January « 2011 « The FORWARD project blog

Archive for January, 2011

Security Flaw Makes VPNs Useless for BitTorrent

Wednesday, January 19th, 2011

VPN (virtual private network) services have become very common because more and more users want privacy. Many providers, such as the Pirate Bay’s Ipredator, offer anonymous VPN services that promise to hide who is downloading from BitTorrent. But does this actually work?

It turns out that there is a serious flaw in many of these services that allows individual users to be identified. The flaw comes from the combination of IPv6 with PPTP-based VPN services, which are widely used; moreover, IPv6 is enabled by default on most current computers (Windows Vista and Windows 7).

With this flaw, the IP address, and sometimes the MAC address and the computer name, of a user behind the VPN can be found, because the connection itself broadcasts information that identifies the user: an IPv6 address auto-configured with EUI-64 embeds the interface’s MAC address, and IPv6-over-IPv4 tunnel addresses embed the host’s IPv4 address. Also, if the provider does not separate its clients from each other, they may expose each other and reveal sensitive information; putting each client on its own subnet can help.
A user’s public IP can only be seen if the following preconditions hold:

1) The computer has an IPv6 stack with support for tunnelling IPv6 traffic over an IPv4 link (such as ISATAP). This is the default in Windows Vista and 7.
2) The computer has a public IP address assigned. If you are behind a router with NAT, what leaks is your private LAN address (for example 192.168.1.x), not your public one.

Ways to avoid this flaw are to disable IPv6 and fall back to IPv4 only, or to use an alternative to PPTP such as OpenVPN, which is free, open source and more robust.
Remember also that by using a VPN you give a third-party company access to all of your traffic; that can be a far larger security hole than anything else, so be careful whom you trust with your data.
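To make the leak concrete, here is an added example (written for this page; it is not code from the TorrentFreak or Wired articles, nor from any VPN provider) that decodes what a single IPv6 address gives away about the host behind it. It goes a little beyond the ISATAP case the post names: 6to4 and Teredo, the other IPv6-over-IPv4 transition mechanisms Windows ships, embed the host’s IPv4 address in the same way, and any address auto-configured with modified EUI-64 embeds the MAC. All sample addresses are constructed from documentation ranges, not captured from a real host.

```python
import ipaddress
from typing import Optional, Tuple

# RFC 1918 ranges: if the embedded IPv4 is one of these, the host sits behind NAT
# and only its LAN address leaks (the "192.168.1.x" case from the post).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an address whose interface ID was built with modified EUI-64.

    EUI-64 splits the 48-bit MAC, inserts 0xFFFE in the middle and flips the
    universal/local bit (0x02) of the first octet; every step is reversible.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def embedded_ipv4(addr: str) -> Optional[Tuple[str, str]]:
    """Return (mechanism, ipv4) for a 6to4, Teredo or ISATAP address, else None."""
    a = ipaddress.IPv6Address(addr)
    b = a.packed
    if a in ipaddress.ip_network("2002::/16"):
        # 6to4: 2002:WWXX:YYZZ::/48, the host's IPv4 W.X.Y.Z sits in bits 16-47
        return "6to4", str(ipaddress.IPv4Address(b[2:6]))
    if a in ipaddress.ip_network("2001::/32"):
        # Teredo: client IPv4 in the last 32 bits, XORed with 0xFFFFFFFF
        return "teredo", str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16])))
    if b[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        # ISATAP: interface ID ::0:5EFE:a.b.c.d (0x02 bit set when the IPv4 is global)
        return "isatap", str(ipaddress.IPv4Address(b[12:16]))
    return None


def analyse(addr: str) -> dict:
    """Summarise what one IPv6 address reveals about the host that uses it."""
    info = {"mac": eui64_to_mac(addr), "via": None, "ipv4": None, "scope": None, "port": None}
    found = embedded_ipv4(addr)
    if found:
        info["via"], info["ipv4"] = found
        v4 = ipaddress.IPv4Address(info["ipv4"])
        info["scope"] = "private (NAT: only the LAN address leaks)" if any(v4 in n for n in RFC1918) else "public"
        if info["via"] == "teredo":
            # Teredo also carries the client's NAT-mapped UDP port, XORed with 0xFFFF
            info["port"] = int.from_bytes(ipaddress.IPv6Address(addr).packed[10:12], "big") ^ 0xFFFF
    return info


# Constructed sample addresses (documentation/test ranges, not real hosts).
SAMPLES = {
    "6to4, public IPv4":        "2002:c000:204::1",
    "Teredo, public IPv4+port": "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "ISATAP behind NAT":        "fe80::5efe:c0a8:10a",
    "link-local via EUI-64":    "fe80::21a:2bff:fe3c:4d5e",
}

if __name__ == "__main__":
    for label, addr in SAMPLES.items():
        print(f"{label:26} {addr:40} -> {analyse(addr)}")
```

Run it against the addresses your own machine shows (`ipconfig` on Windows, `ip -6 addr` on Linux) while the VPN is up: if any of them decodes to your real IPv4 or MAC, that address is what a BitTorrent peer or tracker reachable over IPv6 will see, tunnel or not.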

sources
www.wired.co.uk

http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/

Malicious Kama Sutra presentation

Friday, January 14th, 2011

A supposed PowerPoint presentation file, called Real kamasutra.pps.exe, claims to demonstrate different sexual positions. The file does include a NSFW slideshow of 13 positions, but this is just a decoy.

The malicious file uses the old double-extension ruse, a mainstay of virus writing for many years. A casual glance might fool users into thinking it is a PowerPoint document (Windows hides known extensions such as .exe by default, so the file shows up simply as Real kamasutra.pps), but the file is actually an executable.

The real purpose of the distribution is to install a Trojan, dropped as AdobeUpdater.exe and identified by security firm Sophos as Bckdr-RFM. Compromised machines might be used to send spam or to spy on users, among other malicious purposes.
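The double-extension trick is easy to check for mechanically, which is what a mail gateway or download scanner would do. The following is an added example written for this page, not Sophos’s detection and not from the original post; the extension lists and the sample file names (other than the one named in the post) are constructed.

```python
# Extensions Windows runs as programs: a file whose final extension is one of
# these executes no matter what the earlier part of the name suggests.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "cpl"}
# Extensions a victim expects on a harmless document, picture or media file.
DOCUMENT_EXTS = {"pps", "ppt", "pptx", "doc", "docx", "xls", "xlsx", "pdf",
                 "txt", "jpg", "jpeg", "png", "gif", "avi", "mp3"}


def explorer_display_name(filename: str) -> str:
    """What Explorer shows with "Hide extensions for known file types" on (the default):
    the final, registered extension is dropped, so 'Real kamasutra.pps.exe' reads
    'Real kamasutra.pps'.  (Simplified: real Explorer hides any registered type.)"""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return base
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the name ends in an executable extension but is dressed up as a
    document: 'name.pps.exe', and also the padded variant 'name.pdf      .exe'
    that pushes the real extension out of view in a narrow file listing."""
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


# Constructed attachment names for a gateway-style sweep; only the first one is from the post.
SAMPLE_ATTACHMENTS = ["Real kamasutra.pps.exe", "quarterly.pps", "setup.exe",
                      "invoice.pdf      .exe"]


def flag_attachments(names):
    """Return the names that should be quarantined or at least shown with their full extension."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r:30} shown as {explorer_display_name(name)!r:25} "
              f"disguised={is_disguised_executable(name)}")
```

Note that a plain `setup.exe` is not flagged: the check targets the disguise, not executables as such, and the decision to block all executables is a separate policy.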

How to protect from IP Spoofing?

Friday, January 14th, 2011

How IP Spoofing Works
Without getting too technical, the attack works something like this. An Internet user types an address into the address bar of his or her browser. Let’s say, for example, that the user wants to go to a bank’s website to check a checking-account balance.

The cracker, who has hijacked the address the bank’s name resolves to, redirects the user to another site. That site may contain distasteful content such as nude pictures, but more often the spoofed site is a replica of the bank’s website. The user, not aware that he or she never arrived at the intended site, innocently types in a user name and password, which the cracker collects for identity theft. (Strictly speaking, IP spoofing means forging the source address of packets; what is described here, pointing a name at an attacker’s server, is usually called DNS spoofing or pharming, and the advice below is about spotting that kind of fake site.)

Protecting Yourself from IP Spoofing
This kind of redirection is difficult to detect, but there are a few things you can do to protect yourself. First, many web browsers play a quick “click” whenever you navigate to a website or are redirected to another one. If your browser clicks many times in a row, a cracker may be bouncing you from site to site to cover his or her tracks. If you suspect you have been redirected, close your browser immediately and contact the owner of the site. A more reliable check is the address bar itself: make sure the domain is really the bank’s and that the connection is HTTPS with a certificate issued for that domain, since a replica site on a hijacked address cannot present a valid certificate for the bank’s name.

Second, look for clues on the website that give telltale signs that the site you are viewing is not the real one. Look for misspellings, drawn-out or nonsensical sentences, and any feature of the site that looks unprofessional. This is especially true of banks and other financial-services websites. Many times the cracker lives in a foreign country and does not have a good grasp of the English language. It is unlikely that a bank, for example, would present an unprofessional appearance, so this is a red flag for a possible spoofed site and identity-theft attempt.

iPhone Safer from Hackers than Android

Friday, January 14th, 2011

Android-based smartphones are more vulnerable to attacks by hackers and electronic viruses than the iPhone, according to the chairman of the world’s largest provider of security software for corporate servers. The remarks were made less than a week after the company, Trend Micro, released its Mobile Security software for Android devices.

“Android is open source, which means the hacker can also understand the underlying architecture and source code”, Chairman Steve Chang told Bloomberg Businessweek.

“We have to give credit to Apple, because they are very careful about it,” he added. “It’s impossible for certain types of viruses” to operate on the iPhone.

Google didn’t exactly refute Chang’s claim in its response to Bloomberg. “On all computing devices, users necessarily entrust at least some of their information to the developer of the application they’re using,” it said in an email. “Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer.”

In the iPhone universe, the amount of trust a user must cede to a developer is less than in the Android realm because Apple reviews all apps before it allows them to be sold through its App Store. Although that kind of quality review doesn’t exist in the Android world yet, some vetting of apps will occur when Amazon launches its Android apps store later this year.

As smartphone usage grows in corporations, they’ll become more tempting targets for hackers. “Smartphones are the next PC, and once they’re adopted by enterprises, data loss will be a very key problem,” Chang said.

Trend Micro’s Mobile Security app for Android, which it is selling for $3.99, will block viruses and other malware, as well as unwanted calls, on smartphones running the operating system. It also installs parental controls on the phone’s web browser. According to the company, the app is the only mobile tool that uses cloud-based security intelligence to protect Android devices from the latest cyber threats.

source: PCWorld

Tips for Correct Passwords

Friday, January 14th, 2011

Choosing Passwords
These days, we have passwords for just about everything. You need a PIN to use your debit card or access an ATM. You need a password to log on to your bank, Amazon and other shopping sites, your favorite discussion forum, and many other websites. Remembering all of those passwords can be a major hassle! Unfortunately, this often leads to using the same password at multiple sites, which means that if someone guesses your password they can access a lot of your information. Even worse, it’s often a very weak password; believe it or not, many people actually use the word ‘password’ as their password!

Let’s look at some tips for choosing good computer security codes and passwords to keep your private information secure.

Choosing Good Computer Security Codes and Passwords

A good password is one that isn’t a common word or anything else someone could guess, but that is somehow meaningful to you. It doesn’t do you much good to keep everyone else out of the system if you can’t get in, either! For something like a home wireless router where it’s rare that you need to type in the password, you can get away with using a random string and writing it down, but you certainly wouldn’t want to leave your bank passwords lying around! While some people can remember random strings, most of us will probably forget them. Accordingly, the trick is to come up with a string that is meaningful to you but gibberish to anyone else.

In one Asimov story, a character had a 14-character password chosen by taking the first letter of each line of a poem; while his enemy was able to figure out the password (from knowing the approximate length and the character’s background and love of poetry), the idea still holds: choose a string of characters that refers to something meaningful. For example, suppose your wife’s name is Mary, you met her when you were 27, you went to Paris for your honeymoon, and your daughter was born when you were 32, something that you found very exciting. The string M27PF32! is thus total gibberish to anyone not familiar with your line of reasoning, but should be easy enough for you to remember. Two cautions follow from the Asimov story itself: facts that people who know you can look up (names, years, places) narrow the search for someone targeting you specifically, and eight characters is a floor rather than a ceiling, so a longer string built the same way is better.
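The two tips above (derive something memorable, avoid anything guessable) can be turned into a checker. The following is an added example written for this page, not code from the original post; the common-password list is a constructed stand-in for the large breach lists a real check would use, and the 40-bit threshold is an assumption chosen for illustration.

```python
import math
import re

# Constructed stand-in for a real common-password list (real checks use millions of entries).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "iloveyou", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def acrostic(lines):
    """The trick from the Asimov story: first character of each line of a poem or phrase."""
    return "".join(line.strip()[0] for line in lines if line.strip())


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to search, from the classes actually used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound: bits of a uniformly random string over the password's classes.
    A real password built from personal facts is weaker than this figure suggests."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def is_keyboard_walk(pw: str) -> bool:
    p = pw.lower()
    return len(p) >= 4 and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw: str, username: str = "", min_bits: int = 40):
    """Return the list of problems found; an empty list means the password passed every check."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains user name")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    bits = entropy_bits(pw)
    if bits < min_bits:
        problems.append(f"estimated strength {bits:.0f} bits < {min_bits}")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "12345678", "M27PF32!", acrostic(["Shall I compare thee",
                                                                     "Thou art more lovely",
                                                                     "Rough winds do shake"])):
        print(f"{candidate!r:14} {entropy_bits(candidate):5.1f} bits  {check_password(candidate)}")
```

`M27PF32!` passes every check here (about 49 bits across upper case, digits and punctuation), while `password` fails on both the list and the strength estimate; the estimate is an upper bound, which is exactly why the personal-facts caveat above matters.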

Security Risks When Using VoIP

Friday, January 14th, 2011
Identity and service theft
VoIP services can be phreaked. Phreaking is a type of hacking that steals or uses a service from a service provider at another person’s expense. The Session Initiation Protocol (SIP), the signalling protocol that sets up VoIP calls and carries their authentication, is commonly used without encryption, which is what makes phreaking of VoIP services possible.
Eavesdropping
Hackers steal user names, passwords and phone numbers through eavesdropping to take control over voicemail, billing information and call forwarding. The hackers do not always do this to gain access to a free service, but also to get important information like business data and other sensitive information.
Vishing
It is another name for VoIP phishing, which involves someone calling you pretending to be a trustworthy organization (e.g. your bank) and requesting personal and sensitive information such as account number, credit card details, etc. The criminals who might phone you already have some information about you, which creates a false sense of security and consequently you give them more sensitive information.
Call tampering
Voice calls can be tampered with by an attacker, who can simply degrade the quality of the call by injecting noise into the communication stream. The call participants can also experience long periods of silence when the attacker withholds the transfer of packets.
Viruses and malware
VoIP equipment such as soft phones is vulnerable to malware just like any other internet application. The soft phone application runs on a user system (i.e. PC and PDA) and is easily exposed to malicious code attacks.
DoS (Denial of Service)
VoIP can suffer from DoS (Denial of Service) attacks. These are often achieved by overloading the network or the device, or by consuming all available bandwidth. VoIP calls can also be dropped prematurely by flooding the target with unnecessary SIP call-signalling messages, which halts call processing.
SPIT (Spamming over Internet Telephony)
Spamming over VoIP has not become very common yet, but it is beginning to. Like the emails we often receive with online promotions and sales pitches, these messages are now also going to VoIP voicemails. Since every VoIP account has an associated IP address, it is easy for spammers to send their voice messages to numerous random addresses, clogging voicemail boxes. Spam messages sent to VoIP accounts can also carry malware and spyware with them.
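The SIP-flooding form of DoS described above is the one a PBX operator can spot from signalling logs alone. The following is an added example written for this page, not from the original post or from any PBX product: a sliding-window rate check over a constructed log of SIP requests (the log format, addresses and thresholds are assumptions for illustration).

```python
from collections import defaultdict, deque


def build_sample_log():
    """Constructed SIP signalling log, one request per line: '<seconds> <src-ip> <METHOD> <uri>'.
    Not captured traffic: one normal caller plus a source hammering the PBX with INVITEs."""
    lines = ["0.00 203.0.113.5 INVITE sip:1001@pbx.example",
             "0.40 203.0.113.5 ACK sip:1001@pbx.example",
             "9.00 203.0.113.5 BYE sip:1001@pbx.example",
             "12.00 203.0.113.5 INVITE sip:1002@pbx.example"]
    # 50 INVITEs from one address spread over half a second, starting at t=5.0
    lines += [f"{5.0 + i * 0.01:.2f} 198.51.100.7 INVITE sip:{1000 + i}@pbx.example"
              for i in range(50)]
    return sorted(lines, key=lambda line: float(line.split()[0]))


def parse(line):
    t, src, method, uri = line.split(maxsplit=3)
    return float(t), src, method.upper(), uri


def detect_floods(lines, window=1.0, threshold=20):
    """Sliding-window rate check: any source sending more than `threshold` call-setup
    requests (INVITE or REGISTER) within `window` seconds is reported with its peak count.
    ACK/BYE and other methods are ignored because they do not start new call processing."""
    recent = defaultdict(deque)   # src -> timestamps of its recent setup requests
    alerts = {}
    for t, src, method, _ in (parse(line) for line in lines if line.strip()):
        if method not in ("INVITE", "REGISTER"):
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts


if __name__ == "__main__":
    for src, peak in detect_floods(build_sample_log()).items():
        print(f"flood from {src}: {peak} setup requests within one second")
```

In practice the alert feeds a firewall rule or the PBX’s own rate limiter; the threshold should sit well above the legitimate peak of your busiest trunk, and since SIP runs over UDP by default, remember that the source address in a flood may itself be spoofed.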

Mac App Store Protection Cracked

Friday, January 14th, 2011

A group of hackers, Hackulous, announced that they have developed a program called “Kickback” that can break the protection of applications hosted on the Mac App Store. In other words, by installing this software users will be able to pirate any application in the store. More specifically, users can run paid applications for free when they copy and paste in a receipt from a free application.

According to Dissent, member of Hackulous:

We don’t want to release kickback as soon as the [Mac App] Store gets released. I have a few reasons for that.

Most of the applications that go on the Mac App Store [in the first instance] will be decent, they’ll be pretty good. Apple isn’t going to put crap on the App Store as soon as it gets released. It’ll probably take months for the App Store to actually have a bunch of crappy applications and when we feel that it has a lot of crap in it, we’ll probably release Kickback.

So we’re not going to release Kickback until well after the store’s been established, well after developers have gotten their applications up. We don’t want to devalue applications and frustrate developers.
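The weakness the quote hints at is an application that only checks whether a receipt is genuine, not whether it is its own receipt. The following is an added example written for this page (not Hackulous’s code, not Apple’s, and not the real receipt format): a deliberately simplified model in which a receipt is a signed (bundle identifier, version) pair, with a constructed HMAC key standing in for the store’s signing certificate. It shows the naive check that a copied free-app receipt passes beside the bound check that rejects it.

```python
import hashlib
import hmac
import json

# Toy key standing in for the store's signing certificate (constructed; real
# receipts are signed by the store and verified against its public certificate).
STORE_KEY = b"constructed-store-signing-key"


def issue_receipt(bundle_id: str, version: str, store_key: bytes = STORE_KEY) -> dict:
    """What the store hands out at purchase time: a signed statement naming one app."""
    payload = json.dumps({"bundle_id": bundle_id, "version": version}, sort_keys=True).encode()
    sig = hmac.new(store_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def naive_check(receipt: dict, store_key: bytes = STORE_KEY) -> bool:
    """Vulnerable check: only asks 'is this a genuine receipt?'.  Any genuine receipt,
    including one copied from a free application, is accepted."""
    expected = hmac.new(store_key, receipt["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])


def bound_check(receipt: dict, my_bundle_id: str, my_version: str,
                store_key: bytes = STORE_KEY) -> bool:
    """Hardened check: genuine AND issued for this application and version."""
    if not naive_check(receipt, store_key):
        return False
    data = json.loads(receipt["payload"])
    return data["bundle_id"] == my_bundle_id and data["version"] == my_version


def demo():
    """Replays the copy-and-paste trick against both checks; returns the two verdicts."""
    free_receipt = issue_receipt("com.example.freeapp", "1.0")   # constructed identifiers
    paid_app = ("com.example.paidapp", "2.1")
    return {
        "naive accepts copied receipt": naive_check(free_receipt),
        "bound accepts copied receipt": bound_check(free_receipt, *paid_app),
        "bound accepts own receipt": bound_check(issue_receipt(*paid_app), *paid_app),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Binding the receipt to the application is necessary but not sufficient: the check itself runs inside the binary the attacker controls, so a patched copy can simply skip it. That is the limit of any client-side licence check, and why the group expects Kickback to work on any application in the store.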

US orders Twitter to hand over account data on Wikileaks and multiple Wikileaks

Friday, January 14th, 2011

The US has ordered Twitter to hand over information about accounts registered to or associated with Wikileaks, rop_g, ioerror, birgittaj, Julian Assange, Bradley Manning, Rop Gonggrijp and Birgitta Jonsdottir, for the period from November 1, 2009 to the present (December 2010).

All of the Twitter accounts mentioned are assumed to be connected with Wikileaks. That means that anyone connected with them is in turn assumed to be related to, or a supporter of, Wikileaks.

If you are a follower of any of those accounts (it is not clear whether mentions and retweets are also included), the order covers your personal information as well, and Twitter is required to hand it to the US government.

You can find the subpoena here

source

Which is the fastest computer ?

Friday, January 14th, 2011

Since 1993, the fastest supercomputers have been ranked on the TOP500 list according to their LINPACK benchmark results. But how unbiased and definitive is this list?

At the moment the top supercomputer on the list is China’s Tianhe-1A, which displaced the US Cray XT5 Jaguar system as the world’s fastest supercomputer. It cost over $88 million, its peak performance reaches 1.206 petaflops, and it runs at 563.1 teraflops on the Linpack benchmark. The key to becoming the number one supercomputer was the use of GPUs (7,168 Nvidia Tesla M2050s) in combination with 14,336 Intel Xeon CPUs.

But the Linpack benchmark is often criticized for not necessarily predicting the usefulness of a system in solving real-world problems; it does not measure about 80% of the workloads usually run on supercomputers. The Linpack benchmark has been ported to Android phones, and a tweaked Motorola hit 52 Mflop/s, which led to the joke that 100,000 people around the world would have had the world’s fastest Linpack number, showing how little Linpack says on its own. It is also said that the Linpack method gives inflated results when GPUs are used, and many contest Tianhe’s lead on those grounds.

So we cannot say which is truly the fastest computer in the world until a new set of benchmarks is developed.

sources :

http://www.top500.org/list/2010/11/100

http://it.slashdot.org/index2.pl?fhfilter=supercomputer

http://www.pcworld.idg.com.au/article/368598/supercomputing_top500_brews_discontent/

http://www.ibtimes.com/articles/76731/20101028/tianhe-1a-tianhe-supercomputer-fastest-supercomputer-china-us-nvidia-amd-gpum-cpu-chip-semiconductor.htm#

http://www.computerworld.com/s/article/9196981/Nvidia_chief_scientist_CPUs_slowed_by_legacy_design

“Anonymous” activities

Friday, January 14th, 2011

Anonymous is a group of individuals, mainly from the on-line community, who share common ideas and act towards self-agreed goals under the name “Anonymous”. Their strength lies in their numbers and in true anonymity. Anonymous use public communication channels for their conversations and for planning their activities: wikis, IRC, Facebook, forums, etc.

A list of activities done by Anonymous

Hal Turner raid
Took down Turner’s website.

Project Chanology
Criticized the Church of Scientology for Internet censorship and planned a series of DDoS attacks on the Church’s websites, as well as street protests wearing masks.

Epilepsy Foundation forum invasion
Anonymous was blamed for an attack on the Epilepsy Foundation of America forum/website, using JavaScript code and flashing animations to provoke seizures in victims.

Defacement of SOHH and AllHipHop websites
Starting with flooding of the forums, then DDoS attacks against the websites, and finally defacing the sites by adding satirical images and headlines; employee information was also stolen using cross-site scripting.

Operation Titstorm
A protest against the Australian Government using DDoS attacks on federal websites.

WikiLeaks
After the worldwide fight by governments against Wikileaks, Anonymous decided to express their support for Wikileaks with several operations/protests.

Operation Payback
When this operation started, the main targets were websites that did not respond to software takedown notices: the websites of law firms, copyright organisations etc. were DDoSed, until the targets moved to companies that oppose Wikileaks. Some of the targets were Amazon, PayPal, MasterCard, Visa and the Swiss bank PostFinance.

Zimbabwe
Government website taken down over censorship of Wikileaks documents.

Operation Tunisia
Eight Tunisian government websites taken down over censorship of Wikileaks.

sources:

http://www.slashdot.org/

http://www.wired.com

http://www.wikipedia.com