
October 20, 2007

Redaction cat is out of the bag for Wells Fargo

From Risks Digest 24.82

This is just like when Starbucks used to redact all but the last 5 digits of your credit card number on receipts. So anyone with a Starbucks receipt + any other receipt could piece together the whole card number. D'oh!

From the juxtaposition wayback machine:  http://juxtaposition.axley.net/archives/2006/06/visa_prohibits.html

Date: Mon, 3 Sep 2007 14:12:06 -0700 (PDT)
From: Tom Watson
Subject: Redacted account numbers

My bank (Wells Fargo) in its infinite wisdom has decided to change the way
it attempts to redact account numbers. In looking over the transactions for
an infrequently used account (I only have it because my ex-wife is a signer,
and who knows when I'll need to cash a check with her name on it!) I noticed
that the method had changed from the July to August automatic transfers I
have to keep the account active. In July, the account number is listed with
THE LAST 3 digits as 'X'. In August, the method is now all 'X' EXCEPT FOR
THE LAST 4 digits. I just looked and said to myself "what is wrong with
this picture?". The risk: when you change methods of redacting, change ALL
occurrences, not just the new ones. You may just totally unredact what you
were attempting to hide.

Fortunately in my case, I know the account number anyway, so TO ME it is no
big deal (unless I print out something), but I'm aware, which is the
thing to be.

I sent the bank a note as well. I don't hold out much hope for anything
constructive in return, but we will see.

[It seems pretty stupid to make such a change that completely exposes the
account number to anyone with records before and after sanitization. PGN]
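The failure in the Risks item, and in the Starbucks receipt case above, is that two views of one number masked in different ways leak more in combination than either does alone. The following is an added example, not code from the blog or the Risks Digest item: it models the July mask (last 3 digits hidden) and the August mask (only the last 4 visible) on a constructed account number, merges what each view exposes, and includes a hypothetical policy check that fails whenever a set of records does not all hide the same positions.

```python
MASK = "X"

def visible_positions(masked: str) -> dict:
    """Map index -> digit for every position the mask left readable."""
    return {i: ch for i, ch in enumerate(masked) if ch != MASK}

def merge_masks(views: list) -> str:
    """Union of everything exposed across several masked views of the same
    number. Positions no view exposed stay masked. Raises if two views
    disagree on a digit (then they are not views of the same number)."""
    if not views:
        raise ValueError("no views")
    length = len(views[0])
    if any(len(v) != length for v in views):
        raise ValueError("views have different lengths")
    known = {}
    for v in views:
        for i, ch in visible_positions(v).items():
            if known.get(i, ch) != ch:
                raise ValueError(f"conflicting digit at position {i}")
            known[i] = ch
    return "".join(known.get(i, MASK) for i in range(length))

def exposed_digits(views: list) -> int:
    """How many digits someone holding all of these views can read."""
    return sum(1 for ch in merge_masks(views) if ch != MASK)

def mask_last_n_hidden(number: str, n: int) -> str:
    """July-style mask: everything visible except the last n digits."""
    return number[:-n] + MASK * n

def mask_only_last_n_visible(number: str, n: int) -> str:
    """August-style mask: only the last n digits visible."""
    return MASK * (len(number) - n) + number[-n:]

def masks_consistent(views: list) -> bool:
    """Policy check (hypothetical): every record must hide exactly the same
    positions. A mask change that leaves old records in the old format
    fails this, which is the risk the Risks item describes."""
    hidden = {frozenset(i for i, ch in enumerate(v) if ch == MASK) for v in views}
    return len(hidden) == 1

ACCOUNT = "1234567890"  # constructed sample, not a real account number
july = mask_last_n_hidden(ACCOUNT, 3)          # "1234567XXX"
august = mask_only_last_n_visible(ACCOUNT, 4)  # "XXXXXX7890"

if __name__ == "__main__":
    print(july, "+", august, "->", merge_masks([july, august]))
    print("masks consistent:", masks_consistent([july, august]))
```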

Security Tools and Browser Extensions

This site has a huge list of Firefox Extensions (Add-Ons) that are security tools.

http://www.security-database.com/toolswatch/FireCAT-Firefox-Catalog-of,232.html

And then there's always this great list of general tools.

Top 100 Network Security Tools

After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”.

Gartner chides PCI SSC

Governance is an important part.  If the PCI SSC member companies want to ward off government regulation, they certainly need to be more transparent.  That they could end up with such milquetoast controls as simply "encryption" or "web application firewalls" being treated as equivalent to "source code security review" is a testimony to what happens in the smoke-filled rooms there.

Gartner analyst chides PCI Security Standards Council - IT Security News - SC Magazine US

The Payment Card Industry Security Standards Council (PCI SSC) has taken two steps forward and one back by the creation of a new Board of Advisors, according to Gartner analyst Avivah Litan.

AV Fightclub

You get to talk about this Fightclub.  Kaspersky wins again.

I would be somewhat wary of ClamAV though since it seems to suffer from loads of security holes:  http://secunia.com/product/2538/?task=statistics_2007 versus the Kaspersky results:  http://secunia.com/product/10470/?task=statistics_2007

Also, refer back to the previous posting Juxtaposition: Antivirus bakeoff public results for another source of AV comparisons.

untangling the future… » Blog Archive » AntiVirus Fightclub Results!

Only three (Clam, Kaspersky, Norton) call all of these. Three others (F-Prot, Sophos, McAfee) missed a few ranging from an 80-90% catch rate - not very good considering these are all really common viruses, but certainly better than others. GlobalHauri and the gateway appliances (Sonicwall, Fortinet, Watchguard) all performed poorly - catching about 60% and less of these common viruses. Watchguard would only catch one virus (the eicar test virus), which is odd because I thought they used the ClamAV engine.

Get Mitnick's "business" card - complete with lockpick tools

This is really cool.  I've got to send in for mine.  Which password should I send...

On a related note, I was running a table for the ISSA Puget Sound and we had a raffle where we asked for business cards or alternatively, a piece of paper with your name and contact information.  As a joke, we asked people for their email password and/or their Social Security Number.  There were actually some people willing to give them up.

Mitnick Security Consulting, LLC

Send a self-addressed stamped envelope, your IP address and password to:

2245 N. Green Valley Parkway
Suite 411
Henderson, NV 89014

Top 10 Craziest Conspiracy Theories

Hard to believe that people believe this stuff.  But in a country where 61% of people believe the story of Noah's Ark literally, I can believe it I guess.

Hakspace.net - Top 10 Wackiest Conspiracy Theories

Physical security lacks physical security

I can't believe that these systems have such a horrible design!

Basically, these guys showed how you can inject a tiny device that records the data the scanner reads, so that you can build devices to replay it later.

2 Screws, 1 Plastic Cover, How Many Airports Infiltrated?

besides a meat cleaver or, in the case of your eyeballs, a soup spoon, these systems are all laughably easy to bypass, thanks to a primitive protocol called Wiegand that just about all ACSes (access control systems) have inherited.

At the Defcon hackers conference here on Aug. 4, Zac Franken laid out on a table the components typical of a physical proximity card system, the essential elements of which, at least when you're talking about the way the ACS decides whether or not to let you in, are the same as a biometrics system. (Franken manages an IT company in London. Like many Defcon presenters, he asked for restricted identification.)

And then Franken proceeded to demonstrate how $10 worth of hardware will enable you to stick a quick connect microprocessor on a spliced wire, and flip the switch on whether the ACS thinks you've got access rights. The quick connect device contains a small, programmable microcontroller called a PIC chip. In a nutshell, pop the plastic cover, pull the wire, snip, snip, snap on your quick connect, seal it up, pass your proximity card, green blink, and—bzzzzt—you're in.
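What the reader-to-panel wire actually carries is worth seeing, because it explains why the splice-and-replay demo works at all. The following is an added example, not from the article or from Franken's talk; it assumes the common 26-bit Wiegand layout (bit 0 even parity over bits 1-12, bits 1-8 facility code, bits 9-24 card number, bit 25 odd parity over bits 13-24). Parity is the only check in the frame: there is no nonce, timestamp or MAC, so every presentation of one card puts identical bits on the wire and the panel has nothing to tell a recording from the card itself.

```python
def parity_ok(bits):
    """Check both parity bits of a 26-bit frame.
    Even parity bit 0 covers bits 1-12; odd parity bit 25 covers bits 13-24."""
    even_group = bits[1:13]
    odd_group = bits[13:25]
    return (bits[0] == sum(even_group) % 2 and
            bits[25] == 1 - sum(odd_group) % 2)

def decode_wiegand26(bits):
    """Return (facility_code, card_number), or raise on a malformed frame.
    Note what is NOT here: no field changes between presentations, so a
    panel cannot distinguish a replayed frame from a genuine swipe."""
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected 26 bits of 0/1")
    if not parity_ok(bits):
        raise ValueError("parity error")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card

def frame_from_string(s):
    """Parse a frame written out as '0'/'1' characters (e.g. a logic-analyzer dump)."""
    return [int(c) for c in s.strip()]

# Constructed sample frame: facility code 1, card number 2.
# Not captured from any real system.
SAMPLE = "1" + "00000001" + "0000000000000010" + "0"

if __name__ == "__main__":
    print(decode_wiegand26(frame_from_string(SAMPLE)))  # (1, 2)
```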

Run Linux from flash drive under windows using Qemu

Very cool.  I need to try this on my flash drive.

Using Ubuntu Linux on a flash drive and run it under Windows

The following article is going to tell you everything you need to know in order to make a USB flash drive with Ubuntu Linux installed, similar to the ones we sell here at PenLinux.com