January 2007


parisexposed.com: do not sign up!

parisexposed.com, that opportunistic attempt to make money off Paris Hilton’s personal belongings, has no encryption whatsoever on its signup page (the form is served over plain HTTP, so everything typed into it crosses the network in the clear):

Sign up at your peril!


Written by pinolobu on January 31st, 2007.

Zone-H website defaced for the second time in one month?

Zone-H, the world’s de facto defacement/cybercrime archive, which MAMPU/gCERT uses to get information on defaced government websites, has proved that even a site run by full-time ICT security people and headed by Roberto Preatoni [1], a world-renowned ICT security expert, cannot be kept 100% secure.

Roberto Preatoni (aka Sys64738), 37, is the founder of the defacement/cybercrime archive Zone-H (http://www.zone-h.org). He is also CEO of an international ITsec company (Domina Security) which is active in European and former Soviet countries. He has been globetrotting, lecturing at several ITsec conferences, including Defcon in the US. He has been interviewed by several print and online newspapers, where he shares his experiences relating to cyberwar and cybercrime. He is also a regular speaker at Malaysia’s top annual ICT security conference, organised by hackinthebox.org, whose team includes arguably Malaysia’s top hacker, Dinesh Nair.

It was defaced during Christmas 2006, its first security breach via “genuine hacking” since 2002. Other security incidents have happened, but those “had been by means of stolen passwords (social engineering against one of our many, many, many contributors) and by means of privilege escalation from within the administrative login, done by one of our first (stupid) Zone-H staff members.”

A full account and detailed explanation of how the crackers managed to do it is available at http://www.zone-h.org/content/view/14458/31/

In essence, Preatoni himself concluded that their faults were:

1) Having a staff member who was not wise enough to recognize a Hotmail XSS attack. [knowledge/skill issue]
2) Not finding the php shell uploaded [by the cracker], which was useless at that time. Zone-H contains 80 gigs of files, but this is no excuse. [workload issue?]
3) Not acknowledging in time the JCE component advisory (and we all make our living by reading tons of advisories every day…) [human issue]

Then, 2 days ago, Zone-H was apparently defaced again [2] by Saudi Arabian crackers. Later, Preatoni again issued a statement, saying that it was not their fault but rather their DNS registrar’s. The crackers somehow obtained the password for the domain management page and changed the DNS entries, pointing the zone-h domain to an IP address belonging to the crackers, on which they mounted the defacement page. The “defacement” lasted 48 hours because the registrar would only communicate via email. The lesson is that even if our own systems are intact, a compromise of an upstream such as the registrar still leaves us and our services inaccessible.
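A registrar-level hijack like the one described above is invisible to checks that only watch the web server, because the server itself is untouched. The following Python is added here as an example and is not code from Zone-H or from this post: it parses a constructed dig-style snapshot of a hypothetical zone and reports a changed NS delegation separately from an A record that points outside the operator’s own address space. The zone name, nameservers and addresses are all constructed.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed baseline for a hypothetical zone "victim.example.": the
# delegation (NS) and web address (A) the operator expects to see.
EXPECTED: Dict[str, Set[str]] = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
}
# Constructed: address ranges the site's own hosting uses (RFC 5737 TEST-NET).
OWN_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed snapshot in dig answer-section format, modelling the incident in
# the post: the delegation now names servers and an address the operator
# does not control.
HIJACKED_SNAPSHOT = """\
victim.example. 300 IN NS ns1.attacker-dns.example.
victim.example. 300 IN NS ns2.attacker-dns.example.
victim.example. 300 IN A 198.51.100.77
"""

def parse_snapshot(text: str) -> Dict[str, Set[str]]:
    """Turn 'name TTL IN TYPE value' lines into {TYPE: {value, ...}}."""
    records: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines and anything that is not a record
        records.setdefault(parts[3], set()).add(parts[4])
    return records

def check_zone(expected: Dict[str, Set[str]], observed: Dict[str, Set[str]],
               own_netblocks) -> List[str]:
    """Return alerts describing how the observed records deviate from baseline.
    An NS change is reported first and labelled DELEGATION: the zone file may
    be untouched while the registrar account has been used to repoint it."""
    alerts: List[str] = []
    want_ns, got_ns = expected.get("NS", set()), observed.get("NS", set())
    if want_ns != got_ns:
        alerts.append("DELEGATION: NS set changed; added=%s removed=%s; "
                      "check the registrar account, not just the servers"
                      % (sorted(got_ns - want_ns), sorted(want_ns - got_ns)))
    for ip in sorted(observed.get("A", set()) - expected.get("A", set())):
        if any(ipaddress.ip_address(ip) in net for net in own_netblocks):
            alerts.append("A: unexpected in-house address %s; verify zone edit" % ip)
        else:
            alerts.append("A: %s is outside own netblocks; likely hijack" % ip)
    return alerts
```

Run periodically against a fresh resolver snapshot (and ideally from more than one vantage point), the DELEGATION alert is the one that tells you to phone the registrar rather than audit your own servers.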
ref:
[1] http://conference.hitb.org/hitbsecconf2006kl/?page_id=101
[2] http://digg.com/tech_news/Archive_of_Defaced_Websites_Defaced_by_Saudi_Arabian_Hackers
[3] http://www.zone-h.org/content/view/14498/31/

Tags: zone-h, defacement, cracking

Written by pinolobu on January 24th, 2007.

Singapore teen gets probation, community service for using neighbour’s wireless internet link

The Sydney Morning Herald reports on 16th Jan 2007 that a Singaporean teenager who illegally tapped into a neighbour’s wireless Internet network - an offense the city-state deems punishable by jail - was placed on 18 months’ probation by a district court Tuesday.

The court also ordered Garyl Tan Jia Luo, 17, to carry out 80 hours of community service after he admitted linking his computer to his neighbour’s wireless router to access the Internet without permission.

Tan could have been jailed for up to three years and fined S$10,000 (US$6,500; €5,000).

Senior District Judge Bala Reddy cited a probation report as saying Tan had been addicted to Internet gaming at the time of the offense, adding the teenager had "few friends, if not none."

Reddy said Tan should seek "disciplined and structured psychiatric and psychological intervention" to cure his addiction.

Tan is the first Singaporean to have been prosecuted and convicted for tapping illegally into a wireless Internet network, an offense under the Computer Misuse Act, according to Tan’s lawyer, Sam Koh.

A second Singaporean is currently facing 60 charges of illegally accessing wireless Internet networks.

This would seem to be theft, so would a similar offence be punishable as theft in Malaysia? Or is it covered under the existing cyberlaws?


Written by pinolobu on January 17th, 2007.

Vulnerability discovered in Adobe’s Acrobat PDF software

The Star reports on 4th January that computer security researchers said they have discovered a vulnerability in Adobe Systems Inc.’s ubiquitous Acrobat Reader software that allows cyber-intruders to attack personal computers through trusted Web links. 

Virtually any Web site hosting Portable Document Format, or PDF, files is vulnerable to attack, according to researchers from Symantec Corp. and VeriSign Inc.’s iDefense Intelligence.

The attacks could range from stealing cookies that track a user’s Web browsing history to the creation of harmful worms, the researchers said Wednesday. 

The flaw, first revealed at a hacker conference in Germany over the holidays, exists in a plug-in that enables Acrobat users to view PDF files within Web browsers. 

By manipulating the Web links to those documents, hackers and online thieves are able to commandeer the Acrobat software and run malicious code when users attempt to open the files, according to Ken Dunham, director of the rapid response team at VeriSign’s iDefense Intelligence. 

Dunham gave this hypothetical scenario: an attacker finds a PDF file on a banking Web site. The attacker creates a hostile Web site that links to the bank’s PDF file.  

Included is malicious JavaScript code that will run on the unsuspecting user’s computer once the link is clicked. 

"PDF is trusted and tried and true; everyone uses it," Dunham said. "But instead of just viewing the file, you’ve initiated script that shouldn’t be executed. All you have to do is click on the PDF and the ball starts rolling."

Representatives from Adobe did not return a call from The Associated Press on Wednesday night. 

The flaw appears to target Microsoft Corp.’s Internet Explorer 6.0 Web browser and earlier versions, and Mozilla’s Firefox browser, the researchers said. 

They recommended that users protect themselves by upgrading Internet Explorer or changing Firefox’s user options so the browser does not use the Acrobat plug-in. 

Researchers said it’s unclear how pervasive or harmful any future attacks might be. 

"Given that it is easy to exploit, I would expect that we will see this method used considerably in the coming days and weeks, until it is resolved,” a Symantec researcher said in a posting on a company Web log.


Written by pinolobu on January 4th, 2007.

New security hole fixed: Google

cbc.ca reported on 2nd January:

Google Inc. on Tuesday said vulnerabilities in its software had been fixed and criticized their revelation online over the holiday weekend.

Bloggers who write about the internet search giant had reported security holes that would allow a specially crafted website to obtain the Gmail contact lists of users who have logged into the free e-mail service or other services such as Blogger that require people to sign into their Google accounts.

People could also gain access to the contact lists by copying and pasting a piece of computer code into a web browser.

The flaw could have enabled an attacker to send malicious messages that contain viruses or other malware to people on an exposed contact list.

Google had repaired the identified problems by Monday afternoon — a little more than a day after receiving reports about them, Heather Adkins, Google’s security manager, said in a written statement e-mailed on her behalf to CBC News Online.

"We were first notified that this issue affected Google Video and fixed it within a few hours," Adkins’ statement said, adding that the company later received word that the problem was more widespread.

"The problem with the other products was resolved within 24 hours of the second report. To our knowledge, no one exploited the vulnerability and no users were impacted."

Google Video is the online video sharing service that the company built before buying popular competitor YouTube Inc. on Oct. 9, 2006.

Teen exposed flaw

Adkins’ statement included remarks that were critical of the manner in which the security hole was brought to light.

"We strongly encourage anyone who is interested in researching and reporting security issues to follow responsible disclosure practices including giving vendors ample time to respond to reports," the e-mail read.

"Responsible disclosure allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys."

The vulnerability was discovered by 16-year-old Haochi Chen of Columbus, Ohio, who reported it on his Googlified blog on Dec. 30.

Chen told CBC News Online on Tuesday that he agreed with Google that care should be exercised when disclosing security holes.

"I think they’re right," Chen said.

Asked whether he would do anything differently, he said, "I would wait for a couple of days" more before publishing news of a vulnerability.

But he insisted that the manner in which he exposed the problem was legitimate. "There’s nothing wrong with it."

‘This feature could be dangerous’

Chen stated in his blog that he discovered the problem after tinkering with an undocumented feature of the Google Video service that lets users e-mail videos to people in their Gmail contact list.

The e-mail feature was reported the same day by Ionut Alex Chitu, who describes himself as a Romanian student who runs the Google Operating System blog.

"This feature could be dangerous," Chen wrote about the contact list problem on Dec. 30.

The next morning he followed up with a comment on his original post, stating, "It is very dangerous. I just confirmed with a few other people. I have also notified the Google Security team."

According to another post by Chen on Jan. 1, Google responded to his alert some 30 hours after he reported the flaw to them — only after word of the vulnerability had spread through a post to the popular social networking news site Digg.

Chen told CBC News Online on Tuesday evening that he had not received any further communications from Google.

In late December, the company also had a problem related to its Gmail free e-mail service, in which users’ stored messages and even their entire accounts were irretrievably deleted.


Written by pinolobu on January 3rd, 2007.

Software secretly spies on SMSes

As reported by The Star, 2nd January 2007:

The eye-catching advertisement screams in its headline "How to Catch a Cheating Spouse" and promises all the evidence you will need to nail your straying partner.  The ad is for a "discreet and fail-safe" software program that will secretly forward all incoming and outgoing SMS messages from your partner’s phone to you.  

Offered by one Jopca Solutions, it costs S$200 (RM460) to forward just incoming messages and double that if you want outgoing messages as well.  

It takes mere minutes to download the software into the phone to be spied on and it leaves no trail – forwarded messages do not appear in the "Sent" folder.  

The difficulty is in sneaking your partner’s phone out for the company to install the software. Also, the software is compatible with only certain models of mobile phones.  

For the paranoid and suspicious, the program takes snooping to a new level, but to many, it is a clear invasion of privacy.  

Concerns about privacy aside, a person who uses such software could be running afoul of the law.  

Said lawyer Adrian Tan: "Anyone using or selling the software can be found guilty under the Telecommunications Act for the fraudulent retention of messages."  

Another lawyer said software users are also in breach of the Computer Misuse Act for installing software without the owner’s permission. If found guilty, users can be fined up to S$10,000 (RM23,000) or jailed up to three years, or both.  

Michael Ng, who identified himself as a shareholder and employee of Jopca Solutions, said he has received 80 calls since the ad ran about two weeks ago.  

He denied that the company is breaking any laws. "We do not retain any messages. We just forward them to another mobile phone."  

Suspicious spouses make up 25% of his customer base. The majority, around 60%, are parents who wish to check on their teenage children. – The Straits Times / Asia News Network

These are excerpts from Loh Wei Loong’s review of the software in The Straits Times, dated 31st December 2006:

…a software program that can secretly forward all SMS messages from one phone to another, without leaving a trail.

Jopca Solutions’ Mr Michael Ng even promised me my money back if his software did not work.

The secret was the program he claimed to have devised. In effect, when installed on my wife’s phone, a copy of all SMSes she sent or received would also be sent to my phone.

And she would never find out, he assured me. The program would not show up on the phone’s main menu and there would be no record of outgoing messages in her ‘Sent’ messages folder.

He did say that the software was only compatible with the Nokia 6000 series or the N70 phone, explaining that he had yet to configure the program to other phone operating systems.

I did an online search and came across SMS Anywhere, a program that promised to deliver all that Mr Ng quoted me, but for a mere US$23.90 (S$36). After getting my hands on a Nokia N70, I arranged to meet Mr Ng. As soon as we sat down, the slightly plump man with neatly combed hair whipped out three phones - two regular phones and his Nokia N70.

When he used one of the regular phones to text the N70 - the phone being ‘spied’ on - the SMS also appeared on the third phone, complete with the number of the originating phone and the name assigned to that number on the N70.

When he replied to the SMS with the N70, the sent message was forwarded to his third phone.

But I noticed that whenever the N70 forwarded an SMS, an ‘Outgoing’ icon popped out on its screen for two seconds before blinking out. Wouldn’t that be a giveaway, I asked.

‘It is not noticeable,’ was all Mr Ng said.

Whipping out a laptop from his backpack, he proceeded to hook my N70 up and in less than two minutes, told me that the installation was complete.

‘The installation is fast because I have had cases in which the husband can get hold of the wife’s phone for only a few minutes and I’m at his void deck waiting for him, to install it,’ he explained.

He went on to show me the instructions on using the software. By texting one of four alphanumeric codes to the N70 - it doesn’t show up as an SMS - I can either turn the software on or off, change the password or replace the number to which the SMS messages are forwarded.

After pocketing my $200, he warned me to keep my phone on silent mode when I’m with my wife. ‘It would be too much of a coincidence if, every time she received an SMS, your phone rang as well.’

Back home, I managed to get my wife to use the N70 for the day. It worked. I got all her SMSes from her friends and siblings, asking to meet up for shopping. Thankfully, there was nothing to worry about.


Written by pinolobu on January 2nd, 2007.