In latest designed-to-scare-the-crap-out-of-you news, Microsoft has confirmed that it’s developed an innocuous-looking and addictively-named peripheral the size of a key fob that plugs into your computer, vacuums up a copy of everything on that computer, cracks all your passwords, decrypts all your encryption, and just generally does whatever it likes with whatever you’ve got until it’s done.

And it’s giving them away free.

That was the bad news. The good news is, they’re only giving them to the Good Guys.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence…it also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.
More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device…
Smith acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said.

Well, that should all make us feel better, no? After all, the police hardly ever lose anything important.

Recently, the focus is shifting to the security impact of social networking sites. Security professionals are becoming increasingly aware of potentially harmful information that is posted on Facebook, MySpace, Tweeter and even LinkedIn.  The fact is that criminals, terrorists and competitors are carefully watching all the social sites in order to take advantage of the information posted there.  Sometimes they go beyond passively collecting information into trying to solicit information from specific individuals. An interesting variance of “phishing” is often used on sites such as LinkedIn and Facebook where malicious users typically create a group, name it after the company they are interested in, invite few individuals whose profile shows that they work, then let the group grow and expand. The control over the group enables them to harvest valuable information about the company and use it to further their goals.

Here is the example of using social sites to obtain insight into competitor’s plans – the fashion industry executive is planning a trip to China, her kid posts on Facebook “Oh, my mom is going to China next week” (includes the city and province, which by the way is known for specializing in making designer hand bags ). As this company does not (yet) have a line of hand bags, competitors put two and two together and take steps to neutralize upcoming market expansion by the target company.

There are much more serious potential consequences of disclosing trip (or other personal) information about high profile corporate officers by their family members or coworkers, on social networking sites. Terrorist and criminals can use the information to develop kidnapping or assassination scenarios.

Because of the high profile of individual involved, probably the best example is the last year’s incident when the wife of John Sawers, at that time the future Chief of British Secret Intelligence Service (MI6), posted family details on her Facebook page without any privacy protection on her account. The posted information included family photos, location of their London apartment, usual whereabouts of their three children and Sir Sawers’ parents. The incident raised security concerns and Sir Sawers wife’s actions were described as serious error and potentially damaging not only to their personal security but to the sensitive post he was about to take, as publishing this kind of personal information left him open to criticism and blackmail.

The bottom line is – security professionals should always stay on alert and be ready to face new challenges even if they come out of apparently harmless places such as social networking sites.

You purchase a router of your choice, configure the basic options, then it comes time to configure your wireless security options.
Most routers/access points come pre-configured with WEP as the default option – and most users think that the 64-bit hexadecimal key must be more secure than setting your own WPA(2) passphrase that can be as short as 5 characters. Think again.

In one study, WEP was shown to be cracked in less than a minute due to various flaws in the authentication protocol.

The next option would be to use WPA which was brought to replace WEP and fix all the security issues that came with it. But this time, there were issues with the de-authentication protocol – the passphrase was sent plain text when clients disconnected from the access point!

Next time you configure a wireless access point, be sure it is configured to use WPA2 – which is as of today not crackable using conventional methods.