Spoofing Caller ID

How do you spoof the caller ID on a telephone call? Here is a website providing an (almost) free service.

Microsoft Decides Not To Patch BEAST

It looks like Microsoft originally had a patch for the BEAST vulnerability, but for some reason they have withdrawn it from the December Patch Tuesday.
BEAST, unlike Duqu, is not malware: it is an attack on the CBC-mode cipher suites of TLS 1.0 and SSL 3.0 that lets a man-in-the-middle, with a little code running in the victim's browser, recover secrets such as session cookies from an HTTPS connection. I'd guess that since they've already fixed the BEAST problem, and just need to work on compatibility issues, we'll definitely be seeing the patch rolled out in the January Patch Tuesday.
Full story is here.
Ahhh, remind me, what is BEAST?

Downloading Torrents - How anonymous are you?

Well, it's no secret that browsing the net isn't anonymous. Here is a website that lists the torrents downloaded from your IP address.

PS: I'm not sure about the accuracy or reliability of the website.

Serious Security Flaw in Skype

The researchers found several properties of Skype that can track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site.
Full story is here.

Google's Income

Okay, this may not be totally linked to IT security, but here is an interesting comparison of what Google earns.

Should infected computers be prevented from connecting to the internet?

Last year, Microsoft’s Scott Charney wrote that "we need to improve and maintain the health of consumer devices connected to the Internet. This will benefit not only users, but also the IT ecosystem as a whole. To realize this vision, governments, the IT industry and Internet access providers should ensure the health of consumer devices before granting them unfettered access to the internet."

2011 A Hacking Recap

2011 has been called the year of the hack....

"Quis custodiet ipsos custodes"?

A famous Latin phrase meaning "Who will guard the guards themselves?"
Here is a study that says 25% of IT security staff break their own rules!

Here is another article that talks about how IT staff are also a risk to an organization:
With great privilege comes great responsibility

Cyberspace spending on the rise

That's good to know

How to drive the IT steering committee forward

A good post

p0isAnon is born, steal from the rich, and give to the poor

In its latest escapade dubbed Operation Robin Hood, Anonymous is vowing to steal credit cards and use them to donate money to charities and the “99%” of people who are poor.
To accomplish this, Anonymous felt it necessary to team with TeaMp0isoN to form p0isAnon. They even developed a new logo with the Anonymous “mask” on a green and black background.

Session Hijacking

An easy-to-use attack that demonstrates how to take over a victim's Gmail session: a man-in-the-middle first strips HTTPS, rewriting links and redirects so that the victim's browser talks plain HTTP to the attacker while the attacker talks HTTPS to Google, and then captures the session cookie the browser sends in the clear and replays it. It only works when the victim's first request goes out over HTTP and the cookie is not marked Secure, which is exactly the state most sites were in at the time.

Largest DoS Attack of 2011

An attack that peaked at 45 Gbps!

Google protects HTTPS-enabled services against future attacks

Google takes another step to strengthen their security.
Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.
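As an added illustration of the point above (this is my own example, not code from Google's post), here is how the distinction shows up in practice: a suite whose key exchange is ephemeral (ECDHE or DHE) produces a session key that cannot be recovered later from the server's private key, whereas a static-RSA suite encrypts the session key to that private key, so whoever captures the traffic and later obtains the key can decrypt it. The script classifies OpenSSL-style suite names by their key-exchange prefix, builds an ssl context that refuses static RSA altogether, and reads back which key-exchange methods OpenSSL still reports. The cipher string and the suite names are my assumptions for the example; the exact list OpenSSL reports depends on the build.

```python
import re
import ssl

# Key-exchange prefixes in OpenSSL suite names that use an ephemeral key:
# the session key is never derivable from the server's long-term private key.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}


def is_forward_secret(suite_name):
    """Classify an OpenSSL-style cipher suite name by its key exchange.

    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always forward secret
    because TLS 1.3 removed static RSA key exchange altogether. Anonymous
    (ADH/AECDH) suites are deliberately reported as not acceptable, and so is
    static ECDH (ECDH-RSA-...), whose key is fixed in the certificate.
    """
    if suite_name.startswith("TLS_"):
        return True
    return suite_name.split("-", 1)[0] in EPHEMERAL_KX


def forward_secret_context():
    """Client context whose cipher list admits only ephemeral (EC)DHE suites.

    A server context would use the same set_ciphers() string (assumed here);
    the server's list is what decides which exchange gets negotiated.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def key_exchanges(ctx):
    """Key-exchange methods (the Kx= field OpenSSL prints per suite) left in a context."""
    methods = set()
    for cipher in ctx.get_ciphers():
        match = re.search(r"Kx=(\S+)", cipher.get("description", ""))
        if match:
            methods.add(match.group(1))
    return methods


if __name__ == "__main__":
    for name in ("ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
                 "AES128-SHA", "ECDH-RSA-AES128-SHA", "TLS_AES_128_GCM_SHA256"):
        print(f"{name:32} forward secret: {is_forward_secret(name)}")
    # After the restriction no suite reports Kx=RSA; TLS 1.3 suites show Kx=any.
    print("key exchanges after restriction:", key_exchanges(forward_secret_context()))
```

The cheap way to check a live server is to look at the negotiated suite name in the handshake (openssl s_client prints it): if it does not start with ECDHE or DHE, or is not a TLS 1.3 suite, the connection is not forward secret.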

e-Censorship

China has always been stringent about restricting freedom of speech on the internet. Pakistan seems to be heading in the same direction: a new ban lists over 1,600 words that cannot be sent in a text message.

The Reporting Line For A CISO

This is also an open-ended question: should the Chief Information Security Officer (CISO) of an organization report to the CIO, CTO, CSO, CEO or COO?

I doubt there is a single answer that applies to all organizations. However, ideally there should be enough segregation of duties between the IT team and the IT security team to ensure the security team can operate freely and without undue pressure. What good is the maker-checker concept if either side can be influenced by the other? Two simple examples to clarify my point:

  1. The IT project team is setting up a new system and has a tight deadline to meet. To cut corners, a few security best practices are overlooked. Will the CISO have the authority to pull the plug on this project if he reports to the Head of IT (who could be a CIO or CTO)?
  2. The OS and application patches are not being rolled out as frequently as they should be. The CIO likes to keep the roll-outs to a minimum to save on the issues and challenges a roll-out typically causes. Will the CISO have the authority to challenge the CIO here?

Here is an article that agrees with these views.
Another article that tries to answer this tough question.

APT vs AET

Persistent and Evasive Attacks Uncovered

Facebook Porned & Pwned

Facebook has been attacked by yet another worm, which displays pornographic images on the victim's page. Facebook claims the attack is now under control.

Anonymous, initially believed to be behind the attack, has clarified that it is not to blame for this one.

Anonymous Leaks FBI's Cyberexpert's Emails

An excerpt below, the full story is here:
Anonymous hackers broke into two of Bacalagan's gmail accounts, his text message logs and his Google Voice voicemails, then dumped the whole thing on to a website and The Pirate Bay.

How To Lock Down Your Wireless Network

An article for dummies (and a reference for the rest of us) on how to secure home wireless connections.

Cyber Attack on Adidas

adidas.com and miCoach.com shut down after the attack





Vulnerabilities give hackers ability to open prison cells from afar

Hmm... an eye-opener of a story.

Internet Usage in India

Very interesting:
  1. By the end of this year, one in every 10 Indians will be an Internet user, making the country the third-largest Internet market in the world after China and the United States.
  2.  At the end of December, 121 million Indians will be accessing the Internet at least once a week

Israel govt. websites down, after a hacker threat

Sounds a bit far-fetched. So, what would have happened if Anonymous (or anyone else, for that matter) had not announced the threat?

There Is No Honor Among Hackers v2

Similar to a story I blogged about back in 2009, here is another case of hackers being only too ready to turn on each other. In this particular case, though, it seems more likely that there was a political motive.

Researchers defeat CAPTCHA on popular websites

It is not at all surprising that someone was able to defeat these CAPTCHAs. It seems Google's and reCAPTCHA's are better than the rest.

Full story here and here

24-Jan-2012: Unlike the automated CAPTCHA solvers, another popular method is to use actual humans to solve them, located in countries where labour is cheap. Here is a very good post on how one such service is set up.

Duqu Malware

Okay, I'm a bit late in blogging about this new 0-day vulnerability in MS Windows.

The attack is carried out using a malformed MS Word document: the document carries an exploit for a 0-day in the Windows kernel's TrueType font parsing, so simply opening it is enough to install Duqu, with no macro involved.

Microsoft has yet to release a patch to address this vulnerability, but has issued a workaround in an advisory: deny access to the embedded-font library t2embed.dll until the fix ships.

Update 01-Dec-2011:  This spying operation now seems to be shutting down

Companies Lose Encryption Keys in the Amazon Cloud

This is scary

Nine Great Uses for Private Browsing

Some benefits of using private browsing. Keep in mind that it only keeps history, cookies and cache off the local machine; it hides nothing from your ISP or from the sites you visit.

To launch a window in private browsing mode:

  • Chrome and Opera: Ctrl+Shift+N
  • Firefox, Internet Explorer: Ctrl+Shift+P

BSNL Hacked

BSNL's domain http://bsnl.co.in/tender1/ has been hacked by a Pakistani group.
I wonder how this so-called "cyber-terrorism" really helps anyone.

THC-SSL-DOS Tool

Here's a tool from THC to perform a DoS attack against a web server's SSL/TLS stack. It abuses renegotiation: a TLS handshake costs the server far more CPU than it costs the client, and the tool keeps a single connection open and renegotiates on it over and over, so one laptop can exhaust a server without needing any bandwidth. The obvious mitigation is to disable client-initiated renegotiation on the server.

Microsoft's YouTube Channel Hijacked

This is just plain funny - helps us remember that sometimes the basics are what we forget to check and secure.

DroidSheep

You may have heard of FireSheep, a Firefox plugin for easily hijacking the sessions of poor, unsuspecting victims on the same network.

Here comes DroidSheep, which does the same on the Android platform!

Social Engineering, the USB Way

A slightly dated story, but still a good reminder of how gullible people are, and why people are the weakest link in security.

Sony: Setting an example for all APTs

In case you have been living under a rock and are not aware of the Sony hacks, this article is for you. I lost count after the first few, but it seems Sony was hacked a whopping 21 times between Apr-2011 and July-2011 (wow!).

Update: 12-Oct-11
     Only a few hours after my post, Sony has declared that it has been hacked once more.

Dirty little secrets revealed by ethical hackers

A good read

Anonymous 'hacktivists' briefly take down NYSE.com

A DDoS attack lasting about 2 minutes; I wonder how much of a loss in dollars that translates into!

Security For Laptops

A good article for the physical and data security of laptops


Blackberry Outage Across 4 continents

Why isn't RIM being up-front and informing its users why the service is unavailable? I wonder if they got hacked and are just too embarrassed to say so!


Update @ 14-Oct:
After a four-day outage, services have been restored. RIM says the cause was a failed core switch. Hmmm...
Update @ 27-Oct:
RIM hit with consumer lawsuits over BlackBerry outage

Microsoft leaks patch info four days early

Usually Microsoft publishes its bulletins, with details of the vulnerabilities addressed, together with the patches themselves. The rationale is that this information can be used by attackers to exploit the vulnerabilities before users have patched. It is well known that malicious activity increases immediately after Microsoft's Patch Tuesday (the so-called Exploit Wednesday), when attackers reverse-engineer the patches and try to break into any machine that has not yet been updated.

So now MS has blundered by publishing the bulletin four days in advance, which gives the troublemakers a bigger window to try to break into Windows machines.

Attack on DNS - NetNames

This is pretty upsetting... A compromised DNS record lets the attacker point a website's name at any server they like, which bypasses every control the real site has in place: the website is totally at the mercy of the attacker. The one thing still in the visitor's favour is HTTPS, since the attacker's server cannot present a valid certificate for the hijacked name unless they obtain one as well, so users who land on it over HTTPS would at least see a certificate warning.

HDFC Bank Hacked

HDFC Bank's database was hacked by the zSecure team using a SQL injection vulnerability.
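Since the article says no more than "SQL injection", here is an added example of my own (nothing to do with HDFC's actual code, whose schema and flaw are not public) showing the whole class of bug in miniature: a lookup that pastes user input into the query text, beside the same lookup with a bound parameter. The in-memory table and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for a bank's customer table.
# The real schema is unknown; this is illustrative only.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "4222222222222222"),
    ("carol", "4333333333333333"),
]

# Classic tautology payload: closes the quoted string, then ORs in a condition
# that is always true, so the WHERE clause matches every row.
INJECTION = "x' OR '1'='1"


def build_db():
    """Return an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: the attacker's input becomes SQL."""
    query = ("SELECT username, card_number FROM customers "
             "WHERE username = '" + username + "'")
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Uses a bound parameter: the input is only ever treated as a value,
    never parsed as part of the statement, so the payload matches nothing."""
    query = "SELECT username, card_number FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))  # dumps every row
    print("safe:      ", lookup_safe(db, INJECTION))        # returns nothing
```

The vulnerable version hands the attacker the whole table with one crafted username; the safe version returns an empty result for the same input because the driver sends the payload as data, not as query text. An ORM or stored procedure is no protection if it still concatenates strings internally.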

Citi Bank's Woes

So Citi Bank has been in trouble for a long time now, and it doesn't seem as if they have publicly announced any major measures taken to improve security.


Citigroup hack exploited easy-to-detect web flaw

Citigroup: Customer losses from hack attack reaches $2.7M



War of the patents

Okay, the story started with Google complaining that Microsoft, Oracle and Apple were being hostile by forming a consortium and jointly purchasing Nortel's patents. Google claims they are charging a hefty fee to its brainchild, the free, open-source Android OS.

It goes without saying that Microsoft made an awesome comeback, saying they had invited Google to be part of the consortium to begin with.

On the other hand, Microsoft and Apple fans seem to be upset by this and are retaliating by saying Google has always been an unfair player and has been abusing its dominance in the search market.

Update 15-Aug:
Google has purchased Motorola Mobility, at a 63% premium and in cash, for just one reason: to bolster its patent portfolio.



The New Era Of Trojans

Malware is getting smarter and smarter. The new variants know how to fool people and steal their money!


Browser Wars - How browsers make money

A very interesting article around the economics of a browser

RSA Hack

Here is my take on what is going on with RSA. After the well-publicized attack on RSA, it is really important to know what the next step is to protect your organization.

This article was published in the CHMag's Aug-2011 edition.


Update 07-Dec-11: Here is an article that agrees with me that SMS (text message) based tokens are a far better option.

Microsoft's Bug Bounty

Microsoft today launched a $250,000 contest for researchers who develop defensive security technologies that deal with entire classes of exploits.

Anonymity on Internet

On the Internet, nobody knows you're a dog..!! Is that really true today?

How important is anonymity on the internet?

Internet users (or should I say netizens) take their online privacy for granted. Given the direction in which the internet is heading, this may really become a thing of the past:

  • Laws are becoming more and more stringent about the details ISPs need to record about their users
  • Facebook is advocating killing anonymity
  • Google has already forbidden pseudonyms on Google+
  • China, on the other hand, has always had very locked-down, censored internet laws

Is there a spike in hacking recently?

With so much hacking news around, with Citi, RSA, Sony, Lockheed Martin, etc. all reporting serious breaches in the last couple of months, the question is: has there been an increase in hacking activity?

A few security experts share their views.

Mobile Devices

If you are as confused as I am about which is the more secure (if not the most secure) mobile platform, here is a very good comparison of iOS, Android, WebOS, etc.

Another good article that explains why Android is more prone to attacks: no, it's not because Android is insecure or because iOS is more secure.

Another article that feels both iOS and Android are equally good and bad.

.secure Internet

The US government is proposing to set up a ".secure" Top Level Domain (TLD), which would only host secure and trusted websites.

I don't think that's such a good idea.

Anonymous Group under fire!

The Story:

The FBI has arrested 14 members of the Anonymous hacking group for attacking PayPal, MasterCard and Visa around Dec-2010.


Their Crime:

These 14 "hackers", as the FBI calls them, downloaded a tool called LOIC (Low Orbit Ion Cannon), which voluntarily attached their machines to Anonymous' botnet. That botnet was at the time being used to flood the payment processors that had cut off their services to Wikileaks. So, in support of Wikileaks, Anonymous decided to fight back (dubbed Operation Payback) and called for volunteers.


So, how did they get caught?

The tool makes no effort to hide the source IP address: every request LOIC sends carries the volunteer's own address, so the targets' web-server logs led the feds straight to the attackers' doorsteps.


Conclusion:

Guys, come on, these poor people were only angered by what PayPal and MasterCard did. They are for sure not the "real" hackers here. So why not go after the big fish in the pond?


The Story continues:

In retaliation for these arrests, this week Anonymous broke into NATO's servers and stole over 1 GB of data.

Smart Identity Cards

There are some interesting ID card projects going on around the world. India's UID project went live very recently, and the British are working on another.

Should organizations dump Windows for Apple or Linux

After the famous attack on Google (Operation Aurora), Google decided to replace its Windows desktops with Macs and Linux. That is not always the best approach to securing your organization: there is a difference between being safe and being secure.

Portable Windows

How to install Windows XP on a portable drive.

Security Tips - Internet Users

Some security tips (a little above beginner level) for internet users.

FireSheep

A few interesting articles on FireSheep.


FireSheep is a Firefox add-on created by Eric Butler that lets non-hackers hijack other users' sessions on social networking sites. It does not capture passwords: it sniffs the unencrypted session cookies those sites send over open Wi-Fi and lets you click straight into the victim's logged-in account.
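The FireSheep and DroidSheep posts, and the Gmail session-hijacking post above, all work because of the same two server-side omissions, so here is one added example of my own (not FireSheep's code) covering both: a small audit of an HTTP response that reports a session cookie sent without the Secure flag (the browser will then send it over plain HTTP, where a sniffer reads it) and the absence of a Strict-Transport-Security header (without which a first visit over HTTP can be downgraded by sslstrip). The two sample responses are constructed; the heuristic for spotting a session cookie by its name is my assumption, since every site names them differently.

```python
# Name fragments that usually mark a cookie as carrying the logged-in session.
# Assumption for the demo: real sites name these however they like.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_response_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...]).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie):
    """Return (cookie_name, {attribute names}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw):
    """Return a list of findings explaining why this response is hijackable."""
    _, headers = parse_response_headers(raw)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security: a first visit over HTTP "
                        "can be downgraded by an sslstrip-style MITM")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname, attrs = cookie_attributes(value)
        if not any(hint in cname.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # not a session cookie, ignore
        if "secure" not in attrs:
            findings.append(f"cookie {cname} lacks Secure: the browser sends it over "
                            f"plain HTTP, where FireSheep-style sniffers read it")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname} lacks HttpOnly: readable by injected script")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: lang=en; Path=/
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: lang=en; Path=/
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```

Serving the whole site over HTTPS with the cookie marked Secure is what closes the FireSheep hole; HSTS is what closes the sslstrip hole, and it only helps once the browser has seen the header at least once over a genuine HTTPS connection.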

WikiLeaks nearly immune to takedown

Wikileaks has unbelievably strong resilience built in (for questionable reasons, perhaps), but this can be a role model for the rest of us.

Infrastructure vs. Application Security Spending

It's so true: we need to invest as much in securing applications as we invest in securing the infrastructure.

Sharing IT Resources

The delicate balance between IT Security and sharing of IT Assets to reduce costs

Lifetimes of cryptographic hash functions

A very interesting post on the various hash functions and how long each lasted before being broken.

Hack Attack - Time Mag

A very interesting article by Time magazine on the recent hacking incidents, covering groups like LulzSec, Anonymous, etc.

Foreign policy for the safety of people

Terrorist attacks around the world have become so common that every organization must wonder what the best way is to ensure the safety of its people.

Should CIOs have a foreign policy?

90% of companies say they've been hacked

This is scary... One survey claims that 90% of companies have been hacked at least once in the last 12 months.

How China swallowed 15% of internet traffic

Back in Nov-2010 it came out that a Chinese ISP had announced BGP routes for tens of thousands of prefixes it did not own, pulling traffic for those networks through its own routers for about 18 minutes.

The root cause was nothing but a well-known weakness of BGP: a router accepts whatever prefixes a peer announces, and nothing in the protocol itself ties a prefix to the AS that is allowed to originate it. Makes you wonder what the impact would be if someone actually set out to take down the internet.
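The defence that has since grown up around this weakness is route origin validation: the prefix holder publishes a signed statement (a ROA, under RPKI) saying which AS may originate the prefix and how specific an announcement may be, and routers compare each announcement against that table. Here is an added example of my own (not from the article, and not real routing data) that implements the check in Python over a constructed ROA table, with the announcements chosen to show a legitimate route, a too-specific leak, a foreign AS claiming someone else's prefix, and a prefix nobody has covered. The ASNs are from the private range and the prefixes from the documentation blocks.

```python
import ipaddress

# Constructed ROA-like table for illustration: (prefix, authorised origin AS, maxLength).
# ASNs are from the private range; none of this is real routing data.
ROAS = [
    ("192.0.2.0/24", 64500, 24),
    ("198.51.100.0/22", 64501, 24),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """RPKI-style route origin validation for one announcement.

    Returns "valid" if some ROA covers the prefix with the same origin AS and the
    announced prefix is no longer than the ROA's maxLength, "invalid" if ROAs
    cover the prefix but none matches (a hijack or a too-specific leak), and
    "unknown" if no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, roa_as, max_len in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def audit(announcements, roas=ROAS):
    """Map each (prefix, origin AS) announcement to its validation state."""
    return {(prefix, asn): validate_origin(prefix, asn, roas) for prefix, asn in announcements}


# Constructed announcements exercising each outcome.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # the legitimate holder
    ("198.51.100.0/23", 64501),  # holder, within maxLength
    ("198.51.100.0/25", 64501),  # holder, but more specific than allowed
    ("192.0.2.0/24", 64499),     # another AS claiming the prefix
    ("203.0.113.0/24", 64502),   # no ROA at all
]

if __name__ == "__main__":
    for route, state in audit(SAMPLE_ANNOUNCEMENTS).items():
        print(route, state)
```

Two caveats a practitioner should keep in mind: the check only works for prefixes whose holders have actually published ROAs, and it validates the origin, not the path, so an attacker who forges an AS path that ends in the legitimate origin still gets through; that is what path validation (BGPsec) is for.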