Sunday, January 30, 2011

packet injection basics .


The Packet Injection basics presentation is an in-depth tutorial on various packet injection programming techniques. We will look at how to construct various headers and then bunch them together to form a complete packet and then how to send this packet over the network. This presentation is a necessary pre-requisite for all the other packet injection videos in this tutorial series.
Please download this file, before you view the presentation







source:securitytube.net

Sunday, January 16, 2011

Hacker cracks W-LAN password in 20 mins using Amazon cloud

A German hacker says he cracked the wireless LAN password of his neighbour in 20 minutes – using the cloud computing power available on Amazon in a demonstration which he says should sensitise people and businesses to security issues.
Thomas Roth, described in Der Spiegel magazine as an IT security expert, will report on his experiment at next week’s Black Hat DC 2011 hacker conference in Washington.

The holder of a W-LAN password can not only spy on the network’s user, but also use the account to secretly start attacks on other servers, or initiate illegal downloads.

The cloud computing systems run not only by Amazon but also Google and Microsoft effectively rent out computing power. For companies which occasionally need such capacity, the idea is attractive as it saves them from having to invest in powerful computing systems of their own.

The amount of computer power in ‘the cloud’ has grown to enormous proportions – and prices have thus fallen, to between $1 and $2 an hour for the use of a very fast computer.

Roth said he easily used this power to show how a W-LAN password could be cracked.

There is already a service called WPACracker which uses 400 computers in the Amazon cloud at the same time to elicit passwords. Roth said he did not even need to use this – rather, he rented the power of a cluster GPU Instance – a group of four extremely fast computer processors.

This took just 20 minutes to crack the WPA password of his neighbour, who had agreed to the experiment. An improvement in the software could reduce this time to around six minutes, he said – which would cost less than $2.

The software tried 70 million words from a dictionary one after another, in a ‘brute force’ attack to find the password.

The WAP password security system is one of the newest, although it has been superseded by the WAP2 system in the newest WLAN systems.

However, the longer the password, the safer it is – and WAP allows up to 63 letters and numbers to be used. The best idea is to use at least 20 figures, without any recognisable words, but using capital as well as small letters as well as numbers and other signs.

Roth said he will publish his software on the internet – not to enable criminals to use it, but to sensitise people to the security issues.

“People tell me it is not possible to crack WAP,” he told Reuters newswire. “And if it were possible, they say it would cost a fortune.” But he said it is actually relatively easy.

Amazon said researchers would often use its system in order to show how security systems can be improved. But the firm said it would be an infringement of its conditions of use to compromise the security of a network. 

Saturday, January 15, 2011

Kama Sutra virus dupes with sexy promise

Hackers are spreading a nasty computer virus with a file promising a PowerPoint presentation of sexual positions from the Kama Sutra, the security firm Sophos warns.
"Be careful what you do with that mouse," Graham Cluley of Sophos said in an online post.
"When you click on the file you do get to see a real PowerPoint presentation, but in the background a backdoor Trojan called Troj/Bckdr-RFM is installed which allows hackers to gain remote access to your computer."
Once a computer is infected with the malicious software, the hacker can steal personal information and spy on users' activities or use the machine for nefarious deeds such as sending spam or attacking websites.
In scant consolation, the booby-trapped file did present slides of more than a half dozen lovemaking techniques illustrated from the ancient Indian text, according to Cluley.

Wikipedia turns 10, looking towards India

Six years of Facebook , four years of twitter. And ten years of the site you probably got that information from. Wikipedia, the San Francisco-based online encyclopedia which completes a decade on Saturday, has become the default stop for anyone searching for information on the net. 

Currently receiving 410 million unique visitors a month, the fifth most in the world, it is aiming to hit the magic 1 billion figure in the next five years. That’s where India neatly fits into its plans. The Wikimedia foundation’s India chapter was officially recognised by the Karnataka government this week and among the 300 plus events scheduled to mark the ten years, more than 60 are in India. 

“Our main strategic focus right now is on India and other countries in the developing world. Massive numbers of people are starting to get connected to the Internet, mostly through mobile phones but also through traditional PCs,” Sue Gardner, executive director, said in an interview earlier this week. When asked about India’s strengths and weaknesses as a contributor and user of Wikipedia, the chief global development officer of Wikimedia Foundation Barry Newstead, cited the commitment to freedom of speech, the fast growth of the Internet and the growing community of Indian volunteers as the major advantages. 

These are particularly relevant advantages for Wikipedia which has chosen to not move its servers to China until its concerns over censorship are addressed. The challenges remain the large number of languages in use and the technical barriers they still face in terms of reading and writing on the net. “To me, Wikipedia is a reflection of the potential of the internet. Wikipedia would simply not exist without it. We have also benefited immensely from the principles and values associated with the idea that knowledge should be free,” he added. 

It is this idea, apart from its handiness as a starting point for research, that has won it many unflinching supporters. The online dictionary also steers clear of using advertising as a means to stay afloat. And it seems to be working. Its reliance as a not-for-profit organisation on donations from a community of readers, contributors and friends has led to the raising of $16 million in donations in 50 days in a recently-completed fund raising drive. “At the heart of Wikipedia’s success is a human potential for altruism and collaboration. Hundreds of thousands of people have clicked edit and made Wikipedia a tiny bit better with each click. They do this without fanfare or recognition, but to share knowledge freely,” Newstead said. 

Concerns over accuracy have been the biggest stumbling block as principle of democratisation of content has sometimes trumped quality control. But for a site that relies on some 100,000 regular contributors who work for free and the general public to write and edit its articles in 270 languages, it has a reputation for getting things right more often than wrong. In fact, the journal Nature reported in 2006 its accuracy was close to that of Encyclopedia Britannica. With expansion plans in the offing, this is one area that will determine the extent of the site’s success. 

Anirudh Bhati, member, executive council of the Wikimedia India chapter and organiser of the celebrations in Delhi, said,” We have received a very enthusiastic response to the tenth anniversary celebrations from people. In our interactive sessions as part of the anniversary we have tried to explain to people our policy of neutrality and that we are not here to do original research but gather facts from secondary reliable sources.” As they say, the best things in life are always free. And may they continue to remain so. 

Friday, January 7, 2011

Android uses cloud security from Trend Micro


Trend Micro recently upgraded its security system for desktop computers to rely heavily on cloud-based detection and protection, and now it's bringing that same network to Android devices.
Trend Micro Mobile Security for Android
(Credit: Trend Micro)
Trend Micro Mobile Security for Android secures your device in four ways. It offers a "safe surfing" feature that prevents phishing attacks and illicit access to your identity and banking information. It also powers the parental controls for Web site content blocking. There's a customized blacklist for call and text filtering, and a download guard that prevents malicious or fraudulent apps from installing on your device.
Trend Micro is the first security company to extend its proprietary cloud-based heuristic- and reputation-based network to smart phones. The benefit of such networks initially was twofold: to allow for more responsive, reflexive security; and to allow the publisher to shrink the size of the of the desktop client. Similar desktop competitors include Microsoft's Security Essentials and Panda's Cloud Antivirus. Trend Micro's Mobile Security for Android appears to be the first time such a network has been used in mobile protection.
The company also has an iPhone and iPad app called Smart Surfing, which also uses its Smart Protection network to verify the safety of URLs visited on the iOS browser.
(Credit: Trend Micro)
Trend Micro Mobile Security for Android comes with a 30-day free trial, and retails for $3.99. You can download it from the Android Market, or scan the QR code.

Monday, January 3, 2011

Saturday, January 1, 2011

using Bit Torrent as DDos attack tool

A recent talk at the Chaos Communications Congress revealed how BitTorrent swarms can be exploited to take down large websites with relative ease. A vulnerability in the technology behind so called trackerless torrents makes it possible for someone to trick downloaders of popular files into send thousands of requests to a webserver of choice, taking it down as a result. Basically, this turns BitTorrent into a very effective DDoS tool.
BitTorrent is one of the most effective technologies to transfer large digital files to many people at once. Unlike a central server, transfers actually tend to go faster as more people share the same files. This characteristic is one of the reasons why it has evolved into the dominant file-sharing platform in recent years.
Every day millions of people are downloading files via BitTorrent, and in some instances more than 100,000 people are sharing the same file at the same time. These large ‘swarms’ of peers are great for sharing, but they also pose a threat as became apparent at the Chaos Communications Congress (CCC) recently.
In a talk titled “Lying To The Neighbours” it was shown that the DHT technology which powers “trackerless torrents” can be abused to let BitTorrent downloaders effectively DDoS a webserver of choice. DHT’s normal function is to find peers who are downloading the same files, but without communicating with a central BitTorrent tracker. This ensures that downloads can continue even when the central tracker goes offline.
According to the presenter who goes by the name ‘Astro’, Kademlia based DHT can be exploited by a malicious peer to carry out a DDoS attack. If there are enough peers downloading the same file, this could easily take down medium to large websites. The worrying part is that the downloaders who are participating in the DDoS will not be aware of what’s going on.
“The core problem are the random NodeIDs. The address hashing and verification scheme works for scenarios like the old Internet, but becomes almost useless in the big address space of IPv6,” Astro told TorrentFreak in a comment. As a result, any BitTorrent swarm can be abused to target specific websites and potentially take them down.
This and other DHT vulnerabilities are not entirely new concepts for BitTorrent developers. They have been discussed in various places already, but no agreement on how they should be dealt with has yet been reached.
Over the last months DDoS attacks have been in the news regularly, mostly carried out under the flag of Anonymous’ Operation Payback. Initially anti-piracy targets such as the MPAA and RIAA were taken offline, and last month the focus switched to organizations that acted against Wikileaks, including Mastercard and Paypal.
While these attacks required hundreds of people to actively participate and fire up their LOIC application at the same time, the BitTorrent DDoS could take down the same sites from a single computer, using BitTorrent downloads as a ‘botnet’. But, where there’s a problem there’s a solution, and Astro has some pointers for BitTorrent developers.
“Not connecting to privileged ports (< 1024) where most critical services reside," is one ad-hoc solution, but Astro says that since it's a design error, the protocol has to be redefined eventually.
The idea of using BitTorrent as a DDoS tool is not entirely new. In fact, researchers have previously shown that adding a webserver’s IP address as a BitTorrent tracker could result in a similar DDoS. The downside of this method is, however, that it requires a torrent file to become popular, while the DHT method can simply exploit existing torrents that are already being downloaded by thousands of people.
It will be interesting to see if BitTorrent developers are going to act upon the DHT vulnerability in the coming months and come up with a solution to prevent this kind of abuse.

Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | Best Web Host