Lifehacker :: WEP Cracking Redux: Beyond the Command Line

(image courtesy of Lifehacker!)

The fine folks at Lifehacker posted an interesting feature a few days ago on how to crack wireless networks. The previous tutorial focused on some particular apps and a lot of command-line fu, but this time around all it takes is a few easy-to-obtain apps and a computer that’s portable enough to take with you to the network you want to crack, and you may be able to find your way onto any wireless network you choose, provided there’s enough traffic on it to crack its WEP key.

In this article, they cover my favorite, KisMAC, a fantastic utility for Mac OS that does exactly what you want it to do with so little fuss you could give it to an inexperienced user to figure out – but if you do understand what’s going on under the hood, it’s even more powerful.

[ Lifehacker :: WEP Cracking Redux: Beyond the Command Line ]


Spinning Gears :: DDoS Attacks Hit US Government Web Sites

Government officials reported earlier today that a distributed denial-of-service (DDoS) attack was directed at the Web sites of several US government agencies, and that the attacks likely started after July 4th. Officials have also been able to determine that the attack likely originated from North Korea, and that a botnet of likely over 50,000 infected systems was used to take part in the attack. Here’s the official word:

A botnet composed of about 50,000 infected computers has been waging a war against U.S. government Web sites and causing headaches for businesses in the U.S. and South Korea.

The attack started Saturday, and security experts have credited it with knocking the Web site of the U.S. Federal Trade Commission (FTC) offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the U.S. Department of Transportation (DOT).

With that out of the way, many government agencies have been reporting the issue as a major incident, calling it “complex” and “sophisticated,” and it’s kind of disturbing that we’ve learned so little from the greater virus incidents earlier in the decade to use those adjectives to describe this. The attacks have been ongoing, and definitely have utilized a modestly sized botnet, but this type of work indicates a potency and level of effort that I think we’ve come to expect from North Korea in other regards: good for getting our attention, but not for much else.

DDoS attacks are relatively harmless when the target doesn’t derive revenue from its Web site or services, and are fairly easy to orchestrate. Additionally, there’s no indication whether the North Koreans were responsible for amassing the botnet, were hijacking someone else’s, or perhaps worst of all (but most likely) were customers of a hacker-for-hire ring, some of which are known to sell or rent their botnets to anyone with some spare cash.

There will likely be calls for the US government to strengthen its cybersecurity posture after these attacks, and while I welcome any money being invested in technology security, disaster recovery, and business continuity by any organization, I hope logic wins the day against fear.


The 100-Decibel Alarm

If you have something that you absolutely, positively must keep chained to one place, whether it’s your bike or your laptop, the 100-Decibel Alarm might be just the item for you. Perhaps you’re worried about your luggage when you travel, and want to make sure that thieves don’t steal it or that prying eyes don’t end up in your suitcase (just don’t hold me responsible when some TSA agent decides to “inspect” your particular luggage!).

The alarm is pretty simple: it’s your typical combination-based cable lock, and you can lock and unlock it using a combination of your choosing. There’s a huge red sticker on the front announcing that it’s a 100-decibel alarm, which will hopefully be enough to scare off any would-be thieves or cable-cutters, but if the red sticker doesn’t warn them off, the ear-splitting alarm will when they cut the cable or try to break the lock open. As soon as the cable is cut or the lock is forcefully opened, the alarm goes off, and won’t stop. How you make it stop once the evildoer has fled and you’ve retained your property, I’m not sure. Either way, the 100-Decibel Alarm retails for $25 US from Skymall, and they’re available now.

[ Techie Diva :: Lock Alarm Guaranteed to Shock Ears ]


TSA Hard Drive Goes Missing, With Data on 100,000 Employees

Yowch. The Transportation Security Administration, the fine folks responsible for protecting Americans as they travel by plane, rail, or any other major means of public transit, has made something of a major boo boo. A hard drive, containing private information on over 100,000 TSA employees, from baggage screeners to administrators and officials, has gone mysteriously missing, with no indication or knowledge of where the drive is, who might have it, or whether the data has been used for any nefarious purposes like identity theft.

The lost hard drive contains a wealth of sensitive information, including banking data, social security information, and home addresses of all of the employees. The TSA claims it has no idea whether the drive and its data are missing inside its headquarters, or within the controlled area from which it went missing, or whether it’s left TSA control and is out and about floating around somewhere. The drive contained archive information for employees who worked at the TSA from 2002 to 2005, and the TSA is working with the Secret Service to find and retrieve the drive and its data.

[ MSNBC News :: TSA Hard Drive Goes Missing, With Data on 100,000 Employees ]

The TSA has set up a website to help current and former employees learn more about what they’re doing to retrieve the drive and protect the people who may have been affected:

[ TSA : TSA Employee Data Security Incident ]


Firefox Hit by Fewer Flaws Than IE in 2006

(image courtesy of one of my homes away from home, AppScout!)

According to Symantec, Firefox is living up to its name as the more secure browser, as it suffered 26% fewer flaws and critical bugs than its rival for market share, Internet Explorer, in 2006.

According to Symantec’s tally, 40 Firefox vulnerabilities were disclosed between August and December 2006; Internet Explorer (IE), meanwhile, was hit with 54 bugs. Opera and Safari — the browser Apple Inc. bundles with Mac OS X — had four flaws each.

For all of 2006, however, the numbers were nearly neck and neck: Firefox was nailed by 87 flaws during the 12 months, IE by 92.

The trend line also put Firefox in the better light. The open-source browser had 15 percent fewer vulnerabilities in the second half of the year compared to the first, while IE’s total increased 42 percent during the period.

“Internet Explorer was particularly affected by concerted efforts to ‘fuzz’ the browser for new vulnerabilities,” said the Symantec report, which cited July’s ‘Month of Browser Bugs’ project as a big contributor. “The majority reported affected Internet Explorer or Windows components accessible through the browser,” Symantec said.

To add insult to injury to IE, Mozilla developers patched Firefox five times faster than did Microsoft’s. On average, Firefox had an attack exposure window — the amount of time between the disclosure of a bug and when it was patched — of just two days based on a sample set of 26 flaws. By comparison, Microsoft took an average of 10 days to patch the sample 15 vulnerabilities. Both vendors’ attack windows were a day longer in the second half of the year than in the first six months.

That about says that. Firefox evangelists, rejoice!

[ PC World: Firefox Hit by Fewer Flaws Than IE in 2006 ]


“Storm” Worm Spreads Rapidly Worldwide

It’s been several years since we’ve had a serious virus or worm outbreak, and the “Storm” worm is already spreading worldwide with the speed that we saw back in 2003 from worms like “Blaster” and “Funlove.” Disguised as a typical email attachment (and proving that we haven’t quite learned all the lessons about safe downloading that we should have learned back then), the “Storm” worm arrives in your inbox with subject lines like “230 Dead as storm batters Europe,” or “U.S. Secretary of Sate Condoleeza Rice has kicked German Chancellor,” and has attachments with names like “Full Video.exe” and “Full Story.exe.”

So far, reports say that the worm has infected over 300,000 PCs worldwide, the most in an attack since 2005. The worm isn’t really a “worm,” that is, it doesn’t infect a machine and immediately begin emailing itself to other people; it’s managed to infect so many computers because the virus writers are using botnets to spam people with copies of the virus in large volumes.

[ PC World: "Storm" Worm Spreads Rapidly Worldwide ]


For Windows Vista Security, Microsoft Called in Pros

Microsoft was apparently so concerned about Windows Vista passing the test of IT security and being useful in as many applications as possible that they called in probably the most proficient group of professionals they could find: the National Security Agency (NSA). Microsoft wanted Vista to meet Department of Defense (DoD) and federal standards for IT security, so they enlisted the NSA’s help to make sure that Vista would be up to the challenge. Whether or not Vista really is significantly more secure, or secure enough to meet DoD standards, is a different issue entirely, but it’s likely as secure as it’s going to get, considering the bulk of security-related issues come from lapses in network security, patching, user education, or security policy.

Regardless, it’s rather impressive that Microsoft went to the effort of getting the help of America’s codewriters and codebreakers to help fortify its technology:

“Our intention is to help everyone with security,” Tony W. Sager, the NSA’s chief of vulnerability analysis and operations group, said yesterday.

The NSA’s impact may be felt widely. Windows commands more than 90 percent of the worldwide market share in desktop operating systems, and Vista, which is set to be released to consumers Jan. 30, is expected to be used by more than 600 million computer users by 2010, according to Al Gillen, an analyst at market research firm International Data.

Microsoft has not promoted the NSA’s contributions, mentioning on its Web site the agency’s role only at the end of its “Windows Vista Security Guide,” which states that the “guide is not intended for home users” but for information and security specialists.

The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system.

The NSA also declined to be specific but said it used two groups — a “red team” and a “blue team” — to test Vista’s security. The red team, for instance, posed as “the determined, technically competent adversary” to disrupt, corrupt or steal information. “They pretend to be bad guys,” Sager said. The blue team helped Defense Department system administrators with Vista’s configuration.

Red teams and blue teams are nothing new to anyone who knows much about penetration testing, white-hat hacking, and security auditing and testing. The red team is the “adversary” or the “enemy,” the black-hat hacker or team of crackers looking to intrude on your network and collect information from your systems and networks. The blue team can either be the responding team, or the team that does the analysis once the red team has done its work, or can be as innocuous as the tech support folks who help set up and configure the network for the penetration test. The red team is where the action is.

It’s rather amusing that both parties are eager to discuss the fact that they helped the other, but neither is willing to discuss exactly how. Ah well, secrets will be secrets, I suppose.

[ For Windows Vista Security, Microsoft Called in Pros ]


2006: The Year in Security

PC World’s security report for the year highlights some of the biggest threats to personal and network security we saw online this year, including new kinds of spam engineered to evade common filters, more phishing attacks, and crackers extorting site owners and companies by holding their data or websites for ransom. Among the most worrying issues this year were the increasingly professional nature and complexity of the attacks against corporate and business targets, more and more phishing and the beginnings of business attempts to combat it, and more new spam, an issue that many technology analysts were already calling a fixed problem.

In the analysis, PC World looks at five of those top threats in more detail, from profitable cybercrime all the way to the perils of Windows Vista.

[ PC World :: 2006: The Year in Security ]


Humans Called Weak Link in Tech Security

There’s nothing new about this, but in the end, human beings really are the weak link when it comes to keeping sensitive information safe online. When it comes to keeping critical information safe, most people are both horribly naive and also admirably trusting of the source of a phishing expedition. For example:

That’s what the U.S. Military Academy at West Point did in 2004 to a group of 512 cadets, selected at random for a test called the Carronade. The cadets were sent a bogus e-mail that looked like it came from a fictional colonel named Robert Melville, who claimed to be with the academy’s Office of the Commandant (The real Robert Melville helped invent a short range naval cannon called the Carronade nearly 250 years ago).

“There was a problem with your last grade report,” Melville wrote, before telling the cadets to click on a Web page and “follow the instructions to make sure your information is correct.”

More than 80 percent of the cadets clicked on the link, according to a report on the experiment.

Worse still, even after hours of computer security instruction, 90 percent of freshmen cadets still clicked on the link.

Ouch. That’s pretty bad. Still, phishing attacks are hard to prevent, and can be easily done with even the slightest bit of information about the subject. The article discusses several attempts to protect people from themselves, and where application developers like Microsoft and others have to catch up in making their products safer and offering users the kind of information they can use to tell whether someone is out to trick them.

[ Humans Called Weak Link in Tech Security ]


Symantec’s OS X Spyware Prediction in Flames

Over at ZDNet Australia, blogger Munir Kotadia points out that Symantec predicted 18 months ago, in their last Internet Threat Report, that by this time Mac OS X would be riddled with spyware, viruses, and security threats. Symantec quietly released their most recent report this week, and after it was released with absolutely no mention of Mac OS X or any security threats to the operating system, the company quietly said later that it was wrong about the prediction, and that in the past 18 months there have been no viable, serious security threats to Mac OS X. Mac users can breathe a sigh of relief, but should always stay on guard against new security threats, and against the kind of security threats to which no operating system is immune: the kind that target the user through social engineering, like phishing and password stealing.

Kotadia points out that his query to Symantec to get them to own up to their botched prediction was misconstrued by Apple fanatics at MacDailyNews [ http://macdailynews.com/ ] as disappointment that Symantec didn’t include Mac OS X in their threat report, which is a sad, sad thing. It’s good news for Mac users, but the fanboy reaction isn’t warranted, and I think Kotadia settles the matter rightly. Still, it’s big news that even as many security analysts predicted that OS X would be the next big target on the horizon, it just hasn’t happened yet.

[ ZDNet Australia :: Symantec's OS X Spyware Prediction in Flames ]

