Sunday, September 23, 2007

Show #48 - 09.23.2007



[Download Show #48 as MP3]

News
  • OJ Jailed
    • To a court record that runs from suspected double murderer to accused DirecTV pirate, O.J. Simpson on Sunday added another chapter: at 60, he faces armed robbery, assault, burglary and conspiracy charges, according to police.
    • Last Sunday, Simpson was arrested in his hotel room at The Palms hotel and casino.
    • Police said Simpson would be held without bail.
    • Court date set for Sept. 20.
  • Tor server admin arrested
    • The police were investigating a bomb threat posted to an online forum for German police officers.
    • The police traced one of the objectionable posts on the forum to the IP address for Janssen's server.
    • Up until his arrest, Alex Janssen's Tor server carried more than 40GB of random strangers' Internet traffic each day.
    • Showing up at his house at midnight on a Sunday night, police cuffed and arrested him in front of his wife and seized his equipment.
    • In a display of both bitter irony and incompetence, the police did not take or shut down the Tor server responsible for the traffic they were interested in, which was located in a different city, more than 500km away.
    • Janssen's attempts to explain what Tor is to the police officers initially fell on deaf ears.
    • After Janssen had been interrogated for hours, someone from the city of Düsseldorf's equivalent of the Department of Homeland Security showed up and admitted to him that they'd made a mistake. He was released shortly after.

  • OpenOffice 2.3 Released
    • New chart wizard, with support for 3D Charts
    • Revamped Toolbars
    • Export documents as Wiki pages on OpenOffice 2.3 Writer
    • Enhanced Autosum on OpenOffice 2.3 Calc
    • Report Builder on OpenOffice 2.3 Base
  • Winamp Goes Where iTunes Doesn't Dare
    • Winamp, that staple of media players, will soon turn 10!
    • On the 10th of October at 10:10am, Winamp 5.5 (PC-only) will be released sporting two new and potentially controversial features
      • support for mp3 blogs
        • also known as musicblogs or audioblogs
        • an MP3 blog is a type of blog in which the creator makes music files, normally in the MP3 format, available for download.
        • increasingly popular since 2003.
        • music posted ranges from hard-to-find rarities to more contemporary offerings, and selections are often restricted to a particular musical genre or theme.
        • some blogs offer music in Advanced Audio Coding (AAC) or Ogg formats, as well as MP3.
      • the ability to stream your music collection over the Internet
        • This turns WinAmp into a local media server
        • your tracks and videos are cataloged and accessible from other devices, including
          • other PCs running Winamp
          • a web browser
          • various mobile devices
          • game consoles (Playstation 3, XBox 360 or Nintendo Wii)
        • Unlike iTunes, sharing isn’t restricted to devices on the local network, instead you can also share your music over the Internet.
        • To make this relatively simple, Winamp prompts you to send an email or SMS text message to a friend, allowing them access to your playlists from their computer. They’ll need to create a free account to verify their identity, but only once. In this regard, Winamp Remote makes iTunes’ network sharing features seem rather puny and inflexible.
    • Also new to version 5.5 is the “Bento” skin. This is a move away from Winamp’s traditional multi-windowed interface (the default skin), which can be confusing and cluttered at times. Instead, the new skin only has one window which is more in keeping with other media management software.
    • See it first HERE!
  • iTouch vs. iPod
    • The Good
      • Slim profile, lightweight
      • iTunes Store well implemented
      • 3.5" display is great for video
      • Snappiness of UI
      • Built-in web browser
      • WiFi support
      • iTunes Wi-Fi Music Store is pretty pimp
    • The Bad
      • No e-mail client
      • Lack of ability to edit calendar items
      • Screen quality isn't as good as the iPhone
      • Negative black effect
      • Only 16GB of storage
      • Can't use 802.11b/g to sync
      • No iPod disk mode
    • The Ugly
      • The fingerprint smudges covering nearly the entirety of the iPod touch's shiny surfaces

Software / Hardware / Power Web Picks

Security & Privacy
  • Password Security
    • How Password Cracking Works
      • L0phtCrack
        • Dictionary Attacks
        • Brute Force
        • Hybrid Attacks
      • Social Engineering
        • This is one of the most difficult types of attacks to detect, and thus to defend against!
        • We as humans are naturally helpful, polite, supportive team players who try to get the job done.
        • Social psychologist Brad Sagarin, PhD, who has made a study of persuasion, describes the social engineer’s arsenal this way: “There’s nothing magic about social engineering. The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But unlike most of us, the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect.”
        • Role Stereotyping - The social engineer exhibits the behavioral characteristics of the role he or she is masquerading in. Most of us tend to fill in the blanks when given just a few characteristics of a role; a good example is when we see a man dressed like an executive and assume he’s smart, focused, and reliable... or that he IS an executive. Add a commanding tone of voice or the right mannerisms and you can make people believe you. The role may be an IT technician, customer, new hire, or any other that would ordinarily encourage compliance with a request. Common stereotyping props include mentioning the name of the target’s boss or other employees and using company or industry terminology or jargon. For in-person attacks, the attacker’s choice of clothing, jewelry (a company pin, an athlete’s wristwatch, an expensive pen, a school ring) or grooming (for example, hairstyle) are also trappings that can suggest believability in the role the attacker is claiming. The power of this method grows from the fact that once we accept someone as an executive, a customer, or a fellow employee, we make inferences attributing other characteristics: an executive is wealthy and powerful, a software developer is technically savvy but may be socially awkward, a fellow employee is trustworthy. How much information is needed before people start making these inferences? Not much.

          EXAMPLE: How many times have you called your credit card company and been asked for the account number, your birthday, and other verification information? Have you ever been called after a large purchase to make sure it was yours? What if the person calling you wasn't from the card company? That is how it's done.
        • Credibility - Establishing credibility is step one in most social engineering attacks for everything that is to follow. There are three common methods that an attacker will use:
          • The attacker says something that would seem to be arguing against his or her own self-interest. Found in Chapter 8 of "The Art of Deception" in the story “One Simple Call,” when the attacker tells his victim, “Now, go ahead and type your password but don’t tell me what it is. You should never tell anybody your password, not even tech support.” This sounds like a statement from someone who is trustworthy.
          • The attacker warns the target of an event that, unbeknownst to the target, the attacker causes to occur. In the story, “The Network Outage,” appearing in Chapter 5 of "The Art of Deception", the attacker explains that the network connection might go down. The attacker then does something that makes the victim lose his network connection, giving the attacker credibility in the eyes of the victim.
          • The prediction tactic (above) is often combined with the attacker further proving he or she is credible by helping the victim solve a problem. That’s what happened in “The Network Outage,” when the attacker first warned that the network might go out, then caused the victim’s network connection to fail, as predicted, and subsequently restored the connection and claimed that he had “fixed the problem,” leaving his victim both trusting and grateful.

            EXAMPLE: Set up the phone system in the target office so that a certain extension forwards to the attacker's cell phone, and update the internal website to list that extension as the number to call when a problem is encountered. When the victim calls, tell them to enter their password but not to tell you what it is (the attacker could be capturing it at this point anyway). Once the attacker gets it "working," he builds trust by telling the victim to call the same extension if they have problems with their network connection in a few minutes. He then unplugs the network; the victim calls; the attacker puts the victim on hold, plugs the network cable back in, and asks if that fixed it. Then he asks for a favor: "You know, I can't remember the name of the server we store the financials on, I need to do backup maintenance on that box."
        • Forcing the Target into a Role - The social engineer puts his or her target into the role of, usually, helper. Once a person has accepted the helper role, he or she will usually find it awkward or difficult to back off from helping. An astute social engineer will try to gain a sense of a role that the victim would be comfortable in and then manipulate the conversation to maneuver the person into that role.
        • Next Week (Sep 30th)
          • Distracting from Systematic Thinking
          • Momentum of Compliance
          • The Desire to Help
        • Week After Next (Oct 7th)
          • Attribution
          • Liking
          • Fear
          • Reactance
        • Countermeasures
          • Developing clear, concise security protocols that are enforced consistently throughout the organization
          • Developing security awareness training
          • Developing simple rules defining what information is sensitive
          • Developing a simple rule that says that whenever a requestor is asking for a restricted action (that is, an action that involves interaction with computer-related equipment where the consequences are not known), the requestor’s identity must be verified according to company policy
          • Developing a data classification policy
          • Training employees on ways to resist social engineering attacks
          • Testing your employee’s susceptibility to social engineering attacks by conducting a security assessment
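The three L0phtCrack modes listed above (dictionary, brute force, hybrid) in working code, as an added example that is not from the show or from L0phtCrack itself. It assumes an unsalted SHA-256 hash as a stand-in for the LM/NTLM hashes L0phtCrack actually targets, and a constructed five-word wordlist in place of a real one; the attack logic is the same for any fast unsalted hash, only the speed differs.

```python
import hashlib
import itertools
import string


def hash_password(password: str) -> str:
    # Assumption for this example: unsalted SHA-256 stands in for the
    # LM/NTLM hashes a real cracker would be fed. No salt means one
    # hash per candidate, which is what makes these attacks cheap.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed mini wordlist; a real run uses a large list such as rockyou.txt.
WORDLIST = ["letmein", "password", "summer", "welcome", "qwerty"]


def dictionary_attack(target: str, wordlist=WORDLIST):
    """Dictionary attack: try every wordlist entry exactly as written."""
    for word in wordlist:
        if hash_password(word) == target:
            return word
    return None


def mangle(word: str):
    """Hybrid rules applied to one dictionary word: case variants, a
    leet-speak variant, then appended digits, years and punctuation."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(str.maketrans("aeios", "43105"))}
    for base in bases:
        yield base
        for n in range(100):             # "password1", "Password42", ...
            yield f"{base}{n}"
        for year in range(1990, 2008):   # "Summer2007"
            yield f"{base}{year}"
        for suffix in ("!", "!!", "?", "#"):
            yield base + suffix


def hybrid_attack(target: str, wordlist=WORDLIST):
    """Hybrid attack: dictionary words plus mangling rules. Catches the
    'word + digits' habit that a plain dictionary attack misses."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate) == target:
                return candidate
    return None


def brute_force_attack(target: str,
                       charset=string.ascii_lowercase + string.digits,
                       max_len=4):
    """Brute force: every string over charset up to max_len, shortest first.
    Cost is sum(len(charset)**k for k in 1..max_len), so it only pays off
    for short passwords or small character sets."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate) == target:
                return candidate
    return None


def crack(target: str):
    """Run the attacks cheapest-first. Returns (method, password), or
    (None, None) if the password survives all three."""
    for name, attack in (("dictionary", dictionary_attack),
                         ("hybrid", hybrid_attack),
                         ("brute force", brute_force_attack)):
        found = attack(target)
        if found is not None:
            return name, found
    return None, None


if __name__ == "__main__":
    # Constructed sample passwords: one per attack mode, plus one that
    # is long and mixed enough to survive all of them at these settings.
    for pw in ("password", "Summer2007", "q7z", "Tr0ub4dor&3"):
        method, found = crack(hash_password(pw))
        print(f"{pw!r}: {method} -> {found}")
```

The ordering in crack() is the practical point: a dictionary pass over a few million words costs almost nothing, hybrid rules multiply that by a small constant, and brute force grows exponentially with length, which is why "Summer2007" falls in milliseconds while a long mixed-character password at the same hash speed does not. A salted or deliberately slow hash does not change the logic here, but it removes the precomputation shortcut and raises the per-candidate cost.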

Protect Yourself Against Identity Theft:
Identity Theft Resource Center

How Identity Theft Happens:
  • Stealing mail or rummaging through rubbish (dumpster diving)
  • Stealing payment or identification cards or the information on them (pickpocketing, "drive-by" scanning of RF-enabled cards/tags)
  • Eavesdropping on public transactions to obtain personal data (shoulder surfing)
  • Stealing personal information in computer databases (Trojan horses, hacking)
  • Infiltration of organizations that store large amounts of personal information
  • Impersonating a trusted organization in an electronic communication (phishing)
  • Obtaining castings of fingers for falsifying fingerprint identification.
  • Browsing social network sites (MySpace, Facebook, Bebo, etc.) for personal details that users have posted about themselves
  • Simply researching the victim in government registers, on the Internet, via Google, and so on.

How Much Identity Theft:
US$56.6 billion in 2006. The average fraud per person rose from $5,249 in 2003 to $6,383 in 2006

  • Only 15% of victims find out about the theft through proactive action taken by a business
  • The average time spent by victims resolving the problem is about 40 hours
  • 73% of respondents indicated the crime involved the thief acquiring a credit card
  • The emotional impact is similar to that of victims of violent crimes

In a widely publicized account, Michelle Brown, a victim of identity fraud, testified before a U.S. Senate Committee Hearing on Identity Theft. Ms. Brown testified that: "over a year and a half from January 1998 through July 1999, one individual impersonated me to procure over $50,000 in goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected: she engaged in drug trafficking. The crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually, a prison record when she was booked under my name as an inmate in the Chicago Federal Prison."
