What’s phising? Wikipedia has a really detailed explanation on this very word, and so I save myself from explaining it too much. To me, phising is a method that hackers use to trick people into entering their sensitive credentials onto a fake website that made to look like a real one, and after the victims being tricked, usually the hackers got what they were after such as a bank password.
Why am I talking about phising? Well, on this post, I’m not trying to talk about phising in general, because there are countless of phising attacks that hackers know and use them. Nonetheless, most phising attacks usually depend on a user’s carelessness from the start, and one example would be an email claimed to be a bank email with a malicious link which led to a fake website made to look like a real bank website.
Even worse, there is a new phising attack that uses Javascript to infect your browser somehow, and then it changes a legit website into a fake website when you’re not looking. As a user opens more than one browser tab, an malicious Javascript automatically changes one of the browser tabs into a malicious website made to look like a real website such as Gmail, and in combination of attacks add on top of this very dirty phising attack, a user can be tricked into giving out his or her sensitive credential.
All phising attacks that hackers use are stuffs of nightmare, and this one is no different. This is why I love to use Firefox with Noscript plugin. This plugin has worked wonder for me as it stops all Javascript from working unless you allow certain portion of website to do so. To end this post with a doubt, I could be very wrong of how this phising attack works its dirty magic, because I’ve got to know this scary phising attack from reading it here. Feel free to correct me on my lack of understanding about this phising attack, and don’t go try this, or else you’ll be in a world of hurt as in being locked up by the FBI or whatever enforcers that would go after hackers.
A New Type of Phishing Attack from Aza Raskin on Vimeo.
Microsoft Windows 7 provides two major protections against hackers, and those are DEP (data execution prevention) and ASLR (address space layout randomization). Unfortunately, at a hacking contest known as Pwn2Own, two researchers were successfully bypassed those protections that Windows 7 has been so proud of. Thanks to IE8, the hack was able to allow one of the researchers took control of the Windows 7 machine. Another researcher was able to use another type of exploit to hack Mozilla’s Firefox 3.6 to bypass the same protections that Windows 7 has provided, and the result was clear that a Windows 7 machine was compromised.
No worry though, the peoples from Microsoft and Mozilla were there and witnessed the contest, and these peoples were definitely brought back of what they knew about the exploitations so theirs experts could work on to patch up the exploits. The contest wasn’t released any critical information of which to allow other hackers to simulate or carry out the same attacks. Still, the genie is already out of the bottle! Hackers who have thought about bypassing the DEP and ASLR were tough and a waste of time would have to rethink as the researchers at the contest were able to bypass the protections with little less or more than 2 minutes. This is bad news for the rest of us who are using Windows 7 and IE8 and Mozilla’s Firefox 3.6, because the known exploits although not yet made known to the hackers aren’t yet patched. Hackers are bunch of smart and persistent humans, and so they probably are going to challenge themselves to see if they can replicate what the researchers had done at the Pwn2Own contest. Let hope only the good hackers get some success and the bad won’t have a clue of how to bypass the Windows 7′s protections just yet. (Good hackers are the white hackers who are working for security companies, and the bad hackers are the black hackers who also known as crackers since they’re cracking other people’s machines and software for profit and evil intentions.)
Folks who are now think that other browsers other than IE8 and Firefox 3.6 are safer to use may be right and may also be wrong! Why? Thanks to the elite contest such as Pwn2Own, Microsoft and Mozilla are now knowing about the exploits and have proceeded to patch up the exploits, and for this reason the two browsers are somewhat relatively safer than before. Other browsers are safe because those weren’t the tested pigs that the researchers had dealt with. Safety through obscurity is weak in my opinion. Still, it’s a quick and a dirty patch for the paranoid computer users who want to stay relatively safe on the web by switching to other browsers until IE8 and Firefox 3.6 update with new patches. In my opinion, IE8 and Firefox 3.6 are somewhat safer in the long run, because these two browsers are more targeted since these browsers have the largest browser’s user share. If you’re still not clear in what I mean, here is another way to skin a cat. Browsers that are more targeted have been patching up more; browsers that are less targeted have not yet been exploited as much therefore less safer since more unknown exploits are still lurking around and needing to be patch up. Source.
Security reports are rarely made headlines since people do not care unless they themselves are having the problems. In a way, it’s doesn’t matter if you and I care about security or not, since our current premium security software from well known security vendors aren’t equipped to deal with the real sophisticated threats. Not to undermine the threats of viruses and worms and malware, but the available security software in the market are only capable of weeding out the common security threats; it’s still so important to arm yourself with a well known security software to fight the common security threats since these are everywhere.
Highly sophisticated attacks that target specific organizations and groups of people are many steps ahead where normal security software from well known security vendors render somewhat useless. Just recently, a report from a security firm NetWitness suggests that a new type of bot known as Kneber botnet has been successfully gathering amazing amount of information from various accounts of well known organizations and social network websites and government agencies around the globe. It’s most likely that these big organizations and government agencies are using highly sophisticated and expensive security software, but it seems when come to security, it’s never enough to arm a network with even more security solutions.
For average people like all of us, what could we arm ourselves with to safeguard against major security threats? Probably the best thing we could arm ourselves with is knowledge. The knowledge of how to spot a security hole and how to be paranoid about network security. Without such knowledge, one could be carefree until the compromises made known. The best practices that everyone of us could put into use to guard ourselves against major security threats are not to surf the web carelessly, use good security software, be mindful about downloads, avoid strange emails, learn more about the security from respected security websites, and warn other people about known security threats.
Bruce Schneier from CNN wrote an article on how Google was compromised by Chinese hackers, and he mentioned that for being complying to the law Google had built a backdoor to aid the US government in gaining access to users’ accounts easier — the Chinese hackers used this backdoor to hack Google’s users accounts. In a sense, Google’s system is very similar to Windows, because it emphasizes on convenience over security. So to speak, in a way Google needs to apply Linux’s vision as to create a system with security at heart which means closing down all backdoors in Google’s system. More.
Another bad day for Twitter? News spread across the Internet that earlier people woke up to Twitter and couldn’t use the website. Instead of anything, people saw Twitter website got defaced by hackers who called themselves “Iranian Cyber Army.” Here is a screenshot that can be found on BusinessInsider as proof. We all know how hard Twitter works in fighting against this type of attacks, but it’s so unfortunate that Twitter is still helpless against hackers. More.
As for not being open source like Linux, Windows 7 is having a hard time in explaining why it has NSA’s adepts tuning its security mechanism. NSA is National Security Agency and is a part of United States Department of Defense. NSA is responsible for securities of involvements in various fields included technology. A better explanation of NSA can be found on Wikipedia. The question is, why on earth Microsoft which is a commercial corporation is joining hand with NSA? People are fearing that NSA and Microsoft are crafting a backdoor into Windows 7 to allow future tracking and interception capabilities. Microsoft is denying this and so the NSA. Let hope the spying part is just a rumor, and the cooperation of both parties is true, then Windows 7 is going to be a much tougher operating system for hackers to hack into. What do you think? Source.
Within 12 hours, 8 men were able to rob about $9 million from ATMs. Men were caught for their carelessness of not covering up their tracks on card-processing network. Nonetheless, these men were able to bypass the encryption that the ATMs used, and so they were able to cash out millions of dollars. 8 men could face heavy fine and a heck a lot of time in prison. Source.
Recent Comments