The FORWARD project blog
http://blogs.ict-forward.eu/forward
blogging on emerging and future threats

“Stop Online Piracy Act” legislation. NOT.
http://blogs.ict-forward.eu/forward/stop-online-piracy-act-legislation-not/
Mon, 30 Jan 2012 09:09:17 +0000, by mylonak

Behind the law

On its surface, fighting piracy sounds like a good thing, especially if you’ve worked hard on a book, album, font, video, or other product and discovered it being illegally distributed free of charge on a shady website or server beyond the reach of U.S. law.

Speaking personally, every for-sale creative product I’ve helped develop in the past two decades has reached appreciative paying customers through authorized sales channels, from tiny Paypal-powered sites to mighty Amazon and chain stores. But pirated copies have also been readily available on law-flaunting websites, and there are always people who will download free stuff even when they know it’s wrong. I always think people who steal stuff weren’t my customers anyway, but not everyone can take that point of view, and it’s reasonable to wish there was some way to stop the illegal distribution of content.

Wishes are one thing, laws are another. If there is a way to stop piracy (and I think we’d have more luck legislating an end to adultery or overeating), SOPA is not it.

A broad and burning brush

SOPA approaches the piracy problem with a broad brush, lights that brush on fire, and soaks the whole internet in gasoline. If passed, SOPA will allow corporations to block the domains of websites that are “capable of” or “seem to encourage” copyright infringement. Once a domain is blocked, nobody can access it, unless they’ve memorized the I.P. address.

Nothing is more dangerous than tremendous power coupled with vague language. But SOPA’s definition is intentionally vague to give corporate lawyers maximum leeway in fighting for their clients’ interests at $450 an hour.

Under SOPA, an article on NPR’s website covering the copyright dispute between Shepard Fairey and the Associated Press could be seen as supporting copyright infringement, because the article includes a JPG of Fairey’s infringing “HOPE” poster as part of its news coverage, or because the article refers passingly to Fairey’s “fair use” defense. Under SOPA, the AP could legally block the entire NPR website in response.

But it doesn’t stop there, because this is the internet, and the internet is about connections.

Say you blog about the NPR story and include a screen capture. Under SOPA, your website could be blocked. If your blog is a subdomain of Tumblr or WordPress, all of Tumblr or WordPress could also be blocked.

Maybe you just post a link to the story on your Facebook wall. Under SOPA, all of Facebook can be blocked. To avoid this fate, Facebook would be responsible for policing the copyright status of every piece of content its users post.

Servers and search engines, too

Ever used a search engine? Google and Bing would have indexed the NPR story and probably included the artwork. (That’s what search engines do.) Therefore Google and Bing could be shut down. To avoid being shut down, Google and Bing would be responsible for policing the copyright ownership of every piece of content they index.

Same thing with hosting companies and Internet Service Providers. If there’s a copyrighted image on an ISP’s server or in the cloud, the server and cloud service must go away, along with all the innocent content also stored on that server or cloud service. To stay online, ISPs of every stripe will be responsible for policing the copyright status of every piece of content they store. Hosting is a tough game. Most hosting companies barely break even, and have a tough enough job maintaining uptime. Who will pay hosting companies to hire content police, and who will train them?

And let’s not forget the Internet Archive Wayback Machine. That’s got to be full of copyright violations. Better to be on the safe side. Let’s just shut it down, and Wikipedia with it (because maybe one file in the Wikipedia commons is arguably copyright protected).

Lobbyists want this

Anyone with five minutes’ experience of how the internet actually works will understand why SOPA is technically unfeasible, economically burdensome, and a ball gag in the mouth of free speech. No company that stores or publishes internet content can police all that content all the time. SOPA is a job and freedom ender.

U.S. legislators are not internet experts, but they know the side on which their bread gets buttered and they are in thrall to powerful lobbyists, as anyone not on peyote knows. And lobbyists have thrown $91 million at this issue so far, grotesquely outspending citizens and internet companies.

What Big Money wants, Big Money tends to get, even when its experts testifying at the U.S. House of Representatives admit they don’t know what they’re talking about, as covered by Fortune, of all publications:

Internet companies worry that they could be held liable for the actions of people outside their control. Under the bill, Yahoo, for example, could be held liable if someone posted a copyrighted picture to that company’s Flickr site. And Google and other search engines would in effect be responsible for the actions of basically everyone on the Internet. But logic either doesn’t seem to matter much to SOPA sponsor Lamar Smith (R-Texas) and his 21 cosponsors, or else they simply can’t get their minds around the problem. Opponents of the bill have noted that it could disrupt the domain-name system—the Internet’s basic technical underpinning. But when witnesses who support the bill were asked about that issue, they said they were not qualified to speak to the technical aspects of it, even as they insisted that SOPA would present no such problem. And in a bit of delicious symbolism, the committee’s streaming video of the hearing basically didn’t work.
—“Why the House is stacking the deck on Internet piracy”, Fortune

a «BEAST» exploiting the (almost) secure web, SSL.
http://blogs.ict-forward.eu/forward/a-%c2%abbeast%c2%bb-exploiting-the-almost-secure-web-ssl/
Tue, 10 Jan 2012 10:53:15 +0000, by mylonak

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

By contrast, Duong and Rizzo say they’ve figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

Instead, BEAST carries out what’s known as a plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. During the encryption process, the protocol scrambles block after block of data using the previous encrypted block. It has long been theorized that attackers can manipulate the process to make educated guesses about the contents of the plaintext blocks.

If the attacker’s guess is correct, the block cipher will receive the same input for a new block as for an old block, producing an identical ciphertext.
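The guess-confirmation property described above, shown on a toy CBC channel as an added example (not code from the original article or from the BEAST authors). The keyed function stands in for a block cipher, and the class, function names and cookie value are constructed for illustration; the code compares the chained IV of TLS 1.0 with the fresh per-record IV of TLS 1.1 and later.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's encrypt direction (assumption: not AES and
    not invertible, but deterministic under one key, which is all CBC needs here)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CbcChannel:
    """Sends one-block records in CBC mode under a fixed session key.

    chained_iv=True  : the IV of a record is the last ciphertext block of the
                       previous record (SSL 3.0 / TLS 1.0 behaviour).
    chained_iv=False : every record gets a fresh random IV (TLS 1.1 and later).
    """

    def __init__(self, key: bytes, chained_iv: bool):
        self.key = key
        self.chained_iv = chained_iv
        self.last_ct = os.urandom(BLOCK)

    def predictable_next_iv(self):
        """What a network observer knows about the next IV before it is used."""
        return self.last_ct if self.chained_iv else None

    def send(self, plaintext_block: bytes):
        iv = self.last_ct if self.chained_iv else os.urandom(BLOCK)
        ct = encrypt_block(self.key, xor(plaintext_block, iv))
        self.last_ct = ct
        return iv, ct  # both are visible on the wire


def guess_matches(channel, secret_iv, secret_ct, guess):
    """Submit one chosen block and report whether its ciphertext equals the
    ciphertext of the earlier secret block."""
    next_iv = channel.predictable_next_iv()
    if next_iv is None:
        next_iv = bytes(BLOCK)  # nothing to predict: the IV is chosen at send time
    # With a predictable IV the cipher input becomes guess XOR secret_iv,
    # which equals the earlier input exactly when guess == secret.
    chosen = xor(xor(guess, secret_iv), next_iv)
    _, ct = channel.send(chosen)
    return ct == secret_ct


def run(chained_iv: bool):
    """Return (wrong_guess_confirmed, right_guess_confirmed) for one channel."""
    channel = CbcChannel(os.urandom(32), chained_iv)
    secret = b"session=7f3a9c1e"  # constructed 16-byte cookie block
    secret_iv, secret_ct = channel.send(secret)
    wrong = guess_matches(channel, secret_iv, secret_ct, b"session=00000000")
    right = guess_matches(channel, secret_iv, secret_ct, secret)
    return wrong, right


if __name__ == "__main__":
    print("TLS 1.0 style chained IV :", run(True))
    print("TLS 1.1+ random IV       :", run(False))
```

With the chained IV a correct guess is confirmed by an identical ciphertext block; with a fresh random IV per record the same guess reveals nothing.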

At the moment, BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work. Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of Duong and Rizzo’s claim that this time can be drastically shortened.

In an email sent shortly after this article was published, Rizzo said refinements made over the past few days have reduced the time required to under 10 minutes.

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it’s a legitimate threat.”

 

 

 

Malicious Android apps double in 6 months
http://blogs.ict-forward.eu/forward/malicious-android-apps-double-in-6-months/
Tue, 10 Jan 2012 10:52:58 +0000, by dstamat

Lookout Mobile Security has identified 1000 malicious applications in less than six months.
Previously, most of the malicious apps were located on third-party app stores and alternatives to the official Android Market.
Lookout mentions that the likelihood of an Android user encountering malware increases from 1 to 4 percent yearly, and that the U.S. is placed in the middle for mobile malware compared to other countries.
Another malware tactic is to convince Android users to click on untrusted links that lead to malware and phishing sites.
The global yearly likelihood of an Android user clicking on an unsafe link is much higher and reaches 36 percent (6 percent higher than July 2011), and the likelihood in the U.S. is 40 percent.
Another issue that Lookout detected is “mobile pickpocketing”, that is, applications and malware that charge the phone owner without his knowledge.
There are also the RuFraud applications, which pretend to be free wallpaper finders and popular games but hide terms that allow the service to charge the phone owner without his knowledge.
Lookout believes that many of these incidents will be reported, along with botnets, malware that exploits weaknesses in mobile operating systems, browser-based attacks, malware hiding in mobile advertisements, and tools that allow automatic repackaging of legitimate applications to add malware.
Finally, Lookout suggests avoiding third-party application stores, avoiding clicks on in-app advertisements, and being wary of apps that ask you to click “OK”. Users should first check the reviews before downloading any application, especially those related to games, utilities and porn, which are most likely to contain malware.

Sources :
cnet.com
RuFraud Apps

Spam sinks to lowest level in almost three years, says Symantec
http://blogs.ict-forward.eu/forward/spam-sinks-to-lowest-level-in-almost-three-years-says-symantec/
Tue, 10 Jan 2012 10:52:44 +0000, by gavalet

According to Symantec’s report, spam messages have been reduced to a great extent!

Nowadays the global amount of spam messages is 70%, compared to the 90% it was in 2009. The legal actions of Microsoft helped in this direction, reducing the daily amount of spam messages from 52 billion to 33 billion per day. Pharmaceutical spam, which is a special category of these messages, has decreased to half (32.5%) since Symantec started tracking it. Some striking examples by country are these:

Russia is the most spammed area in the world, with the extremely high rate of 76.7%! The next country is South Arabia, which has 76.6% spam messages! Last but not least, the U.S.A. is in a slightly better situation, despite having 69.9% spam e-mails!

Unfortunately, spammers always find a way to get away, and, in combination with the use of more targeted malware to approach people, there is no rapid and definite decline in these messages! The main aim of that junk mail is to deceive the victims or to steal important data from a big company! A prime example of these attacks is the Stuxnet worm, an incredibly large and complex threat.

The Stuxnet worm is a “wake-up call” because of its complexity and its aim at critical infrastructure systems. It can spy on and reprogram industrial control systems and grant hackers control of critical infrastructures. It uses four zero-day vulnerabilities, compromises two digital certificates, injects code into industrial control systems and hides the code from operators.

In particular, the malevolent users or programs try to establish stable access to the main database of a company or an organization so as to extort information or top secrets. But the problem is getting more and more serious, because attempts have already been made to destroy the economy of a country or cause significant damage!

Every day many attacks are reported and blocked through the spam messages. For instance, approximately 94 attacks were blocked by Symantec worldwide each day in November. In addition, in the US one attack was blocked every day, and in Japan one such attack was blocked every nine days!

In conclusion, some of the sectors that received targeted attacks daily over 2011 as a whole are:

  • The public sector, with about 20 attacks per day.
  • The chemical and pharmaceutical industry sector, with 18.6 each day.
  • The manufacturing sector, with 13.6 attacks blocked daily.

Related links:

http://news.cnet.com/8301-1009_3-57338317-83/spam-sinks-to-lowest-level-in-almost-three-years-says-symantec/

http://news.cnet.com/8301-1009_3-20048803-83.html

http://news.cnet.com/8301-27080_3-20023124-245.html?tag=mncol;txt

 

WPS Design Flaw Revealed
http://blogs.ict-forward.eu/forward/wps-design-flaw-revealed/
Tue, 10 Jan 2012 10:52:30 +0000, by grammatik

WiFi Protected Setup (WPS) is a security technology widely used in the latest modem/routers for domestic or small-business use. As its name implies, the WPS protocol was designed to aid the WiFi security configuration process, enhancing device usability. However, in contrast to this usability, several researchers have revealed security issues that could easily lead to a DOS attack.

WPS supports both out-of-band configuration over Ethernet/UPnP and in-band configuration over IEEE 802.11/EAP. Since the (wireless) in-band option is the most likely to be exploited by potential attackers within range, it is interesting to examine all three configuration methods that in-band configuration over IEEE 802.11/EAP provides.

In the first security configuration method, the user has to push a button, usually a physical one, located on both the access point and the new wireless client device. This method is commonly referred to as PBC (Push Button Connect), and saves the user from typing a unique security key code to perform authentication. The second method involves typing the client device's PIN into the web interface of the access point, and is usually referred to as PIN internal registrar. The third method is called PIN external registrar, mainly because the user enters the PIN of the access point into a GUI provided by the client device (usually a computer).

The latter method is extremely vulnerable to a brute-force attack, since authentication is not required. If an incorrect PIN is entered, the access point responds with an EAP-NACK message. An attacker can use the brute-force technique by incrementing the PIN each time an EAP-NACK message is received. Furthermore, by sending a handshake message to the access point and receiving back an EAP-NACK message, the attacker (client) is able to determine, depending on the type of message sent, whether the first half or the second half of the PIN is correct. This observation affects the performance of the brute-force algorithm used by a potential attacker, since only the first half and then the second half of the PIN have to be incremented until a match is found, dramatically decreasing the time needed to obtain the PIN.

In an attempt to restrict the brute-force technique, vendors incorporate lock-down mechanisms into their devices that introduce delays every time an incorrect PIN is entered. However, at least one researcher has shown that such lock-down mechanisms are not sufficient to make the attack infeasible. Several factors influence the Maximum Attack Time, depending on whether a lock-down scheme is deployed. The lock-down time and the number of attempts before lock-down are the most important factors affecting the Maximum Attack Time. A researcher's implementation of a proof-of-concept brute-force attack tool has shown that the Maximum Attack Time could range from 3.97 hours to 2203.97 hours, depending on the lock-down mitigation mechanism employed by vendors. Apart from vendors, end users could prevent a brute-force attack by deactivating WPS. However, this may not always be possible.

Another researcher, by implementing an open-source tool capable of performing brute-force attacks that exploit the WPS vulnerability, has concluded that by knowing the WPS PIN, the router's encryption passphrase can easily be revealed. This is true even if multiple radio frequencies are used in the physical layer, each configured with a different WPA key, or even if the passphrases are altered by the user.

The key point to note is that WPS functionality is likely to have been turned on by default, as a factory setting, and, where this is the case, the means of turning WPS off may not be available, resulting in a security flaw even if end users do not make use of the WPS facilities. A long lock-down period is definitely not a solution for preventing brute-force attacks, since an access point usually operates for a long time, in the order of several months, which is enough time for an attack to take place. To address this security flaw, a mature solution could be collaboration among vendors to develop mitigation techniques, together with an information campaign urging end users to upgrade firmware and/or deactivate WPS.
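The effect of lock-down settings on the Maximum Attack Time discussed above, written as a defender's calculator; this is an added example, not code from the original post or from the researchers' tools. The 8-digit PIN layout (last digit a checksum) comes from the WPS design; the 1.3 seconds per attempt and the 5-attempt / 60-minute policy are assumptions, chosen because they reproduce the post's 3.97 and 2203.97 hour figures.

```python
from dataclasses import dataclass
from typing import Optional

FIRST_HALF_VALUES = 10 ** 4   # digits 1-4 of the PIN
SECOND_HALF_VALUES = 10 ** 3  # digits 5-7; digit 8 is a checksum of the first seven


@dataclass(frozen=True)
class LockDown:
    """A vendor lock-down policy (hypothetical model for this example)."""
    attempts_before_lock: int  # failed PINs tolerated before the AP locks WPS
    lock_seconds: float        # how long WPS stays locked


def worst_case_attempts(halves_confirmed_separately: bool = True) -> int:
    """Number of PINs that must be tried in the worst case.

    When the access point reveals which half was wrong, the halves are searched
    one after the other (sum); otherwise the full space applies (product)."""
    if halves_confirmed_separately:
        return FIRST_HALF_VALUES + SECOND_HALF_VALUES
    return FIRST_HALF_VALUES * SECOND_HALF_VALUES


def max_attack_hours(seconds_per_attempt: float,
                     policy: Optional[LockDown] = None,
                     halves_confirmed_separately: bool = True) -> float:
    """Upper bound on the time to exhaust the PIN space, in hours."""
    attempts = worst_case_attempts(halves_confirmed_separately)
    seconds = attempts * seconds_per_attempt
    if policy is not None:
        # One lock-down period is counted per full batch of failed attempts.
        seconds += (attempts // policy.attempts_before_lock) * policy.lock_seconds
    return seconds / 3600.0


def lock_seconds_needed(target_hours: float, attempts_before_lock: int,
                        seconds_per_attempt: float) -> float:
    """Lock-down duration required for the bound to reach target_hours,
    e.g. the months an access point typically stays in service."""
    attempts = worst_case_attempts(True)
    lockouts = attempts // attempts_before_lock
    if lockouts == 0:
        raise ValueError("policy never triggers before the PIN space is exhausted")
    remaining = target_hours * 3600.0 - attempts * seconds_per_attempt
    return max(0.0, remaining / lockouts)


if __name__ == "__main__":
    rate = 1.3  # seconds per attempt (assumption)
    print("no lock-down        : %.2f h" % max_attack_hours(rate))
    print("5 tries / 60 min    : %.2f h" % max_attack_hours(rate, LockDown(5, 3600)))
    print("no half confirmation: %.1f h" % max_attack_hours(rate, None, False))
    need = lock_seconds_needed(24 * 180, 5, rate)
    print("lock needed to outlast 180 days of uptime: %.0f s per 5 tries" % need)
```

Even the stricter policy only stretches the bound to about three months, which is why the post treats disabling WPS, rather than a longer lock-down, as the dependable mitigation.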

References:

http://krebsonsecurity.com/2011/12/new-tools-bypass-wireless-router-security/#more-13177

http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

 

Google enables two-factor authentication for user accounts
http://blogs.ict-forward.eu/forward/google-enables-two-factor-athentication-for-user-accounts/
Sun, 04 Dec 2011 14:40:48 +0000, by hassapis

Google seems to take user security quite seriously, since today Gmail accounts are commonly used as a global account across many websites. To protect its customers (paying or not), Google has introduced a two-factor authentication method for users logging in to their Gmail accounts.

Two-factor authentication is not something new and has been widely used in the financial industry, since it appears to be very effective. Google’s scheme involves using a second password in addition to your original password when you try to log in. All you have to do is tick the corresponding checkbox in your Gmail account’s settings and wait for Google to send you an SMS with the second password, or use a mobile phone application to generate one if you own an Android phone or an iPhone.

However, this password will only last a few minutes, so hurry up and use it! Indeed, this new policy (which is of course optional) will add some complexity to the login process for the user, who will need to get such a password every time he tries to log in. Alternatively, you can choose to use two-factor authentication only once per computer you log in from. Still, this method raises some issues in cases where you do not have a mobile phone available, say while travelling abroad. Google offers a workaround, pre-printed passwords, if you still need or want the option enabled and have no access to a mobile phone or smartphone.

Overall, it seems that the policy is worth the extra effort on the user’s end if he desires an impenetrable account.

Related links:

http://www.wired.com/threatlevel/2011/02/google-security/

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

http://www.zdnet.com/blog/perlow/googles-two-factor-authentication-nice-idea-but-unwieldy/15864

http://techcrunch.com/2011/02/10/google-rolls-out-two-factor-authentication-for-everyone-you-should-use-it/

SOPA’s latest threat: IP blocking, privacy-busting packet inspection
http://blogs.ict-forward.eu/forward/sopas-latest-threat-ip-blocking-privacy-busting-packet-inspection/
Mon, 21 Nov 2011 01:31:16 +0000, by dstamat

According to the Stop Online Piracy Act (SOPA), a network provider can be ordered to prevent access by its US subscribers to allegedly piratical Web sites. That language did not appear in an earlier version, the Protect IP Act.

Markham Erickson, head of NetCoalition, mentions that his company would cover IP blocking and it performs deep packet inspection.

Protect IP, on the other hand, doesn’t oblige the ISPs to block their customers from visiting the numeric IP addresses of off-limits web sites and doesn’t perform deep packet inspection.

The head of the Recording Industry Association of America (RIAA) supports the legislation, by suggesting SOPA to be used to force Internet providers to block by IP address and deny access to only the illegal part of a site.

SOPA is designed to respond to the rise of pirate-content sites, and it allows the attorney general to seek a court order against the targeted site that would be served on ISPs, causing the target to disappear.

An aide to the House Judiciary committee stated that IP address blocking and deep packet inspection could be necessary and it would be up to a judge to mark a site as blocked.

Deep packet inspection is the only way to block data from specific pages, and may cause privacy issues as it monitors customers’ browsing.

ISPs aren’t enthusiastic enough about SOPA. Verizon ISP has concerns about the legislation and is working with congressional staff to address them.

AT&T remains supportive of the general framework of the Senate bill (similar to SOPA), but when it comes to SOPA “it is working constructively with Chairman Smith and others toward a similar end in the House.”

Sonic.net says that it’s technically feasible for them to block a list of IP addresses provided by the government, even though it becomes more difficult as the list grows.

On the other hand, Jasper says that deep packet inspection wouldn’t be feasible:
“We have no capability to do this, so it would not be technically feasible, as it would require complete re-engineering and re-deployment of our network”.

According to SOPA, an ISP must take technically feasible and reasonable measures designed to prevent access by its subscribers located within the US to the blocked site that is subject to the order.

The RIAA says that SOPA is much more flexible than the Senate bill, as it isn’t as specific. “Instead of setting a particular type of technological response in statute, the bill is flexible to allow an ISP to choose the best method, which today may be DNS blocking. If the ISP feels that any one method may have detrimental effect on the DNS system or on its network, or if technology changes, it is not locked in.”

Unlike SOPA, the Senate bill and Protect IP target domain name system providers, financial companies and ad networks, and not Internet connectivity services.

Public Knowledge legal director Sherwin Siy stated that the obligations of an ISP receiving those orders are not clear enough.

Seth Schoen characterizes as “surprising” the fact that SOPA is much broader than Protect IP.

If all of these apply, SOPA’s blacklists will start to make the US look like more repressive regimes.

Source: http://news.cnet.com/8301-31921_3-57328045-281/sopas-latest-threat-ip-blocking-privacy-busting-packet-inspection/?tag=mncol

 

DNSChanger attackers made profit of $14 million
http://blogs.ict-forward.eu/forward/dnschanger-attackers-made-profit-of-14-million/
Fri, 18 Nov 2011 17:47:10 +0000, by metalidis

DNSChanger is a trojan that changes the infected system’s Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal, sites. It is usually a small file that changes the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually encrypted in the body of the trojan. As a result of this change, a victim’s computer will contact the newly assigned DNS server to resolve the names of different webservers.

Six people, who carried out that attack and earned more than $14 million, were arrested in Estonia and Russia by the FBI. According to the FBI, when users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software.

The attackers also replaced legitimate ads on sites with ads that generated illegal payments for them, e.g. they replaced an American Express ad on the Wall Street Journal home page with an ad for “Fashion Girl LA,” and an Internet Explorer 8 ad on Amazon.com with one for an e-mail marketing firm. Specifically, computers were affected by DNSChanger when visiting certain web sites or downloading particular software, and the malware at the same time prevented antivirus software and operating systems from updating.

This whole operation has been shut down by a two-year FBI investigation called “Operation Ghost Click”. What they did afterwards was to replace the rogue DNS servers used in the operation with legitimate servers, hoping that infected computers would still be able to access the Internet, and also to get the owners of infected computers to clean the malware off their machines.

A service is also provided that can tell you whether your computer is infected, just by visiting the FBI page.

http://news.cnet.com/8301-1009_3-57321844-83/seven-accused-in-$14-million-click-hijacking-scam/?tag=txt;title

http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

RSA attack
http://blogs.ict-forward.eu/forward/rsa-attack/
Mon, 07 Nov 2011 11:29:46 +0000, by metalidis

The RSA attackers took advantage of phishing e-mail and the exploitation of a previously unpatched Adobe Flash hole.

They sent phishing e-mails to low-profile employees with the subject line “2011 Recruitment Plan”. One of the employees made the terrible mistake of opening the e-mail, and so the attached Excel file, which contained malware that could exploit a hole in Adobe Flash, installed a back door. From there on the attacker could remotely take control of the computer.

To do that remotely, the attackers used the Poison Ivy tool, which let them gather critical information using C&C connections. This type of espionage attack is called an “Advanced Persistent Threat” (APT) and it is used to gather, as I said, critical information about the company being hit: critical information such as knowledge of the company’s high-level operations and network, and information about expert IT employees and their roles in the company.

The next step of the attackers was to gather the data (as soon as possible, because they had been discovered by RSA) and exfiltrate them in encrypted files over FTP to an external compromised hosting provider.

More companies around the globe may have been hit by this type of attack (APT), whose main characteristic is the persistent espionage of significant targets (Stuxnet worm) (see links below).

http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

http://news.cnet.com/8301-27080_3-20051071-245.html

https://secure.wikimedia.org/wikipedia/en/wiki/Advanced_persistent_threat

Security Flaw Makes VPNs Useless for BitTorrent
http://blogs.ict-forward.eu/forward/security-flaw-makes-vpns-useless-for-bittorrent/
Wed, 19 Jan 2011 07:18:30 +0000, by Thanos Yannopoulos

Nowadays VPN (virtual private network) services have become very common because more and more users want privacy. Many websites, like the Pirate Bay’s Ipredator, offer anonymous VPN services which ensure privacy in downloads from BitTorrent. But is this working?

It turns out that there’s a big security flaw in these services that allows individual users to be identified! The flaw is caused by a combination of IPv6 and PPTP-based VPN services, which are widely used; moreover, IPv6 is enabled by default on most computers (Vista, Windows 7).

With this flaw, the IP address, and sometimes the MAC address and the computer’s name, of a user behind a VPN can be found, because their connection broadcasts information that can be used to identify them. Also, if the clients are not separated they might expose each other and reveal sensitive information (a separate subnet for each one may help).
It may be possible to see a user’s public IP only if the following preconditions exist.

1) The computer has an IPv6 stack installed with support for tunneling IPv6 traffic over an IPv4 link (such as ISATAP) (default in Windows Vista and 7).
2) The computer has a public IP address assigned (if you are behind a router with NAT, 192.168.1.1 will be compromised).

Some ways to avoid this flaw are to disable IPv6 and roll back to IPv4, or to use an alternative to PPTP: OpenVPN, which is free, open-source and more stable.
Also, by using a VPN you give a third-party company access to all your private information, which could be a far larger security hole than anything else, so be careful who you trust with your data.

Sources:
www.wired.co.uk

http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/
