The RDV Group InfoSec Blog

Fundraising efforts for pianist Diane Moser to continue with special concert event Sunday afternoon, June 14 in Montclair, NJ

2009-06-01T10:54:00.000-04:00

Composer, pianist and bandleader Diane Moser has been a leading light in jazz and new music in the New York-New Jersey Area for nearly 20 years. As a writer the Montclair, NJ resident has received acclaim for her compositions, including a prestigious composition grant by Chamber Music America and a fellowship with the MacDowell Artists Colony. As a pianist, she has appeared with numerous top-flight musicians, such as Charles McPherson, Mark Dresser, Gerry Hemmingway among others, always lending her singular voice to the music. As a bandleader she has led numerous groups, most notably her Composer’s Big Band. Now she faces a new challenge, as she recovers from a rare form of cancer, in form of a gastrointestinal stromal tumor (GIST) and faces tremendous medical costs. In April her Composers Big band held the first of several fundraisers to help defray her medical expenses. A special concert benefit involving members of her local community as well as artists of international stature will be held on Sunday afternoon, June 14 at the Central Presbyterian Church in Montclair, NJ from 2:00-6:00 PM. There will be live auctions and a host of other activities that day to raise funds for Diane Moser.

Performers will include legendary jazz pianist George Cables, Double Bass Virtuoso and new music titan Mark Dresser, as well as several stalwarts of the NY-NJ Jazz scene (see below for full list) Additionally, several of Diane’s piano students will perform as well. Such a wide range of performers reflects Moser’s gifts as a performer, composer, and educator-in all these guises she has shared her love and enthusiasm for music.

A Celebration and Fundraiser for Diane Moser

Sunday June 14 2:00-6:00 PM

Central Presbyterian Church

46 Park Street Montclair, NJ 07042

There is no admission, but donations are encouraged

Guest artists will include: George Cables, Mark Dresser, Anton and Nicki Denner, the Mike Kaplan Nonet, the Diane Moser Quintet, the Erick Storckman Septet, and piano students of Diane Moser

For information, call 201-259-5865

For directions to Central Presbyterian Church, visit www.centralpresbyterian.net/contacts.html or call (973) 744-5340

Donations to cover Diane Moser’s medical costs can also be made online at

http://d-mo-zone.blogspot.com/. Just click on the “Donate” button in upper right hand corner to start the process.

Jazz Fundraisers for Pianist Diane Moser

2009-05-07T09:30:00.001-04:00

If you're in the Montclair New Jersey area May 11th, or the San Diego area May 12th, you might be interested in attending a special jazz event that's being held in each of those cities The band leader Diane Moser is recovering from a rare form of cancer, and since Moser has always been the first to help out artists who need help in paying onerous medical expenses, the music community gets to return the favor, with two special benefit concerts. The performances will reflect the many sides of Diane Moser, most notably the joy that is a trademark of her music and life.

Club/Date Info:

Monday, May 11, 8:00 PM
$10 cover, no minimum (full menu)
Trumpets
6 Depot Square
Montclair, New Jersey 07042
973.744.2600
Guest artists will include: Jim McNeely, Howard Johnson, Nicki Denner, Oliver Lake, Mike Kaplan, Russ Vines and others.

Tuesday, May 12, 7:00 PM
$20 cover
Dizzy's
San Diego Wine & Culinary Center
Harbor Club Towers ground floor
2nd & J Street
San Diego, CA 92169-1990
858.270.7467
Guest artists will include: Charles McPherson, Daniel Jackson, Mark Dresser, ESP Quintet, Rob Thorsen, Dave Millard, Mitch Manker, Duncan Moore, Yale Strom, Tripp Sprague, Gunnar Biggs, & more.

About Diane:
Composer, pianist and bandleader Diane Moser has been a leading light in jazz and new music in the New York-New Jersey Area for nearly 20 years. As a writer, she has received acclaim for her compositions, including a prestigious grant by Chamber Music America and a fellowship with the MacDowell Artists Colony. As a pianist, she has appeared with numerous top-flight musicians, such as Charles McPherson, Mark Dresser, and Gerry Hemmingway among others, always lending her singular voice to the music.

As a bandleader she has led numerous groups, most notably her Composers Big Band. Diane Moser’s Composers Big Band is a 17-piece big band formed for the purpose of developing and presenting new music for large ensembles. Presenting monthly concerts since January 1997, the CBB features the music of its resident composers along with guest composers and performers. The range of the featured artists collaborating with the band has been astonishing: Jim McNeely, Oliver Lake, Howard Johnson, Sy Johnson, Matt Wilson, Jackie Cain and Mark Dresser are but of few of the dozens to share the stage with the group. This breadth reflects the musical attitude of Diane Moser, whom the New York Times called “unfazable booster for improvised music.”

More about Diane:
http://www.myspace.com/dianemoserscomposersbigband
http://www.jazz.com/encyclopedia/moser-diane

If you can't make the concert, you can donate here: Flipped Kitty in the City

Hope to see you there!

April 1st Virus Attack

2009-03-31T13:23:00.005-04:00

I wrote a short piece for my company's newsletter about the Conficker virus, which is scheduled to go active 4/1/09:

Conficker

On April 1, the Conficker worm (aka Downadup) will expand its infection of Windows systems. Although exactly what payload this worm will execute is not known, it’s expected that, at the least, it will start taking more steps to protect itself. After 4/1, machines infected with the “C” variant of the worm may not be able to get security updates or patches from Microsoft and from many other vendors. The creators of the worm will also start using a communications system that is more difficult for security researchers to interrupt.

Security researchers don’t know the exact purpose of the Conficker worm. Today the worm has created an infrastructure that the creators of the worm can use to remotely install software on infected machines. Most likely, the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs, and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service; deletes previous restore points; disables many security services; blocks access to a number of security web sites; and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)

It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft’s security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.

Be sure that all systems (workstations. laptops, servers, perimeter devices) are patched and scanned with the latest signatures.

Links:

A good backgrounder on Conficker (aka Downadup) from Symantec: http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm

Continual updates on Conficker via SANS: http://isc.sans.org/diary.html?storyid=6043&rss

Checkpoint Smart Defense Services offers a mitigating protection against this for when you don’t have time to patch: http://www.checkpoint.com/defense/advisories/public/announcement/012209-downadup-confiker-worm.html

More technical info from McAfee, http://vil.nai.com/vil/content/v_153464.htm, and McAfee’s latest AVERT Stinger app runs a quick scan: http://vil.nai.com/vil/conficker_stinger/Stinger_Coficker.exe

MS Security bulletin: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Also, a $250K reward offered by MS for arrest and conviction of the virus authors: http://blogs.msdn.com/wael/archive/2009/02/14/conficker.aspx

Germans Shut Down The Ohm Project

2008-07-10T12:57:00.003-04:00

In a move reminiscent of the recent ACLU revealing of the abuse of FBI "national security letters", The Ohm Project (ohmproject.org) was knocked off the Internet yesterday. Both The Ohm Project and E-Tunnels went dark on Wednesday about midday Central European time. Like the FBI letters, this creates a remarkable Catch-22 for the site's provider E-Tunnels:

"When an inquiry was made to the service provider, he said that "the German police" had made three complaints beginning about a month ago about unspecified "abuse" originating from one of the IP addresses assigned to E-Tunnels. The service provider, welcome2inter.net, claimed that he had been prohibited by the authorities from relaying the complaints to E-Tunnels even though they were the only party able to respond to the situation or correct it."

The Ohm Project is a highly recommended site providing information about threats to Internet privacy and freedom along with advice and tips about how to fight back against these encroachments.

This follows on the heels of last years strict German hacking law, that rules that even possessing computer security testing tools can be proof of intent to hack systems, which make Certified Ethical Hacking (the good guys) more difficult.

Boris Vilde has started "The Ohm Project in Exile" on blogger here. Please help him any way you can.

Can you get reimbursed when you purchase spyware?

2008-05-30T12:08:00.007-04:00

I thought it would be useful to see this back and forth I recently had with a reader. His question was:

"In your opinion, does being victimized by such intruders as "Antispywaremaster" constitute fraud if in fact you authorize a debit of your account? I am in the process of disputing my purchase of their spoof antispyware program which infected my computer & would like your opinion on what the likelihood is of recovering my losses. Thanks."

This was my response:

"Let me preface my answer by stating that I am not a lawyer, and my opinion carries no weight in a court of law. But I believe that your credit card company should reverse the charge, as most cards have a provision to contest services or products that do not perform as promised, and this is as clear a case of non-performance as you can find.

As far as continuing a charge of fraud, in an effort to recoup damages over and above the initial charge for the software, I'm not sure how good your chances would be. A large portion of these malware writers are overseas, and law enforcement types are reluctant to go after groups unless they have rung up large losses.

BTW: Two good anti-spyware programs I use are: Spybot S&D http://www.safer-networking.org/en/download/index.html and Lavasoft's Ad-Aware http://lavasoft.com/single/trialpay.php both are free. I have great dislike for programs that pretend to be spyware, then infect your computer."

His response was:

"Your reply will not be used to bolster a law suit as I do not intend to pursue one but rather aid me in my resolve to recover MC charges & fees to my account."

This is good news, as the credit card company should reimburse for the faulty software, but it would be nearly impossible to collect damages from a virus maker. And be sure to always check AV sites, like Symantec or McAfee, or other info sites, before you download software.

And you can keep up with security news and info on the RDV Group news feed, at:
http://www.rdvgroup.com/rdv1/pages/Headlines/Default.aspx

Bill Glennon has passed away

2008-02-12T17:21:00.000-05:00

My friend, Bill Glennon, passed unexpectedly this last Friday. He was a great friend, and a real person in every sense of the word. The world will be a lesser place without him.

Am I the Laziest Blogger Alive?

2007-06-08T10:59:00.000-04:00

Bill Glennon has shamed me into posting, as it' s been a year since my last post. And what a year it was!

I've just finished (with Dr. Ronald L. Krutz) my 10th book for John S. Wiley and Sons, the Certified Ethical Hacking Prep Guide, to be published this fall.

I've just started my next book, Composing Digital Music For Dummies, which should hit the bookstores in February. It's the first general audience guide to making your own digital music.

I'm an Ask The Experts for SearchSecurityChannel.com, answering questions related to Information Security Threats and Countermeasures, and I just finished a six-part piece on Penetration Testing techniques for consultants and VARs.

I'm continuing writing on a host of subjects for James Cramer's thestreet.com, varying from luxury automobiles to a video series on small business travel technology.

I've been interviewed and contributed pieces for many periodicals, web sites, podcasts and webcasts, like the Wall Street Journal, and SearchCIO.com.

So I've been busy, but I know that's no excuse. So I'll get back to work!

My Article on Traveling Security

2006-06-06T10:48:00.000-04:00

... was recently posted on the "Good Life" department of James Cramer's thestreet.com. Titled "Protect Your PC on the Road," it covers basic steps you can take to minimize your chance of exposing your or your company's data to bad guys.

From the article: "Staying connected while on the road is essential for many travelers, business or otherwise. However, it's hard to hold on to the good life when you pick up a computer virus on your journey. Using a computer at the airport, in coffee shops, hotels or other public places can complicate your life, not save it, if unprotected wireless computing gets you or your business in hot water."

Check it out ....

"Stephen Harper Eats Babies" ...

2006-05-08T10:49:00.000-04:00

... is what the scrolling reader board in the suburban Toronto commuter train said. Normally it reports on train schedules or public events, but this time it was referring to the recently elected prime minister of Canada. The problem was that this was not an authorized message, and the New York Times reports today that the Greater Toronto Transit Authority had received five other sightings of the bizarre notice.

Evidently the seven-year old transit reader signs had been hacked by an infrared hand-held, and the software was never configured to require a password. And it's not clear that the software has the capability to use passwords. The GTTA has since turned off the signs, and is installing password software.

And friends of Mr. Harper say he's never eaten a single baby that they know of.

House Passes Bill To Protect Phone Numbers

2006-04-26T19:20:00.000-04:00

In the "this is really needed and I'm surprised they're actually doing something about it" department, the National Journal describes a new House bill to restrict those web sites that buy and sell personal phone information: "... The House yesterday passed a bill designed to protect the privacy of telephone numbers. The measure, H.R. 4709, would make it illegal for online brokers to buy and sell individuals' monthly phone records. It would empower both the FCC and FTC to enforce new rules banning 'pretexting,' the practice of obtaining customers' personal information under false pretenses."

An interesting feature about the history of this bill is that the legislation that was introduced early this year after publicity generated by a blogger, John Aravosis of Americablog: " ... After he read an article about the issue, he decided to make cell-phone privacy a pet cause. Aravosis first bought his own records to prove a point, then he bought the records of someone who mattered: 2004 Democratic presidential candidate Wesley Clark . That ploy generated lots of publicity and jumpstarted the issue in Congress."

Here's a tip of the hat to the on-going, often losing. battle for personal privacy. And a great reminder of the power of the Internet!

Campaign Leaks Social Security Numbers

2006-04-26T19:18:00.000-04:00

I'm constantly amazed at how poorly privacy is protected by those who have access to personal information. Add this to the continuing litany of lost social security numbers. WBNS channel 10 from Ohio says that "... Millions of Social Security numbers are now in the hands of people who aren't supposed to have them...The private records were mistakenly released by the Secretary of State's office."

"Voter lists are crucial to political parties. They give campaign workers an efficient way to target potential supporters. The lists usually consist of the names of registered voters, their addresses, their party affiliation, and whether that person voted in the last election. Social security numbers aren't supposed to be revealed. But they have been because of a mistake by Secretary of State Ken Blackwell's campaign."

And it's not the first time: "... This is the second time this year private information has been compromised by Mr. Blackwell's office. In March, a link on the Secretary of State's website revealed hundreds of Social Security numbers listed on public documents."

Funny thing, Blackwell handily won his GOP primary for governor this week. Well, maybe not so funny...

I recently gave testimony ...

2006-04-26T08:41:00.000-04:00

.. to the Westchester County Board of Leglislators about the proposed "Public Internet Protection Act" which promotes wireless security in public places like hotels and cafes. While it's obviously not a complete solution, it's a good first step in helping protect data on the wired LAN.

A CNN posted a good AP article about the act, "N.Y. county mandates wireless security."

An interesting nugget from the piece is this: "Norman Jacknis, the county's chief information officer, said that when the law was being considered officials detected 248 wireless networks during a 20-minute drive through downtown White Plains. Nearly half had no visible security."

This is not uncommon stats for wireless nets. It's important for all wireless users, especially businesses using wireless routers, to aware of the threats and vulnerabilities to private data.

There are several good books out about Wi-Fi security, and one of them is my book: "Wireless Security Essentials."

Safe computing!

Sorry For Being So Behind ...

2006-04-24T10:37:00.000-04:00

... in my posting. Ron Krutz and I are just finishing up our CISSP Prep guide 3rd Edition (which is going to be a MONSTER book!) I did a long article for State Tech Magazine on Instant Message hacking (it'll be a couple of months before it's published,) finalizing other book proposals, and working on our information systems security training products.

I promise that I have several posts in the works that will get up this week. April has been a busy month for hacking!

Workers accused of fudging ’04 recount

2006-04-08T11:36:00.000-04:00

I occasionally post pieces about voting irregularities and issues with verified voting, because I feel that it's one of the biggest challenges we face as a democracy today. Avi Rubin has done a lot of good work in this area and has testified frequently before congressional panels about electronic voting problems. With many states rushing to implement HAVA requirements, reliable, verifiable, open-sourced and transparent voting systems are sorely needed.

So my interest was piqued when I read this item in the Cleveland Plain Dealer. A special prosecutor has charged that Cuyahoga County Ohio election workers secretly skirted rules designed to make sure all votes were counted correctly immediately following the 2004 presidential election, to prevent a recount from automatically kicking in.

At this time there isn't any proof that they were trying to sway the election one way or another, but rather were trying to save money: " ... While there is no evidence of vote fraud, the prosecutor said their efforts were aimed at avoiding an expensive - and very public - hand recount of all votes cast. Three top county elections officials have been indicted, and Erie County Prosecutor Kevin Baxter says more indictments are possible."

Evidently they were supposed to take a random sampling of 3% of the ballots and compare with the related machine totals: " ... If the hand and machine counts match, the other 97 percent of the votes are recounted by machine. If the numbers don't match, workers repeat the effort. If they still don't match exactly, the workers must complete the recount by hand, a tedious process that could take weeks and cost hundreds of thousands of dollars."

But they prepared the sample ahead of time, by opening ballots and eliminating any that didn't match the machine, to prevent a manual hand recount: " ... Kathleen Dreamer, manager of the board's ballot department, Rosie Grier assistant manager, and Jacqueline Maiden, Elections Division director and its third-highest-ranking employee, have been charged with misdemeanor and felony counts of failing to follow the state elections law. A May 8 trial date has been set."

It's going to be interesting to see what happens, and if this leads to bigger fish.

Phisher Kings Court Your Trust

2006-04-05T10:07:00.000-04:00

Brian Grow has another piece in Business Week that's worth a look. This is a fairly extensive article that quotes a lot of sources and makes some good points. He references some of the more busy worms, like Bagle, and some of the newer, less well-known Trojans, like Hearse: "... The attachment -- labeled lawsuit.exe -- is a new variant of a computer worm called Bagle. When worried victims open the attachment, malicious code embedded in its text downloads onto their PCs, and then swiftly harvests all their e-mail addresses to send out even more spam. That second wave uses the victim's personal e-mail address to send malicious code disguised as, say, a Paris Hilton sex video, to friends and associates."

There isn't a lot new and earth-shaking in the article, but he does hit the major point, that although more users are getting savvy to the basic email schemes, $ losses are increasing, as fraudsters get more sophisticated and mercenary: "... A 2005 survey by Gartner found that just 2.5% of phish recipients responded with personal or financial information, down from 3% in 2004. But fraud losses connected to the theft of such information off the Web still rose from $690 million in 2004 to $1.5 billion last year."

I tried to make the same point on Business Week TV on April 02, that phishers have progressed from badly spelled emails, to well-funded criminal enterprises, sometimes even operating with the blessing of their governments.

My Appearance on Business Week TV Today

2006-04-02T22:29:00.000-04:00

Brian Grow's piece about the rootkit Hearse was the lead story, and they used about 20 secs of my comments. You can stream the video at the Business Week Weekend TV site here.

One issue I have with these pieces is that they always explain the nuts and bolts of what’s happening very well, but never get into real info you can use to combat the threat.

For example, when Brian was asked what can a regular person do about protecting themselves from these threats, he said “Be more vigilant”.

Sounds like a Homeland Security recommendation, maybe we should duct tape our computer...

New Trojan Named rootkit.hearse

2006-03-30T09:37:00.000-05:00

Sana security was apparently the first to discover a new Trojan rootkit, which they named "Hearse", that sends financial info back to a central server. You can read about it on their site here (pdf).

Evidently the "... malware components work together to capture user information by discovering passwords previously used on the machine. The Trojan communicates with a server where the stolen information is stored. The Trojan is hidden through the rootkit technology and survives reboot, meaning it remains on the machine indefinitely. Types of information that can be compromised include bank accounts, email logins, and insurance information. "

Sana has some great screen shots of the bug. It's not a keylogger, but works a little differently: "... The Trojan does not rely on capturing keystrokes. Instead, it finds previously used account and password information, in particular through the Internet Explorer autocomplete feature. The types of information include any transaction that requires an account: banking, online auctions, insurance, airlines, etc."

The potential for big losses is great, as Sana says: " ... Rootkit.hearse has been active since March 16th, ... The logs contain almost 40,000 records of user account information, spanning 6,500 sites... Sana Labs estimates the number of unique accounts at 20,000."

This is the face of phishes to come. On this blog I've referred to how sophisticated the malware writes/distributors are becoming. While regular virus vandals and spoofed web pages are slowing down, the phishers are getting smarter and more mercenary.

For more info on Sana Security Advisories, look here. And for the latest security news, always go to the RDV Group's RSS Security News Reader.

My interview on BusinessWeek TV

2006-03-30T08:52:00.001-05:00

... will be broadcast this weekend (4/1-4/2), on BusinessWeek Weekend. I was interviewed about a phishing exploit that's just staring to hit some major financial institutions and costing in the millions. Next week's BusinessWeek magazine will have an article about the phish, but the TV show will have an advance piece.

Here in the NYC metro area, BusinessWeek TV airs Sunday AM at 11:30 on channel 7, WABC. To find out the times in your area, Business Week has a zip code finder on the web that locates stations that nationally syndicate the program.

I haven't seen it yet, and some of you will see it before I can, so I can't promise how much of me will be on the air vs. the cutting room floor. Although the NYC air time is fine, BWTV airs at some pretty odd times in other markets, owing to its syndicated nature. You might want to tape or TIVO it.

I'll have more later about this interesting exploit...

IRS warns taxpayers to beware ID theft scams

2006-03-28T10:41:00.000-05:00

It's that time of year, and the AP reports on the latest IRS warning to avoid tax-related phishing scams. A variation in the old email phish, these e-mails are "... purporting to come from the IRS (and) often tell taxpayers they're due a refund and direct them to a false IRS Web site. The e-mail address may include "irs.gov," such as tax-refunds@irs.gov or admin@irs.gov."

If you practice safe computing these phishes aren't too dangerous. Like much real financial email communication, "... The IRS does not communicate with taxpayers via e-mail, nor does the IRS ask people for passwords, personal identification numbers or other secret information about financial accounts."

But with all the problems with privacy violations by tax return preparers, exorbitant interest rates on "instant refunds", and re-sale of your personal information to third parties by the IRS, this is another in a long list of irritants that make April 15 even a bigger pain.

Illinois Man Fined For Piggybacking On Wi-Fi Service

2006-03-25T11:52:00.000-05:00

It's getting tougher to piggyback on Wi-Fi.

Yahoo recently noted that "...David M. Kauchak, 32, pleaded guilty this week in Winnebago County to remotely accessing someone else's computer system without permission ... a judge fined Kauchak $250 and sentenced him to one year of court supervision."

Evidently it's a precedent: "... Kauchak has the dubious distinction of being the first person to face the charge in Winnebago County, and prosecutors say they're taking the crime seriously. "We just want to get the word out that it is a crime. We are prosecuting it, and people need to take precautions," Assistant State's Attorney Tom Wartowski told the newspaper."

The bust is interesting ..."A police officer arrested Kauchak in January after spotting him sitting in a parked car with a computer. A chat with the suspect led to the arrest, Wartowski said."

I know piggybacking can be problematic, as I mentioned here, but I think this is kind of crazy.

Good Article on Phishing

2006-03-20T11:20:00.000-05:00

Crystal Ferraro recently posted this article on Searchsecurity.com about recent Phishing targets. It was originally a white paper she presented at the RSA conference last month, and posted this excerpt on 3/17. I have a short quote in the article, which is intended to convey the extent to which phishers are getting more sophisticated and efficient.

Ed Skoudis does a great job of explaining some of the latest trends: "[Attackers are] getting better at making the keystroke loggers difficult to find," Skoudis said. Some are embedded with rootkits, or they attack antivirus and antispyware tools. Some spyware and other malcode purposely try to foil their own analysis to buy time..."

I have more on keyloggers here and here...

Keylogging Basics Part II

2006-03-15T16:45:00.000-05:00

We looked at keylogging a little bit in Part I, let's continue (excerpted from "Phishing: Cutting the Identity Theft Line.")

"Once installed on the target machine, either direct through interaction with the user, or through a more stealthy means, the keylogger program runs continually in the background. After the keystrokes are logged, they can be hidden in the machine for later retrieval or transmitted to the attacker via the Internet. The attacker then examines the reports for passwords or information that can be used to compromise the system or engineer an attack. A keylogger may reveal the contents of emails composed by the victim."

"Some rare keyloggers include routines that secretly turn on video or audio recorders, and transmit what they capture over your Internet connection. Other products capture screens, rather than keystrokes. However, most criminal keyloggers are hoping to steal bank account numbers or other financial data."

“A software keystroke logger program does not require physical access to the user's computer. It can be installed intentionally by someone who wants to monitor activity on a particular computer or downloaded unwittingly as spyware and executed as part of a rootkit or a RAT.”

“A rootkit is a collection of software tools that a cracker uses to obtain administrator-level access to a computer or computer network. The intruder installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. The rootkit then collects userids and passwords to other machines on the network, thus giving the hacker root or privileged access. A rootkit may consist of utilities that also monitor traffic and keystrokes, create a "backdoor" into the system for the hacker's use, alter log files, attack other machines on the network, and alter existing system tools to circumvent detection.

I'll bring more later...

PINs Aren't a Magic Bullet

2006-03-09T15:15:00.000-05:00

Bob Sullivan, a top expert on Identity theft, has a dead-on piece in today's (03/09) MSNBC's Tech & Sci Security area. There's some interesting exploits afoot using what was previously thought to be a secure technology, pairing your ATM with it's PIN.

He and I have discussed this issue, and think there's interesting ramifications re: what I call "residual data". That is, all the little places personal data (in this case the PINs) can hide and resist scrubbing. Commonly called "data remanance" (you CISSP'ers know this term), it's like owning a home. Water is getting in somewhere and it's not obviously coming in from where it looks like it is.

Your CISSP'ers also know the drill: two-factor authentication is a combination of "something you have", the ATM card with "something you know", a password, or a PIN. But the PINs are supposed to be sacrosanct, and now we know they're not.

From Bob's article: "... The incident calls into question the security of the four-digit code that for years has made PIN-based transactions less subject to fraud than signature-based credit card transactions. 'This is the absolute worst hack that has happened, the biggest scam to date," said Gartner analyst Avivah Litan'"

Maybe it's from one source: "... In each case, the banks have blamed a third-party company — in some cases, more specifically identified as a merchant or retailer. Speculation has been rampant that the source of the stolen data is office supply store OfficeMax, starting with an article last month in the San Francisco Chronicle indicating 200,000 account numbers had been stolen from the firm. OfficeMax denies it's to blame."

But it's beginning to look like it's not: "... many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen."

And here's where the data remanance comes in: " ...The software is storing PINS just because it can. No one is paying attention to this stuff, it's deep in the software... "

My wife knows this exploit, because she was a victim over the holidays. Her credit card and ATM card were stolen, and to her surprise, it was no problem to drain the $ out of her checking. The PIN was absolutely no barrier to the thief.

UPDATE: Bob was on NBC Nightly News tonight (03/09) to discuss this problem further. We definitely haven't heard the last of this yet.

Porn Billing Leak Exposes Buyers

2006-03-09T13:06:00.000-05:00

Quinn Norton of Wired has a post today (03/09) that probably sends shudders down the spine of many of my friends: "Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers ..."

Norton goes on to say that the compromised information was intentionally stolen, not lost through incompetence, and Wired got a look at it: "... The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included."

If credit card #s are not included, as Wired says, that's good. But the troubling thing about this loss is that it may have been perpetrated by the foundering company (or someone in the company) that was custodian of the data: " ... the company's troubles may have left them vulnerable to information embezzlement: The breach, they say, has all the markings of an inside job. The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack attack.

"Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's internet connection. Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market."

The list is being used by spammers, and may be used for identity theft.

Be careful where you leave your personal info! And don't expect integrity from porn sites!

UPDATE: Keith Olbermann referred to this story as the #1 article on "Countdown" tonight (03/09), and made a funny: "Remember to keep it in your pants. ..Your credit card, that is."

The Danger of Wireless Piggybacking

2006-03-09T09:03:00.000-05:00

Michel Marriott had an excellent article in the NY Times on Sunday (03/05) about the growing phenomenon of "wireless piggybacking", using someone else's wireless router to jump on the Internet: "... Piggybacking, the usually unauthorized tapping into someone else's wireless Internet connection, is no longer the exclusive domain of pilfering computer geeks or shady hackers cruising for unguarded networks. Ordinarily upstanding people are tapping in. As they do, new sets of Internet behaviors are creeping into America's popular culture"

The hacker magazine 2600 frequently has pieces about wireless hacking, and one writer says that he often changes the default admin password after attaching to the router to prevent the real owner from disconnecting him later. Although this is easy to remedy through resetting the router to its default state and applying MAC address filtering, it shows how the proliferation of these devices has outstripped the ability of the common owner to control them. The admin password is easily found on the web, say by downloading a pdf of the manual for the router, and is the first thing the owner of the router should change when installing.

I admit I'll jump on my neighbor's Linksys when I'm having trouble with my router; the signal is weak but usable (remind me to tell him how to configure filtering on it some day). And there is a movement to allow free wireless access, not just in coffee shops, but in whole cities, like Cambridge and Philadelphia (I'll have a post about how to protect yourself while using public Wi-Fi later). Wififreespot.com even provides a directory of free wireless "hot spots": " ...The Wi-Fi-FreeSpot Directory is a listing of Wi-Fi enabled locations that offer Free Wireless High Speed Internet Access. USA State-by-State listings come first with Europe and other regions of the World listed further down the page.."

But a larger, more problematic issue arises from wireless piggybacking. Mr. Marriott briefly touches upon the issue in one paragraph: " ... savvy users could piggyback into unprotected computers to peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography."

But this needs to be really emphasized, because here's the rub: there is no way to convince the government that it wasn't you who accessed the pornography or terrorist site. Or the RIAA that it wasn't you downloading the latest hit music or video.

And especially that the Justice Department want to know what you're Googling, you really can't legally afford to let unknown parties surf the web through your router.

If determined hackers wanted to use your router, they'll be able to no matter what you do. A $89 Wi-Fi router from CompUSA is not going to have strong security, but please at least change the admin password and set up MAC filtering.