Archive for the 'Linux' Category

Sep 01 2006

The target was material for phishing attacks

According to the SFGate, the intrusion that AT&T reported earlier this week was not aimed at stealing credit card information; it was aimed at providing the raw data to allow the crackers to perform targeted phishing attacks on a massive scale. By seeding an email with information gathered from AT&T’s database, the phishers can add a level of authenticity that makes even some of the most suspicious people on the Internet accept an email as authentic.

This is just one more reason to never respond directly to any request from a merchant or bank that comes to you in the form of an email. As always, if you think an email alert is real, open a browser window and manually type in your bank’s URL; never click on the link in the email.


Aug 29 2006

Similar experience with the Nokia 770

Published by under Linux

I’ve been playing with the Nokia 770 for almost 2 weeks now, and while I’m impressed, it does leave a bit to be desired. One issue I’ve run into is that the system gets unstable when you surf to sites with a lot of graphics. Another issue is that the wireless connectivity is a little weak. I like the size a lot, and I’m hoping to be able to get the system running several wireless testing tools, but one of the tools I’d really like to use, Kismet, is still not ready for prime time. I will admit I’ve really enjoyed using the 770 to wander around the house listening to Radio Paradise.

Linux.com has a more comprehensive review of the 770 that pretty much parallels my own experiences. I’m interested to hear if anyone else out there has had much of a chance to play with the Nokia 770.


Jun 09 2006

I need some cheap USB thumb drives!

What an evil, sneaky, underhanded way to social engineer a business! I like it! This company took twenty USB thumb drives, seeded them liberally with malware and pictures, and left them on the ground outside the credit union they were targeting. People fell for it, and quite frankly I can’t say I blame them. If I found a thumb drive lying around in the parking lot, I’d probably plug it into a system to see who it belonged to myself. Or at least I would have before I read this article.

This was done as part of a penetration test, with the full approval of the company that was attacked. But is it really safe for anyone to assume that any media you find lying around was lost, not placed there on purpose? This really would be a good way to target almost any company you might want to mention. It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence. This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have. You have to assume malicious intent and prove that none exists, not the other way around.


May 25 2006

Quoted for an article on SearchSecurity

Comments I made on my ComputerWorld blog were quoted today in an article on SearchSecurity about the Black Frog/Okopipi project. After talking to one or two members of the project, I think I oversimplified the challenges Okopipi will be facing, but I’m still dubious about the project. It’s something that’s going to have to be handled with great care, and I’m not sure an open source project is the way to go. Every unsubscribe link is going to have to be verified by a real person, not just a program, and I still see several ways spammers could turn this project to evil. I don’t think this is reason enough not to at least try, but I don’t believe I’ll be participating in a distributed, P2P anti-spam solution any time soon.


May 17 2006

Blue Security closing down

It looks like the spammers have won the battle against Blue Security.  The company is closing down their service, having realized that their solution to spam isn’t going to do much more than create an ever-escalating war with the spammers.  I didn’t think an active, attack-back technology like Blue Security ever had much of a chance of being effective, but I’m still a little saddened to see them have to shut down the service.  On the other hand, give it a year or two and I’m sure some other company will try almost exactly the same thing. 


Apr 17 2006

Fighting phishing by sending false images

Mikko at F-Secure had a good idea for fighting phishing. A significant number of phishing sites aren’t hosting the images they use; they’re directing the browser to download the real image from the bank they’re imitating. So what if the banks added some relatively simple code to instruct the web server to send an alternative image if they received a significant number of referrals to the original image? Using Mikko’s idea, the bank’s alternative image would include a stamp that would make it clear that the referring site was illegitimate and give the consumer a phone number to call. The idea could be circumvented by smart phishers, but it would add one more hoop they’d have to jump through. Even if it only stops the lazy phishers, that’s a couple more percent of the total scams that wouldn’t work.
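A sketch of the server-side decision described above, as an added example (not code from F-Secure or from any bank): it counts image requests per foreign Referer host in a sliding window and switches to the stamped image once a host exceeds a threshold. The class name, file names, threshold, window and host names are all assumptions, and the traffic is constructed.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

REAL_IMAGE = "logo.png"             # hypothetical file names
WARNING_IMAGE = "logo-warning.png"  # stamped copy carrying the bank's phone number

class HotlinkGuard:
    """Pick which image to serve based on foreign Referer volume."""
    def __init__(self, own_hosts, threshold=3, window=3600):
        self.own_hosts = {h.lower() for h in own_hosts}
        self.threshold = threshold      # foreign hits tolerated per window
        self.window = window            # window length in seconds
        self.hits = defaultdict(deque)  # referring host -> hit timestamps

    def _host(self, referer):
        # Referer is client-supplied; treat anything unparsable as absent.
        try:
            return (urlsplit(referer or "").hostname or "").lower()
        except ValueError:
            return ""

    def choose(self, referer, now):
        host = self._host(referer)
        # Missing Referer (stripped by a proxy) or our own pages: real image.
        if not host or host in self.own_hosts:
            return REAL_IMAGE
        q = self.hits[host]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                 # expire hits outside the window
        return WARNING_IMAGE if len(q) > self.threshold else REAL_IMAGE

def replay(requests, guard):
    """Run (timestamp, referer) pairs through the guard; return the decisions."""
    return [guard.choose(ref, ts) for ts, ref in requests]

# Constructed sample traffic: (seconds, Referer header value)
SAMPLE = [
    (0, "https://www.examplebank.test/login"),
    (5, None),
    (10, "http://phish.example/secure/"),
    (20, "http://phish.example/secure/"),
    (30, "http://phish.example/secure/"),
    (40, "http://phish.example/secure/"),
    (4000, "http://phish.example/secure/"),
]

if __name__ == "__main__":
    for row in zip(SAMPLE, replay(SAMPLE, HotlinkGuard({"www.examplebank.test"}))):
        print(row)
```

The threshold keeps an occasional foreign referrer, such as a webmail client or search result, from triggering the stamp, and a page that hosts its own copy of the image never reaches this check at all, which is the circumvention the post concedes.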


Jan 11 2006

Understanding Linux runlevels

Published by under Linux

One of the first things I always do when setting up any system, Linux or Windows, is review the services that are running by default and cut that list down to what I actually need running on the system.  Linux.com has an excellent article explaining the different Linux runlevels and how you can change your runlevel and modify what services start automatically.  I usually start by changing the default level to 3 (text-based multi-user mode) and disabling ISDN, PCMCIA, CUPS, cpuspeed and all rpc-related services.  After all, if it’s not running, it’s a lot harder for a hacker to exploit the service.
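An audit of that checklist, as an added example that is not from the post or the Linux.com article: it reads the default runlevel from `/etc/inittab`-style text and lists which of the services named above are still on at runlevel 3 in `chkconfig --list`-style output. The sample inputs are constructed, and treating `portmap` and any service whose name starts with `rpc` as "rpc-related" is an assumption for a Red Hat-style system.

```python
import re

# Services the post disables; portmap and the rpc* pattern are an assumed
# reading of "all rpc-related services" on a Red Hat-style system.
UNWANTED = re.compile(r"^(isdn|pcmcia|cups|cpuspeed|portmap|rpc.*)$")


def default_runlevel(inittab_text):
    """Return the runlevel from the 'id:N:initdefault:' line, or None."""
    for line in inittab_text.splitlines():
        fields = line.strip().split(":")
        if (not line.lstrip().startswith("#") and len(fields) >= 3
                and fields[2] == "initdefault"):
            return int(fields[1])
    return None


def enabled_unwanted(chkconfig_text, runlevel=3):
    """List unwanted services shown as 'on' at the given runlevel."""
    found = []
    for line in chkconfig_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        # Each column after the name looks like '3:on' or '3:off'.
        states = dict(p.split(":", 1) for p in parts[1:] if ":" in p)
        if UNWANTED.match(parts[0]) and states.get(str(runlevel)) == "on":
            found.append(parts[0])
    return found


# Constructed sample inputs in the SysV init formats.
INITTAB = "# default runlevel\nid:5:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n"
CHKCONFIG = """\
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:off   3:off   4:off   5:off   6:off
rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
"""

if __name__ == "__main__":
    print("default runlevel:", default_runlevel(INITTAB))
    print("still enabled at 3:", enabled_unwanted(CHKCONFIG))
```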


Dec 21 2005

Nmap and Nessus Cheat sheets

Published by under Hacking,Linux

CheatSheet | SecGuru

You probably don’t need these cheat sheets for Nmap and Nessus, I’m sure, but I do. I can never remember if it’s -o or -O I want, and if -F is fast scan or fragmentation. Thanks to the Open Source Weblog for pointing me towards these.


Nov 28 2005

New Online Mag: O3

Published by under Linux

O3: The Open Source Enterprise Data Networking Magazine

Check out the first issue of O3 magazine when you get a chance. There are several very good articles in the mix. I liked the article ‘Deploying Wifidog Captive Portal’ best. Why spend all the money to purchase an enterprise-level wireless solution when you can accomplish the same thing with a $70 Linksys router and a little hard work?


Nov 28 2005

Securing Linux Production Systems

Published by under Linux

Linux Security – Securing and Hardening Linux Production Systems (Linux Security Cookbook / HOWTO / Guide)

This is a great article with a lot of useful information on securing your Linux boxes. For me, it was worth reading if only for the portions on setting up password standards, like aging and complexity enforcement. The only thing I’d add to this is remote log storage with something like syslog-ng.
