Entries by Donald Tabone

Extracts from the original article found here... include some sane advice to those who get thrilled by the term 'hacker' by none other than the infamous Kevin Mitnick.

Reformed hacker-turned-security-consultant Kevin Mitnick served five years in federal prison for breaking into phone and software company networks. He talks about his past hacking exploits, computer security, and how he turned an illegal hobby into a useful career.

Learn the rules before you play the game. I knew hacking was sneaky when I started, but I didn't think it would get me into trouble. Back in my day, they didn't teach us about ethics in respect to hacking or using computers. Now, I tell kids to not follow in my footsteps. As computers become more accessible, there are more ethical ways to learn about computer security. Plus, there are laws now.

Use your powers for good, not evil.

Before, I was doing something exciting-but it was unauthorized and illegal. Now, I do the same thing that got me in trouble, except I do it with authorization. Clients hand me their network and tell me to break in so they can fix security vulnerabilities. To me, it's the same act but it helps my clients and it's legal and ethical, so it's a win-win situation.

Even hackers get hacked. Attackers found a way onto my Web server.

Source

The European Commission today granted its first privacy "seal of approval" to an online service, paving the way for e-businesses across Europe to certify their practices for protecting users' personal information.

The privacy seal, dubbed EuroPriSe (European Privacy Seal), is a detailed conformance and testing program designed to certify that an online service meets all of the European Union's laws and regulations regarding the handling of customer data.

In a nutshell, the seal assures the user that a Website or online business doesn't store personal data (including IP addresses) for long periods of time or monitor user behavior in ways that are not allowed under EU regulations. The seal also assures users that the personal information collected by the site is kept secure.

Is it a matter of time before we have to comply?

Continue reading "Europe Grants First Privacy Certification"

Google have added a cool feature for users of GMail - the ability to sign out from previously logged in sessions - therefore if you have the habbit of signing into GMail from multiple PC's and "forget" to logoff, scroll to the bottom of you current GMail screen and you will see the new feature titling "Last account activity: xx minutes ago on this computer. Details.."

Click the <details> link and you're presented with a list of previous sessions which allows you to quickly verify that all the GMail activity was indeed yours. To be extra cautious you can click on "Sign out all other sessions" - this way you prevent any unauthorised usage of previous sessions.

Full report can be read here

An article written for the Sunday Times of Malta - IT Supplement dated 8-6-2008

Often enough, most people tend to have their own way of perceiving how secure they actual are when doing things online. Indeed a lot of people tend to be naive and prefer not to think of what can go wrong right after they post or publish something personal about themselves or even others.

The way we perceive how secure we are, largely depends on past personal experiences. If you ever suffered some sort of data loss due to a virus - you would know exactly what I mean - in that - once bitten twice shy. So worst memory tends to prevail over your decisions and even perceptions of how secure you really are. More over, misconceptions surround us such as "I have antivirus software, so I am secure" or “I have a firewall, so I am safe”. The reality is that to be secure you need to employ a suite of tools (antivirus being one of them) to help you reduce your risk exposure to an acceptable level.

These days there is a lot of talk about Facebook. First off - it is a social networking tool which anybody can freely sign up for and use. So far so good! One of reasons it is so popular with people (in particular with youngsters) is that it allows for virtual social interactivity - therefore somewhat redefining the way people meet, talk and share things with each other. In many ways I feel it has affected our social culture. If you feel shy, then you can look for your soul mate online without having to sweat it out before you pluck up enough courage to go talk to a guy/girl face to face. One facility Facebook offers is the ability to check how compatible you are with different people and linkup to different friends through existing friends to build a spider web of friends. One idea might be - the more friends you accumulate online (say on Facebook) the more popular you are perceived to be. At face value, Facebook sounds cool especially if you are a budding teen. So where's the catch?

Continue reading "The perils of popular Facebook"

I am pretty sure that there are a number of you out there reading this blog over a wireless network. Given that wireless is so widely distributed these days, its not uncommon that users are unaware of how insecure their wireless setup maybe.

Unfortunately one other reality is that a number of ISP's install wireless modems without setting up any sort of security. What's worse is that if the client doesn't speak up - they don't quite advise the customer of what could be at risk. Basically as long as your laptop/device successfully connects to the wireless LAN that is setup up for you, they're out of there. SOO - this is where we come in to offer some advice.

If you connect to your wireless router without a password, its time to get hold of a technician who knows his business and set up some security on it. That's not all...

Recent developments published by Petko D. Petkov reveal some pretty nasty things an attacker can do to Thomson Speedtouch wireless modems - which is what a lot of us Maltese people have at home to connect to the internet.

Thanks to a friend of mine who first pointed out the article above, it is now possible that if an attacker sees your default network name (SSID) then it would be possible for him to crack your default password and use your internet connection. Therefore here are some healthy tips you could pass onto your technician if you're not confident to set them yourself.

Use WPA2 encryption rather than WEP/WPA.

Note that this will affect usage of early PDA's wireless and even computers with Windows XP. In fact you will need to download a patch for Windows XP to use WPA2. Also certain old wireless adapters (802.11b) might not have updated drivers, so do your homework to see if your adapter can use WPA2 before you start changing anything.

Change the default network name (SSID)

Change the default name of your router to something else. Invent an name.

Change the default password (preshared key)

If you don't have a password - PUT ONE. If the router is using a default password, its a good idea to change it unless you don't mind sharing your internet conenction with your neighbours.

Continue reading " Wireless modem considerations"

There are lots of ways business networks can be compromised, and more are developing all the time.

They range from technology exploits to social engineering attacks, and all can compromise corporate data, reputation and the ability to conduct business effectively.

Since we all like lists here are 10 such threats and some suggestions on what to do about them.

1. Virtual host security
2. Protecting the virtual machine monitor (hypervisor)
3. Botnets
4. Targeted attacks
5. Attacks via gaming and virtual reality sites
6. Browser threats
7. Mobile phone browser exploits
8. Lost mobile devices
9. Insecure Web applications
10. Rust-out

Read the full-article and grab the details here. Take a look at the NSA's published 10 best security practices.

In view of a recent article on the Times of Malta dated 9-4-2008 titled Some Visa cards replaced due to possible fraud we would like to take the opportunity to remind our readers about exercising caution to disclosing personal card details to untrusted people or websites through email or otherwise.

VISA provides a link with Fraud Prevention TIPS some of which are listed below - so there is no excuse for being negligent. Take your time to make sure you are duly diligent with personal details. There are many physical and logical attacks that can take place such as skimming, phising and even social engineering.

When providing payment information online, look for the 'padlock' icon on your browser's status bar - this signals that your information is kept secure during transactions.

Do not reply to unsolicited e-mails or telephone calls that request your personal information such as your SIN, password or bank account number.

When possible, keep an eye on your Visa card when it is swiped at the merchant's terminal to ensure information on the magnetic stripe is not copied through a skimming device.

Precautionary measures are good - but prevention is better than cure - and preceding that being aware is the first step. The hard part is getting the message out there - and that is where strive to make a difference.

Sources/References
http://www.timesofmalta.com/articles/view/20080409/local/some-visa-cards-replaced-due-to-possible-fraud
http://www.visa.ca/en/personal/securewithvisa/fraudprevtips.cfm
http://www.visa.ca/phishing/

We'd like to show you some big aspirations for Malta through SMART City - Malta!
Original source

Continue reading "SMART City - Malta"

PLEASE BEWARE:

This morning I recieved an SMS with the following text:

CONGRATS: YOUR MOBILE NUMBER HAS WON FOR YOU THE SUM 192,000 POUNDS IN THIS YEARS NOKIA MTN PROMO. FOR CLAIM CALL: +2347035278214 & E-MAIL: nokia@luckymail.com

Doing a little research, first thing to notice is that the number above (+234) is Nigerian. Already smells bad...
A little more research on google and you will find other reports of this message with people asking whether it is a hoax or not.
The sum, number and email vary accordingly - and it IS a hoax.

So readers BEWARE - as much as everybody likes the sound of it, don't bother calling or emailing or disclosing any personal information.

If you know of any other reports, feel free to comment below.

A joint group of people from Princeton have recently managed to prove the fact that RAM chips, when cooled to a very low temperature, can continue to retain the contents of RAM for up to several minutes after they have been physically removed from a computer.

The group, then built their own tools and programs to read off the contents of the memory after the computers were rebooted - proving that disk encryption technologies (such as Truecrypt for instance) can be defied. This is demonstrated in a video posted on youtube (see extended body of article)

The concept can also be also easily demonstrated following a simple experiment outlined on the groups page here.

Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection. (Exceptions exist; some systems may not be protected even when powered off. Check with the developer of your disk encryption software for further guidance.)

Following up this, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child) - the recently announced MacBook Air is resistant to what is now known as the "Cold-Boot Encyption Attack" simply because the machines DDR2 RAM (2gb) is soldered on and cannot be physically removed. In addition, if Apple release an EFI firmware upgrade to zero the contents of the RAM at every boot, then the MacBook

"...would become one of the only—if not the only—mainstream laptop featuring full-disk encryption that's highly-resistant to the troublesome Princeton attack."

(source)

Microsoft also reacts to this vis-a-vis their BitLocker technology in Vista. Ryan Naraine reports on this here.

Microsoft suggests that the most secure method to use BitLocker is in hibernate mode and with multi-factor authentication.
According to Robert Hensing, a software engineer in Microsoft's SWI (Secure Windows Initiative) team, this class of attack is not new and was actually raised at the 2006 Hack in the Box conference in Kuala Lumpur, Malaysia.

The Register also has their views on this...BitLocker, meet BitUnlocker.

A question directed to Digital Forensic experts - Is this a blessing in disguise? What's your take on it?

Update: More information on the discussion can be found here Continue reading "Recovering passwords from RAM"

We acclaim another step in the right direction, in line with the scope of http://maltainfosec.org

In a bid to combat cyber exploitation of children, IT Minister Austin Gatt yesterday announced an intensive awareness campaign as students marked Safer Internet Day.

Dr Gatt also launched an information package, which will be distributed to all students from Year Four in primary schools right up to Year Five in secondary schools, as well as their teachers and parents.

Over 43,000 information packages and interactive CDs will start being distributed to parents and students this week, while posters, DVDs and CDs will be circulated in schools.

Attending an event organised by Aġenzija Appoġġ at the Playmobil Funpark in Ħal Far, Dr Gatt said that while children's education was sacred for the government, so was their security.

Echoing a post on the Times of Malta 27th Feb 2008

On February 1st, 2008 Microsoft offered $44.6 billion for Yahoo. A truly desperate attempt to catch Google.

As reported on MaltaMedia Dec 27,2007

In June 2005 Malta, as a Beneficiary Country, signed a Twinning Agreement entitled Capacity Building Programme in Information Security with the United Kingdom, as a European Union Member State for a period of 28 months.

The project implementation was entrusted to Malta Information Technology and Training Services Ltd (MITTS Ltd) as the Government’s designated INFOSEC Authority under the direction and guidance from the Ministry for Investment, Industry and Information Technology (MIIIT). The UK Twinning Partner was entrusted to Northern Ireland Public Sector Enterprises (NI-CO) in conjunction with QinetiQ Ltd which is an international defence and security company.

The purpose of this Twinning Agreement was to increase the understanding and facilitate the implementation of the EU Council Security Regulations 2001/264/EC issued on the 19th of March 2001 and to support Information Security measures in the Government of Malta Public Service to enable adherence to these regulations, which is a compulsory condition for all the Member States and thus of the Acquis Communautaire. In this light the project saw to the basic, advanced and specialised training of officials in the Public Service, government agencies and entities in particular areas related to Network Security, Wireless Security and Digital Forensics.

Study visits were organised for Maltese personnel to travel to various European countries to view operational security processes in practice with the aim of sharing good practices and acquire knowledge from other EU Member States.

The Twinning Agreement came to an end in October 2007 and has been mainly financed by the European Union.

The full article can be read here.

Have you been ever scammed on eBay? If so, read on...

Ask eBay users about auction fraud and payment scams, and you'll hear different stories with the same theme: While eBay can be a great marketplace, both buyers and sellers need to beware. Continue reading "How to buy and sell on eBay scam-free"

For those of you wondering what the title is on about, I invite you download this PDF presentation (E. H. Spafford 2001, 2002) and you'll know exactly what it refers to.

Albeit rather outdated, this 26 page presentation by the Center for Education and Research in Information Assurance and Security (CERIAS) talks about valid myths and misconceptions that these days still surround us.

After presenting a (humorous) pictorial time-line of the evolution of computers, he talks some of the causes of security problems, followed by their effect and a bunch of myths that we somehow are lead to believe. In that so, he then continues to explain the reality of things the way they actually are.

How about security expertise? Spafford again shows us the reality of things amidst general misconceptions that continue to float around us.

Still valid today --- Spafford concludes with the following points which we acclaim

- Security is an unattainable absolute.
- We should be seeking high levels of trust, based on sound methods of assurance.
- Assurance is an on-going process, not a set of add-on features.

Like I very often like to evangalise during security awareness sessions I hold from time-to-time, hopefully we are now a bit more aware that...

- Security is not simple.
- Security is not an add-on.
- Quality and security are closely linked.
- Training and knowledge are critical to counter superstition and folklore … but trends and lack of resources mean we are likely to face many challenges.

The European Union wants IP addresses to be considered personal information; the topic was discussed yesterday before the European Parliament's Civil Liberties Committee.

With IPV6 on our doorstep, it almost feels like their proposal implies that we're moving towards something like: "Hello, my name is ABCD:EF01:2345:6789:ABCD:EF01:2345:6789. Pleased to meet you" Next thing we know your ID card will have your IP address.

The issue prompted considerable debate, "From a U.S. perspective, there is no consensus over this issue," said U.S. Federal Trade Commissioner representative Pamela Harbour. Google Global Privacy Counsel Peter Fleisher said," There is no black or white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals."

Source article
More interesting reading can be found here

Beginning 2008 maltainfosec.org is pleased to announce a special deal for our readers through Computer Domain

Computer Domain Ltd are the local Maltese partners of the EC-Council and (ISC)2 Institute

Should you want to obtain more information about any of the security certifications listed on the Certifications Link, if your enquiry originates from our website and you DO decide to follow a course and take the exam through Computer Domain, you will be entitled to a 10% DISCOUNT on the course fee.

To be eligible for this offer, please follow the link at the top of the page and fill in the form to request more information about course content and dates. Computer Domain will be happy supply you with the information you need.

Our ultimate aim is to help promote security certifications with a view to increase overall awareness. Keep checking back to maltainfosec.org as we have more cool stuff in the pipe-line...

Hint: use your RSS reader !!

THE CONTACT FORM CAN ALSO BE FOUND HERE

Reading this article simply made me grin - for good reason ! As much as I love this guy on TV --- what was this guy thinking when he published his bank account details and sort code in a column in The Sun??? (Not to mention the clues to his address) After the recent issue of 25m bank account details going missing -- What's all the fuss about??? Why all the fuss??? Clarkson thought that the worst that could happen was that someone could pay money into his account (some Nigerian scam maybe...)

Heh --- talk about being aware of what the bad guys can or can't do --- the result was that some smart guy prankster set up a £500 direct debit from the presenter's account in favour of charity Diabetes UK.

"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again," Clarkson said in a column published in the Sunday Times. "I was wrong and I have been punished for my mistake. Needless to say he is now hopping mad over the data loss

I can't help but to advise you to be diligent when divulging any kind of personal details - especially concerning bank details. You never know where your money might end up!

So it’s a new year… Another year, another thousand virii and worms released into the Internet ‘wild’ to attack our computers, millions of more Identites released, and untold more spams mails sent. Well if some of the powers that be would make some Infosec New Years Resolutions (and keep them!) those numbers wont be quite as high. Then again, if these New Years resolutions go like most of mine, the spammers, hackers and crackers have nothing to fear. So without further ado, I present the Fearless Security New Years Infosec Resolutions with something for everyone

- To the clueless large companies that lost our private information last year
- To the clueless companies that have yet to lose our information
- To the clueless small companies
- To the clueless retailers
- To the clueless credit bureau companies
- To our beloved clueless government and of course our favorite friends, the clueless users.

If you got so far as reading this short snippet, please read the original article found here!