Monday, April 28, 2008

MAC Utilities.

Hi folks, today some little but useful applications to improve your network control on your own MAC.

The first one is a Proxy TCP connection: iBouncelT
is a tool for proxying tcp connections through open socks servers. You can start as many bouncers as you need, each one listening on a different local port. Supported clients include ssh, telnet, rsh, rlogin, rcp, irssi. iBounceIT is distributed as Universal Binary so you can run it on both PowerPC and Intel platforms. iBounceIT is freeware and opensource. iBounceIT is a frontend for the unix tool sbouncer

RouteSplit:
is a AppleScript Studio application for Mac OS X 10.4 (PowerPC and Intel). Older versions of Mac OS X have not been tested. With RouteSplit you can add a static route, test it and optionally install a launchd startup script in your system in order to preserve the route settings after reboots.


WaterRoof:
is an IPFW firewall frontend for Mac OS X with a easy interface and many options. Features include dynamic rules, bandwidth management, NAT configuration and port redirection, pre-defined rule sets and a wizard for easy configuration. You can also watch logs and graphic statistics. Rules configurations and network options can be saved and optionally activated at boot time.
With WaterRoof setting up a dual-homed firewall with Mac OS X has never been so easy...

iSteg:
iSteg is an encryption tool that allows the user to hide a file inside a jpeg picture. This encryption technology is called steganography. iSteg is a frontend for the opensource tool outguess 2.0.
iSteg can be used to both encode and decode a hidden file.
iSteg is a Universal binary application, so it can be used natively on both PowerPC and Intel based Macs.

DummyMac :
is a bandwidth manager. You can limit inbound/outbound bandwidth choosing a port range. Very useful for dialup connections. You can download with BitTorrent, surf the web and iChat without getting mad with lag and timeouts. DummyMac is a frontend for the traffic shaping module "Dummynet", included in ipfw 2, the built-in Mac OS X firewall software.

Thursday, April 24, 2008

Mass SQL Injection

Yes, it's true. Another Massive SQL injection on the network, performing a Google search results in over 510,000 modified pages.
From F-Secure WeBlog:
Check it out directly on Google page

Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):



Which decoded became:



What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

That's another big security issue present inside ASP pages, really dangerous:

For more details check out here.

Tuesday, April 22, 2008

iBUILDER, Only For Windows So Far.

Here we go, another cool Application for iPhone, unfortunately only for Windows, so far.



iBuilder, a nifty new project by rotem25, allows you to select from a large list of items for your iPhone, and create a package which can then be added to your internalPackages in iPwnage and used to create a custom firmware for your iPhone.

Obama Site Hacked !

Yesterday I found this incredible article on zdnet.

According to Netcraft, a hacker exploited security flaws in Obama’s site to redirect traffic to Hillary Clinton’s site. Anyone that visited Obama’s community blogs section of the site was sent to Clinton.

The most amazing thing is that some ( called Mox ) confessed the fact in his own blog .


First, let me explain why I put hacked in quotation marks. It is because e what I did was not hacking in the sense that I burrowed into some dusty served and changed the Obama site and stole all your credit card numbers. All I did was exploit some poorly written HTML code.

So, you may be wondering, I never saw this hacking! Well, apparently someone videotaped it. http://youtube.com/watch?v=NKjomr1Afq0. You may also be wondering, how did you get Hillary’s site to appear where Obama’s should be. The answer to that is, through the magical world of Cross Site Scripting. http://en.wikipedia.org/wiki/Cross-site_scripting.

You might be wondering, how did you get xss to work here? First, go to your manage blog tab. Then go to Edit Settings. You see how you can put anything you want as a blog URL? Well, its fixed now, but before you could put in any characters you wanted. Including >, “, and


Here the YouTube Demonstration.

Monday, April 21, 2008

Nice Spam Report by Commtouch

Hi Folks, today I wanna point out a nice report on new eMail Frauds.
The report has been signed Commtouch Cafe, a company founded in 1991 dedicated to protecting the integrity of the world's most widespread form of communication, e-mail. The most interesting section is the second one called "Spammers, Fraudsters and Malware Writers Hide within Third-Party Sites and Senders", I suggest a fast reading about that, in such way you can see and test some real example of:

1) Hotmail Welcome Letters Camouflage Pharma Spam
2) Spammers Cloak Site-links in Search Result URLs
3) Google Redirects to Porn Malware Site
4) Spammer Uses Flickr to Host Spam Images
5) 419 Scams & Spearphishing Use Google & Yahoo! Calendar Standards
6) Blogspot Redirects to Malware Sites

The report is pretty short and very easy to read, it's not extremely complete but it provides a wide range of reflection .

Tuesday, April 15, 2008

Fring, IM on Your iPhone !!!

That's very cool folks,
finally a full IM has came out for iPhone. You need to install Fring on your iPhone by adding a new source (http://fring.com/iphone.xml), make a simple free registration and here we go, that's all.



After that you may configure your own IM like for example Skype, MSN, SIP, Google Talk, Twitter, Yahoo and AIM. The software rests on background mode also when you put on sleep the display and when you push on Home button, in that way you don't need to let fired on your iPhone .



Of course it sucks a lot of battery power because it lets the wireless communication switched on and the process alive but to me, it's a great software; I definitely suggest it !
Actually I've just some doubts about the security of the system, I had no chances yet to verify the communication, the encryption level (if there is) and the application accuracy, please if someone of you, is going to test these stuff let me know as soon as possible, we might do that together, I am really scared to see IM passwords moving arount the word without any kind of encryption.

BBC offers job to iPlayer hacker

Directly from BBC News:


The BBC has jokingly offered a job to the hacker who managed to convert its iPlayer software for the PlayStation 3.


This one could be a very interesting work !!

Monday, April 14, 2008

Saving Papers

Hi Folks, How many pice of papers we waste during the day ? I know... a lot, but fortunately there are plenty non-waste people !
Look at that !



Did you change mind ? :)
BTW, I think this is a great idea to spread around public places and study rooms, maybe with more strips, using a horizontal piece of paper and longer then this ones.

Friday, April 11, 2008

MacBook Air: reset the PMU

This is a great tips for every MacBook Air users, directly from MacTips (my favorite mac tips website) .






So you just bought the wonderfully tiny MacBook Air and now it won't turn on, or maybe it doesn't want to charge the non-replaceable battery. Either way, you probably need to reset the PMU. How do you reset the PMU on your MacBook Air?
In order to reset the PMU of your MacBook Air follow these steps.
1. Turn off MacBook Air.
2. Connect the power adapter and plug it in.
3. On the LEFT side of the keyboard (Yes, the left side only), hold down Shift, Option and Control.
4. Press the power button.
5. Wait 5 seconds, then release all keys.
6. Push power button to turn your MacBook Air back on.
Caution, make sure the MacBook Air is completely shut down before reseting the PMU to avoid damage to your file system.


You can also find another good paragraph on that directly on Apple site, here, and here something more about MAC batteries.

Monday, April 7, 2008

Physical Security

On Server Room entrance. They know how much security is  important in server environment so they decided to put this code-lock in the door. 



What do you think about that ? :) Of course it's a rhetoric question ! It's very easy to guess the 4 digit unlock pin. Moreover you might think that the # is used as "Enter Key" and that there are not one digit passwords, like for example 8888 or 9999 because both buttons are spoiled. So, you need 16 - 2 = 14 attempts in order to guess the right pin, that means in average it takes only 7 attempts to guess the correct sequence and enter into server room ! Cool, isn't it ?

Sunday, April 6, 2008

The Password Meter

Hi folks, this is a really interesting online service !
Thanks to The Password Meter you can test your own passwords understanding how much safe they are.



As you may see from the previous picture, this smart tool uses a deduction process to evaluate your password strength, for instance if you put only letters on your password, it will reach a very weak score due to the -n rule. The deduction process is useful to subtract points to the total score while the additions process adds score to it. Both follow a well known rate putted into Rate column. Moreover if you scroll down you can download the entire package, All that is still free !

Yahsnarf.

Today I wanna show a little script which filtering the communication is able to extract Yahoo messages.Yahsnarf is a Yahoo messanger sniffing script written in Ruby very light and intuitive, you can use it through pcap file typing ./yahsnarf.rb -r or on fly typing sudo ./yahsnarf.rb -i en1.

Here a little example:



Pretty Nice !

Saturday, April 5, 2008

Through The Next Step.

Today I found another incredible forward step branded iPhone: IPSWTool. Thanks to this amazing tool you can build your own Firmware; pre-installing software, making different partitions and so forth. Let's look it !



Applications:
1) Installer
2) BigBoss
3) CrashX

Utilities:
1) OpenSSH
2) InternationalFix
3) BBInfo

Subsystems:
1) Cydia
2) BSD SubSystem

And at least but not last the Scheme Partitions where you can decide your own partition's table in easy and graphical way. After the previous iPhone PWNAGE phase you might be able to upload your just-built-in firmware on it. I know, here you can find some "hand steps" in order to build your own firmware too, but I haven't tried it yet because I really want to wait for this smart tool which will help you in these "dirty steps" . So, I'm looking forward to download it !

Friday, April 4, 2008

Memories

From my head.



Remembering San Francisco and My Wood House.

Wednesday, April 2, 2008

How To Find The Right Source ?

Yes, sometime you need the right application for your iPhone. Installer is an amazing utility but how can you find the right repository ? Actually there are plenty repository available online, and there are no unique URL's collector. Thanks to iAppCat which is a META-repository you can find and build your own repository collecting all the applications you interested on.



That's another great idea by KM.

OmniWeb: A Nice Way To Surf Web

Today I discovered, for the first time, OmniWeb 5. It's a commercial web browser but also available for free, with some limitations. It's one of the coolest web browser that I've ever seen so far,I really have no idea about security, I didn't find time to test it, but it gotta a new concept of  tabs and lots of graphic innovations. Just for example, I was impressed about new tab's concept. They're not horizontal like all the normal web browsers they're vertical with a little preview in real time.
Here, only one of the amazing features that I found.






At last, here all the innovative features that it sells for $15.