
LulzSec – Sabu taken down – leadership of LulzSec arrested

Turns out that Sabu, the leader of LulzSec, was arrested late last year and started working for the FBI after they threatened to take his kids away. Senior members of the group were arrested today.

The Guardian reports:

The FBI has struck a major blow against hacking groups after arresting or charging five key members of the LulzSec hacking crew and revealing that the head of the group, who went by the nickname “Sabu”, has been working for it since the middle of 2011.

Hector Xavier Monsegur, known as Sabu, was charged with 12 criminal counts of conspiracy to engage in computer hacking and other crimes in court papers in Manhattan federal court.

Monsegur, an unemployed 28-year-old Puerto Rican living in New York, pleaded guilty to carrying out online attacks against PayPal and Mastercard, documents unsealed in a Manhattan court on Tuesday show.

The charges were filed via a “criminal information” form, which means the suspect, Sabu, has likely been cooperating with the government.

Five other people – two in the UK, two in Ireland and one in Chicago – were either arrested or charged by the FBI on Tuesday.

DLP lesson: Embarrassing: Anonymous tapes FBI – Scotland Yard conference call

Many outlets, amongst them the Wall Street Journal, report today that the Anonymous hacker group ‘intercepted’ a conference call held by the FBI and Scotland Yard.

They report,

WASHINGTON—The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.

[...] The FBI said the breach wasn’t made on the agency’s secure email or other computer systems. Instead it appeared to be the result of a law enforcement officer overseas who was invited to be on the FBI call and who forwarded the information to his private email account, which was compromised by hackers.

So, the meeting invite was an email containing the conference call number and access code, and it was forwarded to a private email account outside of the agency networks.

Lesson: don’t forward internal, sensitive, not-for-the-public-eye or classified information outside of your company, agency or internal network. This is a classic DLP (Data Loss Prevention) case. Note what actually leaked here: a dial-in number and a static access code. Once those leave the controlled network, anyone holding them can join the bridge; the access code was the call’s only secret.

As a business, you may be responsible for fraudulent charges, not your bank

If you are a small- to midsize business, you may think that if you become the victim of an attack resulting in loss of money, you are protected by your bank, just as you would be if your personal credit card were charged fraudulently.

Well, you may be wrong. You may be on the hook for the entire amount yourself.

DarkReading reports,

A recent ruling by a U.S. District Court of Maine magistrate in favor of a bank being sued by a construction company that had money stolen from its account by hackers highlights how vulnerable small to midsize business owners are to online fraud.

Unlike consumer bank accounts that come with fraud-reversal protection, businesses are left on the hook for fraudulent transfers — a fact that many remain ignorant about, but of which hackers are well aware, say security experts.

“They don’t get the same kind of protection that an individual consumer gets, but they don’t get much more attention than an individual consumer [from banks], so they are very vulnerable from that standpoint,” says Terry Austin, CEO of Guardian Analytics. “And the criminals figured this out. A lot of the action a couple years ago was in retail banking, and we still see fraud there, but the big, really significant fraud attacks have been against the small-business community. There are hundreds of thousands of dollars, sometimes up to million-dollar attacks on these small businesses.”

This is very disconcerting. So what can you do?

You need to make sure that the machine and the credentials you bank with are as secure as you can make them.

The article continues,

But SMBs must also do their part to secure their machines. Often small-business owners assume that if they’re ever hit by bank-stealing malware, the bank will reverse charges because this is what they are conditioned to believe due to their retail banking experiences. But banks rarely extend the same fraud reversal for business accounts as they do for consumer accounts. So SMBs at the very least need to start with the most basic principles of installing security software, establishing strong passwords, and limiting access to banking credentials across the organization. Many experts also believe that small businesses should consider buying a dedicated machine solely for online banking.

“One thing I recommend to every small business is to not bank from a computer you use for anything else, period. Just don’t do it,” says Chet Wisniewski, senior security adviser at Sophos. “Don’t ever search the Web, don’t go to Google, don’t go to Facebook. Because of the Web risk, simply visiting an infected site puts you at risk. Do you really want to take that chance if you can buy the perfect banking netbook for $200? An alternative to that, too, is to use a live CD Linux distribution that’s not writable.”

Additionally, SMBs need to know to ask the right questions when they’re looking for a bank, Austin says.

“These small businesses don’t know how to ask their banks the right questions about their fraud policies,” Austin says, explaining that companies need to ask about what their liability is in the event of an attack, what kind of authentication the bank uses, how the bank monitors activity to look for anomalous behavior, whether the bank utilizes risk-detection technology with behavioral analytics, and what the processes are when fraud is detected.

Good advice.

Google collecting children’s social security numbers under the guise of an art contest

The Huffington Post has an interesting article about Google collecting personally identifiable information about children under the guise of an art contest.

They write,

[...] has been asking parents nationwide to disclose their children’s personal information, including Social Security Numbers, and recruiting schools to help them do it — all under the guise of an art contest. It’s called “Doodle-4-Google,” a rather catchy, kid-friendly name if I do say so myself. The company is even offering prize money to schools to enlist their help with the promotion. Doesn’t it sound like fun? Don’t you want your kid to enter too?

What could be wrong with filling out a few entry forms?

A national, commercial database of names and addresses of American children, especially one that includes their dates of birth and SSNs, would be worth many millions to marketing firms and retailers.

Of course, data collection is not the reason Google gives for doing this competition. Their FAQ says it’s because “We love to encourage and celebrate the creativity of young people…” etc. If that’s so, then why on earth would the contest’s original Parent Consent Form ask for the child’s city of birth, date of birth and last four digits of the child’s SSN? Along with complete contact info of the parents.

You see, what Google knows and many parents don’t know is that a person’s city of birth and year of birth can be used to make a statistical guess about the first five digits of his/her social security number. Then, if you can somehow obtain those last four SSN digits explicitly — voila, you’ve unlocked countless troves of personal information from someone who didn’t even understand that such a disclosure was happening.

This kind of data can be linked with other databases to target advertising. It’s worth many times more than what Google will spend on prizes (each State Finalist gets a T-shirt!).

[...]

So in closing, three simple ideas for you, gentle reader, to take away. (1) City of birth, when coupled with year of birth, can be correlated to social security numbers, so don’t give it out just because a box appears on a form. (2) No public contest should ask for any part of a social security number, especially involving kids. (3) For internet searches, have you tried Yahoo! or Bing lately? You just might find what you’re looking for.

Scary. And yes, what would hold Google back from making this information available to marketers?

UPDATE: How to enable encryption for your Facebook account – IMPORTANT!

UPDATE:

Facebook is slowly rolling this out to the user base. If you haven’t been able to set this yet, try again and keep checking back on it in 24-hour intervals.

==

The good folks at Sophos created a video that shows you how you can enable SSL encryption for your Facebook sessions. That way the traffic between your browser and Facebook is encrypted, so your session cookie cannot be sniffed off an open network and replayed by tools like Firesheep.

The video is here.

Basically, in your Facebook browser window, execute the following steps:

1. Navigate to Account (top right) – Account Settings – Account Security

This is in the process of being rolled out, so you may not see the next option just yet; if you do not, check back in half a day or so:

2. Under ‘Secure Browsing (https)’, check ‘Browse Facebook on a secure connection (https) whenever possible’.

3. Hit ‘Save’.

4. Log out of your Facebook session via ‘Account’ – ‘Logout’ or close your browser (via ‘Quit’).

5. From now on, navigate to https://www.facebook.com to log in, not ‘http://www.facebook.com’.

That’s it!

NOTE: THIS DOES NOT PROTECT YOU FROM KEYLOGGERS AND VIRUSES THAT ARE INSTALLED ON YOUR MACHINE. It is NOT RECOMMENDED to hit up the Internet from public terminals that you do not control yourself. Attackers can still infect those machines and steal your information! Always use your own laptop/device to connect to public sites, especially if you have to submit log-in information at any point. Also note that the setting says ‘whenever possible’: if a page or application cannot be served over https, Facebook may drop you back to plain http, so keep an eye on the address bar.
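Enabling https covers the transport; what a sniffer can still pick up afterwards depends on whether the session cookie carries the Secure attribute, because a cookie without it is sent along with every plain http:// request the browser makes. The following is an added example, not code from Sophos or from the original post: a small Python checker that parses Set-Cookie header values and flags cookies that Firesheep-style sniffing could still capture. The header values are constructed samples for example.com, not captured from Facebook.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie off the wire."""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value into a CookieReport.

    Only the attributes that matter for session hijacking are inspected:
    Secure (never sent over plain http) and HttpOnly (not readable by script).
    Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, CookieReport]:
    """Return one report per cookie, listing the problems a network sniffer could exploit."""
    reports: Dict[str, CookieReport] = {}
    for header in set_cookie_headers:
        report = parse_set_cookie(header)
        if not report.secure:
            report.problems.append(
                "missing Secure: the browser sends this cookie on any http:// request, "
                "so a single plain-http page load leaks it to anyone sniffing the network"
            )
        if not report.http_only:
            report.problems.append("missing HttpOnly: readable by any script running on the page")
        reports[report.name] = report
    return reports


# Constructed sample headers for an imaginary example.com (not captured from any real site).
SAMPLE_HEADERS = [
    "sessid=a1b2c3d4; Path=/; Domain=.example.com; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Domain=.example.com; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "legacy_session=deadbeef; Path=/; HttpOnly",
]


if __name__ == "__main__":
    for cookie_name, rep in audit_cookies(SAMPLE_HEADERS).items():
        status = "ok" if not rep.problems else "; ".join(rep.problems)
        print(f"{cookie_name}: {status}")
```

In the sample, only sessid is safe over an http fallback; legacy_session would be handed to a sniffer the moment the browser loads anything from the site over plain http, which is exactly the case the ‘whenever possible’ wording leaves open.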

Will we have (relative) Freedom of Speech on the Internet in the future?

Unless you have been hiding under a rock these past couple of weeks, I am sure you have heard about the whole Wikileaks/Julian Assange/US Government cables disaster.

You are witnessing an event of historic proportions, because regardless of how this ends, it will have consequences for the future of the Internet and how we use it.

What are some of the possible outcomes of this?

- Julian Assange gets tried on rape charges (because his condom broke, but that’s a whole different discussion that is out of scope for this article); he gets fined or goes to jail in Sweden.

- Somehow the US manages to get him extradited and tries him for espionage in a highly publicized trial. The US Government shoots itself in the foot, opening a Pandora’s box of issues with Freedom of Speech vs. ‘this is how much freedom of speech you have; if you step over the line and publish documents that someone with sensitive access released to you, we will punish you – knowing that you are only the messenger, but to make an example’. This will most likely make the PR disaster that the US Government is experiencing right now much, much worse.

- At the same time, hackers/script kiddies/rebels/people who disagree with all of this are slowly starting to join forces against ‘the system’ and actively participate in distributed denial of service attacks against the sites of companies who more or less had a part in restricting WikiLeaks’ access/financial support/etc. Major websites are being taken down (Mastercard, PayPal, the Swedish government etc). Most of this activity is probably organized by the infamous ‘Anonymous’ group. Supporters download software to execute those attacks; newer versions of that software allow the application to be remote controlled to coordinate large attacks even better and more precisely.

To be sure, a lot of them do it because they earnestly support freedom of speech and they are ticked off at how the US Government is reacting to this: instead of admitting to having made mistakes and having lost control over the information that then made it to WikiLeaks, they are trying to punish people who are disseminating the documents. The government is approaching this very heavy-handedly; they want to show that they are in charge, that they control the situation.

Well, they are not, currently, anyway.

In fact, this is a nightmare for any entity that finds itself unable to control a situation that is bad for it. The natural reaction is to try to gain control, and that is what we may see happen in the near future.

With major sites taken down, businesses losing revenue and experiencing financial damage, calls will get louder and louder for the Government to step in and take charge.

“How can it be that a bunch of hackers decide what sites get taken down and there is nothing we can do about it?” – “Because we can’t, unless we control the Internet.” – “Well, then we need to figure out ways in which we can control the Internet and decide who publishes what.”

This is a very difficult situation. Both sides have their points; both sides need to preserve their interests. Many of the people supporting the hackers want to preserve the right of everybody to do and say whatever they feel on the Internet, while the other side does not want to feel that a bunch of hackers can take sites down and bring chaos to the Internet whenever they please — and cause financial damage, which companies want to avoid, obviously.

Unfortunately, seeing the denial of service attacks taking down those sites, I am afraid that this just strengthens the arguments of the people who want to control the Internet. “See what they can do? We need to get this under control to protect you!”

Read this article: “Analysis: WikiLeaks battle: a new amateur face of cyber war?”. It describes what I am referring to.

Excerpt:

LONDON (Reuters) – The website attacks launched by supporters of WikiLeaks show 21st-century cyber warfare evolving into a more amateur and anarchic affair than many predicted.

While most countries have plowed much more attention and resources into cyber security in recent years, most of the debate has focused on the threat from militant groups such as al Qaeda or mainstream state-on-state conflict.

But attempts to silence WikiLeaks after the leaking of some 250,000 classified State Department cables seem to have produced something rather different — something of a popular rebellion amongst hundreds or thousands of tech-savvy activists.

“The first serious infowar is now engaged,” former Grateful Dead lyricist and founder of the Electronic Frontier Foundation John Perry Barlow told his followers on Twitter last week. “The field of battle is WikiLeaks. You are the troops.”

Very historic times indeed.

By the way, if you decide you want to participate in the attacks and download the attack tool, be aware that they recommend you disable your AV scanner. It also enables remote control of the application so they can coordinate attacks.

You are pretty much installing a botnet client voluntarily. Their FAQ also recommends disabling your firewall if you have issues. All in all, you are very much opening yourself up to a whole lot of trouble (and, not least, taking part in a denial of service attack is a criminal offence in most jurisdictions).

Over-hyping and fawning over Stuxnet: Get over it. This is how it is going to be from now on.

Everybody is afraid of Stuxnet. The killer worm. The cyber-missile. A weapon that can only have been built by an organisation with nation-state support.

Tell you what: Get over it. This is how it’s going to be from now on. This is just the beginning.

So far we have been in the stone age of worms, trojans and viruses. Script kiddies using software to build run-of-the-mill malware. Sure, annoying malware that brings down enterprise networks, but it is annoying malware nonetheless. Organisations like the Russian Business Network sponsoring professional hackers to write malware that infects machines to send spam, steal credit card data, etc. Sure. Still.

The more dependent we become on infrastructure that is online, and the more services and systems are moved online to interconnect them, the more the risk increases that at some point these services will be impacted by targeted attacks.

Think hospital and pharmacy services (“for hospital chain X on Tuesday, let’s switch out all the blood pressure prescriptions that need to be filled with anti-cholesterol medications in the pharmacy system. See what happens”). Think ATMs (“spit out $1 bills instead of $20 bills and watch throngs of customers freak out. Do this for every ATM of Bank X on day Y”). Think turning off power lines, impacting power grids (“Stuxnet could impact whole power grids globally”), and so on. The list is endless, the opportunities are numerous.

It is 2010. Wait and see how it looks in 2012, or 2014.

This is just the beginning.

In my upcoming posts I will discuss what you can do as a business owner, security professional or private individual to put up some defenses that will make it at least harder for attackers to gain control over your systems. Some of these measures are fairly simple, some of them are more involved.

Facebook crawler collects more than 170 million data sets

Heise reports:

Hacker Ron Bowes has written a web crawler which he used to systematically graze through [public Facebook profiles]. Bowes claims to have collected more than 170 million sets of data containing the names and URLs of public profiles. The files do not contain any further personal data such as friend lists, but the links in the profiles can easily be used to send out another crawler to collect this information. Bowes has formatted the list and, together with the crawler itself, made it available as a 2.8 GB torrent.

Whatever you set to public is reachable without logging in, and therefore crawlable. You may want to double-check what you choose to have public.

New tool reveals Internet passwords and other cached passwords stored in popular applications

SecurityWeek writes:

A Russian software company today released a password cracking tool that instantly reveals cached passwords to Web sites in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail.

[...]

Moscow-based ElcomSoft, developer of the new password recovery tool, “Elcomsoft Internet Password Breaker,” says the product is designed as a tool to provide forensics, criminal investigators, security officers and government authorities with the ability to retrieve a variety of passwords stored on a PC.

[...]

The password cracking tool reveals passwords protecting access to email accounts, identities and Microsoft Outlook PST files. Supporting all versions of Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker can retrieve the original plain-text passwords protecting access to mail accounts, POP3, IMAP, SMTP and NNTP news passwords. In addition, Elcomsoft Internet Password Breaker reveals Microsoft Passport passwords stored by Windows Live Mail, user identity passwords, and passwords protecting PST files created by Microsoft Outlook up to version 2010.

[...]

The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

Interesting stuff. For just $49. It is getting easier and easier to get your hands on powerful tools. Keep in mind what such a tool actually does: it reads credentials that these applications store on the PC in recoverable form, so anyone with access to your logged-in session, or to an unencrypted copy of your disk, can recover them the same way.

They also write, and I agree fully:

With tools like these available to the masses, individuals and enterprises need to further consider full disk encryption solutions and additional security measures.

Guard against SQL injection attacks: protect your database

Scott Guthrie over at ASP.NET has a really good primer on how to set up your database to defend against SQL injection attacks. Somewhat dated, but still very applicable, especially in light of today’s findings that apparently a new mass SQL injection campaign is going on (I pointed this out just a minute ago).

The steps he describes are listed below. Navigate over to his blog for the full article:

1) Don’t construct dynamic SQL statements without using a type-safe parameter encoding mechanism. Most data APIs (including ADO and ADO.NET) have support for allowing you to specify the exact type of a parameter being provided (for example: string, integer, date) and can ensure that they are escaped/encoded for you to avoid hackers trying to exploit it. Always use these features.

For example, with dynamic SQL using ADO.NET you could re-write the code above like below to make it safe:

Dim SSN As String = Request.QueryString("SSN")

' The value travels as a typed parameter, never as part of the SQL text
Dim cmd As New SqlCommand("SELECT au_lname, au_fname FROM authors WHERE au_id = @au_id")
Dim param As New SqlParameter("@au_id", SqlDbType.VarChar)
param.Value = SSN
cmd.Parameters.Add(param)

This will prevent someone from trying to sneak in additional SQL expressions (since ADO.NET above knows to string-encode the au_id value), and avoid other data problems (incorrectly type-casting values, etc). Note that the TableAdapter/DataSet designer built into VS 2005 uses this mechanism automatically, as do the ASP.NET 2.0 data source controls.

One common misperception is that if you are using SPROCs or an ORM you are completely safe from SQL injection attacks. This isn’t true – you still need to make sure you are careful when you pass values to a SPROC, and/or when you escape or customize a query with an ORM that you do it in a safe way.

2) Always conduct a security review of your application before you ever put it in production, and establish a formal security process to review all code any time you make updates. This latter point is super important. Too often I hear of teams that conduct a really detailed security review before going live, then have some “really minor” update they make to the site weeks/months later where they skip doing a security review (“it is just a tiny update – we’ll code review it later”). Always do a security review.

3) Never store sensitive data in clear text within a database. My personal opinion is that passwords should always be one-way hashed (I don’t even like to store them encrypted). The ASP.NET 2.0 Membership API does this for you automatically by default (and also implements secure SALT randomization behavior). If you decide to build your own membership database store, I’d recommend checking out the source code for our own Membership provider implementation that we published here. Also make sure to encrypt credit-card and other private data in your database. This way even if your database was compromised, at least your customer private data can’t be exploited.

4) Ensure you write automated unit tests that specifically verify your data access layer and application against SQL injection attacks. This is really important to help catch the “it is just a tiny update so I’ll be safe” scenario, and provide an additional safety layer to avoid accidentally introducing a bad security bug into your application.

5) Lock down your database to only grant the web application accessing it the minimal set of permissions that it needs to function. If the web application doesn’t need access to certain tables, then make sure it doesn’t have permissions to them. If it is only generating read-only reports from your accounts payable table then make sure you disable insert/update/delete access.

Good stuff. Thanks Scott.
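To see points 1 and 4 in running code, here is an added example that is not from Scott’s post (which uses ADO.NET); it uses Python’s sqlite3 module, whose ? placeholders play the same role as ADO.NET’s typed parameters. The authors table and its rows are constructed samples shaped after his query, and the payload is the classic quote-and-tautology string.

```python
"""Vulnerable versus parameterised lookup, plus the regression check Scott's point 4 asks for."""

import sqlite3
from typing import Callable, List, Tuple

# Constructed sample rows in the shape of the 'authors' table from the post (not real data).
SAMPLE_AUTHORS = [
    ("172-32-1176", "White", "Johnson"),
    ("213-46-8915", "Green", "Marjorie"),
    ("238-95-7766", "Carson", "Cheryl"),
]

Rows = List[Tuple[str, str]]


def make_db() -> sqlite3.Connection:
    """In-memory database with an authors table keyed by au_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (au_id TEXT PRIMARY KEY, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?, ?, ?)", SAMPLE_AUTHORS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, au_id: str) -> Rows:
    """The anti-pattern: user input concatenated straight into the statement text."""
    sql = "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + au_id + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, au_id: str) -> Rows:
    """Parameterised query: the driver binds au_id as a value, never as SQL text."""
    sql = "SELECT au_lname, au_fname FROM authors WHERE au_id = ?"
    return conn.execute(sql, (au_id,)).fetchall()


# Closes the quoted literal and appends an always-true clause:
#   ... WHERE au_id = '' OR '1'='1'
INJECTION_PAYLOAD = "' OR '1'='1"


def injection_regression_check(lookup: Callable[[sqlite3.Connection, str], Rows]) -> bool:
    """Point 4 as a unit test: a lookup passes only if the payload returns no rows
    and a legitimate id still returns exactly its own row."""
    conn = make_db()
    try:
        injected = lookup(conn, INJECTION_PAYLOAD)
        legitimate = lookup(conn, "213-46-8915")
    finally:
        conn.close()
    return injected == [] and legitimate == [("Green", "Marjorie")]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_lookup(conn, INJECTION_PAYLOAD))  # every author
    print("safe:      ", safe_lookup(conn, INJECTION_PAYLOAD))        # []
    print("check, vulnerable:", injection_regression_check(vulnerable_lookup))  # False
    print("check, safe:      ", injection_regression_check(safe_lookup))        # True
```

With the payload, vulnerable_lookup returns all three authors while safe_lookup returns none; injection_regression_check is the kind of test point 4 describes, and it fails for the concatenating version and passes for the parameterised one, which is what catches the “just a tiny update” regression.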
