Thursday, July 31, 2008

Smart phone / mobile phone data could be compromised

Bluetooth User Data Could Be At Risk

As you drive with Bluetooth connected to your smart phone, you might be putting your personal data in danger. Think of it this way.
  • The hands free law gave the Bluetooth industry real teeth.

  • The Bluetooth headsets are not just for geeks anymore.

  • We're all expected to drive around with them now.
But when we switch Bluetooth on, we open a radio interface to the world as well. Joris Evers of security company McAfee had this to say: "You're opening doors for people to come in." He says a Wi-Fi- and Bluetooth-enabled smart phone, like a laptop, is at risk from attackers who want to get their hands on its data.

"The scariest scenario is someone will, through Bluetooth, be able to access your phone, and take any data on your phone, pictures, music, any email on there," explained Evers.

Most of us leave Bluetooth switched on and discoverable. That leaves our data exposed, much like an open Wi-Fi connection on a laptop. But it is easy to close off Bluetooth and protect your data.

"I can turn my Bluetooth on when I'm in my car, use it with my headset, then turn it off when I get out of my car," said Evers. One setting on your phone, and the radio is closed whenever you are not actually using it.

The best advice is to set Bluetooth to "hidden" (non-discoverable) on your smartphone once your headset is paired: devices you have already paired still connect, but strangers scanning for targets will not see your phone at all.

Security Analyser - Automating code review...

New IBM tool analyzes code for mistakes as it's written

IBM's Rational Software unit this week unveiled a development tool that can scan and check code as it's written to uncover errors before they make their way further into the development life cycle where fixes are far more costly.

The IBM Rational Software Analyzer automatically scans the new code up to 700 times before an application is complete. Its operation is similar to the grammar check function in Microsoft Word, according to IBM.

"We unfortunately see a lot of defects in code. You really want to be able to minimize those defects. The earlier you do it in the life cycle the less expensive it becomes," said Dave Locke, director of product marketing for the Rational operation.

Please click here to read full details.

Tuesday, July 29, 2008

Watch-Out - Malware is now hosted on blogs

Blogspot.com is number one host for malware

New research by IT security and control firm Sophos has identified Blogger (www.blogspot.com) as the leading host for malware. The popular blogging service now accounts for 2 percent of all of the world's malware hosted on the web.

Attacks on Blogger involve hackers either setting up malicious blogs on the service, or introducing dangerous content into innocent blogs in the form of comments.

The Sophos Security Threat Report, examining cybercrime in the first six months of 2008, noticed a drastic increase in threats spread through the web. It is estimated that the total number of unique malware samples in existence now exceeds 11 million.

Sunday, July 27, 2008

Be careful using P2P clients and downloading files

New Worm Threat For P2P File Sharers

Downloading files from a P2P file-sharing network is risky at the best of times, but there is now a threat that specifically targets music file sharers. Kaspersky Lab, a computer security company, has discovered a worm that modifies your music files so that they download malware and infect your computer. When an infected music file is played, Internet Explorer is launched and contacts web sites that serve malware; the malicious code typically masquerades as a codec, tricking the user into downloading it.

The worm, Worm.Win32.GetCodec.a, searches your hard drive for MP3 and MP2 files and transcodes them to WMA. It then wraps each WMA file in an Advanced Systems Format (ASF) container, which can carry various kinds of content alongside the audio, including web links that are used to download the malware. The Trojan that gets downloaded is a proxy program that attackers use to evade detection: your computer's IP address is used for their illegal activities.
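A triage check for the trick described above, written as an added example here rather than any published Kaspersky tool: it walks the ASF header, finds the Script Command Object, and lists every command whose type refers to a URL, since that is the field that makes the media player launch a browser. The sample files are constructed inside the block; the two GUIDs are quoted from the ASF specification from memory and the reserved field is zeroed, so check them against the spec before relying on this.

```python
import struct
import uuid

# Object GUIDs from the ASF specification (stored mixed-endian, hence .bytes_le).
# Quoted from memory, not from the page: verify against the spec.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("7BF875CE-468D-11D1-8D82-006097C9A2B2").bytes_le


def _wstr(s: str) -> bytes:
    """ASF string: WORD length in characters, then UTF-16LE text."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_script_command_object(types, commands) -> bytes:
    """Constructed Script Command Object; commands are (time_ms, type_index, name)."""
    body = b"\x00" * 16                                  # reserved GUID, zeroed here
    body += struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += _wstr(t)
    for time_ms, type_idx, name in commands:
        body += struct.pack("<IH", time_ms, type_idx) + _wstr(name)
    return ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body


def build_asf_header(sub_objects) -> bytes:
    """Constructed ASF Header Object wrapping the given sub-objects."""
    payload = b"".join(sub_objects)
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", 30 + len(payload), len(sub_objects), 1, 2) + payload


def parse_script_commands(data: bytes):
    """Return [(presentation_time_ms, type_name, command)] from the header."""
    if data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file")
    _size, count = struct.unpack_from("<QI", data, 16)
    pos, out = 30, []
    for _ in range(count):
        guid = data[pos:pos + 16]
        (osize,) = struct.unpack_from("<Q", data, pos + 16)
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            p = pos + 24 + 16                            # skip object header + reserved GUID
            ncmd, ntype = struct.unpack_from("<HH", data, p)
            p += 4
            types = []
            for _ in range(ntype):
                (n,) = struct.unpack_from("<H", data, p)
                p += 2
                types.append(data[p:p + 2 * n].decode("utf-16-le"))
                p += 2 * n
            for _ in range(ncmd):
                t, idx, n = struct.unpack_from("<IHH", data, p)
                p += 8
                name = data[p:p + 2 * n].decode("utf-16-le")
                p += 2 * n
                out.append((t, types[idx] if idx < len(types) else f"type#{idx}", name))
        pos += osize                                     # unknown objects are skipped by size
    return out


def suspicious_commands(data: bytes):
    """Commands whose type opens a URL (e.g. URLANDEXIT) are what a player acts on."""
    return [c for c in parse_script_commands(data) if "URL" in c[1].upper()]


# Constructed samples: an unknown object (stand-in GUID) plus a script command object.
UNKNOWN_OBJECT = b"\x01" * 16 + struct.pack("<Q", 24)
TROJANED_SAMPLE = build_asf_header([
    UNKNOWN_OBJECT,
    build_script_command_object(["URLANDEXIT"], [(0, 0, "http://example.invalid/codec.exe")]),
])
CLEAN_SAMPLE = build_asf_header([
    build_script_command_object(["EVENT"], [(5000, 0, "chorus")]),
])

if __name__ == "__main__":
    for label, sample in (("trojaned", TROJANED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, suspicious_commands(sample))
```

Run it on a real file by reading the first few kilobytes and passing them to suspicious_commands; a legitimate track almost never needs a URL-typed script command, so any hit deserves a look before the file is played.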

Friday, July 25, 2008

DNS Attack Code Exploit

Metasploit Loads Up DNS Attack Code

Script kiddies and sophisticated hackers gained easy access to code for exploiting a critical flaw in the Domain Name System (DNS) when the Metasploit Project added two attacks to its toolkit.

Back on July 9th, an advisory to major vendors of DNS systems advised them to patch their products with all due haste. Security pros with unpatched DNS systems under their purview reading this today need to get this done fast.

The Metasploit Project updated its framework to include code for testing whether DNS servers are vulnerable to exploitation. A successful attack using the method discovered by Dan Kaminsky and confirmed by Halvar Flake poisons a resolver's cache, so that clients asking it for a name are silently sent to an address of the attacker's choosing.

Threat Level learned from Metasploit maintainer and noteworthy security researcher HD Moore about the updates to the testing tool with this code. The two exploits make it "much more effective for wide-scale hijacking," according to Moore.

Much of the threat may have been mitigated already, due to work by Kaminsky and Paul Vixie in coordinating a global response with major vendors of affected products. It won't mean much if admins of vulnerable systems do not apply the patches; one hopes any stragglers will perk up today and get this done.

Backdoor in Skype?

We need an open-source replacement

It has long been speculated that there might be a backdoor built into Skype, something that would allow Skype (the company) or the police to easily monitor Skype conversations. Skype is closed software and can therefore not be examined on the source level. In fact, the Skype executable code has been deliberately obfuscated to resist any attempt of analysis.

Skype claims that it uses strong encryption and that therefore your conversations are secure. But new indications have now emerged that it might not be quite as secure as they would like us to believe. According to this article here, police in Austria recently claimed that listening to Skype conversations is not a problem for them anymore. And Skype refused to comment on this or deny it.

Skype supposedly uses the AES encryption algorithm, which is open, has been thoroughly analysed and is generally found to be very secure. However, claiming to use an algorithm is different from implementing it correctly. Besides, setting up a conversation involves a key exchange phase, which is handled by an entirely different proprietary algorithm that has not enjoyed the scrutiny of security experts.

Please refer here to read full details.

Wednesday, July 23, 2008

How to Perform Cryptanalysis with Rainbow Tables

Break (almost) any hash into cleartext using cryptanalysis with rainbow tables

In this tutorial, I'm going to explain how to break (almost) any hash into cleartext using cryptanalysis with rainbow tables.

So first, let's look at a hash, specifically an MD5 hash. An MD5 digest is 128 bits long, normally written as 32 hexadecimal characters (0-9 and a-f). Another standard hash, less commonly seen, is SHA-1, which produces 160 bits, or 40 hex characters. The idea behind hashing is that you put a string (your password) in and a fixed-size digest comes out. A hash is one-way: there is no "decrypt" step that recovers the input (the weaknesses found in MD5 and SHA-1 concern collisions, not inverting a digest), so the only way to crack one is to hash candidate strings until one of them produces the same digest.

Common ways of generating lots of hashes (hoping to find one that matches the target) are brute force and wordlists. Brute force enumerates every possible string and hashes it. Keep it running long enough (anywhere from a few hours to a few centuries, depending on character set and length - not kidding) and you will eventually find a match, cracking the hash. For anything but short passwords this is impractical, as most of us do not have access to university or government supercomputing grids.

The second method of cracking a hash is a wordlist. Wordlists use the same principle as brute force, except that the candidates come from a list of commonly used passwords. Some wordlists are plain dictionaries, while others are planned out to target a certain genre of words. Wordlists work surprisingly well, mostly because people choose predictable passwords like "password" or "1234567890".

The third and perhaps most effective method of hash cracking is to use rainbow tables, which I am going to explain today. Rainbow tables are a time-memory trade-off: the work of hashing the keyspace is done once, in advance, and stored in compressed form as chains, so that each lookup afterwards takes anywhere from a few seconds to a few days. How long, and how often it succeeds, depends on the size and coverage of your tables: more of the keyspace covered means a better chance of a successful crack, at the cost of larger files and longer lookups. It is up to you to find the balance. Two limits are worth knowing before you start: a table is built for one hash function, one character set and one length range, and it is useless against salted hashes, because the salt pushes the hashed string outside the keyspace the table was built from.
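To make the chain idea concrete, here is a miniature rainbow table in Python, added as an example and unrelated to rcrack's own code: it precomputes chains over a toy keyspace of 4-digit PINs hashed with unsalted MD5, stores only the chain endpoints, and then cracks a digest by walking the chains backwards. The keyspace, chain length and chain count are assumptions chosen to run in well under a second; the same structure scales to the real tables, where the chains are millions long and the files gigabytes. The last lines show why a per-user salt defeats the table.

```python
import hashlib
import random

# Toy keyspace: 4-digit PINs (10 000 candidates) hashed with unsalted MD5.
CHARSET = "0123456789"
PW_LEN = 4
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 100      # hashes per chain: longer = smaller table, slower lookup
NUM_CHAINS = 600     # chains stored: more = better coverage, bigger table


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def index_to_plaintext(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to one candidate password."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def reduce_hash(digest_hex: str, position: int) -> str:
    """Reduction function R_position: squash a digest back into the keyspace.

    Mixing the chain position into the reduction is what makes this a
    rainbow table (Oechslin's refinement of Hellman's tables): two chains
    that collide in different columns do not merge into one.
    """
    n = (int(digest_hex[:15], 16) + position) % KEYSPACE
    return index_to_plaintext(n)


def build_table(seed: int = 1) -> dict:
    """Precompute NUM_CHAINS chains; store only endpoint -> [start points]."""
    rng = random.Random(seed)
    table: dict = {}
    for _ in range(NUM_CHAINS):
        start = index_to_plaintext(rng.randrange(KEYSPACE))
        p = start
        for pos in range(CHAIN_LEN):
            p = reduce_hash(md5_hex(p), pos)
        table.setdefault(p, []).append(start)
    return table


def crack(table: dict, target_hex: str):
    """Return a preimage of target_hex if some stored chain covers it, else None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the target is the hash in column `pos`. Finish that
        # chain from there and see whether its endpoint is one we stored.
        p = reduce_hash(target_hex, pos)
        for k in range(pos + 1, CHAIN_LEN):
            p = reduce_hash(md5_hex(p), k)
        for start in table.get(p, []):
            # Regenerate the candidate chain and look for the target itself;
            # this also rejects false alarms caused by partial chain collisions.
            q = start
            for k in range(CHAIN_LEN):
                h = md5_hex(q)
                if h == target_hex:
                    return q
                q = reduce_hash(h, k)
    return None


if __name__ == "__main__":
    table = build_table()
    print(f"{NUM_CHAINS} chains, {len(table)} distinct endpoints stored")
    print("md5('4321')          ->", crack(table, md5_hex("4321")))
    # A per-user salt pushes the input outside the precomputed keyspace:
    print("md5('s4lt' + '4321') ->", crack(table, md5_hex("s4lt4321")))
```

The table stores 600 start/end pairs instead of 10 000 hashes, and a lookup costs at most about CHAIN_LEN squared over two hash operations; that ratio is the whole trade-off, and rsort's job in the real tool is to keep the endpoint lookup fast.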

Okay, enough background information; let's get started with learning how to use rainbow tables. The best program for our task is "rcrack". Rcrack is available here, as an open source project (Note: rcrack and other bundled programs with it are only executable via the command line). Also, grab some free rainbow tables from here. You'll find most downloads for the tables themselves in BitTorrent format due to the sheer size (Note: never execute the cracking programs that come "pre-packaged" with table torrents, as most are trojaned. The tables themselves are clean, but always download the programs from their official sites.).

The third and final thing you need is a decent character set file; it tells rcrack what kinds of characters the tables were built for. The best one I've found is by Ramius Kahn and has been mirrored here.

Now that you have your rainbow tables downloaded, rcrack ready and a decent charset, there is one final step before you can use the tables. Using the program "rsort" (included in the rcrack package), you must sort each rainbow table (run the program with no arguments for its usage). Sorting matters enough to lookup speed that rcrack will reject any table that is not sorted.

Now we are ready to crack! Run rcrack with no arguments to see its usage, feed it the hash or hashes you want cracked, and go outside for a few hours. It will tie up your CPU and hard disk (it is resource-intensive), so either do something else or watch the scrolling text. With luck, the plaintext pops out at the end.

Rcrack can be finicky, so if you have questions or hit an error, please refer to the documentation. Good luck, and happy hashing!

'Cold boot' tools surface

A set of tools for performing 'cold boot' data recoveries has been posted

The tools could allow a user to recover disk encryption keys from a recently powered-down computer, according to the researchers who developed them. The source code for the tools was released earlier this week at the Hackers On Planet Earth (HOPE) conference.

The tools follow a study earlier this year by a group of researchers at Princeton University, which concluded that, given the right tools, it is possible to recover disk encryption keys from a recently shut-down machine. Because DRAM chips retain their contents for seconds to minutes after power is removed (longer if cooled), an attacker can cold-boot the machine into a small memory-imaging program and dump the chips before anything overwrites them, then search the dump for the key material.


Please refer here for further details.
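The key-recovery step of the Princeton work, as an added example and not the researchers' released code: AES-128 keys are located in a memory image by treating every 16-byte window as a candidate key, recomputing its key schedule, and checking whether the 160 bytes that follow agree with that schedule within a tolerance for decayed bits. The memory image here is constructed (random filler plus an embedded schedule with three bytes corrupted) around the FIPS-197 sample key, and counting mismatched bytes is a simplification of the paper's bit-level decay model.

```python
import random

# ---- AES-128 primitives (only what the key schedule needs) ----------------

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box (multiplicative inverse, then affine map) rather
    than typing in 256 constants."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    assert len(key) == 16
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        for j in range(4):
            w.append(w[i - 16 + j] ^ t[j])
    return bytes(w)


# ---- the search ----------------------------------------------------------

def find_aes128_keys(image: bytes, max_bad_bytes: int = 8) -> list:
    """Scan a memory image for AES-128 key schedules.

    Every 16-byte window is a candidate key; if the 160 bytes after it match
    the recomputed schedule except for at most max_bad_bytes (decay after
    power-off), report (offset, key). Random data essentially never matches.
    """
    hits = []
    for off in range(0, len(image) - 176 + 1):
        cand = image[off:off + 16]
        sched = expand_key(cand)
        bad = sum(1 for a, b in zip(sched[16:], image[off + 16:off + 176]) if a != b)
        if bad <= max_bad_bytes:
            hits.append((off, cand))
    return hits


def make_test_image(key: bytes, offset: int, size: int = 4096, seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM dump: random filler with the key schedule
    embedded at `offset`, then three bytes flipped to mimic bit decay."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key(key)
    for i in (offset + 40, offset + 101, offset + 170):
        buf[i] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    img = make_test_image(key, offset=1234)
    for off, k in find_aes128_keys(img):
        print(f"AES-128 key schedule at offset {off}: key = {k.hex()}")
```

The defence this implies is the one the study names: keys that are never written to RAM in expanded form, or that are wiped before shutdown, give the scan nothing to find; full-disk encryption alone does not.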

Tuesday, July 22, 2008

Silence is not always golden

New guidance for organizations on whistleblowing arrangements

Guidelines for whistleblowers.

Social Engineering 101

Mitnick and other hackers show how it's done

Kevin Mitnick went to jail as a young fugitive hacker for breaking into computer networks, mostly by cunning and persuasion rather than technical skill. He was an early master of social engineering: manipulating people into doing what you want, such as giving out passwords and other information that unlocks sensitive data on networks.

Please click here for full details and videos.

Monday, July 21, 2008

Protect your Iphone with Antivirus software

First iPhone 2.0 antivirus software released

Paris-based computer security firm Intego said late last week it had released the first antivirus software for Apple's iPhone handset.

The company said the latest version of its Virus Barrier X5 10.5.3 antivirus package for Mac OS X, released last week, was also able to scan the iPhone for viruses. The antivirus software runs from a user's Mac, not from the iPhone itself, and checks for viruses on the iPhone when the handset is plugged into a user's Mac. Files stored on the iPhone are copied to the Mac for a security check.

Intego claimed that because Apple was allowing third-party developers to create applications for the iPhone by using Apple's Software Developers Kit (SDK), there was a risk of installing applications that could harm these devices, or take control of them.


Please refer here for full details.

Web Application Testing Tools

Six open source web application testing tools

If you're building a web application and have high hopes that it will be used by lots of people, one of the most important things to do before you launch it is to test how it functions under extreme conditions.

The purpose of stress and load testing is simple - find out what happens to your application when it gets "hammered" by simulating lots of usage. When done right, such testing can mimic real-world usage and will yield valuable data.

You'll find out how your application performs. You'll often be able to locate performance bottlenecks. And you can better determine what sort of scaling strategy makes sense for your application. Fortunately, there are a number of open source testing tools that enable you to do all of this without spending an arm and a leg.


curl-loader
This tool, written in C, simulates the behavior of thousands and tens of thousands of client requests and has support for authentication.

FunkLoad
FunkLoad is an advanced and versatile testing tool that can help discover bottlenecks, "expose bugs that do not surface in cursory testing," and determine how your application manages under heavy stress.

Because it mimics a real web browser, has advanced configuration options and provides detailed reports, it's one of my favorite testing tools.

Hammerhead 2
Hammerhead 2 is a stress testing tool that can simulate many concurrent users at a single time. Its configuration functionality permits the creation of "scenarios" that enable you to simulate real usage.

JCrawler
JCrawler is a very nifty stress testing tool that functions a bit differently than most other stress testing tools. First, it acts like a crawler so it can more easily provide widespread testing of a complex application without requiring lots of explicit configuration. Second, it allows the user to specify hits-per-second instead of "threads." And lastly, it supports applications that make use of HTTP redirects and cookies.

PushToTest TestMaker 5
The maker of this Java-based tool claims to have 160,000 users and describes TestMaker 5 as a "test automation tool" that can simulate "real-world production environments to test scalability under increasing levels of load."

Commercial services and support are available.

Pylot
A multi-threaded stress testing tool, Pylot allows the creation of "test cases" via an XML file. Requests can be configured, a nice GUI is offered for real-time monitoring purposes and useful reports are generated at the end of each test.

Thursday, July 17, 2008

Facebook privacy breach exposed users' hidden dates of birth

Roll-out of new Facebook profile design marred by security slip-up

Sophos, a world leader in IT security and control, has warned computer users that Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves. Earlier this week, the full dates of birth of many of Facebook's 80 million active users were visible to others, even if the individual member had requested that the information remained confidential.

According to Graham Cluley, senior technology consultant at Sophos, a security slip-up by the website during the process of a public beta test of its new design for members' profiles left birth date information exposed.

"I was shocked to see people's full date of birth revealed, even though I knew they had their privacy set up correctly to supposedly hide the information," said Cluley. "It's essential that users of social networks should have confidence that their privacy will be protected - and it's especially important with information like your date of birth, which can be a golden nugget for a committed identity thief."

Please refer here to read full details.

Security is like a stack of Swiss cheese

12 ways to visualize network security

Remember the old M&M analogy - security is like an M&M candy, hard shell on the outside, soft on the inside. In other words, put up firewalls, build a strong perimeter and you're good to go. Of course, nobody believes that M&M-type security is sufficient in today's world of insider threats, data leakage, mobile workers, thumb drives and sophisticated malware. So, what's the new metaphor? We asked around and came up with a number of interesting and useful ways to think about enterprise security.

Please refer here for full article.

Wednesday, July 16, 2008

How will I know if my MSN's been hacked?

More tips to protect yourself on MSN Messenger...

I posted an interesting post on "some tips to protect yourself on MSN Messenger". One of my blog readers asked a couple of questions about it, and I thought I would make them a post so other readers can learn something from it.

1) How will I know if my MSN's been hacked?

2) How do I rectify it once I find this out - do I have to reinstall MSN? Thanks.

MSN hacking has two scenarios:

1) MSN ID hack
2) MSN messenger hack

1) If your MSN ID is hacked, you will most likely be unable to sign in to Messenger at all. In what I call a passive hack you can still sign in, but you may notice unread emails being marked as read. In a passive hack the intruder captures your password and simply logs in to read your email; the aim is to monitor you, not to lock you out. To keep that access, the intruder quietly changes your secret question (the password-recovery answer). If you notice someone reading your mail and change your password, they use the recovery question to reset it again, and the passive hack becomes an active one.

A passive hack is very hard to detect until you see malicious activity. The best practice is to change both your password and your secret question regularly.

2) If your MSN Messenger client is hacked, it is more likely that your whole computer has been compromised, by a virus, Trojan or other malware depending on the nature of the attack. In this case your contacts will complain that you are sending them spam, or messages asking them to click on links or download something "interesting". You will also notice Messenger running slowly because memory is low, and the overall performance of the computer suffering.

In this case, reinstalling Messenger will not fix the problem. Make sure your computer has up-to-date antivirus software installed; if it does not, install it and clean the machine, which should fix Messenger too. Often, if the computer had no antivirus when it was compromised, the malware will stop you from installing one afterwards. In that case you may need to reinstall the operating system or consult a computer expert.

Tuesday, July 15, 2008

Facebook and Privacy Issues

Facebook can use your personal information for marketing...

Lately there's been a lot of news about Facebook using personal details for profit and now Canada's federal privacy commissioner has launched an investigation into Facebook. Apparently four students complained that the popular Web site violates Canadian law by disclosing personal information to advertisers without proper consent.

This in turn reminded me of a wonderful YouTube video - definitely worth watching and passing on to your less security-aware friends and family! - source Pete Wood.

Anti-virus software is vulnerable itself...

Approximately 800 vulnerabilities discovered in antivirus products
A recent ZDnet blog discusses a large number of vulnerabilities that German research team N.Runs says it found in anti-malware products from nearly every vendor. The ZDNet posting includes scary graphs to frighten users of security products.

If anti-virus software is itself vulnerable to exploits, how can anyone rely on anti-virus products? At this rate we will soon need anti-vulnerability software to protect the anti-virus software.

Anti-virus companies should focus on the overall security of their software rather than just raising prices for virus-definition updates and marketing their products.

Please refer here for much more detail response on the subject by McAfee.

Monday, July 14, 2008

Mobile Malware next thing to watch out!!

Mobile malware not yet a risk but companies told to prepare

Security risks to mobile devices such as mobile phones, smartphones and personal digital assistants (PDAs) are not yet a major issue, unlike the threats that computer networks have faced since the 1980s.

However, a security expert said companies should nonetheless prepare, in case criminals such as hackers beat them to it and steal the valuable company information that corporate mobile workers usually carry.

The security expert said malware and viruses currently attacking mobile devices are usually simple nuisance viruses, such as those which can freeze the operating system (OS) or change the user’s preferences.

Refer to here for further details.

Thursday, July 10, 2008

XP SP3 will be rolled out soon!

Microsoft to push XP SP3 via Auto Update on July 10

Microsoft is going to release Windows XP Service Pack (SP) 3 via its Automatic Update (AU) service on Thursday July 10, company officials confirmed this week.

The client team has been vague about when it planned to push the latest version of XP to users. “Early summer” and “sometime soon” were favorite comebacks when officials were asked for an AU timeframe for SP3.

Customers who have automatic updates turned on but who don't want XP SP3 to be downloaded to user desktops this week - for whatever reason - need to deploy the Microsoft Service Pack blocker toolkit to delay pushed delivery of SP3. While Microsoft will begin pushing SP3 tomorrow, not all users will receive it immediately, as the company will be staggering the rollout.

Spammers prefer Gmail Accounts

Gmail: The Choice of Spammers?

An examination of spam originating from the major free e-mail providers shows that like consumers, spammers prefer Google.

In a three-week period from mid-June to this month, e-mail filtering firm Roaring Penguin said it saw an explosion of spam originating from Gmail, while Microsoft Hotmail and Yahoo Mail remained flat.

The company attributes this meteoric rise in Gmail spam to the cracking of Google's CAPTCHA. A CAPTCHA is a test, typically used in web site registration, designed to tell humans apart from programs written to automate registrations. It consists of a word displayed in such a way that it is difficult for a computer to read but not for a human; a real user can enter the word into an input box and gain entry.

Tuesday, July 8, 2008

Universal Forensic Extraction Device (UFED)

Forensics on cell phones

Inside and outside government, professionals increasingly carry data on their cell phones, including e-mail messages, documents, videos and instant messages. And there are those — such as law enforcement officers, some employers and, yes, hackers — who want to get at that data without the owner’s permission.

Until recently, however, the tools to do that weren’t available. A handful of PC-based programs have been able to extract data from selected cell phone models, but special challenges face those who deliver powerful forensic tools.

The biggest one is that there are hundreds of models of cell phones, with manufacturers adding dozens of new ones each year. And all those models employ a wide array of BIOS versions, operating systems and software. The other nut to crack is portability. Cell phones are, of course, extremely portable. But if you need to plug one into a computer equipped with forensic software, extracting data in the field or without the owner’s knowledge can be problematic.

Please refer here for more details.

Protect your Gmail Account

Your Gmail is now a lot more secure

Your email account can contain a lot of personal information, from bank alerts to love letters. Email that, I'm sure, you don't always want other people to see. We understand how important your Gmail accounts are to you, so we're adding a new layer of information and control. With this new feature, you can now track your recent sessions and you can also sign yourself out remotely.

If you are anything like me, you probably sign in to Gmail from multiple computers. I, for example, occasionally sign into my Gmail account from a friend's house when I need to check an important email. Usually I remember to sign out, but every once in a while I wonder if I really did. Now I no longer have to wonder.

At the bottom of your inbox, you'll see information about the time of the last activity on your account and whether it's still open in another location.

Please refer to Gmail's blog for more information.

Sunday, July 6, 2008

Wireshark and TShark network tools

Several bugs fixed

The new version 1.0.1 of the Wireshark network analysis tool and its command line variant TShark, remedy a number of security problems. Bugs in previous versions in the analysis modules for GSM messages, PANA, KISMET, and RTMPT packets as well as syslog messages, made it possible for attackers to crash the program. According to the developer advisory, the RMI module would even reveal some contents of the RAM to attackers.

The advisory states that the vulnerabilities are also present in Ethereal. Up to version 0.99, Ethereal was the original name of the Wireshark project. For users who cannot update to the newest version, the developers recommend deactivating the affected modules.

I.E 8 with much better security features

Microsoft addresses XSS in Internet Explorer

Microsoft is planning to add a series of new security features to the next version of its Internet Explorer browser, including protection against cross-site scripting attacks.

A beta version of IE 8 is due out in August, and along with the XSS filter, it will include a filter designed to provide better protection against phishing attacks, features that make it easier for developers to request resources and share information across domains, and some changes to the way that ActiveX controls are handled by the browser. Specifically, developers will be able to write controls that are only available for the individual user who downloads them.

The announcement of the new security features in IE 8 came just a week after the release of Firefox 3, the latest version of IE's main competition in the browser world. Firefox 3 also includes updated antimalware and antiphishing capabilities and several other security updates. Microsoft has been fighting to repair the security reputation of IE for several years, since the initial release of Firefox, which the Mozilla Foundation has positioned as a more secure alternative to IE.
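The class of bug the new filter targets, as an added example and not Microsoft's code: a page that reflects a query parameter into HTML unencoded, the same page fixed with output encoding, and a toy model of what a client-side reflection filter can see. The hypothetical search page and the heuristic are assumptions. The point a practitioner should take away is that the browser filter only has the request to compare against, so stored XSS and anything the server emits on its own pass straight through it; output encoding on the server remains the actual fix.

```python
import html
from urllib.parse import parse_qs


def render_search_unsafe(query: str) -> str:
    """Vulnerable: untrusted input pasted into HTML verbatim (hypothetical page)."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Fixed: encode untrusted data for the HTML text context it lands in."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflection_suspect(query_string: str, response_body: str) -> bool:
    """Toy model of a reflected-XSS filter, assumed here for illustration:
    flag a response when a request value carrying markup or a script URL
    appears in it byte-for-byte. It can only judge what it saw in the request."""
    params = parse_qs(query_string, keep_blank_values=True)
    for values in params.values():
        for v in values:
            looks_like_markup = "<" in v or "javascript:" in v.lower()
            if looks_like_markup and v in response_body:
                return True
    return False


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    qs = "q=" + payload
    print("unsafe page, filter sees reflection:",
          reflection_suspect(qs, render_search_unsafe(payload)))
    print("safe page, nothing to flag:        ",
          reflection_suspect(qs, render_search_safe(payload)))
    # Stored XSS: the payload came from the database, not this request,
    # so a request/response filter has nothing to match against.
    print("stored payload, filter is blind:   ",
          reflection_suspect("q=harmless", render_search_unsafe(payload)))
```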

Thursday, July 3, 2008

PINs can leak while in transit....

ATM breach reveals PIN problems

Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Please refer here to read full details.

SSL Blacklist Service - Free of charge

DNS blacklist for weak SSL keys

Working closely with the German hosting company – manitu, heise is making available with immediate effect a realtime DNS-based blacklist service for identifying weak SSL keys. The provider already runs the Realtime Blacklist for the iX spam filter NiX Spam, which enables mail servers to identify and filter spam.

The principle of a DNS realtime blacklist is as simple as it is elegant. An application makes a DNS query for <hash>.weakSSLkeys.dnsbl.manitu.net, which arrives at the name server responsible for the weakSSLkeys.dnsbl.manitu.net zone. That server checks whether the host-name label is in its lists. If it is, the DNS server responds with the IP address 127.0.0.2; if it cannot find the string, it responds with 127.0.0.3. DNS blacklists normally answer a negative lookup with NXDOMAIN, but that makes little sense here, because certificate-checking code cannot always determine the exact error code of a DNS lookup.

The host name is the SHA1 hash of the RSA modulus taken from the certificate. All tests for weak SSL certificates use similar fingerprinting, including the Debian tool openssl-vulnkey and the heise Networks SSL tests. The lists cover keys of 512, 1024, 2048 and 4096 bits, for both 32- and 64-bit systems and little- and big-endian architectures.

Full article can be read from here.

Tuesday, July 1, 2008

Coffee Machine is hackable, Amazing things in amazing world...

My classmate finds vulnerability in his coffee maker.

Craig Wright, my classmate and a risk advisory services manager at professional services firm BDO, has discovered security holes in his internet-connected coffee maker that could allow a remote attacker to not only take over his Windows XP-based PC but also make his coffee too weak.

He found several security holes, including a buffer overflow in the internet connection software that links his Jura F90 coffee maker to his PC.

Once connected to the internet, the high-end coffee maker, which retails for nearly US$2,000 on Amazon, lets you do things like set the strength of your coffee and get remote diagnostic help over the internet without having to send the appliance in for service.

Wright posted the information on the vulnerabilities, and the fact that there is no patch available yet, to the BugTraq security e-mail list on Tuesday.

"I don't know if many people would target this particular vulnerability because there probably are not a lot of coffee makers at the moment that are internet-connected, and in my case it's behind a firewall," he said.


However, internet-connected appliances are the wave of the future. There is already an internet-connected refrigerator, at least one prototype of a Web-enabled oven, and pilot tests for dryers and water heaters.

Eventually "you'll be able to turn on your oven with your mobile phone" and a malicious hacker could wind up burning the house down, Wright said.

Further article can be read from here.

VOIP Calls are tappable....

Compression lets attackers tap VoIP calls

A common compression technique can make internet telephone calls significantly more susceptible to bugging, according to recent research from Johns Hopkins University.

Internet telephony has become widely used through consumer-centric applications such as Skype, and is becoming more common in enterprises.

The new research suggests, however, that standard encryption and compression methods, when used together, are not sufficiently secure. VoIP calls are commonly compressed with a variable-bit-rate codec and then encrypted with a cipher that preserves packet length, so the sizes of the encrypted packets still reveal the lengths of the voice patterns in the original, unencrypted conversation, the researchers said.

Please click here to read full article.

Identity Theft and Financial Fraud

Unisys Security Index Reveals Identity Theft and Financial Fraud Remain Top Global Concerns for Consumers

Fears about identity theft and financial fraud are top global concerns for consumers, according to the latest results of the Unisys Security Index.

Identity theft is the primary security concern cited among respondents in nine out of 14 countries, while misuse of credit or debit card information ranks as the first or second greatest fear in 12 out of the 14 countries.

Source - Earth Times , press release

As I always say, we really need to be careful with our identity. We need to make sure that the people we give our details to are legitimate. I would prefer to give out fewer details on social networking websites, if you use one, and to add only those users who really are your friends.

iSpring - Cool Utility

Converts PowerPoint Presentations to Flash Video

Windows only: Freeware PowerPoint plug-in iSpring converts your PowerPoint presentation to an interactive Flash video with the click of a button. Not only is iSpring a great way to make your PowerPoint presentation more portable (not everyone has PowerPoint, after all), but as Digital Inspiration points out, an exported movie even preserves all of your slide transitions, animations, and hyperlinks.

iSpring is freeware, Windows only, works with PowerPoint 2000 through 2007.

Alternatively, you can upload any presentation directly to the SlideBoom web site (which appears to convert and host Flash movies made with iSpring) if you don't want to host the presentation yourself.

***This post is not security related***