Crash Internet Explorer in one line

Nice trick on this page. They don't call it "internet exploder" for nothing.

Crash IE




The history of hacking...and more

This is a 50-minute video that I do not have the time to watch. Instead I am typing emails to people that take 50 minutes to read. Hehehe. I will watch this video at some point, but in the meantime I am posting it here because some of the links Google provides as being 'relevant' are just as interesting.

The history of hacking




DNS servers can't still be vulnerable?!

According to this article (posted in October of 2005) one might be surprised. Wonder how many of those they found have been fixed by now...

DNS Servers still wide open




CSS I mean XSS hack to steal a history

CSS means "Cascading Style Sheets" and XSS means "Cross-Site Scripting".

Anyway, I am a huge advocate of using Firefox, but I also admit I do not believe it is 100% secure either. The best choice I know of for that is anonym.os and the free vmserver. But the problem with that solution is that it is too techy. Having to go through that level of effort signals a sad state in security for the web.

This posting is actually about a vulnerability found in Firefox that allows an attacker to steal a user's history.

Stealing History
Safe History (Firefox Extension, IE users are screwed)




Faux Google Website Hides Trojan Horse

Short article discussing another example of a browser-based infection technique. Some of the important general and common themes include:

a. Browser security features don't work that well
b. The exploit was poorly written, so it won't work either
c. But it proves it can be done, for someone else to try


An interesting little idea is thrown in as well; quoted from the article:

"More recently, a Trojan attacked the company’s adsense advertisements, replacing them, in-browser, with fake ones on any PC infected with the malware."

I just thought AdSense was annoying; now that I have tuned it out for the most part, there is a reason to pay attention to it again. Rats.

Faux Google Website Hides Trojan Horse




Reminder: attacking is often about economics, that's all.

The driving force these days behind many attacks is the good old-fashioned need to make a buck. One of the problems faced in legal terms, outside of obvious jurisdiction issues, is the simple fact that some activities are just not considered illegal by everyone. That sounds funny. Since when did just anyone get to decide what is legal and what isn't? In this context, ethics also play a role that blurs the line where the letter of the law is supposed to be involved.

Corporations have been using the world economy to their advantage since long before the Internet. Consider for instance the economics of labor costs: it is considered OK to pay someone a dollar a day if that is the "standard of living" in that community, even if the goods they create will be sold somewhere else that considers those wages below standard.

In other words, the idea of creating one's own platform of law or ethics isn't new to business, so why would we expect the same condition not to be exploited by individuals? The Internet allows consumers to take advantage of the same thing manufacturers have known how to do since the earliest days of trading. And they are doing it at all levels.

And so too will those engaged in 'creative' ways to assume new income, working the opportunity available to them, offering services that both enable crime and protect people (said with a wink). The article referenced below is one example that deals with "carding". When sites are referenced that are in another language, Russian for example, don't forget that you can use Google's translator to read them.

The net's not-so-secret economy




Scanning Usenet for Stego

I mention this site often in class; it's a study on the use of steganography in images posted to Usenet. As of this posting, they say they have not found a single message. What this means is:

1. It's there and they just haven't found it
2. It's not there but somewhere else
3. Stego isn't used on Usenet

In other words, steganography does exist and is used; we just don't know where or how. If I were up to mischief, I would smuggle company secrets out in encrypted form hidden in family vacation photographs or, better yet, pictures of my pet. I would show them to my boss and colleagues until they want nothing to do with them anymore (I estimate this would take 30 seconds tops), then carry them out on a USB stick. Whenever such photos are found, people would be more interested in avoiding having to see them than ever imagining they were a vehicle for industrial espionage.

Likely, these extra details would not even be necessary. Stego is tough to detect, and if it's encrypted first... it's almost impossible. Currently, anyway ;)

Scanning USENET for Steganography




The passwords on the wall of sheep

At DEF CON, the fun part of the Black Hat security conference in Las Vegas, they display a "wall of shame": passwords of real people at the conference who have the nerve to check their email and log in to protected accounts. As the passwords fly past on the network, they also fly past the monitors for all to see. This article discusses many of the various ways these passwords are captured.

Look at all of these passwords




The High Costs of Hacking

Almost every security presentation includes a slide or two that mentions the commonly accepted stats: "70% of all attacks are internal" and "$x billion a year is lost to ...". Those statements are loose and missing a lot of important detail. But the point is made, the fear sets in, and we move on.

The article below is a management-level (customer language) discussion about the costs of attacks. Focus less on the amounts and more on the different kinds of expenses, some of which are less obvious. The bottom line to one organization has nothing to do with losses on the broad plane of aggregate industries. So when doing risk management, stay objective and focused on the client.

The high costs of hacking




50 Common job interview questions

...with advice on how to answer them.

Along with all of the other advice on resume writing and cover letters and so on and so forth, doesn't this whole thing seem ridiculous? Actually, no. I interview people for instructor positions who make some outrageous errors, demonstrating that common sense isn't too common.

While I appreciate the fact that I am seeing the genuine article, I have to admit I expect a job candidate to have a minimum amount of interviewing savvy. They should at least make an effort at pretending to be a perfect individual with a wellspring of positivity and love for my organization.

After that, it's up to me as the interviewer to ask better questions than what is typical. There is no master list of those questions. They are in the moment and adjusted for the uniqueness of the candidate.

50 common interview questions




Guide to internet piracy

Interesting article detailing the 'food chain' of piracy activity. Note the references to various tools and terminology.

Guide to Internet Piracy




Reading the boss's email

This is a great story. No spoilers here, just check it out....

Geeks take down C-level executives




Huge gap in postings....

Blogger quit working one day, then I quit trying. Then I tried other things with infoSecond, and I wasn't satisfied with the blog anyway, so it was fine.

Now Blogger seems to be working again and I have given up worrying about whether or not the blog is particularly good. Instead of writing up lengthy articles of rant and wisdom and other originally derivative thinking, I will be satisfied with the original purpose of infoSecond: to share links with students, clients and friends based on things I find and conversations that come up.

So yes, this blog is a link aggregator thingy, and anyone could find what it says by surfing for an hour a day across infosec and web-culture sites. It's a rehash blog in the minds of 'blogging pros'. At least until Blogger quits working again.

In a month or two I will get around to figuring out why the FeedBurner XML feed quit working. Sigh. Thanks for still visiting.
