Bloomberg has posted an interesting summary of recent hacker triumphs based on social engineering attacks. The fundamental piece of hard news was that the US Department of Homeland Security ran a test last year in which they dropped CDs and USB drives around near some US government offices. The test detected that 60 percent of these were inserted into government computers.
I've been looking at the various files LulzSec has uploaded from their victims. These include Sony (several different sites on separate occasions), PBS, the game company Bethesda, Fox TV, Nintendo, and a computer security company called Unveillance. They actually defaced the PBS site, posting a bogus article claiming that dead rapper Tupac was located alive.
They also extracted the hashed password file belonging to the Atlanta chapter of Infragard, an FBI-affiliated organization, and cracked a bunch of the passwords. The site is now offline.
My initial impression is that these folks are using some fairly simple attacks, like SQL injection, to retrieve a lot of the data. Note that in most cases they didn't actually deface the victim. I suspect they would have if they could have. Thus, they're taking advantage of the weaknesses they do find.
There's been buzz in computer hardware blogs over the past few days about how faster processors (and GPUs in particular) are rendering strong passwords "useless." One experimenter, named Vijay Devakumar, posted a description of his success at cracking passwords, which has been recently picked up by bloggers on
There has been an update to the DiskUtil program that prevents my RAID backup procedure from working.
The version I am running - Version 11.5.2 (298.4) - no longer provides a "Remove" or "Demote" function when a RAID drive is missing or offline. I've found two ways around this. I recommend the first approach for regular use. The second is only provided to illustrate a bizarre feature of Apple RAID.
He has posted (pasted, actually) a series of statements on pastbin.com that describe what happened and provide some evidence to support his claim. Note that the link above will probably go sour in a while, since Pastebin's policy is to recycle the pasted storage periodically.
I few months back I retold the story of a bogus Microsoft certificate issued by Verisign in 2001. It's a difficult story to track down ten years later because many articles published by then have either disappeared or been 'updated' to remove details.
I'm assembling an explanation of command injection for my upcoming textbook Elementary Information Security. (yes, yes, it should be finished by now and in production, but things were delayed). This yielded a couple of diagrams that I've managed to squeeze onto a single sheet of 8.5 x 11 paper. Here's a JPEG preview:
It is also available as a PDF file.
I've heard a broad range of claims on how large a firewall rule set might be, so I decided to dig around for published data. There are lots of quotes claiming gigantic numbers, but I only found three reports of plausible-looking data collection - one from 2001 and the others from last year. I also have notes from a fourth that I haven't verified.
In practice, firewall rule sets seem to range from 5 rules to over 25,000 rules. Some claim that even larger rule sets may exist.
The number of rules seem to depend heavily on the number of users behind the firewall, and on the firewall's implementation of the rules themselves. If a firewall can create sophisticated rules, then it takes fewer rules to implement the site's policy.
As with everything, small is beautiful. If you have a lot of rules, it's hard to keep them accurate and up to date.