InfoSec Tools, Tips & Thoughts

IBM X-Force handicaps future trends in security

William McBorrough — Sun, 29 Aug 2010 23:26:56 +0000

Looking ahead, the X-Force Research and Development team has identified some key trends to watch for in the future, including:

Cloud Computing — As an emerging technology, security concerns remain a hurdle for organizations looking to adopt cloud computing. As organizations transition to the cloud, IBM recommends that they start by examining the security requirements of the workloads they intend to host in the cloud, rather than starting with an examination of different potential service providers. Gaining a good understanding of the needs and requirements first will help organizations take a more strategic approach to adopting cloud services.

Virtualization – As organizations push workloads into virtual server infrastructures to take advantage of ever increasing CPU performance, questions have been raised about the wisdom of sharing workloads with different security requirements on the same physical hardware. X-Force’s vulnerability data shows that 35 percent of vulnerabilities impacting server class virtualization systems affect the hypervisor, which means that an attacker with control of one virtual system may be able to manipulate other systems on the same machine. This is a significant data point when architecting virtualization projects.

Sweet!! Yourr bootyy look awseome on thiss ivdeo!

William McBorrough — Sat, 14 Aug 2010 20:10:22 +0000

Gee Thanks! I’ve been working out! …..oh wait a minute! What video??? CLICK!!!!

That was probably the script the culprit had in mind …and who knows how many times it played out.

I received the following message in my email inbox earlier from a cousin on Facebook.

It was so obviously malicious. Never mind the spelling issues. That is a trick typically used to get by email filters. My first reaction was to log in to Facebook and verify that it was indeed the source. I was reminded of an article I read about a similar fake LinkedIN email attack. In this case, the message was right there with a slight difference. The link now was more obvious.

One of those shortened bit.ly links that could lead you anyway. Without clicking the link, I clicked “reply” asking ” Did you send this?” . I already knew the answer but hey! I immediately got the following response from one of the sender’s friends.

The plot thickens…

I sent the cousin a message advising a change of Facebook credentials. The message was apparently sent to many other users. I’ve read and blogged about compromised Facebook account being used to spread malware and/or lure users to malicious sites but this is my first such experience. I’m not the average Facebook user though, since I only use it to cross-post blog updates. I didn’t have to time to investigate what’s on the other side of that bit.ly link but just thought I’d share the experience.

Beware fellow Facebook users!

Government Involvement in Cyber war in the last year

securnetworks — Tue, 10 Aug 2010 22:07:12 +0000

sophos-security-threat-report-midyear-2010-wpna.pdf

Security On A Shoestring SMB Budget

William McBorrough — Thu, 08 Jul 2010 15:03:49 +0000

The e-mail appeared to be an invitation from an old, junior high school friend. Yet when the hospital employee clicked on the link, it instead led her to a malicious site that installed a Trojan horse on her computer. In a little over a week, international cybercriminals used that beachhead to steal more than $600,000 from the woman’s employer, according to a terse description of the incident on the Information Systems Security Association’s Web site.

A number of similar incidents to this one highlight the threats of online crime facing small and midsize businesses (SMBs), says Stan Stahl, president of Citadel Information Group and president of the Los Angeles chapter of the ISSA.

“Typically, they say, ‘We have firewalls in place and have AV on all the desktops, so I guess we are secure,’” Stahl says. “But today cybercrime is so sophisticated that is not enough anymore.”

Read full article at http://www.darkreading.com/smb-security/security/attacks/showArticle.jhtml?articleID=225702557&cid=RSSfeed

Moving data storage to the cloud? What’s your business continuity plan?

William McBorrough — Mon, 05 Jul 2010 18:59:41 +0000

Many trumpet increased availability as a reason to move to the cloud but what happens when your cloud provider is no longer available?

Some companies are faced with this very question this week as storage provider, EMC announced its plan to shut down its Atmos Online cloud storage service immediately, according to a posting on its website.

EMC launched Atmos Online in May 2009, calling it “Cloud Optimized Storage [with] capabilities that can scale effectively, coupled with security and management tools.” This placed EMC in direct competition with some of its service provider partners who used EMC’s Atmos technology to provide cloud storage to its customers.

EMC has now downgraded Atmos Online to a development platform and is offering no guarantee as to the availability of user data moving forward. EMC used its web posting to “strongly encourage [companies to] migrate any critical data or production workloads currently served via Atmos Online to one of our partners offering Atmos based services,”

The provider going out of business is one of the many risks companies have to address when considering moving their critical data into the cloud. In this case, companies now have to spend resources doing the necessary due diligence in selecting an alternative cloud storage provider.

According to Morris Cody, CIO at Washington D.C. based Information Security Services Firm, Secure Intervention, companies moving to the cloud better consider the following:

1) Disaster Recover Plan – The bottom line is that no cloud provider can guarantee 100% up time all the time. Even a cloud provider as large as Google has experienced an outage in it’s cloud environment. In that case, a solid disaster recover plan will help mitigate loses from several different perspectives (i.e., monetary, branding, current clients, new clients)

2) BCP – Having a business continuity plan in place that will work in conjunction with you cloud provide capabilities will mitigate the risk of an outage do to an scheduled / unscheduled event (not necessarily a disaster) in you cloud provider environment.

3) SLA – a strong SLA should be established with your cloud provider that will hold them accountable for losses or damages (define losses and damages) do to changes in their environment that effect your business. For example, if your cloud provider decides to shutdown the cloud hosting services, then they should be responsible for the cost to migrate your apps/data to the new hosting provider”

What is the values proposition for allowing users access to social networks?

William McBorrough — Mon, 21 Jun 2010 18:36:38 +0000

What is the values proposition for allowing employees access to web 2.0 resources such as social networks?

Every other day, we hear about the risks. Compromised Twitter accounts, phishing via LinkedIN, malicious Facebook apps were only a sample of an every growing landscape. Most enterprises, appreciating the threats these pose to an environment, simply deny access to social networks from company systems and networks.

Even within such organizations, there are user who need to access social networks to perform their job functions. LinkedIN has become a great tool for recruiting prospective new hires. More companies are using Twitter, Facebook, Myspace and others to promote their business an connect with customers.

But outside of that, is there a value in allowing employees, whose job function do not require it, access to social networks on company systems?

I’m prompted to ask this because last week I was at a meeting of the Northern Virginia chapter of the Information Systems Security Association (ISSA-NOVA) and the speaker was the deputy CISO of the IRS, Devon Bryan. He spoke about how the IRS was dealing with the security challenges posed by Web 2.0, particularly social networking, Their current stance is to block all access except for those employees who job function required it. Most security professionals would agree this is probably wise. However, he also added that they are looking at technology that would allow users to “view” social networking sites, but not allow them to “update” them. As he explained, or tried to, read vs. write/execute.

As this was an audience full of security professionals, it was quickly pointed out that drive-by malware downloads only require the user to browse the infected web page or one that is linked to an infected web page. To view is to infect, so to speak. There was then talk of how to mitigate that using virtual machines or proxies.

I have no doubt the technical challenges can be overcome. The hackers who now treat social networks as the new frontier will probably change tact to react as well. Besides wanting to keep employees happy, what’s the policy rationale for allow users to follow their subscribed tweets or friends updates? Never mind, the adverse effect this with have on productivity. Really, why bother?

Pentagon and Congress wants control of your network during cyberattack

William McBorrough — Sun, 06 Jun 2010 16:25:04 +0000

There has been a lot of chatter in the news lately about the possibility of a “widespread coordinated” cyber attack against our critical infrastructure and our ability to successfully defend against it. Most of this infrastructure ( eg. utilities, finance, transportation, etc) is owned by private companies. Those currently responsible to protecting these networks will tell you that we are already under attack. Is there a cyberwar going on? Howard Schmidt, the White House’s Cyber Czar says “No”. But let’s not argue semantics. War, skirmish, tomfoolery…call it what you may. Many experts will confess the US is unprepared for a major cyberattack.

What is the government’s role in protecting these private networks? Should it have a role at all? Although some in the private sector are still debating these questions, the government has already moved in action. Last month, the DoD launched its new Cyber Command, headquartered at Ft. Meade, Maryland. Military observers still aren’t quite sure what this supposed to do. The Pentagon’s number two, Deputy Secretary William Lynn, in a gathering of cybersecurity officials and defense contractors, floated the idea that the “Defense Department might start a protective program for civilian networks”.

According to Lynn, companies may “opt out ” of the program but by doing so would place us all at risk. Does that mean, by default, all companies are considered in the program?

The congress also is taking action. A draft bill, co-sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), gives the Department of Homeland Security authority to keep “critical infrastructure” up and running during a “cybersecurity emergency”.

It would be interesting to see the bill’s definition of cybersecurity emergency. All would agree that coordinated defense is essential. The federal government is probably the only entity able to provide that coordination on a national scale. Coordination is one thing. Control, however, well that’s another animal.

Many companies caught in the lurch as Microsoft ends support for Windows XP 2

William McBorrough — Wed, 02 Jun 2010 22:57:06 +0000

On July 13, Microsoft will officially retire Windows XP Service Pack 2 . Although it will continue to provide security updates for XP Service Pack 3, it will stop providing patches for the older SP2. Microsoft offers support for its products for five years and extended support for another five years. For XP SP2, that journey comes to an end on July 13. Windows XP 3 will be supported until April 2014.

Microsoft issues security updates and other core operating system patches every second Tuesday of the month, known as Patch Tuesday. Whereas most home users typically install these patches automatically, corporate users usually install service packs and security updates manually and only after extensive testing. For large corporate environments, operating system upgrades are often a very perilous and expensive exercise.

According to security risk and compliance management provider Qualys, 50 percent of the several hundred thousand PCs it monitors for its clients are still running Windows XP SP2. Most of these are probably user desktops, but some may also be applications and appliances that use Windows XP 2 as the base platform. Upgrading such systems may make them inoperable.

According to Sajed Naseem, principal at Washington DC based security firm, Secure Intervention,

” The longer these systems linger after the July 13 deadline, the more vulnerable they become. There will undoubtedly be many Windows XP 2 systems still out there and hackers know that. Only there will no longer be security patches coming from Microsoft as new holes are discovered and publicized.”

Pause your Google History

William McBorrough — Tue, 01 Jun 2010 19:40:37 +0000

Have you ever used your Google search history? If you are logged into any Google service, Google automatically keeps a history of your search queries ad web activities.

According to Google, Web History allows the following:

View and manage your web activity.
You know that great web site you saw online and now can’t find? From now on, you can. With Web History, you can view and search across the full text of the pages you’ve visited, including Google searches, web pages, images, videos and news stories. You can also manage your web activity and remove items from your web history at any time.
Get the search results most relevant to you.
Web History helps deliver more personalized search results based on the things you’ve searched for on Google and the sites you’ve visited. You might not notice a big impact on your search results early on, but they should steadily improve over time the more you use Web History.
Follow interesting trends in your web activity.
Which sites do you visit frequently? How many searches did you do between 10 a.m. and 2 p.m.? Web History can tell you about these and other interesting trends in your web activity.

If you don’t care to have that information recorded, you can and should “pause” it.

https://www.google.com/history

Google to Microsoft-” Don’t let the door hit ya,…!”

William McBorrough — Tue, 01 Jun 2010 17:13:22 +0000

Talk about throwing out the baby with the bath water. The Financial Times reported on Monday that Google has begun telling new employees that they are no longer able to request Windows PCs, giving them the choice of Mac or Linux systems. Google has long offered its employees their choice of work operating system but will no longer do so. According to a Google employee, any exceptions will require will require CIO approval. [ I find that assertion questionable though ].

Google is apparently making this decision in response to the hacking attacks on late last year in China. The attackers used vulnerabilities in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code. One could argue that if they had updated their browsers, the attacker would have had to find other vectors for attacks.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

Raise your hand if you use the same password for more than one online account

William McBorrough — Mon, 24 May 2010 18:29:59 +0000

I completed an Internet Forensics training course this past week where the instructor made that statement. Of the twenty students in the class, only the instructor raised his hand. To which he declared ” Anyone who didn’t raise their hand is a liar!!” He was probably right.

I often fault security professionals and educators who speak in absolutes when trying to increase security awareness. Human nature isn’t absolutist. Any security doctrine that doesn’t account for reasonable human behavior is doomed to failure. Never do this! Never do that! Never use the same password with more than one account! And be sure to change them periodically. Naturally they must be complex passwords including upper and lower case letters, numbers and special characters. Really?

It’s not unusual today for an average Internet user to have 10 or more online accounts. That would mean 10 complex, constantly changing passwords. That would also mean the user will write them all down in a place that is readily available. Oh, I forget the never write passwords down mantra. Sigh.

I’ve taught course where as I went through my list of “never do’s”, I would watch students’ eyes move from the gleam of interest to dull hopelessness. ” I could never do all THAT!”, someone would say. Another would chime in, :” That’s why I don’t do online banking!”

Is have the same password for your Facebook and Twitter accounts the harbinger of doom?? Probably not. Myspace and your online bank account? That’s an absolute NO NO.

How do we increase security awareness in average computer users thereby strengthening the “weakest link” in our security posture? We certainly can’t continue to do it by burying them in an avalanche of rules.

The real arguments for Cloud Computing

William McBorrough — Thu, 20 May 2010 19:07:11 +0000

As more vendors dive into the cloud computing market, every possible claim regarding the supposed benefits of moving to a cloud-based service is being made. I ran across an article titled ” Why Cloud-based Monitoring is more reliable and secure than Nagios. ” The auth0r, who represented a cloud-based network monitoring company, contended that the Software-as-a-Service (SaaS) model offered by his company was better for companies than Nagios and other open source products.

The question is not Cloud Computing vs. Open Source. In fact, there are open source SaaS providers like MindTouch out there. If considering a product like Nagios, a better comparison would be open source vs. commercial. In many cases, cost is the determining factor for companies to look to open source technologies. Other considerations include flexibility and security.

The more relevant comparison would be hosting and managing a network monitoring system on site vs. moving to a SaaS provider. For many organizations, IT is considered overhead and not the primary function of the organization. Companies move to the cloud for most of the same reasons companies out-source. Can someone else do it better for less? Cost is ually the easier consideration. Companies have to grapple with the ‘better’. Does it mean more security, availability, capacity? Many cloud providers would say ‘yes’ to all and then some. Organizations have to really consider and make that determination themselves. Make a real comparision between their options and not just follow the typical vendor hype.

Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added

William McBorrough — Thu, 20 May 2010 17:24:06 +0000

Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals.

Update Summary

Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
Over 100 tickets were closed since the last point release and over 200 since v3.3

The full release notes can be found here.

Exploring Cloud Computing Information Leakage

William McBorrough — Mon, 17 May 2010 19:23:15 +0000

If you are in cloud computing security (or part of an organization with infrastructure in a public cloud), this paper is a must read. As more organizations seek to realizes the benefits of the cloud, it’s important that we continue to investigate the risks as well. Granted this research only applies to virtual machines on a shared host. Cloud Computing service provider usually provide “private” cloud offerings with only one client’s virtual machines per physical server.

Does the remote chance of your virtual server being attacked by another virtual server on the same host server justify the added cost of a private cloud deployment? That’s for each client to decide. Ensure you are doing your due diligence before making a decision one way or the other.

Abstract:

Amazon’s EC2, allow users to instantiate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it.In turn, the use of virtualization allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure. However, in this paper, we show that this approach can also introduce new vulnerabilities.Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.

Download paper: http://people.csail.mit.edu/tromer/papers/cloudsec.pdf

1000 hacked Facebook accounts for as low as 25 dollars

William McBorrough — Mon, 17 May 2010 17:02:43 +0000

Facebook claims to have identified the self-proclaimed Russian hacker calling himself ” Kirlios” . Newswire report over the weekend reported that Kirlios had succeed in hacking a large number of Facebook accounts. On hacker forums, Kirlios has been offering up Facebook accounts for sale in batches of 1000 – up to 1.5 million in total. The going price is between $25 and $45 a batch. Quite reasonable really.

Facebook claims they turned the information about the hacker to law enforcement authorities and that the hacker’s claims are grossly overstated. Even if this guy is caught, extradition to the US is unlikely. Russia’s stance on this sort of thing is ” show us the proof and we will prosecute him ourselves”.

HIPAA Audits could start this year

William McBorrough — Wed, 12 May 2010 22:14:10 +0000

The new federal HIPAA privacy and security rule compliance audits of healthcare organizations and their business associates likely will start later this year once a report on a model for the program is completed, a key federal privacy official says.

In the next few weeks, Booz Allen Hamilton will provide a status report on its compliance audit study for the Office for Civil Rights in the Department of Health and Human Services, the governmental unit that enforces the privacy and security rules, says Susan McAndrew, OCR’s deputy director for privacy.

Read Full Article: http://www.healthcareinfosecurity.com/articles.php?art_id=2517

Symantec warns that port 25 could be the problem. I disagree.

William McBorrough — Tue, 11 May 2010 23:42:28 +0000

I recently overheard a comment by a co-worker ( shoutout Ben A.) that we read and listen to news reports and assumed the report knows what they are talking about until they turn to a topic we are familiar with in some depth and realize that report spouting off to potentially millions of people don’t have a clue what they are talking about. How true!

I ran into this article today titled ” Botnet exploits Linux users’ ignorance“. The writer makes the point that ” a lack of knowledge and awareness about how to use Linux mail servers could be contributing to the disproportionately large number of Linux machines being exploited to send spam”.

I wholeheartedly agree with this. Companies see open source technologies as a means of saving money but do not have staff adequately trained to secure these systems.

The second point I noticed was that the report from Symantec’s Hosted Services referenced in the article pointed out that ” Linux based machines are 5 times more likely to send out spam than Windows based computers”.

The writer quotes a Symantec Malware Analyst as saying:

“…..one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open-source software to keep costs down, have not realised that leaving port 25 open to the Internet also leaves them open to abuse.”

That is just misleading. It’s like saying shut down port 80 on your web server to prevent your web site from being defaced or hacked. Port 25 is not the problem, mis-configured web services are the problem.

McAfee to compensate businesses for buggy update

William McBorrough — Thu, 29 Apr 2010 17:02:18 +0000

McAfee will provide restitution to businesses hit by a faulty virus definition update that rendered computers unusable, the company has confirmed.

“Enterprise customers will get compensation tailored to each individual customer and will receive a combination including products, services and support,” a McAfee spokesman told ZDNet UK on Tuesday.

The concept of companies paying for damages caused by buggy software has been often discussed. Is this a step in that direction or is McAfee just doing some good customer management ?

Source: http://www.zdnet.co.uk/news/security-management/2010/04/27/mcafee-to-compensate-businesses-for-buggy-update-40088779/?s_cid=938

Hackers crack Ubisoft always-online DRM controls

William McBorrough — Wed, 28 Apr 2010 22:10:24 +0000

Saw this coming a mile away. Why didn’t Ubisoft?..

I couldn’t wait to get my hands on Assassin’s Creed II. It’s nice to be able to unwind for an hour or so at night, running across rooftops in 15th Century Venice, leaping on an unsuspecting Templar and burying my dual hidden blades in his neck. Well, it would be nice accept my wireless signal in my bedroom isn’t all that great (or maybe it’s a laptop hardware issue) and the game hangs every 2 mins for about 30 seconds because I lose my connection. Thanks to the Ubisoft’s always-online DRM. I have to be online at all times to play the game.

“Hackers have overcome Ubisoft’s controversial DRM system that relied on constant connection to the internet for games to function.

A crack for Ubisoft’s anti-piracy system published by a group called Skid Row allows gamers to circumvent the controls. A message from the group on a gamers’ forum sets out the group’s agenda: allowing legitimate copies of PC games to be played without an internet connection, rather than facilitating piracy. Skid Row cheekily thanks Ubisoft for posing an interesting intellectual challenge.”

I understand Ubisoft’s desire to protect its products from pirates but this causes a great inconvenience to legitimate customers like myself. Not to mention, it only took about a a dayto crack it. It causes me all this aggravation with controls that only held up for 24 hrs ?

Silent Hunter NFO:

Ü ß ßÜ ÜþßßßþÜ Û ÜþßßßþÜ ° ÛÜ ²Ü ° ÜÛÝ ß ²Ü ßßÛÛÛÜÜ ° ÜÛÜ ²ÛÜ ßÛÛÛÜ ²ÛÛÜ ÜÜÛÛÛÜÜß ° ²ÛÛÜÜÜÜÜÜÜÛÛÛÛÛÜ ° ÜÛÛßÛÛÜ ° ²ÛÛ² ° Ü ÜÛÛÛÛßßßßßß ²ÛÛ² ²ÛÛÛÛßÛ²²²Û ÜÜÜÜÜÜ²ÛÛ² ²ÛÛ² ²ÛÛ²ß ÜÛÛ² ²ÛÛÜ ²ÛÛ² °°° ÜÛ² ßßßßßß²²²²Üß²²²ßß²²²Ü ßßß Û²²²ß ²²²² ²²²²ßß²²²ÜÜ ²²²² ° ²²²² ²²²² °°° ²²²² ±±±±± Þ±±±±ÛÞ±± Þ±±±± ²²²²²Þ±±±± ° ±±±± ±±±± Þ±±±±ÛÜ±±± ° ±±±± ±±±± °°° ±±±± °°°°° ° °°°°°Ý°° ° °°°°°°°°°°Þ°°°° ° °°°° °°°° ° °°°°°°°°° ° °°°° °°°° Ü °°°° ±±±±± ° ±±±±±Ý±± ° ±±±±±Ü±±±±±±±±± ° ±±±± ±±±± ° ±±±±±Ý±±± ° ±±±± ±±²ßÜÛÛÛÜß²±± Þ²²²² °Þ²²²²²²²² °Þ²²²²²Ý²²²²Þ²²²²Ý ²²²² ²²²² °Þ²²²²²²²²² ° ²²²² ²²²²²ß ß²²²²² ßÛÛ² ÜÛ²ÛÛßÜÛÛß ²ÛÛÛÛ²ÛÛÛß ²ÛÛÛ²ÜÜ²ÛÛ²Ü²Ûß ²ÛÛÛ² ßÛÛ² ²ÛÛß ²ÛÛß ° ° ßÛÛ² ° ßÜÛÛßß Ûß ÜÛ²ÛÛß Ûß ° ÛÛÛÛÛßßß ß ° ÞÛÛ²ÛÝ ° ßÛÛÜÛÛß ° ²ß ° ßÛ Üßß ° ÜÛÛÛßß ° ßþÜÜþß ßßÛÛÛÛÜÜÜþß ° ßßÛÛÛÜÜÜÜÜÛÛß Eboy ßÜÜþß þßß ßßßßßß S K i D R O W

Üß -> T H E L E A D i N G F O R C E <- ßÜ ßÜ Üß ßßßßßßßßßßßßßßßßßßß ßßßßß ß proudly presents ß ßßßßß ßßßßßßßßßßßßßßßßßßß ° ÛÛÛ²²²²±±°° Silent Hunter 5: Battle of the Atlantic / Ubisoft °°±±²²²²ÛÛÛ ° ±ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ± ² ² ² RELEASE DATE : 03-03-2010 PROTECTION : Ubisoft DRM ² ² GAME TYPE : Submarine Simulation DISKS : 1 DVD ² ° ° ßÛ²ßßßßßßßßßßßßßßßßÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ßßß ß ßÛÝ Release Notes: ßÛÜ ° Û Üþ Þ² ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÜ ± Û Û ÜÛß Û ² Û ßßß ° Û The Skid Rowdies are looking new blood to fill up the ranks. Û Û ± Û We're a professional team of dedicated sceners with big mark Û Û Û Û under sceners. We believe on the ground idealism of the root Û Û Û Û of the real old school scene. We do all this for fun and Û Û Û Û nothing else. We don't earn anything on our hobby, as we do Û Û Û Û this for the competition and the heart of what got the scene Û Û Û Û started in the mid eighties. Û Û Û Û Û Û Û Û If you think you got something to offer, then don't hold back Û Û Û Û on contacting us as soon as possible. Û Û Û Û Û Û Û Û _______ __ ___ _____ /__ Û Û Û Û / |/ /_/_| _ / /_ / / Û Û Û Û / /| / / //| | //_// / / / / / / Û Û Û Û / | / | |_ / / / /_/ / /// / Û Û Û Û ____/|_|___/|___/ / /_/_/__/_/____/ Û Û Û Û twice the fun / double the trouble Û Û Û Û Û Û Û Û ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Û Û Û Û Û Û Û Û On with the game release information: Û Û Û Û Û Û Û Û Silent Hunter 5 hails the return of the number one submarine Û Û Û Û simulation. For the first time the player will be able to play Û Û Û Û & feel as U-boat captain leading his crew from a first person Û Û Û Û view in a true dynamic campaign. Û Û Û Û Û Û Û Û Operate against Allied shipping on a vast area all across the Û Û Û Û Atlantic Ocean and Mediterranean Sea and participate in famous Û Û Û Û encounters with strong enemy warships. Can you do better than Û Û Û Û the best U-boat aces? Û Û Û Û Û Û Û Û Silent Hunter 5 raises the levels of interactivity and Û Û Û Û immersion inside the U-boat and outside Û Û Û Û Û Û Û Û For the first time the player will walk through highly Û Û Û Û detailed submarines in FPS view and be able to access every Û Û Û Û inside & outside part of the U-boot Û Û Û Û Û Û Û Û With the help of an advanced order system the player will Û Û Û Û interact with the submarine crew, watch them doing their daily Û Û Û Û jobs and experience the tension & fear inside the U-boot. Û Û Û Û Û Û Û Û Player actions will impact the outcome of battles and the Û Û Û Û scenario evolution in campaign. Depending on his approach the Û Û Û Û player can open new locations with upgrade and resupply Û Û Û Û possibilities, while the Allied response adjusts dynamically Û Û Û Û Û Û Û ° Û ° ßÛ²ßßßßßßßßßßßßßßßßÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ßßß ß ßÛÝ Install Notes: ßÛÜ ° Û Üþ Þ² ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÜ ± Û Û ÜÛß Û ² Û ßßß ° Û 1. Unpack release Û Û ± Û 2. Mount image or burn it Û Û Û Û 3. Install Û Û Û Û 4. Copy the content from the SKIDROW folder on the DVD to your Û Û Û Û installation directory and overwrite Û Û Û Û 5. Play the game Û Û Û Û Û Û Û Û Additinal Notes: Û Û Û Û Û Û Û Û Don't install/use Ubisoft launcher, or simply block any Û Û Û Û connection to internet. Û Û Û Û Û Û Û Û Install game and copy crack, it's that simple! Û Û Û Û Û Û Û Û Support the companies, which software you actually enjoy! Û Û

Source: http://www.theregister.co.uk/2010/04/28/ubisoft_drm_cracked/

Blippy to hire a CSO after exposing credit card data

William McBorrough — Tue, 27 Apr 2010 19:11:06 +0000

So…. I made this post about the Social Media fallacy that is Blippy. Well true to form, here we are less than two months later finding out…

“Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members’ credit card numbers on Google.

Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day. ”

Who didn’t see this coming a mile away? Presenters at Shmoocon this year noted that penetration testers [and hackers] absolutely love this the Blippy platform because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: “I joined Blippy and all I got was jacked at the ATM.”"

Sigh

If Microsoft can do it, why not McAfee?

William McBorrough — Thu, 22 Apr 2010 18:54:06 +0000

Yesterday, a faulty McAfee anti-virus update labeled a critical Microsoft system file as a “virus” causing hundreds of thousands of computers around the world with Windows XP Service Pack 3 running to go into a continuous reboot cycle [duh!].

Today, however, Sophos is reporting hackers are compounding the problem by using blackhat SEO (search engine optimisation) techniques to create webpages stuffed with content which appears to be related to McAfee’s false alarm problem – but are really designed to infect visiting computers.

Sophos has identified malicious webpages which appear on the first page of Google results if users search for phrases associated with McAfee’s false positive.

“It’s bad enough if many of the computers in your company are out of action because of a faulty security update, but it’s even worse if you infect your network by Googling for a fix,” explained Graham Cluley, senior technology consultant for Sophos. “These poisoned pages are appearing on the very first page of search engine results, making it likely that many will click on them. If you visit the links you may see pop-up warnings telling you about security issues with your computer. The warnings are fake and designed to trick you into downloading dangerous software, which could result in hackers gaining control of your corporate computers or the theft of your credit card details.”

Top 10 Web Application Security Risks for 2010

William McBorrough — Tue, 20 Apr 2010 15:45:29 +0000

Yesterday, OWASP released its list of top ten web application security risks for this year. The list, which was first unveiled in November at the OWASP conference, is a departure from OWASP’s previous lists, which ranked the most commonly found weaknesses and vulnerabilities in Web applications. OWASP’s new list features the most exploitable and likely security risks found in these apps. The list includes:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Download the full report here.

Changing Internet passwords a waste of time??

William McBorrough — Thu, 15 Apr 2010 21:40:26 +0000

From the following article: http://wcbstv.com/seenat11/internet.passwords.microsoft.2.1633927.html

“The study concluded someone hacking into your computer and stealing your password is similar to a crook getting your house key.

The crook will likely use it right away and not wait until after you’ve changed the locks.

“As soon as they’ve got it, they’re using it and then they’re gone,” said Lance Ulanoff, editor of PC Magazine.

Ulanoff advises people to get stronger passwords in the first place. ”

The so-called “expert” advise: Use stronger, more complex passwords.

I guess he is not familiar with the fact that stolen account credentials are bartered and traded like goods in the hacker underground. Ofscourse you should use complex passwords. But it’s still a good practice to change it occasionally.

Nessus 4.2.2 now released

William McBorrough — Thu, 15 Apr 2010 17:05:53 +0000

Version version 4.2.2 released today brings the following fixes:

Nessus-fetch: Proxy issues have been resolved.
NASL: Fixed a memory leak in the NASL xmlparse() function.
Networking: Fixed IPv6 routing when talking to a remote host (FreeBSD, Mac OS X). Packet forgery was not always working on ES5 64 bits.
Packaging: Fixed the Debian /etc/rc init script. Upgraded OpenSSL to version 0.9.8n (Windows, Solaris)
Stability: Fixed a possible crash when using a badly written custom plugin. Fixed a possible crash when running out of BPFs on Windows.

Staying safe on public Wi-Fi

William McBorrough — Wed, 14 Apr 2010 17:04:02 +0000

Picture this: You’re at a café with your laptop and latte in hand, getting ready to review new sales leads and the quarterly financial projections. First you hop on the free Wi-Fi that the shop’s management provides. Then you connect your laptop to a projector so that the entire café can take a look, and finally you hand out some printed copies of your confidential product specifications to the other patrons so that they can follow along. That may sound ridiculous, but if you’re using public-access Wi-Fi without taking the proper precautions, you might as well be asking your coffee compatriots to partake in confidential company information.

That’s an abstract from a pretty good article in NetworkWorld. I previously also posted about the dangers of public wireless networks.

Consider however, how probably is it that a competitor or anyone else for that matter is lurking steal your data? You don’t know and neither do I. Just remember that it’s very easy to do so protect yourself.

Read full article: http://www.networkworld.com/news/2010/041310-how-to-stay-safe-on.html

IKEA Facebook scam cons 40,000 users

William McBorrough — Sun, 11 Apr 2010 22:47:25 +0000

These types of attacks have become the norm on Facebook. Last week, I posted on a similar scam involving Whole Foods Grocery.

This particular scam page had taken in more than 37,000 users by last Friday, offering them a $1,000 gift certificate in exchange for promoting Ikea to friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day.

To participate, users must become a fan of the fake Ikea page, hosted on Facebook, and then invite all their friends to become fans. They are then directed to an affiliate marketing page hosted by GiftDepotDirect.com, where they are asked personal information such as name, address, date of birth and home telephone number.

After that step, the victim is told to sign up for two online marketing offers – these ones with legitimate websites such as Netflix and CreditReport.com – in order to claim the gift card.

The promised cards in these scams never show up. Who would have thunk it??

** Cross-posted from www.secur3t.com**

Google rolls out privacy reset for Buzz

William McBorrough — Mon, 05 Apr 2010 19:39:33 +0000

Google will ask users of its social network Buzz to review their privacy settings starting April 5.

This follows a series of privacy related concerns and updates following the initial launch of the service. I mentioned some of the concerns here in a post: Google Acknowledges Privacy Issues With Buzz amid FTC complaint

The latest tweaks will also show every aspect of a user’s profile, from public settings to the websites users are connected to, and who they are following or being followed by.

“Shortly after launching Google Buzz, we quickly realised we didn’t get everything right and moved as fast as possible to improve the Buzz experience,” said Buzz product manager Todd Jackson in a blog post.

“Offering everyone who uses our products transparency and control is very important to us.”, he continues.

The blogosphere has reacted positively to the proposed changes.

“While we can say that this is what we wanted at launch, it is heartening to see it now,” said Alex Wilhelm, of TheNextWeb.

Ben Parr, associate editor at social media blog Mashable, said that while the changes could not fix the damage already done, they might “help get Congress off [Google's] back”.

“If it can appease critics on the privacy issues, then it can tackle the bigger challenge: making Google Buzz into a competitive threat to Twitter and Facebook.”

The Google Buzz team has promised more updates in the future.

Cloud Computing Security: An Insider's View

Guest Blogger — Fri, 02 Apr 2010 22:40:33 +0000

As CSO of Qualys, Randy Barr is responsible for security, risk management and business continuity planning of the QualysGuard platform. In this video Randy talks about cloud computing security from an insider’s point of view. He illustrates what a security professional has to go through when building a security program for a cloud environment.

For more security-related material visit Help Net Security: http://www.net-security.org

Facebook error exposes users hidden email addresses for 30 minutes

William McBorrough — Wed, 31 Mar 2010 18:37:30 +0000

I swear I am not on an anti-Facebook crusade, but the endless drip, drip, drip of security issues is astounding. So is Facebook just worse than the rest when it comes to security? I think not. It’s just that they are the most popular and receive the most attention. In other words, ALL social networking sites have these issues.

“Last night during Facebook’s regular code push, a bug caused hidden email addresses to be visible briefly,” said a Facebook spokesman yesterday.

This new calamity lasted for 30 minutes.

Facebook to share your information with other sites

William McBorrough — Tue, 30 Mar 2010 17:52:03 +0000

Facebook users are expressing strong disapproval of proposed privacy changes will let the site share some user information with third-party Web sites and applications. Have you added your voice? These social networking sites have a captive audience which many businesses will pay a pretty penny to have access to and get information about.

When Google decided to unilaterally opt Gmail users into Buzz and share your contact information, it received bad press and an FTC filing. I can only hope the same and more happens here.

Under Facebook’s current rules you’re asked first if you want to share information (your name, photos and friends list) with third-party sites. The proposed policy, which Facebook hasn’t implemented yet, would bypass asking you for approval when visiting some sites and applications Facebook has business relationships with, sharing limited personal information automatically.

Tell Facebook how you feel about it here: http://blog.facebook.com/blog.php?post=376904492130