Thursday, May 28, 2009

An easier way to fully patch a rebuilt system

Create a do-it-yourself Windows update CD

Many people asked for a way to slipstream XP Service Pack 3 into their installation media or for an easier way to fully patch a rebuilt system.
The most obvious method is to build your own SP3 slipstream media. The Lifehacker site offers a good how-to page that describes the process step by step. An alternative is to create a patch CD. There are several options for doing this, one of which is presented on the PatchMate site.

The Windows Updates
Downloader site and AutoPatcher — a resources provide alternative approaches to the same end. Any of these sites will help you do what Microsoft is failing to do: give us a way to update our Windows installation media so we can legally and easily reinstall our operating systems on the same hardware when the machines become sluggish or need a refresh.

Undo accidental reformats of external drives

What to do when you reformat the wrong drive

The increasing use of digital cameras is making this type of error more common. You see, when you "initialize" a camera's memory, you're really formatting a solid-state hard drive. (Most cameras use utterly standard FAT16 or FAT32 disk formatting.)

People who would never reformat a PC's drive will almost surely "initialize" or reformat a digital camera's solid-state drive many times over the years they own the device. Sooner or later, almost everyone will have a reformatting.

In PCs and cameras, the trick to recover from an accidental reformat is to avoid using the drive — ideally, do nothing at all — until you can run an unformat tool. The more frequently you access the drive after an accident, the harder it may make it to get the data back.

The popular and clearly named RecoverMyFiles utility from GetData (U.S. $70) can handle both FAT and NTFS unformats. The vendor's site has more information about the program.

DiskInternals' NTFS Recovery also has a solid reputation, but it's pricey at $99. You can learn more about the utility on its page on the DiskInternals site.

The recovery may not be perfect, and you may have some manual cleanup to do afterwards, but if you haven't used the reformatted drive, there's at least a reasonable chance you'll be able to effect a useful recovery.

Monday, May 25, 2009

PCWorld published 9 best web sites for locating people

9 Sites That Find People and Their 'Sensitive' Information

At one time or another, you might need to get the goods on a stranger, like a prospective nanny or a business contact. Public records and people-finder sites are often the place to look; we list the best ones here. These sites use cool, Web 2.0 techniques to help you locate people, then (if need be) dig deep to find the "sensitive" intel about them you need

Refer here to read full details on PCworld.

Why Wikipedia is not yet trusted for source of information?

Parents warned of Wikiporn risk

Parents have been warned not to let children use the website Wikipedia unsupervised after an entry on a popular children's book was edited to contain pornographic material.

Sexual and violent acts between characters were added last week to the online plot summary for Mrs Frisby And The Rats Of NIMH, which is recommended for students in years 5 to 9. The edited page for the book, on the list for the Premier's Reading Challenge, was visible for about an hour before it was changed to the original text.

A Sydney mother was shocked to discover the article, after researching the book for her son. NSW Parents Council executive officer of communications, Michelle FitzGerald, said "all parents" should be concerned. It is a concern to the council that the internet, if used inappropriately or not supervised, can lead children into areas where they really should not be.

Wikipedia's Australian representative, Brianna Laugher, said vandalism was an continuing problem for the site."Wikipedia, in general, is not designed for a primary school audience," she said. "I don't advise any children to use it before they have had the pitfalls explained to them."

A NSW Education Department spokesman said the school attended by the woman's son had not advised students to use Wikipedia as a research tool. "The department has filters to block inappropriate material on websites being accessed from school computers."

But website expert Mat Hardy, who is doing a PhD on the use of Wikipedia in education, said filters generally worked on a domain basis and would not block sites like Wikipedia. The website used a program called a "bot", which automatically detects certain triggers, such as profanity or major edits. "If [the edited article] was only up for an hour or so, that demonstrates how robust the system is, even though that is one of the most obscure articles," Mr Hardy said.

Thursday, May 21, 2009

ICANN: apply public health response model to e-security

The idea is to attack the swamps, not the fever," - Paul Twomey

I attended AusCert Conference 2009 in Gold Coast, I got the chance to listen to the speech by Paul Twomey - President/CEO of ICANN, here are the interesting parts from his speach. He advised that the greatest threats to the Internet are not cyber threats, but the threat of inappropriate public policy.

"National security is driven by nation states," he said. "National security or economic policy is going to be the key discussion of our age. We can't risk the Internet by placing onto it more government control," Twomey said. "We need to think about the Internet's fundamental principles of collaboration, co-ordination and communication when dealing with cyber threats."

The proper response to cyber threats is not a national security approach but a public health approach, he said. "Governments have been waging war and espionage for the last 5000 years. There's no reason to think that they won't continue in the Internet age," he said.

The public health approach means accepting that there will be pandemics at some point. "The question is, how do you respond to that?" Twomey asked. "There are mechanisms of collaboration and co-ordination internationally which can do the job." The key for the public, he said, is to maintain a clean commons."The idea is to attack the swamps, not the fever," he said.

Tuesday, May 19, 2009

Answers to secret questions are easily guessed

Are Your 'Secret Questions' Too Easily Answered?

The "secret questions" that protect online accounts and passwords may be far less secure than commonly believed, largely because their answers are often far too simple, researchers say. Carnegie Mellon University and Microsoft researchers will present research at the IEEE Symposium on Security and Privacy, which highlights the vulnerabilities of the secret question systems used to secure the password-reset functions to numerous Web sites.

In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions, and even people not trusted by the participant had a 17 percent chance of guessing the correct answer. Secret questions alone are not as secure as we would like our backup authentication to be. Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.

The least-secure questions are simple ones that can be guessed with no existing knowledge of the subject. Schechter says backup-authentication schemes should be reliable and allow only legitimate users to regain access to their accounts. They also should be secure, preventing unauthorized users from gaining access. The study found that secret questions fail on both accounts. We would eventually like to see these questions go away. Unfortunately, since we didn't find many questions that were conclusively good, it's hard to recommend simply changing questions.

Please refer here to read the security research and more details.

Friday, May 15, 2009

What Google knows about you

"Google knows more about you than your mother."

Kevin Bankston, senior staff attorney at the Electronic Frontier Foundation, recently made that statement to this reporter. A few years ago, it might have sounded far-fetched. But if you're one of the growing number of people who are using more and more products in Google's ever-expanding stable (at last count, I was using a dozen), you might wonder if Bankston isn't onto something.

It's easy to understand why privacy advocates and policymakers are sounding alarms about online privacy in general -- and singling out Google in particular. If you use Google's search engine, Google knows what you searched for as well as your activity on partner Web sites that use its ad services. If you use the Chrome browser, it may know every Web site you've typed into the address bar, or "Omnibox."

It's an interesting read. Refer here to read full article and research and let me know your thoughts? Whether your mum knows more about you or Google?

Visa begins testing new card to reduce online credit card fraud

Visa hopes the new card could reduce card fraud online.

A credit card with a built in screen and keypad could radically reduce online shopping fraud, Visa has claimed. The credit card firm today began testing the card with 500 Londoners.

When shopping online, customers enter their pin number into the card, which generates and displays a unique code each time it is used. This must then be entered into the website, and is checked by the bank's servers to prove the card and pin number are correct. Visa hopes the new card could reduce card fraud online.

Although chip and pin technology has reduced till fraud, online fraud, known in the industry as card-not-present or CNP fraud, is growing and now makes up more than 50% of all credit card fraud.

I quote from the article:

“The card needs to be globally compatible: that means embossed characters for mechanical swipes, a magnetic strip for systems that require a signature, the fixed three digit security code and now the unique four figure code. By embedding a battery, PIN pad and screen in a payment card, we believe we are offering the most innovative card product in the marketplace”

The new card can also generate codes to allow users to access corporate computer networks, and is being trialled by Deloitte employees. Basically, you can use your credit card to access your work network while you can use it for shopping as well. If bad guys come up with the way to break this new innovation so possibly they have access to your money plus your corporate network?

Monday, May 11, 2009

How Hackers Can Steal Secrets From Reflections

These attacks are difficult to defend against and impossible to trace

Even the best electronic security may not be enough to protect sensitive data from dogged hackers, and researchers have been able to extract information from the flashes of light-emitting diodes on network switches or the reflection of screen images off an eyeball. Swiss Federal Institute of Technology graduate students Martin Vuagnoux and Sylvain Pasini observe that commonplace radio surveillance equipment can pick up keystrokes as they are typed on a keyboard in a different room, and they are preparing a conference paper detailing four unique ways that keystrokes can be inferred from radio signals captured through walls at distances up to 20 meters.

These side-channel exploits are untraceable and very difficult to defend against, yet computer security researchers have devoted little attention to the problem. Although many of these attacks require specialized knowledge and equipment, Max Planck Institute for Software Systems fellow Michael Backes contends that reflection-based attacks can be carried out by anyone with a $500 telescope and a digital camera. Eyes and other curved surfaces are particularly useful in reading reflections as they reveal wide swathes of their surroundings. Privacy filters applied to laptop screens to prevent over-the-shoulder eavesdropping can aid reflection exploits, as the filters raise the brightness of the reflection on the viewer's eyes. It is doubtful that side-channel attacks will become as ubiquitous as spam, malware, and other network hacking tools.

As University of Cambridge Computer Laboratory scientist Markus G. Kuhn notes that "you have to be close to the target, and you must be observing while a user is actively accessing the information." These methods will probably be employed to infiltrate specially selected targets such as the computer systems of financiers and high-level corporate and government officials.

Refer here to read full coverage on this particular research.

Saturday, May 9, 2009

Infamous botnet known for stealing financial data - Exposed

Researchers Take Over Dangerous Botnet

University of California-Santa Barbara (UCSB) researchers temporarily commandeered an infamous botnet known for stealing financial data and found that the threat it represents is even greater than had been originally assumed.

The Torpig/Sinowal/Anserin mini-botnet targets organizations and users to steal bank account information or other sensitive personal data. It is considered more dangerous than big-name botnets because of its small scale and stealthiness. Torpig uses drive-by download attacks as its initial mode of infection, and upon infection the botnet can unleash crafty phishing attacks that produce bogus but authentic-looking Web pages and forms that trick users into exposing their credentials. The UCSB researchers accumulated approximately 70 GB of data for the 10 days they were in control of Torpig, and in that period the botnet stole banking credentials of 8,310 accounts from more than 400 financial institutions, including PayPal, Capital One, E-Trade, and Chase.

Nearly half of the 1,660 stolen debit and credit card accounts the researchers counted belonged to victims in the United States. "The level of sophistication, the amount of data that it is able to steal, and the fact that it has been active for more than three years is truly remarkable," says UCSB researcher Brett Stone-Gross. The researchers' disclosures provoked debate on whether the information they exposed about Torpig, its workings, and its victims could compromise efforts to eventually undo the botnet. "This [research] does create a road map ... for the [botnet] criminals to fix, and not just for others to exploit," says RSA's Sean Brady.

Refer here to read further coverage on this research.

Thursday, May 7, 2009

Communication between security professionals and management

Risk = Threat x Vulnerability x Cost

As professionals in security we are constantly researching new technologies to keep our skills sharp and up to date with latest threats. The most challenging part is how we communicate these risks to our key decision makers.

A recent example would be the Conficker April 1st situation. It was important to convey the sense of urgency we felt to have MS08-067 patched, as well as cross checking all our systems for updates being rejected, antivirus definitions up-to-date and so on.

My question to you is “did you communicate the risk effectively”? Were you able to give a complete and accurate risk assessment to your management?

Remember that risk assessment is the process of identifying a threat, understanding how that threat relates (vulnerability) to your organization, assessing the cost and providing that information to management.

The formula is simple, let’s break it down. Risk = Threat x Vulnerability x Cost

1. State the threat in language that is easily understood. It is your job to decrypt the threat for your management team.

2. Portray clearly and accurately what the threat could do and how it would possibly perform in your environment.

3. Identify the number of assets which may be affected by the threat. What is percentage of vulnerable devices in relation to the total devices? (Servers, workstations, operating systems, Internet exposure)

4. Identify the corrective measures which are available to be taken.

5. Calculate the SLE (Single Loss Expectancy). What is the dollar value of the cost that equals the total cost of the risk?

6. State how the remediation would lower the exposure to the organization and give a cost for those actions.

7. Recalculate the SLE with projected remediation included.

8. Provide status of the protection mechanisms already in place (anti-virus definitions, IPS signature detections, patching statistics).

9. Then allow management to make an educated decision based on risk to the enterprise, not just the security event itself.

By utilizing this concrete methodology, we can lessen the influence of media hype and provide a professional cost based opinion to those best equipped to make enterprise decisions.

There is no such thing as complete anonymity

Unmasking Social-Network Users

University of Texas at Austin researchers have found that, combined with readily available data from other online sources, social network data can reveal sensitive information about users. Using the photo-sharing site Flickr and the microblogging service Twitter, the researchers were able to identify a third of the users with accounts on both sites by searching for recognizable patterns in anonymized network data. Both Twitter and Flickr display user information publicly, so the researchers anonymized much of the data to test their algorithms.

The objective was to determine if it was possible to extract sensitive information on individuals using the connections between users, even if almost all of the personally identifying information had been removed. The researchers found that extracting information was possible provided they could compare patterns with those from another social-network graph in which some user information was accessible.

Texas professor Vitaly Shmatikov notes that social network data, particularly the patterns of friendships between users, can be valuable to advertisers. However, he says releasing that information also makes the networks vulnerable. The researchers found that non-anonymous social network data is easy to find. Every person does a few quirky, individual things which end up being strongly identifying. Carnegie Mellon University professor Alessandro Acquisti says the research points to the difficulty in maintaining privacy online. "There is no such thing as complete anonymity," Acquisti says. "It's impossible."

Refer here to read more details about this research.

Wednesday, May 6, 2009

New worm targeting Mac OS X spreads via email and network shares

New Mac OS X worm: time to get worried?

Symantec says a new worm targeting Mac OS X spreads via email and network shares. But is it really a threat? According to Symantec, the Tored worm spreads through network shares and by emailing itself to addresses gathered from the infected computer's Address Book.

It opens a back door to the computer, allowing it to be conscripted into distributed denial of service attacks as well as logging keystrokes (which could be used to steal passwords and other confidential information).

There is no indication that Tored can execute without user intervention. For example, Symantec does not seem to suggest that there are any issues with Mac OS X mail clients that could cause the code to be automatically executed when the message is opened.

The company says there are a very small number of Tored infections at no more than two sites, and that the worm is easily contained and removed, and does little damage.

Tored has been given a risk level of 1, the lowest on Symantec's scale.

Monday, May 4, 2009

An invention that could change the internet for ever

Revolutionary new web software could put giants such as Google in the shade..

The biggest internet revolution for a generation will be unveiled this month with the launch of software that will understand questions and give specific, tailored answers in a way that the web has never managed before.

The new system, Wolfram Alpha, showcased at Harvard University in the US last week, takes the first step towards what many consider to be the internet's Holy Grail – a global store of information that understands and responds to ordinary language in the same way a person does. Although the system is still new, it has already produced massive interest and excitement among technology pundits and internet watchers.

Computer experts believe the new search engine will be an evolutionary leap in the development of the internet. Wolfram Alpha could prove just as important as Google. It is really impressive and significant. In fact it may be as important for the web (and the world) as Google, but for a different purpose.

1969 The internet is created by the US Department of Defense with the networking of computers at UCLA and the Stanford Research Institute.

1979 The British Post Office uses the technology to create the first international computer networks.

1980 Bill Gates's deal to put a Microsoft Operating System on IBM's computers paves the way for almost universal computer ownership.

1984 Apple launches the first successful 'modern' computer interface using graphics to represent files and folders, drop-down menus and, crucially, mouse control.

1989 Tim Berners-Lee creates the world wide web – using browsers, pages and links to make communication on the internet simple.

1996 Google begins as a research project at Stanford University. The company is formally founded two years later by Sergey Brin and Larry Page.

2009 Dr Stephen Wolfram launches Wolfram Alpha.

Refer here to read more details.

Friday, May 1, 2009

Windows 7 RC1 made available for download

Windows 7 free for a year

Microsoft made the first release candidate of Windows 7 available for free download on Thursday. In an unprecedented move for the company, the software will run on a user's PC for more than a year.

Windows 7 RC1 can be downloaded now by MSDN, TechBeta and TechNet subscribers, and the general public will be able to download it on 5 May. There is no limit to how many copies can be downloaded. The software will run until 1 June 2010, in what a Microsoft marketing manager described to ZDNet UK as a "try before you buy" scenario. "There is no cap on the amount of downloads [of Windows 7 RC1]," Laurence Painell said in a pre-briefing session on Wednesday. "However, we only recommend that people with a reasonable amount of IT knowledge use it."

Windows 7, the successor to Vista, brings new features such as multi-touch interaction, a redesigned taskbar at the bottom of the desktop and an integrated search feature that allows the user to search across the client PC and corporate network at once. Power management has also been improved, as Microsoft has been keen to focus Windows 7 on portable computing.

The Release Candidate includes all the features that will be available in the final version. "The Release Candidate is the near-finished product. It's now just final regression testing and performance enhancements.

Microsoft refused to be drawn on the final release date of Windows 7, sticking to the company line that it will be ready by January 2010, although most observers are predicting a late summer/autumn 2009 launch.