
Stuff


Infogr.am. Threat Level - Privacy, Crime and Security Online. Posts by spaf. I’ve been delayed in posting this as I have been caught up in travel, teaching, and the other exigencies of my “day job,” including our 15th annual CERIAS Symposium. That means this posting is a little stale, but maybe it is also a little more complete. I try to attend the RSA Conference every year. The talks are not usually that useful, but the RSAC is the best event to see what is new in the market, and to catch up with many of my colleagues (new and old), touch base with some organizations, see CERIAS alumni, sample both some exotic cuisines and questionable hors d'oeuvres, and replenish my T-shirt supply.

It is a very concentrated set of activities that, when properly managed, fits in a huge set of conversations. This year, there was a boycott, of sorts, against the conference by various parties who were upset at the purported collaboration of RSA with US government agencies many years ago. Technical Track The conference every year has scores (hundreds?) Informal Connections Summary. What the 2013 Verizon Data Breach Report tells us about phishing. When I was a kid I’d thumb through my parents’ Newsweek magazines for cool graphics that explained a complex geopolitical or economic issue. If you saw my post about the Phishpocalypse, you might have guessed that I love infographics. As usual the RISK team over at Verizon did a fantastic job crunching, analyzing, and reporting on a mountain of data from 19 different contributors. This year ThreatSim was invited to contribute data to the report.

The ThreatSim team extracted some highlights from the report and illustrated them in the graphic below. Let’s look at what the data tells us about the state of data breaches and phishing: What the 2013 Verizon Data Breach Report says about phishing. Download the infographic as a PDF. Researchers uncover Tor-powered Skynet botnet. Rapid7 researchers have recently unearthed an unusual piece of malware that turned out to be crucial to the formation of an elusive botnet - dubbed Skynet by the researchers - whose existence has been documented in a very popular Reddit "I Am A" thread. The Trojan in question has DDoS and Bitcoin-mining capabilities, but its main function is to steal banking credentials. The botnet operator spreads the malware via the Usenet discussion forum, which is also a popular platform for distributing pirated content. In order to hide its malicious nature, the file "weighs" 15MB, a great part of which is junk data.

The rest consists of a ZeuS bot, a Tor client for Windows, the CGMiner bitcoin mining tool, and a copy of a DLL file used by CGMiner for CPU and GPU hash cracking. The malware creates and injects itself into new and existing processes, and adds a registry key to assure its persistence after a system reboot. In addition to all this, the botnet traffic is encrypted and difficult to detect. How to Win 5 State Fair Games. It’s state fair time once again all over the country.

And that means Ferris wheels, giant turkey legs, a visit from the world’s smallest horse, and, of course, the chance to try your hand at winning the carnival games that line the midway. If you love playing these games at the state fair, but usually find yourself walking away from the booths empty-handed or with a dinky Chinese finger trap as a consolation prize, then this post is for you.

Step right up, gentlemen! Today you’re going to learn the secrets to beating the carnies and winning a giant stuffed animal for your gal. General Guidelines Assume most games are gaffed. Gaffed is carnie speak for rigged. Bottom line, if a game looks really easy to win, assume that something’s been gaffed to make it harder. Watch before you put down your money.

Ask questions. Use the same equipment and stand where the carnie stood while playing. Have fun! How to Win Five Popular State Fair Games Milk Can Aim for the back of the rim. Rope Ladder Flukey Ball. Perceptual Edge. Books - The Visual Display of Quantitative Information. Physics Envy Redux. Richard Bejtlich's blog on Risk Assessment, Physics Envy and False Precision points out a number of important issues. Overweighting what can be counted and underweighting what can't be counted is an easy trap to fall into. The seduction is amplified by the beauty of mathematics, the quest for certainty in an uncertain world. Unfortunately this leads to a number of problems brought on by overconfidence (because hey, you counted and you're using math). As Dean Williams said: "Confidence in a forecast rises with the amount of information that goes into it.

This applies well beyond security and risk assessment; people are generally very uncomfortable with uncertainty and tend to obsess on it. E.O. Fortunately, exceptional mathematical fluency is required in only a few disciplines, such as particle physics, astrophysics and information theory. People obsess on data breaches, but these need to be seen in a context. Darkode leak. And you can thank Nassef. I don't know if it's you who did this shit upaskitv1.org xylibox.biz krebsonsecurity.biz upaskitversion1.biz stevenk.biz briankrebs.biz upaskit1.biz researchsecurity.biz securityresearch.biz amatrosov.biz But it seems you are related to this so I gave a fuck.

Also I can thank you for this: Got your Builder from Darkode and made my keygen. Nassef is also involved in POS sniffing. Trying to deal with carder shops: But I will not talk of Nassef here, but of 'darkode'. This forum is known to be an 'elite' community of black hats; there are a lot of (in)famous actors inside. Darkode login with a really gay captcha. And about the captcha, they added it due to me: I don't live in Lyon and I never walked with you, get a life man. About the captcha something worries me: Seems he sniffs passwords; I'm sure the login form is even backdoored to know the passwords of his users.

Anyway I don't need this invitation. bx1: Threadfix - ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. The Dead-Curious Cat and the Joyless Immortal. I’ve been thinking a lot about curiosity lately. Specifically, about curiosity in the sense of the proverb curiosity killed the cat: a potentially self-destructive pursuit of knowledge for its own sake that leads to unnecessary risk-taking. In humans such risk-taking often threatens not just the individual or even family/immediate group, but the whole species. Some people just have to go around figuring out new ways to blow things up, often with the noblest of intentions. At a selfish gene level, the trait seems complicated, but not mysterious. Curiosity does not seem to be a fundamental drive, unlike what I am told are the three basic biological drives (seeking pleasure, avoiding pain and conserving energy), so it is probably derived.

I think it does, and I think the answer is that curiosity is primarily derived from pleasure seeking, not pain aversion. Let’s get the genetic level of analysis out of the way first, so it does not distract us further. Some curious cats get dead. Uncommon Sense Security. J4vv4D | Mild-mannered Security Consultant & Infosec Cynic. Tellows - The community for phone numbers and phone spam. PunkSPIDER. My RSA Keynote - Information Security That Works Until You Attack It. No they did not ask me to do a keynote (isn't security blogger hall of fame better tho?) , but here is what I would say and hey you are getting it before the conference even starts, and you don't even have to get on a plane to hear it.

Let's start with some historical perspective: all countries do it, especially emerging countries, including especially the US. China did not invent industrial espionage. After a decade spent warning people about credit card use, the infosec industry is now atwitter about intellectual property. For the most part that is good; the infosec industry is finally, after all these years, starting to get closer to protecting strategic assets. Let's put some context around protecting IP. (Internet "Percocet" via Pakistan photo courtesy Marcus Ranum) IP does not equal the ability to capitalize on what you know. The math is pretty simple: $400B imports to US, $100B exports to China. It looks like a sideshow and boondoggle to me. Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits. Private market growing for zero-day exploits and vulnerabilities.

This article can also be found in the Premium Editorial Download "Information Security magazine: Market for vulnerability information grows." Download it now to read this article plus other related content. In 2011, vulnerability researcher Luigi Auriemma discovered more than six dozen vulnerabilities in a variety of enterprise software packages, selling each software bug for a modest bounty to the Zero Day Initiative, a group set up by TippingPoint, and now a subsidiary of Hewlett-Packard. A well-known white-market buyer for software vulnerabilities, HP’s TippingPoint, uses the information to protect its customers while working with the vendor whose software is affected to close the security hole. While the company does not disclose how much it pays researchers, payments typically fall between $1,000 and $5,000, with most less than $2,000, according to sources.

Auriemma is not alone. Vulnerability Researchers: In Pursuit of Compensation White, Gray, Black: Money and Morals. Welcome to Forbes. Another Forensics Blog: Finding and Reverse Engineering Deleted SMS Messages. Recovering deleted SMS messages from Android phones is a frequent request I get. Luckily, there are several places and ways to recover these on an Android phone. After working a case that involved manually carving hundreds of juicy, case making messages, I collaborated with cheeky4n6monkey on a way to automate the process. A huge thank you to Adrian, because I think the only way to truly appreciate the script is to do the manual work first. That being said, in my last post Dude, Where's my Data I explored the importance of knowing what your automatic tools are doing and digging deeper as there may be critical information these tools are not parsing.

Harlan Carvey contributed a great comment which I think sums it up nicely: “Tools provide a layer of abstraction over the data itself, often hiding the data from the analyst who is not curious.” I am not trying to give these tools a bad rap. In fact, I use my "all in one" tools every day. Where the Messages are hiding SMS Database Schema Message. The Eagle and the Dragon | Haft of the Spear. It doesn’t matter what day it is, year, or who the alleged perpetrator is, some constants will always remain true when it comes to reports about foreign cyber threats (especially those attributed to a State entity): At no point will any serious effort be made to draw alternative conclusions from the data provided. At no point will any attempt be made to put the hack-of-the-day/week/month in historical context. At no point will a serious, information-age approach to the problem be proffered. The latest report about alleged Chinese state-sponsored cyber espionage, and the hype surrounding it, is no different.

China is the boogie man, they’ve got a lock on every bit that leaves their country, they’re responsible for the “greatest transfer of wealth in history,” and we must apply the might of our military-industrial-congressional complex to combat this evil. Except that none of it is true. China is the boogie man. The Great Firewall Support Claims of Attribution. The Great Wealth Transfer. CyberSpeak's Podcast. SHODAN: Cracking IP Surveillance DVR. Prefect | Dec 02, 2009 | 3 comments We have been continuing to play around with the SHODAN Computer Search Engine after first looking at it last week.

We continue to identify a variety of devices we sometimes note on security engagements (although usually on internal networks) that should not be externally accessible and are either still using factory default credentials or are not using any credentials for access to administrative interfaces. Accessing the administrative panels of these devices would allow a bad actor to further compromise the organization running the device on its network. We can quantify that we are seeing results not just for poorly configured home offices or small businesses, but large and medium businesses who would experience significant negative effects when breached or their devices tampered with.

We’ll continue to blog about our findings until we get bored with it. HTTP/1.0 200 OK Connection: close Server: SQ-WEBCAM Content-length: 2936 Cache-control: no-cache. Monroe's Motivated Sequence - Presentation Skills Training from MindTools. Perfecting the Call to Act Be inspiring! © iStockphoto Is persuasion a gift? Are some people born with the ability to speak well and "sell" their ideas successfully? It sure seems that way when you're wowed by a motivational speaker, or galvanized into action by a thought-provoking presentation.

In your role, do you ever need to motivate, inspire, or persuade others? Whether you're a senior executive giving a presentation to the Board, a manager giving a morale-boosting speech to your team, or a production manager giving a presentation on safety standards, at some point, you'll probably have to move people to action. While there are certainly those who seem to inspire and deliver memorable speeches effortlessly, the rest of us can learn how to give effective presentations too. Monroe's Motivated Sequence: The Five Steps Alan H. This is a well-used and time-proven method to organize presentations for maximum impact. Step One: Get Attention Get the attention of your audience. Note: Key Points. Bruce Nikkel's Digital Forensics Page. Rud.is. Logging user access to Access Gateway. HII_Lessons_Learned_From_the_Yahoo_Hack.pdf (application/pdf Object) Toolsmith: Social-Engineer Toolkit (SET) - Pwning the Person. Prerequisites/dependencies: Python interpreter, Metasploit (BackTrack 5 R3 also includes SET). Introduction: My first discussion of Dave Kennedy’s (@dave_rel1k) Social-Engineer Toolkit (SET) came during exploration of the Pwnie Express PwnPlug Elite for March 2012’s toolsmith.

It was there I talked about the Site Cloner feature found under Website Attack Vectors and Credential Harvesting Attack Methods. Dave is the affable and dynamic CEO of TrustedSec (@trustedsec) and, as SET’s creator, describes it in his own words: The Social-Engineer Toolkit has been an amazing ride and the support for the community has been great. Be sure to catch Dave’s presentation videos from DEFCON and DerbyCon, amongst others, on the TrustedSec SET page.

Quick installation notes It’s easiest to run SET from BackTrack. Alternatively, on any system where you have a Python interpreter and a Git (version control/source code management) client, you can have SET up and running in minutes. SET unleashed In Conclusion. Start [The Open Source Network Intrusion Framework ] Whitepaper: Security Flaws in Universal Plug an. This whitepaper details research conducted by Rapid7, which reveals that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device. We strongly recommend that people check whether they may be vulnerable and, if so, disable the UPnP protocol in any affected devices.

Further details on mitigation strategies are included in the executive summary section at the front of the attached whitepaper. The document also includes details on the methodology of the research, a breakdown and analysis of the findings, and insights into the implications. PULP-O-MIZER: the custom pulp magazine cover generator. HP Information Security Unique. HP 658553-421 ProLiant N40L MicroServer. Cool Tools. Use Cases. Hopper. TeamViewer authentication protocol (part 1 of 3) | Accuvant LABS Blog.

Explaining Information Security, Risk and Compliance to Your Mom. Information security. Quote by Bill Gates: I choose a lazy person to do a hard job. Becaus... The Official BackTrack Blog. Information Security « The Notepad. Home Of PaulDotCom Security Podcast. Security Tools and Exploits. PwnedList. Gain a shell remotely : F5 BIG-IP remote root authentication bypass Vulnerability. CESG Homepage. Is Security Awareness a Waste of Time? Start [VERIS Community] Cloud - Taking Simplicity Even Further. How to Manage Your Former Peers - Harvard Business Review Blog. Do Your Negotiating Techniques Create Value? - INSEAD. Various Social Engineering Laws and Principles. Social Engineering Demonstration. On Castles: Moats, Machicolations, Burning Oil and Berms Vs. The Trebuchet (or DMZ’s teh Sux0r!)

Cobbler. Commercial Hacking: The Mafia Returns | Enterprise Risk Management. Protection_information.pdf (application/pdf Object) Thirteen principles to ensure enterprise system security. IT Jobs: Permanent & Temporary IT Vacancies | Modis UK. Blog. Why It Pays to Submit to Hackers | Wired Business. They Cracked This 250-Year-Old Code, and Found a Secret Society Inside | Danger Room. 5 tips for top-notch password security | Microsoft Small Business Center. The Simplest Security: A Guide To Better Password Practices. Best Practices for Enforcing Password Policies. Password Management Best Practices. Gizoogle. Index of /material. C99Shell - Aldeid. Homepage | Meme Generator. Locksmith Blog | Locksmiths Blog | Blog. All Trades and Services: How to Repair a Lock in a uPVC Door.

Monkey - House: Google-Hacking Google's Safe Browsing List.

Assurance

Amazon.co.uk Sign In. Attrition.org. Emergent Chaos | The Emergent Chaos Jazz Combo. (EDI) Turnhouse Airport Arrivals. Bullet points. How to Mold a Latex Face. Top 10 Social Engineering Tactics. The Combination of Ordinal Scales and Risk Matrices are Fatally Flawed | SIRA. Desktop Computers: Buy Cheap PC Online in UK, Deals Under £100 – SCH Trade. The Almost Useless Machine. Infosec Reactions. List of fallacies. The Failure Mode of Clever. Mr. Bartlett - Ramblings... Why you should consider Amazon's super cheap, super slow storage.

An Unexpected Ass Kicking. BBC. Ars Technica. Futility Closet.