July 13, 2006

Eavesdropping on VoIP Demo

There’s a nice little demo over at Gadget Trail on how to eavesdrop on a VoIP session. They use a Voyage account as an example. The basics:

  • Get on the same subnet as the victim.
  • Fire up Cain (the free Cain & Abel sniffer) and poison the ARP cache, so that both the victim’s phone adapter and the gateway send their packets through your machine.
  • Use Cain to record the call from the traffic now passing through you.

Nothing earth-shattering, but it helps demonstrate how easy it is using free Windows tools. The demo works because the audio travels across the LAN as unencrypted RTP: once the attacker is sitting between the phone and the gateway, recording the call is just reassembling packets.
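What the poisoning step leaves behind on the wire, as an added example that is not part of the Gadget Trail demo or of Cain itself: a sniffer on the subnet sees the attacker’s hardware address answering for both the gateway and the phone. The script below parses ARP replies in the shape `tcpdump -n arp` prints them (the sample lines and every address in them are constructed for this example) and flags an IP whose hardware address changes, and a hardware address that claims more than one IP.

```python
import re
from collections import defaultdict

# Constructed sample in the format "tcpdump -n arp" prints. Addresses are made
# up for this example. 192.168.1.1 is the gateway, 192.168.1.50 the VoIP
# adapter; from 10:00:09 an attacker at de:ad:be:ef:00:01 answers for both,
# which is what Cain's ARP poisoning does to get into the path of the call.
SAMPLE_TCPDUMP = """\
10:00:01.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
10:00:01.000200 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:01.000300 ARP, Reply 192.168.1.50 is-at aa:bb:cc:00:00:50, length 28
10:00:05.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:09.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:09.000100 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:01, length 28
10:00:11.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
"""

ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(text):
    """Yield (ip, mac) for every ARP reply line; requests and other noise are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_arp_anomalies(replies):
    """Return a de-duplicated list of alert tuples found in a stream of (ip, mac).

    ("mac_change", ip, old_mac, new_mac): an IP's hardware address differs from
        the first binding we saw for it (the classic arpwatch "changed" event).
    ("multi_ip", mac, ips): one hardware address answering for several IPs,
        which is how a man-in-the-middle claims both victim and gateway.
    """
    first_seen = {}                # ip -> mac of the first reply we saw
    ips_by_mac = defaultdict(set)  # mac -> every ip it has claimed
    alerts, reported = [], set()

    def alert(event):
        if event not in reported:
            reported.add(event)
            alerts.append(event)

    for ip, mac in replies:
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            alert(("mac_change", ip, first_seen[ip], mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alert(("multi_ip", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for event in find_arp_anomalies(parse_arp_replies(SAMPLE_TCPDUMP)):
        print(event)
```

Both heuristics need a baseline: DHCP handing an address to a new machine or a replaced NIC also changes a binding, and a router legitimately owns several IPs. The check only tells you the attacker is there. What makes the recording possible is that the RTP audio crosses the LAN in the clear, so the real fix is SRTP (or a VPN to the provider) and, on managed switches, dynamic ARP inspection so forged replies never reach the phone.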

Hacking Voyage: How To Eavesdrop On Calls [Gadget Trail]

Read More: Threats, VoIP, Privacy

July 6, 2006

Big ISPs to Treat Child Porn Like Viruses

ISPs AOL, Yahoo, Microsoft, EarthLink, NetZero and Juno are joining forces to develop technology to scan for child porn on their networks.

Plans call for the missing children’s center to collect known child-porn images and create a unique mathematical signature for each one based on a common formula. Each participating company would scan its users’ images for matches.

Sounds like they will store hashes of known child porn images and look for matching hashes. An exact cryptographic digest only matches a byte-identical file, so to be of any use the signature has to tolerate the re-encoding, resizing and re-compression an image goes through as it is passed around.
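The press release says only that each image gets “a unique mathematical signature … based on a common formula”. Which kind of signature matters, and the example below (added here; it is not the ISPs’ scheme, whose formula the page does not give) shows why on a constructed 8x8 grayscale image: a SHA-256 digest matches only a byte-identical file, while a simple perceptual hash (the “average hash”, used here as a stand-in for whatever formula the centre chose) survives a re-save that nudges pixel values.

```python
import hashlib

# Constructed 8x8 grayscale "image": left half dark (30), right half bright (220).
ORIGINAL = [30 if (i % 8) < 4 else 220 for i in range(64)]
# The same picture after a lossy re-save: every value nudged up by 3 and one
# pixel in the dark half smudged. The bytes differ; the picture does not.
RESAVED = [min(255, p + 3) for p in ORIGINAL]
RESAVED[0] = 140
# An unrelated image (the negative), which must not match.
NEGATIVE = [255 - p for p in ORIGINAL]


def sha256_hex(pixels):
    """Exact digest of the pixel bytes: changes if a single byte changes."""
    return hashlib.sha256(bytes(pixels)).hexdigest()


def average_hash(pixels):
    """64-bit 'average hash' of an 8x8 grayscale image given as 64 ints 0..255.

    Each bit is 1 where the pixel is brighter than the image mean, so small
    brightness shifts and re-encoding noise flip few or no bits.
    """
    if len(pixels) != 64:
        raise ValueError("expected an 8x8 image as 64 pixel values")
    mean = sum(pixels) / 64
    bits = 0
    for p in pixels:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def exact_match(pixels, known_digests):
    """Signature lookup the way a virus scanner matches a file hash."""
    return sha256_hex(pixels) in known_digests


def perceptual_match(pixels, known_hashes, max_distance=5):
    """Match if the image is within max_distance bits of any known hash."""
    h = average_hash(pixels)
    return any(hamming(h, k) <= max_distance for k in known_hashes)


if __name__ == "__main__":
    digests = {sha256_hex(ORIGINAL)}
    phashes = {average_hash(ORIGINAL)}
    for name, img in (("original", ORIGINAL), ("resaved", RESAVED), ("negative", NEGATIVE)):
        print(f"{name:9s} exact={exact_match(img, digests)} "
              f"perceptual={perceptual_match(img, phashes)} "
              f"distance={hamming(average_hash(img), average_hash(ORIGINAL))}")
```

Two practical points follow from this. Any hash list, exact or perceptual, only finds images already in the list and says nothing about new material. And the looser the distance threshold, the more innocent images collide with a listed one, so the threshold has to be tuned against a large clean set before anyone’s account is flagged on the strength of a match.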

The interesting thing is that they compare it to scanning for viruses, which they already do today. Virus scanning is meant to protect themselves and their customers; there’s a clear business case for that, and relatively few privacy concerns.

Privacy advocates might be alarmed by this, but there’s no need to be. Each of them seems to have had its own ad hoc way of doing this in the past; now they are just pooling their best practices to increase their effectiveness, thus protecting society at large. Bravo!

ISPs Take Aim at Child Porn [Wired]

Press Release [National Center for Missing & Exploited Children]

Read More: Privacy

May 16, 2006

Banks Still Don’t Get It

Winn Schwartau at Network World does a good job of pointing out the myriad authentication flaws present at your average bank.

My wife overheard the conversation and raised hell with me about how easy it was to gain access to our intertwined online accounts with no decent security check. AmSouth’s proof-positive security check was, in fact, public information.

Then it only got worse. AmSouth called me at home…

When are banks going to get that the reason we give them our money is that we trust them? A “security check” whose answer is public record or printed on every cheque identifies the caller; it does not authenticate anyone. The lack of decent authentication goes a long way to undermine that trust. A new report from emarketer.com says:

The key factor in customer attitudes is the perception of Web site security. Being able to trust a banking site is extremely important to customers, with more than 87% saying in an Ipsos Insight survey that they wanted assurance that the bank would not sell their personal information and 83% wanted assurance that such data was protected from hackers.

The banks need to get security right or they will be losing customers quickly. This is a great chance for them to sell security as a competitive differentiator.

Big bank goes phishing [NetworkWorld]

Are On-Line Banking Sites Secure Enough [SecurityProNews]

Read More: Authentication, Identity Theft, Privacy


May 11, 2006

Fear-Mongering and Spyware

A new report [pdf] from Webroot declares that a staggering 87% of PCs are infected with Spyware. This is just headline-grabbing fear-mongering at its worst.

It turns out that Webroot was counting “tracking cookies” as Spyware. We’re all familiar with this: every time you run one of the popular Anti-Spyware products, it alerts you with dire warnings about all the cookies on your machine.

Let’s set the record straight. Cookies may be a minor privacy risk, but they are not a significant security risk: a cookie is a text value the browser sends back to the site that set it, it cannot run code, and the worst a tracking cookie does is let an ad network correlate your visits across sites. Who decided cookies were Spyware anyway?

My prediction is that in two years the Anti-Spyware market will be dominated by the Anti-Virus vendors. The technology is basically the same. If the small players like Webroot want to compete, they need to quit spouting falsehoods like this one and start adding real value by making a better product.

Your Spycar Ran Over My Dogma [SecurityFix]

Read More: Threats, D' Oh!, Spyware, Privacy

May 5, 2006

Is That a RFID in Your Pocket or…

Levi’s is among the ever-increasing number of retailers using RFID to track inventory:

Levi Strauss & Co., one of the nation’s largest clothing manufacturers, confirmed April 28 its testing of RFID “hang tags” on clothing shipped to two retail outlets in Mexico and one in the United States

To their credit, they are making them removable, and posting notices about them to ease privacy concerns. Wired has an article in this month’s issue on RFID Hackers:

They then showed how easily they could upload one chip’s data onto another. “I could download the price of a cheap wine into RFDump,” Grunwald says, “then cut and paste it onto the tag of an expensive bottle.”

I’d take a pair of Levi’s for the price of some Two Buck Chuck anytime. The hole is the same in both cases: a tag that any reader can rewrite, and a back end that trusts whatever the tag says instead of looking the price up by the tag’s serial number.

Levi’s New Style: RFID [eWeek]

The RFID Hacking Underground [Wired]

Read More: D' Oh!, Privacy, Wireless

May 4, 2006

Identity Theft via Frequent Flyer Numbers?

The British paper The Guardian exposes a hole in British Airways’ website. Given someone’s name and frequent flyer number, you could pull everything needed to steal their identity:

We logged on to the BA website, bought a ticket in Borer’s name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

The airline responded and closed the hole. According to the article, somehow this whole issue is the fault of CAPPS II, the now-defunct TSA program for screening airline passengers for terrorists. While I’m not excited about any program that invades my privacy and marks my friend’s 2-year-old as a terrorist, the airline is at fault here, not the TSA: it treated a number printed on every boarding pass as if it were a password.

However, there are two lessons here:

  1. Be careful how you handle any piece of information that is a unique identifier for you. You never know what other information it might be tied to.
  2. When engineering or auditing a system, approach it in a threat-based way. Ask yourself, “If I only knew X piece of information, how much could I learn?” Better you find out the nasty truth than a national newspaper.

Q. What could a boarding pass tell an identity fraudster about you? A. Way too much [The Guardian] (via Lifehacker)

Read More: Threats, Web, Authentication, Identity Theft, Privacy