Info Sec News: Nov 11, 2008

Maybe we should revisit our Cybercrime Bill, which hasn’t been approved and is in our congress for a second reading after a scant 8 years. Why? because Pakistan’s version of the bill, includes cyber-terrorism being punishable by death.

If you’re interested on articles on the Philippine version of the Cybercrime bill, there’s one from MB.com.ph from Nov 2007 by Melvin Calimag, “Cybercrime Law for RP long overdue.” Another article by the same author came out in April of this year on, “NBI exasperated over delay of cybercrime bill, hits CICT.”

News about the former Intel employee who works for AMD, that stole information with an estimated cost of over $1 billion in R&D development, can be found in CNET, and USA Today.

“A New York man has been charged with aiding the alleged leader of the hacking gang accused of stealing more than 40 million credit and debit card numbers from stores owned by TJX Companies and other companies.” reports this article from The Register.

On the Mobile Security front, a researcher says Google’s Android may not need antivirus software. Btw, older versions of G1’s software were vulnerable to an exploit that allows telnet root access discussed here and here.

The New York Times reports that DDOS attacks have been growing more potent, increasing from around half a megabit 7 years ago, to around 40 gigabits.

Three people pleaded guilty to hacking Citibank ATM cards who were able to steal $2 million in a span of four months. Maybe Manny Pacquiao should think about learning how to hack when he retires, especially since the Philippines has no Cybercrime bill, hehehe 🙂

Two Los Angeles traffic engineers admitted to hacking related to contract negotiations. Aren’t we just happy in Manila that our traffic light system uses 60’s technology? 🙂

The Financial Times and SC Magazine US, have reported to computers that were breached in the White House. The prime suspect are Chinese hackers.

Other News:

Security experts reveal details of WPA hack, their 12 page paper can be downloaded in pdf format here.

Vietnamese teams won the first and second prizes in a contest called “Capture The Flags”, part of the Hack in the Box Security Conference 2008 (hackinthebox.org) in Kuala Lumpur, Malaysia in late October

Australian Federal Police have launched a high-level investigation into a security breach involving confidential Australian diplomatic cables and police documents that were left in open files on a computer and read by guests at a hotel in Nepal.

Wouldn’t our government employees wish they have a DRP Site like this on in Bermuda?

A former prison inmate has been arrested and charged with hacking the facility’s computer network, stealing personal details of more than 1,100 prison employees and making them available to fellow inmates.

Advertisement

Wireless Hacking part 2

Yesterday, I had a post on Using Nmap to detect Rouge Wireless Access Points. With that post were various links to tools on hacking wireless networks that are freely available on the net. This is of course to help inform the public on the perils of wireless network computing. However, I also posted a link on the advantages on wireless and how to secure it. As is often the case, one must seek a balance or prioritize among that OTHER security triad of COST vs SECURITY vs CONVENIENCE.

For the history buffs, there is a A Brief History of Wireless Security from SecurityUncorked.com. CSOonline, back in May 2008, also published a very informative article on Wireless Security: The Basics.

News from SC Magazine US, SecurityFocus.com and Heise Security just came out that WPA can now be cracked in around 15 minutes.

The SecurityFocus.com news item above talks about Recovering a WEP key in less than a minute using the aircrack-ptw tool that is used with the aircrack-ng toolsuite.

I remember a few months ago Risky Business podcasts interviewed the maker of Metasploit framework, HD Moore, regarding his evil Eee PC. It’s about the new KARMA+Metasploit 3 framework which is a set of tools that listens to all client probe requests and can then become a fake wireless AP for any requested network. The scary thing here is that you can possibly get owned as long as your wireless is enabled and its automatically looking for a wireless access point, without the user even knowing it. The older Karma framework is available here.

If the Risky Business podcast didn’t get you a wee bit paranoid, an interview by Network World on, Wireless security foiled by new exploits, just might do the trick. They interviewed Joshua Wright who writes the security blog WillHackforSushi.com and is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks.

I wonder what tools were used for the “Wall of Sheep” at the Defcon conferences, which was also at the BlackHat, this year. In case you’ve never heard of the “Wall of Sheep”, its a wall with a projection of Usernames and part of the passwords for the users foolish enough to not have enough security on their wireless connections. MySpace and Gmail accounts have also shown up (in spite of Gmail using the default https, but just for log-on) through the use of replay attacks. Apple iPhones and Window’s mobile phones have also shown up.

Since you’ll want to save some of the information from the KARMA+Metaploit 3 framework, I’m guessing newer mini-notebooks like the Acer Aspire One which retails for around $350, and Lenovo Ideapad S10 which retails for around $400, would both be great for this.

Since its related, there’s an On Demand Webcast sponsored by Nokia on, Corporate Mobility Policy and Device Management. In case your organization is PCI compliant or is looking forward (or dreading) compliance in the future, Network World will be having a webcast next month on PCI Wireless Compliance Demystified.