This time for good!

Yep it’s true.

As you probably already know, in previous versions of Windows a full format did not wipe the disk in any way: all it did was a quick format (resetting the MFT) plus a bad-sector check and correction pass(1).

So from Vista onwards to Windows 7 a full format also zeroes the entire disk, thus making the full format process a lot more secure than before.

I found out the hard way while playing with some recovery tools. 🙂

Random garbage would have been better, but not that needed really, since I don’t believe in recovering, after a zero-only wipe, strings of more than 5 bytes from 10(0) or so megs, even if doing that magic magnetic polarization thing experts were boasting about a couple of years ago. From my experience a zero wipe is more than enough, and why bother with dozens of passes of all kinds of garbage that last for ages, when people don’t even zero wipe.

So if you ask me, this is nothing but good news from Microsoft. ^^
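To check what a recovery tool could still find after a format, here is an added example (not from the original post) that audits a disk image for non-zero residue and pulls out printable strings longer than 5 bytes, the post's own threshold. The two sample images are constructed in memory: quick_format_image stands in for a quick format (MFT region zeroed, file data left behind) and full_format_image for a Vista/7-style full format.

```python
import io
import re

CHUNK = 1 << 20                     # 1 MiB reads keep memory flat on big images
MIN_STRING = 6                      # the post's threshold: strings of more than 5 bytes
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING)
NONZERO = re.compile(rb"[^\x00]+")

def audit(fh, chunk_size=CHUNK):
    """Scan a binary file object (image or block device opened 'rb').

    Reports bytes read, non-zero byte count, (offset, length) of every
    non-zero run and printable strings found in those runs. A run that
    straddles a chunk boundary is reported as two runs; counts stay exact."""
    r = {"size": 0, "nonzero_bytes": 0, "runs": [], "strings": []}
    zero = bytes(chunk_size)        # bytes(n) is n NUL bytes
    while chunk := fh.read(chunk_size):
        if chunk != zero[:len(chunk)]:          # fast path skips all-zero chunks
            for m in NONZERO.finditer(chunk):
                r["runs"].append((r["size"] + m.start(), len(m.group())))
                r["nonzero_bytes"] += len(m.group())
                r["strings"] += [s.decode() for s in PRINTABLE.findall(m.group())]
        r["size"] += len(chunk)
    r["clean"] = r["nonzero_bytes"] == 0
    return r

def audit_bytes(data, chunk_size=CHUNK):
    """Convenience wrapper for in-memory images."""
    return audit(io.BytesIO(data), chunk_size)

def quick_format_image():
    """Constructed 64 KiB image after a quick format: the first 4 KiB (a
    stand-in for the MFT) are zeroed, but old file content is still there."""
    img = bytearray(64 * 1024)
    payload = b"CONFIDENTIAL: payroll.xls"     # constructed leftover data
    img[8192:8192 + len(payload)] = payload
    img[40000:40002] = b"\x01\x02"             # residue too short/unprintable for strings
    return bytes(img)

def full_format_image():
    """Same image after a Vista/7-style full format: every byte zero."""
    return bytes(64 * 1024)

if __name__ == "__main__":
    for name, img in (("quick", quick_format_image()), ("full", full_format_image())):
        r = audit_bytes(img)
        print(f"{name} format: clean={r['clean']} nonzero={r['nonzero_bytes']} "
              f"runs={r['runs']} strings={r['strings']}")
```

On a real device, open it read-only and pass the handle to audit(); a clean result means no byte survived for a string-carving tool to find.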


Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas

Twenty years, at least for now, because there is a second trial still to come in which he could get up to 25 years. The court has agreed to let him serve the sentences concurrently, though, which means that if he gets more than 20 years in the second case he will serve that one; if not, he will serve the first one, so to speak.

Read more here.


skipfish

A fully automated, active web application security reconnaissance tool. Key features:

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The post announcing the tool:

https://googleonlinesecurity.blogspot.com/2010/03/meet-skipfish-our-automated-web.html

The project page at Google Code:

https://code.google.com/p/skipfish/

Skipfish documentation:

https://code.google.com/p/skipfish/wiki/SkipfishDoc

The tool is written by lcamtuf, who joined Google a few years ago. 🙂


Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

read more…


Yep they do.

The base reward is $500, but if one’s find is rated as critical/severe/clever the reward is raised to $1337. 🙂

They are not the only ones, nor is the pay rate that awesome, but still, more software companies offering such rewards for vulnerabilities is nothing but good news, since slowly this might turn into an industry standard.


Lawyers…

  • Lawyer: “Doctor, before you performed the autopsy, did you check for a pulse?”
  • Witness: “No.”
  • Lawyer: “Did you check for blood pressure?”
  • Witness: “No.”
  • Lawyer: “Did you check for breathing?”
  • Witness: “No.”
  • Lawyer: “So, then it is possible that the patient was alive when you began the autopsy?”
  • Witness: “No.”
  • Lawyer: “How can you be so sure, Doctor?”
  • Witness: “Because his brain was sitting on my desk in a jar.”
  • Lawyer: “But could the patient have still been alive nevertheless?”
  • Witness: “Yes, it is possible that he could have been alive and practicing law somewhere.”

SHODAN – the computer search engine

SHODAN is a computer search engine in the sense that it lets you search for computers/servers/routers by strings in the default banners returned on the following currently supported ports:

  • HTTP 80
  • SSH 22
  • FTP 21
  • TELNET 23

A couple of basic filters have been implemented:

  • “port:” – narrow search by port
  • “country:” – narrow searches by country
  • “hostname:” – match specific strings in hostnames
  • “net:” – narrow searches to specific IPs or subnets
  • “os:” – narrow searches to specific operating systems

Put in basic words it is an immense database of ready scanned hosts for you to … oh well, you know what to do. 😉

The annoying thing is that you have to log in to view more than one page of results or to use the net: filter, but I am sure that achillean had strong enough reasons to do that. Nonetheless, SHODAN is a great new type of search engine.

A couple of example searches:

Of course you can expand on those and create more specific searches; that’s where the power of SHODAN lies: actually knowing what you are searching for and being specific about it.

Here is a brief intro from Shmoocon on what you can or cannot do with SHODAN: