[SecurityRatty] tag: link

Education and the willingness of parents ot insure their childs online safety is paramount

Tue, 02 Sep 2008 19:58:11 +0000

I agree with alot of both the Point and Counterpoint articles by Alan and Mary.
The Counterpoint article is at this link.
http://www.internetevolution.com/author.asp?doc_id=162622&f_src=ieupdate

clipped from www.internetevolution.com

One problem is that content filtering software simply isn’t good enough.?Yes, software blocks many child porn sites, but it also allows some sites to get through.?Also, child porn sites are typically very good at evading filters.?Just as importantly, the software mandated for schools and public libraries doesn’t just ban child porn, it bans thousands of sites.?Does the software company investigate the thousands of sites it blocks??Does it know whether a child engaged in illicit activity on a Website is 16, 18, or 21 years old?

Epic Cash Vs Zango - Legal Action Incoming?

Mon, 01 Sep 2008 14:58:06 +0000

Over the last few days I've seen a scan doing the rounds on a couple of adult webmaster sites & forums, like here (Warning: there may be NSFW content on that forum). There's another link here regarding some follow up information which seems to be safe for work, but the forum it links to most definitely isn't. Just a heads up.

Anyway, the source of all the commotion is this scan, the contents of which read:

Epic Cash Files Lawsuit Against Zango and Adult Friend Finder

On August 26, 2008, Epic Cash LLC filed suit against Zango, Inc. and the owners of AdultFriendFinder.com for Unfair Business Practices, Unfair Competition, Tortious Interference with Prospective Economic Advantage, Unjist Enrichment, and Conversion.

Check the scan for full details - the root of the problem seems to be Epic Cash claiming Zango Adware diverted traffic away from Epic Cash websites and "converted Epic Cash's business to their benefit". This could prove to be interesting...

MadMACs seems to have an issue with the Intel Wireless WiFi Link 4965AGN chipset

Sun, 31 Aug 2008 11:51:26 +0000

I've added the following note to the MadMACs page: A patron of my website pointed out that MadMACs, and other similar tools, seem to have a problem randomizing the MAC address under Windows Vista if you are using the Intel Wireless WiFi Link 4965AGN chipset. It will work with the 4965AGN if you randomize only the last two digits, and start it with the prefix 1234567890. It will also let you set the whole MAC address to DEADBEEFCAFE, or even let you randomize all 12 hex digits. However, if you take the default prefix of 00, MadMACs will make a random address up and put it in the NetworkAddress registry value, but the 4965AGN chipset drivers will not honor it. If anyone knows why, please contact me.

Thieves Target Homeowners and Builders

Fri, 29 Aug 2008 15:51:00 +0000

We have written about thefts of copper wire and even street manhole covers in the past. It appears that new homes and those being foreclosed upon are ripe targets for unscrupulous thieves.

Thankfully, there are many more solutions than in days past. Global Positioning Systems can now be hidden in materials and the thieves can be tracked in real time and the Police notified by the security consultant who has been hired to monitor their movements.

The highlighted link from "The New York Times", tells the sad story of a young couple and their 7 month old child who had to live onsite at their new house for many months in order to deter thieves.

We have spoken with home builders in the past regarding supplying security officers to monitor unfinished homes. One of the hurdles has been the cost of security. The escalating cost of these thefts may now make Home Builders think twice though.

The National Association of Home Builders claims that $5 BILLION a year is being stolen nationally by theives from homes under construction. That would purchase a lot of security services. Not to mention the cost of labor to replace that missing copper wire, plumbing fittings, doors & windows, etc.

Like we always say, thieves are opportunists. If you give them an opportunity such as leaving valuable building supplies unprotected, they will take them. On the other hand, if you put an obstacle in their path such as a site that is monitored by security cameras (with somebody on the other end of the camera - you'd be surprised how many businesses put in cameras but have nobody to monitor them)or a roving security vehicle, they will move along and ply their trade elsewhere.

That is called "target hardening". Quite literally, you make yourself (or your property) a harder, more difficult target. They then move along to some other target. Bad for someone else, but good for you.

Don't Panic

Fri, 29 Aug 2008 13:03:16 +0000

Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.

In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:

Click to Enlarge

As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the Rogue Antispyware list, some of them not on the list but known to be of little worth to the end-user.

Click to Enlarge

In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with Adblock Plus, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.

Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that do resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manage to close your browser session.

#6 on the list is the best. Never click that link.

Fri, 29 Aug 2008 12:21:47 +0000

You would do well to read and remember the list posted here at this site.
It could save you from a case of ID theft.

clipped from www.thetechpedia.com

10 Usefull Tips to Stop Junk(Spam) E-mails

clipped from www.thetechpedia.com

I used to suffer from a common problem that many people on the net complain of .Spam E-mails.I don’t get spam any more because I managed to take control of my email.

I’ve gathered together the then best defences that will help you to fight against Spam.

Border Gateway Protocol (BGP) Attacks

Fri, 29 Aug 2008 02:40:47 +0000

This is serious stuff. (Kim Zetter's posts on the topic are excellent; read them.)

It's a man-in-the-middle attack. "The Internet's Biggest Security Hole" (the title of that first link) has been that interior relays have always been trusted even though they are not trustworthy.

Forgot your password? may be weakest link in web security

Wed, 27 Aug 2008 09:27:57 +0000

Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar Forgot your password? link. As an experiment, Thompson recently asked a few friends for permission to "hack" into their bank accounts. Using only information gathered from Web sites such as Facebook, he found his way in to each account within minutes

Nortel uses USB drive to secure remote work

Tue, 26 Aug 2008 20:00:00 +0000

Nortel hopes to tackle the security of remote work with an "office on a stick," a USB drive that can link an employee's PC with a corporate VPN and keep all the information from a session...

Thoughts on Token Security

Tue, 26 Aug 2008 12:35:23 +0000

RSnake has a piece up on Token Security which raises some good points, but also misses some perspective. Firstly any article that makes a serious attempt at mitigating FUD is most welcome, especially in a space that is as overloaded as identity. That said, I think RSnake is taking too narrow of a view, specifically B2C, on federation and tokens. It is true that works on the web eventually filters into the enterprise, but it is also true that sometimes that things that start out as enterprise technologies later become cost effective on the web. So I would not assume that the current status quo on the web will hold. I don't think it will, the identity problems are too big and there is too much money at stake.

I encourage you to read his article, here are some of my thoughts

"consumers hate tokens."

Except that people use atm cards every day. Consumers will absolutely be inconvenienced, if there is some value created. The problem today is not the token, its the lack of a value proposition to the person you are inconveniencing.

"Everyone wants to be the single federation platform for everyone else."

This will never work. and that's a good thing. i think most companies already realize this though. I think the walled garden model has gone the way of the dodo.

"Federation will never work. It won’t work because the single most important consumer Web applications in the world are scared of it. Banks hate the concept because it becomes a weakest link in the chain problem."

Federation works quite well. have a look at google for one example. The reason banks hate federation is that their infosec people have a mainframe mindset, they are focused only on resource protection. the problem is they dont run mainframes on closed networks, they went and connected it to the web and so now they need to think about subject and claim security not just resource security. its not hatred its a lack of understanding stemming from a legacy mindset.

Linking up identity providers and relying parties into a federation has been a solved problem for quite some time.

"Tokens don’t actually solve most security problems, like man-in-the-middle, phishing, and keystroke-logging malware."

Rule 1. there are no silver bullets in security

Rule 2. dont forget rule 1

but...

...there is a rule 3

rule 3. just because a security mechanism doesnt solve all of our problems doesnt mean its worthless.

I see this with security consultants all the time, they playa hate on static analysis or some scanning tool where they can find hundreds of things the tool doesn't. Fair point except 99.9999% of IT can't and won't find them. Engineering is about solving one incremental problem at a time.

"Oh yes, and finally, consumers are going to have to carry around 13 of them just to make sure they can log into whatever they need to log into since no one will federate."

This misses the point of federation. i carry around one atm card its up to banks, Visa, Cirrus and so on to make sure i get my cash. the funny thing about banks not understanding federation is that they have the bet example right in front of their noses, the problem is its in a different department so they never see it.

"Global federation is nowhere near a solid concept in the consumer space, despite what the vendors will try to sell you."

rule 4. do your own due diligence

Tokens and federation are important building blocks for our digital future. I will leave you with a story that Robert Morris Sr. told at Defcon several years ago:

"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.

When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.

And I ask the lady "what country is this?"

She scratched her head for a bit, and said "well I think its Norway"

I said "well who plows the roads?"

"well Norway does, but he have to pay them."

There is a triple boundary in this town that I was in between Norway, Finland and Russia.

But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a pin, and it gurgles for awhile, and finally gives me, a fairly large amount of money. There are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The pin is necessary to convince my own bank that I'm me. But I don't want my pin to be broadcast all over the world. My bank in the us, it hasn't really given out or taken in any money, really. But there is a lot of credits involved here. Somebody needs to charge somebody else for having more money available. Even though there was actually no cash transfer.

And the problem that I have in mind is
- who are all the participants in an ATM transaction?
- what do those participants need to satisfy their problems?
- how is that in fact done?

In a general way, does the atm system actually work in some reasonable sense? To which the answer is by the way: yes. The atm system damn well works. With extremely high reliability and accuracy. It surprises me. Its quite a bit different than voting machines.