Protecting your computer from unwanted guests: Firefox with NoScript

In the final post of this series I'll look at my favorite tool, Firefox with the NoScript plugin. Firefox is a browser by Mozilla and NoScript is a plugin that can be installed on Firefox. What NoScript essentially does is block, by default, all the "JavaScript, Java, Flash, and other plugins" running on websites. It also provides cross-site scripting (XSS) and clickjacking protection.

After downloading and installing Firefox, go to the NoScript site or plugin page and install it to Firefox. A restart of the browser will be required, but then NoScript will be up and running. Now comes the annoying part. Every website and every script running on that website will require your approval to run. This is great for avoiding malware and web ads, but it means that a page might not work properly when you first visit it.

To allow a web page and the scripts it needs to work, click on the NoScript icon, which is an 'S' with a prohibition sign. Click on the main web page's entry and allow it; this will restore some functionality on the page and also expose more scripts to unblock. That's the tricky part: figuring out which scripts need to run. A Google search can help with this, but sometimes it's just trial and error to allow the right script to get the function you want. If you get frustrated enough you can 'Temporarily allow all this page,' 'Allow all this page,' or 'Allow Scripts Globally (dangerous).' Allowing scripts globally will essentially disable the plugin, and I would avoid it if you can. 'Temporarily allow' lasts only as long as the browser is open, while 'Allow all this page' allows all the scripts on the page permanently. Some scripts run on multiple sites, so allowing one once allows it on every website that uses it.

This method of protection will require the most work on your part, but also provides the most security when browsing the web. Accidentally clicked the wrong link? No worries, the script that installed the nasty malware never had a chance to run. You'll also get to see all the useless crap companies put on their web pages.

This is the final post in my series on Protecting your computer from unwanted guests. This was mainly to provide my brother a walkthrough for protecting his computers at work, but if any other security professionals would like to chime in with tips or other suggestions, I would love that.

This post first appeared on Exploring Information Security.

Protecting your computer from unwanted guests: EMET

One of the awesome under-publicized tools that does an awesome job of hardening a computer is Microsoft's Enhanced Mitigation Experience Toolkit, or EMET for short. This tool helps prevent vulnerabilities in software from being exploited. It's not foolproof and researchers have found ways around it, but it is effective. I've seen it be effective first-hand. The tool is easy to install and manage, but will require some action on your part.

Download EMET and run the install. As part of the installation select 'Use Recommended Settings' then click 'Finish' and 'Close.' Once installed, right click on the EMET icon in the bottom right corner of the screen, or in the box thingy that pops up when you click on the triangle on the task bar. Ensure that Data Execution Prevention (DEP) is set to 'Always On,' Structured Exception Handler Overwrite Protection (SEHOP) is set to 'Application Opt In,' Address Space Layout Randomization (ASLR) is set to 'Application Opt In,' and Certificate Trust (Pinning) is set to 'Enabled.' And that is pretty much it. EMET is now running on your computer kicking ass.

Unfortunately, EMET also steps in and kicks the ass of legitimate programs, like its cousins Internet Explorer and the Microsoft Office applications, or some other program. To fix this, look at the alert and note what the program is being blocked for. Then click on the 'Apps' button in the configuration section and uncheck the box of the blocking action for that application.

For more information on the tool you can download the user guide with the EMET installation. Also, Windows Update will not keep EMET up-to-date and will require a manual download and installation of any new version releases.

Protecting your computer from unwanted guests: software patching

Patching is an important part of protecting a computer from unwanted guests. It is that process where we like to hit 'Install later' when a new patch becomes available.

Windows updates should be straightforward and already set to run automatically when new patches come in. To check that this is in fact the case, do the following:

Click Start -> Control Panel -> Windows Update. On the left hand side click 'Change settings.' In the 'Important updates' section click the drop down and select 'Install updates automatically (recommended).' Set a date and time. Mine are set to 'Every day' and at '3 a.m.'
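To check those same settings without clicking through the Control Panel, here is an added PowerShell example (not from the original post) that reads the Automatic Updates configuration through the Windows Update Agent COM object `Microsoft.Update.AutoUpdate` and reports anything that differs from the post's recommendation (install automatically, every day, at 3 a.m.); the `-Remediate` switch is my own addition and applies the recommended values when they are not locked by Group Policy.

```powershell
# Added example, not part of the original post. Uses the Windows Update Agent
# IAutomaticUpdatesSettings interface, which is what the Control Panel page edits.
function Test-AutoUpdateSettings {
    param(
        # NotificationLevel 4 = "Install updates automatically (recommended)"
        [int]$ExpectedLevel = 4,
        # ScheduledInstallationDay 0 = "Every day" (1-7 = Sunday through Saturday)
        [int]$ExpectedDay = 0,
        # ScheduledInstallationTime is the hour of day (0-23); 3 = 3 a.m.
        [int]$ExpectedHour = 3,
        # Apply the expected values if they differ (needs an elevated shell)
        [switch]$Remediate
    )

    $au       = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $settings = $au.Settings

    $levelNames = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Download, notify before install'
        4 = 'Install updates automatically'
    }

    $findings = @()
    if ([int]$settings.NotificationLevel -ne $ExpectedLevel) {
        $findings += "NotificationLevel is '$($levelNames[[int]$settings.NotificationLevel])'; expected '$($levelNames[$ExpectedLevel])'"
    }
    if ([int]$settings.ScheduledInstallationDay -ne $ExpectedDay) {
        $findings += "ScheduledInstallationDay is $($settings.ScheduledInstallationDay); expected $ExpectedDay (every day)"
    }
    if ([int]$settings.ScheduledInstallationTime -ne $ExpectedHour) {
        $findings += "ScheduledInstallationTime is $($settings.ScheduledInstallationTime):00; expected ${ExpectedHour}:00"
    }

    # ReadOnly is true when Group Policy owns these settings; in that case the
    # Control Panel controls are greyed out and the fix belongs in the policy.
    $managedByPolicy = [bool]$settings.ReadOnly

    if ($Remediate -and $findings.Count -gt 0 -and -not $managedByPolicy) {
        $settings.NotificationLevel        = $ExpectedLevel
        $settings.ScheduledInstallationDay = $ExpectedDay
        $settings.ScheduledInstallationTime = $ExpectedHour
        $settings.Save()
        $findings += 'Settings updated to the recommended values.'
    }

    [pscustomobject]@{
        Compliant       = ($findings.Count -eq 0)
        ManagedByPolicy = $managedByPolicy
        Findings        = $findings
    }
}

Test-AutoUpdateSettings | Format-List
```

The day and hour schedule fields apply to the Windows 7/8-era Automatic Updates that the post describes; newer Windows releases schedule installs differently and may leave those two fields unused.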

For all non-Microsoft software use Secunia Personal Software Inspector (PSI). This is a free tool for home use (commercial use is paid) that goes out and grabs and installs all the updates for most of the third-party software installed on a machine. Some updates will require manual installation, but most won't require any action from you at all. Simply download, install, and forget. Well, except for the manual installs, which should be checked for every once in a while.

Protecting your computer from unwanted guests

My brother and I in Holland, in a big ass clog, keeping our feet protected from bad...things.

My brother recently contacted me about an incident involving a tech support scam. Luckily, the scam was caught before anything serious happened and one good thing came out of the episode, which leads me to this post and the next few posts. I will be going over some of the tools that can be used to keep unwanted guests out of a computer. All the tools I will be talking about are free, but will require some configuration and thinking.

Tools

Here are the four tools I recommend for avoiding those nasty Internet Transmittal Diseases (ITD):

  • Microsoft Security Essentials - Anti-virus

  • Secunia Personal Software Inspector (PSI) - Software patching

  • Microsoft Enhanced Mitigation Experience Toolkit (EMET) - Computer hardening

  • Mozilla Firefox with NoScript plugin - Safe browsing

  • BONUS: Turn on click-to-play in browsers

I won't go in-depth on Microsoft Security Essentials or turning on click-to-play in browsers. For Security Essentials, go to the download page, download, and install. Simple as that. There aren't many settings for the anti-virus program and that's a good thing. Anti-virus is largely mocked within the infosec community, because it's easy to circumvent, and that includes the $40-60 big name anti-virus companies of the world. Still, it has saved my bacon a time or two and is worth installing, especially if it's free like Security Essentials.

I covered click-to-play in my last post and provided a link to a pretty good article that goes through how to turn on click-to-play in all the browsers. No need to reinvent the wheel, so here's the link again. Click-to-play is easy to turn on and easy to get used to and helps with computer performance.

If any of the posts are unclear or you have a question, please leave a comment or contact me directly.

Impressions from Bsides Nashville 2015

For the second year in a row, I traveled to Nashville this past weekend for its local BSides security conference and, like last year, it was a wonderful conference to be a part of.

I took my camera again this year and I will have pictures from the conference before the month is out. I've got school to wrap up and several other things going on the next couple of weeks. Time is very much at a premium for me right now, but I wanted to take a quick moment to highlight a couple of good things that happened at the conference.

First, I met several wonderful people this year, including Amanda, Tim, Brett, Shelby, Frank, esSOBi, Adrian, and many, many others. I also got to interact a little more with Lauren and Geoff and the rest of the BSides Nashville organizers this year, which was a treat. Putting together a security conference is a lot of work and they did a very good job again this year. I am already looking forward to next year.

The talks were again fantastic, though I didn't get to sit in as many as I did last year. A green track was added to the conference this year and it was completely packed for all the talks. There is a lot of interest in information security right now and there was proof in that track. I hope more security conferences, and in particular BSides, take note and start catering talks and content to people just starting out in security.

The one talk that stuck out to me the most was Johnny Xmas' "That's NOT my RJ45 Jack!: IRL Networking for Humans." The description is in the link and the talk is embedded below so I won't get into what makes the talk great. You'll just have to watch it. The one thing I will say is that this talk isn't just for security professionals. It's for professionals in general.

Watch it!

Almost forgot, the food was amazing again this year!

BSides Nashville video project

I will be traveling to Nashville, TN, to attend BSides this weekend. For the second year in a row I will be running around the conference taking pictures. I'll also be shooting video this year, as part of my final project for a cinematography course I'm doing.

The idea is that I want to show hackers in a more positive light via a documentary style. The project is only required to be a few minutes long, so I won't need a ton of footage. I would like to set up some interviews beforehand with some people to ask them what the term "hacker" means to them. I also want to set up some interactions to shoot that highlight some of the words people use in their interview. For example, for words like family or community, I can use shots of people hugging, high-fiving, etc. For curiosity and a desire to learn, I can use lock picking and shots of people in talks.

This is going to be a very fluid thing so I'd love to get the interviews done, then move onto getting shots of the conference. If anyone would be willing to help me with either item, I would very much appreciate it. Email me at timothy.deblock[at]gmail[dot]com.

Information security podcast review

There are a lot of good information security related podcasts out there. Here are the ones I listen to and my impressions of the show. In no particular order.

PVC Security Podcast - FULL DISCLOSURE: I produce this show, and would appreciate any feedback you have for the show, positive or negative.

I love the passion and fun Paul and Ed bring to the show. They speak their mind and have some fun doing it. I take the quality of a show very seriously both from a technical and non-technical standpoint and I was happy to find that Paul and I share a lot of those same philosophies in the production of an audio show. We’re only 10 episodes in, so we’re still figuring some things out. When we created the podcast we decided that it wouldn’t cover news topics (though I did make them cover Sony) like several of the other podcasts. Instead we wanted to focus on how to become a better information security professional and how to facilitate an improved security culture within an organization.

Security Weekly - This was one of the first podcasts I was able to find on information security and it’s easily one of the top podcasts in the infosec community. It can get a little vulgar and can get a little off track, but the co-hosts are very knowledgeable and entertaining. It can get a little long, usually running 60-90 minutes, but that includes an interview, a demo and a news segment. Of the three segments the interviews are the best. I have gotten more information and ideas and tools out of this podcast than any other podcast I’ve listened to.

Down the Security Rabbithole - If you’re into enterprise security and want a more top-level view of information security, this is the podcast for you. They cover topics from an executive level as well as dive into the legal aspects of information security. They do cover news topics but do it from a much broader viewpoint. My only gripe with the show is that the audio quality can be lacking at times, the main issue being co-hosts at different volume levels throughout the show. The audio quality seems to be getting better though.

Risky Business - The best information security podcast out there. Patrick Gray is the Australian-based host and producer of the show. The production value of the podcast is high and it is well structured. He always has good, interesting interviews and covers the news in an entertaining, light-hearted way. If you’re looking for only one security podcast to listen to, this has to be it.

Crypto-Gram Security - This is Bruce Schneier’s monthly podcast that basically has Dan Henage reading the articles Schneier posted on his website. Depending on how often Schneier writes, this podcast can be anywhere from 15 - 45 minutes long. Dan does a great job reading and producing the podcast. It’s a nice way to listen to Schneier articles. I usually pick up new things in the podcast that I missed reading his articles.

Defensive Security - This is another well produced show that takes a blue team approach to discussing topics and news items. From a technical aspect everything is sound. From a presentation standpoint it could use more energy. It is a good podcast that takes a slightly different angle on information security.

Data Driven Security - This is the latest show I’ve picked up and I’ve loved the two episodes I’ve listened to so far. The topic, as the title suggests, is about data within information security, which might not appeal to everyone. Still it covers metrics within security, which is very much needed in every organization. I’m looking forward to seeing what I can learn from this show.

The only thing I'm going to say about the Sony mess

I had a long list of links that I was going to use to put together a longform post about the Sony hack titled, "The massive Sony link dump." I am currently in the process of re-evaluating my priorities and what I want to do with my time in regards to this site. A massive post about Sony lost its luster pretty early in the process and was thus axed in the face. In its place I have something much more fun.

SonyAttribution

The guys over at Data Driven Security, who have a wonderful podcast and were recently guests on the PVC Security Podcast (Episodes 7 and 9) I produce, put together a site that finally solves the Sony attribution problem. If you don't like that attribution simply refresh the page and you get a new one. It's called the Sony Hack Attribution generator and it's utterly fantastic!

Give it a whirl or two or 50.

Infosec links January 6, 2015

Chip & PIN vs. Chip & Signature - Brian Krebs - Krebs on Security

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Banks' Lawsuits Against Target for Losses Related to Hacking Can Continue - Nicole Perlroth - The New York Times

The ruling is one of the first court decisions to clarify the legal confusion between retailers and banks in data breaches. In the past, banks were often left with the financial burden of a hacking and were responsible for replacing stolen cards. The cost of replacing stolen cards from Target’s breach alone is roughly $400 million — and the Secret Service has estimated that some 1,000 American merchants may have suffered from similar attacks.

Banks: Card Breach at Some Chick-fil-A's - Brian Krebs - Krebs on Security

The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.

What I learned about information security in 2014

PVCSec Podcast logo

On New Year's Eve the PVC Security podcast had a very impromptu recording session. We decided, on Twitter, five hours before the New Year to record our weekly podcast and discuss what we learned about security in 2014. I was hosting a party at the exact same time as the recording so I didn’t pipe in with what I learned in security last year, so instead I’ll write about it here.

The biggest thing I learned about security in 2014 is that it’s very important to have a solid background in IT. Understanding how a network is put together and how computers and servers work goes a long way in helping to secure them.

It is also extremely helpful in getting security implemented in an organization. Implementing security should not be about telling people their systems or applications are broken and that THEY need to go fix them. It should be about working together to find the best, most secure way of doing things. Understanding the limitations of a network, computer or server is going to help in finding the best solution to an insecure problem.

I’ve been working in information technology since 2002. I’ve done everything from moving phone lines to pulling cable to soldering to workstation troubleshooting to inventorying to server management to network management to now security. I’ve got a very broad IT background and I’m starting to realize that it is helping me become a good security professional. That’s not to say that one can’t jump into security or take another route to security, but I think I’ve benefited from having experience in the areas that I now find myself trying to secure and keep secure.

Happy New Year! I am looking forward to all the new things I will learn in 2015.

Hacking the movies

In the first month of 2015 a new hacker movie is set to come out called Blackhat. The movie is about a convicted blackhat hacker getting recruited by the government to track down another hacker causing mayhem and destruction. It looks fascinating and I plan to see it at some point and hopefully review it on the site.

In the meantime here are the hacker movies (in no particular order) I have seen and what I've thought of them.

Hackers - 1995

Very entertaining movie. It's been a while since I've seen it, but there are a lot of very memorable scenes that I can recall. It was also referenced at the most recent DEF CON by Wesley McGrew when he hacked the pineapples people tried to use at the security conference.

Sneakers - 1992

I recently watched this movie for the first time and I was a little disappointed that I've missed out on this wonderful movie for the past two decades. It uses a lot of techniques pen testers use today to break into an organization and it's got a top notch cast. Robert Redford, David Strathairn, Dan Aykroyd, Timothy Busfield, Mary McDonnell and Donal Logue. I'm pretty sure the logo for the Blackhat conference comes from this movie.

Swordfish - 2001

I've read on Twitter that the hacking scenes in this movie are bullshit (I haven't watched it since getting into infosec) and they probably are, but that doesn't make it any less entertaining. The hacking part of the movie is simply there to push the story along to John Travolta shooting people while standing in a sports car and helicopters making buses fly. I watched this movie several times in my younger years.

Die Hard 2 - 1990

It might be a little bit of a stretch to call Die Hard 2 a hacker movie, but I just watched it recently and think it's totally a hacker movie. A rogue military group takes over Dulles airport to free a drug lord being extradited to the U.S. They hack into the Dulles airport tower and seize control of all the systems. There's not a lot of actual hacking, but there is quite a bit of social engineering that provides a nice twist towards the end of the movie.

Live Free or Die Hard - 2007

This Die Hard actually did have quite a bit of hacking included in the movie and for the life of me I don't remember a whole lot about the movie. I thought it was a solid movie, though of course not as good as the other Die Hard movies. I'll be watching it again some time in the near future.

Office Space - 1999

In an interview I was once asked to name my three favorite movies. This was one of the movies I answered with and, as expected, I didn't get the job. This movie isn't about hacking, but it's one of the key elements of the film when Peter, Michael and Samir upload a virus to try and rip off the company they're about to be fired from. It's a good example of insider threat, now that I think about it. It's still one of my favorite movies of all-time and if employers can't handle that, that's their problem.

The Matrix - 1999

I'm still not sure if this should be considered a hacking movie, but it uses hacking as the gateway into the real world and out of the dream state that is the Matrix. It's a visually stunning, action-packed movie that still holds up today. The other movies, not so much.

Tron - 1982

This falls along the same lines as The Matrix. A visually stunning movie that uses hacking as a gateway into another world. Tron: Legacy (2010) is even more stunning, but like the Matrix sequels falls short of the original. The soundtrack is good though.

The Italian Job - 2003

There's quite a bit of hacking from "The Napster" (Seth Green) as well as some social engineering. I would have to watch the movie again (it's free on Amazon Prime, at the moment), but from what I recall there wasn't a lot of messing about with hacking techniques. Lyle (Seth Green) was in and out and probably highlighted a weakness in traffic equipment that has become a bit more relevant today. Though, it seems to be used more as a prank than for a brilliant plan to steal a ton of gold bars.

The Social Network - 2010

Facebook all started with the hacking of the Harvard network by Mark Zuckerberg, according to the movie. The hacking seemed pretty legitimate in the movie, though I'll need to go to the judges on that one. It played a small role at the beginning of the movie and that was about it. Then it turned into a programmer and developer movie. I thought the movie was good and enjoyed it thoroughly. Like a few other movies that only have small parts of hacking, this probably shouldn't make the list, but it's on the Wikipedia list so there's that.

What about you?

What are some movies you enjoyed or hated that included hacking? What did I miss and what should I see? Which ones incorporate the best hacking techniques?

Happy New Year!

Console infosec links December 31, 2014

Grinches steal Christmas for Xbox Live, Playstation Network users - Eric Bangeman - ars technica

Hacker group Lizard Squad took credit for the DDoS attack via Twitter, promising to back off once they get a sufficient number of retweets. "Get this tweet 2,000RTS and make sure to follow @iBeZo if you want us NOT to hit XBOX and PSN #offline for the rest of the night! RT," the group tweeted Christmas night.

Darkode - Ode to LizardSquad (The Rise and Fall of a Private Community) - MalwareTech

With darkode as a cybercrime hotspot, it's not really a huge surprise that people working in the security industry gained interest in getting access. Researchers such as Xylitol and Brian Krebs dedicated a big part of their blogs to having the inside scoop on darkode, and although admins were very proactive in seeking out and banning security researchers, there was always another hacker to pay off or account to hijack, resulting in numerous threads hating on researchers and Brian Krebs becoming a meme.

Who's in the Lizard Squad? - Brian Krebs - Krebs on Security

The core members of a group calling itself “Lizard Squad” — which took responsibility for attacking Sony’s Playstation and Microsoft‘s Xbox networks and knocking them offline for Christmas Day — want very much to be recognized for their actions. So, here’s a closer look at two young men who appear to be anxious to let the world know they are closely connected to the attacks.

NSA infosec links December 30, 2014

Over 700 Million People Taking Steps to Avoid NSA Surveillance - Bruce Schneier - Schneier on Security

Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

NSA waiting until Christmas Eve to reveal its embarrassing self-audit - Kevin Collier - The Daily Dot

The report is a collection of documents, heavily redacted, arranged by quarter, and ranging from the end of 2001 to the end of 2012. They largely catalog individual instances where a National Security Agency employee illegally or mistakenly used the agency’s powerful technology to search an American or a foreigner in the U.S. without a warrant, was caught, reprimanded, and the information deleted.

Prying Eyes: Inside the NSA's War on Internet Security - SPIEGEL Staff - SPIEGEL Online International

Today, NSA spies and their allies do their best to subvert the system their own military helped conceive, as a number of documents show. Tor deanonymization is obviously high on the list of NSA priorities, but the success achieved here seems limited. One GCHQ document from 2011 even mentions trying to decrypt the agencies' own use of Tor -- as a test case.

Hacking infosec links December 29, 2014

Hacker Lexicon: What Is an Air Gap? - Kim Zetter - WIRED

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

Hacker Lexicon: What Is a Backdoor? - Kim Zetter - WIRED

Generally this kind of backdoor is undocumented and is used for the maintenance and upkeep of software or a system. Some administrative backdoors are protected with a hardcoded username and password that cannot be changed; though some use credentials that can be altered. Often, the backdoor’s existence is unknown to the system owner and is known only to the software maker. Built-in administrative backdoors create a vulnerability in the software or system that intruders can use to gain access to a system or data.

Marketing Just Isn't Ready for Hackers - Peter Herzog - Dark Matters

The infosec staff that came through had been talking about it being a potential toehold in the company to reach other systems. But when they saw the compromises didn’t go further than a few servers in marketing, they concluded it was just an employee who brought the infection in from home and that they caught it in time.

But did they?

Policed infosec links December 24, 2014

Pirate Bay Has Been Raided and Taken Down: Here's What We Know - Kim Zetter - WIRED

“There were a number of police officers and digital forensics experts there. This took place during the morning and continued until this afternoon. Several servers and computers were seized, but I cannot say exactly how many,” Swedish prosecutor Fredrik Ingblad told Radio Sweden.

The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users - Kevin Poulsen - WIRED

Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of  suspects hiding behind the Tor anonymity network.

The Limits of Police Subterfuge - Bruce Schneier - Schneier on Security

The facts are these. In June, two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

InfoSec links December 22, 2014

Hacker Lexicon: What is a Zero Day - Kim Zetter - WIRED

Zero-day vulnerability refers to a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors. This means the vulnerability is also not yet publicly known, though it may already be known by attackers who are quietly exploiting it. Because zero day vulnerabilities are unknown to software vendors and to antivirus firms, there is no patch available yet to fix the hole and generally no antivirus signatures to detect the exploit, though sometimes antivirus scanners can still detect a zero day using heuristics (behavior-tracking algorithms that spot suspicious or malicious behavior).

Finally, a New Clue to Solve the CIA's Mysterious Kryptos Sculpture - Kim Zetter - WIRED

The 12-foot-high, verdigrised copper, granite and wood sculpture on the grounds of the CIA complex in Langley, Virginia, contains four encrypted messages carved out of the metal, three of which were solved years ago. The fourth is composed of just 97 letters, but its brevity belies its strength. Even the NSA, whose master crackers were the first to decipher other parts of the work, gave up on cracking it long ago. So four years ago, concerned that he might not live to see the mystery of Kryptos resolved, Sanborn released a clue to help things along, revealing that six of the last 97 letters when decrypted spell the word “Berlin”—a revelation that many took to be a reference to the Berlin Wall.

How the World's First Computer Was Rescued From the Scrap Heap - Brendan I. Koerner - WIRED

When the Army declared ENIAC obsolete in 1955, however, the historic invention was treated with scant respect: its 40 panels, each of which weighed an average of 858 pounds, were divvied up and strewn about with little care. Some of the hardware landed in the hands of folks who appreciated its significance—the engineer Arthur Burks, for example, donated his panel to the University of Michigan, and the Smithsonian managed to snag a couple of panels for its collection, too. But as Libby Craft, Perot’s director of special projects, found out to her chagrin, much of ENIAC vanished into disorganized warehouses, a bit like the Ark of the Covenant at the end of Raiders of the Lost Ark.

InfoSec links December 18, 2014

Spike in Malware Attacks on Aging ATMs - Brian Krebs - Krebs on Security

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

This Fake Log Jams Your Phone So You'll Shut Up and Enjoy Nature - Andy Greenberg - WIRED

Artist and coder Allison Burtch has created a new device to save us from our cellphones and ourselves. It comes in the form of a 10-inch birch log that jams cellular radio signals, and it’s called the Log Jammer. Packed with about $200 of hardware including a power source, a circuit board of her own design, voltage control components, an amplifier, and an antenna, it can produce radio noise at the 1950 megahertz frequency commonly used by cellphones. It’s powerful enough to block all cellphone voice communications in a 20-foot bubble, and its log-like exterior is designed to unobtrusively create that radio-jamming zone in the great outdoors.

'Replay' Attacks Spoof Chip Card Changes - Brian Krebs - Krebs on Security

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.
