Posted on July 22nd, 2008 by Administration
During wartime, one of America’s most solemn duties is to take care of its veterans. So why do careless government workers keep putting our vets at risk? That happened last January at a Department of Veterans Affairs medical center in Birmingham, Alabama, when an employee’s portable hard drive containing Social Security numbers of more than [...]
Filed under: politics, privacy, security | No Comments »
Posted on July 21st, 2008 by Administration
Terry Childs, the former IT administrator accused of kidnapping the city of San Francisco’s data network, is ready to give up the administrative passwords to the system, his attorney said yesterday.
Childs is accused of changing all of the city’s network passwords so that only he could access the network, which contains email, payroll, law enforcement, [...]
Filed under: news, security | No Comments »
Posted on July 20th, 2008 by Administration
Jacob Appelbaum, one of the security researchers who worked on the paper cold boot attack on encryption keys (featured in a previous BBtv episode, above) tells us the code has just been released today at the [last] HOPE hacker con in NYC. It’s up, it’s signed, and here it is.
Memory Research Project Source Code
Filed under: codemonkey, security | No Comments »
Posted on July 18th, 2008 by Administration
A new kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks.
Filed under: malware, security | No Comments »
Posted on July 17th, 2008 by Administration
The following is a design for a CAPTCHA that is likely invulnerable to automated decryption. I originally developed this as part of an anti-spam system that was a very early progenitor of Receiver Initiated Authentication. This CAPTCHA should be particularly invaluable given the recent reports that bots now have as high as a 35% successful [...]
Filed under: security | No Comments »
Posted on July 11th, 2008 by Administration
Last week’s dramatic rescue of 15 hostages held by the guerrilla organization FARC was the result of months of intricate deception on the part of the Colombian government. At the center was a classic man-in-the-middle attack.
In a man-in-the-middle attack, the attacker inserts himself between two communicating parties. Both believe they’re talking to each other, and [...]
Filed under: exploit, security | No Comments »
Posted on July 10th, 2008 by Administration
Not only generating private keys using an untrusted third party, but sending them in the clear over HTTP? Nice. I wonder where all these people are who are clever enough to need an SSH key, but too stupid to type ssh-keygen -t dsa?
I wouldn’t be surprised if this was some minor social engineering attempt; the server [...]
Filed under: pwned, security, ugh | No Comments »
Posted on July 3rd, 2008 by Administration
AVG has rejiggered the fake traffic it’s spewing across the internet, causing new headaches for the world’s webmasters.
In late February, AVG paired its updated anti-virus engine with a real-time malware scanner that vets search engine results before you click on them. If you search Google, for instance, this LinkScanner automatically visits each address that turns [...]
Filed under: security, ugh | No Comments »
Posted on June 16th, 2008 by Administration
When it comes to security, maybe the end user isn’t always the problem.
That’s the conclusion of a study published today by technology reseller giant CDW Corp. The study notes some paradoxes between IT professionals’ views on their organizations’ security and their actual security status.
For example, when asked if their security systems were easy to use [...]
Filed under: lulz, security, ugh | No Comments »
Posted on June 6th, 2008 by Administration
An attack this week targeting the Metasploit Website redirected visitors to a phony page proclaiming the hack — but the hacking tool site’s servers remained intact.
HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems, says the attack didn’t actually touch the Metasploit servers themselves. The attacker or attackers instead infected another [...]
Filed under: exploit, hax, security | No Comments »
Posted on June 5th, 2008 by Administration
More XSS (Cross-site Scripting) fun! After yesterday’s post I realized that not everyone reads hacker blogs, so I feel it is my duty to post it here. Stefano Di Paola and Giorgio Fedon have found a universal XSS in PDF. RSnake also found a vulnerability in local PDF file execution. This is bad, people; every [...]
Filed under: exploit, hax, security | No Comments »
Posted on June 4th, 2008 by Administration
Today I was toying with Apache and made a .htaccess for all of you that prevents the most-used XSS and SQL injection vectors in the request URI. It looks at the request URI and sends the malicious user to a log file which sends an e-mail to the webmaster with all his information and what [...]
Filed under: b3st pract1c3s, codemonkey, exploit, security | No Comments »
Posted on May 28th, 2008 by Administration
Researchers have hacked a built-in maintenance application found on many smart phones that could open the door to hacking the cellular network itself.
David Maynor, CTO for Errata Security, this weekend at the Summercon security confab in Atlanta will demonstrate a tool built by Errata that provides a peek into the inner workings of the cell [...]
Filed under: hax, security | No Comments »
Posted on May 26th, 2008 by Administration
Ten days ago, a Debian Security Advisory (DSA-1571-1) was released that detailed a flaw in the OpenSSL cryptographic libraries that affects both Debian and other Linux distributions derived from Debian.
Unlike a buffer overflow or many other vulnerabilities, this flaw wasn’t introduced through insecure programming — quite the opposite. In fact, the programmer was using Valgrind [...]
Filed under: security | 1 Comment »
Posted on May 24th, 2008 by Administration
SAN JOSE, California (AP) — Todd Davis has dared criminals for two years to try stealing his identity: Ads for his fraud-prevention company, LifeLock, even offer his Social Security number next to his smiling mug.
Now, LifeLock customers in Maryland, New Jersey and West Virginia are suing Davis, claiming his service didn’t work as promised and [...]
Filed under: privacy, pwned, security | No Comments »