Blog Archives

Hacking – The Card Game


An interesting and fun way to teach ethical hacking.

Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger, but from the characters to the mission cards to the entropy cards, the demystification of white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at the Black Hat 2012 confab here that when it comes to teaching ethical hacking, also known as white hat hacking, not enough educators “use carrots, not sticks.”

“Humor creates an open atmosphere,” that helps break down the shyness of learning, he said during the conference session about the game. He explained that people are more likely to ask questions about things that they think they should’ve already learned if it’s part of a game.

Games, he noted, have a spectrum from being as easy to learn as Go or dice games, all the way through Dungeons and Dragons or Settlers of Catan. Choosing a game to base Control-Alt-Hack on that involved humor and a bit of complexity would help keep the subject matter interesting for the target audience of teens and young adults.

In Control-Alt-Hack, you work as a researcher for a computer security company that gets hired to stress-test other companies. The deck of 156 cards includes 16 “person” cards to give you an identity during the game. The characters were given realistic traits, so there are no stereotypes of the obese, unkempt researcher covered in potato chip debris and pizza grease. Instead, you can play as one of eight men or eight women who have interests as varied as martial arts or rock climbing, and all are snazzily dressed in their artwork.

Source: Hacking, the card game, debuts at Black Hat | Security & Privacy – CNET News.

Look for it on store shelves later this year.



Computer Security Tips

Some great basic tips for the average user to protect your computer:

English: A candidate icon for Portal:Computer security (Photo credit: Wikipedia)

Firstly, the most important computer security tip is to have antivirus software. These programs will not let your data be lost in case some viruses enter your system. They make backup files as well, which allows you to retrieve any files that you lose. However, make sure that the antivirus you use is good software. Do not settle for any substandard program, for it may harm your PC instead of doing any good to it.

Another very important point pertaining to computer security is that you should not open attachments with emails which you receive from unknown senders. Many of these emails are intended with the purpose of transferring viruses into your system. They can damage your files or the entire computer so better not open them.

Using strong passwords is also a very important tip to secure your computer. You should use long passwords with a mixture of digits and letters so that they cannot be easily hacked.

via it’s all About Computers

One major addition to this list that I would make is:

Change your user account so that it is NOT an Administrator account.
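A quick way to check whether the account you use every day holds Administrator rights, as an added example that is not part of the original post. It reads the local Administrators group through the ADSI WinNT provider (the account name DailyUser in the printed suggestions is a placeholder):

```powershell
# Added example, not from the original post. Lists the local Administrators group
# and tells you whether the logged-in account is in it. Uses ADSI instead of
# WindowsPrincipal.IsInRole(), because under UAC a non-elevated shell reports
# IsInRole(Administrator) as $false even when the account is an administrator.
$computer = $env:COMPUTERNAME
$me       = $env:USERNAME

$group   = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})

Write-Output "Members of the local Administrators group on ${computer}:"
$members | ForEach-Object { Write-Output "  $_" }

if ($members -contains $me) {
    Write-Output ""
    Write-Output "'$me' is an Administrator. Do daily work from a standard account instead."
    Write-Output "From an elevated prompt (DailyUser is a placeholder name; * prompts for a password):"
    Write-Output "  net user DailyUser * /add"
    Write-Output "A new local user is a standard user by default; if you convert an existing"
    Write-Output "account instead, take it out of the group with:"
    Write-Output "  net localgroup Administrators DailyUser /delete"
    Write-Output "Keep one separate admin account only for installs and updates."
} else {
    Write-Output ""
    Write-Output "'$me' is a standard user, which is what the tip above recommends."
}
```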

How to Break Into Security

Excellent interview over at “Krebs on Security” with security rock star, Christian Schneier.

First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don’t have to be a coder to be a security expert.

In general, though, I have three pieces of advice to anyone who wants to learn computer security:

Read the entire interview: How to Break Into Security, Schneier Edition — Krebs on Security.

“Cybercrime moves to the cloud”

Proof that there is always risk with technology despite advances.

The same flexibility and freedom companies get from having their software and services hosted in the cloud is enabling cybercriminals to conduct highly automated online banking theft — without doing much of the necessary information processing on their victims’ own computers.

Security and privacy experts have long worried that criminals would launch attacks on the servers storing the data in cloud environments. But a report released this week from McAfee and Guardian Analytics shows that criminals are now using the cloud infrastructure itself to get more capability out of their campaigns.

“They are leveraging the cloud,” Brian Contos, senior director of emerging markets at McAfee, said in an interview. “This is the first time we’ve ever seen this.”

Read all the details: Cybercrime moves to the cloud | Security & Privacy – CNET News.

How to Break Into Security

Great series starting over at Krebs on Security on how to get into the field.

At least once a month, sometimes more, readers write in to ask how they can break into the field of computer security. Some of the emails are from people in jobs that have nothing to do with security, but who are fascinated enough by the field to contemplate a career change. Others are already in an information technology position but are itching to segue into security. I always respond with my own set of stock answers, but each time I do this, I can’t help but feel my advice is incomplete, or at least not terribly well-rounded.

I decided to ask some of the brightest minds in the security industry today what advice they’d give. Almost everyone I asked said they, too, frequently get asked the very same question, but each had surprisingly different takes on the subject. Today is the first installment in a series of responses to this question. When the last of the advice columns have run, I’ll create an archive of them all that will be anchored somewhere prominently on the home page. That way, the next time someone asks how they can break into security, I’ll have more to offer than just my admittedly narrow perspectives on the matter.

Read the whole interview: How to Break Into Security, Ptacek Edition — Krebs on Security.

CompTIA Security


Security is a major aspect of IT. One of the great ways to take one’s IT security training to the next level is to obtain a CompTIA certification. Here’s part of a great interview that Techopedia recently did with CompTIA’s director of product management, Carol Balkcom.

Techopedia: Many know CompTIA for its A+ certification. Tell us about your other security offerings.
Carol Balkcom: CompTIA Security+ is our first exam devoted entirely to security, and it was originally launched in 2002. All of our exams are “vendor neutral”, meaning that they aren’t tied to any one vendor’s products – and Security+ is no exception.
CompTIA A+ and Network+ also have security components in them, because of course today’s support technicians and network administrators must also be knowledgeable about security. As an aside, all three of these exams (A+, Network+, Security+) are on the U.S. Department of Defense Directive 8570 that requires certification for information assurance personnel. As a result, a large number of professionals have taken these certifications over the last few years.
To get back to our security offerings, earlier this year we formally launched the first in CompTIA’s “Mastery” series of exams, our CompTIA Advanced Security Practitioner (CASP).

Techopedia: Tell us more about Security+. What major subject areas are covered and who is the primary audience?
Carol Balkcom: The primary audience for Security+ is IT professionals with two or more years of hands-on, technical information security experience. There are Security+ certified professionals in all types of organizations, from the U.S. Navy to General Mills to the Archdiocese of Philadelphia. As to the subject areas in Security+, the broad knowledge “domains” are network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography.

Techopedia: What about CASP? Can you tell us more about the designation?
Carol Balkcom: For the CompTIA Advanced Security Practitioner (CASP), we recommend at least 10 years in IT and five years of hands-on technical security experience. It is intended for the security architect working in a large, multi-location organization. The CASP also looks at the security implications of business decisions, such as the acquisition of one company by another, as an example.

Be sure to check out the rest of the interview, which includes Ms. Balkcom’s take on the certification vs. experience question.

Dirty little secrets …

As an IT security professional, do you think you learned everything in class? Probably not.

In that case here’s a great presentation by security addict Rob Fuller on pentesting.

Proof that in the IT security field one is constantly learning in order to mitigate the risks of new threats.



Hackers to expand cybercrime activity

After a successful 2011 by those who exploit cybersecurity for a living, consumers and businesses need to be mindful of these potential security issues in 2012 according to security software provider Cenzic.

Top Cybersecurity Issues and Themes for 2012

1. Social Networking Threats
Social networking security threats will continue to persist, but login information won’t be the target for hackers. Instead, hackers will use social networks like Facebook to mine the data of company employees. Using this information, cybercriminals will devise more sophisticated phishing attacks in order to infiltrate corporate environments to steal private data.

2. Mobile Threats
Digital wallets will gain greater acceptance in 2012, making them a bigger target for hackers. Most mobile phones have built-in safeguards against data theft, but improvement is needed in the way mobile-payment information is transmitted from mobile phones to the Web. The expansion of mobile apps with potential security flaws will also lead to increased risk.

3. Cloud Threats
Cloud technology has transformed from a buzzword into reality. As the growth rate continues in 2012, hackers will focus on companies storing data in the cloud. Organizations that hand off customer data to cloud providers will find themselves most at risk.

4. Cybercrime Policy For Victims
Companies will face additional scrutiny from legislation designed to make disclosures around cybercrime a priority. New laws will be made to give businesses strict guidelines for disclosing when they have been hacked, the type of data stolen, and what their customers need to do to protect themselves.

5. Hacktivists Mature
More hacker groups like Anonymous will begin to ally themselves to political causes. As protesters march for and against causes in the real world, hackers will form “digital marches” that cause chaos for their opposing parties.

These are just five areas of concern. What additional ways do you think hackers will “take advantage of” to gain access to business and consumer information?



Metasploit 4.0 means ….

more tools for IT security pros & penetration testers.

Security product provider Rapid7 has updated its widely used open-source Metasploit exploitation framework, expanding the software so it supports enterprise IT security staff as well as its core audience of penetration testers.

“Originally the framework was focused on just running exploits. Penetration testers were our core base,” said Rapid7 Metasploit chief architect H.D. Moore, referring to the security professionals who are paid by organizations to break into — and thereby document the weaknesses of — computer systems. “But now we are seeing a huge demand from organizations that just want to put all their existing vulnerability data in one spot and validate all those vulnerabilities.”

Not sure what Metasploit is? Go to the source to learn more.



Security holes in mobile bank apps

This is not good.

A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps.

“Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws,” research firm viaForensics wrote in a post on its site. “The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly.”

The company had reported its findings to The Wall Street Journal earlier in the day. Yesterday, viaForensics went public with problems in PayPal‘s iPhone app, spurring the online payment provider to action.

Specifically, according to the report, viaForensics concluded that:

- the USAA’s Android app stored copies of Web pages a user visited on the phone;
- TD Ameritrade’s iPhone and Android apps were storing the user name in plain text on the phone;
- Wells Fargo’s Android app stored user name, password, and account data in plain text on the phone;
- Bank of America’s Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and
- Chase’s iPhone app stores the username on a phone if the user chose that option.

While most of the companies scrambled to update their apps, this tidbit is concerning.

Spokespeople from several of the financial institutions told the newspaper that the supposed holes, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.

As pointed out by Andrew Hoog of viaForensics:

“Our appWatchdog service clearly highlights the secure aspects of the financial apps we tested. Unfortunately, in the security world (especially when you access your bank account or provide credit card numbers), providing security most of the time is simply not good enough. For mobile app providers, there are no shortcuts to protecting customers’ data. It must be engineered from the start and thoroughly tested after any change in the app or underlying OS (i.e. iPhone iOS or Google Android).” (Source: CNET News)

While technology advancement has made life easier in many respects, security cannot be sacrificed.

