Online University Lowdown has an excellent article on the 25 best colleges for nerds and some of the cool courses being offered at these colleges.

From colleges with video game design majors to artificial intelligence, to majors in ‘ethical hacking’, colleges around the world are starting to appeal to the nerds in all of us.  This list of 25 courses and programs offered at colleges around the world identifies some of the nerdiest coursework, starting with the most obvious, and winding up with the most obscure…

Note: Most of the courses listed below are full 4-year programs. Also, clicking on the links below will take you straight to the course listing, whether at physical universities or online schools. The lowdown according to them:

# 1: Game Software Design and Production at DigiPen Institute of Technology

# 2: Ethical Hacking at the University of Abertay in Dundee, Scotland and InfoSec Institute

# 3: Open Source Development at University of California Berkeley and online equivalent at University of Illinois

# 4: Cryptography at Stanford University, MIT and University of Washington

# 5: Network Security at the University of Tennessee Knoxville and an online equivalent at The American Intercontinental University

Hacking Competition, Red vs Blue Team

Informit.com is providing good coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team, all in the name of learning.

How many times have you heard a commercial telling you how much money an Information Technology professional can earn in a year? Well, trust me; the job is not as easy as it sounds. Just ask the eight teams that participated in the annual Collegiate Cyber Defense Competition (CCDC). During the event they are under immense pressure to build a web application, maintain a web server with an ecommerce system, manage an Exchange server, keep a DNS server up and running and more — all while protecting their network from four seriously determined hackers.

From the article: “When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students’ databases looking for sensitive data. The two others were adding/changing accounts on routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours.”

The rules were fairly simple — at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.

Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called over for an investigation, and the Red Team was allowed to try to talk to the teams to put a social engineering twist on the games. Finally, all business objectives and administrative requests were sent to the CEO via email.

I’m all for this and from TFA, this sounds like a great thing (and lots of fun!). It seems that this includes even the social engineering aspect. In other words, it’s a trivial matter to get into somebody’s system; it takes a whole other skill set to convince that person to hand you the keys to their data. That is to say, attempting to gain access to a computer system through its weakest link: THE USERS! It’s one thing to pit technical skill against the threat of hacking, but it’s been done over and over; all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky – on their MONITOR! Users must be educated and kept up to task on things like this, and it’s my opinion that the IT/Security industry does not place enough emphasis in that area.

In this contest, social engineering was allowed. It seems that a few members of the Hacker/Red team would often walk around the room and try to watch what people were doing. A few times they even stopped and tried to get information out of the student/Blue teams. However, they had to leave the team area when asked. It seems that one team actually left sheets with the wrong passwords on the tables in hopes that they (the Red Team) would waste their time.

Google Fight between Red vs Blue Teams

Even GoogleFight thinks that the Red Team actually whupped the Blue Team, with the Red Team (Hackers) returning 267,000,000 results compared to the Blue Team (Students), which returned 146,000,000 results.

For those who read French, here is a press release [web.crim.ca] about a team of Scheme hackers headed by Marc Feeley [umontreal.ca] participating in a Quebec security competition, who won both the first prize for keeping the other nine teams out and the second prize for finding the most security problems in the other teams’ servers.

According to a member of the student team

USB flash drive logon programs review

Security login using a USB flash drive token

In my searches I have found lots of people (like me) asking for programs/software that would turn a regular USB drive into a security token to replace a Windows password. There is not a whole lot of information or reviews of such programs (except in Czech here: http://www.zive.cz/h/Uzivatel/Ar.asp?ARI=126071&CHID=1&EXPS=&EXPA= or in German here: http://www.se-community.com/forum/viewtopic.php?t=23325&highlight=rohos ).

So, I decided to spend some time trying out and laying out the features of four of the top programs that turn a USB drive into a security token, which you insert into a port on the laptop or desktop to log in.
This table was completed based on my own feature requirements and on the features most asked for by other people in forums and blogs. See the notes on specific features below.

Products compared (the columns of the original table):
Rohos Logon Key (the winner), www.rohos.com
Dekart Logon, www.dekart.com
Proteg, www.inflexpoint.com
Natural Login, www.palcott.com

Legend: + means the product has the feature (or, in the “security hole” row, that the hole is present), – means it does not, ~ means partial support. Cells that were empty in the original table are marked “not stated”.

Notes
Rohos: Available as an EXE, MSI, or a server version.
Dekart: Can be installed only using an Administrator account. Windows 2003 is not supported.
Proteg: not stated
Natural Login: not stated

USB key creation
Rohos: Quick and easy.
Dekart: Key activation, then adding user accounts to the USB key.
Proteg: Does not replace your password with a USB key, but adds an additional authentication level using the USB flash drive. Password usage is required.
Natural Login: Advanced.

USB key removal options
Rohos: Lock desktop, turn off, shut down, or hibernate the PC; log off the user; activate the screen saver.
Dekart: Lock, log off, turn off, or restart.
Proteg: Lock.
Natural Login: Lock.

Can completely disable password login
Rohos: +
Dekart: +
Proteg: –
Natural Login: +

USB key security (two-factor login)
Rohos: PIN. Keeps passwords on the USB drive in a secured manner.
Dekart: Keeps plain passwords. Optional PIN for encryption.
Proteg: Does not create any file on the USB drive. Always makes you use a password along with the USB flash drive.
Natural Login: Optional user-defined questions or a graphical pattern you need to enter. Creates an encrypted file.

Multiple logins on a single USB key
Rohos: +
Dekart: +
Proteg: not stated
Natural Login: +

Key duplicate security hole (a copy of the key accepted for login)
Rohos: The program binds to the owner’s USB flash drive and does not accept another for login (unless the owner has two keys).
Dekart: +
Proteg: The program binds to your USB flash drive. It does not create any files on the USB flash drive.
Natural Login: +

Emergency login in case you lose the USB key
Rohos: +, based on a set of questions.
Dekart: not stated
Proteg: +, by answering a predefined set of questions.
Natural Login: +, login with user-defined questions/answers.

Windows XP welcome screen support
Rohos: +
Dekart: not stated
Proteg: not stated
Natural Login: ~

Windows Vista support
Rohos: +
Dekart: not stated
Proteg: not stated
Natural Login: not stated

Ease of use of the key
Rohos: Higher
Dekart: Standard
Proteg: Standard
Natural Login: Higher

Additional options
Rohos: Login screen customizations, enhanced system shutdown dialog, password generator, remote desktop login via USB key, access restriction for users based on time, and a server version for networks.
Dekart: Biometric logon plus support for a dozen corporate security tokens.
Proteg: No
Natural Login: No

New feature development and support
Rohos: Has the best live product and support. Has a blog. A thorough admin guide is also available.
Dekart: No new features for a long time. Support personnel always say “we will implement this in the future…”
Proteg: No replies to my messages. Last release date: 2005.
Natural Login: They basically speak French. Last release date: 2005.

Price and score (each score out of 10: Features / Support / Usage / Security)
Rohos: $25/$35; 9 / 10 / 10 / 10
Dekart: about $40; 7 / 5 / 8 / 8
Proteg: $25; 6 / 6 / 8 / 9
Natural Login: $19/$29; 8 / 6 / 9 / 10
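The two rows that decide the security score are “USB key security” and “Key duplicate security hole”: a token that keeps the plain password on the stick is only as secret as the stick, while a token that needs a PIN and is bound to one particular drive survives the stick being copied. As an added illustration (not the implementation of Rohos, Dekart, Proteg or Natural Login, whose internals the review does not describe), the following stdlib-only Python contrasts the two designs; the drive serial, Windows password and PIN are constructed values.

```python
"""Added illustration of the token designs compared in the review above.
It is not the code of any product reviewed; the drive serial, password
and PIN below are constructed values."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

DRIVE_SERIAL = "USB-SN-3A9F1C44"      # constructed: identity of the owner's drive
WINDOWS_PASSWORD = "C0rrect-Horse!"   # constructed: secret the token releases at logon
PIN = "4821"                          # constructed: second factor the user types

SALT_LEN, TAG_LEN, KDF_ITERS = 16, 32, 100_000


def plain_token(password: str) -> bytes:
    """Weak design ("keeps plain passwords"): what is written to the drive is
    the password itself, so copying the drive copies the credential."""
    return password.encode()


def _keys(pin: str, drive_serial: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive encryption and MAC keys from the PIN *and* the drive identity,
    so a byte-for-byte copy of the token file on another drive yields other keys."""
    master = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), salt + drive_serial.encode(), KDF_ITERS)
    return (hashlib.sha256(master + b"enc").digest(),
            hashlib.sha256(master + b"mac").digest())


def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher; a real
    product would use an authenticated cipher such as AES-GCM instead."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal_token(password: str, pin: str, drive_serial: str,
               salt: Optional[bytes] = None) -> bytes:
    """Stronger design ("PIN, bound to the owner's drive").
    Token layout on the stick: salt || tag || ciphertext."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    enc_key, mac_key = _keys(pin, drive_serial, salt)
    pw = password.encode()
    ciphertext = bytes(a ^ b for a, b in zip(pw, _keystream(enc_key, salt, len(pw))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + tag + ciphertext


def open_token(blob: bytes, pin: str, drive_serial: str) -> Optional[str]:
    """Return the password, or None if the PIN is wrong, the token was copied
    to a different drive, or the blob was truncated or tampered with."""
    if len(blob) < SALT_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + TAG_LEN:]
    enc_key, mac_key = _keys(pin, drive_serial, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, salt, len(ciphertext))))
    return plain.decode()


if __name__ == "__main__":
    blob = seal_token(WINDOWS_PASSWORD, PIN, DRIVE_SERIAL)
    print("plain token, readable by anyone who copies the stick:", plain_token(WINDOWS_PASSWORD))
    print("owner's drive, right PIN:", open_token(blob, PIN, DRIVE_SERIAL))
    print("owner's drive, wrong PIN:", open_token(blob, "0000", DRIVE_SERIAL))
    print("same file cloned to another drive:", open_token(blob, PIN, "USB-SN-CLONE0001"))
```

Binding to a drive serial only helps while the attacker cannot read and spoof that serial, which is easy for someone holding the stick; the slow PIN-derived key is the part that actually resists an offline attacker, and the PIN is what turns “something you have” into two factors.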

TrueCrypt logo

TrueCrypt is free, open source disk encryption software that works on both Windows and Linux. No data stored on an encrypted volume can be read (decrypted) without the correct password, keyfile(s), or encryption keys. TrueCrypt does this by creating a virtual drive that encrypts and decrypts files on the fly as they are written and read. The advantage of using TrueCrypt is that you need not install it on every computer you use: all you need are the files truecrypt.exe and truecrypt.sys plus the volume file you create, which you can carry on your flash drive. Note that running it this way still requires administrator rights on the host machine, because truecrypt.sys is a kernel driver that has to be loaded.

Step-by-step tutorial on how to encrypt your hard disk, data, or messages using TrueCrypt

Step # 1: Download and install TrueCrypt

Step # 2: Once you launch TrueCrypt, click the “Create Volume” button. This launches the Volume Creation Wizard, which prepares the encrypted drive location. Choose “Create a Standard TrueCrypt Volume” and hit Next. Next, click the “Select File” button and browse to the place where you want to store your encrypted files. In this case, I am selecting askstudent.ajit. Note: this is not the file you want to encrypt. Think of it as a container, like a folder, which will in turn hold the files you encrypt later on. Hit Next.

Store encrypted files

In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

The first recorded mention of phishing is on the alt.online-service.america-online Usenet newsgroup on January 2, 1996, although the term may have appeared even earlier in the print edition of the hacker magazine 2600. The term phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to “fish” for users’ financial information and passwords. The word may also be linked to leetspeak, in which ph is a common substitution for f.

Shown below is a sample email message I received from PayPal

Paypal phishing email

If you dissect this email, digging into its headers and the HTML source of the content, you will see two things jump out
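The dissection itself is not on this page, so the following is an added example of the two kinds of check such a dissection involves, and not the author’s own analysis or findings: header checks (does the Return-Path and do the Received hops belong to the domain the From line claims?) and content checks (does the visible link text name one host while the href points somewhere else?). The message is constructed to resemble a fake PayPal notice and is not the email the author received; it is stdlib-only Python.

```python
"""Added example of the header and link checks a phishing dissection involves.
Not the analysis from the original post; SAMPLE is a constructed message."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the From line claims paypal.com, but the bounce address,
# the sending host and the real link target all live elsewhere.
SAMPLE = b"""Return-Path: <bounce@mail-svc.example.net>
Received: from mail-svc.example.net (203.0.113.45) by mx.example.com
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://paypal.com.account-verify.example.net/login">https://www.paypal.com/</a>
to restore access.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Deliberately crude: real tooling uses the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def visible_host(text: str):
    """Hostname that a link's *text* claims, or None if the text is just words."""
    text = text.strip()
    if "://" in text:
        return urlparse(text).hostname
    if re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return text.split("/")[0]
    return None


def analyze(raw: bytes) -> dict:
    """Return {'header': [...], 'links': [...]} describing each mismatch found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"header": [], "links": []}
    from_dom = registered_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])

    # Header check 1: the bounce address should live in the claimed sender domain.
    ret = parseaddr(str(msg.get("Return-Path", "")))[1]
    if ret and registered_domain(ret.rpartition("@")[2]) != from_dom:
        findings["header"].append(f"Return-Path {ret} is outside the From domain {from_dom}")

    # Header check 2: every Received hop that names the host it came from.
    for rec in msg.get_all("Received", []):
        parts = str(rec).split()
        if len(parts) > 1 and parts[0] == "from" and registered_domain(parts[1]) != from_dom:
            findings["header"].append(f"Received from {parts[1]}, not a {from_dom} host")

    # Content check: link text that shows one host while href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real = urlparse(href).hostname or ""
            shown = visible_host(text)
            if shown and registered_domain(shown) != registered_domain(real):
                findings["links"].append(f"link text shows {shown} but href goes to {real}")
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE).items():
        for item in items:
            print(f"[{kind}] {item}")
```

A clean Return-Path is not proof of anything, since the sender sets it freely; the Received chain written by your own mail servers and the link targets in the body are the parts the phisher cannot fully control, which is why those are the lines worth reading first.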