Inside the mind of a Russian hacker
Posted by l33tdawg on Friday, March 12, 2010 - 12:05 AM (Reads: 273)
Source: BBC
Andrei is a young man with immense power at his fingertips. He's a reformed Russian hacker.
Back hunched, eyes fixed on the computer screen in front of him, he demonstrates what he can do. "Look, here's the log-in and the password," he says, pulling up a Georgian government website. "This site has already been hacked, I'm just demonstrating the vulnerability. But it's easy if you know how."
At just 20 years old, Andrei works for an information security firm. He says he does nothing illegal now, but he used to. "I started when I was 14. I hacked a series of military resources, the US army, some Russian departments. I wanted to examine how well protected they were."
The Oracle approach to application security
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 111)
Source: IT Hound
Until recently, security was an integral part of the application; business logic and security code were hardly discernible. Today’s web-based applications demand much more agility to face changing customer needs, often leading to many application component modifications and redeployments.
Typically, multi-tiered web applications are defined in “patterns” that isolate user interface from business logic and data storage. Application security is different at each tier involved in the overall process. For example, a user interface must provide a way to authenticate incoming requests, and application servers must access backend database systems securely. Companies understand the necessity of including security as part of the development process, but they face challenges in implementing security in the various layers of multi-tiered web applications.
Visa issues guidelines for data field encryption
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 85)
Source: Finextra
Visa Europe, Europe's leading payment system, today launched the industry's first guidance for data field encryption solutions by providing the minimum security practices needed to help support Payment Card Industry Data Security Standard (DSS) compliance.
The guidelines are based on best practices developed by Visa Europe that will help merchants and other stakeholders in the payments process to evaluate data field encryption solutions. These technologies can help secure card data when it is either being stored or moved and render it useless to fraudsters in the event of a data compromise.
Pirate Bay appeal looks set to start in September
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 95)
Source: Network World
The case against the four people involved in the running of Pirate Bay is heading back to court at the end of September. The appeals trial is tentatively scheduled to start on Sept. 28, the Svea Court of Appeals said on Wednesday.
It has been almost a year since Fredrik Neij, Gottfrid Svartholm Warg, Peter Sunde and Carl Lundström were found guilty of being accessories to crimes against copyright law, and each sentenced to one year in prison. The court also ordered them to pay around 30 million Swedish kronor ($4.2 million) in damages. All four subsequently appealed the verdict.
Nine days have been scheduled for the trial, the last one being Oct. 15. The dates are preliminary, and can be changed if the defendants or the prosecution have any objections. On Thursday, Sunde's lawyer told the court that Sunde is unable to attend, according to Svea Court of Appeals judge Ulrika Ihrfelt.
Guide To Security In The Workplace
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 97)
Source: Katonda
Data loss is a major concern for businesses of all sizes. High profile data breaches continue to grab headlines and organisations are feeling the heat of the intense media spotlight for losing confidential information about their company, employees, and clients.
The Human Resources department is the gatekeeper of highly confidential employee data, and it needs appropriate measures in place, ensuring that the trust employees place in them to secure this information is well founded. Employees can also access the company’s confidential data, and it’s vital that HR, working with IT, have the right tools and procedures to help staff avoid accidental disclosures. Few employees have malicious intent towards employers. Guarding against the few that do requires draconian levels of control, an approach which can stifle the trust within an organisation.
10 Reasons Why Security Problems Persist at Microsoft
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 154)
Source: eWeek
As much as Microsoft would like security problems to just go away, they won't. The chances of Microsoft eliminating most of the software flaws that invite new attacks are slim to nil. But there are many things that Microsoft should do to improve the situation. We take a look at why security issues continue to haunt the software giant and what Microsoft can do about it.
Microsoft sent out a patch March 9 for security holes in Office Excel and Windows Movie Maker. Recent reports also suggest that a zero-day vulnerability is currently being used to attack Internet Explorer 6 and 7, allowing malicious hackers to run remote code.
The software giant said it's aware of problems affecting computers because of the IE flaw. But it's just another in a long line of vulnerabilities that have yet to be patched in IE, Windows and several other Microsoft products. Security has been an enormous issue for Microsoft throughout the years. As its software became more popular and as hackers became more sophisticated, Microsoft customers were being targeted at an astounding rate.
Code library gives homebrew iPod remotes chance for awesome
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 107)
Source: Arstechnica
Not too long ago, David Finland built a device capable of communicating with just about any model of iPod via the dock connector using an Arduino Nano, PodGizmo breakout board, an old USB iPod connector, and a momentary switch. While it may not sound like a big deal, there is more to it than one might think: namely programming a device (in this case the Arduino Nano) to be able to receive, interpret, and respond to messages sent from an iPod.
This means teaching it to speak Apple Accessory Protocol and, although proprietary in nature, it has been fairly well documented around the Internet. Finland slung some code so that his iPod touch was hooked up to one of the famous Staples Easy buttons in his car. Now he could easily play and pause his iPod touch without having to fiddle with the on-screen controls.
Pentagon trains workers to hack Defense computers
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 100)
Source: CNN
The Pentagon is training people to hack into its own computer networks.
"To beat a hacker, you need to think like one," said Jay Bavisi, co-founder and president of the International Council of Electronic Commerce Consultants, or EC-Council. His company was chosen by the Pentagon to oversee training of Department of Defense employees who work in computer security-related jobs and certify them when the training is complete.
The Department of Defense does not consider this hacking. "DoD personnel are not learning to hack. They are learning to defend the network against hackers," said spokesman Lt. Col. Eric Butterbaugh.
Nvidia Denies Bribing Game Developers for Implementation of PhysX
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 72)
Source: X-Bit Labs
Nvidia Corp. has denied accusations by its arch-rival Advanced Micro Devices that it provides cash to game developers for implementing GPU-accelerated processing of physics effects using PhysX middleware. While Nvidia admits that it can provide engineers or artists to help game developers incorporate certain effects into titles, the company says it cannot influence their decision to utilize PhysX rather than other libraries or engines.
“There could be no deal under which we would cash somebody in for using PhysX,” said Ashutosh Rege, the worldwide director of developer technology at Nvidia.
Balancing 'Advanced Security' With User Privacy
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 82)
Source: Internet Evolution
In what could be a portentous move, IBM Corp. (NYSE: IBM) recently launched the IBM Institute of Advanced Security. Whether it can succeed may depend on how well it can balance issues of security and privacy in dealing with the government sector.
The organization, which will keep its headquarters in Washington, D.C., plans to use IBM's "research, services, software, and technology" to help governments and the private sector understand and, perhaps more importantly, limit the spread of cyberattacks across the Web.
IBM said that its work with security stakeholders will be "collaborative" in nature. Rather than providing a service and keeping information close to the vest, IBM plans to allow both public and private organizations to tap into IBM's services to enhance their security infrastructures.
Celebrities caused 2009 Twitter crime wave
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 77)
Source: Network World
Criminals started targeting Twitter in earnest during a key period in early 2009, and security company Barracuda Labs has worked out why. During the same few weeks, a key list of A-list celebrities joined the site.
According to the company's analysis, the 'red carpet' era between November 2008 and April 2009 saw 48 out of the 100 currently most popular Twitter celebs start using the service, including such notables as Ashton Kutcher, Oprah Winfrey, Ashley Tisdale, Miley Cyrus, Paris Hilton and music group Coldplay.
This in turn drove a huge surge in public interest, which spiked from 2 percent growth rates in November to a 21 percent growth rate by April, the service's 'tipping point' month.
Rootkit shows potential for hackers to wreak havoc on smartphones
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 104)
Source: Computer Weekly
Researchers at Rutgers University in the US have developed a proof-of-concept rootkit capable of compromising most aspects of a smartphone.
They have shown how a software attack could cause a smartphone to eavesdrop on a meeting or track its owner's location. Unlike viruses, rootkits attack operating systems and can be detected only from outside a corrupted operating system with specialised tools.
"We are showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defences," said professor of computer science Liviu Iftode.
HSBC Breach of Customer Data 'Inexcusable'
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 109)
Source: Securities Industry
The theft of 15,000 records of HSBC Swiss account holders is “inexcusable,” according to a security expert who provides consulting services to financial firms, and the bank should have taken steps to prevent the loss.
“As an HSBC customer, I'm appalled,” said Steve Markey, founder and principal of Philadelphia-based data security and privacy consulting firm nControl LLC whose clients include AIG, Haverford Trust and Printz Capital Management. “As a security and privacy expert, controls should be in place.”
According to Markey, up to 70 percent of all security breaches are a result of insider threats. Banks need to segregate duties so that only those employees who need to can access sensitive data, he said, and have data leakage and loss prevention technology in place.
Sacrificing Privacy for National Security
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 74)
Source: USA News
The 1983 terrorist attack in Beirut that killed 241 marines made the intelligence community's failings clear to then Deputy National Security Adviser John Poindexter. He launched a surveillance overhaul that, National Journal's Shane Harris writes, helped give rise to modern counterterrorism. In The Watchers: The Rise of America's Surveillance State, Harris traces U.S. counterterrorism since, highlighting the technological advances that allow agencies to collect more data now than ever.
Harris, a two-time finalist for the Livingston Awards for Young Journalists who covers counterterrorism, intelligence, and homeland security, recently chatted with U.S. News about why more resources should be devoted to data analysis and how citizens' privacy may be compromised for the sake of national security.
Pennsylvania CISO out of a job following RSA Conference appearance
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 79)
Source: SC Magazine (US)
Bob Maley, Pennsylvania's CISO since 2005, is out of a job, days after he joined a group of other state IT security chiefs on an RSA Conference panel and reportedly offered candid remarks about a recent data breach.
Gary Tuma, a spokesman for Gov. Rendell, told SCMagazineUS.com on Thursday that Maley was no longer employed by the state. He would not say whether he was fired.
"Beyond that, it's a personnel issue and we don't discuss it," he said. Maley's final day in his $90,661-a-year post was Monday. A call placed to Maley's cell phone went directly to voicemail.
Foreign intelligence agencies hack into British companies
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 79)
Source: Telegraph (UK)
In evidence to a Parliamentary committee, The Centre for the Protection of National Infrastructure, a Government agency, said that Government-backed hackers from China and Russia were behind a large proportion of the operations.
Their aim is to steal government, defence and technology information. Most large firms have been targeted and, in ''many cases'', the attacks have been successful.
Islamist terrorists are also behind attacks via the internet. Although their efforts are more limited, they are on the increase. The scale of the attacks was disclosed in the annual report of the Intelligence and Security Committee (ISC).
Moshe Ben Abu publishes exploit code for new IE hole
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 96)
Source: CNet News
An Israeli security researcher has published exploit code for an unpatched hole in Internet Explorer that Microsoft disclosed two days ago.
Microsoft had warned in an advisory that a new vulnerability in IE 6 and IE 7, which could allow an attacker to take control of a computer, had been targeted in attacks.
Releasing the exploit code publicly increases the chances of attacks on the zero-day hole and could pressure Microsoft to issue a patch before its next scheduled Patch Tuesday in four weeks. Researcher Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit database.
iPhone 4.0 Bringing Multitasking
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 114)
Source: Apple Insider
Apple this summer will go a long way towards silencing critics and catering to one of the most prevalent demands of its iPhone user base, when it introduces a multitasking solution through the handset's 4.0 software update that will finally allow several third party apps to run concurrently and in the background.
People with a proven track record in predicting Apple's technological advances tell AppleInsider that the Cupertino-based company has developed a "full-on solution" to multitasking on the iPhone OS but offered no specifics on how the technology would optimize resource conservation and battery life -- two of the most critical issues surrounding the matter, alongside security.
From a user-facing perspective, Apple plans to deliver a multi-tasking manager that leverages interface technology already bundled with its Mac OS X operating system, according to those same people. It was requested that specifics be withheld at this time, as iPhone Software 4.0 remains under development and reportedly has 'quite a way to go' before it's ready for prime time.
Koobface Worm Doubles Its Number Of Command And Control Servers In 48 Hours
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 181)
Source: Dark Reading
The shutdown and recovery of the Troyak-AS command and control center (C&C) for the active Zeus botnet was good news for the whole IT security community. But unfortunately, as some botnets struggle, others stay unaffected. As part of their relentless effort to stay ahead of cybercriminals, Kaspersky Lab's research and analysis team have recently monitored a surge in C&C servers for Koobface, the highly prolific worm infesting social networking sites. Koobface targets sites such as Facebook and Twitter, and uses compromised legitimate websites as proxies for its main command and control (C&C) server.
Definition of Command & Control Center: Command and Control centers are servers maintained by the owners of a botnet and used to enable the infected computers to "call back to their masters" and get updates and commands, such as downloading new or more malware, or stealing various computer files or personal information, such as banking accounts.
Mark Zuckerberg's 2004 Email Break-In Could Be A Felony
Posted by l33tdawg on Friday, March 12, 2010 - 12:00 AM (Reads: 105)
Source: Business Insider
Mark Zuckerberg's hacking of email accounts and user profiles in 2004 could be felonies under Federal and state law, according to privacy lawyers.
As we described last week, Mark used login data of early Facebook members to break in to the private email accounts of two Harvard Crimson editors. He also broke into the systems of competitor ConnectU and changed user profiles, also according to IMs.
Mark now oversees private data of 400 million people as the CEO of Facebook. Questions have been raised about whether this 2004 behavior violated laws and whether users can trust the company to keep their information from being misused.
Packet Storm Security Latest
· winxpcalc-shellcode.txt: 36 bytes small Microsoft Windows XP Professional SP2 Italian calc.exe shellcode.
· 03.11.10-1.txt: iDefense Security Advisory 03.11.10 - Remote exploitation of a memory corruption vulnerability in WebKit, as included with multiple vendors' browsers, could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when a certain property of an HTML element is reset via JavaScript code. When this occurs, a C++ object is incorrectly accessed after it has been freed. This results in an attacker controlled value being used as a C++ VTABLE, which leads to the execution of arbitrary code. iDefense has confirmed the existence of this vulnerability in Google Chrome 3.0.195.38 and Safari 4.0.4. Previous versions are suspected to be vulnerable. A full list of affected Apple products can be found in Security Advisory APPLE-SA-2010-03-11-1 Safari 4.0.5.
· joomlaparty-sql.txt: The Joomla Party component suffers from a remote SQL injection vulnerability.
· joomlacolor-sql.txt: The Joomla Color component suffers from a remote SQL injection vulnerability.
· joomlagigfe-sql.txt: The Joomla Gigfe component suffers from a remote SQL injection vulnerability.
· joomlaproducts-sql.txt: The Joomla Product component suffers from a remote SQL injection vulnerability.
· samagraph-sql.txt: Samagraph CMS suffers from a remote SQL injection vulnerability that allows for authentication bypass.
· nuxkeylogger0.0.1.c: Nux Keylogger monitors keyboard activity on a Linux system. It's possible to hide and daemonize this process, and it supports azerty and qwerty keyboard modes.
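The iDefense WebKit advisory in the list above describes the classic shape of a browser use-after-free: an object is destroyed while another reference to it survives, a same-size attacker allocation recycles its slot, and the next virtual call reads an attacker-controlled value as the vtable pointer. The C program below is an added illustration of that mechanism; it is not WebKit code and not the advisory's exploit. The slab allocator, the `element` object, the fake vtable and the reference-counting fix are all constructed for the example. It shows the vulnerable flow dispatching to the attacker's function, and the fixed flow, where the second user holds a counted reference so the "reset" cannot free the object underneath it and the spray lands in a different slot.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model for illustration; none of this is WebKit code. */
#define SLOT_SIZE 32
#define NSLOTS 4

/* Fixed-size slab standing in for a size-class heap: a freed slot is
 * handed straight back to the next request of the same size. */
static union { unsigned char bytes[SLOT_SIZE]; void *align; } slab[NSLOTS];
static int slot_used[NSLOTS];

static void slab_reset(void) { memset(slot_used, 0, sizeof slot_used); }

static void *slab_alloc(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return slab[i].bytes; }
    return NULL;
}

static void slab_free(void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if ((void *)slab[i].bytes == p) slot_used[i] = 0;
}

/* A C++-style object: vtable pointer first, then fields. */
typedef struct vtable { int (*describe)(void); } vtable;
typedef struct element { const vtable *vt; int refs; int id; } element;

static int legit_describe(void)    { return 1; }
static int attacker_describe(void) { return 666; } /* stands in for shellcode */
static const vtable legit_vt    = { legit_describe };
static const vtable attacker_vt = { attacker_describe };

static element *element_new(void) {
    element *el = slab_alloc();
    el->vt = &legit_vt;
    el->refs = 1;
    el->id = 42;
    return el;
}

/* Attacker step: a same-size allocation whose first word points at the
 * fake vtable, which is what a heap spray achieves in a browser. */
static void spray_fake_vtable(void) {
    unsigned char *chunk = slab_alloc();
    const vtable *fake = &attacker_vt;
    memcpy(chunk, &fake, sizeof fake);
}

/* Vulnerable flow: the "property reset" destroys the object while a raw
 * (uncounted) pointer is still held; the later virtual call reads whatever
 * now occupies the recycled slot as the vtable pointer. */
int vulnerable_dispatch(void) {
    slab_reset();
    element *owner = element_new();
    element *raw = owner;            /* uncounted reference survives */
    slab_free(owner);                /* destroyed on reset */
    spray_fake_vtable();             /* attacker data lands in the same slot */
    return raw->vt->describe();      /* dispatches through the fake vtable */
}

/* Fixed flow: the second user takes a counted reference, so the reset only
 * drops the owner's count; the object outlives the spray and the call
 * reaches the legitimate vtable. */
int fixed_dispatch(void) {
    slab_reset();
    element *owner = element_new();
    element *held = owner;
    held->refs++;                    /* counted reference */
    if (--owner->refs == 0) slab_free(owner);   /* reset: count is 1, no free */
    spray_fake_vtable();             /* lands in a different slot */
    int result = held->vt->describe();
    if (--held->refs == 0) slab_free(held);     /* last user frees */
    return result;
}

int main(void) {
    printf("vulnerable: describe() returned %d\n", vulnerable_dispatch());
    printf("fixed:      describe() returned %d\n", fixed_dispatch());
    return 0;
}
```

Build with `cc -std=c11 uaf_vtable.c && ./a.out` (the file name is an assumption). The vulnerable path returns 666, i.e. control reached the attacker's function through the recycled slot; the fixed path returns 1. The point of the model is that the exploitable step is not the free itself but the surviving uncounted pointer: fixing the lifetime (or clearing the stale reference on reset) is what removes the bug, whereas a fake-vtable check would only raise the bar.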