Cyber-Jutsu: A blog about the art of cyber-jutsu: information security as a martial art.<br />
Nokia Disables Feature and Removes Customer Data From their Phones during "over-the-air update"<br />
Posted by Metajunkie, 2018-01-30<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="tr_bq">
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="clear: left; float: left; font-family: "calibri" , sans-serif; font-size: 11pt; margin-bottom: 1em; margin-right: 1em;"><img border="0" class="header-image" height="160" id="_x0000_i1025" src="https://media.health.nokia.com/email/permanent/nokia-lifecycle/scales/header-bodycardio.jpg" style="border-top-left-radius: 15px; border-top-right-radius: 15px; display: block;" title="logo" width="320" /></span></div>
I received important news from Nokia concerning my Body Cardio scale on the 24th of January, 2018. The company informed me that it had disabled a feature on my in-home scale during an over-the-air update. Nokia also removed the feature from my iPhone, and removed all of the corresponding data. The feature provided "Pulse Wave Velocity" readings.</div>
In the email, Nokia writes,<br />
<blockquote class="tr_bq">
<a href="https://media.health.nokia.com/email/temporary/201801/pwv-deactivation/timeline-us.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="phone" border="0" class="phone-image" id="_x0000_i1025" src="https://media.health.nokia.com/email/temporary/201801/pwv-deactivation/timeline-us.png" title="" width="240" /></a> <span style="color: #4d5766; font-family: "roboto"; font-size: 12pt;">"After routine review, we now believe that this feature may require a
different level of regulatory approval. In light of this, we have decided to
deactivate the Pulse Wave Velocity feature on January 24. </span><span style="color: #4d5766; font-family: "roboto"; font-size: 12pt;">As a result, Pulse Wave Velocity readings will no longer appear on the
scale screen nor will they be viewable in the Nokia Health Mate app. Your data
will be retained and is downloadable." </span></blockquote>
With such a drastic and draconian measure being taken to remove the feature from all devices already purchased and deployed in customers' homes, the first question that came to my mind was whether this was a move to avoid potential fines for failure to pay for additional FDA testing and approval, or whether the move is designed to head off potential lawsuits for currently unknown damages to the users of this product from the Pulse Wave Velocity measuring process that was used.<br />
And while all of that is interesting, especially if I come to find out that the scale somehow damaged my family or myself, right now I'm just in awe at how something I bought at Best Buy, from a manufacturer named Withings, who sold the ownership of the product line to Nokia, could be materially changed "over-the-air" during an update from the company, across the Internet. And similarly, how the application on my iPhone could be changed, without my consent, and my data deleted from my device as a part of this update.<br />
We are living in a world governed by End User License Agreements (EULA) that the average customer does not read. The acceptance of the EULA is, of course, either obligatory to proceed in using the product, or assumed as accepted for using the product.<br />
<h3 style="text-align: left;">
Somewhere in all of this we are lacking an "informed consent". </h3>
While there are certainly some benefits from allowing a manufacturer to modify the firmware or software of their products, the power they have - which could be misappropriated by a malicious hacker - does appear to be absolute.<br />
On the plus side, if this Pulse Wave Velocity process is in fact harmful to myself or my children, whose small and developing bodies might be more readily impacted by passing an electrical current through their bodies to take these measurements, I certainly would want the manufacturer to be able to disable the hazard they created in my home. Likewise, we could imagine the maker of a toaster-oven who realized that a flaw in their firmware programming could lead to an in-home fire being able to update the firmware and correct that hazard. These would be good applications of this unsolicited reprogramming, with or without consent, in my humble opinion.<br />
On the other hand, if a malicious hacker was able to turn my expensive digital scale into an even more expensive door-stop, by disabling all of the features over-the-air; or if a less scrupulous manufacturer decided to impair features to ensure future sales of their next model... I think we all would find such abilities needing oversight.<br />
It is my hope that by publishing this information and these ideas, we can come together at some point to put forth some basic rights for the customer. I'm not a lawyer, and for all I know there are already laws governing this sort of thing. But I suspect they have not been keeping pace with the advances of technology.<br />
And, perhaps, in a more perfect world, we won't need more laws. Perhaps, if we, as customers, demand more, the product and service providers will meet us on the road to sanity. In such a more perfect world, perhaps a product would request our permission to remove a feature before the digital code butchering could begin. And if the current vendors are not willing to provide us this level of ownership of the things we buy from them - then perhaps new start-ups will emerge to take their place.<br />
<br />
<span style="font-family: "calibri" , sans-serif; font-size: 11.0pt;"></span><br />
<br />
<br /></div>
Cry Me A River - But Don't Make My Heartbleed<br />
Posted by Metajunkie, 2014-04-24<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
I am the organizer for a local <a href="http://www.meetup.com/Ethereum-Syracuse/" target="_blank">Ethereum Meetup</a> at this time. There was a recent comment of the hhos (ha ha only serious) variety posted about the potential for Ethereum code to have a backdoor included in it that would lead to World Domination. I chuckled, as was no doubt intended, and then countered with a serious reply about the need for such projects to be Open Source. Ethical Hacker <a href="https://twitter.com/skillfulhacking" target="_blank">Mark Scrano</a>, a colleague and friend, replied in the <a href="http://www.meetup.com/Syracuse-Innovators/events/177543432/?comment_table_id=173907252&comment_table_name=reply" target="_blank">meet up conversation</a>, saying:<br />
<br />
<blockquote class="tr_bq">
<span style="background-color: #f4f4f4; color: rgba(0, 0, 0, 0.670588); font-family: Whitney, helvetica, arial, sans-serif; font-size: 16px; line-height: 22px;"><i>"If critical mature open source software (openssl) can't audit its code properly, I fail to see open source saving Ethereum or any open source project from including a bug or two of potentially critical nature ;-)"</i></span></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.loadthegame.com/wp-content/uploads/2014/04/OpenSSL_Heartbleed-660x330.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.loadthegame.com/wp-content/uploads/2014/04/OpenSSL_Heartbleed-660x330.jpg" height="160" width="320" /></a></div>
<br />
<span style="background-color: #f4f4f4; color: rgba(0, 0, 0, 0.670588); font-family: Whitney, helvetica, arial, sans-serif; font-size: 16px; line-height: 22px;"><br /></span>
<span style="background-color: #f4f4f4; color: rgba(0, 0, 0, 0.670588); font-family: Whitney, helvetica, arial, sans-serif; font-size: 16px; line-height: 22px;">To which I replied, </span><br />
<span style="background-color: #f4f4f4; color: rgba(0, 0, 0, 0.670588); font-family: Whitney, helvetica, arial, sans-serif; font-size: 16px; line-height: 22px;"><br /></span>
<br />
<blockquote class="tr_bq">
<span style="background-color: #f4f4f4; color: rgba(0, 0, 0, 0.670588); font-family: Whitney, helvetica, arial, sans-serif; font-size: 16px; line-height: 22px;"><i>"Clearly new processes need to be employed by companies who have decided to base their business on "free" software. Open Source "IS" the solution. The failure, imho, was not that the source code was obfuscated or unavailable. It was a failure to review the code. The notion that only the teams building the software should be reviewing it for bugs is a false one. The underlying problem here, as can be said for many of our societal woes in the US today, is GREED. (I think I smell a blog post brewing. ;) )"</i></span></blockquote>
<br />
And so, now you are caught up. Here we are.<br />
<br />
Greed is nothing new to the human condition. There are those who suggest that all errors of character are learned behavior attributable to our environment. As a father, now watching two little girls grow up, I have a different opinion.<br />
<br />
This post is perhaps less about greed than it is about the Heartbleed bug and, moreover, the state of Information Technology in Corporate America in general. There are some things which are in fact self-evident to anyone who cares to look. Perhaps the first is that greed exists. Let's not sugar coat reality. While we all enjoy community, and we all need and want friends (regardless of the anti-social's admonitions to the contrary), we also have a deep desire to be satisfied. It takes a larger mind to get past that obstacle, and <i><b>that</b></i> is an entirely different blog post.<br />
<br />
As a young man leaving the United States Air Force<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://upload.wikimedia.org/wikipedia/commons/7/77/Shield_Strategic_Air_Command.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" src="http://upload.wikimedia.org/wikipedia/commons/7/77/Shield_Strategic_Air_Command.png" height="200" width="200" /></a></div>
<div style="text-align: left;">
and learning "the ways of the world" in the late 80s, I was often shocked to see differences between how the Military and Corporate America did things. I was stationed at Yokota AB, Japan, and was a proud member of the Tech Control Facility there. While, admittedly, my time there had its ups and downs, I learned more there in just over two years than I suspect some learn in four years of college. We handled military communications. It was a high stress, highly technical job. Trouble-shooting was our business. We kept countless communications circuits up and running to help maintain global communications for all branches of the armed forces. Aiding us in this task was something that at the time I took for granted. It was documentation. </div>
<div style="text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
In the military there is often upward mobility that happens at an almost predictable rate. For others, a four year hitch has them in, trained, working, and out in as many years. Documentation is clearly required as enlisted men and women move into and out of increasingly technical jobs. How could the military function without documentation? It couldn't. I suggest, especially with the high turnover rate and the increasing lay-offs, down-sizing, and firings that take place in the American job market today, that neither can companies continue to do business as they have. Documentation cannot be an after-thought or something to do when your work is done. Indeed, it is a vital part of any IT professional's work, and a requirement for management if they are to gain or maintain any level of situational awareness.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's consider a company in America that relies on technology for conducting business in some way. This is really just about every company in America today which at least uses electronic mail. As a consultant, I have performed Information Security Assessments for many companies across the United States. What I have found nearly everywhere is a lack of current documentation detailing the creation, storage, and flow of information through their organization. This is because documentation is often viewed in Corporate America as a "nice to have" or an "extra" - rather than a requirement of doing business with computers and networks.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The first time this became painfully apparent to me was when I assisted a well known Fortune 500 Company during the Code Red and Nimda Worms cyber-crises. The company, like many in the world, was hit hard. The infection spread quickly from host to host, with each new infection in turn reaching out to infect more systems. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
One would think that it should be easy to simply turn off infected systems as they were discovered. However, I found that there were no current network maps to help us actually locate the infected systems. This was a big problem. This company's intranet was global. Even the local area spanned multiple campuses and buildings. In short, we couldn't physically locate infected systems in many cases. Of course I designed a solution to that issue and worked with a team of programmers to code a preemptive strike option; but the point is that there was not adequate documentation to manage the environment during a crisis. Why?</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
Enter greed and corporate politics. The simple reality I have found across the country is that while the armed forces have "<b>Winning</b>" as an underlying goal, American businesses have <b>"Profit"</b> as an underlying goal. The basic problem I see with this is that profit for profit's sake is greed by any other name. While I have no problem with profit, profits, and profitability, I believe that companies should first be focussed on winning. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Winning in this sense means doing everything needed to properly manage Information Infrastructures. Networks and Computer Systems that house and protect customer and company information should be treated like a battle-field that needs to be secured, not a place to 'manage risk', unless the risk being managed is the potential to lose. Too many companies lose every day, and they don't even know it.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If there was ever a time when it was acceptable to say, "We have nothing attackers want", it has long since passed. The reality is that in a hyper-connected world, and given the plausible theory of six degrees of separation, you have a customer who has some access to something or someone an attacker wants. And this is even beyond the reality that an attacker may merely want your processing power, storage and bandwidth.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Taking complex ideas and boiling them down into simple phrases is always fraught with peril. So, I'll add this as an open comment to the businesses of these United States: Until a true Artificial Intelligence is created, you cannot run computer systems without proper oversight. Many of you have continued to buy more computer systems and roll out new "features", even while laying off IT staff. People can complain about a lack of educated IT Security professionals available in the work-force, but the reality is that businesses don't even have enough Systems Administrators and Network Engineers on staff to manage their Information Infrastructures properly. Further, it is irresponsible, if not grossly negligent, to continue to roll out new systems and applications when existing infrastructure is not documented to a state that can be demonstrated to facilitate managing a crisis.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Lastly, if your company is going to run Open Source software as a part of your business, then it is your responsibility to either review the code you run, or pay someone to do it for you. While it might be understandable for a start-up with limited capital to leverage Open Source without such investments, clearly the largest of companies turning profits while taking advantage of otherwise "free" software should know better. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And, allow me to preempt any of my colleagues' comments to the effect that "this isn't how businesses run" or "it isn't reasonable to suggest this" or "Ken, you are an optimist" with the simple fact that the way things are working is not sustainable, and terribly broken from a vulnerability standpoint. If improvement is to be made, and if companies are to win in cyberspace, they must invest in people. They must hire more people to manage and secure their systems. If we are to rely on technology, then our work-force must be technical. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If Heartbleed is a wake-up call, then it is only such because of the wide-spread consumer awareness that it is generating. The reality is that the intellectual property of our nation has been hemorrhaging for many years. Things must change. As consumers begin to wake up to the realities of negligence, there will be lawsuits. I hope companies re-think how they manage IT before that happens. Perhaps it is already too late for that. Perhaps those few people who actually have a clue inside companies that continue to place profits above people will jump ship to start better companies. That would be very American, in my humble opinion. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In closing let me quote a great football coach: "Excuses only satisfy the people that make them."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Yours in Information Security,</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Ken Walling</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Kenneth R. Walling Jr., CISSP</div>
<div class="separator" style="clear: both; text-align: left;">
President</div>
<div class="separator" style="clear: both; text-align: left;">
CyberCede Corporation</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://www.cybercede.com/">www.cybercede.com</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
PS</div>
<div class="separator" style="clear: both; text-align: left;">
In case you don't really have a clue about Heartbleed, I recommend this ...</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
<iframe align="middle" frameborder="0" height="320" hspace="0" marginheight="0" marginwidth="0" scrolling="no" src="http://twit.tv/embed/15323" width="640"></iframe></div>
Litecoin is perhaps more than just the silver to Bitcoin's gold<br />
Posted by Metajunkie, 2013-06-28<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
The cryptocurrency economy has blown wide open. There may be twenty or more different cryptocurrencies competing for dominance in this emerging technology.<br />
<br />
While bitcoins are holding a more or less steady value of $100/BTC, one of the favorite alt-coins, Litecoin (LTC), is currently undervalued at around $3/LTC. Based upon six-month trend reports, the value deviated from the difficulty graph which it had been clinging close to. When the coin is able to correct, it should be worth approximately $5/LTC. Currently, hungry speculators are holding the value of the coin down.<br />
<br />
Mt. Gox announced they have plans to have LTC trading on their site in July. When that happens, if the litecoin has not already corrected, we can expect a correction and a surge in value as new traders will have access to it on the largest bitcoin market in the world.<br />
<br />
I am working on pulling together a screencast to help Mac OS X users get the recently updated Litecoin client software installed.<br />
<br />
In the meantime, you can check out <a href="http://litecoin.org/">litecoin.org</a>.<br />
<br />
If you want to buy some LTC, you can check out <a href="http://btc-e.com/">btc-e.com</a>. You can sometimes find me on the trollbox there, as the user "kewal". Happy trading!<br />
<br />
<br /></div>
Install GPG on Mac OS X<br />
Posted by Metajunkie, 2013-06-28<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
Hi.<br />
<br />
We are working on getting a site up for cyberjutsu.com.<br />
<br />
The plan is to have both free and premium screencasts to help folks learn how to survive in cyberspace. It will probably take us a while to get any premium content up. It may also take a while to get the site live.<br />
<br />
In the meantime, as we start to create screencasts, we will publish them here. They may not be as polished as we would like. Sometimes information needs to be more current than polished. For example, it is time to upgrade the Litecoin client, for those who use Litecoins (and we recommend that you do!)<br />
<br />
The screencast linked below is a prerequisite to upgrading your Litecoin client. In this screencast, we go over installing GPG on Mac OS X. Linux users will most likely already have gpg software installed, but this is not the case for Mac users.<br />
<br />
I hope this video is helpful. It does include steps to verify the SHA1 digital fingerprint of the downloaded binary file to be used in the installation of GPGtools. It does not represent the lowest we will set the bar for learning. I intend to do some much more basic screencasts to help folks understand the basics of using Terminal and the BASH shell, for example.<br />
<br />
In the meantime - please feel free to get your GPG on!<br />
<br />
<br /></div>
<object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/jq8M1jRCjH4&hl=en&fs=1"></param>
<param name="allowFullScreen" value="true"></param>
<embed src="http://www.youtube.com/v/jq8M1jRCjH4&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed></object></div>
Bitcoin Price Check - 3 April, 2013<br />
Posted by Metajunkie, 2013-04-03<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Here is a very short screencast that takes you on a tour of checking the latest price for bitcoins on Mt. Gox exchange.<br />
<br />
This is my first embedded video here on Blogger - so this is a bit of a test.<br />
<br />
You should be able to run this at full screen, to see the details better than you might in your current windowed rendering.<br />
<br />
<object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/xvPNYGyj308&hl=en&fs=1"></param>
<param name="allowFullScreen" value="true"></param>
<embed src="http://www.youtube.com/v/xvPNYGyj308&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed></object>
</div>
Password Management Software: KeePassX<br />
Posted by Metajunkie, 2012-01-25<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
For the progressing student of cyber-jutsu, it will be evident that the number of usernames and passwords one needs to manage can become extreme. From a white-belt level we learn that human nature must be observed if we are to win in cyberspace. Human nature, in this case, is the simple fact that most people will take the path of least resistance. If something is difficult to do - then they will not do it. If it is easier to do the wrong thing, then most people will do that thing - even to their own detriment. So our goal in this is simple: make it easy to do the right thing.<br />
<br />
Social networking sites, blogging sites, eBay, PayPal, Pandora (music site), other web sites and just about any system you need to log into all require usernames and passwords to access. The common, but unsophisticated and unacceptable, solution that many people who have not been initiated into the ways of cyber-jutsu adopt is to re-use the same password for every site they log into.<br />
<br />
The practicing cyber-jutsu student will quickly see the problem with this. If the password for any one of these sites is compromised or somehow revealed to a malicious person - then all of the accounts with the same password are thus compromised. The result can be described as a cyber-tsunami.<br />
<br />
While the reality is that there is "no silver bullet", and we must be perpetual students and develop on-going processes to maintain our cyber-security, we can talk here about one part of the overall process. Let us look at the pros and cons of employing a category of software tool known as password managers. In particular, I'll talk about a free tool called KeePassX.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-rNku0nzu-AM/Tx_zGmIkENI/AAAAAAAAAGw/6oAKBiv279E/s1600/KeePassX-website.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://3.bp.blogspot.com/-rNku0nzu-AM/Tx_zGmIkENI/AAAAAAAAAGw/6oAKBiv279E/s400/KeePassX-website.png" width="400" /></a></div>
<br />
<br />
<a href="http://www.keepassx.org/">KeePassX</a> is a cross-platform password management program. It is available for Windows, Mac OS X, and our favorite operating system, Linux. OK. So, what does it actually do?<br />
<br />
The program creates an encrypted database (using a 256-bit key with either the AES or Twofish algorithm) to store your usernames, passwords, links, and additional related information. What that means practically is that even if someone were to get ahold of your database file, they would have a hard time cracking it to get your information. Additionally, KeePassX gives you what we call a "two-factor" authentication option to access your stored information.<br />
<br />
Two-factor authentication, in this case, can be thought of as (1) something you know, the password, and optionally (2) something you have. Here, the "something you have" is any file you would like to use. You identify a computer file that needs to be present to log into the password database. If this sounds too technical for you - trust me - it takes more brain power to understand the philosophies behind its operation than it does to use the very intuitive user interface.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-rgOyf6EM5gQ/Tx_l58O5pwI/AAAAAAAAAGI/XDcxd4NLz40/s1600/KeePassX-login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="http://2.bp.blogspot.com/-rgOyf6EM5gQ/Tx_l58O5pwI/AAAAAAAAAGI/XDcxd4NLz40/s400/KeePassX-login.png" width="400" /></a></div>
<br />
To use the "second factor", one need only click the "Key File" check-box, and then the "Browse..." button to select the file you want to use. I recommend using a file on removable media, such as a USB drive. In this way, whenever you want to log into this program, you have to supply the file that is on the removable media. This makes your password management database very secure.<br />
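How a password and a key file can combine into a single database key, as an added example (not KeePassX's own code or file format): each factor is hashed, the hashes are combined, and the result is stretched with PBKDF2-HMAC-SHA256, a derivation swapped in here because it ships with the Python standard library. The function names, salt, work factor and sample key-file bytes are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

ROUNDS = 200_000  # assumed work factor for this sketch, not a KeePassX setting


def composite_secret(password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each factor separately, then hash the concatenation."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the combined secret into a 256-bit database key."""
    secret = composite_secret(password, key_file)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ROUNDS, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """Tag stored beside the database so a wrong key is detected on unlock."""
    return hmac.new(key, b"database-unlock-check", hashlib.sha256).digest()


def unlock(password: str, key_file: Optional[bytes], salt: bytes,
           verifier: bytes) -> Optional[bytes]:
    """Return the database key only if both factors reproduce the verifier."""
    key = derive_key(password, key_file, salt)
    return key if hmac.compare_digest(make_verifier(key), verifier) else None


# Constructed sample values (a real salt would come from os.urandom).
SALT = bytes(range(16))
PASSWORD = "correct horse battery staple"
KEY_FILE = b"constructed key file contents kept on a USB drive\n"


def demo() -> dict:
    """Try to unlock with complete, missing and altered factors."""
    verifier = make_verifier(derive_key(PASSWORD, KEY_FILE, SALT))
    attempts = {
        "password and key file": (PASSWORD, KEY_FILE),
        "password only": (PASSWORD, None),
        "key file altered by one byte": (PASSWORD, KEY_FILE + b" "),
        "wrong password, right key file": ("guess", KEY_FILE),
    }
    return {name: unlock(pw, kf, SALT, verifier) is not None
            for name, (pw, kf) in attempts.items()}


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:32} -> {'unlocked' if opened else 'refused'}")
```

Because the file's contents feed the key, the key file has to stay bit-for-bit identical: keep a backup copy of it somewhere safe, since a lost or modified key file locks you out just as a forgotten password would.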
<br />
Once you are logged in, you can create groups to help classify the different sites or systems you need to log into. Then you create the accounts within those groups. When you want to log into a site, you select it in the main window, then click on the "user" button along the top (which looks like an icon of a person). This copies the username into your clipboard, so you can paste it into the login box on the website (ctrl-v on Windows and cmd-v on Mac OS X). Then you do the same thing to enter your password. Click on the password button at the top of the screen (which looks like an icon of a key) and then paste it into the password field on the website.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-7IlqkRk_LJE/Tx_nvvo530I/AAAAAAAAAGQ/WDPdH35A4IA/s1600/KeePassX-working.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="http://4.bp.blogspot.com/-7IlqkRk_LJE/Tx_nvvo530I/AAAAAAAAAGQ/WDPdH35A4IA/s400/KeePassX-working.png" width="400" /></a></div>
<br />
On Linux systems, you can automate the whole process such that you can select the site you want to log into, double-click it, and your default web-browser will automatically launch and the username and password will automatically populate the fields and log you in. This takes a bit of configuration, and may be considered a brown-belt level task.<br />
<br />
Alas, we are trying to make this an easy process - and so far - it just seems to be more work. So where do we get our win?<br />
<br />
The major win is found in this application's ability to generate random and complex passwords for you. These generated passwords will never need to be remembered, and never need to be typed out. The only password you will ever need to remember is the password you need to get into KeePassX, when you first launch it (as described above).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-x4S5SoSLi6I/Tx_p74w5a_I/AAAAAAAAAGY/oJ-RDTfr4gI/s1600/KeePassX-pw-gen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="396" src="http://4.bp.blogspot.com/-x4S5SoSLi6I/Tx_p74w5a_I/AAAAAAAAAGY/oJ-RDTfr4gI/s400/KeePassX-pw-gen.png" width="400" /></a></div>
You can adjust your settings within the Password Generator window to meet your desired complexity and the capabilities of the site you are using. You may be surprised to find some of the sites you use will not allow special characters in the password. Similarly, many sites have unsatisfactory length restrictions. As a general rule, more complex and longer passwords are the way to go.<br />
<br />
The program collects "entropy" based upon your random key-strokes and mouse movements, to ensure that the password that is generated is truly random.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-srbVNSppdzE/Tx_rx7Dx7sI/AAAAAAAAAGg/dHTwY8GPLzk/s1600/KeePassX-entropy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="http://3.bp.blogspot.com/-srbVNSppdzE/Tx_rx7Dx7sI/AAAAAAAAAGg/dHTwY8GPLzk/s400/KeePassX-entropy.png" width="400" /></a></div>
<br />
<br />
The "New Password" field (see image below) will populate with a complex password after enough entropy has been gathered. This is a fast process.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-7Gb8h1qZAJY/Tx_r5pGlqfI/AAAAAAAAAGo/nc-sf88-77s/s1600/KeePassX-complex-pw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="397" src="http://1.bp.blogspot.com/-7Gb8h1qZAJY/Tx_r5pGlqfI/AAAAAAAAAGo/nc-sf88-77s/s400/KeePassX-complex-pw.png" width="400" /></a></div>
<br />
And there is your benefit. That long and ugly password is not crackable in any reasonable amount of time, given current technology. If you are securing your bank accounts - then a good policy will be to change that password on a regular basis. As long as you change the password more frequently than the amount of time it would take to crack the password, your account will not be cracked. The exact frequency will be an increasing quantity as technology continues to increase computing power. At this time, changing your password in this manner once per month should be more than sufficient.<br />
<br />
Changing a password that you don't need to remember in your brain should be less of a chore than coming up with new passwords you have to recall from memory every month.<br />
<br />
You should also recognize that so many people use a word or a name for their password (often simply appending or prepending a number) that the majority of attackers use "dictionaries" to attack accounts. You might note that the password listed above will NEVER be found in a dictionary. This is important. It means that an attacker has to "brute force" your password one character at a time. This is a very time-intensive process, which requires many, many computing cycles.<br />
<br />
You may note that in the image above, I have NOT selected the option to ensure that the generator includes characters from every group. Forcing the program to include characters from every group actually reduces the overall randomness of your password. If an attacker doesn't know exactly what your password is composed of - nor exactly how many characters your password is - this makes the job of cracking the password even harder.<br />
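The effect of the "every group" option can be measured. The following is an added example, not KeePassX code: it draws characters from the operating system's CSPRNG through Python's `secrets` module (rather than from keystrokes and mouse movement) and counts, by inclusion-exclusion, how many passwords survive the every-group rule. The four character groups and their sizes are assumptions chosen for illustration.

```python
import math
import secrets
import string
from itertools import combinations

# Assumed character groups (illustrative; a real generator's groups may differ).
GROUPS = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,           # 10 characters
    "special": string.punctuation,     # 32 characters
}


def generate(length, groups=GROUPS):
    """Draw each character uniformly and independently from the full alphabet."""
    alphabet = "".join(groups.values())
    return "".join(secrets.choice(alphabet) for _ in range(length))


def bits_unconstrained(length, groups=GROUPS):
    """Entropy in bits when every string of this length is equally likely."""
    alphabet_size = sum(len(chars) for chars in groups.values())
    return length * math.log2(alphabet_size)


def count_with_every_group(length, groups=GROUPS):
    """Number of strings containing at least one character from each group.

    Inclusion-exclusion: start from all strings, subtract those missing one
    group, add back those missing two groups, and so on.
    """
    sizes = [len(chars) for chars in groups.values()]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def bits_every_group(length, groups=GROUPS):
    """Entropy in bits when the generator must include every group."""
    return math.log2(count_with_every_group(length, groups))


def entropy_loss(length, groups=GROUPS):
    """Bits of randomness given up by forcing every group to appear."""
    return bits_unconstrained(length, groups) - bits_every_group(length, groups)


if __name__ == "__main__":
    print("sample password:", generate(20))
    for n in (8, 12, 20):
        print(f"length {n:2d}: {bits_unconstrained(n):7.2f} bits unconstrained, "
              f"{entropy_loss(n):.2f} bits lost with 'every group' enforced")
```

The constraint always costs some randomness, and the cost is largest for short passwords, where a large share of the possible strings miss at least one group.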
<br />
You should use this program, or one like it, for as long as you have to use passwords. Ultimately, passwords may be replaced by other means such as biometric devices (e.g. fingerprint readers, iris readers, etc.) <br />
<br />
Using a program like this means you have to keep your KeePassX database safe and secure. You can actually keep the entire database on a USB key. If someone gets your database, and guesses your password, and figures out what file you are using as the second authentication factor - then you still lose. So, care must be taken. But - like your house keys, or your car keys - having a small device to keep safe seems to be something we are capable of doing. Long, complex passwords, on the other hand - are simply better off being managed by a computer program.<br />
<br />
How do you come up with a good password for the database itself? I always suggest that folks use the first letter of each word in a long phrase they can recall easily. The typical example is the phrase, "four score and seven years ago..." which would or could yield the password: 4#&7ya<br />
<br />
In my humble opinion, that password is too short - but it is good as an example to teach how to come up with a complex password. Another good thing to do is to come up with a positive affirmation as the phrase for your password. In this way, you achieve true cyber-jutsu.<br />
<br />
"Dissatisfaction with life arises from desiring to have what cannot be had, and desiring to avoid what cannot be avoided." - The Buddha<br />
<br />
"dwLafd2hwcbh,&d2awcba."-TB<br />
<br />
If you are a brainiac - perhaps you could take a phrase like that and use the second letter in each word - or the last letter of each word. I think you get the idea now. Your goal should be to come up with a password for your KeePassX login that is more than 8 characters in length, and uses upper and lower case letters, numbers, and at least one special character.<br />
<br /></div>Metajunkiehttp://www.blogger.com/profile/09116799709930780786noreply@blogger.com1tag:blogger.com,1999:blog-5292497356212950167.post-70134002346301214612012-01-25T01:04:00.000-08:002012-01-25T02:10:15.030-08:00Anonymous DDoS Attack: OpIreland<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
Last night, into early this morning, Anonymous hacktivists launched a successful DDoS (Distributed Denial of Service) attack against http://justice.ie, the Department of Justice and Equality in Ireland website as a "warning shot across the bow", in response to an announcement that "<span class="Apple-style-span" style="font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13px; line-height: 18px;">the Irish government plans, <a href="http://www.thejournal.ie/readme/column-will-ireland-block-the-internet-to-save-cds/" style="text-decoration: none;">before the end of January</a>, to bring in a law which would allow Irish courts to block access to websites accused of infringing copyright..."</span>. (See: http://www.tjmcintyre.com/2012/01/irelands-sopa-faq.html and search for the twitter tag #OpIreland)</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
These activities raise many questions about citizenship, the law, liberty on the Internet, intellectual property rights, civil disobedience, and more.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
When you think about and research these operations, there are some things that you should keep in mind. Not the least of which is that, according to information published by Anonymous, OpIreland was intentionally conducted "after business hours" when the need for the website would be less critical for anyone seeking to use it. The goal was to raise awareness, and it seems they have succeeded in that.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Some will denounce these activities out of hand as illegal and wrong. They will attempt to say that support for these Anonymous Operations is taking a side against intellectual property rights. I'm not sure that is a fair assessment. There are already laws on the books which can be used to prosecute those who steal others' work. What is being attacked here is the notion that wide-sweeping new laws are required to combat online piracy. The danger is that these laws are so wide-sweeping that they will end up being used to censor law-abiding netizens and their online content.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In a perfect world, there would be no need to temporarily, forcibly, shut down a government website to direct attention at questionable legislation that, much like our own Patriot Act, is being pushed through the Irish legislature in a timeframe that will not allow proper analysis and debate. But it is clear that we live in a world that is far less than perfect.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-VRdy_wCVAFU/Tx_IYQ69iwI/AAAAAAAAAGA/vPIfJ7qrpWY/s1600/19974-xlarge.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="http://2.bp.blogspot.com/-VRdy_wCVAFU/Tx_IYQ69iwI/AAAAAAAAAGA/vPIfJ7qrpWY/s320/19974-xlarge.jpg" width="320" /></a></div>
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
As I write this, http://justice.ie is back online. The site was not damaged, and it was down for probably less than two hours as a result of the DDoS. The Anonymous threats are far more dangerous. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
A message dropped onto Pastebin advised, "</div>
<ol style="font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Bitstream Vera Sans Mono', Courier, monospace; font-size: 12px; line-height: 21px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 48px; padding-right: 0px; padding-top: 0px; text-align: left;">
<li>If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate internet, destroying dozens upon</li>
<li>dozens of government and company websites. As you are reading this we are amassing our allied armies of</li>
<li>darkness, preparing boatloads of stolen booty for our next raid. We are sitting on hundreds of rooted servers</li>
<li>getting ready to drop all your mysql dumps and mail spools. Your passwords? Your precious bank accounts? Even</li>
<li>your online dating details?! You ain't even trying to step to this."</li>
</ol>
<span class="Apple-style-span" style="font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Bitstream Vera Sans Mono', Courier, monospace; font-size: 12px; line-height: 21px;">
<span class="Apple-style-span" style="font-family: Times; font-size: small; line-height: normal;">This may seem like techno-babble to many of you - if that is the case, take my word, it is threatening.</span></span><br />
<div>
<br /></div>
<div>
If the Anonymous Hacktivists move into the above noted phase of operations, I fear they will have gone too far. There is a difference between raising awareness through a more or less peaceful DDoS demonstration and cracking into accounts and distributing private bank account information. The DDoS operations can clearly be compared to a physical-world protest on a city street that would impede movement through the area for a time because so many people have flooded the street that there is no clear path for traffic to flow. Cracking into accounts and distributing bank account information is theft. One could argue, depending upon the owners of the bank accounts, that such operations would be akin to the illegal activities of Robin Hood - but they are clearly illegal, nevertheless.</div>
<div>
<br /></div>
<div>
I have one last thing for you to consider about this most recent, and in fact all hacktivist DDoS activities. I have heard folks say that because it takes a very large number of computer systems to pull off a DDoS, that there is wide-spread and popular support for Anonymous. This simply isn't the case. If it were, the DDoS wouldn't be necessary to raise awareness. The reality is that the hacktivists who are actually "pulling the trigger" to execute the DDoS are what we refer to as "bot herders". These are people who have control of hundreds, thousands, and in some cases tens or hundreds of thousands of compromised home and business computers. When these computers are compromised, software is installed "enlisting" these systems into a "bot army". The systems continue to function as normal; but, they also wait and listen for the command to attack. When that attack command is received, it is often a simple command telling the system to repeatedly "ping" the target system. The target system is quickly overwhelmed by "ping" requests, and can no longer respond to legitimate traffic. The site, in effect, is taken offline in this manner.</div>
<div>
<br /></div>
<div>
Perhaps a more democratic way to implement a popularly supported DDoS protest campaign, would be to invite folks to join the cause, rather than draft them into unknown participation. That would be better cyber-jutsu. ;)</div>
<div>
<br /></div>
<div>
Sensei Metajunkie<br />
<br />
<div style="text-align: left;">
<br /></div>
</div>
</div>Metajunkiehttp://www.blogger.com/profile/09116799709930780786noreply@blogger.com0tag:blogger.com,1999:blog-5292497356212950167.post-6047345718234943742011-06-20T12:05:00.000-07:002011-06-20T12:05:08.452-07:00The Rich Seize Internet Name-space!<div dir="ltr" style="text-align: left;" trbidi="on">ICANN (the controlling authority for the Internet) will accept applications ($185,000) for new root domain names (i.e. website suffixes like .com and .net), for 90 days, beginning Jan 12, 2012. Winners awarded their domain name (e.g.: .ipod, .apple, .cisco, .pepsi, .democrat, .republican, .healthcare, .books, .worldbank, etc.) must pay $25,000 annually. These new root domain names can be in "nearly any word in any language, including in Arabic, Chinese and other scripts", this was decided at a meeting today in Singapore. (Source: Associated Press)<br />
<br />
What does this mean? It means that .com just became a "second class" root domain. I'm not sure that this is good for small businesses in any way - but, that obviously isn't a concern for ICANN. Anyone who can afford the process can apply for any root domain name they want. If two people or entities want the same domain name, they can bid on it - so whoever has more money wins. If, for example, Pepsi and Coke, in addition to applying for .pepsi and .coke, both wanted .drink or .beverage or .pop or .soda - they could fight it out in good ol' greenbacks via public auction.<br />
<br />
That is all well and good for Pepsi and Coke; but, what about a small Information Security Company, like CyberCede Corporation? What are the chances that web traffic going to cybercede.com will decrease in favor of being directed to whomever owns .infosec, or .security? <br />
<br />
The face of the Internet is about to change - perhaps more drastically than it has changed since its inception.<br />
<br />
This also means that there are sites you just won't be able to reach without knowing a foreign language, or without having a modification to your keyboard to allow you to type in non-Romanic characters. I think this is significant. Up until this point, the Internet has been a global unifying movement. Sure, you can find pages that have foreign language content today - but you can at least read the address of that page in English. I would go so far as to believe that Internet use could have been contributing to the adoption of English as a global standard language for international communication.<br />
<br />
While some might scream "mono-culture" - that simply isn't what I'm talking about here. It is a well documented fact that a national language goes far in unifying a people. In the same way, English has unified many people around the world via the Internet. In some very small way, we were, in my humble opinion, rolling back the damage done by the Biblical tale of the Tower of Babylon. The world has been "getting smaller", and in large part that has been because of the Internet. I think this move will reverse that perception.<br />
<br />
To sum it up - we can expect big money to create great domain space names, and attempt to market .com into obscurity; and, using a US English keyboard, where previously it was a gateway to information in every corner of the world, will now become a limiting factor - barring entrance to foreign sites for the average American. But hey - who cares, right? Most Americans don't actually get world-wide information from the Internet. Their computers are the little brother to their massive television sets, that broadcast 'truth' directly into their subconscious minds. After all - TV is only meant for mindless relaxation and reassurance; and, the Internet is just for Facebook games and Porn, right? As long as I can order my pizza online - I don't care what they do. Mmmm pizza and sitcoms - the American Dream. Go back to sleep .... go back to sleep. OH?! incoming facebook message on my phone! Oh it's just someone using facebook to promote their blog... go back to sleep.... go back to sleep. zzzzz<br />
<br />
<br />
<br />
</div>Metajunkiehttp://www.blogger.com/profile/09116799709930780786noreply@blogger.com2tag:blogger.com,1999:blog-5292497356212950167.post-3011970660557764442011-03-23T13:37:00.000-07:002011-03-23T13:57:27.128-07:00Cyber Attack From IranA well prepared attacker with an IP address originating in Tehran, Iran (212.95.136.18) compromised a user account in an RA (Registration Authority) at comodo.com, created themselves a new userID, and quickly generated CSRs (Certificate Signing Requests) for nine certificates. Comodo is a certification authority present in the Trusted Root Certification Authorities Store on Microsoft Windows, as well as all modern web browsers such as Mozilla Firefox and Google's Chrome.<br />
<br />
Given proper circumstances, the resulting certificates could be used to spoof content, conduct phishing attacks, and/or perform man-in-the-middle attacks against all popular browsers, across many platforms. Using these certificates, the attacker could redirect a victim to a forged Firefox plug-in download page, and deliver them malicious add-ons to install. The certificate would appear valid to the browser, so there would be no warning to the user that something was amiss. At that point, the attacker could control the lion's share of computers in American homes.<br />
<br />
However, upon discovery, all certificates were revoked. This will make using the forged certificates much more difficult, and much less far reaching (unless other key components of our Internet infrastructure are also compromised, namely our DNS systems). Comodo could only verify that one of the certificates generated was actually received by the attacker. Comodo reported, "Our systems indicate that when this one certificate was first tested it received a 'revoked' response from our OCSP responders. The site in Iran on which the certificate was tested quickly became unavailable."<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh5.googleusercontent.com/-c6aMuM6IV98/TYpZ4cP908I/AAAAAAAAAF4/iTXbNUECq4c/s1600/USA_Iran.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://lh5.googleusercontent.com/-c6aMuM6IV98/TYpZ4cP908I/AAAAAAAAAF4/iTXbNUECq4c/s320/USA_Iran.jpg" width="320" /></a></div><br />
It is believed that "this was likely to be a state-driven attack".<br />
<br />
At least it looks that way. Of course - in cyberspace - things aren't always what they seem. The attack could have just as easily been conducted by an American Warhawk, who compromised a system in Iran, and launched the attack from there. However, Comodo reported that, "The Iranian government has recently attacked other encrypted methods of communication."<br />
<br />
In order to use these certificates maliciously, there would have to be additional DNS tom-foolery. Do the attackers already have that piece of the attack 'in the bag'? <br />
<br />
You may recognize some of these domain names. It looks like this was an attack against communications, as opposed to banks or online-shopping sites, as a criminal might attempt.<br />
<br />
<br />
In any event - even though the certificates in question were revoked, <a href="http://www.microsoft.com/technet/security/advisory/2524375.mspx"><b>Microsoft released a patch</b></a>. If you are running Windows, you should <b>apply that patch</b>.<br />
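Revocation and the patch only help where they are actually applied, so it is also worth checking whether any certificate you have observed carries one of the serial numbers from the Comodo release quoted in this post. The following is an added example, not from Comodo or Microsoft; the host names and the non-matching serial in the sample are constructed, and the blocklist holds only the nine serials listed in this post.

```python
import re

# Serial numbers copied from the Comodo release quoted in this post,
# mapped to the name each fraudulent certificate was issued for.
FRAUDULENT_SERIALS = {
    "047ECBE9FCA55F7BD09EAE36E10CAE1E": "mail.google.com",
    "00F5C86AF36162F13A64F54F6DC9587C06": "www.google.com",
    "00D7558FDAF5F1105BB213282B707729A3": "login.yahoo.com",
    "392A434F0E07DF1F8AA305DE34E0C229": "login.yahoo.com",
    "3E75CED46B693021218830AE86A82A71": "login.yahoo.com",
    "00E9028B9578E415DC1A710A2B88154447": "login.skype.com",
    "009239D5348F40D1695A745470E1F23F43": "addons.mozilla.org",
    "00B0B7133ED096F9B56FAE91C874BD3AC0": "login.live.com",
    "00D8F35F4EB7872B2DAB0692E315382FB0": "global trustee",
}


def serial_to_int(text):
    """Parse a certificate serial, as printed by some tool, into an integer.

    DER encoding prepends a 00 byte to a positive integer whose top bit is
    set, and tools may print that byte or drop it, use colons or spaces, and
    use either case. Comparing integers makes all those spellings equal.
    """
    cleaned = re.sub(r"[\s:]", "", text)
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError(f"not a hex serial: {text!r}")
    return int(cleaned, 16)


BLOCKLIST = {serial_to_int(s): name for s, name in FRAUDULENT_SERIALS.items()}


def match_fraudulent(serial_text):
    """Return the name the fraudulent certificate was issued for, or None."""
    return BLOCKLIST.get(serial_to_int(serial_text))


def audit(observations):
    """Check (host, serial) pairs; return hits and entries that need a human.

    Serials are only unique per issuing CA, and the release quoted here does
    not name the issuer, so a hit should be confirmed against the issuer field
    of the certificate before acting on it.
    """
    findings = []
    for host, serial_text in observations:
        try:
            issued_for = match_fraudulent(serial_text)
        except ValueError:
            findings.append((host, serial_text, "unparseable"))
            continue
        if issued_for is not None:
            findings.append((host, serial_text, issued_for))
    return findings


# Constructed sample: where each serial was observed is hypothetical.
SAMPLE_OBSERVATIONS = [
    ("proxy-01.example.internal", "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06"),
    ("proxy-02.example.internal", "00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3"),
    ("proxy-03.example.internal", "01A2B3C4D5E6F708"),  # constructed, not on the list
    ("proxy-04.example.internal", "n/a"),
]

if __name__ == "__main__":
    for host, serial, verdict in audit(SAMPLE_OBSERVATIONS):
        print(f"{host}: {serial} -> {verdict}")
```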
<br />
<br />
From the Comodo release:<br />
<br />
<h1>Fraudulently issued certificates</h1><div class="MsoNormal">9 certificates were issued as follows:</div><div class="MsoNormal">Domain: mail.google.com [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: <a href="http://www.google.com/">www.google.com</a> [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 00F5C86AF36162F13A64F54F6DC9587C06</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: login.yahoo.com [Seen live on the internet]</div><div class="MsoNormal">Serial: 00D7558FDAF5F1105BB213282B707729A3</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: login.yahoo.com [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 392A434F0E07DF1F8AA305DE34E0C229</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: login.yahoo.com [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 3E75CED46B693021218830AE86A82A71</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: login.skype.com [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 00E9028B9578E415DC1A710A2B88154447</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: addons.mozilla.org [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 009239D5348F40D1695A745470E1F23F43</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: login.live.com [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Domain: global trustee [NOT seen live on the internet]</div><div class="MsoNormal">Serial: 00D8F35F4EB7872B2DAB0692E315382FB0</div>Metajunkiehttp://www.blogger.com/profile/09116799709930780786noreply@blogger.com2tag:blogger.com,1999:blog-5292497356212950167.post-77870768743443581222011-03-10T08:44:00.000-08:002011-03-10T08:44:29.816-08:00New Definition: TMH is Too Much Help <u><b>TMH: Too Much Help</b></u><br />
<br />
Every now and again we need to come up with new words to describe something in our ever-changing world. In the Digital Age, we often use abbreviations. Some abbreviations, such as "LOL", for "Laughing out Loud" and "BRB", for "Be Right Back" have moved from what we might call "geek-space" into everyday use. Cell phones, and their ability to send text messages, have spread these sorts of practices far and wide. This new abbreviation is derived from an already popular abbreviation used in verbal communications: "TMI", which stands for "Too Much Information".<br />
<br />
Because many of us have become very impatient, as well as very reliant upon spell checkers, some "auto-correct" features have been built into many mobile phone text message clients. The "auto-correct" features, as anyone who has used them will attest, sometimes offer "too much help". <br />
<br />
It is because of this shortcoming that I have the distinct honor of bringing you a new abbreviation. TMH<br />
<br />
TMH stands for too much help. The reason it is a useful abbreviation is because the person who has become a victim of the helpful auto-correct feature is often oblivious to the fact that their text message was auto-corrected into obscurity.<br />
<br />
Here is an example text message session to illustrate the point:<br />
<br />
<span style="color: red;">Bridget:</span> <i>we'd paper</i><br />
<br />
<span style="color: blue;">Metajunkie:</span> <b>tmh</b><br />
<br />
<span style="color: red;">Bridget:</span> We need paper<br />
<br />
<span style="color: blue;">Metajunkie:</span> OK, I'll pick some up on way home<br />
<br />
Here is another example text message:<br />
<br />
<br />
<span style="color: red;">Bridget:</span> <i>Innuendo</i> and her husband can't come out on Friday<br />
<span style="color: blue;">Metajunkie:</span> Who is innuendo?<br />
<span style="color: red;">Bridget:</span> Bonnie<br />
<span style="color: blue;">Metajunkie:</span> why do you call her innuendo?<br />
<span style="color: red;">Bridget: </span> <b>tmh</b><br />
<span style="color: blue;">Metajunkie:</span> oic<br />
<br />
and one last one for good measure:<br />
<br />
<span style="color: red;">Bridget:</span> pick up milk<br />
<span style="color: blue;">Metajunkie:</span> <b>tmh</b>?<br />
<span style="color: red;">Bridget:</span> ha ha. no - really - pick up milk<br />
<br />
I think we will all be able to put the abbreviation "tmh" to good use.<br />
<br />
Happy texting!<br />
<br />
MetajunkieMetajunkiehttp://www.blogger.com/profile/09116799709930780786noreply@blogger.com1tag:blogger.com,1999:blog-5292497356212950167.post-13906668709236541912011-01-28T05:41:00.001-08:002011-01-28T05:41:35.033-08:00Qwiki Entries for some Malware related terms<div xmlns=''><p style='margin-bottom: 0in'>Rather than searching with Google, to get an understanding of some key terms regarding cyber-jutsu, and the threats to your computer, check out these links to Qwiki.com articles.</p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'>Qwiki.com is a new way to learn about a topic quickly. Perhaps best of all, for many of us who have tired eyes from reading our computer screens all day – or those of us who are just plain lazy... Qwiki.com reads the entry to you. It should be noted that the pronunciation of all words is not quite “spot on” yet. The site is very cool – but unquestionably - “in the works”. </p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'>Some terms all computer users should be familiar with:</p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'> <a href='http://www.qwiki.com/q/#!/Malware'>http://www.qwiki.com/q/#!/Malware</a> </p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'> <a href='http://www.qwiki.com/q/#!/Botnet'>http://www.qwiki.com/q/#!/Botnet</a> </p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'> <a href='http://www.qwiki.com/q/#!/Trojan_horse_%28computing%29'>http://www.qwiki.com/q/#!/Trojan_horse_%28computing%29</a> </p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'> <a href='http://www.qwiki.com/q/#!/Keystroke_logging'>http://www.qwiki.com/q/#!/Keystroke_logging</a> </p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'> <a href='http://www.qwiki.com/q/#!/Rootkit'>http://www.qwiki.com/q/#!/Rootkit</a> </p><p style='margin-bottom: 0in'> <br/> </p><p style='margin-bottom: 0in'> <br/> 
</p><br clear='left'/></div>Metajunkiehttp://www.blogger.com/profile/09116799709930780786noreply@blogger.com1tag:blogger.com,1999:blog-5292497356212950167.post-48253769647125414992010-09-02T16:14:00.000-07:002010-09-02T16:14:23.596-07:00Book: Professional Penetration Testing (Purchased)<iframe align="left" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="http://rcm.amazon.com/e/cm?t=cyberjutsu-20&o=1&p=8&l=bpl&asins=1597494259&fc1=000000&IS2=1&lt1=_blank&m=amazon&lc1=0000FF&bc1=000000&bg1=FFFFFF&f=ifr" style="height: 245px; padding-right: 10px; padding-top: 5px; width: 131px;"></iframe>I'm reading a book I recently purchased, called Professional Penetration Testing. I'm using this as a first try at using the tools available for Amazon Associates on Blogspot. Feel free to hover over the image/link, and click for more information on the book. I believe I only generate some sort of commission, when there is a sale.<br />
<br />
I pledge to my readers never to offer products that I don't own myself. I hope to give meaningful reviews of these products as well.<br />
<br />
So far, my experience with Professional Penetration Testing is a positive one. While I admit that the price tag is a little steep, you should understand that it comes with a DVD that contains not only instructional video, but also some system images to be used in training. These images are suitable for loading into VMware, for example.<br />
<br />
Another thing about the book that put it onto my "buy it now" list, is that in addition to covering the technical aspects of Penetration Testing, it also covers ethics as well as "the business" of Penetration Testing.<br />
<br />
I hope you all don't get sick of this advertisement, but I'll keep posting it while I'm going through this book. I know there is an awful lot of information that is redundant for me, personally. That happens when you are at the stage of your career that I am in (I think they call it getting old). There aren't many books I can pick up and not have to go through some amount of information that I'm already familiar with. But this is as much a part of Cyber-Jutsu as anything else. One needs to learn to dig through the proverbial weeds, in order to find the gems that will be useful.<br />
<br />
Another really good reason for me to pick up this book, is that I expect that CyberCede, my company, will be hiring within the year. I think this might be a great tool for my new recruits. If you are in college and looking for a co-op position or if you recently graduated and desire a position as an entry/junior level information security analyst, drop me an email and/or shoot me your resume. If you are eager to get started on this path - you might want to purchase this book (and keep your receipt).Metajunkiehttp://www.blogger.com/profile/09116799709930780786noreply@blogger.com1tag:blogger.com,1999:blog-5292497356212950167.post-35090104467469705792010-09-02T13:25:00.000-07:002010-09-02T15:12:40.465-07:00The State Of The Current SNAFU vs. The Good Old DaysI sit and write this post, which is long overdue, and slightly off topic, while I watch my HP Pavilion dv9000 "running" Windows Vista Ultimate "welcome" me forever. It is just sitting there with its very stylish shining circle spinning like its grandfather, the hourglass used to do. I'll be honest. It is still spinning - and spinning, and I'm getting the sinking feeling that this system isn't going to come back up without a hard boot. Luckily, I'm barefoot right now.<br />
<br />
While I enjoy the many terabytes of storage that store movies, pictures, and other data of all kinds in my home and home office, there is a part of me that longs for "the good old days". Which good old days might those be? How about a time when, if I had a problem with my operating system disk, I reached over and grabbed one of the other copies that I had in a pile of 5.25" floppy disks.<br />
<br />
That was the way my first IBM clone worked. It didn't come with a hard drive, it didn't even have a pre-established space to mount one. I had the deluxe model, it had not one, but two five and a quarter inch floppy drives. This allowed me to boot the computer off of the MS DOS disk, and leave it in the drive while I put my application floppy disk in the second drive.<br />
<br />
Others, who didn't have this deluxe model would have to, from time to time, pull out their application disk, and re-insert their Operating System disk for a required file. One of my most-used applications in those days was a word processor called "Word Star", another was dBase, a database I taught myself to use (it may have been dBase II). Ah, the time I saved by having that second floppy drive was well worth the price. :)<br />
<br />
I purchased that first IBM clone while I was in the US Air Force, and stationed in Japan (1987-1989). It was a Commodore PC10. The "10" stood for the speed. It ran at an amazing 10 MHz. This was a vast improvement over the actual IBM PC computers I had the opportunity to use in the Artificial Intelligence lab at the on-base satellite-campus for the University of Maryland. Those beasts were running around 4.77 MHz as I recall, and the speed difference while running the expert system I had written in Prolog was significant. I recall my first reaction to seeing the IBM logo on those systems. I was ecstatic. "Oh man," I had said, "real IBMs!" My instructor asked me if I had a computer back in my dorm, and I told him what I had. "You will want to use that when you can," he advised; and, he was right.<br />
<br />
While I was very skeptical at first, tinkering (or hacking) with the computer hardware started almost immediately. I had a friend who was disgusted by the notion that I was only using two floppy drives to run my system; and he helped me upgrade my IBM clone to include a hard drive. It was the first time I had ever taken the cover off of a computer. I was shocked and appalled when my friend pulled a drill out of his bag. "This is a computer," I said, as if he was not aware of that obvious fact. "It is a delicate piece of electronics," I continued as he moved closer to the system and plugged the drill in. He spun the drill's motor up and grinned at me. "I don't think this is the way it should be done," I pleaded. He was mildly amused at first, but quickly annoyed. I was perhaps 18 or 19 years old, and my friend was probably in his mid to late 30s. He was perfectly content not to use the drill. But he advised me, if we didn't, he couldn't help me install the hard drive I had just purchased with his help.<br />
<br />
I bought the hard drive at the same location I bought the PC. There was an electronics shop on base that had all of the wonders of the world, most of which would not be seen in the Continental United States for about four years. Most Americans aren't aware of the consumer technology lag between Japan and the United States which is still around four years. I think that is an effect produced by the unquestionable pseudo-truth that all Americans grow up with; namely, that the United States is the best country in every way. But I digress.<br />
<br />
My friend had suggested that I purchase the 10, or 20 Megabyte hard drive. "You will probably only ever use ten megabytes," he advised. "You might use ten, you probably won't ever even need more than ten," he continued as I held the forty megabyte box in my hands. "You will never in your life use forty megabytes. You are wasting your money," he urged. I bought the 40MB hard drive, and never looked back.<br />
<br />
Having been pushed up against the cliff of not getting that monster hard drive installed if I refused to allow my evil computer-doctor friend to use his barbaric drilling instrument, I gave the go-ahead. He did an outstanding job. That hard drive, a Seagate, is still mounted securely in that 8088 system to this day - and the last time I spun it up, it was still working.<br />
<br />
While I've been typing away - my HP laptop did finally boot, and I was able to log into my desktop. However, Internet Explorer refuses to run. Only God knows what the system was doing for all the time it took it to boot. I'm attempting to remove Windows Live OneCare (which was a really good Microsoft offering that is no longer supported). It refuses to be removed in Safe-Mode, and everything is just hanging (or taking unbelievable lengths of time to complete).<br />
<br />
There were updates that seem to have failed to load - but kept trying each time I shut down. I've been round and round with this system now for longer than I care to admit. Is it a virus? Perhaps. An intermittent drive failure? Perhaps. A heat issue? Perhaps. Is it a pain in the arse? Definitely. Can I easily swap out some parts to troubleshoot? Definitely not. :(<br />
<br />
Until next time,<br />
<br />
Metajunkie<br />
<br />
<b>Accumulated Permissions</b><br />
Posted by Metajunkie, 2010-03-02 07:59 -08:00 (updated 2010-09-02 15:14 -07:00)<br />
<br />
One thing that every company should look at is the effect called "Accumulated Permissions". This is often caused by individuals within a company moving from one department to another. The knowledge worker has permissions to do job A, and when they are promoted, or transferred into a new role (job B), the permissions to create, read, update, and/or delete information concerning job A might not be removed.<br />
<br />
If a person works for an organization long enough, they can accumulate quite a large quantity of technically unnecessary permissions. This obviously creates a potential for abuse from such accumulated permissions, if they belong to a disgruntled, malicious, or unscrupulous employee. Even when under the control of the most loyal and trustworthy employee, such an accumulation of permissions is still a danger to the organization because of accidental use of permissions no longer expected to be active, or in the event of an account compromise by someone who means the organization harm.<br />
<br />
A yearly, or quarterly, manual review of all roles within an organization, and the actual permissions associated with each account is the only fool-proof way of handling Accumulated Permissions. Such a review requires a joint effort between managers, data owners, data custodians, and information security professionals.<br />
<br />
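One way to prepare the review described above, as an added example that is not part of the original post: the script compares each account's actual grants with the baseline for its current role and attributes every extra grant to the earlier roles that would explain it, so managers and data owners receive a short worksheet to decide on. The role names, resources, accounts and the `ROLE_BASELINE` table are constructed assumptions.

```python
"""Flag accumulated permissions: grants an account still holds from earlier roles."""
from dataclasses import dataclass, field

# Constructed role baselines (assumption): role -> set of (resource, CRUD action).
ROLE_BASELINE = {
    "payroll_clerk": {("payroll_db", "create"), ("payroll_db", "read"),
                      ("payroll_db", "update")},
    "hr_generalist": {("hr_records", "read"), ("hr_records", "update")},
    "it_helpdesk": {("ticket_queue", "create"), ("ticket_queue", "read"),
                    ("ticket_queue", "update"), ("ad_accounts", "read")},
}


@dataclass
class Account:
    user: str
    current_role: str
    previous_roles: list = field(default_factory=list)
    granted: set = field(default_factory=set)


def review_account(acct):
    """Split the grants beyond the current role into accumulated and unexplained."""
    baseline = ROLE_BASELINE[acct.current_role]
    excess = acct.granted - baseline
    accumulated = {}    # permission -> earlier roles whose baseline explains it
    unexplained = set() # excess grants no earlier role accounts for
    for perm in excess:
        sources = [r for r in acct.previous_roles
                   if perm in ROLE_BASELINE.get(r, set())]
        if sources:
            accumulated[perm] = sources
        else:
            unexplained.add(perm)
    return {
        "user": acct.user,
        "current_role": acct.current_role,
        "accumulated": accumulated,
        "unexplained": unexplained,
        # Baseline permissions the account lacks: also worth a reviewer's look.
        "missing": baseline - acct.granted,
    }


def build_worksheet(accounts):
    """Return findings for accounts that need a decision, most excess grants first."""
    findings = [review_account(a) for a in accounts]
    flagged = [f for f in findings if f["accumulated"] or f["unexplained"]]
    flagged.sort(key=lambda f: (-(len(f["accumulated"]) + len(f["unexplained"])),
                                f["user"]))
    return flagged


# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    # Moved from payroll to HR; the payroll grants were never removed.
    Account("alice", "hr_generalist", ["payroll_clerk"],
            {("hr_records", "read"), ("hr_records", "update"),
             ("payroll_db", "read"), ("payroll_db", "update")}),
    # Only ever held one role; grants match the baseline exactly.
    Account("bob", "it_helpdesk", [],
            {("ticket_queue", "create"), ("ticket_queue", "read"),
             ("ticket_queue", "update"), ("ad_accounts", "read")}),
    # Two earlier roles plus one grant that no role explains.
    Account("carol", "it_helpdesk", ["hr_generalist", "payroll_clerk"],
            {("ticket_queue", "read"), ("ad_accounts", "read"),
             ("hr_records", "read"), ("payroll_db", "create"),
             ("ad_accounts", "delete")}),
]

if __name__ == "__main__":
    for row in build_worksheet(SAMPLE_ACCOUNTS):
        print(row["user"], "-", row["current_role"])
        for (res, act), roles in sorted(row["accumulated"].items()):
            print(f"  accumulated: {act} on {res} (from {', '.join(roles)})")
        for res, act in sorted(row["unexplained"]):
            print(f"  unexplained: {act} on {res}")
```

The worksheet only narrows the review; whether each flagged grant is removed remains a decision for the data owner and the account's manager.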
Information Security Companies such as <a href="http://www.cybercede.com/">CyberCede Corporation</a> can assist an organization with internal permission reviews.<br />
<br />
<b>Another new device from Apple: iPad</b><br />
Posted by Metajunkie, 2010-01-27 12:05 -08:00 (updated 2010-09-02 13:33 -07:00)<br />
<br />
Apple has done it again. They have released details of a new device called the iPad at an Apple Keynote in San Francisco, CA. There have been mounting rumors and expectations for a while, about an Apple Tablet device. It is finally here - and to use a Steve Jobs phrase, it looks "insanely great".<br />
<div><br />
</div><div>You can get an excellent video overview of it on Apple's website for the <a href="http://www.apple.com/ipad/#video">iPad</a>.</div><div><br />
</div><div>There isn't anything that I can say about it here that you won't be able to learn about it from that video linked above.</div><div><br />
</div><div>Enjoy!</div><div><br />
</div><div>Sensei Metajunkie</div><div><br />
</div>
<b>Google Wave Invitations Available</b><br />
Posted by Metajunkie, 2010-01-26 10:31 -08:00 (updated 2010-01-26 10:32 -08:00)<br />
<br />
I have some invitations for the Preview of Google Wave available.<div><br /></div><div>Let me know if you are interested.</div><div><br /></div><div><br /></div><div>Sensei Metajunkie</div>
<b>Sharing with the TaoSecurity Blog</b><br />
Posted by Metajunkie, 2010-01-25 16:13 -08:00 (updated 2010-01-25 16:20 -08:00)<br />
<br />
I recently posted a comment which I'd like my readers and students to take a look at on Richard Bejtlich's <a href="http://taosecurity.blogspot.com/2010/01/look-beyond-exploit.html">TaoSecurity Blog</a>. <div><br /></div><div>You will find several of Richard's books on our reading list. He is, in my opinion, a thought leader in the field of Information Security. This is especially true of his ideas concerning Network Security Monitoring (NSM).</div><div><br /></div><div>I encourage you all to take a look at the whole threaded conversation, but below is a copy and paste of my comment:</div><div></div><blockquote><div><br /></div><div><span class="Apple-style-span" style="font-family: Verdana, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); line-height: 16px; ">Richard,<br /><br />I'm not sure I'm really following you on this one. Are you suggesting that the 'point in time' doesn't matter?<br /><br />I generally find your 'out of the box' thinking refreshing (and often inspiring); but, I think I'm missing your point. Or, perhaps I'm just not agreeing with you.<br /><br />I can agree that we are facing 'on-going' campaigns of cyber-threats in many arenas, and that we need to plan with the big picture in mind. 
But even in a <i>physical</i> campaign of war; while we must have high level strategy that leads battlefield level tactics, we must win the individual 'point in time' conflicts (at least the key ones) in order to win the war. Wouldn't you agree?<br /><br />How does IT Security, or if you will allow the term cyber-warfare, differ? I have spent quite a bit of time converting <b>Sun Tzu's The Art of War</b> into IT Security wisdom. To me - his warfare consulting applies in cyberspace as well as physical terrain.<br /><br />While Sun Tzu does advocate that the war is won or lost in the planning stage, before the enemy is even physically engaged; in the end, the best planning won't amount to a hill of beans if the boys in the trenches can't overcome their foes. That is IMHO the Zen aspect of IT Security - you have to be 'in the moment'.<br /><br />From a Sun Tzu point of view, I believe that the lesson of his which most American companies that I've worked with are failing to heed is the "Know the Enemy, Know yourself." And of those two suggestions - it is actually the "know yourself" which is hurting the most. I could probably go on at the length of a book on that one... so I'll quit here ;)</span></div></blockquote><div><span class="Apple-style-span" style="font-family: Verdana, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); line-height: 16px; "></span><br /><div>Sensei Metajunkie</div><div><br /></div><div><br /></div></div>
<b>Governments and the Internet</b><br />
Posted by Metajunkie, 2010-01-25 08:08 -08:00 (updated 2010-09-02 15:15 -07:00)<br />
<br />
A cyber-friend of mine mentioned that I was curiously quiet on this blog about the recent events between Google in China and the evil horde of malicious hackers seemingly putting political pressure via cyber-attacks.<br />
<div><br />
</div><div>The short story is that Google has been working with the Chinese government to censor Google results which the Chinese Government doesn't want their citizens to see. In perhaps what was a moment of Liberty-Clarity, Google recently came out with a statement that they were going to stop censoring these results. To the best of my knowledge, they haven't actually implemented this change in policy - but they said they were going to.</div><div><br />
</div><div>After releasing their statement, they came under cyber-attack.</div><div><br />
</div><div>In other news, a law-firm that is representing an American company that is suing the state of China also came under cyber-attack.</div><div><br />
</div><div>Within the last few evenings, I saw Secretary of State, Hillary Clinton giving a long speech about "Internet Freedom". </div><div><br />
</div><div>Of all of the events noted above, listening to Secretary Clinton talk about the importance of a Free Internet caused me the most concern. I have a hard time believing that she has had a change in what I perceive to be her core beliefs. In order to understand why this of all things concerns me the most, you should probably do a Google search on clinton, gore, PMRC, and the v-chip. ((if you don't get any interesting results - none of this will matter any more. ;) ))</div><div><br />
</div><div>My memory lumps all of these things together in a time when: <a href="http://www.philzimmermann.com/EN/background/index.html">Phil Zimmermann</a> was being put on trial by the US Government for making his free encryption program (PGP) available on servers that were connected to the Internet, the Clinton Administration was ensuring that the v-chip would be put into every television in America, and Tipper Gore and Hillary Clinton were dabbling in their own game of PMRC censorship, while I was the sysop (system operator) of the CIA (Central Information Agency) BBS trying to raise awareness about the decline of Liberty in America.</div><div><br />
</div><div>My judgement is that our Secretary of State is just fine with censorship, as long as she is in a position of decision. I further judge that she is no friend to true Internet Freedom; and, prefers the perception of freedom to the real thing. I am willing to be wrong about this, and I'd love to hear your thoughts on the subject.</div><div><br />
</div><div>I'm waiting to see all of the legislation that will follow, to ensure the "Freedom (R)" of the Internet.</div><div><br />
</div><div><br />
</div><div>Sensei Metajunkie</div><div><br />
</div>
<b>More Internet Explorer Woes</b><br />
Posted by Metajunkie, 2010-01-25 07:51 -08:00 (updated 2010-01-25 08:07 -08:00)<br />
<br />
This is just a quick heads up - if not a tad late...<div><br /></div><div>Internet Exploder... errr "Explorer" has more serious security flaws in it. The last I heard, Microsoft was still trying to come up with a patch.</div><div><br /></div><div>Have you looked into using an alternative web browser yet?</div><div><br /></div><div><a href="http://www.mozilla.com/en-US/firefox/firefox.html">Firefox</a> is FREE. </div><div><br /></div><div>There is also a free email client called <a href="http://www.mozillamessaging.com/en-US/thunderbird/">Thunderbird</a>.</div><div><br /></div><div>While we are at it... You should already be familiar with <a href="http://www.openoffice.org/">OpenOffice.org</a>. It is a free suite of programs for word processing, spread-sheets, presentations, etc. I'm amazed how many people I run into who are using old pirated versions of Microsoft Office. Live and let live; but, for the small business this is a really poor choice of roads to travel. Why not adopt the open-source alternative, which is completely free for personal and business use? OpenOffice has been around for a long time now. Unless you have all sorts of custom-coded MS Office VBA Applications and/or a serious Access Database, there really isn't a good reason not to switch to Open Office. And if you are one of the few companies that are truly leveraging the power of MS Office, good for you - now pay the piper. 
;)</div><div><br /></div><div>Surf safe,</div><div><br /></div><div> Sensei Metajunkie</div><div><br /></div>
<b>Cyber-Jutsu Style: Free Music is Nice!</b><br />
Posted by Metajunkie, 2010-01-13 15:08 -08:00 (updated 2010-01-13 15:17 -08:00)<br />
<br />
All work, and no play can make your cyber-jutsu rigid like the dance steps of a less than articulate automaton. Free Internet Music is a sure-fire way to keep you in the rhythm of things.<div><br /></div><div>I recommend all cyber-jutsu practitioners check out Pandora internet radio at <a href="http://www.pandora.com">www.pandora.com</a>.</div><div><br /></div><div>Pandora is free to use through your browser, though they have also released a fee-based version which strips out the advertisements and provides a native Windows and/or Macintosh application. The paid service costs $36/year. Some simple math shows us that their premium music service would only end up costing $3/month. There are a bunch of other reasons to purchase the premium membership - but I'll leave that up to them to convince you with.</div><div><br /></div><div>In any case - I just created my own radio station based upon Generation X to listen to. This is pretty neat stuff! 
:)</div><div><br /></div><div>Enjoy!</div><div><br /></div><div>Sensei Metajunkie</div><div><br /></div>
<b>Anti-Virus software companies statistically evaluated</b><br />
Posted by Metajunkie, 2010-01-06 07:42 -08:00 (updated 2010-01-06 07:59 -08:00)<br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.shadowserver.org/wiki/pub/shadowServer_transp_2-500x167.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 500px; height: 113px;" src="http://www.shadowserver.org/wiki/pub/shadowServer_transp_2-500x167.png" border="0" alt="" /></a><br /><br /><div><br /></div><div><br /></div>I just finished reviewing some statistical data on <a href="http://www.shadowserver.org/wiki/pmwiki.php/Stats/Viruses">AV products</a> at <a href="http://www.shadowserver.org/wiki/pmwiki.php/Main/HomePage">Shadow Server</a>. Shadow Server has been an excellent source of information for me on the Conficker outbreak. From their home page:<div><br /></div><div><span class="Apple-style-span" style=" ;font-family:Verdana, Geneva, Helvetica, Arial, sans-serif;font-size:13px;"><blockquote><span class="Apple-style-span" style="font-size:medium;"><i><span class="Apple-style-span" style="font-family:arial;">"Established in 2004, The Shadowserver Foundation gathers intelligence on the darker side of the internet. We are comprised of volunteer security professionals from around the world. 
Our </span></i></span><a class="wikilink" href="http://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/Mission" style="color: rgb(0, 0, 153); "><span class="Apple-style-span" style="font-size:medium;"><i><span class="Apple-style-span" style="font-family:arial;">mission</span></i></span></a><span class="Apple-style-span" style="font-size:medium;"><i><span class="Apple-style-span" style="font-family:arial;"> is to understand and help put a stop to high stakes cybercrime in the information age."</span></i></span></blockquote><span class="Apple-style-span" style="font-size:medium;">What was most striking, regarding the AV information I reviewed, was the surprisingly low identification rate for AV products that I had previously held in high regard. I'm not sure if this data is proof that some of the more mature AV companies are sitting back on their laurels, or if it is indicative of a malware epidemic growing out of control. It is probably a bit of both.</span></span></div><div><span class="Apple-style-span" style="font-family:Verdana, Geneva, Helvetica, Arial, sans-serif;"><span class="Apple-style-span" style="font-size:medium;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana, Geneva, Helvetica, Arial, sans-serif;"><span class="Apple-style-span" style="font-size:medium;">I recommend all cyber-jutsu practitioners check out Shadow Server.</span></span></div><div><span class="Apple-style-span" style="font-family:Verdana, Geneva, Helvetica, Arial, sans-serif;"><span class="Apple-style-span" style="font-size:medium;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana, Geneva, Helvetica, Arial, sans-serif;font-size:100%;"><span class="Apple-style-span" style="font-size:13px;"><br 
/></span></span></div>
<b>Internet Explorer and Adobe Flash player update</b><br />
Posted by Metajunkie, 2009-12-10 10:20 -08:00 (updated 2009-12-10 10:26 -08:00)<br />
<br />
It is time to make sure your patches have been run again. You will want to make sure that all of your Microsoft Windows patches have been applied. You will also want to check on any Adobe software installed on your system, most notably Flash Player, which just had an important security fix released this past Tuesday.<br /><br />The bug fixed in Internet Explorer was also a critical security issue, and should be addressed right away. This issue affects just about all versions of Internet Explorer. You can find more details about the issue on the Microsoft <a href="http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx">Security Bulletin page</a>.<br /><br />Humbly yours,<br /><br /><br /> Sensei Metajunkie<br />
<br />
<b>Google Launches A Public DNS Service</b><br />
Posted by Metajunkie, 2009-12-10 09:50 -08:00 (updated 2009-12-10 10:02 -08:00)<br />
<br />
Google recently launched a public DNS service which is an experiment in improving both the speed of DNS queries (which are required for all of your web browsing) and the security of the caching and DNS transactions (which is a major problem on the Internet today).<br /><br />You can get introductory information about their Public DNS <a href="http://code.google.com/speed/public-dns/">here</a>.<br /><br />When you are ready to set your DNS server configuration to point to the Google Public DNS Servers, you will want to check out this page on <a href="http://code.google.com/speed/public-dns/docs/security.html">Using Google Public DNS</a>.<br /><br />For those of us who are particularly interested in the security aspects of these Google DNS 
servers, we will want to read the information posted about the <a href="http://code.google.com/speed/public-dns/docs/security.html">Security Benefits</a>.<br /><br />You all will no doubt want to read about the <a href="http://code.google.com/speed/public-dns/privacy.html">Privacy Issues</a>, and how Google is addressing them. In short, they are promising to keep personally identifiable information for no more than 48 hours.<br /><br />May all your holiday DNS queries be fast and secure!<br /><br />Sensei Metajunkie<br />
<br />
<b>Survey Says 2/3 of Websites Have a Serious Security Flaw</b><br />
Posted by Metajunkie, 2009-11-25 20:42 -08:00 (updated 2009-11-25 20:55 -08:00)<br />
<br />
According to a recent SecurityFocus <a href="http://www.securityfocus.com/brief/1036">report</a>, "<span class="body">nearly two-thirds of Web sites have at least one serious security issue that would allow someone to remotely attack the site."<br /><br />The number of known vulnerabilities increases with time. Every day we learn of new flaws in software. For the average business owner today, in this troubled economy, the flawed cyber-jutsu tactic is the old "head in the sand" trick. Unfortunately, unless you are sticking the attacker's head in the sand, this generally doesn't help.<br /><br />Organizations without dedicated internal security teams must partner with Information Security Service Providers such as <a href="http://www.cybercede.net">CyberCede Corporation</a>. A company like CyberCede can assist a CIO or business owner in improving their situational awareness. Without knowing what is going on, you can't make informed decisions. Your chosen Information Security provider should employ individuals with well known and useful certifications such as the CISSP. <br /><br />An Information Security professional should help you to know yourself and know the enemy. 
Many of the website vulnerabilities come from improper configuration. These issues can usually be remedied quickly. For organizations with large amounts of custom code, including web applications, and dynamic sites based upon database back-ends, the work can take longer; but, is even more important to accomplish.<br /><br />How often should a vulnerability assessment be performed? Only you can decide; but, your Information Security Professional should help you assess the risks to your organization so you can make an informed decision.<br /><br />Don't forget to breathe!<br /><br />Sensei Metajunkie<br /><br /></span>
<b>Zero-Day exploit for Internet Explorer</b><br />
Posted by Metajunkie, 2009-11-25 18:11 -08:00 (updated 2009-11-25 18:31 -08:00)<br />
<br />
Here is a security advisory issued by Microsoft: <a href="http://www.microsoft.com/technet/security/advisory/977981.mspx">http://www.microsoft.com/technet/security/advisory/977981.mspx</a><br /><br />If you are running MS Internet Explorer, you should keep an eye out for when they actually patch this zero-day vulnerability. In the meantime, practice safe cyber-jutsu.<br /><br />This was originally posted to the Bugtraq mailing list last Friday. At the time, the exploit code was said to be "unreliable". It is getting more reliable, and the threat is growing.<br /><br />The attack will probably come in the form of malicious websites being set up with the exploit code, as well as hacked websites being used as unknowing agents of the malicious hackers. The style of attack is sometimes referred to as a "drive-by". If you visit the site with the vulnerable Internet Explorer browser, you will be compromised.<br /><br />So, the safe cyber-jutsu move here would be to use an alternative browser, at least for the time being. 
Both <a href="http://www.mozilla.com/en-US/firefox/personal.html">Firefox</a> and Safari are available for the Windows platform. Knowing how to use more than one browser shouldn't stress your cyber-jutsu too much.<br /><br />If you love Internet Explorer, it will still be there after Microsoft finds, implements, and rolls out a fix. It is said that the latest version of IE is not impacted by this. So, you could update to IE 8 as well. I still recommend having more than one brand of web-browser.<br /><br />If you had two cars, and one of them had a recall for the brakes - you would drive the other car until the flawed one was fixed. This is really no different. Except the alternative browsers aren't going to cost you a dime.<br /><br />Sensei Metajunkie