Hello, folks--earlier this month, at a well-known conference, there was announced a tool that can hack into any GMail account, regardless of how good your password is, as long as the data is flitting around unencrypted.
That's bad, m'kay?
Google has always had it so that your login credentials flit around encrypted, but once that's done, drops you to an unencrypted session (for long reasons that work out to "it's cheaper that way" for several kinds of "cheaper"). This will leave you quite open to this tool when it's released into the wild at the end of the month.
However, there's help! Google has just made it so that you can choose to have all your GMail traffic encrypted, and I would recommend this to any GMail user, even if you think "oh, my e-mail isn't that important". It's really easy to fix this. Actually, they should fix the dodgamn underlying bug, but leaving that aside for now, here's what you can do:
Simply log into GMail, and click on the Settings link over in the top right corner. At the bottom of this screen is a section labelled "Browser Connection", which by default is set to "Don't always use https". Change this to "Always use https", then click the "Save changes" button directly below. That "should" keep you safe from people using this fascinating new toy.
"Documental sobre los hackers" (documentary about hackers)
From DefCon 2006. 24 minutes long. Pretty watchable even for English-speakers, as most of the interviews are in English with Spanish subtitles.
I don't know the names of everybody that got interviewed, but overall it's a good piece. Covers all the main Def Con elements, from Capture the Flag, to the Wall of Sheep, to the Lockpicking Contest, clips of people from Adam Laurie to Johnny Long to Jeff Moss, and much of the partying in between. ;) Billy Goto can be seen showing off his black badge (permanent free admission, from winning Hacker Jeopardy in a previous year), and my own fleeting seconds of Argentinian fame are around 16:25 (wearing my IGDA T-shirt) and a somewhat inebriated interview clip at 18:05. ;) I love my title description: "Ilanka, diseñadora de juegos, hacker" ("Elonka: Game designer, hacker.") Only it sounds c00ler in Spanish. ;)
RE: Slashdot | Interview With Cryptographer Elonka Dunin
Topic: Computer Security
8:50 pm EST, Mar 17, 2006
noteworthy wrote: Elonka wrote:
Does anyone else have an idea how I'd get my name onto their radar screen?
Start by having your publisher send Oprah a preview copy of your book, along with some kind of glossy brochure that their ad agency would prepare. The brochure would outline the angle Oprah should take in making your book and personal story relevant to her audience.
Ideally, your book jacket would include "Advance Praise" from Dan Brown himself, or from James Sanborn, or something.
Have you met H. Keith Melton? Maybe your publisher could work on getting your book into the gift shop at the International Spy Musuem. It's mostly focused on espionage, but their web site does have a Games section that includes a "Codemaking & Breaking" Flash game.
Okay, the publisher sent me a PDF file, and I played with it a bit, and here's what the flyer's looking like so far: flyer.jpg (300K). How's that look?
And yes, Melton's a great guy! He's put me in touch with some people at the International Spy Museum in Washington DC, who may be inviting me to come out and do a booksigning. Melton also suggested that I make myself available to the 24-hour news channels, as a volunteer code expert who they can interview when they're looking for such a thing around the time of the release of the movie The Da Vinci Code. I hadn't even thought of that, and it's a bit daunting, but sure, why not? Though again, I have no idea of how to get my name into their rolodex. Is there a database of "people that CNN call" somewhere?
RE: Slashdot | Interview With Cryptographer Elonka Dunin
Topic: Computer Security
10:12 pm EST, Mar 14, 2006
Go Elonka! I truly cannot wait till I have a copy of her upcoming book. I expect it to be very well recieved by a very wide audience. I think the result will be suprising...
Elonka should wind up on the talk show circut. We need to get Elonka on Oprah after her book comes out! It's imperative.
Y'know, I've been wondering that, myself. I mean, Oprah is probably going to have a segment on "The Da Vinci Code" when the movie comes out in May, and it would probably be cool for her show to have a real-life crypto-geek girl (who just had a book come out).
The only thing is, I've never been a member of the "The Cult of Oprah", and I really have no idea how I would even go about getting the attention of her producers, other than just working the phones and relentlessly self-promoting myself. Does anyone else have an idea how I'd get my name onto their radar screen?
ToolbarCop is a browser extensions manager which can eliminate the following browser add-ons selectively from Internet Explorer: Browser Helper Objects (BHO) Toolbars Standard Toolbar buttons Context menu Extensions Third-party download managers & Third-party Protocol Handlers and their residual entries remaining in the registry. Horizontal / Vertical Explorer Bars (side-search bars) Startup applications originating from RUN registry keys
I've been getting a lot of "registry change denied" popups, related to the ITBarLayout "Browser Helper Object". It appears that the recommended solution is to get and run a piece of software called ToolbarCop. Has anyone else here played with it, or have the same problem?
. . . what Sony [did] is as interesting as it is nasty. An understanding of how the company's hidden software works is important to understanding what all the hubbub is about — and to protecting yourself. . . . Sony, like most music companies, wants complete control over how you use the music you buy. They want to prevent you from copying it, even to an iPod or a mix you take in your car.
But in its latest attempt to control its customers' use of music, Sony went overboard. . . . [Sony] hired a company called First4Internet to design a copy-protection system called XCP. If you tried to play a protected disk in your computer, you first had to agree to install a Sony music player to listen to it.
But what Sony didn't say out loud was that the software also included a rootkit.
Rootkits were invented for Unix systems (where you could log in as "root" to have complete control over a computer). They were designed by the bad hackers to let them log into a system as "root" without the owner knowing.
A rootkit effectively creates a hidden space on users' computers. In that space, Sony (or anyone else who knows how to access that space) could put anything it wanted to hide. In Sony's case, it hid its copy-protection software so users couldn't remove it.
But Sony and First4Internet did such a lousy job that the hidden space created by the rootkit could be used by anyone who knew about it. In other words, it created a huge security hole — a space on every user's computer that a virus writer could hide some nasty code. . . . Besides installing a player for the CD and copy-protection software, Sony also hid other code that contacted the company every time a user played a song.
Yes, you read that right.
Now you're starting to see why people got upset.
This article on USA Today gives a pretty good "plain English" explanation of the problem. They also link to Kaminski's research.
CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences.
One fears the impact of this will be trouble... What is the association between CMP and Defcon?!
If this is the same CMP Media that bought the Game Developers Conference (and it looks like it), you can expect that (1) whoever "owned" Black Hat made a lot of money; (2) that the price of the conference is going to go up; and (3) that there's going to be a different set of standards in terms of how speakers are chosen, since this responsibility is going to transfer over to CMP instead of the original organizers (we've had a lot of complaints about that at the GDC).
My own question, now, about the transition, is whether or not Black Hat is an established enough "brand" that it will continue to draw quality speakers and attendees, regardless of who owns/runs the conference, or whether some other conference that remains privately-owned is going to become the venue of choice.
Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.
It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .
So what did I find?
Much, much more than I expected.
It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows...unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident. The process of discovering this has led to some significant advances in the art of cache snooping. Here are some of the factors I've dealt with . . .
Memestreamer Abaddon Quits Job to Expose Cisco Security Hole at Black Hat Conference
Topic: Computer Security
11:48 am EDT, Jul 28, 2005
LAS VEGAS -- A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday against threat of a lawsuit. . . . Michael Lynn, a former research analyst with Internet Security Solutions, quit his job at ISS Tuesday morning before disclosing the flaw at Black Hat Briefings, a conference for computer security professionals held annually here. . . . Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job.
"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."
Michael Lynn is a fellow Memestreamer, Abaddon. Pretty gutsy move, quitting his job to give the talk.
Speaking of Black Hat, and Def Con, I'm getting ready myself to head to the airport, as I write this. See y'all in Vegas!
Today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. in Atlanta.