[http://www.whitewolfsecurity.com/publications/biometric_locks.php Hacking Biometric Locks]
[http://securityvulns.com/Udocument435.html VMware Releases A TON of Patches] - [PaulDotCom] - Patches still pending for VM Fusion, WTF! You should patch, it's important, especially because the security of multiple machines is at risk, in a platform independent kind of way.
[http://www.heise-online.co.uk/security/Chinese-resarchers-use-heartbeats-against-implant-hacking--/news/111463 Body entropy?] - [Larry] - We talked about hacking medical implants a few weeks back. These researchers are utilizing a biometric footprint to derive the key. They measure the interval between 16 heartbeats down to the millisecond, and combine it with photoplethysmography (PPG - the measurement of light absorption under the skin relative to pulse), and use it to generate a 64 bit key. Now, certainly a 64 bit key might be weak, but it is an interesting concept...
[http://blog.ncircle.com/blogs/vert/archives/2008/09/the_browser_with_bling.html Chrome is Shiny, but scratches easily] - [
[http://howto.wired.com/wiki/Secure_Your_iPhone "Securing" Your iPhone] - [PaulDotCom] - I was excited about this article, until I read it. The first two items are implementing a 4 digit pass code, because that provides security, right. Then make sure your phone locks, well duh. And somehow re-mapping my home button protects my information, at least it prevents people from bypassing the lock and accessing my address book. Is that really security or just a workaround? The best part about the article? The screenshot of the iPhone shows they have 3 apps that need updating, doesn't keeping your software up-to-date apply to your phone as well? Also, none of this protects your information as it flies in clear text over open wireless networks...
[http://www.hackinthebox.org/index.php?name=News&file=article&sid=28049 CSI Stick] - [Larry] - A neat little tool for cell phone "forensics" that works with Motorola and Samsung phones. This tool collects all of the SMS data, pictures, placed phone calls, e-mails, and phonebooks. The device runs $200 and requires a PC to attach it to. I wonder how this would compare to, say, LadyAda's simcard reader (at $17) for the kit. This goes along with some practices that Paul and I have done - having someone unsuspecting hand us their cell phone - which contains personal, potentially sensitive data! [http://www.bitpim.org/ bitpim] was the software mentioned by Mike Kershaw for accessing other phones with AT style commands.
[http://www.theregister.co.uk/2008/09/03/mythbusters_gagged/ Mythbusters Prevented From Running RFID Hacking Show] - [PaulDotCom] - Conflicting stories abound, it appears that CC companies do not want RFID shortcomings to be public knowledge. I don't think that talking about RFID hacking and vulnerabilities is a crime, so look for some things coming soon.
:''[http://www.adamsavage.com/ Adam Savage] (Mythbusters co-host) discussed this at The Last H.O.P.E. You can see the relevant part of his talk [http://www.youtube.com/watch?v=X034R3yzDhw here] on youtube.''
[http://www.schneier.com/blog/archives/2008/09/security_roi_1.html Security ROI] - [Larry] - There is just too much to talk about here in a few short lines. Does ROI for security work? Is the ROI more of a soft cost (i.e. preventing a breach, remediating, cleanup and legal/community view issues)? Let's discuss.
[http://www.darkreading.com/document.asp?doc_id=162800&f_src=darkreading_section_297 HP Adds Smart Card Readers to HP Printers] - [PaulDotCom] - Okay, here's a newsflash, authentication is not the major security problem on printers and multi-function devices!!!!! How about implementing software without vulnerabilities, using secure protocols to transfer data, hardening the operating system, and encrypting the files/filesystem? Now you have no excuse, if you are building on technologies such as smart cards to these devices, you can implement all of the other security measures.
[http://www.phiprivacy.net/?p=634 Paper records too] - [Larry] - While not really a tech problem, don't forget about all of that stuff that you print. I guess ultimately it comes down to appropriate record retention (backup tapes anyone) and appropriate storage. Want lots of data, go after the backup tapes, or where they were stored. This gentleman was able to buy the contents of a storage unit at auction for $25, contents sight unseen. The contents had medical data, ripe for identity theft. What if this had been your backup tapes?
[http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts Botnet Counts: For Good Measure] - [PaulDotCom] - Some really cool graphs on the number of botnet drones, yes they have sharply increased over the past few months. However, even more frightening, the number of C&C servers increased ([http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotnetCharts Reference]). This means more drones and more individual botnets, confirming suspicions that botnets are more abundant and perhaps purpose built to avoid detection and eventual shutdown. The reason seems to correlate with the rising SQL injection flaws. SQL injection flaws, ah yes, I've responded to incidents where these flaws are rampant. I also think that targeted phishing attacks are more common as well, especially in university settings.
[http://www.schneier.com/blog/archives/2008/09/software_to_fac.html Hacking so easy my mom can do it] - [Larry] - Software to cook the books at restaurants.