Hacking Does Pay! US Law Let’s Hacker Keep Fraudulent Earnings

darknet.org Ah I think it’s time for controversy on a Tuesday, what do you think about this case where a hacker got some info on a company about it’s soon to be plummeting share prices by breaking into their computer. By investing $41,000 in stock potion trading on the shares that were about to drop - he pocketed almost $300,000!

Even so the story has changed slightly, they said it wasn’t him that broke into the network - but it was someone else. Either way a hacker got the info and he exploited it.

For the rest of the story CLICK HERE

Has GMail's CAPTCHA Been Cracked?

pcmag.com Security software company Websense is reporting that the CAPTCHA protecting signups for Google's GMail has been cracked. Bots are now signing up with a success rate of 1 in 5. The attack is complicated and creative.

The goal would be to create a network of Google accounts. These could have great value because Google and it's domains are unlikely to be blacklisted and access to other Google services is available on the same account.

A CAPTCHA is a test that attempts to force a human to interact with the program as opposed to an automated script. Typically a word is presented as a graphic with distortions and stray lines to impede automated character recognition. There have been a few famous CAPTCHA cracks; obviously some CAPTCHAs are more sophisticated that others.

As are the cracks themselves. This attack uses two bot systems on the same network operating in tandem to crack the CAPTCHA. The two systems attack with different strategies.

Websense is still investigating. In the process of investigating this bot they found a web site (in Russian) with a money-making service for breaking CAPTCHAs. The net is always spawning new business models I guess.

PayPal: Steer clear of Apple's Safari

If you're using Apple's Safari browser, PayPal has some advice for you: Drop it, at least if you want to avoid online fraud. Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer.

read more | digg story

SOPHOS releases their security threat report

Among the findings of SOPHOS, one of the top security vendors:

Web threats – one new infected webpage discovered by Sophos every 14 seconds, or 6,000 a day
Cybercrime reaches Apple – Mac users being targeted by financially motivated hackers for the first time, proving malware is not just a Windows problem

Threats to mobile and Wi-Fi users – iPhones, iPod Touches, ultra-mobile PCs and others at greater
risk of attack and may encourage exploitation of
browser vulnerabilities
Information theft soars – scammers using stolen data to craft targeted emails

Read the entire report - CLICK HERE

Identity theft study reveals HSBC, Bank Of America, Wash. Mutual top targets

Customers of HSBC, Bank of America and Washington Mutual suffer the highest rates of identity theft in the banking industry, according to an an investigative study released today by a UC Berkeley Law School researcher.

read more | digg story

Man Records Phishing Call

A man in Virginia who apparently likes to record suspicious phone calls captured a 10-minute talk with the world's clumsiest phisher who called his house trying to get his bank account number.

read more | digg story

Comodo hails malware removal guarantee

Security outfit Comodo has become the first vendor to offer 'guaranteed' malware removal from PCs protected by its software.

The 'A-VSMART' warranty costs $79 per PC, per year, which the company claims removes the burden on a non-expert user of having to remove complex malware types such as spyware and rootkits, which can be tricky to get rid of using automated routines. Instead, each subscriber will be given access to a remote Comodo engineer to do the job manually on a 24/7 basis, on an incident-by-incident basis

For the rest of the story CLICK HERE

An excellent interview with a security guru

Watch out for scary new hacker tools like KARMA, plus exploits in Bluetooth and 802.11n, says Joshua Wright in this recent Network World chat.

Just when you thought your wireless network was locked down, a whole new set of exploits and hacker tools hits. WPA2, PEAP, TTLS or EAP/TLS can shore up your network, if configured properly. Securing clients is a lot more difficult. These topics and more were addressed by Joshua Wright in this recent Network World chat.

For the interview transcript CLICK HERE

Security experts warn of potential malicious AIR code

On Monday, Adobe Systems rolled out its new Web 2.0 development tool, Adobe Integrated Runtime, or AIR. Following its release were some concerns from the security community.

read more | digg story

YouTube outage underscores big Internet problem

Sunday's inadvertent disruption of Google's YouTube video service underscores a flaw in the Internet's design that could some day lead to a serious security problem, according to networking experts.

The issue lies in the way Internet Service Providers (ISPs) share Border Gateway Protocol (BGP) routing information. BGP is the standard protocol used by routers to find computers on the Internet, but there is a lot of BGP routing data available. To simplify things, ISPs share this kind of information among each other.

To read the rest of the story CLICK HERE

Man accused of stealing 7-year-old's ID

CARPENTERSVILLE, Ill. - Police in a Chicago suburb say the Internal Revenue Service has told a 7-year-old boy he owes back taxes on $60,000 because someone else has been using the youngster's identity to collect wages and unemployment benefits.


Officers in suburban Carpentersville said Friday the second-grader's identity has been in use by someone else since 2001. To read the rest of the story CLICK HERE

Hackers ramp up Facebook, MySpace attacks

Image Uploader AcFive-exploit toolkit includes code aimed at AtiveX control

February 23, 2008 (Computerworld) Hackers are actively exploiting an Internet Explorer plug-in that's widely used by Facebook and MySpace members with a multi-attack kit, a security company warned Friday.

The exploit directed at Aurigma Inc.'s Image Uploader, an ActiveX control used by Facebook, MySpace and other social networking sites to allow members to upload photos to their profiles, is just one of five in a new hacker toolkit being used by several Chinese attack sites, said Symantec Corp. To read the rest of the story CLICK HERE

Do You Trust Your Computer Repair Firm?

Recently I ran across a link to this video from a news team that told how they made a simple adjustment to a working PC to see how honest various computer repair facilities were in analyzing, and what they would charge for a very simple repair. Here are the results: Wow, does anyone trust BestBuy any more?

Credit reporting firm sues LifeLock over fraud alerts in consumer history files

Experian's lawsuit claims that identify theft protection service is itself engaging in fraud

February 21, 2008 (Computerworld) LifeLock Inc., which touts itself as one of the largest providers of identity theft protection services in the U.S., is being sued by Experian Inc. for allegedly placing false fraud alerts on consumer credit-history files maintained by Experian as part of its credit reporting business.

Experian filed its lawsuit in the U.S. District Court for the Central District of California, which has its main office in Los Angeles. In the suit, the Costa Mesa, Calif.-based company claimed that LifeLock is itself engaging in deceptive and fraudulent behavior. Lifelock's business model is built around false and misleading advertising and fraudulent practices that are causing millions of dollars in monetary damages to Experian and that eventually could reduce the effectiveness of fraud alerts, according to the suit.

For the rest of the story CLICK HERE

Google to Store Patients' Health Records

Google Inc. will begin storing the medical records of a few thousand people as it tests a long-awaited health service that's likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader. For the rest of the stoy CLICK HERE

Google says 'ISP glitch' exposes Gmail data in Kuwait

A glitch with an ISP in Kuwait has allowed at least one user to access other peoples' Gmail accounts, Google said on Wednesday.

read more | digg story

Phishers cash in on genuine warning with vishing scam

Cybercriminals clone bank switchboard to trick worried customers. IT security and control firm Sophos is warning computer users to be extra vigilant about any emails which claim to come from financial institutions, no matter how genuine the correspondence appears.

read more | digg story

50 Percent Of the Internet Used By Hackers!!

Ian Cook, Security Evangelist with Team Cymru Research, told delegates at the `Regional Cybersecurity Forum' yesterday: "We monitor the Internet for bad stuff and half of the Internet is used by hackers as well as for criminal activity."

read more | digg story

Information Security Breach Of Desktop Hard Drive At Massachusetts School Department

It had to happen sooner or later. A hard drive, on what I assume to be a desktop computer, was stolen from the Malden headquarters Department of Education, in Massachusetts. An auditor for the department arrived to work last week only to find that his computer wouldn’t work. Assistance was requested, and the technical workers identified the problem by pointing out that whole disk was missing. To read the rest of the story CLICK HERE

Phishers cash in on genuine warning with vishing scam

Cybercriminals clone bank switchboard to trick worried customers. IT security and control firm Sophos is warning computer users to be extra vigilant about any emails which claim to come from financial institutions, no matter how genuine the correspondence appears.

read more | digg story

Microsoft scrambles to quash 'friendly' worm story

Microsoft is moving to counter scathing comments over a security paper authored by researchers at its Cambridge facility,which suggests computer worms can be used for good...

read more | digg story

Sophos horrified at Microsoft 'good worm' notion

Computer viruses and worms are incredibly good at spreading their payload across the Internet, infecting PCs. But what if that payload was beneficial, rather than harmful? A Microsoft Research paper suggests these ‘friendly worms’ could be helpful – but Sophos says this is pure ‘nonsense’ – and we heartily agree!

read more | digg story

Americans' e-Commerce Conundrum

internetnews.com New report finds that U.S. consumers love the convenience of shopping online, but worry about security. A new study from the Pew Internet Project casts light on the love-hate relationship many Americans have with e-commerce.

In response to the survey, 78 percent of U.S. Internet users said that online shopping is convenient, and 68 percent said it saves time. Yet, 75 percent said they don't like giving out personal information like a credit card number over the Internet. To read the rest of the story CLICK HERE or visit:
http://www.internetnews.com/ec-news/article.php/3728301/Americans+eCommerce+Conundrum.htm

How to Hack Into a Boeing 787

The FAA's worried bad guys could break into the navigation system of Boeing's new 787; Boeing says the problem's already fixed, but won't say how.

read more | digg story

Google finds evil all over the Web

The Web is scarier than most people realize, according to research published recently by Google. The search engine giant trained its Web crawling software on billions of Web addresses over the past year looking for malicious pages that tried to attack their visitors. They found more than 3 million of them, meaning that about one in 1,000 Web pages is malicious, according to Neils Provos, a senior staff software engineer with Google.

read more | digg story

FREE Computer Security Software From Compusec

If you own a notebook, you need to have some form of protection on that computer should it get lost or stolen. There is some good software out there and I happen to run across one this morning that looks like it is a very good choice for the person who wants to encrypt data without spending a fortune doing so. That software is Compusec. There is a free version that has a very complete set of features like

Encryption for Hard disk using 256-bit AES algorithm and in hibernation mode
Encryption for CD / DVD for secure publishing and sharing of CD data using CDCrypt
Encryption for Diskettes and Removable Media Devices such as ZIP drives, USB thumb drives or Memory sticks

There are many other features as well. It comes in a Windows and Linux version. Best part of all is it's completely FREE. There are no limitations, there's online support and everything is a full function. You can get your copy HERE

Or browse to their website at:
http://www.ce-infosys.com/english/index.html

P2P Dangers -- Great News Story

Here's a great news report on the myriad dangers of P2P file sharing and how you can get hijacked without even knowing it. You parents, pay attention please, your teenagers are exposing you to the world!!

Beware of Caller ID Spoofing

There exists on the internet tools that people can use to effectively use any Caller ID that they want. Add to that the ability to change your voice from a man to a woman, or of course vice versa. These tools can be used for any number of ways to fool a person that receives the call. I will refer you to an article that came up today that explains how one person used one of these tools. He used it for reasons of his own that were unethical, but there are more sinister uses for it. Bottom line, don't give out personal information over the phone to anyone. To read the story CLICK HERE

Or goto:
http://www.networkworld.com/columnists/2008/021408-net-buzz.html?fsrc=rss-security

There could be malware lurking inside that Clinton 'video'

Update 11:45 a.m. PST: This blog incorrectly described part of what the link downloads. It downloads a Trojan horse. The link does not take viewers to a video.Moving beyond Valentine's Day as a social-engineering theme, online criminals have started sending out e-mail with a supposed link to a recent interview with Senator Clinton

read more | digg story

SecureWorks: Attacks Against Healthcare Up 85%

FEBRUARY 13, 2008 | ATLANTA -- SecureWorks, one of the leading Security-as-a-Service providers, has seen an 85% increase in the number of attempted attacks directed toward its healthcare clients by Internet hackers. Attempted attacks have increased from an average of 11,146 per healthcare client per day in the first half of 2007....

read more | digg story

Browser Security Test

I found this today and tried it. It is a very thorough test that will tell you if you have any vulnerabilities in your browser. Be warned, it might crash your browser, so close any other tabs you might have open before running it. I currently use Firefox 2.0.0.12 and I passed all the tests. See how you make out CLICK HERE, or the website address is: http://bcheck.scanit.be/bcheck/index.php

Most Mobile Users Don't Know if They Have Security

McAfee-sponsored research finds mobile users expect vendors to pre-install 24 x 7 protection.

February 13, 2008
By David Needle

Security vendor McAfee released results of a survey of mobile users focused on their awareness and concerns related to security threats, which showed more than three quarters of respondents don't have any security at all. Read the rest of the story....Click Here or visit the website:

http://www.internetnews.com/security/article.php/3728001

Don't fall victim to the St Valentine's Day malware massacre

Sophos reports on a storm of emails with cruel intentions. Companies and consumers have been warned to be aware of the dangers of emailed Valentine's in the run-up to romantic celebrations on February 14th. Millions of emails are expected to be sent in the run-up to St Valentine's Day, and some of them will include malicious viral attachments or link to dangerous websites. Full Story

Felonspy - How Well Do You Know Your Neighbors?

This site let's you know if there are any convicted felons living near you. Not sure how they determine accuracy, but maybe you might see someone you know living near you.
Click Here to be redirected or visit www.Felonspy.com

Older Software Leaves the Popular Eee PC Vulnerable to Attack

The Eee PC sub-notebook from Asus is wildly popular, but according to RISE, a security firm based in Brazil, the ultra portable is also remarkably easy to compromise.

The Eee PC ships with a version of Xandros Linux installed, making the laptop one of the most popular Linux devices to date. But regrettably it turns out that the version of Xandros used in the Eee PC includes an out-of-date version of Samba, which leaves the machine open to attack.

Is it time to consider PDF a threat?

The 8.12 patch for Adobe Reader that Adobe released last week fixed a number of security holes—but not before malware capable of exploiting them had been on the market for weeks. The end result is tough questions on whether it is time to consider PDF a security threat.

There is a great alternative to Adobe Reader. It's called Foxit. It is a much smaller application and does a very good job. I've used it for several months now and I don't think I'll ever go back to Adobe Reader. You can find a link to the download by Clicking Here

read more | digg story

Rule by fear or rule by law? Please Take The Time To Read This Carefully

Since 9/11, and seemingly without the notice of most Americans, the federal government has assumed the authority to institute martial law, arrest a wide swath of dissidents (citizen and non-citizen alike), and detain people without legal or constitutional recourse in the event of "an emergency influx of immigrants in the U.S.

read more | digg story

The day the wiretaps go dead

While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy to use privacy technologies are upon us, and with them, comes a radical shift in the balance of power.

read more | digg story

Let's See How Mac Keeps Up

We are beginning to see the vulnerabilities in the MAC OS. Apparently there are people out there that are trying to crack into the holes, slowly. Apple has come up with some patches to the MAC OS X. This article from NETWORK WORLD explains for the full story CLICK HERE or goto http://www.networkworld.com/news/2008/021208-patches-keep-coming-as-apple.html?fsrc=rss-security

Web 2.0: Unsafe At Any Speed?

People who specialize in Web security are saying Web 2.0 as it is now can't be secured. Should we keep on this path? Paul Ferguson, a network architect with antivirus vendor Trend Micro, summed up Web 2.0 as thus: "We're basically training our online users to be exploited."

read more | digg story

IBM X-Force Security Report: Web Browsers Under Siege

IBM (NYSE: IBM) today released the findings of the 2007 X-Force Security report, detailing a disturbing rise in the sophistication of attacks by criminals on Web browsers worldwide. According to IBM, by attacking the browsers of computer users, cybercriminals are now stealing the identities and controlling the computers of consumers...

read more | digg story

New Research Confirms Identity Fraud Is On Decline

New Research Confirms Identity Fraud Is On Decline Overall Fraud Down 12%, Criminals are Trapping Victims Over the Phone Critical New Regional Findings Illustrates How Fraud Varies State-to-State

read more | digg story

Google, Yahoo, others rally around new antiphishing weapon

Some of the Internet’s most powerful companies -- including Yahoo, Google, PayPal and AOL -- are brandishing a new weapon in the ongoing battle against e-mail fraud. DKIM is an emerging e-mail authentication standard developed by the IETF and allows an organization to cryptographically sign outgoing e-mail to verify that it sent the message.

read more | digg story

FDIC Video - How To Guard Against Internet Thieves & Electronic Scams

The FDIC has an excellent video available on how to prevent being victimized by Internet Crime. It is very well done and perhaps the best video out there for the average person to take basic precautions when using the internet. You can view the video CLICK HERE or the website address is:

http://www.fdic.gov/consumers/consumer/guard/index.html

How will Real ID affect you?

Here is a good story recently put together on CNET news. Everyone really should take the time to read this. There are some very interesting things developing. Some states have not complied with the Real ID Act, so it gets complicated for people who live in those states as they travel about the country. There has not been alot of information put out about this, but this is a very concise Q & A on the points:

The Real ID law is touted by Homeland Security officials as an anticrime and antiterror measure, but is steadfastly opposed by some state governments on privacy and sovereignty grounds. Computer scientists also have raised concerns about how its creation of a national interlinked database would work in practice. Keep reading for more on Real ID.

read more | digg story

N.L. government ignores basic computer security

DO YOU assume the personal information that government agencies keep on us is safe and secure? With all the new privacy laws it must be, right? Privacy laws are all fine, but unless basic computer and data security measures are put in place and adhered to, it’s all for naught.

read more | digg story

Internet Crime Complaint Center

In case you are the victim, or believe a website to be a fraud, you can file a complaint with the ICCC (Internet Crime Complaint Center)For redirection to their website CLICK HERE

There are also a wide variety of tips and information on topics that deal with all the various amount of schemes that are being perpetrated on the internet.

Think Like a Thief and You’d Protect Your Data Better

Data theft is the number one motive for intentional data breaches. It is a lucrative business for organized crime and sometimes it is a crime of opportunity for insiders with access to valuable information. In either case, the motivation is the same: personal financial gain.What criminals would find lucrative for their business ...

read more | digg story

FREE Software Security Analyzer From Secunia

This is a great tool that everyone can use to determine the level of your different software security patches:

The Secunia PSI is a free solution from Secunia that allows private users to map, update, and secure the programs installed on their computers. As of February 2008, the Secunia PSI has been installed on more than 280,000 computers, the Secunia PSI monitors more than 23 million programs, categorised as either Insecure, End-of-Life, or Patched.

I ran this on my computer this morning and found 9 applications that needed attention. Not only does it tell you that they need attention, but it gives you a direct link to the patch necessary. Excellent utility!

You can Download this FREE tool here:
Secunia Personal Software Inspector

Top Ten Web Hacks of 2007

The polls are closed, votes are in, and we have ten winners making up the Top Ten Web Hacks of 2007! The competition was fierce. The information security community put 80 of the newest and most innovative Web hacking techniques to the test. The voting process saw even some attempts at ballot stuffing, but to no avail.

read more | digg story

Microsoft To Release Bumper Crop of Vulnerabilities In February

pcmag.com A large collection of patches for vulnerabilities affecting numerous Microsoft products will be released next Tuesday, February 12, 2008, according to Microsoft's Security Bulletin Advance Notification for February 2008. The advance notifications reveal limited information; more details will be available on Tuesday.

A total of 12 vulnerability disclosures will be released, 7 of them for critical vulnerabilities:


* One critical vulnerability affects all current versions of Windows, including Vista, except for Windows 2000.

* One critical vulnerability affects all versions of Windows, but is only listed as of Moderate severity on Windows Server 2003. This distinction is usually drawn for browser-based functions which are limited, by default, by Windows Server 2003's Enhanced Security Configuration. But, oddly, the advisory also lists Microsoft Visual Basic 6.0 Service Pack 6 and Microsoft Office 2004 for Mac as affected by this vulnerability and for the effect to be critical.

* One critical vulnerability affects VBScript and JScript in Windows 2000, Windows XP and Windows Server 2003, but not Vista.

* One vulnerability is critical appears to affect all versions of Internet Explorer for all current versions of Windows, including IE7 on Windows Vista.

* The final 3 critical vulnerabilities affect various Office products and versions.
o One is critical for Publisher 2000, but Important for Publisher 2002 and 2003.

o One is critical for Office 2000 SP3, but Important for Office XP SP3 and Office 2003 SP2. (Office 2003 SP3 appears not to be affected.)

o One is critical for Word 2000 SP3, but important for Word 2002 SP3, Word 2003 SP2, and Office 2004 for Mac.


* One Important vulnerability affects Active Directory functions on Windows 2000, Windows XP SP2 and Windows Server 2003.

* One Important vulnerability affects Vista only.

* One Important vulnerability affects IIS on all versions of Windows except for IIS 6.0 on Windows XP SP2. (Weird!)

* One Important vulnerability affects some versions of IIS on Windows XP SP2 and Windows Server 2003.

* One vulnerability affects the Microsoft Works 6 file converters. It's rated Important on Works 8.0 and Works 2005, but Moderate on the converter in Office 2003 SP2 and SP3.

Identity Management Ready to Skyrocket

Identity and access management market to hit $12.3B by 2014, new report says If you thought identity management technology was catching on, you ain't seen nothin' yet.That's the thrust of a new report published Wednesday by Forrester Research. The research firm predicts that identity and access management, will grow to 12.3B by 2014

read more | digg story

Visit ManagedIdentityProtection.com TODAY to find out how to Simplify Your Life and Defend Your Identity. We are in need of people who want to help us in this growing market.

A Google Horror Story

Earlier this week, an acquaintance of mine found himself trapped in a Kafka-esque nightmare, a nightmare that should make all of us stop and think. He wants to remain anonymous so let's call him Bob. Bob was an early adopter of all things Google. [...]

read more | digg story

Identity Theft On The Hill

Sunday, February 10, 2008; Page B08Recently, Georgetown University informed thousands of students, alumni, faculty and staff that a computer hard drive containing their personal information -- names, birth dates and Social Security numbers -- had been stolen from an administrator's office [Metro, Jan. 30].

read more | digg story

Recover A Lost Wireless Key

I came across this handy little utility today and thought I would share it with my readers. It very quickly will tell you all the keys that Windows has stored on your computer from the networks that you have input keys on. You can download the file here: Wireless Network Key Retriever

Security pros: Kill ActiveX

Wave of IE plug-in bugs prompts US-CERT to recommend disabling ActiveX February 5, 2008 (Computerworld) A wave of bugs in the plug-in technology used by Microsoft Corp.'s Internet Explorer browser has some security experts, including those at US-CERT, recommending that users disable all ActiveX controls.

read more | digg story

Microsoft Windows Live Mail's CAPTCHA defense falls to spam

Microsoft’s Windows Live Mail is being targeted by spammers adept at eluding CAPTCHA protection, according to Websense. According to Websense, spammers have created bots that are capable of creating random Live Mail accounts and then using them to launch attacks. In other words, the CAPTCHA defense doesn’t work. A CAPTCHA...

read more | digg story

Attackers zero in on Yahoo Jukebox ActiveX flaw

Just one day after hackers showed how to exploit a number of flaws in the ActiveX software used by Internet Explorer, Symantec has spotted online criminals using one of the attacks.

read more | digg story

RedTube: Our Registrar was Hacked

RedTube, one of the biggest porn sites on the Internet, says Turkish "cyber terrorists" hacked their domain registrar, eNom.com, causing an outage lasting up to 48 hours, depending on when routers refreshed ...

read more | digg story

Hey, Mac Users! You're Not as Secure as You Think You Are!

So, you think that since there are so few holes in your Mac OS that you're invulnerable to attack? That may be true for Trojans and viruses, but it's not the case for phishing attacks that can be fiendishly deceptive and destructive. Not worried yet? Read this column and you might think again.

read more | digg story

Top 11 Malware Threats To Watch Out For In 2008

Here's a heads-up on the evolving security threats we can expect to see in the coming year, including emerging menaces such as badvertising, adsploits, anti-social networking, lieware, and whaling

read more | digg story

Tutorial: How to set up WPA2 on your wireless network

If you are still using WEP encryption it's time to change! WEP is ineffective and has been for a long time. It's easily cracked. I know alot of people understand this, but if you have not changed, please take the time to do it now. Here is an excellent tutorial that explains the entire process.

August 24, 2006 (Computerworld) -- If you are like most people, your home or small office wireless router probably is running without any encryption whatsoever, and you are a sitting duck for someone to easily view your network traffic.

Some of you have put encryption on your wireless networks but aren't using the best wireless security methods. This means that you are running your networks with inferior protocols that offer a false sense of protection because these protocols are very easily broken into. It is the difference between using a deadbolt and a simple lock on your front door. For instance, Tom's Networking has a three-part series that shows you how easy it is to crack Wired Equivalent Privacy.

If you want to keep your neighbors out of your business, then you need to use Wi-Fi Protected Access version 2 (WPA2) encryption. This is now showing up on a number of routers and is worth the extra few steps involved to make sure your communications are secure. It is currently the best encryption method but getting it going isn't so simple. This recipe will show you how to make it work.

How does WPA2 differ from earlier versions? First, it supports the 802.11i encryption standards that have been ratified by the IEEE. These are the commercial-grade encryption products that are available on enterprise-class products.

Second, there are two encryption methods that WPA2 adds: one called Advanced Encryption Standard (AES) and one called Temporal Key Integrity Protocol (TKIP). Both of these allow for stronger encryption, and while the differences between the two aren't that important for our purposes, you should pick one method when you set up your network as you'll see in a moment.

Finally, the protocol creates a new encryption key for each session, while the older encryption standards used the same key for everybody -- which is why they were a lot easier to crack.

Also part of the new standard is Pairwise Master Key caching, where faster connections occur when a client goes back to a wireless access point to which the client already is authenticated. There is one more acronym I'll mention, and that is Pre-Shared Key or PSK. The WPA2 standard supports two different authentication mechanisms: one using standard RADIUS servers and the other with a shared key, similar to how WEP works. We'll get back to this in a moment, but let's show you how to get this train going.

Step 1: Windows OS: First make sure your operating system is up to date. If you are running Windows XP, you'll need service pack 2 and you'll need to download the WPA2 patch that's located here.

If you're using a Mac, you need to be running OS X 10.4.2 or better. Apple calls its version WPA2 Personal. While Linux is outside the scope of this article, you can get more information here.

Step 2: Wireless Adapter: While you are updating your Windows OS, you might want to make sure that the wireless adapter in your laptop is also up to the task of supporting WPA2. The Wi-Fi Alliance maintains an online database of products that is somewhat difficult to use. Go to their Web site, check the WPA2 box and then select which vendor you are interested in.

If you have a built-in Intel wireless adapter, it needs to be running Intel's ProSet version 7.1.4 or better, excluding versions 8.x. You can get more information on this page on Intel's Web site.

Step 3: Wireless access point/router: Next, make sure your router/gateway can support WPA2. If you have purchased it in the last year, chances are good that it does, but you might need to update your firmware as well. For the Belkin Pre-N router model 2000, I needed to update the firmware to version 2.01. An older model 1000 didn't support WPA2 and couldn't be upgraded. How can you tell the difference when you are buying one? You can't, other than opening the box and looking at the label on the bottom of the unit.

Here is how you set up the wireless security section of your router to support WPA2. In our examples here, we chose WPA2-AES. Here's a screenshot for the Belkin router:

You'll notice that you can obscure the key from being shown on the screen, which is a nice feature. That is the PSK that we mentioned earlier. Keep track of this; you'll need it later.

With this recipe, I also tried a Netgear WNR854T router, which didn't need any firmware update to support WPA2. Here is the screenshot from the Netgear router, where you can see the shared passphrase on the screen in the clear:

If you are using Apple's Airport router, you need to download the patch for Airport 4.2 here.

Step 4. Finishing the configuration: Now comes the fun part. Once you have your routers set up, you need to get the clients working properly. I'll show you the screens for Windows, but the Mac is similar.

The biggest issue is that you have to remember the PSK that you used to set up the router and enter it when prompted by the OS. You can enter any phrase from 8 to 63 characters, and obviously the longer the better. Don't forget to match the right combination of acronyms that you chose when you set up your router to match what is required in Windows' Wireless Properties Association dialog box, as shown in this screenshot:

Do this for all of the client computers on your network. Once you get everything working, if you take a look at your wireless connections screen, you should see something like this, where the wireless3 access point is showing that it has WPA2 security enabled:

OK, now you should be done. If you aren't getting a connection, chances are there is a mismatch between your router and your client. Check all the steps and make sure that the WPA2 choices are showing up in the right places and that you have chosen the appropriate encryption method (AES or TKIP) for both router and client pairs. You might also have to use the wireless management software from your adapter vendor, rather than Microsoft's, to set up your connection. Once you have a working connection, you don't have to go through all these steps and should be connected securely automatically.

David Strom is a writer, editor, public speaker, blogging coach and consultant. He is a former editor in chief of Network Computing and Tom's Hardware and has his own blog at http://strominator.com. He can be reached at david@strom.com.

Flash Ads Serving up Malware on Popular Sites

Malicious Flash banner ads have been surfacing on major web sites including Expedia.com, Rhapsody.com, and MayoClinic.com in the last month, according to media reports. Users who click on the banners, which advertise a digital music service, a student dating service, and disk cleaning software, are redirected to Web sites that install malware.

read more | digg story

Nine Ways to Wipe Out Spyware

PCmag.com rounded up the best (and worst) of the apps dedicated to finding and killing spyware—and keeping it from getting onto your machine in the first place. Not all antispyware apps are created equal!

read more | digg story

MayDay! Sneakier, More Powerful Botnet on the Loose

A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs.

read more | digg story

Guess who's winning the security-vs.-privacy fight?

In the nervous post-9/11 period, John Poindexter, the retired admiral and Iran-contra figure, created for the Pentagon a Big Brother intelligence...

read more | digg story

72 Tips for Safer Computing

I just picked this issue up from the newstand yesterday. Good guide and one that you can keep coming back to to make sure you are protected:From the basics to the extreme, here are the tricks that will keep your computer, you, and your family secure and safe.

read more | digg story

Google blog used to spread malware

Latest example of a bogus blog posting used to spread malware. A Google-hosted blog is running phony security content that's linked to malware, as well as using Google's automated notification service to try to entice subscribers to click on an infected link, says one security expert.

read more | digg story

Russia the Evil Hacker Haven

The most powerful Internet weapon on the planet is being protected by the Russian government. The weapon in question is the Storm botnet. This is the largest botnet ever seen, and while the United States has traced its creators to Russia, the government there refuses to cooperate in shutting Storm down.

read more | digg story

Steal this WiFi

Very interesting story dealing about the consequences of having an open WIFI connection:

Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

read more | digg story

R.I.P. American Privacy. We will miss you.

The FBI is gearing up to create a massive computer database of people's physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists.

read more | digg story

Employee Pulls Plug on Digital Bank Robbery

Online transfer would have sucked "millions" from the bank's vaults; thieves are arrested An alert employee found a foreign device attached to his computer, then pulled the plug only seconds before a group of digital bank robbers could steal "millions" from his bank near Stockholm, Sweden.

read more | digg story

Wireless headsets: A corporate spy's best friend

Imagine spending months, millions of dollars, and countless hours designing, building, and implementing a world-class security program only to have it circumvented by an inexpensive wireless telephone headset. According to Secure Network Technologies, a penetration testing firm, that's is exactly what can happen at many large corporate offices.

[...]

What did we prove? That many companies which fear security breaches and eavesdropping are actually bugging their own offices, and spilling their private content over the open air waves without their knowledge. The problem is not unlike the early days of wireless LANs and WiFi, when the technology became popular before adequate security was developed.

What can you do about it? The first step is to recognize the vulnerability. These headsets generally operate at 900MHz and, as we learned, are not necessarily secured with encryption. Find out who's using the technology and where. Secondly, you should consider doing a scanning test, as we did for our client. It's worth $80 to make sure your corporate secrets are not unintentionally leaking out of the building via wireless headsets.

Source: Hacking Wireless Headsets, Steve Stasiukonis, Dark Reading, 22 January 2008

The quote above is from an article in which Secure Networks describes an actual pen test they performed for a client, during which they discovered significant wireless headset vulnerabilities. Using a commercially available radio scanner, an attacker can monitor and record telephone conversations from as far away as 600 feet (UPI). But it's not just telephone conversations that are at risk. In some cases, the headset continued to transmit after a call was terminated. This effectively "bugged" the user's work area.




Blog Entry shared from the Adventures in Security Blog.
Original author: Tom Olzak (Director, Information Security)

Spies in the the Phishing Underground

If you want a real behind the scenes look at the criminal element in this underground world of phishing, read this article!

Both Nitesh and Billy are well-known security researchers that have recently managed to infiltrate the phishing underground. In this interview, they expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, discuss how phishers communicate and even how they phish each other.

read more | digg story

Wi-Fi Users, Beware: Hotspots Are Weakspots

Next time you are sitting in a hotel lobby checking email on your laptop, be careful: The "businessman" in the next lounge chair may be tracking your every move. Many Wi-Fi users don't know that hackers posted at hot spots can steal personal information out of the air relatively easily.

read more | digg story

IRS Pencil Sharpener Now Available

I thought it would be fun to start the week off with a little humor ----- In an effort to offset tax payer costs for the operational costs of its organization, the IRS is introducing a line of products, beginning with this fantastic pencil sharpener.

read more | digg story

The OLPC Project and Nigerian Spammers - Is there a link?

Simple speculation that the mass release of the One Laptop Per Child has coincided with a huge rise in the number of Nigerian spam, and auto-bot attacks.

read more | digg story

Scientology Internet Hackers Plan Real-Life Protests at Church Locations

Hackers who launched a massive online attack against the Church of Scientology are now turning to real-world protests to draw attention to what they call a "vast moneymaking scheme under the guise of 'religion."'

read more | digg story

The Twenty Minute Guide to PC Security: 20 Tips to Secure your Box

"In this article we cover 20 of the most basic PC security steps, from installing essential safeguards to tailoring your own Internet behavior, which will together help you dramatically reduce the odds of your computer being infected by malware." Even your Mom can follow this guide.

read more | digg story

Simplify Your Life Defend Your Identity

ManagedIdentityProtection.com

Microsoft Bid for Yahoo Raises Privacy Flags

In the wake of Microsoft’s offer to purchase Yahoo for $44.6 billion, consumer advocates are renewing concerns about the potential for virtually unchecked surveillance and tracking of consumer activity online.

read more | digg story

Simplify Your Life - Defend Your Identity --- Managed Identity Protection

Heathrow PC security probe launched

Public access internet terminals at Heathrow airport may be vulnerable to hacking attacks.

read more | digg story

There are much safer ways to prevent this kind of malicious activity. We have a VERY good low cost alternative to those Windows public terminals. You can e-mail us for details. datasaversinc@gmail.com

Couldn't Agree More

Chris Pirillo spends some time talking about the Bloatware that McAfee and Norton put out in their software packages designed to protect your computer. The first thing I do when someone asks me to look at their computer, especially a new PC is to get rid of these software packages. I rip them out and usually install AVG antivirus, Windows Defender, and enable Automatic Windows updates, and windows firewall. With these tools the average user is protected adequately. Well, I'll let Chris tell you:


Chris | Live Tech Support | Video Help | Add to iTunes

Simplify Your Life Dedend Your Identity - Managed Identity Protection.com