Laptop Service Center leads to leakage of Personal Information and Blackmailing

Sunday, September 20, 2009

There have been many instances where your data is at risk, but one of the worst ways to leak your data is giving your laptop to service center people. I have myself had a horrible experience with an authorized Acer service center where the bastard was supposed to replace the motherboard, and in return he did give me a new motherboard but replaced my CD writer with a very old and used CD-ROM, stole my 1GB RAM and gave me 256MB RAM, and even damaged the LCD and never accepted that they spoiled my machine. Luckily I had all my data encrypted on the HDD, but not sure what went wrong: I was unable to access the data and lost all of it. That was a big blow, but I wonder what that Acer authorized service center moron would have done if he had my data. Here is a case where a leak happened from an Apple service center in Delhi. Not sure if this is exactly true, but one thing is sure: the service center people are bastards as far as I know. One more thing: whenever I get a chance I always suggest people never buy Acer; they are cheap initially but they will cost you double what you have paid in the long run. You can read below about the incident that happened with a musician's daughter.


"Delhi Police is investigating a case of blackmailing of young sitarist and legendary musician Pandit Ravi Shankar's daughter, Anoushka, and has arrested a Mumbai-based man who allegedly accessed her photographs stored in her laptop.

The man, whose identity has not been revealed, has been arrested by the Special Cell of Delhi Police following investigations in Mumbai after Ravi Shankar approached police last month complaining about the harassment meted out to his daughter, a senior police official said.

Police had last week registered a case under Section 386 of Indian Penal Code which relates to extortion by putting in fear of death or hurt and provides for a maximum punishment of 10 years in jail.

The official said the musician, who lives in the US, has told police that Anoushka had given her laptop to a service centre in south Delhi in February.

"We think that the material in the laptop was copied by someone. We interrogated the staff at the Apple Services Centre. Later, we zeroed in on the Mumbai-based man and arrested him," he said.

The man allegedly sent a series of e-mails to 28-year-old Anoushka, demanding money for not making public the photographs. The alleged blackmailer even asked for USD one lakh in one e-mail.

Police did not state as to when the man was arrested."

Update: As per the Indian Express it seems one of her friends had hacked into her email account and copied the photos. If this is true, then why did police say that they talked to the Apple store people and zeroed in on one guy from Mumbai? Maybe they are hiding something or they just lied. Anyway, it looks like things are sorted out now. Link to IE news


Virus writers using open source code: will open source give an edge to viruses too?

Saturday, September 19, 2009

Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.
By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.

According to Candid Wüest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.
The move to an open source business model is allowing criminals to add extra features to their malware.
"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wüest said.
Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for its Trojan called Back Orifice.
More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters.
Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.
There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for $350 per time before it went open source, while the Zeus Trojan today sells for between $1,000 to $3,000.

However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.
"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.
"At the beginning of it going open source it was big news but people have since stopped investing in it.
"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.
Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking websites and capture the keystrokes and the files saved on an infected computer.
And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.
"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wüest said.
The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected website, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.
These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or attachment.
RSA analysts say these new methods have fuelled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.


Disloyal employees are not hackers, says court

An appeals court has ruled that a former employee who took company data with him for his own business did not violate the Computer Fraud and Abuse Act, despite his unethical actions. This outcome pits the court against itself as to whether disloyal computer use counts as unauthorized access. This surely gives some relief to people who are planning insider attacks on an organization.

The "unauthorized access" provision of the Computer Fraud and Abuse Act (CFAA) has turned out to be quite an asset to those looking to prosecute people for all manner of actions involving computers, even though it was originally meant to target hackers. The Ninth Circuit Court of Appeals has ruled, however, that it cannot be used to prosecute someone for being disloyal with company info after quitting—a decision that is being applauded by CFAA critics who want to limit the statute.

The decision came after a company named LVRC Holdings filed a lawsuit against a former employee, Christopher Brekka, his wife, Carolyn Quain, and their independent consulting business. LVRC had accused Brekka of using company computers "without authorization" in order to e-mail himself LVRC client files in order to use that information for his personal business after leaving the company.

Based on that description, one might assume that Brekka had used his or someone else's credentials to break into the network after he quit, but that's not exactly the case. As it turns out, Brekka had e-mailed the documents to his home PC while he was still an employee at LVRC, using login information that the company admin had sent to him. The documents he e-mailed included a financial statement for the company, LVRC’s marketing budget, and admissions reports for patients, among other things. Not so coincidentally, Brekka apparently did this while he was in talks to acquire part of LVRC. Those talks eventually broke down and Brekka left the company.

Brekka subsequently used the data to help his own consulting business, which he runs with his wife. You could argue that his actions were unethical and downright slimy, but LVRC brought charges under the CFAA, saying that he had gained unauthorized access to LVRC machines in order to get the data. LVRC had argued that Brekka's intent at the time of access determined whether or not he was authorized—basically, the company said he was committing a "thought crime."


Puppy Linux 4.3 is out with complete overhaul under the hood

Puppy Linux 4.3 is a massive upgrade from the 4.2 series, with almost all the components updated or replaced. Also, the whole system through which this Linux distribution is being built has been replaced with a completely new one, called Woof. The switch imposed the creation of a new package management system, called Puppy Package Manager, which supports the use of packages from any distribution within Puppy.

Puppy Linux 4.3 is powered by the 2.6.30.5 Linux Kernel, which is configured to support multiprocessor systems, EXT4 filesystems and is patched to work with Aufs2. Legacy dial-up modems are well supported, with drivers included for Agere, ESS, Lucent, Conexant, Smartlink, Pctel and Intel chipsets. More up-to-date methods of connecting to the Internet are also supported, including the use of 3G modems.

There are many more changes to Puppy Linux. I have one of my USB drives with Puppy 4.2 installed. I am currently downloading 4.3 to replace the old version with the new one, and I am desperate to try out my 3G modem on Puppy. If my 3G modem works, that would be the best gift from the Puppy 4.3 upgrade for my birthday.

Cheers!


Security, Privacy, and Sustainability Costs for “Free” Software

Wednesday, September 16, 2009

Traditional total cost of ownership analysis does not consider the unique costs and benefits of free software and services, particularly if delivered through the Internet.

“Understanding the costs as well as benefits of ‘free’ software will avoid creating the expectation that there is such a thing as a ‘free lunch’ in IT - a benchmark that no IT Business model can meet.”

As per the report, both free and paid software end up with the same cost of maintenance. In fact, in some cases you might be saving on acquisition cost but compromising on security.

You can read the full report of ACT about the cost of Free Software here.

I am not sure if this report was funded by Microsoft or not and I am not against Open source software :)


FraudView From ArcSight

ArcSight has some really cool products. We had implemented a SOC for a big client using ArcSight ESM. The new product FraudView might be targeted at a certain business, but as far as I feel, the same pattern recognition and rules can be used with ArcSight ESM if you already own it; there is no real need to buy it. But for the targeted business the product looks good.

"The new product, FraudView, looks for patterns in transactions that might indicate fraud.

Security company ArcSight has retooled one of their event-monitoring products and created an appliance designed to detect fraudulent bank and brokerage transactions.
ArcSight found that customers who were using its Enterprise Security Manager (ESM) product -- which has a correlation engine that is used to spot anomalous activity on networks such as a worm -- was being used by brokerages to detect stock scams, said Rick Caccia, vice president of product marketing.

The correlation engine takes data and then checks to see if it violates certain rules. Brokerages found the correlation engine also worked well when it was fed other data, such as application logs, trading positions and historical stock data.

The brokers were using the product to detect the so-called pump-and-dump scams, Caccia said. That's when fraudsters use various methods to artificially cause a stock price to rise and then sell off the shares before it falls.
It worked, and that caused ArcSight to look into how the correlation engine could be used for spotting other kinds of financial fraud. The result is a new product, FraudView.
FraudView, which is an appliance that banks and brokerages install alongside their back-end systems, looks at payment and transaction data and assigns it a risk score.
The bank or brokerage sets its own rules for what transactions will be allowed or rejected. FraudView does ship with a basic set of rules and triggers that would commonly be used, such as the U.S. government's requirement to report transfers of more than US$10,000, Caccia said. It is also capable of automatically creating new rules based on suspicious patterns.
The correlation engine in ESM was modified. Instead of looking at data such as IP (Internet Protocol) and MAC (Media Access Control) addresses, it looks at other data appropriate for financial transactions, Caccia said.
FraudView also has a pattern recognition engine, which can spy fraud trends within large sets of transactions. The appliance can also analyze data from other fraud detection systems.
In order to generate a risk score, FraudView looks at frequency of transactions, withdrawal limits and locations where cash is withdrawn in addition to other data, Caccia said. The analysis takes a second or two, he said.
Caccia said FraudView has been tested by some brokerages and banks. One U.S. bank deployed FraudView and soon after detected an attempted $1 million fraudulent wire transfer. Caccia said he can't reveal the bank's name, however".[source]
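As an added illustration (not ArcSight's code or rule format), here is a small rule-based correlation engine of the kind the article describes: each rule scores a transaction on the data the article lists (the US$10,000 reporting threshold, transaction frequency, withdrawal limits, withdrawal location) and the summed risk score drives an allow/reject decision. The account profiles, point values, reject threshold and transactions are all constructed for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Txn:
    account: str
    kind: str        # "wire", "atm_withdrawal" or "payment"
    amount: float    # USD
    location: str    # country code where the transaction originated
    ts: int          # minutes since the start of the observation window

# Constructed per-account context the rules consult (home country, ATM limit).
PROFILES = {
    "acct-1": {"home": "US", "daily_atm_limit": 500.0},
    "acct-2": {"home": "US", "daily_atm_limit": 1000.0},
}

CTR_THRESHOLD = 10_000.0   # the US reporting threshold the article mentions

def rule_ctr(txn, history, profile):
    """Transfers above US$10,000 must be reported; flag them."""
    if txn.kind == "wire" and txn.amount > CTR_THRESHOLD:
        return 40, "wire above reporting threshold"
    return 0, None

def rule_velocity(txn, history, profile):
    """Fourth or later transaction on one account within 10 minutes."""
    recent = [h for h in history if txn.ts - h.ts <= 10]
    if len(recent) >= 3:
        return 25, f"{len(recent) + 1} transactions in 10 minutes"
    return 0, None

def rule_withdrawal_limit(txn, history, profile):
    """ATM withdrawals that exceed the account's daily limit once summed."""
    if txn.kind != "atm_withdrawal":
        return 0, None
    so_far = sum(h.amount for h in history if h.kind == "atm_withdrawal")
    if so_far + txn.amount > profile["daily_atm_limit"]:
        return 30, "daily ATM limit exceeded"
    return 0, None

def rule_location(txn, history, profile):
    """Cash withdrawn somewhere other than the account's home country."""
    if txn.kind == "atm_withdrawal" and txn.location != profile["home"]:
        return 20, f"withdrawal from {txn.location}"
    return 0, None

RULES = [rule_ctr, rule_velocity, rule_withdrawal_limit, rule_location]

def score_stream(txns, reject_at=50):
    """Run every rule over each transaction in time order, keeping per-account
    history, and return (account, ts, score, reasons, decision) tuples."""
    history = defaultdict(list)
    out = []
    for t in sorted(txns, key=lambda x: x.ts):
        profile = PROFILES[t.account]
        score, reasons = 0, []
        for rule in RULES:
            pts, why = rule(t, history[t.account], profile)
            score += pts
            if why:
                reasons.append(why)
        decision = "reject" if score >= reject_at else "allow"
        out.append((t.account, t.ts, score, reasons, decision))
        history[t.account].append(t)
    return out

# Constructed sample stream (not real data).
SAMPLE = [
    Txn("acct-1", "payment", 42.0, "US", 0),
    Txn("acct-1", "atm_withdrawal", 300.0, "US", 5),
    Txn("acct-1", "atm_withdrawal", 300.0, "RO", 7),   # over limit, abroad
    Txn("acct-2", "wire", 12_500.0, "US", 20),         # reporting threshold
    Txn("acct-1", "payment", 10.0, "US", 9),           # 4th in 10 minutes
]

if __name__ == "__main__":
    for row in score_stream(SAMPLE):
        print(row)
```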


Intelligence Bureau wants to block all VOIP calls in India

India’s Intelligence Bureau (IB) has reportedly called on the Ministry of Communications and Information Technology to block all internet telephony services in and out of the country until the Department of Telecommunications (DoT) is able to track such calls, the Economic Times reports. The IB claims that India currently lacks the necessary technology to track VoIP calls, and argues that this presents a national security issue, with the bureau noting: ‘In the absence of Caller Line Identification (CLI) parameters of calls landing from abroad, it is next to impossible to identify the country of location of the caller. Moreover, of late a number of service providers in India have started providing VoIP solutions for making calls both domestics as well as foreign. The calls passing through the VoIP/IP route contain inadequate parameters rendering it impossible to trace the actual callers. As DoT had conveyed that it is not possible to mandate transmission of CLI from abroad, we had approached DoT to block such calls till a technical solution is found.’

Should the DoT act on the recommendations, hundreds of thousands of VoIP subscribers would be affected; according to the latest available statistics from the Telecoms Regulatory Authority of India (TRAI) there are 34 companies providing commercial VoIP services at the end of March 2009, and more than 130 million minutes of calls using internet telephony were logged between January and March 2009.


Best Practices for Collecting Forensics Evidence

Monday, September 14, 2009

Very good article written by Paul on forensics evidence collection; you can read it at SANS.


Windows Vista / 7 SMB Protocol Reboot Vulnerability

Tuesday, September 8, 2009

A vulnerability in Microsoft's implementation of the SMB2 protocol can be exploited via the net to crash or reboot Windows Vista and Windows 7 systems. The root of the problem is an error in how the srv2.sys driver handles client requests when the header of the "Process Id High" field contains an ampersand. The attack does not require authentication; port 445 of the target system merely has to be accessible, which in the default Windows local network configuration, it usually is. SMB2 is an extension of the conventional server message block protocol.

Exploit code is already available online, and the code is getting integrated into Metasploit, and it's gonna be cool: point, click and reboot Windows Vista / 7 machines.

The vulnerability exists in SRV2.SYS, which fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.

The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication.
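As an added defender-side example (not code from the post or from Metasploit), the following parser decodes the NetBIOS-framed SMB1 header of a NEGOTIATE PROTOCOL REQUEST and returns an alert when the Process ID High field is nonzero, which a normal client never sets; the ampersand value the post describes gets the higher severity. It assumes the standard 32-byte SMB1 header layout (Process ID High at offset 12); the sample messages are constructed header-only frames, not complete requests.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_HEADER_LEN = 32
AMPERSAND = 0x26

def parse_netbios_session(data):
    """Strip the 4-byte NetBIOS session service header (type, 24-bit length)
    that precedes SMB on TCP/445 and return the SMB payload."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated NetBIOS payload")
    return payload

def parse_smb1_header(smb):
    """Decode the leading fields of the 32-byte SMB1 header; None if not SMB1."""
    if len(smb) < SMB_HEADER_LEN or smb[:4] != SMB1_MAGIC:
        return None
    # Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2), little-endian, packed.
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high,
            "pid_high_bytes": smb[12:14]}

def inspect_negotiate(data):
    """Return an alert dict for a suspicious NEGOTIATE request, else None."""
    try:
        smb = parse_netbios_session(data)
    except ValueError:
        return None
    hdr = parse_smb1_header(smb)
    if hdr is None or hdr["command"] != SMB_COM_NEGOTIATE:
        return None
    if hdr["pid_high"] == 0:          # what every normal client sends
        return None
    severity = "high" if AMPERSAND in hdr["pid_high_bytes"] else "medium"
    return {"severity": severity, "pid_high": hdr["pid_high"],
            "reason": "nonzero Process ID High in SMB NEGOTIATE"}

def build_sample_header(pid_high_bytes):
    """Constructed test input: a header-only NEGOTIATE framed in NetBIOS
    (no dialect list follows, so this is not a complete request)."""
    hdr = (SMB1_MAGIC
           + bytes([SMB_COM_NEGOTIATE])   # Command
           + b"\x00" * 4                  # Status
           + b"\x18"                      # Flags
           + b"\x53\xc8"                  # Flags2
           + pid_high_bytes               # Process ID High (2 bytes)
           + b"\x00" * 8                  # SecurityFeatures
           + b"\x00" * 2                  # Reserved
           + b"\x00" * 8)                 # TID, PIDLow, UID, MID
    assert len(hdr) == SMB_HEADER_LEN
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr

BENIGN = build_sample_header(b"\x00\x00")
SUSPECT = build_sample_header(b"\x00\x26")

if __name__ == "__main__":
    print(inspect_negotiate(BENIGN))    # None
    print(inspect_negotiate(SUSPECT))   # severity "high"
```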


Open Wifi Connections still at large in India

Wi-Fi scanning is a very good exercise and should be carried out regularly; it helps not only to protect yourself from trouble caused by some malicious person but also to keep bandwidth suckers from using your Wi-Fi internet for free while you pay the bills.

In a city like Bangalore, India's Silicon Valley, the Internet has become indispensable with millions of e-mails sent daily, electronic transactions made and data transferred. But how secure is the World Wide Web? A Bangalore Mirror and TIMES NOW team travelled from Koramangla in South Bangalore to 'Electronic City' and found over 40,000 unsecure Wi-Fi networks in the city.

Electronic City is considered a software hub, and as the world celebrates 40 years of the Internet, we found 40,000 unsecure Wi-Fi networks in the city with 600 alone in the 12-kilometre stretch the team covered.

The thousands of access points make for easy pickings for a terrorist with the right resources.

Armed with laptops and two powerful wireless antennae, the team began 'War Driving' - the process of scanning for vulnerable wi-fi networks to crack into their domains. The process was somewhat tedious - beginning with a scan for unsecure wi-fi networks, then searching for open air networks, and finally a scan for networks with WEP or Wired Equivalent Privacy-enabled networks - considered the weakest.

Accompanying us were Members of the Indian Cyber Army, a group of anti-hackers.

Once a vulnerable wi-fi user was scanned thoroughly, his WEP key was cracked by the Wireless Penetration Testing system. Then we used the same WEP key to get to the access point of the network provider. After successfully acquiring the access point, we acquired an Internet Protocol from the same network which enabled us to access the internet. Finally, we sent mails from those hacked access points to the Karnataka police.

Here are the do's and don'ts to secure a wi-fi network.

1. You must use strong encryption keys and a user-based authentication.

2. Don't use a default password for your network.

3. Always disconnect your network when not in use.

These are simple steps that might prevent your internet network from becoming the gateway to cyber terror. News Source



X-Force Threat Insight Report Q2 2009

Monday, September 7, 2009

This edition of the X-Force Threat Insight Report provides an exhaustive list of security alerts, breaches and the most commonly seen threats in Q2 2009. It also delivers two new and insightful articles by IBM ISS researchers. The first article assesses one of the more serious threats of 2009, Conficker. The Conficker worm family has evolved into a massive sophisticated malicious botnet arsenal and infrastructure of millions of compromised hosts. Learn what actions your organization can take to mitigate this threat.

The second article discusses Internet fraud schemes, specifically, Advance Fee schemes and Romance scams. These schemes, which are costing victims billions of dollars, exploit human emotions and use social engineering to lead people to make decisions based on their feelings rather than on the facts or logic of the situation. Report


SwineFlu Virus disassembly - Good Reading

Comparison to Computer Viruses


How many bits does it take to kill a human?

The H1N1 virus has been comprehensively disassembled (sequenced) and logged into the NCBI Influenza Virus Resource database. For example, an instance of influenza known as A/Italy/49/2009(H1N1) isolated from the nose of a 26-year old female homo sapiens returning from the USA to Italy (I love the specificity of these database records), has its entire sequence posted at the NCBI website. It’s amazing — here’s the first 120 bits of the sequence.
atgaaggcaa tactagtagt tctgctatat acatttgcaa ccgcaaatgc agacacatta

Remember, each symbol represents 2 bits of information. This is alternatively represented as an amino acid sequence, through a translation lookup table, of the following peptides:
MKAILVVLLYTFATANADTL

In this case, each symbol represents an amino acid which is the equivalent of 6 bits (3 DNA-equivalent codons per amino acid). M is methionine, K is Lysine, A is Alanine, etc. (you can find the translation table here).
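The translation step the post describes, as an added example that is not from the quoted article: the 64-entry standard genetic code is packed into one string indexed by the three bases, the 60-nucleotide fragment quoted above is translated to the same 20 amino acids, and the bit counts the post gives (2 bits per base, 6 per amino acid) are computed alongside.

```python
# Standard genetic code packed as a 64-character string: the amino acid for
# codon b1 b2 b3 sits at index 16*i(b1) + 4*i(b2) + i(b3), with T,C,A,G -> 0..3.
# '*' marks a stop codon.
BASES = "TCAG"
AMINO = "FFLLSSSSYY**CC*WLLLLPPPPHHQQRRRRIIIMTTTTNNKKSSRRVVVVAAAADDEEGGGG"

def codon_index(codon):
    """Map a 3-letter codon (T/C/A/G) to its position in AMINO."""
    b1, b2, b3 = (BASES.index(c) for c in codon)
    return 16 * b1 + 4 * b2 + b3

def translate(nucleotides):
    """Translate a DNA string (whitespace and case ignored) into a one-letter
    amino-acid string, stopping at the first stop codon."""
    seq = "".join(nucleotides.split()).upper()
    if len(seq) % 3:
        raise ValueError("sequence length is not a multiple of 3")
    out = []
    for i in range(0, len(seq), 3):
        aa = AMINO[codon_index(seq[i:i + 3])]
        if aa == "*":
            break
        out.append(aa)
    return "".join(out)

def nucleotide_bits(nucleotides):
    """2 bits per base, as the post states."""
    return 2 * len("".join(nucleotides.split()))

def amino_bits(peptide):
    """6 bits per amino acid (three 2-bit bases per codon)."""
    return 6 * len(peptide)

# The first 60 nucleotides quoted in the post for A/Italy/49/2009(H1N1).
SEQ = "atgaaggcaa tactagtagt tctgctatat acatttgcaa ccgcaaatgc agacacatta"

if __name__ == "__main__":
    peptide = translate(SEQ)
    print(peptide, nucleotide_bits(SEQ), amino_bits(peptide))
```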


Compliance Failure by bank leads to lawsuit

Friday, September 4, 2009

A big problem for major corporations is compliance. If they had been compliant with the security standards laid down by the FFIEC, the breach of this couple's bank account would have been avoided, and so would this lawsuit; in fact this might open more lawsuits for them. No wonder so many banks are expected to fail in the US this year.

A judge of the District Court for the Northern District of Illinois allowed a couple to pursue their suit for negligence against the Citizens Financial Bank.

They claim an account they had at that bank was breached and they suffered a loss of $26,000 through theft, all because the bank had not implemented a two-factor authentication method as recommended by the Federal Financial Institutions Examination Council.

At that time, the bank was still using usernames and passwords for accessing the accounts, and it has not been able to convince the judge that its safety measures were adequate and that it didn't breach its duty to protect the account in question.

This decision gives weight to the point that security analysts have been trying to prove for quite some time: companies need to show due diligence when it comes to protecting their customers' personal data, or they could get sued after a breach that compromises said data.


India could become cyber-crime hub

Tuesday, September 1, 2009

India is vulnerable to cyber crimes as 97 per cent of Indians, who use information technology, are not aware of how to be secure, and the situation has been further complicated with the surfacing of the 10 minute E-mail.
Cautioning that India could become one of the potential hubs of cyber crimes, the director of Intelligent Quotient Security System, Pune, Mr Herald D’Costa said, “10 minute E-mail is the most dangerous E-mail, that had been developed and is being misused to cheat, to issue threats and even play truants.”
Talking to this paper he said, “It is a disposable E-mail ID, in which an E-mail gets destroyed in just 10-minutes time and no traces can be found. This is the biggest draw back of this particular technology. Terrorists also can use it or someone can send it in the name of terrorists to a businessman, layman, or anybody and can cheat.’’

Mr D’Costa said according to Net craft, India stands 4th in the banking technology frauds in the world. Every year 15,000 cyber crimes are registered. While explaining, he said in Maharashtra, a person went to a police station saying he got an E-mail informing him that he had won Rs 8 crore and to get the prize money he had to pay a certain amount. After paying this amount, he did not get any money or reply. It was then that he realised that he was cheated, but it was too late.
The people need to be made aware this as many get E-mails as if they are coming from their banks to ask their account IDs and passwords for verification purposes. They should divulge information because this personal information can be used by cyber criminals, who sent the E-mails and in turn money could be withdrawn from their account, he informed.
Mr D’Costa said, “People should refrain from using card-money, they should stop using credit cards as this has more chances of being used in a fraud. A crorepati can become roadpati in no time.” However, he added that debit cards to some extent are safer.
He cautioned the public to refrain from E-banking from public places like cyber cafes or other such places.
Many banks tell ID account holders to use virtual keyboards for entering the passwords during E-banking transactions, but this also is not found to be 100 per cent secure in many of the E-banking websites. Even if people use virtual keyboards the password is stored in the hard disc, which can be recovered by using forensic software, which are freely available on the Internet.
People should opt for E-banking transactions only after ensuring that it is a genuine web site. If people want to do any E-banking then they should demand for a token from the banker. A token is a device that generates an unique number, displayed on the device after his password has been given. He should enter this code after the password is entered. This code is valid for only 8-10 seconds, then it expires. This is a safe method for E-banking.
He said any account holder opens an E-banking account, he should request the bank to send a transaction check after any transaction is done through E-banking or through plastic money. This particular act may save many of the crimes which committed through plastic cards.
Every organisation or institute that takes the credit cards for their customers should follow some general guidelines.
A genuine credit card will always be glossy or shining while a duplicate or clone one will be rough. In case of genuine plastic money, the first four digits of the plastic card will display just the name of the account holder in bold, while in case of a duplicate one there is nothing of this sort. If the card is used globally, then at the back of the plastic card the security code will always be displayed, whereas in a duplicate card the security code is always masked with white paper. Internally, whenever a card is used globally it is a mandatory norm set by the bank that the security code should always have a hologram, whereas a duplicate will never have a hologram. In case of genuine plastic money, just above the magnetic tape you will have the customer care center toll-free number, whereas a duplicate will never have it. “There are many critical points by which we can avert cyber crime frauds,” he informed.


Indonesian Hackers Claim Web Attack on Malaysian Sites

A ring of Indonesian hackers on Monday claimed to have attacked scores of Malaysian Web sites, one more in a series of flashpoints threatening tenuous ties between neighbors.

The two countries have been embroiled in a string of spats over alleged misappropriation of cultural icons, reports of migrant worker abuse and territorial disputes.

A statement posted on a blog titled “Terselubung” says that a number of Malaysian Web sites had been hacked and defaced to “celebrate” Malaysia’s Independence Day, which was celebrated on Monday.

“Today, Aug. 31, 2009, an uncreative country, a country who likes to steal Indonesian culture, a country whose citizen is the mastermind of bombings in Indonesia, a country who has tortured many of our sisters — the migrant workers who worked there, a country who abused our national anthem, a country who harassed Indonesia on the Internet, a country that has stolen Sipadan and Ligitan islands, a country which has trespassed our water illegally, a country which received their independence from Britain, is celebrating its anniversary,” the Web site statement read.

“As good Indonesian citizens, we will celebrate their independence in our own way. We are celebrating by undertaking a mass attack on the country’s Web sites,” the statement continued.

The site then listed more than 120 Internet addresses, including domains for Malaysian education and tourism pages. But checks on a sample of the mentioned sites revealed only a few of them remained defaced, or that many had recovered from the attacks.


Microsoft IIS5 and IIS6 FTP Exploit 0day

Microsoft on Monday said it is looking into a report of a flaw in some versions of its Internet Information Services product that could allow an attacker to gain control of a system.

In a statement, a Microsoft representative said the company "is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP)."

Microsoft said it is not aware of any attacks using the vulnerability. "We will take steps to determine how customers can protect themselves, should we confirm the vulnerability."

This exploit triggers a large SITE command and can easily be detected.

If you want to detect the attack with Snort you can download the rule from ET.

The IIS FTPD Exploit can be found here
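Added detection example (not the ET Snort rule and not the exploit): a scanner over an FTP control-channel transcript that separates client commands from numbered server replies and flags any SITE command with an abnormally long argument, the symptom the post says is easy to detect. The transcript and the 128-character threshold are constructed for the example.

```python
import re

# Constructed FTP control-channel transcript (not a real capture). Lines that
# start with a 3-digit code are server replies; the rest are client commands.
TRANSCRIPT = [
    "220 Microsoft FTP Service",
    "USER anonymous",
    "331 Anonymous access allowed, send identity (e-mail name) as password.",
    "PASS guest@example.org",
    "230 Anonymous user logged in.",
    "SITE HELP",
    "214-The following SITE commands are recognized",
    "SITE " + "A" * 600,          # oversized argument, the thing to catch
    "500 Command not understood",
    "QUIT",
]

SITE_MAX_ARG = 128   # legitimate SITE arguments are short keywords or paths
REPLY_RE = re.compile(r"^\d{3}[ -]")   # "220 ..." or multi-line "214-..."

def parse_client_command(line):
    """Split a client line into (VERB, argument); server replies give None."""
    if REPLY_RE.match(line):
        return None
    verb, _, arg = line.strip().partition(" ")
    return verb.upper(), arg

def find_oversized_site(lines, max_arg=SITE_MAX_ARG):
    """Return (line_number, argument_length) for every SITE command whose
    argument exceeds max_arg."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_client_command(line)
        if parsed is None:
            continue
        verb, arg = parsed
        if verb == "SITE" and len(arg) > max_arg:
            hits.append((n, len(arg)))
    return hits

if __name__ == "__main__":
    for n, length in find_oversized_site(TRANSCRIPT):
        print(f"line {n}: SITE argument of {length} bytes")
```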

