What is considered "reasonable security?"
When it comes to protecting your organization and your customers from a data breach, what is considered "reasonable security?"
This question is at the center of several ongoing lawsuits, and how the courts answer it may be one of the biggest stories of 2010.
Shedding light on this hot topic is David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association's Information Security Committee. In an exclusive interview, Navetta discusses:
Current regulatory trends, including the HITECH Act;
Legal issues surrounding "reasonable security;"
How to use existing standards to establish "reasonable security."
It's worth reading interview, please refer here to read further details.
Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts
Thursday, April 1, 2010
Thursday, February 18, 2010
Illegal download of movies and music - You can be tracked
Three Arrested As Police Swoop on Rapidshare Link Forum
An Internet forum which provided links to movies and TV shows hosted on sites such as Rapidshare has been raided by police. Following an anti-piracy group investigation, three alleged operators of the 30,000 member site were arrested, two of which were teenagers. Searches were carried out on members in three other locations.
With 30,000 members Filmowisko was a prominent file-sharing forum. The site didn’t host any illicit material, but like many of its type, linked to movies, TV shows, music and other warez stored on hosting sites such as Rapidshare.
“Forum administrators are not responsible for content written by users. The files placed here by users are only for promotional purposes. After 24 hours you must delete all files downloaded from this forum,” said the disclaimer on the front page of the site before it disappeared.
Polish police and the Foundation for the Protection of Audiovisual Creativity (FOTA) anti-piracy group clearly didn’t think the disclaimer counted for much, and on February 12th conducted raids against the site’s operators.
Refer here to read more details.
An Internet forum which provided links to movies and TV shows hosted on sites such as Rapidshare has been raided by police. Following an anti-piracy group investigation, three alleged operators of the 30,000 member site were arrested, two of which were teenagers. Searches were carried out on members in three other locations.
With 30,000 members Filmowisko was a prominent file-sharing forum. The site didn’t host any illicit material, but like many of its type, linked to movies, TV shows, music and other warez stored on hosting sites such as Rapidshare.
“Forum administrators are not responsible for content written by users. The files placed here by users are only for promotional purposes. After 24 hours you must delete all files downloaded from this forum,” said the disclaimer on the front page of the site before it disappeared.
Polish police and the Foundation for the Protection of Audiovisual Creativity (FOTA) anti-piracy group clearly didn’t think the disclaimer counted for much, and on February 12th conducted raids against the site’s operators.
Refer here to read more details.
Wednesday, August 5, 2009
Multiple Adobe security holes closed
A regular patching cycle isn’t enough for Adobe, as multiple flaws need closing in some of its popular software products.
Adobe has released an out-of-cycle patch for its Flash Player, AIR, Reader and Acrobat software, closing more than 10 vulnerabilities that potentially left users open to attack.
It closes a recent vulnerability in Flash that was highlighted by Symantec and actively exploited in the wild. It also fixes 11 other flaws, including three that fixed problems in vulnerable Microsoft code (its Active Template Library (ATL)).
All of the fixed vulnerabilities were critical, with most having the potential to allow an attacker to take over a user’s system. Details of how to update the Adobe software can be found in its security bulletin here. Adobe is planning its next regular quarterly security update for Adobe Reader and Acrobat on 13 October.
Adobe has had a very difficult time this year, with its popular Reader and Acrobat products suffering so many problems that a Microsoft ‘Patch Tuesday’ style security update cycle has become necessary.
Cyber criminals see PDF-reading software as a good oppportunity to compromise computer systems as well as to install malware.
Adobe has released an out-of-cycle patch for its Flash Player, AIR, Reader and Acrobat software, closing more than 10 vulnerabilities that potentially left users open to attack.
It closes a recent vulnerability in Flash that was highlighted by Symantec and actively exploited in the wild. It also fixes 11 other flaws, including three that fixed problems in vulnerable Microsoft code (its Active Template Library (ATL)).
All of the fixed vulnerabilities were critical, with most having the potential to allow an attacker to take over a user’s system. Details of how to update the Adobe software can be found in its security bulletin here. Adobe is planning its next regular quarterly security update for Adobe Reader and Acrobat on 13 October.
Adobe has had a very difficult time this year, with its popular Reader and Acrobat products suffering so many problems that a Microsoft ‘Patch Tuesday’ style security update cycle has become necessary.
Cyber criminals see PDF-reading software as a good oppportunity to compromise computer systems as well as to install malware.
Wednesday, June 3, 2009
Criminals are looking for ways to turn browser vulnerabilities into money.
Security vs. UsabilityUsability and security have been long been at odds with each other in software design. The web browser is no exception to that rule. When browsing the Web or downloading files the user constantly needs to make choices about whether to trust a site or the content accessed from that site. Browser approaches to this have evolved over time - for example, browsers used to give a slight warnings if you accessed a site with an invalid HTTPS certificate; now most browsers block sites with invalid certificates and make the user figure out how to unblock them.
Similar approaches are taken with file downloads. Internet Explorer tends to ask the user several times before opening a downloaded file, especially if the file is not signed. Prompting the user for actions that are legitimate most of the time often creates user fatigue, which makes the user careless in walking the tightrope between software with a "reasonable but not excessive" security posture and a package that is either too open for safety or too closed to be useful. Most browsers today have evolved from the "make the user make the choice" model to the "block and require explicit override action" model.
In some cases the security of the browser has had a major impact on Web site design and usability. Browsers present a clear target for identity theft malware, since a lot of personal information flows through the browser at one time or another. This type of malware uses various techniques to steal users' credentials. One of these techniques is form grabbing - basically hooking the browser's internal code for sending form data to capture login information before it is encrypted by the SSL layer.
Another technique is to log keyboard strokes to steal credentials when the user is typing information into a browser. These techniques have spawned various attempts by Web site designers to provide more advanced authentication with a hardware token and use of various click-based keyboards to avoid key loggers.Another usability feature of the Web browser that has been attacked by malware is the auto-complete functionality. Auto-complete saves the form information in a safe location and presents the user with options for what he typed before into a similar form. Several families of malware,such as the Goldun/Trojan Hearse, used this technique very effectively. The malware cracked the encrypted auto complete data from the browser and send it back to the central server location without even having to wait for the user to log in to the site.
Giving all the vulnerabilities out there and the willingness of attackers to exploit them, you might think that users would be clamoring for more security from their browsers. And some of them do as long as it doesn't prevent any of their desired features from working.
There are a number of documents available that list steps one can take to lock down a Web browser. For example, one of those steps often is something like "Disable JavaScript." But few people actually ever do that - at least not permanently, because using a browser with JavaScript turned off is annoying, and in many cases prevents you from visiting sites you have legitimate reasons to visit.
"Attack and defense strategies are evolving, as the use and threat models. As always, anybody can break into anything if they have sufficient skills, motivation and opportunity. The job of browser developers, network administrators, and browser users is to modulate those three quantities to minimize the number of successful attacks."
Thursday, May 21, 2009
ICANN: apply public health response model to e-security
The idea is to attack the swamps, not the fever," - Paul Twomey
I attended AusCert Conference 2009 in Gold Coast, I got the chance to listen to the speech by Paul Twomey - President/CEO of ICANN, here are the interesting parts from his speach. He advised that the greatest threats to the Internet are not cyber threats, but the threat of inappropriate public policy.
"National security is driven by nation states," he said. "National security or economic policy is going to be the key discussion of our age. We can't risk the Internet by placing onto it more government control," Twomey said. "We need to think about the Internet's fundamental principles of collaboration, co-ordination and communication when dealing with cyber threats."
The proper response to cyber threats is not a national security approach but a public health approach, he said. "Governments have been waging war and espionage for the last 5000 years. There's no reason to think that they won't continue in the Internet age," he said.
The public health approach means accepting that there will be pandemics at some point. "The question is, how do you respond to that?" Twomey asked. "There are mechanisms of collaboration and co-ordination internationally which can do the job." The key for the public, he said, is to maintain a clean commons."The idea is to attack the swamps, not the fever," he said.
I attended AusCert Conference 2009 in Gold Coast, I got the chance to listen to the speech by Paul Twomey - President/CEO of ICANN, here are the interesting parts from his speach. He advised that the greatest threats to the Internet are not cyber threats, but the threat of inappropriate public policy.
"National security is driven by nation states," he said. "National security or economic policy is going to be the key discussion of our age. We can't risk the Internet by placing onto it more government control," Twomey said. "We need to think about the Internet's fundamental principles of collaboration, co-ordination and communication when dealing with cyber threats."
The proper response to cyber threats is not a national security approach but a public health approach, he said. "Governments have been waging war and espionage for the last 5000 years. There's no reason to think that they won't continue in the Internet age," he said.
The public health approach means accepting that there will be pandemics at some point. "The question is, how do you respond to that?" Twomey asked. "There are mechanisms of collaboration and co-ordination internationally which can do the job." The key for the public, he said, is to maintain a clean commons."The idea is to attack the swamps, not the fever," he said.
Saturday, April 18, 2009
Eyeball Spy Turns the Tables on Big Brother
The gaze-tracking system may well be regarded as intrusive by CCTV control-room staff
The performance of closed-circuit television (CCTV) operators could be improved by analyzing their gaze, according to researchers in Turkey. Ulas Vural and Yusuf Akgul of the Gebze Institute of Technology have developed a gaze-tracking camera system to watch the eyeballs of CCTV operators as they work.
The gaze-tracking system would train a Webcam-style camera on the irises of people who watch CCTV images in the control room. CCTV operators could miss criminal or antisocial activity because they have so many screens to monitor simultaneously. After the system uses an algorithm to analyze where CCTV operators are looking, it uses software to create a video of sequences missed during the shift.
"This increases the reliability of the surveillance system by giving a second chance to the operator," the researchers write in the journal Pattern Recognition Letters. The gaze-tracking camera system runs on a standard PC and processes the images in real time, making summary frames ready to browse, similar to a fast-motion flip book.
Source: Click here to read the original news.
The performance of closed-circuit television (CCTV) operators could be improved by analyzing their gaze, according to researchers in Turkey. Ulas Vural and Yusuf Akgul of the Gebze Institute of Technology have developed a gaze-tracking camera system to watch the eyeballs of CCTV operators as they work.
The gaze-tracking system would train a Webcam-style camera on the irises of people who watch CCTV images in the control room. CCTV operators could miss criminal or antisocial activity because they have so many screens to monitor simultaneously. After the system uses an algorithm to analyze where CCTV operators are looking, it uses software to create a video of sequences missed during the shift.
"This increases the reliability of the surveillance system by giving a second chance to the operator," the researchers write in the journal Pattern Recognition Letters. The gaze-tracking camera system runs on a standard PC and processes the images in real time, making summary frames ready to browse, similar to a fast-motion flip book.
Source: Click here to read the original news.
Monday, March 23, 2009
Microsoft Security Assessment Tool: Can It Make Your Organization More Secure?
MS security assessment tool is a 'game changer'
Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development.
As its name suggests, !exploitable Crash Analyzer (pronounced "bang exploitable crash analyzer") combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a "game changer" because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.
"Microsoft has taken years of difficulties with security vulnerabilities and really condensed that experience down to a repeatable tool that takes a look at a crash and says 'You better take a look at this,'" Kaminsky told The Reg. "What makes !exploitable so fascinating is that it takes at least the first level of this knowledge and packages it up into something that can be in the workflow."
Over the past five years, Microsoft has made a fair amount of progress hardening its operating systems and applications against the most-common security threats. Protections such as Address Space Layout Randomization and cross-site scripting defenses have been added to later versions of Windows and Internet Explorer, respectively. And the company has generally managed to exorcise its programs of dangerous vulnerabilities before they can be exploited by attackers.
Please refer here to read full article. Alternatively, you can click here to read more details about MSAT on Microsoft's technet website.
Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development.
As its name suggests, !exploitable Crash Analyzer (pronounced "bang exploitable crash analyzer") combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a "game changer" because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.
"Microsoft has taken years of difficulties with security vulnerabilities and really condensed that experience down to a repeatable tool that takes a look at a crash and says 'You better take a look at this,'" Kaminsky told The Reg. "What makes !exploitable so fascinating is that it takes at least the first level of this knowledge and packages it up into something that can be in the workflow."
Over the past five years, Microsoft has made a fair amount of progress hardening its operating systems and applications against the most-common security threats. Protections such as Address Space Layout Randomization and cross-site scripting defenses have been added to later versions of Windows and Internet Explorer, respectively. And the company has generally managed to exorcise its programs of dangerous vulnerabilities before they can be exploited by attackers.
Please refer here to read full article. Alternatively, you can click here to read more details about MSAT on Microsoft's technet website.
Tuesday, February 24, 2009
How to protect yourself from Bluetooth Hack
Almost all new mobile phones and laptops comes with built-in Bluetooth
You may not realize that walking around with Bluetooth enabled on your cell phone leaves you vulnerable to hackers. They can easily connect and manipulate your phone simply by using a Bluetooth connection.
Most new cell phones have Bluetooth by default these days for things like wireless headsets, in-car connectivity, syncing with a computer and many other uses. While Bluetooth has proved to be a very useful tool for cell phones, many are unaware that it opens doors to hackers.
The fact that cell phones carry a lot of private data these days, makes “Bluetooth attacks” even more scary. While simply having Bluetooth as a feature on your cell phone doesn’t make you vulnerable to attacks, walking around with the Bluetooth function enabled and “visible” does. Many people turn on Bluetooth to use a headset or sync with their computer, and then simply forget to turn it back off when they’re done. This is why Bluetooth hacking has become so prevalent and so easy to do.
When Bluetooth is enabled on your device, it’s essentially broadcasting the fact that “I’m here, and I’m able to connect” to any other Bluetooth-based devices within range. This makes using Bluetooth simple and straightforward for the consumer, but also lets hackers know which ones to target very easily.
Here’s how it’s done; a hacker can simply download some special software and install it on a laptop or netbook. He can then install a Bluetooth antenna to that computer and put everything in a backpack, briefcase, etc. Now, all he has to do is walk around public places where a lot of people are concentrated, and let the computer running in his bag do all the work while no one has any idea what’s happening.
The software on the computer will constantly scan the nearby surroundings of the hacker for active Bluetooth connections, and when it finds them, can do a variety of things without the owner having any idea what’s going on. The entire process is automated for the hacker as well, so all he has to do is walk around for as long as he can and collect as much data as possible, which he can then manipulate. Some attacks are less damaging from others, but Bluetooth allows the hacker to do many things.
Once the hacker’s software finds and connects to a vulnerable Bluetooth-enabled cell phone, it can do things like download address book information, photos, calendars, SIM card details, make long-distance phone calls using the hacked device, bug phone calls and much more. There’s a myriad of software freely available that’s made specifically to attack cell phones via Bluetooth connections, and every time an update to the technology or certain cell phones becomes available there’s bound to be new hacking software for it. Certain attacks have become so prevalent that they even have names these days;
“Bluesnarfing” is the term associated with downloading any and all information from a hacked device, and can even allow the hacker to send a “corruption code” to completely shut the phone down and make it unusable. “Bluebugging” is an even scarier hack- it involves using special software to connect to a device and silently making it call another device, usually one the hacker is using, to act as a phone bug. The hacker can then listen in on anything you and anyone around you is saying. Beyond these attacks, hackers can use software to route long-distance calls to worldwide locations to your phone using Bluetooth, which in turn sticks you with the carrier roaming charges. Likewise, a hacked phone can even remotely be used to make “micro-purchases,” or purchases that show up on subscriber’s monthly bills.
The possibilities are virtually endless, and these are just a few examples of what can be done utilizing the Bluetooth connection on cell phones. Many think that they’re safe from such attacks because Bluetooth is such a short-range communication method- a hacker would have to be within a few feet to be able to do anything. With special antennae that’s been developed solely for this application, hackers can connect to cell phones that are up to a 1000 feet and more away. The entire process is just to easy for hackers, all they need is some special software, an antenna of some sort and some basic knowledge.
Luckily, not all Bluetooth-enabled cell phones are vulnerable to all attacks. Bluesnarfing and other attacks may work while bluebugging doesn’t on one make and model of cell phone, while only bluebugging and nothing else works on another. That’s why hackers generally setup a variety of hacks, and when they’re out and about performing their attacks on un-suspecting victims, the software will automatically identify the cell phone model and attack it accordingly in any way it knows how. The bottom line is any cell phone that has built-in Bluetooth can be hacked, it’s just a matter of what type of hacks can be performed.
The best way to avoid such an attack is to simply remember to turn off your Bluetooth when you’re not using it. A lot of people will simply put Bluetooth in “hidden,” or “private” mode which they think will hide themselves from attacks, but in reality, hackers have already figured out how to find them. Disabling the function altogether is the only way to curb an attack.
You may not realize that walking around with Bluetooth enabled on your cell phone leaves you vulnerable to hackers. They can easily connect and manipulate your phone simply by using a Bluetooth connection.
Most new cell phones have Bluetooth by default these days for things like wireless headsets, in-car connectivity, syncing with a computer and many other uses. While Bluetooth has proved to be a very useful tool for cell phones, many are unaware that it opens doors to hackers.
The fact that cell phones carry a lot of private data these days, makes “Bluetooth attacks” even more scary. While simply having Bluetooth as a feature on your cell phone doesn’t make you vulnerable to attacks, walking around with the Bluetooth function enabled and “visible” does. Many people turn on Bluetooth to use a headset or sync with their computer, and then simply forget to turn it back off when they’re done. This is why Bluetooth hacking has become so prevalent and so easy to do.
When Bluetooth is enabled on your device, it’s essentially broadcasting the fact that “I’m here, and I’m able to connect” to any other Bluetooth-based devices within range. This makes using Bluetooth simple and straightforward for the consumer, but also lets hackers know which ones to target very easily.
Here’s how it’s done; a hacker can simply download some special software and install it on a laptop or netbook. He can then install a Bluetooth antenna to that computer and put everything in a backpack, briefcase, etc. Now, all he has to do is walk around public places where a lot of people are concentrated, and let the computer running in his bag do all the work while no one has any idea what’s happening.
The software on the computer will constantly scan the nearby surroundings of the hacker for active Bluetooth connections, and when it finds them, can do a variety of things without the owner having any idea what’s going on. The entire process is automated for the hacker as well, so all he has to do is walk around for as long as he can and collect as much data as possible, which he can then manipulate. Some attacks are less damaging from others, but Bluetooth allows the hacker to do many things.
Once the hacker’s software finds and connects to a vulnerable Bluetooth-enabled cell phone, it can do things like download address book information, photos, calendars, SIM card details, make long-distance phone calls using the hacked device, bug phone calls and much more. There’s a myriad of software freely available that’s made specifically to attack cell phones via Bluetooth connections, and every time an update to the technology or certain cell phones becomes available there’s bound to be new hacking software for it. Certain attacks have become so prevalent that they even have names these days;
“Bluesnarfing” is the term associated with downloading any and all information from a hacked device, and can even allow the hacker to send a “corruption code” to completely shut the phone down and make it unusable. “Bluebugging” is an even scarier hack- it involves using special software to connect to a device and silently making it call another device, usually one the hacker is using, to act as a phone bug. The hacker can then listen in on anything you and anyone around you is saying. Beyond these attacks, hackers can use software to route long-distance calls to worldwide locations to your phone using Bluetooth, which in turn sticks you with the carrier roaming charges. Likewise, a hacked phone can even remotely be used to make “micro-purchases,” or purchases that show up on subscriber’s monthly bills.
The possibilities are virtually endless, and these are just a few examples of what can be done utilizing the Bluetooth connection on cell phones. Many think that they’re safe from such attacks because Bluetooth is such a short-range communication method- a hacker would have to be within a few feet to be able to do anything. With special antennae that’s been developed solely for this application, hackers can connect to cell phones that are up to a 1000 feet and more away. The entire process is just to easy for hackers, all they need is some special software, an antenna of some sort and some basic knowledge.
Luckily, not all Bluetooth-enabled cell phones are vulnerable to all attacks. Bluesnarfing and other attacks may work while bluebugging doesn’t on one make and model of cell phone, while only bluebugging and nothing else works on another. That’s why hackers generally setup a variety of hacks, and when they’re out and about performing their attacks on un-suspecting victims, the software will automatically identify the cell phone model and attack it accordingly in any way it knows how. The bottom line is any cell phone that has built-in Bluetooth can be hacked, it’s just a matter of what type of hacks can be performed.
The best way to avoid such an attack is to simply remember to turn off your Bluetooth when you’re not using it. A lot of people will simply put Bluetooth in “hidden,” or “private” mode which they think will hide themselves from attacks, but in reality, hackers have already figured out how to find them. Disabling the function altogether is the only way to curb an attack.
Thursday, November 20, 2008
My thoughts on Biometrics / Face Recognition
What's your take on Face Recognition Technology?
Biometrics are biological authenticators, based on some physical characteristic of the human body. The list of biometric authentication technologies in still growing. Authentication with biometrics has advantages over passwords because a biometric cannot be lost, stolen, forgotten, lent, or forged and is always available, always at hand. Last and this year we saw heaps of laptops coming up with fingerprint reader as standard.
Now some of the Lenovo notebooks are coming with face recognition software, which is actually a reemergence of an old idea. Now that some systems include integrated cameras with much better quality (1.3MP), facial recognition has become much better. In practice this works very well and is extremely fast at recognition.
The included software lets you log onto your Windows account simply by sitting in front of your system. Your face is your password.
Depending on the software used, face recognition uses multiple techniques to identify a person’s face. Some of the more advanced programs use texture mapping in which a person’s skin texture is analyzed and matched. Most however, define nodal points on a person’s face and then use software to mathematically represent those points. Things measured include distance between the eyes, width of the nose, length of the jaw line, or shape of the cheekbones. Together these concatenate a numerical code which is stored in a database for later retrieval.
Biometrics can become a single of failure though. Consider a retail application in which a biometric recognition is linked to a payment scheme:
As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not.
Although equipment is improving, there are still false readings. I think biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan.
My thoughts are, forgery in biometrics is difficult and uncommon, forgery will be an issue whenever the reward for a false positive is high enough.
Biometrics are biological authenticators, based on some physical characteristic of the human body. The list of biometric authentication technologies in still growing. Authentication with biometrics has advantages over passwords because a biometric cannot be lost, stolen, forgotten, lent, or forged and is always available, always at hand. Last and this year we saw heaps of laptops coming up with fingerprint reader as standard.
Now some of the Lenovo notebooks are coming with face recognition software, which is actually a reemergence of an old idea. Now that some systems include integrated cameras with much better quality (1.3MP), facial recognition has become much better. In practice this works very well and is extremely fast at recognition.
The included software lets you log onto your Windows account simply by sitting in front of your system. Your face is your password.
Depending on the software used, face recognition uses multiple techniques to identify a person’s face. Some of the more advanced programs use texture mapping in which a person’s skin texture is analyzed and matched. Most however, define nodal points on a person’s face and then use software to mathematically represent those points. Things measured include distance between the eyes, width of the nose, length of the jaw line, or shape of the cheekbones. Together these concatenate a numerical code which is stored in a database for later retrieval.
Biometrics can become a single of failure though. Consider a retail application in which a biometric recognition is linked to a payment scheme:
As one user puts it, "If my credit card fails to register, I can always pull out a second card, but if my fingerprint is not recognized, I have only that one finger." Forgetting a password is a user's fault; failing biometric authentication is not.
Although equipment is improving, there are still false readings. I think biometrics as unique parts of an individual, forgeries are possible. The most famous example was an artificial fingerprint produced by researchers in Japan.
My thoughts are, forgery in biometrics is difficult and uncommon, forgery will be an issue whenever the reward for a false positive is high enough.
Sunday, August 17, 2008
Play DVDs on your Nintendo Wii
Wii can finally play DVDs thanks to hackers
The DVDX installer will install a small, hidden, channel on your Wii that allows you to read DVDs on an unmodified system. It is not an installer for a patched IOS. You may however need one, depending on your system.
Usage of this package is fairly simple. Run the installer.dol found in the package, follow the onscreen instructions, and you’re done.
Once you’ve done that, you can enjoy the splendor of mplayer. That what started out as a simple proof of concept has rapidly turned into a full-featured media player, under the nourishing hands of dhewg. The main aim of the mplayer project was to get DVDVideo going, but it also supports reading video files off the SD card. (Experimental).
A patch for Wii64, the N64 emulator for the Wii, will also be available shortly. This patch will allow you to read games off a DVD.
The DVDX installer will install a small, hidden, channel on your Wii that allows you to read DVDs on an unmodified system. It is not an installer for a patched IOS. You may however need one, depending on your system.
Usage of this package is fairly simple. Run the installer.dol found in the package, follow the onscreen instructions, and you’re done.
Once you’ve done that, you can enjoy the splendor of mplayer. That what started out as a simple proof of concept has rapidly turned into a full-featured media player, under the nourishing hands of dhewg. The main aim of the mplayer project was to get DVDVideo going, but it also supports reading video files off the SD card. (Experimental).
A patch for Wii64, the N64 emulator for the Wii, will also be available shortly. This patch will allow you to read games off a DVD.
Download links:
DVDX installer (end users)
libdi (developers)
mplayer
If you have a modchip, you also need patchmii, in addition to the DVDX stub installer.
patchmii_core
Thursday, August 14, 2008
Sharing Files can help hackers to hack your computer
µTorrent a leaky ship for file sharers
TorrentFreak, claimed that 19 percent of Windows desktops run either the official BitTorrent client or µTorrent application.
A massive hole in the popular peer-to-peer (P2P) client µTorrent has put the computers of millions of file sharers at risk of hijacking. The vulnerability allows hackers to execute code on remote systems, and opens the targeted system to further exploitation.
Hackers can create a stack-based buffer overflow by enticing users to open dodgy .torrent files, the format in which BitTorrent data is stored for distribution. A boundary error caused by the way µTorrent processes .torrent files occurs on execution, opening a backdoor for malicious code execution.
The hole also affects the official BitTorrent client, version 6.x.x
Both the affected BitTorrent release and µTorrent version 1.7.7 remain unpatched. µTorrent users have been advised to upgrade the current 1.8 release, which has reportedly patched the hole, while BitTorrent users should avoid opening unknown .torrent files.
Wednesday, April 16, 2008
XSS - Cross-site scripting
A Real-World Example
The term XSS gets thrown around a lot. Lot's of people don't quite know what it is though. Basically an XSS attack is a client-side vulnerability where a server does not properly sanitize data inputted to readily accessible forms.
In layman's terms, this generally means that a website will display any information given to it, regardless of its malicious content. This is important because it can be used to fool people into clicking on links to (otherwise) trustworthy sites which will, instead, cause malicious code to be loaded.
For this example, we are going to look at a government website which is vulnerable to XSS in two sites using the input from only one form. This is the website for the New York State Assembly. They have a convenient little page to help search for your representative.
Our target for today is the little box I have highlighted in yellow. Now, zip codes are normally numbers, let's see what happens if we give it deliberately false information. In this case, we tell it our "zip code" is "word"
This is the first sign that there might be an XSS vulnerability. The server is readily displaying our input.
Now, what we want to do is see if we can pass code to it. I generally test this by seeing if I can get it to display
In place of a plaintext output. To do this, we are going to take our previous link (http://assembly.state.ny.us/mem/?zip=word) and change it to our potential XSS link [instead of word we can put script alert('hi') ] please put script between <> and see what that gives us.
Here are some key things to remember about forming a sucessful XSS attack:
1. Forms can often be escaped with a ">
2. Some forms of sanitation can be escaped! Of course, this is often hard to do, it is definitely possible
3. Don't be modest. In a case like this, the form could have been pushed to the point of loading iframes with malicious code and all other kinds of fun stuff
The term XSS gets thrown around a lot. Lot's of people don't quite know what it is though. Basically an XSS attack is a client-side vulnerability where a server does not properly sanitize data inputted to readily accessible forms.
In layman's terms, this generally means that a website will display any information given to it, regardless of its malicious content. This is important because it can be used to fool people into clicking on links to (otherwise) trustworthy sites which will, instead, cause malicious code to be loaded.
For this example, we are going to look at a government website which is vulnerable to XSS in two sites using the input from only one form. This is the website for the New York State Assembly. They have a convenient little page to help search for your representative.
Our target for today is the little box I have highlighted in yellow. Now, zip codes are normally numbers, let's see what happens if we give it deliberately false information. In this case, we tell it our "zip code" is "word"
This is the first sign that there might be an XSS vulnerability. The server is readily displaying our input.
Now, what we want to do is see if we can pass code to it. I generally test this by seeing if I can get it to display
In place of a plaintext output. To do this, we are going to take our previous link (http://assembly.state.ny.us/mem/?zip=word) and change it to our potential XSS link [instead of word we can put script alert('hi') ] please put script between <> and see what that gives us.
Here are some key things to remember about forming a sucessful XSS attack:
1. Forms can often be escaped with a ">
2. Some forms of sanitation can be escaped! Of course, this is often hard to do, it is definitely possible
3. Don't be modest. In a case like this, the form could have been pushed to the point of loading iframes with malicious code and all other kinds of fun stuff
Sunday, April 6, 2008
Failures of Disk Encryption
How to break disk encryption...
"Security is not a product but a skilled continuous process which requires thought..." Jorge Sebastiao, 1999.
Even for the best technologies there is always a weak point which must be addressed, in this case Disk Encryption as its weakness. The weakness is that even in memory the keys exist in some readable format, if we can get to it, then it is game over:
"Security is not a product but a skilled continuous process which requires thought..." Jorge Sebastiao, 1999.
Even for the best technologies there is always a weak point which must be addressed, in this case Disk Encryption as its weakness. The weakness is that even in memory the keys exist in some readable format, if we can get to it, then it is game over:
Thursday, April 3, 2008
How To Do Security?
"How Do I?" Videos for Security
Here you’ll find videos that explore a variety of security questions for developers, including encryption, handling attacks, security best practices, and a lot more.
Here you’ll find videos that explore a variety of security questions for developers, including encryption, handling attacks, security best practices, and a lot more.
Tuesday, February 19, 2008
New Form Of Nigerian Scam
Watch Out For New Form Of Nigerian Scam targetting Yahoo! Email Ids..
I have yahoo email id which I really don't use much. I haven't given my id to anyone nor i have used that id at any specific websites for memberships or account registrations. Still, i get loads of spams, scams and phishing emails all the time. I received an email which is very interesting and worth mentioning...
I have yahoo email id which I really don't use much. I haven't given my id to anyone nor i have used that id at any specific websites for memberships or account registrations. Still, i get loads of spams, scams and phishing emails all the time. I received an email which is very interesting and worth mentioning...
This particular email is similar to Nigerian Scam.
Subject Line States: CONGRATULATIONS YOUR E MAIL ID HAS WON $500,000.00 US DOLLARS FROM YAHOO!!!!
Asking users to send this particular personal information at mr_brown_jude at ko.ro.
Personal Information
1. Full name
2. Country
3. Contact Address
4. Telephone Number
5. Marital Status
6. Occupation
7. Age
8. Sex
9. Religion
10.lucky e mail
11.Amount Won
Please, Be very careful and use little bit of common sense. Yahoo! is not that generous that they will give you $5000,000.00 through email.
Monday, February 18, 2008
Things To Know About Security
Worth-Watching Video
What Every Engineer Needs to Know About Security and Where to Learn It.
What Every Engineer Needs to Know About Security and Where to Learn It.
Thursday, February 14, 2008
Personal Computer Security
Data Protection - Essential Downloads To Protect Personal Data ....
I was reading Steve Riley's Blog. He has posted a well written article about supporting your family, friends and neighbours. I totally agree with him, as soon some of your neighbours comes to know that you are computer savy you will get a support call, free of charge.
Following to his post, i would like to mention other security products which you can use for yourself, friends, family and neighbours.
With "CyberFraud" ever increasing, everyone should re-assess how seriously we take data security on a personal level. Here are some essential downloads that can help.
First, ensure your PC is protected by a decent firewall.
Comodo Firewall Pro is free and consistently ends up towards the top of the three in independent testing. It's unobtrustive as far as system resource impact is concerned, uses a host intrusion-prevention system to prevent malware from installing, and it also runs on both 32- and 64-bit versions of Vista. You will get the automatic updates, rootkit and real-time traffic protection you would expect from a full enterprise-level firewall but at a price you most certainly wouldn't.
Equally as important is spyware protection.
Spybot Search & Destroy 1.5, which is finally fully compatible with both Vista and Firefox, comes to the rescue. While the interface is in need of modernisation, we can't knock the performance. It helps prevent spyware and adware getting onto your system in the first place, and if you install it on an already infected PC, it works wonders in getting it clean.
Unfortunately, the installation of computer-comprising and data-stealing torjans is the most common kind of infection you will pick up when link clicking, downloading and practising unsafe surfing.
McAfee SiteAdvisor is another free download for Firefox and IE, and it leaves other antiphishing toolbars in the shade of being both unobtrusive and informative. Perform a Google search and it uses traffic light ticks to warn of the status of a link before you visit: hover over the tick and a balloon appears with more detail; click the baloon to visit the McAfee site for the comprehensive analysis of dangers such as spam email delivery, infected downloads and dodgy affiliate links. The same traffic light principle is applied within the browser itself whenever you visit a site.
When it comes to data privacy, there are plenty of reasons why you might want to remain anonymous while browsing the web, and the truly paranoid will want to leave as minimal a click-trail as possible.
Anonymizer does as good a job as any proxy server we have seen. It hides your IP address by redirecting your web traffic through Anonymizer 128-bit SSL secure severs, so the websites you visit see its generic IP address rather than yours. An integrated antiphishing early-warning tool helps protect you from scams and the latest Anonymizer works with Vista, too.
Ultimately, if you want to protect your personal data, there is one technology you simply have to use: data encryption. Your options here are as varied as they are baffling, but when it comes to value and ease of use, few compare to the open-source hero
TrueCrypt, the latest version is 32- and 64-bit Vista friendly, as well as being able to write data to removable USB drives and MP3 players. It can encrypt your data at the indiviual file level or entire hard drive, using 448-bit keys (Blowfish), 256-bit keys (AES, Surpent, Triple DES and Twofish), as well as 128-bit keys (CAST5). It can create a virtual encrypted disk within a file, which can then me mounted as a real disk, and will happily create a fully hidden volume. It's easy to use thanks to the Windows GUI, will run on Linux, and provides a much more secure environment for your data that, say, a CD in the post.
I was reading Steve Riley's Blog. He has posted a well written article about supporting your family, friends and neighbours. I totally agree with him, as soon some of your neighbours comes to know that you are computer savy you will get a support call, free of charge.
Following to his post, i would like to mention other security products which you can use for yourself, friends, family and neighbours.
With "CyberFraud" ever increasing, everyone should re-assess how seriously we take data security on a personal level. Here are some essential downloads that can help.
First, ensure your PC is protected by a decent firewall.
Comodo Firewall Pro is free and consistently ends up towards the top of the three in independent testing. It's unobtrustive as far as system resource impact is concerned, uses a host intrusion-prevention system to prevent malware from installing, and it also runs on both 32- and 64-bit versions of Vista. You will get the automatic updates, rootkit and real-time traffic protection you would expect from a full enterprise-level firewall but at a price you most certainly wouldn't.
Equally as important is spyware protection.
Spybot Search & Destroy 1.5, which is finally fully compatible with both Vista and Firefox, comes to the rescue. While the interface is in need of modernisation, we can't knock the performance. It helps prevent spyware and adware getting onto your system in the first place, and if you install it on an already infected PC, it works wonders in getting it clean.
Unfortunately, the installation of computer-comprising and data-stealing torjans is the most common kind of infection you will pick up when link clicking, downloading and practising unsafe surfing.
McAfee SiteAdvisor is another free download for Firefox and IE, and it leaves other antiphishing toolbars in the shade of being both unobtrusive and informative. Perform a Google search and it uses traffic light ticks to warn of the status of a link before you visit: hover over the tick and a balloon appears with more detail; click the baloon to visit the McAfee site for the comprehensive analysis of dangers such as spam email delivery, infected downloads and dodgy affiliate links. The same traffic light principle is applied within the browser itself whenever you visit a site.
When it comes to data privacy, there are plenty of reasons why you might want to remain anonymous while browsing the web, and the truly paranoid will want to leave as minimal a click-trail as possible.
Anonymizer does as good a job as any proxy server we have seen. It hides your IP address by redirecting your web traffic through Anonymizer 128-bit SSL secure severs, so the websites you visit see its generic IP address rather than yours. An integrated antiphishing early-warning tool helps protect you from scams and the latest Anonymizer works with Vista, too.
Ultimately, if you want to protect your personal data, there is one technology you simply have to use: data encryption. Your options here are as varied as they are baffling, but when it comes to value and ease of use, few compare to the open-source hero
TrueCrypt, the latest version is 32- and 64-bit Vista friendly, as well as being able to write data to removable USB drives and MP3 players. It can encrypt your data at the indiviual file level or entire hard drive, using 448-bit keys (Blowfish), 256-bit keys (AES, Surpent, Triple DES and Twofish), as well as 128-bit keys (CAST5). It can create a virtual encrypted disk within a file, which can then me mounted as a real disk, and will happily create a fully hidden volume. It's easy to use thanks to the Windows GUI, will run on Linux, and provides a much more secure environment for your data that, say, a CD in the post.
Thursday, January 10, 2008
Calling All Web Hacks Of 2007
Jeremiah Grossman is trying to gather all the neat researches behind web hacks of 2007.
"The hardest part is collecting a rather complete list of references to vote on, they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be compiled and I’ll create an open survey."
Read the entire post here
I think its a great idea. It will not only help build a repository of all cool hacks of 2007 but also give people a chance to showcase their work. Letting the industry select the top 10 is an impartial way to choose the best. For those who cannot get into top 10, will still get a lot of visibility, appreciation and who knows that might motivate them for the next year.
If you know of something which is not already in the list, please feel free to add it.It would be really interesting to see who the winners are.
Good Luck to all the participants.
"The hardest part is collecting a rather complete list of references to vote on, they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be compiled and I’ll create an open survey."
Read the entire post here
I think its a great idea. It will not only help build a repository of all cool hacks of 2007 but also give people a chance to showcase their work. Letting the industry select the top 10 is an impartial way to choose the best. For those who cannot get into top 10, will still get a lot of visibility, appreciation and who knows that might motivate them for the next year.
If you know of something which is not already in the list, please feel free to add it.It would be really interesting to see who the winners are.
Good Luck to all the participants.
Monday, January 7, 2008
Boeing New 787 May Be Vulnerable to Hacker Attack
Unbelievable - Hacking Boeing Jet.
Well, it will really sound scary when i will say Boeing NEW 787 maybe hacked. Just picture this, someone sitting in the New 787 and notice on of the passenger has hacked the Dreamliner Jet.
"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies (PowerPoint). "This isn’t a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."
Please read full article on: New 787 May Be Vulnerable to Hacker Attack.
Well, it will really sound scary when i will say Boeing NEW 787 maybe hacked. Just picture this, someone sitting in the New 787 and notice on of the passenger has hacked the Dreamliner Jet.
"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies (PowerPoint). "This isn’t a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."
Please read full article on: New 787 May Be Vulnerable to Hacker Attack.
Sunday, January 6, 2008
EnGarde - Secure Linux
First Open Source Internet Operating Platform - Live CD
EnGarde is the first secure open source Internet operating platform.It also has a feature-rich Internet application.
EnGarde ’s features :
EnGarde is the first secure open source Internet operating platform.It also has a feature-rich Internet application.
EnGarde ’s features :
- robust SELinux policies with ease
- maintain secure Web sites
- Monitor networks using advanced IDS
- Protect user with web and email content filtering* Control access to Internet resources
- Install distro
- Update distro
- Run apt-get install selinux-basics selinux-policy-refpolicy-targeted1.
- Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line (by adding it to the #kopt= line and then running update-grub). If you are using lilo, you must instead make similar changes to /etc/lilo.conf and run lilo.
- Fix dependencies listed. Below are the highlights. For a complete list please visit, http://wiki.debian.org/SELinux/Setup#package-specific):
How to Install EnGarde:
- Select dhcp or enter manual ip
- Choose LiveCD or install
- Click log in
- Open a browser and go to https://x.x.x.x:1023/. Login with username admin and whatever you set for the password.
- Use the WebTool’s pulldown menus to select either a service or system you would like to use.
- Simply click on the modules to carry out your requests.
Total time to install EnGarde with SELinux is approx. 15-20 minutes (depending on your connection speed). Please note that a full install was not performed for this review. The concept was to see if EnGarde was a product that was worthwhile. Since EnGarde can run SELinux, it seemed that it would make sense to see everything else that was going on with EnGarde. To perform a full install of EnGarde for SELinux is beyond the scope of this article.
Download EnGarde Now !
Subscribe to:
Posts (Atom)