The researchers are able to emulate the card reader, change commands and to emulate cards. They recommend all firms using the RFID-cards based on the “Prime” product line to replace as fast as possible to the newer product line “Advant”.

Therefore the danger of this exploit has grown because also Script-Kiddies are able to use this exploit. The BSI recommended using another browser to not get victim of this exploit. Microsoft recommends to set the security options to “high” or to disable JavaScript on which the exploit is based.

A video explaining the attack “Aurora” can be found here.

But the biggest danger for a mobile phone is one that is not one for personal computers: You can lose your mobile phone. This is not only a danger for smartphones but also for all mobile devices containing personal information. Another danger for smartphones is leaving them unattended or loaning it to people because they can install spyware on your smartphone. Additionally to spyware there are mobile viruses, worms and Trojans threatening your smartphone. They can spread using e-mail or via SMS.

Generally speaking, web-based and e-mail attacks are as possible with smarthones as they are with personal computers. Wi-Fi and Bluetooth are two technologies which can be dangerous too. Wi-Fi can be attacked by a man-in-the-middle attack and Bluetooth is also a target for attacks. A good discussion of Bluetooth security you can find here: part1, part2. Here you can find a FAQ on how to use your smartphone securely. Another interesting article about smartphone security can be found here.

The encryption algorithm(A5/1) of the gsm network is over 20 years old and can be hacked by non-professionals with relatively easy means in a short time. Nohl said that he and his helpers had successfully hacked the gsm-encryption algorithm in a distributed attack within three month and with 40 computers. The needed codebook with the rainbow tables is already distributed via file sharing networks. With this practical tutorial for hacking the gsm network the attacks will be considerably faster in the future.

Therefore the Chaos Computer Club asks for a stronger encryption of the gsm network from the industrial association GSMA. The GSMA denies this because they say that although hacking the gsm network is theoretically possible, it is practically improbable and the application of the presented method of hacking the gsm network is in many countries illegal.

This news is based on a german article which can be found here.

It seems the attackers had been able to change the DNS entries at Twitter’s provider. On the provider’s site no evidence was found that unauthenticated users had logged into the system. Therefore it is assumed that the attackers had the proper credentials to log into Twitter’s account at the provider.

In the last year, social networking services have often been attacked in various ways because of their popularity.

The whole article can be found here.

Zbot is a password-stealing software, logs financial data and sends them to the botnet. Last year more than 100M US fraud was linked with Zeus malware variants. It was also held responsible for the “destruction” of 100.000 infected computers by deleting registry key data, making them inoperable. Zeus botnet is estimated to consist of millions of infected computers around the world.

The last Zbot executable is spreading through spam mails like a Christmas e-card mail faking users to download and run a file “xmas2.exe” (63,488 bytes) ,or through drive-by downloads . When executed the malware injects code into system processes (like svchost.exe) and begins to communicate with the C&C server, located in EC2 cloud,  for configuration . An example of the infected machine’s browser connection shown below:

The hackers did not hack the Amazon’s infrastructure directly. They exploited a web site which was hosted in the infrastructure and installed the Zeus C&C server software. This was done either by just stealing site’s administrator password or taking advantage of a vulnerability of the site’s software. Don DeBolt, director of threat research with HCL Technologies, stated that it was the first time Amazon’s EC2 was used for that type of illegal activities/actions. He also said that the server software was identified and removed from Amazon EC2.

As the Register informs, the success rate of this attack is very significant considering number and size of active botnets of the Internet. To be more specific, in the same article is mentioned what Jonathan Wilkins of iSEC Partners had said: “The method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day.”

The whole article can be found here.

On it’s initial release, Shodan search refine capabilities include country, hostname, ip-range (removed), port, service-version and header part specifications. Although the majority of the indexed results include web server data, it can be used already for other services too. Some examples:

• List of telnet enabled hosts in Greece
• List of apache servers running version 2.2.3
• List of cisco routers with web interface
  

The results of this Service can be used for malicious activities. With automated queries, exploiters could find in seconds vulnerable versions or legacy unpatched machines, botnets could find easier possibly vulnerable hosts or spammers could gather old/unpatched SMTP servers. On the other side, as a side effect, it may can help administrators to identify a possible  vulnerability/security hole in their systems.

Shodan can be compared with the capability of forming specific queries to known search engines like Google. One difference is, Google can show data indexed from web page content while Shodan is more like a portscan utility, such us nmap, caching the results.

The service raises some ethical arguments and some discussions about its legality. Although it does not serve anything more that it is not already “in plain view”, port scanning can be considered illegal as they are not “authorized” connections to the hosts.

In a comparative test, almost 200,000 sample emails were sent to 14 different anti-spam products that were required to filter out spam messages from legitimate smails (ham). The test found that no legitimate mail was blocked by more than four products.

The tests gave VB’s anti-spam team the idea of a hypothetical spam filter that marked email as spam if at least five of the 14 products evaluated marked it as dodgy. Such a hypothetical filter would achieve a capture rate of 99.89 per cent and, better still, no false positives.

“For end-users this means that if spam filtering is business-critical, the use of more than one spam filter may be a good option,” said VB’s anti-spam test director, Martijn Grooten. “The anti-spam industry, meanwhile, should consider the benefits of collaboration and information sharing – and might be better able to protect our inboxes as a result.”

The argument recalls the business case of firms such as GFI that have sold products that run two or more anti-virus engines in parallel to detect security threats against mail servers and the like. Running multiple products together makes up for the deficiencies of any single product providing, of course, the components lack similar shortcomings.

Security as a service firms, such as MessageLabs, run multiple spam and anti-virus filtering techniques to weed out junk or dangerous messages from email feeds. Grooten told El Reghe wasn’t advocating any particular approach to spam filtering so much as encouraging more information sharing among anti-spam firms, which he reckons lags behind the sample sharing and collaboration commonplace among anti-malware researchers.

“Every spam filter uses multiple techniques but their effectiveness could be further improved if vendors share information on the latest spam attacks between each other more efficiently,” Grooten explained.

The bimonthly VBSpam tests use Virus Bulletin’s live email feed as well as a spam messages provided by Project Honey Pot. Each tested product is exposed to the same email stream.

The company said on Tuesday that Azure, unveiled in October 2008, would continue as a Community Technology Preview (CTP) through to the end of this year.

Azure will be opened to paying customers on January 1, but you won’t actually be charged for using Azure until a month later, as Microsoft tries to get its provisioning and billing systems up and running.

Microsoft chief software architect Ray Ozzie told Microsoft’s Professional Developers’ Conference (PDC) in Los Angeles, California that the company will test the systems that allocate compute resources and charge customers for “accuracy and completeness.”

Also, it sounds like the full complement of data centers actually running Azure won’t be fully in place until the turn of the year.

Data centers in Europe and Asia – Dublin, Amsterdam, Hong Kong and Singapore – follow those in Chicago and San Antonio. All three zones will go live in January, Ozzie told PDC.

So is Azure late?

Chief executive officer Steve Ballmer said in February Microsoft would “have the ability to go to market” by the end of year at PDC. “[Azure] will reach fruition with the PDC this year”.

From that perspective, you could argue Microsoft has hit Ballmer’s stated goal.

However, Microsoft will still be refining the very systems that allocate computing and storage resources and that then charge people for them one month after the “official” launch and up to three months after Microsoft had the “ability” to go to market.

There is a precedent. This was kind of soft and hard launch dates Microsoft used on Windows Vista, with the staggered November “business” launch and January consumer release.

It fell to the white-haired chief software wizard to spin the Azure features developers can use now. New features that Ozzie said go live Tuesday at PDC are single sign-in for Windows Azure and SQL Azure storage.

Ozzie noted Azure also now offers multiple sized virtual machines with the ability to support any Windows code or programming model.

Windows Azure will come in four sizes of virtual machine, starting at $0.12 per service hour and with 1.75Gb of memory. The Azure virtual machines are priced the same as Amazon’s own Windows service, but Microsoft has squeezed in an additional virtual machine SKU – called medium and charged at $0.24 per service hour and with 3.5Gb of memory.

Microsoft has also packed a lot of development into a short time. It’s built the computing fabric, a programming architecture and ability to program not just using all Microsoft’s programming languages and Visual Studio but also PHP, Java, and Ruby with a Fast CGI bridge and SDKs.

Also, the storage mechanism underwent a massive change, as Microsoft decided to give developers the familiarly of SQL Server, only in the cloud. Ozzie noted Tuesday Azure now offers features for updating and accessing data such as entity group transactions and block blobs.

Another feature coming next year is Windows Server AppFabric, a set of application services for building and deploying Windows Communication Foundation and Windows Workflow services on servers and in the cloud. Released as a beta Tuesday, AppFabric combines hosting and caching from the previous Dublin and Velocity projects with the Azure AppFabric Service Bus and AppFabric Access Control layer that was previously called .NET Services.

Server and tools president Bob Muglia said AppFabric would let you create an easy to mange infrastructure with Microsoft taking care of things like fail over and load balancing.

He also promised a set of predefined Windows server images would be loaded on Azure, which you could download, mount, take a virtual machine snap shot, and save for future use. Muglia said this would make it simpler to deploy applications you’ve built to Windows Azure.

Also, in Visual Studio 2010, will be Azure templates that Ozzie said would let you move cloud applications backwards and forwards between your systems and the cloud.