Thu, 02 Sep 2010 02:30:56 +0000 http://www.hackinthebox.org/ Hack In The Box Backend en-us http://www.hackinthebox.org/images/hitb.gif http://www.hackinthebox.org/ dhillon.kannabhiran@hackinthebox.org http://www.hackinthebox.org/index.php?name=News&file=article&sid=37716 The sensitive personal information found on the new German identification cards with data chips scheduled for nationwide introduction this November can be easily hacked, according to testing done by a TV news show. Public broadcaster ARD’s show “Plusminus” teamed up with the hacker organisation the Chaos Computer Club to find out how secure the controversial new radio-frequency (RIHD) chips were. Set to air Tuesday evening, the report shows how they used the basic new home scanning machines that will go along with the cards, and found that scammers would have few problems extracting personal information. This includes two fingerprint scans, which German citizens can opt out of, and a new six-digit PIN number meant to be used as a digital signature for official government business and beyond. The home scanners will be necessary for use with home computers to process the personal data for official business and possibly even online shopping. Thu, 02 Sep 2010 02:30:56 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37715 Apple has an obsession with elegance. Just look at the line-up at yesterday's annual orgy of consumer desire. A new iPod Nano that looks like a tiny, animated, touch-sensitive, acid-drenched postage stamp - without losing a microgram of cool. An iPod Touch that generates and displays video, plays games and audio, and runs a kazillion apps, all with fewer buttons than a Mark 1 Walkman. An Apple TV that hooks together HD movies, Internet still and moving pictures, hewn from a minimalist block of ebony-black plastic. On this count, Apple still has it - and has it with enough insouciance to carry off a pricing structure only explicable if they have their flash memory hand-carved by octogenarian Japanese craftsmen using unicorn horn instead of silicon. Not to mention a dollar-to-pound conversion rate uncontaminated by actual forex. Yet there's one place where the whole business falls down. iTunes, now in its tenth incarnation, is the prog rock wig-out at the techno rave. And like the LPs of some of the 70s more behemothian bands, each new version is more overblown than the last. If iTunes was a record, by now it would be a quad album in a gatefold sleeve, with lyrics written in faux runescript and a free Roger Dean poster showing space-going whales dancing a quadrille around Planet Pomp. It is the app that taste forgot. Thu, 02 Sep 2010 02:29:51 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37714 Russian police have arrested 10 suspected members of a ransomware gang who allegedly made millions via a locked computer malware scam. PCs infected by the WinLock Trojan at the centre of the scam were rendered unusable because the malware disabled key Windows components. More embarrassingly pornographic images were displayed on compromised machines, IDG adds. The crooks claimed the damage could only be undone by sending premium rate SMS messages at a cost of between 300 rubles ($9.72) and 1,000 rubles. Tens of thousands of victims, mostly in Russia, were hit by the scam, Host Exploit reports. Web users in Ukraine, Belarus and Moldova were also reportedly affected by the scam, which reportedly earned crooks as much as $16m in just one month. Thu, 02 Sep 2010 02:29:08 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37713 We have come a long way when it comes to DMZs (demilitarized zones). It's no longer a question of if your organization needs a DMZ, but rather, it's now a question of how you should design one. In computer security, a DMZ is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network—usually the Internet. The original DMZ designs included a simple network separated from the internal network, where everything that needed access to the Internet was placed. Today, there are as many DMZ designs as there are vehicles on the road. You have industrial trucks designed to simply transport goods as cheaply as possible. You have economy cars designed to save money. And you have exquisite Italian sports cars that are sure to make your friends jealous (and fast enough that you always arrive with plenty of extra time for a nice cup of espresso). DMZ designs are a lot like cars: there are many varieties which go by a lot of different names but they all serve the same purpose. Thu, 02 Sep 2010 02:28:09 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37712 Federal prosecutors have uncovered a scam that used tens of thousands of cloned cellphones to defraud Sprint out of $15m in lost long distance revenue. The operation dates back to at least the latter half of 2009, when cellular customers began complaining that they were billed for international calls they didn't make, according to court documents made public on Wednesday. When Sprint employees looked into the matter, they discovered that many of the calls were made from hundreds of miles away from where the customers lived and within minutes of other calls made from the customers' homes. Eventually, the Sprint investigators discovered that electronic credentials belonging to “tens of thousands of its customers” were used to make international calls that would have cost $15m had they been billed at the going rate. What's more, many of the defrauded customers' online accounts were breached so that changes could be made to passwords, international calling features and other settings. Thu, 02 Sep 2010 02:27:25 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37711 VMWare’s annual “VMWorld” conference is in full swing and on Tuesday the company announced vCloud Director, vShield Edge and four other new products. The products are an important development for virtualization despite sounding a little vSilly to non-IT professionals. In case you don’t know your vSphere from a hole in the ground, here’s a quick summary of where VMware is today: the company has spent a decade evangelizing the value of virtualizing hardware resources to make them do more with less. The “cloud” proselytization efforts have been successful: People started deploying more virtual machines than physical ones starting last year, according to IDC, and VMware now claims 190,000 customers worldwide. VMware’s flagship product is called vSphere and it can be thought of, more or less, like a Windows for the data center. On PCs operating systems like Windows play two roles: they offer an interface for the user to run applications and manage all the hardware (video cards, USB connections, etc.) via “device drivers” that speak their language. Thu, 02 Sep 2010 02:26:39 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37710 After extracting a deal from Research In Motion that appears to give state authorities the ability to monitor messages sent over the company’s BlackBerry network — similar to a deal that RIM agreed to with the government of Saudi Arabia — the Indian government has suggested that it may go after both Google and Skype in an attempt to get similar kinds of security concessions. India’s threat means that this is no longer just about Research In Motion and its specific network or security controls; it’s about gaining widespread and potentially unlimited access to a whole range of cloud-based services. In other words, it means that our growing use of the “cloud” — whether it’s web-based email or web-based voice calls such as those recently launched by Google, or mobile email and data from companies such as Research In Motion — is colliding headlong with the demands of foreign governments to control those services and applications, or at least their demands to monitor them whenever they wish. Thu, 02 Sep 2010 02:25:02 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37709 China is now requiring people setting up new mobile phone accounts to register with their real identities as part of a new government measure to reduce anonymity among the country's 800 million mobile users. All carriers are to adopt the real-name registration system starting this month, said China Telecom spokesman Xu Fei. Within three years, the carriers must also register the real identities of all existing users. "The policy on existing users is not being carried out very forcefully," Xu said. "If existing users do not register their names, their service probably will not be discontinued." Street newsstands in China, where cell phone accounts were once conveniently sold, will also be prohibited from selling SIM cards, Xu added. Thu, 02 Sep 2010 02:12:27 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37708 It's been only a mere six months since its first unveiling, but Microsoft has already announced that Windows Phone 7 has been released to manufacturing. This means device makers can start tuning the software to their hardware, leaving plenty of time to release devices before the holiday season. The news was announced by Microsoft's Terry Myerson. "Windows Phone 7 is the most thoroughly tested mobile platform Microsoft has ever released,"he details, "We had nearly ten thousand devices running automated tests daily, over a half million hours of active self-hosting use, over three and a half million hours of stress test passes, and eight and a half million hours of fully automated test passes. We've had thousands of independent software vendors and early adopters testing our software and giving us great feedback. We are ready." Thu, 02 Sep 2010 02:11:46 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37707 Undergraduate students in America managed to get control of the manoeuvring thrusters of an orbiting 2000-lb NASA satellite at the weekend, sending it plummeting into the Earth's atmosphere to rain burning fragments across the chilly seas north of Norway and Russia. "They ran calculations to determine where the spacecraft was located," said Darrin Osborne, flight director for the now-destroyed Ice, Cloud and Land Elevation Satellite, or ICESat. "The students did this seven days a week." Rather than a posse of delinquent space hacker youths pranging satellites for lolz, however, the undergraduates in question were actually supposed to be in charge of the ICESat. They had been given a go on the controls as part of the ongoing operations of the Laboratory for Atmospheric and Space Physics (LASP) at the University of Colorado. LASP operates various science satellites for NASA from its space command centre on campus in Boulder, Colorado. Thu, 02 Sep 2010 02:11:06 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37706 Apple announced Wednesday that iOS 4.1 will fix proximity sensor and Bluetooth issues, and will add a new feature allowing users to take high dynamic range photographs that produce stunning pictures. The new software will ship Wednesday, Sept. 8 for the iPhone and iPod touch [Updated with HDR photos and details]. Following Wednesday's keynote, the golden master of iOS 4.1 was issued to developers. The new iPod touch, which will be available next week, comes with iOS 4.1 and Game Center preinstalled. Apple Chief Executive Steve Jobs announced that Bluetooth and proximity sensor issues that currently exist with the iPhone 4 will be addressed with next week's release of iOS 4.1. Such problems have persisted since the handset was first launched in June. "All the bugs that we get mails on," Jobs said. "We think we've nailed a lot of them, and we think you're going to be pretty happy with it." Thu, 02 Sep 2010 02:07:25 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37705 The website of the National Institute of Public Administration (Intan) has suffered a cyber attack believed to be by Indonesian hackers. The website is believed to have been inactive since Monday, 6.54pm as shown on its cached version when checked yesterday. It had also been violated with profanity. A minute after the website was accessed, a green cursor trail will appear on the page stating that it had been “hacked by vires-kucrit”. This is followed by a pop-up referring to the National Day celebration albeit in obscene language. Calls for comments from the Intan public relations officer or its director Datuk Dr Muhamad Hamzah went unanswered. Thu, 02 Sep 2010 02:05:43 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37704 A group of misinformed Algerian 'cyber-pirates' attacked the official website of the Belvoir Castle, mistaking it for the Belvoir Fortress in Israel. The pirate group, known as Dz-SeC, hijacked the website and displayed anti-Jewish slogans in Arabic on the homepage, along with a picture of the Algerian national flag. The Belvoir Castle, which acted as a Royalist stronghold during the English Civil War, now plays host to the annual teddy bears’ picnic. The Belvoir Fortress on the other hand, was initially a Christian military stronghold used for fending-off attacks from Muslim forces on the city of Jerusalem. However, the fortress fell under Muslim control, which they later had to relinquish following a brutal attack by Israeli forces. The hacker group claims that the attack on the website was due to Israel's presence and thanked other Algerian pirates for contributing to the attack. Thu, 02 Sep 2010 02:03:59 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37703 As worldwide chief technology officer for security company McAfee, George Kurtz took part in the investigation — called Operation Aurora — earlier this year of the attacks against Google and a number of other companies that apparently targeted high-value sensitive information. He said the attacks illustrate the threat from motivated, well-resourced hackers who use social engineering to compromise information technology systems. “We certainly learned some valuable lessons from Operation Aurora, and what we see as the next frontier in attacking systems in corporations is the mobile devices that are in use today,” Kurtz said. “We’re going to see the next wave of malware and attacks target specific devices.” Thu, 02 Sep 2010 02:03:14 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37702 Recently, Sony blocked the sale of a device called PSJailbreak that would have let anyone run homebrew apps and play backed-up or copied games from their PlayStation 3. Now the same code running the device has been leaked out to the internet, allowing anyone to break open their PS3 if they have the right hardware. The ability to play copied games is locked away in the code but we all know how long that is going to last. Having the code out there also means those who were dinged by the removal of OtherOS should be able to reactivate it. With the PlayStation 3 cracked open, Sony will now have work on closing up any exploits for it on top of their efforts with the PSP. They made a good effort keeping it secure all these years but you really can't stop hackers from getting through. Thu, 02 Sep 2010 02:02:30 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37701 Malicious hackers are using the Google Code repository to host Trojans horses, backdoors and password stealing keyloggers, according to researchers at Zscaler. The researchers found a malicious project hosted on the free Google Code site with about 50+ malware executables stored in the download section of the project. According to Zscaler’s Umesh Wanve, most of the files are executable files along with zipped “.rar” files. "The time stamps show that the files have been uploaded over the course of the last month. This suggests that an attacker is actively using this free service to spread malware." Thu, 02 Sep 2010 02:00:19 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37700 Payments processor Heartland Payment Systems Inc. on Wednesday said it will pay $5 million to Discover Financial Services Co. to resolve issues between the companies related to a 2008 data breach. Hackers installed spying software on Heartland's computer network in 2008, giving them access to data including account numbers, expiration dates and in some cases customer names on the systems that process Visa, MasterCard, American Express and Discover Card transactions. The company revealed the problem in January 2009. Heartland said Wednesday the deal with Discover marks its final agreement with a card brand related to the incident. According to a recent regulatory filing, Heartland had previously reached breach-related settlements totaling $114.7 million. That included a $3.5 million payment to American Express, $59.3 million in payments to Visa and several banks, and $41.4 million to MasterCard Worldwide. Thu, 02 Sep 2010 01:59:07 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37699 The Defense Advanced Projects Agency (DARPA) has launched a project for detecting and responding to insider threats on Department of Defense networks. Under the Cyber Insider Threat (CINDER) Program, DARPA will explore new approaches for improving the speed and accuracy of insider threat detection. The agency last week sought proposals for ways to identity hostile insider activity by monitoring specific user and network behaviors. In the initial stage of the project, the goal is not necessarily to develop new ways of detecting individual malicious insiders themselves. Instead, DARPA hopes to figure out the tell-tale signs and network activities that organizations should monitor to accurately detect malicious activity. Thu, 02 Sep 2010 01:58:28 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37698 Attackers took to Twitter on Monday to spread malware via links pointing to what they claimed was an update to the popular microblogging client TweetDeck. A number of updates were sent from hacked Twitter accounts urging users to download a file called "tweetdeck-08302010-update.exe." The tweets began with phrases, such as “Hurry up for tweetdeck update!” or “Download TweetDeck udate ASAP!,” and included a URL beginning with http://alturl.com/. The links, however, did not lead to a legitimate TweetDeck update, but instead brought users to a trojan, Graham Cluley, senior security researcher at Sophos, wrote in a blog post Tuesday. Some of the malicious tweets referenced the U.K.'s national Bank Holiday, which occured on Monday. The tweets read, “Critical tweetdeck update Bank Holiday” and “Update TweetDeck! Bank Holiday.” Wed, 01 Sep 2010 03:22:33 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37697 A botnet responsible for a significant amount of spam has been crippled but may reconstitute itself in a matter of weeks, according to vendor M86 Security. The Pushdo or Cutwail network of hacked computers ranked in the top five or so botnets for spam, responsible for as much as 10 percent of all spam, said Ed Rowley, product manager for M86 Security. The spam often advertises fake software, so-called designer goods and questionable pharmaceutical products. But security analysts with the computer security company LastLine took action last week, contacting ISPs that were hosting the command-and-control infrastructure for the botnet. About 30 servers at eight hosting providers were found to be supporting Pushdo. LastLine contacted the ISPs, and about 20 of the servers were taken offline, according to itsblog. Some ISPs, however, were unresponsive. Wed, 01 Sep 2010 03:20:54 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37696 Russian police are reportedly investigating a criminal gang that installed malicious "ransomware" programs on thousands of PCs and then forced victims to send SMS messages in order to unlock their PCs. The scam has been ongoing and may have made Russian criminals millions of dollars, according to reports by Russian news agencies. Russian police seized computer equipment and detained a Russian "crime family" in connection with the crime, the ITAR-TASS News Agency reported Tuesday. Russian-language reports say that 10 people are expected to be charged and that tens of thousands of Russian-language victims were hit by the scam, which also affected users in Ukraine, Belarus and Moldova. Wed, 01 Sep 2010 03:18:07 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37695 The cloud lifts Tuesday on Novell's Cloud Security Service, which is software designed so that hosting and cloud-service providers can offer authentication, authorization, provisioning and de-provisioning services to their enterprise customers. The Novell Cloud Security Service software is intended to be used inside a provider's data infrastructure to enable the equivalent of a single-sign-on function to multiple software-as-a-service (SaaS) options that enterprise customers want to use so they can easily provision and de-provision employees. To make the Novell Cloud Security Service work, the enterprise would need to install a server software component, said to be less than 100MB, on their own premises, to communicate back to the hosting provider. That on-premises component becomes the central point for enabling control over password-based authentication, and the provisioning of SaaS services and the immediate de-provisioning of them when it's determined an employee's use of SaaS should be terminated. Novell has been at work on the cloud-security project, which makes use of open protocols such as SAML, for over a year. Wed, 01 Sep 2010 03:17:33 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37694 A survey of 278 IT managers found that spending on storage systems is expected to remain flat through next year because of the soft economy and new technologies that allow IT administrators to do more with what they already have. The survey, conducted by research firm TheInfoPro in June, also asked IT managers which vendors they were most likely to stop doing business with. Hewlett-Packard, Oracle and Sun Microsystems, which was acquired by Oracle in 2009, took the top spots. For the second year, results showed Oracle struggling, TheInfoPro said in a statement. Asked how difficult it would be to switch vendors, 21% of the IT managers surveyed said it would be hard to replace Oracle, while 43% said it would be easy, and 35% said it would be "somewhat difficult." Meanwhile, 36% said it would be hard to switch from IBM, while 41% said it would be somewhat difficult and 23% said it would be easy. As for HP, 41% said it would be hard to switch, 26% said it would be easy, and 33% said it would be somewhat difficult. Wed, 01 Sep 2010 03:16:45 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37693 Twitter has completed its move to OAuth for authentication for all third-party applications. OAuth allows people to use applications without them storing their passwords. In the past, Twitter officials explained in a blog post, developers have been able to choose between basic authentication and OAuth to enable Twitter applications to access user accounts. Both methods require the user’s permission; but with basic authentication, users must provide their password and username for the application to access Twitter and the program has to store and send the data over the Internet each time the application is used. “With OAuth, you still individually approve each application before using it, and you can revoke access at any time,” according to Twitter. “To see which applications you have authorized or to revoke access, just go to the Connections section under Settings.” Wed, 01 Sep 2010 03:14:42 +0000 http://www.hackinthebox.org/index.php?name=News&file=article&sid=37692 Verizon Business is tapping into the popularity of VMware technology with a cloud computing service designed to let customers easily move workloads between their own infrastructure and Verizon's cloud. With the new service, in trials now and due for general availability early next year, enterprises that use VMware will be able to shift workloads out to Verizon's CaaS (Computing as a Service) infrastructure and back again, the companies said. This could help organizations ease their way into cloud computing or take advantage of greater computing resources when necessary. Verizon introduced its first CaaS offering in June 2009. That service requires enterprises to commit to sending certain workloads to Verizon's cloud, because it's not as easy to move them over or get them back as with the new service, AT&T spokeswoman Janet Brumfield said. The earlier service will remain available. Wed, 01 Sep 2010 03:13:59 +0000