Diebold voting machine insecurity

Dr. Dobbs Journal put up a story last week about several security researchers who showed how insecure Diebold voting machines are. This is one of the most important things affecting the current political realm, in my not so humble opinion. I’m putting the rest of the story below the following link, but please read all this and don’t just skip ahead. This really matters, and shows the need for voter verified paper print-outs to go along with the electronic vote entry for auditing purposes.

Continue reading “Diebold voting machine insecurity”

Books with murder verboten on planes?

Sometimes, I can’t figure out for sure if there is a collective complete brain shared among all the people making up the dumb rules we have to live with since authorities successfully used intelligence methods to stop a terrorist attack. This latest involves a man travelling from London to Berlin. Because he had forgotten to remove a cream from his luggage, he was subjected to extra security screening. I don’t like that (which you already know if you’ve read much of my recent posting) but I can live with it – that’s a rule we know about, and he made a minor error and had to pay for it.

While security officers were checking his bag, they found a book titled “Murder in Samarkand” which greatly concerned them. The book tells the story of former British ambassador Craig Murray’s [bad] experiences in Tashkent (Uzbekistan). That is, it’s based on factual events. But that didn’t seem to matter to security personnel.

“Is that about terrorism?”, asked the lady that examined my onboard luggage. “Humm, well, it contains mentions of that, but it’s about your former ambassador to Uzbekistan and more about diplomacy”, I replied politely. “Does it have al-Qaida in it?” I looked a bit confused. “What?” – “Well, I have to check this with my manager, the rest of your stuff is fine, though.”

The manager then came after a minute or two. “Hello Sir, can you tell me about this book?” “Sure, it is about Craig Murray, former UK ambassador to Uzbekistan.” “Where, if I may ask, did you buy this book?” – “Well, it is available at any Waterstones here in Britain. I just bought my copy in the Angel branch yesterday.”

“I am afraid you cannot take this onboard, Sir.” You must be kidding me. I just spent 20 pounds on a book that, despite arousing some controversy in the UK, should not be banned onboard a flight to Germany. I understand that the terror plot (which coincidentally seems to have an Uzbek dimension) makes for some overwrought nerves.

More wow moments in time. Yes, a book is allowed, unless it has a scary word in the title.

[tags]More troubles for air travellers, Book with “Murder” in the title not allowed on a plane[/tags]

T-Shirts can now be security risks

Poor Dave Osborne. Seems he was a threat to everyone on his flight. Thankfully, someone in security knew how to eliminate the threat.

A TOURIST was told to turn his T-shirt inside-out at an airport — as a picture of two guns on it was deemed a SECURITY RISK.

Dave Osborne, 21, was bound for Newark, New Jersey, when guards hauled him out of the queue for his Guns N Rollers T-shirt.

They told him the two pistols on the front could constitute a security risk and upset passengers.

He was ordered to turn his top inside out before boarding.

The design engineer from Lichfield, Staffs, said: “I am all for extra security but this was just plain stupid.”

I agree, Dave. I agree.

Last night bosses at Birmingham International Airport apologised and said security guards “over-reacted”.

Gee, you think?  You know, I’m really thinking I need to add a “Stupid people/procedures” category for my site.
I won’t post the image, as the site has a right-click blocker saying “Blah, blah, protected image.” Yes, this is easy to disable, but if they don’t want me posting their image, I won’t. Just hit the site to see the security risk just recently discovered by the amazingly brilliant people who are protecting us all.

[tags]Security providers proving dumber over time, T-shirt a security risk due to scary word[/tags]

Find business confidential documents online

(via boingboing)

This is handy. If you ever want to try to find out a bit about what companies are doing that they don’t want you to know, try searching for their confidential documents via Google. There’s no telling what will turn up.

[tags]Confidential documents online, Businesses post documents online that are not for public consumption[/tags]

Anti-Rootkit tools

In this day and age of malware everywhere, it’s nice to occasionally use tools that look a little deeper at your system to see if something bad is hidden there. From Sophos, you can get the Sophos Anti-Rootkit. From F-Secure, you can get F-Secure Blacklight. From SysInternals, you can get Rootkit Revealer. All of these tools look for certain abnormalities that appear on your system when you have a rootkit. They won’t catch everything, but they do pick up a lot of stuff not hidden perfectly. Rootkit Revealer is the tool Mark Russinovich was testing when he discovered and publicized the Sony DRM Rootkit. The Rootkit Revealer download page has good information on how to read the output to tell if you have a rootkit.

While we’re dealing with anti-malware tools, why not head over to Grisoft’s web site and pick up the free version of AVG anti-virus (free for home use, that is)? And since we’re on that thread, there’s AntiVir PersonalEdition Classic, also free for private individual use. Or how about Avast Home Edition? Even if it weren’t already a great AV tool, it would be worth checking out for its name – anything pirate sounding deserves recognition.

In fact, there are so many free anti-malware and security tools out there, that you should just start checking more of them out.  You should find something that works for you without being too intrusive.  I recommend starting with Freebyte’s guide to anti-virus and anti-malware tools.

Thanks to Clif at Freewarewiki for pointing out the Sophos tool in the August 27th newsletter. This led me to put out some other recommendations for free anti-rootkit and anti-malware tools.

[tags]Free anti-rootkit tools, Free anti-virus tools, Free anti-malware tools[/tags]

IBM to buy ISS – $1.3 billion in cash

Having worked in computer security in the past, I like to know what’s going on in the security community in case I manage to get a job back in that industry.  So when I read that IBM is buying Internet Security Systems, Inc. for $1.3 billion in cash, I figured I should post about it, in case either of my readers like to keep up with these things and haven’t heard yet.  The article comes from an Australian paper, so I don’t know if that cost is in Australian or US dollars, but I’m guessing it’s US dollars.

With revenue growth sluggish at IBM Corp., Big Blue is buying its way to getting bigger.

The company’s recent acquisition roll continued Wednesday with a deal to spend $1.3 billion in cash for Internet Security Systems Inc., which performs network monitoring and analysis services for companies.

The deal values ISS at $28 a share, almost an 8 percent premium over its $26 closing price Tuesday on the Nasdaq Stock Market. If the acquisition is approved by shareholders, the companies expect it to close in the fourth quarter.

[tags]IBM, ISS, Internet Security Systems Inc., IBM buys ISS, Security news[/tags]

The reality of our latest stupid restrictions on travel

(via boingboing)
People, understand this – the newest travel restrictions are absolutely not increasing your security.  In fact, they are probably making things worse by fooling millions into thinking something positive is being done while simultaneously stripping away rights and increasing your potential exposure to dangerous materials at the airport instead of in the air.  So, since our government is gladly giving us nothing while reducing our rights and taking away safety, isn’t it time to ponder just what it is that the enemy is really doing?  Well, here is a bizarrely accurate view of what’s happening that no one in charge can seem to see.

[image: wondermarkliquidsonaaplane.jpg]

[tags]Losing our rights for travel, Less safety under the guise of more, Terrorists disrupt America and the idiots in government are too stupid to get it[/tags]

How to get robbed

Well, if you’re going to be ballsy enough to steal a laptop in front of several employees, this looks to be the way to do it.

At 3:30pm today, I asked one of the other guys at work to setup a new machine we’d had delivered, he goes out to do it, and noticed that one of the laptops we have on display is missing, which he thinks is odd, because if anyone was going to sell one they would have sold one of the ones we have out the back, so he comes and asks me if I had sold it, or lent it to anyone, yadda yadda. We search the shop, workshop and our store, and can’t find it anywhere, so we resort to the video camera footage.

So we’re searching through the footage, rewinding hour by hour, at 2pm, it’s not there, at 1pm, it’s not there, at 12pm, it’s not there, but at 11am, it bloody is there! So we watch from there on in. We have a lady that works out in the shop, mainly receipting stock into our POS system, sales, accounts, banking, that sort of thing, and she’s helping a couple of people with a hire purchase agreement, when this old dude, probably early 50s, walks in with a large coat on. I go out to serve him.

. . .

I go back out to the workshop, and think nothing of it. He walks around the shop a bit more, looks out the back to where he can see our security monitor, so he can see exactly what we’re recording, and then heads over to one of the laptops. He folds the lid down, then looks up at the counter where the couple and our retail lady still are. He gets in between the line of view from those three and the laptop. He picks it up with one hand, walks away with it a bit, does a kinda swing around motion, and then slips it into his jacket, grabs his cellphone out of his pocket, and pretends to talk on it as he walks out of the shop!

So this video is all over the net now, and hopefully someone will know who this guy is and they’ll get the laptop back soon. The kicker for the thief is that this is a brand-new laptop with no battery. He didn’t get the charger, and because of a higher power drain and a new plug, the older HP laptop transformers don’t work, nor do current generic transformers. The laptop won’t work for this guy until he gets a battery and a transformer, and HP has put an alert out for any orders of batteries and/or transformers, and warned all their retail shops to do the same.

[tags]Laptop thief[/tags]

Your Blackberry can expose your company’s soft underbelly

(via Engadget)
That would be the internal company network, by the way. Information on a newfound attack via Blackberry was discussed at DefCon 14.

Jesse D’Aguanno, a consultant with Praetorian Global, has developed a hacking program that exploits the trust relationship between a Blackberry and a company’s internal server to hijack a connection to the network. Because the data tunnel between the Blackberry and the server is encrypted, intrusion detection systems at the perimeter of the network won’t detect the attack.

The technique is successful, D’Aguanno says, because most companies aren’t equipped to detect someone trying to deliver an exploit from inside the network. It also works because few companies view the Blackberry as a plausible attack vector.

Continue reading “Your Blackberry can expose your company’s soft underbelly”

Netscape.com hacked

(via F-Secure security blog)

I used to keep track of hacked web sites every day. It was a fun hobby until there were so many hacked sites every day I couldn’t keep up any more. That was over 4 years ago. Still, every once in a while, a major site gets hacked and makes the news. When it happens, I hate being so late finding out about it. Now that I have a site, though, I can at least post about it. That said, check it out:

[image: netscape-hacked2.JPG]

Netscape.com has been hacked via a persistent Cross Site Scripting (XSS) vulnerability in their newly launched Digg-like news service. Attackers (who are obviously fans of Digg) have used the XSS vulnerability to inject their own javascript code snippets into pages on the website, including the homepage. As of now, it has only been used to display javascript alerts with “comical” messages and to redirect visitors to Digg.com!

Check out additional screenshots here and here.

Fortunately no one has tried to inject malicious code… yet.

We’ll finish our draft with more on the potential dangers of XSS for you soon.
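What “persistent” XSS means in the Netscape case is that a submitted story title was stored and then written into the page for every later visitor without being encoded, so whatever one user typed ran as script in everyone else’s browser. The following is an added example, not code from the original post, from F-Secure or from Netscape: a vulnerable renderer of the kind implied above beside a hardened one, over a constructed list of submissions, plus the simple check a defender can run over rendered output.

```javascript
// Added example: stored (persistent) XSS in a news-submission renderer, the
// vulnerable version next to the fixed one. The submissions below are
// constructed sample data, not anything taken from a real site.

// Constructed store of user-submitted stories, exactly as users typed them.
const STORED_SUBMISSIONS = [
  { user: "alice", title: "Kernel 2.6 released" },
  { user: "mallory", title: '<script>alert("pwned")</script>' }, // the textbook payload
  { user: "bob", title: 'Tom & Jerry: "classic" <3' },           // legitimate text with special chars
];

// VULNERABLE: stored text is concatenated straight into markup, so anything
// one user submitted becomes live HTML (and script) for every later visitor.
function renderStoryVulnerable(sub) {
  return `<li class="story">${sub.title} <em>by ${sub.user}</em></li>`;
}

// Encode the five characters that let text break out of an HTML text or
// attribute context. Output encoding at the point of insertion is the fix.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: every untrusted value is escaped as it is placed into HTML, so the
// browser displays the attacker's text literally instead of executing it.
function renderStorySafe(sub) {
  return `<li class="story">${escapeHtml(sub.title)} <em>by ${escapeHtml(sub.user)}</em></li>`;
}

// Defender's check over rendered output: the template never emits a <script>
// tag or an inline on*= event handler, so finding one means user data leaked
// through unencoded.
function containsScriptInjection(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

function renderAll(render) {
  return "<ul>" + STORED_SUBMISSIONS.map(render).join("") + "</ul>";
}

const vulnerableOutput = renderAll(renderStoryVulnerable);
const safeOutput = renderAll(renderStorySafe);

console.log("vulnerable leaks script:", containsScriptInjection(vulnerableOutput));
console.log("hardened leaks script:  ", containsScriptInjection(safeOutput));
```

The same encoding rule applies to the user name, the URL and any other field that ends up in the page, not only the title; a single unencoded field is enough, which is why the fix belongs in the rendering layer rather than in whichever input filter happened to be noticed first.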

[tags]Hacking, Hacked website, Netscape hacked, Netscape, F-Secure[/tags]

Sky marshals name innocents to meet quota?

(via Schneier’s Security Blog)
This is a story so absurd it’s hard to believe. On the other hand, this is a government organization we’re talking about, so who knows?

You could be on a secret government database or watch list for simply taking a picture on an airplane. Some federal air marshals say they’re reporting your actions to meet a quota, even though some top officials deny it.

The air marshals, whose identities are being concealed, told 7NEWS that they’re required to submit at least one report a month. If they don’t, there’s no raise, no bonus, no awards and no special assignments.

“Innocent passengers are being entered into an international intelligence database as suspicious persons, acting in a suspicious manner on an aircraft … and they did nothing wrong,” said one federal air marshal.

These unknowing passengers who are doing nothing wrong are landing in a secret government document called a Surveillance Detection Report, or SDR. Air marshals told 7NEWS that managers in Las Vegas created and continue to maintain this potentially dangerous quota system. “Do these reports have real life impacts on the people who are identified as potential terrorists?” 7NEWS Investigator Tony Kovaleski asked.

“Absolutely,” a federal air marshal replied.

. . .

Another federal air marshal said that not only is there a quota in Las Vegas for SDRs, but that “it directly reflects on (their) performance evaluations” and on how much money they make.

The director of the Air Marshal Service, Dana Brown, declined 7NEWS’ request for an interview on the quota system. But the agency points to a memo from August 2004 that said there is not a quota for submitting SDRs and which goes on to say, “I do not expect reports that are inaccurate or frivolous.” But, Las Vegas-based air marshals say the quota system remains in force, now more than two years after managers sent the original memos, and that it’s a mandate from management that impacts annual raises, bonuses, awards and special assignments.

. . .

One example, according to air marshals, occurred on one flight leaving Las Vegas, when an unknowing passenger, most likely a tourist, was identified in an SDR for doing nothing more than taking a photo of the Las Vegas skyline as his plane rolled down the runway.

. . .

Strange and other air marshals said the quota allows the government to fill a database with bad information.

A Las Vegas air marshal said he didn’t write an SDR every month for exactly that reason.

“Well, it’s intelligence information, and like any system, if you put garbage in, you get garbage out,” the air marshal said.

“I would like to see an investigation — a real investigation conducted into the ways things are done here,” the air marshal in Las Vegas said.

Although the agency strongly denies any presence of a quota system, Las Vegas-based air marshals have produced documents that show their performance review is directly linked to producing SDRs.

I have to agree with Schneier here, really, though.  This seems too insane to be real.  But with the Department of Homeland Security, stupidity seems to know no bounds.  I hope it’s not real.  I think it’s not real.  But I just can’t be certain.
[tags]Sky marshals, Department of Homeland Security, Government stupidity[/tags]