Saturday, October 20, 2007

Redaction cat is out of the bag for Wells Fargo

From Risks Digest 24.82

This is just like when Starbucks used to redact all but the last 5 digits of your credit card number on receipts. So anyone with a Starbucks receipt + any other receipt could piece together the whole card number. D'oh!

From the juxtaposition wayback machine:

Date: Mon, 3 Sep 2007 14:12:06 -0700 (PDT)
From: Tom Watson
Subject: Redacted account numbers

My bank (Wells Fargo) in its infinite wisdom has decided to change the way
it attempts to redact account numbers. In looking over the transactions for
an infrequently used account (I only have it because my ex-wife is a signer,
and who knows when I'll need to cash a check with her name on it!) I noticed
that the method had changed from the July to August automatic transfers I
have to keep the account active. In July, the account number is listed with
THE LAST 3 digits as 'X'. In August, the method is now all 'X' EXCEPT FOR
THE LAST 4 digits. I just looked and said to myself "what is wrong with
this picture?". The risk: when you change methods of redacting, change ALL
occurrences, not just the new ones. You may just totally unredact what you
were attempting to hide.

Fortunately in my case, I know the account number anyway, so TO ME it is no
big deal (unless I print out something), but I'm aware, which is the
thing to be.

I sent the bank a note as well. I don't hold out much hope for anything
constructive in return, but we will see.

[It seems pretty stupid to make such a change that completely exposes the
account number to anyone with records before and after sanitization. PGN]
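The failure in both the receipt anecdote and the letter above is that two masking formats for the same number reveal complementary digits. As an added example (not part of the original post or the Risks Digest item), here is a consistency audit a statement or receipt producer could run over every rendering that is still retrievable. The account keys, sample numbers and the `min_hidden` threshold are constructed assumptions.

```python
from collections import defaultdict

MASK = "X"

def overlay(views):
    """Overlay masked renderings of one number, keeping any digit shown in any view."""
    width = len(views[0])
    merged = [MASK] * width
    for view in views:
        if len(view) != width:
            raise ValueError("renderings differ in length")
        for i, ch in enumerate(view):
            if ch == MASK:
                continue
            if merged[i] not in (MASK, ch):
                raise ValueError(f"conflicting digit at position {i}")
            merged[i] = ch
    return "".join(merged)

def audit(records, min_hidden=4):
    """records: (account_key, masked_string) pairs from all retrievable output.
    Returns {account_key: finding} where the combined views hide fewer than
    min_hidden digits. Findings carry counts and masked formats only, never
    the reconstructed number."""
    by_account = defaultdict(set)
    for key, masked in records:
        by_account[key].add(masked)
    findings = {}
    for key, views in by_account.items():
        views = sorted(views)
        hidden = overlay(views).count(MASK)
        if hidden < min_hidden:
            findings[key] = {"hidden_after_overlay": hidden, "formats": views}
    return findings

# Constructed sample data (hypothetical account keys and numbers).
SAMPLE = [
    ("acct-A", "1234567XXX"),  # July format: last 3 digits masked
    ("acct-A", "XXXXXX7890"),  # August format: all but last 4 masked
    ("acct-B", "XXXXXX4321"),  # same format in both months
    ("acct-B", "XXXXXX4321"),
]

if __name__ == "__main__":
    for key, finding in audit(SAMPLE).items():
        print(key, finding)
```

Only `acct-A` is flagged: each format hides something on its own, but together they hide nothing, which is why a format change has to be applied to historical output as well.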

Security Tools and Browser Extensions

This site has a huge list of Firefox Extensions (Add-Ons) that are security tools.

And then there's always this great list of general tools.

Top 100 Network Security Tools
After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”.

Gartner chides PCI SSC

Governance is an important part. If the PCI SSC member companies want to ward off government regulation, they certainly need to be more transparent. That they could end up with such milquetoast controls as simply "encryption" or "web application firewalls" being equivalent to "source code security review" is a testimony to what happens in the smoke-filled rooms there.

Gartner analyst chides PCI Security Standards Council - IT Security News - SC Magazine US
The Payment Card Industry Security Standards Council (PCI SSC) has taken two steps forward and one back by the creation of a new Board of Advisors, according to Gartner analyst Avivah Litan.

AV Fightclub

You get to talk about this Fightclub.  Kaspersky wins again. 

I would be somewhat wary of ClamAV though since it seems to suffer from loads of security holes: versus the Kaspersky results:

Also, refer back to the previous posting Juxtaposition: Antivirus bakeoff public results for another source of AV comparisons.

untangling the future… » Blog Archive » AntiVirus Fightclub Results!
Only three (Clam, Kaspersky, Norton) call all of these. Three others (F-Prot, Sophos, Mcafee) missed a few ranging from an 80-90% catch rate - not very good considering these are all really common viruses, but certainly better than others. GlobalHauri and the gateway appliances (Sonicwall, Fortinet, Watchguard) all performed poorly - catching about 60% and less of these common viruses. Watchguard would only catch one virus (the eicar test virus), which is odd because I thought they used the ClamAV engine.

Get Mitnick's "business" card - complete with lockpick tools

This is really cool.  I've got to send in for mine.  Which password should I send...

On a related note, I was running a table for the ISSA Puget Sound and we had a raffle where we asked for business cards or alternatively, a piece of paper with your name and contact information.  As a joke, we asked people for their email password and/or their Social Security Number.  There were actually some people willing to give them up.

Mitnick Security Consulting, LLC
Send a self-addressed stamped envelope, your IP address and password to:

2245 N. Green Valley Parkway
Suite 411
Henderson, NV 89014

Top 10 Craziest Conspiracy Theories

Hard to believe that people believe this stuff. But in a country where 61% of people believe the story of Noah's Ark literally, I can believe it, I guess.

Top 10 Wackiest Conspiracy Theories

Physical security lacks physical security

I can't believe that these systems have such a horrible design!

Basically, these guys showed how you can inject a tiny device that records the data the scanner reads, so that the data can be replayed later.

2 Screws, 1 Plastic Cover, How Many Airports Infiltrated?
besides a meat cleaver or, in the case of your eyeballs, a soup spoon, these systems are all laughably easy to bypass, thanks to a primitive protocol called Wiegand that just about all ACSes (access control systems) have inherited.

At the Defcon hackers conference here on Aug. 4, Zac Franken laid out on a table the components typical of a physical proximity card system, the essential elements of which, at least when you're talking about the way the ACS decides whether or not to let you in, are the same as a biometrics system. (Franken manages an IT company in London. Like many Defcon presenters, he asked for restricted identification.)

And then Franken proceeded to demonstrate how $10 worth of hardware will enable you to stick a quick connect microprocessor on a spliced wire, and flip the switch on whether the ACS thinks you've got access rights. The quick connect device contains a small, programmable microcontroller called a PIC chip. In a nutshell, pop the plastic cover, pull the wire, snip, snip, snap on your quick connect, seal it up, pass your proximity card, green blink, and—bzzzzt—you're in.

Run Linux from flash drive under windows using Qemu

Very cool.  I need to try this on my flash drive.

Using Ubuntu Linux on a flash drive and run it under Windows
The following article is going to tell you everything you need to know in order to make a USB flash drive with Ubuntu Linux installed, similar to the ones we sell here at

Thursday, October 18, 2007

Commerce Bank Database Hacked

Another article said that they thwarted the attack by "shut[ting] it (the database) down".

I wonder how they were able to have such poor security that someone could compromise their database yet they could respond in seconds to limit the unauthorized access to 20 out of 3000 records.  Something doesn't seem to add up to me, unless perhaps they detected a breach and were monitoring what the attackers were doing and only when they got into the database did they pull the plug on them.

Commerce Bank Thwarts a Major Database Hack
Commerce Bank NA, which operates in Missouri, Kansas, Illinois, Oklahoma and Colorado, last week said a hacker had breached a database with about 3,000 customer records and accessed 20 of them.

Tuesday, October 16, 2007

Bank of India's Website Compromised

Courtesy of the F-Secure blog, here is a case where the Bank of India website was compromised to include malicious iframes, one of which

"...contains an obfuscated JavaScript that uses exploits to download and run a file called loader.exe. This file is a small downloader which downloads additional files that are different password stealing trojans, additional downloaders, et cetera."

The stupid thing about this is that if the attackers had quietly compromised this site and done some intelligent money transfers, or web-based password capture, this may have gone unnoticed for some time. But they took their compromise and used it to hammer users' PCs with known malware that I'm sure got antivirus programs alarming. Not too subtle.

Good case for SSL-encrypted pages and not clicking "okay" to the "allow unencrypted content to load in encrypted pages?" dialog boxes in the browser...  Also good case for using a browser other than IE6.

Bank of India's Website Compromised - F-Secure Weblog : News from the Lab

Monday, October 8, 2007

Summaries of State Breach Disclosure Laws

The talking point that the differences in state breach notification laws need to be "fixed" with a federal law that usurps all state laws is truly a fallacy. If you look at the two-page chart, it really is not that difficult to know what to do. You end up just taking the "expedient common denominator". These are handy reference charts for your cube at work.

Emergent Chaos: Breach Laws Charts

Sunday, October 7, 2007

Best science images of '07

Too bad they don't have larger high-res versions.  These would make very cool desktop backgrounds.

National Geographic News Photo Gallery: Best Science Images of 2007 Honored

Filtering out press release spam

This may become useful.  I've actually gotten so annoyed at organizations that insist on sending at least one marketing email per day that I had to unsubscribe from all of their mailings to get some peace of mind.  Restoration Hardware, America's Test Kitchen, Costco are three of the big offenders that drive me crazy.

How to filter out press releases from your email - Boing Boing
If you get too many press releases emailed to you, try Merlin Mann's trick of creating a filter that diverts or deletes emails containing the string "For Immediate Release." I just found 11,000 messages in my mail with that string in it.

James Randi is taking on the Audiophiles

This is hilarious.  I feel sorry for people who either really have such extraordinary hearing that they can't use ordinary $19.99 cables in their home theater setup, or have deluded themselves into thinking that they can really tell the difference.

James Randi shows how ridiculous it is to spend $860 a foot for cables.

James Randi Calls Out Audiophile: I'm Sure the Crickets Will Sound Fantastic - Boing Boing Gadgets

James Randi’s Swift - October 5, 2007

Saturday, October 6, 2007

Appendix mystery solved.

Well, I had mine taken out two years ago so I hope I'm not at a disadvantage after the next GI bug.

Function of the appendix found? A good bacteria safehouse. - Boing Boing
"Immunologists from Duke University believe they've found the function of the supposedly useless and often dangerous appendix: It's a reserve store of good germs to 'reboot' your digestive system in case another bug wipes out the germs necessary for human survival."