Friday, 18 February 2011

Security Weekly News 18 February 2011 - Full list

Category Index

Hacking Incidents / Cybercrime
 
If you're thinking of robbing a Las Vegas casino, and you're not George Clooney, I have a word of advice: give up now. As Anthony Carleo recently found out, even if you leave the casino in one piece, the chips you stole are going to be worthless long before you make your getaway. The 29 year old suspect is accused of robbing the Bellagio on December 14th of 2010, stealing chips whose face value totaled around $1.5 million dollars. Their real value, however, was zero. Thanks to RFID tags embedded inside them, the chips with denominations of $100 to $25,000 could be immediately deactivated rendering them unredeemable for cash value. Watch CCTV footage from the December 14th robbery in the video clip below, followed by the recent press conference from the Las Vegas Police concerning Carleo's arrest. Stealing worthless chips and then getting caught trying to sell them to undercover officers? Danny Ocean this guy is not.
 
Prisoners at New York's Rikers Island jail have been caught buying up iPads and Macs in an elaborate cyber-crime arrangement that saw them forging credit cards - your credit cards, people! - to buy $1m of Apple products.
This hip young thing with a taste for Apple kit? 28-year-old Shaheed Bilal, who tasked his three younger brothers, girlfriend and 22 other friends and family-members in the outside world with purchasing the gadgets, to sell on at discounted rates.
 
Last week, a Facebook dataset was released by a group of researchers (Amanda L. Traud, Peter J. Mucha, Mason A. Porter) in connection with their paper studying the role of user attributes - gender, class year, major, high school, and residence - on social network formations at various colleges and universities. The dataset - referred to by the researchers as the "Facebook 100" - consists of the complete set of users from the Facebook networks at 100 American schools, and all of the in-network "friendship" links between those users as they existed at a single moment of time in September 2005.
 
Police are investigating the discovery of snooping devices attached to public computers in two Cheshire libraries.
Staff found the keyloggers, USB devices which record keyboard activity, in the back of two PCs at Wilmslow Library and one at Handforth Library.
 
Late this week, I heard from several anti-spam activists who alerted me to a nice reminder that spammers don't always win: Spammers have been promoting their rogue pharmacy sites via images uploaded to free image hosting service imageshack.com. In response, the company appears to have simply replaced those images with the following subtle warning:
 
The BBC has confirmed that BBC Radio's 6Music and 1Xtra sites were hacked to serve malware. In a statement to The H, a BBC spokesperson said, 'We can confirm that the 1xtra and 6Music websites were hacked yesterday. The issue was quickly dealt with, and the sites are now back to normal. We're currently investigating what happened'.
 
Having a Ball with ATM Skimmers  [krebsonsecurity.com]
On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn't look quite right about the machine: A silver, plexiglass device had been attached to the ATM's card acceptance slot, in a bid to steal card data from unsuspecting ATM users.
But the customer and the bank's employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.
 
In a current report, anti-botnet specialists at Damballa write that the number of bot-infected PCs worldwide increased sevenfold within a year, although no absolute figures are mentioned. The researchers consider that the expansive growth in 2010 was caused by the increasing availability of 'exploit packs' and trojan toolkits. Such tools enable criminals without programming skills to assemble their attack weapons and malware with a few simple mouse clicks. Toolkit prices range between $100 and $1,000.
 
Simply browsing the sites would be enough to cause infection, Websense says
Two websites operated by the BBC have been infected by iFrame attacks and could be serving up malware, according to researchers
The BBC-6 Music site and areas of the BBC 1Xtra radio station site are affected, according to a blog by researchers at Websense.
The injected iFrame occurs at the foot of the BBC 6 Music Web page, and loads code from a site in the .co.cc top-level domain, Websense says. The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site.

Unpatched Vulnerabilities
 
Rated as Critical
A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to cause a denial of service or take complete control of a vulnerable system. This issue is caused by a heap overflow error in the 'BowserWriteErrorLogEntry()' function within the Windows NT SMB Minirdr 'mrxsmb.sys' driver when processing malformed Browser Election requests, which could be exploited by remote unauthenticated attackers to crash an affected system or potentially execute arbitrary code with elevated privileges.
VUPEN has confirmed this vulnerability on Windows Server 2003 SP2 and Microsoft Windows XP SP3.

Software Updates
 
Microsoft has announced that the first service pack for Windows 7 and Server 2008 R2 is available to download for MSDN and TechNet subscribers. This is offered in three versions, one for 32- and two for 64-bit Windows (x64 and Itanium). All three will update both Windows 7 and Server 2008 R2, because both operating systems are based on the same kernel. The sizes of the packages are 550 MB (x86), 925 MB (x64) and 525 MB (Itanium).
 
Oracle released the February 2011 Critical Patch Update for Java SE and Java for Business today. As discussed in a previous blog entry, Oracle currently maintains a separate Critical Patch Update schedule for Java SE and Java for Business because of commitments made prior to the Oracle acquisition in regards to the timing for the publication of Java fixes.
Today's Java Critical Patch Update includes fixes for 21 vulnerabilities. The most severe CVSS Base Score for vulnerabilities fixed in this CPU is 10.0, and this Base Score affects 8 vulnerabilities.
 
Update 1 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues
 
Most versions of Java and some versions of PHP enter an infinite loop trying to turn the string '2.2250738585072012e-308' into a double precision floating point value. (Remember scientific notation? Floats and doubles are good for representing really big and really small numbers. Very important for getting the physicists to shell out for supercomputers.) Here are the details on the bugs.
This is a recipe for a quick and easy denial of service attack. If you have a Java application that does something as simple as this:
Double.parseDouble(request.getParameter("d"));
attackers can wedge a thread every time they make an HTTP request. Now Anonymous doesn't need a botnet army to take your app offline. A laptop with an AOL dialup connection should be plenty.
 
The Management Center for Cisco Security Agent is affected by a
vulnerability that may allow an unauthenticated attacker to perform
remote code execution on the affected device.
Cisco has released free software updates that address this
vulnerability.
A workaround is available to mitigate this vulnerability.
 
Windows only: Sumatra PDF has always focused on being the faster, lighter, and less system-burdening alternative to Adobe and other PDF solutions, and its latest 1.3 update continues down that path. Images are rendered faster, in particular, and less memory is used.

Business Case for Security
 
The Spy Next Door: Stealing your life for £44  [blog.itsecurityexpert.co.uk]
How easy can it be to steal your life? For less than 44 quid is it possible to steal your bank account username, password and bank account security questions? For less than 44 quid is it possible to harvest your credit card details, including your credit card security code and Verified by Visa or MasterCard SecureCode password? Is it possible to read your private Emails and access your Email account? Is it possible to monitor all your private web surfing habits and instant messenger conversations, and obtain your username and passwords for all your websites?
 
Cyber crime costs the UK economy £27bn a year, the government has said.
The figures, published for the first time, are a mid-range estimate and the real cost could be much higher.
They are made up of £21bn of costs to businesses, £2.2bn to government and £3.1bn to citizens.
Security minister Baroness Neville-Jones said the government was determined to work with industry to tackle cyber crime.
At the moment, cyber criminals are 'fearless because they do not think they will be caught', she said in a briefing in central London.
 
Up to 60 per cent of Irish companies have suffered a data breach and only a third have proper data breach policies, according to a survey to be published by the Irish Computer Society.
The Data Protection Attitudes and Practices Survey 2011, also reveals that more than one in seven people have suffered a personal data breach over the past 12 months.
And almost half of IT staff are unaware that data breaches must be reported by law. Consequently, two thirds of Irish IT workers say that they are not confident that a data breach involving their own personal information would be reported to them.
 
The FREE ISO27k Toolkit  [www.iso27001security.com]
The FREE ISO27k Toolkit consists of a collection of ISMS-related materials contributed by members of the ISO27k Forum, either individually or through collaborative working groups organized on the Forum. We are very grateful for their generosity in allowing us to share them with you.
The toolkit is an incomplete work-in-progress: further contributions are most welcome, whether to fill-in gaps or provide additional examples of the items listed below.
 
Align your PCI-DSS v1.2 compliance activities with your ISO27k ISMS, for mutual benefit
 
A new 'State of Application Security Survey' conducted by the Ponemon Institute and commissioned by Barracuda Networks and Cenzic on respondents' perceptions and experiences protecting Web applications has some disappointing results. The survey underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security.
According to 74 per cent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment. And while website attacks are the biggest concern for companies, 88 per cent spend more on coffee than securing Web applications
 
Two of the top five most frequently observed flaws were patched more than five years ago, M86 study says
The availability of a patch for a security flaw doesn't always solve the problem, according to a new study published today.
According to the new Security Labs Report from M86 Security, the top six most frequently observed vulnerabilities on the Web were all discovered at least four years ago, and have all been patched for at least two years.
Most of the top 15 flaws detected by M86 Security were on Windows or Adobe applications, and most have been around for some time -- MS Office Web Components active script execution, for example, has been known since 2002, yet it is still No. 2 on the most frequently detected list.
 
The study found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet.
If you think your antivirus software is protecting your computer, think again. Only 17% of all of the viruses on the web are detected by antivirus providers, according to research carried out by the Israeli firm Security Art, which examined the effectiveness of 42 antivirus programs, including programs sold by McAfee, Kaspersky, AVG and Aladdin as well as Symantec's Norton antivirus program.
The study also found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet. Among the antivirus programs tested, the one with the best record was McAfee with Artemis/GW, with a 17% success rate, followed by Microsoft with 16% and Sophos with 13%. Lower rates were registered for Norton, at 12%. Other products, from Trend Micro, Aladdin eSafe, Fortinet, and the most common, full version of McAfee, registered success rates of less than 10% in detecting the viruses.
 
A security researcher who analyzed data from two recently leaked databases concluded that the rate of password reuse is higher than previously believed.
Joseph Bonneau, a PhD student with the Security Group at the University of Cambridge Computer Laboratory, analyzed user passwords stolen from Gawker and rootkit.com.
The Gawker user database was leaked by hackers in the first half of December, while the rootkit.com one made its way onto the Internet just recently, after Anonymous hacked HBGary.
The Gawker leak was much bigger, exposing some 1.3 million logins and password hashes, compared to the 81,000 stolen from rootkit.com.
When intersecting the two databases, Bonneau found a number of 522 email addresses registered at both sites. Of those, about 456 were determined to be valid pairs.
 
The Home Office has pledged to spend £63m on the fight against cyber crime.
The move follows David Cameron's announcement in October that Britain is to spend £650m on a new cyber security programme, as part of sweeping reforms to the UK's defence capabilities.

Web Technologies
 
Java is out of date on more than 40 percent of machines
Wolfgang Kandek, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company's BrowserCheck service checked were missing one or more patches, ComputerWorld has reported.
BrowserCheck checks for vulnerabilities in browsers (on Windows, Linux and Mac) and 18 browser plug-ins. Plugins include Flash and Reader (Adobe), Java (Oracle) and Silverlight (Microsoft) and Windows Media Player (Microsoft).
 
Ever wonder about that mysterious Content-Type tag? You know, the one you're supposed to put in HTML and you never quite know what it should be?
Did you ever get an email from your friends in Bulgaria with the subject line '???? ?????? ??? ????'?
I've been dismayed to discover just how many software developers aren't really completely up to speed on the mysterious world of character sets, encodings, Unicode, all that stuff. A couple of years ago, a beta tester for FogBUGZ was wondering whether it could handle incoming email in Japanese. Japanese? They have email in Japanese? I had no idea. When I looked closely at the commercial ActiveX control we were using to parse MIME email messages, we discovered it was doing exactly the wrong thing with character sets, so we actually had to write heroic code to undo the wrong conversion it had done and redo it correctly. When I looked into another commercial library, it, too, had a completely broken character code implementation. I corresponded with the developer of that package and he sort of thought they 'couldn't do anything about it.' Like many programmers, he just wished it would all blow over somehow.
 
Some less obvious benefits of HSTS  [scarybeastsecurity.blogspot.com]
HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections.
Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent.
The stated benefits of HSTS include:
* Defenses against sslstrip-like attacks. The initial navigation to blah.com is automatically upgraded to HTTPS.
* Zero tolerance for certification problems. The user is not permitted to 'click through' anything such as a self-signed cert.
 
IronBee, a new Apache-licensed web application firewall  [blog.ivanristic.com]
It is my great pleasure to announce the launch of IronBee, a brand new open source web application firewall. It's a project whose main goal is to build a universal application security sensor through focus on community-building first, code second. To that end, not only is the project open source, but it uses the Apache 2 license and does not require copyright assignments from contributors. How's that for a conversation starter?
 
Spot the Vuln - Radical  [blogs.sans.org]
When you are right, you cannot be too radical; When you are wrong, you cannot be too conservative.
- Martin Luther King, Jr.
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
 
Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks.
Last Friday, Google announced that it open sourced a project that its engineers were working on to add a new functionality into Java called Contracts, or Design-By-Contract (DBC).
 
Yet another operation permitted across domains with no specific security checks is the ability to seamlessly merge <IFRAME> containers displaying chunks of third-party sites (in their respective security contexts) inside the current document. Although this feature has no security consequences for static content - and in fact, might be desirable - it poses a significant concern with complex web applications where the user is authenticated with cookies: the attacker may cleverly decorate portions of such a third-party UI to make it appear as if they belong to his site instead, and then trick his visitors into interacting with this mashup. If successful, clicks would be directed to the attacked domain, rather than attacker's page - and may result in undesirable and unintentional actions being taken in the context of victim's account.
There are several basic ways to fool users into generating such misrouted clicks:
 
ClearClick News  [hackademix.net]
As you probably know, ClearClick is the only effective client-side protection against Clickjacking (AKA UI Redressing).
A couple of weeks ago, Atul Agarwal of Secfence privately reported to me a ClearClick bypass based on tracking user's mouse movements and dynamically putting an extremely small click target just under his pointer. Even though it required the attacker's page to be whitelisted and run JavaScript, I deemed this bug deserved to be fixed ASAP because ClearClick, like most web application security countermeasures offered by NoScript

Network Security
 
When talking about security, companies often focus on the "security perimeter". Inside this perimeter, you have the "good" guys and all the rest is considered as the "wild" world, the Internet. Once you passed the access controls, you are free to walk and do what you want. Can you approve this from a security point of view? And this is true for physical security as well as network security. So often, I found myself alone in corporate buildings where I could perform so many malicious actions! (I insist here on the "could" verb ;-) )
A new wave of gadgets, called the "PlugBot" or the "Pwnie Express", are available for sale on the Internet. The word "gadget" is not the most appropriate in this case. I would say "killer tools" instead. Those small boxes have the same size as a PLC adapter. This makes them extremely portable and discreet. They integrate a powerful toolbox:
 
How to crash the Internet  [www.zdnet.com]
We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a country, like Egypt, can knock down a country's entire Internet infrastructure. And, we thought we knew that you couldn't take down the entire Internet. It turns out we could be wrong.
In a report from New Scientist, Max Schuchard a computer science graduate student and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet.
 
Targeting a vulnerability in Acrobat Reader is one of the more popular ways of compromising systems nowadays. PDF Stream Dumper is a free tool for analyzing suspicious PDF files, and is an excellent complement to the tools and approaches I outlined in the Analyzing Malicious Documents cheat sheet.
For this introductory walk-through, I will use a malicious PDF file that I obtained from Contagio Malware Dump. If you'd like to experiment with this file in an isolated laboratory environment, you're welcome to download the malicious PDF from my server; the password to the zip file is the word "infected".
 
How To Outrun A Lion?  [www.ctrl-alt-del.cc]
You don't have to outrun a lion - it's enough you outrun the guy running next to you.
Funny enough, the same stands for securing your IT infrastructure - if you are in the 'low hanging fruit' category, you get owned for sure - possibly before you even notice anything shady going on behind your shiny website. When you raise the bar a bit and step out of the damned circle, most of the attackers will give up on you and move to find some other target that is easier to compromise. Of course that doesn't work for determined attackers that want YOU and nobody else, but that's a story for another time.
What's that smell?
It's a smell of FAIL my friend...
 
DDoS Analysis Process  [isc.sans.edu]
We sometimes get requests from people who are undergoing Denial of Service attacks. These days that usually means a Distributed Denial of Service attack. In our role at the Internet Storm Center, we're often limited to consultation roles and can only recommend possible courses of action for the client. We don't have a canned response or top-three recommendations that will work in all cases; instead we have a process. Hopefully it can keep pace with the evolution of attacks
 
Two Windows 7 security patches from this month's Patch Tuesday are reported to prevent VMware's View desktop virtualisation client from accessing the View Connection Server. According to a VMware Knowledge Base article, users that have installed either one or both of the patches (Article ID 2482017, 2467023) are affected.
 
Network Visualization  [isc.sans.edu]
One area of interest that I have is network visualization. What I'm referring to is being able to visually see the traffic flows and patterns to determine anomalies or events of interest. We have so much information with our networks today, that it is difficult to process all of it. The trend seems to be getting worse and reverting back to my good ole Army days of 'Do more with less'. With the economic times we live in, it always seems that security is one area that takes a hit. So, we have to work smarter and network visualization is one area that I think has great potential, but seems to be very under developed.
 
A Distributed Cracker for VoIP  [www.symantec.com]
Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.
Let's rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists reported attacks against SIP servers. The attacks consisted of REGISTER attempts using what appeared to be random account names. The novelty lay in the source of the attack, as it seemed the traffic originated from many different IPs. No specific malware was traced back to these attacks, though.

Database Security
 
Network-Based Security Software Monitors Traffic and Helps Prevent Attacks from Reaching Oracle and Non-Oracle Databases
News Facts
To help organizations prevent sophisticated internal and external attacks from reaching their enterprise databases, Oracle today announced the availability of Oracle® Database Firewall.
Oracle Database Firewall establishes a defensive perimeter around databases, monitoring and enforcing normal application behavior in real-time, helping to prevent SQL injection attacks and unauthorized attempts to access sensitive information.
Using innovative SQL grammar analysis technology, Oracle Database Firewall examines SQL statements sent to the database and determines with high accuracy whether to pass, log, alert, block or substitute SQL statements based on pre-defined policies including:

Mobile Security
 
Challenges in Smartphone Security  [www.quantainia.com]
With so much information to digest and so little time, this month we decided to take a slightly different approach and not publish a standard whitepaper, but rather collate our thoughts in the form of an infographic. Let us know what you think of it and whether you prefer it to our usual format.
 
The most exciting feature that came with the Verizon iPhone was the inclusion of a mobile hotspot app. The downside? It costs $20 a month. Here's how to get Wi-Fi tethering without paying a monthly fee.
The process is actually ridiculously simple, but you should know it isn't free. This process will cost you $20, but only once (as opposed to every month, like you'd pay with Verizon and eventually AT&T). Here's how it works:
 
This post documents an XSS vulnerability that I discovered in the default Gmail app (v1.3) provided by Google in Android 2.1 and prior. All versions included in Android up to and including 2.1 seem to be affected, but the bug was unintentionally patched in Froyo (2.2) when Google updated the application to v2.3. The vulnerability let an attacker execute arbitrary JavaScript in a local context on the phone, which made it possible to read the victim's emails (and the contacts mentioned in those emails) off of the phone, download certain files to the phone (and open them), and more easily perform various other attacks that have previously been documented to take further control of the phone. Less seriously, it was also possible to crash the application repeatedly, resulting in a denial-of-service situation. The flaw has now been fixed via server-side patch to the Gmail API.
 
Researchers in Germany say they've been able to reveal passwords stored in a locked iPhone in just six minutes and they did it without cracking the phone's passcode.
The attack, which requires possession of the phone, targets keychain, Apple's password management system. Passwords for networks and corporate information systems can be revealed if an iPhone or iPad is lost or stolen, said the researchers at the state-sponsored Fraunhofer Institute Secure Information Technology (Fraunhofer SIT).

Cloud Security
 
This is going to be a bit of a different post for me. One of the exercises in our CCSK Enhanced class we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance.
There are a few different ways to do this, but we decided to go with Trend Micro's SecureCloud service for a couple of reasons. First of all, setting it up is something we could do within the time constraints of the class. Trying the same process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have considering the CCSK Enhanced class is only one day, and covers a ton of material. The other reason is that it supports my preferred architecture for encryption- the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Lastly, they offer a free 60 day trial.

Privacy and Censorship
 
Wrapping up the last of the United Kingdom's notorious copyright infringement 'pay up' letter cases, a UK patent and copyright judge has had a major revelation. Just because some lawyer cites an Internet Protocol (IP) address where illegal file sharing may have taken place, that doesn't mean that the subscriber living there necessarily did the dirty deed. Or is responsible for others who may have done it.
'What if the defendant authorises another to use their Internet connection in general and, unknown to them, the authorised user uses P2P software and infringes copyright?' asked His Honour Judge Birss QC last Tuesday.
 
I've heard that a lot of new cameras (especially smartphone cameras) can store personal information like my location in photos. How can I get rid of this and protect my privacy?
....
When you take a picture with your digital camera, it stores all sorts of information, called EXIF (Exchangeable Image File) data, in the photo's file. This includes things like type of camera, shutter speed, or the date the photo was taken. However, many new cameras - especially the cameras built into iPhone and Android phones - will also store your GPS location by default, which could easily lead someone to your home address or phone number.
 
Slightly Right of Centre  [www.slightlyrightofcentre.com]
Digital rights, from the centre - of Farnham
I don't need to defend porn to fight the UK net filtering proposals
Government censors set to decide what sites we can look at?
Personally I don't think we should judge what people choose to do in the company of their computer, so long as the curtains are drawn.
But if you're ideologically opposed to pornography there are still lots of reasons to oppose any government plans to regulate the internet.
What is being called for, mostly by the Christian right, is state censorship of communications.
 
Starting Page  [onethingwell.org]
When you search with Startingpage, we submit your search query to Google and return the search results to you in total privacy. Because Startingpage does the searching for you, you never make direct contact with Google. That means Google can't record your IP address, log your visit, or put tracking cookies on your browser. And we won't either.

General
 
Has anyone you know ever lost control of an email account and inadvertently sent spam - or worse - to their friends and family? There are plenty of examples (like the classic 'Mugged in London' scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents - if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.
Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.
 
Single-use passwords are more secure than the usual combination of user name and password, but an additional device has usually been required to generate and display them. Intel, Symantec and Vasco plan to put an end to this problem and enable users to generate single-use passwords which are suitable, for instance, for logging into websites and VPNs, using their own PCs.
 
Cenzic Invented Fault Injection?!  [stop232patent.com]
What did YOU do in 2002?
That is right, in 2007 (February 27) Cenzic was awarded patent (No. 7185232) for 'Fault injection methods and apparatus', which in short words is requesting a page and injecting faulty parameters and searching for error responses. Too bad this was done (and documented in exploits now in the securityfocus archive) months and even years before!!!
The patent was pursued February 28th, 2002. (Thanks to @spinkham for pointing this typo to me)

Tools
 
Nmap 5.51 Released  [seclists.org]
Hi folks! I'm happy to report that Nmap 5.50 has been a huge success,
with nearly 300,000 downloads in the two weeks it has been available!
That much attention inevitably uncovers some bugs, so I'm pleased to
release 5.51 to address them. Most of the bugs are pretty minor.
 
WirelessKeyDump v1.00  [www.nirsoft.net]
WirelessKeyDump is a console application (Command Prompt) that dumps the list of all wireless keys stored by the wireless networks module of Windows operating system.
 
The Yeti is here  [www.sensepost.com]
After several months of dedicated ... uh dedication, our new network footprinting tool is being made available to the masses.
It's called Yeti and it is a cross-platform, Java application. Its predecessor, BidiBlah, was only available on Windows platforms and hopefully with Yeti we can now offer Internet intelligence gathering to everyone.
 
We have done many lists before this post. To name a few - List of FREE VPN Providers!, List of Cell Phone Forensic tools! and List of TOP LiveCD's for Penetration Testers!. But, nothing like the one we are doing today. In fact, we don't know if someone has attempted to list down hardware devices that could assist in a penetration test covertly. We have tried our best to include all of the available devices, but we might have missed some. In case you know of any, please let us know.

Funny
 
PaulDotCom Hacked!!!  [pauldotcom.com]
Well, not really... Yet.
 
Privacy  [www.dilbert.com]
 
parenthesis  [xkcd.com]
 
No button  [nooooooooooooooo.com]
 
LOL  [twitter.com]