Tuesday, December 22, 2009

Facts to Know to Keep Your Computer Safe from Viruses

http://isc.sans.org/

A virus is a computer program that is intended to do harm. A virus can delete information on your computer or use your e-mail to send viruses to other computers.

Malware is a computer program such as a Trojan Horse or a Worm.

A Trojan Horse is a computer virus that pretends to be something that it is not, e.g. a screen saver or a computer game. If something sounds too good to be true, don’t trust it.

A Worm is a computer virus that moves through ports and uses the computer network.

A DNS code is an address that changes the number code into words so we can remember them.

A router is a device that ships and delivers information and a router switch is the same thing but it is more efficient.

If you get an unexpected email from somebody you don’t know, don’t open it.

If there is an attachment to an email you can open it as long as you have the file checked with Anti-Virus protection software.

There are many ways to be protected from a virus, such as a firewall and anti-virus programs like Norton, and the Mac-Updates that are already on a Mac.

Firewalls don’t accept some things because they don’t fit the criteria.

Be careful when going to game sites or other sites that let you download things because you may get a virus.

Remember, nothing is free. Beware of free stuff, programs, games, etc. that are offered on the Internet. These usually contain viruses.

Anything that connects to the Internet can contract a virus; this includes your cell phone and Xbox.

Friday, December 18, 2009

China Jails Trojan Virus Authors in Cybercrime Crackdown

A Chinese court Wednesday sentenced 11 members of a malware ring for writing and distributing Trojan horse viruses meant to steal online game account passwords, according to state media.

The people, who stole login information for more than 5 million game accounts, were given prison sentences of up to three years and were fined a total of 830,000 Chinese yuan (US$120,000), China's Xinhua news agency said. Dozens of other members of the ring, which is suspected of 30 million yuan ($4.4 million) in crime, are expected to be sentenced soon, Xinhua said.

http://www.pcworld.com/businesscenter/article/184909/china_jails_trojan_virus_authors_in_cybercrime_crackdown.html

Friday, December 11, 2009

Shmoocon 2010

Feb 5 - 7, Wardman Park Marriott, Washington DC, USA

Different • ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.

Affordable • ShmooCon is about high-quality without the high price. Space is limited! ShmooCon has sold out every year, so unless taking a chance on an eBay auction to get your ticket sounds like fun, register early!

Accessible • ShmooCon is in Washington, D.C., at the Marriott Wardman Park Hotel, just a few steps from the D.C. Metro. Fly into DCA, IAD, or BWI, or take a train to Union Station, and you are just a quick cab ride away from the con.

Entertaining • Brain melting from all the cool tech you are learning? Check out some of the contests running at ShmooCon, including the Hacker Arcade and Hack-Or-Halo. In years past, we have also thrown massive parties at a local area hot-spot, so expect that to happen again too!

http://www.shmoocon.org/registration.html

Thursday, December 3, 2009

BlackBerry Products PDF Distiller Code Execution Vulnerabilities

Hackers can use maliciously rigged PDF files to hack into corporate systems hosting the BlackBerry Attachment Service, according to a warning from the makers of the popular smartphone.

Research in Motion (RIM) issued an advisory with patches for multiple flaws in the PDF distiller service and warned that an attacker could exploit the issues by simply e-mailing a booby-trapped PDF file to a BlackBerry user.

These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server, could cause memory corruption and possibly lead to a Denial of Service (DoS) condition or arbitrary code execution on the computer that hosts the BlackBerry Attachment Service component of that BlackBerry Enterprise Server.

Affected versions include the BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows version 2003 or 2008, BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows 2000, BlackBerry Enterprise Server software versions 4.1.3 through 4.1.7, and BlackBerry Professional Software 4.1.4.

http://blogs.zdnet.com/security/?p=5030&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ZDNetBlogs+%28ZDNet+All+Blogs%29

Tuesday, November 24, 2009

New Banking Trojan Horses Gain Polish

Criminals today can hijack active online banking sessions, and new Trojan horses can fake the account balance to prevent victims from seeing that they're being defrauded.

Traditionally, such malware stole usernames and passwords for specific banks; but the criminal had to access the compromised account manually to withdraw funds. To stop those attacks, financial services developed authentication methods such as device ID, geolocation, and challenging questions.

Unfortunately, criminals facing those obstacles have gotten smarter, too. One Trojan horse, URLzone, is so advanced that security vendor Finjan sees it as a next-generation program.

Greater Sophistication

Banking attacks today are much stealthier and occur in real time. Unlike keyloggers, which merely record your keystrokes, URLzone lets crooks log in, supply the required authentication, and hijack the session by spoofing the bank pages. The assaults are known as man-in-the-middle attacks because the victim and the attacker access the account at the same time, and a victim may not even notice anything out of the ordinary with their account.

http://www.pcworld.com/article/182889/banking_trojan_horses.html?tk=rss_news

Sunday, November 22, 2009

Microsoft Internet Explorer CSS Handling Code Execution Vulnerability (0day)

Title : Microsoft Internet Explorer CSS Handling Code Execution Vulnerability (0day)
VUPEN ID : VUPEN/ADV-2009-3301
CVE ID : GENERIC-MAP-NOMATCH
CWE ID : VUPEN VNS Only
CVSS V2 : VUPEN VNS Only
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2009-11-21

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

VUPEN has confirmed the vulnerability on fully patched Windows XP SP3 systems with Internet Explorer 7 and 6.

Affected Products

Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Solution

Disable Active Scripting in the Internet and Local intranet security zones.

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2009/3301

Tuesday, November 17, 2009

Windows SMB Subject to Denial-of-Service Attack Windows 7

Microsoft is continuing to investigate holes in its Server Message Block (SMB) file-sharing protocol used in Windows.

Late Friday, Microsoft put out yet another Security Advisory, saying it was looking into "new public reports of a denial-of-service vulnerability" in SMB.

The reported exploits touch SMBv1 and SMBv2 on Windows 7 and Windows Server 2008 R2 operating systems, according to the software giant.

Vista, Windows Server 2008, XP, Windows Server 2003 and Windows 2000 are not affected.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable," said Dave Forstrom, a spokesman for Microsoft Trustworthy Computing. "If exploited, this DoS vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted."

Last Friday's advisory is the second such advisory since Redmond released one in September. This also marks the second time in as many months that news about vulnerabilities in the SMB program has emerged.

Forstrom said the default firewall settings on Windows 7 will help block attempts to exploit this latest DoS issue.

He added that while Microsoft is not currently aware of active attacks, customers should "review and implement the workarounds outlined in the advisory until a comprehensive security update is released."

http://mcpmag.com/articles/2009/11/16/windows-smb-subject-to-denial-of-service-attack.aspx

Friday, October 30, 2009

New Vulnerabilities Microsoft / Adobe

* Microsoft .NET Framework Remote Code Execution Exploit (MS09-061)

This remote code execution exploit takes advantage of a vulnerability
in Microsoft .NET Framework when processing certain code e.g. in
a XAML browser application (XBAP).

CVE ID: CVE-2009-0091

* Adobe Reader U3D Clod Declaration Code Execution Exploit (APSB09-15)

This code execution exploit takes advantage of an array indexing
vulnerability in Adobe Reader when processing U3D Clod Declarations
within a PDF file.

CVE ID: CVE-2009-2994

* Microsoft Internet Explorer Remote Memory Corruption PoC (MS09-052)

This code demonstrates a memory corruption vulnerability in Microsoft
Internet Explorer when processing certain HTML elements.

CVE ID: CVE-2009-2531

Tuesday, October 27, 2009

Mozilla Firefox Code Execution and Information Disclosure Vulnerabilities

Multiple vulnerabilities have been identified in Mozilla Firefox,
which could be exploited by attackers to manipulate or disclose
certain data, bypass security restrictions or compromise a vulnerable
system.

The first issue is caused by an error within the form history, which
could allow malicious web sites to trick a vulnerable browser into
auto-filling form fields with history entries and then reading the
entries.

The second vulnerability is caused due to a predictable file naming
scheme being used to download a file which already exists in the
downloads folder, which could allow an attacker with access to a
vulnerable system to place a malicious file in the world-writable
directory used to save temporary downloaded files and cause the
browser to open it.

The third issue is caused by a memory corruption error within the
processing of recursive web-worker calls, which could be exploited to
crash an affected browser or execute arbitrary code.

The fourth vulnerability is caused by a memory corruption error within
the parsing of regular expressions used in Proxy Auto-configuration
(PAC) files, which could allow attackers to crash an affected browser
or execute arbitrary code on a system where PAC has been configured
with specific regular expressions.

The fifth issue is caused by a heap overflow error in the GIF image
parser, which could be exploited to crash an affected browser or
execute arbitrary code.

The sixth vulnerability is caused due to the XPCOM utility
"XPCVariant::VariantDataToJS" unwrapping doubly-wrapped objects before
returning them to chrome callers, which could result in chrome
privileged code calling methods on an object which had previously been
created or modified by web content, leading to the execution of
malicious JavaScript code with chrome privileges.

The seventh issue is caused by a heap overflow error in the string to
floating point number conversion routines, which could be exploited to
crash an affected browser or execute arbitrary code.

The eighth vulnerability is caused due to a same-origin policy bypass
via the "document.getSelection" function, which could be exploited to
conduct cross-domain scripting attacks.

The ninth vulnerability is caused by an error when downloading a file
with a name containing a right-to-left override character (RTL), which
could be exploited to obfuscate the name and extension of a malicious
file to be downloaded and opened.

The tenth issue is caused by memory corruption errors in the
JavaScript and browser engines when parsing malformed data, which
could be exploited by attackers to crash a vulnerable browser or
execute arbitrary code.

Other memory corruption errors related to liboggz, libvorbis, and
liboggplay have also been reported, which could be exploited by
attackers to compromise a vulnerable system.

Affected Products

Mozilla Firefox versions prior to 3.5.4
Mozilla Firefox versions prior to 3.0.15
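The ninth item above describes a file name carrying a right-to-left override character so that the shown name and extension differ from the real ones. The checker below is an added example (not part of the advisory) that flags such names on the defender's side: it lists the bidi control characters present, approximates what a renderer displays, and reports the extension the operating system will actually act on. Flagging the embedding and isolate controls besides U+202E is this example's own assumption, and the sample names are constructed.

```python
import os

# Unicode bidi override/embedding/isolate controls. U+202E (RLO) is the
# right-to-left override named in the advisory; flagging the others is this
# example's assumption, since each of them can reorder a displayed name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name: str):
    """Position and short name of every bidi control character in the filename."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name: str) -> str:
    """Approximate what a renderer shows: text after an RLO (up to a PDF
    terminator or the end of the string) is drawn right-to-left, i.e.
    reversed; the control characters themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + 1          # skip the terminator as well
        elif ch in BIDI_CONTROLS:
            i += 1               # other controls: invisible, no reordering
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def actual_extension(name: str) -> str:
    """Extension the OS acts on. Controls are stripped first: they never
    change which characters follow the last dot."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def assess_filename(name: str) -> dict:
    """Summarise a download's name: controls found, what is shown, what runs.
    Any bidi control in a filename is treated as suspicious (a conservative
    policy; legitimate right-to-left names rarely need explicit overrides)."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    return {
        "controls": controls,
        "displayed": shown,
        "displayed_ext": os.path.splitext(shown)[1].lower(),
        "actual_ext": actual_extension(name),
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed sample names: one benign, one carrying U+202E before "fdp.exe".
    for n in ["quarterly-report.pdf", "quarterly-report\u202efdp.exe"]:
        print(repr(n), "->", assess_filename(n))
```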

Monday, October 19, 2009

DHS Web sites vulnerable to hackers, IG says

The Homeland Security Department’s most popular Web sites appear to be vulnerable to hackers and could put department data at risk of loss or unauthorized use, according to a new report from DHS Inspector General Richard Skinner.

“These vulnerabilities could put DHS data at risk,” Skinner wrote in the report issued Oct. 8. “In addition, DHS can make improvements in managing its system inventory and providing technical oversight and guidance in order to evaluate the security threats to its public-facing Web sites.”

Read More...

Wednesday, October 14, 2009

Snow Leopard bug deletes all user data

Computerworld - Snow Leopard users have reported that they've lost all their personal data when they've logged into a "Guest" account after upgrading from Leopard, according to messages on Apple's support forum.

The bug, users said in a well-read thread on Apple's support forum, resets all settings on the Mac, resets all applications' settings and erases the contents of critical folders containing documents, photos and music.

The MacFixIt site first reported the problem more than a month ago.

Read more...

Friday, September 18, 2009

Zeus is the #1 botnet ?

Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together with (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one-time passwords and TANs, etc. Zeus uses some rootkit techniques to evade detection and removal.

Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. approximately 1% of the PCs in the US).

Read More...

Friday, September 4, 2009

eBay reaches deal to sell Skype

Skype is to be majority-owned by a group of private investors, including Netscape co-founder Marc Andreessen and private equity firms.

EBay will keep a 35% stake in the firm, which it has been trying to sell for some time. It has said that Skype had "limited synergies" with it.

Read more...

Wednesday, September 2, 2009

Trojan Targets Skype Users

TrendLabs researchers were alerted of a newly released Proof-of-Concept (PoC) that listens and records voice calls carried out via Skype. Trend Micro detects this as TROJ_SPAYKE.C. Skype is a popular application used for making voice over IP (VoIP) calls.

Read more

Magic numbers in files

Some examples:

* Compiled Java class files (bytecode) start with hex CAFEBABE. When compressed with Pack200 the bytes are changed to CAFED00D.
* GIF image files have the ASCII code for "GIF89a" (47 49 46 38 39 61) or "GIF87a" (47 49 46 38 37 61)
* JPEG image files begin with FF D8 and end with FF D9. JPEG/JFIF files contain the ASCII code for "JFIF" (4A 46 49 46) as a null terminated string. JPEG/Exif files contain the ASCII code for "Exif" (45 78 69 66) also as a null terminated string, followed by more metadata about the file.
* PNG image files begin with an 8-byte signature which identifies the file as a PNG file and allows detection of common file transfer problems: \211 P N G \r \n \032 \n (89 50 4E 47 0D 0A 1A 0A). That signature contains various newline characters to permit detecting unwarranted automated newline conversions, such as transferring the file using FTP with the ASCII transfer mode instead of the binary mode.
* Standard MIDI music files have the ASCII code for "MThd" (4D 54 68 64) followed by more metadata.
* Unix script files usually start with a shebang, "#!" (23 21) followed by the path to an interpreter.
* PostScript files and programs start with "%!" (25 21).
* PDF files start with "%PDF" (25 50 44 46).
* Old MS-DOS .exe files and the newer Microsoft Windows PE (Portable Executable) .exe files start with the ASCII string "MZ" (4D 5A), the initials of the designer of the file format, Mark Zbikowski. The definition allows "ZM" (5A 4D) as well but this is quite uncommon.
* The Berkeley Fast File System superblock format is identified as either 19 54 01 19 or 01 19 54 depending on version; both represent the birthday of the author, Marshall Kirk McKusick.
* The Master Boot Record of bootable storage devices on almost all IA-32 IBM PC Compatibles has a code of AA 55 as its last two bytes.
* Executables for the Game Boy and Game Boy Advance handheld video game systems have a 48-byte or 156-byte magic number, respectively, at a fixed spot in the header. This magic number encodes a bitmap of the Nintendo logo.
* Zip files begin with "PK" (50 4B), the initials of Phil Katz, author of DOS compression utility PKZIP.
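A small checker, added here as an example and not part of the original list, that uses the signatures above to identify a sample's type, to verify that a file name's extension agrees with its content (the upload-filter use of magic numbers: a renamed executable fails the check), and to diagnose the PNG newline-conversion damage the list describes. The signature table, the extension policy and the sample byte strings are constructed for the example.

```python
import os

# Leading-byte signatures from the list above; longer ones first so that a
# longer match wins. Only signatures with a fixed prefix at offset 0 are used.
SIGNATURES = [
    ("PNG", bytes.fromhex("89504E470D0A1A0A")),
    ("GIF89a", b"GIF89a"),
    ("GIF87a", b"GIF87a"),
    ("Java class", bytes.fromhex("CAFEBABE")),
    ("Pack200 Java class", bytes.fromhex("CAFED00D")),
    ("MIDI", b"MThd"),
    ("PDF", b"%PDF"),
    ("JPEG", bytes.fromhex("FFD8")),
    ("Script (shebang)", b"#!"),
    ("PostScript", b"%!"),
    ("DOS/PE executable", b"MZ"),
    ("Zip", b"PK"),
]
PNG_SIG = bytes.fromhex("89504E470D0A1A0A")
JPEG_TRAILER = bytes.fromhex("FFD9")


def identify(data: bytes) -> str:
    """Name of the first signature the data starts with, or 'unknown'."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            # JPEG also has a fixed trailer; a missing one means a cut-off file.
            if name == "JPEG" and not data.endswith(JPEG_TRAILER):
                return "JPEG (truncated)"
            return name
    return "unknown"


# Constructed upload policy: which content each accepted extension may carry.
ALLOWED_BY_EXTENSION = {
    ".png": {"PNG"}, ".gif": {"GIF87a", "GIF89a"},
    ".jpg": {"JPEG"}, ".jpeg": {"JPEG"},
    ".pdf": {"PDF"}, ".zip": {"Zip"},
}


def content_matches_extension(filename: str, data: bytes) -> bool:
    """True only when the extension is on the allow-list and the bytes agree.
    'invoice.pdf' whose content starts with MZ fails this check."""
    allowed = ALLOWED_BY_EXTENSION.get(os.path.splitext(filename)[1].lower())
    return allowed is not None and identify(data) in allowed


def diagnose_png(data: bytes) -> str:
    """Classify the transfer damage the PNG signature was designed to reveal."""
    head = data[:8]
    if head == PNG_SIG:
        return "ok"
    if head[:4] == b"\x09PNG":
        return "high bit stripped"        # 0x89 became 0x09: 7-bit channel
    if head[:4] != b"\x89PNG":
        return "not a PNG"
    rest = data[4:]
    if rest.startswith(b"\r\r\n"):
        return "LF->CRLF conversion"      # ASCII-mode transfer to a CRLF system
    if rest.startswith(b"\n\x1a\n"):
        return "CRLF->LF conversion"      # ASCII-mode transfer to an LF system
    return "unrecognised corruption"


if __name__ == "__main__":
    samples = {  # constructed byte strings, not real files
        "photo.png": PNG_SIG + b"\x00\x00\x00\x0dIHDR",
        "invoice.pdf": b"MZ\x90\x00\x03\x00",            # PE disguised as a PDF
        "scan.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xd9",
    }
    for fname, blob in samples.items():
        print(fname, identify(blob), content_matches_extension(fname, blob))
    print(diagnose_png(b"\x89PNG\r\r\n\x1a\r\n"))
```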

Friday, August 21, 2009

VA IG finds abuse of authority and ethical breaches in IT office

The Veterans Affairs Department’s inspector general believes that high-ranking officials abused their authority, misused their positions, engaged in prohibited personnel practices, improperly administered awards and engaged in nepotism while working in the department’s information technology office.

IG investigations of the conduct of people in the IT office substantiated the claims of ethical violations, according to two heavily redacted reports released Aug. 18.

Read more...

Thursday, August 13, 2009

Microsoft ordered to stop selling Word

* By Trudy Walsh
* Aug 12, 2009

"A federal court in Texas has ordered Microsoft to stop selling Microsoft Word.

Judge Leonard Davis of the U.S. District Court for the Eastern District of Texas, Tyler Division, ruled yesterday in favor of Toronto-based i4i, stating that Microsoft unlawfully infringed the Canadian company’s patent.

At a jury trial that began on May 11, representatives for i4i said that Microsoft’s use of Word 2007 for processing XML documents with custom XML elements “willfully” infringed i4i’s Patent 449.

The ruling prohibits Microsoft from selling or importing to the U.S. any Word products that have the capability of opening XML, .DOCX or DOCM files that contain custom XML.

The ruling is set to go into effect in 60 days. The judge has also granted an award and damages of $290 million to i4i."

More on FCW's

Monday, August 10, 2009

More attacks on Facebook, YouTube, and Fotki

Massive attack on a Georgian blogger who goes by the name "Cyxymu" was identified per F-Secure.

The attack included at least these components:

• DDoS attack against Cyxymu's Twitter account (http://twitter.com/cyxymu)
• DDoS attack against Cyxymu's Youtube account (http://www.youtube.com/cyxymu)
• DDoS attack against Cyxymu's Facebook account (http://www.facebook.com/cyxymu)
• DDoS attack against Cyxymu's Livejournal account (http://www.livejournal.com/cyxymu and http://cyxymu1.livejournal.com)
• DDoS attack against Cyxymu's Fotki account (http://public.fotki.com/cyxymu/)
• An e-mail "Joe Job" campaign against Cyxymu

The effects of some of these attacks are still visible. For example, Livejournal and Facebook are still not accepting connections to Cyxymu's pages.

More on F-Secure...

Thursday, July 16, 2009

Nmap 5.00 is Out

New features:

Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and debugging. We released a whole users' guide detailing security testing and network administration tasks made easy with Ncat.

The addition of the Ndiff scan comparison tool completes Nmap's growth into a whole suite of applications which work together to serve network administrators and security practitioners.

Nmap Network Scanning, the official Nmap guide to network discovery and security scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. More than half the book is available in the free online edition.

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features.

Visit and download the new version @ http://nmap.org/5/#changes-nse

Monday, July 13, 2009

Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution

Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

We are aware of attacks attempting to exploit the vulnerability.

Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.

Read more...

Monday, July 6, 2009

Microsoft warns of hole in Video ActiveX control

"Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files."

Thursday, July 2, 2009

US job losses worse than expected

Totally not IT or security related but everyone is pretty much affected one way or another....

The number of jobs lost in the US last month came in at 467,000, which was much more than had been expected. The jobless rate rose to 9.5% in June, from 9.4% in May, as the US economy continued to struggle.

Since the start of the recession in December 2007, the number of jobless people has risen by 7.2 million, the Department of Labor said.

The unemployment rate was slightly lower than had been expected, but was still the highest since August 1983.

In its separate weekly jobs report, the Department of Labor said that the number of newly laid-off workers applying for employment benefits last week fell to 614,000, while the number of people continuing to claim benefits unexpectedly fell to 6.7 million.

Read more...

Wednesday, July 1, 2009

Kon-Boot

"Kon-Boot is a prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as 'root' user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password. It was actually started as silly project of mine, which was born from my never-ending memory problems :) Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far :) Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0."

Read more...

Tuesday, June 30, 2009

Snort Setup Guide

A new set-up guide based on Nick Moore's June 12 webinar "Installing Snort on FC 10" is now available on Snort.org.
The document is posted at: http://www.snort.org/docs/setup-guides/

Saturday, June 6, 2009

Virginia patients warned about hacking of state drug Web site

By Bill Sizemore
The Virginian-Pilot
© June 4, 2009

State officials are notifying more than a half-million Virginians that their Social Security numbers may have been contained in a prescription drug database that was targeted by a computer hacker April 30.

The hacker gained access to the Prescription Monitoring Program computer system, which is designed to deter prescription drug abuse, and demanded a $10 million ransom. The hacker has not been identified.

A criminal investigation has not yet determined what, if any, personal information was put at risk in the incident, said Sandra Whitley Ryals, director of the Virginia Department of Health Professions, on Wednesday.

Nevertheless, the state is mailing individual notifications to 530,000 people whose prescription records may have contained Social Security numbers, in order to alert them to the potential for identity theft, Ryals said.

Read more...

Monday, June 1, 2009

Tory MP hacked on Facebook

IT security and control firm Sophos is reminding computer users to be on their guard against phishing attacks following news that the Facebook account of Conservative MP for Lichfield, Michael Fabricant, has been hacked.

According to reports, the MP fell foul of a phishing campaign that stole his username and password, and hackers then sent messages to Fabricant's 1,500 friends saying "Look at this!" and pointing recipients to a malicious webpage. Facebook has now suspended the politician's page.

Read more...

Saturday, May 30, 2009

Critical Windows vulnerability under attack, Microsoft warns

Posted in Anti-Virus, 28th May 2009 22:37 GMT

Microsoft has warned of a critical security bug in older versions of its Windows operating system that is already being exploited in the wild to remotely execute malware on vulnerable machines.

The vulnerability in a Windows component known as DirectX is being targeted using booby-trapped QuickTime files, which when parsed can allow attackers to gain complete control of a computer. Because many browsers are designed to automatically play video, people can be compromised simply by visiting a site serving malicious files. Vista, Windows Server 2008 and the beta version of Windows 7 are not affected, and neither is Apple's QuickTime player, Microsoft said.

Read more...

Thursday, May 21, 2009

NARA suffers data breach

An external hard drive with personally identifiable information from the Executive Office of the President during the Clinton administration is missing from a National Archives and Records Administration facility near Washington, government officials have said. Read more...

Wednesday, May 13, 2009

Tools and Config: Configuring Squid Proxy

Here's a good documentation on configuring squid proxy on Fedora.

http://www.labtestproject.com/linnet/squid_proxy_server.html

Monday, May 11, 2009

Hacker demands $10M ransom for data

May 07, 2009

A hacker who claims to have stolen 8 million records from a database that tracks prescription drug abuse in Virginia is demanding a $10 million ransom for the information's return, according to media reports.

"I have your s@*t! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions," the WikiLeaks note reads. "Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

Read more...

Will Craigslist Have to Crack Down?

South Carolina joins other states in calling for tighter Craigslist ad scrutiny, which could threaten Craigslist's low-cost, laissez faire business model. The pressure is on Craigslist to clean up its act. If the online classified ad site doesn't remove a section devoted to erotic services in South Carolina by May 15, the state's attorney general, Henry McMaster, says he'll open a criminal investigation into the company's executives, including Chief Executive Jim Buckmaster. Read more...


[Image: Craigslist founder Craig Newmark. Photo: Chip Somodevilla/Getty Images]

Wednesday, May 6, 2009

Cyberwarfare unit operating out of North Korea?

Intelligence services in Seoul are claiming that North Korea has set up a specialist cyberwarfare brigade, designed to use technology usually used by hackers to steal information from enemy countries and disrupt rival military networks in South Korea and the United States.

Read more...

Monday, April 27, 2009

ATM PAYMENT DEPARTMENT,IMMEDIATE ORDER FOR YOUR PAYMENT

Just got this one today...

****
OFFICE OF THE HEAD OF SENATE
FEDERAL REPUBLIC OF NIGERIA
COMMITTEE ON FOREIGN PAYMENT
(RESOLUTION PANEL ON CONTRACT PAYMENT)
ATM PAYMENT DEPARTMENT
IKOYI-LAGOS NIGERIA

Urgent Beneficiary,

This is to officially inform you that we have verified your inheritance file and found out that why you have not received your payment is because you have not fulfilled the obligations given to you in respect of your inheritance payment.

Secondly we have been informed that you are still dealing with the none officials in the bank your entire attempt to secure the release of the fund to you. We wish to advise you that such an illegal act like these have to stop if you wish to receive your payment this week since we have decided to bring a solution to your problem. Right now we have arranged your payment through our swift card payment center Asia pacific that is the latest instruction from MR. PRESIDENT, ALHAJI UMARU YAR’ADUA (GCFR) FEDERAL REPUBLIC OF NIGERIA. AND EFCC NIGERIA As well the INTERPOL and FBI.This card center will send you an ATM CARD which you will use to withdraw your money in any ATM MACHINE in any part of the world, but the maximum is twenty thousand dollars per day, so if you like to receive your fund this way please let us know by contacting the card payment center: contact person DR DANIEL WATAC:My Direct Telephone Phone number+234-80-50685399
email address:danielwatac.watac@gmail.com

And also send the following information:

1. Your full name
2. Phone and fax number
3. Address were you want them to send the atm card
4. Your age and current occupation
5. Attach copy of your identification

The ATM CARD PAYMENT CENTER has been mandated to issue out $4,000,000.00 as part payment for this fiscal year 2009. Also for your information, you have to stop any further communication with any other person(s) or office(s) to avoid any hitches in receiving your Payment. For oral discussion, call and email me back as soon as you receive this important message for further direction and also update me on any development from the above-mentioned office.

Note that because of impostors, we hereby issued you our code of conduct, which is (ATM-822) so you have to indicate this code when contacting the card center by using it as your subject.

Best Regards.

YOUR PAYMENT AGENT,
Dr. DAVID MARK
SENATE PRESIDENT
(Federal Republic of Nigeria)

****

Saturday, April 25, 2009

Facebook users say yes to changes

Facebook users have voted to back changes which give them control over data and content they post on the site. Read more...

Wednesday, April 15, 2009

Tech Review: Kanguru e-Flash drive

GCN review
The Kanguru e-Flash is the Clark Kent of flash drives. It looks ordinary at first but use it to transfer a gigabyte or two of data and you’ll realize that it almost has super powers. The interesting aspect of its design is that it has a USB port on one end of the key drive, and an eSATA port on the other. Read more...

Wednesday, April 8, 2009

Tips: Vi Editor Usage

:q!    abort without saving
:wq    write changes and quit

a      append text after cursor
i      insert text before cursor
o      open a new line below current line
O      open a new line above current line

x      delete character
dd     delete line
1p     restore most recently deleted text at cursor
u      undo last change (repeat to undo the undo)

10G    go to line 10 (can use any line number)
G      go to last line
0      move to beginning of current line
$      move to end of current line

Tuesday, April 7, 2009

What's the point of security certs?

From FCW.
We have heard from a number of readers who see little value in requiring cybersecurity workers to have security-related industry certifications.

They were responding to our report about a Senate bill that would require contractors to license and certify anyone providing cybersecurity-related services to a federal agency.

Several of these readers are not impressed specifically with Certified Information Systems Security Professional (CISSP) certifications. But certification, in general, is a bit of a red herring they said, because it does not reflect work experience, which is more valuable than test experience.

Blog Results:

* I've been certified since 2003 and have contact with many "certified" folks who have no experience with actual skills on the job. The cost of getting certified is high for both individuals and companies, yet the government still wants to award to the low bidder. Companies can't afford to spend a lot of money and not get a return on their investment in the people. It is also very difficult to retain trained 'professionals' no matter if they are trained while under government sponsorship or by their company. There is a lot of job hopping to increase salaries without remaining long enough to actually learn/perfect skills or truly contribute to the agency's mission.

* Great. Another worthless paper certification. And I include CISSP in that. Took me 45 minutes to parse the exam questions for the correct answers to pass that test then ISC2 wanted "maintenance" fees throughout the 3 year certification period. Those fees were not disclosed when I got the CISSP cert. Now I have to pay the "overdue" fees to re-certify since the 3 years ended. WTF? ISC2 is just about the money and they are going to exploit this one for all it's worth.

Read more...

Monday, April 6, 2009

Phishing E-mail

Dear Client,

Your VISA account has expired. You must renew it immediately or your account will be closed. If you intend to use this service in the future, you must take action at once!

To continue (link) login to your VISA account and follow the steps.

Thank you for using VISA!
VISA Services DEP.


COPYRIGHT VISA Solutions 2009 (C)

*******************

High level analysis

The site (v001.nexlink.ch) contains a script that contains credit card and PIN code validator.

Site per whois

inetnum:        80.86.200.0 - 80.86.203.255
netname: CH-NEXLINK-NET3
descr: green.ch AG Brugg Switzerland
descr: Shared Hosting
country: CH
 

Tuesday, March 31, 2009

Job Offer Scams

Just got another job scam thru my account. Here are the details.

Good tidings to you as you read.

Please permit me to write you irrespective of the fact we have not met before. I got your contact through network online


hence I decided to write you. I would be very interested in offering you a part-time paying job in which you could earn up to $7,000 a month as extra

income. opening an account would have been my best choice if I was not working on a deadline that must meet a 24 hour turn around time, other options are

not on my side due to time, money, and requirements. This is why I am offering a part time opportunity to someone responsible who can supply prompt assistant

and service. JOB DESCRIPTION: Work as my payment assistant in charge of collecting and processing the payments from the associates.


1. Receive payment (inform of money orders/checks) from my Clients/Associates.


2. Cash the Payments at your Bank


3. Deduct 10%, which will be your percentage/pay on Payment processed.


4. You will then forward the balance via Western Union Money Transfer


according to my instruction. REQUIREMENT: 18 years or older. Responsible, Reliable and Trustworthy Available to work a minimum 3-4 hours per week. Able to

check and respond to emails often. Easy telephone access. IS THIS LEGAL? YES It is very legal, Doing this job is 100% safe and legal. I would be glad if

you accept my proposal for an opportunity to make up 10% of each transaction completed. Please reply via email with complete information as requested:

A. NAME,==============

B. STREET ADDRESS (NOT P.O BOX),=================

C. CITY:=========================
======

D. STATE:=============================

E. ZIP CODE============================

F. COUNTRY============================

G. MOBILE NUMBER, ====================

H. AGE, ===============================

I. SEX, ==================================

J. OCCUPATION============================

K. E MAIL==================================


All replies should be sent to dr.davidewalk1@gmail.com

Regards,

DR David Walker

Monday, March 30, 2009

Conficker Tools

Felix Leder and Tillmann Werner

The following page contains the tools and analysis results described in our "Know your Enemy" paper "Containing Conficker - To Tame a Malware". The paper is published by the Honeynet Project and can be downloaded here: todo

All tools are to be considered proofs of concept. Even though most of them run stably, they are not meant for use in production. They don't come with any warranty.
All tools are available including source code and are licensed under the GPL.

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Friday, March 27, 2009

Nmap 4.85BETA 4

From Fyodor

4.85BETA4 (compared to 4.76) includes our new Ncat and Ndiff tools, a ton of new NSE scripts for superior network discovery, more than 5,000 version detection signatures and nearly 2,000 OS fingerprints, improved scan performance, and much more! You can read about all the changes at http://nmap.org/changelog.html. Be sure to read all the way down to 4.85BETA1, as that includes some of the most dramatic changes.

Download Nmap 4.85BETA4 from: http://nmap.org/download.html

Thursday, March 26, 2009

Firefox critical vulnerability patched in 3.0.8, due next week

A new vulnerability has just been found in Firefox. The vulnerability, discovered by security researcher Guido Landi, was published on several security sites on Wednesday the 25th. The flaw could be used by an attacker to remotely execute code on a user's machine through memory corruption after the user views a specially crafted malicious XML file. Read more...

Wednesday, March 25, 2009

Beware of "Local Breaking News"

March 16, 2009 (Marshal News)

Over the past month, botherders have been using fake coupon websites to host Waledac malware. Today, these criminals have updated their theme to use "Reuters breaking news" with localized content to easily captivate unwary users. It uses IP geolocation services to achieve content localization, which we have mentioned before in our previous blog. As usual, a link from the fake website points to a Waledac binary, and to make it look more legitimate, "Related Links" to Wikipedia and Google Search were added. Read more...

Tuesday, March 24, 2009

Senator says his office computers were hacked

One of the attacks looked "pretty serious, and it [was] talking to a computer in some international arena," Nelson said during the March 19 hearing. Read more

Thursday, March 12, 2009

Linux Tips: Removing Directory

rmdir command

Remove folder(s), if they are empty.

SYNTAX
rmdir [options]... folder...

OPTIONS
--ignore-fail-on-non-empty   ignore each failure that is solely because the directory is non-empty
-p, --parents                also remove the explicitly named parent directories if they become empty
--verbose                    output a diagnostic for every directory processed
--help                       display this help and exit
--version                    output version information and exit

Related Linux Bash commands:

ls - List information about files (use ls -al to see whether a folder is empty)
rm - Remove files (rm -rf will recursively remove folders and their contents)

Wednesday, March 11, 2009

Michael Jackson and Green Card lottery scams come together

"At the bottom you'll see a banner advert inviting people to live and work in the USA. The advert is served up by a division of Jackson's record company, Sony BMG, who themselves get it from an advertising network called Advertising.com. Nothing bad or dangerous so far.

But what I'm especially interested in is what happens when you click on the advert. You get taken to a website called www.usafis.org, which offers you the opportunity to enter the lottery for an American Green Card (essentially the authorisation to live and work in the United States)."

Tuesday, March 10, 2009

Recent exploits evade Adobe's countermeasures; patch not ready

March 6, 2009 (Computerworld) An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.

Last week, a researcher who works at the Danish vulnerability tracker Secunia said he had come up with an exploit that didn't rely on JavaScript. Read more...

More about Conficker Worm

Users can protect themselves from the worm by installing Microsoft's MS08-067 security update, using strong passwords and disabling Windows' Autoplay and Autorun features.
Read More ...

Thursday, March 5, 2009

Configuring LILO

LILO is the Linux Loader, the most popular boot loader for Linux. It is used to load Linux into memory and start the operating system. On a machine with multiple operating systems, LILO can be configured to boot the other systems as well.

Normally LILO is initially configured for you during the Linux installation process. However, you may find that default configuration is not correct, or you wish to customize it. And there may even come a time when you need to remove LILO from your computer. Here are some instructions that should help you on your quest.

Read more...

Tuesday, February 24, 2009

Starbucks sued after laptop data breach

The lawsuit was filed Thursday in federal court in Seattle. Starbucks has offered employees one-year's free credit monitoring and protection, but Krottner is asking the court to extend that to five years. She is also seeking unspecified damages and asking that Starbucks be ordered to submit to periodic security audits of its computer systems. Read More...

Sunday, February 22, 2009

Conficker B++?

"From late November through December 2008 we recorded more than 13,000 Conficker infections within our honeynet, and surveyed more than 1.5 million infected IP addresses from 206 countries. More recently, our cumulative census of Conficker.A indicates that it has affected more than 4.7 million IP addresses, while its successor, Conficker.B, has affected 6.7M IP addresses"

Read more on SRI's Analysis Report

Friday, February 13, 2009

iPhone Jailbreak Hack Violates Law

February 13, 2009 (Computerworld) Hacking an iPhone is against the law, Apple Inc. has argued in comments filed with the U.S. Copyright Office.

According to the Electronic Frontier Foundation (EFF), a freedom-of-speech advocacy organization, this is the first public statement from Apple about its legal position on "jailbreaking," the term used to describe hacking an iPhone to install third-party applications not sold via Apple's own App Store. Read more...

Heartland Data Breach

February 11, 2009 (Computerworld) The number of financial institutions that have said they were affected by the data breach disclosed last month by Heartland Payment Systems Inc. is growing longer by the day and now includes banks in 40 states as well as Canada, Bermuda and Guam, according to the BankInfoSecurity.com news portal. Read more...

Thursday, February 12, 2009

New Vulnerability Found in BlackBerrys

Feb 11, 2009 | 05:29 PM

By Tim Wilson
DarkReading

Just a few weeks after President Obama won his fight to keep his BlackBerry, the handheld's security is causing concern again.

BlackBerry maker Research In Motion this week is warning users about a newly discovered vulnerability that could potentially enable an attacker to gain remote control of the device or crash its browser. Read More...

Workaround and Fixes

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB16248


Tuesday, February 10, 2009

FAA files hacked... again

Hackers have once again gained entry to the US Federal Aviation Administration's (FAA's) computers.

Tom Waters, president of union Local 3290, and an FAA contract attorney, revealed that FAA officials told union leaders that hackers had gained entry to 48 files. Two of them may have provided the bad guys with names and social security numbers of 45,000 employees and retirees. However, another file they got their hands on, which contained medical information, was encrypted. Read more...

Monday, February 9, 2009

ShmooCon '09

It was definitely another great ShmooCon!!! Kudos to all the organizers, staff, and presenters. For those of you who missed it, it was a blast. Great speakers, the number of attendees grew, and of course the cool giveaways. Tons of fun!!!!

Read more...

Wednesday, February 4, 2009

Federal Workers Notified After SRA Virus Breach

February 03, 2009 — IDG News Service — Employees at federal security agencies are being notified that their personal information may have been compromised after hackers planted a virus on computer networks of government contractor SRA International.

SRA began notifying employees and all of its customers after discovering the breach recently, company spokeswoman Sheila Blackwell said Tuesday. The malicious software may have allowed hackers to get access to data maintained by SRA, including "employee names, addresses, Social Security numbers, dates of birth and health care provider information," the company said in a notification posted at the Maryland Attorney General's Web site. Read more...

Monday, February 2, 2009

Symbian trojan steals money from mobile accounts

According to media reports, Kaspersky is trying hard to damp down the effects of a warning about a new trojan for Symbian-based smart phones. Earlier this week, Kaspersky warned of a trojan which was able to transfer small sums, of between 45 and 90 cents, by texting. To do so, it makes use of a prepaid service from an Indonesian mobile phone provider. The malware, which has been christened SMS.Python.Flocker, spreads via Bluetooth and is written in Python. Read more...

Thursday, January 29, 2009

IEC Web Site Compromised

Websense Security Labs™ ThreatSeeker™ Network has discovered that a subdomain of the International Electrotechnical Commission (IEC) Web site has been compromised. The IEC is an international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies. Member countries include Japan, Australia, U.S.A., central European countries, and numerous others. Read more...

Taps vs Span Ports

Tao of Security provided a great discussion regarding taps or SPAN ports.
  1. Taps free SPAN ports for tactical, on-demand monitoring, especially intra-switch monitoring. Many switches have only two ports capable of SPAN, and some offer only one. If you commit a SPAN port for permanent monitoring duties, and you need to reassign it for some sort of troubleshooting on a VLAN or other aspect of the traffic, you have to deny traffic to your sensor while the SPAN port is doing other work. Keep your SPAN ports free so you can do intra-switch monitoring when you need it.

  2. Taps provide strategic, persistent monitoring. Installing a tap means you commit to a permanent method of access to network traffic. Once the tap is installed you don't need to worry about how you are going to access network traffic again. Taps should really be part of any network deployment, especially at key points in the network.

  3. Selected taps do not permit injected traffic onto the monitored link. Depending on the tap you deploy, you will find that it will not be physically capable of transmitting traffic from the sensor to the monitored link. This is not true of SPAN ports. Yes, you can configure SPAN ports to not transmit traffic, and that is the norm. However, from my consulting days I can remember one location where I was told to deploy a sensor on a box with one NIC. Yes, one NIC. That meant the same NIC used for remote SSH access also connected to a switch SPAN port. Yes, I felt dirty.

  4. What taps see is not influenced by configuration (as is the case with SPAN ports); i.e., what you see is really what is passing on the link. This is key, yet underestimated. If you own the sensor connected to a SPAN port, but not the switch, you are at the mercy of the switch owner. If the switch owner mistakenly or intentionally configures the SPAN port to not show all the traffic it should, you may or may not discover the misconfiguration. I have seen this happen countless times. With a network tap, there's no hiding the traffic passing on the monitored link. Many shops have been surprised by what is traversing a link when they finally take a direct look at the traffic.

  5. Taps do not place traffic on a switch data plane, like a SPAN port does. This point is debatable. Depending on switch architecture, SPAN ports may or may not affect the switch's ability to pass traffic. By that I mean a SPAN port may not receive all traffic when the switch is loaded, because forwarding may take precedence over SPANning.
Read more...

The Veterans Affairs Department has agreed to pay $20 million

The Veterans Affairs Department has agreed to pay $20 million to settle a lawsuit filed by veterans over the risk of potential identity theft when a VA laptop PC that contained their sensitive information was stolen in 2006. The laptop contained files with personally identifiable information on millions of veterans, such as names, birth dates and Social Security numbers. Read more...

Tuesday, January 27, 2009

Serious security alert for Monster.com and USAJobs.gov users, Sophos reports

Job websites struck by hackers once again, putting identities at risk

IT security and control firm Sophos is advising all users of careers website Monster.com and USAJobs.gov, the official job site of the US Federal Government, to change their passwords following news that both sites have been the victim of a serious hacking attack which has compromised both usernames and passwords.

Furthermore, as research has discovered that 41 percent of people use the same password for every website they access, many Monster and USAJobs users are likely to be at risk of having their accounts on other websites hacked as well. Read more...

Obama smartphone conforms to military standards

Contrary to some media reports, Obama won’t simply be trading in one BlackBerry — the ubiquitous e-mail and smartphone device made by Research In Motion (RIM) — for a more secure version. Rather, he’ll be switching altogether to a maximum-security smart phone — most likely the Sectéra Edge made by General Dynamics C4 Systems Group.

The Sectera Edge is actually a re-purposed Palm Treo 750 that has been reconfigured to send and receive wireless classified e-mail messages and attachments, as well as access Web sites on the government’s Secure IP Router Network (SIPRnet). It features a single-touch button that permits authorized users to toggle between SIPRnet and government’s non-secure network, NIPRnet. And it would allow the president to have secure voice conversations. Read more...

My personal opinion. I think L-3 guardian is much better.
http://www.l-3com.com/cs-east/ia/smeped/ie_ia_smeped.shtml

Sunday, January 25, 2009

Hoax that claims Apple CEO Steve Jobs has had a heart attack

"A widely-circulated URL which points to an image that purports to be a wired.com story about Steve Jobs health is a hack job," Wired.com said. "We won't provide the URL here but the Twitterverse quickly surmised that the item was not correct." It appears to have first been reported by Mashable.

Someone created a legitimate-looking Web page using Wired's public upload image viewer, which generates a page containing an image under a Wired logo banner, Wired.com said. The hole has been patched, the news site added. Read more...

Friday, January 23, 2009

Trojan Attack Masquerades as E-ticket notice

Jan 22, 2009 | 05:19 PM

By Tim Wilson
DarkReading

Security researchers have spotted a new attack designed to fool users into thinking that airline tickets have been purchased with their credit cards.

The attack, which was first spotted as an email from Northwest Airlines, and subsequently as a message from United Airlines, is a realistic-looking "receipt" that contains an attachment bearing the name Your_ETicket.zip or eTicket.zip, according to researchers at security vendor Sophos. Read more...

Wednesday, January 21, 2009

To disclose or not to

Security researchers should stop publishing vulnerabilities in the traditional way because cyber-criminals are using the code to generate zero-day exploits at record speeds, says a recent report. Read more...

Cheap cracks

Modern cryptological attacks can crack mobile phone calls, as well as debit and credit card systems, in seconds. The trick is to find a practical compromise between computing time and memory space with the help of precomputed tables. Probably no algorithm is immune to such an approach, but special techniques can thwart such attacks. Read more...
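The trade-off described above, as an added example that is not from the article or any real tool: a toy rainbow table over 4-digit PINs that stores 400 chain endpoints instead of all 10,000 hashes and still inverts most of the space, beside a per-user salt that makes the same table useless. SHA-256 stands in for the real phone or card cipher, and all sizes are toy assumptions chosen so the block runs in about a second.

```python
"""Toy time-memory trade-off (Hellman-style rainbow table) and why salting beats it.

Added example, not code from the article. The PIN space has N = 10,000 entries;
the table keeps only M chain endpoints, and inverting a hash costs at most
about T*T/2 hash evaluations instead of a full 10,000-entry search.
"""
import hashlib

N = 10_000   # PIN space 0000..9999 (toy size)
M = 400      # chains stored in the table
T = 40       # chain length (columns)


def H(pin, salt=""):
    """The hash being attacked; with a salt the function is per-user."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()


def R(digest, i):
    """Column-dependent reduction: maps a digest back into the PIN space.
    It is not an inverse of H; it just picks the next chain element."""
    return str((int(digest[:8], 16) + i) % N).zfill(4)


def build_table(m=M, t=T):
    """Precompute m chains of length t; store only {endpoint: [start points]}."""
    table = {}
    for k in range(m):
        start = str((k * 7919) % N).zfill(4)   # deterministic, distinct starts
        x = start
        for i in range(t):
            x = R(H(x), i)
        table.setdefault(x, []).append(start)
    return table


def lookup(table, digest, t=T):
    """Recover the PIN whose unsalted hash is `digest`, or None if uncovered."""
    for k in range(t - 1, -1, -1):          # guess which column the hash sits in
        y = R(digest, k)
        for i in range(k + 1, t):           # walk the rest of the chain
            y = R(H(y), i)
        for start in table.get(y, []):      # endpoint match: rebuild and verify
            x = start
            for i in range(t):
                if H(x) == digest:
                    return x
                x = R(H(x), i)
    return None


def coverage(table, sample=tuple(range(0, N, 50))):
    """Fraction of sampled PINs the table can invert (unsalted hashes)."""
    hits = sum(lookup(table, H(str(p).zfill(4))) is not None for p in sample)
    return hits / len(sample)


if __name__ == "__main__":
    table = build_table()
    print("endpoints stored:", sum(len(v) for v in table.values()), "of", N)
    print("coverage of unsalted PIN space:", round(coverage(table), 2))
    print("unsalted 1234 ->", lookup(table, H("1234")))
    # The same table cannot invert H(salt + pin): the attacker would need one
    # table per salt value, which removes the precomputation advantage.
    print("salted   1234 ->", lookup(table, H("1234", salt="user-7")))
```

`coverage` is well below 100% because chains merge; real attacks use several tables or longer chains, and the salt defence works regardless of those parameters.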

ARIZONA MAN INDICTED FOR SELLING COUNTERFEIT SOFTWARE ON EBAY

PHOENIX- A federal grand jury returned a 7-count indictment on Wednesday, January 13, 2009, against Kurt Kunselman, 44, of Waddell, Ariz., for violations of wire fraud, criminal copyright infringement and destruction of records with intent to obstruct a federal investigation. Kunselman was issued a summons and is set to appear before U.S. Magistrate Judge Lawrence O. Anderson at 10:45 a.m. on January 28, 2009. Read more...

Friday, January 16, 2009

Preemptive Blocklist and More Downadup Numbers

Updated Downadup from F-Secure.

The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing. Read more...

Wednesday, January 14, 2009

RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability

RealVNC Viewer is prone to a remote code-execution vulnerability because it fails to adequately handle certain encoding types.

An attacker can exploit this issue to execute arbitrary code in the context of the vulnerable process. Failed exploit attempts are likely to result in denial-of-service conditions.

This issue may be related to the vulnerability discussed in BID 30499 (RealVNC 4.1.2 'vncviewer.exe' Remote Denial of Service Vulnerability).

RealVNC 4.1.2 is vulnerable; earlier versions may also be affected.

Read more...

Tuesday, January 13, 2009

Serious security vulnerability in Safari web browser reported

An open source software engineer with a history of uncovering flaws in Mac OS X claims to have uncovered a security vulnerability in Apple’s web browser Safari, affecting both Windows and Apple Mac users. Read more...

Monday, January 12, 2009

Mysterious credit card charge may have hit millions of users

Several Internet complaint boards are filled with comments from credit card customers from coast to coast who have noticed a mysterious charge for about 25 cents on their statements. Read more...

CheckFree warns 5 million customers after hack

January 6, 2009 (IDG News Service) CheckFree Corp. and some of the banks that use its electronic bill payment service are notifying more than 5 million customers that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. Read more...

Friday, January 9, 2009

F-Secure Warns about a new Worm

Downadup uses several different methods to spread. These include using the recently patched vulnerability in Windows Server Service, guessing network passwords and infecting USB sticks. As an end result, once the malware gains access to the inside of a corporate network, it can be unusually hard to eradicate fully.

Typical problems generated by the worm include locking network users out of their accounts. This happens because the worm tries to guess (or brute-force) network passwords, tripping the automatic lock-out of a user who has too many password failures.
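The lockout symptom above suggests a detection: one source host failing logons against many different accounts in a short window, which a user mistyping one password never produces. The following is an added example (not F-Secure's or Microsoft's code) that runs that check over a constructed, simplified Windows Security log; event IDs 4625 (failed logon) and 4740 (account locked out) are the real Vista/Server 2008 identifiers, but the one-line log format is an assumption.

```python
"""Flag hosts that brute-force many accounts, the Downadup/Conficker pattern.

Added example, not from F-Secure. Input is a constructed, simplified log with
one event per line: timestamp, event ID, target account, source workstation.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: WS-FIN-07 is a user mistyping once; WS-HR-12 behaves
# like an infected host walking through accounts until lockouts trigger.
SAMPLE_LOG = """\
2009-01-09T08:00:01 4625 jsmith WS-FIN-07
2009-01-09T08:00:02 4625 jsmith WS-FIN-07
2009-01-09T08:00:03 4624 jsmith WS-FIN-07
2009-01-09T08:10:00 4625 admin WS-HR-12
2009-01-09T08:10:01 4625 jsmith WS-HR-12
2009-01-09T08:10:01 4625 mwong WS-HR-12
2009-01-09T08:10:02 4625 backup WS-HR-12
2009-01-09T08:10:02 4625 svc_sql WS-HR-12
2009-01-09T08:10:03 4625 rpatel WS-HR-12
2009-01-09T08:10:04 4740 backup WS-HR-12
2009-01-09T08:10:05 4740 rpatel WS-HR-12
"""


@dataclass
class Event:
    when: datetime
    event_id: int
    account: str
    source: str


def parse_log(text):
    """Parse the simplified log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, eid, account, source = line.split()
        events.append(Event(datetime.fromisoformat(stamp), int(eid), account, source))
    return events


def spraying_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: accounts} for sources whose failed logons (4625) hit at
    least `min_accounts` distinct accounts inside any sliding `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e.event_id == 4625:
            by_source[e.source].append(e)
    hits = {}
    for src, fails in by_source.items():
        fails.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(fails)):
            while fails[end].when - fails[start].when > window:
                start += 1
            accounts = {e.account for e in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = hits.get(src, set()) | accounts
    return hits


def lockouts_by_source(events):
    """Count account lockouts (4740) per caller workstation; a worm that
    trips lockouts shows up as one source locking out many users."""
    counts = defaultdict(int)
    for e in events:
        if e.event_id == 4740:
            counts[e.source] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, accts in spraying_sources(evs).items():
        print(f"{src}: failed logons against {len(accts)} accounts {sorted(accts)}")
    print("lockouts per source:", lockouts_by_source(evs))
```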



more technical details

Thursday, January 8, 2009

Friendster Users Beware!!!

A lot of Friendster users have been complaining about receiving lots of invitations to view a fake video from their contacts (who presumably would not usually send malicious content to their friends). Read more....

Hack the Box Blue

https://arcy24.medium.com/hack-the-box-blue-f5ae5b602a5c