Google Reader’s Easter Egg
June 9, 2008 – 8:17 AMup up down down left right left right b a 🙂
via: Google Blogoscoped
New Security Tools
June 9, 2008 – 6:27 AMHere is a list of new security tools that were released in the past week.
- SQL Ninja 0.2.3 – SQL server injection and takeover tool
- fgdump 2.1.0 – Tool for mass password auditing of windows systems
- AxBan 1.0.0.4 – ActiveX killbit program
- Nmap 4.65 – Network port scanner
- Nessus 3.2.1 – Vulnerability assessment tool
- Immunity Debugger 1.6 – Debugger
- Kismet-2008-05-R1 – 802.11 wireless sniffer
Source: Infosec Events
OSWA Assistant – Wireless Hacking & Auditing LiveCD Toolkit
June 9, 2008 – 6:20 AMThe OSWA-Assistant is a no-Operating-System-required standalone toolkit which is solely focused on wireless auditing. As a result, in addition to the usual WiFi (802.11) auditing tools, it also covers Bluetooth and RFID auditing. Using the toolkit is as easy as popping it into your computer’s CDROM and making your computer boot from it!
This toolkit is a contribution to the wireless security/auditing community and, as the “Assistant” moniker implies, and is designed for the following groups of people:
- IT-security auditors and professionals who need to execute technical wireless security testing against wireless infrastructure and clients;
- IT professionals who have responsibility for ensuring the secure operation and administration of their organization’s wireless networks;
- SME (Small & Medium Enterprise) and SOHO (SmallOffice-HomeOffice) businesses who do not have either the technical expertise or the resources to employ such expertise to audit their wireless networks;
- Non-technical-users who run wireless networks at home and who would like to audit the security of their wireless home networks and laptops but don’t know how.
You can download OSWA Assistant here:
Or read more here.
Phishers Drop MySpace Bait
June 9, 2008 – 6:15 AMTrendLabs Content Security has come upon a new phishing attack that leads to the download of malware. However, unlike most instances where phishing baits are usually banks, credit unions or other financial institutions, this time it uses the popular social networking Web site MySpace.com.
The phishing URL may be contained in spammed email messages. Once recipients of said messages click or visit the URL, it displays a spoofed MySpace login page. It also uses a popup window declaring a supposed MySpace profile object error and requires that the user download the new version of a new MySpace profile object.
Therein lies the trick: When the user clicks the “continue” button, malicious files are not only downloaded but also automatically installed. The said malicious files are detected as TROJ_ZLOB.GUZ and BKDR_IRCBOT.BGY.
How safe is instant messaging?
June 9, 2008 – 5:49 AMThe number of interested parties eager to listen in on your online conversations, including what you type through instant messaging, has never been higher.
It’s trivial to monitor unencrypted wireless networks and snatch IM passwords as they flow through the ether. Broadband providers and their business partners are enthusiastically peeking into their customers’ conversations. A bipartisan majority in Congress has handed the FBI and shadowy government agencies greater surveillance authority than ever before.
The need, in other words, for secure IM communication has never been greater. But not all IM networks offer the same privacy and security. To chart the differences, CNET News.com surveyed companies providing popular IM services and asked them to answer the same 10 questions.
One focus was how secure the IM service was–in other words, does it protect users against eavesdropping? It’s been 12 years since the introduction of ICQ in 1996, and 20 years since the Usenix paper (PDF) describing the Zephyr IM protocol that spread to MIT and Carnegie Mellon University. By now, encryption should be commonplace.
We found that only half of the services provide complete encryption: AOL Instant Messenger, Google Talk, IBM’s Lotus Sametime, and Skype do. To their credit, not one service says it keeps logs of the content of users’ communications (a certain lure for federal investigators or snoopy divorce attorneys). For connection logs, Microsoft alone said it keeps none at all–though Google and Skype said their logs were deleted after a short time.
Encryption is important. If you’re using an open wireless connection, anyone who downloads free software like dSniff can intercept unencrypted IM communications streams. WildPackets sells to police an EtherPeek plug-in it says can intercept and decode unencrypted IM conversations in wiretap situations (plus Web-based e-mail, VoIP calls, and so on).
All surveys have limitations, including ours. The fact that IM encryption is used is insufficient; it could always be a poor choice of an algorithm or there could be implementation errors that allow it to be bypassed in practice. Our survey will not be the final word in this area.
