A photo that can steal your online credentials

August 4, 2008 – 9:07 AM

At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they’ve developed that could steal online credentials from users of popular Web sites such as Facebook, eBay, and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

“We’ve been able to come up with a Java applet that for all intents and purposes is an image,” said John Heasman, vice president of research at NGS Software.

They call this type of file a GIFAR, a contraction of GIF and JAR, the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.

To the Web server, the file looks exactly like a .gif file; a browser’s Java virtual machine, however, will open it as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim’s browser. For its part, the browser treats this malicious applet as though it were written by the Web site’s developers.

Here’s how an attack would work: The bad guys would create a profile on one of these popular Web sites — Facebook, for example — and upload their GIFAR as an image on the site. Then they’d trick the victim into visiting a malicious Web site, which would tell the victim’s browser to go open the GIFAR. At that point, the applet would run in the browser, giving the bad guys access to the victim’s Facebook account.
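A server-side upload check that catches the hybrid described above, added here as an example (it is not code from the article or from NGS Software). It relies on two facts: a JAR is a ZIP archive, and ZIP readers locate an archive from its end-of-central-directory record at the tail of the file, ignoring whatever precedes it, which is what lets a GIF prefix satisfy the Web server. The sample inputs are constructed byte strings, not real images or applets; the function and constant names are this example's own.

```python
"""Upload-side check for GIF/JAR polyglots (added example, not from the article).

A naive upload filter checks only the leading magic bytes. Because ZIP/JAR readers
find the archive by scanning backwards from the end of the file for the
"end of central directory" (EOCD) record, a file can carry a valid GIF header at
the front and a complete archive at the back. This check refuses any "image"
whose tail parses as an EOCD record.
"""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"      # signature of the ZIP end-of-central-directory record
EOCD_FIXED_LEN = 22           # fixed part of that record
MAX_COMMENT_LEN = 0xFFFF      # a ZIP comment of up to 64 KiB may follow the record


def is_gif(data: bytes) -> bool:
    """What a naive upload filter checks: does the file start with a GIF signature?"""
    return data.startswith(GIF_MAGICS)


def find_zip_trailer(data: bytes):
    """Return the central-directory offset if the tail of ``data`` is a ZIP EOCD
    record (i.e. a ZIP/JAR reader would open this file), otherwise None.
    The search mirrors what archive readers do: only the last 64 KiB + 22 bytes matter."""
    window_start = max(0, len(data) - EOCD_FIXED_LEN - MAX_COMMENT_LEN)
    pos = data.rfind(EOCD_SIG, window_start)
    if pos == -1 or len(data) - pos < EOCD_FIXED_LEN:
        return None
    (_disk_no, _cd_disk, _entries_here, _entries_total,
     _cd_size, cd_offset, comment_len) = struct.unpack(
        "<HHHHIIH", data[pos + 4:pos + EOCD_FIXED_LEN])
    # A genuine record is followed by exactly comment_len bytes and nothing else.
    if pos + EOCD_FIXED_LEN + comment_len != len(data):
        return None
    return cd_offset


def check_image_upload(data: bytes) -> str:
    """Decision for an uploaded 'image': accept only files that are GIF at the
    front AND do not end in a ZIP archive."""
    if not is_gif(data):
        return "reject: not a GIF"
    if find_zip_trailer(data) is not None:
        return "reject: GIF header but ZIP/JAR trailer (polyglot)"
    return "accept"


# Constructed test inputs (not real images or archives): a GIF-like prefix, and
# the same prefix with an empty-archive EOCD record appended, which is all a ZIP
# reader needs in order to treat the file as an archive.
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
SAMPLE_POLYGLOT = SAMPLE_GIF + EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    samples = (("clean gif", SAMPLE_GIF),
               ("polyglot", SAMPLE_POLYGLOT),
               ("plain zip", b"PK\x03\x04" + b"\x00" * 30))
    for name, blob in samples:
        print(f"{name:10s} -> {check_image_upload(blob)}")
```

Two further layers are worth combining with this check: re-encoding every uploaded image through an image library (which discards any trailing bytes), and serving user-supplied files from a separate origin, so that content a user uploaded is never treated by the browser as code belonging to the site itself.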

Source:
http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html

Wi-Fi networks suffer ‘autoimmune’ attacks

August 4, 2008 – 7:08 AM

Just as the body’s immune system sometimes mistakenly attacks its own cells, so the security software intended to protect network users can be fooled into attacking them. This could make attacks by hackers even harder to detect and prevent.

Security software typically prevents unauthorised access by encrypting most of the data transmitted across a network, preventing hackers from exploiting it to cause trouble. However, the administrative commands used to authorise or exclude users are usually sent “in the clear”, for simplicity’s sake.

That means hackers can use fake commands to disconnect users, in so-called denial-of-service (DoS) attacks. To try to prevent this, security software is designed to check that messages are valid before they’re relayed to users and acted upon.
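A sensor-side detector for the forged-disconnect problem described above, added here as an example (it is not from the article or from the researchers' work). It parses raw 802.11 management frame headers and flags a sender that emits an abnormal burst of deauthentication or disassociation frames; because these frames carry no authentication in the base standard, a monitor can only recognise abuse by its rate. The capture is a constructed list of synthetic frames, and the threshold and window are arbitrary starting values.

```python
"""Detector for bursts of deauthentication/disassociation frames (added example,
not from the article). Works on raw 802.11 frames as a monitor-mode sensor would
see them, without the radiotap header."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
KICK_SUBTYPES = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)


def parse_mgmt_frame(frame: bytes):
    """Parse the 24-byte 802.11 MAC header. Returns a dict for management frames,
    None for anything else (data/control frames, truncated input)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3        # bits 2-3 of frame control: frame type
    subtype = (fc0 >> 4) & 0xF      # bits 4-7: frame subtype
    if ftype != MGMT_TYPE:
        return None
    info = {
        "subtype": subtype,
        "dst": frame[4:10].hex(":"),
        "src": frame[10:16].hex(":"),
        "bssid": frame[16:22].hex(":"),
        "reason": None,
    }
    # Deauth and disassoc bodies start with a 2-byte little-endian reason code.
    if subtype in KICK_SUBTYPES and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(capture, threshold=10, window_s=1.0):
    """capture: iterable of (timestamp_seconds, raw_frame_bytes).
    Flags each (bssid, src) pair the first time it sends `threshold` or more
    deauth/disassoc frames within a sliding window of `window_s` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for ts, raw in sorted(capture, key=lambda item: item[0]):
        info = parse_mgmt_frame(raw)
        if info is None or info["subtype"] not in KICK_SUBTYPES:
            continue
        key = (info["bssid"], info["src"])
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window_s:
            times.popleft()
        if len(times) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"bssid": key[0], "src": key[1], "count": len(times),
                           "first": times[0], "last": ts, "reason": info["reason"]})
    return alerts


# --- constructed sample capture (synthetic frames, not a real pcap) ------------
AP = bytes.fromhex("021122334455")
STA1 = bytes.fromhex("02aabbccdd01")
STA2 = bytes.fromhex("02aabbccdd02")
BROADCAST = b"\xff" * 6


def _frame(subtype: int, dst: bytes, src: bytes, bssid: bytes, reason=None) -> bytes:
    """Build a minimal management-frame header for the sample capture only."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    hdr = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"   # duration, addrs, seq ctrl
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")


SAMPLE_CAPTURE = (
    # normal beacons every ~100 ms, then two legitimate deauths five seconds apart
    [(0.1 * i, _frame(SUBTYPE_BEACON, BROADCAST, AP, AP)) for i in range(100)]
    + [(1.0, _frame(SUBTYPE_DEAUTH, STA1, AP, AP, reason=3)),
       (6.0, _frame(SUBTYPE_DEAUTH, STA2, AP, AP, reason=3))]
    # a data frame (type 2), which the parser must ignore
    + [(2.0, b"\x08\x00" + b"\x00\x00" + STA1 + AP + AP + b"\x00\x00" + b"payload")]
    # a burst of 15 broadcast deauths in 300 ms carrying the AP's own address
    + [(10.0 + 0.02 * i, _frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7))
       for i in range(15)]
)

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print(alert)
```

Rate-based detection only narrows the window; the protocol-level answer is management frame protection (IEEE 802.11w), which adds integrity protection to deauthentication and disassociation frames so that a station can discard forged ones outright.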

Source:
http://technology.newscientist.com/channel/tech/mg19926676.100-wifi-networks-suffer-autoimmune-attacks.html?feedId=tech_rss20

Freezing the Cold-Boot Attack

August 1, 2008 – 1:14 PM

A security expert who helped pioneer some of the research behind the recent cold-boot attack discovery by researchers at Princeton University will reveal next week at Black Hat USA the technical details of methods he developed for protecting an encrypted laptop from the hack.

The software-based techniques defend against so-called cold boot attacks on machines that were recently shut down or are in hibernate or screen-lock modes, by protecting the encryption keys themselves. The cold boot attack exploits the brief window after shutdown, or during sleep, in which cryptographic keys remain in DRAM, and retrieves those keys from memory during that window.

To date, most preventative measures have required users to turn off their machines when they were finished, and to then sit and watch them for about five minutes, says Patrick McGregor, CEO of BitArmor, which has built technology to defend against cold-boot attacks.

“Some people have dismissed the cold boot attack as a minor issue, but that’s not true. To pull off the attack, all you have to do is literally stick a USB into the laptop you get your hands on,” McGregor says. “It doesn’t require any technical skill — you can easily get automated tools to perform the attack for you.”

The epidemic of stolen laptops has brought the vulnerability to the fore: last year, over 600,000 laptops were stolen from airports alone, McGregor notes. “And all the information on those machines is vulnerable to cold-boot attacks.”

Source:
http://www.darkreading.com/document.asp?doc_id=160626

Researcher reveals Twitter ‘follow’ bug

August 1, 2008 – 9:56 AM

Attackers can exploit a bug in Twitter to force victims to follow the hacker’s account, a security researcher said Thursday.

According to Aviv Raff, the Twitter vulnerability could expose users to malware-hosting Web sites. “It can force people to follow you, which means all your twits will be showed in their Twitter home page — including potentially malicious links,” Raff said during an interview conducted via instant messaging.

On a site dubbed “Twitpwn” that he launched earlier Thursday to report research he’s done on the social networking and micro-blogging service, Raff spelled out only the basics. “Twitter security team was notified on 31-July-2008,” he said on the site. “Technical details will be added as soon as this vulnerability will be fixed.”

Twitter will have a fix in place by Friday, Raff added.

An attacker can currently leverage the bug by tricking users into clicking on a link on a malicious or hacked Web site. From that point, the victim’s Twitter account is automatically set to follow the attacker’s.

Source:
http://www.networkworld.com/news/2008/073108-researcher-reveals-twitter-follow.html?fsrc=rss-security

SIPcrack – SIP Login Dumper & Hash/Password Cracker

August 1, 2008 – 5:50 AM

SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol.

The tools support pcap files, wordlists and more, so that all the information needed can be extracted from a capture and the passwords of the sniffed accounts brute-forced.

If you don’t have OpenSSL installed or encounter any building problems try ‘make no-openssl’ to build with integrated MD5 function (which is slower than the OpenSSL implementation).

Usage

Use sipdump to dump SIP digest authentications to a file. If a login is found, the sniffed login is written to the dump file. See ‘sipdump -h’ for options.

Use sipcrack to bruteforce the user password using the dump file generated by sipdump. If a password is found, the sniffed login in the dump file is updated. See ‘sipcrack -h’ for options.
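To show what sipdump captures and what sipcrack tests against, here is the digest computation that SIP inherits from HTTP digest authentication (RFC 2617, carried into SIP by RFC 3261), added as an example that is not part of SIPcrack. It verifies a REGISTER the way a registrar does; the sample Authorization header is constructed (its response value is produced by the same function for a made-up password and nonce), and the RFC's published test vector is used as a self-check of the implementation.

```python
"""SIP/HTTP digest authentication: compute and verify the response value.
Added example, not part of SIPcrack. Algorithm is MD5 (the SIP default)."""
import hashlib
import hmac
import re

# k=v or k="v" parameters of a Digest header
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 response: MD5(HA1:nonce[:nc:cnonce:qop]:HA2) with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop:
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(header: str) -> dict:
    """Parse the value of a SIP Authorization / Proxy-Authorization header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {key: quoted or unquoted for key, quoted, unquoted in _PARAM_RE.findall(params)}


def verify(header: str, method: str, password: str) -> bool:
    """What the registrar does: recompute the response from the stored password
    and compare it with the one the client sent. Everything except the password
    is visible on the wire, which is why a sniffed header can be checked offline."""
    p = parse_digest_header(header)
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], qop=p.get("qop"),
                               nc=p.get("nc"), cnonce=p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"].lower())


# Published test vector from RFC 2617 section 3.5 (password "Circle Of Life").
RFC2617_VECTOR = dict(username="Mufasa", realm="testrealm@host.com", method="GET",
                      uri="/dir/index.html", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      qop="auth", nc="00000001", cnonce="0a4f113b")
RFC2617_RESPONSE = "6629fae49393a05397450978507c4ef1"

# Constructed sample of what a sniffer pulls from one REGISTER. The nonce is a
# placeholder and the response is generated here for a made-up password.
SAMPLE_PASSWORD = "w1nter2008"
SAMPLE_HEADER = (
    'Digest username="alice", realm="sip.example.org", nonce="constructed-nonce-0001", '
    'uri="sip:sip.example.org", response="%s", algorithm=MD5'
    % digest_response("alice", "sip.example.org", SAMPLE_PASSWORD, "REGISTER",
                      "sip:sip.example.org", "constructed-nonce-0001")
)

if __name__ == "__main__":
    v = dict(RFC2617_VECTOR)
    method = v.pop("method")
    print("RFC 2617 vector ok:", digest_response(password="Circle Of Life", method=method, **v) == RFC2617_RESPONSE)
    print("right password:", verify(SAMPLE_HEADER, "REGISTER", SAMPLE_PASSWORD))
    print("wrong password:", verify(SAMPLE_HEADER, "REGISTER", "guess"))
```

The same recomputation repeated over a wordlist is all sipcrack does, and nothing in the exchange slows it down, so the defence is to keep the exchange off the wire (SIP over TLS) and to give each account a password that no wordlist will contain.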

Source:
http://www.darknet.org.uk/2008/08/sipcrack-sip-login-dumper-hashpassword-cracker/