Tuesday, May 24. 2005
i'm quitting earth for a while
dot
dot
Wednesday, May 18. 2005
The Honeynet Project has just released a paper about phishing:
Phishing is the practice of sending out fake emails, or spam, written to appear as if they have been sent by banks or other reputable organisations, with the intent of luring the recipient into revealing sensitive information such as usernames, passwords, account IDs, ATM PINs or credit card details. Typically, phishing attacks will direct the recipient to a web page designed to mimic a target organisation's own visual identity and to harvest the user's personal information, often leaving the victim unaware of the attack. Obtaining this type of personal data is attractive to blackhats because it allows an attacker to impersonate their victims and make fraudulent financial transactions. Victims often suffer significant financial losses or have their entire identity stolen, usually for criminal purposes. This KYE white paper aims to provide practical information on the practice of phishing and draws on data collected by the German Honeynet Project and UK Honeynet Project. This paper focuses on real world incidents that the Honeynet Project has observed in the wild, but does not cover all possible phishing methods or techniques. Attackers are constantly innovating and advancing, and there are likely to be new phishing techniques already under development or in use today.
Most companies assume that user awareness and education are sufficient to raise the awareness level on phishing attacks. However, education and awareness alone are not enough. Being proactive is one of the most effective ways to prevent phishing, and it increases the awareness level tenfold. How? If you can afford to pay for consultants, get your money's worth by asking them to include phishing as part of the security audit. If you can't, get your system administrator to do it.
I did this recently, and had a success rate of almost 30% (which means that out of 100, 30 staff fell for my phishing trick). Besides phishing, I also did a spamming exercise for the same company. The result was a 20% success rate.
This is an amazing result, considering that the said company values its privacy. It also shows that no amount of control, policy and technology can prevent spammers and phishers from entering your staff's mailboxes. Companies have to be proactive in fighting spam and phish.
Monday, May 16. 2005
One thing I like about Perl is its vast documentation resources. Say, for example, I need to review the Perl function split: all I need to do is issue perldoc -f split from the command line. Similarly, if I want to know how a module works, say DBI, I just issue perldoc DBI. If I need to be more specific, I can also issue perldoc DBD::mysql.
Besides this, Perl provides information for beginners as well: perldoc perlintro. There are ample tutorials available. My favorites are
- perldsc - Perl data structure codebook
- perllol - how to manipulate lists of lists (or arrays of arrays)
- perlboot, perltoot and perltooc - Perl OO tutorials
- perlbot - Perl bag'o object tricks
- perlsec - Perl security
For more tutorials, documentation and references, just type perldoc perl on the command line. perldoc perldoc will show you how to use perldoc.
Listening to: Death in Vegas - Aisha
Sunday, May 15. 2005
Well, this news report says so:
"The system administrators of the organisations or companies should pay attention to the latest in information technology," said Anonymous, 24, a hacker from Shah Alam.
"It is easy to hack a website and to find weaknesses in the system. Even a primary school kid can do it.
"If a hacker is malicious, he can do a lot of damage to a system or to individuals. Hackers can re-create a bogus website that looks exactly like the real one and no one can tell the difference.
"This is not such good news if you are a banking website, for example."
It does not even take a computer genius to hack, according to hackers. You can find hacking software on the Internet, and downloading the programmes and using them maliciously is just a click away.
"A hacker can download a port scanner, which looks for an open door in a system.
"Usually, any system which can be accessed by the public has some extra ports open so that the public can have access to it.
"All a hacker has to do is to find the open port and enter whatever commands that they can create themselves, and they are in the system."
Most hackers said they do it just for the fun of it, but there is always the few who do it for malicious reasons or profit.
ph334r the Anonymous hacker from Shah Alam, and yes, with a news report like the above, the education ministry should think twice about the security of this system before launching it. Otherwise, they have to be prepared for the rise of school-kid hackers attempting to change their grades... ph334r
At the click of a mouse, parents will be able to find out if their child had actually attended a co-curricular activity on a certain day or had really scored an
http://www.hackiis6.com. For an Xbox? Seriously, no researcher will give up his/her 0day for an Xbox. Anthony said that the price needs to be increased to USD250,000 [ here], and Roger A. Grimes (whoever he is) said that Anthony can't hack it either, and he offered him USD2000 of his personal money to do it [ here].
Now, if the box is not hacked, it does not mean that the Microsoft IIS engineering team has achieved the greatest feat in software engineering ever, that is, shipping zero-bug software. History says otherwise. And the box will remain unhacked, because no one will give up a 0day for an Xbox. Glory does not count either.
Let's take a look at our CtF event. I'm pretty sure that no team will ever use a 0day during the contest, for the simple reason that one can make more money consulting with the 0day rather than winning, say, an iPod in a CtF game. Being the winning team without using a 0day is good enough. That is why, for this year's game, we're introducing custom vulnerabilities, and the teams have to write exploits for them during the game. It's going to be exciting.
Listening to: Soulsaver - Rumblefish (The Boy Lucas Mix)