The NCSC (National Cyber Security Center), a division of the DHS (Department of Homeland Security), announced recently that it will be building a wiki to facilitate collaboration between federal agents working on cyber security.
It looks like the wiki will be used by several federal agencies aside from the NCSC, and it will be used to develop and share documented procedures and standards for federal networks and data systems. This is a big step forward. More to come, I'm sure.
Original article here, from InformationWeek.
No, I'm not talking about the Bush administration's federal budget.
Early this morning both Twitter and Facebook were victims of Distributed Denial of Service (DDoS) attacks. The attack seems to have hit Twitter first, bringing the social network site to its knees. Shortly after, Facebook also began experiencing intermittent issues, though it seems that the Facebook system handled the attack better than Twitter.
In theory, the attackers could have executed a buffer overflow attack by sending packets with 141 characters to the web servers. OK... that's a lie, but if you know what it means then it's probably pretty funny. At a minimum I amuse myself.
Personally, I don't tweet. I am even bothered by the SMS protocol's restrictions. For non-tech-speaking readers, that means I wish text messaging supported more than 160 characters. 140 is just absurd. Now the Extended SMS protocol does support up to 1000 characters *I think*, but for the most part, cellular carriers don't use XMS (eXtended Message Service). Especially if you're texting to a cell phone using another carrier.
I read one report about the Twitter attack where a marketing executive in Manhattan complained that she couldn't get to Twitter, and didn't know where to go to find answers because she gets all her news from Twitter. Wait... you get ALL of your news in 140 characters or less? Seriously? The average news report I read is about 2 pages long, but hey, whatever suits you.
Speaking of the inherent limitations of communicating in such short bursts: did you know that Congressmen and Senators tweet with each other while in session? Yeah, so the people who are running our country are sharing their opinions with each other this way. I'll say it one more time. 140 characters or less.
Below is an actual simulated tweet from the congress floor.
Ithink th $ 4 Kulnkerz iz huge sucess the $ alocated wuz sposd2 last 3 mnths and we ran out in 1week Oh wait the black guy iz taking again.
140 characters or less is fine for me because I don’t actually have anything important to say! This morning twitter was down when I was trying to tell everyone that I bought a pumpkin that looks just like my butt.
Ok, I’ll stop now. Please click my advertisers.
In recent news AT&T was under fire from the web site operators at 4chan. Over the weekend, AT&T began blocking traffic to www.4chan.org, due to what it called a DDoS attack being launched from 4chan servers. Today, 4chan argued that AT&T was intentionally blocking the site's content from its subscribers.
I'm sure you have heard of AT&T, but if you're not familiar with 4chan, then I don't recommend visiting their site at www.4chan.org. Even if you just did go there, you won't think it's very interesting at first glance. From visiting the site, I would assume that they are based out of Japan. Traceroute tells me the server is being hosted in California by a company called xeex Communications.
During today's report, a false report of Randall Stephenson's death showed up on a website affiliated with CNN. The website, IReport.com, is "a user-generated site" whose stories are not "edited, fact-checked or screened". Basically, the site appears to serve as a bulletin board for real news. In this case, the report never made it into the national news, but in the past these pranksters have managed to get these stories through. Read the whole article here.
A recent whitepaper has been released, laying out details for two keystroke logging techniques that use very unconventional methods; the techniques will be demonstrated at the 2009 Black Hat convention.
Typically, keystroke logging is done by means of software installed on the victim's PC, or through a small piece of hardware attached to the keyboard's cable. In this case, access to the computer is not required at all. The first attack involves sniffing slight voltage changes from an AC electrical outlet up to 30 feet away from the victim's computer. When a key is pressed on the keyboard, a string of binary code is sent to the computer through the USB or PS/2 cable, for instance 1000101 or 110100100. Since there is no shielding on the ground cable attached to the keyboard, running into the computer and back to the ground wire in the building's electrical wiring, the variations, or noise, generated can be picked up quite easily from a nearby outlet.
Scary, huh? Well, not really, not to me at least. An easy way around this is to get yourself a nice wireless keyboard. Since the wireless keyboard uses infrared light, or Bluetooth, there is no ground cable on the keyboard, and the signal can't be snooped on in the electrical cabling. Great success. Right?
Unfortunately, as an example, the bottom line with car security systems still holds true to this day. If an auto thief wants your car, they are going to get it. You didn't hear this from me, but did you know that a LoJack system can be rendered useless with a handful of fairly inexpensive neodymium magnets? Also, a few pieces of aluminum tubing will also do the trick. It's called science and it works. Distortion and interference can cause the LoJack signal to be rendered useless. I'm not telling how to, or that you should do this, because inexperienced auto thieves will do it wrong and you will probably be caught. Experienced auto thieves already know this trick. As for me, I'm just familiar with the concept. That's all.
Back to keystroke logging though. Let's say you have the wireless keyboard, or a laptop running on a battery. No connection to the ground wire in the AC system. In this case, the attacker can use a fairly inexpensive laser to measure vibrations on the laptop, keyboard, or even the table top where the keyboard is sitting. Now these vibrations aren't going to be nearly as easy to decipher as the 1s and 0s being sent out through the electrical wire, so it will be good for preventing the casual hacker from logging your strokes.
It’s like they say. A lock on a door will only keep an honest person out of your room.