Archive for February, 2008

Microsoft’s Rebuttal to BitUnlocker

Tuesday, February 26th, 2008

In a follow-up to Bypassing Disk Encryption with BitUnlocker, Russ Humphries from Microsoft has put out the following commentary on his blog.

Could this be the same type of smoke that Apple put out a while ago about the wireless exploit?

I don’t know; you make your own decision.

Matthew “The Security Zealot” Becker (and newly appointed CISA)

Google Hacking for the Masses

Monday, February 25th, 2008

According to Network World, the Cult of the Dead Cow, creators of BackOrifice and BO2K, have now created an open-source Google tool for novices, called Goolag, to help scan Web sites for vulnerabilities.

The article does not clarify how versatile the tool is; however, it states that: “It is based on techniques developed by Computer Sciences Corp. researcher Johnny Long.”

Either way, it may be worth adding to the arsenal.

Matthew “The Security Zealot” Becker

Tips on Writing a Professional Bio

Friday, February 22nd, 2008

As I am gearing up for this year’s presentation for both the North Carolina Local Government Information Systems Association Spring Conference and my Toastmaster’s meetings, I realized that I need to update my bio. However, I ran into quite a bit of writer’s block and I needed to find some valuable guidance.

So, like any good Geek, I began by scouring trusty ol’ Google. As I sifted through the results, I became aware that there was so much information. I decided that it would be easier if I would gather a majority of the information and “boil” it down into some quick bullets.

What has resulted, I believe, is a pretty valuable cheat sheet for writing a Professional Bio. So, I decided to share it.

Bypassing Disk Encryption with BitUnlocker

Friday, February 22nd, 2008

According to a Princeton Web site, Seth Schoen has created a USB program called BitUnlocker that on cold boot or reboot can bypass several widely used disk encryption technologies, including Microsoft’s BitLocker, Apple’s FileVault, TrueCrypt, and dm-crypt.

“Requires no special equipment. When the system boots, the memory controller begins refreshing the DRAM, reading and rewriting each bit value. At this point, the values are fixed, decay halts, and programs running on the system can read whatever data is present using normal memory-access instructions.” At this point, they used a USB program to bypass the disk encryption.

The question is: what is the next layer of defense to ensure your data is not compromised if your laptop is stolen? Well, Mr. Schoen and his team cover some great suggestions.

Great work!!

Full pdf document available.

Matthew “The Security Zealot” Becker

Social Engineering with a Phreaking Web Site

Friday, February 15th, 2008

Although this Phreaking technique of Caller ID Masking/Spoofing has been around since the golden years of Captain Crunch and Kevin Mitnick’s earlier years, with the emergence of VoIP and web sites like Spoofcard.com it is no wonder that this technique has stood the test of time.

Based on the article in Network World, Spoofcard provides you with a toll-free number from which a social engineer/pen tester can place a call to any 10-digit number and enter any display number they desire. All of this for as little as $20 for an hour!!

With such a low cost and ease of use, this site can provide almost any “script kiddie” with another attack vector. In the hands of a Penetration Tester or a “Tiger Team”, this may be a valuable testing/training tool.

Lastly, this drives home the importance of an all-inclusive Employee Security Awareness Training program, ensuring that your employees do not become the “weakest link” in the “security chain”.

Matthew “The Security Zealot” Becker

Just as a historical tidbit: based on Netcraft.com’s record, this site has been in existence since August 2005, so this is not totally groundbreaking news, but interesting just the same.

Continuance of Yesterday’s Questions - Blackberry Mysterious Infrastructure Outage

Tuesday, February 12th, 2008

Ironically, after posting yesterday’s blog about our society and the prospect of living without cell coverage, RIM’s Blackberry Services experienced an “infrastructure outage” for 3 hours yesterday for reasons unknown.

The question I have is: How many of you were dramatically affected in your business or personal life, or was this just an inconvenience? Do you think you could continue to conduct business without it if the service was out for a week or a month?

Leave a Comment.

Matthew “The Security Zealot” Becker

Cyber Warfare and Questions of the Future

Monday, February 11th, 2008

It has been a “household” fact that China and other countries around the world have been employing Elite Cyber Armies with the sole purpose of attacking foreign nations. Until this article, I have never seen any public recognition that the U.S. Government has been growing its own Hacker Teams.

At just a glance, these articles, linked with the latest CIA reports of Foreign SCADA Attacks in the news, raise some concerns about the emerging “Cyber Warfare”.

As we become more reliant on embedding technology in every aspect of our lives, ranging from rifle systems and GPS navigation to household items like refrigerators and our automobiles, we increase the threat level of compromise or denial-of-service.

Could our society survive if we had to live without cell phones for a month? What about the Internet or TV and Radio Channels? Could you live without the World of Warcraft or Jessica Alba’s next flick?

What if there was a total loss of water, electricity or wastewater service for more than a few days? Could you and your family survive? Where would you get your food, water and shelter?

These are all real questions that need real answers.

Ironically, if you ask these same questions to your grandparents (or great grandparents), I would almost guarantee their answers are not the same as yours.

This is not a scare tactic or conspiracy spin, just some “food” for thought.

Matthew “The Security Zealot” Becker

Internet Outage in the Middle East is still a Mystery

Friday, February 8th, 2008

Here is a fairly detailed article from Technology Review discussing the latest events with the Internet Outage in the Middle East. There still does not seem to be an explanation for the fiber cut, but according to the article, “no ships had crossed the site of the breaks in the 12 hours before or after the incidents on Wednesday”, ruling out the anchor theory.

I am anxiously awaiting the truth to be revealed. But until then, I am certain that these incidents may cause several countries and businesses to re-evaluate their Incident Response/Business Continuity Plans.

Here’s another related story from Wired (Maybe it was a shark?)

Matthew “The Security Zealot” Becker


Test Scores and a new set of Self-Assessment Questionnaires

Wednesday, February 6th, 2008

Hooray!!! I have finally received my Certified Information Systems Auditor (CISA) exam results and I am glad to say that I have passed. I am on to the next step of submitting my application package and waiting again another 8 weeks for it to be approved.

In other news, the Payment Card Industry Security Standards Council (PCI SSC) has released the new Self-Assessment Questionnaire (SAQ) v1.1 today, which has broken v1.0 into 4 separate questionnaires that will be based on how a merchant processes cardholder data. For more information: https://www.pcisecuritystandards.org/tech/saq.htm

Matthew “The Security Zealot” Becker