12/28/2009

Software fraudster ‘fooled CIA’ into terror alert

Filed under: — Aviran Mordo

A con man fooled US spooks into grounding international flights by selling them “technology” to decode al-Qaeda messages hidden in TV broadcasts, it’s claimed.

A long and highly entertaining Playboy article explains that in 2003, 50-year-old Dennis Montgomery was chief technology officer at Reno, Nevada-based eTreppid Technologies. The firm began as a video compression developer, but Montgomery took it in new and bizarre directions.

He reportedly convinced the CIA that he had software that could detect and decrypt “barcodes” in broadcasts by Al Jazeera, the Qatari news station.

The Company was apparently impressed enough to set up its own secure room at the firm to do what Montgomery called “noise filtering”. He somehow produced “reams of data” consisting of geographic coordinates and flight numbers.

In December 2003, it’s claimed CIA director George Tenet was sufficiently sold on Montgomery’s data to ground transatlantic flights, deploy heavily armed police on the streets of Manhattan and evacuate 5,000 people from the Metropolitan Museum of Art.

Homeland Security secretary Tom Ridge told the press the terror alert was the result of “credible sources about near-term attacks that could either rival or exceed what we experienced on September 11”.

In fact, according to evidence from his former lawyer, Montgomery, the “credible source”, was a “habitual liar engaged in fraud”.

Inmate gets 18 months for thin client prison hack

Filed under: — Aviran Mordo

A former prison inmate has been ordered to serve 18 months for hacking the facility’s computer network, stealing personal details of more than 1,100 of its employees and making them available to other inmates.

Francis G. Janosko, 44, received the sentence earlier this week in federal court in Boston after pleading guilty to the hacking offenses in September.

In 2006, Janosko hacked a thin client that was connected to a prison server to access the employee database for the Plymouth County Correctional Facility in Massachusetts, prosecutors alleged. After obtaining the names, addresses, dates of birth, social security numbers and telephone numbers of the employees, he made them accessible to other inmates.

Although the machine was configured only to run a legal research program, the prisoner managed to use it to get free rein over a variety of unauthorized services. In addition to the employee database, Janosko was also able to access the internet to download videos and photographs of prison employees, inmates and aerial shots of the prison, according to court papers. The hacking took place between October 2006 and February 2007.

Microsoft IIS vuln leaves users open to remote attack

Filed under: — Aviran Mordo

A researcher has identified a vulnerability in Microsoft’s Internet Information Services that can let attackers run code of their choosing on machines running the popular web server, provided the site lets them upload files.

The bug stems from the way IIS parses file names that contain colons or semicolons, according to researcher Soroush Dalili. Many web applications reject uploads whose names mark them as executable, such as Active Server Pages files ending in “.asp”, but they typically check only the trailing extension. Because IIS stops parsing the name at the semicolon, a file whose name ends in “.asp;.jpg” passes a filter that sees only “.jpg” yet is handed to the ASP script engine when it is later requested. The same trick works with other benign-looking extensions appended after the separator.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it “highly critical,” vulnerability tracker Secunia classified it as “less critical,” only the second notch on its five-tier severity scale. The practical impact depends entirely on whether an application exposes an upload feature and on how it validates file names.

370 Passwords You Shouldn’t (And Can’t) Use On Twitter

Filed under: — Aviran Mordo

As you may know, Twitter prevents people from picking obvious passwords at sign-up by telling them that choices such as ‘password’ (cough cough) and ‘123456’ are too easy to guess.

It just so happens that Twitter has hard-coded all banned passwords on the sign-up page. All you need to do to retrieve the full list of unwelcome passwords is take a look at the source code of that page.

Do a simple search for ‘twttr.BANNED_PASSWORDS’ and voilà, there they are, all 370 of them.

This isn’t a security issue in itself, of course; a banned-password list is only useful if everyone can see it, and distributing it lets you check whether a favourite password you use on other services is as strong as you’d like to think. The one caveat is that a check which lives only in the sign-up page’s JavaScript is a convenience for users, not an enforcement point: the same list has to be applied on the server, where an attacker who skips the page cannot bypass it. The full list was published as a TXT file alongside the original post; here are a few entries:

- password
- testing
- naked
- stupid
- twitter
- 123456
- secret
- please
- beavis
- butthead
- internet
- hooters
