Your Ad Here

Friday, May 30, 2008

Cyber Bullies and the Effect on Our Kids

Cyber Bulling has been a big problem and is becoming an expectable way kids use to express their feelings towards others. As a parent, it is important to understand and be able to determine the signs and effects of cyber bulling on our kids. Below are some key information about the topic:

This constant contact via technology also allows the school yard bully to continue to hound their victims 24 hours a day and invite others to pile on.

This pack mentality combined with the anonymity of the attacks puts a lot of stress on young victims that don’t know how to deal with the situation.

The statistics according to are pretty alarming:

  • 42% of kids have been bullied while online. 1 in 4 have had it happen more than once.

  • 35% of kids have been threatened online. Nearly 1 in 5 have had it happen more than once.

  • 21% of kids have received mean or threatening e-mail or other messages.

  • 58% of kids admit someone has said mean or hurtful things to them online. More than 4 out of 10 say it has happened more than once.

  • 53% of kids admit having said something mean or hurtful to another person online. More than 1 in 3 have done it more than once.

  • 58% have not told their parents or an adult about something mean or hurtful that happened to them online.

Parents that are completely out of the loop with their child’s technology usage can find it hard to detect when something of this nature may be occurring, but generally speaking, changes to the child’s behavior will accompany the attacks.

Not any of these signs on their own is an indicator, but combined they could warrant a discussion with your child:

  • Unusually long hours on the computer

  • Clearing the screen when you enter room

  • Secretive Internet activity (won’t say who their chatting with)

  • Getting behind in school work

  • Lack of appetite, headaches or Stomachaches

  • Trouble Sleeping

  • Fear of leaving the house, especially to go to school

  • Appears upset after Internet use.

  • Hesitation to get online

  • Cries for no apparent reason

  • A marked change in attitude, dress or habits

Our schools and lawmakers are still trying to catch up with this new form of abuse, so how to report such activity will vary greatly based on your community.

There are many Web sites that can help if you think your child is a victim of cyber bullying, including,, and

It’s also vital to discuss with your “screenager” the importance of not participating in any online discussion that serves to demean or belittle others. What may seem like a harmless action only serves to amplify the problem for the victim and encourages the instigator to continue.

From a technology standpoint, if you feel the need you can install a program that will track all of the activity that occurs on your child’s computer, including what others are sending them via instant messaging.

Check out the various tracking software available from sites such as and as the activity logs that they generate can come in handy if you need to report the problem to a school or law enforcement.

The EnCase Evidence File Components and Function

The EnCase evidence file arrangement has what is described as “bag-and-tag” information which consists of information pertaining to case in the header of the file. In addition to the case information data, the image file also contains data and file integrity. Data and file integrity are very important when it come to ensuring the integrity and the proper authentication of the evidence image for court purposes. Message Digest 5 (MD5) and Cyclical Redundancy Check (CRC) are two functions that are used to provide these mechanisms within the EnCase evidence file.

MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input that is claimed to be as unique to that specific data as a fingerprint is to the specific individual. The result of the calculation is a 128-bit hexadecimal value which provides a number of possible values consisting of 2 ^128. This means that the odds of two files having the same MD5 value is 1 in 2^128. Because the chances are statically remote, the forensic community has adopted and accepted MD5 sufficient for forensic authentication.

CRC is similar in function and purpose to the MD5. The CRC algorithm results in a 32-bit hexadecimal value.

An EnCase evidence file has tree major components: the header, the data blocks and the file integrity component (CRC and MD5). The header will appear on the front end of the evidence file and the data blocks follow the header.
Any additional contribution towards this topic will help for those attempting to obtain the EnCE.

Wednesday, May 28, 2008

Apple fixes 70 issues with Mac OS X 10.5.3 update

By Jim Dalrymple, IDG News Service

May 28, 2008

Apple on Wednesday update Mac OS X fixing 70 issues with the operating system and its components.

Among the changes in Mac OS X 10.5.3 are several fixes for Apple's Time Machine backup application. Compatibility issues with its hardware counterpart, Time Capsule have been address, as well as compatibility issues with Aperture 2. Reliability has been improved when doing a full restore from a Time Machine backup and an alert message incorrectly stating that a backup volume doesn't have enough space has been fixed.

Apple's virtual desktop application, Spaces, received some minor updates, as well. A problem that could cause the reordering of application windows when switching desktops and then switching back has been fixed. An issue when pressing Command-Tab may incorrectly switch to a new space and reliability when syncing to .Mac have both been fixed in the update.

Mail received 10 updates in Mac OS X 10.5.3. Among them a stability issue when dragging large attachments to a mail message and reliability issues when changes are made to a mailbox while offline.

iChat reliability while screen sharing and an issue with group chats not being indexed in Spotlight has been addressed.

Automator, AirPort, Address Book, Parental Controls, and VoiceOver all received reliability enhancements with the update.

The 420MB Mac OS X 10.5.3 update is available for download via from the software Update control panel.

NSA to Roll Out New Security Strategy at AFEI Conference

The National Security Agency and AFEI are gathering together at a conference in June some of the most influential leaders in information security and assurance to discuss the new DoD strategy for a comprehensive set of services that provide enterprise information assurance capabilities.

Arlington, VA (PRWEB) May 28, 2008 -- The National Security Agency continues its rollout of the new DoD security strategy, Enterprise Security Management, at the second AFEI Enterprise Security Management conference in June ( "This conference will continue and focus the exchange of community perspectives which began at the September 2007 ESM Fall Festival to increase understanding and awareness of ESM across both the public and private sectors by engaging government, industry and allies" said Marcia Weaver, Chief of the Enterprise Security Management System Program Office at NSA.

"The threat is real" said Dave Wennergren, Deputy Chief Information Officer of the Defense Department at the September event. "The nature of the world has changed; it's now about the net -- the survivability, sustainability and resilience of the network. It is fundamentally changing how people think about addressing the threat."

The threat is both real and prevalent. The TimesNow Morning Show in India broadcast on Thursday, May 22 reported on the Indian government accusing China of daily attacks on networks and websites, including their National Informatics Center. Last May the BBC reported that Estonia, one of the most internet-savvy states in the European Union, was under sustained denial-of-service attacks that were rumored to have come from Russia. Last January DoD experienced a cyber-attack that took an e-mail system off-line. Defense Secretary Gates said the Pentagon is exposed to "perhaps hundreds of attacks a day."

The Department of Defense is highly dependent on networks and digital information to conduct the vast majority of its routine business and warfighting missions. In the past security solutions have been added to information systems after they were built and deployed. This approach will not provide the information assurance ans superiority necessary in today's threat environment.

"Enterprise Security Management provides the foundation to make information superiority a reality" said Ms Weaver. "This is critical to our mission success and provides information to those who need it, when and where it is needed, while denying it from our adversaries" she said.

The conference focuses on managing enterprise Information Assurance (IA) processes, services, and assets within new global operating paradigms, acutely shortened decision cycles, evolving information-age environments, and with the same underlying drivers across the public and private sectors. Industry and Government are seeking the same new technologies, practices, and approaches to policies that will institutionalize enterprise-wide security.

"Business leaders concerned about protecting networks and data, detecting and defeating cyber attacks, ensuring the security of enterprise information, and understanding the emerging principles of unified information assurance across their enterprise should be attending this conference" said Dave Chesebrough, President of AFEI. "We must be prepared to deter, prevent and defeat cyber attacks that could cripple our infrastructure and cause economic disruption."

About AFEI:

AFEI is an industry association dedicated to the advancement of the sharing, integration, management and protection of information across extended enterprises (people, process and technology), with a focus on national security and defense issues. AFEI ( is an affiliate subsidiary of the National Defense Industrial Association (NDIA) (, America's leading industry association promoting national security.


Press inquiries should be directed to Betsy Lauer, Director of Business development, AFEI


EU agency declares war on botnets...

Original URL:

EU agency declares war on botnets

By John Leyden

Published Wednesday 28th May 2008 10:50 GMT

ENISA, a pan-European agency designed to promote closer coordination on information security, is calling for a revamp of cyber-security laws and best practices in a bid to combat the growing economic impact of cyber attacks and botnet spam.

The adoption in Europe of US-style information security breach disclosure laws is a key plank in this manifesto, and emerged in a technical briefing by The European Network and Information Security Agency to journalists on Tuesday.

ENISA reckons security breach reporting, applied consistently across Europe, would reveal the scope of information security problems. The agency wants to strike a balance between transparency and confidentiality rules (for example, in the banking sector) in setting up a security breach reporting regime. It wants this framework to be applied across the EU unlike security breach disclosure laws in the US, which are applied on a state-by-state basis.

ENISA's executive director Andrea Pirotti said that six million computers worldwide are compromised by malware and connected to a botnet. "They are used for fraudulent activity by criminals. This is why we can state that info security is the most serious concern of any public or private organisation. Our critical national infrastructure, our business, our private communication goes online. We don't want such structures to be disrupted. We don't want our critical infrastructures to collapse."

Dr Ronald De Bruin, head of the cooperation and support department at ENISA, said that spam is growing ten per cent year on year. "Spam costs €64.5bn for service providers, double that of 2005, even though 94 per cent of spam is filtered out before it reaches users' in-boxes. Spam introduces all sorts of security risks from virus infection and phishing to botnets."

ENISA is a brainchild of EU Commission. The agency, established three years ago, acts as a centre of expertise for policy formation in the area of information security. It can only recommend courses of action which the EU, in consultation with industry, needs to apply.

ENISA helps counter cyber-attacks such as those faced by Estonia last year. It supports member states in setting up Computer Emergency Response Teams (CERTs), which De Bruin described as digital fire brigades. Europe has 14 national CERTs compared to eight in 2005. This figure is expected to grow to 24 over the next two years or so.

The agency has launched a three year programme designed to improve the resilience of public e-communications and services. It aims to perform a gap analysis prior to identifying and promoting best practices. "Our target is that by 2010 the Commission and at least half the member states have made use of our recommendations in policy," explained De Bruin. He added that it was piloting risk management tools for SMEs, who are seen as fighting on the front line against cyber-crooks.

ENISA wants to act as a clearing house for best practices in cybersecurity. "We need to build on existing national systems where the EU has no operational role but acts as a facilitator of best practices," he said.

De Bruin highlighted gaps in cyber-security reporting as a particular problem.

The briefing also covered concerns within the agency about privacy and social networking sites. Existing EU laws were written before the advent of social networking websites, such as Facebook and MySpace. De Bruin described social networking as a "digital cocktail party" which it wants to encourage. At the same time ENISA wants to develop recommendations to consumers, users and social networking sites designed to guard against privacy risks.

For example, it reckons EU legislation needs to be expanded to cover the posting and tagging of photos of people which, at present, can be made without a subject's consent. "Our position is not to scare people however we feel we have to make recommendation to help protect against risks and therefore create a better and safer environment," Dr De Bruin explained.

A video on ENISA's work on "Security in Online Social Networking" can be foundhere (

ENISA information security strategy can be found here (pdf)( A recording of Tuesday's meeting (registration required) can be found on ENISA's website here ( ®

Related stories

Soaraway security spending keeps breaches in check (22 April 2008) 
Civil liberties groups challenge Data Retention Directive in ECJ 
(10 April 2008) 
Make vendors liable for exploits 
(10 March 2008) 
EC report warns governments on e-trust 
(23 November 2007) 
Consumers baulk at returning to hacked stores 
(17 April 2007) 
Europeans fear data loss disaster 
(19 February 2007) 
European Central Bank wants EU protection from US 
(4 October 2006) 
Commission concerned about Vista security 
(14 September 2006) 
Europe may mandate data breach notification 
(13 September 2006) 
European Cyber security agency is go 
(21 November 2003) 
EU sets up Euro-security agency 
(19 November 2003)


New Adobe flaw being used in attacks

Very interesting article from InfoWorld.

Malware Infected Windows PCs

Lately, there has been a rash of PC infestations.  In the past week, I have personally worked on 4 Intel based PCs that had slowed down to a crawl or did not allow the user to be productive.

In reviewing their PCs, I noticed the “Trojan.Smitfraud” to be of abundant on these systems amongst other malicious software.

I personally feel these compromised systems are lethal weapons that can allow hackers to attack our infrastructure, other businesses or committee crimes.  Better software and usability measures need to be a priority.

I use Ultimate Boot CD for Windows to examine and repair these systems.  I find that it work well and does not use the Windows based OS to do its analysis.

Information on Trojan.Smitfraud can be found below:




Type Description

Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.



Category Description

Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.



Level Description

High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

Advice Type



Trojan.Smitfraud is a group of programs that are used to download rogue security products and change the user's desktop to display false warnings that the computer is infected with spyware.

Add. Description

Trojan.Smitfraud downloads and installs programs that purport to scan for adware and spyware and typically display false reports of spyware in order to frighten the user into paying for the program.

Release Date


Last updated on

May 9 2008

File Traces



%SYSTEM%\ adobepnl.dll


%SYSTEM%\ ccc3.dll


%system%\ cdromdrv32.dll


%SYSTEM%\ dcvwaah.dll


%SYSTEM%\ dpfwu.dll


%SYSTEM%\ ekvrlfzz.exe


%SYSTEM%\ fyhhxw.dll


%SYSTEM%\ gqagksr.dll


%SYSTEM%\ gtpbx.dll


%system%\ hjfjhigjxe.dll


%SYSTEM%\ ishost.exe


%SYSTEM%\ ismini.exe


%SYSTEM%\ ismon.exe


%SYSTEM%\ isnotify.exe


%SYSTEM%\ issearch.exe


%SYSTEM%\ ixt0.dll


%SYSTEM%\ okkmtv.dll


%system%\ olechs32.dll


%SYSTEM%\ oqabf.dll


%SYSTEM%\ sbnudh.dll


%SYSTEM%\ syycum.dll


%SYSTEM%\ titiau.dll


%SYSTEM%\ urroxtl.dll


%SYSTEM%\ users32.exe


%SYSTEM%\ veklo.dll


%SYSTEM%\ vwlummc.dll


%SYSTEM%\ wuwbxp.dll


%SYSTEM%\ xxfgmy.dll


%SYSTEM%\ zphnok.dll


%windows%\ dpvtporsdq.dll
















The EnCase Evidence File Format

The EnCase Evidence File Format

The EnCase evidence file can also be referred to as a forensic image file. The concept of an image file is where the entire drive contents of a target media is copied to a file and checksum values are calculated to verify the integrity (useful in court cases) of the image file (often referred to as a “hash value”). Forensic images are acquired with the use of software tools such as the UNIX “dd’ and FTK Imager as well as hardware were cloning devices such as the Solo Masster and Logicube’s MD5 have added forensic functionality.

One major difference between the above mentioned techniques to acquire image files and the EnCase image files is the “bag-and-tag” concept. The UNIX “dd” and many of the hardware cloning devices only provide the bit-for-bit information during acquisition. EnCase on the other hand provides the bit-for-bit data as well as additional data such as case information; data block integrity and file integrity to name a few. These functions are built into the EnCase imaging process for interoperability and ease of use. If the same function were to be implemented using the UNIX “dd” or the hardware options, this process would require many different tools and multiple steps to obtain the same results.
My next posting will be on the "EnCase Evidence File Components and Functions".

Friday, May 23, 2008

15 year old hacker steals data and gets caught…

The 15-year-old student is being charged as a juvenile, so police are not releasing his name. The charges against him are felony computer trespass, felony unlawful duplication, felony computer theft, and misdemeanor theft by unlawful taking. He has been released to his parents' custody, police said.

School officials maintain the student involved in the breaches didn’t do so for identity theft purposes, but rather were “motivated by an irresponsible interest in determining whether they could infiltrate the network and circumvent the safeguards.”

Below has more information on the matter:

15-Year-Old Steals Data on 55000 People in School District Hack

 Downingtown student, 15, charged as a hacker

Thursday, May 22, 2008

What are the phases of the EnCE® exam?

What are the phases of the EnCE® exam?
The EnCE® exam has two phases:

  • Phase I of the EnCE® exam is a computer-based test administered by Prometric. Students must obtain a grade of 80% or higher to pass and proceed to Phase II.
  • Phase II is a practical test requiring students to examines computer evidence that is sent to them via CD-Rom. Students must submit their findings report to the certification coordinator within 60 days and receive a grade of 85% of higher to pass. A 30-day extension may be granted in certain circumstances. Candidates successfully passing Phase I and II of the process are awarded the EnCE® designation.

How much does the EnCE® program cost?
The total cost for the EnCE® program is $200.00(USD) in the USA and $225.00(USD) internationally . This fee is paid to Prometric to take the Phase I computer-based test. When you register for Phase I of your EnCE® test with Prometric, you will notice the price is listed from $750.00 to $1000.00 (USD). After you enter in your voucher number provided by the Guidance Software certification coordinator, the test price will change to the discounted price. EnCE® certification is inexpensive compared to other professional and IT certifications. The cost was intentionally kept low, as Guidance Software understands many users, especially in the public sector, will not be reimbursed for the fee.

What materials can I use to study for the EnCE® computer-based test?
Guidance Software offering free EnCase® Certified Examiner Study Guides for the computer-based test administered by Prometric. All EnCE® candidates whose applications are approved by the Certification Coordinator will receive a free EnCE® Study Guide by mail. The study guide covers the four parts of the test administered by Prometric including: Examining Computer Based Evidence With Encase®, Computer Knowledge, Good Forensic Practices, and Legal.

If your application for the EnCE® program has been approved and you have received a Prometric voucher number, but have not received you EnCE® Study Guide, please fill out our online Study Guide Request or contact the Guidance Software Certification Coordinator at (626) 229-9191, ext. 513, or email us at

We recommend candidates familiarize themselves with information contained in the following publications:

The EnCase® Forensic Methodology Training manuals also serve as helpful study material. The EnCase® Legal Journal can be downloaded in Adobe Acrobat Reader from Guidance Software's Web site. The EnCase® User's Manual can also be downloaded from Guidance Software's Web site (EnCase® software user name and password required). Some suggested resources for the Computer Knowledge and Good Forensic Practices sections are:

  • How Computers Work by Ron White
  • Handbook of Computer Crime by Eoghan Casey

What topic areas does the EnCE® computer-based test cover?

  • Examining computer based evidence with EnCase®
  • The EnCase® Evidence File
  • EnCase® Concepts
  • The EnCase® Environment
  • Searching
  • File Signature and Hash Analysis
  • Computer Knowledge
  • Understanding Data and Binary
  • The BIOS
  • Computer Boot Sequence
  • File Allocation Table Systems
  • Computer Hardware Concepts
  • Good Forensic Practices
  • First Response
  • Acquisition of Digital Evidence
  • Operating System Artifacts
  • Legal (North American EnCE® candidates only)

How do I renew my EnCE®?
The EnCE® designation is valid for two years from the date it is earned. EnCase® Certified Examiners are required to earn sixty-four (64) credit hours of documented continuing education in Computer Forensics or Incident Response every two years to maintain their certification. The training should either be from Guidance, your agency, or an accredited source. You can earn one credit hour for each classroom hour of training and 1/2 credit hour for each one hour of instruction as a Computer Forensics or Incident Response curriculum instructor. Your expiration date is listed on your wallet card. In order for training to qualify for renewal it needs within the two year time period. (Example: If you were certified on 1/1/2005, only training taken between 1/1/2005 and 1/1/2007 would qualify for renewal credits.)

If you were not given certificates, please put the following information in a letter.

Date of the Class
Number of hours
Name of the class
Who provided the training
Short description of the class

When you are ready to submit your renewal credit, please fill out the EnCE® Renewal Form, attach renewal documentation and either mail, fax, or scan/email to:

Certification Coordinator
Guidance Software, Inc.
215 N. Marengo Ave. 2nd floor
Pasadena, CA 91101
Fax: (626) 432-9558

What if my voucher expires or did not finish my Phase II test before the due date?
- If the Phase I voucher expires, simply contact the Certification Coordinator to obtain a new voucher.
- If anyone does not turn in the Phase II practical with in the time allotted them, they will be required to wait 2 month from the date that the test would have been due and then start the EnCE® process over starting at Phase I.

What if I fail the test?
- Anyone who does not obtain a grade of 80% to pass the Phase I test will be required to wait 2 months before a new voucher will be issued.
- Anyone who does not obtain a grade of 85% to pass the Phase II Practical will be required to wait 2 months before they will be allowed to retest. Those who fail the Phase II will be required to start over at Phase I .
- A new application will be needed if organization of personal information has changed during the 2-month wait period.

Contact Guidance Software's EnCE® certification coordinator at:
Guidance Software
Certification Coordinator
215 North Marengo Avenue
Second Floor
Pasadena, CA 91101
Tel: (626) 229-9191 x 513

Apple Certified System Administrator 10.5

Apple Certified System Administrator (ACSA) 10.5 certification verifies an in-depth knowledge of Apple technical architecture and an ability to install and configure machines; architect and maintain networks; enable, customize, tune, and troubleshoot a wide range of services; and integrate Mac OS X, Mac OS X Server, and other Apple technologies within a multi-platform networked environment. ACSA certification is intended for full-time professional system administrators and engineers who manage medium-to-large networks of systems in complex multiplatform deployments.

Required Exams:

• Mac OS X Server Essentials v10.5 Exam (9L0-509)

• Directory Services v10.5 Exam (available mid-2008)

• Advanced Administration v10.5 Exam (available mid-2008)

• Deployment v10.5 Exam (available mid-2008)

As the Apple certification program continues to evolve, TestKing will continue to change and update our content to reflect those changes. Most of those who have earned one or more Apple certifications have done so through self-study, mainly because of the cuts in IT training budgets in recent years. With that in mind, TestKing has developed high quality and affordable study materials that will help you pass your certification exams quickly and easily, the very first time.

Why Bots are Bad News to your Network…

Any security vulnerability is potentially damaging to a business, and bots are no different. When malware programs are running on employee machines, companies have the right to worry about the safety and integrity of their data and their systems, and whether compromised information and performance could affect not just their competitiveness but their viability.

Adhering to company policies such as remote access, software downloads and patch management are all key to protecting the enterprise.

Wednesday, May 21, 2008

Open source security gets thumbs up

The quality of open source code has improved over the last two years, according to an audit sponsored by the US Department of Homeland Security, reports The Register.

The security and quality of more than 250 open source projects - including Apache, Linux, Firefox and PHP - was assessed using code analysis tools from Coverity as part of the federal government’s Open Source Hardening Project. Coverity set up a scan site that invited individual developers to put their code through its paces with its static source code analysis tool, Coverity Prevent.

The same approach was used to analyse 250 popular open source projects, containing more than 55 million lines of code, on a regular basis. This analysis revealed a 16 per cent reduction in “static analysis defect density” across popular projects over the last two years, reflecting the discovery of 8,500 individual defects. The site divides open source projects into rungs on a ladder based on how far each project gets in fixing bugs. [The Register]

The 100th Post of KellepCharles Security Blog

During the first 99 posting of information security related entries, I covered the many aspects of security from Information Warfare, to security patched and digital forensics tools to security related conference and certifications.  You can get a better picture of the diverseness of the blog from this list of topics I have covered below.

During my next 99 posting, I plan to build on many of the past topics as well as introduce some more new and exciting ones…


Tuesday, May 20, 2008

PHP Update Quashes Security Bugs

PHP Update Quashes Security BugsThe open-source PHP Group has released a high-priority update to fix multiple security vulnerabilities.

The PHP 5.2.6 release (download here) corrects at least four documented security flaws of varying severity and also upgraded the bundled PCRE (Perl Compatible Regular Expressions) to version 7.6.

Secunia has slapped a "moderately critical" label on this update and warnedthat some of the PHP vulnerabilities can be exploited by malicious users to bypass certain security restrictions, which could cause a denial of service or compromise a vulnerable system.

The vulnerability details:

  •  An unspecified error in the FastCGI SAPI can be exploited to cause a stack-based buffer overflow.
  •  An unspecified error exists in processing incomplete multibyte characters within "escapeshellcmd()."
  •  A security issue is caused due to an unspecified error. No further information is currently available.
  •  An error in cURL can be exploited to bypass the "safe_mode" directive.
  •  A boundary error in PCRE can potentially be exploited by malicious people to cause a DoS or compromise a vulnerable system.
  • China Gateway for Most Cyber-Attacks

    By Michael Ha
    Staff Reporter of The Korea Times

    Most cyber-attacks against computer infrastructures and web sites for South Korea's government agencies originate from China, a new study revealed.

    The study warned that the breach of cyber security often results in the loss of critical national and financial information and urged the Korean government to step up its security efforts.

    Lee Hong-sup, chairman of the Korea Institute of Information Security and Cryptology, presented his group's findings today. He reported the results at the ``2008 National Defense and Intelligence Protection Conference," held in Seoul this week.

    In presenting a report titled ``How to Counter Hacking From China," Lee said 54 percent of cyber-attacks on South Korea's government websites and computer systems originate from Internet sources in China, making it the biggest cyber security threat for the Korean government. 

    The United States is also a major source of hackers. The study said 14 percent of all cyber-attacks on South Korean government's computer systems originate from America. 

    Additionally, more than 5 percent of cyber-attacks originate from Japan, with Brazil trailing closely behind with 4.9 percent. Taiwan was responsible for 3 percent of hackers.

    These findings were based on the analysis of more than 2,100 cases of hacking and hacking attempts against Korean government agencies during the month of March.

    The study pointed out the example from South Korea's ``Auction," a popular online auction company, to illustrate the danger of cyber-attacks. Hacks against the web site occurred in February and had originated from a Chinese Internet source. 

    The attack resulted in the dissemination of a vast amount of personal data including credit card information and social security numbers from more than 10 million customers.

    Lee also said reported cases of ``voice phishing" ― committing financial fraud via phone lines using stolen phone numbers and other personal data ― that originate from China number more than 5,700 a year. He urged further cooperation between the public and private sectors to develop protective measures.

    Other presenters at the conference urged the South Korean government to step up its cyber-defense capability. Korea University's Graduate School of Information Management and Security Chairman Lim Jong-in said North Korea has been developing its cyber-attack system since 1989. 

    Lim said, ``Japan is also independently developing computer viruses and hacking technologies for the purpose of cyber-attacks. Japan's cyber-defense capability rivals that of the United States."

    ``There is a paradigm shift in modern warfare and it now includes cyber wars and cyber defense strategies," Lim said.

    Monday, May 19, 2008

    CWSP - Certified Wireless Security Professional

    The CWSP exam is an advanced level wireless LAN certification developed by Planet3 Wireless. This exam is a part of the Certified Wireless Network Program (CWNP). The exam tests your ability on how well you are able to protect your company’s valuable data from hackers. For anyone desiring a career in IT or Security this is a certification you cannot afford to be without.

    The CWSP is the first nationally recognized wireless security exam offering in the United States. While this exam is has been around for several years, it is probably one of the best kept secrets. However when securing employment with major corporations in the area of wireless security, you will find that employers are looking for this certification.

    One of the great fears around wireless is security. The one thing that beats fear is education. I applaud Planet3 Wireless on the job they have done in providing an exam that is both comprehensive and accurate. This vendor neutral exam really outlines the security solutions that are available today and more importantly how the solution should be utilized. The exam looks at the customer’s infrastructure and not the vendor’s product. You will find that the exam leaves no stone unturned.

    Test Preparation:
    The best study material to date other than real world experience is a combination of the following

    1. CWSP Instructor-led Training
    2. CWSP Study Guide
    3. Practice Test

    Ideally, your chances are better for passing the exam when you combined all three of these methods. However, money and time constraints sometimes prevent this from happening.

    Exam Prerequisites:
    There is only one prerequisite. Individuals attempting to take this exam must be CWNA certified. (Certified Wireless Network Administrator (CWNA) is another wireless certification through Planet3 Wireless which deals with wireless administration). While not a requirement, it is recommended that testers have their Security+ and/or SCP certification.

    Exam Registration #:

    Exam Cost:
    The exam can be purchased for $175.00 USD.

    Exam Format:
    The CWSP exam is a 90 minute timed exam which consists of 60 scenario based questions. You are required to obtain a passing score of 70%. Should you have an interests in being an instructor, the passing score requirements are a little more stringent. A passing score of 80% is required.

    Exam Content
    You will find that the exam covers three basic areas; Wireless LAN Security Solutions, Wireless LAN Intrusion, and Wireless LAN Security Policies. The exam goes into deeper detail by highlighting the topic below:

    * Wireless Security Principles
    * Intrusion Techniques
    * How Networks are Compromised
    * Intrusion Detection Systems
    * Layer 2 Wireless VPNs
    * SOHO/SMB 802.1X/EAP Security
    * Enterprise Wireless Gateways
    * Secure Wireless Bridging
    * Wireless LAN Switching
    * Wireless VLANs and EAP Types
    * Secure Wireless LAN Management
    * Wireless VPN Routers

    Exam Location:
    The exam is nationally recognized and can be taken through any Authorized Thompson Prometric Testing Center. For locations in your area, check out

    I highly recommend anyone who is going into the field of security wired or wireless to take this exam.

    XP SP3 Issues

    FYI, SANS Diary just posted an entry on XP SP3 Issues at

    "According to an article published by Information Week, the newly released 
    XP SP3 is causing systems to blue screen (aka BSOD) on AMD based systems. 
    Microsoft and HP seem to think its center around the Power Managment 

    Here is an example of a message you might receive:

    A problem has been detected and Windows has been shut down to prevent 
    damage to your computer...
    Technical information:
    *** STOP: 0x0000007E (0xC0000005, 0xFC5CCAF3, 0xFC90F8C0, 0xFC90F5C0

    HP has posted a work around that has you go boot into Safe Mode and 
    disable the Intel Power Management.

    ISC contributors also sent in links to a blog by Jesper Johansson. The 
    blog contains loads of information on the issue and a link to Jesper's 
    "small tool that will detect the IntelPPM problem and mitigate it before 
    installing the service pack".

    For free SP3 MS support call (866) 234-6020 ("Free unlimited installation 
    and compatibility support is available for Windows XP, but only for 
    Service Pack 3 (SP3). This support for SP3 is valid until April 14, 

    And an older diary entry notes the following wrt XP-SP3:
    "retrofits some of the Vista functionality into XP, namely in the area of 
    Network Access Protection, Black Hole Router Detection, enhanced security 
    for administrator and service policy entries (basically some better 
    default settings) and a kernel mode crypto driver.  Additionally, some of 
    the "optional" updates released since SP2 will be installed with SP3 (MMC 
    3.0, MXSXML6, WPA2 support, etc)."

    Linux SSH Service Security Tips

    SSH Default Settings

    While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain sshd settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the /etc/ssh/sshd_config file. Lines with a pound sign (#) are commented and not read. To edit this file from a terminal:

    sudo vi /etc/ssh/sshd_config

    For a Gnome editor, press Alt+F2 and use:


    gksudo gedit /etc/ssh/sshd_config

    For a KDE editor, press Alt+F2 and use:


    kdesu kate /etc/ssh/sshd_config

    Please remember, after making any changes, sshd must be restarted, which can be done from the terminal with this command:


    sudo /etc/init.d/ssh restart

    SSH Root Login

    By default, the SSH daemon ships with remote root logins enabled. This is a potential security risk, and so should be disabled. To disable root login, edit the /etc/ssh/sshd_config file and replace the following line:


    PermitRootLogin yes

    with this line:


    PermitRootLogin no

    SSH Login Grace Time

    The login grace time is a period of time where a user may be connected and not begin the authentication process. By default, sshd will allow a connected user to wait for 120 seconds (2 minutes) before starting to authenticate. This could be used to conduct a Denial of Service (DoS) or a brute force attack against a running SSH daemon. A more reasonable setting is 20 seconds. To change this, replace this line:


    LoginGraceTime 120

    with this line:


    LoginGraceTime 20

    SSH Welcome Banner

    The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line:


    #Banner /etc/

    so it looks like this:


    Banner /etc/

    Now, edit /etc/ and place a warning to unauthorized users. The following is taken from the Advanced OpenSSH page and is modified from a U.S. Department of Defense warning banner.



                                NOTICE TO USERS



    This computer system is the private property of its owner, whether

    individual, corporate or government.  It is for authorized use only.

    Users (authorized or unauthorized) have no explicit or implicit

    expectation of privacy. 


    Any or all uses of this system and all files on this system may be

    intercepted, monitored, recorded, copied, audited, inspected, and

    disclosed to your employer, to authorized site, government, and law

    enforcement personnel, as well as authorized officials of government

    agencies, both domestic and foreign. 


    By using this system, the user consents to such interception, monitoring,

    recording, copying, auditing, inspection, and disclosure at the

    discretion of such personnel or officials.  Unauthorized or improper use

    of this system may result in civil and criminal penalties and

    administrative or disciplinary action, as appropriate. By continuing to

    use this system you indicate your awareness of and consent to these terms

    and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the

    conditions stated in this warning. 



    Once this is in place, restart sshd and all users will see this warning before they get the login prompt.


    SSH Allowed Users

    By default, SSH will permit every user with an account to attempt to log in. To prevent this, you can use the AllowUsers directive. To do this, add a line like this in your sshd configuration file:


    AllowUsers jsmith tallen

    The AllowUsers directive is the list of all users that are allowed to log in through SSH. If you have a large number of users, or you intend to have a changing list of users, you can also use the AllowGroups directive and create a group specifically for users allowed to log in through SSH. You can add a group for this purpose with this command:


    sudo addgroup sshlogin

    Using the example name of 'sshlogin', you would then add this line to your sshd configuration file:


    AllowGroups sshlogin

    After you restart sshd, only users in the AllowUsers list (or users who are members of the 'sshlogin' group if you chose that method instead) will be allowed to log in through SSH.