Free Hack Tools

October 2008

Free tool hacks banking, webmail, and social networking sessions. A researcher will demonstrate a free, plug-and-play hacking tool this week that automatically generates man-in-the middle attacks on online banking, Gmail, Facebook , LiveJournal, and LinkedIn sessions – even though they secure the login process. The researcher, who recently released the so-called “Middler” open-source tool, will show it off at the SecTor conference in Toronto. Aside from the unnerving capability of hacking into sites that perform secure logins and then use clear-text HTTP, Middler is also designed for use by an attacker with no Web-hacking skills or experience. ”The Middler allows an attacker with no Web application-hacking experience to launch attacks that previously required substantial time and skill,” according to the Middler Web page. The Middler basically clones the victim’s online session by using the same cookies and HTML form parameters as the victim. Then the attacker can inject malicious java_script onto the Web pages, redirect the user to another page, or log the victim’s session.

Smart Card Hack...

October 2008

Boffins (finally) publish hack for world’s most popular smartcard. Two research papers published Monday have finally made it official: the world’s most widely deployed radio frequency identification (RFID) smartcard - used to control access to transportation systems, military installations, and other restricted areas - can be cracked in a matter of minutes using inexpensive tools. One paper - published by researchers from Radboud University in Nijmegen, The Netherlands - describes in detail how to clone cards that use the Mifare Classic. The chip is used widely throughout the world, including in London’s Oyster Card, Boston’s Charlie Card, and briefly by a new Dutch transit card. Manufacturer NXP and the Dutch government had tried in vain to prevent the researchers from disclosing their findings, arguing that the findings would enable abuse of security systems that rely on the card.

Clickjackers...

October 2008

‘Clickjackers’ could hijack webcams, microphones, Adobe warns. Adobe Systems Inc. warned users Tuesday that hackers could use recently reported “clickjacking” attack tactics to secretly turn on a computer’s microphone and Web camera. Flash on all platforms is susceptible to clickjacking attacks, Adobe said in an advisory posted Tuesday. By duping users into visiting a malicious Web site, hackers could hijack seemingly innocent clicks that, in reality, would be used to grant the site access to the computer’s webcam and microphone without the user’s knowledge. ”This potential ‘clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog,” acknowledged the company’s security program manager, in a post to Adobe’s security blog. Although a patch is not ready, Adobe’s advisory listed steps users can take immediately to block webcam and microphone hijacking. Adobe recommended that users access Flash’s Settings Manager using a browser to select the “Always deny” option. Adobe rated the vulnerability as “critical,” its highest threat ranking.

Neosploit is back!!!

October 2008

Hackers resurrect notorious attack tool kit. Neosploit, the notorious hacker exploit kit that some thought had been retired months ago, has not only returned from the dead, but is responsible for a dramatic increase in attacks, a security researcher claimed today. “Neosploit’s back,” said the director of security research at Aladdin Knowledge Systems Inc. In July, researchers at RSA’s FraudAction Research Lab said that they had evidence that the creators of Neosploit were abandoning the business. For proof, RSA quoted a going-out-of-business message said to have originated with Neosploit’s authors. Neosploit, which first appeared in 2007, was a follow-on to the earlier MPack and a contemporary to another infamous exploit kit, WebAttacker. Those kits, including Neosploit, were used by cybercriminals to launch attack codes aimed at new vulnerabilities in Windows, Internet Explorer or third-party software such as Apple Inc.’s QuickTime. But Neosploit also boasted features new to the click-to-attack business, including sophisticated statistical analysis and management tools.

The Sky is Falling, The Sky is Falling!!!

October 2008

Father of the internet: ‘web is running out of addresses’. The world is about to run out of the internet addresses that allow computers to identify each other and communicate, the man who invented the system has told The Times. The “father of the internet” and one of the world’s leading computer scientists, said that businesses and consumers needed to act now to switch to the next generation of net addresses. Unless preparations were made now, he said, some computers might not be able to go online and the connectivity of the internet might be damaged. IP addresses are as crucial to websites as street addresses are for businesses but some network engineers predict that we will run out of them in two years. What is the solution? Every computer and online device is assigned a unique IP address, but the pool of unallocated numbers is about to dry up. When the internet system was founded in 1977, he set in place “internet protocol version four” (IPv4) which provided 4.2 billion addresses. With the number of internet-enabled devices, particularly mobile phones, soaring, less than 14 per cent of those addresses remain vacant. It is estimated that IPv4 addresses, each of which is a series of 32 binary digits, will run out in 2010 and possibly as early as next year. A new system, called IPv6, has been ready for implementation for more than a decade. Under IPv6, each address has 128 bits and so provides 340 trillion, trillion, trillion different addresses - that is 340,000,000,000,000,000,000,000,000,000,000,000,000. It is assumed that this will meet humanity’s needs for decades to come. The two protocol systems will run in tandem and IPv4 addresses will still work as normal. But if the IPv6 is not widely adopted, then those using it may find themselves unable to connect across the whole internet.