Monthly Archives: July 2013

26th July – Systems Administrators Day

Systems administrators around the world are being celebrated on July 26 for their behind-the-scenes work keeping their organizations' networks running smoothly, as part of the loosely organized and whimsical 14th annual SysAdmin Day. The day was created by system administrator Ted Kekatos on July 28, 2000, according to Wikipedia. “Kekatos was inspired to create the special day by a Hewlett-Packard magazine advertisement in which a system administrator is presented with flowers and fruit-baskets by grateful co-workers as thanks for installing new printers. Kekatos had just installed several of the same model printers at his workplace,” the entry reports. Since then, SysAdmin Day has been celebrated on the last Friday in July.

SIM security flaw exposed!!!

Karsten Nohl, founder of Security Research Labs in Berlin, told the New York Times on Sunday that he has discovered a flaw in the encryption used by some SIM cards. The vulnerability could let an attacker eavesdrop on the owner's calls, make purchases through mobile payment systems and possibly even impersonate the owner outright; around 750 million devices could be affected. According to the paper, the hole lets an attacker recover the SIM card's 56-bit DES key (the report describes it as a “56-digit” key), the key that protects the over-the-air update messages a carrier sends to the card. Nohl obtained a key by sending the target device a binary SMS carrying a forged signature for the device's wireless carrier. Normally both the device and the carrier verify each other by checking these signatures, and a SIM that sees an invalid signature should simply discard the message. The vulnerable cards instead answer with an error message that is itself signed with the card's key, and that signed response gives the attacker enough known material to brute-force the 56-bit key offline.

‘RiskRater’ – Online risk assessment tool by Rapid7

Rapid7 has released a risk assessment tool named ‘RiskRater’. It is a free online tool that assesses your mobile, endpoint and user-based risk management programs and aims to bring the areas that need work to your attention in priority order. Of all the tasks you could do to improve your organization’s overall security, which should you do first? Some are more valuable to do before others, and RiskRater helps you identify which. It asks a set of questions for each of three categories (endpoint, mobile and user) and calculates a score from 1 to 10 based on your answers. The score is produced by an algorithm and then mapped against benchmarks built from Rapid7’s own research and from responses provided by over 600 organizations.

Two-factor authentication bypass in Dropbox, possible!!

Researcher Zouheir Abdallah of the Q-CERT team revealed that an attacker who already knows a victim’s Dropbox credentials (a username and password obtained with a keylogger, reused from another site, guessed because it was weak, and so on) can take over that account even when two-factor authentication is enabled. Q-CERT found a critical vulnerability in Dropbox that allows an attacker to bypass the two-factor authentication implemented by the popular file-sharing service. The flaw stems from Dropbox not verifying that the e-mail address used to sign up a new account actually belongs to the person registering it: an attacker can create a fake account whose address is the target’s with a dot (.) inserted anywhere in it, and Dropbox treats it as a distinct account while other parts of the service do not.
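The bug class behind this is an address-normalization mismatch: sign-up keeps dots in the local part as significant (and never verifies the mailbox), while another path, here the “I lost my phone” backup-code check, matches addresses dot-insensitively. The following is an added illustration, not Dropbox's code; the service classes, the backup-code recovery flow and all accounts and passwords in it are constructed for the example. It contrasts the vulnerable behaviour with a hardened version that refuses colliding addresses at sign-up and binds the backup code to the account actually being logged into.

```python
"""Constructed model of the dot-in-e-mail 2FA bypass and its fix.

Assumption (not Dropbox's actual implementation): registration stores
accounts under the raw lower-cased address, while the 2FA recovery path
compares addresses after stripping dots from the local part.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


def canonical(email: str) -> str:
    """Dot-insensitive form of an address: 'vic.tim@x' -> 'victim@x'."""
    local, _, domain = email.strip().lower().partition("@")
    return local.replace(".", "") + "@" + domain


@dataclass
class Account:
    email: str
    password: str
    totp_enabled: bool = False
    backup_code: str | None = None


class VulnerableService:
    """Registers by raw address, recovers by canonical address: exploitable."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, email: str, password: str) -> Account:
        key = email.strip().lower()  # dots kept: 'vic.tim@' looks like a new account
        if key in self.accounts:
            raise ValueError("address already registered")
        acct = self.accounts[key] = Account(key, password)
        return acct  # no verification mail is ever sent to the mailbox

    def enable_2fa(self, acct: Account) -> str:
        acct.totp_enabled = True
        acct.backup_code = secrets.token_hex(8)
        return acct.backup_code

    def login_with_backup_code(self, email: str, password: str, code: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct.password != password:
            return False
        if not acct.totp_enabled:
            return True
        # BUG: the recovery check accepts a backup code from *any* account whose
        # canonical address matches, not only the account being logged into.
        for other in self.accounts.values():
            if canonical(other.email) == canonical(acct.email) and other.backup_code == code:
                return True
        return False


class HardenedService(VulnerableService):
    """Same API; collisions are refused at sign-up and the code is bound to one account."""

    def register(self, email: str, password: str) -> Account:
        if any(canonical(a.email) == canonical(email) for a in self.accounts.values()):
            raise ValueError("address collides with an existing account")
        return super().register(email, password)

    def login_with_backup_code(self, email: str, password: str, code: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct.password != password:
            return False
        if not acct.totp_enabled:
            return True
        # Only this account's own backup code is acceptable (constant-time compare).
        return acct.backup_code is not None and secrets.compare_digest(acct.backup_code, code)


def run_attack(service_cls: type[VulnerableService]) -> bool:
    """Plays the scenario through; returns True when the attacker gets in."""
    svc = service_cls()
    victim = svc.register("victim@example.com", "hunter2")  # constructed victim
    svc.enable_2fa(victim)
    try:
        fake = svc.register("vic.tim@example.com", "irrelevant")  # attacker's fake account
    except ValueError:
        return False  # hardened sign-up refused the colliding address
    attacker_code = svc.enable_2fa(fake)  # attacker knows this backup code
    # The attacker already holds the victim's password (keylogger, reuse, ...)
    # and answers the 2FA prompt with the backup code from the fake account.
    return svc.login_with_backup_code("victim@example.com", "hunter2", attacker_code)


if __name__ == "__main__":
    print("vulnerable service compromised:", run_attack(VulnerableService))
    print("hardened service compromised:  ", run_attack(HardenedService))
```

The fix that matters is the second one: whatever normalization you apply at sign-up, a second factor or recovery secret must be looked up by the identity of the session being authenticated, never by a fuzzy match on an attacker-controllable attribute such as an e-mail address.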

Wi-Vi uses Wi-Fi signals to see through walls

Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory have come up with a way to build a low-power, portable device that can see through walls using Wi-Fi signals. Technology of this sort, similar in concept to radar or sonar, has existed for years; it relies on radio waves and other parts of the electromagnetic spectrum and is used mainly in law enforcement and military applications. Dina Katabi, a professor in MIT’s Department of Electrical Engineering and Computer Science, and graduate student Fadel Adib propose wider civilian use of the technology through a simple, affordable device like a mobile phone equipped with two transmit antennas and a receiver. Here’s an interesting video that shows how the system works. Katabi suggests the technology, which she calls Wi-Vi, could be used for virtual reality and gaming without requiring the user to stay in a fixed area in front of a sensor. She also says it could be used for personal safety.

Cisco patches flaws in security appliances

Cisco is advising administrators to patch their security appliances following the disclosure of vulnerabilities in the company’s Web Security Appliance and Email Security Appliance products. The company said the flaws include both command injection and denial-of-service vulnerabilities affecting both product lines. For the Web Security Appliance, the fix patches two authenticated command injection vulnerabilities; if exploited, they could allow a user to execute arbitrary code and take remote control of a targeted appliance. To do so, however, the company noted that the user would need a valid account on the appliance, which lowers the likelihood of an unauthenticated remote attack but makes the patch no less important where accounts are shared or weakly protected.

Facebook Fixes SMS-Based Account Hijacking Vulnerability

A UK security researcher has disclosed a bug in Facebook’s code that allowed him to take over any Facebook account in less than a minute, and earned himself a $20,000 bug bounty in the process. fin1te, a security engineer, described a simple bug “which will lead to a full takeover of any Facebook account, with no user interaction.” Put simply, by sending Facebook an SMS message an attacker could get his own mobile number attached to an account of his choice. Once that link exists, the attacker can simply request a password reset and have the reset code sent to his own phone.