Inside Dark Networks

DHS/SRI Identity Theft Council

Ken Baylor — Fri, 13 Jun 2008 12:54:26 +0000

Yesterday I attended the above meeting in the Bay Area. I joined two years ago and the group has gone from strength to strength.

We had an excellent presentation covering a study of 517 U.S. Secret Service cases, and their conclusions on current Identity Theft Perpetrators, Victims and Methodologies. It was followed by a Panel led by Jerry Archer, CISO Intuit, on Critical Emerging Threats. Definitely it was an engaging afternoon.

Security people some in all sorts and personalities. Normally we don’t put anything in writing about the people themselves. However, for two of the attendees, I will break this rule.

Jerry Archer led the panel. In all my time in the valley, and after meeting with half the countries CISO/CSO’s, I don’t think I have ever met such a genuine honest and all-round good security person. Jerry deeply cares about his company, his people, the profession, stopping the bad guys and keeping the average person safe. He gives up hundreds of hours per year to protect the man in the street and is a yardstick by which other CISOs should be measured by. Good to see him again.

The second person who deserves credit is the organizer, Robert Rodriguez. Robert since retiring from the USSS has tiringly build bridges between the public and private sectors. His list of contacts inside the US Government agencies is legendary, and he is driven by the goal of protecting the US infrastructure and its citizens. I have had the pleasure of knowing Robert these last 4 years.

Both men are a true credit to their profession, and it’s worth breaking the rules every now and then by calling this out.

McAfee, botnets, libel, Open Source and Tax day

Ken Baylor — Tue, 15 Apr 2008 22:45:00 +0000

What a day!

Leaving aside my pain in enriching the government with my checks yesterday, I received a rather interesting email in my inbox today.

It came from McAfee….apparently Matt Asay is saying McAfee has slandered open source by a comment I wrote in my white paper ( http://www.cnet.com/8301-13505_1-9917989-16.html) and (www.mcafee.com/us/local_content/white_papers/wp_botnet.pdf).

First Assumption: I am a McAfee minion employed to destroy open source. Let’s see…after I left McAfee I ran security at Symantec, so no…not a good minion of anyone.

Second Assumption: McAfee wanted that comment in there: No, based on the evidence I had at the time, it was a true statement. It still is.

Well, what did that comment actually mean? Quite simply, two of the nastiest bots out there…PhatBot and AgoBot had published source code. Many people got there hands on it and built uber-bots. We killed those variants, they built more. etc etc etc. Sophos clocked the variants of those two bots at well over a thousand.

Could these bots be described as Open-Source? I believe so.

Was the source code modified multiple times? Yes. Were open source techniques used? Absolutely

Were these bot modifiers core to the Open Source movement? No, just a few bad apples that taint the majority
Was the comment taken out of context? I think so too.

Has McAfee identified crimeware users who rely on Open Source? Absolutely…see David Marcus’s comments here ( http://www.pcadvisor.co.uk/news/index.cfm?newsid=6601)

Sorry Matt, McAfee is NOT your enemy, nor are they ignorant about open source.

Website Inquiry: Phishing Scam

Ken Baylor — Tue, 05 Feb 2008 17:03:25 +0000

If you own a domain name, you will likely have received a slew of emails similar to the one below.
They are part of a new phishing scam. Do NOT reply as they will only solicit further information from you, which will be used to rip you off.

Some points to note: The ‘from name’ has no relation to the ‘from email’, which is different from the person who signs the email and the ‘reply to email address’ is also different

Website Enquiry
From: Pearle Joyce (akanidaniels@virgilio.it)
You may not know this sender. Mark as safe | Mark as unsafe
Sent:Tue 2/05/08 1:37 AM
Reply-to:Pearle Joyce (bond.marketing@gmail.com)
To: XXXX.org (XXXXXX@hotmail.com)
Hello ,
My name is Richard Thompson and I am interested in having a link on your website (XXXXX.org).
I will be very thankful to you if you give me some prices for the following ads:
1) text link on your homepage/all pages
2) text box ad 120×60, 125×125 on homepage/all pages
Thank you in advance!
Richard Thompson

Technorati Tags: Ken baylor Phishing Scam Website Inquiry Security Alert

Building a powerful sub-$1000 VMWare ESX server

Ken Baylor — Sat, 02 Feb 2008 01:18:11 +0000

VMWare has recently released its ESX 3.5 server. While the ‘free’ server version has some benefits, the overhead to run it is way too high, so ESX is still the best way to virtualize.

After reviewing the forums, there still exist a number of problems when pursuing the home ESX server option. The main issue being version 3.X has very limited SATA support. While some support for EIDE exists, these cannot be used for hosting the actual VM images (which is the whole point of virtualization in the first place).

After a great amount of research, it turns out the LSI Logic MegaRAID 150-4, which supports SATA, uses the same VMWare driver (MegaRAID2) as it’s SCSI predecessor. It is also available cheaply on eBay (approx $120). The card supports up to 4 SATA drives. Another version of this card, the 150-6 supports 6 SATA drives.

With the difficult part out of the way, the next part was to find a motherboard that would support more than the typical 4GB of RAM and support a powerful processor, all on a budget.

Surprisingly, rather than build one of my own, the Gateway GT5630 came to the rescue. The machine is available from Frys for a mere $699. It comes with a quad-core Intel Q6600 processor and motherboard that supports 8GB of RAM. Fry’s again came to the rescue with 8GB for $150.

So, once I got my PC surgery was minimal. I simply opened the box, and took out the paltry amount of included RAM, replacing it with my 4×2GB sticks for 8GB. I then inserted my full length card in my normal length PCI slot. Make sure you upgrade your BIOS from the LSI web site as otherwise it will be quite unreliable in ‘degraded PCI mode’. Then connect the RAID card to your SATA drive and you are ready to boot.

Then I booted up the machine. Happily, it automatically detected the RAID card and automatically loaded the megaraid2 driver.

However, another problem came up. Despite booting off the ESX CD, the ESX installation decided that it could not read the included IDE CD-drive. My work around was as follows:

Luckily the GT5630 comes with an Intel NIC card for which ESX has drivers. So I ejected the installation CD, and stuck it into another machine. I then downloaded a free FTP server program and configured it to make the installation CD available on the second machine via FTP.
I went back to my GT5630. I told it to install via FTP. It received a DHCP address and I pointed it to the FTP server with the installation CD. It carried on installing flawlessly.

So despite a few minor hiccups, I now have ESX server running on a pretty powerful (quad core with 8GB RAM) server for less than $1000. Most likely, I will add a few hard drives to it soon.

Hardware Costs:

Gateway GT5630 = $699
8GB RAM            = $150
RAID Card          = $120
Total Cost           = $969

ISACA-SV Winter Conference

Ken Baylor — Fri, 25 Jan 2008 20:43:05 +0000

The ISACA Silicon Valley Chapter’s Winter conference is in full swing. This year it has been split into two separate tracks (Information Security and IT Governance) on consecutive days.

IT governance is really starting to get interesting in 2008. This is for a number of reasons. With the downturn in the economy, there are two things people are thinking about:

1) How is information security and IT spending my money? The concept of transparency, good management, regulatory compliance and showing value will become critical for most organizations in 2008 and 2009. Most likely this will result in a boom in IT governance.

2) 2008 will likely lead to layoffs and the freezing of InfoSec budgets. The IT targets are most likely the ‘old guard’, i.e. those who do not believe in business alignment and assisting the business grow revenue. This will likely result in many out of work admins, who have a grudge against their old employers, and are armed with network diagrams and root passwords. If they do decide to attack their employers, this may lead to a mandatory SB1386 disclosure, causing huge embarrassment. The good news is this will lead to the unfreezing of InfoSec budgets and an increase in InfoSec hiring and training…..roll on 2008.

Can IPS alleviate the botnet problem?

Ken Baylor — Wed, 25 Oct 2006 23:10:44 +0000

Botnets are back in the news. Leading experts have recently gone on record stating we are losing the war on botnets. Then yesterday, McAfee released a whitepaper showing startling success in Central America against botnets. This has ignited a debate in both the IPS and botnet sub-cultures of the Information Security World.

Botnets are problematic for a number of reasons:

1) We have no idea how many botnets are out there. Most of our results come from honeynets (http://www.honeynet.org/papers/honeynet/) which are globally distributed. However, honeynets are binary, they are either infected by a particular botnet or they are not. It is quite possible to have a huge botnet army in the wild that misses the honeynet traps.

2) We have no idea how big the active botnets are. Botnet armies have been reported which are smaller than 1,000 and others larger than a million. Bot herders will exaggerate their size, until they get caught, in which case they will lower their size attempting to get a lower sentence.

3) Size is not correlated directly to lethality. A small botnet which infects a computer in a sensitive network can do untold damage. The botnet may download keyloggers and password sniffers leading to confidential data leakage. The compromised bot may even be used as a launchpad for attacking other machines in the internal network.

4) Many botnets are programmable. When a 0-day exploit becomes available, a bot herder can push the code to the bots and get them to attack other machines, attempting to recruit them.

5) Bots create a lot of ‘network noise’ as they scan and attack other hosts. This extra traffic can disrupt the internal networks of enterprises, leading to slower application response and causing servers to crash.

Botnets have a complex life cycle. The life cycle below, however, is typical:

Figure 1: Anatomy of a typical botnet attack
Step 1: Bot herder loads remote exploit code on an ‘attack machine’, which may be dedicated for this purpose or an already compromised bot. Many bots use file-sharing and RPC ports to spread. Initial infection vectors ensure victim machines have sufficient configuration information to contact bot controller when compromised. Step 2: Attack machines scan for unpatched targets and launch attacks. An unpatched machine becomes a victim to the exploit. Steps 3 & 4: The victim machine is ordered to download binaries from another server (frequently a compromised web or FTP server). Step 5: These binaries are run on the victim machine and convert it to a bot. The victim connects to the bot controller and ‘reports for duty’. Step 6: The bot controller issues commands to the victim. These instructions may include commands to download new modules, steal account details, install spyware, attack other machines and relay spam. Step 7: The Bot herder controls all bots by issuing commands via the bot controller(s).

Just as in the Biological Sciences, by interrupting a pest’s life cycle we can stop them. Almost all quality IPS devices can stop Step 2 (see figure 1). There are many IPS devices deployed globally, but often there is a detection-only mindset held by some who call themselves information security professionals. This indifference allows botnets to spread deep inside networks.

Steps 5 & 6 can be stopped by Next-Generation IPS devices (that have up-to-date and comprehensive signatures, and can truly decode the protocols). These are not common and the successful deployment of these forms the basis of the McAfee case study (http://www.mcafee.com/us/local_content/white_papers/wp_botnet.pdf). Those with legacy IPS devices can only slow the growth of botnets only at step 2, and should be encouraged to do so. To destroy established botnets requires Next-Generation IPS devices.

Next-Generation IPS devices bring a number of extra benefits, and solve many of the botnet problems. When deployed at the network edge, IPS devices can see all traffic entering and exciting the network. This brings a number of advantages, we can:

i)                  see how many bots are on our network,
ii)                 see where their bot controllers are,
iii)                estimate the size of each botnet army
iv)                see which botnet variant the infected machines are using,
v)                 see deeply into the command and control structures including the commands being sent to individual bots.
vi)                  capture traffic from the small but lethal botnets and give visibility into their mission.
vii)                 capture traffic which may be used to secure bot herder convictions.

Is the botnet war over then?
Next-Generation IPS devices have proven themselves to be very helpful in the war on botnets. Bot herders and their botnets will however evolve, and seek to evade them. The cat and mouse game played so often in the past with virus writers will now come to the botnet world.

Nonetheless, IPS devices can pinpoint botnets, indicate their size, show where their controllers are and enable us to see their control & command traffic. We are much closer to putting bot herders behind bars, with the active assistance of law enforcement. Perhaps that is the message bot herders should take away.

Paper: Evolution of the hacker threat posted

Ken Baylor — Mon, 11 Sep 2006 23:10:41 +0000

During recent months I created a presentation which described the recent evolution of hackers, primarily covering their motivations. This we presented in the UK, France and Germany. There were follow up presentations in Poland and the Czech Republic. However, rather than create a world tour, I changed the presentation into the format of an article an published it here:

http://www.securitypronews.com/news/securitynews/spn-45-20060911EvolutionoftheHackerThreat.html

Although long (>2000 words) the article covers both opportunistic and targeted hacking and describes ’spring boarding’ which is used more and more in identity theft. The ability to ‘fence’ stolen identities online has lead to large profits being generated within hours. It also covers the step by step hacker methodology and the best practices for system security.

Happy reading

High School Security Initiative

Ken Baylor — Mon, 11 Sep 2006 18:46:04 +0000

There are a number of interesting security initiatives right now. Most of them are technical but one which has drawn my attention is educational.

There is a major initiative underway in the Bay Area to create a High School security initiative and have this taught in every California High School, eventualy as a mandatory core unit. While there are many excellent sites on the net which target this age group the problem is that it is purely voluntary. The end result is they are ignored.

I joined this committee three months ago and we hope to present the finalized and proposed curriculum late October 2006 in Sacramento. Quite a number of interested parties have come together to form this committee; the FBI, McAfee, Visa, Dept of Consumer affairs of California and last week, we were joined by ZoneLabs. In addition to this a number of third level institutions have joined, as well as a few all-important teachers and high-school students, who will have to deliver and receive the information respectively. It is great to see these different groups work for a common altruistic purpose.

The curriculum will cover such topics as boundaries of acceptable behavior, crimes against the person, crimes against property etc. The curriculum will educate students about threats, identity theft, etc and what to do about them. It will also educate would be perpetrators about the potential repercussions and hopefully make them think twice before committing.

If you have strong feelings about this project, or opinions please either add a comment or send me an email.

Wifi Security Law passes California assembly

Ken Baylor — Tue, 29 Aug 2006 23:06:02 +0000

California Assembly Bill 2415 ( by Speaker Fabian Núñez ) passed today and now goes to the Governor. What does it actually do?
http://democrats.assembly.ca.gov/members/a46/press/a462006116.htm

http://www.mercurynews.com/mld/mercurynews/15397371.htm
Hopefully it means more secure wireless networks. In the Bay Area almost 50% of consumer wireless access points have no encryption turned on. Many of these devices have their passwords still set to the defaults. This bill means that manufacturers of WiFi devices will have educate home users how to secure their networks, or at least alert them to the risks if they chose not to.

Identity theft is a major threat to Californians. Most WiFi devices lack protection, making home users easy prey for hackers. Once intruders gain access, they can wreak havoc inside your home network and steal personal information and install spyware. Consumers should be educated on the risks of wireless access and the additional steps needed for protection. These include:

1) Change default passwords on WiFi routers
2) Turn on the highest level of encryption possible (currently WPA2)
3) Turn off SSID Broadcasting (hiding the network)
4) Turn on MAC filtering (only pre-approved machines may join the network)
5) Install Anti-Virus, Anti-Spyware and desktop firewalls on all machines.

The law has been well covered below:
http://www.publicradio.org/columns/futuretense/2006/09/01.shtml
http://www.mercurynews.com/mld/mercurynews/business/15395913.htm
http://www.darkreading.com/document.asp?doc_id=102598&WT.svl=news1_3

Is Google Wifi/WiMax safe and secure?

Ken Baylor — Wed, 16 Aug 2006 18:51:16 +0000

Today Google finally opened their free GoogleWifi to all residents of Mountain View California. Tempted though I am to ditch my current provider and migrate to Google, I must question….How am I sure it is Google I am connecting to?

It could be an ‘Evil Twin’ access point masquerading as a legitimate Google Wifi Access point. To see how difficult it is to create an evil twin network, capable of stealing passwords, login information, instant messages and emails, I put one together.

The whole process took less than 15 minutes. The step by step approach I took has been fully documented here (http://www.darknetworks.org/uploads/WiMax.pdf). If you are going to use the Google Wifi network, perhaps you should think about installing their encryption client.

Otherwise you may fall prey to:

Victims, when they connect to the evil twin access point, become very vulnerable:

a) All the traffic between them and the real access point is unencrypted. This means that a recording device (such as a PC running a sniffer, such as the freeware tool ethereal) may capture their traffic and spy on them. Unencrypted passwords, instant messages, emails and credit card information are easily intercepted.

b) Machines that join the network via the evil twin may be directly scanned and accessed by the attack machine. Sensitive information may be stolen from shared folders.

c) The attack machine can easily be configured for phishing. Even when Google WiFi is fully operational, users will have to authenticate to the network. Users may be redirected to a fake login page on the attack server, which will steal the users credentials. This Google login gives access to user email and so may be used for identity theft later.

d) The attack machine may trick the end user into downloading spyware/malware, by modifying the logon page. This may allow the attacker to install keylogging software and access private files.

e) The hacking server may also act as a poisoned DNS server. This would redirect users to phishing sites rather than legitimate financial sites where their logons and account information could be stolen. Banks and eBay are logical targets. These servers would completely control where the victim is allowed to visit on the Internet.

SPAM..Blame the Irish!

Ken Baylor — Thu, 10 Aug 2006 18:50:17 +0000

So within the last two days, I have received three new spam/phishing atttempts. What is so bizarre about these? They all pretend to have links either with Ireland or at least use an Irish persons name, here’s two of the most interesting:

Return-Path: <elsa_dalton1@portugalmail.pt>
Received: from galadriel.portugalmail.pt (galadriel.portugalmail.pt [195.245.179.73]) by XXXXXXXXXXXXXXXXX with ESMTP id k7AETcrP030275 for XXXX@.xxx.com Thu, 10 Aug 2006 15:29:38 +0100Received: by galadriel.portugalmail.pt (Postfix, from userid 30) id 48DE0D4F6B; Thu, 10 Aug 2006 14:24:42 +0100 (WEST)Received: from 83.229.62.123 ([83.229.62.123]) by gold.portugalmail.pt (IMP) with HTTP for <elsa_dalton1@portugalmail.pt@localhost>; Thu, 10 Aug 2006 14:24:42 +0100Message-ID: <1155216282.44db339a48357@gold3.portugalmail.pt>Date: Thu, 10 Aug 2006 14:24:42 +0100From: elsa_dalton1@portugalmail.ptTo: elsa_dalton1@portugalmail.ptSubject: CONGRATULATIONS!!! X-Originating-IP: 80.89.176.36

IRISH WEB LOTTERY HEADQUARTERS.
THE OAKROOM LOUNGE.
21 PICCADILLY IRISH. W1B 0BH.

                                               IRISH WEB LOTTERY
IRISH GOVERNMENT ACCREDITED LICENSED
IRISH WEB LOTTERY
IS REGISTERED UNDER THE DATA PROTECTION ACT OF
(Registration Z720633X).
The Irish Lottery
47 Meadow Vale,
Sligo , Ireland .
Ref: LSUK/2031/8162/05
Batch: R4/A312-53

                                                         WINNING NOTIFICATION
CONGRATULATIONS!
We the Board and Management of the Irish Lottery London, UK
wishes to inform you theresults of the E-mail address ballot
lottery international program held on 1st day of August, 2006.
Your email accounts have been picked as a winner of £500,000 (
FIVE HUNDRED THOUSAND BRITISH POUNDS STERLING). This
result is today released to you and your email address attached
in the A Category. All email addresses were selected through a
computer ballot system in which your email address was selected
as one of the lucky winners.This results is today released to you
and your email address attached in the A Category. All email
addresses were selected through a computer ballot system in
which your email address was selected as one of the lucky winners.
Your lucky numbers are:   and bonus ball number:
CONGRATULATIONS!!!
Due to mix up of some numbers and names, we ask that you
keep your winning information confidential until your claims
have been processed and your money remitted to you.
This is part of our security protocol to avoid double claiming and
unwarranted abuse of this program by some participants.


All participants were selected randomly from World Wide
Web site through computer draw system and extracted
from over 100,000 companies. This promotion takes place
biannually.
To file for your claim/winning, please contact our Legal
Department through finance director (DR LEONARD WALTER)
via email as leonard_walter_00@yahoo.co.uk for
processing and payment of your claims/winning. Quote your
reference/batch numbers in your correspondence with us and
you are advised not to expose your numbers to avoid
double claiming or voiding of your winning.
Please note in order to avoid unnecessary delays and
complications quote your reference number and batch numbers
in all correspondence. Should there be any change of addresses
do inform our agent as soon as possible.
Furthermore your winning numbers fall within our IRISH
(London) region and you are required to contact our representative
office in LONDON via Leonard Walter through this email address
cc: leonard.walter00@yahoo.co.uk as soon as you receive this mail
to enable them file your papers for claim/payment of your prize.
ANYONE BELOW EIGHTEEN YEARS OF AGE CAN MAKE HIS/ HER
CLAIM IN PROXY THROUGH EITHER OF THE PARENTS. Once again
congratulations from our members and staff of the IRISH LOTTERY.
Thank you for being one of the winners of our promotional
program.Sincerely Yours
Elsa Dalton
International Relation Officer.
email: leonard.walter00@yahoo.co.uk
cc: leonard_walter_00@yahoo.co.uk
Phone:+44-703-192-8619(office hours monday-fridays 8am-6pm)
Phone::+44-702-407-6741
Fax: +44-8704783062
http://www.irishlotto.net/
BELOW ARE THE SPONSORS OF THIS PROGRAM


Executives:
Dr. P. Swier (CEO), Mr. Gerald Goodman (Manager Foreign
Operations), Mr. Franklyn Van Der Weijden (Manager Domestic
Banking Operations), Dr. James Williams (Director International
Credit Department), Mrs. Lonni K Anderson (Legal Representative), Mrs.
Lyudmyla Marchukova(Regional Manager), Mr. Stephen Boer
(Chairman), Mr. Chris Moritz(International Relation Officer).

Now, that’s a lot of names and information….IT MUST BE TRUE. But, of course, it is not. The IP address emanates from LEBANON, not Ireland. Why would they use free yahoo email addresses? The Irish Lotto does not give away free money to random email addresses, and if they did, they would give it away in EUROS. Ireland stopped being ruled by the British in 1922,And here’s another;

Return-Path: <shirleypatrick3@virgilio.it>
Received: from vsmtp4.tin.it (vsmtp4.tin.it [212.216.176.224]) by xxx.xxx.xx) with ESMTP id k78Kv7EV004308 for XXX@XXX.com; Tue, 8 Aug 2006 21:57:08 +0100Received: from pswm2.cp.tin.it (192.168.70.14) by vsmtp4.tin.it (7.2.072.1) id 44D349AF0041BECD; Tue, 8 Aug 2006 22:06:28 +0200Message-ID: <10cef6351c6.shirleypatrick3@virgilio.it>Date: Tue, 8 Aug 2006 21:04:58 +0100 (GMT+01:00)From: Elias Maclawrence <shirleypatrick3@virgilio.it>Reply-To: elias_lawrence1999@yahoo.co.ukSubject: Greetings,Mime-Version: 1.0Content-Type: text/plain;charset=”UTF-8″Content-Transfer-Encoding: 7bitX-Originating-IP: 80.89.176.36

Greetings, I am Mrs shirley patrick,Public relations officer for THE EXPORT COMPANY (UK) LIMITED a company based in United Kingdom corperated on 05/02/2001 and a Private Limited Company. We are searching for individuals/companies that can actually handle the affairs of our company in the Canada/America and Europe as we intend to extend our frontiers to the rest of the world at large. We want to employ your services as our agent in your country you could assist us to seek for companies that are ready to go into exportations of goods from United Kingdom as we would be willing to compensate your effort in this regards moreso you would be tagged as our agent in your region for any payments/supplies to come directly to our company you would have to handle the affairs of the supplies and the payment modalities. Furthermore note that you would have to be fully registered with our firm to ascertain the new position beckoned on you and also our terms and conditions would be availed to you based on our modalities of operation so that you would know the importance and significance of your duty to THE EXPORT COMPANY (UK) LIMITED. Please if you are interested in transacting business with us, we will be very glad but modalities of acceptance would be availed to you in subsequent correspondences to you . Please contact us for more information. if you are interested you are advised to contact my superior officer with the details below: THE EXPORT COMPANY (UK) LIMITED DELTA HOUSE 175-177 BOROUGH HIGH STREET LONDON SE1 1XP contact person: Mr Elias Maclawrence Managing Director, Fax: +448704796066 direct: +447040113994 email: elias_lawrence1999@yahoo.co.uk Contact should be made via fax or email and this should be done within 14 working days otherwise your application would be delected from our data base. We hope you enjoy doing business with us and from all staff of THE EXPORT COMPANY UK) LIMITED we wish you a happy day. Kind regards, Mrs shirley patrick Public relations officer for: THE EXPORT COMPANY (UK) LIMITED Tel: +447024021608 NOTE Do not reply to this email if interested reply to my Mr Elias Maclawrence for immediate attention Now, other than dreadful grammer, a non-existant company (checked it on http://www.companieshouse.gov.uk/WebCHeck/findinfopage/), use of free e-mail addresses, and an IP address ORIGINATING IN NIGERIA, why would I be suspicious…Hmm?

WPA PSK weaknesses are easily exploitable

Ken Baylor — Wed, 09 Aug 2006 23:42:31 +0000

WPA is slowly replacing WEP in the home. A quick wardrive around my suburban area of Silicon Valley produced some interesting results. On average, using a simple Netgear WG511T card (without external antenna), there were 8 wireless networks within reach. Of these approximately 60% were using WEP for encryption, 30% were unencrypted and 10% were using WPA. 10% may not sound like a lot, but last years results were 60% unencrypted and 40% using WEP.

WPA definitely offers stronger security. We have demonstrated this publicly, by breaking 128 bit WEP encryption in less than 2 minutes, even when when very strong passwords were used.

http://www.pcw.co.uk/personal-computer-world/news/2161974/mcafee-reiterates-wifi-security

http://labs.pcw.co.uk/2006/07/do_you_use_wpa_.html

However, WPA is still vulnerable when using a weak Pre-Shared Key (PSK), because WPA eavesdropping is possible and is easy. The hard part is ‘cracking’ what you have captured. Most consumers and many SMBs do not use an external authentication server, they instead use WPA-PSK (pre-shared key). If the pre-shared key used is ‘easy’ (as in likely to succumb to a dictionary attack), then it can be broken easily. However, if this is not the case, then it may be very very difficult to crack the password.WPA can be a powerful defensive tool, however it must be configured correctly. We also publically demonstrated how to crack a weak WPA within seconds. With a more powerful dictionary, it may be minutes. With a truly dificult passwords, it may be many many years.

Is Google evil?

Ken Baylor — Wed, 09 Aug 2006 17:30:36 +0000

For many years Foundstone has been teaching the dark side of Google in its Ultimate Hacking courses, and its “Hacking Exposed” series. Google is the number one search tool for hackers. It allows you to carry out full reconnaissance on your target. It is a goldmine of information for those interested in data theft, exploits, hidden company backdoors, identity theft etc. Without the intrusiveness of Google the world would be a safer place (if only by obfuscation). There are many articles on Digital Dirt and the fact that Google has ruined people’s careers, and yet, it is rare to hear anyone complain about them.
That Is why I read Gary McGraw’s article Google Is Evil (http://www.darkreading.com/document.asp?doc_id=100643&WT.svl=column1_1) with great interest. Here Gary explains the day to day use of Google to find exploits that enable criminal activities every day. Further, it allows criminals find victims.
However, the article concludes in the usual ending; “Google is not bad, it just exposes holes to the public, and it’s your problem to find them and fix them”. Pragmatic? Yes, but that is as far as it goes.

Big Brother is coming, thanks to AOL

Ken Baylor — Wed, 09 Aug 2006 16:33:32 +0000

Privacy on the internet is eroding…and eroding quickly.
A few months ago we had the Google search warrant debacle. Now we have the AOL release of very sensitive information on its subscribers.

Some of it is quite illuminating.

We have AOL User 2281868: Looking For Gay Black Superman With An Overbite

http://consumerist.com/consumer/aol/aol-user-2281868-looking-for-gay-black-superman-with-an-overbite-193001.php

More scary stuff at http://aohellsearches.ytmnd.com/

User 927 searches range from how long it takes broken legs to heal, to images that could send you to prison for a long time. One of this user’s searches look for questionable pictures of ‘virtual children’. In some countries, such as the UK these are classified as being the same as ‘real children’, and this carries severe penalties
http://www.consumerist.com/consumer/privacy/aol-user-927-illuminated-192502.php

You can search throught all their gory details right here: http://www.aolstalker.com/

While the AOL gaffe looks really embarrassing for them, it has a more darker side.

It is well known that in the USA we have no expectation of privacy at work: http://news.com.com/Court+rules+against+man+in+porn-at-work+case/2100-1030_3-6103544.html?tag=nefd.top
Many of the headline-grabbing cases involve the most egregious of subjects. None-the-less the rulings impact all people at work. So when you find out the local IT guy has been reading your files, he can hide behind company policy and bizarre precedent cases such as this one.

With the release of this information, the Justice Department may again pluck up the courage to demand more information on users. This would again be used to drive through an online anti-pornography law. And how can such a thing be enforced? Only by monitoring all search engines.

George Orwell’s Thought Police in the book 1984 were terrifying. We are in an age where we pass our thoughts into search engines, evaluate our results, then search again and again. A profile of how we think and what we think about can be extracted from these search engines. Do we really want to surrender that information and be judged upon it? Are these really our private thoughts or are they in the public record?

Patch Day!

Ken Baylor — Wed, 02 Aug 2006 02:33:44 +0000

Today is not a good day for security patches, and it’s not even Microsoft’s patch Tuesday.

One of the top two consumer security vendors has been in the news for not-so-positive reasons, but a patch for the affected products should be out after intensive testing. But those of us using wordpress, it is time to upgrade to version 2.04 as the previous versions have a very nasty security flaw:

WordPress 2.0.4, the latest stable release in our Duke series, is available for immediate download. This release contains several important security fixes, so it’s highly recommended for all users. We’ve also rolled in a number of bug fixes (over 50!), so it’s a pretty solid release across the board.

Upgrading is fairly simple, just overwrite your old files with the latest from the download. If you’d like more thorough instructions, the Codex is always the best spot.

Since this is a security release, if you have any friends with blogs make sure to remind them to upgrade and lend a hand if they’re not too savvy. We’re all in this together.

http://wordpress.org/development/2006/07/wordpress-204/