Thursday, February 25, 2010

Adobe blacklisting framework


As abode said it is not practically feasible to disable whole of javascript in adobe, it introduced a feature called black listing. This allows users to define any specific javascript API as a black list item, which then it wont be allow it to be called. Say we found a vulnerability in docmedia.newplayer, you can add this to black list and hence you can safeguard your system by doing so.
By putting that into the black list, then any PDF document that it attempts to call that, that call will be denied.  And so, it’ll deny valid calls as well as malicious calls that try to corrupt the call in order to create a crash. And this is something individual users can do, and also administrators for managed desktop environments can also do this using group policy objects to roll-out the change as a registry key. Below video should demonstrate on how to add a javascript function to blacklist item.
Given that Adobe currently has no automatic updates in place, my question is how will a normal user will get to know what needed to be blacklisted. This fix may help the technical users but for average user they have to wait for adobe's next major update which is likely to be within next three months.

Tuesday, February 23, 2010

Open source encryption tools


Failing to secure your data can result in some potentially costly and time consuming processes to recover and re-secure what was lost. It’s worth the time up front to do what you can to ensure your personal data and information stays relatively secure and at least poses some challenge to those who’d like to access it. As an added incentive, many times this can be done for virtually no up front investment on your part. Here are a few free encryption tools that you can use to secure your important info.
TrueCryptTrue crypt is an excellent open source disk encryption tool. Easy to encrypt/decrypt any file on the file as needed without user intervention beyond entering their pass-phrase initially.With TrueCrypt, you get the functionality to encrypt an entire partition of your hard drive if you so wish. Once encrypted, you can then store and access files on the partition like you would any other part of your computer. The best part? The encrypted files aren’t marked so there’s no way for an intruder to tell what’s sensitive info right off the bat.
GNU Privacy Guard: This open source encryption tool offers a free way to get public key encryption. With this, you can encrypt any emails you send out that you want to keep private and secure, with the passwords for access known only to you and your recipient. GnuPG is the complete and free implementation of the OpenPGP standard. GnuPG allows to encrypt and sign your data and communication, features a versatile key managment system as well as access modules for all kind of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.
LockNoteUsing AES 256, this program encrypts your documents. It can be useful for securing business information and sensitive communications. The recipient of the document must have a password to be able to decrypt the information. You can type any text you want, e.g your bank account information, website passwords, social security number etc. and then simply close LockNote, at which time you will be prompted to set a password. Subsequent access to LockNote requires the correct password. The program is portable and does not require an installation. You can simply copy the locked file to a USB stick, iPod or other portable device (or send it by email) and unlock it on any PC. The idea behind LockNote is not to provide a full featured data storage, but a simple, secure and portable way to store any kind of text information. If you want to organize your data, you can create multiple copies of LockNote and rename them to identify the data they contain (e.g Personal.exe, Bank.exe).
[ad#Google Adsense Horizondal banner 468-60]
S-ToolsIf you’re interested in steganographics, give this tool a try. It hides your encrypted files in GIF or WAV files and allows you to easily compress and send them as well. You open up a copy of S-Tools and drag pictures and sounds across to it. To hide files you just drag them over open sound/picture windows. You can hide multiple files in one sound/picture and your data is compressed before being encrypted then hidden. Multi-threaded operation means that you can have many hide/reveal operations going simultaneously without fear of them interferring with you or holding up your work. You can even close the original picture/sound with no ill effects to ongoing threads. Encryption services come courtesy of "cryptlib" by Peter Gutmann (and others).
Cryptainer LEThe name for this program says it all, as it can be used to create small (25 MB) containers within your hard drive where encrypted information can be stored.
File BuddyUse File Buddy to encrypt your files and erase the original un-encrypted versions from your computer so they won’t be hanging around for prying eyes to find. File Buddy helps you clean your file system of files you no longer need. It uses Droplets to automate tasks you do frequently such as setting file attributes or finding duplicate files.

Monday, February 22, 2010

USB's hardware encryption cracked


Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. NIST validates the USB drives for use with sensitive government data. Security firm SySS, however, has found that despite this it is relatively easy to access the unencrypted data, even without the required password.
The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.
"It's really onerous. It's a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it," said cryptographer and computer security specialist Bruce Schneier.
The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations – and this is the case for all USB Flash drives of this type.
Read computer world for complete analysis on the vulnerability

10 Youtube URL Tricks You Should Know About

Sunday, February 21, 2010

4 Quick Sites That Let You Check if Links Are Safe


Whether you’re accessing popular social networking sites or other communication apps such as your webmail portal and IM clients, the links let you dive into a world of new information. With one click, you may end up enjoying a great story, or on the other hand unfortunately trying to crawl your way out of a potentially harming website.
You may have your anti-virus and malware removal tools programs installed, but they will not prevent you from clicking any of those potentially-harmful-but-so-interestingly-looking Twitter, Facebook or email links. Even if you have security toolbars and add-ons installed, the following online tools may help you find out whether a website really is safe, especially if you would like to get a second opinion (e.g. you suspect the site’s review hasn’t been updated) or if you decide that you don’t need more add-ons slowing your browser’s performance. click the link below from makeuse.com
Posted using ShareThis

Wednesday, February 17, 2010

Android's malicious apps


Android, a Linux based mobile operating system intially developed by Android Inc., and later purchased by Google. Google recently released their new mobile "Nexus One"with android OS. Google allows developers to write managed code in the Java language, controlling the device via Google developed Java libraries.
So far in 2010 Google android has proven to be a hot topic with increasing popularity. As it popularity increases it becomes the target for hackers and malware writers to explore its security.  As per kaspersky, "2010 promises to be a difficult time for iPhone and Android users,".
As per kaspersky press release
An increase in attacks on iPhone and Android mobile platforms. 2010 promises to be a difficult time for iPhone and Android users. The first malicious programs for these mobile platforms appeared in 2009, a sure sign that they have aroused the interest of cybercriminals. The only iPhone users currently at risk are those with compromised devices; however the same is not true for Android users who are all vulnerable to attack. The increasing popularity of mobile phones running the Android OS combined with a lack of effective checks to ensure third-party software applications are secure, will lead to a number of high-profile malware outbreaks.
They also made five other predictions on greatest threats and new attack vector and they are
  • A rise in attacks originating from file sharing networks. This year, we will see a shift in the types of attacks on users, from attacks via websites and applications toward attacks originating from file sharing networks.
  • An increase in mass malware epidemics via P2P networks. In 2009 a series of mass malware epidemics has been “supported” by malicious files that are spread via file sharing networks. This method has been used to spread notorious threats such as TDSS and Virut as well as the first backdoor for Mac OS X. In 2010, we expect to see a significant increase in these types of incidents on P2P networks.
  • Continuous competition for traffic from cybercriminals. The modern cybercriminal world is making more and more of an effort to legalize itself and there are lots of ways to earn money online using the huge amount of traffic that can be generated by botnets. In the future, we foresee the emergence of more "grey" schemes in the botnet services market. These so-called "partner programs" enable botnet owners to make a profit from activities such as sending spam, performing denial of service (DoS) attacks or distributing malware without committing an explicit crime.
  • A decline in fake anti-virus programs. The decline in gaming Trojans witnessed in 2009 is likely to be repeated for fake anti-virus programs in 2010. Conficker installed a rogue anti-virus program on infected computers. The fake anti-virus market has now been saturated and the profits for cybercriminals have fallen. Additionally, this kind of activity is now being closely monitored by both IT security companies and law enforcement agencies, making it increasingly difficult to distribute fake anti-virus programs.
  • An interest in attacking Google Wave. When it comes to attacks on web services, Google Wave looks like it will be making all the headlines in 2010. Attacks on this new Google service will no doubt follow the usual pattern: first, the sending of spam, followed by phishing attacks, then the exploiting of vulnerabilities and the spreading of malware.
Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised."
Here is a link describing the fraudulent app that attempts to steal bank information has made it to the Android app store.
To know more about android and its architecture visit android developer center or click here

Flash cookies


Flash-cookies (Local Shared Objects, LSO) are pieces of information placed on your computer by a Flash plugin. Those Super-Cookies are placed in central system folders and so protected from deletion. They are frequently used like standard browser cookies. Although their thread potential is much higher as of conventional cookies, only few users began to take notice of them. It is of frequent occurrence that -after a time- hundreds of those Flash-cookies reside in special folders. And they won't be deleted - never.
Some flash cookies properties are
  • They are never expiring - staying on your computer for an unlimited time.
  • By default they offer a storage of 100 KB (compare: Usual cookies 4 KB).
  • Browsers are not aware of those cookies, LSO's usually cannot be removed by browsers.
  • Via Flash they can access and store highly specific personal and technical information (system, user name, files,...).
  • Ability to send the stored information to the appropriate server, without user's permission.
  • flash applications do not need to be visible
  • there is no easy way to tell which flash-cookie sites are tracking you.
  • shared folders allow cross-browser tracking, LSO's work in every flash-enabled application
  • the company doesn't provide a user-friendly way to manage LSO's, in fact it's incredible cumbersome.
  • many domains and tracking companies make extensive use of flash-cookies.
  • These cookies are not harmless.
In order to track our flash cookie information we need to go to Adobe flash web site. There will a setting manager , its a special control panel that runs on your local computer but is displayed within and accessed from the adobe website. Adobe has no access to these setting, its completely users responsibility to change the setting as he requires it. Click on this link to access your security manager setting.  To change your settings, click the tabs to see different panels, then click the options in the Settings Manager panels that you see on the web page. The five tabs are Global storage settings, Global security settings, Global notification settings, website privacy settings, website storage settings.  To read more about those tabs click here
When SWF or FLV content is being played, the settings you select for Flash Player are used in place of options you may have set in your browser. That is, even if you have specified in your browser settings that you do not want cookies placed on your computer, you may be asked if an application that runs in Flash Player can store information. This happens because the information stored by Flash Player is not the same as a cookie; it is used only by the application, and has no relation to any other Internet privacy or security settings you may have set in your browser.
Similarly, the amount of disk space you let the application use has no relation to the amount of disk space you have allotted for stored pages in your browser. That is, when SWF or FLV content is being played, the amount of disk space you allow here is in addition to any space your browser is using for stored pages.
No matter how you may have configured your browser, you still have the option to allow or deny the application that runs in Flash Player permission to store the information, and to specify how much disk space the stored information can occupy.
Solution
Firefox Extension Better Privacy is a cookie manager for LSO flash objects and DOM storage objects. Local storage objects are placed on the computer by a flash application like the YouTube video player.
BetterPrivacy can stop them, . by allowing to silently remove those objects on every browser exit. So this extension becomes sort of "install and forget add-on". Usually automatic deletion is safe (no negative impact on your browsing), especially if the deletion timer is activated. The timer can delay automatic deletion for new or modified Flash-cookies which might be in use. It also allows to delete those objects immediately if desired.

With BetterPrivacy it is possible to review, protect or delete new Flash-cookies individually. Users who wish to to manage all cookies manually can disable the automatic functions. BetterPrivacy also protects against 'DOM Storage' longterm tracking, a browser feature which has been granted by the major browser manufactures.
To know more about flash cookies and how to's click the following links
Recommended comprehensive Flash cookie article (topic: UC Berkeley research report)
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
Privacy test:
http://netticat.ath.cx/extensions.html
Navigate to BetterPrivacy (right column)

Five registry keys to improve Windows 7 security :: SearchSecurity.com.au



As administrators roll out Windows 7, the following questions and associated registry keys may help them achieve their desired user experience

Top black hat conference


Here’s a list of the top 20 hacker conferences out there today with a short description that I found from one of hacking website. I am not very sure where i got it from but sure some valuable information . They aren’t ranked from best to worst, because I am in no position to judge them since I haven’t been to all of them. If you think I missed a great one, feel free to mention it in the comments.

  • DEFCON @ www.defcon.org – DEFCON is one of the oldest continuous running hacker conventions around, and also one of the largest. Originally started in 1993, it was a meant to be a party for member of “Platinum Net”, a Fido protocol based hacking network out of Canada. As the main U.S. hub I was helping the Platinum Net organizer (I forget his name) plan a closing party for all the member BBS systems and their users. He was going to shut down the network when his dad took a new job and had to move away. We talking about where we might hold it, when all of a sudden he left early and disappeared. I was just planning a party for a network that was shut down, except for my U.S. nodes. I decided what the hell, I’ll invite the members of all the other networks my BBS (A Dark Tangent System) system was a part of including Cyber Crime International (CCI), Hit Net, Tired of Protection (ToP), and like 8 others I can’t remember. Why not invite everyone on #hack? Good idea!
  • Blackhat @ www.blackhat.com – “From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas to a global conference series with annual events in Tokyo, Amsterdam, Las Vegas and Washington DC. It has also become a premiere venue for elite security researchers and the best security trainers to find their audience.”
  • ChicagoCon @ www.chicagocon.com – “features security-focused boot camps, exams on-site followed by a two-day ethical hacking conference. Learn from the pros and network with peers in order to advance your InfoSec career.”
  • Toorcon @ www.toorcon.org – “San Diego’s hacker conference bringing together the top security experts to present their new tricks of the trade and have fun in the sunny and beautiful city of San Diego.”
  • ShmooCon @ www.shmoocon.org – “ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.”
  • Hackinthebox @ http://conference.hackinthebox.org – “Asia’s largest network security conference held annually in Kuala Lumpur, Malaysia and more recently the Middle East.”
  • HOPE @ www.thenexthope.org – “The HOPE conferences have been running since 1994. HOPE stands for Hackers On Planet Earth and it has become a gathering point for thousands of computer hackers, phone phreaks, net activists, government spooks, and a whole lot of curious people from all corners of the globe. This will be our sixth one (hence the name) and we expect to continue to grow and have more imaginative events, cool speakers, and fun projects than ever before. “
  • Notacon @ www.notacon.org – “ an annual conference held in Cleveland, Ohio, explores and showcases technologies, philosophy and creativity often overlooked at many “hacker cons”. Our desire is not to supplant other events, but complement them and strike a balance that has gone unnoticed in our community for far too long. “
  • HackerHalted @ www.hackerhalted.com – “Hacker Halted aspires to be a complete and comprehensive conference cum workshop that will educate and equip its participants with the in-depth knowledge of understanding the vulnerabilities and the countermeasures to overcome the security infringements present today.”
  • ConFidence @ www.confidence.org.pl – International IT security conference held in Poland.
  • Nullcon @ www.nullcon.net– “If you too share this passion for knowledge, if a core dump brings glimmer to your eyes, if you want to share your hack with others and you have an inquisitiveness to learn, then nullcon is the place for you. If meeting hackers/researchers/phreaks in a 2 days event packed conference and the sun-bathed beaches of the tropical paradise called Goa won’t get you off your bed, nothing ever will. So crack you knuckles, fire your Live CDs, dust your Debuggers and get ready for some serious action this February.”
  • Phreaknic @ www.phreaknic.info – “Phreaknic was started years ago by JonnyX. After 5 years of working his bony ass off putting together a con on a budget, he had to leave Nashville to get a good job and survive. He passed on the duties to Dolemite, who with the help of his amex card, put together a group of directors and formed a non-profit corporation to put on the con. Dolemite built on previous successes, and has made phreaknic a well organized, finely tuned machine… Well, fairly well tuned. We have our moments. After Phreaknic 11, Dolemite stepped down as President of Nashville2600, the non-profit that puts on Phreaknic. A vote was taken and skydog was elected as President of the Nashville2600 Organization. This is our 13th year. We are the longest running annual hacker con in the United States. DefCon is the longest running, having just had their 17th con.”
  • Dnscon @ www.dnscon.org – “DNS is a data and network security council conference. This being the annual meeting of UK security professionals and interested individuals. The UK’s longest running open information security conference provides an opportunity to find out about new threats to information security.”
  • bruCON @ www.brucon.org - BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. It’s affordable, accessible and entertaining. BruCON is a conference by and for the security and hacker community.
  • thotcon @ www.thotcon.org – “THOTCON (pronounced \?th?t\ and taken from THree – One – Two) is a new small venue hacking conference based in Chicago IL, USA. This is a non-profit, non-commercial event looking to provide the best conference possible on a very limited budget. “
  • SEC-T @ www.sec-t.org – “SEC-T is an annual vendor and company independent information security conference in Stockholm, Sweden. The conference is a single track conference with one hour time slots. All presentations and official communications will be in English to allow our non-swedish-speaking presenters and attendees to participate without restrictions.”
  • Summercon @ www.summercon.org – “Summercon is known as the world’s oldest (and drunkest) computer hacker convention. While it has been held in many places around the globe, it has called the ATL home for the last two years. We’re happy to inform you that it will be held in ATL for 2009! Other cons may try to tell you that they will be ‘informative’ or ‘ground breaking’. We at SummerCon can only promise you the time of your life and an opportunity to meet life long friends. If you happen to learn something, we take no responsibility. Please stop back frequently as the site will be updated constantly.”
  • Shakacon @ www.shakacon.org – “The Shakacon security conference is a laid back conference where industry, government, academia and independent experts will get together to share knowledge and experience in one of the most beautiful places on Earth, Hawaii. “
  • Hacking At Random @ www.har2009.org – “an international technology & security conference. Four days of technology, ideological debates and hands-on tinkering in the Netherlands.”
  • RSA Conference @ www.rsaconference.com – “RSA Conference is helping drive the information security agenda worldwide with annual industry events in the U.S., Europe and Japan. Throughout its 19 year history, RSA Conference has consistently attracted the world’s best and brightest in the field, creating opportunities for conference attendees to learn about IT security’s most important issues through first-hand interactions with peers, luminaries and emerging and established companies.”
Once again, if you think I missed a great one, feel free to mention it in the comments below.

France's new Internet privacy law


French government have created a new state agency called HADOPI stands for Higher Authority for the Distribution of Works and the Protection of Copyright on the Internet.
The law took effect from this new year 2010 after a long struggle in the parliament. According to this new law,Illegal downloaders will be sent a warning e-mail, then a letter if they continue, and finally must appear before a judge if they offend again. The judge can impose a fine, or suspend their access to the internet.


Saturday, February 13, 2010

Adobe's javascript issue


I was reading this article from Threat post where Adobe's security chief Brad Arkin had  interviewed by Threat-post editors Dennis Fisher and Ryan Naraine. It was long but interesting conversation with Brad Arkin explaining about what the recent malware exploit and what really went wrong and how there team responded to this  exploit. Questions from Dennis and Ryan were more straight to the point and made more sense on adobe's reply on this issue. It is interesting to know how impossible it is to completely remove javascript without causing major compatibility problems.  But it is a lengthy conversation and here are the few very informative key points.
JavaScript black list:
i am not sure how many of you out there are aware of the JavaScript blacklist function a new feature that shipped along with their October update. JavaScript blacklist will allow users to define any specific javascript API as a black list item, which than wont be called. By putting a javascript into the black list, any PDF document that it attempts to call that will be denied. it’ll deny valid calls as well as malicious calls that try to corrupt the call to create a crash. And this is something users can do, and also administrators for managed desktop environments can also do this using group policy objects to roll-out the change as a registry key.
Document.netplayer:
The actual malware identified in adobe flash and adobe reader is in an API called Document.netplayer. Brad's response for the possible disruption this API can cause is
Docmedia.newplayer is not one of the new API calls that is showing-up in every single PDF that we see.  It’s something that’s used a lot less often.  And so, if you were to disable JavaScript altogether, that would disrupt a lot of things.  Disabling this here, you know, for the people who rely on it, obviously, it would disrupt what they’re doing.  But, the majority of PDFs that use JavaScript don’t have this in it.  And so, for most users, their experience and their workflows are gonna be the same.  It’s something that, you know, enterprises need to understand what’s in their workflow so they can check what the impact would be.
Mitigation:
  • Utilizing the JavaScript black list function.  This is the most powerful mitigation.  It completely protects users against the attack, and at the same time it will cause the least disruption for legitimate uses of the program.
  • Something that’s a lot more disruptive, but also completely mitigates the current attack is disabling JavaScript altogether
Adobe's steps to mitigate future attacks:
Back in May we announced this security initiative that the Reader and Acrobat engineering teams were working on.  And the – the three big legs of that process, we were doing – improving our process for urgent patch release, and then moving through the quarterly security update cycle.  But, the most important thing that we were doing there was the code hardening activities, and a big part of the code hardening, for us, was looking at the JavaScript APIs and doing things like looking for problems and fixing them, but also tightening up input validation, so that even if there might be a latent bug somewhere deep in the code that we don’t know about, if we can prevent the ability of the attacker to get malicious data to that weak spot in the code, then that’ll protect against the problem.  And so, tightening-up the input validation, working on, you know, any potentially risky areas and seeing what we could do there.
Why don't you just remove JavaScript support from Adobe Reader?
No.  JavaScript is really an integral part of how people do form submissions.  And so, anytime you’re working with a PDF where you’re entering information, JavaScript is used to do things like verify that the date you entered is the right format.  If you’re entering a phone number for a certain country it’ll verify that you’ve got the right number of digits.  When you click “submit” on the form it’ll go to the right place.  All of this stuff has JavaScript behind the scenes making it work and it's difficult to remove without causing problems.
Flash cookies
Flash player local shared objects, because they behave quite differently from browser cookies.  But, the local shared object is something that – what we find is that there’s a lot of great uses for that where the developer will store data locally, it’ll improve network performance, it’ll improve the user experience where they can queue stuff up immediately and not having to wait for network latency.  But, then we’ve see there’s some confusion about how to manage the local shared object, and then also there’s things that subvert the user’s intention where, you know, we’ve seen things like this respawning that you talked about.  And so, our goals are to make it as easy as possible for the user to exercise whatever it is they’re intending to do.  And it’s actually not any harder managing local shared objects through Flash Player in terms of just, if you measure the number of clicks required.  It’s just, it’s less familiar to users, and so people know how to go to their browser file menu and click on, you know, “clear cookie cash.”
But, doing those same clicks for Flash Player is something that people aren’t as familiar with, and we for a long time have tried to work with the web browser vendors for them to open-up the API, so that when the user clicks “clear browser cookies,” it’ll also clear the Flash Player local shared objects.  But, the browsers don’t expose those APIs today.  And so, that’s something that we’ve been working with those guys, because if they can make that open up that API ability, then we can hook into that as Flash Player, so that when the user clicks “clear” it’ll clear Flash Player as well as the browser cookies.
For complete story click here. Now its time for me to research how possible is to get browsers to clear the flash cookies along with browser cookies when user clicks "clear it"?  If you got any ideas please do comment..

Thursday, February 11, 2010

Researcher Uncovers Twitter, Google Calendar Security Vulnerabilities


A security researcher uncovered some holes in Google Calendar and Twitter that may allow an attacker to steal cookies and user session IDs...
A security researcher has uncovered vulnerabilities in Twitter and Google Calendar that could put users at risk.
In a proof-of-concept, researcher Nir Goldshlager demonstrated cross-site scripting (XSS) vulnerabilities in Google Calendar and Twitter that he said could be used to steal cookies and session IDs. He also uncovered an HTML injection issue affecting Google Calendar as well that he said could be used to redirect a victim to an attack site anytime the user viewed his or her Google Calendar agenda events....
For complete article from eweek, click

Monday, February 8, 2010

Phishing, how to stay safe!


In response to one of the comment I received from a reader. How do we differentiate a legitimate email or website with a fake website. Here are some tips to share..
Basically, phishing is an attempt, either by email or sending you to a webpage , to trick people into revealing users personal details like username, passwords, bank details, credit card details or some other sensitive informations by pretending to be bank or some other legitimate entity. Phishing email will typically include a link to a website that appears exactly same as your legitimate bank asking you for information with some tricky questions or an attachment to fill out. Some of the recent example of phishing attacks are
  • A legitimate-looking face book email asks people to give information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to give their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.
  • A recent e-mail scam asks PayPal customers to give more information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"
Lets look at an example of how a fake paypal page may look like. It's actually very similar to original one..
Say lets take Ebay as another example. Attacker can be more tricky and sneaky by, they will close the address bar in a pop-up and reproduce an address bar with the correct EBay website address.
phishing ebay one
As we look, our URL box is tricked to display some other address, but lets manually enable the address bar. For doing so, go to View-Tools-Address bar.
phishing ebay 2After carefully examining, we are not in signin.ebay.com (legitimate) we are in sing-in-sec.com(as per first screenshot, a fake page).
[ad#Google Adsense Text and Image Adds]
Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail about swine flu asked people to give their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Many instance social networking sites like Myspace, face book and Twitter have been directed to fake log-in pages. Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a  live chat was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for more information.

Identifying Phishing

  • Observe the sender information looking for legitimacy. There cannot be two address under same name, so there has to be some catch in the URL. Say for instance, alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S. so an address ending in ".uk" or something other than ".com" could show it's a phishing attempt.
  • Legitimate companies email will be more targeted than a more generic email from hackers. Legitimate companies will tend to use customer names or user names in the email, ad may also include part of account number. But a fake email will be more generic like "Dear Yahoo user".
  • Make sure to look at the hyperlinks inside the body of the email. In most cases words in the links may be misspelled and they tend to use subdomains or letters or numbers before the company name.  Try mousing over the link you can see the real access on the bottom of the web browser.
  • If you are unsure about the legitimacy of the link that you bound to click, go to the company website to see the address listed. check your full email header to see the full email address and other information.
  • Deceptive website URL's:  Secure websites start with https. Always confirm if website URL is correct. It is always good idea to type the website url directly in the browser and avoid following link from email. By checking the beginning of the Web address in your browsers address bar showing "https://" rather than just “http://” would make sure that you are using an encrypted secure website. A small chain will also show in your browser when you are using a secure website.
WARNING: Phishers can get you to enter their own website and create a "secure link" for you to give all the information they need. They can also spoof the windows explorer to show exactly what they want by putting a window in top of the other, covering the real internet URL
  • Sense of Urgency-Phishing emails generally use scare tactics. These emails try to force customers in taking action by stating that account is about to be closed if account information is not verified. Always suspect email that seems to generate a sense of urgency.
  • If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.
  • Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.

Avoiding Phishing

  • Regarding emails: DO NOT trust emails urgently requesting personal financial information !
  • Be sure not to call any number or use any link in the suspected email as this may put you in the hands of those responsible for the phishing attack. Note: By using a trojan horse spyware, phishers can change your HOSTS file which thereby redirects specific URL's to a page of their choosing. They could copy your banks webpage and redirect you to their fake bankpage even if you wrote the exact correct address into the address field. This means; You MUST have control over your HOSTS file.
  • Be suspicious of impersonal emails.
  • NEVER fill out forms in email messages that ask for personal financial information
  • Be suspicious of email links. Never trust it! There are ways to "spoof it" !
  • Always make sure that you're using a secure website when submitting credit card or other sensitive information via your Web browser
  • Regularly log into your online accounts
  • Ensure that your browser is up to date and security patches applied

Sunday, February 7, 2010

Solving global warming


I got this image as a good morning email message from one of  my friend.  A cool image with to do's and dont's  for global warming.  I find this is cool...