[SecurityRatty] tag: readiness

The opt-out from hell

Tue, 16 Sep 2008 15:22:03 +0000

One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after my griping).

Note that if I want to opt out of further communications, I have to do two separate things -- which actually becomes three things.

First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of my trustworthy readers would attempt to re-subscribe me, right...?
But that isn't enough -- I also have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link did embed my email?
Then after submitting it, another page pops up telling me that I'll soon receive an email with additional instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my "permissions have successfully been set. Thank you."

A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. Go away.

Spam, my friends, is only going to get worse. It was so easy to ban junk faxes in 1991. But even those regulations were weakened in 2005. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking!

Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)
by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft
SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700
Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by
mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id
8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700
Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])    by
mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2    for
; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)
X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)
X-Spam-TCS-SCL: 4:0
Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16
Sep 2008 18:27:47 +0000 (UCT)
Received: from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])
    by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071    for
; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;
Message-ID:
Date: Tue, 16 Sep 2008 14:27:47 -0400
thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4
Reply-To: Avaya
From: Avaya
To: Steve Riley
Subject: 7 Tips to Ensure Readiness for UC Deployment
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com
X-MS-Exchange-Organization-PRD: pp.techtargetmail.com
Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain
of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)
receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;
client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-SenderIdResult: PASS

The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.
____________________________________________________________

How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now.

Click here to learn more: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

"If you do not wish to receive future promotions directly from Avaya please forward this e-mail to {link removed} ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated."
____________________________________________________________

Please do not reply to this email. To unsubscribe from all future third party offers from all TechTarget properties, simply click here: {link removed}

TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494

CERT Warns About Phalanx Attacks Against Linux Servers

Wed, 27 Aug 2008 12:03:19 +0000

The US Computer Emergency Readiness Team (CERT) is warning about attacks in the wild against Linux systems with compromised SSH keys. The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as [...]

CISA and CISSP Preparation

Thu, 31 Jul 2008 09:14:07 +0000

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa/
Certified Information Systems Security Professional : https://www.isc2.org/cissp

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

Do I meet the spirit, and not just the letter, of the experience requirements ?
Has there been sufficient diversity in my experience ?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

Perform an initial benchmark and assessment of your readiness
Read a “survey” level preparation guide cover to cover
Perform a secondary benchmark, and compare your readiness
Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks

For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from www.cccure.org.

Survey Materials

I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials

There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library - often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts

Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

CISA and CISSP Preparation

Links List 7.25.08

Fri, 25 Jul 2008 08:28:47 +0000

The Wall Street Journal reports that the military is taking “Tech Lessons”. It seems that over the last few years, the DISA CIO has been visiting different tech companies to learn about cutting-edge technologies that might be able to help soldiers in the battlefield. CIO Garing identified social networks and mashups as great technologies for smaller projects with potentially more immediate impact than the traditional years-long IT projects of the past. He should check out NAPA and the Collaboration Project [link to Dan Munz Q&A] which highlights just how government agencies and orgs are already doing what he’s talking about.

Just what I was waiting for, open source takes on cloud computing.

We had a very interesting call this week with analyst firm, The 451 Group, about the cloud and who is really doing what in this space now. Trying to separate the hype from reality, just like everyone else.

After a disappointing (to analysts and the street) financial analyst call on Tuesday, VMware’s stock reached an all time low, almost back to the IPO stage. In a follow-up interview, Forbes asked the new CEO what he thinks about the stock price, the analysts saying VMware doesn’t have a solid or innovative growth plan for the future, and whether VMware should be part of EMC or not (their backhand way of bringing up the whole Diane Greene thing…he didn’t fall for it).

Wait for it…wait for it…we have been waiting for it. VMware announced plans to launch a free version of its ESXI hypervisor starting July 28. I have to question the timing on this one. Why didn’t they do this before Hyper-v came out and try to at least undercut the Microsoft announcement? VMware is and should be the leader in this space but they act like they’re playing from behind. And to Wall Street, perception counts for a lot.

Surprisingly, there hasn’t been a lot of coverage after the June 2008 OMB mandate on IPv6 readiness. But one interesting follow-up, a feature is set to be added to IPv6 which the upgrade was supposed to eliminate. One of the design goals for IPv6 was that it would rid the Internet of network address translation (NAT), gateways that match increasingly scarce public IPv4 addresses with private IPv4 addresses used inside corporations, government agencies and other organizations. NAT adds complexity and cost, but due to the length of time it’s taken to migrate from IPv4 to IPv6, engineers may create special NAT devices to translate between IPv4-only and IPv6-only hosts and hopefully nudge along the transition to IPv6. IEEE is all set to meet on this topic later this month.

ShareThis

Assessing the Security Benefits of Cloud Computing

Mon, 21 Jul 2008 03:00:15 +0000

With all this talk and reporting about security concerns, lets change the channel for a moment and assess the potential security benefits of Cloud Computing.

In my view, there are some strong technical security arguments in favour of Cloud Computing - assuming we can find ways to manage the risks.

With this new paradigm come challenges and opportunities. The challenges are getting plenty of attention - I’m regularly afforded the opportunity to comment on them, plus obviously I cover them on this blog. However, lets not lose sight of the potential upside.

In this post, I walk through seven technical security benefits. Some are immediate, others may arise over time and have conditions attached (some unstated for the sake of brevity). However, I’m including the longer-range benefits now to raise awareness. Some of the outcomes listed are available today without the Cloud, but they are either complex and slow to implement (and thus less likely to happen) or prohibitive for capital cost reasons. I don’t claim this is a definitive list - it reflects where my thinking is today.

Some benefits depend on the Cloud service used and therefore do not apply across the board. For example; I see no solid forensic benefits with SaaS. Also, for space reasons, I’m purposely not including the ‘flip side’ to these benefits, however if you read this blog regularly you should recognise some.

On a sidenote, I believe the Cloud offers Small and Medium Businesses major potential security benefits. Frequently SMBs struggle with limited or non-existent in-house INFOSEC resources and budgets. The caveat is that the Cloud market is still very new - security offerings are somewhat foggy - making selection tricky. Clearly, not all Cloud providers will offer the same security.

Seven Technical Security Benefits of the Cloud

1. Centralised Data

Reduced Data Leakage: this is the benefit I hear most from Cloud providers - and in my view they are right. How many laptops do we need to lose before we get this? How many backup tapes? The data “landmines” of today could be greatly reduced by the Cloud as thin client technology becomes prevalent. Small, temporary caches on handheld devices or Netbook computers pose less risk than transporting data buckets in the form of laptops. Ask the CISO of any large company if all laptops have company ‘mandated’ controls consistently applied; e.g. full disk encryption. You’ll see the answer by looking at the whites of their eyes. Despite best efforts around asset management and endpoint security we continue to see embarrassing and disturbing misses. And what about SMBs? How many use encryption for sensitive data, or even have a data classification policy in place?
Monitoring benefits: central storage is easier to control and monitor. The flipside is the nightmare scenario of comprehensive data theft. However, I would rather spend my time as a security professional figuring out smart ways to protect and monitor access to data stored in one place (with the benefit of situational advantage) than trying to figure out all the places where the company data resides across a myriad of thick clients! You can get the benefits of Thin Clients today but Cloud Storage provides a way to centralise the data faster and potentially cheaper. The logistical challenge today is getting Terabytes of data to the Cloud in the first place.

2. Incident Response / Forensics

Forensic readiness: with Infrastructure as a Service (IaaS) providers, I can build a dedicated forensic server in the same Cloud as my company and place it offline, ready for use when needed. I would only need pay for storage until an incident happens and I need to bring it online. I don’t need to call someone to bring it online or install some kind of remote boot software - I just click a button in the Cloud Providers web interface. If I have multiple incident responders, I can give them a copy of the VM so we can distribute the forensic workload based on the job at hand or as new sources of evidence arise and need analysis. To fully realise this benefit, commercial forensic software vendors would need to move away from archaic, physical dongle based licensing schemes to a network licensing model.
Decrease evidence acquisition time: if a server in the Cloud gets compromised (i.e. broken into), I can now clone that server at the click of a mouse and make the cloned disks instantly available to my Cloud Forensics server. I didn’t need to “find” storage or have it “ready, waiting and unused” - its just there.
Eliminate or reduce service downtime: Note that in the above scenario I didn’t have to go tell the COO that the system needs to be taken offline for hours whilst I dig around in the RAID Array hoping that my physical acqusition toolkit is compatible (and that the version of RAID firmware isn’t supported by my forensic software). Abstracting the hardware removes a barrier to even doing forensics in some situations.
Decrease evidence transfer time: In the same Cloud, bit fot bit copies are super fast - made faster by that replicated, distributed filesystem my Cloud provider engineered for me. From a network traffic perspective, it may even be free to make the copy in the same Cloud. Without the Cloud, I would have to a lot of time consuming and expensive provisioning of physical devices. I only pay for the storage as long as I need the evidence.
Eliminate forensic image verification time: Some Cloud Storage implementations expose a cryptographic checksum or hash. For example, Amazon S3 generates an MD5 hash automagically when you store an object. In theory you no longer need to generate time-consuming MD5 checksums using external tools - its already there.
Decrease time to access protected documents: Immense CPU power opens some doors. Did the suspect password protect a document that is relevant to the investigation? You can now test a wider range of candidate passwords in less time to speed investigations.

3. Password assurance testing (aka cracking)

Decrease password cracking time: if your organisation regularly tests password strength by running password crackers you can use Cloud Compute to decrease crack time and you only pay for what you use. Ironically, your cracking costs go up as people choose better passwords ;-).
Keep cracking activities to dedicated machines: if today you use a distributed password cracker to spread the load across non-production machines, you can now put those agents in dedicated Compute instances - and thus stop mixing sensitive credentials with other workloads.

4. Logging

“Unlimited”, pay per drink storage: logging is often an afterthought, consequently insufficient disk space is allocated and logging is either non-existant or minimal. Cloud Storage changes all this - no more ‘guessing’ how much storage you need for standard logs.
Improve log indexing and search: with your logs in the Cloud you can leverage Cloud Compute to index those logs in real-time and get the benefit of instant search results. What is different here? The Compute instances can be plumbed in and scale as needed based on the logging load - meaning a true real-time view.
Getting compliant with Extended logging: most modern operating systems offer extended logging in the form of a C2 audit trail. This is rarely enabled for fear of performance degradation and log size. Now you can ‘opt-in’ easily - if you are willing to pay for the enhanced logging, you can do so. Granular logging makes compliance and investigations easier.

5. Improve the state of security software (performance)

Drive vendors to create more efficient security software: Billable CPU cycles get noticed. More attention will be paid to inefficient processes; e.g. poorly tuned security agents. Process accounting will make a comeback as customers target ‘expensive’ processes. Security vendors that understand how to squeeze the most performance from their software will win.

6. Secure builds

Pre-hardened, change control builds: this is primarily a benefit of virtualization based Cloud Computing. Now you get a chance to start ’secure’ (by your own definition) - you create your Gold Image VM and clone away. There are ways to do this today with bare-metal OS installs but frequently these require additional 3rd party tools, are time consuming to clone or add yet another agent to each endpoint.
Reduce exposure through patching offline: Gold images can be kept up securely kept up to date. Offline VMs can be conveniently patched “off” the network.
Easier to test impact of security changes: this is a big one. Spin up a copy of your production environment, implement a security change and test the impact at low cost, with minimal startup time. This is a big deal and removes a major barrier to ‘doing’ security in production environments.

7. Security Testing

Reduce cost of testing security: a SaaS provider only passes on a portion of their security testing costs. By sharing the same application as a service, you don’t foot the expensive security code review and/or penetration test. Even with Platform as a Service (PaaS) where your developers get to write code, there are potential cost economies of scale (particularly around use of code scanning tools that sweep source code for security weaknesses).

Your Thoughts?

What benefits do you see that I haven’t included in the above list? Where do you agree/disagree and importantly, why?

Your 419 Mail Roundup

Wed, 25 Jun 2008 09:29:29 +0000

Are you ready for more 419 missives?

Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick "Robert Mugabe" themed mail and, er, someone called "Captain Frank Bojo" after the jump...
Subject:
HELLO DEAR
From:
"abavanagift13 Gazeta.pl"
Date:
Sat, 21 Jun 2008 12:26:24 +0000
BCC:

Hello Dear,

My name is Blessing Abavana, the elder daughter of Mr. paul Abavana of Zimbabwe, I am 17 years old with my younger brother (Micheal), we are in Ghana as refuge/asylum since we lost our parents because of the recent war that occurred in our country.please do go through this web page for better understanding with full details:

http://www.rte.ie/news/2000/0418/zimbabwe.html

I am looking for one who will honestly assist my younger brother and I to realize our inherited funds into your account and as well as invest it into a lucrative business.

During the recent war against the farmers in Zimbabwe from the supporters of our President, Robert Mugabe to claim all the white -owned farms to his party members and his followers, he ordered all the white farmers to surrender all their farms to his party members and his followers.

My father being one of the few rich and successful black farmers in our country was also victimized because of his opposition to Mugabe's policies. And because he did not support Mugabe's ideas, Mugabe's supporters invaded my father's farm and burnt everything in the farm, killed my father and made away with a lot of items in my father's farm. This action was taken because my late father felt the growing tension on the farm issue, but I guess he never anticipated the tragedy that brought their brutal and sudden death.

However with the benefit of hindsight, owing to the looming but deteriorating crisis in my country, Zimbabwe, my father, before his unfortunate death deposited with International Commercial Bank (ICB) here in Accra Ghana the sum of US$ 35MUsd (Thirty Five Million United States Dollars), with the sole aim of acquiring and buying some dredging equipments in setting up of a dredging firm with his partner. With his death and all his assets seized at home and accounts frozen, the family is now in a very difficult situation.

After the death of my father, my brother and I escaped to the Republic of Ghana where he had deposited the money in the Bank . And we were permitted to reside here as Political Refugees.

So Because of our present and unpleasant status here we decided to contact an overseas firm / individual that can assist us to move this money out Of Ghana because, as asylum seekers, we are not allowed to operate any financial transaction of such amount within Ghana and also to assist in providing me and my brother a permanent residential permit in your country after the money must have been transferred to your account.

We have agreed to offer you 30% of the total sum for your assistance, and the rest will be for my brother and I, to Invest in your country under your assistant

All I want you to do is to furnish me with the below information including your readiness to assist me achieve this transaction for investment purposes in your country under your supervision. Kindly re-confirm to me the followings:

1) Your Full Name:
2) Phone, Fax and Mobile
3) Profession, Age and Marital Status.
4) Nationality

I have to re-assure you that this transaction is 100% risk free and should be treated with absolute confidentiality. All the vital documentation/certification that has to do with the origin of the fund is with me for the security reasons.And I will send them to you when we progress.And I guarantee you that this fund is not government fund, drug money, or from arms deals.

I will detail you more about the bank immediately I receive your acceptance response. I hope this is the beginning of a prosperous relationship between us.Thanks and God bless you

Regards

Blessing/Micheal Abavana

(Wow, spectacularly sick. Not that we're expecting scammers to have any morals, of course).

*********************************************************************************************

Subject:
Lycos Online Lottery Notification
From:
"LHOUTY MOHAMMED HASSANE"
Date:
Sun, 22 Jun 2008 02:42:53 -0000
BCC:

LYCOS LOTTERY ONLINE
8th Floor
1 Stephen Street
London
W1T 1AL

WINNING NOTIFICATION
This is to inform you that your email address has won the Lycos Lottery for the year 2008. your email has won you the sum of ?952,350.00 (Nine Hundred And Fifty Two Thousand, Three Hundred And Fifty pounds sterling).
You are advised to keep this notice confidential to avoid misinterpretation of funds and unauthorize claims, cheating or fraud.
To claim your funds please contact us with the information below.
Name: Dr. George Stevenson
Tel:+447031991681
Email:lycosclaimsdpt@gmail.com

It is mandatory that you send us your full names, address, phone number,
age, sex and occupation to enable us arrange your claim.

Note: Winners were selected through a computer ballot system drawn from Microsoft users from company and individual email addresse users. All winning must be claimed not later than 21 working days from the time of notification. After this date all unclaimed funds will be returned to European Union Treasury as unclaimed funds.

Congratulations from mambers and staff of Lycos
Lhouty Mohammed Hassane.
Lycos Lottery Co-ordinator

(A "Lycos Lottery" and they're using a GMail address? Doh).

*********************************************************************************************

Subject:
Yukos Oil
From:
Mr. Timinskiy Vladimir
Date:
Wed, 25 Jun 2008 5:38:17 -0400
To:

I have a profiling amount in an excess of US$100.5M, which I seek you in accommodating for me. You will be rewarded with 4% .If intrested, please reply me for moredetails...
Regards
Mr. Timinskiy Vladimir

(Short. Sweet. Pointlessly fake).

*******************************************************************************

Subject:
Immediate Release of Your FUND Via ATM CARD
From:
"Mr. Mark Louis"
Date:
Wed, 25 Jun 2008 01:45:09 -0700
To:
undisclosed-recipients:;

SUBJECT: Immediate Release of Your FUND Via ATM CARD

Attention: ATM Card Beneficiary,

I wish to use this medium to inform you that your CONTRACT/INHERITANCE Paymen of USD$10,000,000.00 (Ten Million United States Dollars) from CENTRAL BANK
OF NIGERIA have been RELEASED and APPROVED for onward transfer to you via an ATM CARD which you will use to withdraw all the USD$10,000,000.00 in any
ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is USD$10,000.00 Only.

We have mandated IBTC CHARTERED BANK PLC, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your USD$10 Million Dollars in
any ATM SERVICE MACHINE in any part of the world. You are therefore advice to contact the Head of ATM CARD Department of IBTC CHARTERED BANK PLC;

Contact Person: Dr. Olu James
Office email address: pcfc_nigeria@yahoo.com
Private: +2347084501007
Office:018969906

Tell Dr. Olu James that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use
to withdraw your USD$10 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address
where you want him to send the ATM CARD and PIN NUMBER to you. We are very sorry for the plight you have gone through in the past years. Thanks for adhering to this instruction and once again accept our congratulations.

Best Regards.
Mr. Mark Louis.
Executive Governor,

Central Bank of Nigeria {CBN}.

(Ah, the old "Let's lure them in with the magical bank card" trick).

******************************************************************************************

Subject:
CONTACT THE FEDEX COMPANY FOR YOUR FUNDS
From:
"SAMUEL DUNBAR"
Date:
Fri, 20 Jun 2008 12:33:43 +0100
BCC:

Dear Friend,

Compliment of the new year, I have been waiting for you since to come down here and pick your Bank Draft which my boss left with me before he travelled to England but I did not hear from you since that time till today. I went to the bank to confirm whether the draft is getting close to expire as it had been long time my boss issued the draft. The director of the bank told me that before the draft will get to you, that it will expire. Then I told him to help me and cash the cashier bank draft of $1,500.000.00 to cash payment.

However, I have successfully cashed the draft and packaged it in a box and have registered it in the Fedex Express Company Service here in Benin Republic because I will travell to see my boss in England and will not come back till August 20th 2008. You have to contact the Fedex Express Company Service to know when they will deliver your package to your address. I have paid for the delivering charges and insurance fees. The only money you have to send to them is their security keeping feeswhich is USD$135.00 USD to receive your package. Don't be deceived by any body.

This is their Contact Address;
Attn: Cheif Mr. George Kobra (Director)
Tel: +229-9799 2240
E-mail: fc.bj@sify.com

Send them your contacts information to enable them locate you
immediately they arrived in your country with your package.

This is the information they needed from you.

1. Your full name:.....
2. Your shipping/home address:.....
3. Your tel no #......
4. Your current office tel no #
5. A copy of your passport.

Try to contact them as soon as possible to avoid increasement of the security keeping fees Note; I didn't tell the Fedex Express Company Service that it's money inside the box, I registered it as a church of a Church Minister Materials. This is to avoid delay or any upfront problem during the delivery. So, do not let them know that the package contents money. Do let me know as soon as you received your package. You will contact me only through e-mail as my phone is no longe available now that I am out from our country. Contact me at samdunbar1986@yahoo.com and I will reply as soon as I can.
I wish you and your family Long Life,
Prosperity and Happy 2008.

Thanks and Remain Blessed.

Yours sincerely,
Mr.Samuel Dunbar
(Secretary)

(Honestly, if you contact FedEx they'll give you tons of money....)

****************************************************************************************

That's your lot for another week....

iPhone 3G's business-readiness still in question, Gartner says

Tue, 17 Jun 2008 09:00:00 +0000

More than a week after release of the iPhone 3G's features, analysts still can't get full details on security and management of the device.

US-CERT Gets New Boss

Thu, 05 Jun 2008 22:51:45 +0000

Former DOJ staffer Mischel Kwon to head up the US-CERT.

From Network World:

The U.S. Department of Homeland Security has chosen a new head of its U.S. Computer Emergency Readiness Team (US-CERT).

Mischel Kwon, will start as director of US-CERT on June 24, a DHS spokeswoman said Thursday. She is presently acting deputy director of IT security and the chief IT security technologist at the U.S. Department of Justice. She is also an adjunct professor at The George Washington University, where she runs the school’s Cyber Defense Lab.

She replaces Cheri McGuire, who left in March, and will report to Cornelius Tate, director of the DHS’s National Cyber Security Division.

Deducting 10 points for excessive use of the word “cyber”.

Article Link

DOJ staffer tapped to head US-CERT

Wed, 04 Jun 2008 20:00:00 +0000

The U.S. Department of Homeland Security has chosen a new head of its U.S. Computer Emergency Readiness Team (US-CERT).

Advisory: CiscoWorks Arbitrary Code Execution Vulnerability

Wed, 28 May 2008 21:56:52 +0000

Summary

Name: CiscoWorks Arbitrary Code Execution Vulnerability
Release Date: 28 May 2008
Reference: LSD003-2008
Discover: Dave Lewis
CVE Number: CVE-2008-2054
Vendor: Cisco Systems
Systems Affected: CiscoWorks Common Services (various versions): Cisco Unified Operations Manager (CUOM), Cisco Unified Service Monitor (CUSM), CiscoWorks QoS Policy Manager (QPM), CiscoWorks LAN Management Solution (LMS), Cisco Security Manager (CSM), Cisco TelePresence Readiness Assessment Manager (CTRAM)

Risk: High
Status: Published (Vendor Confirmed, Patch Available)

Description

CiscoWorks Common Services versions 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1, and 3.1.1 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

This vulnerability exists due to an unspecified error in CiscoWorks Common Services. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code resulting in complete system compromise.

Impact: Arbitrary code execution with elevated privileges. Fire bad.

TimeLine

Discovered: 14 February 2008
Reported: 14 February 2008
Fixed: 22 April 2008
Patch Release: 28 May 2008
Published: 28 May 2008

Technical Details

The vulnerability exists due to an unspecified error in CiscoWorks Common Services when it processes attacker-supplied URLs. An unauthenticated, remote attacker could exploit this vulnerability through unspecified means to execute arbitrary code with elevated privileges.

Fix Information

This issue has now been resolved.

The patch may be obtained from:

http://www.cisco.com

Cisco Advisory
http://www.cisco.com/en/US/products/products_security_advisory09186a00809a1f14.shtml

I would like to thank Cisco for their professional response to this issue.

Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/

2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3