Session Hijacking

An easy-to-use hack that demonstrates how to take over a victim's Gmail session: first strip the HTTPS traffic down to plain HTTP, then hijack the session.
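The reason stripping works is that, once a link has been rewritten from https:// to http://, the browser will happily send the session cookie in clear text unless the cookie carries the Secure attribute or the site has pinned HTTPS with HSTS. The following is an added example (not code from the post or the hack it links to) that audits two constructed HTTP responses, one weak and one hardened, and simulates whether a browser would leak the session cookie over a stripped connection. The header names and attributes are the real ones from RFC 6265 (cookies) and RFC 6797 (HSTS); the responses, the cookie name `SID` and the function names are assumptions made for the example.

```python
"""Added example: why HTTPS stripping turns into session hijacking.

Two constructed responses: the weak one lets a stripped-to-HTTP request carry the
session cookie in clear text; the hardened one does not.
"""

# Constructed sample: session cookie without Secure, no HSTS policy.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SID=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)

# Constructed sample: same response with the two fixes that defeat the attack.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # drop the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_cookies(headers):
    """Map cookie name -> set of lowercased attribute names, one entry per Set-Cookie."""
    cookies = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        cookies[cookie_name] = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return cookies


def has_hsts(headers):
    return any(name == "strict-transport-security" for name, _ in headers)


def session_leaks_over_stripped_http(raw, session_cookie):
    """Simulate the browser after a MITM rewrote a link from https:// to http://.

    Assumes the browser has already seen this response once (HSTS is only
    cached from an earlier HTTPS visit; a first visit without a preload list
    is still exposed). Returns True if the cookie would go out in clear text.
    """
    headers = parse_headers(raw)
    attrs = parse_cookies(headers).get(session_cookie, set())
    if has_hsts(headers):
        # A cached HSTS policy makes the browser rewrite http:// back to https://
        # before sending anything, so the stripped link never hits the wire.
        return False
    # Without HSTS the request really goes out over http://; only the Secure
    # attribute keeps the cookie off the wire.
    return "secure" not in attrs


def audit(raw, session_cookie):
    """List the findings a practitioner would want fixed before going live."""
    findings = []
    headers = parse_headers(raw)
    attrs = parse_cookies(headers).get(session_cookie)
    if attrs is None:
        return [f"no Set-Cookie for {session_cookie}"]
    if "secure" not in attrs:
        findings.append(f"{session_cookie}: missing Secure attribute")
    if "httponly" not in attrs:
        findings.append(f"{session_cookie}: missing HttpOnly attribute")
    if not has_hsts(headers):
        findings.append("missing Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "leaks:", session_leaks_over_stripped_http(resp, "SID"),
              audit(resp, "SID"))
```

Both fixes are needed: Secure keeps the cookie off a plain-HTTP request, and HSTS stops the browser from making that request at all on later visits. Neither helps on a first visit to a site that is not on the browser's HSTS preload list, which is the window the stripping attack relies on.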

Largest DoS Attack of 2011

An attack that peaked at 45 Gbps!

Google protects HTTPS-enabled services against future attacks

Google takes another step to strengthen its security.
Most major sites supporting HTTPS operate without forward secrecy, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years' time, when computers are much faster, an adversary could break the server's private key and retrospectively decrypt today's email traffic.
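To make the difference concrete, here is an added example (it is not Google's code, nor from the post being summarised) that simulates two handshakes over the RFC 3526 2048-bit MODP group and then plays the "ten years later" attacker who has the recorded traffic plus the server's leaked long-term private key. In the first handshake the server's long-term Diffie-Hellman share is used directly (no forward secrecy, the same exposure as static RSA key exchange); in the second the server uses a one-time share that is forgotten after the handshake. The key derivation, the toy stream cipher, the omission of the server's signature over the ephemeral share, and the function names are simplifications assumed for this example.

```python
"""Added example: retrospective decryption with and without forward secrecy."""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Real TLS today prefers ECDHE,
# but the forward-secrecy argument is identical for any Diffie-Hellman group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent x and public share g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def derive_key(shared_secret):
    """Session key = SHA-256 of the shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(shared_secret.to_bytes(NBYTES, "big")).digest()


def stream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_session(server_long_term, message, ephemeral):
    """One handshake plus one encrypted message; returns what a passive recorder sees.

    server_long_term: (priv, pub) pair the server keeps for years.
    ephemeral=False: server uses its long-term share directly (no forward secrecy).
    ephemeral=True:  server uses a one-time share (forward secrecy). Real TLS also
                     signs that share with the long-term key; the signature is
                     omitted here because it does not affect the secrecy argument.
    """
    s_priv, s_pub = server_long_term
    if ephemeral:
        s_priv, s_pub = dh_keypair()  # one-time exponent, gone when this returns
    c_priv, c_pub = dh_keypair()
    key_client = derive_key(pow(s_pub, c_priv, P))
    key_server = derive_key(pow(c_pub, s_priv, P))
    assert key_client == key_server
    # Only public values and ciphertext cross the wire; that is all a recorder keeps.
    return {"client_share": c_pub, "server_share": s_pub,
            "ciphertext": stream_xor(key_server, message)}


def retrospective_decrypt(recording, leaked_long_term_priv):
    """Years later: attacker holds the recording and the server's long-term private key."""
    guess = derive_key(pow(recording["client_share"], leaked_long_term_priv, P))
    return stream_xor(guess, recording["ciphertext"])


def demo(message=b"Subject: quarterly numbers (confidential)"):
    """Does the leaked long-term key recover the recorded message? One answer per mode."""
    server_long_term = dh_keypair()
    static_rec = run_session(server_long_term, message, ephemeral=False)
    fs_rec = run_session(server_long_term, message, ephemeral=True)
    leaked_priv = server_long_term[0]
    return {
        "static": retrospective_decrypt(static_rec, leaked_priv) == message,
        "ephemeral": retrospective_decrypt(fs_rec, leaked_priv) == message,
    }


if __name__ == "__main__":
    print(demo())  # {'static': True, 'ephemeral': False}
```

The long-term key is equally compromised in both runs; what changes is whether it was ever an input to the session key. In the ephemeral run the only secret that would unlock the recording was the server's one-time exponent, which no longer exists anywhere, so faster computers in ten years buy the attacker nothing.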

e-Censorship

China has always been stringent about freedom of speech on the internet. It seems Pakistan is heading in the same direction: there is a new ban on over 1,600 words that cannot be sent in a text message.

The Reporting Line For A CISO

This is also an open-ended question: should the Chief Information Security Officer (CISO) of an organization report to the CIO, CTO, CSO, CEO or COO?

I doubt there is a single answer that applies to all organizations. Ideally, however, there should be enough segregation of duties between the IT team and the IT security team to ensure that the security team can operate freely and without undue pressure. What good is the maker-checker concept if either side can be influenced by the other? Two simple examples to clarify my point:

  1. The IT project team is setting up a new system and has a tight deadline to meet. To cut corners, a few security best practices are overlooked. Will the CISO have the authority to pull the plug on the project if he reports to the head of IT (who could be the CIO or CTO)?
  2. OS and application patches are not being rolled out as frequently as they should be. The CIO likes to keep roll-outs to a minimum to avoid the issues and challenges a roll-out typically causes. Will the CISO have the authority to challenge the CIO here?

Here is an article that agrees with these views.
Another article that tries to answer this tough question.

APT vs AET

Advanced Persistent Threats versus Advanced Evasion Techniques: persistent and evasive attacks uncovered.

Facebook Porned & Pwned

Facebook has been hit by yet another worm, this one displaying pornographic images on victims' pages. Facebook claims the attack is now under control.

Anonymous, initially believed to be behind the attack, has clarified that it is not the one to blame for this.

Anonymous Leaks FBI's Cyberexpert's Emails

An excerpt below; the full story is here:
Anonymous hackers broke into two of Bacalagan's gmail accounts, his text message logs and his Google Voice voicemails, then dumped the whole thing on to a website and The Pirate Bay.

How To Lock Down Your Wireless Network

An article for dummies (and a reference for the rest of us) on how to secure a home wireless network.

Cyber Attack on Adidas

adidas.com and miCoach.com were taken offline after the attack.

Vulnerabilities give hackers ability to open prison cells from afar

Hmm. An eye-opener of a story.

Internet Usage in India

Very interesting:
  1. By the end of this year, one in every ten Indians will be an Internet user, making the country the third-largest Internet market in the world after China and the United States.
  2. At the end of December, 121 million Indians will be accessing the Internet at least once a week.

Israel govt. websites down, after a hacker threat

Sounds a bit far-fetched. So what would have happened if Anonymous (or anyone else, for that matter) had not announced their threat?

There Is No Honor Among Hackers v2

Similar to a story I blogged about back in 2009, here is another case of hackers being only too ready to kick each other in the backside. In this particular case, however, it seems more likely that there was a political motive.

Researchers defeat CAPTCHA on popular websites

It is not at all surprising that someone was able to defeat these CAPTCHAs. Google's own CAPTCHA and reCAPTCHA seem to hold up better than the rest.

Full story here and here.

Update 24-Jan-2012: Besides automated CAPTCHA solvers, another popular method is to have actual humans solve them, with the humans located in countries where labour is cheap. Here is a very good post on how one of these services is set up.

Duqu Malware

Okay, I'm a bit late in blogging about this new 0-day vulnerability in MS Windows.

The attack is delivered through a malformed MS Word file.

Microsoft has yet to release a patch for this vulnerability, but has issued a workaround.

Update 01-Dec-2011: This spying operation now seems to be shutting down.

Companies Lose Encryption Keys in the Amazon Cloud

This is scary.