How to Become the World’s No. 1 Hacker is purportedly written by Gregory D. Evans, an animated felon who went on to become CEO of Ligatt Security International, a publicly traded company worth about 0.0002 cent per share that bills itself as a full-service computer security firm. Released by the obscure Cyber Crime Media publishing house, the 342-page PDF is a comprehensive, step-by-step guide for consumers who want to learn how to harden their networks against attackers. Unix security, Wi-Fi cracking, and web service configuration are all covered.

But it turns out that huge chunks of the book weren’t written by Evans at all, even though no other authors are credited. For instance, virtually all of Chapter 12 – 5,894 words, to be exact – is identical to this tutorial on port scanning written by Armando Romeo and published on the hackerscenter.com website in early 2008. And 1,750 words found in Chapter 9 were lifted from this manual posted to ethicalhacker.net, including screenshots that make reference to Chris Gates, the original author.

In all, at least 13 of the e-book’s 26 chapters were lifted almost entirely word-for-word from other sources without attribution, according to this analysis from Ben Rothke, a senior security consultant for a professional services firm, who ran the portions through iThenticate, an online tool for spotting plagiarism. Other sources that were used without credit include Security Focus, Auditmypc.com, and Squidoo.com.

“Mr Evans has never asked any permission from me and I’m the only owner of the copyrights of my website,” said Armando Romeo, CEO of eLearnSecurity who says in all five Chapters in How to Become the World’s No. 1 Hacker “have been literally copied and pasted from my guides” on the Hacker Center website. He added that this is the second run-in he’s had with Evans, who regularly appears on local and national TV shows to talk about computer security.

Chris Gates and Donald Donzal, the author and editor respectively of the articles on the Ethical Hacker site, are also steadfast that Evans never had permission to use their content, which was first published published in 2007. Donzal said he’s in the process of filing a take-down demand under the US Digital Millennium Copyright Act.

Evans – who in 2002 was sentenced to 24 months in federal prison after pleading guilty to wire fraud – has vociferously defended his use of the previously published articles. In an interview with The Register, he said he began work on the book in 2008, and largely drew on ghost writers who by contract agreed to submit “original content.” He insisted the submissions were vetted for authenticity by a service he declined to name. But he nonetheless went on to challenge the authors who have stepped forward to complain their work has been misappropriated.

“What you’re doing is you’re saying Greg, you put other people’s stuff in your book, but if I go out on the internet, you cannot tell me who owns those other people’s stuff,” he said. “All you’re doing is you’re telling me that who owns a website where other people publish at that website, but they’re not the owners of the content.”

‘Mitnick under my wing’
Evans, who is African American, has pushed back equally hard against other people asking hard questions about the true origins of his book. In a reference to another company Evans leads, he published a this rebuttal headlined “National Cyber Security Uncovers Racism Within the Computer Security Industry,” and continued to refer to himself as the author of the book.

In an accompanying video blog that was posted late last week, Evans went on to defend his hacker credentials, noting the he was incarcerated on the same floor as Kevin Mitnick during the latter’s five-year prison stint for hacking and fraud crimes.

“When I get in there, I take Kevin Mitnick under my wing,” Evans said in the video. “We used to turn around and have contests like who can get free phone calls, who can get away with making a three-way call without getting caught.”

Evans went on to claim that he advised Mitnick on a plea bargain he was negotiating with federal prosecutors and was in the same room as Mitnick when he learned he was going to be interviewed on the CBS News show “60 Minutes.” Mitnick denies the account.

“He basically misrepresented our relationship, our meetings” Mitnick told The Register. “He certainly didn’t take me under his wing, whatever that means. I didn’t really discuss my case with him because you don’t discuss your case with other people in jail because they’ll become informants.”

According to Mitnick, by the time he was approached by “60 Minutes,” he had been transferred to the Lompoc Federal Correctional Complex and hadn’t seen Evans in months.

Evans “made that whole story up,” Mitnick said. “He was never there.”

Mitnick also challenged the hacking skills of Evans, whose previous books include Memoirs of A Hi-Tech Hustler and Hi-Tech Hustler Scrap Book 2004-2005.

“What I recall of him, he wasn’t too savvy with hacking, but he did understand phone phreaking,” Mitnick continued. Evans’s 1998 prosecution “was a typical fraud case. It wasn’t hacking or phone freaking, really. He seemed to be a nice guy, a very evangelist type personality. I kind of sized him up kind of like a hustler, a grifter.”

Indeed, in video blogs promoting Ligatt Security to potential shareholders, Evans comes across at some points as a high-pressure salesman and at others as a class clown. In this video from last year discussing a deal involving a property known as spoofem.com he shares this nugget:

“I got the news this morning on my way to work, got here late because I caused an accident when I was reading my email and I saw it and I started screaming and I swerved and then this tractor trailer fell over and hit this bus full nuns and it was just [a] mess, but I took off real quick because I got a fast car. They didn’t know it was me, so I’m here doing this video blog. Pray for me.”

Be like ‘Googles’
In the same video a few minutes later, he compared Ligatt shares to those of Google – which he mistakenly refers to as “Googles” – before the stock hit sky-high prices: “It’s just like buying Googles,” he said. “You could have bought Googles years ago. Just imagine if you bought Googles at a penny or less than a penny how trillionaire you’d be today. I’m trying to give you that same vision.”

But it’s fair to say Evans, who says he’s 41 years old, has a temper as well. About a half hour into his interview with The Register, after growing increasingly agitated with the questions, he abruptly stopped the conversation and, through a spokeswoman, refused to continue.

And according to this account from security blogger and podcaster Chris John Riley, someone left a post threatening “to go after you family [sic]” less than 15 minutes after he spoke with Evans on the phone to arrange a taped interview regarding the allegations of plagiarism.

“I will have my friend in your country tracked down [sic] everyone you are friends with and your family and see what you are all about,” the posting stated. The person didn’t sign the message, but the IP address used to leave the message belongs to a Bell South customer in the Atlanta area, where Ligatt Security is headquartered.

Evans – who often refers to himself as the “world’s No. 1 hacker” and is regularly interviewed by various Fox News anchors and affiliates – has yet to say whether he played any role in posting the comments. He terminated his interview with The Register before the issue could be addressed.

Riley said that nothing during his brief conversation with Evans on Wednesday gave any indication there were any hard feelings. But when the time they had arranged to conduct the podcast came, Evans was a no-show.

Said Riley: “I did log onto Skype and I did wait and nothing ever came around. I thought it was funny. To be honest, I think Greg is more bark than bite.”

Source

According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner’s annual CIO survey of key technology investments. “Like with anything new, the primary concern is security,” he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises—what some call a private cloud—because they’re uncomfortable with the security issues raised by cloud computing and the industry’s ability to address them.

“We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with,” agrees Jay Heiser, an analyst at Gartner. “The things that make it easy and appealing—like the immediate plug-and-play productivity—also make it impossible to conclusively assess your relative risks.” Current certifications, such as SAS 70 and ISO 27001 and 27002, are not sufficient, he says, leading to frustration for both buyers and sellers.

For this reason, securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, “cloud providers themselves will see the opportunity to differentiate themselves by integrating security,” he says. Security vendors accustomed to selling directly to the enterprise will find that they need these cloud providers as a way to reach the market, Penn says, and as the market matures, customers will want this stuff baked into the services they’re buying. “That will be quite a radical change and a disruption,” he adds.

In the meantime, organizations such as the Cloud Security Alliance (CSA) are working to put some shape around the security issues and the ways to address them. The CSA recently released a summary of the strategic and tactical security pain points within a cloud environment, along with recommendations on how to address them. The organization divided the domains into two broad areas: governance and operations.

Domains grouped under governance include:

governance and ERM
legal and electronic discovery
compliance and audit
information lifecycle management
portability and interoperability
Domains grouped under operations include:

traditional security, business continuity and disaster recovery
data center operations
incident response, notification and remediation
application security
encryption and key management
identity and access management
virtualization
The CSA also summarized the top threats of cloud computing, along with the cloud models each threat most pertains to and guidance for remediation.

The categories of tools that can help address these threats include XML, SOA and application security; encryption tools for data in transit and at rest; smart key management; log management; identity and access management; virtual firewalls and other virtualization-management tools; data-loss prevention; and more. “You’re translating the existing security architecture into the cloud, so there are a lot of different tools you’ll need, some of which already exist and other cases where you need new technology,” Reiser says.

For instance, malware scanning tools will need to look specifically for emerging malware that targets virtual platforms; identity management systems will need to authenticate not just users but also devices and applications; and security information management (SIM) systems will need to log billions of events and analytics.

Forrester also released a list of questions that enterprises should ask to secure their cloud implementation, covering the areas of security and privacy, compliance, and other legal and contractual issues.

Cloud layers

Experts also emphasize that the level of exposure and risk for the three cloud models are very different, and the way of addressing security also differs, depending on which layer you’re engaging with. “The security requirements are really the same, but as you go from SaaS to PaaS and IaaS, the level of control you have over security changes,” says Mike Kavis, founder of Kavis Technology Consulting and CTO at a startup company. “From a logical view, nothing has really changed, but how you physically do it changes dramatically.”

SaaS.

As the CSA explains, with SaaS, the provider’s applications run on a cloud infrastructure and are accessible through a Web browser. The consumer does not manage or control the network, servers, operating systems, storage or even individual application capabilities.
For this reason, the SaaS model integrates the most functionality directly into the offering, with the least consumer extensibility, and “security responsibilities are almost entirely up to the vendor,” Reiser says. “If the vendor doesn’t encrypt data, it’s not encrypted. If there isn’t activity monitoring, you won’t get any.”

PaaS.

With PaaS, consumers create applications using programming languages and tools supported by the vendor and then deploy these onto the cloud infrastructure, the CSA explains. As with SaaS, the consumer does not manage or control the infrastructure—the network, servers, operating systems or storage—but does have control over the deployed applications and possibly the application-hosting environment configurations.
There are fewer customer-ready or built-in security features with PaaS than with SaaS, the CSA says, and those that do exist are less complete, but there is more flexibility to layer on additional security. This means users need to pay attention to application security, as well as security issues surrounding the management APIs, such as authentication, authorization and auditing.

IaaS.

Here, consumers can provision processing, storage, networks and other fundamental computing resources, as well as deploy and run operating systems and applications, according to the CSA. While they don’t manage or control the underlying cloud infrastructure, they do have control over operating systems, storage and deployed applications, and possibly limited control of select networking components, such as host firewalls, the CSA says.
With IaaS, there are few integrated security capabilities beyond protecting the infrastructure itself, but there’s enormous extensibility, according to the CSA. This means users need to manage and secure operating systems, applications and content, typically through an API.

“A lot of the perimeter security is handled by the vendor, but they’re giving you access to virtual machines, so you still have to build the application and provide the infrastructure control,” Kavis says.

With IaaS, virtualization management is a big concern, says Heiser, particularly when it comes to intrusion detection and the integrity of partitioning virtual machines. “You need to mediate separation and make sure they don’t interact with each other,” he says.

Chris Barber, CIO at Wescorp, says he is concerned about multitenancy and hypervisor vulnerabilities. “Since you have multiple users on a single physical box, there may be a security vulnerability that one user could somehow access another user’s virtual machine,” he says.

Source

General Keith Alexander cautioned that Pentagon systems are “probed by unauthorized users approximately 250,000 times an hour, over six million times a day.” The remarks by Alexander, who is also at the helm of the main US spy organizations, the National Security Agency, was made in a Thursday address to a major Washington policy think tank, the Center for Strategic and International Studies.

“Our nation’s interests are in jeopardy,” he said citing “tremendous vulnerabilities” and threats from a “growing array of foreign actors, terrorists, criminal groups and individual hackers.”

Alexander emphasized that his main priority was to develop a real time picture of threats to US military networks and devising rules to fight back by conducting cyber attacks against enemies.

Alexander said that US military “depends on its networks for command and control, communications, intelligence, operations and logistics.”

“We at the Department of Defense have more than seven million machines to protect linked-in 15,000 networks,” he noted.

Source

Fortify Software found that 56% believe these flaws could allow hackers to exploit these software vulnerabilities. As a result, security professionals are making heavy investments in penetration and code testing, combined with application scanning, to try and build security into the software.

Half of the IT security professionals also admitted to hacking, with 73% of these respondents doing so to test the strength of their own network’s defenses, 13% for fun or out of curiosity, and 3% targeting their efforts at the competition.

Compiled at Infosecurity Europe, the survey also unearthed that, amongst the 300 IT security professionals interviewed (with the majority taken from companies employing 1,000 plus employees), 31% admitted to being victims of hacking. More interestingly, with 29% replying ‘don’t know’, this figure could be substantially higher! The majority of respondents cited the application layer to be the hackers’ main target.

57% of the IT security profession also confer that the best way to check that their software applications are free of vulnerabilities and secure is to combine all available techniques and solutions, including code and static analysis, web application firewalls, application scanners and pen testing. Only 5% of the survey respondents we spoke to said their organizations didn’t employ technology for software security.

Of those in this survey that admitted to previous hacking knowledge and experience, 42% learnt in their twenties and 14% in their teens. Most people learnt to hack at work — 29%; on the Internet, 26%; at University, 13%; and 8% gained their hacking skills whilst still at school and 8% used friends to help them hone their talent.

Source

The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carder.cc forum users.

A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.

Ironically, the anonymous authors of the e-zine said they were able to compromise the criminal forum because its operators had been sloppy with security. Specifically, they claimed, the curators of Carders.cc had set insecure filesystem permissions on the Web server, which essentially turned what might have been a minor site break-in into a total database compromise.

Source

The system will identify and match hundreds of thousands of child abuse images located on suspects’ hard drives and stored in the Australian National Victim Image Library (ANVIL), and tie them to solved and cold cases.

Government technology agency Crimtrac estimates 20,000 new child exploitation images appear on the Internet each week through some 100,000 websites, paid portals and peer-to-peer sites. About 100,000 of the 500,000 images estimated to be in circulation are original.

State police agencies have no way of knowing if a seized image is original, or is part of a solved, open or cold case in another state.

Queensland Detective Senior Sergeant, Wayne Steinhart, said the system will image-match to determine if a suspect has duplicate images, or is involved in new acts of child abuse.

“Detectives spend hundreds of hours sifting through child abuse images to discover child exploitation on an offenders’ computer — it could be 100,000 images which is overwhelming, but our role is to identify victims,” Stienhart said.

“We won’t know if suspects have committed new offences unless we have eyeballed each image.”

The Child Exploitation System (CETS) is under trial by the Queensland Police and the Australian Federal Police. It uses image recognition and hash functions to identify groups of images that involve the same victim in order to gather evidence for investigation.

“It’s not nice work… the system saves the operator from that work,” Steinhart said, adding the CETS and ANVIL will provide a complete system from “seizure to storage”.

The system was built in 2005 by Canadian police services and regional Microsoft developers for more than $11 million, and is used by 25 of the nation’s police forces. The United Kingdom, the US and Italy are some of the countries that use and share data from the CETS, and according to CrimTrac national manager of law enforcement systems, Stewart Cross, has led to the dismantling of “at least” three international paedophile rings.

Steinhart said online child exploitation material is distributed evenly between websites and peer-to-peer networks and said the government’s Internet content filter will help restrict access to child porn websites.

It is expected to go live in Queensland after the trial business case is presented to Australia’s police ministers at the Ministerial Council for Police and Emergency Management Police in July.

Steinhart said there is no substance to rumours that Microsoft had planned to pull support for CETS.

Source

When conducted manually, penetration testing requires substantial knowledge of the systems that are tested. Thus, most penetration testers only feel comfortable testing web applications. Codenomicon’s penetration testing solution utilizes a unique fuzz testing technique, which learns the tested system automatically enabling penetration testers to enter new domains such as VoIP assessment or to start testing industrial automation solutions and wireless technologies. Test automation increases the test coverage of penetration tests.

One of the key components of the penetration testing solution is the Network Analyzer, which enables you to map real network traffic and to determine what really needs to be tested. It automates the work-flow for threat analysis and attack surface analysis. Thus, you can target your tests and reduce test run times without compromising test coverage.

The penetration kit is an adjustable package with flexible project-based licensing, answering your changing penetration testing needs. The test suite package contains a combination of systematic model-based fuzzers, which best suit your current testing needs. In addition, the Defensics Traffic Capture and XML Fuzzers enable you to test any protocol or XML application.

“You don’t need to be an expert to use Codenomicon solutions such as Defensics fuzzers or our Network Analyzer” says Ari Takanen, CTO of Codenomicon. “But professional security testers will also benefit from our new tools. The tools quickly find around 95% of easy flaws allowing specialists to focus on vulnerabilities that are harder to find.”

Source

Google “Massachusetts data security law, 201 CMR 17.00” and you’ll find plenty of facts about the new law. I also encourage you to read InformationWeek’s “States’ Rights Come to Security Forefront: Massachusetts’ new data protection law reaches beyond its borders. Are you ready?” It’s one of the best summaries I’ve seen. But even it falls short of helping you understand the profound impact of this law.

Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it’s persisted. Sending PII over HTTP instead of HTTPS? That’s a big no no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You’ll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted that’s $5,000,000. Yikes.

Perhaps just as much fun is the fact that to be compliant with the law your company will also need to maintain a Written Information Security Plan (WISP) and file it with the state of Massachusetts. The WISP must address and outline your business’s “technical, administrative, and physical safeguards” that are in place to protect the data. If you lost a laptop without a WISP being filed with Massachusetts, you’re potentially on the hook for a cool million even if the data was encrypted. Yikes again.

If I didn’t know better, I’d think the security czar of Massachusetts (or whatever the title is of the person who wrote this law) was a SQL Server sales executive because the law could sell a heck of a lot of SQL Server 2008 Enterprise Edition upgrades to get Transparent Data Encryption and other useful Enterprise Edition–only features in the OS and database stack.

By the way, this law doesn’t affect just businesses in MA. It also affects businesses that have PII for Massachusetts residents. Do you know if the application you’re building for a company in Virginia might ever store Massachusetts resident data? Unless you’re sure that it never, ever will, you better be compliant with Massachusetts data security law, 201 CMR 17.00. What if you’re sure and then one of your employees moves from Virginia to Massachusetts? Well, now you probably have PII for a MA resident. Yikes again. This law changes pretty much everything we need to do and think about with respect to building database applications.

I could wax eloquently on about the potential battle of states’ rights versus federal oversight and the potential for a Supreme Court challenge based on the Commerce Clause, but, this is an article for geeks, so I won’t go there. Instead, I’ll simply say once again: yikes.

Source

DNSSEC prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Cache poisoning attacks are possible because of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

In order for Web site operators and end users to benefit from DNSSEC, the standard must be supported at every level of the DNS heirarchy.

At the top of this heirarchy, the DNS root servers will support DNSSEC on July 1.

Next are the registries that operate the back-end servers for the various top-level domains. The registries have announced rolling deadlines for their DNSSEC deployments: .org and .edu in June; .net in December; and .com by March 2011.
However, none of the top 10 domain name registrars in the United States has committed to a deadline for deploying DNSSEC.

“It’s sad that the registrars are not keeping up with the registries in their deployment schedules for DNSSEC,” says Paul Hoffman, director of the VPN Consortium and an active participant in DNSSEC standards development at the Internet Engineering Task Force. “If my registrar can’t tell me when they will support DNSSEC, then I can’t do the planning I need to do to upgrade my DNS software.”

U.S. corporations — such as banks and e-retailers — won’t be able to deploy the extra layer of security provided by DNSSEC until their registrars offer it as a service.

“It is a roadblock,” Hoffman says. “If my registrar doesn’t know how do to DNSSEC, I have to change registrars…Whichever registrar announces first is going to see people switching to them.”

Of the 10 largest domain name registrars in the United States, only four responded to queries about the status of their DNSSEC deployments. None of these registrars would commit to a deadline for when they will support this new security mechanism.

Network Solutions and Dotster appear to be furthest along with DNSSEC.

“We are supportive of the DNSSEC initiative and recognize its technical importance and its efficiency in securing directory data,” sais Network Solutions spokeswoman Susan Wade. “We are working closely with the registries and are actively engaged in market research to determine the demand for DNS Security. At the present time, we do not have a launch date for our DNSSEC offering.”

“Dotster is working with a number of registries to implement DNSSEC,” said Dotster’s IT Director Aaron Bathum. “This is on our product road map, and availability is currently under review.”

Go Daddy, the largest domain name registrar in the United States, was vague about its DNSSEC plans.

Source

The botnet “Mariposa,” which means butterfly in Spanish, first appeared in December 2008 and grew to be one of the largest botnets ever, The Associated Press reported. It spread the Butterfly worm via removable drives, MSN Messenger, and peer-to-peer programs and targets Windows XP and older systems.

Unlike many underground hackers, the alleged ringleaders of the operation were not skilled programmers, but had contacts who were, authorities said.

“They’re not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits–the most frightening thing is they are normal people who are earning a lot of money with cybercrime,” Cesar Lorenza, a captain with Spain’s Guardia Civil, which is investigating the case, told the news service.

In Spain, names and mug shots of arrested citizens are not released to protect their privacy, though they were identified by their Internet aliases: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25. They face up to six years in prison if convicted of the hacking charges.

More arrests are expected, authorities said. The botnet is no longer operating, according to the AP report.

Source