Category Archives: Security

LulzSec is disbanding

http://sophosnews.files.wordpress.com/2011/06/lulzsec-wallpaper.jpg?w=640A publicity-seeking hacker group that has blazed a path of destruction on the Internet over the last two months says it is dissolving itself.

Lulz Security made its announcement Saturday through its Twitter account. In an unusual strategy for a hacker group, LulzSec has used the account as a publicity platform while remaining anonymous.

The group’s disbandment comes unexpectedly, and could be a sign of nerves in the face of law enforcement investigations. One of the group’s six members was interviewed by The Associated Press on Friday, and gave no indication that its work was ending.

LulzSec claimed hacks on major entertainment companies, FBI partner organizations, the CIA, the U.S. Senate and a pornography website.

Absolute security with WEP and MAC access control

There has been so much fuss about wifi security about how easy it is to crack WEP and all. We can have a absolutely secure setup for a wireless network by selecting which devices to be able to connect to our network by a simple feature present in all routers known as MAC address control.

Make sure you change the admin login password for your router and set it as something which is atleast 8 character and involves special case symbols as well as numbers.

Enable WEP by loging into the admin console.

Set the WEP key to whatever you want. The key can be of of varied length depending upon the following types

  • 40- / 64-bit WEP: 10 digit key
  • 104- / 128-bit WEP: 26 digit key
  • 256-bit WEP: 58 digit key

Enable MAC address control.

Select Allow – This enables only the listed MAC addresses to be able to connect to the network. Rest will get a DHCP failure error. This way only the devices whose MAC addresses are entered in the table can connect. Rest can keep trying.

Enjoy your secure wifi network.

Searching talent among hackers

http://1.bp.blogspot.com/_ubx9hYapZs8/TTGnh1TixVI/AAAAAAAAAPU/VqNA2P4KbOA/s1600/hacker-hacking.jpgA Kerala-based IT firm, MobME Wireless, announced an online contest called CodeJAM to find the smartest computer hackers from the state’s colleges, an official said.

The company, incubated at Technopark here, said the contest was a unique way to reward the best programmers and was open to all regardless of their degree or educational merit. The contest will be hosted at codejam.mobme.in.

MobME CEO Sanjay Vijayakumar said that Silicon Valley in the US was created because of path-breaking solutions. The smartest of the hackers, coders and geeks who built world-class solutions in the valley were not the highest scoring students.

“With this contest, we want to find this rare breed from Kerala: the talented people who are super passionate about the code that they write and who can make a huge difference by creating path-breaking innovations for us,” said Vijayakumar.

Launching June 16, the online contest will run for a fortnight and a programming puzzle would be hosted in a specially crafted web portal at 11 p.m. for 14 consecutive nights.

Daily winners will be given a cash prize of 1,000 each during this period. On the 15th day, MobME will conduct a live coding contest at their Kochi office and the winner would walk away with a grand prize of 1 lakh.

The contest is open to any student from Kerala’s colleges who have a passion for programming puzzles. Apart from cash prizes, the winners will also be presented offer letters to join MobME.

Students interested to participate in the contest may watch out for the daily question starting June 16 at www.codejam.mobme.in.

MobME Wireless focuses on value-added services for mobile phone users and carrier-grade solutions for mobile network operators. It is the only technology company to have won the Nasscom Innovation Award twice.

Bank of America insider leaked customer data to criminal gang

Bank of America incurred a loss of at least $10 million (£6 million) as one of the insider sold customer data to outsiders.

Though the customers are being notified of the incident, but the bank is reluctant to provide many details of the case. The case is under investigation and the bank says that a former associate provided customer information to outsiders which were then used to commit fraud against the customers.

The scammers had stolen, “names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, email addresses, mother’s maiden names, PINs and account balances.” This information were then used for identity theft. The scammers ordered boxes of cheques and got them delivered to a UPS outlet where they picked them up. And also to prevent BofA from warning the victim, the scammers contacted the telephone company of the victims and rerouted the calls to scammer’s mobile phones.

Source : Techworld

Mac Defender Crashes Apple Security Myth

Mac Defender is turning out to be somewhat of an epidemic that neither Apple, nor Mac users seem prepared for. The Mac malware has caught the Apple ecosystem off guard and threatens to shatter the reality distortion field that Apple thrives on.
Apple, and the Apple faithful would like to pretend that Mac malware doesn’t exist. But, thanks to some awesome investigative reporting by Ed Bott, Jacqui Cheng, and others, we know that AppleCare technicians are seeing an explosion of malware issues, and that Apple has specifically directed support technicians not to get involved.
Cheng points out that there is at least tacit acceptance by Apple that the possibility for malware exists because Apple actually sells multiple malware protection products. And, although Apple Store reps are quick to point out the superior security and lack of malware concerns on the Mac, internally Apple mandates the use of Norton malware protection.

via PCworld

Increase in attacks on Social Networking Sites

http://images.defensetech.org/archives/hack.JPGAccording to the Microsoft Security Intelligence Report, volume 10, there is a steady increase in social engineering attacks in 2010. The data was pulled from Microsoft’s customer base as well as partners and Internet Service providers.

Most of the attempts or attacks are made to churn out the name and password of social networking sites which might be used for other financial sites. As per Microsoft the trend of phishing attacks is shifting from financial sites to social networking sites and gaming sites.

Rogue Security Software

Rogue security software or scareware is designed like legitimate software which when installed on a victim’s machine, generates erroneous alerts and tricks the users to buy more softwares or services.

As per a report on rogue security software by Symantec, it said it received reports of 43 million installation attempts. It is told that it is computer security awareness training programs are the best way to defend against these malicious activities. A few web filtering technologies provided by various vendors also help.

Source: TechTarget

How strong is your password

http://www.passwordsafepro.com/images/secure_passwords.gifIf you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Password Length All Characters Only Lowercase
3 characters
4 characters
5 characters
6 characters
7 characters
8 characters
9 characters
10 characters
11 characters
12 characters
13 characters
14 characters
0.86 seconds
1.36 minutes
2.15 hours
8.51 days
2.21 years
2.10 centuries
20 millennia
1,899 millennia
180,365 millennia
17,184,705 millennia
1,627,797,068 millennia
154,640,721,434 millennia
0.02 seconds
.046 seconds
11.9 seconds
5.15 minutes
2.23 hours
2.42 days
2.07 months
4.48 years
1.16 centuries
3.03 millennia
78.7 millennia
2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Via One Mans Blog
image: Passwordsafepro

India Defends Right to Access Personal Data

http://sunilnehra.com/wp-content/uploads/2011/04/login.jpgThe Indian government said Tuesday that new rules allowing it to access personal information available with Internet companies have inherent checks and balances against misuse.
The rules under section 43A of the Information Technology Act were enacted last month and reflect the government’s perception that security threats to the country can be countered by better access to online information.

The country is, for example, locked in a dispute with Research In Motion, demanding access to e-mails and other communications on RIM’s corporate service, called BlackBerry Enterprise Server.

Privacy groups and lawyers have described the rules as draconian and said they infringe Indians’ fundamental rights. “These are arbitrary powers that are being given to government, without any checks and balances,” said Pavan Dugga, a cyberlaw consultant and advocate in India’s Supreme Court.

The rules place controls on the gathering and use of personal data by Internet companies, including requiring permission from the provider of information for sharing such data. But the rules cite the government as an exception in this regard.

This article first appeared on The PC World

‘Extremely weak’ security in file hosting sites

http://blog.host.co.in/wp-content/uploads/2009/09/file-hosting.jpgA research carried out by the Katholieke Universiteit Leuven in Belgium and France’s Institute Eurecom reveals that the private files stored on cloud sites are extremely vulnerable to attakers. After examining 100 file hosting services, the researchers concluded that the unique URIs(Uniform Resource Identifiers) were too predictable and easy to crack.

The service providers claim that these URIs are secret and cannot be guessed, but the research results prove to be otherwise. The research reveals that the ‘secret’ URIs are generated in a predictable fashion; thereby making it easy for the attackers to guess and get access to the content.

The report did not point out any particular service provider specifically. However, during a month’s testing they could extract more tha 168,000 private files.

Source: PCPRO

Fraud Prevention Trends in 2011

http://www.tctinvestigations.com/images1/fraud-prevention-services.jpgWith the exponential rise in internet usage online transactions are also increasing; and so is the number of online frauds increasing. Thus the companies not only have to prevent online frauds, but also they have to protect the customer privacy.

According to ThreatMetrix, California based provider of cloud-based fraud prevention solutions, there has been a shift in fraud detection. The shift has been from cookie based identification to utilizing device identification, i.e., detecting returning visitors based on attributes of the device. Also the rules have been improved to use the information to detect spoofed devices and IP addresses as well as sniff out botnets.

Some other trends and predictions in fraud prevention as shared by ThreatMetrix are given as below:

1. Less Reliance on Cookies and Personally Identifiable Information (PII).

As the consumers are becoming more aware of the online frauds these days, they concerned with online privacy. Many of them block or delete cookies themselves or using security software. Hence many fraud prevention solutions are becoming ineffective. Thus there is this shift towards cookieless device identification and device fingerprinting in preventing fraudulent transactions today.

 

2. New Classes of Devices Become Commodities for Fraudsters.

The users use new devices like Smartphone and tablets in which they can hide their IP address and thus eliminate the possibility of detecting the source of transactions.

 

3. Use of Fraud Prevention Solutions Across the Entire Value Chain.

Today’s fraudsters are very smart and hence the threat across the entire value chain in e-commerce continues to persist. Thus the use of fraud prevention software has become very important for the online brands.

 

4. Rise of Online Services and Digital Goods Encouraging Fraud Automation.

The real time online transactions have increased considerably which is now the hot target of online fraud automation and the fraudster can easily automate fraudulent transactions.

 

“Every business that transacts on the Internet needs better automated fraud prevention that doesn’t rely on cookies or personal identifiable information,” said Faulkner. “2011 is the year that technologies like device fingerprinting and collective fraud intelligence in the cloud become mainstream tools for web security and fraud professionals. When fighting a collective problem you need a collective solution.”

 

Source: http://www.securityweek.com/fraud-prevention-trends-2011
image: http://techinvestigations.com