BrokeBerry

Attack Computer Wiz

A Security & Technology Weblog

I found this video (LINK) over at Schneier on Security today and thought it was worth sharing. It is a great example of social engineering. While watching it, think about how one could use similar techniques to gain access to restricted areas.

For more videos, check out YouTube; start here (LINK). Read Kevin Mitnick’s first book; he is truly the master!

Posted by Mike Wright


Google has added a new security enhancement to its Gmail service. Yesterday on the Gmail Blog, Ariel Rideout announced that Gmail can now use https for the entire session, encrypting all mail traffic as it travels between your computer and the Gmail servers. Gmail, like most other free email services, has always used https to protect the logon itself; the new setting extends that protection to every request you make while using Gmail.

Session-wide https is usually reserved for banks and other financial institutions, web services that handle Personally Identifiable Information (PII) or Personal Health Information (PHI), and paid email services, to name a few. For a free email provider it is a very nice feature!

The good: with https, the entire Gmail session, from logon to logoff, is encrypted between your browser and Google's servers. This protects you from anyone snooping on the network who is trying to read or steal your mail, and it matters most on open or public Wi-Fi access points, where anyone within range can capture your traffic. Without session-wide https your password is protected at logon, but the session cookie that proves you are logged in is sent in the clear on every later request, and whoever captures it can use your account without ever learning your password. Keep in mind that this is not email encryption: your individual messages are not encrypted, and once Google hands a message to another mail server it is outside this protection. Only the traffic between your computer and Google is encrypted.

The bad: https ‘may’ make your connection a little slower because of the extra overhead: the handshake that sets up the encrypted connection, plus the time it takes to encrypt and decrypt every packet. I highly doubt anyone will notice a difference unless they are sending or receiving very large attachments.

It may not be rolled out to everyone just yet. Log in to your Gmail account, click Settings, click the General tab, and scroll to the bottom. There you should see “Browser connection: Always use https”. Select that radio button, save your changes, and then refresh the page; your URL should now begin with https://. If that setting is not available, you can simply type https://mail.google.com (instead of http://) and take advantage of this feature now. Note that typing the address by hand only protects the session you start that way; the setting is what makes Gmail send plain-http requests, including old bookmarks and links, back to https.

https://mail.google.com/
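To make the "logon only" versus "always https" distinction concrete, here is an added example (my code, not Google's) that audits a browser session the way you would read it out of a network log: it flags any plain-http request made after the https logon, and any cookie set over https without the Secure attribute, which is exactly the cookie the browser would hand to an eavesdropper on the next http request. The session records and the example-mail.test host names are constructed for the demonstration.

```python
"""Audit a captured browser session for plain-http requests and insecure cookies.

Added example for this post; it is not Google's code and the records below
are constructed, not captured from Gmail. Each Exchange is one request and
its response, the way a browser's network log would show them.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Exchange:
    method: str
    url: str
    status: int
    response_headers: list = field(default_factory=list)  # (name, value) pairs


def _cookie_name(set_cookie: str) -> str:
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def _cookie_is_secure(set_cookie: str) -> bool:
    attributes = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "secure" in attributes


def audit_session(exchanges):
    """Return a list of findings; an empty list means the session stayed on https."""
    findings = []
    seen_https = False
    for index, ex in enumerate(exchanges):
        scheme = urlsplit(ex.url).scheme.lower()
        if scheme == "https":
            seen_https = True
        elif seen_https:
            # The logon was protected, but a later request went out in the clear,
            # carrying every cookie the browser was willing to send over http.
            findings.append(f"#{index}: {ex.method} {ex.url} sent over plain http after the https logon")
        for name, value in ex.response_headers:
            if name.lower() != "set-cookie":
                continue
            cookie = _cookie_name(value)
            if scheme == "https" and not _cookie_is_secure(value):
                findings.append(f"#{index}: cookie {cookie!r} set over https without the Secure attribute")
            elif scheme != "https":
                findings.append(f"#{index}: cookie {cookie!r} set over plain http")
    return findings


# Constructed records: logon over https, then the mailbox over plain http,
# the pattern the post describes as the behaviour before "Always use https".
LOGON_ONLY_HTTPS = [
    Exchange("POST", "https://www.example-mail.test/accounts/ServiceLogin", 302,
             [("Set-Cookie", "SID=abc123; Domain=.example-mail.test; Path=/"),
              ("Location", "http://mail.example-mail.test/mail/")]),
    Exchange("GET", "http://mail.example-mail.test/mail/", 200,
             [("Content-Type", "text/html")]),
]

# Constructed records: every request on https and the session cookie marked Secure.
ALWAYS_HTTPS = [
    Exchange("POST", "https://www.example-mail.test/accounts/ServiceLogin", 302,
             [("Set-Cookie", "SID=abc123; Domain=.example-mail.test; Path=/; Secure; HttpOnly"),
              ("Location", "https://mail.example-mail.test/mail/")]),
    Exchange("GET", "https://mail.example-mail.test/mail/", 200,
             [("Content-Type", "text/html")]),
]


if __name__ == "__main__":
    for label, session in (("logon-only https", LOGON_ONLY_HTTPS), ("always https", ALWAYS_HTTPS)):
        print(label, "->", audit_session(session) or ["no findings"])
```

The first session produces two findings (the unsecured SID cookie and the plain-http mailbox request); the second produces none. The same logic works on a real export of a browser's network log once the requests are mapped onto Exchange records.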

Posted by Mike Wright


According to Sophos, Blogger (blogspot.com) hosts about 2% of the world's web-based malware, making it the number one single malicious-code host worldwide. Blogger and sites like it make it easy for anyone to create and publish web pages, and just as easy to post and distribute malware such as ‘Mal/Iframe’ (Sophos's name for pages carrying hidden malicious iframes), which accounts for 34% of infections.

How can we protect ourselves? Besides running current, up-to-date, and active antivirus (anti-malware) software, there are a few other things to consider. Make sure that operating system and browser updates are actually being applied. Don’t be tempted by flashy new features in beta versions of your favorite web browser; betas are for testing, should not be used day to day, and especially should not be used for confidential, sensitive, or financial information. And don't install unreliable third-party plug-ins or controls.

In a large environment or domain, write a policy, and enforce it technically, that prevents the installation and use of unauthorized web browsers. Standardize the domain on a single browser that you control and can patch. Security aside, standardizing on one browser also simplifies troubleshooting and support.

Press Release

White Paper

Posted by Mike Wright


It is all over the news today: many banking web sites have been found to be insecure due to basic flaws in site design. According to the reports, the biggest issues were:


1. Forwarding users to insecure domains.
2. Presenting secure log on options on insecure pages.
3. Displaying contact and security information on insecure pages.
4. Inadequate policies for user ids and passwords.
5. E-Mailing sensitive information.

Forwarding users to insecure domains happens most often when advertisements for products and services that are not secure are placed on the same pages as secure content. IE 7 tip: when you are prompted that a page contains both secure and insecure content and asked whether you want to view the insecure content, click the "No" button. The insecure content is usually an untrusted domain, an outside link, an advertisement, or just poor design. Whatever it is, if you choose "Yes" you have broken the secure channel: a script or frame loaded over plain http can be modified on its way to your browser, and once it runs inside the secure page it can read or alter anything on that page.

Logon boxes on insecure pages are very common on the web; you often see a username/password box somewhere on the front page of a site. Unless the page itself was delivered over https (look for a valid certificate indication, the yellow padlock), you cannot be sure your credentials will be transmitted securely: anyone who can tamper with the unencrypted page can change where the form sends them, even if the original form posted to an https address.

Displaying contact and security information on insecure pages makes it easier for a thief to spoof the legitimate site and build a fraudulent copy designed to fool users.

Password policies are very important. A long password (or passphrase) is best, as it is hard, if not impossible, to guess or break. American Express is a bad example: its policy requires a password of between 6 and 8 characters and does not allow any special characters. Bank of America, on the other hand, is a good example. On one page you are prompted for a username and account type; on the next you see an image (the 'SiteKey') and a phrase that you registered earlier, and only after you confirm that they are correct do you enter your password, which can be 8 to 20 characters. On top of that, the computer you are using must be registered.

Regular email is not secure. Sending logon credentials by email is a very bad practice, and it should never happen, whether it is a bank, your work logon information, or your kids’ soccer forum.
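The first two findings above (and the IE 7 mixed-content prompt) can be checked mechanically in a page's HTML. The following is an added example, my code rather than anything from the report, that scans a page for a password form served over plain http or posting to a plain-http action, and for an https page that pulls a script, frame, image, or stylesheet over http. The two sample pages and the example-bank.test host names are constructed for the demonstration.

```python
"""Flag insecure logon forms and mixed content in a page's HTML.

Added example for this post; it is not code from the report. The pages
below are constructed and the host names are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose referenced resource executes or renders inside the page, and the
# attribute that names it. A plain-http one of these on an https page is
# what the IE 7 "secure and insecure content" prompt is about.
_SUBRESOURCE_TAGS = {
    "script": "src", "iframe": "src", "img": "src", "embed": "src",
    "link": "href", "object": "data",
}


class _PageScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self.findings = []
        self._forms = []  # stack of [resolved action URL, contains a password field]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action posts back to the page's own URL.
            self._forms.append([urljoin(self.page_url, a.get("action") or ""), False])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._forms:
                self._forms[-1][1] = True
            else:
                self.findings.append("password field outside any form")
        elif tag in _SUBRESOURCE_TAGS:
            ref = a.get(_SUBRESOURCE_TAGS[tag])
            if ref and self.page_scheme == "https":
                if urlsplit(urljoin(self.page_url, ref)).scheme.lower() == "http":
                    self.findings.append(f"mixed content: <{tag}> loads {ref} over http on an https page")

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            action, has_password = self._forms.pop()
            if not has_password:
                return
            if self.page_scheme != "https":
                self.findings.append(f"logon form served on a non-https page: {self.page_url}")
            if urlsplit(action).scheme.lower() != "https":
                self.findings.append(f"logon form posts credentials to a non-https action: {action}")


def audit_page(page_url, html):
    """Return the list of findings for one page; an empty list means nothing was flagged."""
    scanner = _PageScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a front page with a logon box and a relative action.
FRONT_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
</body></html>
"""

# Constructed page: an https page that pulls an ad network's script over http.
SECURE_PAGE_WITH_AD = """
<html><head><link rel="stylesheet" href="/site.css"></head><body>
<script src="http://ads.example-adnetwork.test/serve.js"></script>
<form action="https://secure.example-bank.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://www.example-bank.test/", FRONT_PAGE),
                      ("https://secure.example-bank.test/", SECURE_PAGE_WITH_AD)):
        print(url)
        for finding in audit_page(url, html) or ["no findings"]:
            print("  -", finding)
```

Served over http, the front page yields two findings (the form is on an insecure page and its relative action resolves to http); the same HTML served over https is clean, which is the point of finding 2 in the list: the flaw is where the form lives, not just where it posts.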

ars technica link

Full report link

Posted by Mike Wright


I pulled my hair out for hours trying to find the best way to get my Windows Vista Ultimate HTPC to support Blu-ray. Here are my requirements:


1. Play Blu-ray and HD DVDs directly from Media Center.
2. Native Media Center remote support.
3. Back up my Blu-ray and HD DVDs to hard disk.
4. Play the backups from their folders on the hard disk.
5. No extra steps in the backup process (i.e. creating ISO files).
6. Do this with as few programs as possible.

There are guides out there to help with this, like Revision3’s Systm. But their recommendations fell short of my needs because they suggested CyberLink PowerDVD 8. While this program is very nice, it does not support HD DVD, does not integrate with Media Center, does not integrate with the Media Center remote (without additional software **Update 9/17/2008: CyberLink now does work with the Media Center remote, but you still need the extra software to get the menu to pop up**), and would not play the backups directly from their folders.

So, leaving the nuts and bolts out of it, and assuming you already have all the hardware you need installed and configured correctly, below are my steps and recommendations. I make no guarantees, but the steps below worked perfectly for me and met all of the requirements listed above.

Two applications are all you need to get this job done. AnyDVD HD lets you back up your discs to your hard disk drive. TotalMedia Theatre provides full Blu-ray and HD DVD playback and fully integrates with Media Center out of the box; because of this integration the remote works flawlessly. TotalMedia can also play the backed-up videos from their folders (though not launched from Media Center: to play your backups you must launch them from the TotalMedia application, not via Media Center).

Posted by Mike Wright


Here in Northern California we have been ravaged by wildland fires forcing the evacuation of tens of thousands of residents; over 80,000 acres and at least 140 homes have burned in my county alone. The local news channels are doing a decent job of keeping the community informed, and now, after a month, we are finally in the recovery stage. The media is keeping us informed about fire safety, where to donate, and what to do to prepare yourself should this happen (when this happens) again.

One piece of advice they recently gave was to inventory your possessions and keep all of your important documents where you can get to them quickly. With this in mind they recommended a 'free' web site where you can upload photos, blueprints, and scans of important documents, cards, and other paperwork. While it is a good idea to have the documents, photos, and inventory available, should you take your local media's advice and trust them to have researched the web site they are recommending you upload your life to?

Here is what I found when I researched the site.


· Their user agreement states that if you violate their terms and conditions they may disclose your data.

· They state in the terms that “Your use of the Service is at your sole risk…”

· And ”… technical processing and transmission of the Service, including your Content, may be transferred unencrypted …”

· There are no security certificates on the logon page.

· There is no security or encryption at any point when navigating the web page.

· When you register, you receive a clear-text email that contains your username and password. They state in their terms that “You are responsible for maintaining the security of your account …” but they have just exposed your credentials!

· A simple whois search found that the domain was only created in March of 2008 and is registered for just one year.

· The free service is only valid for 1 year.
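The whois check is worth automating, since domain age and registration term are two of the quickest signals about whether a site will still exist when you need it. The following is an added example (my code, not anything from the site or the post) that pulls the creation and expiry dates out of a whois record and applies the two checks above. The record and the domain name are constructed for the demonstration, using the field labels most registrars print.

```python
"""Pull the registration dates out of a whois record and judge a domain's age.

Added example for this post; the record below is constructed with the field
names most registrars print, and the domain is a placeholder.
"""
from datetime import date, datetime

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-INVENTORY-SITE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2008-03-14T00:00:00Z
Updated Date: 2008-03-14T00:00:00Z
Registry Expiry Date: 2009-03-14T00:00:00Z
Name Server: NS1.EXAMPLE-REGISTRAR.TEST
"""

# Labels different registrars use for the same two facts.
_FIELDS = {
    "created": ("creation date", "created on", "registered on", "registration date"),
    "expires": ("registry expiry date", "expiration date", "expiry date",
                "registrar registration expiration date"),
}
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d",
                 "%d-%b-%Y", "%d-%b-%y")


def _parse_date(text):
    """Try each known date layout; return a date or None if nothing matches."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


def parse_whois_dates(record):
    """Return {'created': date, 'expires': date} for whichever fields are present."""
    found = {}
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        for field, labels in _FIELDS.items():
            if key in labels and field not in found:
                parsed = _parse_date(value)
                if parsed:
                    found[field] = parsed
    return found


def assess_domain(record, today, min_age_days=180):
    """Apply the two checks from the post: how new is the domain, and how long is it registered for."""
    dates = parse_whois_dates(record)
    created, expires = dates.get("created"), dates.get("expires")
    findings = []
    if created is None:
        findings.append("no creation date in the whois record")
    else:
        age = (today - created).days
        if age < min_age_days:
            findings.append(f"domain was created only {age} days ago")
    if created and expires:
        term = (expires - created).days
        if term <= 366:
            findings.append(f"registered for only {term} days; expires {expires.isoformat()}")
    return {"created": created, "expires": expires, "findings": findings}


if __name__ == "__main__":
    result = assess_domain(SAMPLE_WHOIS, date(2008, 7, 10))
    print("created:", result["created"], "expires:", result["expires"])
    for finding in result["findings"] or ["no findings"]:
        print("  -", finding)
```

`today` is passed in rather than read from the clock so the result is reproducible; against the sample record as of July 2008 it reports a 118-day-old domain registered for 365 days.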

It is scary that the media would recommend a web site like this. A large percentage of their viewers will take what they say as fact, upload their lives, and possibly lose everything they have.

Posted by Mike Wright


Like others, I was waiting for 8am PST to roll around so I could make a grab at the new .me domain name that I so confidently thought I could get. Logged into GoDaddy, I watched as the seconds until 8am ticked off. The clock turned to 8am and I was off to the races. I typed in the domain I was after, added it to my cart, and proceeded very quickly through the hosting and email plans they offer, hoping to purchase just the domain at this time. Finally, after going through all the other items, I attempted to open the shopping cart to complete the purchase. As coined by GoDaddy itself, the "Super Bowl Effect" hit and I was stuck in shopping cart loading hell. After the shopping cart loaded I proceeded with my purchase, and afterwards I was emailed my receipt for the domain. I noticed the domain was taking a while to show up in my account, so I decided to investigate a little. Knowing it shouldn't show up on the web yet, I typed the URL into a browser only to find it had already been parked by someone else. I quickly did a whois (somewhere other than GoDaddy) on the domain, only to see it had already been registered to someone else. I immediately called GoDaddy to discuss the issue. Their support staff were very courteous and explained that my purchase was in a "not likely" state, but it was not a definite no yet. Shortly after talking to them I received the doom-and-gloom email that was a definite "No" at this point, and my refund would ensue. So due to the "Super Bowl Effect" (shopping cart hell) I missed out on the domain by approximately 5-10 precious minutes.

Posted by Jason


Question: What would you call Microsoft if they only allowed their operating systems to be installed on Microsoft-branded hardware and made that hardware/software available only from Microsoft-branded stores?

Answer: Apple.

In a move that surprised no one, Apple is suing Psystar for violating its copyright. Psystar began selling ‘white box’ hardware with Apple’s OS X preloaded earlier this year. Apple alleges that Psystar is selling a modified version of OS X, providing unauthorized patches, misappropriating Apple’s ‘proprietary’ software, and selling (in Apple's words) “…a poor product that is advertised and promoted in a manner that falsely and unfairly implies an affiliation with Apple.”

This to me is absurd. How has Apple gotten away with this for so long? Allowing the installation of their OS only on their hardware, available only from their stores, at a price they see fit to charge. Let’s try this analogy: you purchase a phone that I sell in my store. But in order to use it you have to purchase a service plan that I control. Hey, let's go one step further… You have to purchase that service plan from a single carrier that only I specify. And just for giggles, I am going to throw in a two-year contract. Let’s call it the mPhone :)

Let us hope that Psystar wins this battle and Apple is forced to allow the sale of its operating system on third-party equipment, thus forcing them to compete fairly in a free market across hardware platforms from independent third parties, just like everyone else!

I grabbed a screen shot just in case they lose, see it here.

http://www.psystar.com/

http://en.wikipedia.org/wiki/Psystar_Corporation

Posted by Mike Wright


On June 26th, 2008, Blizzard Entertainment announced two-factor authentication for World of Warcraft accounts. This is done via a lightweight device small enough to attach to a key chain, which they call the Blizzard Authenticator. It is basically a small plastic device like a car alarm fob, with a button and a digital display. When you press the button the display shows a six-digit numeric code. The device is associated with a user's WoW account, and once the two are linked the user must enter the code generated on the device, along with the password, when logging on. Each code is good for a single login; a new code must be generated every time, so a code captured by a keylogger or a phishing page is useless once it has been used. The device will be available for only $6.50, which is a small price to pay for this level of security.

My question is: why have banks, credit card issuers, mortgage companies, and other online services not jumped on this bandwagon? This is not new technology! I would love to have a token that performed this function for every site I visit that deals with any of my PII or PHI. (Notice I said A token for every site, not a token for each site!)
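The press-a-button, six-digit, one-code-per-login token the post describes is the event-based class of one-time password, and the published algorithm for that class is HOTP (RFC 4226). The following is an added example, my code rather than Blizzard's (the post does not say which algorithm their device uses), showing both halves of the scheme: the code generation that happens inside the fob, and the server-side verification that accepts each code once, tolerates a few button presses that never reached the server, and refuses replays. The seed is the RFC's own test key.

```python
"""Event-based one-time passwords (RFC 4226 HOTP) with server-side verification.

Added example for this post. RFC 4226 is the published standard for the
kind of press-a-button, six-digit token the post describes; the post does
not say which algorithm the Blizzard Authenticator uses, so this is the
generic technique, not Blizzard's code. The seed is the RFC's test key.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """What the server keeps per enrolled token: the shared seed and the next counter it expects."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0  # next counter value the server will accept

    def verify(self, code: str, look_ahead: int = 10) -> bool:
        """Accept the code if it matches one of the next `look_ahead` counters.

        The window tolerates button presses whose codes were never submitted.
        On success the counter moves past the matched value, so the same code,
        or any earlier one, is refused if replayed.
        """
        for candidate in range(self.counter, self.counter + look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = TokenRecord(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("code 0:", first, "accepted:", token.verify(first))
    print("same code replayed:", token.verify(first))
    print("code 2 after skipping 1:", token.verify(hotp(RFC4226_SECRET, 2)))
    print("stale code 1:", token.verify(hotp(RFC4226_SECRET, 1)))
```

The first code for the RFC test key is 755224; a second submission of it is rejected, a later code resynchronizes the counter, and a code older than the new counter is rejected too. The look-ahead window is the one tunable: too small and a few idle button presses lock the user out, too large and an attacker who captured an unused code has longer to use it.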

http://www.blizzard.com/us/press/080626-auth.html

Oh yeah... They announced Diablo 3 too!!!

http://www.blizzard.com/diablo3/

Posted by Mike Wright


Netflix will soon be available on Microsoft’s Xbox 360 via the internet. Xbox 360 owners with a suitable internet connection, an Xbox Live account, and a Netflix subscription will be able to choose from over 10,000 video-on-demand titles. While I do not personally own an Xbox 360, I do have a Home Theater PC and am a Netflix subscriber. I completely see the value of this service, and the fact that current users will not need to purchase new hardware (such as an HTPC) to get Netflix on their TVs is awesome.

LINK

Posted by Mike Wright


These are the things that I personally do not like about the new iPhone 3G and why I will not be purchasing one.

· Can’t replace the battery.
· Must use iTunes.
· Can’t install third party applications (out of the box).
· Costs too much ($1800+ by the end of 2 years!).
· No expansion slot.
· High speed 3G network, but not many people can get it.
· Can only use a single provider.
· It’s still a consumer device.

Once again Apple proves that they are marketing and advertising geniuses. Their devices are nothing special and are years behind the true leaders in the industry. They also prove that they are masters of keeping the consumer under their thumb by controlling what software they have to use and what software they are allowed to install; forcing them to buy a new device if the battery goes bad; tricking them into thinking they are getting a great deal by slashing the price to $199, while working with their ONLY provider to sneak in rate increases that make up the difference (and then some); advertising how fast the phone is, which is a fact, without letting slip that the 3G network is very small and most people will not be able to take advantage of it; and lastly, forcing their customers onto a single service provider.

Posted by Mike Wright


Google has started to roll out a nice new security feature that lets users see which IP addresses currently have sessions open on their Google account, what type of access each is using (mobile, browser, POP3, and so on), and when each logon was made. It also lets you disconnect all of the sessions it lists.

Why would this be useful? What if you logged in on a public computer somewhere and forgot to log out? Or you suspect that someone may be reading your mail? In a case of identity theft, or of someone reading your email, the IP addresses listed here are where you would start tracking the intruder, and the disconnect option throws them out immediately, though you should change your password at the same time, since a disconnected session can be re-established with the same credentials.

Unfortunately not everyone has this option yet, which is ‘par for the course’ with Google, but keep an eye on your Gmail main page. The information appears in the middle of the Gmail footer at the bottom of the page, just above the “Gmail view:” options.

You can get more details and see some screen shots at the below link.

LINK

Posted by Mike Wright


Citibank has reported that “hackers” broke into Citibank networks and stole customer PINs. The stolen PINs were used by the “hackers” to make fraudulent ATM withdrawals. The reports state that this was accomplished by “hacking” into Citibank’s back-end servers, which are “increasingly built on Microsoft Corp.’s Windows operating system.”

So here is my problem with this. So what if the back-end servers are built on Microsoft OSes? What difference does that make at all? Any operating system is vulnerable to attack if proper security controls are not in place! It does not matter if it is Microsoft, Linux, or any other flavor of OS out there. It just burns me that they have to point out that Microsoft is running on the servers… SO WHAT! I guess the press just needs to dumb it down for the masses and point out early in the article, while they have the reader’s attention, that it's Microsoft’s fault. I guess if Citibank had been running their ATMs on an array of iPhones everything would have been just fine … Bad Citibank … Bad!

CNET, Yahoo, MSNBC
Better story: Wired.com

Posted by Mike Wright


"Microsoft WSUS Blocked from Deploying Security Updates to clients with Microsoft Office 2003." That is straight from Microsoft's website.

Here is a nasty little tidbit from Microsoft I found today. If you are a Windows administrator, you are using Microsoft Windows Server Update Services (WSUS) 3.0 (with or without SP1), AND you are running Office 2003 in your environment… read on.

Basically, a bug was found some time after the June 10, 2008 security updates went out. It breaks communication between your clients and your WSUS servers, so affected clients silently stop receiving security updates. There is no fix for this yet, but Microsoft has published a workaround, which you can find at the link below. The long and short of it: in the WSUS console, find the Office 2003 Service Pack 1 update with the update ID “D359F493-0AAD-43FA-AF5C-6763326CD98F”, set it to Declined, and apply your changes. Then force your clients to detect updates again by running “wuauclt.exe /detectnow” from a command prompt on each client, and confirm in the WSUS console that they are reporting in again.


http://www.microsoft.com/technet/security/advisory/954960.mspx

Posted by Mike Wright