iPhone vulnerable to phishing attacks

Security researcher Aviv Raff said on Wednesday that the iPhone’s Mail and Safari applications are prone to URL spoofing and could allow phishing attacks against iPhone users.

The alert was anticipated. Prior to the release of the iPhone on July 11, Raff was one of a few security researchers who indicated they had found vulnerabilities but were waiting to see the final iPhone 2.0 release.

By crafting a specially designed URL, Raff says an attacker could create an e-mail link that appears in Mail to be from a trusted site (a financial institution or social network). By clicking the link, Safari will open to the phishing site. The issue affects users of iPhone 1.1.4 and 2.0.

Raff, who has informed Apple of the vulnerability, declined on his blog to offer more details until a patch is available.

Until then, Raff suggests iPhone users “avoid clicking on links in the Mail application which refers to trusted Web sites (e.g. bank, PayPal, social networks, etc.). Instead, a user should enter the URL of the Web site manually in the Safari application.”

Source:
http://news.cnet.com/8301-1009_3-9998070-83.html?part=rss&subj=news&tag=2547-1_3-0-5

Posted in Hardware, Internet, Privacy, Security | No Comments

Attack code imminent for DNS flaw

One day after a security company accidentally posted details of a serious flaw in the Internet’s Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. “It’s not that hard,” he said. “You’re not looking at a DNA-cracking effort.”

The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. In a telephone interview, HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write.

The flaw, a variation on what’s known as a cache poisoning attack, was announced on July 8 by IOActive researcher Dan Kaminsky, who planned to disclose full details of the bug during an Aug. 6 presentation at the Black Hat conference.

That plan was thwarted Monday, when someone at Matasano accidentally posted details of the flaw ahead of schedule. Matasano quickly removed the post and apologized for its mistake, but it was too late. Details of the flaw soon spread around the Internet.

Source:
http://www.infoworld.com/article/08/07/23/Attack_code_imminent_for_DNS_flaw_1.html

Posted in Internet, Linux, Security, Software, Windows | No Comments

How to install an SSH Server in Windows Server 2008

SSH is the secure shell, a standard defined in RFC 4251. It is a network protocol that opens up a secure channel between two devices using TCP port 22. This channel can also be used for SFTP and SCP (secure FTP and secure copy, respectively). To make this work, you need a secure server on the system you are connecting to and a secure client on the client you are connecting from.

Keep in mind that SSH is completely interoperable between different platforms. For example, you could connect to a SSH server on a Cisco router from a Windows client, you could connect to a Linux server from a Cisco router, and you could connect to a Windows 2008 Server from a Linux client.

The only possible compatibility issue is that there are two versions of SSH, SSH version 1 and SSH version 2. You should make sure that the server and client support the same versions so that you know which version you are using when you connect. Usually, this version can be negotiated.

While none of the Windows operating systems come with a SSH Server or Client, they are very easy to install.

Source:
http://www.windowsnetworking.com/articles_tutorials/install-SSH-Server-Windows-Server-2008.html

Posted in Internet, Linux, Networking, Privacy, Security, Windows | 1 Comment

Phishers Lose the URLs

Phishers are doing their homework. The conventional way is to ask users to update their accounts by asking them to click a certain link. A phishing email usually displays legitimate URL or a hyperlink. Upon clicking, the user will be redirected to the phishing Web site.

But now, there’s no URL seen in new phishing email samples we’ve discovered. They display instead a legitimate email address. This is to trick users that the recipient of the user name and password they will send is a legitimate user, but looking at the source code of the mail, it would go to an individual email address, the phisher’s.

Source:
http://blog.trendmicro.com/phishers-lose-the-urls/

Posted in Internet, Privacy, Security | No Comments

TSGrinder – Brute Force Terminal Services Server

This is a tool that has been around quite some time too, it’s still very useful though and it’s a very niche tool specifically for brute forcing Windows Terminal Server.

TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.

TSGrinder is a “dictionary” based attack tool, but it does have some interesting features like “l337″ conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a
username/password combination within a particular connection.

Source:
http://www.darknet.org.uk/2008/07/tsgrinder-brute-force-terminal-services-server/

Posted in Internet, Privacy, Security | No Comments