What I Know It’s About Experience

29 Mar 2010

Pwn2Own 2010 News

Pwn2Own is the brainchild of Dragos Ruiu, the founder and director of the CanSecWest security conference. This is an annual conference held in Vancouver, Canada (usually late March). If you have never been to it, I highly recommend the event. This is probably the most technically advanced conference worldwide, even more so than events like Blackhat or Hack In The Box. It tends to be smaller, about 200 people. Pwn2Own is an event where conference attendees are challenged to hack a fully patched device. The first contest began in 2007 with just a Macbook laptop, but has grown to include items such as a Windows laptop and iPhone. What makes this contest different from other hacking events is the caliber of contestants. You literally have some of the best exploit developers in the world. They are motivated by a total of $100,000 and, in addition, gain tremendous bragging rights. Many of the contestants said it took them 1-2 weeks to develop the exploits; in some cases two people worked together. That averages 80-160 man-hours to create an exploit. This year at the contest the following fully patched systems were successfully hacked:

  Firefox on 64-bit Windows 7
  Internet Explorer 8 on 64-bit Windows 7
  Safari on Mac OS X
  iPhone

So, what does that mean to us?  In general three things.
  1. Developing a new exploit takes a lot of work; however, with enough time and talent anything can be hacked, even something fully patched.
  2. In general, most criminals are simply too lazy or do not have the skills to develop such advanced exploits.  But then again, they don't have to.  The simple, well-known exploits and vulnerabilities are working just fine.
  3. The only organizations that would have to worry about such attacks are high-value targets. If you believe you are such a target, and that threats may specifically target you, contests like this demonstrate that no matter how much prevention you implement, it can be bypassed. Detection and incident response are just as important as prevention.
via HoneyTech Security Update
9 Mar 2010

1024-bit RSA encryption cracked!!

Since 1977, RSA public-key encryption has protected privacy and verified authenticity when using computers, gadgets and web browsers around the globe, with only the most brutish of brute force efforts (and 1,500 years of processing time) felling its 768-bit variety earlier this year. Now, three eggheads (or Wolverines, as it were) at the University of Michigan claim they can break it simply by tweaking a device's power supply. By fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the password. With a small cluster of 81 Pentium 4 chips and 104 hours of processing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it. That's why they're presenting a paper at the Design, Automation and Test conference this week in Europe, and that's why -- until RSA hopefully fixes the flaw -- you should keep a close eye on your server room's power supply.

via: Engadget.com
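
A standard software countermeasure to the kind of fault-induced signing error described above is to verify each signature with the public key before releasing it. The following is an added example, not code from the original post, the researchers or OpenSSL: it simulates a single-bit fault in a square-and-multiply exponentiation with a constructed toy key, and `modexp`, `sign_checked` and the `fault` parameter are hypothetical names.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

class FaultDetected(Exception):
    """Raised when a computed signature fails its own public-key check."""

def digest_int(msg: bytes) -> int:
    # Textbook RSA on a hash, no padding: enough to show the check, not for production.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def op_count(exp: int) -> int:
    # One squaring per exponent bit plus one multiply per set bit.
    return exp.bit_length() + bin(exp).count("1")

def modexp(base: int, exp: int, mod: int, fault=None) -> int:
    # Left-to-right square-and-multiply. fault=(step, bit) flips one bit of the
    # product computed at that step, modelling a transient single-bit error in
    # the multiplier (simulation only, assumed fault model).
    step = 0

    def mul(a: int, b: int) -> int:
        nonlocal step
        prod = a * b
        if fault is not None and fault[0] == step:
            prod ^= 1 << fault[1]
        step += 1
        return prod % mod

    acc = 1
    for bit in bin(exp)[2:]:
        acc = mul(acc, acc)
        if bit == "1":
            acc = mul(acc, base)
    return acc

def sign_unchecked(msg: bytes, fault=None) -> int:
    # Releases whatever the exponentiation produced, faulty or not.
    return modexp(digest_int(msg), D, N, fault)

def sign_checked(msg: bytes, fault=None) -> int:
    # Re-verify with the public exponent; withhold anything that does not check out.
    s = sign_unchecked(msg, fault)
    if pow(s, E, N) != digest_int(msg):
        raise FaultDetected("signature failed self-verification; not released")
    return s
```

The check costs one public-key exponentiation per signature, which is cheap next to the private-key operation, and a `FaultDetected` event is worth logging as a hardware-health or tampering signal.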

21 Jan 2009

Biggest data breach in history

Heartland Payment Systems was breached and 100 million credit cards were stolen :) Of course, the hackers who planned this seem to have thought it through carefully and waited until the big day, the inauguration of the new US president, when most people were busy following the event, but that is not the main point here. The problem is that the company only found out from Visa and MasterCard, which contacted them and said that transactions were taking place that looked suspicious and abnormal. Sure enough, after investigating they found evidence confirming that the system had been breached, and they went crazy: how did the breach happen?? Of course the investigations are still ongoing and the FBI is involved. Since the breach is considered the largest in history, they opened a site called www.2008breach.com through which the breach was announced and customers were warned and urged to check their own records and, on noticing any suspicious transaction, to call immediately and report it. Of course, they were able to determine exactly which records and information had been obtained. This is thanks to the internal monitoring systems they had on their systems.

Monitoring systems such as IDS and IPS, and enabling auditing logs, are very important in any work environment. They will not necessarily protect you from hackers completely, and nothing is complete anyway, but at least you will be able to get the situation under control and know exactly what happened, which gives you a good chance of tracking down the hacker and catching him. Of course, for the workplace to benefit from these technologies as intended, you have to hire people who are skilled in this field, who know how to monitor and who have a background in suspicious and unusual activity. But if the systems are in place and the people you have hired are unqualified, you will not be able to benefit fully, and sometimes it may already be too late: your systems get breached while your employees just watch, because they are unable to tell the difference :) .
