INSERT (the Inside Security Rescue Toolkit) aims to be a multi-functional, multi-purpose disaster recovery and network analysis system. It boots from a credit card-sized CD-ROM and is basically a stripped-down version of Knoppix. It features good hardware detection, fluxbox, emelfm, links-hacked, ssh, tcpdump, nmap, chntpwd, and much more. It provides full read-write support for NTFS partitions (using captive), and the ClamAV virus scanner (including a fairly recent signature database and a GUI). It also has a network boot facility.

• full read-write support for NTFS-partitions using captive and linux-ntfs
• support for various file system types:
• locally: EXT2, EXT3, EISERFS, REISER4, JFS, XFS, NTFS, FAT, MSDOS, MINIX, UDF, HFS, HFS+, HPFS, UFS, UNIONFS
• net based: NFS, SMBFS, CIFS, NCPFS, SSHFS, AFS
• support for linux software RAID and LVM2
• support for WLAN adapters
• network analysis (e.g. nmap, tcpdump)
• disaster recovery (e.g. gparted, gpart, partimage, testdisk, recover)
• virus scanning (Clam Antivirus with GUI avscan)
• computer forensics (e.g. chkrootkit, foremost, rootkit hunter)
• surf the internet (e.g. the web browser dillo [enhanced version], the graphical FTP client gFTP)
• network boot server to boot network boot enabled clients that cannot boot from the CD (insert-remote)
• installation on a USB memory stick (usb-install)
  based on Linux kernel 2.6.12.5 and Knoppix 4.0.2

Should we use password generators?

...Now, this may sound like there's almost no way for an average person to pick secure passwords and for a system administrator to enforce the use of strong passwords (or passphrases). Luckily, there's a tool I wrote to help the situation. It's pam_passwdqc, a password strength checking module for the PAM (Pluggable Authentication Modules) framework. pam_passwdqc works on Linux, FreeBSD 5+ (in fact, it's been integrated into FreeBSD), Solaris, HP-UX 11+, and reportedly on recent versions of IRIX. Additionally, Damien Miller has developed a plugin password strength checker for OpenBSD's /usr/bin/passwd that uses the password complexity checking code from pam_passwdqc.

What new features does the latest version 1.7 of John the Ripper include?

Solar Designer: The new "features" this time are primarily performance improvements possible due to the use of better algorithms (bringing more inherent parallelism of trying multiple candidate passwords down to processor instruction level), better optimized code, and new hardware capabilities (such as AltiVec available on PowerPC G4 and G5 processors).

Trifinite.group member Kevin has published a paper detailing the techniques he used in the development of the InqTana Bluetooth worm that targets vulnerable Mac OS X systems. There has been significant confusion surrounding this worm, so here are some salient points:

• The concurrent release of the OS X Leap.A and InqTana.A worms is coincidental
• There is no conspiracy, AV vendors and Apple were notified about Kevin's progress in developing this worm in advance of making details publicly available
• Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 and APPLE-SA-2005-06-08
• InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the worm could easily spread silently

Kevin's paper is available at http://www.digitalmunition.com/InqTanaThroughTheEyes.txt. Comments can be directed to the BlueTraq mailing list. Our sympathies to those organizations who were affected by the false-positive signatures published by overzealous AV companies.

• Listen to Dr. Ken Knapp cover highlights from the 2005 Auburn Study
• Pick up a copy of the 2006 Resource Guide, Global Edition
• Share feedback with (ISC)2 staff and board members
• Network with fellow members
• Win prizes

• Jane Scott Norris, MS, CISSP, CAP, CISM, CISO, U.S. Department of State
• James R. Wade, CISSP-ISSAP, ISSMP, CHSIII, Executive Director and COO, International Information Integrity Institute (I-4)
• Thomas E. Marshall, PhD, Associate Professor of MIS, Auburn University
• Betty Pierce, GSLC, ISSA International Ethics Committee Chair

A hacker Tuesday published code that exploits a vulnerability found in the latest version of the Mozilla's Firefox browser.

The code, which targets the Firefox 1.5 browser, was posted Tuesday on The Metasploit Project site by a hacker known as H D Moore. Metasploit is a widely used hacking tool.

Moore said that a hacker by the name of Georgi Guninski reported the flaw to the Mozilla Foundation on Dec. 6 of last year, and that he had simply implemented and posted the technique described by Guninski.

Mozilla published an advisory about the exploit last Wednesday as it released the Firefox 1.5.0.1 browser, which included a patch for the flaw. According to the advisory, the vulnerability, which had been rated as moderate, causes a corruption in the browser's memory that could be exploitable to run arbitrary code. Specifically, calling the "QueryInterface" method of the built-in Location and Navigator objects of the browser could allow a hacker to take over a Firefox 1.5 user's system by tricking the user into viewing a maliciously encoded Web page.

SpoofCard calling cards offers you the ability to change what someone sees on their caller ID display when they receive a phone call. Key Benefits: Make calls truly private, Ability to record calls, Change your voice, Fun and inexpensive, Easy to use and fast to set up!

SPOOFCARD FEATURES:

• Caller ID Spoofing
• Voice Changer
• Call Recording
• Web Control Panel

No computer needed! Simply dial the toll free number from the calling card you purchase.

1.Enter your pin number.
3. Enter Destination number.
2. Enter Any Caller ID Number you wish to display.
4. Choose the voice you would like to use.
5. Your call is connected using the specified Caller ID Number.

As an added bonus, we offer you the option to record your conversation for FREE which you can later retrive by logging-in to your control panel or calling our 800 number from anywhere.

Cain for PocketPC (ARM) v1.2 released. Download it here.

Requirements:

• PocketPC 2003 device with an ARM based microprocessor architecture (eg: ipaq6515, Qtek 2020, Qtek 9090 ....)
• Microsoft Windows CE or Windows Mobile operating system.
• 5 Mb of free memory

• Rainbowcrack-online client (works with any Internet connection available such as GPRS, ActiveSync .... )
• Dictionary Attacks for the following hash types: MD2, MD4, MD5, SHA1, RIPEMD160, CiscoPIX, MySQL v3.23, MySQL v3.23 + challange, MySQL SHA1, MySQL SHA1 + challange, LM, LM + challange, NTLM, NTLM + challange, NTLM Session Security.
• Hash Calculator
• Base64 Password Decoder
• Cisco Type-7 Password Decoder
• Cisco VPN Client Password Decoder
• VNC Password Decoder
• Microsoft Messenger Password Decoder
• Internet Explorer Password Decoder
• ActiveSync Password Decoder.

The training manual for Defense Department information assurance professionals that was finalized in December is now available online.

The manual, DOD 8570.01-M: Information Assurance Workforce Improvement Program, will be was posted today, according to Robert Lentz, director of information assurance for the Pentagon.

The manual sets the requirements for training and certification of approximately 80,000 IA professionals within the department, Lentz said. Defense contractors who provide IA services to the Pentagon also will be expected to provide staff who meet the requirements.

DOD CIO John Grimes said in a foreword to the manual that it “is effective immediately and mandatory for use by all the DOD components.” The basis for the manual is an August 2004 directive from deputy secretary Paul Wolfowitz that assigned responsibilities for IA training.

See original article at: http://www.gcn.com/vol1_no1/daily-updates/38125-1.html

Merriam-Webster defines a myth as a popular belief or tradition that has grown up around something or someone but is often unverifiable. When it comes to information security, there's a lot of popular wisdom available, but much of it is unfounded and won't necessarily improve your organization's security.

Why do such beliefs persist? The answer is that we don't challenge new and existing ideas enough. We must test and evaluate the validity of new security concepts, so the good ones can become standards. Only by cutting through the hype to separate reality from myth can IT professionals help take their enterprises to the next level. Here are 10 network security myths that bear further examination.

• MYTH #1: Organizations are more secure now than they were a year ago.
• MYTH #2: The presence or absence of regulations greatly matters when it comes to protecting both personal and customer data.
• MYTH #3: External consultants know more about information security than in-house personnel do.
• MYTH #4: Information security must be managed as a separate business unit to be effective.
• MYTH #5: Complex, frequently changed passwords will make my enterprise secure.
  
• MYTH #6: The padlock icon present during an SSL session means my data is safe.
• MYTH #7: Migrating from Internet Explorer to Firefox will make my enterprise secure.
  
• MYTH #8: Increased security spending results in greater security.
• MYTH #9: Wireless networks aren't secure.
• MYTH #10: Dumping Windows for Linux will make increase security.