Archive for the ‘Security’ Category

Zero for owned.. Do they have a point?

Thursday, July 30th, 2009

Two days ago the hackers who release the Zero for owned (maga)’zine’ released the fifth version, ZFO5.
For those who do not know what I am talking about, check this link to read it.

Basically they hack some “wannabe” hackers and whitehat hackers who, according to them, are commercial fuckers who do not really help their customers in the long term. I am not going to comment on this statement, but these guys had another statement that got me thinking:

The very concept of “penetration testing” is fundamentally flawed.  The problem
with it is that the penetration tester has a limited set of targets they’re
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box.  So if a site on a shared host is being tested, just
because site1.com is “secure” that does NOT in anyway mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks.  The time constraint is another problem. A professional pentester with
a week or two to spend on a client’s network may or may not get into
everything.  A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You’re lucky if it even
takes him that long, really.

They have a point here. In most pentest contracts (at least the ones I know of) companies will only pay for their most vulnerable or most important systems to be pentested. But a blackhat could (easily) hack one of the other systems that have not been pentested, and then he has a totally different attack vector, one the whitehat has not been able to test because of the lack of time and/or money. Besides that, in the end everything can be hacked. The only things that prevent many systems from being hacked are time and the fact that most systems are not worth hacking.

Information exchange

Tuesday, July 14th, 2009

Today I was behind my computer when I received tweets about a severe vulnerability in Microsoft Office Web Components. Although it did not apply to me (I am not using Internet Explorer; actually, most of the time I am not even using Windows), I figured I would have loved this way of information exchange when I was a network/system administrator in a previous job.

In a fairly big network it would have been plausible that every few hours a PC got infected through this vulnerability. So the faster the problem is known, the less damage can be done to the client machines.

I can recommend any system/network administrator to sign up for a Twitter account and follow some security-related people/groups. Reading tweets costs time, but it will save you time when something bad is on the loose.

New cold war? Blame software piracy!

Thursday, July 9th, 2009

Today the Santa Maria Times posted an article about cyber warfare, and they even called it a new cold war. Perhaps they are luring people to their website with their sensationalist article, because I do not think we are in a new cold war… yet.

In recent weeks we have heard reports of DoS attacks on several US government websites and South Korean government websites. But there is absolutely no proof that these attacks were organised by national cyber-warfare agencies from, for example, Russia or China, although a lot of the PCs were located in these countries.
I think it is pretty clear why a lot of the PCs involved in the DoS were located there. Compared to the western world these countries are relatively poor, but they do have PCs. My guess is that these people do not have money for, or do not want to spend it on, legal software and thus are vulnerable because they do not get (sufficient) updates.
Some investigation on my part supports this: according to statistics at statcounter.com, Windows XP usage is 92% in China, and according to this article 80% of all software in China is pirated.
[Figure: OS usage in China 2008-2009]
These machines are an easy target for groups of hackers who want to form a botnet, which can then be used to perform the DoS attack. Of course, those hackers could be in the service of some government, but I highly doubt that.

If I were some cyber-warfare minister, I would upgrade all internet lines of all departments in my country and all embassies abroad to 10 MB/s, get some servers in data centers abroad so I could tunnel traffic through them, and develop an application that should run as a service on every machine in those departments.
Why would a country go to all the effort to get (and maintain) a botnet if it already has all the necessary means?
Of course, for more covert operations you would like to have a botnet because it is harder to trace, but for the rest: in a real war you also know who you are up against, so why not in cyberwar?

Reporting point for shoddy websites

Wednesday, July 1st, 2009

Recently my girlfriend wanted to order something on the internet, something that happens regularly in our household. She had just put two items in her “shopping basket” when she got a JavaScript error and asked me to take a look. The website looked rather shoddy, so I decided to wade through the HTML source code. The very first form was already a hit. Prices were hidden in the page and sent along with the form. So, after changing the price in the code, something costing 10 euros was placed in the shopping cart for 1 euro. The search button contained an SQL injection, and a variable in the URL was susceptible to an XSS attack. And the worst thing is, this is not the work of a simple hobbyist; it is the work of a hobbyist who has made it his job. He/she sells this webshop as a service and has put a nice overview of all his customers on his company’s website, all of whom are therefore vulnerable to the same holes.
In my view I cannot approach this company myself. By convincing myself that the website is no good I have effectively hacked it, even though I have not caused any damage.
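The two server-side mistakes described above (charging the price that comes back in a hidden form field, and building the search query from the raw search term) are easy to fix, and the fix is the same whatever shop framework is used. The following is an added example, not code from the post or from the webshop vendor it describes: a miniature shop backed by SQLite, with the price-trusting handler shown next to a hardened handler that looks the price up server-side, and a search function that binds the term as a parameter. The catalogue, product ids and prices are constructed sample data.

```python
import sqlite3

# Constructed sample catalogue (product name, price in euros). In the hardened
# handler the price is looked up here and never taken from the browser.
CATALOGUE = [
    ("Kettle", 10.00),
    ("Teapot", 24.50),
    ("Kettle descaler", 3.95),
]


def make_db():
    """Create an in-memory product table filled with the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)", CATALOGUE)
    return conn


def add_to_cart_insecure(cart, form):
    """The pattern described in the post: the shop puts the price in a hidden
    form field and charges whatever value comes back with the submission."""
    cart.append((int(form["product_id"]), float(form["price"])))
    return cart


def add_to_cart_secure(conn, cart, form):
    """Hardened handler: the client only chooses *which* product; the price is
    read from the server-side catalogue and any submitted price is ignored."""
    product_id = int(form["product_id"])
    row = conn.execute(
        "SELECT price FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    if row is None:
        raise ValueError("unknown product id %d" % product_id)
    cart.append((product_id, row[0]))
    return cart


def search_products(conn, term):
    """Hardened search: the term is passed as a bound parameter, so quotes or
    '--' in it are matched literally and cannot change the query's structure.
    (LIKE wildcards '%' and '_' in the term are a separate, non-injection concern.)"""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ORDER BY id",
        ("%" + term + "%",),
    ).fetchall()
    return [name for (name,) in rows]


def cart_total(cart):
    """Sum of the prices recorded in the cart, rounded to cents."""
    return round(sum(price for _, price in cart), 2)


if __name__ == "__main__":
    conn = make_db()
    # A submission in which the hidden price field was edited from 10.00 to 1.00.
    tampered = {"product_id": "1", "price": "1.00"}
    print("insecure total:", cart_total(add_to_cart_insecure([], tampered)))
    print("secure total:  ", cart_total(add_to_cart_secure(conn, [], tampered)))
    print("search:", search_products(conn, "kettle"))
    print("search with quote:", search_products(conn, "' OR 1=1 --"))
```

The hardened handler treats the browser as untrusted input that may only name a product id; everything that determines money changes hands is recomputed from the server's own data. The same rule applies to the URL parameter reflected into the page: output encoding on the server, not trust in what the client sent.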

That is why I have decided that there should be a reporting point for shoddy websites that pose a threat to the integrity and confidentiality of (personal) data. In the coming months I will look into how best to approach this, and whether it is possible at all. Perhaps such a reporting point would have the same legal status as a legal person, in which case the reporting point could be prosecuted too, and I might as well save myself the trouble of setting one up and simply inform a company myself….

Update: A quick Google search already yields roughly 45,000 results, in the Netherlands alone! This does seem to be a problem. That does not yet mean that all the websites found are vulnerable, but it does mean that they are shoddy.

Gemalto optical reader.. What’s new?

Friday, June 26th, 2009

According to their press release, Gemalto launched a new product that can read your TAN code from the website with a small device.
It works like this:

  1. The user goes to the website of his bank;
  2. The user inserts his card into the device;
  3. The user enters his PIN, which is then verified by the device;
  4. The user points the device at his computer screen, and is asked to verify the transaction / login procedure on the device;
  5. When verified, the device responds with an OTP (one-time password);
  6. The user can log in or authorise the transaction with his username and the OTP.
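The security value of steps 4 and 5 is that the OTP is tied to the transaction the user confirms on the device, so an OTP cannot be reused or attached to a different transaction. To make the six steps concrete, here is an added example that models both sides of the exchange; it is not Gemalto's design or code. The HMAC construction, the 8-digit truncation, the card secret shared with the bank, the PIN and the account number are all assumptions chosen for the illustration, and the optical transfer from screen to device is replaced by passing the challenge bytes directly.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demonstration. A real card keeps its secret in
# tamper-resistant hardware; this hex string and PIN are hypothetical and not
# taken from any product.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "1234"
OTP_DIGITS = 8


def compute_otp(challenge: bytes, account: str, amount_cents: int) -> str:
    """HMAC over the bank's challenge and the transaction the user sees, truncated
    to a short decimal code. Both card and bank run this; only the card's secret
    makes it unforgeable. (Assumed construction, not Gemalto's.)"""
    message = b"|".join(
        [challenge, account.encode("ascii"), str(amount_cents).encode("ascii")]
    )
    mac = hmac.new(CARD_SECRET, message, hashlib.sha256).digest()
    return format(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS, "0%dd" % OTP_DIGITS)


def bank_issue_challenge() -> bytes:
    """Step 4, bank side: a fresh random challenge shown on the page (read
    optically by the device) together with the transaction details."""
    return secrets.token_bytes(16)


def device_generate_otp(pin_entered, challenge, account, amount_cents, user_confirmed=True):
    """Steps 3-5, device side: check the PIN offline, display account and amount,
    and produce the OTP only if the user confirms what is shown."""
    if not hmac.compare_digest(pin_entered, CARD_PIN):
        return None  # step 3 fails: no OTP without the right PIN
    if not user_confirmed:
        return None  # step 4: the user did not recognise the transaction
    return compute_otp(challenge, account, amount_cents)


def bank_verify(otp, challenge, account, amount_cents, used_challenges):
    """Step 6, bank side: recompute over the transaction the bank is about to
    execute. A reused challenge, or an amount/account that differs from what the
    device signed, fails verification."""
    if otp is None or challenge in used_challenges:
        return False
    expected = compute_otp(challenge, account, amount_cents)
    if not hmac.compare_digest(expected, otp):
        return False
    used_challenges.add(challenge)  # the challenge is consumed: no replay
    return True


def run_exchange(pin, amount_shown, amount_executed, used_challenges=None):
    """Full exchange: the bank shows amount_shown, the device signs it, and the
    bank verifies against amount_executed (which differs when the request was
    altered between browser and bank). Returns True only when the bank accepts."""
    used = set() if used_challenges is None else used_challenges
    account = "NL00EXAMPLE0000000001"  # constructed placeholder account
    challenge = bank_issue_challenge()
    otp = device_generate_otp(pin, challenge, account, amount_shown)
    return bank_verify(otp, challenge, account, amount_executed, used)


if __name__ == "__main__":
    print("honest transfer accepted:", run_exchange("1234", 10000, 10000))
    print("wrong PIN accepted:      ", run_exchange("0000", 10000, 10000))
    print("altered amount accepted: ", run_exchange("1234", 10000, 999900))
```

Because the amount and account are part of the MAC input, the device's display is the thing the user is really authorising; a compromised browser can change what it sends to the bank, but not what the card signed, and the bank's recomputation then fails. The set of used challenges is what turns the code into a one-time password.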

As a user of online banking, I do not see what is new here. I already have such a device, which does exactly the same thing except for the fact that I do not have to point my device at my screen before logging in!

It wouldn’t work for me either, because my desk is, unfortunately, turned away from the window, so sometimes the sun shines directly on my screen. I am pretty sure I won’t be logging in to my bank with that device until sunset…