News Bytes June 2012
1. Newsbytes
Null Meet - 16th June 2012
Sumeer Kumar
Freelance RFiD Consultant
sumeer.kumar@gmail.com
2. • 6.5 million LinkedIn passwords apparently leaked; over 60% of the
stolen passwords already cracked
• Passwords that are reset will now be stored in salted, hashed
format, i.e. a random string (the salt) is added to your password before it is
cryptographically hashed.
• It means that tables of hashes cannot be pre-computed from
dictionary attacks or similar techniques and reused against every leaked hash.
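To make the salting point concrete, here is an added example (not code from the original slides or from LinkedIn): a small constructed password dictionary is pre-hashed once, which instantly recovers a leaked unsalted digest, while the same table finds nothing against a salted digest and two users with the same password no longer share a stored value.

```python
import hashlib
import secrets

# Constructed sample data: a tiny "dictionary" an attacker would pre-hash
# ahead of any breach. Real wordlists are far larger, the effect is the same.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def hash_unsalted(password: str) -> str:
    """Unsalted hash: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted hash: the per-user salt is added to the password before hashing."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def precomputed_table(words) -> dict:
    """Built once, before any leak: digest -> plaintext password."""
    return {hash_unsalted(w): w for w in words}


def crack(table: dict, stolen_digest: str):
    """One dictionary lookup per leaked hash; returns the password or None."""
    return table.get(stolen_digest)


def demo():
    table = precomputed_table(COMMON_PASSWORDS)
    # Unsalted store: a leaked digest is recovered with a single lookup.
    hit_unsalted = crack(table, hash_unsalted("linkedin"))
    # Salted store: every user gets a random salt, so the precomputed table
    # never matches, and identical passwords differ on disk.
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    hit_salted = crack(table, hash_salted("linkedin", salt_a))
    same_password_differs = (hash_salted("linkedin", salt_a)
                             != hash_salted("linkedin", salt_b))
    return hit_unsalted, hit_salted, same_password_differs


if __name__ == "__main__":
    print(demo())  # ('linkedin', None, True)
```

The salt is stored next to the hash, so it only removes the precomputation shortcut; per-hash guessing still works at hash speed, which is why a deliberately slow password hash (bcrypt, scrypt, PBKDF2) is used on top of salting.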
3. • Google warns Gmail users of state-sponsored
attacks; to offer cyberwar defence advice to Gmail
users
• The warning:
• “We believe state-sponsored attackers may be attempting to
compromise your computer”, is intended to spur users to take
immediate measures to secure their account.
• Such steps include creating a strong password for the
account, enabling two-step account verification, and keeping all software
up-to-date.
4. • Phishing with help from Google Docs
• If you're a scammer, you can use Google Docs to phish for
passwords and sensitive information.
• For example:
• An email asks the recipient to confirm their account details or risk
having it shut down.
• The message reads:
• Confirm your e-mail account please enter your Mailbox Details by
clicking the link below:
• [LINK]
• Failure to provide details correctly will result to immediate closure of
your mailbox account from our database.
• The link points to a page on Google Docs (docs.google.com) that
gives the link a false aura of legitimacy.
• But what the link can't do is tell you whether the Google account
holder is legitimate or up to no good.
5. • Siemens enhances security of industrial networks
• Stuxnet: How USA and Israel created anti-Iran virus, and then
lost control of it
• Flame worm - Iran claims to discover new Stuxnet-like malware
• Kaspersky says Stuxnet and Flame are related
• The Flame computer virus which has been raging in the Middle East has
strong links to Stuxnet, a malware program widely believed to have been
developed by the United States or Israel, a security firm said Monday.
• Kaspersky, the Russian computer security firm credited with discovering
Flame last month, said its research shows the two programs share certain
portions of code, suggesting some ties between two separate groups of
programmers.
• A program of the computer virus known as Flame
6. • Mobile workspace offers a secure Windows OS on
any computer
• Imation announced Stealth Zone 2.1 boot-from-USB secure mobile
workspace.
• This new version enhances data security by making it easier and
more convenient for business travelers, teleworkers and contractors
to carry a secure, managed Microsoft Windows 7 operating system
and an encrypted data transfer solution on a single, fully managed
USB device.
7. • Microsoft speaks out on Flame malware
certificate forgery
• Flame malware tricks you into installing apparently-trusted software
signed with a fraudulent digital certificate.
• MS has gone public with additional information about the
cryptographic trickery used in this case.
• For pre-Vista versions of Windows, it seems that the certificate
spoofing didn't rely on any sort of cryptographic forgery.
• But for Vista and later, the attackers needed to forge a certificate.
They did this using an MD5 collision.
• Flame malware used man-in-the-middle
attack against Windows Update
• MS has released an emergency update for all versions of Windows
to address a certificate flaw that was used to spread the Flame
malware from machine to machine.
8. • MySQL flaw allows attackers to
easily connect to server
• Security researchers have released details about a vulnerability in the
MySQL server that could allow potential attackers to access MySQL
databases without inputting proper authentication credentials.
• Facebook unveils new mobile
security measures
• Facebook has introduced three security updates for protecting its mobile users: a code
generator, the ability to report unwanted content from your phone, and
improved mobile recovery flows.
• Free mobile security eBook from
Veracode
• Veracode released a free eBook that outlines the ten steps that can be
taken by individuals and organizations to protect against potential security
risks brought on by the bring your own device (BYOD) to work trend.
9. • World's first secure private mobile
carrier
• Gold Line Group appears to be the first company to have
developed a completely secure carrier grade switch.
• The firm still holds $250,000 in unclaimed gold that was
put up as a reward for any hackers, spies or intelligence
agencies which could decipher a message encrypted by
Gold Lock’s mobile encryption. After attempts by over
5,000 individuals and groups, the challenge ended with
none of them able to break the code.
• Apple's iOS 6 to add privacy controls
for user contacts
• Apple will offer users a way to manage which applications have
permission to access their contact information as part of a new
privacy control panel that's coming in iOS 6.
10. • Researchers Unveil New Way to Trust Certificates
• The rise of Tumblr and Google Play spam campaigns
• Google, Facebook, Twitter take on bad ads
• Facebook account cancellation malware poses as
Adobe Flash update
11. • ATTACKS
• Global Payments: data theft compromised
fewer than 1.5 million cards
• Olympics fans targeted with lottery scam
• Father's Day spam floods in, pointing
to gambling websites
• Giant snakes eating zookeepers and
unwatchable videos - Facebook hit again by
clickjacking scams
12. • League of Legends online game joins the
League of the Hacked
• Attacks Targeting US Defense Contractors
and Universities Tied to China
• UGNazi attack 4chan, CloudFlare
• Report: North Korea Accused Of DDoS
Attack On South Korean Airport
• Millions of Last.fm passwords leaked
• Tiny New Tinba Banker Trojan Found
Stealing Financial Data
13. • Things to Ponder
• People would rather lose their wallet than
their phone
• A SecurEnvoy study “what people would most fear losing
from their back pocket”
• 37% said their personal phone, 20% their company
phone, 25% said £50, with just 18% citing credit cards.
Confirmation that we’re gripped by nomophobia – the
fear of being out of mobile contact.
• NSA launches cyber security program for
college students
• The US National Security Agency has launched a
National Centers of Academic Excellence in Cyber
Operations Program to ultimately yield a larger pool of
professionals with expertise in this area
14. • OOPS!
• Yahoo leaks its own private key via new Axis Chrome extension
• A new Yahoo browser for iPad and iPhone, dubbed "Axis," is supposed to tightly
integrate search with web browsing and has a built-in feature to synchronize one's
mobile and desktop experience.
• Yahoo mistakenly bundled its private key inside the Chrome extension version of
Axis.
• Ex-MI5 chief gets her laptop stolen at airport
• The former Director-General of the UK's internal security service MI5 has had her laptop stolen at
London's Heathrow airport.
Dame Stella Rimington, who headed the agency from 1992 to 1996, has since then become a
well-known spy thriller author.
• "....seems to have forgotten the tricks of her tradecraft since leaving MI5," commented a source
for The Sun.
15. • TOOLS / RELEASES / UPDATES
• LinkedIn provides breach update -- sort of
• Facebook Issues Security Updates for Mobile App
• Firefox 13 Fixes Seven Security Vulnerabilities
• Firefox 14 Beta promises improved security
• Ruby on Rails patches more SQL injection holes
• Apple quietly reveals iOS security innards
• Absinthe 2.0 Jailbreak for iOS 5.1.1 Devices Released
• Microsoft fixes 28 security bugs; issues FixIt for XML flaw;
automatic updater for Certificate Revocation Lists; plans to invalidate
short RSA keys
• Microsoft says IE10 will support Do Not Track by default ; violates new
specs
• Oracle issues patch to fix 14 critical Java SE holes
16. • Google Fixes Persistent XSS Flaw in Gmail
• Google Patches 13 Flaws in Chrome 19
• Adobe delivers sandboxed Flash Player for Firefox users
• Patches Photoshop, Illustrator for CS5 Users ; Flash update closes
several critical holes
• IBM releases software for developing secure mobile apps
• McAfee upgrades cloud security and Intel identity kit
• AVG spreads its mobile shield
• Security analysis tool Trisul 2.4 released
• Critical updates for IE, RDP, .NET, Flash and Java
• Major shift in strategy for ZeroAccess rootkit malware, as it shifts to
user-mode
• Dell SecureWorks unveils new managed security services
• Lancope unveils new StealthWatch threat intelligence dashboards
22. • Kevin Mitnick
• an American computer security consultant, author, and
hacker.
• In the late 20th century, he was convicted of various
computer and communications-related crimes. At the
time of his arrest, he was the most-wanted computer
criminal in the United States.
• Tsutomu Shimomura, an American scientist and
computer security expert based in the US, together with
computer journalist John Markoff, tracked down and
helped the FBI arrest hacker Kevin Mitnick.
• Takedown, his 1996 book on the subject, was later
adapted for the screen in Takedown in 2000.
25. • On the right is a blue box built by Steve Wozniak, on
display at the Computer History Museum, USA.
• A blue box is an unauthorized electronic device that
generates the same tones employed by a telephone
operator's dialing console to switch long-distance calls.
• Emerging in the 1960s and 70s, it allowed users to route
their own calls by emulating the in-band signaling
mechanism that then controlled switching in long
distance dialing systems.
• The most typical use of a blue box was to place free
telephone calls.
• Steve Wozniak and Steve Jobs, founders of Apple
Computer were frequent pranksters using the device.
• On one occasion Wozniak dialed Vatican City and
identified himself as Henry Kissinger (imitating
Kissinger's German accent) and asked to speak to the
Pope (who was sleeping at the time).
28. • Kerberos is a computer network
authentication protocol which works on the
basis of "tickets" to allow nodes
communicating over a non-secure network
to prove their identity to one another in a
secure manner.
• MIT developed Kerberos and named it
after the character Kerberos (or
Cerberus) from Greek mythology which
was a monstrous three-headed guard dog
of Hades.
31. • Anonymous is a loosely associated hacktivist group that originated
in 2003 representing the concept of many online and offline
community users simultaneously existing as an anarchic, digitized
global brain.
• It strongly opposes Internet censorship and has hacked various
government websites.
• It has also targeted major security corporations.
• The Guy Fawkes mask is a stylised depiction of Guy Fawkes, the
best-known member of the Gunpowder Plot, an attempt to blow up
the English Palace of Westminster in London in 1605.
• A stylised mask came to represent broader protest after it was used
as a major plot element in V for Vendetta, published in 1982, and its
2006 film adaptation.
• After appearing in internet forums, the mask was worn by
participants in real-life protests and has become widespread
internationally among groups protesting against politicians, banks
and financial institutions, such as the Occupy movement.
32. Identify this movie with a
stellar cast about a
group of hackers.
34. • Sneakers (1992)
• Minor plot element:
• "...Martin, now using the alias "Bishop", runs a
tiger team of security specialists who use
unorthodox methods of testing physical and
electronic security for companies in San
Francisco.
• The team includes: Donald Crease, a former CIA
officer and high-strung family man; Darryl
"Mother" Roskow, a conspiracy theorist with
unsurpassed technical skills and dexterity; Carl
Arbogast, a young genius; and Erwin "Whistler"
Emory, a blind phone phreak with perfect pitch
and an acute sense of hearing..."
37. • A first-person account of the hunt for a computer
cracker who broke into a computer at the
Lawrence Berkeley National Laboratory (LBL) at
UC Berkeley.
• In 1986, Clifford Stoll (the author) was trying to
resolve a US$0.75 accounting error in the
computer usage accounts.
• He traced the error to an unauthorized user who
had apparently used up 9 seconds of computer
time and not paid for it, and eventually realized
that the unauthorized user was a cracker who
had acquired root access to the LBL system by
exploiting a vulnerability in the movemail
function of the original GNU Emacs.
38. How are these guys famous in the cyber
security world?
40. • RSA is an algorithm for public-key cryptography that is
based on the presumed difficulty of factoring large
integers, the factoring problem.
• RSA stands for Ron Rivest, Adi Shamir and Leonard
Adleman (pictured), who first publicly described it in
1978.
• A user of RSA creates and then publishes the product of
two large prime numbers, along with an auxiliary value,
as their public key.
• The prime factors must be kept secret. Anyone can use
the public key to encrypt a message, but with currently
published methods, if the public key is large enough,
only someone with knowledge of the prime factors can
feasibly decode the message.
• Whether breaking RSA encryption is as hard as factoring
is an open question known as the RSA problem.
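The slide's description, worked through with toy numbers as an added example (not the slides' own code, and the primes 61 and 53 are far too small for real use): the public key is the product n of two primes plus the auxiliary value e, anyone can encrypt with it, and the decryption exponent d falls out immediately for whoever knows the factors, which is why they must stay secret.

```python
from math import gcd


def keygen(p: int, q: int, e: int):
    """RSA key pair from two primes p, q and public exponent e.
    Public key: (n, e). Private exponent d needs phi(n), hence the factors."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return n, e, d


def encrypt(m: int, n: int, e: int) -> int:
    """Anyone holding the public key (n, e) can do this; m must be < n."""
    return pow(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    """Only the holder of d (derived from the prime factors) can do this."""
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Toy factoring, feasible only because n is tiny. For real key sizes
    this step is the 'factoring problem' the scheme's security rests on."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no non-trivial factors found")


def recover_private_exponent(n: int, e: int) -> int:
    """Shows why the factors must be secret: p and q give phi(n) and thus d."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d = keygen(61, 53, 17)         # n = 3233, d = 2753
    c = encrypt(65, n, e)                # 2790
    print(n, e, d, c, decrypt(c, n, d))  # 3233 17 2753 2790 65
    print(recover_private_exponent(n, e) == d)  # True, because n is tiny
```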
41. • The _____ worm or Internet worm of
November 2, 1988 was one of the first
computer worms distributed via the
Internet.
• It resulted in the first conviction in the
US under the 1986 Computer Fraud and
Abuse Act.
• It was written by a student at Cornell
University and launched on November
2, 1988 from MIT.
43. • Morris worm by Robert Tappan Morris.
• Robert Tappan Morris is an American computer scientist,
best known for creating the Morris Worm in 1988
• He went on to co-found the online store Viaweb, one of
the first web-based applications, and later the funding
firm Y Combinator - both with Paul Graham.
• He is a tenured professor in the department of Electrical
Engineering and Computer Science at MIT.
• His father was the late Robert Morris, a coauthor of
UNIX and the former chief scientist at the National
Computer Security Center, a division of the National
Security Agency (NSA).
44. • X in computing slang refers to an ethical hacker, penetration tester, cracker or
security consolidator.
• X hackers are computer security experts, who specialize in penetration testing, and
other testing methodologies, to ensure that a company's information systems are
secure.
• X hackers are also called "sneakers", red teams, or tiger teams.
• Y is often used figuratively, especially in computing slang, where it refers to a
computer security hacker that breaks into networks or computers, or creates
computer viruses.
• In Western movies, Y is the villain or bad guy, in which such a character would wear
a Y in contrast to the hero's X.
• Z in the hacking community, refers to a skilled hacker whose activities fall somewhere
between X and Y hackers on a variety of spectrums.
• It may relate to whether they sometimes arguably act illegally, though in good will, or
to how they disclose vulnerabilities. They usually do not hack for personal gain or
have malicious intentions, but may be prepared to technically commit crimes during
the course of their technological exploits in order to achieve better security.
• X, Y and Z?