Ransomware, although the nickname is somewhat apt, since it takes your data hostage and demands money for its release, has always carried an unnecessary emotional connotation. It is unforgivably insensitive to compare this to any type of real-world ransom involving human life. Furthermore, there are no "proof of life" concepts, such as sending back a "pinky" of data or letting you briefly see that your data is being safely kept in a Linux environment.
Read more
Assessment of corporate security is a difficult but essential task. Regardless of industry, most companies allocate their IT resources to maintenance, upgrades, support and alignment with corporate strategy. While the necessity for improved security continues to be recognized as an important goal, its implementation by in-house IT staff is often inadequate. Therefore, outsourcing in the form of Security as a Service, auditing, and third-party penetration testing and vulnerability assessments is commonly used as a solution.
However, microprocessor giant Intel implements its own threat assessment in its companywide exercise of "war gaming". Featured in the fourth (and most recent) issue of Intel's own
Read more
Although this news item first broke several weeks ago, I have been awaiting public analysis regarding its impracticability. Finding none, I will provide my own.
The Internet began as a "store-and-forward" packet switching network, connecting computers via Interface Message Processors. In 1969, the first interconnected network, ARPANET, allowed communication between the first four nodes located at UCLA, SRI (Stanford Research Institute), UCSB and the University of Utah. The project was a Department of Defense effort from the start: ARPA was renamed DARPA (Defense Advanced Research Projects Agency) in 1972, and in 1975 operational control of ARPANET passed to the Defense Communications Agency.
Read more
Catching up on my reading of unscrupulous behavior, I came across some interesting information from the Federal Communications Commission (FCC). Their Consumer Inquiries and Complaints Division is in charge of reviewing, mediating, responding to and resolving the public inquiries, concerns, and complaints filed with the FCC. The results are published in quarterly reports and, believe it or not, are occasionally interesting. One can track the historical spikes of complaints following incidents such as certain broadcast radio comments by Howard Stern or the televised Jackson-Timberlake debacle of Super Bowl XXXVIII.
Read more
You purchased your clothes, you're wearing your clothes, but now someone else 0wns them.
Read more
Redmond has recently published its semi-annual recap on the (in)security of its leading products. The Microsoft Security Intelligence Report (MSIR), released approximately two weeks ago, provides an "in-depth perspective" on the second half (Jul-Dec) of 2007. As usual, a professional-looking report with statistics and graphs is presented to the reader. Although, after successfully downloading and reading their Key Findings Summary, it appears to have been co-authored by
Read more
Hackers of the world will once again unite at DEFCON 16, one of the industry's top conferences, this August 8th. The world's best and brightest security minds will deliver presentations and papers, sharing their latest research during the three-day event. As usual, DEFCON is home to a number of classic hacker contests, including the Phreaking Challenge, Capture the Flag, Mystery Challenge, Hacker Jeopardy and the once great Spot the Fed contest. A few new events debuting this year include BuzzWord Survivor, the Hardware Hacking Village and the unnecessarily controversial Race-to-Zero contest.
Read more
For those of you unfamiliar with British comedy, the Ministry of Silly Walks is a fictitious British organization which only existed in the world of Monty Python in the 1970s. The classic comedy sketch presents a man in need of funding to further develop his "silly walk", yet due to the government's economic constraints of financing Defense, Social Security, Health, Housing, Education and Silly Walks, he is told the Ministry of Silly Walks cannot help, due to their budgetary limitations... and also because his walk was simply not silly enough. (At the end he is offered a research fellowship.)
What is the relevance of this s
Read more
Evidence of a new "attack pack" has surfaced, reports Shaun Nichols, providing further proof of the organized complexity of exploit code. The web-based toolkit, called Tornado, is speculated to have been in operation for at least six months. This attack tool supposedly exploits up to 14 browser vulnerabilities, although I am not certain which ones, nor can I verify the true number at this time. While its PHP code was only recently released, it is believed to be responsible for numerous iframe injection attacks at the end of last year, according to Symantec.
Read more
The National Security Agency/Central Security Service (NSA/CSS) Information Assurance Directorate is currently holding its 8th Annual Cyber Defense Exercise. It started on April 21st and will be coming to a close this Thursday (04/24/08), the day officially open to media coverage.
This annual competition between the service academies challenges student teams with the task of defending their computer networks from constant attack. However, they're not just protecting their infrastructure from automated penetration platforms. They'll be subjected to a barrage of attacks from a network offensive operations team (Red Team), composed of NSA and Department of Defense experts, during the four-day hack-a-thon.
Read more
Since this vulnerability was submitted by Harry Sintonen to Wired's Threat Level last week, it has been spreading like wildfire throughout the web. Discovery of a new XSS is nothing new, but it does become noteworthy when it involves a domain like CIA.gov. While not a site-0wning exploit, it is an embarrassing example of poor input validation.
A search form at their site accepts script-bearing character strings and reflects them into the page without filtering or encoding. The query is processed and your customized site appears (at least that seems to be what most people are using it for; for those with more malicious intent... good luck, you'll probably win a free ride
Read more
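The bug class described above, reflected XSS through an unencoded search parameter, is easy to show in miniature. The following is an added example written for this page, not code from CIA.gov or from the original post; the hostname example.test, the template, the handler names and the payloads are all constructed for the demonstration. It renders the same search page two ways: echoing the raw query, and entity-encoding it for both the text and the attribute context it lands in.

```python
"""Reflected XSS via a search form: vulnerable vs hardened rendering.

Constructed example; the site, template and payloads are assumptions.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# The search term is reflected in two HTML contexts: an attribute value
# (the pre-filled input box) and a text node (the "Results for" line).
TEMPLATE = (
    "<html><body>"
    '<form action="/search"><input name="q" value="{q_attr}"></form>'
    "<p>Results for: {q_text}</p>"
    "</body></html>"
)

# Constructed payloads, one per context.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'


def attack_url(payload: str) -> str:
    """Build the link an attacker would hand a victim (hostname is assumed)."""
    return "https://example.test/search?q=" + quote(payload, safe="")


def query_from_url(url: str) -> str:
    """Extract the q= parameter exactly as a server framework would decode it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echoes the search term straight into the HTML: attacker markup executes."""
    q = query_from_url(url)
    return TEMPLATE.format(q_attr=q, q_text=q)


def render_hardened(url: str) -> str:
    """Output-encode for the context: &, <, >, " and ' become entities, so the
    browser treats the term as data in both the attribute and the text node."""
    q = query_from_url(url)
    safe = html.escape(q, quote=True)
    return TEMPLATE.format(q_attr=safe, q_text=safe)


def script_landed(page: str) -> bool:
    """Crude reviewer's check: did a raw <script> tag or an injected event
    handler attribute survive into the rendered page?"""
    lowered = page.lower()
    return "<script" in lowered or ' onfocus="' in lowered


if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        url = attack_url(payload)
        print("vulnerable:", script_landed(render_vulnerable(url)))
        print("hardened:  ", script_landed(render_hardened(url)))
```

Note that the fix is output encoding at the point of reflection, not a blocklist on the input: the attribute payload contains no `<` or `>` at all, so a filter that only strips script tags would still let it through, while `html.escape(q, quote=True)` neutralizes both contexts.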
About a week or two ago, Network World ran a good segment by Jon Brodkin…actually it was more of a slideshow with accompanying text…called, 20 Useful IT security sites. It did contain some of the best online resources for information security. If anyone missed it, check it out here.
Read more
The exploitation of ActiveX controls is not new to the security community. While initially designed to provide website authors with new embeddable features, and to grant Internet Explorer (IE) users access to these new functional capabilities, the liabilities and damages have almost surpassed its benefits. Websites have been avoided and blocked, and alternative browsers to IE adopted. In response to the frequently discovered vulnerabilities, numerous workarounds and security patches have been created.
Read more
Initially, I set out to write this blog about the security risks involved with the misperception of numerical data, and the problems with conventional wisdom. However, my internet readings led me slightly off course, in pursuit of understanding some recent malware statistics.
Read more
I may be a couple of days late with this one, but this is one of those few times when I am truly amazed by the malicious intent of an internet exploit: hackers defacing a website frequented by epileptics in order to intentionally cause seizures.
Read more
Today, I will actually get to covering BlackHat Europe 2008, which came to a close on Friday of last week. The four-day convention consisted of the usual training and briefings from some of the top technical experts in the security field.
With the increasing frequency of security/hacker conferences, such as BlackHat and Defcon (and every other event that ends in "hat" or "con"), there is a greater overlap of "new" research and discoveries. The repetition of presentations at sequential events is commonly observed in most scientific fields.
Read more
My last blog talked about Vancouver's CanSecWest, and I promised to give a wrap-up of BlackHat Europe today. But, I lied. Actually, I wanted to tie up some loose ends on CanSecWest before discussing BlackHat.
Read more
The past several days have been a busy and exciting time in the world of hacking. There have been presentations, demonstrations, and uber-pwnage happening across the globe.
Well...mostly Vancouver and Amsterdam
Here are some highlights and personal favorites from Canada.
Read more
Cybercrime, primarily, begins with an intangible theft: strings of numbers and letters that equate to valuable and personal information. When this data is illegally used, the effect on the victim is handled in the "real world", through the cooperation of banking institutions and prosecution by federal authorities. (Or at least it's supposed to work that way.)
But what if the roles were reversed?
What if....instead of cybercrime having real-world repercussions...real-world crime had cyber repercussions?
Let's find out.
Read more
The continued usage of WEP in wireless networks is staggering.
In fact, I'm not sure why it's allowed as an option at all.
You have two main security decisions to make when setting up a wireless network:
Do you want to implement security on your network? And if so, which security protocol will you use?
I have learned to accept that many people choose to forgo security as a trade for ease of use. Others, who want to secure their network from unauthorized users, have several security options, which differ considerably in strength.
Read more
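The reason WEP should not be on the menu at all is structural, and it can be demonstrated in a few dozen lines. The block below is an added example written for this page, not code from the original post: it simulates WEP's construction (RC4 keyed with a 24-bit per-frame IV concatenated to the shared key, IV sent in the clear) on a constructed 40-bit key and constructed frame contents, and shows that as soon as two frames share an IV the keystream cancels out, that a frame whose plaintext is known (every WEP data frame starts with the same LLC/SNAP header, and an attacker can provoke predictable traffic) hands over the keystream for that IV, and that with only 2^24 IVs a collision is expected after roughly five thousand frames even if the card picks IVs at random. No real network or captured traffic is involved.

```python
"""Why WEP's 24-bit IV is fatal: keystream reuse under RC4.

Constructed demonstration; the key, IV and frame contents are assumptions.
"""
import math
import random

IV_BITS = 24
# Assumed 40-bit shared WEP key (constructed for the demo, not a real key).
WEP_KEY = bytes.fromhex("0badc0ffee")
# Every WEP data frame begins with this LLC/SNAP header in plaintext, so an
# attacker always knows the first eight plaintext bytes of a captured frame.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA followed by PRGA), as WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: per-frame RC4 key = IV || shared key.
    The 3-byte IV travels in the clear in front of the ciphertext."""
    assert len(iv) == IV_BITS // 8
    keystream = rc4(iv + WEP_KEY, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def ciphertext_xor(frame1: bytes, frame2: bytes) -> bytes:
    """For two frames under the same IV, C1 ^ C2 == P1 ^ P2: the identical
    keystream cancels, leaking the relationship between the plaintexts."""
    assert frame1[:3] == frame2[:3], "demo requires an IV collision"
    return xor_bytes(frame1[3:], frame2[3:])


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext for one frame yields the keystream for its IV."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt any other frame that reused the same IV (up to len(keystream))."""
    return xor_bytes(frame[3:], keystream)


def expected_frames_until_iv_reuse() -> float:
    """Birthday estimate: randomly chosen IVs repeat after about
    sqrt(pi/2 * 2^24) ~ 5100 frames, a few minutes on a busy network."""
    return math.sqrt(math.pi / 2 * 2 ** IV_BITS)


def frames_until_iv_reuse(seed: int = 1) -> int:
    """Simulate a card choosing random IVs; count frames until the first repeat.
    (Cards that reset the IV to zero on power-up and count upward collide
    even sooner, since every station walks the same sequence.)"""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return n
        seen.add(iv)


def demo() -> dict:
    """Two frames under one colliding IV: one with attacker-known plaintext,
    one carrying a secret. Returns what the attacker learns."""
    iv = bytes.fromhex("00000a")  # constructed colliding IV
    p_known = SNAP_HEADER + b"ARP probe the attacker provoked, 32 bytes"
    p_secret = SNAP_HEADER + b"password=hunter2"
    c_known = wep_encrypt(iv, p_known)
    c_secret = wep_encrypt(iv, p_secret)
    keystream = recover_keystream(c_known, p_known)
    return {
        "xor_equals_plaintext_xor": ciphertext_xor(c_known, c_secret) == xor_bytes(p_known, p_secret),
        "snap_keystream_bytes": len(recover_keystream(c_secret, SNAP_HEADER)),
        "recovered_secret": decrypt_with_keystream(c_secret, keystream),
    }


if __name__ == "__main__":
    print(demo())
    print("expected frames until IV reuse:", round(expected_frames_until_iv_reuse()))
    print("simulated frames until IV reuse:", frames_until_iv_reuse())
```

The point of the simulation is that none of this depends on a weakness in RC4 itself or on the key length; 104-bit WEP fails the same way because the IV space, not the key, sets the reuse bound. WPA2 (and WPA before it) replaces the per-frame key construction rather than patching around it, which is why it belongs in the "which protocol" decision and WEP does not.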
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding from an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980, when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "phone phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have consisted of Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.