Monday, August 31, 2009

New Attack Cracks Common Wi-Fi Encryption in a Minute

A reason to dump WPA with TKIP and start using AES encryption.

Hiroshima University's Toshihiro Ohigashi and Kobe University's Masakatu Morii say they have developed a way to break the Wi-Fi Protected Access (WPA) encryption system used in wireless routers in about one minute.


Last November, researchers demonstrated how WPA could be broken, but the Japanese researchers have taken the attack to a new level. The first attack worked on a smaller range of WPA devices and required between 12 and 15 minutes to execute. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm, and neither works on newer WPA 2 devices or WPA systems that use the more secure Advanced Encryption Standard algorithm. Wi-Fi Alliance's Kelly Davis-Felner says WPA with TKIP was developed as a type of interim encryption method when Wi-Fi was first evolving, and Wi-Fi-certified products have had to support WPA 2 since March 2006.

There's certainly a decent amount of WPA with TKIP out in the installed base today, but a better alternative has been out for a long time. Most enterprise Wi-Fi networks feature security software that would detect the man-in-the-middle attack, but the development of a practical attack against WPA should give people a reason to dump WPA with TKIP and start using AES.

Refer here to read full details.

Friday, August 28, 2009

Online Social Networks Leak Personal Information to Third-Party Tracking Sites

Leakage Puts Social Network Users at Risk of Having Their Identity Linked With Their Browsing Behavior

A Worcester Polytechnic Institute (WPI) study by professor Craig Wills found that the practices of many popular social networking sites can make personal information shared by users on their pages available to companies that track Web user browsing habits. The study, presented at the Workshop on Online Social Networks, part of ACM's recent SIGCOMM 2009 conference, described the method that tracking sites could use to directly link browsing habits to specific individuals.

Wills says users are given a unique identifier when they sign up with a social networking site, and when social networking sites pass information to tracking sites about user activities, they often include the identifier, giving the tracking site a profile of Web browsing activities and the ability to link that profile to a user's personal information. Wills says this is a particularly troubling practice for two reasons. "First, users put a lot of information about themselves on social networking sites. Second, a lot of that information can be seen by other users, by default." A unique identifier could give a tracking site access to a user's name, physical address, email address, gender, birth date, education, and employment information.

Wills says he does not know what, if anything, tracking sites do with unique identifiers given to them by social networking sites, and while the Web sites provide users with tools to protect themselves, the best way to prevent privacy leaks would be for social networking sites to stop making unique identifiers visible.

Please refer here to read the full research details.


Tuesday, August 25, 2009

Why is "Due Care" extremely critical?

Crowne Plaza Venice Hotel suffers GBP90,000 loss due to sloppy coding

Web site code auditing could have avoided the 90,000 pound online booking loss incurred by the Intercontinental Hotels Group. Richard Kirk, Fortify's European Director, said that the online booking fiasco - in which rooms at the Crowne Plaza Venice East Quarto D'Altino hotel were sold for pennies - has lost the group tens of thousands of pounds.

Rooms, which normally cost up to 150 pounds a night at the four star hotel in Venice, have been booked by savvy Internet punters, most of whom are well aware of the law of contract. After the company initially blamed the fiasco on hackers, they quickly realised their own coding and data mistake - and are now effectively locked into completing the contract with customers.

Kirk says that the incident, which will cause a hole in the hotel's annual profits, could have been avoided if the hotel group - or its booking IT services provider - had used standard code auditing techniques on the Web site server system and its allied data. Standard auditing techniques that look for non-standard patterns in bookings, as well as erroneous low or high value card authorisations, would have picked up this anomaly.

According to Kirk, because of these failings in the audit process, more than 5,000 bookings were reportedly made within hours of the one pence rate being offered on the Crowne Plaza Web site.

The irony of the situation is that the hotel - and the Intercontinental Hotels Group - will probably gain in the publicity stakes, but this is an expensive way to learn that your Web site code auditing and allied safeguards have failed you.
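The kind of booking audit Kirk describes can be sketched as follows. This is an added example, not code from the hotel group or from Fortify: the record fields, the thresholds and the sample data are all assumptions, and only the 150 pound rack rate and the one pence rate come from the post.

```python
from collections import Counter
from datetime import datetime, timedelta

RACK_RATE_PENCE = 15000   # 150 pounds a night, the figure quoted in the post


def audit_bookings(bookings, rack_rate=RACK_RATE_PENCE, floor=0.25, ceiling=3.0,
                   hourly_baseline=10, burst_factor=5):
    """Return (rule, subject) findings for a batch of booking records.

    floor and ceiling are fractions of the rack rate; hourly_baseline is the
    normal bookings-per-hour figure. All four thresholds are assumptions.
    """
    findings = []
    per_hour = Counter()
    for b in bookings:
        if b["rate_pence"] < rack_rate * floor:
            findings.append(("LOW_RATE", b["id"]))
        elif b["rate_pence"] > rack_rate * ceiling:
            findings.append(("HIGH_RATE", b["id"]))
        # The card authorisation should equal rate x nights.
        if b["authorised_pence"] != b["rate_pence"] * b["nights"]:
            findings.append(("AUTH_MISMATCH", b["id"]))
        per_hour[b["time"].replace(minute=0, second=0, microsecond=0)] += 1
    # A non-standard booking pattern: far more bookings in an hour than usual.
    for hour, count in sorted(per_hour.items()):
        if count > hourly_baseline * burst_factor:
            findings.append(("BURST", hour.isoformat()))
    return findings


def sample_bookings():
    """Constructed data: a quiet hour, then a flood of one-pence bookings."""
    start = datetime(2009, 8, 20, 9, 0)   # constructed date, not from the post
    rows = []
    for i in range(8):      # normal trade at 120 pounds a night
        rows.append({"id": f"N{i}", "time": start + timedelta(minutes=7 * i),
                     "rate_pence": 12000, "nights": 2, "authorised_pence": 24000})
    for i in range(120):    # mis-loaded rate: one pence a night
        rows.append({"id": f"P{i}",
                     "time": start + timedelta(hours=1, seconds=25 * i),
                     "rate_pence": 1, "nights": 3, "authorised_pence": 3})
    # One record whose card authorisation does not match its rate.
    rows.append({"id": "X0", "time": start + timedelta(hours=2, minutes=5),
                 "rate_pence": 12000, "nights": 1, "authorised_pence": 1200000})
    return rows


if __name__ == "__main__":
    for rule, subject in audit_bookings(sample_bookings()):
        print(rule, subject)
```

Run against live bookings, the LOW_RATE rule fires on the first one-pence sale, long before the hourly burst rule does.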

Friday, August 21, 2009

Use the best tool to convert WMA/MP3 audio files

How to change a Windows Media music file to an MP3 file?

One of the best tools for converting a Windows Media file (.wma, .wmv, .asf, etc.) to the .mp3 format is WinFF. It's a free, multiplatform tool available from the WinFF site. The program can handle a range of conversions and is supported by an online discussion board, a wiki, and more.

Well-known tech author Jake Ludington has a how-to page for WinFF on his MediaBlab site. Jake even provides a video clip showing how to use WinFF. The info is good, but the page is somewhat cluttered with ads for other audio tools, most of which have nothing to do with WinFF, so read (and click) carefully.

By starting with a free tool that I know is a good one, you can gain experience with audio conversions safely and without paying a fee — or taking a shot in the dark with unknown software.

WinFF may turn out to be all you need. If not, at least you'll have a rock-solid basis for comparison when you look at alternative tools. Happy converting!

Thursday, August 20, 2009

Doing What the Brain Does--How Computers Learn to Listen

Interesting - computers will understand what's happening around the world.

Researchers at Germany's Leipzig Max Planck Institute for Human Cognitive and Brain Sciences and the Wellcome Trust Centre for Neuroimaging in London have developed a mathematical model that could significantly improve computers' ability to automatically recognize and process spoken language.

The researchers say their new language processing algorithm could eventually imitate brain mechanisms and help machines perceive and understand the world around them. The researchers created a mathematical model that was designed to imitate, in a highly simplified manner, the neuronal processes that occur during human speech comprehension. The neuronal processes were described by algorithms that processed speech at several temporal levels. The model was able to recognize individual speech sounds and syllables and was able to process accelerated speech sequences.

Additionally, the system had a brain-like ability to predict the next speech sound, and if the prediction was incorrect because the speaker made an unfamiliar syllable out of familiar sounds, the system could detect the error. "The crucial point, from a neuroscientific perspective, is that the reactions of the model were similar to what would be observed in the human brain," says the Max Planck Institute's Stefan Kiebel.

Wednesday, August 19, 2009

Hackers Stole IDs for Attacks

Russian hackers hijacked American identities and U.S. software tools and used them in an attack on Georgian government Web sites

Russian hackers stole U.S. identities and software tools for use in a cyberattack against Georgian government Web sites during the war between Russia and Georgia in 2008, according to a new report by the U.S. Cyber Consequences Unit. The report says that Russian hackers converted Microsoft software into a cyberweapon and collaborated on popular U.S.-based social-networking sites, including Facebook and Twitter, to coordinate attacks against Georgian sites. Although the cyberattacks were closely examined following the war, the connections to the United States had remained hidden until this year.

Personal and credit card information stolen from U.S. citizens was used to register Web sites that launched the botnet attacks, and once the attacks started, Facebook and Twitter were used to exchange attack code and encourage others to join the attack. Experts say the study shows how cyberwarfare has outpaced military and international agreements, which do not account for the possibility of using U.S. resources and civilian technology as weapons.

Identity theft, social networking, and modifying commercial software are all common attack strategies, but combining these strategies raises the attack to a new level, says former U.S. Department of Homeland Security cybersecurity chief Amit Yoran. White House officials are now studying how laws of war and international obligations need to be adjusted to account for cyberattacks. The U.S. Cyber Consequences Unit says the Georgian attacks were perpetrated by Russian criminal groups, and had no clear link to the Russian government, but the timing of the attacks, which started only hours after the military invasion started, suggests the Russian government may have at least indirectly coordinated with the cyberattackers.

Refer here to read more details about this research.

Tuesday, August 18, 2009

Microsoft Team Traces Malicious Users

HostTracker could lead to better defenses against online attacks and spam campaigns

In a paper that will be presented at ACM SIGCOMM 2009, which takes place Aug. 17-21 in Barcelona, Spain, Microsoft researchers will demonstrate HostTracker, software that removes the anonymity from malicious Internet activity.

The researchers were able to identify the machines responsible for anonymous attacks, even when the host's IP address rapidly changed. The researchers say HostTracker could lead to better defenses against online attacks and spam campaigns. For example, security firms could create a clearer picture of which Internet hosts should be blocked from sending traffic to their clients, and cybercriminals would have a more difficult time disguising their activities as legitimate communications. The researchers analyzed a month's worth of data collected from a large email service provider to attempt to determine users responsible for sending spam. Tracking the origins of a message involved reconstructing relationships between account IDs and the hosts used to connect to the email service.

The researchers grouped all the IDs accessed from different hosts over a certain time period, and the HostTracker software searched through this data to resolve any conflicts. The researchers also developed a way to automatically blacklist traffic from an IP address if HostTracker determines that the host at that address has been compromised. HostTracker was able to block malicious traffic with an error rate of 5 percent, and using additional information to identify good-user behavior reduced the error rate to less than 1 percent.

Refer here to read more details.

Friday, August 14, 2009

Gmail activity log helps you detect hijacking

Gmail Activity log can alert you to unauthorized use of your account

A line at the bottom of the Gmail window indicates when your account was last used and also links to more-complete usage info. You can use this activity log to determine whether someone has guessed your password and taken over your account.

Last week I posted "One third of surfers admit they use the same password for all websites," on how hackers take advantage of weak user passwords, test thousands of passwords per day, and take over poorly defended accounts.

I recently found out that the Gmail activity log, at the bottom of the page, can alert you to unauthorized use of your account. If you're a Gmail user and are concerned as to whether your account password has been compromised, there's a link at the bottom of the screen that shows when your account was used and from where.




At the bottom is a message: Last account activity: xx minutes ago at IP xxx.xxx.xxx.xxx [or on this computer] (refer to the picture above). Click the Details link, and a pop-up window shows all sign-ins over the last couple of days, together with other useful info and a button to Sign out all other sessions (refer to the picture below).




I would advise all my readers to check their account activity frequently, just to keep an eye on the account. If you notice any unusual activity, I recommend you change your password immediately.

Tuesday, August 11, 2009

Apple iPhone Virus

The antivirus solution for iPhone and Mac

The days of Apple having invulnerable systems are long gone. With the Apple pop culture spreading worldwide and becoming ever more popular, it has attracted the likes of hackers and exploiters too. Luckily the CEO of AVG (JR Smith) has come forward to calm the nerves of the Apple supporters whose faith in Apple’s security has been somewhat shattered over the last month due to articles like THIS one about the iPhone, and THIS one about the Mac keyboards.

JR Smith has revealed to CNET UK that he is releasing a full AVG desktop product for OS X next year, and that he plans on releasing a piece of real-time AV software for the iPhone before the end of 2010. When developing for the iPhone, however, he has one big problem to overcome: the iPhone in its current state does not allow apps to run in the background, which rules out a real-time scanner. He says it is something they are working on: “We can’t add a layer of protection on to the iPhone today, so that’s a lot of the conversation that we’re having with Apple.”

So it seems that AVG are stepping up their game to the same level as the hackers and exploiters, making plans for the Mac community as well as the portable gaming community.

Monday, August 10, 2009

Chinese Firm Writes First SMS Worm

SMS worm - Made in China

A group of Chinese companies has managed to develop the first SMS worm. It’s a pretty cool concept, abusing the Symbian Express Signing procedure.

An excerpt from the article:

Three Chinese companies — XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin — created the ‘Sexy Space’ worms or Yxe Worm (Worm:SymbOS/Yxe.D) and submitted to Symbian OS-based phones through the express signing procedure, said F-Secure Security Labs recently.

“The worm is the first text message worm in history,” said Chia Wing Fei, security response senior manager at F-Secure. “Our labs have received few confirmed reports from China and Middle East at the moment.”

The first stage of Symbian’s signing process is done automatically using an antivirus engine, said Chia, adding that once an application has been submitted and scanned, random samples are then submitted for human audit.

However, most applications are not inspected by humans through the express signing procedure, he noted.

An attacker can therefore put a web link pointing to the worm’s web site into a text message and invite the user to download the worm by clicking the link, Chia said. Once activated, the worm will install itself on the device, and send similar text messages to all phonebook contacts listed, he added.

“These messages are sent in your name and from your phone. It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you 500 times 5 cents,” Chia noted.

What will happen next? Antivirus for mobile will be common in the next couple of years. Hang on, it already exists (e.g. Kaspersky Mobile Security).

Friday, August 7, 2009

One third of surfers admit they use the same password for all websites

Gmail accounts hacked via unpatched hole

The disclosure of a back door allowing bad guys to repeatedly guess Gmail passwords should remind us all to protect our accounts with long and strong character strings. There's a straightforward way to protect your online accounts: use signin phrases that are easy for you to remember but hard for others to guess.

The latest vulnerability affecting Gmail accounts was recently revealed by security researcher Vicente Aguilera Díaz in a posting on the Full Disclosure security list.

According to Aguilera's new security alert, Google allows anyone with a Gmail account to guess another Gmail user's password 100 times every two hours, or 1,200 times per day. No "captcha" keeps hacker bots from guessing passwords in this way. Worst of all: If a hacker controls, say, 100 Gmail accounts, 120,000 guesses can be made per day.

Because Gmail accounts are free, many hackers control far more than 100 accounts, of course.

To its credit, Gmail requires fairly long passwords of 8 characters or more. However, as Aguilera points out, Gmail allows users to create extremely weak passwords such as aaaaaaaa.

A quick survey of my friends and relatives revealed that not one of them uses strong passwords. Most people have no idea how to create them. Yet everyone I asked expressed guilt at using easy-to-crack passwords: pet names, birthdays, and common dictionary words.

Most people's passwords could be guessed in far fewer than 10,000 attempts. And, despite using weak passwords, the people I interviewed say they rarely change their signin strings. (One-third of the people surveyed use the same password for every Web site they sign in to, and the infamous Conficker worm needed to try only 200 common passwords to break into many systems, according to an analysis by the Sophos security firm.)

Many respondents to my informal survey admitted to keeping an unencrypted file on their systems that lists every password they use! You may not think the password to your webmail account is valuable. But anyone with access to your account can use it to send spam and ruin your online reputation. More seriously, you may have entered the same password at an online banking site, such as PayPal, or a site where your credit-card number is stored for easy ordering, such as Amazon.
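An added example, not Google's code or Aguilera's: the limit described in the alert counts guesses per guessing account, so it scales with the number of accounts an attacker holds, while a limit counted per targeted account does not. The 100-guesses-per-two-hours figures come from the post; the class and function names are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 2 * 60 * 60   # two hours, the window quoted in the post
LIMIT = 100            # guesses allowed per window, as quoted in the post
DAY = 24 * 60 * 60


class SlidingLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        # Drop events that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def per_guesser(guesser, victim):
    """Weak keying: each guessing account gets its own budget."""
    return guesser


def per_victim(guesser, victim):
    """Hardened keying: one budget per targeted account, whoever guesses."""
    return victim


def guesses_accepted(key_of, guessers=100, guesses_each=1200):
    """Count guesses against one victim that get through in one day.

    Every guesser spreads `guesses_each` attempts evenly over 24 hours.
    """
    limiter = SlidingLimiter()
    step = DAY / guesses_each
    accepted = 0
    for i in range(guesses_each):
        now = i * step
        for g in range(guessers):
            if limiter.allow(key_of(f"guesser{g}", "victim"), now):
                accepted += 1
    return accepted


if __name__ == "__main__":
    print("keyed per guesser:", guesses_accepted(per_guesser))
    print("keyed per victim: ", guesses_accepted(per_victim))
```

Counting per targeted account also lets a guesser exhaust the real owner's budget, so presenting a challenge such as a CAPTCHA once the threshold is reached is a gentler response than refusing the sign-in outright.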

Wednesday, August 5, 2009

Contactless terminals for credit cards

Update on credit cards at 7-Eleven

The contactless terminals will be introduced later this year by ANZ Bank and 7-Eleven based on technology developed by Visa.

The new cards communicate with readers via radio waves and don't have to be swiped through a terminal like mag stripe cards.

The retailer's 388 stores in NSW, Queensland and Victoria will have the terminals, which will allow customers from any bank to make purchases using either a Visa or Mastercard equipped with contactless capabilities.

The rollout coincides with a multi-million-dollar SAP software upgrade aimed at strengthening 7-Eleven's data analytics capability and improving transparency to franchisees.

The retailer's lease on its payment terminals had expired and it decided to use the lease renewal to upgrade its units, ANZ innovation group general manager Peter Dalton said.

Refer here to read full details.

Multiple Adobe security holes closed

A regular patching cycle isn’t enough for Adobe, as multiple flaws need closing in some of its popular software products.

Adobe has released an out-of-cycle patch for its Flash Player, AIR, Reader and Acrobat software, closing more than 10 vulnerabilities that potentially left users open to attack.

It closes a recent vulnerability in Flash that was highlighted by Symantec and actively exploited in the wild. It also fixes 11 other flaws, including three that fixed problems in vulnerable Microsoft code (its Active Template Library (ATL)).

All of the fixed vulnerabilities were critical, with most having the potential to allow an attacker to take over a user’s system. Details of how to update the Adobe software can be found in its security bulletin here. Adobe is planning its next regular quarterly security update for Adobe Reader and Acrobat on 13 October.

Adobe has had a very difficult time this year, with its popular Reader and Acrobat products suffering so many problems that a Microsoft ‘Patch Tuesday’ style security update cycle has become necessary.

Cyber criminals see PDF-reading software as a good opportunity to compromise computer systems as well as to install malware.