COFEE vs DECAF

It cannot get any more hilarious than this:


Two developers have created "Detect and Eliminate Computer Assisted Forensics" (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password protected or encrypted sources.

Original Source: arstechnica

Which Antivirus To Use?

This is one question that all security professionals get asked a lot. It goes without saying that any one person's opinion may not be the statistically correct answer. To make matters worse, (un)fortunately, there are a number of reports out there which probably only Einstein and Bill Gates can read, decipher and really understand.

Here is one simple, to-the-point, straightforward report that I think answers this question bang on: Battle of the anti-virus

Hotmail Compromised

I hope everyone out there is aware of this hack. I would recommend everyone to change their passwords asap.

ISC's Post

Cracking Encryption Keys

We all know we need to protect sensitive, confidential or customer related data, with strong encryption algorithms and lengthy keys.

But where does the buck stop? How much security is too much for something with absolutely no financial value, like, for example, a calculator's operating system?

Texas Instruments Signing Keys Broken

Using Twitter as a Botnet Command Channel

Just when you thought you knew everything there is to know about Twitter, here comes another surprise..!!

Brazilian ID thieves are using Twitter streams to send commands to their botnets. The bots are programmed to monitor RSS feeds from these Twitter accounts.

Sounds pretty innovative, right?

Analyzing Tr.im's Sad Demise

www.Tr.im, a popular URL shortening service, is shutting down its business. Hence, a few months from now, all the tr.im links over the internet may die.

So, this makes me wonder:
  1. What is going to happen if more and more of these types of services go out of business? Ever wondered how that could adversely affect our "World Wide Web"? How frustrating would it be to not be able to click and navigate to the useful links we find in gazillions of blogs, whitepapers, news articles, etc. over the net?
  2. What if a spammer or a hacker buys the domain name after tr.im (or another similar service) ends its ownership? Instead of killing all the tr.im URLs on the internet, he may decide to point them to any malicious website of his choice!

This just goes to prove that our internet still needs some more time to mature and become a smarter and safer place to hang out.

The Economics of Botnets & 0-Day Market

Ever wondered what a botnet can actually do? How much damage can it cause? Or how much does it cost to rent a botnet, or even better, how much can you earn from a botnet..??

All this and more answered by Yury Namestnikov in his blog.

Another very good paper to read is by the famous Dr. Charlie Miller:
The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales

Update 03-Apr-2012:
Some current figures around how much a 0-day can be worth.

Update 01-Jun-2012:
Mr. Schneier finally speaks on this topic

Update 13-May-2013:
Very interesting, the US government is a big buyer of 0-day exploits!!

Web App Security Portfolio

Ever wondered how to go about documenting and securing all the web applications in your organization?

This article from Nick Coblentz will definitely be of help.

Biometrics: Identity & Authentication

Almost everywhere today, you would come across a two-factor authentication, where a user is required to enter a User ID and a Password to access a system.

However, biometrics, which combines both identity and authentication into one, is now gaining popularity pretty quickly. This definitely helps the user because s/he no longer needs to memorize a username or a password, but is this really the best way forward?

Take a look at this article written by Steve Riley.

PDF Vulnerability

A very serious PDF vulnerability is out in the open and is doing the rounds in the news. The interesting part of this vulnerability is that a victim could get affected even without opening the infected PDF file..!!

Here is one of the most comprehensive articles I have come across. The author demos three methods to trigger the vulnerability:
  1. When the user just selects the infected PDF document with a single click
  2. If the user changes the Windows Explorer view to Thumbnails View
  3. If the victim hovers the mouse cursor over the document

Is Open Source More Secure?

Someone very recently asked me if open source software is better and more secure compared to its proprietary (read: Microsoft) counterparts.

Today I came across a blog from Jack Danahy, and he talks about this same topic in some serious depth. He also goes on to explain how companies use and misuse these misconceptions to make their own sales pitch.

Net conclusion: all software contains some vulnerabilities. Users should always remember to trust reputable software vendors and should always keep up with the latest security patches.

Recover Windows Passwords

For some serious physical hacking, or if (in the unlikely scenario that) you honestly lost your Windows login password and would like to either retrieve it or reset it, I would recommend Ophcrack.

Ophcrack is an open source live CD that you download and burn, and then use to boot up the PC whose password needs to be reset or recovered.

It works with XP and Vista and can crack both LM and NTLM passwords.

Retrieving Microsoft Product Keys

This is not by any means a new software, but I still wanted to put this on my blog, just for general awareness.

Magical Jelly Bean KeyFinder is a very handy tool to extract the Windows XP, Vista and MS Office product key from any PC. It may come in useful to dig out a forgotten or lost key. It could also be misused to steal someone else's key, if you manage to get access to a victim's machine.

Defect vs Vulnerability

What do you think should be more critical to the business? Should we be spending more resources on managing Quality Defects or should we give Security Vulnerabilities a higher priority?

As Info Security professionals, we blindly tend to think that a vulnerability is more serious than a defect and hence must be tackled asap. However, HP has a very interesting article that talks about this philosophy and just shattered my misconception..!!

TwitterFox Easy To Hack

Twitter is a very popular social networking site, which has already been in the news in the recent past for its inherent security weaknesses. If that wasn't enough, there also exists a security flaw in TwitterFox, a popular Firefox plugin used to quickly and conveniently send and receive messages from Twitter. At the time of writing this article, the plugin has been downloaded over 1.1 million times from addons.mozilla.org alone..!!

Unfortunately, TwitterFox is not too secure. Every time a user wishes to refresh his/her messages, the plugin sends the User ID and Password unencrypted to the server. The plugin only uses the Basic Access Authentication method, which, as detailed below, is as good as communicating in plaintext.

Hence, if a hacker manages to capture the packet that your browser sends to Twitter's server, your credentials can easily be compromised. All the attacker needs to do is set up a sniffer on your network, which isn't too hard if you are on your office or college network, or do a simple MITM attack.

Now most of the users (like myself) use common passwords over multiple accounts. Hence, an attacker could even manage to gain access to much more than the user's Twitter account.

My advice: stop using TwitterFox, at least until we have a more secure version of this plugin.


Here is the Proof of Concept for this vulnerability:

(1) At regular intervals (or when explicitly requested by the user), TwitterFox sends a request to the server for any new messages that this user may have received since the last sync.

(2) This request contains the user's login credentials, sent using the Basic Access Authentication method. This is NOT a security protocol and does not provide any security whatsoever. (For further reading, check the Wikipedia entry on Basic Access Authentication.)


(3) There are a number of desktop and even web based tools available to convert this captured string, which is merely Base64 encoded, back to plaintext. One of the web based tools is available here.
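To show why Basic Access Authentication is "as good as plaintext", here is a small Python example (added here, not part of the original post or of TwitterFox) that builds a Basic Authorization header, reverses it without any key, and runs a defender-side check over a constructed poll request to flag Basic credentials that were sent without TLS. The host, path and credentials are made up for the example.

```python
# Why HTTP Basic authentication is "as good as plaintext": it only Base64-encodes
# "user:password", and Base64 is an encoding, not encryption. All data here is
# constructed for this example; the host and path are placeholders.
import base64


def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header value a Basic-auth client sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> tuple[str, str]:
    """Reverse encode_basic; no key or secret is needed, only the header itself."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit_request(raw_request: str, over_tls: bool) -> dict:
    """Defender-side check: flag Basic credentials sent without TLS. Returns the
    scheme seen, the exposed username (password withheld) and an exposure flag."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return {"scheme": auth.split(" ")[0] if auth else None, "exposed": False}
    user, _ = decode_basic(auth)
    return {"scheme": "Basic", "user": user, "exposed": not over_tls}


# Constructed sample: the kind of poll request the article describes, with
# made-up credentials ("alice" / "s3cret") and placeholder host and path.
SAMPLE_REQUEST = (
    "GET /timeline.json HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    f"Authorization: {encode_basic('alice', 's3cret')}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(decode_basic(encode_basic("alice", "s3cret")))  # ('alice', 's3cret')
    print(audit_request(SAMPLE_REQUEST, over_tls=False))
```

The same header is harmless over TLS only because the transport encrypts it; the scheme itself never does.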

Recommended Software: Regshot

We all know how messy the Windows Registry is. It could cause your system to slow down, crash or even stop booting up completely.

Regshot is a lightweight, open-source utility that can take snapshots of the registry and compare them with a clean snapshot taken at an earlier stage, when the system was known to be working properly.

This could come in handy while investigating issues that come up after the installation of new software, or just to know what happens behind the scenes. From a security perspective, it is a handy tool to keep an eye on your registry and be forewarned in case a virus or a trojan messes up your machine.

Grab your free, portable copy at: http://sourceforge.net/projects/regshot/

Is Someone Reading Your Emails?

Would you know if somebody hacked or guessed your email account's password? What if the hacker logs on to your email account, reads your emails and then logs off without making any obvious changes? Is there any way to catch this type of attack?

Here is a very interesting article that not only shows you a way to know whether somebody has been snooping on your emails, but also how to capture the intruder's IP address.

Are you Sure your Email isn’t being Hacked?

Phishing Attacks Targeting Experienced Users

Looks like phishers are getting even more sophisticated and determined. This latest attack requires the user to be logged into their (let's say) bank website when they access the attacker's website. They are targeting experienced users, who may not necessarily get fooled by the traditional phishing attacks.

TOP 25 Most Dangerous Programming Errors

The first step of Info Sec is always to secure your apps at the code level. Developers and coders should always make sure they do not leave any vulnerabilities in their programs. SANS has come up with a list of 25 common programming flaws. A must read for everyone involved in the Software Development Life Cycle.

Update: Now Gary McGraw has released an article giving 11 reasons why these types of lists do not work in real life. Hmmm, I guess this is like the usual cat-and-mouse game..!!

Top 10 Myths

Came across an article written on FinanceTech that talks about some popular Info Sec myths. Pretty interesting, considering my blog (almost) has the same title as their write-up..!!

The Top 10 Information Security Myths

Password Sniffing

Wanna learn how hard it is to sniff passwords traveling over your network in clear text? Not hard at all; the attack takes under a minute. All that needs to be done is ARP poisoning, and a simple Man In The Middle (MITM) attack is accomplished..!!

Take a look at IronGeek's video. For some background details, take a look at Wikipedia's entry on ARP spoofing.

Twitter Under Attack

Twitter, a popular social-networking site, has been the recent target of some phishers.

Twitter accounts of a number of celebrities, including Britney Spears and Barack Obama, also got hacked. Earlier the rumors were that this hack was accomplished with the help of the fake (phished) website. However, Twitter officials later confirmed that a hacker managed to get into one of their admin tools and hence was able to gain access to these accounts.

SSL Certificates - Who To Trust?

StartCom tells us about the Certification Authorities (CAs) that we should steer away from.

Untrusted Certificates


Well, Comodo isn't the only CA in trouble. Certificates issued with an MD5 hash may not be too reliable either.

MD5 collision creates rogue Certificate Authority

Update 16-Aug-2013:
Microsoft finally takes a decision to block MD5 certs

Bypassing Anti-Virus Software

Irongeek explains how easy it is to fool anti-virus products and sneak malware, trojans or viruses onto a victim's machine (using Metasploit).

Bypassing Anti-Virus with Metasploit

Biometrics - A Dependable Authentication System?

Bruce Schneier talks about the pros, cons and challenges of Biometrics.

Tigers use scent, birds use calls – biometrics are just animal instinct