In many companies the marketing, public relations, HR and other “business” functions really don’t want anything to do with security.  It’s true.  We always get in the way by stopping money making and/or great marketing ideas with phrases like “If you do that…the hax0rs are going to pwn us!” or “No you can’t, that’s against our security policy.  Go away now.”  Unfortunately, all it takes is one bad experience from the “security people” and they won’t want to work with you ever again.  I’ve seen it happen many times and I’ve even been “that evil security guy” at various times in my career.

It’s because of this bull headed attitude that these departments start finding ways around your policies, procedures, website blocking and more.  Why? Because security people are increasingly impossible to deal with.  Too much red tape, policies, rules and most of all…lack of communication.  That’s right, I said it.  Lack of good communication.  When was the last time you talked to these people in your company?  When was the last time you offered to help them with a compromise or solution rather then saying no?  This might be a shock to some of you but these are the people helping make the business money.  All of us in security are just an extra expense to the business.  Don’t make our jobs harder!  Here are three steps to help communicate to these people better:

1. Get out of your shell
We love to hang out and network at security conferences and user groups.  It makes sense because we are comfortable around our own people.  However, take a step back and think about what the “business needs” for a minute.  You are there to help the business succeed.  So go out and help them!  One way to do this is to attend a marketing conference.  Seriously.  You get to meet and talk to people that want to help the business make money and know how to do it.  You also get to learn what the business wants.  This will get you thinking about how you as the “security person” can help make that happen while keeping the business and its information safe.

2. Learn something new
What does marketing have to do with security?  All kinds of things!  SEO, blogging, social networking, social media, brand reputation, monitoring and more.  These are hot topics right now and there are serious security and privacy issues to be concidered.  You need to be involved!  The best way to do this is to attend their conferences, read their blogs and communicate.  One good way to get involved is to look for a local social media club in your area.  We have a great one in Cleveland and there are others in cities all over the US and probably the world.  Attend, learn and network.  It can only benefit you and your company.  Same goes if you are a consultant.  Meeting marketing people is a great way to get new business because they usually have a direct line to upper management at a company.  They will also be so impressed that a security person actually took the time to show up to a marketing conference…they might call upper management for you.

3. Teach and Educate
We have all “beaten the horse to death” regarding security awareness.  Many in security say it doesn’t work and is a hopeless battle.  While there is no patch for human stupidity, you still need to make an effort.  If anything, by you as the “security person” showing up at the marketing departments monthly meeting it shows that security wants to be involved with what they are doing.  This alone says volumes!  Especially to management of those groups.  Get out there and explain why you have certain policies, how the security team functions or better yet…how you can help them market the business and do it securely.

Subscribe to the SBN from here via RSS or OPML.

Via Reuters:

“Its memory had names of al Qaeda members, fingerprints and suspects’ academic records as well as pictures of rocket launchers and missiles, the Sun newspaper reported.”

Opps… So did the camera have a “If lost, please call the following MI6 number” sticker on it? That is one big mistake for the British intel boys…

To start off…this was one busy and eventful week! I met so many people this week it was crazy. I am officially overflowed with business cards! I got lots of opportunities to not only meet some of the people that I admire in the security industry but also had a chance to network with a great many others that I just met. There were some really good parties (umm..networking opportunities) at both Black Hat and Defcon. Some worth mentioning that I was at were Mozilla, Core Impact, Ethical Hacker, and I-Hacked. I also attended a Security Twits meetup on Friday night at Sushi Roku and got to meet many of the Security Twits in person which was really cool. Thanks to @quine for organizing this event!

I attended several talks at both Black Hat and Defcon. I was able to attend everything that I wanted at Black Hat and even attempted to “live tweet” the Dan Kaminsky talk. You can see my updates through TweetScan or other Twitter search tools by searching for #blackhat and #defcon on my Twitter ID (agent0x0). Most of my time at Defcon was spent watching my wife win the Guitar Hero 3 Medium contest…(first woman to win this contest at Defcon) and improving my lock picking skills in the lock picking village. I have to say that I focused a lot of my time at Defcon just enjoying the contests and meeting new friends. I absolutely love Defcon. It’s the greatest meetup of the good, bad, and everyone in between. One talk that was a highlight for me was Jay Beale’s talk on “Owning the users with the Middler”. I interviewed Jay on the Security Justice podcast about a week ago where he talked about the tool. Jay’s talk was packed! Standing room only (goons were sent in to crowd control). He did a good job even though he couldn’t finish his talk because time ran out. If you get an opportunity to see Jay speak, I highly recommend it! Speaking of goons…I have to hand it to the Defcon goons this year for doing a great job with crowd control! I overheard one goon say that he was doing crowd control for a “f***ton” of people! Oh, and the badges were pretty cool as well…once I waited in a long line for mine on day 2. The badge is actually a “tv-b-gone”…I could turn the TV on and off in my hotel room with the badge. Neat!

Speaking of podcasts…I was fortunate to participate in the live podcast at Defcon 16 right before the I-Hacked party in one of the Sky Boxes. I podcasted with Chris and Jay from Securabit, Larry from PaulDotCom, Matt from SploitCast and Martin McKeay from the Network Security Podcast. Rob Fuller (@mubix) coordinated and hosted the event. Hopefully some of you were able to tune into the live video and audio and chat via IRC. Not sure if the recording will be released or not. I’ll post a link if it is.

Finally, lots of pictures were taken!! I will be posting mine to both my personal and the Security Justice podcast web site Flickr account soon.

It looks like my plane just arrived…I hope to post more stuff on Black Hat/Defcon in the coming days.

August 6th
10:00 to 11:00
Nmap: Scanning the Internet – Fyodor Vaskovich

If your a penetration tester, don’t miss this one…Fyodor is a legend (heck, even some girl at sexyhacking.com (NSFW!) thinks so…the man has stalkers! ) and I’m looking forward to hear about new and unique ways to use Nmap.

11:15 to 12:30
Black Ops 2008: Its The End Of The Cache As We Know It – Dan Kaminsky

Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan’s talks) but well worth attending.

13:45 to 15:00
Client-side Security – Petko D. Petkov

Another not to miss talk in my book. Petko or better known as pdp heads up GNUCITIZEN which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and are always on the cutting edge. As a bonus it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.

15:15 to 16:30
Bluetooth v2.1 – a New Security Infrastructure and New Vulnerabilities – Andrew Lindell

This one should be different. I recently started gaining more of an interest in Bluetooth vulnerabilities. Andrew will “show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long”. Sounds interesting.

16:45 to 18:00
MetaPost Exploitation – Val Smith

This is one I am really looking forward to. This is one just for penetration testers. I saw Val Smith and HD Moore present last year on “Tactical Exploitation” and it was outstanding.

After hours…
The Pwnie Awards 2008

If I’m not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.

August 7th
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks – Shawn Moyer and Nathan Hamiel

I was tossed between this one and “Encoded, Layered and Transcoded Syntax Attacks”. However, I am really on a social network security kick as of late so I think I will attend this one. If it is lame, I’ll jump in the other talk.

11:15 to 12:30
Threats to the 2008 Presidential Election (and more) – Oliver Friedrichs

While not pentest specific…this one looks pretty interesting. The synopsis notes the following: “…we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election.” Sounds cool!

13:45 to 15:00
Hacking and Injecting Federal Trojans – Lukas Grunwald

The “infection proxy” demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker…with the amount of technical detail she usually covers…it’s tough to keep up.

15:15 to 16:30
…Continuing “Hacking and Injecting Federal Trojans”. If it seems to suck, I’ll be at the following:

The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation – Nathan McFeters, John Heasman, Rob Carter

or…

Get Rich or Die Trying – Making Money on the Web, the Black Hat Way – Jeremiah Grossman, Arian Evans

I can’t decide between these two, perhaps I will attempt to see a little of both!

16:45 to 18:00
Methods for Understanding Targeted Attacks with Office Documents – Bruce Dang

We all have seen a rise in this type of attack over the last year. It’s true…there isn’t a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what’s behind them and help with introducing some new prevention methods.

Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even…it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I’ll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter…or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I’ll be there representing the Security Justice podcast.

Stay tuned for my Defcon 16 “talks to attend” post in the next few days.

I guess in a way it’s good to be a bit “old fashioned” but if he was to become the president don’t you think that he should at least be competent with basic computer technology (like reading and responding to at least some of his email)? Perhaps we should send him a copy of this book to help him along?

So I was watching TV tonight and saw a commercial for WaMu (Washington Mutual Bank) advertising their “Online Banking Guarantee“. What I found interesting was the whole scenario that played out in the commercial…

Woman: “Hey, I’m using WaMu Online Banking…”
Man: “Online Banking?? That’s not safe!!”
Woman: “It’s safe…I have WaMu’s Online Banking Guarantee!”
Man: “Oh…cool.”

(Note: this wasn’t word for word but pretty close…you get the idea.)

As a security professional I find it disturbing that you would “guarantee” something (like online banking) is safe and secure without a ton of terms and conditions (I’ll get to this in a minute). We all know that nothing is 100% secure. Sure, online banking in general is safe to use..we all know banks are regulated to provide customer safeguards…etc…So how does WaMu pull this off? Here’s the deal:

“For any fraudulent or unauthorized transaction that has been initiated during an online banking session at wamu.com, WaMu will provide 100% reimbursement of the transaction amount plus any related account charges imposed by WaMu or lost account interest resulting from such transaction.”

Sounds good right? Here is the kicker…you as the customer have responsibilities which if you don’t live up to, you get no guarantee…check these out:

“You have protected your password by creating one that would be hard for others to guess and do not write down or share your password with anyone.”

Customer: Hard to guess password? So my dog’s name isn’t hard to guess?

“If you suspect a fraudulent or unauthorized transaction has occurred, you must contact WaMu within 60 days…”

Customer: I’m on it…I never, ever procrastinate about anything!

“If you knowingly share your username and/or password information with others, we will consider any direct or indirect transaction initiated online by this person as an authorized transaction.”

Customer: My wife knows my username/password does that count? Damn…I’m getting a ton of these pop-up’s on my PC…weird.

and…buried deep in the Online Services Agreement & Disclosure:

“You are responsible for the installation, maintenance, and operation of the Computer and browser software. The risk of error, failure, or non-performance is your risk and includes the risk that you do not operate the Computer or software properly. The Bank is not responsible for any errors or failures from any malfunction of the Computer or the software nor is it responsible for any electronic virus, viruses, worms, or similar software that you may encounter. The Bank has no liability to you for any damage or other loss, direct or consequential, which you may suffer or incur by reason of your use of the Computer or the software.“

Thus…no guarantee. Enjoy!

So why don’t more banks and financial institutions set this up for their customers? PayPal was able to do it right (not perfectly, but close)? It comes down to customer support and cost. One of the many ways a bank or financial institution makes money is by offering products that are user friendly and can be used by just about anyone. For someone using a two-factor authentication token with some technical skill it’s a cake walk…unfortunately, the average bank user (think about your mom or the person in your family with the least amount of technical skill…yes, the one that calls you to fix their computer…) will most likely be confused as how to use the device and that will be a call to the bank’s customer support center (calls cost $$) and lets not forget about the back end infrastructure (servers and IT staff cost $$) and all the additional red tape the institution has in regards to advertising and putting a friendly spin on it to customers.

Martin McKeay and Michael Santarcangelo on the Network Security Podcast (Episode 110) had some good discussion about this. In a nut shell the conversation was about how banks offer many different easy to use services and tying a two-factor solution to all of these products is just not worth the cost, time and effort (except for high wealth customers). Also, what happens when you have multiple accounts at multiple banks? Do you carry around multiple tokens? My opinion? Until there is something easier to use and more secure, I don’t see most banks or financial institutions going two-factor anytime soon.

“Blogsecurify was created to help individuals and organization to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time come.”

I tested it out and it works as advertised. Just make sure you enable/disable the template plugin that is required. I used the old security scanner that was on Blogsecurity.net and didn’t get a ton of value out of it in the past so this is great news! Actually, the old scanner told me that the WordPress installation that I was scanning was out of date and vulnerable even though I had the latest version installed! Blogsecurity.net has some really good resources for hardening your WordPress installation by the way. I recommend that if you have a WordPress blog you download the paper they have on hardening your WordPress installation. While some of these tips are easy (change the admin account name and use role based access) others are a bit complex and may break most of your plugins (.htaccess modifications) without significant testing. Either way, it’s worth checking out to make your WordPress installation more secure.

I guess you could say I am somewhat of a Black Hat n00b! This will only be the second time I have attended Black Hat in my security career. I have been to quite a few security related conferences in the past (most of these involved training as well as conferences all integrated into one event like SANS Fire) but since coming back from Black Hat last year I discovered the value of attending a conference like Black Hat. Three things come to mind as to why someone should go to Black Hat:

1. Great speakers! Seriously, if you want to “be there” when new vulnerabilities and exploits are released to the security community by some of the greatest security researchers in the world…that’s Black Hat! I liked how conference attendees were able to “vote” in advance for selection of the talks this year. I felt this added real value to the great speaker line up for this years conference!

2. Good mix of “black hat”, “white hat”, and everything in between (gray hat) attendees. With a little more on the side of “white hat”. This adds to the whole energy of the conference and allows some good networking opportunities. Black Hat is probably the one security conference where your company won’t think you are just going to another “hacker con”. For example, you can say to your boss “Hey, they have a vendor show with XYZ company that will be there!” Lucky for you if you are using the security product of XYZ company. Not to mention XYZ company will get you a pass to one of the cool after parties (for more networking of course…).

3. Free admittance to DefCon. As a paid Black Hat delegate you get into DefCon for free! How can you beat that? Stay at Caesars Palace in a luxury suite the whole week and attend one of the best hacker con’s in the world! I could do a whole post on how great attending DefCon is but in short it’s awesome to see even a more diverse crowd then Black Hat of the good, bad, and the plain ugly! Not to mention the “spot the fed” and all the other fun games and activities unique to DefCon.

Can’t wait to go this year and to also network with some of the other bloggers in the Black Hat bloggers network! Hope to see some of you there (and at DefCon 16).

If you have been reading my blog and others in the Security Bloggers Network recently then hopefully you should know about the really cool alliance this year between Black Hat and the Security Bloggers Network. If not, here is a quick and dirty overview…

Basically, there will be a Black Hat topic of the week based on one of the scheduled briefings. The bloggers can then blog on that topic to hopefully generate some interesting conversation prior to the conference. Since there are about 150 different security blogs covering every angle of security in the network it should make for some interesting blog posts.

In addition the Security Bloggers Network will be linked on the Black Hat web site and in various conference paraphernalia. Personally, I am really looking forward to blogging about some of the hot topics that will be talked about at Black Hat this year!

Be sure to follow all the Black Hat updates on Twitter and if you haven’t subscribed to the Security Bloggers Network OPML, check it out! You can also follow me on Twitter and FriendFeed as I will be at both Black Hat and Defcon 16 this year, hope to see some of you there…

Also, if you plan on attending this year don’t forget to register for the Black Hat “sneak peek” webcast on June 26th!

Amazing that security breaches like the one I am about to tell you about are becoming more common…so common that the mainstream media like CNN doesn’t even report it anymore. If you haven’t read about this pretty significant security breach yet…let me briefly tell you about it…

Bank of New York (BNY) Mellon and People’s United Bank of Bridgeport, CT may have Social Security numbers and bank account information lost when unencrypted backup tapes went “missing” from BNY Mellon. No big deal right? Only 4.5 million customers affected. From the Reuters article:

“…on February 27, Bank of New York Mellon was transferring back-up tapes with data, including names, addresses, birth dates and Social Security numbers, when it lost a box with six to 10 unencrypted tapes….an archiving vendor lost the tapes from its Shareowner Services unit, but there was no evidence any data had been inappropriately accessed or used.”sic

Basically People’s hired BNY Mellon Shareowner Services in 2007 to tabulate votes and process stock orders during its conversion from a mutual bank, which is owned by depositors, to one that is fully publicly traded.

Moving on…nothing to see here right?

The problem is that this data was not BNY Mellon’s customer data but the customer data from People’s United Bank, some Wachovia employees and some 64,000 MetLife shareholders…

“People’s United claims this was a BNY Mellon security lapse, as People’s United transmitted encrypted information to BNY Mellon who in turn created the unencrypted backup tape(s) that was lost.”

Good for People’s Bank for encrypting the data in the first place…but the problem lies with the vendor(s). It seems that more and more financial institutions are letting other financial institutions and other vendors process transactions and convert information for them. Trusting others with your sensitive data is not always the best idea (even though thats how business gets done these days), however, BNY Mellon should have encrypted these backup tapes in the first place! What about the vendor (Archive Systems Inc.) who actually lost the box of tapes? I would think that they are to blame as well. Sounds like a lot of vendor management issues here from many angles.

I would think that a large archive vendor like this would have some kind of policy stating some form of compensation for losing a box of tapes in transit. Almost how armored truck carriers transfer money from a bank branch to a financial processing center…if the armored car was compromised in transit and the bank lost all the money inside the car, it’s not the bank’s fault…thus the armored car carrier is responsible for the loss and would have to compensate the bank.

Looks like 4.5 million customers will get one year of crappy credit monitoring service as usual because of poorly managed vendor relationships. Nice.

I wrote an article some time ago about multiple platform password managers. At the time I talked about PasswordSafe and Password Gorilla. While both of these are really good password managers that work on Linux, Windows and OSX…Matt Neely talked about KeePass at the NEO InfoSec Forum last week and how KeePass is probably the best password manager available.

What is really cool about KeePass is that you can use it on just about anything including Blackberry and Windows Mobile devices. Having a password manager on the Blackberry just about sold me and I have yet to try it, however, what did sell me was the KeePass port called KeePassX for Linux and OSX! I downloaded and installed it on my Mac and it is way faster then the old Password Gorilla. The features are really great to with automatic clearing of your clipboard, a nice easy to navigate interface and a password expiration system. My only gripe was that I had to load up the Windows version to import my PasswordSafe formatted database file for use in the OSX version. The Windows version has a plugin you can download which will automatically import your database file from PasswordSafe. There is no PasswordSafe import plugin for OSX currently. Other then that, I am converted and love it!

“Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords.”

“…a store server that was running in administrator mode, making it far more susceptible to attackers…”

and my favorite…

“My store manager even posted the password and user name on a post-it note…”

So whats the issue here? Two things…sure, telling your management that there are security issues was the right thing to do. However, when nothing changes based on the information you told them then things need to be escalated to a higher level of management. I would hope that TJX has some sort of “ethics” or “privacy” hotline (most major companies have these and they are anonymous) that this guy could have called. How about doing some research within the company Intranet to find out who to contact…that would be an easy approach to take if your management is not listening to you. Secondly, not the brightest idea to post on a hacking forum to let the whole world know of these issues. This guy was easily tracked back to his real IP…heck he probably even posted from work which made tracking him even easier! If he was really serious about not wanting to be caught then he should have used Tor or some other anonymous proxy to setup the account and make those postings (keep in mind he was just a retail worker, no IT background so Internet anonymity was an afterthought). Either way, not a very smart thing to do.

I still find it hard to believe that the TJX information security department would have thought it was ok to have blank passwords to log on to servers! If so these are not security professionals in my book…heck, a bunch of script kiddies wouldn’t even use blank passwords! My guess is that the information security department never even knew about these issues. The “management” that he reported the issue to was actually the loss prevention department. The loss prevention department in retail and other companies mainly deal with preventing shoplifting and theft…really not the right people to handle information security issues. Regardless, TJX still seems like a security train wreck…they won’t be getting my business anytime soon.

If you happened to sign-up for the Black Hat USA 2008 Briefings early this year you will notice that as a paid delegate you are able to review and comment on all the current papers submitted to the Black Hat speaker review board. You can basically comment and rate each paper and also provide comments back to the person/group that submitted the paper.

Black Hat has always been a great security conference and I really like this new format as it gets the people that actually attend a chance to put input into what talks will be selected. One thing to note…there are some fantastic submissions, however, I was surprised to see all the junk that gets submitted as well! Reminds me a lot of getting resumes for open job positions…most resumes are 90% crap, 10% qualified.

If you are signed up for Black Hat USA 2008, you need to do your reviews quickly as the CFP closes May 1st.

Another point is that these types of targeted attacks are becoming more common. It’s getting easier for anyone to find detailed information about anyone (not just CEO’s) by using free tools like Maltego or by getting creative with your Google searches. This particular phish was very personalized and I would expect this trend to continue.

Check out the IT Security Events Calendar here.

From the pen testing side I require the testing team to document everything in at least some kind of document format like a text file to include time stamps to track when and what they did. Others find saving all the command shell activity to a file works just as well. It can be a pain when consolidating this data but having this documentation is better then tracking down who did what and when. As for process and procedure documentation I have just put everything in a centrally stored office document that the team can access. We can then track the revisions to this document by keeping it in this one location. Not a very sexy solution but it works for the team. One idea the team and I started to think about was putting together a Wiki (MediaWiki based) accessible to the team so each member could make updates and upload screen shots “on-the-fly”. I have used SharePoint, LiveLink, and Wiki’s for documentation in the past. The Wiki format seems to be the easiest to use and update.

One other thing to consider is how do you “securely” store all of this data (Wiki or not)? Our team stores this information on a encrypted file store (it was a strange third-party solution, nothing standard like TrueCrypt) but it can be difficult to access at times and tough to maintain the access control when team members come and go.

So how do others handle documentation as a pen test and/or security professional? Are you using a Wiki or other CMS type solution? What are some best practices regarding handling security documentation? Please add your comments and ideas…

<%image(20080110-password_gorilla.jpg|112|123|Password Gorilla Logo)%>

I blogged about this great program that allows you to securely store your passwords on multiple computers. In doing some further research I found a program that is based off of Password Safe called “Password Gorilla“. I had been using the Java version of Password Safe both on my PC and Mac. One of the things that bothered me with the Java version is that it was sometimes slow and sluggish performance wise, on my Mac Password Safe was leaving weird .tmp files in my Documents folder, and I also wanted something I could easily put on a thumb drive (meaning the entire program) so I could get my passwords from any computer if I needed to.

I am happy to report that Password Gorilla is running off of my USB thumb drive (Password Gorilla for Windows is just a .exe file), with my password database on the same drive. When I want my passwords on my Mac, I plug the USB drive in and fire up the OS X version of Password Gorilla and open up my password database stored on my USB thumb drive. Very easy. There is also a Linux version (using tlckit) which I still need to try out. If anyone has played with Password Gorilla in Linux, please add your comments.

“Sears.com is distributing spyware that tracks all your Internet usage – including banking logins, email, and all other forms of Internet usage – all in the name of “community participation.” Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software (“the proxy”) on your system, all data transmitted to and from your system will be intercepted.”

How this still even possible with privacy laws and other regulations? Especially from a major retailer like Sears. Super scary stuff! Reminds me of the Sony Rootkit issue awhile back….check out the links below for more information on this.

Digg – Sears: Come see the softer side of spyware

Updates to the original blog posting from Benjamin.

More updates with full screen shots of the spyware installation.

“Password Safe allows you to manage your old passwords and to easily and quickly generate, store, organize, retrieve, and use complex new passwords, using password policies that you control. Once stored, your user names and passwords are just a few clicks away.

Using Password Safe you can organize your passwords using your own customizable references—for example, by user ID, category, web site, or location. You can choose to store all your passwords in a single encrypted master password list (an encrypted password database), or use multiple databases to further organize your passwords (work and home, for example). And with its intuitive interface you will be up and running in minutes.”

So I gave it a try and I am happy to report that Password Safe is my new password management program. Things I like about this program:

- Java client available for OS X, Linux and Windows. This gives you the ability to use your password database on multiple OS’s.
- Portable Installation. The database can be placed on a USB thumb drive for portability.
- Secure encryption of the database.
- Random password generator built in.
- Ability to choose your own password policy and set expiration for your passwords.
- “Auto Type” feature.
- Easy to use, free, and open source!

Here is a screen shot of the easy to use interface when creating a new password entry:

<%image(20071206-pwsafe.gif|424|513|Password Safe Screenshot)%>

You can check out and download the application here. Now let’s see how my Mom likes it…I will share those results with you later.

I’m a pretty big Apple fan boy and love my iPod and my PowerBook G4 (hope to upgrade to a Intel Macbook Pro one of these days). One of the misconceptions about Mac’s is that they are more secure then Windows…while in a way this is true (they are not as targeted as Windows because of a lower market share), however, they are still vulnerable to recent OS exploits if not patched and other things that are easily overlooked by the average Mac user.

Here is a good article talking about basic security procedures you should use for your Mac. These are things easily overlooked like creating a non-administrator account for daily use and locking up your Mac with a security cable in a shared or public area.

So what’s up with the increase? Blame this one on Angelina Jolie “fake” nudes! Spammers have been sending out emails tempting users to view “nude” pictures of Angelina and other famous women. Clicking on the link gives you another surprise..the Pushdo Trojan!

“The trick of tempting users with scantily clad pictures of hot-looking girls is as old as the hills, but people still fall for it. This outbreak underlines that hackers have not turned their backs on using email as a vector for attack. “

It sounds funny, yet true! Goes to show that there needs to be an increase in user awareness around clicking on links in SPAM as well as opening email attachments. Many people think that if they have anti-virus installed then they are protected. This isn’t always the case as Trojans like these take time for the anti-virus vendors to develop signatures for and every anti-virus vendor is different.

Full article on this is here. ]]> http://www.spylogic.net/2007/10/angelina-jolie-nudes-increase-malware-in-september/feed/ 0 http://www.spylogic.net/2006/08/all-electronic-devices-soon-to-be-banned-on-airplanes/ http://www.spylogic.net/2006/08/all-electronic-devices-soon-to-be-banned-on-airplanes/#comments Thu, 10 Aug 2006 15:42:06 +0000 agent0x0 <%image(20060810-e112.jpg|191|230|Security?)%>

As I am sure all of you have heard in the news about the bomb plot that was recently uncovered in London. What is now starting to happen becuase of this is that all electronic devices with a battery will most likely be banned from all flights. This will dramatically change the way people fly…could you imagine a 6+ hour flight without your iPod or laptop? How would this change the entire business world as many people conduct lots of company business on long flights with a laptop? Lots of questions to answer with very few answers I am afraid.

CNN.com – Experts: Air security focuses on past threats – Aug 10, 2006

AOL search data identified individuals