From lyger at attrition.org Sat Aug 8 04:58:15 2009
From: lyger at attrition.org (lyger)
Date: Sat, 8 Aug 2009 04:58:15 +0000 (UTC)
Subject: [attrition] review: Book: The Security Minute :01
Message-ID:

The Security Minute :01
Robert Siciliano - Amazon.com
ISBN: 978-0964812673
Safety Zone Press, Copyright 2003
Review by: Lyger
Sat Aug 08 00:52:17 EDT 2009

Editor: Chris Roerden
Illustrator: Ken Tango

Disclaimer: I "virtually" know Robert Siciliano through email contact over the last 2-3 years. During that time, he has shown wit and charm in his responses to our questions and observations. However, my opinion as to his actual experience / expertise with security as it relates to computers and networks will not be touched on in this review; do your own research and come to your own conclusions.

Backstory to this review: Robert sent a message to his LinkedIn contacts regarding the possible rental of his home on the east coast, and offered a copy of his book to anyone willing to repost it on other forums. Lyger was a recipient of the message and responded:

-----------
From: lyger (lyger at attrition.org)
To: "Robert Siciliano Robert at IDTheftSecurity.com"
Date: Sun, 14 Jun 2009 20:30:21 +0000 (UTC)
Subject: Re: 3br Ocean Front Apt For Rent, Boston Area, SAVE THIS EMAIL

if we post this on attrition, can we have a book?
-----------

From there, it was easy:

On Sun, Jun 14, 2009 at 4:37 PM, lyger (lyger at attrition.org) wrote:
> CMON WE HAVE A MAIL LIST TOO
>
> attrition mailing list administration
> Membership Management... Section
>
> 472 members total
>
>
> On Sun, 14 Jun 2009, Robert Siciliano wrote:
>
> ": " oh god
> ": "
> ": " Robert Siciliano
> ": " http://IDTheftSecurity.com

[...]

From jericho at attrition.org Mon Aug 10 02:56:44 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 10 Aug 2009 02:56:44 +0000 (UTC)
Subject: [attrition] Errata: Security Company Spam
Message-ID:

Previously, Errata tracked security companies that resorted to unsolicited email (spam) on the regular Security Companies page. Today, we broke it out to its own page and standardized the HTML / formatting used:

http://attrition.org/errata/spam.html

While the list looks a bit small right now, the next task will be to finally sort through the backlog of over 100 mails saved that may end up on the page. In addition, several members of the FunSec mail list regularly post spam they get to the list, which we will incorporate.

As always, if you get spam from a security company, please send it with full headers to errata at attrition.org.


From jericho at attrition.org Mon Aug 10 06:20:28 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 10 Aug 2009 06:20:28 +0000 (UTC)
Subject: [attrition] Errata: Security Company Spam
In-Reply-To:
References:
Message-ID:

And if you refresh.. the list has already doubled. Still more to go through in my archive, as well as FunSec. While working on it, also received a submission from Daniel which we will add to the list. Thanks!

On Mon, 10 Aug 2009, security curmudgeon wrote:

:
: Previously, Errata tracked security companies that resorted to unsolicited
: email (spam) on the regular Security Companies page. Today, we broke it out to
: its own page and standardized the HTML / formatting used:
:
: http://attrition.org/errata/spam.html
:
: While the list looks a bit small right now, the next task will be to finally
: sort through the backlog of over 100 mails saved that may end up on the page.
: In addition, several members of the FunSec mail list regularly post spam they
: get to the list, which we will incorporate.
:
: As always, if you get spam from a security company, please send it with full
: headers to errata at attrition.org.
:
:


From jericho at attrition.org Tue Aug 11 10:24:38 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 11 Aug 2009 10:24:38 +0000 (UTC)
Subject: [attrition] Reporting terrorism, affect your credit? (we're doomed)
Message-ID:

http://attrition.org/security/rant/fbi01.html

Reporting terrorism, affect your credit? (we're doomed)
Tue Aug 11 05:49:16 EDT 2009
security curmudgeon

Right as I am about to wind down for the night, ISN rolls in, filling the inbox of most people before they wake. One of the last articles caught my attention and I read the first few paragraphs.

Sandia to boot behemoth botnet

This article (full GCN article) was disturbing to say the least. A couple of academic researchers, cut off from the real world, out of touch with reality and how the 'world' works, decide they need to control a botnet. Not a 10k node botnet, not a 100k node botnet.. but a 1 million node botnet.

In case you haven't read lately, the threat of a botnet is serious. Some men are charged in botnet related crimes, and the threat of a million-PC botnet is a threat to consumers. (Still don't believe? Google 'botnet threat'.)

[..]

Uh, really? "Terms and conditions"? I actually have to agree to all of this about "notification to my credit card company" and any complaint is "initiated at the discretion of the law enforcement and/or regulatory agency receiving the complaint information"? In short, there is a "click-wrap" license invoked on reporting a threat to national security that may relate to my credit, and that law enforcement MAY initiate an investigation. If I call 911, they initiate an investigation even if it's a hangup. Yet telling the FBI about a threat to national security MAY initiate an investigation?

[..]

From jericho at attrition.org Fri Aug 14 09:40:23 2009
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 14 Aug 2009 09:40:23 +0000 (UTC)
Subject: [attrition] Top Security Firm RSA Tries to Silence Blog
Message-ID:

http://www.wired.com/threatlevel/2009/08/rsa-tries-to-silence-blog/

By Kim Zetter

Top Security Firm RSA Tries to Silence Blog

RSA Security, one of the top security firms in the country, has sent takedown notices to a blogger and his hosting company in an effort to silence his discussion of a vulnerability found on a bank web site that RSA helps monitor, according to the blogger.

The firm has accused the blogger of trademark infringement (a common tactic of companies like Wal-Mart and Farmers Insurance Group to silence criticism) and of running a fraudulent web site that misleads the bank's customers.

In its efforts to shut down the blog, RSA even claimed that the blogger's site could become a host of phishing and other fraudulent scams against the bank clients, according to company correspondence posted by blogger Scott Jarkoff.

A spokesman for RSA told Threat Level that the company had no response at this time.

[..]


From lyger at attrition.org Sat Aug 15 04:36:10 2009
From: lyger at attrition.org (lyger)
Date: Sat, 15 Aug 2009 04:36:10 +0000 (UTC)
Subject: [attrition] postal: Strap-on Saturday!!
Message-ID:

http://attrition.org/postal/p0019.html

it always starts on CraigsList
no wiggle room
making it clear
what else needs to be said?
wtf, over?
sorry john (probably our fault)
HI (was re: i like spaghetti)
all gestapo on his SMTP ass
Captain Asspants (our hero!)
six years later...
well, ok

[...]


From jericho at attrition.org Thu Aug 20 01:55:47 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 20 Aug 2009 01:55:47 +0000 (UTC)
Subject: [attrition] Gartner Gartner Gartner Gartner Gartner Gartner (morons)
Message-ID:

Gartner is a company that provides research and analysis to stuff.
I've never taken them seriously, because they are mostly analysts that spend time writing about technology, not using or troubleshooting it. Gartner also does predictions on technology trends. Gartner charges for this research for the most part. Gartner's insight is often about the same as you would get from a first year MCSE or first year CISSP.

Gartner. See their name? We cannot say it, or so they claim. This mail will be archived on the attrition site, and I believe we have other pages that mention their name. Wonder if we get a C&D from Gartner.

Gartner, analysts turned morons turned impotent lawyers. Big surprise.

- http://www.networkworld.com/community/node/44252

When censorship goes too far, we cannot say Gar-ner anymore
Gar-ner gets what it deserves, all blogs deleted with company name in it as an act of protest
By Larry Chaffin on Sun, 08/09/09 - 10:36am.


From jericho at attrition.org Fri Aug 21 23:18:46 2009
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 21 Aug 2009 23:18:46 +0000 (UTC)
Subject: [attrition] Security Companies that send Spam
Message-ID:

http://attrition.org/errata/spam.html

Four updates:

[09.08.21] - Radiant Global Inc. (radiant-global.com) Spams
[09.07.20] - IT-Harvest (it-harvest.com) Spams
[09.06.15] - Fiberlink Communications Corp. (fiberlink.com) Spams
[09.04.24] - Stelar Global Inc. (sgius.com) Spams


From jericho at attrition.org Sun Aug 23 03:59:21 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 23 Aug 2009 03:59:21 +0000 (UTC)
Subject: [attrition] Music Review: Cat Power & Juliette Lewis
Message-ID:

http://attrition.org/music/concert/cat_juliette.html

Cat Power & Juliette Lewis
Concert: Denver Botanical Gardens Chatfield
2009-08-22

I'm back from seeing Cat Power and Juliette Lewis in concert. They were both opening acts for The Pretenders, but I skipped the main act. They performed at the Denver Botanical Gardens Chatfield location, in the open air amphitheatre.

[..]

From jericho at attrition.org Wed Aug 26 00:50:48 2009
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 26 Aug 2009 00:50:48 +0000 (UTC)
Subject: [attrition] Event: Mangle-A-Thon Boston, September 19th, 2009
Message-ID:

---------- Forwarded message ----------
From: David Shettler
To: dataloss at datalossdb.org, dataloss-discuss at datalossdb.org
Date: Tue, 25 Aug 2009 20:45:35 -0400
Subject: [Dataloss] Event: Mangle-A-Thon Boston, September 19th, 2009

http://mangleathon.opensecurityfoundation.org/

Join OSF in Somerville, MA on September 19th, 2009 from 8am to midnight, and help us mangle vulnerabilities into the Open Source Vulnerability Database (OSVDB), and mangle data loss incidents and primary sources into the DataLossDB.

The event, hosted by Midnight Research Labs Boston, is free and sponsored by Voltage Security (http://www.voltage.com), which will assist us in providing food and drink for attendees.

OSF moderators will walk participants through the projects and teach participants how volunteers maintain the entirety of both data sets. Our goal is to get as much new and accurate data into both databases as possible, possibly add a couple of new recruits into the fold, and have a good time doing it.

Have suggestions regarding the projects? The lead developer (Dave) will be there, as will the lead content guys for both projects (Kelly and Craig). You can actually see your suggestions implemented right there at the event... but only if you attend.
:)

Where: Midnight Research Labs Boston
       30 Dane Street
       Somerville, MA

When:  Saturday, September 19th, 2009
       8am to midnight (three time slots: 8am - 1pm, 1pm - 6pm, 6pm - midnight; register for all or some)

Register via the "Register" link at: http://mangleathon.opensecurityfoundation.org/

--
Dave Shettler
Volunteer, CTO and Vice President
Open Security Foundation
http://opensecurityfoundation.org
http://datalossdb.org
http://osvdb.org

_______________________________________________
Dataloss Mailing List (dataloss at datalossdb.org)
Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php


From jericho at attrition.org Thu Aug 27 03:59:39 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 27 Aug 2009 03:59:39 +0000 (UTC)
Subject: [attrition] Errata - Auto Fail: Automatic Update Mechanism Failure
Message-ID:

[We're sure there are a lot more incidents. If any come to mind, please submit them to errata[at]attrition.org.]

http://attrition.org/errata/autofail.html

Auto Fail: Automatic Update Mechanism Failure

New update available! Click here to download now!

From virus signature updates that identify competing products as a trojan, to operating system updates that break core functionality, there has been no shortage of quality control failures in updates released by vendors. Many of these updates are delivered to the user's computer via automatic update mechanisms. That means these problematic updates are delivered to millions of computers quietly and efficiently, typically without user interaction.

It's always welcome to see security bugs fixed or better rules released in the products we use.
But when the price of that fix is at best an annoyance and at worst a complete system failure, we're not so sure it's worth it. At the very least, users should be aware of the various types of failures and the frequency with which they occur. While mistakes happen to everyone, we'll leave it as an exercise to the reader to notice any trends from repeat offenders.

[..]


From jericho at attrition.org Sat Aug 29 01:48:35 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 29 Aug 2009 01:48:35 +0000 (UTC)
Subject: [attrition] PGP.Com Sucks (OSX support)
Message-ID:

---------- Forwarded message ----------
From: Richard Forno

Snow Leopard comes out for OSX users today. OSX 10.6. Hurray!

While watching the Redskins-Patriots on the big screen, I go about trying to upgrade my test laptop only to discover the Apple DVD is not recognizing the hard drive as something that can support OSX. WTFO?

Resourceful as ever, I begin to Google for answers. As I Google, an email[1] arrives from PGP.COM saying that their current product is incompatible with 10.6 and if users want to use PGP they should not upgrade, but that if we "intend to upgrade to Snow Leopard, you must decrypt all PGP encrypted drives and uninstall PGP Desktop before upgrading the system to Mac OS X 10.6." They go on to say that 10.6 support is forthcoming in their next major release but offer no details on when it will be, except to say they're accepting beta applications now.

*blink*

Taking beta applications now? There are freeware and shareware developers whose products are fully compatible with 10.6 and PGP only now is soliciting beta testers? Did the company just realize that OSX 10.6 was coming out today? Didn't they get the memo? Are there no OSX users at PGP Headquarters?
So back to my stalled Snow Leopard upgrade on my laptop: Thanks to Google's timely archiving of the Apple support boards[2] I found out that not only did I have to uninstall PGP, repair disk permissions, and reboot (which still didn't fix the problem), but since PGP apparently does something to the OSX partition table, I had to enter Disk Utility and dynamically resize my laptop's hard drive by a few megabytes just so a new partition table could be written --- at which point I was able to install OSX 10.6 just fine. (Note that I had installed, but did not use, PGP on this computer, and certainly did not use their Whole Disk Encryption.) What kind of stuff did PGP have to write to my partition table to make it unreadable by Apple's own installation disk?

Unfortunately, after many years of dealing with their quirky product registration system and hiccups with routine OS upgrades, tonight's news has forced me to say that PGP has lost me as a customer --- their annoying corporate quirks aside, I cannot trust any security product that tweaks (nay, borks) my system in such a troublesome manner, and certainly not one that seems to treat Mac users as third-class citizens.[3]

I'm not the only one who feels this way, either -- indeed they are correct in titling their concerns the Audacity of Hopelessness.[4]

Accordingly, I will follow the lead of my coworkers and other securitygeek friends and embrace GPG for my encryption needs.

Alas, PGP, I bid thee a sad adieu.

-rick

[1] http://blog.pgp.com/index.php/2009/08/sneak-peek-pgp-whole-disk-encryption-for-snow-leopard/
[2] http://discussions.apple.com/thread.jspa?messageID=10063151
[3] How about their officially-unsupported but unofficially-supported Mail.App plug-in? After nearly a decade of OSX in the marketplace they still don't officially support Apple's Mail program?
[4] http://pgpsucks.wordpress.com/