Another Facebook vulnerability found

As we explain the security structure of Facebook, it is not rare to phrase negative aspects of Facebook security. The latest news on Facebook security is about  a vulnerability included in Facebook mainframe. This vulnerability enables users to sen malicious software to their victim friends.

This is how the vulnerability came to being. Normally when you try to send a file with .exe extension you receive a system error and you can not send this message. However if you make a little change in the contents of the message (a change on the POST inquiry), it is reported that the enforced controlled mechanism can be by passed through this change. You do not need to be friends on Facebook to send a message to them. This way any attacker can lure their victim through social media tactics to run the .exe file.

Nathan Power working for a security consulting company CDW, has recently warned Facebook authorities on the issue. As Power wrote the details of the incidence on his blog, he commented that authorities have acknowledged the issue however, it might take a while for them to make a fix for the issue.By then do not accept messages with .exe extensions on Facebook.

Sensitive Student Information leaked

Google’s new implementations on search results, lead to a scandal, effects yet unknown.

Even universities that has such reputations can face problems regarding their and their members security. An ivy league college and one of the most prominent  one Yale University, has been the talk of technology spheres because of a great negligence. According to reports names, social security numbers and other sensitive information of 43 thousand students were leaked to anyone who has internet access for roughly 10 months. This fact alarmed university authorities.

According to Yale Daily News, these sensitive information was being stored at FTP servers that also stored open source information. When Google included FTP servers in their search results, information of these students leaked to Google for everyone to see. There are rumors that people searching others to check their Facebook account on Google were able to reach sensitive information such as contact information, social security numbers and other information. It is rather hard to understand the density of the problem yet, Yale authorities are not sure whether these information has been abused. Yale also created a program with credit card companies through which students can monitor their credit card usage which would alarm users but whether this precaution would be enough or not depends on the conscience of the hackers.

How to secure your phone

We have discussed in this blog about people trying to squeeze information from end user cell phones. Since we are at an era where people use mainly their cellphones for many activities such as checking their mail, social websites, send messages and rarely talk on it, the rise on the usage of cell phones for daily activities opened a weak spot for hackers and social engineers to focus on these devices. But how can you save your cell phone from information leakage. Here is how.

First of all if you own a smart phone, you should disregard your previous knowledge on how phones are hundred percent bullet proof for hackers. You should regard security as top priority. It is not because those devices are of high value but their tendency to include more and more sensitive personal information. I will be giving you tips to secure your phone against malicious activities that target your information.

Write down your IMEI number, in case your phone gets lost having written down your IMEI number can help you find your phone back.

Enable a pin number, enable a pin number for phone access and choose a password that can not be guessed easily. This would at least delay the access to your sensitive information.

Connect to secure wireless networks, do not connect to any wireless network you find along your way since they can be set up to leech your sensitive information if not encrypted.
Use software that can remotely access and remove the information, there are various software both for iOS and Android, that can remotely log into your phone and edit the information.There are also several software that can locate your phone or lock it in case it gets lost.

Check the applications and which permissions they get, applications that seem harmless from outside might actually be giving permission for others to exploit your information. Make sure the applications you install do not give such permissions.

Back up your phone often, these days losing a phone might not cost a huge amount to you since you can actually replace your phone for a small price but losing your information can come costly. Like you should back up your computer often back your phone too.

You can also install an off market security software which come handy for several scenarios from email security to blacklisting numbers, firewalls to spam filters.They start from 13.95 $ to 39.95$. You can check the following website for non Apple phones.

http://mobile-security-software-review.toptenreviews.com/

and check app store for apple phones.

 

Siri on iphone 4

When iPhone 4gs first came out Apple rather than the hardware Apple focused on one fact and one fact only. The new phone had personality. It was a nice marketing point since there were many phones that had dual core processors, even better cameras and memory. Although Iphone 4gs made use of a technology that has been around for a great while now, to be exact  since 1952, it made a huge impact on all iPhone and android users. The technology is full of flaws but this is the only almost perfect version of voice recognition. The marketing point of the new phone, which made iphone 4 users jealous raised one question, can iphone 4 users make use of Siri. There are several blogs and conflicting ideas on the issue and there are several coders from jail breaking sphere who are racing to become the first person to draft Siri to iPhone 4. Although some spheres say that voice recognition requires dual core processor A5 chip, there are some videos that uses Siri on iPhone 4 without any speed issues or delays. The fact is although Siri will soon be made available for iPhone 4 users, some features of Siri rely on Apple servers. Existing servers, in some cases are not enough simply for iPhone 4gs users and the servers are not processing data received from non 4gs phones. Many coders are also working on the issue to disguise other phones as 4gs phones so their Siri can also talk to Apple servers. Other than the server issue Siri seems to be portable into other Apple phones. Apple seems to be buying time to sell their new phones before someone exploits the beta software. As soon as Siri becomes available on iPhone 4 we will post it on this blog.

Das trojanische Pferd (the Trojan Horse)

Government Caught in the Act

Hackers discovered the Trojan Horse plan of a country at the heart of Europe.

Trojan horse or simply Trojan, is a malicious software that can track users through their computers. Until now we have encountered many usage of these software, for data theft, computer hijacking, keystroke logging and installation of third party software. But governmental usage of this software raises the question. Is every way allowable to catch a criminal?

A group of hackers in Germany discovered an ugly truth when they were tracking the activities of a Trojan horse. Government of Germany was riding inside.

The name of the Trojan Horse is Bundestrojaner, literally Federal Trojan Horse, it is by the Government of Germany to track Skype conversations of the residents. This is only the visible part, when investigated deeper, hacker group found that the Troajan also installed “0zapftis” (a German cry for the start of the October fest) and “R2D2″ (we all know what it is). When these software dispatched, it installed updates, tracked user entries and activities and also allowed remote connection to certain users. Needless to say these are not legal activities according to German constitution.

The discovery was made by the group Chaos Computer Club (CCC), they had contributors from another club “Sophos”. They announced that they are tracking the activities of this Trojan and although it started with legal consent, following steps came illegally and unauthorized. It is also vulnerable to bad intentions since it has been used for other purposes than it’s primary objective. The issue has already been addressed in political arena and government officials were called for an action.

This is how hackers attack vol2

In this post I will elaborate how hackers use web applications to initiate their attacks.This is important for many of since most of us somewhat create web applications and some of us think about moving to marketing area to create a bigger cash flow.

Attackers, note down boxes used in the site for information inputs. They check whether these boxes use GET or POST method. Both of these methods give the hacker an idea how the website works and they start testing the weak spots of the system.

The web address is configured to show the main directory of the website and the attackers add different directory names and try to see what they can access. For example an attacker targeting a website called www.victimwebsite.com, would try to access a directory called www.victimwebsite.com/admin to see whether he can access the control panel of the website.

Another way to learn about hidden folders is to use robots.txt. This file is aimed to inform search engines which folders are worth listing and which folders should not be listed. This file can include knowledge a hacker is not supposed to know. Thus a specific naming convention should be used for folders in order to make them more stealth. An administrator also should avoid including important folder names on that list.

Moreover embedded codes in CSS files, gives clues about the ability of the coders to the hacker. These files can also create weaknesses for the hacker to exploit.

ATTACK is on the way

Now the attacker has the list of hidden folders, information about operating system, possible vulnerabilities and general map of the website.

There are many options to choose. The simplest is to use a software to crack the password on admin login and wait for it to find the password. This way he can steal information, sell it or simply change the login page. These attempts are generally used by young people who are trying to prove themselves and commonly known as “lamers”.

Real hackers, at large, aim at exploring the weaknesses of the websites. For example they inspect SQL services and try to access the database using telnet client. Experienced hackers will try further to access the database in order to list the tables in the database. They will call it success  when they can access credit card information or other important knowledge.

This is how hackers attack

It is a big thing for a hacking attempt to appear on the media. Media commonly draws a colorful picture of the attack and describe the hacker as a computer genius who possess extraordinary capabilities. However the exaggeration of the media rarely reflects the truth.

With the help of some basic tools and logical approach, hackers turn web servers into game zones that are yet to be discovered. There is a high chance that the hackers use their findings towards their popularity, monetary gain or simply to harm a website.So as website administrators how can you save your work from security vulnerabilities? In order to achieve the best protection lies on understanding the hackers approach. In other words you need to learn the attack in order to defend your work.

If a hacker thinks that your website is worth attacking, at first he would try to create a chart for his target. This chart would be like a map of the web site describing which blocks the site is comprised of and the relationships of the blocks.Unfortunately even the way the website works can give an idea to the hacker to gather information. For example, if the site has a member access area the hackers would know that there is a database which includes user names and passwords. And this would be a block for the website.

When it comes to online store, there exists many lines of codes to satisfy special needs.In these codes hackers look for vulnerabilities that can be used for their purposes. Besides hackers also check advertisement providers, external feeds and DNS registries of the domain name. DNS registries might be a door to all internet sites with their basic names but DNS servers are also knowledge databases open to public.

Windows and Linux includes tools for DNS inquiries, but they are complicated command line tools. But hackers can use many websites such as “Kloth.net” for their inquiries. Sites like this make it easier for hackers, as they can use the website just like they use google. As the results come through you can see the ip addresses related to the website. If you do a domain search with “www” you can access server information. Using this way you can also inquire about smtp and pop servers. Another important step for inquiries is to use a port scanner like Nmap. This way you can discover the services running on the server.

Using Nmap, hackers can send packets to possibly open ports and study the returned values. This way besides the services active on the server, information on the operating system running on the server can be achieved. This way hackers can shape their attacks according to the knowledge returned from their inquiry.

After hackers have gathered enough information they move onto web applications running on the website. A golden rule of the computer world is that no application is without flaw. Programmers that have not been on the field for long make the same assumptions and similar mistakes.First step is to know how the web site works. As hackers visit the page they gather information on page names, their content, and which pages require membership. This way they gather important information on the structure of the website. The structure gives the hacker information about the abilities of the programmer. Certain structures are used to create a web site, this way hackers can use the known vulnerabilities of the program and attack the website.

Next week I will explain further on how information can be leaked from web applications and how hackers start the attack.

To be continued…

Windows 8 raises the bar on Security something to worry Linux users

We can say that most of Linux PC users have installed their operating system on a computer that has been pre installed with Windows. Moreover installing Linux over a pre installed windows PC is cheaper and more convenient regarding you might want to switch back one day.

However with Windows 8, the situation seems like it will change. A security feature in windows 8, might deem installing Linux over Windows 8 certified hardware impossible. A Red Hat developer Matthew Garett, has announced that it is not necessary to panic but it worths worrying.

“The problem” arises from the fact that Microsoft would like to use hardware based secure boot protocol called “Unified Extensive Firmware Interface(UEFI)”. This technology aims to supply protection against rootkits and low level attacks.

Garrett further explains UEFI keys as “If a manufacturer has installed a key into the machine, the only way for the code to be signed by this key, is to have the signing to be done by the manufacturer”. Several keys might be installed on a machine, but if you do not get the machine to sign double data, you can not achieve an installation.

Microsoft already announced that machines with Windows 8 logos will come with a feature called secure boot. Garrett guesses hat Windows on those machines will be signed by a Microsoft key signature. Linux and similar operating systems does not include any signature. Thus if the manufacturer does not have a certain intention to enable these operating systems the OEM and Microsoft signed machines will not operate a Linux general distribution.

Top 3 Craziest Attacks of Anonymous

Anonymous has been pretty popular on technology sphere due to their attacks and they keep attacking more and more every day. The entity who does not want to be counted as a group since they call themselves a unity of hackers. They first came together in order to stop the Scientology cult and publish the truth about them.

The unity fights for freedom and they have been stealing big chunks of data from certain security companies, web sites, technology firms and even countries. In this article I have found top three craziest attacks of Anonymous.

1. Operation Payback

Date: December 2010
Target: Visa, MasterCard, Amazon, PayPal, PostFinance

Government of United States, suggested WikiLeaks to stop publishing secret documents and closed accounts and servers of WikiLeaks  that were in favor of WikiLeaks. Thus Anonymous started attacks on several companies such as Visa, MasterCard and PayPal that did not want to work with WikiLeaks. On December 8th Anonymous has hacked websites of Visa and Mastercard.

 

2. Bank of America

Date 14 2011
Target: Bank of America
Anonymous aimed to reveal unjust practices of Bank of America on mortgage and leaked internal e-mails of Bank of America.

 

3.Operation: Sony

Date: April 02 2011
Target: Sony Entertainment

Constant attacks on Sony’s web site and services , have started on second of April. Anonymous has shaped the history by totally hacking PlayStation Network, their reason for hacking PlayStation Network was the corporate decision on suing George Holtz who has hacked and made way to modify PlayStation.

 

Wireless Hacking is Also Legal

A Dutch court has ruled against punishment for hacking into Wi-Fi connection provided that connected computers were untouched. However the rules regarding data freeloading seems likely to change in the following months.

The unusual ruling came in the case of a student who has hacked into his neighbors wireless connection in order to post a shooting rampage threat at Maerlant College in The Hague. The threat was posted on 4chan, the notoriously anarchic internet image board. The student was sentenced to community service because of the post however he was not sentenced further for hacking into a secured wireless connection. How the student got caught still remains a mystery.

The flaw of the law comes from the fact that Netherlands computer laws dates back to 1990s and according to the laws that defines a computer as “data storage”. Since a router can not store data, hacking into it and using it does not pose as a treat or go against the rules.

This seems like another example of bureaucracy  losing it’s strength against emerging technology rules of which is basically refreshed every minute. As the technology advances and redefines criminal activity, constitutions remain with great amount of vulnerabilities that hackers can deplete.