Friday, August 29, 2008
iPhone hack
Source Taken from The Register:
iPhone passwords not worth the paper they're written on
iPhones protected by a password aren't actually protected at all, as just by pressing a few keys a miscreant can access all the phone's functions without needing the password at all.
The trick, reported by MacRumours, is simply a press of the "Emergency Call" key from the passcode entry screen, followed by a double-tap on the home button. That takes the miscreant into favourites, from which they can access the address book, from which they can get into the e-mail client (by tapping a contact's e-mail address) or the browser (by tapping a URL).
Clearly Apple has missed a trick here, and a fix should be quickly forthcoming, but it bodes badly for a device which is trying to sell itself into the enterprise and is already under fire for lacking important security features.
Concerned users can secure their devices by disabling the home button double-tap (Settings > General > Home Button > Checkmark Home), though it really shouldn't be working at all at that point.
Users might argue that a device password should never be relied upon, but one that is so trivial to bypass makes a mockery of the very concept. It's unlikely that this security problem will do more than attract ridicule to the iPhone security model, but it's ridicule that Apple could do without while they're trying so hard to have the iPhone taken seriously as a business device.
iPhone passwords not worth the paper they're written on
iPhones protected by a password aren't actually protected at all, as just by pressing a few keys a miscreant can access all the phone's functions without needing the password at all.
The trick, reported by MacRumours, is simply a press of the "Emergency Call" key from the passcode entry screen, followed by a double-tap on the home button. That takes the miscreant into favourites, from which they can access the address book, from which they can get into the e-mail client (by tapping a contact's e-mail address) or the browser (by tapping a URL).
Clearly Apple has missed a trick here, and a fix should be quickly forthcoming, but it bodes badly for a device which is trying to sell itself into the enterprise and is already under fire for lacking important security features.
Concerned users can secure their devices by disabling the home button double-tap (Settings > General > Home Button > Checkmark Home), though it really shouldn't be working at all at that point.
Users might argue that a device password should never be relied upon, but one that is so trivial to bypass makes a mockery of the very concept. It's unlikely that this security problem will do more than attract ridicule to the iPhone security model, but it's ridicule that Apple could do without while they're trying so hard to have the iPhone taken seriously as a business device.
Labels: iPhone hack
Wednesday, August 27, 2008
The dirty laundry -- Cache it !
The cache can help to speed up loading of pages for commonly visited page. But it serves more than just that.
For restricted site, it prove to be handy when you have forgotten your password and would like to see its content without the need to log in. And google will gladly lend you a hand....
Source Taken from The Register:
That password-protected site of yours - it ain't
It's one of the simplest hacks we've seen in a long time, and the more elite computer users have known about it for a while, but it's still kinda cool and just a little bit unnerving: A hacker has revealed a way to use Google and other search engines to gain unauthorized access to password-protected content on a dizzying number of websites.
While plenty of webmasters require their visitors to register or pay a fee before viewing certain pages, they are typically more than eager for search engine bots to see the content for free. After all, the more search engines that catalog the info, the better the chances of luring new users.
But the technique, known as cloaking, has a gaping loophole: if Google and other search engines can see the content without entering a password, so can you. Want to read this forum from the InkDrop Styles website? You can, but first you'll have to enter a user name and password. Or you can simply type "cache:http://forums.inkdropstyles.com/index.php?showtopic=4227" into Google. It leads you to this cache, which shows you the entire thread.
The technique yields plenty of other restricted forums, including those here, here and here.
Those in the know have been using the trick for years, but a hacker who goes by the handle Oxy recently made this post that shares the technique with the world at large. It reminds us of a similar approach for accessing restricted sites that involves changing a browser's user agent to one used by search engine bots.
The hack is one example of the security problems that result from the practice of cloaking. Robert Hansen, the web security guru and CEO of secTheory recently alerted us to the compromised blog of Blake Ross, the co-founder of the Mozilla Firefox project who recently went to work for Facebook. For more than a month, unknown miscreants have been using his site to host links to sites pushing diet pills and other kinds of drugs.
Thanks the some javascript magic, users who visit the site never see evidence of the compromise, i.e. the links are cloaked. But the image below shows what happens when javascript is disabled.
We've contacted Blake about his website, but haven't yet received a response. Cleaning up the site ought to be as easy as updating his badly out-of-date version of WordPress. Addressing the shadowy world of cloaking will take a bit more work. ®
For restricted site, it prove to be handy when you have forgotten your password and would like to see its content without the need to log in. And google will gladly lend you a hand....
Source Taken from The Register:
That password-protected site of yours - it ain't
It's one of the simplest hacks we've seen in a long time, and the more elite computer users have known about it for a while, but it's still kinda cool and just a little bit unnerving: A hacker has revealed a way to use Google and other search engines to gain unauthorized access to password-protected content on a dizzying number of websites.
While plenty of webmasters require their visitors to register or pay a fee before viewing certain pages, they are typically more than eager for search engine bots to see the content for free. After all, the more search engines that catalog the info, the better the chances of luring new users.
But the technique, known as cloaking, has a gaping loophole: if Google and other search engines can see the content without entering a password, so can you. Want to read this forum from the InkDrop Styles website? You can, but first you'll have to enter a user name and password. Or you can simply type "cache:http://forums.inkdropstyles.com/index.php?showtopic=4227" into Google. It leads you to this cache, which shows you the entire thread.
The technique yields plenty of other restricted forums, including those here, here and here.
Those in the know have been using the trick for years, but a hacker who goes by the handle Oxy recently made this post that shares the technique with the world at large. It reminds us of a similar approach for accessing restricted sites that involves changing a browser's user agent to one used by search engine bots.
The hack is one example of the security problems that result from the practice of cloaking. Robert Hansen, the web security guru and CEO of secTheory recently alerted us to the compromised blog of Blake Ross, the co-founder of the Mozilla Firefox project who recently went to work for Facebook. For more than a month, unknown miscreants have been using his site to host links to sites pushing diet pills and other kinds of drugs.
Thanks the some javascript magic, users who visit the site never see evidence of the compromise, i.e. the links are cloaked. But the image below shows what happens when javascript is disabled.
We've contacted Blake about his website, but haven't yet received a response. Cleaning up the site ought to be as easy as updating his badly out-of-date version of WordPress. Addressing the shadowy world of cloaking will take a bit more work. ®
Friday, August 01, 2008
The Hype is in - DNS Cache Posioning
In today time, the rising cost of living, black hat alike we are living in total reality. Crashing a server doesn't interest them no more, then wat is it ??? Money would have a more direct benefit to them now. I could see trend focusing earning more money using their skills. Tying up with spammers / credit card grabber would spell trouble for us.
Source Taken from The Register:
Black hats attack gaping DNS hole
Miscreants are actively exploiting a gaping hole in the internet's address lookup system that can cause millions of web surfers to receive counterfeit pages when they try to access online banking services and other types of websites.
The first confirmed instance came on Tuesday, when security researcher H D Moore discovered a domain-name service server operated by AT&T had been compromised. The attack caused Moore and other AT&T subscribers to be redirected to a fake Google page that tried to push affiliate advertising sites.
According to Dan Kaminsky, the researcher who first warned of the DNS vulnerability, "there are definitely other confirmed attacks," but non-disclosure agreements prevent him from giving details.
Equally concerning, Kaminsky said, is the sophistication the AT&T attackers showed in carrying out their attack. Rather than use exploit code added last week to Metasploit, a penetration testing kit that just happens to be maintained by Moore, the miscreants fashioned their own program that stealthily redirected users trying to visit Google to an impostor site.
"That was a wildly mature attack," Kaminsky told The Register. "Someone had an entire infrastructure built to attack Google's click-fraud system. That's a significant amount of code."
For more than a week, other researchers pointed to an increase in queries to DNS servers and other evidence suggesting attacks, but the AT&T exploit is the first to be documented.
As we reported last week, AT&T was one of the many laggard internet service providers reported to be dragging their feet in applying patches that fix the devastating DNS flaw. Kaminsky says more ISPs appear to be getting the message. Last week, about 51 per cent of unique name servers tested on his site (see the "check my DNS" button to the right) showed up as vulnerable. Now, he says it's closer to 35 percent.
In most cases, installing the patch is a straight-forward affair, but not always. Paul Vixie, head of the organization that maintains Berkeley Internet Name Domain, the net's most popular DNS server software, recently said updates patching the flaw could cut performance under heavy loads. Vixie said he believed fixing the flaw was more important than suffering slower performance. An update improving performance is in the works.
Even still, it's been more than three weeks since Kaminsky, Vixie and a choir of other influential net figures began imploring organizations to run the patch. Now that attacks have been confirmed in the wild, it's hard to imagine a justification for not doing so.
To test whether your ISP is an offender, please run the tests here or here, and report the results in the comments section. Be sure to include the name server's IP address and the name of the ISP. ®
Source Taken from The Register:
Black hats attack gaping DNS hole
Miscreants are actively exploiting a gaping hole in the internet's address lookup system that can cause millions of web surfers to receive counterfeit pages when they try to access online banking services and other types of websites.
The first confirmed instance came on Tuesday, when security researcher H D Moore discovered a domain-name service server operated by AT&T had been compromised. The attack caused Moore and other AT&T subscribers to be redirected to a fake Google page that tried to push affiliate advertising sites.
According to Dan Kaminsky, the researcher who first warned of the DNS vulnerability, "there are definitely other confirmed attacks," but non-disclosure agreements prevent him from giving details.
Equally concerning, Kaminsky said, is the sophistication the AT&T attackers showed in carrying out their attack. Rather than use exploit code added last week to Metasploit, a penetration testing kit that just happens to be maintained by Moore, the miscreants fashioned their own program that stealthily redirected users trying to visit Google to an impostor site.
"That was a wildly mature attack," Kaminsky told The Register. "Someone had an entire infrastructure built to attack Google's click-fraud system. That's a significant amount of code."
For more than a week, other researchers pointed to an increase in queries to DNS servers and other evidence suggesting attacks, but the AT&T exploit is the first to be documented.
As we reported last week, AT&T was one of the many laggard internet service providers reported to be dragging their feet in applying patches that fix the devastating DNS flaw. Kaminsky says more ISPs appear to be getting the message. Last week, about 51 per cent of unique name servers tested on his site (see the "check my DNS" button to the right) showed up as vulnerable. Now, he says it's closer to 35 percent.
In most cases, installing the patch is a straight-forward affair, but not always. Paul Vixie, head of the organization that maintains Berkeley Internet Name Domain, the net's most popular DNS server software, recently said updates patching the flaw could cut performance under heavy loads. Vixie said he believed fixing the flaw was more important than suffering slower performance. An update improving performance is in the works.
Even still, it's been more than three weeks since Kaminsky, Vixie and a choir of other influential net figures began imploring organizations to run the patch. Now that attacks have been confirmed in the wild, it's hard to imagine a justification for not doing so.
To test whether your ISP is an offender, please run the tests here or here, and report the results in the comments section. Be sure to include the name server's IP address and the name of the ISP. ®
