comp527

course blog for COMP 527: Computer Systems Security

Vulnerability in SSL Protocol.

with 2 comments

A serious “protocol level” vulnerability is reported to be found in SSL. (see here)

According to the website of the company who discovered the vulnerability (link), which they call SSL authentication gap: “Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched.”

It is surprising to know that such a widely used protocol can be vulnerable.

Written by sshekhar

November 5th, 2009 at 1:42 pm

Posted in Uncategorized

Google Chrome Comic Book

without comments

I found an interesting website, when I was searching for “Google Chrome”. It consists of 40 comics, which describe the ideas behind creating a multi-process browser. Like all Google products, Google Chrome is simple, efficient and minimalist. I highly recommend trying it, if you haven’t used it before.

I think we can all be inspired by these comics while designing our Quiltwork browser.

Written by ersin

November 3rd, 2009 at 11:27 pm

Posted in Uncategorized

Jailbroken iPhone Security

without comments

Here is a reminder that if you want to escape Apple’s security, you’d better know what you’re doing and enforce your own.

A hacker from the Netherlands used port scanning to find jailbroken iPhones running SSH whose users were careless enough to leave the default root password after jailbreaking their phones. He initially demanded 5 euros for fixing a hacked iPhone and has now published the solution for undoing what he did.

Personal opinion: Those who got their iPhones hacked should have at least said thank you for uncovering how insecure their phones were instead of accepting his apologies for what he has done.

Written by as44

November 3rd, 2009 at 6:48 pm

Can hacking cable modems get you in jail?

without comments

Ryan Harris, an expert on cable modem hacking who has been selling unlocked cable modems through a small company, is facing criminal charges of wire fraud and computer fraud.
In his defence he claims that: “arresting every firearms dealer, because handguns can be used to commit murder.”

Read more here

A/N: If the fact that one of his programs is called “Coax Thief” puts him in a bad light, then a note for all those hacking: Make sure you name all of your software things like “Safe Program Thingy” or “Well Behaved Program”. More importantly, don’t you dare use user or socket messages like “It’s hacked” or “Hack in place”, or variable or function names with similar connotations!

Written by as44

November 3rd, 2009 at 6:29 pm

Smartphone Security

with 2 comments

As if worrying about security on your computer wasn’t enough, your smartphone is increasingly becoming a significant target.

Besides the standard virus and worm attacks via email attachments, one recent attack used the phone’s bluetooth capabilities to spread between other nearby bluetooth-enabled devices.

Research indicates that a significant amount of the problem is that, while many users know to be careful on their home computer, many people feel their phone is more immune to security threats. Not so. The article’s suggestion – “treat your smartphone like a computer, not a telephone.”

Unfortunately, there are many people who don’t treat their home computer security properly, much less their smartphone security. People need to continue to be educated about internet security. If you’re going to fall for a phishing attack on your home computer, you’re probably going to fall for anything on your smartphone. Awareness is key.

News article: http://www.cnn.com/2009/TECH/10/25/smartphone.security/index.html

Written by Chase

October 26th, 2009 at 3:45 pm

Posted in privacy, real world


Top three phishing target sites in China

without comments

According to a report from the Anti-Phishing Alliance of China (APAC), as of Oct. 22nd, APAC has handled a cumulative total of 8342 phishing site domains in China. The top three targets of phishing sites are TengXun (famous for its IM client QQ), TaoBao (the biggest online shopping site in China), and ICBC (Industrial and Commercial Bank of China).

Another astonishing figure shows that out of 338 million internet users in China, about 110 million have had an account or password stolen in the past half year!

It is really a tough task to protect accounts and passwords for general users.

News source: http://www.chinanews.com.cn/it/it-itxw/news/2009/10-26/1931366.shtml

Written by superzap

October 26th, 2009 at 1:21 pm

Posted in Uncategorized

How safe is wireless access???

without comments

A recent bug in Time Warner cable modems exposed the wireless admin site to potential hackers. About 65,000 users are affected by this. More details can be found here

The most amazing part of this is that the administrative portion was guarded only by JavaScript code. Simply toggling the JavaScript option exposed this vulnerability.

I admire David Chen for reporting this issue to the concerned authorities. His ethics would go a long way.

A question which always seems to pop up is “How secure is wireless access?”. Ever since the first draft of the 802.11 specifications, people have been able to exploit wireless networks easily.

A classic paper which uncovered the lame security aspects was “Intercepting Mobile Communications: The Insecurity of 802.11” (link). This paper showed some very simple tricks to attack the wireless medium. It was an eye opener to the 802.11 committee who formed the very basis of the protocol.

In my opinion, we require a new framework to test these vulnerabilities. Even if the protocol is safe, there is some implementation problem. If the implementation is right, there is an issue with hardware and this chain keeps going on…

Written by Kamal Sharma

October 25th, 2009 at 12:05 am

Posted in privacy, real world
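A small illustration of the failure described in this post, added here as an example and not part of the original post: an admin page whose only guard is a script the server sends to the browser, beside one that checks a server-issued session before emitting any admin content. The routes, cookie name and session tokens are constructed for the example.

```javascript
// Added example: client-side "guarding" versus server-side access control.
// All routes, cookie names and tokens below are constructed for illustration.

// Weak pattern: the server always returns the admin page; the only guard is
// a script inside that page that redirects visitors without an admin cookie.
// A client with JavaScript disabled never runs it and keeps the full page.
function weakHandler(req) {
  if (req.path !== "/admin") return { status: 404, body: "" };
  const guard =
    '<script>if(!document.cookie.includes("admin=1"))location="/login";</script>';
  return { status: 200, body: guard + "<h1>Admin settings</h1>" };
}

// Hardened pattern: the server validates a session it issued itself before
// emitting any admin content, so the client's script settings do not matter.
const VALID_SESSIONS = new Map([
  ["constructed-admin-session-token", { role: "admin" }],
  ["constructed-user-session-token", { role: "user" }],
]);

function parseCookies(header) {
  const cookies = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) cookies[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return cookies;
}

function hardenedHandler(req) {
  if (req.path !== "/admin") return { status: 404, body: "" };
  const cookies = parseCookies((req.headers && req.headers.cookie) || "");
  const session = VALID_SESSIONS.get(cookies.session);
  if (!session || session.role !== "admin") {
    // Nothing of the admin page leaves the server for unauthorised requests.
    return { status: 403, body: "Forbidden" };
  }
  return { status: 200, body: "<h1>Admin settings</h1>" };
}

// Models a browser with JavaScript switched off: it ignores <script> blocks
// and simply checks whether admin content arrived in the response.
function adminContentLeaked(response) {
  return response.status === 200 && response.body.includes("Admin settings");
}

const anonymous = { path: "/admin", headers: {} };
console.log("weak handler leaks to anonymous:", adminContentLeaked(weakHandler(anonymous)));         // true
console.log("hardened handler leaks to anonymous:", adminContentLeaked(hardenedHandler(anonymous))); // false
```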

Windows 7 install trick saves up to $100

without comments

As most of you know, Windows 7 RTM is officially out as of yesterday. According to Gregg Keizer’s article, we do not need to buy full versions of Windows 7, instead we can just use the upgrade versions (which are considerably cheaper) for a clean install.

The hack is actually quite simple:

  1. First we need to install Windows 7 from the upgrade DVD without entering a key.
  2. After installing, we just need to change one registry key (1 to 0) and enter “slmgr /rearm” to command prompt.
  3. After rebooting, we can activate Windows with our upgrade key (before the hack, the key was not valid)

Actual details can be found in this blog. There was a similar (but more tedious) “install twice” hack for Vista; now with Windows 7, it is even simpler.

Thank you again, Microsoft!

Written by ersin

October 23rd, 2009 at 4:38 pm

Posted in Uncategorized

Tor is blocked in China recently

with one comment

Tor is a system for users to communicate anonymously on the Internet, but in China, it is also a tool to break the restrictions imposed by the Great Firewall of China, a powerful censorship system which blocks lots of websites in and out of China.

Some reports said that at the end of last month, most of Tor’s service was also blocked by the GFC. Also on Tor’s web page you can find the corresponding blog and data.

It was said that the GFC blocked most of the directory servers of Tor, thus a Tor user cannot access them to get a list of available and trusted onion routers. The user can add bridges manually to avoid being blocked, as long as he/she can get a list of them by other means.

Written by superzap

October 22nd, 2009 at 10:49 pm

Posted in Uncategorized

Sequoia e-voting or Hack-A-Vote in practice?

without comments

“An election integrity advocacy group has found extensive voting machine source code in election databases that were provided in response to public records requests. The code, which powers Sequoia voting machines, is said to be a possible violation of Federal Election Commission rules.”

It seems more evidence comes forward for not using the Sequoia voting machines.

For more info check this out.

Written by as44

October 21st, 2009 at 11:30 pm

Posted in Uncategorized