Thursday, January 21, 2010

Monday, January 18, 2010

Google attack in China

This seems to be a very good reading about the story. Some great technical details and background have been compiled by extraexploit.
As it was mentioned by Andrew Jaquith , human remain the weak link, and I guess it will remain...

Wednesday, January 13, 2010

Online Password Crackers

Here is a nice interesting list of online password crackers by Chris Gates, since the same blog is moving to a new host, check the comments on both the old and new host, as readers are posting more interesting links.

And here is a list of password dictionaries.

Monday, January 11, 2010

Trojans and Bots collection

How easy is it to get some good collection of trojans and bots with different versions, types, and plugins??

I wonder how many of them are not backdoored??

Sunday, January 10, 2010

BIND DNS Sinkhole

Guy Bruneau, posted an entry on SANS handler's diary on how to setup DNS sinkhole.

The same technique was previously discussed with different DNS formats by

Tuesday, January 5, 2010

Analysis, Waledac Peer-to-Peer Botnet

Analysis of Waledac botnet propagation technique is available here. Waledac botnet size estimated to be 390,000 infected host.
The researchers produced a cloned version from Waledac called Walowdac to analyze it.

Trendmicro previously produced an analysis of the same botnet.

Monday, January 4, 2010

Credit Card Honeypot, and Some Privacy Issues

Credit Cards companies are using their own honeypot too, here is what a fraud prevention agent recently disclosed:

Credit Card details: 4485 0489 2408 7591, expires 9/2010, CCV 721
Anyone using these numbers anywhere will have his IP tracked and added to a database. This card has a $0.01 limit; any transaction will be denied, except $0.01 orders of course.

Another interesting and scary part in the same thread:

People always say they are afraid of Google and how much information it has on them. The truth is: people shouldn't be afraid of Google. They should be afraid of credit card companies.

I have access to your full order history. I know everything you ever bought with a credit card. And yes, there are a lot of studies done on credit card purchases.

Some years ago, someone wrote a paper claiming he could get the age, gende and race only from the credit card purchase history. It worked very well. Today, with your full purchase information, we can even "guess" your income range, number of dependant and even weigh. We have a statistical profile of every customer. We can even calculate the odds you eat at McDonald's today, considering you ate there once every X day. In 98% of the time, this model is very accurate.

One drawback is that it requires a lot of information. That is why it takes a few years and then, we are fully able to track you. In many cases, we compare the profile calculated from your purchase history to who you really are (and you thought they asked your income for credit validation) to further improve our models, and track fraud, most of all. It's so sophisticated that if you order products a person in your group never ordered, your card will get automatically locked.

Every time you use your credit card, you leave tracks. And none of it is private. Any police officer can get every purchase you ever made - and it can be used against you. There are many, many cases where credit card purchase history were used to prove DUI (you took a large tab at a bar) indirectly.


That being said, I can vouch for the fact Visa and other credit card companies, I suppose, use this data responsibility. It's not like they would use the fact you bought burgers to ruin your life. I do fear, however, history-based advertising, eventually. Once that border is crossed, there won't be any limit to what the credit cards will do to increase profits. Hello client of Visa: we noticed you ordered a lot of items from X. Did you know Y was actually cheaper, of better quality, and more affordable? You should go at Y!