<?xml version="1.0" encoding="ISO-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel>
<title>Hack In The Box</title>
<pubDate>Fri, 03 Jul 2009 01:11:43 +0000</pubDate>
<link>http://hackinthebox.org/</link>
<description>Hack In The Box Backend</description>
<language>en-us</language>
<image>
 <title>Hack In The Box</title>
 <url>http://hackinthebox.org/images/hitb.gif</url>
 <link>http://hackinthebox.org/</link>
</image>
<webMaster>dhillon.kannabhira&#110;&#064;&#104;ackinthebox.org</webMaster>
<item>
<title>Boomerang attack against AES better than blind chance</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32104</link>
<description>Cryptographic researchers have uncovered a chink in the armour of the widely used AES algorithm. The attacks pose no immediate threat to the security of AES, but they do illustrate a technique for extracting keys that is better than simply trying every possible key combination.

Instead of such a brute force approach, the researchers have derived a technique based on &quot;finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle&quot;. Collisions in cryptography happen when two different inputs produce the same output.

The approach, in this case, can be used to infer clues about the key used by the AES encryption cypher. AES is an encryption standard recently adopted by the US government, and widely used commercially as a result.</description>
<pubDate>Fri, 03 Jul 2009 01:11:43 +0000</pubDate>
</item>
<item>
<title>Jay Leno wins cybersquatting case</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32103</link>
<description>Comedian and talk show host Jay Leno has won a cybersquatting case against a Texas man found by a U.N. agency to have misused the domain name thejaylenoshow.com to direct Internet users to a real estate website.

In a ruling issued on Thursday, the World Intellectual Property Organization (WIPO) said Leno had common law trademark rights to his name after a 30-year career in entertainment, even though Guadalupe Zambrano registered the site in 2004.

Furthermore, real estate agent Zambrano did not have any legitimate rights to the disputed web address and had registered it in &quot;bad faith,&quot; according to the ruling by William Towns, an independent arbitrator appointed by the Geneva-based agency.</description>
<pubDate>Fri, 03 Jul 2009 01:11:00 +0000</pubDate>
</item>
<item>
<title>Bing searches to include Twitter results</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32102</link>
<description>Microsoft has announced a new feature for its Bing search service, which will allow users to receive information on Twitter posts. The new service generates results from thousands of &quot;carefully selected&quot; Twitter users, according to Microsoft, including its own employees, search experts, bloggers and personalities such as Al Gore.

&quot;Today we are unveiling an initial foray into integrating more real-time data into our search results, starting with some of the more prominent and prolific Twitterers from a variety of spheres,&quot; wrote Sean Suchter, general manager at Microsoft's Search Technology Center, in a blog post.

&quot;This includes tweets from folks from our own search technology and business sphere, like Danny Sullivan or [technology columnist] Kara Swisher, as well as those from spheres of more general consumer appeal like Al Gore or [American Idol host] Ryan Seacrest.&quot;</description>
<pubDate>Fri, 03 Jul 2009 01:10:24 +0000</pubDate>
</item>
<item>
<title>Michael Jackson hackers hijack Sydney website</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32101</link>
<description>A Sydney radio show has been caught up in a global Michael Jackson spam storm, after its website was hijacked in a bid to infect users with malware.

Cyber criminals hacked into the web server of Beatz Radio, a weekly dance music show that airs on Friday nights on FM 99.3, and used the site to host a file that purported to be unseen videos and pictures of Jackson. But the file was actually a password-stealing trojan that surreptitiously loads itself on to the victim's computer and sends back to the hackers a log of every keystroke made.

Links to the bogus YouTube clip were then sprayed out across the world as part of an email spam campaign that sought to exploit the immense interest in Jackson following his death. But Beatz Radio chief Tim Little had no idea until he was contacted by AusCERT, the national Computer Emergency Response Team for Australia.</description>
<pubDate>Fri, 03 Jul 2009 01:09:39 +0000</pubDate>
</item>
<item>
<title>London Stock Exchange Drops Windows System</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32100</link>
<description>Anyone who was ever fool enough to believe that Microsoft software was good enough to be used for a mission-critical operation had their face slapped this September when the LSE (London Stock Exchange)'s Windows-based TradElect system brought the market to a standstill for almost an entire day. While the LSE denied that the collapse was TradElect's fault, they also refused to explain what the problem really was. Sources at the LSE tell me to this day that the problem was with TradElect.

Since then, the CEO that brought TradElect to the LSE, Clara Furse, has left without saying why she was leaving. Sources in the City (London's equivalent of New York City's Wall Street) tell me that TradElect's failure was the final straw for her tenure. The new CEO, Xavier Rolet, is reported to have immediately decided to put an end to TradElect.</description>
<pubDate>Fri, 03 Jul 2009 01:08:27 +0000</pubDate>
</item>
<item>
<title>Court Orders Spammers To Give Up $3.7 Million</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32099</link>
<description>A U.S. district court has ordered key players in an international spam ring to give up $3.7 million that they made by sending out illegal email messages pitching bogus hoodia weight-loss products and a &quot;human growth hormone&quot; pill they claimed reversed the aging process.

In a Federal Trade Commission law enforcement action, the court found that the five defendants, located in Canada and St. Kitts, violated the FTC Act and the CAN-SPAM Act by participating in the spam operation. The court order bars the defendants from violating the CAN-SPAM Act and from making false or unsubstantiated claims about the health benefits of any food, drug, or dietary supplement.</description>
<pubDate>Fri, 03 Jul 2009 01:07:51 +0000</pubDate>
</item>
<item>
<title>What to Look for in Online Backup</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32098</link>
<description>As services become robust enough to support business networks, more businesses are considering online backup for their critical data. Some important factors to consider before making the leap:

Security: Make sure your provider is able to offer detailed information about how data is transferred to and from the backup site, and how security is guaranteed at the backup location. Reputable online backup services will include strong file encryption and access-control standards.

Availability: Find out how long it takes to restore data if it’s lost and whether there are different levels of availability for different types of data. You’ll want to know exactly how long it will take to get your most critical data back online in the event of a failure.</description>
<pubDate>Fri, 03 Jul 2009 01:07:06 +0000</pubDate>
</item>
<item>
<title>How to Improve IT Cyber-Security with Visual Analytics</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32097</link>
<description>Data visualization has been around for decades, but modern desktop computers finally possess the power to turn raw data into interactive displays for analysis, enabling computer security analysts to use visual analytics techniques to solve daily problems.

Although many other tools exist to assist organizations with computer security—from intrusion detection and prevention systems to firewalls and anti-virus applications—none of these solve the data overload problem as effectively as visual analytic software. This is because the problem central to data analysis is an effective reduction of false positives and superfluous data, while preserving important information (sometimes called &quot;improving the signal-to-noise ratio&quot;).

Visual analytics allows analysts to interactively apply a wide variety of tools to make important data pop out of the abyss and become instantly understandable. In essence, visual analytics reduces the time taken to convert information to knowledge by an order of magnitude or better.</description>
<pubDate>Fri, 03 Jul 2009 01:06:25 +0000</pubDate>
</item>
<item>
<title>Will security paranoia kill wireless health IT?</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32096</link>
<description>Frost &amp; Sullivan is out with a piece praising the potential of wireless technologies in health IT, but warning of security concerns.

Yesterday’s piece about WellAWARE is a good example of what’s possible. Short-haul wireless links monitor patients without their having to wear anything. Cellular phone calls can alert caregivers to problems, and wireless data links can offer specifics.

Without wireless technologies such miracles would not be possible. But paranoia over security could kill such applications in the crib. Frost &amp; Sullivan’s wireless analysts can come up with all the scary scenarios they want, but where is the real danger?</description>
<pubDate>Fri, 03 Jul 2009 01:05:41 +0000</pubDate>
</item>
<item>
<title>New Energy Star 5.0 Specifications Initiated</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32095</link>
<description>It was on July 20, 2007 that the Energy Star 4.0 computer specifications came into effect, which was most notable for including requirements for power supplies that met the standards of the 80 PLUS program. As of yesterday, all around requirements have become a little more strict as the new Energy Star 5.0 specs go into effect.

Any computer product (game consoles not included) manufactured on or after July 1, 2009 must meet the Version 5.0 requirements to qualify for the Energy Star certification, even if models were originally qualified under the 4.0 specifications. Making it a little tougher this time around, a computer's power supply must have an 85 percent minimum efficiency at 50 percent of the rated output and 82 percent minimum efficiency at 20 percent and 100 percent of rated output.</description>
<pubDate>Fri, 03 Jul 2009 01:04:53 +0000</pubDate>
</item>
<item>
<title>Conficker: Forgotten but not Gone</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32094</link>
<description>Conficker may not dominate the headlines any longer, but it's still going strong, according to Trend Micro's Malware Blog and stats from the Conficker Working Group.

The worm/botnet grabbed plenty of attention earlier this year, and I wrote plenty about it myself. Part of that focus came from its giant infection rate, part from its sophisticated techniques, and part was pure hype. And after a ballyhooed April Fool's day threat came and went with little incident, it seemed to largely vanish from the public eye.

But it didn't go away. According to stats from the Conficker Working Group, the number of unique IPs seen infected with the first two Conficker variants has bounced around some, but has generally risen since the end of May. On 5/31 it was at 3.7 million. On 6/29, it was 5.1 million.</description>
<pubDate>Fri, 03 Jul 2009 01:04:20 +0000</pubDate>
</item>
<item>
<title>The EU does away with a cell phone tax</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32093</link>
<description>Recently, the EU was in discussion about a possible cell phone tax in Europe, which would pretty much affect everyone who wished to purchase a phone.  Of course, big cell phone manufacturers such as Nokia and Sony Ericsson protested such a tax because their sales would fall. 

Currently, the EU is based in Sweden, and after a vote was held in a meeting yesterday, it was clear what the public wanted. The vast majority of the EU members voted for duty-free cell phones. As you can imagine, cell phone sales are already falling in Europe due to bad economic times, and a higher tax would only have made sales fall further.

Back in December, the EU searched for a way to differentiate these “multi-functional devices” we call cell phones.  They came up with two pretty broad categories - cell phones with TV reception, and cell phones with GPS navigation.  Basically, any phone with TV receivers would have been slapped with a 14% tax, while phones with GPS navigation would have been slapped with a 3.7% tax. </description>
<pubDate>Fri, 03 Jul 2009 01:03:44 +0000</pubDate>
</item>
<item>
<title>Mozilla slates first Firefox 3.5 patch</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32092</link>
<description>Mozilla will patch the just-released Firefox 3.5 in the next few weeks to stamp out several bugs that went unfixed in the final version of the browser, the company said Tuesday.

Firefox 3.5.1, which Mozilla intends to deliver in mid-to-late July, will include fixes for at least three bugs and &quot;topcrashes,&quot; the term the company uses to describe the frequently-reported crashes. Like many applications, Firefox asks users to report crashes by displaying a prompt after the browser goes down.

&quot;[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for,&quot; Mozilla said in notes published after a weekly status meeting. One of the topcrashes scheduled for a fix involves TraceMonkey, the new, faster JavaScript engine that debuted in Firefox 3.5. At least one of the bugs was fixed a week before Mozilla released the final code on Tuesday.</description>
<pubDate>Fri, 03 Jul 2009 01:03:12 +0000</pubDate>
</item>
<item>
<title>BT to guarantee 15Mbits/sec with fibre</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32091</link>
<description>BT will guarantee connection speeds of at least 15Mbits/sec on its forthcoming fibre network.
The company is accelerating its nationwide fibre rollout, and now plans to connect a million premises by next March, and 1.5 million by next summer.

The good news for small business customers is that BT plans to guarantee the speed of the connection on fibre lines. &quot;There will be an SLA [service level agreement] associated with the product,&quot; said David Campbell, managing director of next-generation access at BT Openreach. &quot;We will accept a fault and fix it if the line drops below 15 meg.&quot;

BT's fibre-to-the-cabinet (FTTC) lines will offer download speeds of up to 40Mbits/sec, but BT claims the upload speeds will be more impressive.</description>
<pubDate>Fri, 03 Jul 2009 01:01:31 +0000</pubDate>
</item>
<item>
<title>US moving cautiously on new cyber security program</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32090</link>
<description>The Obama administration is moving cautiously on a new pilot program that would both detect and stop cyber attacks against government computers, while trying to ensure citizen privacy protections.

The pilot program, known as Einstein 3, was supposed to launch in February. But the Department of Homeland Security is still pulling the plan together, according to senior administration officials.

Einstein 3 has triggered debate and privacy concerns because the program will use National Security Agency technology, which is already being employed on military networks. Any involvement of the NSA - the agency oversees electronic intelligence-gathering - in protecting domestic computer networks worries privacy and civil liberties groups who oppose giving such control to U.S. spy agencies.</description>
<pubDate>Fri, 03 Jul 2009 01:00:35 +0000</pubDate>
</item>
<item>
<title>Google App Engine suffers six-hour outage </title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32089</link>
<description>Google App Engine - the development and hosting cloud that serves up third-party apps and websites - was on the fritz for a good six hours this morning.

According to a public note from Google's App Engine team, the service began experiencing problems at around 6:30am Pacific. &quot;We're currently seeing elevated Datastore latency and error-rates, as well as elevated serving error-rates,&quot; the note read. &quot;All applications accessing the Datastore are affected.&quot;

By 8:45am, the App Engine team was in &quot;unplanned maintenance mode,&quot; disabling all application deployments, Datastore writes, and memcache writes. Problems continued for nearly four hours. At 12:35, the team announced that all functions had returned to normal.</description>
<pubDate>Fri, 03 Jul 2009 00:34:47 +0000</pubDate>
</item>
<item>
<title>Psystar Emerges from Chapter 11, Launches New Mac Clone</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32088</link>
<description>Well, it really seems as if Psystar is committed to continue its business, no matter what. The company entered chapter 11 bankruptcy protection in May, and many wondered if this meant the end of the clone maker and the legal case between Apple and Psystar. Well, today the clone maker announced that it is emerging from chapter 11, and while they're at it, they also introduced a new &quot;Mac&quot;.

The fact that the company is emerging from chapter 11 bankruptcy protection is probably the biggest surprise. Many thought that this would mean the end of the small company; not an odd thing considering the costs of litigation and company operation. &quot;As you all may already be aware in late May, Psystar filed for Chapter 11 protection. Although this was critical to our continued daily operations, we now are ready to emerge and again battle Goliath,&quot; the company states, &quot;More information will be available in the coming days when we will be formally discharged by the Bankruptcy court.&quot;

&quot;When life gives you apples, make applesauce,&quot; they add cheekily.</description>
<pubDate>Fri, 03 Jul 2009 00:33:44 +0000</pubDate>
</item>
<item>
<title>Microsoft's Gazelle browser: A layperson's explanation</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32087</link>
<description>Microsoft Research has published a new article that explains in more layperson-like terms exactly what its “Gazelle” Web browser is and why the company’s researchers believe it’s needed.

Microsoft is slated to present a paper on Gazelle at the Usenix Security Symposium in August. At that event, the Gazelle team will describe “the design and construction of a browser that is actually a multi-principal operating system.” (A copy of Microsoft’s Gazelle Usenix paper is available now.)

I’ve had Gazelle (the project which started life as “MashupOS”) explained to me a couple of times, but I never quite understood it. The new Microsoft-authored article, however, actually helped me understand more about where Microsoft is going with this project.</description>
<pubDate>Fri, 03 Jul 2009 00:32:54 +0000</pubDate>
</item>
<item>
<title>Judge tentatively acquits woman in MySpace case</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32086</link>
<description> A federal judge on Thursday tentatively threw out the convictions of a Missouri mother for her role in a MySpace hoax directed at a 13-year-old neighbor girl who ended up committing suicide.

U.S. District Judge George Wu said he was acquitting Lori Drew of misdemeanor counts of accessing computers without authorization but stressed the ruling was tentative until he issues it in writing. He noted the case of a judge who changed his mind after ruling. Drew showed no reaction to the decision.

She was convicted in November, but the judge said that if she is to be found guilty of illegally accessing computers, anyone who has ever violated the social networking site's terms of service would be guilty of a misdemeanor. That would be unconstitutional, he said.</description>
<pubDate>Fri, 03 Jul 2009 00:29:32 +0000</pubDate>
</item>
<item>
<title>Password Recovery Questions Make Online Accounts Vulnerable</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32085</link>
<description>Password recovery questions make it possible to recover a forgotten password in a matter of seconds. All that needs to be done is to answer the password recovery question to receive a new password in the email inbox. This does however make email hacking a profitable business, as email accounts are usually connected to online stores and other web services. Attackers with access to a compromised email account only need to answer the secret question to retrieve the password of the web account. This method is definitely more secure than sending out the password without confirmation on the user’s request.

A recent study shows on the other hand that password recovery questions are usually answered honestly. Questions about the birth town, mother’s maiden name or first pet's name can sometimes be easily guessed. The study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.</description>
<pubDate>Fri, 03 Jul 2009 00:28:47 +0000</pubDate>
</item>
<item>
<title>UAE audit body sets up anti-fraud hotline</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32084</link>
<description>The UAE's State Audit Institution (SAI) has set up a web-based hotline for members of the public to report fraudulent activity within the federal government.

The move follows stated commitment by the UAE to raise the standards of accountability and transparency at all federal levels. It is the first fraud hotline initiative of its kind in the Middle East.

The 'ReportFraud' service, hosted on the SAI's website www.saiuae.gov.ae, is also open to federal government employees and suppliers. Only matters related to federal organisations can be investigated by the SAI.</description>
<pubDate>Fri, 03 Jul 2009 00:28:09 +0000</pubDate>
</item>
<item>
<title>China has not given up Green Dam plan</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32083</link>
<description>“It’s just a matter of time,” an official from China’s Ministry of Industry and Information Technology (MIIT) told the state-run China Daily newspaper, a day after it announced the scheme was being postponed.

Chinese internet campaigners and prominent bloggers had claimed Wednesday’s surprising climb-down as a victory for ‘people power’, with many expecting that the idea would now be quietly dropped as unworkable, as in the case of similar schemes in the past.

Their jubilation may prove to be short-lived, however. “The government will definitely carry on the directive on ‘Green Dam’. It’s just a matter of time,” the official claimed. China’s government was assailed from all sides after it announced on May 19th that all new computers sold in China after July 1st would be required to pre-install the Green Dam software, which was officially described as an anti-pornography measure.</description>
<pubDate>Fri, 03 Jul 2009 00:27:26 +0000</pubDate>
</item>
<item>
<title>The ins and outs of the extradition battle for Gary McKinnon</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32082</link>
<description>Gary McKinnon's life fell apart on April 14, 2003, as he sat, nervous and scared, opposite U.S. prosecutor Scott Stein in the intimidating surroundings of the American Embassy in London.

Make no fuss and agree to extradition for crimes of computer hacking and supposed 'cyber-terrorism', and Gary's punishment would be three or four years in jail, mostly spent in the UK, said Mr Stein. 

Fight against the might of the Bush administration, keen to make a post-9/11 example of Gary, and it would be far longer - raising the prospect that he would die in a high-security prison. Nevertheless Gary chose to fight, sparking a six-year legal battle which continues to this day. Here, we explain his case, and how he has been betrayed by a system supposed to protect him. </description>
<pubDate>Fri, 03 Jul 2009 00:26:35 +0000</pubDate>
</item>
<item>
<title>Cell phones used to view patient records</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32081</link>
<description>This used to be a typical day for Dr. Ian Boykin, &quot;In a normal day of rounds, when you come into the hospital the first thing you have to do is ask for a patient list, talk to nurses, check their vital signs.&quot; That's the old fashioned, long way. Now, the information he needs is right in his cell phone. Dr. Boykin says, &quot;When I start my rounds I don't even have to stop at the nurses' desk. I just go directly to the patient's room. I walk in, see how they are doing.&quot;

It's called H-Care Mobility. It's a smart phone application that puts doctors' patient records literally inside a cell phone. It's a new program on the Treasure Coast. After a year-long pilot program, Lawnwood Medical Center is now encouraging all 220 physicians to use the software. Jennifer Stewart with Lawnwood Medical Center says, &quot;Eventually that is our goal 'cause we are shooting for a paperless system.&quot; Having patient information on a cell phone is a timesaver and saves paper. The hospital says it's safe and has no fears about hackers. Instead they are just making sure patients understand the technology, and more doctors hop on board.</description>
<pubDate>Fri, 03 Jul 2009 00:25:24 +0000</pubDate>
</item>
<item>
<title>Apple patching serious SMS vulnerability on iPhone</title>
<link>http://hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32080</link>
<description>Apple Inc. is working to fix an iPhone vulnerability that could allow an attacker to remotely install and run unsigned software code with root access to the phone.

The attack in question exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service), said security researcher Charlie Miller, during a presentation at the SyScan conference in Singapore on Thursday. He didn't provide a detailed description of the SMS vulnerability, citing an agreement with Apple. Miller is an authority on Mac OS X security, and is a co-author of The Mac Hacker's Handbook.

The SMS vulnerability allows an attacker to run software code on the phone that is sent by SMS over a mobile operator's network. The malicious code could include commands to monitor the location of the phone using GPS technology, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial-of-service attack or a botnet, Miller said.</description>
<pubDate>Fri, 03 Jul 2009 00:24:33 +0000</pubDate>
</item>
</channel>
</rss>
