Spontaneous Sociability and The Enthymeme

Rattle

Current Topic: Computer Security

Richard Clarke sets tone for Black Hat 2007 | Tech news blog - CNET News.com
Topic: Computer Security 6:20 pm EDT, Aug 1, 2007

Clarke leveled the harshest language on the Bush administration. "The Bush administration has systematically reduced the work to secure cyberspace." Clarke cited recent cuts to the Defense Advanced Research Projects Agency as an example. While he doesn't believe that government is the solution--it is just a part of the solution--he said he thinks government helps set the tone. He said he thinks Bush is "setting an example how not to do cybersecurity."

Richard Clarke sets tone for Black Hat 2007 | Tech news blog - CNET News.com


SummerCon
Topic: Computer Security 4:00 am EDT, Jul 28, 2007

SummerCon 2007: August 24-26, 2007 Atlanta

Where: Wyndham Garden Hotel
125 10th Street NE
Atlanta, GA 30309
1 404-873-4800
(corner of Peachtree St & 10th)

I am happy about this...

SummerCon


DOMinatrix - The JavaScript SQL Injector
Topic: Computer Security 3:17 am EDT, Jul 26, 2007

Yeah, Billy has another toolkit for destroying the web.. Don't be too shocked or anything, there will most likely be another one next week.

This one is branded with more sexual innuendo than the last one though...

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation.

XSS + Web worm + DOMinatrix = oh crap.

In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript.

These aren't browser exploits.
These aren't buffer overflows.
These aren't something that affects only a single browser and only on pages that don't explicitly set a character set.

This is using JavaScript in perfectly valid ways to do extremely malicious things.

There is no way to patch this.
End users are pretty much screwed.

Here is a screen shot of DOMinatrix in action.

DOMinatrix - The JavaScript SQL Injector


SPI Labs advises avoiding iPhone feature
Topic: Computer Security 10:42 am EDT, Jul 17, 2007

The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including:

* Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing

Oops, Billy did it again!

SPI Labs advises avoiding iPhone feature


How the Greek cellphone network was tapped
Topic: Computer Security 3:00 pm EDT, Jul 10, 2007

From the cryptography@metzdowd.com list:

A fascinating IEEE Spectrum article on the incident in which lawful
intercept facilities were hacked to permit the secret tapping of
the mobile phones of a large number of Greek government officials,
including the Prime Minister:

http://www.spectrum.ieee.org/print/5280

Hat tip: Steve Bellovin.

Perry
--
Perry E. Metzger perry@piermont.com

This is worth reading. An operation leverages the "lawful intercept" features of telephone switches, combined with rootkit malware specifically designed for the switches, and a collection of corrupt employees for some very unlawful intercepts. One, possibly two deaths. One of the most sophisticated computer intrusions I have ever heard of. Most likely a state intelligence organization. Americans widely suspected.

How the Greek cellphone network was tapped


Solving the Web security challenge | CNET News.com
Topic: Computer Security 9:58 am EDT, Jun 28, 2007

"We have information on security practices out there. The disconnect is that we don't have an intermediary that says how these things apply to you as you build Web 2.0 or other applications," Hoffman said. "Will a nonprofit or some other group arise that tries to publish standards? Probably. We definitely need a central clearing house of good information, because there is a lot of bad information out there."

Are there any articles on Web 2.0 security out there that are not made up of Billy Hoffman quotes? I hope not..

Solving the Web security challenge | CNET News.com


General: China taking on U.S. in cyber arms race - CNN.com
Topic: Computer Security 5:35 pm EDT, Jun 14, 2007

China is seeking to unseat the United States as the dominant power in cyberspace, a U.S. Air Force general leading a new push in this area said Wednesday.

"They're the only nation that has been quite that blatant about saying, 'We're looking to do that,"' 8th Air Force Commander Lt. Gen. Robert Elder told reporters.

Elder is to head a new three-star cyber command being set up at Barksdale Air Force Base in Louisiana, already home to about 25,000 military personnel involved in everything from electronic warfare to network defense.

The command's focus is to control the cyber domain, critical to everything from communications to surveillance to infrastructure security.

"We have peer competitors right now in terms of doing computer network attack ... and I believe we're going to be able to ratchet up our capability," Elder said. "We're going to go way ahead."

The Defense Department said in its annual report on China's military power last month that China regarded computer network operations -- attacks, defense and exploitation -- as critical to achieving "electromagnetic dominance" early in a conflict.

China's People's Liberation Army has established information warfare units to develop viruses to attack enemy computer systems and networks, the Pentagon said.

China also was investing in electronic countermeasures and defenses against electronic attack, including infrared decoys, angle reflectors and false-target generators, it said.

Elder described the bulk of current alleged Chinese cyber-operations as industrial espionage aimed at stealing trade secrets to save years of high-tech development.

He attributed the espionage to a mix of criminals, hackers and "nation-state" forces. Virtually all potential U.S. foes also were scanning U.S. networks for trade and defense secrets, he added.

"Everyone but North Korea," he said. "We've concluded that there must be only one laptop in all of North Korea -- and that guy's not allowed to scan overseas networks," Elder said.

In October, the U.S. Joint Chiefs of Staff defined cyberspace as "characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures."

General: China taking on U.S. in cyber arms race - CNN.com


DOMinatrix...
Topic: Computer Security 5:21 pm EDT, May 30, 2007

More from Acidus:

Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website's database.

DOMinatrix: Spanking the DOM the way the DOM likes it! I'd like to thank Dan Kaminsky for the suggestion. He came up with the name and challenged me to come up with the spanking victim. You'll see it at Blackhat.

DOMinatrix...


Christopher Soghoian | Remote Vulnerability in Firefox Extensions
Topic: Computer Security 4:22 pm EDT, May 30, 2007

A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions.

The vulnerability is made possible through the use of a man in the middle attack, a fairly old computer security technique. Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong. While Firefox does at least prompt the user when updates are available, some commercial extensions (including those made by Google) have disabled this, and thus silently update their extensions without giving the user any say in the matter.

A demo video is available.

Christopher Soghoian | Remote Vulnerability in Firefox Extensions
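The attack above works because the client installs whatever the network hands it for the update URL. The defence is to accept an update only when a manifest signed with the vendor's key names the exact bytes that were downloaded; an attacker who owns the network can swap the package but cannot forge that signature. The block below is an added example, not code from Firefox, Mozilla or any of the extensions named above: the vendor, the update server and the network are simulated in-process, the keys and packages are constructed, and the signature scheme is textbook RSA over a SHA-256 digest with no padding, a toy stand-in for a real signature library (in practice use a vetted one, and serve updates over TLS as well).

```python
"""Added example: a client that verifies an extension update before installing it.

The vendor signs a manifest binding a version to the package digest. The
client holds only the public key; it installs only if the manifest
verifies AND the downloaded package matches the digest in it. Toy RSA
(constructed keys, no padding) stands in for a real signature scheme.
"""
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); the private exponent d never leaves the vendor."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def sign(private_key, data):
    """Vendor side: RSA over the SHA-256 digest (digest is 256 bits, well below n)."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public_key, data, signature):
    """Client side: recover the digest with the public exponent and compare."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def build_manifest(version, package):
    """Vendor side: the manifest binds a version string to the package digest."""
    return f"version={version};sha256={hashlib.sha256(package).hexdigest()}".encode()


def check_update(pinned_public_key, manifest, signature, package):
    """Install only if the manifest is authentic AND names exactly this package."""
    if not verify(pinned_public_key, manifest, signature):
        return False  # manifest forged or altered in transit
    fields = dict(item.split("=", 1) for item in manifest.decode().split(";"))
    return fields.get("sha256") == hashlib.sha256(package).hexdigest()


def demo():
    """Three deliveries: honest, package swapped, package and manifest swapped."""
    random.seed(7)  # deterministic toy keys for the example
    public, private = generate_keypair()
    genuine = b"extension-2.0.1.xpi (constructed package bytes)"
    manifest = build_manifest("2.0.1", genuine)
    signature = sign(private, manifest)
    malicious = b"trojaned-extension.xpi (constructed)"

    honest = check_update(public, manifest, signature, genuine)
    # A network attacker swaps the package; the signed manifest no longer matches it.
    swapped = check_update(public, manifest, signature, malicious)
    # The attacker also rewrites the manifest; without d the old signature fails on it.
    forged = check_update(public, build_manifest("2.0.1", malicious), signature, malicious)
    return honest, swapped, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The property that matters is the separation of keys: the client pins the public half and can be fully inspected by an attacker without giving anything away, so a manifest that verifies proves the vendor produced it, whatever path the bytes took.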


Russia accused of unleashing cyberwar to disable Estonia | Guardian Unlimited
Topic: Computer Security 2:17 pm EDT, May 17, 2007

A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications.

While Russia and Estonia are embroiled in their worst dispute since the collapse of the Soviet Union, a row that erupted at the end of last month over the Estonians' removal of the Bronze Soldier Soviet war memorial in central Tallinn, the country has been subjected to a barrage of cyber warfare, disabling the websites of government ministries, political parties, newspapers, banks, and companies.

Nato has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences.

"This is an operational security issue, something we're taking very seriously," said an official at Nato headquarters in Brussels. "It goes to the heart of the alliance's modus operandi."

Interesting. This is the first I've heard of this.

If it were established that Russia is behind the attacks, it would be the first known case of one state targeting another by cyber-warfare.

I'm not so sure about that part... I guess it depends on how you define cyber-warfare. I prefer to view this all as different flavors of information warfare, which very much includes espionage activity, which we have often seen.

The crisis unleashed a wave of so-called DDoS, or Distributed Denial of Service, attacks, where websites are suddenly swamped by tens of thousands of visits, jamming and disabling them by overcrowding the bandwidths for the servers running the sites. The attacks have been pouring in from all over the world, but Estonian officials and computer security experts say that, particularly in the early phase, some attackers were identified by their internet addresses - many of which were Russian, and some of which were from Russian state institutions.

"The cyber-attacks are from Russia. There is no question. It's political," said Merit Kopli, editor of Postimees, one of the two main newspapers in Estonia, whose website has been targeted and has been inaccessible to international visitors for a week. It was still unavailable last night.

At the moment, the big question may be if this type of attack qualifies as a military action in the same way that electronic warfare does. At this point, if only websites are being DoS'd, it's one thing. If the attacks are (or become) focused on key infrastructure, it would be more clear cut. If these attacks are driven by state conflicts, this is a dangerous grey area to play in.

Without more information, it is very hard to determine if these attacks are backed by the state, or just being done by rogue hackers that happen to be motivated by the row between Russia and Estonia.

Russia accused of unleashing cyberwar to disable Estonia | Guardian Unlimited
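The article's description of the DDoS, sites "swamped by tens of thousands of visits", is exactly what shows up first in a web server's access log. The block below is an added example and not from the Guardian piece or from anyone involved: a detector that parses combined-format access log lines, keeps a sliding window of request times per client address and for the site as a whole, and flags addresses whose request rate exceeds a threshold. The log lines are constructed for the example, and the thresholds are illustrative; they have to be tuned to a site's normal traffic.

```python
"""Added example: a request-flood detector run over web server access logs.

Parses Apache/nginx combined-format lines, keeps a sliding window of
request timestamps per client address and site-wide, and reports the
addresses that exceeded a per-address rate plus the site's peak rate.
The sample log is constructed, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_flood(lines, window_seconds=10, per_ip_threshold=20, site_threshold=50):
    """Sliding-window rate check.

    Returns (flagged_ips, peak_site_rate, site_flooded): addresses that exceeded
    per_ip_threshold requests inside any window, the largest number of requests
    the site saw in one window, and whether that peak exceeded site_threshold.
    """
    per_ip = defaultdict(deque)
    site = deque()
    flagged, peak = set(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort on them
        ip, ts, _ = parsed
        for window in (per_ip[ip], site):
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # evict events that fell out of the window
        if len(per_ip[ip]) > per_ip_threshold:
            flagged.add(ip)
        peak = max(peak, len(site))
    return sorted(flagged), peak, peak > site_threshold


def constructed_log():
    """Constructed sample: two ordinary visitors plus a burst from two addresses."""
    base = datetime(2007, 5, 10, 12, 0, 0, tzinfo=timezone.utc)
    events = []  # (offset in ms, client ip, path)
    for i in range(6):  # ordinary visitors: one request every ten seconds
        events.append((i * 10_000, "203.0.113.5", "/news"))
        events.append((i * 10_000 + 3_000, "198.51.100.7", "/index.html"))
    for i in range(40):  # flood: 40 requests from each source inside four seconds
        events.append((30_000 + i * 100, "192.0.2.10", "/"))
        events.append((30_000 + i * 100, "192.0.2.11", "/"))
    events.sort()
    return [
        f'{ip} - - [{(base + timedelta(milliseconds=ms)).strftime(TS_FMT)}] '
        f'"GET {path} HTTP/1.1" 200 512'
        for ms, ip, path in events
    ]


def analyze_sample():
    """Run the detector over the constructed log."""
    return detect_flood(constructed_log())


if __name__ == "__main__":
    flagged, peak, flooded = analyze_sample()
    print(flagged, peak, flooded)  # ['192.0.2.10', '192.0.2.11'] 83 True
```

Two caveats a practitioner would add: behind a load balancer or CDN the first field is the proxy's address, so the forwarded client address has to be parsed instead; and a per-address rate only catches the noisy sources, so the site-wide peak is the figure to alert on when a flood is spread across many addresses, as the article says this one was.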

