TSA Full Body Scanner

“We Don’t Save The Photos.” Really?!?

Despite promises that these full body scanning systems will not save naked photos of you, recently it was discovered that 35,000 photos of naked citizens were being stored by the U.S. Marshal’s Service (another Federal agency) and over 100 of those photos were leaked.

In response to this, the TSA posted on their official site:

Myth: TSA Advanced Imaging Technology (AIT) images can be stored on the AIT machines located in our airports.
Fact: Completely false – TSA’s machines should not be confused with the recent stories about the U.S. Marshals Service. The machines used by TSA at our airports cannot store, print or transmit images. They simply don’t have that ability.

Note the claim that the images are not transmitted? Yet they’ve also told us that the images are transmitted to another location where a different TSA agent is viewing them. So which of their two stories are we to believe?

They are also being extremely specific when they say the LOCAL machines at the airports don’t store images. I’m willing to bet images are being stored in a central system somewhere, just not LOCALLY. Considering that the TSA is also certainly tapped into every flight manifest, it doesn’t take much work to start matching up images with travelers so they can build a database of what every man, woman and child in the US looks like in their birthday suit.

Remember, it only takes ONE employee with access to take home millions of scans on a portable drive to ruin your day. And these things happen all the time.

So What? How Detailed Could The Images Be?

Well, you tell me what you think. Here is a scan that was simply inverted to show you what’s possible. The TSA technology is MUCH higher resolution than this.

In fact, in England, use of full-body scanners is considered a violation of child pornography laws, and the machines are banned for children under 18.

What if You Opt Out of the Body Scanner?

Well, I’ll tell you since the TSA doesn’t. I’ve opted out about 90% of the time, unless I’m in a huge hurry – and even then it didn’t always help.

When you opt out of a body scan you are placed into a separate line where you wait for the next available TSA agent to come get you and do a screening. In literally every case except one when I did this I had a TSA agent with a very bad attitude come get me. (More about that in a minute.)

• The agent will ask you where your items are that went through the metal detector and then carry all of them over to a table. You are not allowed to touch your stuff or help carry it. You stand there and wait.
• Next, the agent will tell you what they are about to do and describe how they are going to frisk you using the front of their hand in places that are not sensitive, and the back in other places.
• They they have you hold your arms to the side and begin to frisk you. When they get to your genitals they absolutely go all the way there – every time. YES, you will have their hands on your junk. (Hopefully you enjoy that kind of thing.)

For females who go through the screening process, they will use the back of their hands to rub completely around the outside of your breasts. The bad news is, you will be fondled. The good news is that it doesn’t cost you a dime to get felt up!

By the way, Dave Barry had similar experiences with the TSA you can read about here, and here’s a little video about the new pat down procedures:

Lets say that you decide to forgo the manhandling and breeze through the body scanner! Well, 50% of the time when I’ve done that I still get dragged aside for the probe! Damn! This tells me that you might as well not even bother and move straight on to the anal probe.

Why do All the TSA Agents Have Bad Attitudes?

I don’t know if dealing with so many people every day makes you numb or what, but 90% of the TSA agents that I’ve interacted with treat me like cattle. This lack of treating people with respect and dignity comes from the top. If the executive leadership demanded it, it would filter down. But clearly they do not.

Here is an example of how unreasonable TSA agents can be:

I’ve had several screeners come up to me and ask questions in accusatory and demeaning ways, and when I respond in a similar fashion they act as though I have no right to question them or attempt to retain some shred of human dignity. I’ve also experienced what can only be described as threats and intimidation.

One agent went so far as to attempt to “stare me down” when he overheard me speaking to a travel partner saying that I didn’t believe this made us any safer.

What Else is the TSA Wasting Money On?

I’ve got two words for you – behavior detection. Did you know the TSA has 3,000 agents deployed in airports across the country at an annual cost of $200,000,000 trained in “behavior detection”. Yet they’ve never apprehended a single terrorist.

Oh, and the GAO released a report that said at least 16 individuals later accused of involvement in terrorist plots flew 23 different times through U.S. airports since 2004. Yet none were stopped by TSA behavior detection officers working at those airports. None.

The bottom line is, the TSA spends $6.3 BILLION per year, has 60,000 employees, and has does not seem to have made us safer. Their argument might be that TSA run programs prevent people from even trying… but security existed in the airports for decades prior to the TSA and the results were no different.

None Found

Today I got an email from Google as follows:

Dear site owner or webmaster of onemansblog.com,

While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/support/webmasters/bin/answer.py?answer=35769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following is some example hidden text we found at http://onemansblog.com/:

calendar acrobat download wcc adobe’s click. create watermark in adobe acrobat ea adobe acrobat professional Software Planetadobe creative suite 2 rumors adobe acrobat not finding scanner . adobe acrobat 8.01 professional software adobe acrobat 5.0. activate adobe acrobat 8 adobe acrobat contact sheet Adobe Acrobat 9 Pro Extended | Software Planetadobe acrobat 6 professional serial numbers c adobe acrobat fields sql . download adobe acrobat reader full version could not find adobe acrobat plugin

In order to preserve the quality of our search engine, pages from onemansblog.com are scheduled to be removed temporarily from our search results for at least 30 days.

Why, pray tell, would Google ban OneMansBlog from the index? Well, because some sneaky bastard somehow added a bunch of spam to the footer of my blog! HOW? My directory permissions are correct, I have all the latest versions of plugins installed and WordPress is up to date. So, let’s run down a checklist of things you should do so as not to fall victim to the spammers too:

1. First of all, change your password for logging into your blog to something HARD. Something that will never appear in any dictionary attack. Mine was good, but now it’s even better. See my How I’d Hack Your Weak Passwords article to understand more.
2. Add the Login Lockdown plugin to your WordPress to protect against brute force attacks. If someone incorrectly attempts to log in more than 3 times it will lock their IP address out for an hour.
3. USE WP Security Scan to look for vulnerabilities in your WordPress installation!
4. Routinely search through your theme’s Header.php and Footer.php files and make sure nothing spammy is showing up in there. If so, delete it immediately and search for, or recruit help in searching for, the breach!
5. Change the FTP login on your Webserver just to be sure that no one has managed to guess what it is.

Finally, I encourage you to restrict access to your /wp-admin/ directory. Put a text document called .htaccess in the wp-admin directory to resrict access to your WordPress admin panel by IP so that only someone coming from your IP address can access it. The following should be in the file with no line breaks before or after it:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from X.X.X.X #Put your IP address
allow from X.X.X.X #Put another IP address
</LIMIT>


If you don’t know your current IP address you can stroll over to WhatsMyIp.org and they’ll tell you. Then you can add as many lines as you need for the various spots you might access WordPress from. Like your home, work, etc.

If all of that doesn’t help you, then may God have mercy on your soul. Because I don’t know what else to do. You should check with your Web hosting provider and ask them to look into the problem. And if they don’t do it, then go to Layered Tech, get hosted on The Grid, and ask for DEFCON management! That is all.

And remember! If this can happen to me, it WILL happen to you if you don’t take precautions. You’ve been warned.

None Found

Here is Richard “Mack” Machowicz from The Discovery Channel’s show Future Weapons giving the run down on the fastest gun on the planet. 3,000 rounds per minute is an awesome weapon!

Now, have you ever wondered what all those extra SUV in a Presidential or VIP motorcade are? You know the ones with blacked windows that no one gets in or out of. Wonder no more… They have a 6 barrel 7.62 mm or 308Win mini Dillon gun… which fires over 3,000 rounds per minute. The wipers need to be run to remove spent casings when the weapon is firing.The vehicle is also armor plated.

Here is my boy Jesse James putting a Dillon Gun to work on a car in the desert!

Oh, in case you thought I was kidding about the SUVs actually being equipped like this, here’s the proof:

And now here is how the pros do it from a moving chopper!

None Found

Iron Mountain Inc is a company specializing in data storage. The best known Iron Mountain storage facility is a high-security cave in a former limestone mine at Boyers, Pennsylvania near the city of Butler in the USA.

It has been in operation since 1950, and it is here that Bill Gates stores his Corbis photographic collection in a refrigerated cave 220 feet underground.

None Found

Windows security is sad. Although most of you have probably already read my article about using strong passwords, even the strongest passwords won’t keep your Windows login account from being penetrated. In fact, it takes only a couple of minutes to gain complete access to a Windows system using nothing more than a free CD ROM.

Now, if there is any good news – people are constantly locking themselves out of their personal laptops and home computers by forgetting the password. And recently I’ve had two different friends do this within a period of a couple of days. So you guys know how this works… when I start getting requests, I document the solution.

So, how easy could it be? Here are the instructions:

• Download the ophcrack CD. (Bad news, it’s 455 MB.)
• Burn it to a CD ROM. (ImgBurn is fantastic freeware for this purpose.)
• Put the CD in your machine and reboot it.

You should be able to follow any of the on screen instructions and have access to your computer again within minutes. Here is a little video demonstrating the process, though it’s highly unnecessary.

None Found

• Thousands Standing Around
• Take Scissors Away
• Truly Stupid Activities

From the Washington Post:

Travelers and their advocates have long complained that lines are too long at many airports, that some security measures seem inconsistent and that security officers seem to be in short supply.

Others say that TSA officers seem to be doing little but hanging out at checkpoints, even when the lines grow.

Yeah, I’ll agree with all of that. Why is it that every time you travel you have to go through screening stations where there are extra TSA agents standing around – yet there are additional scanning machines sitting idle that they just refuse to turn on!

Grrr.

Also see The TSA Does It Again.

None Found

For the rest of us that don’t happen to live in Connecticut, here is the interview as graciously provided by Bruce.

As further reading on the topic of password security, please see my complete article on How I’d Hack Your Weak Passwords. And if you are looking for the password manager I referred to called Roboform I created a short RoboForm Demonstration Video to get you started.

You’ll also find over 30 other related articles in the Security category.

For the regulars around here, you really should stop by Bruce’s site and listen to his other interviews (he’s even got an RSS feed to subscribe to). There are a lot of great tips, and he is a true professional so these are high quality audio clips. Believe me, if it weren’t for the magic of Bruce’s editing prowess mine wouldn’t have been very good!

None Found

Some young guys in L.A. garnered some serious attention when they told ABC News that they could hack cell phones of the rich and famous. And this short video is the result of that claim.

Now, my only problem with this video is that they get everyone all worked up about the fantastic security risk, but then never actually define how the attack is taking place or what can be done to guard against it! Morons.

I can only assume that the vulnerability being exploited here is one called Bluesnarfing. It is an attack which utilizes the Bluetooth functionality of most new phones. This is the wireless function that allows you to wear that dorky earpiece and annoy everyone around you in the mall.

Luckily the UK’s TV show, The Real Hustle has a much better explanation of what is going on and how to prevent getting Blue-Jacked!

None Found

Well, hopefully you notice the little icon of a laptop beside the network entitled “Free Public WiFi”. This is NOT a free wireless access point, but instead a laptop computer that someone has configured to capture your personal data and rob you blind.

The way this scam works is that a criminal entices unwitting suspects to connect to the Internet through their computer. Meanwhile, they are running packet sniffing software to read every bit of unencrypted data passing through it. This includes every web page you visit, the e-mails you write, and even the instant messages you send.

Why would someone want to do this? Because if they listen to what you say long enough they are eventually going to capture a password or some personally identifying information that could prove useful to them.

Oh, and if that isn’t bad enough, once your laptop is connected to theirs, you have opened the door for them to scan all of the ports on your machine in the hopes of finding a security loophole. If they do find one, they could install a rootkit or some other malware on your machine, turning it into a mindless zombie under their control from now on.

So, the bottom line here is, don’t be randomly connecting to just any old network you see. You need to ensure that you are actually connecting to a wireless access point (you can even tell Windows to ONLY show WAPs), and that you have a software firewall installed (see my list of Top 50 Favorite Freeware for recommendations).

Edit: Thanks to Kim for pointing out that there were YouTube videos on this topic. I found these two which share a little more info. The first is from Chris Pirillo:

Next is from a local news channel:

None Found

With a specially modified blank key and a small hammer – or even stick, 90% of home locks can be picked in a matter of seconds. The technique is called Lock Bumping, and the instructions are now all over the Internet.

Take a look at this news report, and then please take appropriate action to ensure that you are not vulnerable.

None Found

That organization exists for the sole purpose of suing the pants off of people, but they can only do so when people leave plenty of evidence about their activity – namely hosting content on their computers and allowing others to download it. Most of the time it seems these foolish people aren’t even aware that what they are doing by running Kazaa, eMule, Gnutella, or some other file sharing application puts them at risk.

But why in the world would anyone share their music, movie or software collections via open, anonymous connections? Especially when there are other virtually risk-free alternatives? (By the way, know your rights if RIAA comes calling.)

Now, I’m not advocating that people steal stuff online.

When it comes to software there are plenty of freeware and open source alternatives for just about anything you could want to do. Long ago I published a list of My 51 Favorite Freeware Apps which I recommend and use on every machine I own. But if you are going to download some software or music online, then at least don’t be an idiot about it!

• Don’t use file-sharing applications! Many of them have all sorts of mal-ware built into them, and you will compromise your computer just by installing them! Not to mention the fact that by design they leave a great big open hole into your hard drive that people can put and take things in and out of. Don’t do it!
• Google is all you need. In many cases Google will serve up exactly what you are looking for. You just have to learn how to do a search correctly (see below).
• Usenet is a sure bet because it isn’t free. Everyone wants something for nothing. But didn’t your mama ever tell you that nothing in life is free? Well, Usenet has a cost – but it contains just about everything in the known digital universe.

**–WARNING!!–**

There are bad people out there looking to take over and control your computer and ruin your life. They use viruses, trojans and other mal-ware, so I don’t recommend you follow any of the instructions below. If you are going to do so, make sure that you have your anti-virus and firewall software up to date and activated. If you need recommendations for good ones see my freeware listing above.

You have been warned!!!

How to Bootleg Music using Google

It is pathetically simple to download just about any song you want using nothing more than Google. All you need to do is search using the terms “index of” along with the name of the song or artist. Using the quotes around “index of” helps narrow the results to directories that contain files.

For example, lets say you like the song Stacy’s Mom by Fountains of Wayne. Do a search on either “index of” stacy’s mom or “index of” fountains of wayne. Very quickly you’ll find some listings that look something like “Index of ./Music/” and guess what you’ll find in them.

It’s all there: The Beatles, Elvis, Pavarotti, Harry Potter audio books… whatever. Here, I’ve even built a custom little search form (with a few added improvements) to demonstrate. You may have to check several of the results because spammers try to capture some of the most common search terms with fake listings.

To use the search form replace “ENTER-SEARCH-TERMS” with your search terms inside the first set of quotes.

How to Bootleg Movies using Google

Feature length movies are a little more complex to search for, and there are not nearly as many posted in open directories on the web. Probably because they are about 200 times the size of a typical MP3. However, here is another custom search which will help you find it if it is there.

The same search method is often used to find free “porn”, “xxx”, “sex” and other illicit movies. To use the search form below replace “ENTER-SEARCH-TERMS” with your search terms inside the first set of quotes.

How to Bootleg Software using Google

Downloading illegal copies of music or movies may be wrong, but downloading software from an unknown source is just plain stupid. Hackers embed all kinds of nasty mal-ware in popular software and then distribute it freely around the net hoping people will install it – and the hidden payload. You can put your entire digital world at risk by downloading from untrusted sources.

Still, for those of you who run with scissors, here is a Google search box. Try “photoshop”, “partition magic” or “ethereal” etc. Just like above, replace “ENTER-SEARCH-TERMS” with your search terms inside the first set of quotes. And don’t forget how dangerous this software can be!

Bootleg ANYTHING on Usenet

Unlike the Web or file-sharing sites, Usenet is a global system of interconnected news servers run by private companies or organizations. Usenet is distributed among a large, constantly changing conglomeration of servers which store and forward messages to one another. (Here is everything you could want to know about them.)

Usenet is comprised of around 100,000 different “news groups”, each focused on a particular topic. Some of these news groups get hardly any traffic, while others are very, very busy. There are really cool, useful and perfectly moral newsgroups such as alt.crafts.blacksmithing, sci.engr.joining.welding or comp.infosystems.www.authoring.html. There are also morally questionable groups that contain software such as alt.binaries.warez, alt.binaries.warez.ibm-pc, or alt.binaries.multimedia.utilities; and groups that contain adult material such as alt.binaries.multimedia.erotica alt.binaries.pictures.erotica or alt.binaries.ijsklontje.

It is likely that your ISP is running news servers which you have access to for free; however, they are probably only carrying the newsgroups that don’t tend to have all of the attached photos, media and software in them. The reason is simple. The more attachments there are, the more data has to be stored. And your ISP doesn’t want to be the central repository of illegal content because it’s expensive to maintain the massive databases.

For this reason you will have to subscribe to a News service provider such as GigaNews at a cost of between $7 – $20 per month. They also offer a free 3 day trials. You will also need News Reader software. Although Outlook and Outlook Express come with free news readers built in, most people turn to outside software for this task because of the huge feature differential. The most popular newsreader is Forte Agent, which also offers a free trial.

Once you have the software and a news service provider it’s as simple as doing a search to find just about anything your evil little heart desires. The following sites run services that catalog everything posted on Usenet and will direct you to immediately download the results:

• NZBIndex.nl
• newzBin
• Yabse

Forte Inc. also maintains Agent’s Guide to Binaries for more information.

Summary

To finish up this article I’d just like to make a few comments.

• Please, I’m begging you not to lecture me about providing this information. I’ve posted articles on how to hack weak passwords, how to make cocaine, and how to make crack. I don’t do these things, and the criminals already know how! I’m providing the information so that regular honest people at least know what the heck is going on and how it’s being done.
• Don’t do anything that goes against your personal belief system. That means don’t murder people, steal stuff, hurt puppys, or be mean. If you do any of these things it is on you – not me! If you buy a kitchen knife and use it to carve up a human it doesn’t mean the person who made the knife is evil.
• There is such a thing as white hat, or “ethical”, hacking. Ethical hackers often uncover exploits in systems and then publish the information for the general public in order to draw attention and close security loop holes which otherwise would remain open. I consider providing this information the same thing. Like I said, it’s nothing the criminals don’t already know.

In summary, I’m just the reporter.

None Found

This isn’t Troy’s first dance either. He previously invented a suit which was intended to be able to survive a bear attack, and even made a video of it.

Here is a short take from the Project Grizzly video:

The Hamilton Spectator had the following to say about the new suit:

The grizzly man is back, and this time he’s ready to take on bullets and bombs.

Troy Hurtubise, the Hamilton-born inventor who became famous for his bulky bear-protection suit by standing in front of a moving vehicle to prove it worked, has now created a much slimmer suit that he hopes will soon be protecting Canadian soldiers in Afghanistan and U.S. soldiers in Iraq.

He has spent two years and $15,000 in the lab out back of his house in North Bay, designing and building a practical, lightweight and affordable shell to stave off bullets, explosives, knives and clubs. He calls it the Trojan and describes it as the “first ballistic, full exoskeleton body suit of armour.”

And here is a short video of The Trojan body suit:

Unfortunately development of this suit has driven Troy into bankruptcy and earlier this year he tried to sell the suit on eBay, but the reserve was not met.

None Found

None Found

There is a great Web site called Bad Vista which can give you tons of reasons not to adopt this operating system, but I’m just going to stick to three primary ones for now:

• What I do in the privacy of my own home, on the privacy of my own computer is none of Microsoft’s business. But for some reason, the most powerful software company on Earth has let media companies push it to add in all sorts of “Digital Rights Management” crap. This will cause several problems:
1. Let’s say you buy a movie on BlueRay disc, but want to take it to Mom’s house and play it back on her DVD player. Well, since a DVD player can’t play a BlueRay you slap it in your PC to convert it over, but wait! Vista says NO! It doesn’t matter that you legally own a copy of that content.
2. On the other hand, you invest in a bunch of HD DVDs, like Microsoft is pushing for their 360 gaming device, but in 3 years they are all obsolete because the new Super, Duper HD DVDs have been released, so you figure you’ll convert your legal copies of those to the new format, but again. NO! Microsoft ain’t gonna let you do it.
3. The cost associated with Windows DRM is absolutely astounding. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista.
• Multimedia performance under Vista is the worst of any modern operating system. Ever. And this is actually by design! So, even though people now watch TV online, have thousands of digital photos and even edit their home movies on their PC, Vista will actually do a worse job with all this than XP ever did.
1. Vista requires that any interface that provides high-quality output degrade the signal quality that passes through it if premium content is present. This is done through a “constrictor” that downgrades the signal to a much lower-quality one, then up-scales it again back to the original spec, but with a significant loss in quality.
2. Vista will silently modify displayed content under certain situations discernible only to Vista’s built-in content-protection subsystem. What happens currently is that Vista just refuses to play premium content rather than downgrading it.
3. If a copy protection weakness is found in a particular device (like your BRAND NEW ‘Vista Capable’ PC), it will have its signature revoked by Microsoft. This means a report of a compromise will cause all premium content ability for that device worldwide to be turned off until a fix can be found – rendering your expensive hardware completely useless just because Microsoft isn’t happy, and despite the fact that you don’t care about that ‘security’ issue.
• Microsoft operating systems and software are getting more insecure and unreliable with every release. This is not because it’s “so hard” to design in security features, but because Microsoft is so interested in sticking their nose in every other aspect of your digital life that the real job of the OS takes a back seat.
1. Given the fact that Microsoft may push an “update” to you which disables your PC, people will disable updates in order to avoid this potential issue. The side-effect of this is PCs will become vulnerable to newly discovered malware, viruses, spyware, etc.
2. The massive DRM and other bloat in Vista will require more CPU, RAM, Video processing and other hardware. It has already been shown to run at least 10% slower than XP. It also unnecessarily utilizes more power at all times meaning increased energy consumption for every PC running it – further straining the electric grid.

So, in short. If a PC manufacturer were to send me a brand new top-of-the line computer for free and it came with Vista I would either re-format the hard drive and install XP, or refuse the system altogether. And that’s not an exaggeration. Just try me…

But worse than that, considering that eventually XP will simply be outdated I’ll have no choice but to migrate to a new operating system within the next few years. And that system will be Linux.

If you really want to read a complete analysis of why Vista sucks like nothing has ever sucked before, fall asleep reading this.

EDIT: This info added 3/30/2007
This just in. More evidence that Vista is unbelievably insecure:

In what could be the most embarrassing exploit to impact Windows Vista since its commercial launch in January, security engineers at McAfee’s Avert Labs confirmed today – and posted the video to prove – that the operating system can be caused to enter an interminable crash-restart-crash loop, by means of a buffer overflow triggered by nothing more than a malformed animated cursor file.

And here is the video demonstrating how simply looking at an animated icon can freakin freeze up your system Mr. Biggelsworth…

None Found

And I’ll do it all with this tiny little application. Don’t believe it? Fine, download it, unzip it and launch it. You’ll be instantly staring at all of the passwords you’ve ever told Microsoft to remember for you.

If that doesn’t make you paranoid… well, you just aren’t alive. So, what can you do about it?

1. Take my previously stated advice of using RoboForm to remember all your passwords.
2. Don’t ever, ever, ever allow Internet Explorer to save a password. You also can’t allow Outlook to save a password.
3. Immediately download and use a system cleaning utility to erase all that data.
4. Strengthen all of your passwords!
5. Switch to FireFox or Opera as your main Web browser.
6. Switch to Thunderbird for mail reading.

I know I’m beginning to sound like a broken record to my regular readers when it comes to security paranoia, but I’d rather you be safe than sorry. And hey… at least One Man is looking out for you. :-)

None Found

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

• You probably use the same password for lots of stuff right?
• Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
• However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
• So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
• Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
• But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ’0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

None Found

PayPal is about to issue SecureID cards to all business clients in order to provide further account security. Now this is what I’m always talking about when I speak of defense in depth! PayPal will combine layers of security, in this case something I have (SecureID password generator), with something I know (my username/password combo) to ensure it’s actually me accessing the site.

In fact RSA, the company that makes the SecureID platform, has has no reported case of a security breach in 15 years! So, I’m very happy to see PayPal leading the field in implementing this security mechanism. Now I just hope that the real financial institutions like Smith Barney, Bank of America and others will follow suit.

By Joris Evers, Staff Writer, via CNET News.com:

eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle on data-thieving phishing scams.

“If a fraudulent party somehow got hold of a person’s username and password, they still wouldn’t be able to get into the account because they don’t have the six-digit code,” Sara Bettencourt, a PayPal spokeswoman, said by phone Thursday. “This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection.”

PayPal Security Key The “PayPal Security Key” will cost $5 for personal PayPal accounts, but will be free for business accounts, Bettencourt said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she said. As of September 30, there were nearly 123 million PayPal accounts, eBay has said.

PayPal users in the U.S., Germany and Australia will be able to sign up for the trial through a special Web site, Bettencourt said. “Based on the response, we look forward to eventually rolling it out in other countries,” she said.

The password-generating device is based on technology from VeriSign, with which eBay entered into a security partnership in 2005. Such key fobs are also used for added security by large corporations for access to corporate resources, and some banks and brokerage firms offer them to clients with a high net worth. Other companies that supply the password gadgets include RSA and Vasco.

eBay and PayPal are common phishing targets. These prevalent scams typically use fraudulent Web sites made to look like legitimate sites and spam e-mail to trick people into giving up their personal information such as login names and passwords.

In a recent survey of Google’s public blacklist of phishing sites, security researcher Michael Sutton found that nearly half of all the active phishing sites targeted either eBay or PayPal. The Google blacklist is used in Google’s Toolbar for Firefox and the Firefox 2.0 browser.

None Found

But, if you really despise IE and wish you never had to open it again (or if it just isn’t working), have I got news for you… Using either Opera or Firefox you can head over to WindizUpdate and get your system updated from a source other than Microsoft.

Here are 10 reasons this site is superior to Microsoft’s:

• It doesn’t install Microsoft Active X spyware plugins on your PC.
• It doesn’t make you install the Windows Validation crap, and even works if your install is not valid.
• No personally identifiable information is collected from your computer.
• If an update has been superseded by a newer one, it will not ask you to install the older one.
• WindizUpdate will find more security patches needed for your O/S than the “other” website.
• It will not nag you to install patches for software you don’t have installed.
• Works on Windows versions no longer supported by Microsoft like NT 4.0 and Windows 95.
• Integrated download manager with error detection lets you can cancel and resume downloads at any time.
• On my machine its a lot faster than Microsoft’s update.
• Upgrading to the latest version of Internet Explorer is not considered a Critical Update!

If you don’t yet have Firefox I highly recommend that you visit my Google Pack page and download it.

Even if you want to stick with IE it’s good to have a backup browser – and every machine should have Firefox installed. Trust me, the minute your IE isn’t working and you don’t have an alternative you’ll be wishing you had downloaded it…

If you don’t yet have Opera, you might want to check out my Top Freeware page. I find Opera to be the best and fastest browser, but it doesn’t have quite the name recognition of Firefox or IE.

None Found

Can you recommend a good hard drive sweeper? I need to clean up my PC at work… been surfing the net a little too much.

Well yes. Yes I can…

There are lots of good reasons to clean up your computer’s hard drive and usage tracks:

• If a hacker ever gained access to your machine, some of your juiciest information is stored in your Web browsers cache. There is enough in almost every browser on earth to engineer a social breach. In other words a hacker could gain access to your personal data and then use it to pose as you.
• You may be working in an environment where your boss frowns on Internet use, even though it actually helps you do your job. In these cases you need to clean up after yourself because any third grader can see what you’ve been doing the moment you log off the machine.
• Finally, you might be doing something morally or ethically “challenged”. Need I say more?

If someone was going to do a forensic analysis of your machine to determine what you’ve been up to, you can bet they are going to start with the following areas:

• Temporary Internet files, Web site cookies, browser history, and index.dat
• Typed URL history
• Saved passwords and form auto-complete information stored in your browser
• Recent Documents
• Usage history of: Start/Run, Search
• Temporary directories on the hard drive
• Items contained within the Windows Registry
• Deleted items contents
• Media player history

And that’s not all… So you can see how it would be difficult to keep all of your private information protected, given that it’s scattered all over your machine in places you’ve never even heard of.

Here’s what you can do about it. First, use one (or more) of the following tools to automatically erase all of the things on the list above. And by the way, all three of these offer Secure File Deletion, which makes the deletions unrecoverable:

1. Clean Cache – Looks like this domain is gone. Thanks to John Williams for catching this for me!
2. CCleaner
3. Privacy Eraser

After you delete all of that stuff, you’re going to notice that Web sites which you used to go that recognized you don’t anymore. This is because the cookies have been deleted. Also, any of your saved passwords are gone, and that might make things a little less convenient. Don’t worry… you didn’t think I would leave you inconvenienced did you?

Now what you need in order to have a safe, secure and pleasant browsing experience is RoboForm. This is a little program which builds itself into Internet Explorer, Avant Browser or Firefox and which saves all of your login data to your favorite sites, but does so in an encrypted format so it can’t be snooped!

You can read more about RoboForm on my previous post about protecting your digital secrets. If you have an iPhone or Android device it will even sync all of your data to it so you can take it all with you everywhere you go. If you’d like to download it without having to navigate their web site here is the direct download link for Windows.

You should also review my article entitled How I’d Hack Your Weak Passwords.

Be safe.

None Found

The reason for this change is that associate professor Wang Xiaoyun of Beijing’s Tsinghua University and Shandong University of Technology, and her associates, have already cracked SHA-1. This marks the fifth straight encryption method that Xiaoyun’s team has broken (SHA-1, MD5, HAVAL-128, MD4, and RIPEMD).

What does this mean for the rest of us?

Well, MD5 and SHA-1 are the two most extensively used hash algorithms in the world. These two main algorithms currently underpin many digital signature and other security schemes in use throughout the international community.

They are widely used in banking, securities, and e-commerce. In fact, SHA-1 has been recognized as the cornerstone for modern Internet security.

For example, whenever you login to your online bank account, or make a purchase from Amazon.com they tell you not to worry because “This transaction is protected by Secure Socket Layer Encryption”; well, guess what… That’s an SHA-1 encrypted session.

And if your company has set you up with a laptop and a VPN connection back to the corporate LAN, guess what? Yep, that’s an IPsec connection powered by SHA-1.

According to Bruce Schneier, who warned that this was coming 2 years ago:

For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.

But there’s an old saying inside the NSA: “Attacks always get better; they never get worse.” Just as this week’s attack builds on other papers describing attacks against simplified versions of SHA-1, SHA-0, MD4, and MD5, other researchers will build on this result. The attack against SHA-1 will continue to improve, as others read about it and develop faster tricks, optimizations, etc. And Moore’s Law will continue to march forward, making even the existing attack faster and more affordable.

Jon Callas, PGP’s CTO, put it best: “It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.”

All of this demonstrates why I keep repeatedly commenting on the lack of defense in depth at our financial institutions.

If banks and investment firms would implement an additional layer of protection beyond the simple password or challenge Q&A and move to something such as Secure ID tokens, it wouldn’t matter nearly as much if a password was compromised because without the correct random code to go along with it a hacker would still be out of luck.

Here is a great little video to explain what I’m talking about.

None Found