Archive for the ‘Security’ Category

uTorrent web servers compromised



If you are a torrent lover like me then you need to read this.

Unfortunately, the day before yesterday (13th September, 2011) the web servers of uTorrent (a tiny and very stable torrent client) were compromised by a hacker. This happened at 4:20am PST, and uTorrent's web server team didn't take the hacked server offline until 6am PST. The problem is that the hacker replaced the uTorrent Windows client download with a fake antivirus executable, so anyone who downloaded the client during that 1 hour 40 minute window was unknowingly downloading malware.

The malware in question is called Security Shield, a well-known rogue anti-spyware program. It pops up a professional-looking application window on your desktop that lists fake infections after performing a fake scan. It then offers to remove them if you pay for the full version of the "security suite."

If you were unlucky enough to visit utorrent.com and download the Windows client during those couple of days, then you have probably already seen the Security Shield software pop up and run on your machine. You need to remove it as soon as possible: check your PC with a reputable antivirus product, or otherwise follow the removal guide on this page [bleepingcomputers].

uTorrent has now apologized and brought its servers back online after removing the rogue files. If nothing else, this should act as a reminder to everyone to scan any file downloaded from the Internet with a reputable security scanner before running it, as clearly you can't trust even legitimate sites all of the time.
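A scanner is one check; the other is to verify that what you downloaded is the file the vendor actually published. The following script is an added example (not code from uTorrent or from the original post) that streams a downloaded installer through SHA-256 and compares it in constant time against a digest published out of band. The installer bytes and the "published" digest are constructed sample values, not uTorrent's real ones.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data standing in for the real installer bytes and the
# digest a vendor would publish alongside it (not uTorrent's actual values).
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine torrent client installer (constructed sample)"
SWAPPED_INSTALLER = b"MZ\x90\x00" + b"rogue antivirus dropper (constructed sample)"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256):
    """Return True only if the file's digest matches the published one.

    The expected digest must come from a channel independent of the download
    itself (a signed release note, a PGP-signed SUMS file); if the attacker who
    swapped the binary can also swap the hash on the same page, the check is moot.
    """
    actual = sha256_of_file(path)
    # Constant-time comparison: do not leak how many leading characters matched.
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def check_installer(contents, expected_sha256):
    """Write constructed installer bytes to a temp file, verify, and clean up."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(contents)
        return verify_download(path, expected_sha256)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("genuine installer accepted:", check_installer(GENUINE_INSTALLER, PUBLISHED_SHA256))
    print("swapped installer accepted:", check_installer(SWAPPED_INSTALLER, PUBLISHED_SHA256))
```

In the uTorrent incident the binary was swapped on the vendor's own server, which is exactly the case an out-of-band digest (or a code-signing check) catches and a "the download came from the official site" assumption does not.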


Hacker’s Interview – behind Comodo and DigiNotar hacking



Comodo is one of the largest SSL and code-signing certificate providers. Some Comodo certificates were compromised earlier this year, and now ComodoHacker has claimed responsibility for hacking DigiNotar, a Dutch code-signing/SSL certificate provider.

Meanwhile, the fallout from the hack continues. DigiNotar has, in effect, lost its status as a trusted root certificate authority. Its certificates have been blacklisted by Microsoft, Google, Mozilla, and Apple.

With this hack the attacker can intercept all encrypted communications with Windows Update and other Microsoft services, Gmail, Mozilla-based services and Apple services without the user's knowledge.

Microsoft and Mozilla (Firefox) have also just released security updates that block all DigiNotar-issued certificates. (Kindly update your systems now.)

ComodoHacker also justified his attack on the Dutch certificate authority by blaming the Dutch for the murder of 8,000 Muslims at Serbian hands in Srebrenica: "It's enough for Dutch government for now, to understand that 1 Muslim soldier worth 10000 Dutch government."

Here is the interview with the Iranian hacker who was behind the Comodo and DigiNotar hacks.


Hi

I have received around 25 interview requests. I'll respond to all of them; I'll give interviews to all.

Just to make some points about things I see around the internet about me and in some interview questions:

a) I'm a single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I'm not the one who should explain.

b) This attack was really more sophisticated than the simple Stuxnet worm. 0-days? I have already discovered similar bugs. Trojan? I already wrote the most sophisticated undetectable ring0 and ring3 rootkit (they work together). Signing certificates? Huh, man! I have around 300 code signing certificates and a lot of SSL certs, again with code signing permission; look at Google's cert, I have code signing privilege! You see? I owned the entire computer network of DigiNotar, with 5-6 layers inside which have NO connection to the internet at all. I have so much to explain, but later… You have to wait!

c) I still have access to 4 more CAs. I just named one and I name it again: GlobalSign. StartCom was lucky enough: I had already connected to their HSM, got access to their HSM and sent my request, but lucky Eddy (CEO) was sitting behind the HSM and was doing manual verification.

d) I'm able to issue Windows updates. Microsoft's statement about Windows Update, that I can't issue such an update, is totally false! I already reversed the ENTIRE Windows Update protocol: how it reads XMLs via SSL which include the URL, KB number and SHA-1 hash of the file for each update, how it verifies that the downloaded file is signed using the WinVerifyTrust API, and… Simply, I can issue updates via Windows Update! You see? I'm so smart, sharp, dangerous, powerful, etc. Huh?

I'll talk about more stuff later. I may also start a web hacking course for Anonymous and LulzSec and their friends, rootkit development for Stuxnet developers, 0-day vulnerability assessment in Windows and Linux environments for Stuxnet developers and other hackers too. Huh? What do you think?

The Dutch government is paying for what they did 16 years ago in Srebrenica. You don't have any e-Government any more, huh? You've turned back to the age of paper, photocopy machines, hand signatures and seals? Oh, sorry! But have you ever thought about Srebrenica? 8000 for 30? Unforgivable… Never!

I also heard that the Dutch government is trying to gather documents and file a complaint against Iran. Really? Shame on you, man! Have you been in court for Srebrenica? Who should file a complaint for Srebrenica? You should pay; these are the consequences of Srebrenica, just know it! This is the consequence of fighting with Islam and Muslims in your parliament.

WOOOOORLLLLDDD! Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!


Why Pakistan’s move against online crypto is a dangerous idea


The Pakistani newspaper The Express Tribune reports from Karachi that the country's telecommunications regulator is pressing ISPs to comply with recent regulations that restrict the use of end-to-end encryption.

Any technology which conceals communications and prohibits monitoring, it seems, is off the menu.

The Tribune quotes a letter sent to it by an ISP which had been warned by the regulator:

    In line with [the Monitoring & Reconciliation of International Telephone Traffic] Regulations 2010 and national security, [the Pakistan Telecommunication] Authority prohibited usage of all such mechanisms including encrypted virtual private networks (EVPNs) which conceal communication to the extent that prohibits monitoring.

The letter continues by reminding the ISP:

    It is observed that the aforementioned directive has not been followed in true letter and spirit as EVPNs are heavily being used on the Licensees Network.

This concern over the inability of law enforcement to intercept or prevent communication between criminals and militants will no doubt resonate in other countries – notably in the UK, where services such as BlackBerry's instant messaging came under the spotlight after the recent riots there.

Unfortunately, however, an internet in which encryption was banned altogether would be even more dangerous than what we have today.

You've probably heard the gun lobby's truism that "if guns are outlawed, only outlaws will have guns." Yet there are many countries where private ownership of guns – handguns, at least – has been heavily regulated or even banned outright without a concomitant increase in gun crime.

It's tempting, therefore, to argue that if we can ban guns without endangering society, despite the vigorous warnings of a vocal minority, we can do the same with cryptography. Perhaps "if crypto is outlawed, only outlaws will have crypto" is just the crazy slogan of a bunch of libertarian survivalist cypherpunks with something to hide?

The problem is that banning every sort of "communications concealing" technology online would destroy the very fabric of the internet's law-abiding use. There would be no SSH, no SSL, no TLS, no HTTPS. There would be no WiFi security. Online commerce would implode.

Whether the private ownership of weapons is as big a threat to society as some like to make out is an argument for another day, because cryptography on the internet isn't like handguns in the suburbs.

In most developed countries, you don't routinely need to pack a Browning Hi-Power when you visit your local bank branch. (Even in countries where that's legal, the bank would probably make you lock it in a safety deposit box at the entrance, anyway.)

In contrast, you do routinely need to use an SSL-protected tunnel to the bank when you transact online.

Significantly, the bank needs you to do so, as well. And if you don't, you're actually playing into the hands of the crooks.

So the next time you hear a nanny-state advocate oppose the general availability of strong crypto on the grounds that "if you've got nothing to hide, you don't need to hide anything", don't just sigh in dismay.

Confront them with the inanity of their remark. (Unless they've got a Browning Hi-Power. In that case, give a little smile and leave as soon as you can.)

* If you have nothing to hide, then it doesn't matter whether you choose to hide it or not, does it?

* Online, you do have things to hide. And if you and the rest of us don't hide it as a matter of course, the cybercrooks will plunder our economy more seriously than they're doing already.

In short, if you want to do away with online crypto, you're making things easier for the crooks, not harder. And that, I'm sorry to have to say, is a truism.

Take cryptography seriously. Protecting your own online assets helps protect everyone else, too.

Sources:
http://tribune.com.pk/story/240736/virtual-watchdog-internet-users-banned-from-browsing-privately-for-security-reasons/
http://nakedsecurity.sophos.com/2011/08/29/pakistan-move-against-online-crypto-a-dangerous-idea/?utm_source=facebook&utm_medium=status%2Bmessage&utm_campaign=naked%2Bsecurity


Firefox releases Version 5, five remote code vulnerabilities fixed


* MFSA 2011-26 Multiple WebGL crashes
* MFSA 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()
* MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace images
* MFSA 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled
* MFSA 2011-19 Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)


Mozilla delivered on its promise to have the Version 5 release of its browser ready by midwinter's day, which in Australia is today – 22 June 2011.

The new version officially calls itself 5.0, but the Version 4 release is just three months old, and has had only one point update (to Version 4.0.1).

It looks as though Mozilla is simply copying Google's Chrome version numbering system in order to seem more "with it."

Source:
http://nakedsecurity.sophos.com/2011/06/22/firefox-release-v5-five-vulns-fixed/


Why I love “hackers” culture


From the Nmap manual:

If you find yourself really bored one rainy afternoon, try the command

nmap -Pn -sS -p 80 -iR 0 --open

to locate random web servers for browsing.

(Use it at your own risk, as some companies might complain about port scanning.)


Windows Mobile joins the party after Apple (iPhone) and Google (Android) are sued


A week later, Windows Mobile 7 also joins the party alongside Google's Android and Apple's iPhone. Both of those companies are being sued for collecting sensitive user data (such as GPS coordinates, which pinpoint the user's location) from users' mobile devices, transmitting it over the internet and storing it in Google's and Apple's databases.

CNET reported the location tracking on Monday, almost a week after reports of similar tracking in Apple's iPhone and Google's Android mobile OS raised concerns that smartphones could be used by police, civil litigants, or abusive spouses to track an owner's movements over extended periods of time.

Microsoft's version:
https://www.microsoft.com/windowsphone/en-us/howto/wp7/web/location-and-my-privacy.aspx

Sources:
http://www.theregister.co.uk/2011/04/25/apple_sued_for_location_tracking/
http://www.theregister.co.uk/2011/04/28/google_sued_over_android_location_tracking/
http://www.theregister.co.uk/2011/04/27/windows_phone_location_tracking/