2011-11-30
Session Hijacking
An easy-to-use hack which demonstrates how to take over a victim's Gmail session by first stripping the HTTPS traffic down to plain HTTP and then hijacking the session.
2011-11-28
Four hack suspects linked to terrorist group
Further evidence that hacking is becoming a serious organized crime....
2011-11-24
Google protects HTTPS-enabled services against future attacks
Google takes another step to strengthen their security.
Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.
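The added example below (my own toy model, not Google's code, with small constructed parameters) contrasts the two key-exchange styles the excerpt describes: an adversary holding a recorded transcript and a later-leaked long-term private key recovers the session key under RSA key transport, but has nothing to compute from an ephemeral Diffie-Hellman transcript.

```python
import secrets

# Toy RSA long-term server key (constructed small primes; illustration only)
P_RSA, Q_RSA, E_RSA = 1000003, 1000033, 65537
N_RSA = P_RSA * Q_RSA
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))  # private exponent

# Toy DH group (2**127 - 1 is prime but far too small for real use)
P_DH = 2**127 - 1
G_DH = 3


def rsa_key_transport():
    """Non-forward-secret exchange: the client encrypts a fresh session key
    to the server's long-term public key. Returns (session_key, transcript)."""
    session_key = secrets.randbelow(N_RSA - 2) + 2
    ciphertext = pow(session_key, E_RSA, N_RSA)  # this is what a recorder captures
    return session_key, {"kind": "rsa", "c": ciphertext}


def dhe_key_agreement():
    """Forward-secret exchange: both sides pick one-time exponents, derive the
    shared secret, and discard the exponents. Only g^x and g^y hit the wire."""
    x = secrets.randbelow(P_DH - 2) + 1
    y = secrets.randbelow(P_DH - 2) + 1
    gx, gy = pow(G_DH, x, P_DH), pow(G_DH, y, P_DH)
    session_key = pow(gy, x, P_DH)  # equals pow(gx, y, P_DH) on the client side
    del x, y                        # ephemeral secrets are never stored
    return session_key, {"kind": "dhe", "gx": gx, "gy": gy}


def retrospective_attack(transcript, leaked_private_exponent):
    """Adversary who recorded the transcript years ago and has now obtained the
    server's long-term private key. Returns the session key, or None."""
    if transcript["kind"] == "rsa":
        # The long-term key decrypts the recorded key transport directly.
        return pow(transcript["c"], leaked_private_exponent, N_RSA)
    # With DHE the long-term key only ever signed g^x; the recorded values
    # g^x and g^y do not yield g^(xy) without the discarded exponents.
    return None
```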
2011-11-23
e Censorship
China has always been stringent about freedom of speech on the internet. It seems Pakistan is going in the same direction: there is a new ban on over 1600 words which cannot be sent in a text message.
The Reporting Line For A CISO
This is also an open-ended question: should the Chief Information Security Officer (CISO) of an organization report to the CIO, CTO, CSO, CEO or COO?
I doubt there is a single answer applicable to all organizations. However, ideally there should be enough segregation of duties between the IT team and the IT Security team. This is required to ensure the IT Security team can operate freely and without undue pressure. What good is the maker-checker concept if either can be influenced by the other? Two simple examples to clarify my point:
- The IT project team is setting up a new system and has a tight deadline to meet. To cut corners, a few security best practices are overlooked. Will the CISO have the authority to pull the plug on this project if he reports to the Head of IT (who could be a CIO or CTO)?
- The OS and application patches are not being rolled out as frequently as they should be. The CIO likes to keep roll-outs to a minimum to avoid the issues and challenges a roll-out typically causes. Will the CISO have the authority to challenge the CIO here?
Here is an article that agrees with these views.
Another article that tries to answer this tough question.
2011-11-20
Facebook Porned & Pwned
Facebook has been attacked by yet another worm, which displays pornographic images on the victim's page. Facebook claims the attack is now under control.
Anonymous, who were believed to be the attacker, have clarified that they are not the ones to be blamed for this.
Anonymous Leaks FBI's Cyberexpert's Emails
An excerpt is below; the full story is here:
Anonymous hackers broke into two of Bacalagan's gmail accounts, his text message logs and his Google Voice voicemails, then dumped the whole thing on to a website and The Pirate Bay.
2011-11-12
How To Lock Down Your Wireless Network
An article for dummies (and a reference for the rest of us) on how to secure home wireless connections.
2011-11-08
Internet Usage in India
Very interesting:
- By the end of this year, one in every 10 Indians will be an Internet user, making the country the third-largest Internet market in the world after China and the United States.
- At the end of December, 121 million Indians will be accessing the Internet at least once a week
2011-11-07
Israel govt. websites down, after a hacker threat
Sounds a bit far-fetched. So, what would have happened if Anonymous (or someone else, for that matter) had not announced their threat?
2011-11-05
There Is No Honor Among Hackers v2
Similar to a story I blogged about back in 2009, here is another case of how hackers are always ready to kick each other on the backside. However, in this particular case, it seems more likely that there was a political motive.
2011-11-04
Researchers defeat CAPTCHA on popular websites
It is not at all surprising that someone was able to defeat the CAPTCHA. It seems Google and reCAPTCHA are better than the rest.
Full story here and here
24-Jan-2012: Unlike the automated CAPTCHA solvers, another popular method is to use actual humans to solve them. These humans are located in countries where (cheap) labour is plentiful. Here is a very good post on how one such service is set up.
Duqu Malware
Okay, I'm a bit late in blogging about this new 0-day vulnerability in MS Windows.
The attack is basically carried out using a malformed MS Word file.
Microsoft has yet to release a patch for this vulnerability but has issued a workaround.
Update 01-Dec-2011: This spying operation now seems to be shutting down.