Monday, December 29, 2008

Quote of the day

One man gives freely, yet grows all the richer, another withholds what he should give, and only suffers want.

Bible, Proverbs 11:24

New IT Term of the day


TACACS

Short for Terminal Access Controller Access Control System, an authentication protocol that was commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.

TACACS is now somewhat dated and is not used as frequently as it once was. A later version of TACACS was called XTACACS (Extended). These two versions have generally been replaced by TACACS+ and RADIUS in newer or updated networks. TACACS+ is a completely new protocol and is therefore not compatible with TACACS or XTACACS.

TACACS is detailed in RFC 1492.

Top Online Security Threats for 2009

TRENDS : Top Online Security Threats for 2009

by Lidija Davis

December 27, 2008


Twenty years after the release of the Morris Worm, one of the first worms discovered on the Internet, the Web has proven to be the primary place where bad guys lurk, looking for poorly secured websites to plant malicious code. And, they find plenty.

According to the 2009 Security Threat Report from Sophos, one new infected Web page is discovered every 4.5 seconds. With that in mind, we thought we'd take a look at the top security threats you should be looking out for in 2009.

SQL Injection Attacks

The Sophos research showed that over the past year the number of SQL injection attacks against innocent websites increased, a trend Sophos expects will continue next year.

Web insecurity, notably weakness against automated remote attacks such as SQL injections, will continue to be the primary way of distributing web-borne malware.

A recent report from the Internet Crime Complaint Center also points to an increase in SQL injection attacks in 2008, specifically relating to financial services and the online retail industry. Unfortunately, cyber criminals prey on the needs of Web users at any given time, and this time the economic crisis is their meal ticket.

The article is well worth reading if you're interested in how attackers compromise websites by SQL Injection or if you want ideas on how to reduce the likelihood of intruders gaining access to your private data.

Third Party Advertising Agencies and Scareware

In February 2008, Sophos confirmed a 'poisoned Web advertising campaign' on BBC competitor ITV's website that affected both Windows and Mac machines. While we've all seen Scareware, the pop ups designed to scare people into buying anti-virus software, this is the first time it has been seen for the Mac.

According to Sophos, a Flash file was injected into traffic served up by ITV.com via third party advertising agencies. Designed to promote a program called Cleanator (Windows) or MacSweeper (Macs), the programs claimed to detect "compromising files" and encouraged users to purchase a full version of the package.

As websites often use third parties to serve up their advertising, Graham Cluley, senior technology consultant at Sophos, suggests taking care when selecting agencies. "Website owners should ask the third party agencies they use what procedures they have implemented to positively vet the adverts that they deliver for malicious content or unsavory links."

Social Networking Sites

With social networking on the rise, the bad guys have found yet another playground on the Web. The Sophos report reveals 1800 Facebook users had their profiles defaced in August by an attack that installed a Trojan while displaying an animated graphic of a court jester.

Gated sites appeal to the bad guys because they form a "launching pad" for mass distributing malware attacks and spam, like the recent Koobface Trojan which attacked both MySpace and Facebook and transformed victim machines into zombie computers to form botnets.

Twitter too has become a tool for cyber criminals to distribute malware and marketing messages. In many cases, the bad guys steal members' usernames and passwords and bombard the victims' friends with marketing messages or direct them to third party websites. With Twitter especially, it is difficult to discern where links are going due to the 140 character limit and the use of services that shorten URLs.

On the flip side, however, Chris Boyd of FaceTime Security Labs explained at this year's RSA Conference that social networking sites are incredibly useful for security researchers. "The people that create these things have been on social networking sites since the beginning; they need to be on them a lot to understand them intimately enough to exploit them. But many times they leave a trail online that we can use to track them, to find out things like their names, ages and friends."

Apple Macs Becoming "Soft Targets"

While Mac malware is minuscule compared to Windows malware, Sophos recommends Mac users follow safe computing best practices and avoid complacency, even though cyber criminals are more likely to stick to attacking Windows computers in the foreseeable future due to the higher financial incentive.

With so many Windows home users seemingly incapable of properly defending themselves against malware and spyware, it seems sensible to suggest that some of them should consider switching to the Apple Mac platform. This is not because Mac OS X is superior, but simply because there is significantly less malware currently being written for it.

Along with the scareware attack mentioned earlier, there have been other attempts to infect Mac computers in 2008: the OSX/Hovdy-A Trojan, the Troj/RKOSX-A Trojan, and the OSX/Jahlav-A Trojan.

Smartphones: A New Toy for Cyber Criminals

While most malware and spam is produced as a result of financial incentive, with smartphones, Sophos believes malware will more likely be written by those wanting to make headlines. As neither the iPhone nor the G1 has yet been the target of a significant attack, someone will want to be the first and claim the title.

Apple iPhone

According to Sophos, iPhone users are more vulnerable to phishing attacks than their desktop counterparts for three reasons:

· They may be more willing to click on links because entering URLs on a touch screen is more difficult

· The iPhone version of Safari doesn't display URLs embedded in emails before they are clicked on making it more difficult to tell whether a link leads to a phishing site

· The iPhone browser doesn't display full URLs making it easier for the bad guys to trick users

Google Android

Hackers are only just getting a real look at the Android OS, so there is not much to report; however, one security flaw was revealed only days after the G1 went on sale. The flaw, discovered by Charles Miller, a principal security analyst at Independent Security Evaluators, was in the browser partition of the phone. According to the New York Times, the flaw enabled keystroke logging software to be installed, making it an easy trick to steal identity information and passwords.

Additionally, while many are impressed with Google's open attitude to applications, others are concerned about the ease with which malicious software could be distributed, and caution is advised when it comes to downloading third party apps.

Sophos predicts that as more people purchase smartphones, creating threats will become increasingly attractive to cyber criminals: Imagine a generic Mac OS X attack made for the iPhone that could also cripple the Mac computer.

Other Interesting Stats from the Sophos Report

· There were five times as many malicious e-mail attachments at the end of 2008 as at the beginning of 2008

· The United States hosts the most malware on the Web at 37 percent

· Computers in the United States relay the most spam at 17.5 percent

Cyber criminals will always be ahead of security experts simply because most of what the anti-malware providers discover is generally published for the public; the bad guys aren't as open with what they do. But, being aware of trends, keeping security patches up to date, and installing firewalls will do much to thwart the majority of attacks.

2008 was a good year for bad guys

LOOK BACK : 2008 was a good year for bad guys

'Boom year' for hi-tech criminals

By Mark Ward, Technology correspondent,

BBC News



If 2007 was witness to the rise of the professional hi-tech criminal, then 2008 was the year they got down to work.

"The underground economy is flourishing," said Dan Hubbard, chief technology officer at security company Websense.

"They are not just more organised," said Mr Hubbard, "they are co-operating more and showing more business savvy in how they monetise what they do."

Statistics gathered by firms combating the rising tide of computer crime reveal just how busy professional cyber thieves have been over the last twelve months.

Sophos said it was now seeing more than 20,000 new malicious programs every day. 2008 was also the year in which Symantec revealed that its anti-virus software now protected against more than one million viruses.

The vast majority of these malicious programs are aimed at Windows PCs. Viruses made their debut more than 20 years ago but the vast majority of that million plus total have been created in the last two-three years.

Tidal wave

Criminal gangs generate so many viruses for two main reasons. Firstly, many variants of essentially the same malicious program can cause problems for anti-virus software which can only reliably defend against threats it is aware of.

Secondly, in the past security firms have tended to focus on the big outbreaks. By staging a series of small outbreaks the criminals hope to go unnoticed while their family of viruses racks up victims.

Another statistic from Sophos reveals how the tactics of the online criminal groups are changing.

Before 2008 the preferred method of attack was a booby-trapped attachment circulating by e-mail.

Provocative, pornographic and personal subject lines were used to trick people into opening the attachment. Anyone doing so risked having hi-tech criminals hijack their home computer and turn them to their own nefarious ends.

In 2008, said Graham Cluley from Sophos, the main attack vector started to shift. Increasingly, he said, attackers have tried to subvert webpages by injecting malicious code into them that will compromise the computer of anyone that visits.

By the close of 2008, said Mr Cluley, Sophos was discovering a newly infected webpage roughly every 4 seconds.

The type of page being booby-trapped had also changed, he said. Prior to 2008 gambling, pornographic and pirated software sites were much more likely to be unwitting hosts for the malicious code used to hijack visitors' machines.

In 2008 the criminals turned their attention to mainstream sites that had very large audiences and were vulnerable to the code-injection attack.

Bug report

For Mikko Hypponen, chief research officer at F-Secure, 2008 was the year in which some hi-tech criminals got much more sophisticated.

The best example of this, he said, was the virus known as Mebroot.

"We saw it very early in the year and it continues to be a very complicated case," he said.

One of its most remarkable features is its built-in bug reporting system, said Mr Hypponen. When Mebroot is detected or malfunctions revealing its presence it sends off a report to its creators who then turn out a new version with the bug fixed.

"It's amazing that the bad guys were capable of pulling this off," said Mr Hypponen.

Dan Hubbard from Websense said 2008 was also notable for some hi-tech criminals turning away from viruses completely and embracing another way to make money.

Many, he said, were turning out bogus security programs that look legitimate but do not work. Once installed they purport to carry out a detailed scan of a machine and always turn up many instances of spyware and other malicious programs.

Cleaning up a machine using one of the bogus security programs always involves a fee, said Mr Hubbard.

"They are testing legal boundaries that are a grey area right now," said Mr Hubbard.

In mid-December 2008 the US Federal Trade Commission won a restraining order to shut down several firms that ran so-called "scareware" scams.

Research by Israeli security company Finjan suggests that up to five million people around the world have fallen victim to such scams.

A US court granted the FTC an injunction which stopped those behind the scareware products from advertising them and from making false claims about their efficacy, and froze assets in the hope that duped customers could be refunded.

2008 also saw other big successes against criminals. In mid-November spam volumes around the world plummeted briefly following the closure of US network firm McColo.

Despite this, said Mr Hypponen, 2008 was a good year for the bad guys. The successes, he said, came due to action by ISPs, other net bodies and the media rather than from the action of law enforcement agencies.

This was mainly due, he said, to the trans-national nature of hi-tech crime that made it very difficult to quickly carry out an investigation and make arrests.

"The vast majority of these cases do not seem to go anywhere," he said.

Paki Cyber criminal economy set to expand in 2009

PAKISTAN : Paki Cyber criminal economy set to expand in 2009

Pakistan Times

Dec 27, 2008


Islamabad: The Pakistan Economy Watch said on Saturday that global financial turmoil has boosted the Internet underworld and unleashed a new wave of crimes that is engulfing the globe. The development is raising the cost of doing business everywhere and creating new challenges for already dull economies.

New task force, increased budget, awareness campaign must to combat threat

The Government of Pakistan should immediately form a high-powered task force, upgrade the existing setup and launch an awareness campaign about the expanding online criminal market set to hurt limping businesses, said Dr. Murtaza Mughal, President, Pakistan Economy Watch. “Private sector should also come forward and cooperate as it will be the major loser by the end of the day,” he said.

2009 will see a record increase in identity thefts, credit and debit card frauds, network breaches, phishing, unauthorised telecom interceptions and database accesses, damaging, deletion, deterioration, alteration and suppression of critical information, misuse of devices, forgery, spam, adware, malware, Trojans, worms, viruses, frauds, threats, and online attacks, he warned.

Tens of thousands of computer engineers, experts, friendly hackers, technicians, and scientists have lost jobs in developed world due to the global crunch. Some are getting allowances that are not enough while others are left high and dry.

With such a high skill level, backed by company’s information, the recently fired experts have become the darlings of cyber criminals. The Internet mafia has hired many while others are operating in small groups. Some are working individually, said Dr. Murtaza Mughal, adding that they pose a serious threat due to their potential to shake the whole world.

Growing e-crime wave sweeping across Pakistan

Supported by the abilities of disgruntled IT employees, the underworld is now bolder and more sophisticated; they will operate from the west but prefer to hit the east, where the level of IT knowledge is alluring for them. The companies and websites offering stolen financial data have hiked prices manifold due to increased demand by unemployed IT experts. The majority of such outfits are based in Russia and former Eastern Europe. Some are also operating from India.

Not a single country is fully prepared to face the menace. There will be no institution immune to online attacks during 2009. Apart from unsuspecting masses, finance, banking and credit card providers will suffer the most while the situation will prove a blessing for companies providing IT security.

Pakistan Economy Watch asked masses to avoid keeping sensitive information, bank records, financial transactions’ detail, agreements and passwords in computers. Online transactions and loading information on websites has become a risky business as around 1500 fraudulent sites are uploaded daily. Credit and debit cards should be used with extra caution.

There is growing evidence that some of the staff operating legitimate financial websites have compromised confidential information for petty gains. Bank data breaches have become routine. Hundreds of such stories are circulating in the markets and offices of Islamabad. Other cities are no exception. “Majority of PCs and notebooks in Pakistan are infected with hidden programmes that record and transmit your every keystroke, don’t become a victim,” warned Dr. Mughal.

(The above is a grim situation. Further, economic bankruptcy of Pakistan, ineffectiveness of elected government and Terror factories on its soil, make it more gloomy - Editor).

Wi-Fi Security eBook became a big hit

HIT : Wi-Fi Security eBook became a big hit


28 December 2008

“The eBook – Securing Wi-Fi Network – 10 Steps to DIY Security has become a big hit. As per our calculations, about 4 million copies are distributed and downloaded”, said Ankur Goyal, co-author of the eBook, which he authored along with Rakesh Goyal.

The eBook is available free and can be downloaded from various sites including www.sysman.in.

“We have taken a different model to distribute the eBook. We contacted various egroups on Internet and requested them to distribute the eBook in their groups. Since, most of their members use Wi-Fi network to connect to Internet, most of these group owners distributed the eBook in their groups for the benefit of their members. We thank these group owners to consider the interest of their group members” said Ankur Goyal in an interview.

It was observed by the traffic on the site that about 1.2 million eBooks were downloaded from www.sysman.in site.

The eBook was released on 10 December 2008 and reaching 4 million readers in just 2 weeks is remarkable and only possible with the power of the internet. In the physical world, this was just not possible. We are still working to reach out to more and more people all over the world in their own interest, so that they can secure their Wi-Fi network themselves by DIY.

The eBook has been published with backing and encouragement from Information Security Education and Awareness Project (ISEAP) of Ministry of Information Technology, Government of India; CERT-In, Ministry of Information Technology, Government of India; Data Security Council of India (DSCI) of NASSCOM and Mumbai Police Cyber Crime Investigation Cell.

Friday, December 26, 2008

Quote of the day

Silence is one of the hardest arguments to refute.

New IT Term of the day


SURBL

Short for Spam URI Real-time Block Lists, it is used to detect spam based on message body URIs (usually Web sites). SURBLs are not used to block spam senders. Instead, they let you block messages whose bodies mention spam hosts. To use a SURBL you need software that can parse URIs in message bodies, extract their hosts, and check those hosts against a SURBL list.
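The three steps named above (parse URIs in the body, extract their hosts, check them against the list), as an added Python example that is not part of the original post. The zone name `surbl.example`, the small suffix table, the sample message and the `listed` callable (a stand-in for the DNS lookup a real filter would make) are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for a public-suffix list. A real filter needs the full
# list to know where the registered domain starts (e.g. under "co.uk").
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.in"}

# Step 1: find http/https URIs in the message body.
URI_RE = re.compile(r'https?://[^\s<>"\')\]]+', re.IGNORECASE)


def extract_hosts(body):
    """Return the distinct hosts of all URIs in the body, in order of appearance."""
    hosts = []
    for uri in URI_RE.findall(body):
        uri = uri.rstrip(".,;:!?")          # drop sentence punctuation
        try:
            host = urlsplit(uri).hostname   # lowercases, strips port and userinfo
        except ValueError:                  # malformed URI such as "http://["
            continue
        if host:
            host = host.rstrip(".")
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def query_label(host):
    """Step 2: reduce a host to the label that is looked up in the list.

    Host names are cut down to their registered domain so that a spammer
    cannot dodge the list with random subdomains. IPv4 literals are queried
    with their octets reversed, as DNS-based lists conventionally do.
    """
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(str(ip).split(".")))
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_message(body, listed, zone="surbl.example"):
    """Step 3: look every host up in the list; return {host: matched query name}.

    `listed` takes a DNS name and returns True if it is on the list. In a
    deployment it would issue an A-record query: a listed name resolves,
    an unlisted one comes back as nonexistent.
    """
    hits = {}
    for host in extract_hosts(body):
        name = f"{query_label(host)}.{zone}"
        if listed(name):
            hits[host] = name
    return hits


# Constructed sample message and constructed list contents.
SAMPLE_BODY = (
    "Cheap pills: http://WWW.Spamshop.example/buy?id=7 today!\n"
    "Mirror at http://img.offers.example.co.uk:8080/a.gif and "
    "http://198.51.100.23/u.php,\n"
    "news https://news.example.org/story."
)
SAMPLE_ZONE = {"spamshop.example.surbl.example", "23.100.51.198.surbl.example"}


def sample_lookup(name):
    """Offline replacement for the DNS query, backed by SAMPLE_ZONE."""
    return name in SAMPLE_ZONE


if __name__ == "__main__":
    for host, name in check_message(SAMPLE_BODY, sample_lookup).items():
        print(f"listed: {host} (matched {name})")
```

The sender of the message plays no part in the decision; only the hosts advertised in the body are checked.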

Kiwis nail a Mr Big of the spam world

INDICTED : Kiwis nail a Mr Big of the spam world


December 22, 2008


A New Zealand man living in Australia has agreed to pay fines totalling $92,715 after admitting his role in an international spam email operation said to be responsible for sending out billions of unsolicited emails in recent years.

Lance Atkinson, 26, of Pelican Waters in Queensland, is also facing charges in the US where a court has frozen his assets at the request of the US Federal Trade Commission (FTC), which also succeeded in having the spam network shut down.

New Zealand's Internal Affairs' Anti-Spam Compliance Unit found Lance Atkinson's operation responsible for more than 2 million unsolicited electronic messages that were sent to New Zealand computers between 5 September 2007 and 31 December 2007.

These emails marketed Herbal King, Elite Herbal and Express Herbal branded pharmaceutical products, manufactured and shipped by Tulip Lab of India.

The Department of Internal Affairs said in a statement released today that Atkinson had sought settlement of the New Zealand charges soon after the announced court proceedings against him in October.

Two other defendants, his brother Shane Atkinson, and Roland Smits, of Christchurch, are contesting the claim and have filed statements of defence.

In handing down her decision in a judgment on Friday, Justice Christine French of the High Court in Christchurch said that the spamming operation was said to be one of the largest in the history of the internet and its impact on New Zealand was therefore proportionately large.

The judge gave Lance Atkinson a substantial discount on the originally prescribed fine because of his co-operation and candour with authorities at an early stage.

Atkinson's Australian-registered company, Inet Ventures, is one of four companies targeted by the FTC over the operation, which encouraged people to click through to websites that allegedly used false claims to peddle prescription drugs, as well as "male enhancement" and weight-loss pills.

The only other defendant named by the FTC is Jody Smith of Texas.

The FTC said Atkinson and Smith allegedly controlled a "botnet" of 35,000 computers, capable of sending 10 billion email messages a day.

The non-profit antispam research group SpamHaus said the network - which has ties to Australia, New Zealand, India, China and the United States - was the largest spam operation in the world and at one point was responsible for one-third of all spam.

Atkinson and another business partner were previously fined $US2.2 million by the FTC in 2005 for running a similar spam network that marketed herbal products.

The FTC received more than 3 million complaints about the spam and related websites, illustrating the scale of the operation, officials said.

China considers tough penalties on hackers

CHINA : China considers tough penalties on hackers




BEIJING, Dec. 22 (Xinhua) -- Computer hackers could meet tough penalties under a draft amendment of the criminal law being debated by China's top legislature.

The draft amendment under review by the Standing Committee of the National People's Congress (NPC) would impose steep fines and prison sentences of three-to-seven years, depending on the severity of the offense.

The existing criminal law only imposes penalties on hackers who break into government, military and scientific research institutes' computer systems.

"The articles in the draft amendment filled in the blank of the existing law by expanding the definition of the offended," said Prof. Yu Gang, with the College of Criminal Justice under China University of Political Science and Law.

Under the current criminal law, most hackers would not be charged for breaking into a bank or business's computer system, he said.

He Changchun, 71, who runs a digital photo printing service in northeastern Liaoning Province, was hacked by a rival two years ago. Thousands of photos his clients sent to him disappeared.

His rival, who goes by the name Shang, stole the password to online chatting software used by He and his employees to contact clients and receive their photos. These photos were kept in a rented FTP server.

Shang was able to use the password to destroy photos on the server.

In December this year, a court convicted Shang for "malfeasance competition" instead of hacking.

This kind of sabotage becomes more common as China's Internet users continue to grow in number. China recorded the world's most users at 290 million in November.

The notorious computer virus "Xiongmao Shaoxiang", or "Panda burning joss stick," infected millions of computers from November 2006 to March 2007.

The virus, with a signature flash image of a panda holding three joss sticks, not only crippled computers, but also stole the account names and passwords of online game players and popular chat sites.

People generally think of hackers as computer geniuses, but 90 percent of them are not, Yu said.

"There are many ready-made hacker tools that make hacking quite easy," he said. "A business of training hackers, making computer viruses, selling them and stealing information, is emerging."

The draft amendment also expands prosecution to those who develop and distribute hacking software. They would face similar penalties as hackers.

The draft did not touch cross-border hacking -- a topic that roused hot discussion among the public.

"The criminal law has clear regulations. Either a crime or the result of a crime happens in China, the case is under our jurisdiction," Yu said.

And, if the suspect is a Chinese citizen, he or she will not be delivered to foreign countries for trial, Yu said.

90% of worldwide e-mail is spam - Cisco

REPORT : 90% of worldwide e-mail is spam - Cisco

December 24, 2008


As cyber crime groups seeking profit through the Internet improve their skills at stealing data from businesses, employees and consumers, their online attacks are getting more sophisticated and harder to counter, as noted in the 2008 edition of the Cisco Annual Security Report released this week. In its annual edition Cisco points out the top security threats of the year and provides recommendations on how to protect networks against attacks.

This year the overall number of disclosed vulnerabilities grew 11.5% above 2007. Cisco notes that vulnerabilities in virtualization technology nearly tripled from 35 to 103 on a year-over-year basis. Attacks are becoming increasingly blended, cross-vector and targeted. Threats coming from legitimate domains rose 90%, which is nearly double what was observed a year ago. Meanwhile, malware infiltrated via e-mail attachments is decreasing in number. Over the last two years the number of attachment-based attacks dropped 50% as compared with the previous two years of 2005 and 2006.

Cisco warned against some specific threats that flooded the web space, reporting that the number of spam messages sent daily amounts to 200 billion, constituting 90% of worldwide e-mail. While targeted spear-phishing represents about 1 percent of all phishing attacks, it is expected to become more prevalent as criminals personalize spam and make messages appear more credible. A growing danger is also posed by botnets, which are heavily deployed today by cyber criminals. Multiple legitimate web sites were infected this year with IFrames, malicious code injected by botnets that redirect visitors to malware-downloading sites. The use of social engineering to entice victims to open a file or click links continues to grow. More online criminals are using real e-mail accounts with large, legitimate Web mail providers to send spam.

Hackers deface Eastern Rail website

HACKED : Hackers deface Eastern Rail website

Express News Service

Dec 25, 2008


Kolkata: Amid growing tension between India and Pakistan, the official website of the Eastern Railway (ER) was hacked and messages were posted claiming that it was done to avenge India’s alleged violation of the Pakistani air space.

On Wednesday morning, the official site of ER — www.easternrailway.gov.in — was found corrupted with a large number of messages put up by the hackers in its scroll section. The scroll which normally consists of official announcements was flooded with notes like “Cyber war has been declared on Indian cyberspace by Whackerz-Pakistan” followed by “Indians hit hard by Zaid Hamid” and “You are hacked.”

Clicking the messages in the scroll opened a new window which claimed that “Mianwalian of Whackerz” have hacked the site in response to the Pakistan air space violation.

When contacted, ER officials seemed to be unaware of the entire incident and the site was not blocked till 11.40 am.

The website, however, started to function normally after 12 noon. “This is a case of SQL injection. An investigation has been ordered and a report will be submitted within 24 hours. Technically, this cannot be called hacking as our database or confidential information could not be accessed. We have, however, taken all necessary precautions,” said Samir Goswami, CPRO, ER.

The Railway officials primarily traced the root of the injections to Toronto. One official of the ER said that the websites have a cyber security certificate from US-based Thawte.

“We have informed the service provider and will likely get responses from them after 24 hours,” said the spokesperson of ER.

Wednesday, December 24, 2008

Quote of the day

The dream is not what you see in sleep......dream is which does not let you sleep.

Dr. APJ Abdul Kalam

New IT Term of the day

strong password

A password that is difficult to detect by both humans and computer programs, effectively protecting data from unauthorized access. A strong password consists of at least eight characters (and the more characters, the stronger the password) that are a combination of letters, numbers and symbols (@, #, $, %, etc.) if allowed. Passwords are typically case-sensitive, so a strong password contains letters in both uppercase and lowercase. Strong passwords also do not contain words that can be found in a dictionary or parts of the user’s own name.

Software executive sentenced for hacking

JAILED : Software executive sentenced for hacking

By Robert McMillan

IDG News Service

December 23, 2008


The president of a U.S. software company has been sentenced to probation after pleading guilty to stealing password-protected files from a competitor.

Jay E. Leonard, 61, was sentenced to 12 months supervised probation and a US$2,500 fine after pleading guilty to one count of unauthorized access to a protected computer, a misdemeanor charge.

Leonard is the owner of Boulder, Colorado's Platte River Associates, a company that builds software used in petroleum exploration. He illegally accessed a password-protected area of the Web site belonging to his company's competitor Zetaware, according to a plea agreement filed in the U.S. District Court for the District of Colorado.

One week later, he chaired a company staff meeting in which "a tentative plan was discussed to exploit and to unlawfully utilize the downloaded Zetaware files for the economic gain of Platte River Associates," the plea agreement states.

Zetaware CEO Zhiyong He was tipped off to the intrusion by a confidential source, which he then reported to the U.S. Federal Bureau of Investigation (FBI), court filings state. In an interview Monday, he said he is not sure how Leonard was able to access his Web site, but that he believes that he may have been given a password.

He said that one of Leonard's employees may have turned his boss in. He knew Leonard professionally and was "very surprised" by the incident, he said.

Leonard accessed the Zetaware site from a Sprint wireless network at Houston's George Bush Intercontinental Airport, located near Zetaware's headquarters, the plea agreement states.

In a separate case, Platte River Associates is also facing charges of "trading with the enemy," for allegedly allowing its software to be used to evaluate oil and gas development opportunities off the shore of Cuba, which is under a U.S. trade embargo. "The company has expressed an interest in pleading guilty," in that case, although no plea has been accepted by the judge, according to Jeffrey Dorschner, a spokesman for the United States Attorney's office prosecuting the two cases.

Leonard and his attorney did not return calls seeking comment for this story.

Hacker Sticks Company With $43,000 Phone Bill

UNSAFE : Hacker Sticks Company With $43,000 Phone Bill


December 23, 2008


It's a long way from Manitoba to Bulgaria — and phone calls from one to the other can get really expensive.

That's what one hapless Canadian small-business owner discovered after a hacker broke into his company's voice-mail system and placed hundreds of calls to the Balkan nation, landing him with a $43,000 phone bill.

"If I have to pay that whole bill out of my own pocket, I'm looking at having to lay off one of my employees," Alan Davison, owner of HUB Computer Solutions in Winnipeg, told the Winnipeg Free Press. "It's quite obvious something was right out of whack. There were hundreds of phone calls."

HUB offers its business clients "best-of-breed security products and solutions," among many other networking and hardware-related services, yet all that stood between a hacker and the company's voice-mail system was a four-digit password.

"Some of these people are very, very knowledgeable in the area and over time they are pretty good at running different passwords," a local security expert tells the Free Press.

Once in, the hacker needed only to use the outbound-transfer feature to place calls overseas.

Davison wants a break on the bill from Manitoba Telecom Services, but the phone company says that since HUB owned all its internal phone-networking gear, the small business may be liable for the whole thing.

"I'm not going to dispute this person didn't make these calls, but speaking generally, we're just not in a position to monitor everyone's minute-to-minute billing," said MTS spokesman Greg Burch.

NSA patents a way to spot network snoops

TECH-TRENDS : NSA patents a way to spot network snoops

by Robert McMillan


December 21, 2008


The U.S. National Security Agency has patented a technique for figuring out whether someone is tampering with network communication.

The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing.

Other researchers have looked into this problem in the past and proposed a technique called distance bounding, but the NSA patent takes a different tack, comparing different types of data travelling across the network. "The neat thing about this particular patent is that they look at the differences between the network layers," said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington.

The technique could be used for purposes such as detecting a fake phishing Web site that was intercepting data between users and their legitimate banking sites, he said. "This whole problem space has a lot of potential, [although] I don't know if this is going to be the final solution that people end up using."

IOActive security researcher Dan Kaminsky was less impressed. "Think of it as -- 'if your network gets a little slower, maybe a bad guy has physically inserted a device that is intercepting and retransmitting packets,' " he said via e-mail. "Sure, that's possible. Or perhaps you're routing through a slower path for one of a billion reasons."

Some might think of the secretive NSA, which collects and analyzes foreign communications, as an unlikely source for such research, but the agency also helps the federal government protect its own communications.

The NSA did not answer questions concerning the patent, except to say, via e-mail, that it does make some of its technology available through its Domestic Technology Transfer Program.

The patent, granted Tuesday, was filed with the U.S. Patent and Trademark Office in 2005. It was first reported Thursday on the Cryptome Web site.
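A simplified sketch of the idea as the article describes it, added here and not taken from the patent or from the NSA: time two kinds of traffic to the same host and watch the difference between them rather than raw slowness. The choice of layers (a transport handshake and an application request), the median/MAD threshold and all sample values are assumptions constructed for illustration.

```python
from statistics import median

# Constructed baseline: (transport_rtt_ms, application_rtt_ms) per probe,
# e.g. a TCP handshake and a small application request to the same host.
BASELINE = [(20.0, 32.0), (21.0, 33.5), (19.5, 31.0), (20.5, 32.5),
            (22.0, 34.0), (20.0, 31.5), (21.5, 33.0), (19.0, 31.5)]


def center_and_tolerance(values, k=5.0):
    """Median and k * median-absolute-deviation, a robust 'normal' band."""
    values = list(values)
    mid = median(values)
    mad = median(abs(v - mid) for v in values) or 1e-9
    return mid, k * mad


def build_baseline(samples):
    """Learn the normal transport RTT and the normal gap between layers."""
    transport, transport_tol = center_and_tolerance(t for t, _ in samples)
    gap, gap_tol = center_and_tolerance(a - t for t, a in samples)
    return {"transport": transport, "transport_tol": transport_tol,
            "gap": gap, "gap_tol": gap_tol}


def classify(baseline, sample):
    """Label one probe.

    Assumption: a slower route delays both layers alike, so the gap holds,
    while a device that terminates and re-sends application traffic delays
    the application layer more than the transport layer.
    """
    transport_rtt, app_rtt = sample
    gap_off = abs((app_rtt - transport_rtt) - baseline["gap"]) > baseline["gap_tol"]
    path_off = abs(transport_rtt - baseline["transport"]) > baseline["transport_tol"]
    if gap_off:
        return "layer-gap anomaly"      # worth investigating
    if path_off:
        return "path latency changed"   # Kaminsky's benign "slower path" case
    return "normal"


if __name__ == "__main__":
    model = build_baseline(BASELINE)
    for label, probe in [("usual", (20.5, 32.0)),
                         ("rerouted", (45.0, 57.5)),
                         ("relayed", (21.0, 48.0))]:
        print(label, probe, "->", classify(model, probe))
```

An absolute "too slow" threshold would flag the rerouted probe as well, which is the objection Kaminsky raises in the article.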

World Bank Debarred Satyam for 8 Years

PUNISHMENT : World Bank Debarred Satyam for 8 Years

Tuesday, December 23, 2008

By Richard Behar


For months, the World Bank has been stonewalling and denying a series of FOX News reports on a variety of in-house scandals, ranging from the hacking of its most sensitive financial data to its own sanctions against suppliers found guilty of wrongdoing.

But last week the world's most important anti-poverty organization suddenly came clean — sort of — in its tough sanctions against a vitally important computer software service supplier that has been linked not only to financial wrongdoing but also to the ultrasensitive data heists.

A top bank official, FOX News has learned, has admitted that a leading India-based information technology vendor named Satyam Computer Services was barred last February from all business at the bank for a period of eight years — and that the ban started in September.

The admission confirms what FOX News reported from its own bank sources on October 10 — a report the World Bank officially disparaged at the time.

The World Bank's revelation of the ban on Satyam comes at a watershed moment for the $2 billion (sales) outsourcing giant, which boasts more than 100 Fortune 500 companies as clients and which trades on the New York Stock Exchange. Last week, India's securities commission announced that it would investigate Satyam.

The move came after the company's founder-chairman suddenly announced the company would spend $1.6 billion to buy two distressed real estate and infrastructure companies that are run and partially owned by his two sons. After Satyam's stock dropped 55 percent in value, the company reversed course.

The World Bank debarment — the harshest sanction the world's largest anti-poverty agency has imposed on any company since 2004 — was meted out for "improper benefits to bank staff" and "lack of documentation on invoices," according to Robert Van Pulley, the top World Bank information security official.

True to its secretive ways, the bank did not make the admission in public. Instead, Van Pulley made the comments in a meeting and two telephone conversations with officials of the Government Accountability Project (GAP), a 30-year-old whistle-blowing organization based in Washington.

One of the phone conversations was recorded, and FOX News was allowed to listen to the tape after the World Bank backed away from its initial insistence that the conversation remain unreported.

Even so, when asked to comment on the recorded conversation, Van Pulley did not return telephone calls from FOX News. But in a conversation last Thursday with GAP, he conceded the Satyam case had been turned over to the Justice Department in 2006 — as FOX previously reported — as well as to the U.S. Treasury Dept.

It is not known if a case against Satyam or World Bank officials is being pursued by either government agency.

Van Pulley was recently named acting head of information security of the World Bank Group, as part of a management shakeup in the wake of a FOX News series about cyber breaches, corruption and cover-ups at the bank. He is also in charge of the bank's procurement department, where he oversaw the Satyam contract.

From 2003 through 2008, as FOX News reported, the World Bank paid Satyam hundreds of millions of dollars to write and maintain all the software used by the bank throughout its global information network, including its back-office operations. That involved overseeing data that ranges from accounting and personnel records to trust funds administered for many of the world's richest nations.

But at the same time, Satyam was straying badly across the bank's ethical warning lines. In 2005, the bank's chief information officer, Mohamed Muhsin, was ousted after being accused of improperly buying preferential stock options from Satyam, even as he awarded the firm major contracts. A top-secret investigation led to Muhsin being banned permanently from the bank in January 2007. But for reasons that remain unclear, Satyam was allowed to remain in control of the bank's information network until early October 2008.

Van Pulley initially agreed to talk with GAP only off the record after the organization raised questions based on the FOX News reports with World Bank president Robert Zoellick. But GAP international program director Beatrice Edwards, a participant in the talks, objected.

"In this investment climate, there is really very little tolerance for maintaining secrecy about malfeasance at high levels of publicly traded companies," she warned Van Pulley. "And if your own vendors are engaged in bribery of high-level bank officials, and that is secret and off-the-record, that is a problem."

Van Pulley then reversed himself and allowed GAP to make his remarks public — but still refused to provide a written version of his admission. At press time, however, an anonymous World Bank spokesman conceded to FOX News that Satyam was "suspended" in February, declared a "non-responsive vendor" and then "made ineligible to be a bank corporate vendor" until the year 2016.

To date, the World Bank boasts it has banned 343 individuals and companies from doing business with the bank — in many cases permanently. A list of the debarred firms is on the bank's website, but Satyam's name is not included.

In October, Satyam declined to speak with FOX News about anything related to the World Bank, including any ban. But during a press conference several days after the article was published, a Satyam board director and senior executive, Ram Mynampati, denied the company had been banned from future work.

Securities lawyers contacted by FOX News say the debarment by the World Bank — one of Satyam's largest and most important customers — should have been announced by the company to its shareholders immediately and also filed with the U.S. Securities and Exchange Commission.

The World Bank's denials and quiet admissions about its troubled relations with Satyam also refocus attention on an earlier set of bank denials, after FOX News in October reported that the Satyam-supervised computer network of the World Bank Group had been hacked repeatedly by outsiders for more than a year.

According to FOX News sources, one of the worst breaches apparently occurred last April in the network of the bank's super-sensitive treasury unit, which manages $70 billion in assets for 25 clients — including the central banks of some countries.

Sources told FOX News that bank investigators had discovered that spy software had been covertly installed on workstations inside the bank's Washington headquarters — allegedly by one or more contractors from Satyam. "I want them off the premises now," Zoellick reportedly told his deputies. But at the urging of the bank's then-chief information officer, Satyam employees remained at the bank through early October while it engaged in a "knowledge transfer" with two new contractors.

The bank has vociferously denied that any breaches of its treasury unit took place. And, in his discussion with GAP's officials Thursday, Van Pulley denied that Satyam was behind any of the bank's security breaches. Asked by GAP's Edwards who is responsible for the breaches, Van Pulley stated, "I'm not in a position to tell you," adding that "we're confident" it wasn't Satyam.


10 Basic Tips For the Internet Explorer (IE)

To use Internet Explorer (IE) effectively, here are some basic tips to try.

1. To enlarge the IE window area, press the F11 key. Press it again to return IE to the normal window.

2. To search for a keyword in a long web page you are viewing, press Ctrl+F and type the keyword.

3. Use the Backspace key on your keyboard instead of clicking Back in the IE window.

4. You can close the IE window you are viewing with Ctrl+W.

5. To see your browsing history, press the F4 key to see the URLs you have typed.

6. Press Ctrl+D to save the URL of the page you are viewing. The URL will be added to Favorites.

7. To send a web page to a friend, you can e-mail it from IE's menus: go to File > Send > Page by E-mail...

8. To scroll the web page using the keyboard, use the arrow keys. To jump to the bottom or the top of the web page, use the End and Home keys.

9. If you find a picture that you would like as your desktop wallpaper, you can set it immediately: right-click the picture and select Set as wallpaper.

10. To scroll the web page gradually, use the Page Up, Page Down and Spacebar keys.

Monday, December 22, 2008

Quote of the day

Something which we think is impossible now will not be impossible in another decade.

New IT Term of the day


The art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks ) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.

Steganography sometimes is used when encryption is not permitted. Or, more commonly, steganography is used to supplement encryption. An encrypted file may still hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen.

Special software is needed for steganography, and there are freeware versions available at any good download site.

Steganography (literally meaning covered writing) dates back to ancient Greece, where common practices consisted of etching messages in wooden tablets and covering them with wax, and tattooing a shaved messenger's head, letting his hair grow back, then shaving it again when he arrived at his contact point.
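The bit replacement described in the definition above, as an added example that is not part of the original entry: the least-significant bit of each cover byte is overwritten with one message bit. The cover bytes, the message and the 16-bit length prefix are constructed for illustration; real tools differ in format.

```python
def embed(cover: bytes, message: bytes) -> bytes:
    """Hide message in the lowest bit of each cover byte.

    A 16-bit big-endian length prefix (an assumption of this example)
    tells the reader how many bytes to recover.
    """
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for this message")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # replace only the lowest bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Recover the hidden message written by embed()."""
    def read(start: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def lsb_differences(cover: bytes, stego: bytes):
    """Return (number of changed bytes, largest change in any byte value)."""
    deltas = [abs(c - s) for c, s in zip(cover, stego)]
    return sum(1 for d in deltas if d), max(deltas, default=0)


# Constructed cover data standing in for 256 pixel or audio sample values.
COVER = bytes((i * 37 + 11) % 256 for i in range(256))
MESSAGE = b"hidden text"

if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    changed, largest = lsb_differences(COVER, stego)
    print("recovered:", extract(stego))
    print("bytes changed:", changed, "largest change:", largest)
```

No byte value moves by more than 1, which is why the carrier looks unchanged to a viewer, while a byte-for-byte or hash comparison against a known original still shows the difference.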

American Express bitten by XSS bugs (again)

RISK : American Express bitten by XSS bugs (again)

Card accounts still naked

By Dan Goodin in San Francisco

20th December 2008


The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials.

The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security researcher first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.

It turns out that's not the case. The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com users' authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.

"They did not address the problem," said Joshua D. Abraham, a web-security consultant for Boston-based Rapid7. "They addressed an instance of the problem. You want to look at the whole application and say where could similar issues exist?"

At least two separate sources appeared to discover the XSS hole remained open. Researcher Kristian Erik Hermansen brought it to our attention, and crafted this proof of concept that shows how a rogue website could exploit the bug to siphon a person's americanexpress.com cookie, which helps authenticate users after they enter their user ID and password. A few hours later, Moscow-based SecurityLab.ru put out this advisory.

The botched fix appears to be the result of web developers who fixed the problem for HTTP requests that use the GET method but not for those that use the separate POST method.
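The difference between fixing one instance and fixing the root cause, as an added example that is not Amex's code: the first handler encodes the value only on the GET path, the second encodes at the point of output, and a small check walks every input route with a harmless marker. The parameter name `q`, the form field and the handler names are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed, harmless marker: it breaks out of an attribute only if the
# page reflects it without encoding.
PROBE = '"><i id=probe>'


def page_instance_fix(method, query="", body=""):
    """Mirrors the botched fix: encoding was added on the GET path only."""
    if method == "GET":
        term = html.escape(parse_qs(query).get("q", [""])[0], quote=True)
    else:
        # POST reaches the same output, but the fix was never applied here.
        term = parse_qs(body).get("q", [""])[0]
    return f'<input name="q" value="{term}">'


def page_root_cause_fix(method, query="", body=""):
    """Encode where the value is written out, whatever route it came by."""
    source = query if method == "GET" else body
    term = parse_qs(source).get("q", [""])[0]
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def unescaped_routes(handler):
    """Return the request methods for which the marker comes back verbatim."""
    encoded = urlencode({"q": PROBE})
    reflected = []
    for method in ("GET", "POST"):
        if method == "GET":
            page = handler(method, query=encoded)
        else:
            page = handler(method, body=encoded)
        if PROBE in page:
            reflected.append(method)
    return reflected


if __name__ == "__main__":
    print("instance fix   :", unescaped_routes(page_instance_fix))
    print("root-cause fix :", unescaped_routes(page_root_cause_fix))
```

A regression check like `unescaped_routes` is most useful when it covers every method and parameter the application accepts, not only the one named in the original report.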

This bug was first publicly disclosed in April 2007

It came as a separate XSS error on americanexpress.com was brought to our attention. The weakness was publicly disclosed on a security website forum in April 2007, raising questions about the diligence of Amex security employees in sniffing out and fixing vulnerabilities that could be used to defraud the company's customers.

A company spokeswoman said security is a top concern at Amex and said company employees would investigate the two reported vulnerabilities.

We have no reason to doubt the sincerity of her claim that security is important at Amex, but we still can't understand why the company makes it so hard for researchers to report these kinds of vulnerabilities. XSS errors typically can be fixed in a matter of minutes. Just think how much better protected customers would be if the company had an email address or section on its website dedicated to vulnerability reports.

U.S. not ready for cyber attack, war game shows

UNSAFE : U.S. not ready for cyber attack, war game shows

Dec 19 2008

Reuters / Yahoo


The United States is unprepared for a major hostile attack against vital computer networks, government and industry officials said on Thursday after participating in a two-day "cyberwar" simulation.

The game involved 230 representatives of government defense and security agencies, private companies and civil groups. It revealed flaws in leadership, planning, communications and other issues, participants said.

The exercise comes almost a year after President George W. Bush launched a cybersecurity initiative which officials said has helped shore up U.S. computer defenses but still falls short.

"There isn't a response or a game plan," said senior vice president Mark Gerencser of the Booz Allen Hamilton consulting service, which ran the simulation. "There isn't really anybody in charge," he told reporters afterward.

Democratic U.S. Rep. James Langevin of Rhode Island, who chairs the homeland security subcommittee on cybersecurity, said: "We're way behind where we need to be now."

Dire consequences of a successful attack could include failure of banking or national electrical systems, he said.

"This is equivalent in my mind to before Sept. 11 ... we were awakened to the threat on the morning after Sept. 11."

Officials cited attacks by Russia sympathizers on Estonia and Georgia as examples of modern cyberwarfare, and said U.S. businesses and government offices have faced intrusions and attacks.

Billions of dollars must be spent by both government and industry to improve security, said U.S. Rep. Dutch Ruppersberger of Maryland, the Democratic chairman of the intelligence subcommittee on technical intelligence.

The war game simulated a dramatic surge in computer attacks at a time of economic vulnerability, and required participants to find ways to mitigate the attacks -- using real-life knowledge of tactics and procedures where they work.

It was the broadest such exercise in terms of representation across government agencies and industrial sectors, officials said.

Homeland Security Secretary Michael Chertoff, addressing the participants at the end of the exercise, predicted cyberattacks will become a routine warfare tactic to degrade command systems before a traditional attack. That is in addition to threats posed by criminal or terrorist attackers.

International law and military doctrines need to be updated to deal with computer attacks, Chertoff said.

"We know that if someone shoots missiles at us, they're going to get a certain kind of response. What happens if it comes over the Internet?" he said.

Chertoff and Gerencser expressed caution over suggestions earlier this month calling for the appointment of a White House "cybersecurity czar" to oversee efforts. But Ruppersberger disagreed. One person was needed to take charge of efforts and to secure the president's ear, he said.

Ruppersberger said people close to president-elect Barack Obama's transition team have convinced him that Obama understands the importance of bolstering cybersecurity.

Ohio prof develops CCTV people-tracker ware

TREND : Ohio prof develops CCTV people-tracker ware

By Lewis Page

19th December 2008


Boffins in Ohio have taken another step towards the global surveillance panopticon of the future, developing software which can autonomously track an individual through a city using CCTV cameras.

James W Davis, associate prof at the Ohio State computer science and engineering department, developed the new spyware with the aid of grad student Karthik Sankaranarayanan.

Davis and Sankaranarayanan's code works by using a pan-tilt-zoom camera to create a panoramic image of its entire field of view, and then linking each ground pixel in the picture to a georeferenced location on a map. This means that when the camera sees a person or vehicle, the computer also knows in terms of map coordinates where it is looking.

That in turn makes it possible for a new camera to be trained on the target as he/she/it passes out of the first one's field of view. In this way, a subject can be followed automatically anywhere that the monitoring computer has CCTV coverage. There's no need for a human operator to manually train cameras around, using up man-hours and sooner or later making a mistake and losing track.

"That's the advantage of linking all the cameras together in one system - you could follow a person's trajectory seamlessly," says Davis.

For now, such camera networks are small and localised. However, the Home Office here in the UK has said it would like to "create an effective cross country strategic CCTV network". Such a network, combined with Davis and Sankaranarayanan's new software, would allow plods or spooks to track people completely hands-off. That said, until facial-recognition software gets a lot better the computers would lose their target as soon as he or she left CCTV coverage.

Not content with his efforts so far, Davis wants to go even further and write code which can pick out people "engaging in nefarious behaviour".

"We are trying to automatically learn what typical activity patterns exist in the monitored area, and then have the system look for atypical patterns that may signal a person of interest," he says.

Such systems are already being trialled, and are known to be more than a bit flaky. The panoramic-map software with its people-tracking abilities seems more promising - from a surveillance operator's point of view, anyway.

Lok Sabha passed Information Technology (Amendment) Bill

LAW : Lok Sabha passed Information Technology (Amendment) Bill


22 December 2008

The Lok Sabha, the lower house of the Indian parliament, passed the Information Technology (Amendment) Bill 2006 today, as per the Synopsis of Business circulated by the Lok Sabha Secretariat.

The bill makes many major amendments to the Information Technology Act 2000. It was introduced in the Lok Sabha by Mr. A Raja, Minister of Communication and Information Technology, on 15 December 2008 and passed today. The bill will now move to the Rajya Sabha and, after being passed there, will need the assent of the President to become an Act. The amended bill will come into force on notification by the central government.

The bill provides more teeth to tackle cyber crimes. It also provides statutory status to CERT-In.

We will keep you posted on the provisions of the new bill once it has been passed by both houses after considering all amendments and suggestions made by MPs.
