<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael Lee Security Consulting LLC</title>
	<atom:link href="http://www.michaelleesecurity.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.michaelleesecurity.com</link>
	<description>Security Research and Consulting</description>
	<lastBuildDate>Thu, 10 Jun 2010 23:55:32 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Steve Kroft from 60 Minutes on the &#8220;Dinner Set Gang.&#8221;</title>
		<link>http://www.michaelleesecurity.com/?p=81</link>
		<comments>http://www.michaelleesecurity.com/?p=81#comments</comments>
		<pubDate>Fri, 12 Feb 2010 01:57:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=81</guid>
		<description><![CDATA[The following video is a clip of Steve Kroft from 60 Minutes discussing the &#8220;Dinner Set Gang.&#8221;  For the better part of 30 years, they committed burglaries up and down the east coast of the United States and probably netted at least $70 million over those years.
You can get more information at this [...]]]></description>
			<content:encoded><![CDATA[<p>The following video is a clip of Steve Kroft from 60 Minutes discussing the &#8220;Dinner Set Gang.&#8221;  For the better part of 30 years, they committed burglaries up and down the east coast of the United States and probably netted at least $70 million over those years.</p>
<p>You can get more information at this URL: <a href="http://www.dinnersetgang.com/">http://www.dinnersetgang.com/</a></p>
<p><embed src='http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf' FlashVars='linkUrl=http://www.cbsnews.com/video/watch/?id=925813n&#038;tag=related;photovideo&#038;releaseURL=http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf&#038;videoId=50056872&#038;partner=news&#038;vert=News&#038;si=254&#038;autoPlayVid=false&#038;name=cbsPlayer&#038;allowScriptAccess=always&#038;wmode=transparent&#038;embedded=y&#038;scale=noscale&#038;rv=n&#038;salign=tl' allowFullScreen='true' width='425' height='324' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed><br/><a href='http://www.cbsnews.com'>Watch CBS News Videos Online</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=81</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title></title>
		<link>http://www.michaelleesecurity.com/?p=77</link>
		<comments>http://www.michaelleesecurity.com/?p=77#comments</comments>
		<pubDate>Fri, 08 Jan 2010 16:44:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=77</guid>
		<description><![CDATA[The New York Times has recently reported on a new prevailing trend that some institutions of higher learning are finally engaging in.  I have been waiting to read an article like this since the mid-1990s.  A curriculum of this nature existed almost nowhere when I was a senior in high school all [...]]]></description>
			<content:encoded><![CDATA[<p>The New York Times has recently reported on a new prevailing trend that some institutions of higher learning are finally engaging in.  I have been waiting to read an article like this since the mid-1990s.  A curriculum of this nature existed almost nowhere when I was a senior in high school all the way back in 1997.</p>
<p><a href="http://www.nytimes.com/2010/01/03/education/edlife/03cybersecurity.html">http://www.nytimes.com/2010/01/03/education/edlife/03cybersecurity.html</a></p>
<p>Wanted: ‘Cyber Ninjas’</p>
<p>By CHRISTOPHER DREW<br />
Published: December 29, 2009</p>
<p>FOR a regional competition last spring, eight students from California State Polytechnic University, Pomona, spent six months of Saturdays practicing how to defend a typical business computer network from attacks. Then, over two grueling days, they outscored teams from five other schools at blocking worms and other efforts to disrupt their e-mail and Internet systems.</p>
<p>For the six seniors in the group, all in computer information systems, the victory was even sweeter. Boeing, the giant aerospace and military company, offered them jobs.</p>
<p>Boeing’s decision to snap up all the graduates on the team shows how urgent the demand for computer-security experts has become, and helps explain why colleges are scrambling to add courses and specialized degrees in the once-exotic field.</p>
<p>In fact, as attacks on vital computer systems proliferate, surveys show a serious shortage of talent to combat them. Banks, military contractors and software companies, along with federal agencies, are looking for “cyber ninjas” to fend off a sophisticated array of hackers, from criminals stealing credit card numbers to potential military adversaries.</p>
<p>“There is a huge demand, and a lot more schools have created programs,” says Nasir Memon, a professor at the Polytechnic Institute of New York University in Brooklyn. “But to be honest, we’re still not producing enough students.”</p>
<p>Mr. Memon’s school created a master’s degree in cybersecurity last fall. So did Indiana University, whose security degree is in “informatics,” an academic field in which students find new uses for information technology. Starting in the fall, Georgia Tech will offer a master’s degree in information security online; the program is aimed at computer professionals who want to learn to deal with computer threats. N.Y.U. Poly, whose master’s program is also online, prefers students with bachelor’s degrees in computers, math, science or engineering. But it will consider career changers who will take basic computer classes. Carnegie Mellon in Pittsburgh; Purdue in West Lafayette, Ind.; and George Mason in Fairfax, Va., are among other universities with master’s programs in cybersecurity.</p>
<p>Jeffrey M. Henbest, one of the Cal Poly students hired by Boeing, says cybersecurity is seen at his school “as the most technically demanding field, kind of like the fighter pilot of the information technology industry.”</p>
<p>While perhaps just a few thousand jobs are available now, government officials involved in cybersecurity expect the number to grow rapidly. (Professor Memon says pay starts at $50,000 with a bachelor’s, $60,000 to $80,000 with a master’s.)</p>
<p>One concern, says Dale W. Meyerrose, the vice president for cyberprograms at the Harris Corporation, a military contractor, is the shortage of young Americans interested in pursuing careers involving math and science.</p>
<p>But Barbara G. Fast, Boeing’s vice president for cybersolutions, says that young people’s familiarity with posting and chatting, and the fascination with virtual gaming, could make cybersecurity seem like fun. In puzzling out security problems, she says, it can be hard to imagine how far a computer network extends and who the intruders might be.</p>
<p>“It’s a real, three-dimensional, visualization challenge that we have.” </p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=77</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3 Factors To Assess Before Doing Your Own Penetration Testing</title>
		<link>http://www.michaelleesecurity.com/?p=74</link>
		<comments>http://www.michaelleesecurity.com/?p=74#comments</comments>
		<pubDate>Tue, 01 Dec 2009 06:14:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=74</guid>
		<description><![CDATA[This is an interesting article on the pros and cons of outsourcing penetration testing.
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221900481
Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing
What you need to know about bringing penetration testing in-house
Nov 20, 2009 &#124; 11:43 AM
By John Sawyer
DarkReading
With the veil of mystique and enterprise concerns surrounding penetration testing gradually being lifted, enterprises [...]]]></description>
			<content:encoded><![CDATA[<p>This is an interesting article on the pros and cons of outsourcing penetration testing.</p>
<p><a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221900481">http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221900481</a></p>
<p>Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing<br />
What you need to know about bringing penetration testing in-house</p>
<p>Nov 20, 2009 | 11:43 AM<br />
By John Sawyer<br />
DarkReading</p>
<p>With the veil of mystique and enterprise concerns surrounding penetration testing gradually being lifted, enterprises are realizing how a quality, comprehensive pen test can supplement their security efforts and find holes before attackers do &#8212; with the added benefit of meeting PCI DSS requirement 11.3. Now many enterprises are starting to consider whether they should perform pen testing in-house themselves.</p>
<p>The average IT professional views pen testing as a black art. It&#8217;s an activity often seen as dangerous and counterproductive to an operational environment where testing could impact business and cause downtime, but it&#8217;s a practice gaining popularity thanks to the annual pen-testing requirement by the PCI Data Security Standards (DSS) and publicity surrounding the recent purchase of the Metasploit Project by Rapid7.</p>
<p>Deciding whether to pen test in-house or outsource the job is a decision not to be taken lightly considering it can cost anywhere from $5,000 to $50,000 or more, depending on the size of the target, scope, and reputation of the testing vendor. A pen-testing product, meanwhile, costs anywhere from a few hundred dollars for a narrowly focused tool to $30,000.</p>
<p>While saving tens of thousands of dollars by purchasing your own pen-test tool sounds good at first, internalizing the work has its own costs. The investment in human resources, training, and software must be weighed against the potential savings from shelling out big bucks for a third-party pen test. Let&#8217;s examine each:</p>
<p># Human resources: The first and most obvious cost to the bottom line is HR. Are there existing personnel within the organization who have the skills and experience to perform a comprehensive pen test? If so, then the next decision is whether their current job duties can coexist with their new pen-test duties. Answering those questions can result in the need to hire new staff to fill in as needed, or to redistribute personnel to make sure all areas are covered appropriately.</p>
<p># Training: Training the newly designated pen tester &#8212; or, if you&#8217;re lucky, a whole pen-testing team &#8212; is the next item on the cost sheet. Time needs to be set aside to attend training either online or at a conference. Online courses, like those from Offensive Security, run as little as $500 to several thousand dollars, while a multiday pen-testing course, like SEC 560 Network Penetration Testing and Ethical Hacking from SANS, is $4,300 for six days.</p>
<p>Don&#8217;t forget about retention issues that can accompany adding increased responsibilities on current employees and training both new and current employees. Competent pen-testing skills are very valuable right now, and you&#8217;ll need to make sure your pen testers&#8217; salaries are reasonably competitive with how much they could make elsewhere.</p>
<p>It&#8217;s not uncommon for employers to draw up a contract that says the employee must repay part or all of the training expenses if he chooses to leave for another employer within a specific amount of time.</p>
<p># Software: Pen-testing software runs the gamut in terms of cost. Exceptional free tools, like the Metasploit Framework and w3af, are available, but they entail a steeper learning curve compared to a polished commercial solution like Core IMPACT. The differences can be measured in the tens of thousands of dollars and hours versus days to become familiar and reasonably comfortable using the different tools. Determining which software to use will depend on budget, organization size, familiarity of the tools by the pen tester, and technologies used by the target.</p>
<p>Once you&#8217;ve answered the question of whether performing in-house pen testing is cost-effective, you still need to answer the ever important question: Can your team perform a comprehensive test that is objective and doesn&#8217;t suffer from a myopia that often occurs when the tester is too close to the target organization?</p>
<p>The upside of performing pen testing with an internal team is they are familiar with the organization, the network, where the critical assets are, and the people. They may end up finding chinks in the company&#8217;s armor quicker than a third-party pen tester because they have the familiarity and will know where to look first.</p>
<p>But the trade-off is an internal pen-testing team may be too familiar and comfortable with the target environment and could overlook common issues that someone from the outside may not. Personal relationships may even impact whether they target specific users for social engineering exercises, like a simulated phishing attack.</p>
<p>Making the decision to staff, train, and maintain an internal pen-testing team is a big one that can have a serious impact on the security of your company &#8212; more than just checking off &#8220;YES&#8221; on a PCI Self Assessment Questionnaire. It&#8217;s a good idea to hire a third-party pen-testing firm to follow up on the initial pen tests by the internal team to make sure they&#8217;re doing a solid job &#8212; and every couple of years thereafter to ensure results are consistent. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=74</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social engineering and easy passwords are still a problem.</title>
		<link>http://www.michaelleesecurity.com/?p=71</link>
		<comments>http://www.michaelleesecurity.com/?p=71#comments</comments>
		<pubDate>Mon, 30 Nov 2009 18:40:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=71</guid>
		<description><![CDATA[I was reading an interview with Kevin Mitnick over on Slashdot last week and I noticed something interesting that the interviewer said to Kevin during the interview.
The url for the interview in question can be viewed here:
http://interviews.slashdot.org/interviews/03/02/04/2233250.shtml
If you look at question 3, the interviewer implies that social engineering and easy passwords seem to be an [...]]]></description>
			<content:encoded><![CDATA[<p>I was reading an interview with Kevin Mitnick over on Slashdot last week and I noticed something interesting that the interviewer said to Kevin during the interview.</p>
<p>The URL for the interview in question is:</p>
<p><a href="http://interviews.slashdot.org/interviews/03/02/04/2233250.shtml">http://interviews.slashdot.org/interviews/03/02/04/2233250.shtml</a></p>
<p>If you look at question 3, the interviewer implies that social engineering and easy passwords seem to be an obsolete problem when it comes to security.  The excerpt from that dialogue follows:</p>
<blockquote><p> 3) How Do You Plan on Getting Up to Speed? (Score:5, Interesting)<br />
by bloxnet</p>
<p>I have read a bit about you, so I know that you were no slouch back in the days prior to your incarceration and release&#8230;but if you have actually stuck with the limits of your probation how are you planning to jump into consulting again?</p>
<p>Don&#8217;t get me wrong, but you can only advise people on social engineering and easy passwords for so long &#8230; what kind of knowledge did you already have on PKI, VPNs, Firewalls, IDSes? There seems to be so much that has changed that just a cursory understanding of the principles behind these technologies does not seem sufficient to serve as a consultant (or at least one I would pay for).</p>
<p>Since so much has changed radically in the last few years, how have you kept up or do you plan to keep up at the moment? I can&#8217;t see just reading a book on the latest OS specs and administrative tasks and being able to consult on them without hands on experience, and in your case you have quite a few years of language, os, security, and other operational technology advances to get up to speed with, etc.</p>
<p>So basically&#8230;.what&#8217;s your game plan to get back to a modern day equivalent of the proficiency you had several years ago?</p>
<p>Kevin:</p>
<p>There&#8217;s a widespread misconception that I only used social engineering attacks to compromise my targets. Not so. I do admit, however, that social engineering was extremely effective in reaching my goals without resorting to using a technical exploit. I would look for the weakest link in the chain that was the least risk and cost to me. This involves looking at the big picture, rather than focusing on a single access point. For instance, if an attacker can walk into the server room without much chance of detection, that&#8217;s all she wrote.</p>
<p>You are correct that security technologies have evolved in the last decade. I haven&#8217;t been living in a vacuum, even though the Bureau of Prisons made efforts to restrict my reading material. I&#8217;ve kept up with the many trends in the industry and have been able to use computers for the last year prior to the expiration of my supervised release, as long as I didn&#8217;t access the Internet. I have plenty of previous experience working with security technologies such as firewalls, operating systems, configuration and patch management. As far as PKI and IDSes, I&#8217;ve kept up with the technology by reading until the time I was finally permitted to use computers in January, 2002. Of course, I still have a lot to learn since security technologies are evolving rapidly, but I have no doubt that I&#8217;ll be up to speed in no time.</p>
<p>As you know, security is not a product that can be purchased off the shelf, but consists of policies, people, processes, and technology.</p></blockquote>
<p>The implication that the interviewer makes is interesting.  He seems to be implying that social engineering and easy passwords are no longer problems.  He may also be implying that people with the skill set of Kevin Mitnick aren&#8217;t useful.  Nothing could be further from the truth.</p>
<p>He does bring up a valid point though.  Why hire a security consultant when so much of this knowledge is so much more widespread than it used to be?  Many more people are aware of the dangers involved with social engineering and attacks on basic authentication mechanisms like passwords.  There are several good books to be found on IT security and anyone can easily educate themselves on the topic.</p>
<p>Many of those books, however, only scratch the surface of what is possible in the real world.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=71</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Man arrested over record jewel heist in London</title>
		<link>http://www.michaelleesecurity.com/?p=63</link>
		<comments>http://www.michaelleesecurity.com/?p=63#comments</comments>
		<pubDate>Tue, 18 Aug 2009 05:13:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=63</guid>
		<description><![CDATA[From http://www.theage.com.au/world/man-arrested-over-record-jewel-heist-in-london-20090813-eiln.html
London police have arrested a man in their hunt for the smartly-dressed robbers who pulled off what is thought to be Britain&#8217;s biggest jewellery heist, a spokesman says.
Two gun-toting men walked into the exclusive Graff store on London&#8217;s swanky New Bond Street and stole 43 rings, bracelets, necklaces and watches with a retail value [...]]]></description>
			<content:encoded><![CDATA[<p>From <a href="http://www.theage.com.au/world/man-arrested-over-record-jewel-heist-in-london-20090813-eiln.html">http://www.theage.com.au/world/man-arrested-over-record-jewel-heist-in-london-20090813-eiln.html</a></p>
<p>London police have arrested a man in their hunt for the smartly-dressed robbers who pulled off what is thought to be Britain&#8217;s biggest jewellery heist, a spokesman says.</p>
<p>Two gun-toting men walked into the exclusive Graff store on London&#8217;s swanky New Bond Street and stole 43 rings, bracelets, necklaces and watches with a retail value of £40 million ($79.39 million).</p>
<p>Scotland Yard said their detectives were pressing on with investigations into last Thursday&#8217;s raid &#8211; caught on camera by a passer-by, in a video posted on YouTube &#8211; and had arrested a man on Monday in an east London suburb.</p>
<p>&#8220;Following the release of CCTV (closed-circuit television) images of two men they want to speak to, officers are currently following up a number of inquiries,&#8221; a spokesman said on Wednesday.</p>
<p>&#8220;A 50-year-old man was arrested for robbery on August 10 in connection with the incident outside a residential address in Ilford.</p>
<p>&#8220;He has been subsequently bailed pending further inquiries.&#8221;</p>
<p>A number of addresses were searched on Tuesday, he said, adding that the police would not go into further details.<br />
The armed robbery was carried out in broad daylight at 4.40pm last Thursday. The men arrived in a London black taxi and threatened staff with handguns.</p>
<p>As the robbers left Graff, they dragged a female member of staff with them and fired a warning shot outside the shop, although no one was injured and the assistant was left behind as they raced off.</p>
<p>Another shot was also fired soon after as the pair abandoned their BMW getaway car nearby and switched to a Mercedes-Benz, before switching to a third car later.</p>
<p>The pair, dressed in grey suits and white shirts and speaking with London accents, were probably helped by at least another two men acting as getaway drivers, reports said.</p>
<p>Among the items stolen were a pair of white round diamond double hoop earrings, a yellow diamond flower necklace, platinum white Marquise diamond ring and a chronograph men&#8217;s 45mm watch.</p>
<p>Police said it was a &#8220;well-planned robbery&#8221; conducted by &#8220;extremely dangerous&#8221; men.</p>
<p>New Bond Street, in the plush Mayfair district, is dotted with big name gem stores including royal jeweller Asprey.</p>
<p>Graff, which is known for its diamonds and caters to celebrities, was also targeted in 2003 in what until now was reportedly Britain&#8217;s previous most expensive jewellery robbery, worth £23 million (A$45.65 million).</p>
<p>Stars spotted wearing Graff&#8217;s jewels include Paris Hilton, Kylie Minogue, Naomi Campbell, Oprah Winfrey and Victoria Beckham.</p>
<p>The latest heist is also thought to be the second biggest robbery in Britain, after a STG53 million ($105.19 million) raid on a Securitas depot in Kent, south-east England, in 2006, police said. A gang tied up staff and stole cash.</p>
<p><object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/pxITk8ImdZ0&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/pxITk8ImdZ0&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=63</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Story of the World&#8217;s Largest Diamond Heist</title>
		<link>http://www.michaelleesecurity.com/?p=54</link>
		<comments>http://www.michaelleesecurity.com/?p=54#comments</comments>
		<pubDate>Sat, 14 Mar 2009 00:41:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=54</guid>
		<description><![CDATA[The Story of the World&#8217;s Largest Diamond Heist
Read the whole thing:
    He took the elevator, descending two floors underground to a small, claustrophobic room&#8211;the vault antechamber. A 3-ton steel vault door dominated the far wall. It alone had six layers of security. There was a combination wheel with numbers from 0 to [...]]]></description>
			<content:encoded><![CDATA[<p>The Story of the World&#8217;s Largest Diamond Heist</p>
<p><a href="http://www.wired.com/politics/law/magazine/17-04/ff_diamonds">Read the whole thing:</a></p>
<p>    He took the elevator, descending two floors underground to a small, claustrophobic room&#8211;the vault antechamber. A 3-ton steel vault door dominated the far wall. It alone had six layers of security. There was a combination wheel with numbers from 0 to 99. To enter, four numbers had to be dialed, and the digits could be seen only through a small lens on the top of the wheel. There were 100 million possible combinations.</p>
<p>    Power tools wouldn&#8217;t do the trick. The door was rated to withstand 12 hours of nonstop drilling. Of course, the first vibrations of a drill bit would set off the embedded seismic alarm anyway.</p>
<p>    The door was monitored by a pair of abutting metal plates, one on the door itself and one on the wall just to the right. When armed, the plates formed a magnetic field. If the door were opened, the field would break, triggering an alarm. To disarm the field, a code had to be typed into a nearby keypad. Finally, the lock required an almost-impossible-to-duplicate foot-long key.</p>
<p>    During business hours, the door was actually left open, leaving only a steel grate to prevent access. But Notarbartolo had no intention of muscling his way in when people were around and then shooting his way out. Any break-in would have to be done at night, after the guards had locked down the vault, emptied the building, and shuttered the entrances with steel roll-gates. During those quiet midnight hours, nobody patrolled the interior&#8211;the guards trusted their technological defenses.</p>
<p>    Notarbartolo pressed a buzzer on the steel grate. A guard upstairs glanced at the videofeed, recognized Notarbartolo, and remotely unlocked the steel grate. Notarbartolo stepped inside the vault.</p>
<p>    It was silent&#8211;he was surrounded by thick concrete walls. The place was outfitted with motion, heat, and light detectors. A security camera transmitted his movements to the guard station, and the feed was recorded on videotape. The safe-deposit boxes themselves were made of steel and copper and required a key and combination to open. Each box had 17,576 possible combinations.</p>
<p>    Notarbartolo went through the motions of opening and closing his box and then walked out. The vault was one of the hardest targets he&#8217;d ever seen.</p>
<p>Don&#8217;t be surprised if you see this as a movie in the next few years.</p>
<p><object id="flashObj" width="404" height="436" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,47,0"><param name="movie" value="http://c.brightcove.com/services/viewer/federated_f9/1813626064?isVid=1&#038;publisherID=1564549380" /><param name="bgcolor" value="#FFFFFF" /><param name="flashVars" value="videoId=15404460001&#038;playerID=1813626064&#038;domain=embed&#038;" /><param name="base" value="http://admin.brightcove.com" /><param name="seamlesstabbing" value="false" /><param name="allowFullScreen" value="true" /><param name="swLiveConnect" value="true" /><param name="allowScriptAccess" value="always" /><embed src="http://c.brightcove.com/services/viewer/federated_f9/1813626064?isVid=1&#038;publisherID=1564549380" bgcolor="#FFFFFF" flashVars="videoId=15404460001&#038;playerID=1813626064&#038;domain=embed&#038;" base="http://admin.brightcove.com" name="flashObj" width="404" height="436" seamlesstabbing="false" type="application/x-shockwave-flash" allowFullScreen="true" swLiveConnect="true" allowScriptAccess="always" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=54</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gunmen in drag get millions in Paris diamond heist</title>
		<link>http://www.michaelleesecurity.com/?p=28</link>
		<comments>http://www.michaelleesecurity.com/?p=28#comments</comments>
		<pubDate>Mon, 08 Dec 2008 01:23:24 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=28</guid>
		<description><![CDATA[(12-05) 15:33 PST    PARIS, France (AP) &#8211;
Armed robbers wearing women&#8217;s wigs and clothing made off with diamond rings, gem-studded bracelets and other jewelry worth $108 million from a Harry Winston boutique in Paris, in one of the world&#8217;s largest jewel heists.
As Christmas shoppers strolled outside, the gunmen forced store employees to [...]]]></description>
			<content:encoded><![CDATA[<p>(12-05) 15:33 PST    PARIS, France (AP) &#8211;</p>
<p>Armed robbers wearing women&#8217;s wigs and clothing made off with diamond rings, gem-studded bracelets and other jewelry worth $108 million from a Harry Winston boutique in Paris, in one of the world&#8217;s largest jewel heists.</p>
<div id="articlebox">
<div class="sfg_art001">
<div id="bodytext_bottom" class="bodytext bodytext_bottom">
<div id="fontprefs_bottom" class="georgia md">
<p>As Christmas shoppers strolled outside, the gunmen forced store employees to strip rings, necklaces and earrings from window displays and pull more out of safes, Isabelle Montagne, spokeswoman for the Paris prosecutor&#8217;s office, said Friday.</p>
<p>The brazen robbery early Thursday evening took place in the presence of security guards and security cameras in one of Paris&#8217; toniest shopping locales, just steps away from the tourist-filled Champs-Elysees. Besides Harry Winston, Nina Ricci, Gucci, Chanel and Dior are among the fashion houses with boutiques on the Avenue Montaigne.</p>
<p>The robbers threatened the 15 employees with handguns and hit some on the head, according to a police official who cannot be identified under agency policy. The robbers spoke a foreign language at times and appeared to know employees&#8217; names, the official said.</p>
<p>Montagne said there was only one client in the store at the time, and no one was injured and no weapons were fired. She called the incident &#8220;very well-organized,&#8221; and said three of the four gunmen were dressed as women and wore wigs.</p>
<p>Investigators seized the store&#8217;s surveillance tapes and police said one group under suspicion was the so-called &#8220;Pink Panthers,&#8221; a ring of jewel thieves mostly from the former Yugoslavia. The international police agency Interpol has blamed the group for jewel thefts in 19 countries in Europe, Asia and the Persian Gulf worth more than $150 million over the past 10 years.</p>
<p>Paris&#8217; Harry Winston boutique was targeted in a similar heist last year, when three thieves made off with $28.4 million worth of jewels after forcing employees to open safes. They were never caught.</p>
<p>French police called Thursday&#8217;s robbery one of the world&#8217;s costliest jewel thefts. Five years ago, robbers plundered 123 maximum-security vaults in Antwerp, Belgium, stealing $100 million worth of diamonds in what was then considered the biggest jewel theft.</p>
<p>The Paris robbers chose one of the world&#8217;s most glamorous targets: Harry Winston jewels have adorned Queen Elizabeth, Elizabeth Taylor, Madonna and numerous Hollywood celebrities. The jeweler is famous for its one-of-a-kind diamond-studded pendants, opulent chandelier earrings and colored diamonds in vivid shades of yellow, blue and pink.</p>
<p>&#8220;We are cooperating with the authorities in their investigation. Our first concern is the well-being of our employees,&#8221; New York-based Harry Winston said. Rhonda Barnat, a spokeswoman for the company, did not provide further details.</p>
<p>The boutique was closed Friday, and three of its five display windows stood empty of their usual stunning jewelry. Vendors at the nearby Louis Vuitton and Max Mara boutiques said they did not notice anything unusual Thursday — until police sirens wailed.</p>
<p>Harry Winston declared to insurers that the stolen goods were worth $108 million (euro85 million), the Paris prosecutor&#8217;s office said.</p>
<p>Geoff Field, CEO of the British Jewelers&#8217; Association, called it a &#8220;pretty sensational&#8221; robbery, but added: &#8220;There are well-known gangs around looking to target high-value diamonds.&#8221;</p>
<p>He stressed the stolen jewels would be difficult to sell &#8220;through any legitimate channels.&#8221;</p>
<p>&#8220;They will undoubtedly be certified,&#8221; he said, adding: &#8220;There will be a record of their quality, their cut, their weight, their color, and they will be identifiable.&#8221;</p>
<p>Passers-by at the Harry Winston store wondered the same thing Friday.</p>
<p>&#8220;How do you fence it? How do you get rid of it?&#8221; asked tourist Richard Conacher, a 39-year-old hotelier from Melbourne, Australia. &#8220;You&#8217;d have to think they were famous pieces.&#8221;</p>
<p>A half-century ago, company founder Harry Winston donated the Hope Diamond — the world&#8217;s largest blue diamond and famed for the bad luck that it brought its owners — to the Smithsonian Institution.</p>
<p>Thursday&#8217;s robbery comes as a security monitoring group for the French jewelry industry has reported a 20 percent rise in armed robberies over last year, with 132 taking place through November.</p>
<p>___</p>
<p>Associated Press writers Jean-Pierre Verges, Pierre-Antoine Souchard and Angela Charlton contributed to this report.</p></div>
</div>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=28</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Business is temporarily on hold</title>
		<link>http://www.michaelleesecurity.com/?p=26</link>
		<comments>http://www.michaelleesecurity.com/?p=26#comments</comments>
		<pubDate>Fri, 31 Oct 2008 18:24:45 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=26</guid>
		<description><![CDATA[Michael Lee Security Consulting will be unable to offer services for the first 6 months of 2009 since it&#8217;s CEO and founder, Michael Lee will not be available.  Michael Lee has enlisted in the United States Navy and will not be returning from service until June 2009.
]]></description>
			<content:encoded><![CDATA[<p>Michael Lee Security Consulting will be unable to offer services for the first 6 months of 2009 since its CEO and founder, Michael Lee, will not be available.  Michael Lee has enlisted in the United States Navy and will not be returning from service until June 2009.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=26</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Some examples of losses sustained due to inadequate security.</title>
		<link>http://www.michaelleesecurity.com/?p=25</link>
		<comments>http://www.michaelleesecurity.com/?p=25#comments</comments>
		<pubDate>Wed, 15 Oct 2008 00:23:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=25</guid>
		<description><![CDATA[These examples were all found using the search engine, Google.  All of the figures given in these examples are in United States dollars.
Milan, Italy, 2008 &#8211; Oscar Night Jewel Heist; $20 million in jewelry
Laguna Hills, California, 2006 &#8211; $500,000 in jewelry
Antwerp, Belgium, 2003 &#8211; $100 million in diamonds
Amsterdam, Netherlands, 2005 &#8211; $102 million in diamonds
East Coast [...]]]></description>
			<content:encoded><![CDATA[<p>These examples were all found using the search engine, Google.  All of the figures given in these examples are in United States dollars.</p>
<p>Milan, Italy, 2008 &#8211; Oscar Night Jewel Heist; $20 million in jewelry</p>
<p>Laguna Hills, California, 2006 &#8211; $500,000 in jewelry</p>
<p>Antwerp, Belgium, 2003 &#8211; $100 million in diamonds</p>
<p>Amsterdam, Netherlands, 2005 &#8211; $102 million in diamonds</p>
<p>East Coast Gate Cutting Crew, 2003-2005 &#8211; $5 million in jewelry</p>
<p>Florida to New York, Dinner Time Burglars, 1969-1990 &#8211; $70 million</p>
<p>Paramus, New Jersey, 2008 &#8211; $1 million in jewelry</p>
<p>Baghdad, Iraq, 2007 &#8211; $282 million in cash</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=25</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Some information on the EZ Padlock.</title>
		<link>http://www.michaelleesecurity.com/?p=16</link>
		<comments>http://www.michaelleesecurity.com/?p=16#comments</comments>
		<pubDate>Thu, 31 Jul 2008 08:07:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.michaelleesecurity.com/?p=16</guid>
		<description><![CDATA[This is some information about the security scheme of a product known as the EZ Padlock.  The brute force tool for these is available in the Downloads section.
First of all, the EZ Padlock is about $10.00. Chances are good that you can find one at your local Wal-Mart. I have already found an exploit. [...]]]></description>
			<content:encoded><![CDATA[<p>This is some information about the security scheme of a product known as the EZ Padlock.  The brute force tool for these is available in the <a href="http://www.michaelleesecurity.com/?page_id=3">Downloads</a> section.</p>
<p>First of all, the EZ Padlock is about $10.00. Chances are good that you can find one at your local Wal-Mart. I have already found an exploit. This padlock implements a rolling code to prevent key copying, but the security is an illusion: the lock remembers only the last code it accepted, so any two captured transmissions can be replayed alternately for as long as you like. All you have to do is create two buttons with a Philips Pronto, OmniRemote, or any other learning-remote software you might be using on a PDA. Make two buttons. Train button 1 and then train button 2 from the lock&#8217;s own remote. While training, make sure the lock cannot hear the remote, since each press you capture would otherwise also be consumed by the lock. Now use your newly trained button 1 to open the lock. If you try button 1 again, it won&#8217;t work. So use button 2 to open it again. Now button 2 doesn&#8217;t work a second time. No worries. Use button 1 again and it will open the lock again. So far, I am not impressed with this product.</p>
<p>What follows is the data I have been able to collect so far. It is in the Pronto hex format, where each pair of words is one burst: time on, then time off, in units of the carrier period. Some codes might be &#8220;dirty,&#8221; which means they were learned with slightly incorrect timing, so a few pairs below do not match either symbol exactly and are left as raw hex. These codes should be mostly correct, though. All of these codes came from the same remote.</p>
<p>001e 003c = 0<br />
0023 003c = 1</p>
<p>Breakdown of button 1</p>
<p>011d 0028 1 0 1 1 0 1 1 0 0 1 1 0 1 0 0 1 1 1 0 0041 001e 0041 001e 0 1 0046 001e 0 1 0046 0019 1 0041 001e 0 0 1 1 0 1 1 0 1</p>
<p>1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 0 0 1 0041 0019 0046 0019 1 0 1 0046 0019 0041 001e 1</p>
<p>0118 0028 0 1 1 0 1 1 0 1 1 0 0 1 0 1 1 0 1 0 1 0046 0019 0041 001e 1 1 0041 001e 1 0 0041 001e 0 0041 001e 1 1 0 0 1 1 0 1 1</p>
<p>0 1 1 0 1 1 0 1 1 0 1 0 0 1 0 1 1 0 0041 001e 0041 001e 0 1 1 0041 0019 0046 0019 1</p>
<p>0118 0028 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 0 1 0 0041 001e 0041 001e 0 0 0041 0023 0 1 0046 0019 1 0046 0019 1 0 1 1 1 0 1 0 0</p>
<p>1 0 0 1 1 0 1 0 0 1 0 1 1 0 1 1 0 1 0046 0019 0041 001e 1 1 0 0041 001e 0041 001e 0</p>
<p>0118 0023 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 1 0 1 0041 001e 0041 001e 1 1 0041 001e 1 1 0041 001e 0 0041 001e 0 1 1 0 0 1 0 0 1</p>
<p>0 1 1 0 0 1 0 0 1 0 1 1 0 1 1 0 1 1 0041 001e 0041 0019 1 0 1 0046 0019 0041 001e 1</p>
<p>0118 0028 0 1 0 0 1 0 0 1 1 0 1 1 0 1 1 0 0 1 1 0041 0019 0046 0019 1 0 0041 001e 1 0 0041 001e 1 0041 001e 1 1 0 0 1 0 1 1 0</p>
<p>1 1 0 0 1 0 1 1 0 1 1 0 1 1 0 1 1 0 0041 001e 0041 001e 0 1 0 0041 001e 0041 001e 0</p>
<p>0118 0028 1 0 0 1 0 1 1 0 0 1 1 0 1 1 0 1 1 1 0 0041 001e 0041 001e 0 1 0046 001e 0 1 0046 0019 1 0041 0019 1 0 1 1 0 1 1 0 1</p>
<p>1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1 0 1 0041 0019 0046 0019 1 0 1 0041 001e 0041 001e 0</p>
<p>You will notice the format of this code has an obvious structure. The header pair 0118 0028 (a long burst followed by a short gap) lets the AGC in the receiver settle before the data arrives. The header and the data that follow it are transmitted 6 times per press, which is why the dump above repeats. Chances are that the code is sent LSB first, which is usual for most remotes.</p>
<p>I have discovered some flaws in the security the EZ Padlock is using. This lock supposedly uses a 32-bit rolling code. As it turns out, this is not exactly the case.</p>
<p>The following numbers are in Pronto hex format.</p>
<p>There is a header of 0118 0028 and then 64 bits in the bitstream. This is sent 6 times by the transmitter for redundancy. Let us suppose that the 64 bits are broken in half, so it is 32 bits and 32 bits. This is where things get interesting.</p>
<p>The first 32 bits seem to be static.  They don&#8217;t change with each press of the remote.</p>
<p>The last 32 bits are the bits that roll. I have only gotten 9 of those bits to roll (got up to 276 so far), but the flaw is that the lock only memorizes what the last rolled code was. A proper rolling-code receiver rejects any counter value at or below the last one it accepted; this lock rejects only the single value it saw last. For example, if you send the first 32 bits and then the last 32 bits equal 1 (00000000000000000000000000000001), the lock will open. Send the same code again and the lock will not open, because its stored last value is now 1. Send any other value (up to at least 9 bits that I know of so far) and the lock will open. Now go back to 1 and the lock will open again. This is exactly what the two trained buttons above exploit, and combined with the other flaw I have discovered it makes a brute force attack very possible.</p>
<p>The first 32 bits are the most important to the lock because they have to be correct or else the lock will not open, but here there seems to be another huge flaw. So far, in all of these locks that I have encountered, I have yet to find one that has any bits set to 1 in the first 16 bits of the total 64. What does this mean? A brute force attack is now very possible, because the part of the key that matters in the first 32 bits is only using 16 bits. That is only 2^16 = 65,536 possible identifiers, and since the lock rejects only the last counter value it saw, trying each identifier with two different counter values is guaranteed to hit the real one: at most 131,072 transmissions in total.</p>
<p>This may be due to the manufacturing process. It almost appears that these may have been numbered sequentially. If you don&#8217;t make more than 65,536 locks, then why use codes that go over that?</p>
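<p>Added example (not the author&#8217;s brute force tool): a decoder for the burst-pair stream described above, written in Python. The header 0118 0028 and the 0/1 burst pairs are the values given in this post; the LSB-first bit order inside each 32-bit half, the tolerance used to flag &#8220;dirty&#8221; pairs, and the sample capture it runs on (generated inline, not a recording of a real lock) are assumptions.</p>

```python
"""Decoder for the EZ Padlock burst-pair stream described in the post.

Added example, not the author's tool.  The header (0118 0028) and the '0' / '1'
burst pairs are the values given in the post; the bit order (LSB first inside each
32-bit half), the classification tolerance and the sample capture are assumptions.
"""

HEADER = (0x0118, 0x0028)
SYMBOLS = {"H": HEADER, "0": (0x001E, 0x003C), "1": (0x0023, 0x003C)}
TOLERANCE = 8      # summed |delta| in Pronto units above which a pair is "dirty" (assumption)
FRAME_BITS = 64    # 32-bit static ID followed by 32-bit rolling counter


def parse_pronto_words(text):
    """Whitespace-separated Pronto hex words -> list of (on, off) burst pairs."""
    words = [int(w, 16) for w in text.split()]
    if len(words) % 2:
        raise ValueError("burst data must contain an even number of words")
    return list(zip(words[0::2], words[1::2]))


def classify(pair):
    """Nearest known symbol, or '?' when the timing is too far off to trust."""
    on, off = pair
    best, best_dist = "?", None
    for sym, (s_on, s_off) in SYMBOLS.items():
        dist = abs(on - s_on) + abs(off - s_off)
        if best_dist is None or dist < best_dist:
            best, best_dist = sym, dist
    return best if best_dist <= TOLERANCE else "?"


def split_frames(symbols):
    """Cut the symbol stream at every header; one press carries the frame six times."""
    frames, current = [], None
    for sym in symbols:
        if sym == "H":
            if current is not None:
                frames.append(current)
            current = []
        elif current is not None:
            current.append(sym)
    if current is not None:
        frames.append(current)
    return frames


def bits_to_int_lsb_first(bits):
    value = 0
    for i, bit in enumerate(bits):
        value |= int(bit) << i
    return value


def decode_frame(frame):
    """(static_id, counter) for a clean 64-symbol frame, else None."""
    if len(frame) != FRAME_BITS or "?" in frame:
        return None
    return bits_to_int_lsb_first(frame[:32]), bits_to_int_lsb_first(frame[32:])


def decode_capture(text):
    """Use the six-fold repetition: return the first frame that decodes cleanly."""
    for frame in split_frames([classify(p) for p in parse_pronto_words(text)]):
        decoded = decode_frame(frame)
        if decoded is not None:
            return decoded
    return None


# --- constructed sample capture, not a recording of a real lock ---
def encode_frame(static_id, counter, jitter=0):
    """Inverse of decode_frame; `jitter` is added to every data burst's on-time."""
    bits = [(static_id >> i) & 1 for i in range(32)] + [(counter >> i) & 1 for i in range(32)]
    pairs = [HEADER]
    for bit in bits:
        on, off = SYMBOLS[str(bit)]
        pairs.append((on + jitter, off))
    return pairs


def to_pronto_words(pairs):
    return " ".join("%04x %04x" % pair for pair in pairs)


SAMPLE_ID, SAMPLE_COUNTER = 0x0000BEEF, 276   # top 16 ID bits clear, 9-bit counter, as in the post
# first repetition learned badly (+20 units on every data burst), the other five within tolerance
SAMPLE_CAPTURE = to_pronto_words(
    encode_frame(SAMPLE_ID, SAMPLE_COUNTER, jitter=20)
    + sum((encode_frame(SAMPLE_ID, SAMPLE_COUNTER, jitter=2) for _ in range(5)), [])
)
```

<p>One caveat the tolerance does not fix: the 0 and 1 on-times in this table differ by only 5 units (0x1e against 0x23), so a learned code that is off by 3 units flips bits silently rather than being flagged dirty. That is why the decoder leans on the six repetitions instead of trusting one frame; comparing all six and taking the majority per bit would be the next step.</p>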
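<p>Added example (not the brute force tool in the Downloads section): a Python model of the acceptance rule this post describes, next to a conventional rolling-code receiver, showing why two captured codes replay forever and how the search collapses to two tries per 16-bit identifier. The 32-bit ID / 32-bit counter layout and the &#8220;only the last counter is remembered&#8221; behaviour come from the post; the windowed reference receiver, its window of 16, and the sample ID and counter values are assumptions.</p>

```python
"""Model of the EZ Padlock acceptance rule described in the post, beside a
conventional rolling-code receiver.  Added illustration, not the author's tool:
the ID/counter layout and "only the last counter is remembered" come from the
post; the windowed receiver, its window and the sample values are assumptions."""

import itertools


class EZPadlockModel:
    """Opens on the right static ID with any counter except the last one it accepted."""

    def __init__(self, static_id):
        self.static_id = static_id
        self.last_counter = None   # the only state the post says the lock keeps

    def try_open(self, static_id, counter):
        if static_id != self.static_id or counter == self.last_counter:
            return False
        self.last_counter = counter
        return True


class WindowedRollingLock:
    """Reference behaviour (assumed): the counter must be above the last accepted
    value and inside a small forward window, so every accepted code is burned."""

    WINDOW = 16

    def __init__(self, static_id, last_counter):
        self.static_id = static_id
        self.last_counter = last_counter

    def try_open(self, static_id, counter):
        if static_id != self.static_id:
            return False
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False
        self.last_counter = counter
        return True


def two_button_sequence(lock, code_a, code_b):
    """The trained-button trick from the post: A, A again, B, then A once more."""
    return [lock.try_open(*code) for code in (code_a, code_a, code_b, code_a)]


def alternate_replay(lock, code_a, code_b, presses):
    """Replay two captured codes alternately; returns how many presses opened the lock."""
    return sum(lock.try_open(*code)
               for code in itertools.islice(itertools.cycle((code_a, code_b)), presses))


def brute_force_static_id(lock, id_bits=16, counters=(1, 2)):
    """Search the ID space with two different counters per guess.  Against the EZ
    model one of the two is never the remembered counter, so the real ID always
    opens within 2 * 2**id_bits transmissions.  Returns (id, counter, transmissions)
    or None when the receiver never accepts."""
    transmissions = 0
    for guess in range(1 << id_bits):
        for counter in counters:
            transmissions += 1
            if lock.try_open(guess, counter):
                return guess, counter, transmissions
    return None


if __name__ == "__main__":
    lock_id = 0x0000BEEF          # sample ID with the top 16 bits clear, as observed in the post
    captured_a, captured_b = (lock_id, 277), (lock_id, 278)
    ez = EZPadlockModel(lock_id)
    print("EZ model, two buttons:", two_button_sequence(ez, captured_a, captured_b))
    print("EZ model, 20 alternating replays opened:",
          alternate_replay(ez, captured_a, captured_b, 20))
    ref = WindowedRollingLock(lock_id, last_counter=276)
    print("windowed receiver, 20 alternating replays opened:",
          alternate_replay(ref, captured_a, captured_b, 20))
    print("brute force against EZ model:", brute_force_static_id(EZPadlockModel(lock_id)))
    print("brute force against windowed receiver:",
          brute_force_static_id(WindowedRollingLock(lock_id, 276)))
```

<p>Against the model, alternating two captured codes opens the lock on every press, while the windowed receiver opens twice and then refuses both forever. The brute force finds the sample ID after roughly 2 × 0xBEEF transmissions and never succeeds against the windowed receiver, because neither guessed counter lies above its stored value. A real run would also have to send each guess as the six-fold Pronto frame, so transmission time, not the keyspace, is the limiting factor.</p>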
]]></content:encoded>
			<wfw:commentRss>http://www.michaelleesecurity.com/?feed=rss2&amp;p=16</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
