Security: Connect the Dots–Ongoing

This article will be an ongoing list of interesting articles in the security arena, none earth-shattering (which will have separate articles), but each one a dot that might connect to other data. Please add other news in the comments or write editor at dciematools.com 

15 August–Welcome to the future: cloud-based WPA cracking is here

Cloud computing is the latest effort to put data off site, to let professionals handle the IT details, or to put large amounts of data close to the user, while allowing the users to concentrate on their application. Dolby, for example, uses the well-regarded Salesforce solution (as do many large corporations) to monitor equipment and solutions in the field. Thus it is news, and it really points to the need for using excellent passwords.

In 2008, I speculated about the future of distributed security cracking. That future has arrived, in the form of a $17 “cloud” based service provided through the efforts of a security researcher known as Moxie Marlinspike. It is effective against pre-shared key deployments of both WPA and WPA2 wireless networks.

The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. …Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.

If you opt to use the service, you will of course leave a money trail via Amazon Payments — which is probably a bad idea if you are attempting to gain unauthorized access to a secured network illegally. For the good guys testing the security of a client’s network, however, this is an incredibly handy tool to have at one’s disposal.

It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.
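To show why the dictionary attack in the excerpt works and what the defender can do about it, here is an added example (not code from the original post, from the WPA Cracker service, or from this site). It derives the pairwise master key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds), scores a passphrase against a wordlist, and generates a random 63-character PSK. The five-entry wordlist and the 80-bit acceptance floor are constructed assumptions for this example; the "password"/"IEEE" pair is the standard's published test vector.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for the service's 135-million-word list; a real audit
# would stream a full wordlist from disk. Assumption for this example only.
COMMON_PASSPHRASES = {"password", "12345678", "letmein1", "iloveyou", "qwertyuiop"}

# Printable ASCII that WPA accepts in a passphrase (8 to 63 characters).
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key exactly as IEEE 802.11i defines it for WPA/WPA2-PSK:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID salt forces precomputed tables to be built per network name; the
    fixed 4096 rounds are cheap enough that a dictionary attack stays practical,
    so the passphrase's entropy is the only real defence."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough entropy estimate for a PSK. Anything on the wordlist scores zero:
    a dictionary attack finds it in one pass whatever its length."""
    if passphrase.lower() in COMMON_PASSPHRASES:
        return 0.0
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def generate_psk(length: int = 63) -> str:
    """Random PSK of the maximum WPA length, drawn with the secrets module."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def audit_psk(passphrase: str, ssid: str, min_bits: float = 80.0) -> dict:
    """Report the derived PMK, the entropy estimate and a pass/fail against an
    assumed 80-bit floor (an example policy, not a standard's requirement)."""
    bits = passphrase_entropy_bits(passphrase)
    return {"pmk": wpa_pmk(passphrase, ssid).hex(),
            "entropy_bits": round(bits, 1),
            "acceptable": bits >= min_bits}


if __name__ == "__main__":
    print(audit_psk("password", "IEEE"))      # weak: on the wordlist
    strong = generate_psk()
    print(strong, audit_psk(strong, "IEEE"))
```

The point of deriving the PMK in the audit is to make the cost model visible: every guess the service makes costs exactly these 4096 HMAC rounds, and nothing in the protocol raises that cost, so the only lever the network owner holds is the size of the space a guesser has to search.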

Please report any security news which you think that community could benefit from in the comments.

SoundToys Donates to Gulf

On Thursday, July 15th, 2010, SoundToys will donate 100% of its online profits to the Gulf Restoration Network. The Gulf Restoration Network is a non-profit organization working to provide assistance to the people, wildlife, and wetlands affected by the BP oil spill. We are pleased to offer this contribution to the Gulf Restoration Network at such a critical time.

The idea to help this cause came to life when the Gulf Restoration Network recently partnered with music venues across the country to put on The Gulf Coast Benefit, a series of concerts held on July 1st that featured simultaneous shows at multiple venues from coast-to-coast. Over twenty-five venues held charity concerts, from The Roxy in Hollywood all the way to The Press Room in Portsmouth, NH. The benefit was a great success, demonstrated by the droves of music fans that attended to show their support for the Gulf. All of the money raised by ticket sales and online fundraising platforms will be donated to the fishermen and their families who have been directly affected by the spill, as well as to the restoration of wildlife and wetlands.

“In recognition of such an important cause, we will be donating 100% of our online sales from July 15th to the Gulf Coast Restoration. SoundToys would like to support those affected by this spill through any means possible. If you’ve had your eye on any of our products, July 15th is the day to buy,” said Ken Bogdanowicz, CEO of SoundToys.
For more information, please visit http://www.healthygulf.org/.

The Threat of Cyberwar Has Been Grossly Exaggerated

Threat of ‘cyberwar’ has been hugely hyped
By Bruce Schneier, Special to CNN 
July 7, 2010 — Updated 1206 GMT (2006 HKT)

(CNN) — There’s a power struggle going on in the U.S. government right now.

It’s about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.

“The United States is fighting a cyberwar today, and we are losing,”said former NSA director — and current cyberwar contractor — Mike McConnell. “Cyber 9/11 has happened over the last ten years, but it happened slowly so we don’t see it,” said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.

General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn’t just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.

At Schneier’s site—Schneier On Security, he makes a list of those exaggerations and hyperbole, and the comments are worth your morning coffee time.

Diversity of Thought; Successful Employee Training

  • Anchor diversity training to the company’s philosophy. At Accenture, that means embedding diversity into all formal instruction, collaborative efforts and on-the-job training. “Rather than have [diversity training] separate and distinct, have it very well integrated into the company,” she says.

  • Be intentional and structured. At the global-management consultancy, all associates are told, “‘We expect you to be skilled and have experiences in certain types of capabilities—and inclusion and diversity is one of those,'” says deJongh. The firm’s diversity expectations increase along with promotions, so senior-level executives are most adept at leading and leveraging the strengths of its diverse teams.
  • Ensure that the curriculum is inclusive in scope. Beyond training for race/ethnicity, gender, sexual orientation and abilities, the curriculum should include diversity of thought and ideas, advises deJongh.
  • Make it real. This is how to keep employees engaged in diversity training so it doesn’t become a check-in-the-box task or, worse, perceived as punitive. To avoid the downsides, don’t brand it as “diversity training,” suggests deJongh, and allow leaders to train other leaders. Themed “instructor-led training is very compelling,” she says, adding that Accenture’s theme this year has been resiliency. “We see resiliency as an attribute that is critical to our women’s ongoing advancement, especially into leadership roles.”
  • Set clear learning objectives. Collaborating with the firm’s career-development teams, deJongh has distilled its associate training goals to awareness/education, management and development. “And they take on increasing levels of sophistication,” she explains. “[Accenture’s objectives] map to where people are in their careers and the expectations that we have of them.” Doing so also helps the firm identify high potentials.
  • Measure what matters. How do you know your diversity training is making a difference? To answer this question, deJongh has begun to use the firm’s annual performance evaluations to track correlations between its diversity training and career-development opportunities. This will help the firm answer such key questions as: Have we increased the number of promotions? Have we closed the gap in attrition? Have we closed the performance gap?
    Scotopic Issues with 3D, and Silver Screens

    Here’s an interesting tid-bit to throw into the mix.

    [Chart: mesopic to photopic, in candela]

    To use rough numbers, according to this clever Luminance Conversion chart, 3 ftL (foot-lamberts) is 10 cd/m2 (candela per square meter). On the log chart to the left, that is somewhat below the arbitrary line between photopic and mesopic, the line where the eyes shift from a high degree of cone activity to predominantly rod vision. As the website which details this data points out (Visual Expert–Night Vision), among other things, this approach to dark brings a shift that diminishes sensitivity to long wavelength colors (red).

    One thing we are pretty certain of, from recent discussions, is that:

    • some cinemas are pushing to get to 3 ftL behind the glasses, that
    • few would know how to measure that, and that
    • few would even dare to measure in the seats outside of the sweet spot of a silver screen.

    To quote further from the Night Vision site:

    “As illumination declines, the visual system starts conserving light in three ways. First, inhibitory responses weaken, and eventually stop. Second, inhibition is replaced by convergence, where the receptor outputs sum together to increase sensitivity but further reduce resolution. Third, there is more available photopigment as light declines. When light strikes a molecule in a photoreceptor, it “bleaches” the molecule, causing electrical activation that leads to a visual sensation. While in the bleached state, it is unresponsive to light. The more photopigment in a bleached state, the less available to respond to light and the lower the sensitivity. In dim light, very little of the photopigment is bleached, so the eye has greater light sensitivity. All of this occurs before and continues after the switch from cones to rods.

    “One effect of switching to rods, however, is the “Purkinje shift.” During photopic cones vision, viewers are most sensitive to light that appears greenish-yellow. In scotopic vision, they are most sensitive to light which would appear greenish-blue during the day.”

    End of Part 1; Scotopic Issues with 3D, and Silver Screens

    Part 2: 23 degrees…half the light. 3D What?

    Part 3:

    Other Industries and Accessibility

    We now have automatic doors that stay open long enough for a wheelchair to roll through and do a turn-around. Our reception desks are low enough for someone who is of small stature or in a wheelchair to comfortably make eye contact with the receptionist.

    What a great goal, to be on the Top 10 Companies for People With Disabilities list. 

    Read the entire AbledBody.com article at:
    A Disability Evangelist For The Workplace 

    Some points from the 2009 Top 10 Companies for People With Disabilities article:

  • The Top 10 Companies for People With Disabilities have at least two percentage points’ higher average retention rates across all races/ethnicities/gender than the Top 50.
  • All these Top 10 have active programs to recruit for people with disabilities, compared with 78 percent of the Top 50 and 48 percent of the bottom quarter of entrants. There were 256 participants in this year’s ranking.
  • All these Top 10 also have active programs to recruit for GLBT employees, compared with 60 percent of the Top 50 and 21 percent of the bottom quarter of entrants.
  • All these Top 10 have employee-resource groups, compared with 94 percent of the Top 50 and 80 percent of the bottom quarter of respondents.  At all these companies, the company funds the groups and allows them to meet during the workday, a senior executive is a member of each group, and the groups are used to augment recruiting and marketing efforts to diverse communities. This is a significantly higher percentage for each of those questions than the Top 50 and the bottom quarter of respondents.
  • Diversity training is mandatory for the entire work force at each of this Top 10, compared with 60 percent of the Top 50 and 41.7 percent of the bottom quarter of respondents.
  • CEO commitment to diversity is clear at these companies. In all, heads of diversity are direct reports or one direct report removed from CEO, compared with 92 percent of Top 50 and 80 percent of bottom quarter of respondents.
  • The corporate-vision statement incorporates diversity at all these Top 10 compared with 90 percent of the Top 50 and 81.6 percent of the bottom quarter of respondents.

    Released en francais: DCinema Technical Best Practices [Updated]

    Now in English, translated from the French by the EDCF – European Digital Cinema Forum. This excellent guide from the Federation National Cinemas Francais (FNCF) and the Commission Superieure Technique de l’Image et du Son (CST): TECHNICAL GUIDE FOR THE PROJECTION BOOTH IN DIGITAL CINEMA – Click the attachment link below.

    End Update

    La luminance de toutes les images, dans tous les formats de projection, doit être calibrée à 48 cd/m2. Le projecteur doit permettre la création de cette luminance.

    The Federation of Cinemas and the Commission of Best Practices (La fédération des cinémas et la commission supérieure technique) has released a comprehensive document called The Technical Guide for the Digital Cinema Projection Booth (le Guide technique de la cabine cinéma numérique). The quote above, as an example, says that:

    “The luminance of all images, in all the formats of projection, must be calibrated at 48 candelas per square meter. The projector must permit the creation of that luminance.”

    And which professional digital cinema projector doesn’t create that level of light? One that is projecting a 3D movie would fit into that category. Please ask your local cinema manager if they are showing the latest movie at the required 14 foot-Lamberts (the 48 candela/m2 equivalent that the US and England use) like they are supposed to.

    If you are signed in, you can download the PDF version of le Guide technique de la cabine cinéma numérique here.

    Your Own Penetration Test

    Typical defenses against these threats include:

    • A firewall to separate the corporate network from the Internet

    • An intrusion prevention/detection system (IPS/IDS) to detect when typical hacker activities, such as port scans, occur and to take steps to prevent them from successfully penetrating the network

    • Malware scanners to prevent malicious software getting on to the network hidden in e-mail, instant messaging or Web traffic

    • The use of passwords to prevent unauthorized access to networks, computers, or data stored on them.

    Every organization should have these defenses in place, but this leaves a very important question to be answered: How effective are these measures?

    It’s a deceptively simple question, but it’s essential that you know the answer to it. That’s because if you don’t it may turn out that:

    • Holes in your firewall leave your network vulnerable

    • Your IPS/IDS is not configured correctly and will not protect your network effectively

    • The passwords used to protect your resources are not sufficiently strong to provide the protection you require

    • Your IT infrastructure has other vulnerabilities you are not aware of, such as an unauthorized and insecure wireless access point, set up by an employee.
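To make “how effective are these measures?” concrete for the IPS/IDS bullet, here is an added example (not from the original article or the attached guide) of the kind of detection logic an IDS applies to port scans, run over constructed firewall log lines in a simplified iptables-style format: any source that touches at least ten distinct ports on one host inside a 60-second window is flagged, while a client hammering the same two ports and a slow prober spread over an hour are not. The log format, addresses, window and threshold are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified iptables-style line: "<ISO timestamp> <ACTION> SRC=... DST=... PROTO=... DPT=..."
# (an assumed format for this example, not a real sensor's output)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_port_scans(log_text: str, window: timedelta = timedelta(seconds=60),
                      threshold: int = 10) -> list:
    """Alert once per (src, dst) pair that hits >= threshold distinct destination
    ports within any sliding window of the given length. Breadth across ports is
    the signature; repeated hits on the same port do not count twice."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()   # port -> hits currently inside the window
        start = 0
        for ts, port in evs:
            in_window[port] += 1
            while ts - evs[start][0] > window:   # slide the window's left edge
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.append({"src": src, "dst": dst,
                               "distinct_ports": len(in_window),
                               "first": evs[start][0].isoformat(),
                               "last": ts.isoformat()})
                break   # one alert per pair is enough
    return alerts


def constructed_log() -> str:
    """Constructed sample traffic (not real logs): one fast scanner, one
    legitimate client on two ports, and one slow prober that should stay
    below the threshold because its hits never share a 60-second window."""
    base = datetime(2010, 8, 15, 10, 0, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} DROP "
                     f"SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={port}")
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} ACCEPT "
                     f"SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT={443 if i % 2 else 80}")
    for i, port in enumerate(range(8000, 8012)):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} DROP "
                     f"SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={port}")
    lines.append("this line is not a firewall record and is ignored")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_port_scans(constructed_log()):
        print(alert)
```

The slow prober is the case worth noticing: it is exactly the traffic a mis-configured or naively thresholded IDS misses, which is why checking effectiveness means feeding the sensor both fast and slow probes and confirming which ones it reports.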

    Since the professionals at your cinema are responsible for entertainment materials which are more valuable than the contents of your local bank, this is valuable information for them.

    This set of instructions includes where to download the free, open-source files, and how to install them.

    These are the chapter headings. We’ll go through these one at a time at a later date.

    1. Carrying Out Your Own Penetration Tests
    2. Network Discovery: Scanning with Nmap
    3. Sniffing Your Network with Wireshark
    4. Checking Password Security with Hydra
    5. Spotting Weak Passwords Using Offline Attacks
    6. Checking Wireless Security with aircrack-ng

    The attached file can be downloaded by those who are registered and signed in.

    Dager’s Reinventing Cinema: DCinema’s First Decade

    To be sure there were serious efforts prior to 1999. JVC with their D-ILA technology can make a legitimate claim for the first digital cinema demonstration. On March 19, 1998, they collaborated on a digital presentation at a cinema in London. Another early effort was the movie The Last Broadcast, which may have made cinematic history on October 23, 1998 when it became the first feature to be theatrically released digitally, via satellite download, to theatres across the United States. Wavelength Releasing, Texas Instruments, Digital Projection and Loral Space headed that effort. In 1999, it was repeated across Europe using QuVIS technology and The Last Broadcast became the first feature to be screened digitally at the Cannes Film Festival. In 2000, Disney, Texas Instruments and Technicolor worked with several U.S. and international exhibitors to deploy prototype digital cinema systems in commercial theatres. Technicolor assembled and installed the systems using the TI mark V prototype projector, a special Christie lamp house and QuVIS’s QuBit server with custom designed automation interfaces.

    But the Phantom Menace digital screenings generated widespread visibility and publicity and developments began to occur on a more regular basis. The Society of Motion Picture and Television Engineers began work on standards for digital cinema in 2001. The Digital Cinema Initiatives formed in March 2002 as a joint effort by Disney, Fox, MGM, Paramount, Sony, Universal and Warner Bros. The serious technical groundwork was being laid. The rest, as the cliché goes, is history.

    The challenge? To literally rethink, retool and reinvent, from the ground up, a global industry that had worked successfully for a century. Read that sentence again to get a sense of how overwhelming – and some would, and did, say unnecessary – that task would be and you may gain a greater appreciation for how much was actually accomplished in a decade.

    Home 3DTV Realities

    This article began as a reply to a post on CNET. It has turned into an article that will be added to for more technical content and links.

    Minimalist, you’ve exposed many of the problems of 3DTV, but there are many more. There are also a lot of engineers out there solving them, including new standards. Most of the standards, though, are dealing with compression and transmission, so expect a format war that will make the hardware choices difficult…and tend to make waiting the best choice.

    As is typical in cases like this, there is more than one technology for glasses. It seems that the shutter type glasses are becoming the favorite choice, even though they are more expensive. The other type, with the circular filters, has the more expensive screen (the filter is difficult to apply and align correctly) but the less expensive glasses. In theory, both cause less light to come to the eye, but the filter technology would cause even less than the shutter type. Not a problem if you can kick up the gain smoothly during 3D watching, and back again for 2D material, but generally not a panacea.

    Because of the way that they work, the filter systems also deliver half the picture at a time, interlacing lines. In theory, this will make fast moving scenes stutter. TVs are now already being built with smoothing technology, the so-called ‘Movie’ mode to handle the 24 to 30 frame issues, but to some eyes that sucks resolution. 

    There are going to be glasses for a long time. The problems of glasses-free designs may be solved eventually, but they are many. The company with the largest investment, Phillips with its Wow technology, pulled out after spending a fortune trying to make it work. It can work, as long as one keeps one’s head stationary and level. Making it work for more people means less light to everyone’s eyes, which is fine for a while, but still, no one can look at anyone to see how cool they look without glasses, without breaking up the 3D image…among other problems. Screens with 4K resolution (4 times what we have now) can solve some of this, but not all. The Digital Signage field will still be developing this technology for their purposes, but don’t confuse their advances (or press releases) for Home3DTV advances.

    Generally, the main ingredient for 3DTV is a fast TV, and most new TVs are above the refresh rate to handle 3D. Since 50Hz in much of the world, and 60Hz in the States can support good HD, and since half the signal has to be blocked half the time, one needs twice those speeds to make 3D work. Of course, if the technology can match it, even faster is better. Cinema screens get flashed 6 times per 1/24th of a second (3 times for each eye) when showing 3D movies. That explains what Sony is aiming for with 200Hz technology.

    That makes other considerations important, like transmission and set-top boxes and what happens when 2D gets mixed with 3D. Sequential, being theoretically 2 full HD fields, needs more data to make a HiDef 3D picture, more than can fit into the HDMI 1.3 pipe. 1.4 is being presented in the market, so that is good, but there is a codec to match that, making everything easier in the future, H.264 MVC. That codec, among other technology, needs to get into the set-top box or into the TV.

    Ultimately, home 3DTV is a fast moving field. It is probably not a fad. It is properly called stereoscopy, since it isn’t a real 3D hologram. But stereoscopy is one of the major depth cues we get in nature, so when it is done right on a screen, it can be very natural, pleasing and additive to the experience. It is probably not going to be as big a switch as the switch to HD, but a lot of people are betting big amounts that it will succeed.

    We’ll continue to add onto this article, with more technical and current data, as well as links. Eventually, it will be an FAQ. Any help will be appreciated.

    Social Engineering Preview

    Due to the mystery surrounding social engineering many people are afraid of it, or they feel they will never be able to accomplish a successful social engineering test. However, every time you try to get someone to do something that is in your interest, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering.

    Those are the beginning paragraphs to an interesting site:

    Social Engineering and the Art of Influence.

    We will use it as the launching point for exploring the best way for organizations who realize what a tremendous responsibility they have in the assets that they are storing.

    Step 1 – Find the right person to learn this expertise.

    Step 2 – Have them wander the site for a while.

    Avatar’s August Return Adds New Footage

    Yes, we know that Fox is milking this movie for every penny they can get, between the $2.7 billion it earned in theaters, to the double-dip DVD/Blu-Ray offerings (we still haven’t seen a special edition yet), to this new re-release, which I wouldn’t be surprised to see happen every year. And you know what, I’m totally fine with all this. I bought the Avatar Blu-Ray (which is in 2D) and tried to watch it, but couldn’t get into it. I guess it felt incomplete in 2D watching it on my small screen, so having the chance to see it again in theaters in 3D with more footage, I’m sold. So let the Avatar hate (or love) begin again, as it will be returning to theaters.

    For more info on the re-release worldwide, visit the official website: avatarmovie.com/re-releasedates

    Check the original FirstShowing.com story with their always interesting comments

    SmartJog Sends Deluxe DCPs to EU

    SmartJog was already used by Deluxe for transfers and storage of materials between their 11 offices around the world; Rome, Barcelona, Los Angeles, New York, Toronto, and London are mentioned in the press release. SmartJog is also used by post-production facilities world-wide, many who would doubtless send product to Deluxe for final packaging and distribution.

    Back in March, Sperling Reich at Celluloid Junkie asked, “Is it just me, or has anyone else noticed that SmartJog has been on a roll lately when it comes to partnerships?” He pointed out then that SmartJog had recently nailed down deals with Fox, XDC and Ymagis.

    Rack up another one for SmartJog and for Sperling. We’ll go on a limb here: Will Deluxe interest SmartJog in the MediaRecall technology that they bought this spring?

    The press release is attached for readers who are logged in.

    …Like Tangents In Rain