Waking up from the hangover of Bruce Schneier, team ClubHack is ready to rock the security world again

Visit http://clubhack.com/2011 for more details

In this 5th edition of ClubHack, we have Richard Stiennon as our invited guest & keynote speaker

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He is the author of Surviving Cyberwar (Government Institutes, 2010) and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software.

It seems that hacking activity is on continuous rise. It appears that the guys in the wild do not take any break or rather there is no specific season for hacking; its 24×7 on all 365 days…..

Amongst others, following are some of the recent hacking activities:

• Harvard University website hacked by Syria protesters
• 75 Indian Govt and University Sites hacked including Patiala Police
• The Council on Governmental Ethics Laws (COGEL) hacked and complete database dumped
• Anonymous Austria post via the official Twitter account about 25,000 records Austrian police officers
• Mysql.com website hacked
• USA Today Twitter account hacked
• 700,000 sites on Inmotion Hosting Server hacked
• Core Security Technologies website defaced

Phew… there are many more and still counting

Related articles

• USA Today Twitter Hack of the Day (geeks.thedailywh.at)
• Harvard Web site hacked with pro-Syria message (news.cnet.com)

Around 3 months back we heard a news of “technical snag” which caused chaos in T3 of IGI airpot delhi. The internal team was doing invetigation since then and now they have concluded that the “technical snag” was a cyber attack. Its is believed that its was a malicous script sent from remote

As per Indian Express, CBI registering a case under the IT Act in June and started investigation. Investigators of CBI says that “malicious code” was in the form of “attack scripts”, which means a programme was written by an expert to exploit the system’s security weakness.

The check-in counters, transfers counters and boarding gates at the IGI are operated using the Common Use Passengers Processing System (CUPPS), maintained by Aeronautical Radio Incorporated (ARINC). The CUPPS operates on a common software-and-hardware platform that integrates all information such as an airline’s reservation system, the expected time of departure and the capacity at waiting lounges. The problem in CUPPS started at 2.30 am on June 29 due to which check-in counters of all airlines at T3 became non-operational.

“This forced the airlines to opt for manual check-in and as a result passengers had to wait. There are around 172 CUPPS counters and only a third were functioning online,” said an official. The investigation revealed that someone had hacked into the main server of the CUPPS and introduced a virus.

It took nearly 12 hours for the experts — from ARINC, Wipro and DIAL — to restore the system. The CBI was also called in as officials suspected it was a security breach. “We found that there were serious security lapses,” said a CBI official.

Computer scientists from UC Davis university have developed an Android app named TouchLogger that logs keystrokes using a smartphone’s sensors to measure the locations a user taps on the touch screen.

Researchers have demonstrated that it is possible to log individual keystrokes entered on a smartphone’s on-screen keyboard using device’s built-in accelerometer (also known as the gyroscope). The researches were able to correlate the movements of the phone with individual keystrokes on an all-numeric keypad with an accuracy of about 70%. With minor refinements, the researchers believe they can expand the effectiveness of TouchLogger.

Applications like these can be potentially dangerous as an application does not require special privileges to access the device’s accelerometer. Major smartphones, like Apple’s iPhone, RIM‘s Blackberry, etc. give a user the freedom to define special permissions for applications to define their level of access. Usually within these  permissions not much importance is given to those pertaining to the device’s movements.

The developers of TouchLogger created this application for a PoC to be presented at HotSec’11, San Francisco. Presentation video available here (mp4) and the paper can be downloaded from here. A preliminary evaluation of the tool was done using HTC Evo 4G smartphone.

Following table shows the distribution of inference results which are evident for the app being correct 70% of the time.

The scientists noted that the W3C recently published a specification for web applications to access accelerometer and gyroscope sensors using JavaScript. They are in the process of extending their work into a full research project.

A less original, but rather more effective approach is taken by Android malware called GingerMaster. It uses a root exploit called GingerBreak to permanently compromise the smartphone. According to security researcher Xuxian Jiang, GingerMaster is the first piece of malware to deploy a root exploit for Android 2.3.3 “Gingerbread”. It is concealed in repackaged legitimate apps and registers a receiver which will be
notified when the smartphone has finished booting. Once installed, it then launches a background service.

Image by kryptyk via Flickr

Oracle issued an emergency patch to fix a denial of service(DoS) vulnerability in Oracle HTTP server products that are based on the Apache Web server 2.0 and 2.2.

Attack Details
—————–
With this attack any exploiter can remotely send large chunk of data in the header without any authentication or requiring  any username and password. When the server tries to process the data, memory and CPU resources are exhausted, resulting in a DoS attack. This bug is known since long but a  security researcher [kingscope] posted an “Apache Killer” Perl script on Full Disclosure mailing list in August; which made it easier to launch such attacks.

National Vulnerability Database (NVD) has assigned a Common Vulnerability Scoring System (CVSS) score of 7.8 to this vulnerability – Common Vulnerability and Exposures -2011-3192.

Oracle strongly recommended customers to apply Security patch as soon as possible since this patch is released out of the regular quarterly cycle of updates.

We are proud to announce the release of the First book by our friend Vivek Ramachandran, founder of http://securitytube.net

The book is titled “BackTrack 5 Wireless Penetration Testing Beginner’s Guide” and is available @ amazon.

The book is written with a lot of care and keeping beginners in mind and the writing style will help anyone to jump start and learn fast on this topic. We all have been loving the videos created by Vivek and we are thankful to him for creating this nice book for all.

Link to book: BackTrack 5 Wireless Penetration Testing Beginner’s Guide

Enjoy

UPDATE: India shipping is available from http://www.packtpub.com/backtrack-5-wireless-penetration-testing-beginners-guide/book
UPDATE: BackTrack 5 Wireless Penetration Testing Beginner’s Guide is now available @ Flipkart.com too
 

ClubHack is proud to announce partnership with SecurityByte2011

Securitybyte conference offers an exciting series of events that are highly relevant to today’s information security issues & concerns. Attending this event is one of the most cost-effective and time-efficient ways to stay on top of what’s current, enhance your information security skills and accelerate your success

• Largest Information Security conference in India with 2 days of conference talks & 2 days of hands-on trainings for over 1000 delegates.

• 25 world renowned information security experts & leaders from across the globe to deliver talks & trainings.

• Specialized talks, trainings, boot camps for Security teams, Developers, Architects, DBAs, Network administrators, QA auditors, Government Agencies, Compliance & Risk professionals and leaders.

• Highly discounted training prices from renowned Training providers.

A chinese documentary on military activities by mistake exposed a lot which was not intended.

Check out the video at 36s onwards. You’ll notice a nice UI (probably written in delphi) being used to launch attack

against an IP. The large writing at the top says “Select Attack Target.” Next, the demonstrator choose an IP address to attack from (it belongs to an American university). If you dig more online, you’ll find that the compromised IP 138.26.72.17 belongs to the University of Alabama in Birmingham (UAB).

The documentary was intended to praise the wisdom Chinese military strategists, and a typical condemnation of the United States, but accidentally it exposed the intent and activities Chinese Military University do.

As per  Jason Ma, a commentator for New Tang Dynasty Television: “This is the first time we see clearly that one of the top Chinese military universities is doing this research and developing software for cyber-attacks. There’s solid proof of it in this video”

Check out the full report by TheEpochTimes

As per china daily, last year china has suffered nothing less than 493000 cyber attacks. This was claimed  in a report by the country’s National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC)

According to the report, 14.7% of the attacks came from US where as 8% came from Indian IPs.

Hackers tampered with nearly 35,000 web pages — including 4,635 government websites — in the past year, the report said, up 67.6 percent from a year earlier. It said 60 percent of websites of ministry-level government departments are at risk of being hacked.

Personally not sure how much to trust this news.