Taranfx - Your Gateway To Technology » Security

170M Downloadable Facebook Profiles, Privacy #FAIL

admin — Fri, 30 Jul 2010 16:15:59 +0000

If you are on facebook, and believe that its is a safe place to share your Personal stuff, take this: User data for 171 Million Facebook profiles has been leaked on to Torrents.

Facebook recently announced 500 Million users, of which 100 Million are leaked and are fully available, uncesored, unaltered for download on PirateBay. Every 3rd profile is available, and if these not so lucky users had most stuff in “info” tab open to Public, congratulations, its all in there.

Background:

A researcher, Ron Bowes, has compiled a list of more than 170 million Facebook users and the Web address of their profile page on the site and released it on a BitTorrent site, meaning it is making it accessible to millions of web users. Initially, he wrote a script to download all Facebook profiles listed in the social network’s public profile directory, which only includes people who have configured their settings for Public Search Listings to be .. Read Further »

Facebook bug lets Hackers delete User’s Friendlist

admin — Sat, 22 May 2010 20:25:18 +0000

Everyone is complaining about Facebook’s privacy negligence: The configuration to control privacy is hard for most users to adjust, as a result of which, most users are unaware of the privacy hit everytime the post on Facebook.

Forget privacy, a newly discovered Bug in Facebook lets hackers delete Victim’s Facebook friends, without permission.

The flaw was reported by Steven Abbagnaro, a student in New York. But as of Saturday morning, Eastern time, it had still not been patched, based on tests conducted by one of the security analyst.

The Facebook Hack

Combined with spam, or a self-copying worm, a hacker to create a havoc on the Facebook social network. The hack captures publicly available data from .. Read Further »

Hackers Hack Cars Remotely, disable Engines, brakes

admin — Fri, 14 May 2010 17:49:07 +0000

How far can softwares hackers reach? Perhaps, everywhere where software reaches? In a world where a complete PC can be hacked with a USB stick, everything appears possible.

In a paper[ by autosec], the security researchers claim that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some Really nasty things, such as turning off the brakes, changing the speedometer reading, wishfully blowing hot air or music on the radio, and even locking passengers in the car.

Earlier, same hackers hacked into a test car’s braking system and prevented the test driver from applying brakes. Additionally, they were able to kill the engine, falsify the speedometer reading, and automatically lock the car’s brakes unevenly. The test was done by attaching a laptop into the car’s diagnostic system and then controlling that computer .. Read Further »

How I would Hack your PC, Mac with USB HID

admin — Thu, 15 Apr 2010 18:48:45 +0000

We live in the world full of serpents, overlook things for seconds and you are bitten to death.

Trojans, viruses, malware are everywhere. They find new ways to enter our sacred computers some way or the other. Talking about scenarios where hacker had physical access, traditionally, lame Autorun based USBs could install unwanted programs on your PCs the moment they are plugged, but those are easy to get rid of: Switch off autoplay. What if a USB uses a cross-platform native profile to inject malicious programs into computers? — It becomes unstoppable.

One such device was demoed at this year’s Shmoocon, it’s called “Phantom Keystroker”. It’s a simple USB dongle form factor device, which when plugged to a computer uses USB HID class to identify itself as a Human interface mouse and keyboard from a legit manufacturer and start execution of instructions, which would perhaps annoy the user .. Read Further »

Reverse Phone Lookup – Weapon of Choice for Unsolicited Calls

admin — Sun, 04 Apr 2010 14:24:29 +0000

Technology always gives you a double-edged sword. The one that lets you cut through the gates, and the other side can cut the holding hand. Similar the story of Traceability and the privacy.

The number of spamming, phishing have taken a new Horizon. Leaving the web aside, apart from spamming, Phishing is common on phones too. Consider this, you get a call from a correspondent who pretends to be from your bank and with little “intelligently faked” information about you, (say some kind of your recent activity), would be enough for you to trust the other party. In fact, in 95% of the cases, users would fall for it without bearing a doubt in mind.

Honestly telling, its really hard to tell when you are wrong. Its hard to figure out who is calling you and your family. The right thing to do is Reverse Number Lookup. To start with you can look for any of the .. Read Further »

GMail gets OAuth, Secures 3rd-Party Apps Access

admin — Wed, 31 Mar 2010 17:13:40 +0000

Google is transforming the Email experience by extending the authentication to OAuth standard in it’s popular email service: Gmail. The move aims to harden the security of email accounts, after the having featured alerts for Simultaneous Logins, https implementation over last few days.

Normally, when a user authorises a third party developer (e.g. Facebook) to see their contacts list, he has to give-out password which is a very insecure way of doing things especially when the 3rd part app is not as trustworthy.

Now with OAuth, users will be transparently able to login, share contacts, just like they do with Twitter accounts. The feature is now available to developers via the Google Code Labs website.

Most Google APIs support this .. Read Further »

Browser Fingerprinting: Privacy is a Myth

admin — Sat, 27 Mar 2010 15:22:19 +0000

If you thought cookies reveal alot about your identity over the internet, probably you need to rethink. A new type of tracking is now considered to be way more powerful, and yet you don’t have a clue about it.

The method grabs a large amount of data about your browser, such as plug-ins, system fonts, and your operating system, screen resolution, etc. Each one when considered alone, they don’t identify you. But when collaborated, they’re a digital fingerprint: A Digital replica of you identity on the web.

It’s like describing a person. Just saying “blonde hair” won’t identify anyone. But add in “5 feet, 11 inches tall,” “mole on left little finger”, “versace glasses,” and so on, and soon you have enough information to pull someone out of a crowd, even without their name, .. Read Further »

Pwn2Own 2010 – Firefox, Safari Browsers Hacked, Chrome Stands

admin — Thu, 25 Mar 2010 15:48:18 +0000

Every year, CanSecWest hosts a competition to analyse digital security. The most interesting among them are industry’s top Internet browsers, Operating systems. Pwn2Own hacker challenge wrapped up today with the same hacker taking the most vulnerable browser down, yet again.

As usual, Safari was the first to fall, followed by IE 8, then was Firefox on Windows 7 x64 and iPhone’s mobile Safari. Google Chrome, however, is the last man standing.

Charlie Miller, the first hacker to take safari down, says that Chrome is still the hardest one to exploit.

“There are bugs in Chrome but they’re very hard to exploit. I have a Chrome .. Read Further »
Related Stories
Arora – Speedy Cross-platform Web Browser. Benchmark Chrome, Firefox, Epiphany
So Safari 4 is World’s fastest browser? NO! Browsers Benchmarked!
Safari 5 gets Extensions
IE9 vs. Chrome vs. Firefox vs. Opera Performance
IE Flaw Makes local Files Public
Firefox 4 – Screenshots Released. Is it Chrome Inspired?
Firefox 3.7 Screenshots. New UI Design
Firefox 3.5 Released, Detailed Feature Review.
What happened to Web Literacy? Google finds out.
Firefox to go multi-threaded for multicores.
Hackers Hack Cars Remotely, disable Engines, brakes
Sync iPhone Bookmarks with Firefox, Chrome

GMail now Warns for Simultaneous Logins

admin — Wed, 24 Mar 2010 17:18:57 +0000

How many time did you login to your email account publicly and feared if someone might keylog you? Of course prevention is way better then the aftermath but Gmail has taken the next steps in protecting your account from simultaneous logins, preventing suspicious activities.

Now, if it looks like something unusual is going on with your account, Gmail will alert you by posting a warning message saying, “Warning: We believe your account was last accessed from…” along with the geographic region, as illustrated below:

In order to make this possible, .. Read Further »

Google SkipFish: Web-Application Security Scanner

admin — Sat, 20 Mar 2010 09:25:34 +0000

Google has taken the next step to make Web Applications Robust, it has released a Web application security scanner called Skipfish. The free (and Open Source) scanner is designed to work within a variety of existing Web application frameworks and is built with an emphasis on speed and low false-positives, as per Google. SkipFish is based on C and is fast scanner that can easily achieve 2000 requests per second on LAN networks and 500+ requests against fast Internet targets, with minimal CPU usage. Unlike, other web-application security frameworks, its easy to use and supports wide variety of Web frameworks, auto-learning capabilities.

.. Read Further »

Chinese Google Hacker Tracked

admin — Mon, 22 Feb 2010 19:13:33 +0000

The source of high profile attack on Google [Aurora] has been tracked down to the source, a Hacker from China. The US authorities have traced the person who had written the code to make it possible.

Reportedly, the master-mind is a freelance security consultant which has ties with both Chinese government and military. What this means is, Chinese government had access to his work. The man claimed that ”he would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing”.

Repeatedly, Chinese government was denying involvement in the hacking case, but the latest upcoming makes it almost .. Read Further »

Windows 7 Rogue WiFi Hack

admin — Sat, 20 Feb 2010 21:11:50 +0000

Windows 7’s popularity has raised its market share at a sky-high pace. Within 3 months of its official launch, it has crossed the Mac OS to capture 8% of the OS market.

A while back, we discussed that Windows 7 features a half-baked “SoftAP” feature, also called “virtual Wi-Fi,” that allows a PC to function as a Wi-Fi client and also as an Access Point (AP) a.k.a wireless router.

The idea is not new but, pretty nifty for sharing data, music, files with others other peers in absence of an actual AP. But often good features come with a backdoor. But it makes executions of certain nightmares handy, e.g.Visitors and parking-lot hackers can piggyback onto the user’s laptop and .. Read Further »

China Busts Black-Hawk Hackers

admin — Mon, 08 Feb 2010 13:16:54 +0000

As per the latest upcoming from the China Daily, the largest illegal hacker training and recruitment portal in China has been shut down by police . The operation was planned, executed by a team size of 50.

In the action, 3 people have been taken into custody along with million dollars worth assets. The allegations were that the group ran a site called Black Hawk Safety Net which offered various exploits, DDoS, readymade software. Along with them were bundled viruses, trojans that could cause havocs in minutes.

It is said that Black Hawk had around 200,000 members running on 9 servers, 5 PCs all of which are now shutdown.

The business had been running over the span of 5 years, and the owners managed to collect more than $1 million as membership fees. .. Read Further »

WebCam as Security Camera [DIY]

admin — Fri, 05 Feb 2010 21:07:24 +0000

Surveillance systems can relieve your worries, but, they can also relieve your wallet. Why fall for expensive equipment when you can build your own at Fraction of cost ?

You can use a cheap Web Cam as a good Security camera that does almost everything that professional equipment does. I’ve been trying few softwares that would serve the purpose by securing my roof and the main door. Here is the softwares I’ve finally shortlisted and thought you would be interested in.

Vitamin D: This is an exceptional product that has an exceptionally intelligent motion-detection algorithms. This software does it all right by differentiating between different kinds of motions.

It lets you customize “the size” of the objects that would trigger events .. Read Further »

IE Flaw Makes local Files Public

admin — Thu, 04 Feb 2010 19:08:30 +0000

The end of Internet Explorer is finally here. Series of events: Google Hacking, removal of support for Google apps, several other vulnerabilities are forcing users to move to alternates.

Recently, at Black Hat DC conference, a security consultant (Jorge Luis Alvarez Medina) demoed how it’s possible to exploit a flaw in Internet Explorer browser that turns your personal computer into a public file server. In other words, attacker can remotely read files on the victim’s local drive.

There are a few ways to initiate the attack, which is somewhat complex because you have to “string alot of the features together to build an attack tool,” Medina said. One method involves enticing the victim to click a link to a malicious Web site.

.. Read Further »

Face-Recognition Security Software Laptop

admin — Mon, 25 Jan 2010 20:26:22 +0000

How many times did you lose patience over unlocking your windows machine with your long-passwords and how many times you ahted it when you had to share your password for use by your roommate?

Well, hate it no more, here is an application that will kill this problem permanently.
FaceCode is an access control software developed by Recognix Technologies LTD. It is ideal for your home and office PC, FaceCode is a user friendly face recognition PC logon software. FaceCode is the only product using advance face recognition technology to control the access to your computer. Faceode verify the identity of the user and logs them on to their personal account.

FaceCode gives you complete control over access to your PC. Using a simple web-camera, FaceCode will recognize existing PC users and log them onto their own user area without the need to type in usernames or passwords.

Key Features:

- Absolutely secure and reliable
- Prevent access from others
- Automatic Log on
- Artificial intelligence
- User friendly
Finally, Your face is your key.

FaceCode support logon both to Windows and Domain accounts.

This program is shareware, which means you .. Read Further »

ALL Windows PC Exploited by Hack

admin — Wed, 20 Jan 2010 18:12:00 +0000

There exists an encryption that has been left UnBroken since 1942 approximately time around the World war 2. This is called security – when encryption algorithm lasts long, really long.

Unfortunately, Microsoft has a different story. After 17 years of windows, someone found a hole that makes every windows PC on this earth prone to hacking.

This hole allows users with restricted access to escalate their privileges to system level – This is possible on all 32bit Windows .. Read Further »

Code that Hacked Google IDs [Aurora]

admin — Sat, 16 Jan 2010 19:31:27 +0000

Chinese hackers changed the face of Internet forever by taking the wrong step — trying to hack the search giant and several other giants.

Apparently, we know that hackers exploited a Vulnerability in Internet Explorer, but little was known about it untill the code that hacked Google became public.

So what does this code do ?

In Easy Words: Basically, the script creates a blank element on the page. This element has an “address” like a house. Then the element “moves out” and something else takes up the space of the house (it might even move the house around, or be larger than the house and contain it). But the script still knows where the house was, and can put things in there and if another bit of the program happens to overlap, some code put in that place might .. Read Further »

GMail gets Secure

admin — Wed, 13 Jan 2010 16:13:11 +0000

Google has long offered the ability to use a secure connection with Gmail via settings or using https:// in the URL itself. Now Google has defaulted it to https connection.

I don’t know about the readers, but I always used secure anyway. You can still move back to http, but that would be very unjustified.

Google was concerned about latency issues caused with https, that’s why it was never defaulted, but now Google seems to learn that security it the topmost thing we need.

Definitely this is triggered by High profile attack on Google from China. Google may leave china forever leaving a message for it’s worldwide users: “Security is our top most concern”. .. Read Further »

How Twitter was Hacked

admin — Fri, 18 Dec 2009 21:04:19 +0000

Internet faced World Wide Panic as Twitter.com was defaced to run out of service. Soon after the attack Users were able to see a page that claimed work of “Iranian Cyber Hackers”.

In simple words, it was nothing but a DNS hijacking attack in which Twitter’s DNS records were altered. That means surfers trying to reach the website directly via name resolution services were redirected to a fake domain, while the Twitter servers were running. As a result, applications that depended upon Twitter’s API - such as TweetDeck or mobile phone apps - were unaffected by the attack. Hence, Twitter servers were never hacked!

Rik Ferguson, a security consultant at Trend Micro, explains that this type of DNS hijacking usually involves compromising the systems at the registrar responsible .. Read Further »

WPA Cracker in the Cloud

admin — Mon, 07 Dec 2009 22:46:38 +0000

Wireless Networks have long been a threat to our network security. Security freaks know it that breaking a wireless WEP network takes couple of seconds. All it takes is to capture those IVs and calculate the key by simple maths.

When WEP was launched it was called Wired equivalent privacy, Now people call it Wasted

On the contrary, WPA based networks are still better, it need dictionary brute force which can be very slow at times coz all the permutations and combinations will take several hours over standard core duo or quad cores. However, what if you could leverage the Power of Cloud computing to do this, it would take couple of minutes.

.. Read Further »
Related Stories
Windows 7 Rogue WiFi Hack
All Smartphones with WiFi on Risk
Multi Gigabit Wireless: WiGig, WHDI, SiBEAM
Leveraging Cloud Computing to Drive Mobile Wireless Networks
New Vulnerability makes it Easy to Crack Wi-Fi with WPA Encryption
Secrets of Best Enterprise WiFi Strategies for Achieving Robust Network
IPv6 Challenges Ahead – Security, Migration. Still Not a Next-Generation.
Cloud Security still the Biggest Concern/Hurdle for Google, Microsoft, Verizon.
Virtualization aware Networking powered by Cisco and VMware
Juniper EX8216 is a Cloud switch, Delivers 12.4 Terabits
Confused by WEP, WPA, TKIP, AES & Other Wireless Security Acronyms?
Survey: Wireless networks easy to compromise

SpyPhone App Steals Personal Data from ALL iPhones

admin — Sat, 05 Dec 2009 13:29:47 +0000

Who was that someone shouting loud that only Jailbreaking makes iPhone insecure? We now have a new App that makes even an UnModified/Virgin iPhone leak personal data like you have never seen before.

A Swiss iPhone developer has unveiled a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email accounts information, images, Safari Browsing history, youtube, keyboard logger, etc. all this using just the public API exposed by Apple’s SDK.

In oder for this application, SpyPhone, to work, it does not need any exploits or any jailbreaking/firmware modification, attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s .. Read Further »

All Smartphones with WiFi on Risk

admin — Wed, 18 Nov 2009 13:02:18 +0000

WiFi is a must in every smartphone, but Today’s report brings bad news for enthusiasts who use WiFi excessively for their daily online interactions.

The list of vulnerable devices is huge: Nokia N95, HTC Tilt running Windows Mobile, HTC G1 running Android, and the iPhone 3GS with the 3.1.2 firmware.

All of them are vulnerable to man-in-the-middle attacks, carried out via Wi-Fi connections.

Man in the Middle Attack (MITM)
A man‐in‐the‐middle attack intercepts communication between two systems by relaying
messages between them. In this attack, the attacker makes an independent connection with both
.. Read Further »
Related Stories
Windows 7 Rogue WiFi Hack
WPA Cracker in the Cloud
Multi Gigabit Wireless: WiGig, WHDI, SiBEAM
Reverse Phone Lookup – Weapon of Choice for Unsolicited Calls
Hacking the Unsecure GSM Encryption
New Vulnerability makes it Easy to Crack Wi-Fi with WPA Encryption
Secrets of Best Enterprise WiFi Strategies for Achieving Robust Network
iPhone SMS Hack Fix via Firmware Update
IPv6 Challenges Ahead – Security, Migration. Still Not a Next-Generation.
Survey: Wireless networks easy to compromise
170M Downloadable Facebook Profiles, Privacy #FAIL
Nokia Siemens buys Motorola Wireless, boost 4G Networks

Windows 7 UAC Flawed

admin — Fri, 06 Nov 2009 15:06:57 +0000

UAC or User Access control force program execution to go through user permissions. This is one feature that was improved in Windows 7 to reduce the annoyance caused in windows Vista.
But now as per Sophos senior security engineer found that User Account Control is flawed.

As expected, UAC prompts the user for permission before granting elevated privileges but was ineffective in stopping common samples of malware from running, in a Windows 7-based system without virus protection.

Whereas two of the ten chosen malware samples for the test would not run in Windows 7 without UAC turned on at all, only one sample W32/Autorun-ATK was controlled by UAC. The other seven ran .. Read Further »

Secure iPhone from Hacking

admin — Wed, 04 Nov 2009 19:31:55 +0000

As reported by large number of sources, a Dutch hacker hacked a user’s Jailbroken iPhone and locked it unless it pays a mentioned amount to the Hacker.

A Proof of concept comes from the Forum post by the targetted user on a Dutch forum. The message on iPhone says:

“Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files.”

A URL is displayed that redirects .. Read Further »

NASA Security Breached, a Thousand Times

admin — Fri, 16 Oct 2009 19:37:30 +0000

NASA might have made significant discoveries in the deep space, their security has been breached 1100+ times within last 2 years.

Being the hottest space mission organization, NASA has faced several hacking attempts, both with bad intentions and just-for-fun kinds of hacker groups.

Security gurus from the Government Accountability Office (GAO) has released a 53-page report pretty much ripping the space agency’s network security strategy stating that NASA has significant problems protecting the confidentiality, integrity, and availability of the information and variety of networks supporting its mission centers.

The report gives out facts — NASA did not .. Read Further »

DIY Universal Credit Card Spoofer

admin — Fri, 25 Sep 2009 15:56:42 +0000

Earlier, back in the 90s when I first dated the Internet, I found credit cards were easy to exploit. It was as easy as getting a software that auto-generates numbers that could be used to make purchase online. Thank god, those things no longer work, other wise it would have been chaos.

Well what you are about to read could be HARMFUL to us, again.

WARNING: Do not proceed if you intend to exploit this. The sole purpose of the original author of the hack is for educational purposes only.

Magnetic spoofers have been around for a while. The one you see in movies, a kid hacks CCs with a piece of hardware, is very much possible.

We’re getting close to that kind of magic with card spoofer that is button-programmable.

Jarek, the author of the Hack, accomplished this by interfacing a 16-button keyboard and a LCD with an AVR ATmega168 microcontroller. Card codes can be entered with the buttons and verified on the LCD. Of .. Read Further »

Vulnerabilities in HTML 5 and Future

admin — Sun, 13 Sep 2009 09:34:46 +0000

HTML 5 comes with alot of promise for the web. It has lot of new features that could make Web Browsers and Apps much more powerful than they ever were.

Let’s go by an example. Try accessing Gmail on iPhone or Android phone, you will have notice some differences from what it used to be a month ago. The new thing worth noticing is the introduction of the offline access.

Gmail went down, offline in September, but credits to Gears, Gmail was still up and running with select Browsers. On the other side, iPhone Safari doesn’t have a Gears plugin, so how was it still running?

The answer lies with the HTML 5 standard, more .. Read Further »

The UnBroken Encrypted Message since 1942

admin — Wed, 02 Sep 2009 20:04:51 +0000

Back in time, Encryption used to be weak, plain, and simple. We can break those in couple of seconds with a normal PC over a brute-force attack. With the modern computing Grids, its possible to do much more than that.

Irony is, Today, three German ciphers are unsolved since World War II — They are now, finally being cracked, powered by thousands of home computers. The codes resisted the best efforts of the celebrated Allied cryptographers based at Bletchley Park during the war. The complex ciphers were encoded in 1942 by a new version of the German Enigma machine, and led to regular hits on Allied vessels by German U-boats.

The advancement in German encryption techniques led to significant Allied losses in the North Atlantic throughout 1942.

The three unsolved Enigma intercepts were published in a cryptography journal in 1995 and have intrigued enthusiasts ever since.

Many projects had been started to utilize the power of Idle CPU from Home PCs in various Open Research projects. These .. Read Further »

The Great FireWall of China – Chinese Internet Censorship Insights

admin — Sun, 30 Aug 2009 22:06:50 +0000

Chinese Government has added additional layers of filtering to all traffic that reaches the end-users. The censorship is one of it kinds which assures cleaner WWW.

Because of this civilized censorship, the browsing experience is different in china than the rest of the world. Let’s discuss How Chinese internet is different from the world!

1. Due to congestion on China’s backbone networks and the time it takes for communications to travel across undersea cables to the United States and Europe, travelers find a noticeable difference in the responsiveness of the Internet in China compared to the rest of the world.
2. The Chinese government uses four mechanisms — DNS blocking, reset commands, URL keyword blocking and content scanning — to prevent Internet users in the country from reaching blacklisted Web sites or content.
3. Chinese authorities monitor all the Internet traffic coming in and out of the country using mirroring routers designed for back-up and disaster recovery operations. These routers are hooked up to .. Read Further »

President Obama Could Shutdown the Internet, New CyberSecurity Bill

admin — Sun, 30 Aug 2009 18:04:03 +0000

Just How powerful one man, one President could be? He can order National Security and get a Nation wide “Emergency”. But did any one ever heard, President of a country shutting down Internet for the whole world? We are not far.

The second draft of a Senate cybersecurity bill appears to quote a language that would grant President Obama the power to shut down the Internet.

The Senate bill, first introduced in April by Senator John Rockefeller (D-W. Va.), does, however, still include language that gives Obama the authority to direct responses to cyber attacks and declare a “Cyber Emergency”.

The language in the first draft of the bill has been rewritten regarding the President’s authority to shutdown both public and private networks including Internet traffic coming to and from compromised systems.

The original bill included the words:

“The President may order the limitation or shutdown of Internet traffic to and from any compromised Federal government or .. Read Further »
Related Stories
170M Downloadable Facebook Profiles, Privacy #FAIL
Facebook bug lets Hackers delete User’s Friendlist
Hackers Hack Cars Remotely, disable Engines, brakes
How I would Hack your PC, Mac with USB HID
Reverse Phone Lookup – Weapon of Choice for Unsolicited Calls
GMail gets OAuth, Secures 3rd-Party Apps Access
Browser Fingerprinting: Privacy is a Myth
Pwn2Own 2010 – Firefox, Safari Browsers Hacked, Chrome Stands
GMail now Warns for Simultaneous Logins
Google SkipFish: Web-Application Security Scanner
Chinese Google Hacker Tracked
Windows 7 Rogue WiFi Hack

Hacking the Unsecure GSM Encryption

admin — Fri, 28 Aug 2009 09:19:51 +0000

Sometimes its ridiculous how the most common (and important) technology in our daily-life is vulnerable to kinds of attacks that could bring nightmares. Still, no one is aware, no one is doing anything. Such is the Case of Today’s GSM — The most popular Cellphone Technology.

Every year, some hacker comes out and breaks something crucial to us, which makes us and authorities learn it the HARD WAY, “We are not safe”.

The best work is done by BlackHat and DEFCON, which are open forums for Hackers, especially DEFCON, which has open hacking challenges.

If you ever went to the DEFCONs, you know what I’m talking about. These guys can take down a military of servers down in couple of hours. They can hack anything from a conventional “lock” to GSM phones.

This year was no exception. Karsten Nohl, a PhD candidate from the University of Virginia gave .. Read Further »

New Vulnerability makes it Easy to Crack Wi-Fi with WPA Encryption

admin — Thu, 27 Aug 2009 15:58:26 +0000

Wi-Fi, since it’s birth suffers from security issues. It’s first Encryption, WEP, can today be broken in a minute. and Irony — It’s still used commonly. What’s new? Computer scientists in Japan say they’ve developed a way to break the WPA encryption (considered secure) system used in wireless routers in about one minute.

Confused by WEP, WPA, TKIP, AES & Other Wireless Security Acronyms?

The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) Encryption system. The attack was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University, who plan to discuss further details at a technical conference set for Sept. 25 in Hiroshima.

Last November, security researchers first showed .. Read Further »

Biggest Identity Theft EVER – 130 Million Credit Card Numbers Stolen

admin — Tue, 18 Aug 2009 15:34:59 +0000

How big can a theft be? 100s of credit card no.s and total amount of millions? Wrong. Today, this theft is much bigger than any one has ever seen. 130 Million Credit card numbers, a total theft that when mis-used can lead to multi-billion theft.

A Miami based person and two Russian guys are being indicted to be guilty for stealing 130 million credit card numbers, the largest identity theft in history. That’s alot — like, one for every housing unit in the United States. How did they do it?

The theft had been living over years of work. This historic theft involved five corporate data hackings, between 2006 and 2008, including Heartland, Hannaford, 7-Eleven and two unnamed companies, according to Channel Web. US investigators say the team scanned lists of Fortune 500 companies and learned about their checkout counter machines (also known as point-of-sale (POS) systems).

Then to take the hack further, they wrote specific codes to corrupt their data systems and launch a virus from computers in the United States and Europe to pull hundreds and thousands of credit card .. Read Further »

Twitter is Dwelling Botnets – DDoS and Downtime

admin — Sat, 15 Aug 2009 17:13:30 +0000

While I write this, Twitter went down again. Another DDoS Attack just like the one we had seen earlier. Social networks are most prone to different kinds of threats. Why Social sites? Almost every one we know in Real life exists on one social network or the other. And Twitter bieng no.1, it’s hacker’s obvious choice to build Botnets home inside Twitter.

A security researcher has found that hackers are using Twitter as a means to distribute instructions to a network of compromised computers, a.k.a botnet.

The traditional way of managing botnets was IRC or different honeypots. But with changing times, botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trend among the tricks.

Twitter came to know about this from an account that it recently suspended. What was it doing? It was being used to post tweets .. Read Further »

Secrets of Best Enterprise WiFi Strategies for Achieving Robust Network

admin — Fri, 14 Aug 2009 16:33:13 +0000

Almost Every enterprise we know of relies on wireless infrastructure to run their offices, remote users, some way or the other. The best practices being adopted the Industry’s Top players are no longer secrets, they are revealed here.

The highest scorers had aggressive growth in Wi-Fi coverage and traffic, and a big drop in network downtime — What does this mean? A more stable network on which users increasingly rely, These best-in-class enterprises are holistic in approaching what they conceive of as a strategic enterprise asset.

These enterprises no longer see a Wi-Fi network as a convenience that’s casually overlaid on the wireline infrastructure, and managed on an ad hoc basis. Instead, the best-in-class companies adopted an array of proactive tactics, technologies and procedures to achieve big gains in performance and security, creating a reliable network with optimal throughput. The tactics included:.. Read Further »

Domain Name theft was NOT a Crime in the past – p2p.com Hijacking Case

admin — Wed, 05 Aug 2009 17:25:22 +0000

Domain hijacking is the process by which internet domain names are stolen from the rightful registrant. Domain theft is an aggressive form of domain hijacking that usually involves an illegal act. In most cases, identity theft is used to trick the domain registrar into allowing the hijacker to change the registration information to steal control of a domain from the legitimate owner. – says Wikipedia.

Domain theft or Domain Hijaking, is what we have seen for years. The most surprising fact is, it was never interpreted to be a theft! There were no Rules or Regulations that abide people to Lawful actions under the state.

And the worst part – It’s easy and there are lots of Tutorials on how to do it over the web.

I still wonder, whether the day would come that Internet Corporation for Assigned Names and Numbers (ICANN) would actively control domain .. Read Further »

Hacking as a Service HaaS – Security & Future

admin — Fri, 31 Jul 2009 22:51:55 +0000

He wakesup from a dream, which he thought was a dream. In the dream world he is a hacker, and to enter the Real world, he takes the Red pill, He wakes up to the real world and fights back into the Virtual world, because He is the One – Neo.

The concept of Matrix was once rejected by analysts. But today we feel with the kind of Technology advancements, it’s not far from I-M-Possible.

I started from the “Hacker” word to bring-out another advancement of an underworld. Normally, the Hacker word is used for both good and bad guys. I`ll refer mostly to bad guys.

Let’s start from this -

Late last year, the software engineers developing a new Windows-based networking client confronted an all-too-common problem in today’s hostile internet environment:

How would they make their software resistant to the legions of enemies waiting to attack it? Particularly worrisome was a key feature of their code, a mechanism to accept updates online. If it were subverted, an attacker could slip his own program into an installed base of millions of .. Read Further »

iPhone SMS Hack Fix via Firmware Update

admin — Fri, 31 Jul 2009 15:47:06 +0000

Apple had been silent on the Critical Vulnerability found by BlackHat’s security expert presenter, till Google went ahead with the similar fix for the Android platform.

I haven’t heard the official news coming directly Apple, but Carriers are doing it. First one to do is O2 UK, which announced that Apple will be releasing fix by weekend.

There’s no news from AT&T yet, but they are not far from.

It’s an admirably quick fix to a comically terrible problem. Probably, it will come as 3.0.1 or something similar. But at least Apple’s got an update infrastructure to match their relatively quick remedy; what’s really worrying is that some other vulnerable phones—mostly Windows Mobile handsets—are still vulnerable, and whatever updates Microsoft have in store may have a slightly harder time blanketing users without the near-daily update checking built into the .. Read Further »

iPhone and Android SMS Hacks

admin — Thu, 30 Jul 2009 15:59:16 +0000

BlackHat is a yearly security conference where Industry’s most Dark side secrets are revealed.

Few years back, Sir Lenin identified a Cisco security flaw that could bring down EVERY SINGLE CISCO ROUTER in the world. Lenin was from ISS (Internet Security Systems), he was fired & tortured, and what not. Cisco, at no cost, wanted their secrets to be revealed. Well, that was years back. since that year, we have more darker sides of the IT world.

This year, Security researchers have identified several SMS vulnerabilities that can be used to deny service to mobile phones. They’re presenting Today but their findings have been published.

Detail

A serious security flaw that could allow a remote attacker to take control of the victim’s iPhone by sending a specially constructed SMS message. The vulnerability might be publicly demonstrated and explained as per the schedule here .. Read Further »

L0pht Hackers are Back after a Decade with HNN

admin — Fri, 24 Jul 2009 19:24:57 +0000

After a decade of being offline they are back again, this time with geeky video reports about security, Hacker News Network.

Hacker News Network, HNN, is one of the projects of the Boston-based hacker. The Project is known as L0pht Heavy Industries.

Why Am I talking about them?

Well it’s pretty much justified:

They’re the guys who famously once told the U.S. Congress that they could take down the Internet in about 30 minutes. They helped inventing the way that could help computer companies drill out security bugs in most things on Internet.

The L0pht was powered by eight active members who used to be solid hackers, back in the days in 1990s. But something wrong happened, most of them had faded, even as they’ve watched a cottage industry of security research firms sprout up based on many of the disclosure techniques they pioneered. The .. Read Further »
Related Stories
Hackers Hack Cars Remotely, disable Engines, brakes
How I would Hack your PC, Mac with USB HID
Browser Fingerprinting: Privacy is a Myth
Pwn2Own 2010 – Firefox, Safari Browsers Hacked, Chrome Stands
Chinese Google Hacker Tracked
Windows 7 Rogue WiFi Hack
China Busts Black-Hawk Hackers
ALL Windows PC Exploited by Hack
Code that Hacked Google IDs [Aurora]
Google to Shutdown in China?
How Twitter was Hacked
Secure iPhone from Hacking

Top 10 Most Dangerous BotNets, Malware [Fix]

admin — Wed, 22 Jul 2009 20:44:27 +0000

Botnet is a collection of software robots, or bots, that run automatically. It is often associated with malicious software over network of computers using distributed computing. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.

While the term “botnet” can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed via drive-by downloads exploiting Web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

The bad news is that, Botnet attacks are increasing, as cybercrime gangs use compromised computers to send spam, steal personal data, perpetrate click fraud and clobber Web sites in denial-of-service attacks. Here’s a list of America’s 10 most wanted botnets, based on an estimate by security firm Damballa of botnet size and .. Read Further »

E-Passports Hacked using RFID

admin — Mon, 20 Jul 2009 17:52:02 +0000

I can’t seem to believe it. Are governments and National Security Agencies blind? E-Passports are becoming popular amoung a large no. of countries and it’s so easy to hack and clone, but no one has raised any concerns, Why ?

How E-Passports work? Why do we need them?

E-Passports are based on recent buzz of RFID. they broadcast some unique

id/information (theoratically) identifiable and understandable by only select Terminals put at airports.

In theory the RFID passports improve security and are faster to process.

The first is Ironical; the second not much better. Why?

What is faster are the new RFID chipped ID cards for border crossings: They broadcast their unencrypted info for 10 meters or more. Wow! Now that makes the HACKABLE!

E-passports not only threaten .. Read Further »

Indian Hacker Reacts to Racism in Australia – RAAF Air force Hacking

admin — Sun, 19 Jul 2009 14:09:55 +0000

When Governments fail to provide a solution to Social extremism, people react.

This time, the reaction had been something different from the usual. An Indian geek, Atul Dwivedi, deprived the Royal Australian Air Force RAAF website. After doing so, he posted a message on the Home page as a warning to Prime Minister “Kevin Rudd”.

The downtime had been for whooping two days: Monday and Tuesday. The RAAF website’s Homepage was replaced to a message quoting

“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn [sic] all your cyber properties like this one.”

I’m not really here to discuss the social aspect of the things, because they are often controversial. A brief story would be: Alot of Indian students have migrated to Australia, specially areas surrounding melbourne and Sydney, to seek .. Read Further »

IPv6 Challenges Ahead – Security, Migration. Still Not a Next-Generation.

admin — Sat, 18 Jul 2009 12:18:38 +0000

IPv6 took more than two decades to upgrade from an existing internet standard that drove traffic of Trillions of Terabytes of Data every year. After, IPv4, IPv5 was a literal Realtime protocol which was not practical to implement, hence was a failure, never came out of paper. We had high hopes for a Internet standard that emerges after a complete decade of development life cycle.

It never came upto the Expectations

IPv6 the so called “next-generation” Internet protocol isn’t keeping too many U.S. CIOs and network managers up worrying at night. But the story is two folded with an Irony.

IPv6 Irony

IPv6 was primarily designed to encounter two problems taking the third point into consideration:

1. Meet growing IP address requirements.

2. Provide Inherent Proven Security to make IP communications more secure.

3. Easy Migration / Adoption while doing 1 and .. Read Further »

Cloud Security still the Biggest Concern/Hurdle for Google, Microsoft, Verizon.

admin — Thu, 16 Jul 2009 19:28:54 +0000

Cloud has brought us unlimited and unmatched processing power that we could never think of a decade ago.

Earlier, I wrote how cloud computing was actually a Dark (Cloud) Knight. And the joker was successful in showing the Gotham that even the best among us could fall. This finds a corollary in the cloud computing world.

A Look back at the Benefits: Cloud storage offers some exciting advantages. It offers “pay as you go”, .. Read Further »

Cybercriminals hack into Bank ATMs in Eastern Europe

admin — Sat, 06 Jun 2009 23:15:01 +0000

Cybercriminals are improving day by day in terms of technology they use to counterfeit security of Bank systems. Recently, a new malicious software program, that can be installed on ATMs running Windows XP operating system that records sensitive card details, have been found by security vendor Trustwave.

The malware activity has been found on ATMs in Eastern European countries, and is likely to expand over to western europe aswell.

How it works? Step by Step
1. The malware records the magnetic stripe information on the back of a card as well as the PIN (Personal Identification Number), which would potentially allow criminals to clone the card in order to withdraw cash.

2. The collected card data, which is encrypted using the DES (Data Encryption Standard) algorithm, can be printed out by the ATM’s receipt printer.

3. The malware is controlled via a GUI that is displayed when a so-called “trigger card” is inserted into the machine by a criminal. The trigger card causes a small window to appear that gives its controller 10 .. Read Further »

The Pirate Bay and a Never-Ending Search for an Unbiased Judge

admin — Mon, 25 May 2009 19:34:54 +0000

Mid-April, the four founders of The Pirate Bay were found guilty of being accessories to breaching copyright law; they aided in breaching copyright of 33 files. As a result, they were sentenced to one year in jail and a 2.75 million EUR fine. However, it was quickly revealed that the judge in the case was heavily biased, and ever since then there’s been a search for a judge who is actually not involved with any pro-copyright groups or with the lawyers working for the entertainment industry in this case. Turns out that’s actually kind of hard.

The original judge during the case turned out to be a member of several pro-copyright groups. To make matters worse, the lawyers working for the entertainment industry in this case were members of the same groups, which obviously meant that the judge was simply not a good fit for the case. So, the search began for a new judge, one without any affiliations, to investigate the conflict-of-interest.

Well, this turns out to be a bit more difficult than anticipated. Judge Ulrika Ihrfeldt was appointed by Court President Fredrik Wersäll .. Read Further »

Security Audit leaks and Impacts, know before you make Blunder!

admin — Mon, 25 May 2009 18:50:42 +0000

Security consultancy Networks Unlimited allowed freelance reporter Sandra Gittlen to tag along as it conducted a data leak audit at a Boston pharmaceutical firm, then presented its findings to company execs. In exchange for this type of access, we agreed not to identify the pharma firm.

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company’s data leak defenses and he would then be able to leverage the audit results into funding for additional security resources.

“Data leakage is an area that doesn’t get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it,” the IT director says.

But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping .. Read Further »

VPN Security: where are the holes in your security.

admin — Thu, 14 May 2009 16:36:52 +0000

Demand for mobile and remote access to small- and midsized business networks has increased dramatically. Even the most basic VPN technologies are so accessible and affordable that there is no good reason for failing to utilize them. That said, the real question for SMBs is which type of VPN to implement: Standard IPSec or SSL?

SSL is best

SMBs that have limited budgets and/or those that do not share highly sensitive data may opt for a standard VPN because of cost; this technology is virtually free. In fact, most operating systems have built-in VPN protocols, but you typically get what you pay for here. Such protocols often rely on little more than usernames and passwords, they usually lack robust authentication and encryption components, and they can easily become open doorways into corporate networks.

Furthermore, standard VPNs require the deployment of software and clients – an administrative headache at best.
SSL VPNs use the same encryption protocols as many .. Read Further »

Symantec CEO: The future of security [video]

admin — Wed, 22 Apr 2009 08:10:11 +0000

At the RSA Conference in San Francisco, Symantec CEO Enrique Salem reveals what he thinks the security of the future will look like. Among the things he says we need to do? Make security risk-based, info-centric, automated, and work-flow driven to keep up with security threats.

Courtesy: Zdnet

.. Read Further »

Survey: Wireless networks easy to compromise

admin — Sun, 19 Oct 2008 09:26:38 +0000

Deloitteâ€™s recently released Wireless Security Survey assessing Mumbaiâ€™s â€” Indiaâ€™s financial capital â€” state of security awareness in respect to wireless security, shows an ugly picture of insecure wireless networks in both, business, and residential districts. With Mumbai being the home of Indiaâ€™s most important financial institutions, next to the majority of multinational corporations, it may also turn into the playground for the next high profile data breach.

The key findings of the survey are:

Of the 6729 wireless networks seen, 36% appeared to be unprotected i.e. without any encryption
52% were using low level of protection i.e. Wired Equivalent Privacy (WEP) encryption
Over 95% of the networks broadcast their SSID, with 25% of these using their routerâ€™s default SSID
Balance 12% were using the more secure Wi-Fi Protected Access (WPA)

Whatâ€™s the practical applicability of .. Read Further »