of spyware, malware and other filth (that is if they value there accounts, privacy and data).

     

    Over all, I feel that article has a lot to give to computer security community.  Its great that there are professionals that put that much thought on what they feel  is right.

     

     

  • Home Security Systems You Can Watch from Work

    Do you know what’s going on in your home when you’re away at work?
    Do you have a reliable home security system that can relieve you of
    your worries and concerns when someone is breaking into your home when
    you’re away? If you already have a home security system in place, how
    reliable and steadfast is it? Has anyone ever broken into your home
    even with your current home security system in place? Do you know that
    you can now install a home security system that utilizes the Internet
    so that the home security system can actually alert you of unusual
    activities at home?

    That’s how far the home security system
    technology has advanced. If you’re still having one of those old home
    security systems that blares a siren whenever there’s an intruder, then
    you’re not doing the best you can to protect your home. How many times
    have you heard one of those sirens cut through the silence of the night
    and ignored it because the siren is turned off about a minute later?
    Intruders who break into homes know how to turn off the old types of
    home security systems and they can usually break through any of those
    home security systems easily.

    With the advancement of technology,
    home security systems have developed into more than just an electronic
    alarm system that detects opened windows or doors. Conventional home
    security systems have sensors built into the home security units that
    detect interruption in the flow of electricity. Whenever the home
    security system detects the interruptions, it will either let out a
    deafening siren or activate strobe lights to attract attention.

    But have you ever thought about this – what if others choose to ignore the sirens and lights?

    What
    you really need is a home security system that will silently alert
    guards and you of the activities in the home. Combining the advancement
    of the technology used to create and develop home security systems
    together with the Internet, the home security system will silently send
    signals of the intrusion to a call center run by the home security
    company. It will also send a message to your cell phone or make a call
    using your telephone line to you to alert you of a possible break in.
    With the home security system’s silent method of alerting various
    parties, the intruder is not alerted but YOU are. Therefore, it will
    give the police and the relevant authorities enough time to act and
    catch the intruders in action.

    In fact, the latest home security
    systems in the market today allow you to activate and deactivate your
    home security system via the Internet or through your phone. This is
    what I call a TOTAL convenience to home security systems.

    Dakota
    Caudilla, journalist, and website builder Dakota Caudilla lives in
    Texas. He is the owner and co-editor of http://www.at-home-source.com
    on which you will find a longer, more detailed version of this article.

    Dakota Caudilla, journalist, and website builder Dakota Caudilla lives in Texas. He is the owner and co-editor of http://www.at-home-source.com on which you will find a longer, more detailed version of this article.

  • Beer Can Padlock Shim aka "Masterlock Master Key"

    How to build a better padlock shim using a very special hacker tool… A beer can.

    This was picked from Deviant Ollam at Defcon 13.  This is yet
    another reason I love Defcon.   I've heard the arguement that
    we [security professionals] should NOT “promote” hacking or do anything to suggest that it is cool.

    But I think that is a pretty stupid thing to say… because hacking IS
    cool.  Its not always bad and definitely not always good.  As
    far as going to events like Defcon… The IT and Security Industry are
    so slow and firewalled with corporate BS that they will actually hide
    things the consumners need to know.  Just look at CiscoGate
    Or, do like a typical government, know that there is a problems but be
    so filled with overhead and beauracracy that they can not do any thing
    about it even if they cared enough to.

    You don't have that kind of big brother crap at the Defcon.  If
    its broke you fix it and if it is fixed you break it to see if its
    possible. 

    If
    the locks on the doors into your house are no good don't you want to
    know about it ASAP?

    Ollams Site:
    http://deviating.net/

    read more | digg story

  • IEEE 802.20: Mobile Broadband Wireless Access (MBWA) vs. WiMax

    802.20 was approved by the IEEE in
    2002.  The Mobile Broadband Wireless Access Working Group has been
    working on the project.

    This 802.20 is a standard for “air interface” efficient packets that
    will be affordable and across multiple vendors.  802.20 will
    operate at 3.5 GHz at 1 Mbps. 

    802.20 will allow you to cheaply use the Internet while on the
    road.  This would be really great for long trips.  I can't
    tell you how many times I've on the road wishing I had access to
    Mapquest or Yahoo Maps.

    802.20 WG Documents:
    http://grouper.ieee.org/

    How is this different from WiMax?
    Although WiMax (802.16e) is similar to MBWA in that it focuses on air
    interfaces, WiMax will operate in the 2-6 GHz ranges versus MBWA's
    3.5.  WiMax will cover a smaller area than 802.20.

    WiMax Forum
    http://www.wimaxforum.org/home

    Resources:

    http://www.wi-fiplanet.com/

  • Email Security and the Necessity of Security Education for Small Business

    Email and document security is no longer just an option for
    companies, it is a necessity. Couple that with the costly user
    licensing of most enterprise software solutions and many small business
    operators can be locked out of taking advantage of Best Practice
    strategies that ensure the privacy of intellectual property and
    communication. Setting rights permissions to documents and encrypting
    email will be essential to future security practices for all businesses.

    Common
    knowledge has been that the less sophisticated small business operates
    on a pricing sensitivity and is more apt to take advantage of
    promotions, whereas the more sophisticated make security decisions
    based on perceived business necessities. Overall, small businesses tend
    towards waiting to implement internet security measures until after
    suffering an email breach or informational leak. By this time privacy
    and accompanying monetary loss may have already done irreparable harm
    to a company's intellectual property and reputation. Large enterprise
    solutions make it necessary to adopt complex IT infrastructures and
    processes that are usually dependent on an IT staff – a solution that
    does not fit well into the budgets of most small businesses.

    According
    to published reports in PCWorld.com, there are nearly 70 million small
    businesses worldwide and over 20 million in the U.S. alone. Small
    business is a major part of the global economy – that means it's time
    to replace a general passivity towards the possible threats from email
    and document theft with a look towards initiating security measures as
    a business standard. The increasing level of security risk due to email
    and intellectual property theft make it imperative for small businesses
    to raise their level of security knowledge and investment.

    Recent
    studies show that although information security is a high concern for
    small business owners, lack of actual knowledge and awareness of the
    economic impact of security incidents is equally high. Imparting an
    awareness to the small business community of the real threats in
    regards to security vulnerability should be top priority. Through
    education in this arena, small businesses can better enable them to not
    only determine their own level of risk but also choose the necessary
    email and document security solutions.

    The responsibility of
    raising awareness of security provisions needs to come not only from
    governing agency reports, but also from security solution vendors.
    Providers of business tool solutions are better equipped than any other
    entity to position themselves as leaders in educating businesses on not
    only the dangers but the appropriate basic security measures to
    complement a small company infrastructure. Especially here, being
    informed on which internet security products best suit a company need
    is important as the needs of small businesses are vastly different than
    that of enterprise businesses.

    Look to numerous market survey and
    analysis reports that specialize in studies on information security and
    small business. A little research will show they repeatedly state the
    same warning to small businesses – they need to change their attitude
    towards security and begin adopting a security plan.

    Taking the
    time to gather information on creating good internet security practices
    will lead to a decrease in the future cost of lost productivity, and by
    educating your workforce you create an even wider prevention of
    productivity loss.

    Nan Schwarz, Director of Corporate Marketing
    http://www.essentialsecurity.com

    Schwarz
    is the director of corporate marketing for Essential Security Software
    and is responsible for worldwide creative marketing strategy and
    execution, corporate branding, and public relations.

    Essential
    Security Software (ESS) is a provider of document and email security
    solutions. ESS has developed a premier, easy-to-use, peer-to-peer
    content protection and user rights management solution that enables
    small business owners and individuals to securely distribute sensitive
    email messages and documents while protecting the privacy, integrity
    and authenticity of their intellectual property. ESS believes that
    people have the right to affordable security software technology that
    is powerful, flexible, and easy-to-use.

  • Motorola RAZR 2 appears online

    It is still as svelte as it ever was, but the original Motorola RAZR V3
    is getting a little long in the tooth, if you know what we mean.

    A few people I've talked to said they didn't think the RAZR was worth
    the money because its not intuitive and its load time is slow.  I
    think I'll hold out for a PDA/Phone. 

    As for the RAZR II, it seems to look just like the first.

    read more | digg story

  • Get Free Acces to Lynda.com Video Tutorials

    Lynda.com is giving away free access to it's paid library of video
    tutorials .Don't miss this oppertunity.Tutorials cover products from
    Adobe,Apple,Discreet,Macromedia,Microsoft etc.Also included are easy to
    follow video tutorials on HTML,Php,CSS,Perl,Java,Photography etc. And
    yes it is *LEGAL*

    read more | digg story