Continue reading »]]> MOSCOW – Russia’s biggest retail bank is testing something that the old K.G.B. might have loved, an automated teller machine with a built-in lie detector intended to prevent consumer credit fraud.

New customers could talk to the machine to apply for a credit card, with no human intervention required on the bank’s end.

The machine scans a passport, records fingerprints and takes a three-dimensional scan for facial recognition. And it uses voice-analysis software to help assess whether the person is truthfully answering questions that include “Are you employed?” and “At this moment, do you have any other outstanding loans?”

The voice-analysis system was developed by the Speech Technology Center, a company whose other big clients include the Federal Security Service – the Russian domestic intelligence agency descended from the Soviet K.G.B.

Dmitri V. Dyrmovsky, director of the center’s Moscow offices, said the new system was designed in part by sampling Russian law enforcement databases of recorded voices of people found to be lying during police interrogations.

The big bank involved, Sberbank, whose majority owner is the Russian government, said it intended to install the machines in malls and bank branches around the country, but had not yet scheduled the rollout. Technology consultants say it would be the banking world’s first use of voice analysis in automated teller machines.

It was the global financial crisis, partly prompted by loans that people could not or would not repay, that prompted Sberbank to tap Russia’s national security experts as it set out to automate banking activities, said Victor M. Orlovsky, a senior vice president for technology at the bank.

The software detects nervousness or emotional distress, possible indications that a credit applicant is dissembling. That information, Mr. Orlovsky said, would be used in combination with other data, including credit history.

Sberbank says that to comply with Russian privacy law, the bank plans to store customers’ voice prints on chips contained in their credit cards rather than on a central database.

In addition, Mr. Orlovsky said the bank planned to make consumers aware of the types of information, including biometrics, that the machine would be collecting. But the technology center says even people who know about the voice-stress program would have trouble fooling it.

One of the center’s other products measures anger and is already installed at the telephone call center of the Russian national railways.

“We are not violating a client’s privacy,” Mr. Orlovsky said.

“We are not climbing into the client’s brain. We aren’t invading their personal lives. We are just trying to find out if they are telling the truth. I don’t see any reason to be alarmed.”

Continue reading »]]>

Some of the details are beginning to emerge about the 10 Russian spies that were captured in the US. According to an article on The Register, the spies communicated with Ad-Hoc Wi-Fi networks and hid messages in pictures using Steganography.

FBI agents monitored 28 year old Russian spy Anna Chapman as she communicated with a Russian government official. Anna would go to a book store and using her laptop, created an Ad-Hoc Wi-Fi connection to a Russian contact who was outside the store:

Surveillance agents nearby used “a commercially available tool that can detect the presence of wireless networks” to witness the creation of the ad hoc networks. NetStumbler is probably the most popular example of such software. Law enforcement agents were able to detect a particular MAC address – MAC address A – at the time that Chapman was observed powering on her laptop computer,” the complaint says. Law enforcement agents were also able to determine that the electronic device associated with MAC address A created the ad hoc network.”

The spies also embedded secret messages in pictures and uploaded them to sites where Russian officials retrieved them, and decoded the messages.

A New Jersey search uncovered a network of websites, from which the alleged spies had downloaded images. “These images appear wholly unremarkable to the naked eye,” the complaint explains. “But these images (and others) have been analyzed using the steganography program. As a result of this analysis, some of the images have been revealed as containing readable text files.”

It is interesting to see the tactics used by modern spies. Of course Russia is denying any and all involvement. Kudos to the FBI for taking them down.

Continue reading »]]> In their latest “Weekly Threat report”,VeriSign’s iDefense Intelligence Operations Team has profiled the underground market proposition of someone claiming to have 1.5 million compromised Facebook accounts available for sale.

The pricing method is based on the number of contacts per compromised account, presumably with the idea to allow easier spreading of related malicious content across Facebook.

Here’s an excerpt from the report, and a brief FAQ on the underground ad.

• “On Feb. 10, 2010, (cybercriminal) stated that he or she is selling 1.5 million compromised Facebook accounts, in bulk quantities, belonging to users in various countries. The price per 1,000 accounts varies based upon the number of friends and contacts that each account possesses. For a purchase of compromised accounts containing 10 contacts or fewer, a buyer must pay $25 per 1,000 accounts. A purchase of compromised accounts containing 10 or more contacts requires a buyer to pay $45 per 1,000 accounts. Accounts containing zero contacts are also available for bulk purchasing from (cybercriminal), at the cost of $15 per 1,000 accounts. The prices of these accounts are presumably in USD or the equivalent amount in some form of electronic currency.”

Sometimes, there’s no honor among cybercriminals (Phishers increasingly scamming other phishers), just like there isn’t among “real life” thieves.

From the distribution of backdoored web interfaces to web malware exploitation kits, to the actual “binding” of additional malware to the original release, sophisticated or at least cybercriminals with experience, have realized that there are thousands of potential cybercriminals that could unknowingly start working for them. The process of “cybercriminals attempting to scam novice cybercriminals” demonstrates just how vibrant the ecosystem has become these days.

With a huge percentage of the underground marketplace driven by reputation, this is exactly what this particular seller of Facebook data is missing. Moreover, with quality assurance now an inseparable part of the cybercrime ecosystem, the seller is not just skipping the time frame in between which the accounts were compromised, he is also not mentioning have many of them are actually verified as working.

These, and several other factors make me skeptical on the quality of this underground proposition.

If we consider that the cybercriminal’s claims to be true, how did he manage to obtain 1.5 million Facebook accounts?

The ad is clearly stating that they are accounts with contacts, meaning they’re compromised, and other which have zero contacts, meaning they’ve been automatically generated by outsourcing the CAPTCHA-solving process to international teams specializing in the process.

The compromised accounts could have been obtained through the emerging Cybercrime-as-a-Service (CaaS) market model. For instance, if he has paid $100 for 3GB of raw crimeware data, and the data mining allowed him to compile a list of 1.5m Facebook accounts, based on the current price, he’ll automatically break-even.

Phishing campaigns shouldn’t be excluded as a possibility, however, it remains unclear whether the seller has launched them personally, or managed to purchase the raw data from someone else.

What kind of a business model within the cybercrime ecosystem would allow him to sell the data so cheaply, and still make a profit?

It’s a business model with an ever-decreasing cost of supply, based on the currently active “malicious economies of scale” phrase. This efficiency-driven cybercrime model is in fact so successful, that whether consciously or subconsciously, cybercriminals are realizing the basics of market liquidity, and the time value of “underground goods”, in particular the decreasing future value of assets like the Facebook accounts — the value becomes zero when the affected user changes his password from a malware-free host.

Why would a cybercriminal want access to your Facebook account?

For a variety of fraudulent reasons, all of them exploiting the already established trust relationship between the compromised account’s holder and his network of friends.

From “money transfer schemes” where the fraudster is supposedly stuck somewhere and requires cash, to a malware campaign relying on nothing else but a status message leading to a client-side exploits serving site. Your network of friends, turns into his network for propagation of fraudulent/malicious schemes and campaigns.

VeriSign’s iDefense also makes an interesting observation.

With Facebook’s user base growing to 300 million people across the globe, this indispensable marketing platform can be easily integrated into the cybercriminal’s arsenal, with localized and targeted social engineering attacks relying on basic market segmentation, launched with the idea to achieve a higher conversion rate, compared to mass marketing approaches.

Fact or fiction, based on the ad’s content, this is perhaps the perfect time to change your Facebook password from a malware-free host, since a strong password is just as weak as the weak one in general if there’s malicious code present on the system.

Written By : Dancho Danchev

Continue reading »]]> Mohit Sharma

Apr 03, 2010

http://www.indianexpress.com/news/hacker-held-for-duping-job-aspirants/599464/

The Delhi Police arrested a professional hacker on Friday who led a gang which allegedly duped hundreds of youths by promising them jobs as technicians and airline crew.

Police identified the accused as Amritesh and said they are raiding several places in Delhi to nab his associates.

Amritesh, the police said, had hacked a popular job website — he would find out probable victims and stay in touch with them until they paid money for the promised job.

Police sources said at least 25 students who were cheated by the gang approached the Safdarjung Enclave police on Friday, alleging they have been duped of lakhs of rupees.

Abhinav, a student, said, “Amritesh promised me a job with a popular airline for Rs 80,000. He even gave me joining letters printed on the airlines’ letterheads and affidavits. He also arranged meetings with a person who claimed to be the HR head of the airline. He said I could join work in January.”

Continue reading »]]> By Sean Hollister

Mar 9th 2010

http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/

Since 1977, RSA public-key encryption has protected privacy and verified authenticity when using computers, gadgets and web browsers around the globe, with only the most brutish of brute force efforts (and 1,500 years of processing time) felling its 768-bit variety earlier this year. Now, three eggheads (or Wolverines, as it were) at the University of Michigan claim they can break it simply by tweaking a device’s power supply. By fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the password. With a small cluster of 81 Pentium 4 chips and 104 hours of processing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it. That’s why they’re presenting a paper at the Design, Automation and Test conference this week in Europe, and that’s why — until RSA hopefully fixes the flaw — you should keep a close eye on your server room’s power supply.

Continue reading »]]> Insecurity complex still rife shock

By John Leyden

30th March 2010

http://www.theregister.co.uk/2010/03/30/password_security_still_pants/

Nearly a quarter of people (23 per cent) polled in a survey by Symantec use their browser to keep tabs on their passwords.

A survey of 400 surfers by Symantec also found that 60 per cent fail to change their passwords regularly. Further violating the ‘passwords should be treated like toothbrushes’ maxim (changed frequently and not shared), the pollsters also found that a quarter of people have given their passwords to their spouse, while one in 10 people have given their password to a ‘friend’.

Password choices were also lamentably bad. Twelve of the respondents admitted they used the phrase ‘password’ as their, err, password while one in ten used a pet’s name. The name of a pet might easily be obtained by browsing on an intended target’s social networking profile.

Eight per cent of the 400 respondents said they used the same password on all their online sites, a shortcoming that means a compromise of one low-sensitivity account hands over access to a victim’s more sensitive webmail and online banking accounts. The survey respondents came from readers of Symantec’s Security Response blog, who might be expected to be more security savvy than the general net population, though the survey shows many of them making the same basic errors that crop up time and again in password security surveys.

Symantec has put together its findings together with a list of suggestions for picking better passwords, a basic but woefully overlooked security precaution, in a blog post at  http://www.symantec.com/connect/pt-br/blogs/password-survey-results.

The net security firm advised computer users to pick a mix of numbers, letters, punctuation, and symbols when picking passwords. This may be derived from taking a memorable phrase and altering it by replacing characters with symbols, for example. Surfers should avoid personal information, repetition and sequences in passwords, Symantec further recommends.

Continue reading »]]> IANS / PTI

The Hindu

March 2010

http://beta.thehindu.com/business/article193044.ece

There have been attempts to hack into the government computer network, but till date there has been no loss of vital information, says Minister of State for Communication and Information Technology Sachin Pilot.

“Yes, there have been attempts but I can categorically say that not one attempt has been successful,” the minister said. “The government’s computer network system, maintained by the National Informatics Centre, is highly efficient,” Mr. Pilot told IANS in an interview.

Earlier this year, hackers tried to penetrate government computers in vital ministries including the office of the National Security Adviser (NSA). These attacks, officials said, originated in China.

According to the Computer Emergency Response Team, a cyber security advisory and referral agency of the Department of Information Technology, 570 Indian web sites were defaced by hackers during January this year, against 271 during the like month of last year.

During the whole of last year, a total of 6,023 cases of defacement were reported.

The agency also said that during January, out of 246 cyber-security incidents, as 63 percent related to spamming, 18 to phishing, 8 percent to malicious viruses, 76 percent to unauthorised scanning and the rest to other categories.

Former NSA M.K. Narayanan, who is currently West Bengal governor, had stated that his office and other government departments were targeted on the same date that U.S. Defence, Finance and Technology companies, including Google, reported cyber attacks from China.

The hackers had sent an e-mail with a PDF attachment containing a Trojan virus. But the virus, which allows hackers to download or delete files, was detected and officials were told not to log on until it was eliminated.

Mr. Pilot pointed out that such hackers were usually scanning the entire system to find weak spots. “But our people are very efficient and well trained. Safeguards have ensured that national security has not been breached.”

The Ministry of External Affairs and Indian embassies have instituted stringent protocol on the use of e-mails by serving officers, which includes frequently changing passwords and using e-mails only for routine communication.

Besides, the ministry has instituted a periodic security review of all computers to ward off cyber threats.

Continue reading »]]> William Maclean, Security Correspondent

Reuters

Feb 22, 2010

http://www.reuters.com/article/idUKTRE61L37B20100222

LONDON (Reuters) – The best weapon against the online thieves, spies and vandals who threaten global business and security would be international regulation of cyberspace.

Luckily for them, such cooperation does not yet exist.

Better still, from a hacker’s perspective, such a goal is not a top priority for the international community, despite an outcry over hacking and censorship and disputes over cyberspace pitting China and Iran against U.S. firm Google.

Nations are thinking too parochially about their online security to collaborate on crafting global cyber regulation, an EastWest Institute security conference heard last week.

Policy statements from governments around the world are dominated by the need to heighten national cyber defenses. As a result, too many cyber criminals are getting a free ride.

“Nations are in denial,” a cyber law expert told Reuters, saying national legislation was of limited use in protecting users of a borderless communications tool.

“It may take a big shock of an event to wake people out of their complacency, something equal to a 9/11 in cyberspace,” he said referring to the 2001 coordinated attacks on U.S. cities.

With a quarter of humanity connected to the Internet, cyber crime poses a growing danger to the global economy.

TARGET THE PERPETRATOR

The FBI tallied $264 million in losses from Internet crime reported by individuals in the United States in 2008 compared to $18 million of losses from 2001: These were probably a fraction of the losses caused to companies and government departments.

The menace extends to many sectors including control systems for manufacturing, utilities and oil refining, since many are now tied to the Internet for convenience and productivity.

A priority for regulators is to find ways of tracking down criminals across borders and ensuring they are punished, a tough task when criminals can use proxy servers to remain anonymous.

“We cannot postpone the debate until we are in the midst of a catastrophic cyber attack,” former U.S. Homeland Security Secretary Michael Chertoff told the conference.

“We must formulate an international strategy and response to cyber attacks that parallels the traditional laws governing the land, sea, and air.”

Security experts say the ability to conduct disastrous mass cyber attacks is the preserve of some governments, well beyond the capacity of militant guerrilla groups like al Qaeda.

But it cannot be assumed that international organized criminal networks, long practiced at mass online fraud and theft, are not developing an interest in gaining this ability.

“Cyber crime is a very sophisticated crime with very sophisticated players and it takes a multinational effort to make sure we can enforce the law,” Dell Services President Peter Altabef told Reuters.

“Once you have identified who is at fault you really want to make sure, as a deterrent, that you can go to those jurisdictions and enforce the laws on the books.”

James Stikeleather, Dell Services Chief Technology Officer, told Reuters that tracking own criminals across borders could pose legal issues for drafters of multilateral regulation.

Giving an example, he said the more companies added the technology needed to give investigators the ability to attribute a crime, the more users’ privacy and anonymity would be reduced.

“PLAYING WITH FIRE”

“Probably the sticking point among the governments will be ‘where is the appropriate level of attribution versus anonymity or privacy for what people are doing (online)’.”

Datuk Mohammed Noor Amin, chairman of the U.N.-affiliated International Multilateral Partnership Against Cyber Threats, said failure to regulate could perpetuate cyber “failed states.”

He cited impoverished countries where customers can purchase unregistered SIM cards with mobile Internet capability, giving them the ability to commit online crime such as identify theft against people in rich nations without fear of being traced.

He said it was in the interest of rich nations to help poorer countries develop the capacity to crack down on this kind of abuse, because their own citizens were being targeted.

“Governments tend to look at their self-interest. But it’s actually in their own interest to collaborate,” he said.

Altabef said the growing rate and scale of international cyber attacks threatened to undermine the trust between nations, businesses and individuals that was necessary for economies and societies to act on the basis of the common good.

Complacency was also a problem, delegates said. “Nations take for granted the Internet is going to be ‘on’ for the rest of our lives. It may not necessarily be so,”.

“Imagine the Internet being down for two to four weeks,” he said. This would “rain disaster” on online businesses as well as transport, industry and governmental surveillance systems.

“People have realize the Internet is an integral part of every country, politically, socially and business-wise.”

“Not to focus on cybersecurity is playing with fire.”

Continue reading »]]> 17 February 2010

http://www.h-online.com/security/news/item/Top-25-Programming-Errors-list-updated-933535.html

Just as they did last year, over thirty international security organisations have come together, to publish a list of the 25 most dangerous programming errors leading to vulnerabilities that can be exploited for cybercrime and espionage. The 2010 CWE/SANS Top 25 MDPE (Most Dangerous Programming Errors) has been updated with a number of improvements to how the errors are graded, prioritised and categorised. For example, new “Focus Profiles” allow readers to quickly see the listed errors sorted for particular professionals’ interests.

A Category based view of the list sorts the errors into “Insecure Interaction”, covering various injection techniques, “Risky Resource Management”, covering buffer overflows or invalid calculations and “Porous Defenses”, which encompasses weaknesses in encryption or authentication. In the overall short list, the top problems were cross site scripting, SQL injection, classic buffer overflows, cross site request forgery and improper access control.

The idea behind the publication of the list is to make developers aware of the causes of many weaknesses and their ramifications in terms of overall security. The list also includes a section on “Monster Mitigations”, a set of practices which, if followed, can help address many of the Top 25 errors or reduce their severity.

Red Hat’s Mark Cox also published an analysis of programming errors Red Hat experienced in 2009. He noted that of the eleven flaws that have affected Red Hat Linux development, 5 were not in the top 25 but four of them were “on the cusp” having just missed inclusion in the CWE/SANS list. Cox says that “2009 was the year of the kernel NULL pointer dereference flaw” but that this flaw didn’t make it to the top 25 as, in 2010, the “Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation”.

Organisations that contributed to the compilation of the list include, McAfee, Microsoft, Oracle and Symantec as well as organisations such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC).

The initiative is managed by Mitre and the SANS Institute . It receives funding from the US Homeland Security’s National Cyber Security Division and the NSA, who also contributed to compiling the list.

The List –

http://cwe.mitre.org/top25/#Listing

Continue reading »]]> Over a billion people visited social networking sites such as Facebook and Twitter last month so it’s not surprising that hackers have these sites in their cross-hairs.

The attacks come in many forms: spreading Trojan viruses including key loggers, phishing for passwords and sniffing out packets of sensitive information.

In fact, according to recent research from Breach Security Labs, social networks were the most targeted category in 2009, accounting for 19% of all malicious attacks last year.

The media reports evidence of these attacks seemingly every day.

For instance, in late January Twitter announced that they had once again fallen victim to hackers who were using torrent-based phishing attacks to steal usernames and passwords and hack into user accounts.

This is not the first time the popular social network has been hacked.

In late 2009, some Twitter users fell victim to a phishing attack when they received email notifications from their “new followers,” with a link that lead them to a fake Twitter site where they were prompted to enter their usernames and passwords.

Facebook has had its share of malicious attacks as well.

Most recently, in January there were widespread reports of users receiving direct messages from their “friends” within the network that included a link to a website that was suspected to infect the user’s computer with spyware.

Other widely reported incidents involve offers for a free iPod touch or gift cards, when in fact the only gift these unsuspecting users received was to have their usernames and passwords sold as part of a phishing list readily available for would-be cyber criminals to purchase online.

It’s no shock that these sites are being targeted considering that the time American’s spent on social networks increased 82% in 2009 from the previous year, accounting for over 17% of the total time spent online. *

Many of the more prominent networks have taken measures to increase security and privacy settings.

For example, Facebook has begun to closely monitor the number of postings from each account to detect abnormal behavior that can indicate an account has been compromised.

If a user who normally posts once or twice a day begins to send out hundreds of messages, the account is flagged within the system and attempts are made to contact the user and alert them to change their password and advise friends not click though on links from their recent postings.

In addition to setting robust social network passwords, setting personal reminders to change your passwords monthly and taking advantage of the privacy settings afforded by each individual network, consumers can also take advantage of simple and cost effective data encryption solutions designed to lock down your personal info and passwords.

The more advanced encryption software solutions available today enable the user to securely log into websites by using specialized tools like password managers that retain all of the data regarding each account in an encrypted vault or folder.

The data entered into password managers is encrypted in case of theft or loss of the computer or USB flash drive it is stored on.

These types of password protection features are also capable of creating, storing and managing strong secure passwords so you can maintain unique IDs for each website, without having to remember them each time you log on to do online banking, surf social networks or check your email.

By utilizing tools like password managers, users eliminate the risk of exposing themselves when using computers that they do not own.

Finally, there is another very simple tool that needs to be used when on any type of social networking site: common sense.

Only put info on your walls, blogs, tweets or posts that you would feel comfortable with strangers knowing. For example, you may not want everyone to know when you will be out for the night.

This opens a door for someone to be watching and break into your home knowing you are not around.

Exercising some simple common sense in terms of what information is made public could have prevented many of the social network related horror stories we hear about every week.

With the rapid growth in social networking and the increasing instances cyber criminals targeting these online destinations, it’s imperative that we all understand the potential threats of identity theft and harm to our personal reputations.

By using simple data encryption and password protection tools, you can ensure that your personal information and online identities remain secure and private.

Nielson Research Study

Continue reading »]]> By Ellen Messmer

Network World

February 3, 2010

http://www.computerworld.com/s/article/9151979/How_Wi_Fi_attackers_are_poisoning_Web_browsers?source=CTWNLE_nlt_security_2010-02-04

Public Wi-Fi networks such as those in coffee shops and airports present a bigger security threat than ever to computer users because attackers can intercede over wireless to “poison” users’ browser caches in order to present fake Web pages or even steal data at a later time.That’s  according to security researcher Mike Kershaw, developer of the Kismet wireless network detector and intrusion-detection system, who spoke at the Black Hat conference.

He said it’s simple for an attacker over an 802.11 wireless network to take control of a Web browser cache by hijacking a common JavaScript file, for example.

“Once you’ve left Starbucks, you’re owned. I own your cache-control header,” he said. “You’re still loading the cache JavaScript when you go back to work.

“Open networks have no client protection,” said Kershaw, who also uses the handle Dragorn. “Nothing stops us from spoofing the [wireless access point] and talking directly to the client,” the user’s Wi-Fi-enabled device.

Knowledge gained from researchers over the past year, he said, is showing that browser-cache poisoning over Wi-Fi can be kept in a persistent state unless the user knows how to effectively empty the cache.

“Once the cache is poisoned, it’s going to stay there,” Kershaw said. This means that an attacker can intercede to “poison the URL” of the victim so that he will see a fake Web page when they try to visit a specific Web site or try to insert a “shim” that could “ship your internal pages off to a remote server once you’re in a VPN.”

The few defenses Kershaw suggested were continuously manually clearing the cache, or using private-browser mode. “Who knows how to clear the browser cache in an iPhone?” he asked.

Kershaw acknowledged he doesn’t know how widely attacks based on poisoning the browser cache via 802.11 actually are. But the potential for trouble is so evident he said he’d advise corporate security professionals to try to “forbid users from taking laptops onto open networks,” though he admitted, “Your users may lynch you.” He said some vendors, including Verizon, are looking at solving this problem with a custom client that is tied to specific operating systems.

Continue reading »]]> COPYCAT : China Hacks Inspire Copycats

Jaikumar Vijayan,

Computerworld

Jan 24, 2010

http://www.pcworld.com/article/187534/china_hacks_inspire_copycats.html?

Malicious hackers have begun using the recent cyberattacks against Google and more than 30 other companies as lures for launching even more targeted attacks, security firm F-Secure said in a blog post today.

The company reported spoofed e-mails purporting to contain details on the alleged Chinese attacks that contain a PDF attachment. When opened, it installs and runs the Acrobat.exe backdoor on the user’s machine.

A screen shot posted on F-Secure’s Web site showed an e-mail designed to look like it came from George Washington University. The e-mail, with the subject header ‘Chinese cyberattack,’ offered the target a review of an article on the recent attacks that the purported author had just written for the Far Eastern Economic Review.

When the attached PDF is opened in Acrobat Reader, it exploits a known vulnerability in the doc.media.newPlayer function of the reader to install a back door on the user’s system, F-Secure said. The flaw was patched by Adobe last week.

F-Secure reported seeing targeted attacks using similarly poisoned PDF files being directed at U.S. military contractors earlier this week. In that case, the e-mails were designed to appear as if they were from the U.S. Air Force and purported to contain information on an actual Department of Defense event scheduled for later this year.

F-Secure also said it has learned of a similar e-mail targeting the “intelligence sector,” but offered no further details.

Attacks that attempt to take advantage of popular news events or stories to fool users into clicking on malicious attachments or browsing to malicious sites have become common in recent years. What’s different now is that such attacks are being directed at specific individuals and are increasingly tailored to appear as if they are from a trusted source. Many of the so-called Advanced Persistent Threats (APT) faced by large companies such as Google rely heavily on social-engineering tricks to get targeted individuals to open infected e-mails or download malicious files.

Continue reading »]]> CRACK : Hackers crack airport access

By Matthias Kremp

14/01/2010

http://www.spiegel.de/netzwelt/netzpolitik/0,1518,671980,00.html (Translated from German by Google)

http://translate.google.com/translate?u=http%3A%2F%2Fwww.spiegel.de%2Fnetzwelt%2Fnetzpolitik%2F0%2C1518%2C671980%2C00.html&sl=de&tl=en&hl=&ie=UTF-8

Alarming vulnerability to major German airports: With a simple 200-euro device can outsmart the security barriers. Hackers of the CCC led to ARD reporters can be scanned as easily access cards, and then electronically simulated – the police union is appalled.

After the foiled bomb attack in Detroit, the security agencies and airports have reacted quickly and sharply, before the inspection are always long queues, because the checks have been stepped up. Each piece of hand baggage is searched, each fluid control, many passengers two or three times chased through the metal detector.

It is an easy way to circumvent the controls – the ARD-Magazin “Contrasts” is now demonstrating that it appears in many German airports are a vulnerability that can be exploited by simple means.

The allegations are directed against several German airports used to access security system of the Swiss agent LEGIC It should be easy to crack – how easy to have hackers from the Chaos Computer Club (CCC reporters) presented.

The operating principle of the system is simple: Each employee receives an ID card with built-in microchip. To get into airport security areas, the card is tilted close to a reader. This takes over the air on contact with the chip that reads the data and opens the door, where the institution of the chip is identified as being authorized to access.

But with a relatively simple device can be cut short this seemingly secure protection mechanism. Namely, with a “programmable RFID reader, which can both pretend to be a reader – and can pretend to be a map,” said Karsten Nohl, CCC member of the “contrast” searchers. Assemble the apparatus, therefore, will cost less than $ 200.

With this device you can first read an access card – and then switch it so that it emulates the card, then electronically replicates. In the end, can be with the RFID reader to open those doors, which also include the original would have been granted access.

15 centimeters range approximation

In an interview with SPIEGEL ONLINE, the manufacturer Legic confirmed “that members of the Chaos Computer Club has been able to evaluate by reverse engineering the algorithm of Prime and disclose.

Nohl and other CCC members were “simply shocked to even find any hurdles that we would have to overcome.” Only the limited range of the used RFID reader and emulation device using brakes. With a suitably powerful power supply can be ideally bridging distances of about 70 centimeters. If one wishes to remain anonymous and do not bulky power apparatuses attention to themselves, reduces the distance to up to 15 centimeters. But it was no real obstacle, “said ARD editor Matthias Deiss

To read out a map of it ultimately matter if you stands on an escalator next to an airport employee. Because the ID cards bear the usually either on a long ribbon around the neck or with a short bunch of keys on his belt.

The Swiss compromised by the hackers access system is used in Germany at the airports of Hamburg, Berlin-Tegel, Stuttgart, Dresden and Hanover – and marketed internationally. How far with the stunt is in doubt, was an employee of the Hamburg airport the “contrasts” reporters clear. He had his access card entry to the security area and could thus “on access gates, roads, terminals and gates directly via the apron and of course get on an airplane.” With the RFID reader, the same should be possible.

The system is outdated

The Hamburg Airport recognizes the vulnerability. However, it is pointed out that the access is not the only security mechanism of the airport. With other systems would ensure that no unauthorized persons enter the premises. The nature of these systems has been, “contrasts” but not answered. An exchange of more than 15,000 access cards and readers can not get around 500 for cost reasons.

If you read the product description, the Legic published on his website, anyway, the question arises, why use airports specifically chosen this system to protect access. Accordingly, were key to the development of the system presented at the 1992 Cebit, the simplification and comfort in mind. It is also designed for controlling access to “large-scale projects in the leisure industry”, say for example in holiday resorts. According to the data sheet a “basic security with a focus on organization and convenience” is one of the main features of the system.

Legic told SPIEGEL ONLINE with the Prime System Chriffrierverfahren use a firm that meets the technical possibilities of 1992. The company has argued that such procedures are based essentially on the secrecy of the algorithms used. Compared with today’s methods “have these older methods, a lower safety level than modern systems”, which gives the manufacturer openly. He recommends that its customers, the technology “reassess and, where necessary, replace it with modern security systems.” However, even today is still guaranteed the security – if one Legic Prime with additional measures such as a pin number, a video surveillance or simply supplement an usher. But because it costs, just as a replacement of the entire system.

Interior Ministry and police union response

According to a spokesman for the Federal Interior Ministry is on the airport operators to review the security controls already been suggested. Rainer Wendt, chairman of the German police union, which is too little – he asks to replace the cracked security system immediately and put on the cutting edge of technology.

For the omissions of the operators, he shows no sympathy. He proposes to put the security operation now under the supervision of the federal police to: “so that the airport can be more sloppy as they want.”

Continue reading »]]>

Continue reading »]]> There are chances of somebody access to your Gmail or Google Account without prior notice sent to acknowledge you.

If you’ve recently login Gmail with a public computer at cyber cafe or a Internet-enabled system that is not administrated by you (e.g. office Desktop/Laptop that you don’t have root access privilege), remember to keep an eye at your Gmail account activities.

It doesn’t matter you’re login Gmail with HTTPS connection or Remote Desktopback to your secured system at home/office, a software keylogger running as service or hardware keylogger chip seated inside Desktop keyboard can easily recording all keystrokes pressed or capturing screen when you about to copy and paste the password in login form.

After your Google Account is hacked by keylogger, they are not likely to change your password for fun. Instead, the hackers will like to access your Gmail silently for other activities that interest them, e.g. confidential emails, social networks, accounting related login such as online banking, PayPal, eBay auction, etc.

So, how could you tell if someone has accessed your Gmail recently?

Login to your Gmail and look at the bottom of page. There you read a statement similar to this

Last account activity: 48 minutes ago on this computer. Details
(as shown in the screenshot below; highlighted in white):

After your Google Account is hacked by keylogger, they are not likely to change your password for fun. Instead, the hackers will like to access your Gmail silently for other activities that interest them, e.g. confidential emails, social networks, accounting related login such as online banking, PayPal, eBay auction, etc.

^{Gmail account activity may able to tell if you Google Account has been hacked by a keylogger.}

Click the Details hyperlink, a pop-up page will shows you the table of Google Account login details – Access Type, IP Address, and Date/Time when those login took place.

At the bottom of Detail page, there is your current computer IP address that you can take note for next login audit (keep a habit of conducting login audit whenever you login to Gmail):

This computer is using IP address 89.211.85.96.

The IP Address of computer that you normally use to access Gmail is not likely changes (frequently). If it’s an office computer that access to Internet via proxy server, that WAN IP is rather f

Continue reading »]]> http://business.maktoob.com/20090000386986/Saudi_under_attack_from_cyber_criminals/Article.htm

DUBAI – Saudi Arabia tops all Gulf countries in attacks by Internet hackers, UAE daily Emirates Business reported on Thursday, citing software firm Trend Micro.

Of all the recorded cyber attacks in the first nine months of this year in the Gulf, 64 percent were directed at Saudi Arabia and 20 percent at the UAE.

There were 769,698 cases of “compromised systems breakdown” in Saudi Arabia and 248,034 in the UAE, according to Trend Micro data.

Kuwait recorded 94,910, followed by Bahrain at 60,440 and Oman with 37,105 cyber attacks.

Due to high concentration of wealth, Internet security experts put the Gulf at high-risk of cyber threats as criminals try to steal vital data from the public, including information such as bank details and credit card information.

Continue reading »]]> With botnets everywhere, DDoS attacks get cheaper

By Robert McMillan ,

IDG News Service,

October 15, 2009

http://www.networkworld.com/news/2009/101509-with-botnets-everywhere-ddos-attacks.html?hpg1=bn

Cyber-crime just doesn’t pay like it used to.

Security researchers say the cost of criminal services such as distributed denial of service, or DDoS, attacks has dropped in recent months. The reason? Market economics. “The barriers to entry in that marketplace are so low you have people basically flooding the market,” said Jose Nazario, a security researcher with Arbor Networks. “The way you differentiate yourself is on price.”

Criminals have gotten better at hacking into unsuspecting computers and linking them together into so-called botnet networks, which can then be centrally controlled. Botnets are used to send spam, steal passwords, and sometimes to launch DDoS attacks, which flood victims’ servers with unwanted information. Often these networks are rented out as a kind of criminal software-as-a-service to third parties, who are typically recruited in online discussion boards.

DDoS attacks have been used to censor critics, take down rivals, wipe out online competitors and even extort money from legitimate businesses. Earlier this year a highly publicized DDoS attack targeted U.S. and South Korean servers, knocking a number of Web sites offline.

Are botnet operators having to cut costs like other businesses in these troubled economic times? Security researchers don’t know if that’s been a factor, but they do say that the supply of infected machines has been growing. In 2008, Symantec’s Internet sensors counted an average of 75,158 active bot-infected computers per day, a 31 percent jump from the previous year.

DDoS attacks may have cost hundreds or even thousands of dollars per day a few years ago, but in recent months researchers have seen them going for bargain-basement prices.

Nazario has seen DDoS attacks offered in the US$100-per-day range, but according to SecureWorks Security Researcher Kevin Stevens, prices have dropped to $30 to $50 on some Russian forums.

And DDoS attacks aren’t the only thing getting cheaper. Stevens says the cost of stolen credit card numbers and other kinds of identity information has dropped too. “Prices are dropping on almost everything,” he said.

While $100 per day might cover a garden-variety 100MB/second to 400MB/second attack, it might also procure something much weaker, depending on the seller. “There’s a lot of crap out there where you don’t really know what you’re getting,” said Zulfikar Ramzan, a technical director with Symantec Security Response. “Even though we are seeing some lower prices, it doesn’t mean that you’re going to get the same quality of goods.”

In general, prices for access to botnet computers have dropped dramatically since 2007, he said. But with the influx of generic and often untrustworthy services, players at the high end can now charge more, Ramzan said.

Continue reading »]]> Phishing, a topic that’s been in the news, is unfortunately a common way for hackers to trick you into sharing personal information like your account password. If you suspect you’ve been a victim of a phishing attack, we recommend you immediately change your password, update the security question and secondary address on your account, and make sure you’re using a modern browser with anti-phishing protection turned on.

Creating a new password is often one of the first recommendations you hear when trouble occurs. Even a great password can’t keep you from being scammed, but setting one that’s memorable for you and that’s hard for others to guess is a smart security practice since weak passwords can be easily guessed. Below are a few common problems we’ve seen in the past and suggestions for making your passwords stronger.

Problem 1: Re-using passwords across websites
With a constantly growing list of services that require a password (email, online banking, social networking, and shopping websites — just to name a few), it’s no wonder that many people simply use the same password across a variety of accounts. This is risky: if someone figures out your password for one service, that person could potentially gain access to your private email, address information, and even your money.

Solution 1: Use unique passwords
It’s a good idea to use unique passwords for your accounts, expecially important accounts like email and online banking. When you create a password for a site, you might think of a phrase you associate with the site and use an abbreviation or variation of that phrase as your password — just don’t use the actual words of the site. If it’s a long phrase, you can take the first letter of each word. To make this word or phrase more secure, try making some letters uppercase, and swap out some letters with numbers or symbols. As an example, the phrase for your banking website could be “How much money do I have?” and the password could be “#m$d1H4ve?” (Note: since we’re using them here, please don’t adopt any of the example passwords in this post for yourself.)

Problem 2: Using common passwords or words found in the dictionary
Common passwords include simple words or phrases like “password” or “letmein,” keyboard patterns such as “qwerty” or “qazwsx,” or sequential patterns such as “abcd1234.” Using a simple password or any word you can find in the dictionary makes it easier for a would-be hijacker to gain access to your personal information.

Solution 2: Use a password with a mix of letters, numbers, and symbols
There are only 26^8 possible permutations for an 8-character password that uses just lowercase letters, while there are 94^8 possible permutations for an 8-character password that uses a combination of mixed-case letters, numbers, and symbols. That’s over 6 quadrillion more possible variations for a mixed password, which makes it that much harder for anyone to guess or crack.

Solution 3: Create a password that’s hard for others to guess
Choose a combination of letters, numbers, or symbols to create a unique password that’s unrelated to your personal information. Or, select a random word or phrase, and insert letters and numbers into the beginning, middle, and end to make it extra difficult to guess (such as “sPo0kyh@ll0w3En”).

Problem 4: Writing down your password and storing it in an unsecured place
Some of us have enough online accounts that we may need to write our passwords down somewhere, at least until we’ve learned them well.

Solution 4: Keep your password reminders in a secret place that isn’t easily visible
Don’t leave notes with your passwords to various sites on your computer or desk. People who walk by can easily steal this information and use it to compromise your account. Also, if you decide to save your passwords in a file on your computer, create a unique name for the file so people don’t know what’s inside. Avoid naming the file “my passwords” or something else obvious.

Problem 5: Recalling your password
When choosing smart passwords like these, it can often be more difficult to remember your password when you try to sign in to a site you haven’t visited in a while. To get around this problem, many websites will offer you the option to either send a password-reset link to your email address or answer a security question.

Solution 5: Make sure your password recovery options are up-to-date and secure
You should always make sure you have an up-to-date email address on file for each account you have, so that if you need to send a password reset email it goes to the right place.

Many websites will ask you to choose a question to verify your identity if you ever forget your password. If you’re able to create your own question, try to come up with a question that has an answer only you would know. The answer shouldn’t be something that someone can guess by scanning information you’ve posted online in social networking profiles, blogs, and other places.

If you’re asked to choose a question from a list of options, such as the city where you were born, you should be aware that these questions are likely to be less secure. Try to find a way to make your answer unique — you can do this by using some of the tips above, or by creating a convention where you always add a symbol after the 2nd character in the answer (e.g. in@dianapolis) — so that even if someone guesses the answer, they won’t know how to enter it properly.

Continue reading »]]> “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu, Art of War

Ethical hackers tries to answer:

What can the intruder see on the target system? (Reconnaissance and Scanning phase of hacking)

What can an intruder do with that information? (Gaining Access and Maintaining Access phases)

Does anyone at the target notice the intruders attempts or success? (Reconnaissance and Covering Tracks phases)

If hired by any organization, an ethical hacker asks the organization what it is trying to protect, against whom and what resources it is willing to expend in order to gain protection.

Continue reading »]]> If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your driving licence number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

• You probably use the same password for lots of stuff right?
• Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
• However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
• So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
• Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
• But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. 

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0?, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
7. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. As Adrian Monk says, It’s a jungle out there.

Continue reading »]]> Quite often I hear comments like “so what if they hack into my system there’s nothing on my system of interest.”  I can’t tell you how more wrong you can be.  The only thing I can think of when I hear someone say that is that person is not aware of just what type of information they have access to.   I’ll show you exactly what type of information a “hacker” has access to once your system has been broken into.  Try to remember this is not meant to scare you, it is meant to inform you.  Keep in mind you are reading this to gain a better understanding of how to protect your-self.

Bank Account Information

I’m sure if you’re like most people you have web banking of some kind. Most banks require you to use 128bit encryption browsers to do your banking online.  This form of banking online does encrypt your information and protect it from otherwise prying eyes of the world that may wish to gain access to such vital information. This should further illustrate how powerful the encryption method is: 

•  40-bit encryption, means there are 2  possible keys that could fit into the lock that holds your account information. That means there are many billions (a 1 followed by 12 zeroes) of possible keys.  

•  128-bit encryption, means there are 288 (a three followed by 26 zeroes) times as many key combinations than there are for 40-bit encryption. That means a computer would require exponentially more processing power than for 40-bit encryption to find the correct key.

Unfortunately it’s useless to you once your computer has been compromised.

Question: How? One of the features of a “Trojan” is a key logger.  The principle behind this is all keystrokes pressed will be recorded and sent back to the “hacker.”

You’re probably asking yourself well “How do they know what bank I’m with?” This information is easily achieved by doing what is called a screen shot.  This gives the “hacker” a picture of your desktop and all windows currently open at the time.

As you can see although you are on a secure web site, it still doesn’t protect your information once your computer is compromised.

Email

Simply put all emails sent to you are accessible to a “hacker” once your system has been compromised.  They can read them and possibly check your mail before you do.  

Pictures

If you have pictures of yourself or family members on your system, they are also available to the “hacker.”  I don’t think I need to explain the danger here.  Not only has the individual compromised your computer system, they also know what you look like.

Resume

This may not sound like a priority file for a “hacker” but stay with me for a second.  How many of you have resumes typed up on your computers? I’m sure a lot of you do.  If a “hacker” were to download your resume they now have access to:

Name:

Address:

Phone:

Workplace:

It doesn’t stop there either.  Those are just a few of the things that can happen when your system is compromised.  This is no science fiction these are real life possibilities.  The extent of that information was gathered just from files on your system.