Online Nmap

A website that runs Nmap on your behalf. It could be used, or misused, to scan targets while hiding the scanner's own IP address from the target.


IE Vulnerability Exposes Mouse Movements

As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. 
Full Story Here


Europol and ICE seize 132 domain names

Looks like the USA is tightening enforcement by forcibly seizing domain names.

GoDaddy's DNS Servers Hijacked

"In this current spate of attacks, criminals are exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers." The upshot is that hackers can thus hijack the DNS to create legitimate-looking URLs in phishing attacks, evading security filtering and tricking users into thinking the content must be safe
Full Story
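As an added illustration of the check just described (this is example code written for this page, not the registrar's or any linked article's), here is a small Python script that takes a zone export and flags A/AAAA records that were never provisioned or that point outside the address ranges the organisation owns, plus a diff against the previous export. The zone records, owned networks and hostnames are constructed for the example.

```python
import ipaddress

# Constructed sample zone export (not real registrar data): (name, type, value).
# The last two A/AAAA records mimic the attack described above: extra subdomains
# added to an otherwise untouched zone, pointing at attacker-controlled hosts.
ZONE = [
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "A", "203.0.113.10"),
    ("mail.example.com.", "A", "203.0.113.25"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("secure-login.example.com.", "A", "198.51.100.7"),
    ("verify.example.com.", "AAAA", "2001:db8::1"),
]

# Assumed baseline: address ranges the organisation actually uses, and the
# hostnames it knowingly provisioned. A real check loads both from inventory.
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8:abcd::/48")]
KNOWN_HOSTS = {"example.com.", "www.example.com.", "mail.example.com."}


def find_rogue_records(zone, owned_nets, known_hosts):
    """Flag A/AAAA records that were never provisioned or that resolve outside
    the owned ranges. Returns a list of (name, value, reason)."""
    rogue = []
    for name, rtype, value in zone:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(value)
        reasons = []
        if name not in known_hosts:
            reasons.append("unexpected-hostname")
        if not any(addr in net for net in owned_nets):
            reasons.append("outside-owned-range")
        if reasons:
            rogue.append((name, value, ",".join(reasons)))
    return rogue


def diff_zone(previous, current):
    """Records present in the current export but not in the previous one;
    run this on every periodic zone export so silent additions stand out."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    for name, value, why in find_rogue_records(ZONE, OWNED_NETS, KNOWN_HOSTS):
        print(f"ROGUE {name} -> {value} ({why})")
    print("added since last export:", diff_zone(ZONE[:4], ZONE))
```

Both checks are deliberately independent: the hostname allow-list catches an attacker who points a new subdomain at one of your own IPs, and the range check catches a new name you forgot to register in inventory.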


HoneyDrive – Honeypots In A Box

A ready-made virtual machine image, with the OS and a collection of honeypot tools preinstalled.

Former CIA director's affair gets caught via his gmail account

Height of irony: the USA's CIA director was unable to protect his email communication. Well, he did put a few measures in place, but apparently not good enough.

First, Petraeus set up a dummy account. And second, it's been reported that Petraeus and Broadwell never actually sent any emails to each other. Rather, the two relied on a strategy that has previously been used by terrorists in an effort to keep investigators off the scent.
Full story


Anonymous Hackers Leaked document of 5000 Israeli Officials

Anonymous has published a document listing 5000 Israeli officials. A 1.3 MB HTML file has been uploaded to wikisend.com. It contains names, addresses, phone numbers, ID numbers and email addresses.
Full Story


Georgia hacks their hacker

This is unprecedented. The formal report from the government is here.

The nation of Georgia, fed up with persistent cyber-spying attacks, published photos of a Russia-based hacker who it alleged waged a persistent, months-long campaign that stole confidential information from Georgian government ministries, parliament and banks. (Photo: Cert.gov.ge)

$1 Million stolen from Citibank's ATM

A very organised gang opened fake checking accounts with some seed money, and then withdrew that same amount multiple times, across various locations, all within 60 seconds, exploiting a window in which the repeated withdrawals were not checked against the balance.


Indian Defence Org Hacked

Sounds embarrassing.

Windows 8 Launched... Countdown for the first hack!

Update: 01-Mar-2012:
Windows 8 has officially been released:

Update 15-Oct-2012:
There has been some news that this OS stores passwords in clear text. I have not been able to find many details, so hopefully there will be some updates from the big MS. Personally, I hope they have not goofed up this badly. Now there is also a French tool which helps script-kiddies point, click and crack passwords.

Update 01-Nov-2012:
Less than a week after the official go-live, Vupen finds a 0-day.


What is crucial? Confidentiality, Integrity or Availability?

Now, IT security is all about C, I and A. But which of these three is the most important?
Some of the opinions on the net:

Identify Hoax Images

It's not unusual for the internet to be filled with hoax images, which are also sometimes used to phish users into clicking links to malware-hosting websites. Here is a very good study on how to identify hoax images, using Hurricane Sandy as an example.

South Carolina breach exposes 3.6M SSNs

This is insane:

  • First the government gets hacked, because there was a default password on the authentication system.
  • Then the hackers steal Personally Identifiable Information (PII), all of which was unencrypted.
  • Then they make a public announcement claiming that "the industry standard is that most SSNs are not encrypted".
  • Moreover, the attack happened in mid-September but was only disclosed in late October. The government is now giving free insurance to those affected.

Greek Ministry Hacked

Anonymous claims to have access to an SAP 0-day. Passwords disclosed in plain text here.



Another (good) online tool to crack hashes, very nicely explained in this video.
Good reminder to all: all passwords must be salted and hashed, and the salts must be random and unique per password, so that one lookup table cannot crack the whole database at once.


Social engineering: 3 examples

Very good real-life cases of human hacking (i.e. social engineering).

Another interesting example, built around a fake trailer for a Titanic sequel.


45,000 WordPress Blogs Hacked

A vulnerability was exploited across 45K blogs to make some money for the hacker.

Story of Amanda Todd - Hats off to Anonymous

A really sad story of a paedophile cyberstalker who drove a 15-year-old Canadian girl into depression, until the poor girl finally committed suicide. Anonymous tracked down the stalker and published his complete details online.

Now there is a debate about whether Anonymous did the right thing by taking the law into their own hands. Take a look at the following video, which Amanda posted a few weeks before she killed herself; for sure it was a good deed by Anonymous (even if the means were controversial).


How Does IDFA/IFA Work?

IFA or IDFA stands for "identifier for advertisers". It's a random, anonymous number that is assigned to a user and their device. It is temporary and can be blocked, like a cookie.
In case someone would like a simple summary.

5 Scary Types of Security Professionals You Will Meet in Your Career

Summarizes my own personal experience as well...!

5 – The NO-Master
4 – The By-The-Book Preacher
3 – The Dinosaur
2 – The Technology-Solves-It-All
1 – The paranoid

How to Sell the Value Of Information Security – The four “Rs”

Good article that talks about: Risk, Reputation, Regulation, Revenue.

Cyberthieves loot $400,000 from city bank account

Payroll accounts compromised.


The new SHA 3

Keccak wins and is selected as SHA-3 by NIST (National Institute of Standards and Technology). Note that this does not mean SHA-2 is broken; NIST picked a design (a sponge construction) that is structurally different from SHA-2, so the two are unlikely to fall to the same attack.


A website dedicated to detecting new attacks with honeypots??!!! Would prefer to get some more details before I can trust these guys.

Lock's Master Keys

As they say, security is truly only as strong as the weakest link. So there is no point in setting up super-secure locks when the master keys are being sold on eBay.

SQL Injection Tools

An excellent (and humorous) demo of the Havij tool. Another tool to go over is sqlmap.

The Security Tradeoffs

I have been doing some interviews lately, and the most fundamental IT security question is probably the most difficult to answer.

What are the tradeoffs of security? What is the direct impact of security? For this question, let's talk about all the aspects of security (not just "IT security").

There is an open debate on whether security is a tradeoff against privacy. Does an increase in security make people lose their fundamental right to privacy, or even liberty?

  • Yes, in a way: more security means more vigilance and less anonymity.
  • No, because security controls can exist precisely to protect privacy, especially "Personally Identifiable Information".

Hence, that is a valid debate.

However, the one point no security guru would contradict or debate is that security is for sure a tradeoff against usability and cost. An organization can only hope to control two of these three variables, never all three.

Image courtesy:   Technet Microsoft
Another good reference article

Update: 15-Oct-2012
A humorous video which shows that privacy cannot exist without security, and vice versa: security cannot exist without privacy.

Update 17-Feb-2015:
Apple's Tim Cook speaks on this topic


Google & Yahoo's Ireland domain names hijacked

Google's and Yahoo's Ireland domain names were hijacked. This is an attack that could be devastating for end users, who would never know which website they were being redirected to.

Firefox v16 Pulled Down

Firefox 16 was pulled down by the vendor (Mozilla) after a serious vulnerability was discovered.
[Quote]  The bug was discovered by Gareth Heyes who blogged the issue with proof of concept code on Wednesday. By going public rather than reporting the issue to Mozilla, Heyes spurned the chance of a $3000 bug finders reward. Asked why, he replied, “I think Mozilla taking FF16 down is reward enough. Publicity LOL. 3K LOL.”



Japan, Asean to create cyberdefense network

Under the system, the Japanese government plans to share information on cyberattack patterns and technologies to defend against these attacks. It also plans to carry out exercises to verify the effectiveness of the system within the current fiscal year.
Full Story

Pwn2Own 2012

This year's Pwn2Own contest has much higher prize money and a different format. Looks like pen-testing is fast becoming a sport..!!

Update 28-Feb-2012:
Google withdraws its sponsorship of the Pwn2Own event, and announces it will hold a similar event (called Pwnium) for its Chrome browser, at the same venue, with $1 million in rewards...!!

Update 07-Mar-2012:
The hacking king, Charlie Miller will not be participating this year.

Update 07-Mar-2012:
Glazunov scores $60,000 for the first Pwnium payout..! So, unlike the last few years, this time Chrome is the first browser to go down. However, this is not necessarily because the browser is insecure, but only because the prize money is enormous.

Update 09-Mar-2012:
Barely 24 hours after Chrome's bug was discovered, it has been patched and the latest version of the browser is now available.

The French team from Vupen was able to hack both IE9 and Chrome. Hence Chrome gets hacked twice in the same week! However, this particular bug will not be reported to Google, and hence may not get patched at all.

Google Chrome falls again, this time by a teenager, who calls himself Pinkie Pie! Once again, he earned $60,000 from Google, and once again Google patched the vulnerability in less than 24 hours!! Commendable effort, indeed.

Update 26-Aug-2012:
Google decides to have a second Chrome hacking contest, and the max prize pool is a whopping $2M. Location: KL, Malaysia.

Update 10-Oct-2012:
The same kid (Pinkie Pie ) breaks into chrome a second time, to win $60,000!!


Civil Rights Captcha

A new captcha that tests the user's "feelings" rather than what the user sees on the screen. From Civil Rights Defenders.

Microsoft will reject 'weak' digital certificates (RSA keys shorter than 1024 bits) from 09-Oct-2012

Users will have no choice but to upgrade their certificates from tomorrow (9 October 2012). Failure to do so will lead to “disruptions to business and computing operations,” continued Venafi, which “could include everything from Internet Explorer failures to inability to encrypt or digitally sign emails on Outlook 2010 and other legacy systems that rely on the older, weaker encryption keys.”
Full Story

Universal Man-in-the-Browser (uMitB) Attack

We have discovered a new Man in the Browser (MitB) scam that does not target specific websites, but instead collects data submitted to all websites without the need for post-processing
Youtube Video Demo
The researcher's page

The PoC (technical details) has not been released, to the best of my knowledge.


Hacking Routers

These are the scariest types of hacks: the user's router/modem is compromised, leaving a non-technically-savvy user without the faintest idea of how to fix it. Plus, the usual antivirus products and browsers may detect the issue, but for sure will not be able to fix it for the user.
Hence this story, where 4.5 million routers in Brazil were compromised, is not to be taken lightly.

Taking scareware scams to the next level

.. purporting to be affiliated with major computing vendors including Dell, Microsoft, McAfee and Norton, the telemarketers conned unwitting consumers into believing that their computers are riddled with viruses, spyware and other malware, charging anywhere from $49 to $450 per PC to remotely access and "fix" the machines.
Full Story


Anonymous Philippines Attacks Their Govt

More government websites defaced. Anonymous strikes again.

phpMyAdmin Backdoored

When a free/open-source tool gets compromised and backdoored, it is a sure sign of war. (The backdoored package was served from a compromised SourceForge mirror, which is exactly why the checksums and signatures published by the project should be verified before installing.)

Snoopy: A distributed tracking and profiling framework

Snoopy: a tool which sounds both scary and technically interesting:
There have been recent initiatives from numerous governments to legalise the monitoring of citizens' Internet based communications (web sites visited, emails, social media) under the guise of anti-terrorism. Several private organisations have developed technologies claiming to facilitate the analysis of collected data with the goal of identifying undesirable activities. Whether such technologies are used to identify such activities, or rather to profile all citizens, is open to debate. Budgets, technical resources, and PhD level staff are plentiful in this sphere.


Source of data breaches

Only 25% of data breach cases are the work of external attackers. And only 12% of them were perpetrated by insiders with ill intent. That leaves 63% of the issues caused by something more mundane [“inadvertent misuse”]
Full Story

Android phones can be reset to factory default by clicking on links

I usually don't cover vulnerabilities on mobiles, but this one is pretty interesting. YouTube video here.

How Safe Is Your Bank ATM PIN?

The blog says thieves have a 20 percent chance of guessing your ATM code by using those first 3 [most popular] combinations.
Full story here
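To make the "20 percent with three guesses" figure concrete, here is an added Python example (written for this page, not taken from the linked blog): it computes how many accounts an attacker opens by trying the most common PINs in order, compares that with uniformly random PINs, and includes the kind of weak-PIN filter a bank could apply at PIN-selection time. The PIN sample is constructed (100 values skewed towards 1234/1111/0000), the birth-year cutoff and keypad-column list are assumptions.

```python
from collections import Counter


def build_sample():
    """Constructed sample of 100 PINs (not the blog's data set). The first
    three values are deliberately over-represented so the top-3 guess covers
    20% of accounts, mirroring the figure quoted above."""
    skewed = ["1234"] * 11 + ["1111"] * 6 + ["0000"] * 3
    rest = [f"{(37 * i + 5) % 10000:04d}" for i in range(80)]   # 80 distinct fillers
    return skewed + rest


def guess_success_rate(pins, attempts):
    """Fraction of accounts an attacker opens by trying the `attempts` most
    common PINs in order before the card is swallowed."""
    top = Counter(pins).most_common(attempts)
    return sum(count for _, count in top) / len(pins)


def uniform_success_rate(attempts, space=10_000):
    """Same attacker against PINs chosen uniformly at random."""
    return attempts / space


def is_weak_pin(pin):
    """Reject the patterns that dominate leaked PIN data: repeated digit,
    ascending/descending run, repeated pair, plausible birth year (assumed
    cutoff), and straight keypad columns (assumed list)."""
    if not (pin.isdigit() and len(pin) == 4):
        return True
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:                      # 1111, 7777
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                       # 1234, 4321
        return True
    if pin[:2] == pin[2:]:                         # 1212, 6969
        return True
    if 1900 <= int(pin) <= 2020:                   # birth years
        return True
    if pin in {"2580", "0852", "1470", "0741", "3690", "0963"}:
        return True
    return False


if __name__ == "__main__":
    pins = build_sample()
    print(f"top-3 guess succeeds on {guess_success_rate(pins, 3):.0%} of sample accounts")
    print(f"uniform PINs would give {uniform_success_rate(3):.2%}")
    print("weak:", [p for p in ("1234", "1998", "2580", "8093") if is_weak_pin(p)])
```

The gap between the two rates is the whole story: a three-attempt lockout is a fine control against random PINs and almost useless against the human-chosen distribution, so the filter at selection time matters more than the lockout.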


Australia's IT Sec contest

In case any one is interested in story writing.

Domino's India Hacked

The website of Domino's Pizza India was hacked, but customers' information was not compromised, the local franchisee Jubilant FoodWorks said on Wednesday.
Story Here

Mr. Ankit Fadia Continues To Be The Joke of the Town

Update 13-Jan-2012:
Ankit Fadia, a famous self-proclaimed hacker with tons of controversies to his name, doesn't seem to have had a good start to 2012. He has already been hacked numerous times.

Update 12-Sep-2012:
And he is hacked again; this time his hosting company cancels his account.

Hacker Cosmo's Story

A biography of a hacker.



“SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks. It implements most common low-bandwidth Application Layer DoS attacks"

GoDaddy Attacked

Update 10-Sep-2012:
GoDaddy, one of the largest domain registrars, was under a DoS attack from Anonymous. "The outage started around 10:25 AM Pacific time, and services for the bulk of affected customers were restored at 2:43 PM."
The surprising bit is that the attackers took down GoDaddy's DNS servers. This is pretty unusual. Would like to read more details about it.

Update 11-Sep-2012:
GoDaddy blames the outage on corrupted router tables, and says they were not attacked??!!


Hackers hold Mitt Romney's tax returns for ransom

USA is gearing up for the elections, and so are the hackers. Presidential Candidate Mitt Romney being asked for a ransom.


Laptop fingerprint readers vulnerable

Looks like biometric readers are insecure, contrary to popular belief.

Sony Hacked (again)

Update 07-Sep-2012:
Sigh... I lost count as to how many times these guys have been hit just in 2011 and 2012..!!
Hackers Pastebin Post  &  Sony's Statement


Anonymous Attacks FBI - Leaks Apple Records

Update: 04-Sep-2012:
The FBI has been chasing Anonymous members for a while now. I guess this is their way of counter-attacking. Some time back the hackers intercepted one of the FBI's conference calls and released the recording. Now they have hacked them and released some confidential Apple user records. The question is why the FBI was keeping this information, and what they intend to do with it?

Story Here;  Hacker's pastebin release (with links to the dump);
Copy of the file, in case it disappears from these links.

Update: 05-Sep-2012:
Not surprisingly, FBI has denied that any FBI laptop was hacked.

Update: 11-Sep-2012:
New report suggests that the leaked data came from a publishing company, called Bluetoad.

Update: 13-Sep-2012:
A spokesperson for Anonymous, Barrett Brown, was raided by the FBI and arrested. Unfortunately, the guy was on a video chat at the time, and hence the whole thing got recorded (at least the audio).


Passwords Cracking - Myths and Realities

It's no news how insecure passwords are, and why they do not add any real security. A good post on the common myths around password cracking.

9 Biggest IT Security threats

Hacking has evolved from one-person crime of opportunity to an open market of sophisticated malware backed by crime syndicates and money launders
Full Story

Avoid Security Suffering With These 3 Questions

What to ask yourself before any security project?

Cracking WiFi password with CloudCracker

Why not move password cracking to the cloud? Presenting a case study with CloudCracker.

Team Ghostshell - 1 million accounts leaked

Seems like some hacktivists have been working hard: 1 million accounts were leaked over the weekend from some pretty serious sources by the group Team GhostShell, who are affiliated with Anonymous.
More details here and here. The hackers pastebin page

How much is leaked data worth?

Update 16-July-2012:
German state buys CD of Swiss bank customers for €3.5m

Update 29-Aug-2012:
A good article that explains, most likely these losses are inflated. Does Cybercrime Really Cost $1 Trillion?


More Internet Censorship

Some more articles on internet censorship in India and Oman. The surprise is the following; I quote infosecurity-magazine below:
Although there have been dozens of cases in which specific countries block domestic or foreign internet content they don't want their citizens to view – either because it's critical of government policies, or it violates their own laws and regulations – it's very rare to see one country’s internet access restricted due to transit and peering agreements. (Note: transit agreements are those in which ISPs allow data from another ISP to move through their infrastructure, whereas for peering agreements, ISPs agree to station hardware in the same location for a mutually beneficial transfer of data.)



CryptoCat, a browser-based encrypted chat client, has been in the news for a while now. The debate is whether it is really as secure as they claim it to be. The analyses are here.

Attack on Saudi Aramco

A hacker group calling itself the Arab Youth Group has claimed responsibility for what appears to be a serious hacking attack on Saudi Aramco, one of the world's largest energy companies.
Full Story


Anonymous Hits Stratfor

Update 27-Dec-11
Just as promised, Anonymous stole from the rich and gave to the poor.

Update 29-Dec-11:
In a surprising turn of events, Anonymous has refuted the claim and said they support Stratfor. On the other hand, LulzSec claimed responsibility. More details are here.

Update 31-Dec-11:
860,000 credit card accounts released by LulzSec, of which 50k are government accounts!

Update 28-Feb-12:
WikiLeaks Releases Leaked Stratfor Emails

Update 12-Aug-12:
WikiLeaks is undergoing a massive denial-of-service attack because of the Stratfor leak.
A group calling themselves "AntiLeaks" takes responsibility.

Update 13-Aug-12:
The attack continues; WikiLeaks is still down. Some more details as to what the motive of the attack could be.

Update 21-Aug-12:
Now Anonymous has released a video asking the UK government to release Assange (founder of Wikileaks). 

Update 06-Jul-13:
Now poor Assange is hiding in the Ecuadorian embassy. London managed to hide a bug inside an electrical socket!


Nmap's NSE

Learn more about the Nmap Scripting Engine from the creator himself. Here is an old Black Hat video.


FTC hits Google with $22.5 million fine for Safari tracking

The government agency today announced that Google has agreed to pay $22.5 million to settle the FTC's charges that Google "placed an advertising tracking cookie on the computers of Safari users who visited sites within Google's DoubleClick advertising network."
User privacy is becoming a bigger and more serious issue..!

Defcon's Social Engineering Challenge

A reminder to all of us that users are still the weakest link in the security chain.
Sigh... Why bother with firewalls and all the other gizmos?


Cyber gang made £30 MILLION from fake gov certs

Chinese police are celebrating the arrest of a nationwide cyber crime gang suspected of making over £30 million by selling fake professional qualifications, which they helped to produce by hacking into government web sites.
Full Story

Mat Honan, Reporter Gets Hacked!

Interesting story of how a hacker went about completely ruining a person's digital life. And all of this was done without a single piece of software/tool/malware: just chaining the account-recovery processes of Amazon and Apple, where the last four digits of a credit card, visible on one service, were enough to reset the password on the other.
Click Here


A Cross Platform Malware Development Framework

This is the Malware industry maturing up.

Anonymous' Logo

This is plain silly.
A French company tried to trademark the logo of Anonymous. Of course the hacking community was not amused, and published the owners' personal information on pastebin, with a threat to kill their internet sales.
The company has since shut down its business.

Is Microsoft Listening on Skype Calls?

If this rumor is true, then it will mean a serious impact on the privacy of users (even if some bloggers feel otherwise).

Microsoft Attack Surface Analyzer

Microsoft has released Attack Surface Analyzer, a free tool that can help us understand how newly installed applications can affect the security of a Windows OS.

Full Story


Undetectable hardware backdoor - Rakshasa

What's really scary is that Rakshasa doesn't reside in the disk and therefore leaves zero evidence in the filesystem. It leaves zero network evidence on the LAN. It can "remotely boot from an alternate payload or even OS" like fake Truecrypt/Bitlocker. Rakshasa can even show a fake BIOS menu if necessary
This is scary. More details here.

Dropbox Hacked Again!

This time it looks like the bad guys are using account credentials stolen from other sites and reused on Dropbox. More details and the previous incident.

SSL/TLS Broken - Beware of BEAST & Lucky 13

The way things are going, we may need to start thinking about replacing SSL.

Update 27-Sep-11:
An interesting post to understand the scope of this new security hole.

Update 04-Oct-11:
An article from Infosecurity-Magazine confirming my suspicion

Update 14-Oct-11:
Learn about the BEAST from the horse's mouth:  The author's own blog

Update 31-Jan-12:
Another good article that summarizes how SSL is now broken, and what the future of web authentication is.

Update 01-Aug-12:
Certificate pinning might be one solution to part of the problem: it stops a client from accepting a certificate issued by a rogue or compromised CA, but it does nothing against cipher-level attacks like BEAST. It is also not as heavy as caching the certs of every trusted site; a client pins only the handful of hosts it cares about (Chrome ships built-in pins for Google's own domains), and pinning the public key rather than the certificate means routine renewals do not break it. The hard part is rotation: a pin without a backup key locks users out the day the key is replaced.
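As an added illustration (example code for this page, not from any of the linked articles or from Chrome), here is what a client-side pin check looks like in Python: the client ships a small set of expected certificate hashes for the hosts it cares about, including a backup pin for rotation, and rejects a certificate that passes the normal CA check but matches no pin. The hostnames, DER byte strings and pin values are constructed; the network fetch helper uses the standard library's ssl module and is not exercised offline.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# A production client would pin the SubjectPublicKeyInfo rather than the whole
# certificate, so renewals that keep the key survive; the whole-DER form is
# used here to avoid ASN.1 parsing.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))
BACKUP_CERT_DER = b"\x30\x82\x01\x0b" + bytes(reversed(range(256)))


def cert_pin(der_bytes):
    """'sha256/<hex>' of the DER certificate: the value shipped inside the client."""
    return "sha256/" + hashlib.sha256(der_bytes).hexdigest()


# Assumed pin set: current cert plus a backup so the key can be rotated
# without locking every client out.
PINS = {"example.com": {cert_pin(SAMPLE_CERT_DER), cert_pin(BACKUP_CERT_DER)}}


def pin_matches(host, der_bytes, pins=PINS):
    """True only if the presented certificate matches one of the host's pins.
    A certificate that is valid under the CA check but unpinned (the rogue
    issuance case) is rejected; a host with no pins fails closed."""
    expected = pins.get(host)
    if not expected:
        return False
    return cert_pin(der_bytes) in expected


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Fetch the server's leaf certificate (DER) after normal chain validation.
    Needs network access; not used by the offline checks below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_pinned(host, port=443):
    """Chain validation first (inside fetch_leaf_der), then the pin check."""
    der = fetch_leaf_der(host, port)
    if not pin_matches(host, der):
        raise ssl.SSLError(f"pin mismatch for {host}: got {cert_pin(der)}")
    return der


if __name__ == "__main__":
    print("pinned cert accepted:", pin_matches("example.com", SAMPLE_CERT_DER))
    print("backup cert accepted:", pin_matches("example.com", BACKUP_CERT_DER))
    print("rogue cert accepted:", pin_matches("example.com", b"\x30\x82rogue"))
    print("unpinned host accepted:", pin_matches("other.example", SAMPLE_CERT_DER))
```

The order matters: pinning is layered on top of ordinary chain validation, not a replacement for it, and the backup pin must belong to a key that is generated and stored offline before the current one ever needs replacing.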

Update 12-Feb-13:
A new attack, called Lucky Thirteen. Original white paper here.

Update 18-May-13:
Some issues/concerns with IPv6 integration.


Encrypt Text From Browsers

A super simple way to encrypt any email/IM/tweet on the fly from within the browser, with no special tools.

SafeGmail, a tool to encrypt Gmail messages within the browser.

Another easy way to encrypt text in browsers: Mailvelope.

Yahoo confirms theft of 450K unencrypted passwords

After LinkedIn, Yahoo loses 450,000 user login credentials, which were stored unencrypted (in plain text). Since then they claim to have fixed the issue. However, the fact remains: it's really pathetic that web service providers still do not adhere to basic security principles, like salting and hashing passwords instead of storing them as-is.

Here is the original dump of exposed passwords. Another copy is here.
A good analysis of the exposed passwords.
In case anyone needs a refresher on what hashing is and how to do it properly.


Wikileaks releases Syria Files, 2.4 million government related emails

Wikileaks says its latest release shines a light on the inner workings of Syria's government and on Western hypocrisy
Full Story

Internet will vanish Monday for 300,000 infected computers

As many as 300,000 PCs and Macs will drop off the Internet in about 65 hours unless their owners heed last-minute calls to scrub their machines of malware.
DNSChanger's victims to be removed from the net

Schneier's So You Want to Be a Security Expert

Good article for the newbies trying to get into this industry.


Trend Micro AV breached & backdoored

A hacker claims to have breached and backdoored security and antivirus software firm Trend Micro due to 'pseudo-security' as well as SYKES which runs support services for Trend Micro. According to Pastebin and a dump for 'proof' of the breach, the hacker claims to still be in control of a backdoor into the security firm.
Full Story

30 June - Leap Second problem

Apparently a leap second had to be inserted into the clocks on 30 June (details here). This did not go well with some applications, notably a Linux kernel bug that left Java and MySQL processes spinning at 100% CPU. Issues faced are described here.

Indian Navy secrets stolen and sent to China

Computers in India’s primary eastern seafront naval establishment at Visakhapatnam were reportedly infected with spyware that sent classified information to IP addresses in China.
Full Story


SSL Certificates Stolen From DigiNotar

Approximately 531 rogue certificates were issued from DigiNotar's compromised CA, possibly on behalf of the Iranian government.

TechNet has a very good article on why such an attack is brutal and how to protect against it.

Microsoft feels this could even lead to attackers pushing malware via Windows automatic update.

Impact of this hack:

Update 07-Sep-11:
        Not surprisingly, the same hacker who attacked Comodo has claimed responsibility for this hack.
        To make matters worse, he claims to have compromised four other certificate authorities (CAs)..!!

Update 09-Sep-11:
        Fox-IT has published a very good report on the incident

        ComodoHacker claims he can now exploit Windows Update as well

Update 12-Sep-11:

Update 27-Sep-11:
        DigiNotar has filed for bankruptcy, and the Dutch government has revoked their root cert.

Update 28-Jun-12:
        The Dutch government tells us how difficult and time-consuming it is to replace all digital certs in an organization.

Update 01-Nov-12:
Fox IT now details the attack


99% of attacks could be stopped by patching

Microsoft’s chief UK security advisor Stuart Aston has pointed out that less than 1% of attacks are based on zero-day exploits
Full Story


CloudFlare Hacked - Google's 2FA is Flawed

This just goes to show how sophisticated attacks are becoming.
While an authentication flaw, social engineering, and questionable account recovery methods all played a part in the attack, CloudFlare admits, in Prince’s own words, that they “did some dumb things” 
Full Story

Update: 06-Jun-2012:
Google now starts informing users if it thinks they have been victims of a state-sponsored attack. No details are being disclosed, however.

Update: 15-Jun-2012:
Details around what 0-day vulnerability is being used

Update: 20-Jun-2012:
European aeronautical supplier's website infected, with this same exploit.

Economists demonstrate exactly why bank robbery is a bad idea

The typical return on a bank holdup is, "frankly, rubbish."
Full Story


Citibank revamps credit card and ATM security measures

All new cards will be sent out deactivated from 1 July 2012, and an on-demand deactivation and reactivation option for its credit cards will now be offered.
Full Story


Create SSH Tunnels

How to create simple SSH tunnels, for secure browsing especially when you are at an airport or coffee shop (any untrusted network). Remember that the tunnel only protects the hop to the shell host; whoever runs that host sees your traffic in the clear, so a free shell account is a trust decision, not just a convenience.
Video Tutorial
Where to get free shell accounts

To set up simple PHP-based proxies, try proxy labnol

Hackers more aggressive in attacking customer accounts

A survey of large financial institutions shows they faced more attacks by hackers to take over customer banking accounts last year than in the two previous years, and about a third of these attacks succeeded.
Full Story


PandaLabs - Another Security Firms Goes Down

In a major break for law enforcement, several members of the LulzSec and Anonymous hacking groups were arrested this morning based on information provided by "Sabu," the shadowy LulzSec leader who was secretly arrested last year.

Hackers claiming to belong to the Anonymous hacking collective early Wednesday defaced Panda Security's PandaLabs website in apparent response to the arrests of five hackers Tuesday in the U.K. and the U.S.

The extent of the hack seems pretty bad. The hackers were able to completely compromise the pandalabs.pandasecurity.com subdomain of the company, and posted the password hashes of all the employees with access to the Unix server hosting it. The website has been taken offline, but the Google cache is still available.

One of the arrested hackers is Jeremy Hammond. Here is his story.

This is getting serious. In retaliation, Anonymous claims to have taken 3 TB worth of FBI data. They have posted the file names and hashes.

The story of sabu

Story of a member of Anonymous

There are two sides to the online activist phenomenon, one like Joker and the other like Batman. Parmy Olson speaks to a member about the future of the hacker collective and about which side should win.

Hackers claim to steal 110,000 SSNs from Tenn. school system

Nothing new I guess


Microsoft's DNT

After Microsoft announced Do Not Track would be turned on by default in Internet Explorer 10, the latest W3C DNT draft proposal suggests Do Not Track should not be on by default
This would probably be the first time ever that a Microsoft security control has been deemed "too secure".

A little more info around how online tracking works.

Update 09-Aug-2012:
MS goes ahead and enables the setting by default.

Update: 27-Sep-2012:
A good write-up on why this would adversely impact the internet.


India to greenlight state-sponsored cyber attacks

The Indian government is stepping up its cyber security capabilities with plans to protect critical national infrastructure from a Stuxnet-like attack and to authorise two agencies to carry out state-sponsored attacks if necessary.
Full Story


LinkedIn Hacked!

Professional social networking service LinkedIn today said it is investigating reports that hackers broke into its systems and accessed the usernames and hashed passwords of the social network's 6.5 million members.
It seems the password hashes were leaked, and many of them have already been cracked (hashes are not decrypted; they are matched by guessing). Reason: the hashes were not salted, and SHA-1 is a fast general-purpose hash, so a single precomputed table or GPU run attacks every account in the dump at once.
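To show why unsalted SHA-1 falls so quickly and what "salted and hashed properly" (as the earlier reminders on hash cracking and the Yahoo dump put it) actually means, here is an added Python example written for this page; it is not LinkedIn's code nor from any linked article. The leaked hashes and wordlist are constructed; the KDF is PBKDF2-HMAC-SHA256 from the standard library, chosen as a stand-in for bcrypt/scrypt, and the iteration counts are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the LinkedIn dump).
LEAKED_SHA1 = [hashlib.sha1(p.encode()).hexdigest()
               for p in ("linkedin", "password1", "Tr0ub4dor&3")]
WORDLIST = ["123456", "password", "linkedin", "password1", "letmein"]


def crack_unsalted_sha1(hashes, wordlist):
    """Unsalted fast hash: one SHA-1 per wordlist entry builds a lookup table
    that cracks every account in the dump at once."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hash_password(password, iterations=200_000, salt=None):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here;
    bcrypt or scrypt would do as well). The output is self-describing, so the
    iteration count can be raised later without a flag day."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(records, wordlist):
    """With unique salts there is no shared table: every (user, candidate)
    pair costs a full KDF run, so cost scales with users x wordlist x iterations."""
    found = {}
    for user, stored in records.items():
        for w in wordlist:
            if verify_password(w, stored):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))
    records = {"alice": hash_password("linkedin", iterations=50_000),
               "bob": hash_password("Tr0ub4dor&3", iterations=50_000)}
    print("same password, different stored hashes:",
          hash_password("x", 1000) != hash_password("x", 1000))
    print("salted records cracked:", crack_salted(records, WORDLIST))
```

Salting removes the shared table; the iteration count is what makes each remaining guess expensive. A weak password ("linkedin") is still cracked in the salted case, which is the honest lesson: hashing protects the users who chose good passwords, not the ones who did not.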

Update: 09-Jun-2012:
It is truly very sad that LinkedIn is trying to be so evasive about this whole incident. Would have expected a little more responsibility from them. Their Post1 & Post2

Update 10-Jun-2012:
A good FAQ for the readers.
For now the dump is available here, but it may go offline soon. I have copied the dump of password hashes here as well. Drop me an email or comment below and I'll send the password to you.

Update 19-Jun-2012:
LinkedIn hit by a class action law suit.

Update 20-May-2016;
Almost 4 years later, the hacker decides to sell the dump. However, it seems he has 117M user records (not 6.5M). Unbelievable: the company lied!


Has Vupen been hacked?

Vupen is one of the biggest names when it comes to the research and sale of 0-day exploits. They did pretty well in the Pwn2Own contest as well. Now, a company like that wouldn't want to publicly admit that they got hacked, would they?
Full Story


Presidential Candidate Email Hacked

A hacker yesterday claimed to have broken into a personal email account linked to GOP presidential candidate Mitt Romney by answering "secret" password-reset questions.
Full Story


Flame Malware

Here is some info on this malware, which is supposedly funded by a government agency.

Update 04-Jun-2012:
If this article is true, it shows how serious the USA government (and maybe others) is becoming about using the cyber world for warfare.

Update 05-Jun-2012:
This is truly worrisome, "Flame is using valid but fake Microsoft certificates to sign the code through a bug in their CA system via Terminal Services". Microsoft has released an emergency patch to revoke the three certs in question.

Update on 07-Jun-2012:
Considering that MS's update feature was misused to spread the malware, it shows how serious the breach is.

Update on 11-Jun-2012:
“They said that it was Israeli intelligence that began, a few years earlier, a cyberspace campaign to damage and slow down Iran’s nuclear intentions.” It was only later that they managed to convince the US to join. The US is saying ‘we did it, and you helped;’ while Israel is saying, ‘no, we did it, and you helped.’
Well, doesn't really matter. Point to note is that WW3 may not have weapons at all.
BTW, there is now evidence to show that there is a direct link between the Flame and Stuxnet malware.

Update on 12-Jun-2012:
The rogue cert from MS was obtained via a previously explained vulnerability in SSL. Details are here and here.


Instant decryption of MS Office 2010 documents now possible

Passware announced Passware Kit Forensic 11.7, which includes live memory analysis and subsequent decryption of MS Word or Excel 2007-2010 files. In addition, the new version instantly decrypts PGP Whole Disk Encrypted volumes and recovers passwords for Apple disk images.
Full Story

RSA Software Tokens Hacked

As if the RSA hack last year wasn't enough, now researchers have found flaws in their software-based tokens.

What is a SSL cert?

A funny and interesting way to explain it to dummies (and a reference for the rest of us).

Anonymous claims it hacked a DOJ site

The U.S. Department of Justice said Tuesday it was looking into the unauthorized access of a website server in its statistics wing, after hacker group Anonymous claimed to have collected and released 1.7GB of data from it.
Full Story

Banking malware spies on victims by hijacking webcams, microphones, researchers say

A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their webcams and microphones, according to security researchers from antivirus vendor Kaspersky Lab.
Full Story


Anonymous #OpIndia Engaged

Update 09-May-2012:
This time the big guys have decided to attack the Govt of India. The rationale is (somewhat) explained in their YouTube video.

Update 20-May-2012:
The websites belonging to India’s Supreme Court, the Ministry of Communications and Information Technology, the Department of Telecommunications, and both of the nation’s political parties were targets. Full Story Here

How To Make An Auto Hacking Usb Drive

A simple way of creating malicious auto-run USB drives, to steal passwords or just to steal data.


Kickstarter's API bug exposes user data

Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter's developers working on the API itself).
Full Story


The Blackberry Project: how easily do we sell our privacy?

... as results from the project begin to appear, the main conclusion from Singularity appears to be a generational shift in attitudes towards privacy. The researchers “went to great lengths not to betray the confidence of the teens to their parents, even when some of the kids ran away from home or illegal activities were being discussed.” The kids seemed to be content with this.
Full Story


OpenDNS launches a tool to encrypt DNS requests

DNS requests [by default] are unencrypted, meaning that an interloper monitoring a person's internet traffic, such as over an unencrypted public Wi-Fi access point at an airport or cafe, could see the requests and compromise a person's privacy.
Full Story

Users Still The Weakest Link in the Security Chain

Well, it is an age-old, well-known fact. One of the many articles that talk about it.


Engineering mistake exposes clear-text passwords for Lion

A debugging switch inadvertently left on in the current release of Lion, version 10.7.3, records in clear text the password needed to open the folder encrypted by the older version of FileVault.
Full Story


Steganography used by al Qaeda

On May 16 last year, a 22-year-old Austrian named Maqsood Lodin was being questioned by police in Berlin. He had recently returned from Pakistan via Budapest, Hungary, and then traveled overland to Germany. His interrogators were surprised to find that hidden in his underpants were a digital storage device and memory cards. Buried inside them was a pornographic video called "Kick Ass" -- and a file marked "Sexy Tanja."
Full Story

Browser For Hackers

Best browser for hackers, with built-in features for hackers: OWASP Mantra Browser Security Framework for penetration testers.
Full Story

Hackers blackmail Belgian bank with threats to publish customer data

The hackers call their demand an "idiot tax" because the information was unencrypted on the bank's web server.
Cyber Extortion


Google StreetView's Wi-Fi Snooping

Okay, there was an intentional reason why I didn't post about this 2010 matter.

The Story via PCWorld:
Google's Wi-Fi woes started in 2010 after the company received a request from Germany's data protection authority to audit the information that Street View cars collected. As part of the project, Google was recording publicly available identifying information from Wi-Fi routers around the world in order to create a router location database to help improve the accuracy of location-based services for Android phones and other Google products. But the search giant also said its cars had mistakenly collected fragments of user data in the process.
Google's Response:
Google publicly apologized for the action, and got an external auditor to check their code, and also validate they have deleted all the personal information.

Realistic View:
So, how much personal data could a moving car have picked up? If a person leaves his house door open, and a person standing on the street inadvertently peeps inside and catches a glimpse of a confidential piece of paper, then who is at fault?


Sick SSL ecosystem: 90% of HTTPS sites insecure, 75% vulnerable to BEAST attack

Trustworthy Internet Movement's SSL Pulse shows that 90% of the world's 200,000 most popular HTTPS-enabled websites are actually insecure and 75% are vulnerable to the BEAST attack.
Full Story


VMWare's Source Code Leaked

The company says, it is no big deal, and brings no security risk. Hence, either their code is really really secure, or the company is really really stupid.


India overtakes U.S. as top email spam source

About 9.3% of worldwide spam traffic during the first three months of 2012 originated in India, Sophos says
Full Story

Most IT, security pros see Anonymous as serious threat

Bit9 survey shows that many IT professionals believe hacktivists are likely to target their organizations
Full Story


Anonymous AnonPaste

Anonymous releases AnonPaste, which is an alternative to PasteBin and can be used to make any posts anonymously. Press Release


Google warns 20,000 websites they could be infected with malware

The sites could be infected with JavaScript redirect malware and servers could be compromised, Google warned
Full story here


3 million bank accounts hacked in Iran

First, he warned of the security flaw in Iran’s banking system. Then he provided them with 1,000 bank account details. When they didn’t listen, he hacked 3 million accounts across at least 22 banks.
Full Story


10 SQL Injection Tools

The top free SQL injection tools.

Finding the New Encryption Standard

NIST began a public contest in 2008 to find a hash function to serve as the SHA-3 standard. Here is a status update on this project. One of the algorithms will be chosen in 2012.

Another update on the shortlisted candidates.


Hack compromises personal data of Utah Medicaid recipients

The Utah Department of Technology Services (DTS) has admitted that cybercriminals stole personal information on 181,604 Medicaid and Children’s Health Insurance Plan (CHIP) recipients, including social security numbers of 25,096 individuals.


485 Chinese Websites Defaced - Courtesy Anonymous

This time they claim to educate the users against their government:
Hello, we are Anonymous. All these years the Chinese Government has subjected their people to unfair laws and unhealthy processes. People, each of you suffers from tyranny of that regime. Fight for justice, fight for freedom, fight for democracy!


Hackers Claim To Be 'LulzSec Reborn'

Update 27-Mar-2012:
Undeterred by the recent arrest of key hackers tied to Anonymous and LulzSec, members of a mischief-making ring calling themselves "LulzSec Reborn" took on some high-profile targets this week.


Securing your Board of Directors' communication portal

Interesting article, talks about how to secure the board of directors, who arguably have access to the most confidential data in the entire organization.


Full Disk Encryption

Advantages of full disk encryption: according to researchers, full-disk encryption is hampering police forensics.

Update - 21-Mar-2012:
So, what is the best way to protect personal data on a workstation?
Is it Full Disk Encryption?
  • Yeah, but what if a court orders you to reveal your password?
  • Or what if a guy just steals your encrypted laptop and runs away?
Here is an article with the best solution. The solution described is around creating hidden, encrypted volumes using TrueCrypt.

Indian company hacks GSM and usurps IMSI

Seems like GSM service providers are not always encrypting the traffic as they should be.


MS12-020 RDP Vulnerability

Another 0-day bug, which has been in the wild for 1 year! Still a mystery how the PoC got leaked!!!

Microsoft blames security info-sharing program for attack code leak.

Update 04-May-2012:
Microsoft boots Chinese firm for leaking Windows exploit


"Quis custodiet ipsos custodes" – "Who watches the watchmen" Awards!!!

The Big Brother Awards honor individuals, companies and government institutions that “have severely violated privacy.” There are three prize categories: People, Companies and Government.

The winners:

  1. Dutch minister Edith Schippers was awarded the People prize
  2. Facebook won the Company award
  3. The Government prize was awarded to the national police (the KLPD)

Anonymous Rolls Out A Hacking OS

Update: 15-Mar-2012:
Surprises keep on coming...
Anonymous has now released an Ubuntu-based distribution, to "test the security of the websites". Points to note:
  • It has only been released as a live-cd. Hence, there is no intention of hiding some back-doors in there
  • They explicitly refuse to accept donations for this project. I can only assume they are well funded
Update: 16-Mar-2012:
In their twitter feed, Anonymous declares, "The Anon OS is fake it is wrapped in trojans. RT"

In India, 112 government websites hacked in three months

This is really insane, about time the Govt becomes serious about IT Security.


How Anonymous plans to use DNS as a weapon

Update 08-Mar-2012:
This is of course only a theoretical concept. A full-scale DNS attack has never been conducted.

Update 29-Mar-2012:
Alright, so Operation Global Blackout is fast approaching, i.e. 31-Mar-2012. That is the day Anonymous is supposedly going to take down the internet, using DDoS on DNS servers. Of course, there are varying theories around this threat, but all in all it still seems very unlikely to completely bring down the internet.

Update 01-Apr-2012:
The day comes and goes, and there is no evidence of even an attempt to attack the DNS servers.

Update: 26-May-2012:
So, Anonymous fooled us (or joked or lied) about trying to bring down the internet. Of course, we all know a simple DDoS attack is not going to cripple the net. Here is an article that actually tells us how to kill the internet, and let me assure you, it ain't simple.


Free Cryptography Course

Cryptography is the one IT Security subject that is closest to my heart, and is also probably the most important subject for us to be knowledgeable in. Stanford University is offering a free online 6-week course, and I am amazed to see what an unbelievable course they have set up.

The course officially starts on 12-Mar-2012, but they have already released the first week's course material, and I can tell you this is NOT one of the typical "free" nonsense stuff.

Each week, the students have to study the video lectures, then pass an online exam, plus an assignment. It is pretty intense.

Anonymous Take Out Vatican Site

This seems out of the ordinary. Anonymous attacks the Catholic Church!!

The same website gets hacked a second time. This time the justification is even more bizarre.


Online Virus Analyser

A very good list of websites to trust when trying to clean your network of a malware infection.



Okay, the internet for sure has many, many concerns and issues when it comes to user privacy, with all the social networking sites, blogs, video-sharing, file-sharing, etc.

However, this one site for sure makes me wonder if we have started to cross the line?!

Detect if visitors are logged into Twitter, Facebook or Google+

A nice hack to find out which social networking sites your web visitors are logged on to.

Schneier reveals three biggest information security risks in 2012

Always a good read by Bruce Schneier.

SQL and XSS vulnerabilities will be the fastest growing threat of 2012

What to look out for in 2012

Stolen NASA Laptop Had Space Station Control Code

"NASA had 5,408 computer security lapses in 2010 and 2011". Full story here

NASA says it was hacked 13 times last year

Hackers had 'full functional control' of Nasa computers

NASA's rebuttal: "The thief cannot control the space station, because the codes can only be used from within the Command Center at Houston." Never heard something as stupid as this.


Google's "We are changing our privacy policy"

I am sure everyone would have noticed Google's message by now. Of course, most of us would not have bothered to read it. However, it is very worrisome what Google's new privacy policy looks like, which goes into effect on 01-Mar-2012!!

Here is a blog, which simplifies the legal jargon for common users.

Update 26-Mar-2012:
Google customers launch class action suit over privacy policy

Microsoft Store in India hacked, user data leaked, passwords stored in plain text

The Microsoft Store India was hacked by Evil Shadow, a team of Chinese hackers, who tagged the site with 'Unsafe system will be baptized.' More embarrassing than the defacement, the hackers breached the database and then leaked usernames and passwords which had been protected with no encryption. That's right, Microsoft which supposedly takes privacy very seriously, had stored passwords as plain text in the Microsoft Store.
Full Story Here!

Update 28-Feb-2012: This gets worse and worse. Now MS admits that the credit card information was also being stored in plain text, and has been compromised as well. Microsoft's India store is still unavailable at the time of this post.


Bangladesh Cyber Army Threatens Indian Stock Market

Bangladesh Cyber Army (BCA) has released a video threatening to attack the Indian stock markets. On the other hand, three such websites have been down for some time now (maybe it's a coincidence, or maybe it is really an attack).
Full story here!

16-Feb-2012: In retaliation, an Indian hacker by the name of 'Silent Hacker' defaced 30 Bangladeshi government websites.

Nortel repeatedly breached over a decade

Sigh, no wonder the poor guys went bankrupt... Seriously poor management!

Demand for information security professionals remains strong

Only 7% of information security professionals were unemployed at any point during 2011, with nearly 70% reporting a salary increase, and 55% expecting to receive an increase in 2012, according to a survey by non-profit IT security trade group (ISC)².
Full story here!

Foxconn said to have been hacked by group critical of working conditions

Hackers claimed to have stolen internal data from Apple supplier Foxconn, and leaked the information online, in response to media reports of poor working conditions at the electronics manufacturer's factories in China.
Story Here

Google-Motorola Purchase May Help Android

More about this merger