Passwords Cracking - Myths and Realities

It's no news about how insecure passwords are, and why they do not add to any real security. A good post to talk about the common myths around password cracking.

9 Biggest IT Security threats

Hacking has evolved from one-person crime of opportunity to an open market of sophisticated malware backed by crime syndicates and money launders
Full Story

Avoid Security Suffering With These 3 Questions

What to ask yourself before any security project?

Cracking WiFi password with CloudCracker

Why not move password hacking to the cloud? Presenting a case study with CloudCracker.

Team Ghostshell - 1 million accounts leaked

Seems like some hactivists have been working hard, 1 million accounsts were leaked over the weekend from some pretty serious sources by the group Team GhostShell – who are affiliated with Anonymous.
More details here and here. The hackers pastebin page

How much is leaked data worth?

Update 16-July-2012:
German state buys CD of Swiss bank customers for €3.5m

Update 29-Aug-2012:
A good article that explains, most likely these losses are inflated. Does Cybercrime Really Cost $1 Trillion?

More Internet Censorship

Some more articles on internet censorship in India and Oman. The surprise is the following, and I quote infosecurity-magazine below:
Although there have been dozens of cases in which specific countries block domestic or foreign internet content they don't want their citizens to view – either because it's critical of government policies, or it violates their own laws and regulations – it's very rare to see one country’s internet access restricted due to transit and peering agreements. (Note: transit agreements are those in which ISPs allow data from another ISP to move through their infrastructure, whereas for peering agreements, ISPs agree to station hardware in the same location for a mutually beneficial transfer of data.)

CryptoCat

CryptoCat, which is a browser based, encrypted chat client, has been in the news for a while now. The debate is if it is really as secure as they claim it to be. The analysis are here

Attack on Saudi Aramco


A hacker group calling itself the Arab Youth Group has claimed responsibility for what appears to be a serious hacking attack on Saudi Aramco, one of the world's largest energy companies.
Full Story

Anonymous Hits Stratfor

Update 27-Dec-11
Just as promised, Anonymous stole from the rich and gave to the poor.

Update 29-Dec-11:
In a surprising turn of events, Anonymous has refuted the claim, and said they support Stratfor. On the other hand LulzSec claimed the responsibility. More details are here.

Update 31-Dec-11:
860,000 credit card accounts released by LulzSec, out of which 50k are government accounts!

Update 28-Feb-12:
WikiLeaks Releases Leaked Stratfor Emails

Update 12-Aug-12:
WikiLeaks undergoing massive denial-of-service attack, because of Stratfor leakage.
A group who calls themselves "AntiLeaks" takes the responsibility. 

Update 13-Aug-12:
Attack continues, wikileaks is still down. Some more details, as to what could be the motive of the attack.

Update 21-Aug-12:
Now Anonymous has released a video asking the UK government to release Assange (founder of Wikileaks). 

Update 06-Jul-13:
Now, the poor Assange is hiding at the Ecuador embassy. London managed to hide a bug inside an electrical socket!


Nmap's NSE

Learn more about Nmap Scripting Engine, from the creator himself. Here is a old blackhat video

FTC hits Google with $22.5 million fine for Safari tracking

The government agency today announced that Google has agreed to pay $22.5 million to settle the FTC's charges that Google "placed an advertising tracking cookie on the computers of Safari users who visited sites within Google's DoubleClick advertising network."
User privacy is becoming bigger and more serious..!

Defcon's Social Engineering Challenge

A reminder to all of us, that users are still the weakest link in the security chain.
Sigghh... Why bother with firewalls and all the other gizmos?

Cyber gang made £30 MILLION from fake gov certs

Chinese police are celebrating the arrest of a nationwide cyber crime gang suspected of making over £30 million by selling fake professional qualifications, which they helped to produce by hacking into government web sites.
Full Story

Mat Honan, Reporter Gets Hacked!

Interesting story of how a hacker went about completely ruining a person's digital life. And all of this was done without a single software/tool/malware.
Click Here

A Cross Platform Malware Development Framework

This is the Malware industry maturing up.

Anonymous' Logo


This is plain silly.
A French company tried to trademark the logo of Anonymous. Of course the hacking community was not amused  and published their personal information on pastebin, with a threat to kill their internet sales.
The company has since then shut down their business.

Is Microsoft Listening on Skype Calls?

Is this rumor is true, then it will mean some serious impact to the privacy of the users (even if some bloggers feel otherwise)

Microsoft Attack Surface Analyzer


Microsoft has released Attack Surface Analyzer, a free tool that can help us understand how newly installed applications can affect the security of a Windows OS.

Full Story

Undetectable hardware backdoor - Rakshasa

What's really scary is that Rakshasa doesn't reside in the disk and therefore leaves zero evidence in the filesystem. It leaves zero network evidence on the LAN. It can "remotely boot from an alternate payload or even OS" like fake Truecrypt/Bitlocker. Rakshasa can even show a fake BIOS menu if necessary
This is scary. More details here.

Dropbox Hacked Again!

This time it looks like the bad guys are using accounts credentials hacked from our sources. More details and previous incident.

SSL/TLS Broken - Beware of BEAST & Lucky 13

The way things are going, we may need to start thinking about replacing SSL

Update 27-Sep-11:
An interesting post to understand the scope of this new security hole

Update 04-Oct-11:
An article from Infosecurity-Magazine confirming my suspicion

Update 14-Oct-11:
Learn about the BEAST from the horse's mouth:  The author's own blog

Update 31-Jan-12:
Another good article that summarizes how SSL is now broken, and what is the future of web authentication

Update 01-Aug-12:
Certificate pinning might be one solution to the problems. However, this sounds like a difficult solution to deploy, where all clients would have to cache the certs of all the trusted websites/servers.

Update 12-Feb-13:
A new attack, called Lucky Thirteen. Original white paper here.

Update 18-May-13:
Some issues/concerns with IPv6 integration.