Top Stories for Today
[333] Blackberry spyware source code released [281] Six golden rules for strong passwords [244] iPad Study: The More You Know, The Less You Want One [236] How the NSA Deal Could Kill Google [229] P2P Snoopers Know What's In Your Wallet [227] Indian IT Giant Tata Consultancy Services Hacked [216] The FBI Wants to Know Where You are Online [208] Security flaw puts iPhone users at risk of phishing attacks (Updated) [206] Unannounced Core i7 Apple MacBook Pro surfaces in benchmarks logs [198] ShmooCon: Inside FarmVille's sinister underbelly [191] Symantec hit with class-action lawsuit over auto-renewals [185] Apple's new beta of Mac OS X 10.6.3 includes few changes [172] Internet Overuse Invites Depression, Study Says [163] BlackBerry has spyware risk too, researcher says [145] AU Gov't Still Wants ISPs To Solve Illegal Downloads [140] Recovery, Transformation for IT, Telecom in 2010 [138] High-tech to keep Super Bowl on track View the Top 50 articles
Top 20 of the Last 2 Weeks
|
Blackberry spyware source code released
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 333)
|
Source: Network World
Veracode today released Blackberry-specific spyware, which the code-review specialist intends as a “call for defensive research” to show that the BlackBerry is vulnerable to spyware problems.
“The Blackberry ‘sandbox’ keeps you from getting into the operating system level. It’s effective for that,” says Tyler Shields, senior researcher at Veracode Research Lab and author of the Blackberry spyware. “BlackBerry is one of the better operating systems in regards to security,” he says, “but in the sandbox you can steal data.”
Shields says the point in releasing the spyware source code, which he calls TXSBBspy, is to “show how easy it is to write this code.” He calls the source code a blueprint for malware on the BlackBerry, showing how it’s possible to remotely dump all the contents, send the contents via e-mail, and conduct real-time monitoring of phone messages.
[   ]
| |
P2P Snoopers Know What's In Your Wallet
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 229)
|
Source: Network World
Being security researchers and all, Larry Pesce and Mick Douglas thought it would be a hoot to take a look at some of the information people send out over peer-to-peer (P2P) networks. They were taken aback by what they found.
At the 2010 ShmooCon security conference Friday, the duo showed off the extremely sensitive information they've been able to intercept, including driver's licenses and passports, tax return forms with Social Security numbers; someone's last will and testament and information on one man's secret activities that could potentially be exploited by terrorists.
Douglas and Pesce were inspired to look at P2P networks after highly-publicized incidents where details on a U.S. Secret Service safe house for the First Family leaked out on a LimeWire file-sharing network. In another incident, classified data on the communications, navigation and management systems on Marine One were found in a publicly available shared folder on a computer in Tehran, Iran, after apparently being leaked over a P2P network.
[ ]
| |
Symantec hit with class-action lawsuit over auto-renewals
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 191)
|
Source: Network World
A New York man has sued security software maker Symantec for automatically renewing his subscription to Norton Antivirus, alleging that the company did not notify him before charging $76 to his credit card.
The lawsuit comes seven months after the New York Attorney General's office fined Symantec $375,000 for the practice and ordered it to give notice before renewing any subscription.
According to the lawsuit filed Jan. 19 in a New York County court, Kenneth Elan of Port Washington, N.Y., purchased a copy of Norton Antivirus in 2007. Early in November 2009, Symantec told him that it had automatically renewed his license to the software for one year, and charged his credit card $76.03. Elan said he had not been notified prior to the charge hitting his card.
[ ]
| |
Internet Overuse Invites Depression, Study Says
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 172)
| |
Source: PC World
These studies always drive me to despair.
According to a BBC report: "There is a strong link between heavy Internet use and depression, UK psychologists have said. The study, reported in the journal Psychopathology, found 1.2% of people surveyed were 'Internet addicts,' and many of these were depressed."
And I'll bet a lot of them drink too much and can recite every flavor of Ben & Jerry's.
[ ]
| |
Recovery, Transformation for IT, Telecom in 2010
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 140)
| |
Source: Xchange Magazine
Climbing out of the smoking crater of 2009, the IT and telecom industries will see growth rebound next year amid a set of transformational changes, according to the 2010 outlook from research firm IDC. Driving those transformations will be the spread of cloud-based computing and telephony, the continued explosion in smartphones, and the demand for increased bandwidth to feed demand on both desktop and mobile devices.
“With a global economic recovery widely anticipated, modest growth in IT and telecommunications spending is expected,” the research firm said in its influential Predictions 2010 study. “But the industry is entering this recovery year with an ambitious agenda, making transformation the more interesting theme of IDC's predictions for 2010.”
The global economic recession acted as a “pressure cooker” that sped the development and adoption of new technologies and new business models, explained IDC chief analyst Frank Gens. “What's different about 2010 is that the economic recovery will release some of the pressure on spending, enabling a number of transformational tipping points to be reached in a year of economic upswing."
[ ]
| |
iPad Study: The More You Know, The Less You Want One
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 244)
|
Source: PC World
The more people know about the iPad, the less they want to buy one, according to a study released Friday. But, are we expecting too much? The study seems to confirm the iPad as Apple's least exciting announcement in years. And the company is feeling the backlash that comes from not delivering on the hype.
Retrevo, an online marketplace for consumer electronics, surveyed 1,000 of its customers and found that the iPad's Jan. 27 announcement did more to snuff out customer interest than to spark it.
That's not surprising when all Apple introduced was just a supersized (and superexpensive at the high end) iPod touch. My friend and fellow pundit Larry Magid described as the iPad as "underwhelming."
[ ]
| |
BlackBerry has spyware risk too, researcher says
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 163)
| |
Source: CNet News
We've heard a lot about security issues with the iPhone, but the BlackBerry isn't immune to threats from malicious apps.
Tyler Shields, a senior researcher at the Veracode Research Lab, has written a piece of spyware that allowed me to shoot an SMS command to his phone and have his contact list forwarded to my e-mail address in a demonstration. With another short text command, I was able to get his BlackBerry to e-mail me any SMS messages he sends.
And if I had wanted--and he had allowed me--I could have seen a log of all his calls, monitored his inbound text messages, tracked his location in real-time based on the GPS (Global Positioning System) in his device and turned his microphone on to listen to conversations in the room and record them.
[ ]
| |
High-tech to keep Super Bowl on track
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 138)
| |
Source: CNN
As the players, coaches and halftime performers -- not to mention the Lombardi Trophy -- make their way to Miami's Sun Life Stadium for the Super Bowl on Sunday, Jerry Hunter and company will be keeping a close eye on them.
The Super Bowl has contracted with Hunter's US Fleet Tracking to use its real-time GPS tracking system, which uses satellite technology that can "ping" a vehicle's location every few seconds.
The Web-based mapping system will be just one of the high-tech gadgets used Sunday to make sure the party for 74,000 people runs smoothly. "You think you and your wife have a struggle throwing a dinner party with 30 guests -- making sure everything is where it's supposed to be at the right time?" he said. "Imagine the Super Bowl."
[ ]
| |
AU Gov't Still Wants ISPs To Solve Illegal Downloads
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 145)
| |
Source: ZDNet (Australia)
In the wake of iiNet's recent court win, Minister for Broadband, Communications and the Digital Economy Stephen Conroy has said that he wants the film and internet industries to sit down and try and work out a code of conduct to prevent pirating of copyrighted works rather than working towards legislation changes.
"I would hope to encourage the [internet service providers] and the movie industries to sit down and try and come up with a code of conduct and let's see where that goes before we start leaping off down that path," he told the ABC's Hungry Beast program on Friday.
"I think that a mature approach by both the movie industry and the internet industry sitting down, having a conversation, and coming up with a code of practice is the absolute preferable outcome. The problem is at the moment in Australia there is no agreement, there is no discussion, there is no dialogue and people resorted to court," he said.
[ ]
| |
How the NSA Deal Could Kill Google
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 236)
| |
Source: Wired
The company once known for its “don’t be evil” motto is now in bed with the spy agency known for the mass surveillance of American citizens.
The National Security Agency is widely understood to have the government’s biggest and smartest collection of geeks — the guys that are more skilled at network warfare than just about anyone on the planet. So, in a sense, it’s only natural that Google would turn to the NSA after the company was hit by an ultrasophisticated hack attack. After all, the military has basically done the same thing, putting the NSA in charge of its new “Cyber Command.” The Department of Homeland Security is leaning heavily on the NSA to secure .gov networks.
But there’s a problem. The NSA and its predecessors also have a long history of spying on huge numbers of people, both at home and abroad. During the Cold War, the agency worked with companies like Western Union to intercept and read millions of telegrams. During the war on terror years, the NSA teamed up with the telecommunications companies to eavesdrop on customers’ phone calls and internet traffic right from the telcos’ switching stations. And even after the agency pledged to clean up its act — and was given wide new latitude to spy on whom they liked – the NSA was still caught “overcollecting” on U.S. citizens. According to The New York Times, the agency even “tried to wiretap a member of Congress without a warrant.”
[ ]
| |
Apple's new beta of Mac OS X 10.6.3 includes few changes
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 185)
|
Source: Apple Insider
Apple on Friday evening equipped developers with yet another build of its upcoming maintenance and security update for Mac OS X 10.6 Snow Leopard that includes few changes from an earlier build distributed two weeks ago.
People familiar with the matter say Mac OS X 10.6.3 build 10D548 was distributed alongside an enhancement and focus list nearly identical to build 10D538, which made its way to a small subset of developers last month, as AppleInsider exclusively reported.
The only distinguishable change noted in documentation, those people say, was a request by the Mac maker for its developers to add iCal and printing functions to their evaluation efforts, alongside AirPort, QuickTime and graphics drivers. A prior emphasis on VoiceOver was reportedly not extended to build 10D548.
[ ]
| |
Security flaw puts iPhone users at risk of phishing attacks (Updated)
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 208)
| |
Source: Arstechnica
When Apple introduced iPhone OS 3.0, it attempted to beef up the security of over-the-air enterprise management of iPhones by adding support for Cisco Systems' Simple Certificate Enrollment Protocol (SCEP). However, a flaw in the implementation of the standard could allow hackers to offer mobile configuration files that appear to be from a legitimate source, but may otherwise set your iPhone to access malicious servers.
Ars spoke with a mobile security expert who discovered the problem (who asked to remain anonymous because he did not have approval to talk about the issue). He told Ars that the issue is one of trust: "Who would you trust to change your iPhone configuration over the air? Your carrier? Your company? Your IT security admin?" he asked. Apple uses SCEP as a way for the iPhone to check in with a certificate server to verify that a mobileconfig file has been signed by a trusted source, but flaws in the set-up on the iPhone mean that the process doesn't always work as intended.
[ ]
| |
Unannounced Core i7 Apple MacBook Pro surfaces in benchmarks logs
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 206)
| |
Source: Apple Insider
A benchmark report for an unreleased Apple MacBook Pro sporting Intel's upcoming dual-core 2.66GHz Core i7 mobile processor was published online this week, suggesting a refresh to the professional notebook line may be imminent.
The Geekbench report, which can be seen in its entirety here, was submitted on February 4th and subsequently spotted by a MacRumors forum member. It lists the model as a MacBook Pro 6,1 -- a previously unused MacBook Pro identifier -- running an unreleased build of Mac OS X 10.6.2 labeled 10C3067.
More specifically, the chip that registered inside the unreleased MacBook Pro is the Core i7 M 620, which represents the highest-performance chip announced as part of Intel's new Arrandale mobile offerings last month.
[ ]
| |
Indian IT Giant Tata Consultancy Services Hacked
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 227)
| |
Source: Washington Post
The website Tata Consultancy Services, India's largest software vendor, has been hacked. The hacker has posted a "For Sale" message on the site, which is written in both French and English. Ironically, the company produces security systems software.
The hack is believed to be a DNS hijack, which is similar to the breach that Twitter succumbed to last year. TechCrunch was also recently hacked earlier this year.
[ ]
| |
ShmooCon: Inside FarmVille's sinister underbelly
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 198)
| |
Source: Computer World
You see it all the time on Facebook: A friend moving on up in FarmVille. Another friend trying to expand his posse in Mafia Wars. Everyone thinks of them as harmless third-party applications, free from the crooks and cooks of cyberspace. Unfortunately, that's not the case.
The sad fact is that these applications are susceptible to malware pushers and those looking to steal your personal information. It's not much of a stretch for hackers to impersonate people you think are trusted, fellow players, as is the case with a lot of online gaming. And the more you expose yourself, the bigger the target you become.
The dangers of these games were part of a larger talk on social networking dangers at the 2010 ShmooCon security conference. Indeed, social networkers are in danger from all corners, be it from malicious Twitter bots you think is a celebrity following you or that hot model who friended you on Facebook, hoping you wouldn't notice that she's nothing more than a phishing hook.
[ ]
| |
Six golden rules for strong passwords
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 281)
| |
Source: Indian Express
Waking up to someone asking you for help because their password has been hacked is an unpleasant experience. But such calls are becoming commonplace, not because hackers are becoming smarter (well they are), but because people are stupid enough to keep their passwords simple.
A recently released report from Imperva (http://tinyurl.com/iepasswords) highlights that the most common password used by people is 123456. Moreover, 30 per cent of people use passwords under or equal to six characters, only 60 per cent of them use alpha-numerics and nearly half use slang words, consecutive digits and so on. That’s why I have decided to share with you the six golden rules of a good password.
[ ]
| |
The FBI Wants to Know Where You are Online
Posted by l33tdawg on Monday, February 08, 2010 - 12:00 AM (Reads: 216)
|
Source: Chris Prillo
An article posted yesterday on CNET has Internet users bashing the FBI up one side – and down the other. Many are screaming about “Big Brother”, and civil rights. Others are proclaiming that they are going to leave the Internet completely, which I honestly don’t see happening. Seriously, folks… you’d be able to totally give up your online life?
According to the article, the FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes. If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant.
It’s unclear what, exactly, the FBI wants to keep track of. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, a domain name, a host name, or an actual website URL. While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress.
[ ]
| |
Taiwan-based Aurora cyber attack part of larger hack than previously reported
Posted by l33tdawg on Friday, February 05, 2010 - 12:26 AM (Reads: 616)
| |
Source: Examiner
The massive Operation Aurora cyber attack last month, apparently launched from command and control server computers in Taiwan, is part of a larger and sustained effort that has been stealing data for years.
Although computer forensics experts have been unable to trace the recent Aurora attack back to China they do not believe that Aurora originated in Taiwan, the Silicon Valley of the western Pacific. Public details about the cyber attack on major corporations in the United States are scanty as the companies try to assess the damage.
The Department of Defense held a conference with top computer security experts last week in St. Louis, Missouri to discuss the problem. One of the participants, Mandiant, a security consulting firm, has released a report on its findings.
[ ]
| |
The 10 best IT jobs right now
Posted by l33tdawg on Friday, February 05, 2010 - 12:26 AM (Reads: 3191)
| |
Source: IT World (Canada)
IT professionals looking to find new employment or upgrade their current positions should investigate job opportunities that address growing demand for technologies such as virtualization, cloud, network security and social computing skills.
Industry watchers report that while an economic recovery won't guarantee that IT jobs return to pre-recession levels, increased interest in emerging and existing technologies will drive internal training and external hiring decisions.
"IT staffing got hit in 2009, but it didn't get decimated they way it did back in 2002. Companies were renegotiating contracts, freezing salaries and delaying projects, so this year we won't see a flood of IT employment back," says Mark McDonald, group vice president and head of research, Gartner Executive Programs. "But we will see a skills shift from IT personnel that operates only in the old, slow expensive ways to IT pros that can adopt agile methods. There will continue to be opportunities in analytics, for people who understand lean IT, Six Sigma, business processes and improvements -- it's going to be about information, connectivity and collaboration."
[ ]
| |
German grocery stores experiment with payment by fingerprint
Posted by l33tdawg on Friday, February 05, 2010 - 12:25 AM (Reads: 344)
|
Source: Monsters and Critics
The tension level at the grocery store checkout sometimes rises when a customer needs extra time because they have no cash and therefore have to pay with a bank card.
This is especially true in Germany where there is almost always a line at the cash register and it's standard for customers to have to bag their own groceries. Some supermarkets in the country are working to remedy this problem by using a fingerprint scanner to verify identity and make the electronic payment.
A pilot project at a supermarket in the Rewe chain is under way near Cologne to test the viability of implementing the payment method in all Rewe affiliates in Germany. The comprehensive affiliate biometric payment method, as it is called, has a 'handy' advantage, said cashier Helga Gerth.
[ ]
| |
|
Last 15 Postings to HITB Forum
Packet Storm Security Latest
· dradis-v2.5.0.tar.gzdradis is a tool for sharing information during security testing. While plenty of tools exist to help in the different stages of the test, not so many exist to share interesting information captured. When a team of testers is working on the same set of targets, having a common repository of information is essential to avoid duplication of efforts.
· netsniff-ng-0.5.4.1.tar.gznetsniff-ng is a high performance linux network sniffer for packet inspection. Basically, it is similar to tcpdump, but it doesn't need syscalls for fetching packets. Instead, it uses an memory mapped area within kernelspace for accessing packets without the need of copying them to userspace ('zero-copy' mechanism). Therefore, netsniff-ng is libpcap independent. netsniff-ng can be used for protocol analysis and reverse engineering, network debugging, measurement of performance throughput or network statistics creation of incoming packets on central network nodes like routers or firewalls.
· CORE-2010-0121.txtCore Security Technologies Advisory - This advisory describes multiple vulnerabilities based on quirks in how Windows handles file names. Nginx, Cherokee, Mongoose, and LightTPD webservers suffer from related vulnerabilities. Details are provided.
· flexmysql-sql.txtFlex MySQL Connector suffers from a remote SQL injection vulnerability.
· CORE-2010-0104.txtCore Security Technologies Advisory - A security vulnerability was discovered in LANDesk Management Suite: a cross-site request forgery which allows an external remote attacker to make a command injection that can be used to execute arbitrary code using the webserver user. As a result, an attacker can remove the firewall and load a kernel module, allowing root access to the appliance. It also can be used as a non-persistent XSS.
· wippien-negotiation.txtWippien suffers from a flawed key negotiation vulnerability.
· mysql_yassl_getname.rb.txtThis Metasploit module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside ./taocrypt/src/asn.cpp. However, the stack buffer that is written to exists within a parent function stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL.
· novelliprint_datetime.rb.txtThis Metasploit module exploits a stack overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The operation variable must be set to a valid command in order to reach this vulnerability.
Topics
· All topics
· AMD News (Dec 17, 2009)
· Apple News (Feb 08, 2010)
· Articles (Mar 03, 2009)
· Ask Us (Feb 01, 2003)
· Audio/Video (Feb 03, 2010)
· Encryption (Jan 15, 2010)
· Games (Feb 04, 2010)
· Hardware (Feb 08, 2010)
· HITB News (Jan 11, 2010)
· Industry News (Feb 08, 2010)
· Intel News (Feb 03, 2010)
· Law and Order (Feb 08, 2010)
· Linux (Feb 04, 2010)
· Microsoft (Feb 05, 2010)
· Networking (Jan 18, 2010)
· PDAs (Feb 09, 2007)
· Privacy (Feb 08, 2010)
· Red Hat (Nov 18, 2009)
· Science (Feb 04, 2010)
· Security (Feb 08, 2010)
· Software & Programming (Feb 03, 2010)
· Spam (Jan 26, 2010)
· Technology (Feb 05, 2010)
· Transmeta (Jul 07, 2007)
· Viruses & Malware (Feb 04, 2010)
· Wireless (Dec 28, 2009)
Follow us
Join our Facebook Group 
Follow us on Twitter 
Follow our RSS feed 
|
Re: RSA - Breaking the Standard