2012-10-31

What is crucial? Confidentiality, Integrity or Availability?

Now, IT Security is all about C, I and A. But which of these three is the most important?
Some of the opinions on the net:



Identify Hoax Images

It's not unusual for the internet to be filled with hoax images, which are also sometimes used to phish users into clicking links to malware-hosting websites. Here is a very good study on how to identify hoax images, using Hurricane Sandy as an example.

South Carolina breach exposes 3.6M SSNs


This is insane:

  • First the government gets hacked, because there was a default password on the authentication system.
  • Then the hackers steal Personally Identifiable Information (PII), all of which was unencrypted.
  • Then they make a public announcement claiming that "The industry standard is that most SSNs are not encrypted".
  • Moreover, the attack happened in mid-September, but was disclosed only in late October. The government is "now" giving free insurance to the affected.

Greek Ministry Hacked


Anonymous claims to have access to a SAP 0-day. Passwords disclosed in plain text here.

2012-10-28

CryptoHaze

Another (good) online tool to crack hashes. Very nicely explained in this video.
Good reminder to all: all passwords must be salted and hashed - and don't forget that the salt must be random, a fresh one for each password.
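To show why the salt has to be random per password rather than absent or site-wide, here is an added example (not from the post or from CryptoHaze): the iteration count, the stored record format and the sample users/wordlist are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: unsalted vs fixed-salt vs random-salt password storage.
ITERATIONS = 50_000          # assumed PBKDF2 work factor; tune for your hardware
FIXED_SALT = b"site-wide"    # a constant salt is barely better than none

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: equal passwords give equal digests for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

def fixed_salt_hash(password: str) -> str:
    """One salt for all users: a single precomputed table still cracks the whole store."""
    return hashlib.sha256(FIXED_SALT + password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per password.
    Stored as '<salt hex>$<digest hex>' (assumed record format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt taken from the record; constant-time compare."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def distinct_digests(hash_fn, passwords) -> int:
    """How many different stored values a list of passwords produces."""
    return len({hash_fn(p) for p in passwords})

def table_hits(hash_fn, wordlist, stored_values) -> int:
    """Matches a store against ONE table of hash_fn(word) built in advance:
    that is all an unsalted or fixed-salt store costs to crack, while a
    per-user random salt forces a separate computation per record."""
    table = {hash_fn(w): w for w in wordlist}
    return sum(1 for v in stored_values if v in table)

# Constructed sample data: three users, two of whom chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
WORDLIST = ["123456", "password", "hunter2", "letmein"]
```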

2012-10-24

Social engineering: 3 examples

Very good real-life cases of human hacking (i.e. social engineering).

Another interesting example, built around a fake trailer for a Titanic sequel.

2012-10-18

45,000 WordPress Blogs Hacked

A vulnerability was exploited to compromise 45K blogs, to make some money for the hacker.

Story of Amanda Todd - Hats off to Anonymous

A really sad story of a paedophile cyberstalker who drove a 15-year-old Canadian girl into depression, until finally the poor girl committed suicide. Anonymous hacked the stalker and published his complete details online.

Now there is a debate about whether Anonymous did the right thing by taking the law into their own hands. Take a look at the following video, which Amanda posted a few weeks before she killed herself - for sure it's a good deed by Anonymous (even if the means were controversial).


2012-10-16

How Does IDFA/IFA Work?

IFA or IDFA stands for "identifier for advertisers." It's a random, anonymous number that is assigned to a user and their device. It is temporary and can be blocked, like a cookie.
In case someone would like a simple summary.

5 Scary Types of Security Professionals You Will Meet in Your Career

Summarizes my own personal experience as well...!

5 – The NO-Master
4 – The By-The-Book Preacher
3 – The Dinosaur
2 – The Technology-Solves-It-All
1 – The paranoid

How to Sell the Value Of Information Security – The four “Rs”

Good article that talks about: Risk, Reputation, Regulation, Revenue

Cyberthieves loot $400,000 from city bank account

Payroll accounts compromised.

2012-10-15

The new SHA 3

Keccak wins the competition and is selected as SHA-3 by NIST (National Institute of Standards and Technology).

honeynet.org

A website dedicated to detecting new attacks with honeypots??!!!  Would prefer to get some more details before I can trust these guys.

Lock's Master Keys

As they say, security is truly only as strong as the weakest link. So, there is no point in setting up super-secure locks when the master keys are being sold on eBay.


SQL Injection Tools

An extremely good (and humorous) demo of the HAVIJ tool. Another tool to go over is SQLMap.

The Security Tradeoffs

I have been doing some interviews lately, and the most fundamental IT Security question is probably the most difficult to answer.

What are the tradeoffs of security? What is the direct impact of security? For this question, let's talk about all the aspects of security (not just "IT Security").

There is an open debate over whether security is a tradeoff with privacy. Does an increase in security make people lose their fundamental right to privacy, or even liberty?

  • Yes, in a way, more security would mean more vigilance and less anonymity
  • No, because security controls can be present to protect privacy, especially "Personally Identifiable Information"

Hence, that is a valid debate.

However, the one point no security guru would contradict or debate is that "Security" is for sure a tradeoff between "Usability" and "Cost". An organization can only hope to control two of these variables, but never all three.


Image courtesy: Technet Microsoft
Another good reference article

Update: 15-Oct-2012
A humorous video, which shows that privacy cannot exist without security and, vice versa, security cannot exist without privacy.

Update 17-Feb-2015:
Apple's Tim Cook speaks on this topic



2012-10-12

Google & Yahoo's Ireland domain names hijacked

Google and Yahoo's Ireland domain names were hijacked. This is an attack that could be devastating for end users, who would never get to know which website they are being redirected to.

Firefox v16 Pulled Down

Firefox 16 was pulled down by the vendor (Mozilla) after a serious vulnerability was discovered.
[Quote]  The bug was discovered by Gareth Heyes who blogged the issue with proof of concept code on Wednesday. By going public rather than reporting the issue to Mozilla, Heyes spurned the chance of a $3000 bug finders reward. Asked why, he replied, “I think Mozilla taking FF16 down is reward enough. Publicity LOL. 3K LOL.”

2012-10-11

2012-10-10

Japan, Asean to create cyberdefense network

Under the system, the Japanese government plans to share information on cyberattack patterns and technologies to defend against these attacks. It also plans to carry out exercises to verify the effectiveness of the system within the current fiscal year.
Full Story

Pwn2Own 2012

23-Jan-2012:
This year's Pwn2Own contest has much higher prize money, and has a different format. Looks like Pen-testing is fast becoming a sport..!!

Update 28-Feb-2012:
Google withdraws its sponsorship for the Pwn2Own event, and announces it will hold another similar event (called Pwnium) for its Chrome browser, at the same venue, with $1 million in rewards...!!

Update 07-Mar-2012:
The hacking king, Charlie Miller, will not be participating this year.

Update 07-Mar-2012:
Glazunov scores $60,000 for the first Pwnium payout..! So unlike the last few years, this time Chrome is the first browser to go down. However, this is not necessarily because the browser is insecure, but only because the prize money is enormous.

Update 09-Mar-2012:
Barely 24 hours after Chrome's bug was discovered, it has been patched and the latest version of the browser is now available.

The French team from Vupen was able to hack both IE9 and Chrome. Hence, Chrome gets hacked twice in the same week! However, this particular bug will not be reported to Google, and hence may not get patched at all.

12-Mar-2012:
Google Chrome falls again, this time by a teenager, who calls himself Pinkie Pie! Once again, he earned $60,000 from Google, and once again Google patched the vulnerability in less than 24 hours!! Commendable effort, indeed.

Update 26-Aug-2012:
Google decides to have a second Chrome hacking contest, and the max prize pool is a whopping 2M. Location = KL, Malaysia

Update 10-Oct-2012:
The same kid (Pinkie Pie) breaks into Chrome a second time, to win $60,000!!


2012-10-08

Civil Rights Captcha


A new captcha that tests the user's "feelings" and not what the user sees on the screen. From Civil Rights Defenders.





Microsoft will reject ‘weak’ digital certificates from 09-Oct-2012

Users will have no choice but to upgrade their certificates from tomorrow (9 October 2012). Failure to do so will lead to “disruptions to business and computing operations,” continued Venafi, which “could include everything from Internet Explorer failures to inability to encrypt or digitally sign emails on Outlook 2010 and other legacy systems that rely on the older, weaker encryption keys.”
Full Story

Universal Man-in-the-Browser (uMitB) Attack

Quote:
We have discovered a new Man in the Browser (MitB) scam that does not target specific websites, but instead collects data submitted to all websites without the need for post-processing
YouTube Video Demo
The researcher's page

The POC (technical details) has not been released, to the best of my knowledge.

2012-10-07

Hacking Routers

These are the scariest types of hacks, where the user's router/modem is compromised, leaving a non-technically-savvy user without the faintest idea of how to fix it. Plus, the usual antivirus products and browsers may detect the issue, but for sure will not be able to fix it for the user.
Hence, this story, where 4.5 million routers in Brazil have been compromised, is not to be taken lightly.

Taking scareware scams to the next level

.. purporting to be affiliated with major computing vendors including Dell, Microsoft, McAfee and Norton, the telemarketers conned unwitting consumers into believing that their computers are riddled with viruses, spyware and other malware, charging anywhere from $49 to $450 per PC to remotely access and "fix" the machines.
Full Story