Saturday, April 17, 2010

Types of attacks

From Microsoft Encyclopedia of Security (direct quote)

Types of attacks
Access attacks: The intruder tries to gain access to resources on your network by exploiting flaws in software such as buffer overflows and information leakage and by elevating the intruder’s privileges to execute arbitrary code.

Denial of service (DoS) attacks: The intruder tries to deny legitimate users access to resources on your network.

Reconnaissance attacks: The intruder tries to map your network services in order to exploit vulnerabilities detected.

Effects on systems being attacked
Active attacks: These involve trying to modify data either during transmission or while stored on the target system. Examples include inserting backdoors and Trojans, deleting or modifying log files, disrupting services or communication, and so on.

Passive attacks: The goal here is not to modify the target system but rather to capture data being transmitted by eavesdropping or by using a packet sniffer in order to obtain sensitive or confidential information such as passwords or credit card numbers. Passive attacks are also used for capturing information that can help the attacker create a map of the target network’s hosts and services, which usually forms the preamble of an active attack.

Saturday, April 10, 2010

Salient Ads

I seem to be getting many emails from a company called Salient Ads. They are an email advertising company. The emails follow a format where each contains a link advertising a service, with an image promoting the service.
So if you receive any of the emails below, it is probably because a company you have given your email to has sold you out, and I do not recommend you get caught up in the hype of the email. I do not know the sender and you probably don't either.

Example of spam emails

Email: College Loans (FinancialAid@largeperiod.com)
Subject: Education is expensive. Get a student loan now.
Message: Student loans help finance further study.

Email: LearnAccounting (AccountingSchools@chrismaspeace.com)
Subject: A Chance To Switch Careers
Message: Do your own taxes and charge others

Email: GI Bill Express (MilitaryBenefits@mysnowballfight.com)
Subject: Legislative Alert for the Military
Message: Legislative Alert for the Military

Email: Cash Department (Loans@first9949.com)
Subject: Quick Loans! Up to $500 in 1hr! Approval in minutes!
Message: Up to $500 in hour..approval in minutes!

These are supposedly not spam messages, because each email states at the bottom: "You are receiving this advertisement because you have opted-in to receive third-party marketing messages. If you do not want to receive this type of emails from us, please unsubscribe here.
Salient Ads Ltd: 8171 Yonge Street Suite 136, Thornhill ON, L3T 2C6, Canada"

Salient Ads is an online marketing company and you can opt out of their email service by clicking the link at the bottom of the email or by visiting their website.

Thursday, April 8, 2010

Ethical Hacking cont. (2)- Finding public information

This is a continuation of the post: Introducing Ethical Hacking.

One of the important steps in ethical hacking is to assume you have no information about the company (in other words, to forget everything you know about your corporation) and start from the ground up. So let's start with only your corporation's name (you have to know which organisation to hack).

Gathering information from public sources
1- Google: "Google" your company and see what information you can gather.
2- Hoovers and Yahoo! Finance: Detailed information about companies available to the general public.
3- U.S. Securities and Exchange Commission: SEC filings that the company has made.
4- United States Patent and Trademark Office: For patent and trademark information.
5- Whois: DNS servers responsible for hosting.

What information to look for:
1- Employee's Names/Contact Information.
2- Key Dates
3- SEC filings
4- Patents
5- Presentations, Articles, Webcasts

I'll stop there. There's plenty of work there for you to do. In the meantime, I will be writing up the next section.

For more detailed information, check out Hacking: The Art of Exploitation.

Apple introduces iAds to the mobile platform

iAds give software engineers and corporate advertisers a new road to advertising.
From CNET: But this sets up a battleground for how advertising evolves on mobile platforms. Apple is declaring that the best way for marketers to reach mobile users is through iPhone applications, rather than the Web at large. Google and AdMob, on the other hand, are much more focused on ads delivered in the browser on mobile Web pages. And Apple made some compelling arguments Thursday about why its plan could be more effective.

Jobs said that the average iPhone owner spends 30 minutes a day using applications. So there's an awful lot of potential ad impressions at play, but mobile ads inside iPhone apps are even more annoying than desktop ads because should you happen to click on one, you're taken away from the app and into the browser.

In my experience, advertisements at the sides of screens are normally not clicked by end users. The users are focused on the middle of the screen where most of the "action", one could say, is happening. However, my opinion applies to computer screens about 17 inches or wider. This may be different with a 3.5 inch display screen, as the focal point is closer to the ads.

Also, users probably will not like the idea because, in reality, a 3.5 inch (diagonal) display is not really that large. iPhone users would like to use their screen to maximum capacity, and not have some of their precious screen space be taken up by an advertisement.

For developers/business owners reading this and wondering whether it is a business opportunity:

iAds work on a simple revenue split. 60% of revenue is given to the developer (10% lower than iPhone apps). However, Apple will host and deliver all the ads to the end users.

Mac4Lin: Make Windows Look Like Mac the easy way

Ever since I entered the Linux world, I have seen many skins that attempt to replicate the look of Mac/Windows XP/Windows Vista/Windows 7 with the use of themes and skins with specific desktop managers (and programs).

But for those who are not technically capable, Mac4Lin is a Linux distribution that can make your PC look like a Mac. Of course, there are programs that are exclusive to Mac and have not been ported to Linux. I have never been a fan of making one OS look like another. However, people do things just because they can. So, if this is your thing, try it. (My thoughts: looks like Mac in some ways, but does not "feel" like it though)

The Inquirer: Designed by Anirudh Acharya of San Diego, California, Mac4Lin looks like the real thing. Only instead of a fully blessed by Steve Jobs Leopard OS X under the bonnet, it runs something which is not proprietary and is free.

Mac4Lin supports GNOME 2.26 and is backwards compatible. It is unlikely to appeal to the Linux purist, who probably wouldn't stoop to stick anything like a Windows 7 look on Linux either.

Maybe it is just the fact that one has an OS that resembles a proprietary one for free that makes people want to do things like this. I would like to hear your thoughts if you do like to skin your operating system.

Wednesday, April 7, 2010

The end has arrived for Bebo

AOL announces that Bebo is going to be sold or closed down. AOL decided this as it would take “too much additional investment” to keep the social networking site worthwhile.

John Brod, Executive Vice President at AOL:

“The strategy we set in May 2009 leverages our core strengths and scale in quality content, premium advertising and consumer applications, positioning us for the next phase of growth of the Internet. As we evaluate our portfolio of brands against our strategy, it is clear that social networking is a space with heavy competition, and where scale defines success. Bebo, unfortunately, is a business that has been declining and, as a result, would require significant investment in order to compete in the competitive social networking space. AOL is not in a position at this time to further fund and support Bebo in pursuing a turnaround in social networking.

“AOL is committed to working quickly to determine if there are any interested parties for Bebo and the company’s current expectation is to complete our strategic evaluation by the end of May 2010.”

According to the WSJ, Bebo was never really a success.
The site never gained a foothold in the U.S. and steadily fell behind the competition. Bebo attracted 5 million unique U.S. visitors in February, down 12% from the same period last year, according to comScore Inc. In contrast, Facebook attracted 111.8 million unique U.S. visitors in February, nearly double the size of its audience in February 2009.

"We've known this has been a declining asset since just beyond day one that they bought it," says Ross Sandler, an Internet analyst with RBC Capital Markets. "It is a sunk cost at this point."

Well, that is the end of Bebo, which was a flop since day 1. Goodbye Bebo, but I doubt many people will miss you.

Monday, April 5, 2010

Run Google Chrome inside Internet Explorer

From Google: Google Chrome Frame is a free plug-in for Internet Explorer. Some advanced web apps, like Google Wave, use Google Chrome Frame to provide you with additional features and better performance.

It brings new technologies that are not supported yet in Internet Explorer 6, 7 and 8 into Internet Explorer. It literally is like running Google Chrome. I highly recommend this plug in, not that I use it, but because I use Google Chrome.

An additional benefit is that Internet Explorer runs 8 times faster using Google Chrome Frame, according to Techworld.

Techworld: Microsoft's Internet Explorer zips through JavaScript nearly ten times faster than usual when Google's new Chrome Frame plug-in is partnered with the browser, benchmark tests show.

According to tests run by Computerworld, Internet Explorer 8 (IE8) was 9.6 times faster than IE8 on its own. Computerworld ran the SunSpider JavaScript benchmark suite three times each for IE8 with Chrome Frame, and IE8 without the plug-in, then averaged the scores.

To try Google Chrome Frame, visit the Google Chrome Frame website. Please comment if you have used it.

Great News: Blu-ray goes high capacity

The Blu-ray Disc Association has released a new generation of Blu-ray discs that holds more than double the amount of data of previous generations of the disc.

The new format, called BDXL, can hold up to 128 GB on a write once blu ray disc, and 100 GB on a rewritable disc.

There is bad news though. Because this new format requires a laser that can penetrate 3 to 4 layers deep into the disc, the PS3 probably won't be able to access these discs (even with a firmware upgrade guys). A more powerful laser probably is needed.

Information Week 05/04/2010: However, the higher number of layers require a more powerful laser, so the new format is not backward compatible with current hardware used to record data or play today's Blu-ray movies. As a result, adoption of the new technology will likely be slow, until manufacturers start releasing new hardware that can play and record the old and the new formats.

However, don't expect to see these discs in circulation too soon. From experience, it takes a while for new technology to be implemented into society. Sometimes, it is even rejected (remember the Nintendo Gamecube).

Apple iPad sells more than 300 000 iPads!!

On Monday, Apple said that it had sold more than 300 000 iPads on the first day it was released. Many analysts' expectations have been met by this number. Apple has also said that iPad users have downloaded over a million applications and 250 000 ebooks from the iTunes store.

It is not surprising that the vast majority of first iPad owners are Mac users. CNN's Fortune Brainstorm Tech blog also came up with other statistics from a survey of a sample size of 448 iPad owners.

Apparently,

* 74% were Mac users (26% owned another kind of PC). 96% planned to continue using their computers.

* 66% owned iPhones. Only four or five respondents (1%) thought they could replace their iPhone with an iPad.

* 13% owned Amazon (AMZN) Kindles and 58% of those planned to replace it with the iPad.

* The $499 16GB iPad was the most popular (39%) followed by the 32 GB (32%) and 64GB (28%). When the iPhone first launched, only 5% bought the low-end 4GB model.

* 74% planned to use their iPads to surf the Web; 38% to read books; 32% to e-mail; 26% to watch video; 18% to play games and other apps; 8% to listen to music.

* 78% said they didn't consider any other gadget before buying an iPad. 10% were thinking about buying a Kindle, 6% a netbook, 4% a laptop, 1% an iPhone, 1% an iPod touch.

The Associated Press claims that the company faces challenges encouraging more consumers to buy the product.

Associated Press: Once the early excitement settles, Apple needs to convince a broader swath of people to buy if it wants the iPad to follow the iPhone's successful trajectory.

Many companies have tried to sell tablet computers before, but none has caught on with mainstream consumers. Apple's iPad comes at a time when people have even more Internet-connected gadgets — smart phones, laptops, e-book readers, set-top boxes and home broadband connections — and it may need to work harder to persuade people to buy yet another device that serves many of the same purposes.

Nevertheless, I wish I was Steve Jobs.

Sunday, April 4, 2010

How secure are Macs?

Many Macintosh users believe that their Macs are very robust and immune against viruses and hacking. They get the misconception that their Mac is very secure because they have never been hacked before. They hear stories from their friends, co-workers and family of how a Windows PC has been hacked. (I know that this is a generalization of Mac users, you can flame me if you want.)

This is not the case. Macintoshes are not immune to viruses and Mac users can also be victims of phishing scams. This is what Jacob Appelbaum, a hacker and researcher, has to say about the subject.

It's possible to have a well-secured machine regardless of operating system. Users generally aren't able to secure machines and so this responsibility often falls to the vendor...Mac OS X and Windows both encourage users to download programs from the Internet without any thought for security.

Graham Cluley, a senior technology consultant at Sophos, comments similarly on the issue:

I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password.

It is also a misconception that Macintoshes are immune to viruses. Macs aren't immune to viruses, but Mac viruses are very rare. I do recommend users use antivirus software on these operating systems. The reason that there are fewer Macintosh viruses is that Apple holds less market share than Windows, which means that a Mac virus can target fewer users.

Tony Bradley from PC World made this comment, backing up my point quite nicely:

... the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with five percent market share.

This was quite evident at a security conference in Vancouver, where "smart people" hacked into fully patched and secure machines in short periods of time.

The Apple iPhone 3GS was fully compromised in 20 seconds by two hackers, the first time the mighty iPhone 2.0 has fallen to a crack. And the infamous Charlie Miller, who has successfully hacked into fully patched Macs for the last two years, this year wormed his way into fully patched and secure MacBook Pro to take home a cool $10,000. Another guy slammed into a fully-patched Windows 7 machine.

What was my point? Macs can be just as insecure as Windows if hackers out there feel like hacking them. Luckily for Mac users, many hackers don't.

If you feel that this article is incorrect (factually), then feel free to argue it in the comments.

Saturday, April 3, 2010

What is Naked DSL?

Naked DSL is an ADSL2+ broadband Internet connection that allows the end user to avoid phone rental fees while still having access to broadband services. This is because it doesn't require a landline service.

Naked DSL offers ADSL2+ speeds. ADSL2+ allows the user to enjoy a more satisfying experience online with transfer (download) speeds which are extremely fast compared to traditional ADSL services.

ADSL speeds, however, are not clear cut. Many factors influence ADSL2+ speeds, including distance from the nearest exchange, quality of the line, the signal strength, and traffic congestion (referring to the internet).

With Naked DSL, a phone line (which users pay for every month through line rental) is no longer needed. All that is needed is a copper wire from the exchange to a home. Companies have their own broadband equipment so users can receive broadband without paying for line rental.

Friday, April 2, 2010

The legal status of Hackintosh- Is it legal?

A "Hackintosh" is a computer running Apple (Mac) software that is not made by Apple. It is therefore said that the Apple software is hacked.

However, there have been many misconceptions on whether it is legal to use Apple software on a regular PC. The clear cut answer is no.

Psystar is attacked for selling hacked Macintoshes
The company Psystar has had a lawsuit from Apple filed against them because the company was openly selling computers loaded with a Mac OS. From Wikipedia:

Psystar Corporation is a Miami, Florida based company which sold "Open Computers". These computers, first announced in April 2008, had the option to be pre-installed with Mac OS X Leopard, making them the first commercially distributed 'hacked' Macintosh computers.[1] In November 2009, a U.S. Federal District Court ruled Psystar violated Apple's copyrights in doing so.

Psystar Corporation is currently having a struggle with Apple, and the journey has involved filing for bankruptcy and court complications.

What if I am just using the computer for private use (no commercial aspect)?
While a private user will not be under as much stress from Apple as Psystar, it doesn't make using a Mac OS on a PC any more legal. This is a segment of a EULA for a Mac OS X operating system (important bits are bolded for emphasis):

2. Permitted License Uses and Restrictions.
A. Single Use License. Subject to the terms and conditions of this License, unless you have purchased a Family Pack or Upgrade license for the Apple Software, you are granted a limited non-exclusive license to install, use and run one (1) copy of the Apple Software on a single Apple-branded computer at a time. You agree not to install, use or run the Apple Software on any non-Apple-branded computer, or to enable others to do so. This License does not allow the Apple Software to exist on more than one computer at a time, and you may not make the Apple Software available over a network where it could be used by multiple computers at the same time.

So it can be seen that Hackintoshes are not legal (although one probably won't be sent to jail for it). Will this stop people from doing it... probably not.

Introducing ethical hacking

Ethical hacking is the process where an individual uses tools to strengthen the security of a computer system by testing it through physically (electronically, actually) hacking it. It is a form of hacking (breaking into a computer system) that is legal (to the best of my knowledge). But I caution readers to check laws before proceeding because laws are different depending on area and change over time.

Many IT practitioners conduct these tests to confirm that their security system can stop the real hackers. Ethical hacking allows one to test their computer security policies and plug up holes before the real bad guys get to it.

From Hacking for Dummies, Chapter 1:

You need protection from hacker shenanigans. An ethical hacker possesses the skills, mindset, and tools of a hacker but is also trustworthy. Ethical hackers perform the hacks as security tests for their systems.

If you perform ethical hacking tests for customers or simply want to add another certification to your credentials, you may want to consider the ethical hacker certification Certified Ethical Hacker, which is sponsored by EC-Council. See www.eccouncil.org/CEH.htm for more information.

Ethical hacking — also known as penetration testing or white-hat hacking — involves the same tools, tricks, and techniques that hackers use, but with one major difference: Ethical hacking is legal. Ethical hacking is performed with the target’s permission. The intent of ethical hacking is to discover vulnerabilities from a hacker’s viewpoint so systems can be better secured. It's part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors’ claims about the security of their products are legitimate.

For anyone interested in the topic, I will continue to post more on it. Also, anyone who is really interested, or who urgently needs to revise their security policy, should check out Hacking for Dummies. >> Ethical Hacking Cont.

Linux is insecure?

I am a linux fanboi and ever since I was immersed into the world of linux and linux security (iptables and interactive firewall etc), it has always been emphasized to me that linux is a very secure operating system. It is one of the reasons that many people use to attempt to persuade more people into using the operating system.

However, it seems that Linux may not be as secure as many believe. According to linux-watch.com, Steven J argues that all software is insecure. This is the beginning of his article Face it: Linux is insecure:

Linux is insecure. Open source is insecure. Windows is insecure. All software is insecure.

Deal with it.

People keep having this delusion that security is a product. That, if you just buy some magic box, you'll have a program or an operating system that's as secure as Fort Knox.

It doesn't work that way. Security is a process, not a product.

According to Hacking For Dummies by Kevin Beaver, Linux has the same exploitable vulnerabilities as Windows operating systems. He claims that:

Linux — the new darling competitor to Microsoft — is the latest flavor of UNIX that has really taken off in corporate networks. A common misconception is that Windows is the most insecure operating system (OS). However, Linux — and most of its sister variants of UNIX — is prone to the same security vulnerabilities as any other operating system.

Hackers are attacking Linux in droves because of its popularity and growing usage in today’s network environment. Because some versions of Linux are free — in the sense that you don’t have to pay for the base operating system — many organizations are installing Linux for their Web servers and e-mail servers in hopes of saving money.

I am not saying that you will be hacked if you use a Linux operating system. My point is that whilst the security and stability of Linux can be emphasized, security precautions also need to be emphasized, so users of Linux (especially those new to Linux) are not given the false sense of security that Linux is a 100% secure operating system.

According to linux-mag.com, this may be true. From their article,

Unfortunately, many Linux distributions make a number of painfully wrong security decisions at install. All too often these issues are overlooked by the administrator since the prevailing wisdom tends to be: “If it’s Linux, it’s secure.” As we’ll soon see, that’s not always the case.

With that said, there are many linux operating systems with a strong emphasis on security. Also, there are many auditing tools that can be used to assess the current security policy of a linux system. Linux Security Auditing Tool (LSAT) is one such tool that achieves this. usat.sourceforge.net

Thursday, April 1, 2010

Mafiaboy: How I Cracked the Internet and Why It's Still Broken

Michael Calce, a Canadian teenager with the alias "Mafia Boy", conducted one of history's most "successful" DoS attacks (denial of service: an attack which prevents computer resources from being accessed).

Michael Calce conducted denial of service (DoS) attacks that brought down Amazon.com, CNN.com, eBay, Yahoo!, and many other very popular internet sites for more than six hours.

The losses from the attack were estimated at $1.2 billion, including drops in share values, loss of revenue and recovery time. He has now written a book about his journey in the hacking world.

From yyztech.ca,

The book is the story of Michael Calce's involvement in hacking, from his early adventures on AOL, launching the attacks on Yahoo, CNN and eBay in 1999 to the resulting investigation, trial and sentencing that followed. The second part of the book covers a bit of his life afterwards but is mostly on how hacking has changed since his Mafiaboy days and ways for users to protect themselves online.

When I first came across the book I had to google "MafiaBoy" as, while the name sounded familiar, I couldn't recall who he was. In short, besides his age and the high profile of his targets, his story isn't that unique: "teen hacks website" is almost a cliche at this point with everything from James Bond to Doctor Who featuring young computer geniuses who are up to no-good. So it's worth asking beyond who was MafiaBoy, what exactly did he do, and does it matter nearly 10 years on.

-From http://www.yyztech.ca/posts/mafiaboy-how-cracked-internet-why-still-broken

In this book, he also examines the current state of security of the internet. He also examines how hackers these days are more criminal minded, engaging in the activity for money.

Getting more codecs for eeepc

One thing that I could not do with an eeepc is play mp4 files. The solution to this was to install a codec pack. It adds codecs to mplayer.

There is a guide at eeepc user. For those who are too lazy to even google it, I will quickly rehash the procedure to save you a mouse click (I really do have too much time).

Why have a codec pack added to your eeepc?

Raw video (or music, in fact) is huge, so codecs are used to compress the file into a smaller size (codec in fact means compressor-decompressor) to save space. There are different types of codecs and the eeepc player does not have them all. Therefore, to play specific files, you have to get a codec pack.

Adding codec pack

1. You need a working internet connection.

2. Open up a terminal window (press Control + Alt + T )

3. In the console, type "sudo /usr/share/mplayer/scripts/binary_codecs.sh install" without quotes. To copy and paste, right-click and choose copy, then in the terminal window press down the scroll button on the mouse.

4. Wait for the downloads to finish; how long this takes depends on the speed of the connection.

5. You are done. Try your multimedia file to see if it works.

h264 codec missing

Apparently, the newer version of mplayer in Xandros (eeepc linux operating system) does not support the h264 codec. To get this functionality back, mplayer must be downgraded.

Downgrading Mplayer so it supports h264

**Proceed with caution**. This process may cause problems in your eeepc. If you want to continue, here are the steps (taken from eeepcuser.com)

1. Open up a terminal window (press Control + Alt + T )
2. Type in the terminal window sudo kwrite /etc/apt/sources.list
3. Add the following to the file: deb http://http.us.debian.org/debian/ etch main non-free contrib
If the above repository is not working, give this one a try: deb http://www.debian-multimedia.org etch main
4. Save changes to the file
5. Back in the terminal, type "sudo aptitude update" without quotes
6. Then type "sudo aptitude install mplayer=1.0~rc1-12etch5" without quotes.
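
The sources.list edit from steps 2 to 4 as a script, with two additions a careful admin would want: the repository line is added only once (after a backup of the file), and it can be removed again once mplayer is installed. This is an added example, not code from the original post or from eeepcuser.com; the function names, the script file name and the SOURCES_LIST override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not from the original post or the eeepcuser.com guide.
# Assumptions: function names and the SOURCES_LIST override are illustrative;
# point SOURCES_LIST at a copy of the file to rehearse without root.
SOURCES_LIST="${SOURCES_LIST:-/etc/apt/sources.list}"
REPO_LINE="deb http://http.us.debian.org/debian/ etch main non-free contrib"

# Step 3: add the etch repository line exactly once, after saving a
# one-time backup of the untouched file.
add_repo() {
    if [ ! -f "$SOURCES_LIST" ]; then
        echo "missing $SOURCES_LIST" >&2
        return 1
    fi
    if [ ! -f "$SOURCES_LIST.orig" ]; then
        cp -p "$SOURCES_LIST" "$SOURCES_LIST.orig"
    fi
    if grep -qxF "$REPO_LINE" "$SOURCES_LIST"; then
        return 0    # already present: do nothing
    fi
    # If the file does not end in a newline, add one so the new entry
    # is not glued onto the last existing line.
    if [ -s "$SOURCES_LIST" ] && [ -n "$(tail -c 1 "$SOURCES_LIST")" ]; then
        printf '\n' >> "$SOURCES_LIST"
    fi
    printf '%s\n' "$REPO_LINE" >> "$SOURCES_LIST"
}

# After the install: drop the line again so that later upgrades do not
# pull other packages from the etch repository.
remove_repo() {
    if [ ! -f "$SOURCES_LIST" ]; then
        return 1
    fi
    tmp="$SOURCES_LIST.tmp.$$"
    # grep exits 1 when it outputs no lines; that is not an error here.
    grep -vxF "$REPO_LINE" "$SOURCES_LIST" > "$tmp" || true
    cat "$tmp" > "$SOURCES_LIST"    # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Usage as root (mplayer-repo.sh is a hypothetical file name):
# "sh mplayer-repo.sh add", then the two aptitude commands from
# steps 5 and 6, then "sh mplayer-repo.sh remove".
case "${1:-}" in
    add)    add_repo ;;
    remove) remove_repo ;;
esac
```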

To play rmvb files on eeepc


1. Download the codec files for rmvb (real media video) files and save them to a known directory.

2. Right click the file and select Extract All.

3. Type in the following lines in terminal (should know how to open terminal by now)

cd /{insert directory name}/essential-date
sudo mkdir -p /usr/lib/codecs/
sudo cp * /usr/lib/codecs/

4. You are done.