infosec news / admin / All

USB Drives and Wax Seals

admin — Wed, 16 May 2012 15:26:06 -0400

Need some pre-industrial security for your USB drive? How about a wax seal? Neat, but I recommend combining it with encryption for even more security!...

1 Vote(s)

Security Vulnerabilities in Airport Full-Body Scanners

admin — Wed, 16 May 2012 09:26:04 -0400

According to a report from the DHS Office of Inspector General: Federal investigators "identified vulnerabilities in the screening process" at domestic airports using so-called "full body scanners," according to a classified internal Department of Homeland Security report. EPIC obtained an unclassified version of the report in a FOIA response. Here's the summary....

1 Vote(s)

U.S. Exports Terrorism Fears

admin — Tue, 15 May 2012 09:26:04 -0400

To New Zealand: United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as "body bombers." [...] "Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward." Why the headline of this...

1 Vote(s)

SEC Guidance Is a Really Big Deal

admin — Mon, 14 May 2012 17:26:07 -0400

In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents, my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal. Since then I attended a conference on Director's and Officer's insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference. First, lawyers who read the language in the SEC guidance treated it as a "stop whatever you're doing and read this" moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidance. Clients bombarded insurance firms asking what lan

1 Vote(s)

New INFILTRATE 2012 Movie is up! With surprise introduction by Halvar!

admin — Mon, 14 May 2012 15:26:06 -0400

Posted by Dave Aitel on May 14OH: "So....static analysis! Let's talk about it!" (Long pause follows.)

That's pretty much straight out of most parties I go to! Luckily, there
are a few people who can go into static analysis to great levels of
depth, and some of them give talks at INFILTRATE. :>

http://www.immunityinc.com/infiltratemovies/movies/JulienVanegue.mp4

-dave

1 Vote(s)

Re: Mobile Phone Security Survey

admin — Mon, 14 May 2012 11:26:06 -0400

Posted by Hamid on May 14There were some issues regarding some optional questions that has been
marked as mandatory mistakenly. Thanks to quick feedbacks they are
fixed now.

Hamid

1 Vote(s)

The Trouble with Airport Profiling

admin — Mon, 14 May 2012 09:26:04 -0400

Why do otherwise rational people think it's a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: "Muslims, or anyone who...

1 Vote(s)

Friday Squid Blogging: New Book on Squid

admin — Fri, 11 May 2012 19:26:04 -0400

Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. And a review. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

1 Vote(s)

April 2012 Free Giveaway Winners of eLearnSecurity Training

admin — Fri, 11 May 2012 15:26:05 -0400

We Have Winners!!

On March 21, 2012 eLearnSecurity released a drastically improved verion of the course materials for their professional-level training course, Penetration Testing Course Professional. PTP2 now looks highly more sophisticated, polished and advanced than before with 4 hours of new up to date videos, 800 new slides and completely new modules. PTP2 aims at becoming the most hands-on training course on penetration testing with extremely in-depth course material and two different and highly advanced Virtual Labs integrated within the course itself: Coliseum for web application security and the newly announced Hera Lab. The Professional training course leads to the...

1 Vote(s)

Mobile Phone Security Survey

admin — Fri, 11 May 2012 15:26:02 -0400

Posted by Hamid on May 11Hello DD!

Few weeks ago I had a writeup about (in)security trends in mobile phones
and now I've reached to a point that I need results of a survey to
validate and confirm some facts that are going to be covered in paper.

I would appreciate your help by participating in this survey, or be even
more awesome and spread it among your friends that are not security geeks!

Survey link:

http://goo.gl/pQO02

Thank you!
Hamid

1 Vote(s)

Smart Phone Privacy App

admin — Fri, 11 May 2012 09:26:06 -0400

MobileScope looks like a great tool for monitoring and controlling what information third parties get from your smart phone apps: We built MobileScope as a proof-of-concept tool that automates much of what we were doing manually; monitoring mobile devices for surprising traffic and highlighting potentially privacy-revealing flows [...] Unlike PCs, we have little control over the underlying privacy and security...

1 Vote(s)

Security Fail

admin — Thu, 10 May 2012 07:26:03 -0400

Funny....

1 Vote(s)

A Foiled Terrorist Plot

admin — Wed, 09 May 2012 13:26:04 -0400

We don't know much, but here are my predictions: There's a lot more hyperbole to this story than reality. The explosive would have either 1) been caught by pre-9/11 security, or 2) not been caught by post-9/11 security. Nonetheless, it will be used to justify more invasive airport security....

1 Vote(s)

RuggedCom Inserts Backdoor into Its Products

admin — Wed, 09 May 2012 09:26:06 -0400

All RuggedCom equipment comes with a built-in backdoor: The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be...

1 Vote(s)

Overreacting to Potential Bombs

admin — Tue, 08 May 2012 09:26:05 -0400

This is a ridiculous overreaction: The police bomb squad was called to 2 World Financial Center in lower Manhattan at midday when a security guard reported a package that seemed suspicious. Brookfield Properties, which runs the property, ordered an evacuation as a precaution. That's the entire building, a 44-story, 2.5-million-square-foot office building. And why? The bomb squad determined the package...

1 Vote(s)

Naval Drones

admin — Mon, 07 May 2012 09:26:05 -0400

With all the talk about airborne drones like the Predator, it's easy to forget that drones can be in the water as well. Meet the Common Unmanned Surface Vessel (CUSV): The boat -- painted in Navy gray and with a striking resemblance to a PT boat -- is 39 feet long and can reach a top speed of 28 knots....

1 Vote(s)

Friday Squid Blogging: Squid Bicycle Parking Sculpture

admin — Fri, 04 May 2012 17:26:04 -0400

Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

1 Vote(s)

Tampon-Shaped USB Drive

admin — Fri, 04 May 2012 15:26:07 -0400

This vendor is selling a tampon-shaped USB drive. Although it's less secure now that there are blog posts about it....

1 Vote(s)

Facial Recognition of Avatars

admin — Fri, 04 May 2012 09:26:03 -0400

I suppose this sort of thing might be useful someday. In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there...

1 Vote(s)

Criminal Intent Prescreening and the Base Rate Fallacy

admin — Thu, 03 May 2012 08:26:04 -0400

I've often written about the base rate fallacy and how it makes tests for rare events -- like airplane terrorists -- useless because the false positives vastly outnumber the real positives. This essay uses that argument to demonstrate why the TSA's FAST program is useless: First, predictive software of this kind is undermined by a simple statistical problem known as...

1 Vote(s)

Al Qaeda Steganography

admin — Wed, 02 May 2012 14:26:03 -0400

The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie. Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence -- more than...

1 Vote(s)

Cybercrime as a Tragedy of the Commons

admin — Wed, 02 May 2012 10:26:04 -0400

Two very interesting points in this essay on cybercrime. The first is that cybercrime isn't as big a problem as conventional wisdom makes it out to be. We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority....

1 Vote(s)

May 2012 Free Giveaway Sponsor - iSWAT by FishNet Security

admin — Tue, 01 May 2012 13:26:04 -0400

Win 1 Free Training Seat at iSWAT 2012 Worth $3995!!

Information Security Warrior Authorized Training (iSWAT) (http://www.iswatevent.com/) event. During this training event, you will gain tactical insights and strategies to conquer your career and corporate goals with:

• Nationally recognized elite instructors offering multi-vendor training programs
• Network with industry leaders
• Onsite certification testing
• Reduced costs with a single training event

So what's in it for you? Not just a ticket to another security conference, but this month's chosen winner gets a full seat in the training course of their choice... and there are plenty from which to choose. To see...

1 Vote(s)

With a real team, it's not about the numbers

admin — Tue, 01 May 2012 11:26:01 -0400

Posted by Dave Aitel on May 01I find articles like the recent one in Forbes

quite funny in a way - and likewise talks about "rootite" and bug mining and so forth. Part of this is because
philosophically I know that teams who focus on the money tend to lose. Obviously you need a lot of money to get things
done in...

1 Vote(s)

When Investigation Fails to Prevent Terrorism

admin — Tue, 01 May 2012 09:26:05 -0400

I've long advocated investigation, intelligence, and emergency response as the places where we can most usefully spend our counterterrorism dollars. Here's an example where that didn't work: Starting in April 1991, three FBI agents posed as members of an invented racist militia group called the Veterans Aryan Movement. According to their cover story, VAM members robbed armored cars, using the...

1 Vote(s)

Interview with MAKE: The End of chumby, New Adventures

admin — Mon, 30 Apr 2012 21:26:10 -0400

Last week, the Internet discovered the end of chumby as you have known it. My exit from the company five months ago was deliberately discreet. It was a good run, but it was also time for me to move on. Upon hearing the news, my good friend Phil Torrone reached out to do an interview, [...]

1 Vote(s)

Course Review: Penetration Testing Professional v2 by eLearnSecurity

admin — Mon, 30 Apr 2012 13:26:06 -0400

second release of Penetration Testing Professional (affectionately known as PTP2) (http://www.elearnsecurity.com/course/penetration_testing/), which most notably contains expanded content and new lab environments.

The course is delivered through a web-based Flash interface. The presentation will be familiar to anyone who has experience with the first iteration of the course, but at the same time the overall feel is cleaner and more polished. A colleague was recently considering web app training, and he was torn between a book and this course. He stated something along the lines of, “My brain is telling me to be economical and just get a book, but my...

1 Vote(s)

JCS Chairman Sows Cyberwar Fears

admin — Mon, 30 Apr 2012 09:26:07 -0400

Army General Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, said: A cyber attack could stop our society in its tracks. Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race....

1 Vote(s)

Vote for Liars and Outliers

admin — Fri, 27 Apr 2012 21:26:06 -0400

Actionable Books is having a vote to determine which of four books to summarize on their site. If you are willing, please go there and vote for Liars and Outliers. (Voting requires a Facebook ID.) Voting closes Monday at noon EST, although I presume they mean EDT....

1 Vote(s)

Bringing the Unsexy Back: The Process of Selling SE Penetration Tests

admin — Fri, 27 Apr 2012 17:26:09 -0400

By Chris Hadnagy

For the past few months, I’ve brought you articles on launching your career as a social engineer, the psychology and history behind hacking humans and even some scams you can pull on your clients for their own good. As wonderful as it is to talk about the methods, the tricks and the sexy stories of social engineering pwnage, we need to take a step back and discuss the business end of this spectrum.

Yes, I said it… business side. After all, most of us reading this article either are in IT/Security or want to be....

1 Vote(s)

Friday Squid Blogging: Chesapeake Bay Squid

admin — Fri, 27 Apr 2012 14:26:02 -0400

Great pictures. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

1 Vote(s)

Attack Mitigation

admin — Fri, 27 Apr 2012 08:26:02 -0400

At the RSA Conference this year, I noticed a trend of companies that have products and services designed to help victims recover from attacks. Kelly Jackson Higgins noticed the same thing: "Damage Mitigation as the New Defense." That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop...

1 Vote(s)

72 hours

admin — Thu, 26 Apr 2012 19:26:06 -0400

Posted by Shari Bermudez on Apr 26Just a reminder that there are only 72 business hours remaining before
registration closes for the WebHacking and Master training classes.
Sign up today. Call 786-220-0600 or email training () immunityinc com
The 20% discount offer for re-tweeting still stands.

http://immunityinc.com/education-currentschedule.shtml

1 Vote(s)

Spooked at RSA 2012

admin — Thu, 26 Apr 2012 12:26:02 -0400

Posted by Dave Aitel on Apr 26So we put my RSA 2012 talk up, along with the comments from the viewers that RSA collected.

I 100% agree with every comment in the feedback form, which include such bon mots such as "You reek of pride". Frankly,
I am quite proud of what the offensive community has been able to do over the last ten years. And I was a bit hurried
during the actual talk (the one below is from my 6am-dry-run-in-hotel-room since they didn't record...

1 Vote(s)

Biometric Passports Make it Harder for Undercover CIA Officers

admin — Thu, 26 Apr 2012 09:26:02 -0400

Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents. Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a...

1 Vote(s)

Book Review: Metasploit The Penetration Tester's Guide

admin — Wed, 25 Apr 2012 17:26:06 -0400

“Metasploit – The Penetration Tester's Guide” (http://nostarch.com/metasploit) by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni is perhaps the most enjoyable book I have come across regarding the uses and functionality of Metasploit (http://www.metasploit.com). There were so many concepts it refreshed me on, many functions I didn’t know existed and other functions I did not correctly understand even with my years of using Metasploit. Let’s take an in-depth look into this stellar publication by No Starch Press.

Initially I skipped through the first chapter of the book, “The Absolute Basics of Penetration Testing.” However, I went back to the...

1 Vote(s)

What's happening at SyScan'12 Singapore

admin — Wed, 25 Apr 2012 11:26:04 -0400

Posted by Thomas Lim on Apr 25Dear Dailydave readers

Do you know what's going to happen at SyScan'12 Singapore next week?

BEER, BEER, BEER, BEER, BEER, BEER, BEER, BEER....

13 AWESOME SPEAKERS:
a. Stefan Esser (i0n1c)
b. Chris Valasek (nudeaberdasher)
c. Tarjei Mandt (kernelpool)
d. Alex Ionescu
e. Edgar Barbosa (0pC0de)
f. Jon Oberheide
g. Brett Moore (antic0de)
h. James Burton (Jayji)
i. Seung Jin Lee (Beist)
j. Ryan MacArthur (Backpacker)
k. Loukas (snare)
l....

1 Vote(s)

Fear and the Attention Economy

admin — Wed, 25 Apr 2012 09:26:03 -0400

danah boyd is thinking about -- in a draft essay, and as a recording of a presentation -- fear and the attention economy. Basically, she is making the argument that the attention economy magnifies the culture of fear because fear is a good way to get attention, and that this is being made worse by the rise of social media....

1 Vote(s)

Amazing Round of "Split or Steal"

admin — Tue, 24 Apr 2012 10:26:07 -0400

In Liars and Outliers, I use the metaphor of the Prisoner's Dilemma to exemplify the conflict between group interest and self-interest. There are a gazillion academic papers on the Prisoner's Dilemma from a good dozen different academic disciplines, but the weirdest dataset on real people playing the game is from a British game show called Golden Balls. In the final...

1 Vote(s)

Save yourself 20% by tweeting

admin — Mon, 23 Apr 2012 17:26:04 -0400

Posted by Shari Bermudez on Apr 23Want to come to our June Master or WebHacking class but do not want to
pay full price? You can save yourself 20% in ~5 minutes by following
these simple steps:

(1) If you are not already doing so, follow us on Twitter @immunityinc
and/or @infiltratecon.

(2) ReTweet this tweet from today: "RT and receive 20% off June
training classes when you sign up before 4/27! ow.ly/asvSG e-mail
admin () immunityinc for info!"

(3) Email training...

1 Vote(s)