FEMA recently installed a new voicemail system in their Maryland Training Center, which uses the Private Branch Exchange or PBX phone network. This kind of system is used by thousands or maybe even millions of companies throughout the world.

Last weekend though, a hacker broke into the network and made over 400 international calls, totaling up to $12,000. Calls were made to various countries in the Middle East and Asia (ironic, huh) and lasted anywhere from 3 to 10 minutes per call.

When the fraud was discovered, all outgoing long-distance calls from FEMA’s National Emergency Training Center were halted. What’s even more embarrassing is that according to John Jackson, a security consultant, this type of attack is very old-school and used to take place around 15 years ago. Most telecommunications security administrators now know to configure security settings, such as having individual users create unique passwords and not continue to use the initial password assigned to users.

FEMA is busy investigating the situation, trying to determine who made the calls as well as the people who received them. As of now, it looks like a “hole” was left open by the contractor when the voicemail system was being upgraded. The agency refused to specify what the hole was or the name of the contractor believed to be responsible.

For something like this to happen to an organization like FEMA, it’s extremely embarrassing. It also underscores just how vulnerable a phone system is, which is why companies are shifting to Voice Over Internet Telephony services (VOIP).

In all likelihood, this is a practical joke that went a bit too far and the person responsible is just a fresh-faced kid who was fooling around. Then again, maybe not, considering the destinations of the calls. What do you think?

Related posts

• Top 15 Security and Hacking Tools & Utilities (0)
• Yahoo marks dangerous search results (4)
• Wordpress Remote Admin Password Reset Vulnerability (13)
• Wireless Hotspot Hacks (1)
• Windows Worms Door Cleaner (2)

Thankfully though it is fairly easy to authorize additional computers so that the Netflix Watch Now option is also available on them. The check if a computer may use the Watch Now option is done in the Windows Registry. The Tech Recipe website found a simply way to copy the key of an authorized computer and import it to another computer to authorize that computer as well.

A user who wants to do that needs to start the Windows Registry on a computer that has the Watch Now option enabled. This is done by using the Windows R keyboard shortcut, entering regedit and hitting enter. Now navigate to the key HKEY_CURRENT_USER\ Software\ Netflix\ Movie Viewer\ and left-click the Movie Viewer key.

Now access the export option under File > Export and save that key to the computer. Now copy that key to another computer running the same operating system. Open the Registry again and import the key using the File > Import menu. The key is specific to the operating system of the computer which means that you cannot import an XP key into Vista and vice versa.

Related posts

• Weak Passwords (12)
• User Data Stolen from The Pirate Bay (0)
• Use a Magnet to protect your PC (10)
• The Anatomy of a Hack Video (0)
• Texterity Magazines offering free iPhone magazines (2)

Again the User Agent is used as the only mechanism to check if an iPhone connects to the service. If you have already installed the Firefox User Agent switcher add-on and added the iPhone user agent to it you are ready to visit the iPhone start page at Texterity Magazines to read any of the 50 magazines for free in your browser.

If you have not done this visit my first article that explains how you can change the User Agent in Firefox to be identified as an iPhone (Iphone user agent) when browsing the Internet.

Magazines seem to be specialized way more at Texterity. Some titles are The American Lawyer, Electronic Products, Extreme How-To, Greenlight Magazine and Popular Science.

Related posts

• Read 20 Digital Magazines for Free (24)
• Transfer Files between iPhone, iPod and Computer (7)
• Send Free SMS with iPhone and iPod Touch (5)
• Wordpress For iPhone Is Not A Killer App (7)
• Why you should not be an early adopter (23)

Yes, the same insecure User Agent check that did not work on so many occasions before. All that needs to be done is change the User Agent in your browser to the one of the iPhone which will trick the website into thinking that you are accessing it with an iPhone. This in turn will give you access to those magazines, among them PC Magazine, Technology Review, Macworld, Lonely Planet and, um, Playboy and Penthouse.

The content is provided in full screen in your browser and you can flip through the pages with a click. It’s probably not the most comfortable way but it’s free and easy enough. Pages are actually shown as images which means they can be saved to the local hard drive.

Firefox users can install the User Agent Switcher add-on and configure it with the following User Agent:

Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A102 Safari/419 (United States)

just add the line into the User Agent field in the options of the add-on and any name in the description. Then switch to that User Agent and visit the Zinio website that was created for iPhone users. Thanks Scott for the tip.

Related posts

• Texterity Magazines offering free iPhone magazines (2)
• Weak Passwords (12)
• User Data Stolen from The Pirate Bay (0)
• Use Netflix Watch Now on more than 3 PCs (0)
• Use a Magnet to protect your PC (10)

Words are chosen by probability and suggest alternatives which more often than not make more sense than the first word. This introduces a new technique to spy on users without having to actually access the computer at all, all that is needed is a good view of the hands and the measure of the keyboard.

The second spy tech could come right out of the latest James Bond movie. The researchers at Saarland University managed to write a computer algorithm that is capable of interpreting reflections of the computer screen on objects. The quality of the telescope plays an important role, a normal $500 telescope was able to read 12 point fonts of a reflection that was 5 meters away from the computer and 198 point fonts from a distance of ten meters.

A more powerful Dobson telescope for $27500 was able to yield the same results from a maximum distance of 30 meters. Other tests allowed the researchers to view the monitor from a white wall that was 2 meters away from the computer screen.

The best way to defeat the techniques ? Don’t access a computer in public, always close the curtains when working with your computer and make sure no cameras are installed in the room with a computer.

Related posts

• User Data Stolen from The Pirate Bay (0)
• What will our IT and internet future be like? (5)
• Weak Passwords (12)
• Visible Body – Visualise your body (3)
• Virtual Girlfriend Bed (3)

Creating NTFS Alternate Data Streams is not complicated at all. You can use the “type” command to do that. To fork the file virus.exe into calc.exe you would use the command type virus.exe > calc.exe:virus:exe if they are in the same directory. Add the path if they are not. The size of the calculator does not change, the only indicator is that the file changed stamp is altered.

But executing those files must be harder, right ? Wrong again. To execute virus.exe you use the command “start”, in our example it would be start calc.exe:virus:exe.

A software like Stream Explorer can find those NTFS Alternate Data Streams on your hard drive. An alternative is List Alternate Data Streams

Related posts

• Stream Explorer (0)
• Introduction to new phishing techniques (0)
• Hide Information in Files (0)
• Windows XP exFAT File System Driver (21)
• Which Programs Should I Run To Scan A Computer For Malicious Software? (13)

You basically cut the power button cable of the motherboard, install the reed switch (controlled by magnetic fields) in between and tape the reed switch to the front panel. Now, whenever someone presses the power button nothing happens. Only if you press the magnet against the case at the position where you placed the reed switch and the power button the PC will turn on.

This is of course a basic protection and someone who really wanted to access it could simply remove the switch again or replace the power unit in the PC. Take a look at the video below that walks you through the installation of the protection.

Pc Protection With Hidden Switch – A funny movie is a click away

Related posts

• Testing a newly build PC (4)
• Risks of selling your old pc (0)
• PC Building Advice (1)
• I’m on a shopping spree (9)
• Can You Build a PC for Less Than $100? (16)

The changes are only temporary but you could make a screenshot and send them to your friends to have some fun with them. This is also a reminder that everything that is shown on screenshots can be easily faked. This is especially true for website revenue screenshots for instance.

All you need to do is load a website and load the following code in the address bar:

javascript:document.body.contentEditable='true'; document.designMode='on'; void 0

Make sure you paste everything in one line and hit enter afterwards. Once that is done you can easily edit elements on the website. I created a short video that shows how I edited the Microsoft homepage.

Related posts

• Zombie City Tactics (0)
• Yahoo bought a site I never heard about (2)
• Why Stumbleupon is better than Digg for Webmasters (11)
• Which Adsense Ads and Locations work best on my blog ? (6)
• Weekend fun Starshine (2)

Bkp also said that they know who did this but does not say how they know. He could be referring to IP addresses that they found, other traces or confidential information. They ask every user to change the password during their next login which is apparently happening automatically at the very moment. It remains to be seen if the encryption used to encrypt the email addresses is strong enough to withstand decryption.

Related posts

• Spy Tech: I see what you write (6)
• Weak Passwords (12)
• Use Netflix Watch Now on more than 3 PCs (0)
• Use a Magnet to protect your PC (10)
• The Piratebay To Introduce Paid Subscriptions (14)

The common password approach is the one that could give him instant success if the user is really using one of those common passwords for his accounts. His next approach would be to brute force his way in by brute forcing the password on a website that has weak security. Those sites would not react if large amounts of password requests would come in in short time. Most sites however ban IPs at least temporary after several failed attempts, still no problem if you know how to use proxies to attack with different IPs.

But the brute force programs that he suggests are way outdated. Brutus ? wwwHack ? That’s last millennium. Current state of the art bruteforcers for basic authorization and form protected sites are C-Force or Sentry. The brute force approach has one disadvantage. If you do not know the username you have to try username and password combinations and there is no guarantee that you will discover the combination for the user that you want to hack. You could get login details for other users which are absolutely worthless to you. This means, bruteforcing is only an option if you know the username of the user.

There are actually two ways to bruteforce an account. The first would be to use pregenerated lists of usernames and passwords or try combinations to get into an account. The second to try every char combination possible. It should be noted that the second option could very well last several years or even centuries depending on the size of the selected password.

So, bruteforcing is not really an option and he is not explaining how he would get the username of the user in question except mentioning cookies. Cookies are stored on the targets machine which would mean that he needs either access to that machine or an exploit to get them while the user is online. Not very practicable.

So, what can users learn from his analysis ?

• Don’t overuse passwords, it’s more secure to use different passwords. If you only use one password someone who finds this one out gets access to everything else that is protected by that single password
• Don’t use passwords that are easy to guess or common. No names, no sport teams, relatives, pets, work related, hobbies , and so on
• Use numbers and special chars if possible to increase the security of the password. Remember that size matters.
• Write them down locally and put them in a safe or use a software that encrypts them. You could for instance use a True Crypt partition to store a textfile with your passwords in them
• Every password could be important to gain additional information about a user, never choose weak ones

Related posts

• Brute Force Calculator (13)
• User Data Stolen from The Pirate Bay (0)
• Use Netflix Watch Now on more than 3 PCs (0)
• Use a Magnet to protect your PC (10)
• Ultra High Security Password Generator (4)

Anti-Phishing toolbars and implementations in the major browsers are useful but can, as you will see, give the user a false sense of security. This can be attributed to the fact that databases that contain the information are not updated in real time. Someone has to report a phishing website before it will be added to the database, it would be more than difficulty to create a automatic solution for this problem.

A second difficulty are new techniques used by hackers that are not detected by ant-phishing toolbars and implementations.

Flash Phishing

Anti-Phishing toolbars do check the page content for signs of phishing but do not analyze flash objects at all. Hackers know this and tend to use this to their advantage by using flash to emulate the original website. Users tend to believe that the site is “clean” because their anti-phishing toolbar did not react to it.

It is however relatively easy to find out if the current website is fake.

1. You need to take a look at the url in the address bar. If it is not the original address leave it immediately.
2. Check if it is using https instead of http. If it is using http leave the site immediately.
3. If it is using https check the certificate.
4. If the site is only using flash leave it.
5. Never follow links in emails (unless you know the person)
6. Never follow links in chats (unless you know the person)

You should immediately contact the supposed owner of the website and ask for advice.

Social Phishing

Phishers use other means of getting sensitive data from users. We all know that we should contact the company if we have doubts about a website. What if you would receive a mail from your bank asking you to call them back because there was a security breach ? Would you call them back ?

What if the number was redirecting you to someone in China speaking fluent English ? Would you give him the information he would be asking for to verify´that you are the customer ? Sir, we need to make sure that you are indeed our customer. Could you please supply your credit card information so that I can verify your identity ?

This is not a huge market yet but it will grow over time.

Related posts

• NTFS Alternate Data Streams (3)
• Help the fight against phishing with Phishtank (1)
• Web of Trust: collaborative online security (7)
• Weak Passwords (12)
• User Data Stolen from The Pirate Bay (0)

SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

What does it mean in plain english ? You try to utilise instances of a website that submits data to the webserver, this could be for example a login page, a form field or a comments form.

The article “SQL Injection Walkthrough” helps you identify vulnerable scripts and explains the methods to test, verify and exploit that vulnerability. After reading the article you will have a basic understanding of the technique, if you follow the links given at the end you will be able to read advanced topics on the subject.

Related posts

• SQL Injection Attacks by Example (0)
• Weak Passwords (12)
• User Data Stolen from The Pirate Bay (0)
• Use Netflix Watch Now on more than 3 PCs (0)
• Use a Magnet to protect your PC (10)

Here is a short list of all the other tools mentioned: Nmap, Nessus Remote Security Scanner, John the Ripper, Nikto, Superscan, pof, Ethereal, Yersinia, LCP, Cain and Abel, Kismet, Netstumbler and hping. Make sure you check the tools that you do not know about yet, it might be worth it.

Related posts

• Top Xp Freeware that every user needs part 3 (5)
• Astalavista Top 10 Freeware Tools (2)
• Ultra High Security Password Generator (4)
• Security and Privacy Complete (0)
• Remote SSH: Run processes anywhere on different platforms (1)

[tags]hack, hacking, break in, security, exploit[/tags]

Related posts

• Hacking Demos on Film (1)
• Youtube: Enhance Youtube Experience (11)
• Youtube Videos Get Automatic Captions. 1080p Videos Roll-Out (1)
• Youtube To Add 1080p HD Videos (6)
• Youtube removed videos and Turkey lifts ban (4)

But this is no article on how to protect yourself, I probably write one soon. The Ethical Hacker Network published an interesting article by Daniel V. Hoffman about essential wireless hacking tools. The article has four chapters: Finding Wireless Networks, Attaching to the Found Wireless Network, Sniffing Wireless Data and Protecting Against These Tools.

Daniel reviews some tools in each chapter always giving you more than one choice to try out and finally use the tool that suits you best.

[tags]wireless, hacking, wireless hacking, hacking tools, ethereal, sniffing, network[/tags]

Related posts

• Xirrus Wi-Fi Monitor (2)
• Wireless Security: Attacks and Defenses (0)
• Wireless Hotspot Hacks (1)
• WiFi for Symbian S60 Mobile Phones (6)
• Wi-Fi Signal Strength (8)

All movies are about 20 megs in size and can be downloaded from their website. Topics include Penetration Test Reconstruction, Cracking WEP in 10 Minutes and Tunneling Exploits via SSH.

Use the following link to go to their website: hackingdefined.com

Related posts

• The Anatomy of a Hack Video (0)
• Youtube: Enhance Youtube Experience (11)
• Youtube Videos Get Automatic Captions. 1080p Videos Roll-Out (1)
• Youtube To Add 1080p HD Videos (6)
• Youtube removed videos and Turkey lifts ban (4)