The weak password problem : Now solved????

1.    We are part of the first phase of IT revolution across the globe where every thing is happening....methods to secure...methods to hack....stronger and powerful servers....patching vulnerabilities....fighting malware....analysing stuxnets genre...and what not....every thing is happening.....now the following text (org from http://lanl.arxiv.org/abs/1103.6219) opens another dimension to make the passwords secure.....

"Vulnerabilities related to weak passwords are a pressing global economic and security issue. We report a novel, simple, and effective approach to address the weak password problem. Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, and computational round-off errors we design an algorithm that strengthens security of passwords. The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective. We expect our approach to have wide applications for authentication and encryption technologies."

2.    Thanks http://lanl.arxiv.org

The Gawker case : EXPERIENCING A HACK

1.   A six-letter password in lower-case text takes a hacker's computer just 10 minutes to crack. But make those letters upper-case and it takes 10 hours for it to randomly work out your password. Thus simply upper-casing your password can minimise a hacker's chance of finding out your account.Add numbers and/or symbols to your password and the hacker's computer has to work for 18 days.Despite widespread warning, 50 per cent of people choose a common word or simple key combination for their password.The most used passwords are 123456, password, 12345678, qwerty and abc123. 

2.   I read about the Gawker case recently wherein the subject media firm Gawker urged subscribers to change their passwords after its user database was hacked and more than 1.3 million passwords were stolen.Now imagine some one like Yahoo or Google requesting one fine day on a similar line....won't our heart come out????

3.   The exact Gawker announce ment goes like this 

“Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords. We’re deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.”

4.   The problem emanated when Gawker recently launched a multi-site redesign thatthat failed spectacularly, leading visitors to blank pages. The culprit was a misbehaving piece of JavaScript, but when a single line of JavaScript causes your entire suite of sites to fail you no longer have websites, you have, well, nothing.The problem with Gawker’s redesign is that it uses JavaScript to load everything. That means that, not only is there no chance for the site to degrade gracefully in browsers that don’t have JavaScript enabled, the smallest JavaScript typo can crash the entire website.

5.   Now we all have seen it personally as we sometimes tend to have the same password for multiple accounts on the web.....this could be a simple fall like a pack of cards...one point failure leads to the complete fort coming down.....so guys...take care....change ur passwords for better and stronger security.....

INTERNET KILL SWITCH????

1.   Recent events in Egypt and the debate over the “Cyber Security and American Competitiveness Act of 2011”, has introduced the cyber world with a yet another jargon term “INTERNET KILL SWITCH”.Whats this all about and what does this mean.....crux in brief as i understood after going through few good informative sites....read onnnnn!!!!!

2.   The term would give US the best tools available to swiftly respond to a significant CYBER threat.Thus if the U.S. detected a serious cyberthreat at some point of time, this switch would enable the US President to instantly shut down any infrastructure connected to subject infrastructure.It is not a mandate to be able to shut down the entire Internet but rather authorizes the president to order turning off access to “critical infrastructure” .

3.   Our interest here is to look at just one dimension of the issue – the technical feasibility; the political and policy aspects, we’ll leave to others.

4.   Thanks http://www.switched.com

Operation Pay Back & LOIC

A good one to read about the link between Mega D Botnet,Operation Pay Back with the aid of LOIC @ here

Full stop from being tracked online :An attempt from FIREFOX

1.  Firefox is working on a system which will provision web surfers to stop from being tracked online.We all know how  behemoths viz Google,Facebook and a plethora of OWMs use such information to sell targeted adverts and make money without ever asking the consent of the user.Such a move would be welcomed by privacy campaigners who have long complained that Google & Facebook are taking indecorums with the information .Currently these information seeking companies make use of 'cookies' that automatically save themselves onto users computer when they surf the web, and then keep a track of the browsing history.This data is then sold on to advertisers who put highly lucrative targeted ads on the individual's screen, depending on what internet pages they have recently been looking at. 

2.  Vice president of engineering at Mozilla,Mike Shaver,summed up the plan by saying the aim was to "put the user in control but not overwhelm them".And this would not only be a welcome step being used against information thefts but also actually be a booon for users who have been taken on a ride for so long on which they never ever desired to also......

OPERATION CISCO RAIDER

1.   Counterfeiting is not new....since we were born we have been seeing dupli's and counterfiets of Reebok,nike,hmv etc...the list is actually endless....this endless list is now augmented with IT inventory....to cite you an example which has rocked the nations across is about OPERATION CISCO RAIDER.

2.    Relevant original EXTRACT FROM http://www.coastnetwork.com is produced below : 

" Cisco made a decision a decade ago to manufacture product in China as a way of cutting production costs. A great deal of Cisco manufacturing is now done overseas, specifically in China. What has happened is that many of the companies that do the outsourcing for Cisco now run an extra shift and sell the now counterfeit hardware out the back door. After all, they have the manufacturing capability, the expertise and the full blessing of Cisco. The result? More and more counterfeit Cisco hardware is now showing up on American shores. Part of the problem is that China does not have strong intellectual property protection laws. This is a situation that Cisco and many other companies are still struggling to solve and one that does not promise to be resolved soon.

Warning signs of a possible counterfeited item:

If you are getting discounts of 40-55% off the list price for brand new hardware, i.e. sealed boxes, then it is a red flag. The largest of Cisco’s customers – the Bank of Americas, Ford Motor Company, United Airlines, AT&T, etc. get these discounts. You don’t. If it is any consolation, even dealers do not get the top corporate discounts.       

While it is flattering and tempting to receive big discounts for new Cisco hardware, it is also unrealistic and should be treated with the utmost caution. 

Ask what the retail price is and compare it to the price you are being quoted. If you are getting a 15-25% discount from the list price for new/sealed hardware, then you are being quoted a fair and realistic price. Expect a reasonable discount, however; too big a discount often spells trouble.

Another sign to be aware of is the receipt of unsolicited email from unknown dealers offering you Cisco hardware at very good prices. This warning is doubly true if the email or company originates from mainland China.

3.     Thanks http://www.coastnetwork.com/counterfeitcisco

Biggest release of Patch update by MICROSOFT

1.    Patches by MS to be released today are said to be the biggest and largest batch of updates by Microsoft since Oct 2003.According to Microsoft, this batch will be the LARGEST in its history with no less than 16 security updates designed to address a total of 49 vulnerabilities in Windows, Internet Explorer, MS-Office and the software giant's .NET Framework.

2.    All this effort and size of the patches by MS reflects how vulnerable each one of us remains to the hacking and leak of personal info in wrong hands....the batch of updates will include Windows 7 critical updates,updates for Internet Explorer, MS -Office 2010.And all those happy using the pirated copies of OS across remain as vulnerable as they are already....

RISK MANAGEMENT : Beware while u update with Patches

1. A zero-day exploit as discussed at an earlier post in this blog .....Some thing more to it...

2. A good extract straight lift from Infosecurity-magazine.com

"For a vendor, developing the update is not the part that takes time – testing is. We have more than 600 million downloads when we publish an update. If we “just” break 10% of the systems the update is installed, it would be a huge denial of service. So testing is the name of the game. How well is an unofficial patch tested?Often the vendor publishes workarounds (at least we do). This should be part of your risk mitigation strategy. Would the workaround be acceptable to buy you time?

How far do you trust the author of the unofficial update? How big is the risk that the update comes with pre-installed malware? The question immediately comes up: Why should we trust a vendor? Well, you bought or downloaded the software at the first hand – so, you decided to trust the vendor at the beginning.

What do you do once the vendor releases an update? Can you de-install the unofficial update?

Basically, it is a risk management decision, which should include at least the questions I raised above. Do not just run for the unofficial update – to me it should be really the last resort, if even!"

3. A good site to follow : Check out http://www.infosecurity-magazine.com

CLEANERS & FOOTPRINTS

1. Off late I have been experimenting with few software's which claim to do a 100% cleansing action of removing every browsing marks and history of any kind on your computer that u use for work and surfing.These incl the following :

- CyberScrub Privacy Suite v 5.1

- PC Tools Privacy Guardian v4.5

- Webroot Window Washer 6.5.5.155

- MilEraserSetup_XP2k

- Privacy-eraser

- Notrace-setup

- Eraser 6.0.7.1893

2. Among these I have no doubts of who is leading?....CyberScrub Privacy Suite v 5.1 & PC Tools Privacy Guardian v4.5.Though CyberScrub Privacy Suite v 5.1 does leave Chrome traces and does't have Chrome included in its list of browsers......It does a pretty neat job by giving options of wiping that include Navy Staff Office Publication (NAVSO PUB) 5239,Russian Gost,Brouce Schneier algorith and many others with options of selecting passes......on the other side ie PC Tools Privacy Guardian v4.5...includes chrome as a option to be selected with similar wiping algorith options.....

3. Try you must.......all of them to know the real difference or simply follow the recommendations......

Browser Forensics - Not Simple

1.      Just read one book by Peter C.Hewitt on Browser Forensics.An eye opener for anyone....the amount of info that stands compromised whilst using any browser is astonishing.....

2.      Now in a normal routine maintenance when I used to clear my browser History,cookies and cache....when I used to remove unnecessary files using utilities like Glary Utilities,Cc Cleaner and Tuneup utilities....i used to think that there r no traces left...before I was introduced to Mandiant's Webhistory, Pasco, Galleta and IE Passview.

3.      I checked up first with Mandiant's Webhistory....an 8 MB file...simple to install,,,free.Web Historian is a program that allows an investigator to collect, display and analyze web history data using Mandiant Intelligent Response (MIR) technology. It seeks to provide a customizable yet simplistic interface to view and navigate voluminous amounts of web history data. Perhaps the most powerful feature is the ability to correlate and provide multiple views of the data (including graphical and timeline) through the Analyzer and Web Profiler tool, in the hopes that investigators can come to well-informed conclusions about the data quickly.

4.       So after I cleaned up my PC using every utility....and scanned the PC with this software....the result was like nothing has been removed...all what I had accessed in last few days stands out in a compiled tabulated form ready to be saved as a Excel file for record.So what exactly allows this info extraction in spite of assurances from utilities available.The most recent versions of Windows store information about the pages viewed by the browser in a file called index.dat. One of the index.dats, in turn, contains information pointing to other files used in the browsing session. Windows has 3 types of index.dat files, for the cache, history and cookie files, respectively.Obviously, viewing all 3 types will give us the best understanding of what browsing took place. So....its not simply erasing ur history that could save you at some time......there is much much more ........

New Gen BIOMETRICS : PALMSECURE from FUJITSU

1. Quiet often we seen biometrics fingers,palm,eyes,retina being chopped off in Hollywood movies for gaining illegal access to control rooms and secure areas by the bad man...so we used to think like there is no end and no permanent solution to this....now comes a solution to this problem wherein not the fingerprint or the palm print is taken as authentication model....it is the veins inside that exist inside the palm that matter and should match...now these veins should also be flowing blood to authenticate the logger.

2. Fujitsu provides a highly reliable biometric authentication system based on palm vein pattern recognition technology. PalmSecure™ features industry-leading authentication accuracy with extremely low false rates, and the non-intrusive and contactless reader device provides ease of use with virtually no physiological restriction for all users.Applications include :

• Physical access control / Time and Attendance
• User authentication to PCs or server systems
• Government / Commercial identity management systems
• OEM terminal devices (POS, ATMs or information kiosks)
• Other industry-specific applications
• 
  

3. More about this here.

TABNAPPING : A new generation Cyber Crime

1. Another new term in the cyber crime is "Tabnapping" a combination of "tab" and "kidnapping" that could be used by phishers to dupe users into giving up passwords by secretly changing already-open browser tabs. All browsers on Windows and Mac OS X are vulnerable.It is thus a computer exploit,a kind of phishing attack, which persuades users to submit their login details and passwords to popular Web sites by impersonating those sites and convincing the user that the site is genuine. Eg . An open tab of Facebook for instance may be a false window. But very few of us may notice. As a result, we readily log in our username and password when prompted, only to fall to phishers.

2. Aza Raskin is the person behind coining this term,this 1984 born genius is an active phishing researcher.It is unlikely that Browser makers will patch this up soon the risk does not emanate from security vulnerabilities per se.

3. However, every major browser has a filter of some kind designed to weed out malicious sites and sites suspected of being infected with attack code. Those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.

4. Thanks http://www.standardmedia.co.ke & http://www.couponsherpa.com

Augment your regular desktop with a FACE RECOGNITION feature

1. Face recognition technology although has been compromised earlier on various times and occasions which have been mentioned at this blog here,here and here.But again things are improving with more complex algorithms being used for processing and allowing a person to Log In.Now suppose an online exam is being conducted which requires students to login with their accounts; anybody could login with anybody’s account as long as they knew their username and password.So for regular window OS users,Luxand Blink allows an alternative to traditional Windows login and a solution to problems. It provides its users with a different way to login to Windows: through Facial Recognition.

2. Luxand Blink is a free application comptable with 32 bit version of Windows Vista and Windows 7. The download size of the application is 8MB and installs in a standard way. A webcam is required to be installed in the computer...(did I need to tell that?)

3. So just look into a webcam for a moment, and you’ll be logged into your account before you notice. Blink! employs advanced face recognition technologies to provide automatic, quick and reliable login to one or many computer users. It uses its advance image recognition algorithms to recognize our face. Such is the competence of this application, that whether the lighting is different or our hair are different, Luxand Blink will still recognize our face and log us in.So a regular old desktop becomes ready with the FACE RECOGNITION feature.

4. Thanks http://www.luxand.com/blink/

PANOPTICLICK : Your Browser Finger Print

1. The development and growing interest in hacking and retrieving info from browsers has been gaining significant importance today when security is BAAP of all priorities in any IT field.Today surfers are warned that even with cookies deleted and disabled,advanced fingerprinting techniques could be used to identify them.In an attempt to check and test browsers,THE ELECTRONIC FRONTIER FOUNDATION has come up with a site at http://panopticlick.eff.org/ which tests your browser to see how unique it is based on the information it will share with sites it visits.

2. Check out at http://panopticlick.eff.org/

"GOOGLE STREET VIEW" - FIGHTING PRIVACY ISSUES

1. Ever heard of google's street view application...m sure many of you must have...for those who have not heard of it...in brief it refers to a technology featured in Google Maps and Google Earth that provisions isometric views from various positions along many streets in the world. Launched on May 25, 2007 the application displays images taken from a fleet of specially adapted cars. Areas not accessible by car are sometimes covered by Google tricycles. On each of these vehicles there are nine directional cameras for 360° views at a height of about 2.5 meters, GPS units for positioning and three laser range scanners for the measuring of up to 50 meters 180° in the front of the vehicle. There are also 3G/GSM/Wi-Fi antennas for scanning 3G/GSM and Wi-Fi hotspots.

2. No about the fighting issue that i have reffered in the subject topic.Now whether it is a facility for the world base users to utilize viewing live views of streets world vide or it is an attempt to log in to the private data of the users across.....yess...I repeat it is the private data of the users avaiable from the open WiFi signals from their home computers and laptops.The intresting thing is that Google has accepted this collection of data from unencrypted wireless networks....and they have put the blame on a masoom software engineer.Google says the massive furore over Wifi snooping by Street View cars was all the fault of one software engineer.In an interview ,CEO Eric Schmidt said the whole affair came about because a software engineer inserted unauthorised code into the Street View system software. The man is now under investigation internally by the company as per posts on google blog.

3. Now what ever answer that google may come up with in form a mistake or simply putting the blame on that software engineer(...where was the Software Testing deptt and QC then otherwise?),the point that I intend putting accross is that just take care of envryting your WiFi router.Google has at least accepted the fact and mistake and they are taking measures to rectify it...but it will not be always like that.....there are so many mis adventurists present all around that looking around that unencrypted wireless networks for misuse.....just read this post again to avoid becoming a target like others.

4. Thanks http://tech.blorge.com & http://en.wikipedia.org/

SHADOWS IN THE CLOUD

1. First time I heard this term...i thought its abt some movie...some crime thriller or may be some novel or book...but when I actually came to know about this...it was exploring a whole new world....this is abt a 60 pg brief on how cyber security can compromise you and your organisation secrets....wonderfully compiled...easy to understand...easy english....gr88888 ...

2. I got the copy from SCRIBD at http://www.scribd.com/doc/29493199/Shadows-in-the-Cloud-20100406

3. Must read for IT Security enthusiasts!!

EAVES DROPPING RISK : EMR

1. Imagine someone sitting in a van outside a person's house can read the EMR that is emanating from the user's laptop computer inside the house and reconstruct the information from the user's monitor on a different device. Different devices have different levels of susceptibility to Tempest radiation. A handheld calculator gives off a signal as much as a few feet away, and a computer's electromagnetic field can give off emissions up to half a mile away. The distance at which emanations can be monitored depends on whether or not there are conductive media such as power lines, water pipes or even metal cabinets in the area that will carry the signals further away from the original source.

2. This problem is not a new one; defence specialists have been aware of it for over twenty years.Information on the way in which this kind of "eavesdropping" can be prevented is not freely available. Equipment designed to protect military information will probably be three or four times more expensive than the equipment likely to be used for processing of non-military information.Until recently it was considered very difficult to reconstruct the data hidden in the radiated field, and it was therefore believed that eavesdropping on digital equipment could only be performed by professionals with access to very sophisticated detection and decoding equipment. As a result, digital equipment for processing information requiring medium or low level protection, such as private and business information, is not protected against eavesdropping of this kind.

3. The EMR that is emitted by electric devices contains the information that the device is displaying or storing or transmitting. With equipment designed to intercept and reconstruct the data, it is possible to steal information from unsuspecting users by capturing the EMR signals. The U.S. government originally began studying this phenomenon in order to prevent breaches in military security. The government was using the technology to their advantage during WWII and realized that they needed to protect themselves against others using the same tactics against them. The name Tempest, or Tempest radiation originated with the U.S. military in the 1960s as the name of the classified study of what was at the time called "compromising emanations."

4. Today the phenomenon is more commonly referred to as van Eck phreaking, named after Wim van Eck, the Dutch computer scientist who brought it to general attention in 1985 when he published his paper "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?," in which he demonstrated that the screen content of a video display unit could be reconstructed at a distance using low-cost home-built equipment - a TV set with its sync pulse generators replaced with manually controlled oscillators.

5. Van Eck phreaking is a major security concern in an age of increasing pervasive computing. High-security government agencies are protecting themselves by constructing safe rooms that through the use of metallic shielding block the EMR from emanating out of the room or by grounding the signals so that they cannot be intercepted. It is possible, though costly, for individual users to shield their home computer systems from EMR leakage.

6. Thanks http://www.webopedia.com

CYBER GENOME PROJECT : U CAN BE TRACED BACK!!!!

1. The earlier mention on IP Spoofing and the pleothra of options and techniques available for attack,hack,sniff,crashing a network etc are well known for not reaching out to the origin of the person or hacker with the malaecious intention. DARPA (...please google or bing if u wish to know more on DARPA)has finally come out with the ‘Cyber Genome Program’ which will allow any digital artifact either in form of a document, or a piece of malware - to be poked into its very origins.

2. In in principle, it appears that almost any data fished from a relevant network, a computer, a pen drive, someone's phone or whatever is to be studied much as like a human genetic material. The code or document's relationships with other "digital artifacts" will be revealed, perhaps its origins, and other info of interest to a Pentagon admin defending military networks or a military/spook investigator tracing online adversaries.In other words, any code you write, perhaps even any document you create, might one day be traceable back to you - just as your DNA could be if found at a crime scene, and just as it used to be possible to identify radio operators even on encrypted channels by the distinctive "fist" with which they operated their Morse keys. Or something like that, anyway.

3. The concept is a cyber-equivalent of human finger-prints or DNA. The project will thus seek to develop a digital genotype as well as any inferred or observed phenotype in order to determine the identity of such digital artifacts and thus the users who left them behind.

4. DARPA is now looking for technologists to develop and use the cyber-equivalent of DNA to target the people behind cyber attacks. They are looking for geniuses in the fields of Cyber Genetics, Cyber Anthropology and Sociology and Cyber Physiology who can jointly work out the practical solutions to this project.The research involves creating lineage tree for digital artifacts, gaining better understanding of software evolution, and automatic analysis of social relationships between users and malware. Each of these researches will jointly develop the cyber equivalent of fingerprints or DNA.DARPA believes that this can identify the best-of-the-best hackers.

5. Thanks http://www.theregister.co.uk

Google vs Bing : On Data retention policy change

1. Ever wondered about privacy policy of search engines specifically about Google and Bing...i came to know of this recently while i read at http://www.bing.com/community/blogs/search/archive/2010/01/19/updates-to-bing-privacy.aspx on the subject.

2. In case of Bing,the amount of time IP addresses are stored from searchers is 18 months which the claim now to reduce to 6 months. Generally, when Bing receives search data ,the following things undergo action

First, steps to separate the account information (such as email or phone number) from other information (what the query was, for example).

Secondly , after 18 months another additional step of deleting the IP address and any other cross session IDs associated with the query.

3. Under the new policy, all the steps will continue as were applied previously except that now IP address will be completely removed at 6 months, instead of 18 months. Rival Google had cut retention time to 9 months from 18 in August 2008.Notwithstanding, Microsoft executives arrogates their initiative go much further than Google , because Microsoft intends deleting all parts of the IP (Internet Protocol) address after six months, while Google still retains part of the address after its self-imposed nine-month cut-off point.

4. Thanks http://microsoftontheissues.com

The ALT key Combos

Nothing new for those who are conversant with the special characters used in combination with the ALT key.Following is a small summary i could manage from technochest...for those of you who do not understand the use of such characters......they are of crucial signia in the world of PASSWORDS......got that!!!!!!

Alt +0162 = ¢ , Alt +0163 = £ , Alt +0165 = ¥ , Alt + 0128 = €

Alt +0169 = © , Alt +0174= ® , Alt + 0153 = ™ , Alt + 0161 = ¡

Alt +0177 = ± , Alt +0191 = ¿ , Alt +0215 = × , Alt + 0247 = ÷

Alt +0190 = ¾ , Alt +145 = æ , Alt + 155 = ¢ , Alt + 156 = £

Alt + 157 = ¥ , Alt +159 = ƒ , Alt + 171 = ½ , Alt + 172 = ¼

Alt + 225 = ß , Alt + 230 = µ , Alt + 241 = ± , Alt + 0134 = †