Clickjacking Webcast Tomorrow

November 19, 2008 by Eliot 2 Comments

[Jeremiah Grossman] and [Eric Lawrence] will be presenting on clickjacking and browser security in an online seminar tomorrow. Clickjacking allows an attacker to transparently place links exactly where a user would be clicking, essentially forcing the user to perform actions without their knowledge. This method of attack has been known for a few years, but researchers have focused their attention on it lately because they feel the threat has been underestimated. Recently, Adobe patched a vulnerability specifically because of this issue. Tune in tomorrow for more info on the attack.

Hacking At Random 2009 Dates Announced

November 18, 2008 by Eliot 3 Comments

Hacking at Random, an international technology and security conference, has just announced the dates for their 2009 event. The four day outdoor technology camp will be held August 13-16 near Vierhouten, Netherlands. HAR2009 is brought to you by the same people who held What the Hack, which we covered in 2005. They’ve done this every four years for the last 20. We’ll be sure to attend. We loved CCCamp in Germany last year and plan on attending ToorCamp in Seattle this year too.

[photo: mark]

Google Explains Android Patches

November 13, 2008 by Eliot 6 Comments

g11

Google has been trickling out info about what they’re actually fixing in the G1 firmware updates. Before RC29, users were able to bypass the phone lock using safe mode. RC29 also brought WebKit up to date, presumably patching the bug [Charlie Miller] found. RC30 takes care of root console problem. Unfortunately there are very few details as to what or how particular items were broken. This release method leaves much to be desired; having the official Android Security Announcements group be the absolute last place to get security news is asinine.

[photo: tnkgrl]

Recovering Photos With PhotoRec

November 12, 2008 by Eliot 17 Comments

photorec

A coworker approached us today with a corrupted SD card. It was out of her digital camera, and when plugged in, it wasn’t recognized. This looked like the perfect opportunity to try out [Christophe Grenier]’s PhotoRec. PhotoRec is designed to recover lost files from many different types of storage media. We used it from the command line on OSX, but it works on many different platforms.

It’s a fairly simple program to use. We plugged in the card and launched PhotoRec. We were prompted to select which volume we wanted to recover. We selected “Intel” as the partition table. PhotoRec didn’t find any partitions, so we opted to search the “Whole disk”. We kept the default filetypes. It then asked for filesystem type where we chose “Other” because flash is formatted FAT by default. We then chose a directory for the recovered files and started the process. PhotoRec scans the entire disk looking for known file headers. It uses these to find the lost image data. The 1GB card took approximately 15 minutes to scan and recovered all photos. This is really a great piece of free software, but hopefully you’ll never have to use it.

Company Shutdown Causes 2/3rds Drop In All Spam

November 12, 2008 by Eliot 26 Comments

The Washington Post is reporting that the shutdown of one hosting company has caused the total volume of spam to drop by 2/3rds. The company in question is McColo Corp. Both Hurricane Electric and Global Crossing pulled the plug today after a damning report revealed a number of illegal activities happening on McColo’s servers. McColo already had a reputation with the security community. When contacted about abuse, the company would often shift servers to new IP ranges instead of shutting them down. Although not the main source of spam, the company was host to many botnet control servers and phishing sites.

[photo: mattdork]

[via Waxy]

Running Debian And Android On The G1

November 11, 2008 by Eliot 6 Comments

tmobileg1

[Jay Freeman] has a rather exhaustive tutorial on how to set up a Debian environment on your T-Mobile G1. The first major issue with this is that getting root level access through telnetd is being patched. It certainly is a security issue that needs to be fixed, but a user shouldn’t have to root their own phone to begin with. While the G1 comes with some Linux tools, they’re limited. [Jay]’s goal was to create a familiar Debian environment on the phone. It takes a few tricks, but if you’re familiar with the command line, you shouldn’t have any problems. Debian already has ARM EABI support, so creating a working image isn’t a problem. The image file is stored on the SD card and mounted using the loopback device. The G1’s kernel has module support turned on, so [Jay] created an ext2 and unionfs kernel modules. [Benno Leslie]’s Android version of busybox is used to perform the actual mounting. Once mounted, you just need to chroot into the environment to start playing with native Linux apps. [Jay] takes this a step further by using unionfs to make the Android and Debian environments share the same root. This is really a great how-to and it’s nice to know that modules can be added to the kernel.

[photo: tnkgrl]

[via Hackszine]

Messing With Barcodes

November 10, 2008 by Eliot 13 Comments

[nico] just received his credentials for an upcoming conference. On each badge, there’s a 2D barcode with the participant’s bio and contact info. These are meant to be scanned by vendors for future contact. [nico] isn’t so interested in that and plans on updating his personal info by generating a new barcode. To this end, he’s collected a number of links to help out barcode hackers. He used the SWIPE toolkit to identify the format and decode (it has an online component too). There are also several online encoders you can use, like this one from [Terry Burton]. If you’re wondering what sort of shenanigans you can get into faking barcodes, check out [fx]’s presentation from 24C3.

[photo: seanbonner]