Wednesday, 21 December 2011

Sophospuzzle answers

Yesterday Sophos introduced a small Christmas challenge, and I took part in it; it was definitely a fun learning experience.

The first step is deciphering this: =ImYndmbn1ieiBnLmJWdjJmZ

As soon as I saw it I knew it looked familiar, but it doesn't decode straight away because it's in the wrong order. The = sign at the front is the giveaway: in Base64 it is padding and belongs at the end. Reverse the whole string, including the = sign, so it now reads ZmJjdWJmLnBiei1nbmdnYmI=

You'll need this to decode it.

Input the fixed lettering into the calculator and decode it safely as text and you'll get this: fbcubf.pbz-gnggbb

Still doesn't make a lot of sense, does it? Ah well, let's decode it again. It's encoded using rot13 (rot is short for rotate), which rotates each letter 13 places forwards or backwards in the alphabet. When it's decoded, you'll get, remove the - and replace it with /.

* Note, remember "rot13", you'll need it later.

That was rather easy. Now use that URL and get to the second stage.


Second stage:

This is a much harder stage and you'll want either Python or C programming language experience. I went with C and wrote a short little program for this step.

Anyway, download the text file and read the instructions. Now you'll need to decode the block of text.

Ignore the ASCII art in there; it has no bearing on the puzzle, it just looks nice. Start at the top and analyze the data: we can see 504b, the hex for the characters "PK" that mark a zip file, so we can safely assume this is a zip file.

Now this is where you'll want either Python or C to help out. As I said, I used C, so here is a pastebin of my code for my program.

It's also worth mentioning a little extra thing about that block of text. It's hex, so you can run it through a hex-to-ASCII translator and you'll be able to decipher some of the real text; you'll also get a hint of what is inside that zip file.

Use my program to strip out any characters that shouldn't be there and put the zip file back together. Once you have the zip file, you'll need to extract it and get the image from inside it, but first you'll need the password. Remember I said you'll need rot13? That's the zip password, so now you can extract the image.
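The strip-and-rebuild step, as an added Python example (this is not the author's C program, which is not reproduced on this page). It assumes the decoration contains no hex digits of its own; the sample text, the member name constructed.gif and the helper names are constructed here, and the sample zip is unencrypted because Python's zipfile cannot write password-protected archives.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # hex 50 4b 03 04: the "504b" visible at the top of the dump


def carve_hex(text: str) -> bytes:
    """Keep only hex digits, then turn each pair of digits into one byte.

    Assumption: the decoration never uses 0-9 or a-f itself. If it does, those
    characters have to be removed by position before calling this function.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: noise was kept or data was lost")
    return bytes.fromhex(digits)


def inspect_zip(blob: bytes):
    """Return (name, size, encrypted?) for each member without extracting anything."""
    if not blob.startswith(ZIP_MAGIC):
        raise ValueError("carved data does not start with the zip signature 50 4b 03 04")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        # Bit 0 of the general-purpose flags marks a password-protected member.
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def build_constructed_sample():
    """Constructed stand-in for the puzzle text: a tiny zip, hex-encoded, with art mixed in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("constructed.gif", date_time=(2011, 12, 21, 0, 0, 0))
        zf.writestr(info, b"GIF89a" + bytes(10))
    raw = buf.getvalue()
    hexed = raw.hex()
    art = ["  /\\_", "*|", " ~ ", "\n", "_/ \\_*", " | "]  # none of these contain hex digits
    pieces = []
    for n, start in enumerate(range(0, len(hexed), 7)):  # odd stride splits byte pairs on purpose
        pieces.append(hexed[start:start + 7])
        pieces.append(art[n % len(art)])
    return raw, "".join(pieces)


if __name__ == "__main__":
    original, puzzle_text = build_constructed_sample()
    blob = carve_hex(puzzle_text)
    print("round trip ok:", blob == original)
    for name, size, encrypted in inspect_zip(blob):
        print(name, size, "password protected" if encrypted else "not encrypted")
```

Checking the signature and the encryption flag before extracting confirms the carve worked and tells you a password will be asked for.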

Now once it's extracted, have a peek at it and play around with it. It's just a pink block; that's all you'll see till you open it up. The block actually has some hidden text in it, but you're not supposed to know that till later on.

What I mean by that is, open the gif file in Notepad (or whatever word editing program you prefer, Notepad++ personally), now remember these 2 things: Since when was pink a shade of gray? & GIF89a

You'll need those 2 hints later.

Now we can open up the image file and reverse engineer it. Not everyone will be able to do this, but I can because I'm on Windows XP. I used the debugging program through the command line.

cd C:\
cd gif
debug theimage.gif

You'll get just a dash when you open the debugging program, so now you'll want to dump the memory, press d & enter.

Next, you'll notice that GIF89a has reappeared; I said you'd want to remember that, along with the next bit I'll talk you through. Once you've dumped the memory, you'll be back at the - mark, so press d and do another dump of the memory to get the important part. (-d)

This second block of code has the important bit, you'll see some more bytes of data. F1 BB ED

That's where the hidden text is, there's more than 1 pink in the paint palette and that's why you can't see it normally, no matter what you do. Okay so we now have the bytes where that hidden text is, so we need to change the colour to be able to see it. Back at the - mark, this time type "e 34d", and press enter to edit the data.

You'll see F1 come up, and I changed it to 80 (gray) so I could see it, and I did this for all 3 bytes of text. Type 80 next to the F1, press space, Do the same for BB & ED.

Now you've changed the colour of all 3, press enter to get back to the - mark, type w and press enter to write the new data. 429 bytes of data should be written now, and you can now close the command prompt by typing q at the - mark.
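The same palette edit done programmatically, as an added Python example that is not part of the original post. It reads a GIF's global colour table, flags pairs of near-identical colours (how text can sit unseen on a "plain" block), and recolours one entry. The sample is a constructed header and palette only, the background pink F0 BA EC and the function names are constructed, and placing the post's F1 BB ED at index 192 is an assumption derived from the address 34d, given that debug loads the file at offset 100h and the table starts right after the 13-byte header.

```python
import struct

HEADER_LEN = 13          # 6-byte signature + 7-byte logical screen descriptor
DEBUG_LOAD_BASE = 0x100  # DOS debug loads a non-EXE file at offset 100h


def read_global_palette(gif: bytes):
    """Return the global colour table as a list of (r, g, b) tuples."""
    if len(gif) < HEADER_LEN or gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", gif[6:HEADER_LEN])
    if not packed & 0x80:
        raise ValueError("no global colour table present")
    count = 2 << (packed & 0x07)  # 2^(N+1) entries
    table = gif[HEADER_LEN:HEADER_LEN + 3 * count]
    if len(table) != 3 * count:
        raise ValueError("file ends inside the colour table")
    return [tuple(table[i:i + 3]) for i in range(0, len(table), 3)]


def near_duplicates(palette, max_delta=2):
    """Index pairs whose colours differ by at most max_delta in every channel."""
    pairs = []
    for i, a in enumerate(palette):
        for j in range(i + 1, len(palette)):
            if max(abs(x - y) for x, y in zip(a, palette[j])) <= max_delta:
                pairs.append((i, j))
    return pairs


def entry_offset(index: int) -> int:
    """File offset of the first byte (red) of a palette entry."""
    return HEADER_LEN + 3 * index


def debug_address(index: int) -> int:
    """Address to give debug's 'e' command for that palette entry."""
    return DEBUG_LOAD_BASE + entry_offset(index)


def recolour(gif: bytes, index: int, rgb) -> bytes:
    """Return a copy of the file with one palette entry replaced."""
    palette = read_global_palette(gif)  # also validates the header
    if not 0 <= index < len(palette):
        raise IndexError("palette index out of range")
    off = entry_offset(index)
    return gif[:off] + bytes(rgb) + gif[off + 3:]


def build_constructed_sample() -> bytes:
    """Constructed header + 256-colour palette + trailer; no image data."""
    palette = [(i, 255 - i, (5 * i) % 256) for i in range(256)]  # well-separated filler
    palette[0] = (0xF0, 0xBA, 0xEC)    # constructed background pink
    palette[192] = (0xF1, 0xBB, 0xED)  # text colour bytes quoted in the post
    header = b"GIF89a" + struct.pack("<HHBBB", 64, 16, 0xF7, 0, 0)
    return header + bytes(c for rgb in palette for c in rgb) + b";"


if __name__ == "__main__":
    sample = build_constructed_sample()
    for i, j in near_duplicates(read_global_palette(sample)):
        print(f"entries {i} and {j} look alike; edit entry {j} at debug address {debug_address(j):x}")
    patched = recolour(sample, 192, (0x80, 0x80, 0x80))  # 80 80 80 = the gray used above
    print("entry 192 is now", read_global_palette(patched)[192])
```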

Now open the gif file again and you can see the hidden text. Spy Bounty Recurs? What does that mean?

It's an anagram, and this step is somewhat easier. Run it through an online anagram solver; the last word won't come out right, but from the letters that are left you can work it out. You could also do this manually and go look at the NakedSecurity site; the hint is to do with travel and USBs.


Is the answer. Hope you all had fun. :)

Wednesday, 23 November 2011

HTC Mistreating Customers

This is a somewhat controversial topic, don't like it then don't read it but if you care about internet freedom, please help spread this.

HTC/Samsung and possibly other companies are installing rootkits in Android phones, coded into the kernel and it hides in the memory. No this rootkit isn't "malicious", but it's installed without your consent or knowledge and collects data on you.

One developer who goes by the name of TrevE over at XDA-Developers has blogged about this rootkit, and within the first 24hrs of his information being released, lawsuits are being filed on him by HTC that all his info and research has to be pulled down and must issue a public apology to HTC and has 24hrs to do it. HTC do this so he didn't have time to seek legal advice. Guess what? he got legal advice from EFF (Electronic Frontier Foundation), who came to his aid.

Congratulations HTC, you pissed off the Android community and now you will pay for it. Any dev is advised to dev the hell out of any HTC phone and find out what else HTC is up to.

Also, am I the only one wondering what will happen if this mistreatment continues? I'm sure we all remember what happened to Sony when our brothers from Anonymous stepped in? we wouldn't want the same to happen to HTC would we?

Just a quote from the video, but isn't this the same thing?

Hello Sony

It has come to our unfortunate attention that you have decided to interrupt the free flow of information. As you well know from other acts performed by Anonymous, that we will not stand for this.
By suing Geo Hot, and attempting to view the IP addresses of those who watched his videos, you have angered the hive.

I've bolded the parts that are relevant to this situation. Anyone agree?

Friday, 18 November 2011

Android Security - Pointless?

Thanks to a post from @Androidpolice on Twitter for posting this. The following post contains quotes from Google's own open source project manager Chris DiBona (he's a complete douche bag btw).

Mobile Security is apparently pointless from what Chris says.

Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. If you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.

So, is Lookout Mobile Security useless and pointless? Hey Chris, it's 2011, wake up and smell the coffee. Security is becoming a bigger and bigger issue, malware is evolving. Yes what we have right now may not be 'big' per se but it's heading that way.

If you read a report from a vendor that tries to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.

So Lookout are "scammers and charlatans". Hey Chris, I wonder what will happen if this was sent to Lookout Mobile Security, or Kaspersky Mobile Security, or BitDefender Mobile Security? OOOH SHIT wait I already sent it to Lookout. Oh well. Can anyone 'lawsuit'?

Also what makes me laugh:

So there you go. I'm sure people will now chime in about some worm or malware they downloaded from some app market or something, which will be moderately fun, then it will devolve into a discussion about something unrelated, then I'll cancel comments. :-)
This guy is quite obviously a troll who can't face the truth. Proposes a statement but can't back it up, and when people show him facts that he's wrong, he disables comments. Chris, PLEASE do EVERYONE a favour and kindly go kill yourself now. Thank you.

Thursday, 17 November 2011

Suing Acer; More Trouble Than It's Worth?

Acer are being sued in CA for misrepresentation. You can grab a copy of the document file here [pdf]

Acer sold some laptops that were supposed to come with OEM Recovery CD's and didn't. Obviously recovery CD's are very handy should something go wrong, and I'm guessing the person who filed this lawsuit isn't an advanced person when it comes to technology and computers. Yes Acer may have misrepresented it, but is going through (no doubt) months worth of court action, seeing lawyers, paying for lawyers, etc worth all this bother?

I see the point they're making and it's a valid point, but it seems more trouble than it's worth.

I don't have any recovery discs for mine neither and yes my machine has died on me in the past and wouldn't boot no more, but seriously that's not the end of everything. I just boot Linux instead, open source, free to download the OS, free to burn to a CD, grab my data and format. Takes me what, 1hr maybe 2? that seems like less of a bother than going through months of court related stuff, having to pay for lawyers, etc

This costs me what? Like £50 for a decent external 1TB HDD that hasn't failed on me in the past 3yrs, £10 for hundreds of blank CDs to put Linux on. £60 seems a better deal than bothering with courts if I'm honest. :\

I dunno, go figure.

Wednesday, 16 November 2011

Google Music: I Don't See The Point In It?

Okay so today Google released their new Google Music service, it was a decent conference, you'll probably find the recorded version for playback on the Android Youtube channel soon.

Now me personally, I don't want to come off like I'm all for piracy because I'm not, but I seriously do think this whole Google Music stuff will only lead to piracy.

Someone buys a song, shares it over Google+, so their friends can listen to it once. Now, it's not exactly hard to go download Audacity to record the song as it's played back. Now the problem is, whoever does that has a free copy of whatever song, this person brags about it to his friends and ends up passing it to them, they pass it to their friends, etc.

Somewhere along that line, the file is uploaded to the internet via file hosts/P2P/torrents, and eventually ends up on Youtube, now people across the globe can listen to it whenever they want. I have Internet Download Manager installed on my machine and IDM allows me to download songs (including video) in flv format for FREE.

Now let's recap. Songs people have to BUY eventually end up on the internet, anyone who's anybody can get a copy of them for FREE. Problem Google?

Also, I noticed I can't download Google Music to my SGS phone as it's only for US people. Oh wait someone leaked the APK and now I do have Google Music.

That is all.

Android Security: What Should We Worry About?

Last night I was crawling the net for the latest security news and found something of real interest. More Android malware? more Android vulnerabilities? Nope. Although I will say this. Android malware is optional, yes I said optional. What do I mean by that?

Android malware can be installed with your permission, and doesn't come free with the phone when you buy it. This security threat is NOT optional and is installed by your carrier. This threat has permissions even higher than super user and hides in your phones memory.

So what is it exactly? this rootkit is known as Carrier IQ (CIQ for short). What does it do you ask? normally CIQ is used to report back to the manufacturer when there is a problem with the phone, like if it crashes, etc. No big deal right? wrong.

The CIQ on Samsung/HTC phones is used as a tracking system. It's tracking YOU. It's tracking your location via GPS even if you have it switched off, your calls, your text messages, what apps you're running and when you use them, etc. Yes, this threat is keylogging you.

What makes this even worse is all that data is sent back to your carrier and is NOT anonymous. All that data has YOUR name on it. Apparently your privacy doesn't matter to HTC or Samsung, you don't have the option to opt-out of this program.

You can find both articles on XDA-Developers forum here and here.

Personally, I didn't even know about this invasion of my privacy until last night and this quote from XDA pretty much sums up how I feel about it.

Remember, we may not be the vast majority of your users/customers, but unfortunately for you, our communities are the ones who can make your sales efforts into a living nightmare. Consumers are the ultimate key holders and we suggest that you stop looking at us as dollar signs and more like people and customers. All in all, I am not for sale and my privacy is priceless.

Something tells me Samsung and HTC are about to be sued to hell, we shall see.

Friday, 11 November 2011

FBI Take Down DNSChanger Cybercrime Circle

Quick shoutout to the FBI, Team Cyru and everyone else who helped bring down the DNSChanger malware circle, 7 charged with internet fraud of $14m

We love you guys.

As always, you can find more news in my Twitter feed.

Charlie Miller Kicked Off iOS Dev Team

Recently news broke of security expert Charlie Miller who has helped find many holes in iOS, was kicked off the dev team for showing a proof of concept that allowed malicious apps to be planted into the iOS app store with a code-signing bug. Article by ComputerWorld here

I know many companies have a policy with security researchers - that they have to keep quiet until the hole is closed and not release details about it.

Miller never really released anything, I saw his video for the proof of concept he did, he didn't release the method of how he did it. Yes I can say fair enough, but I can't help but think Apple shot themselves in the foot as well. Losing a decent security researcher like Miller... we'll see how it affects Apple.

Interview with Sony's CEO Howard Stringer

So once again, another article concerning Sony. Sony's CEO Howard Stringer was interviewed by The Street about the Sony breaches. article here.

The basic message was hackers didn't impact Sony too negatively, customers still came back. In a way, I suppose it's true, I find myself still loving my PS3, but not because of what most of todays customers see in the PS3.

Sure everyday customers see the PS3 for being able to play PS3 games both on/offline and play Blurays, but what do customers NOT know about the PS3? I can still play my PS3 games offline and play Bluray movies, but my PS3 is fully unlocked under my control. Mine is jailbroken with ReBug 3.55.2 - I get all the features including OtherOS++, where I've installed Ubuntu Linux. The PS3 market is split in 2 because of Sony, one half know and love the PS3 for games/PSN, the other half love it for its ability to boot to Linux.

But anyway, back to the article.

"The target opportunity was a revenge attack, initially -- it was because we went after a hacker who hacked PlayStation," he said. "PlayStation is vital to us, and so we were afraid that it would essentially destroy a PlayStation."

What I find funny about the article is he doesn't say why people want revenge on Sony. Good point - why would people want revenge on Sony? Lets think shall we?

1. Arresting GeoHot
2. Arresting Graf_Chokolo
3. Sending DMCA's to sites like Github
4. Arresting other hackers

and those are just the upfront facts, do I need to mention Sonys fucked up TOS? If you take a moment to read them, you'll find they are basically screwing you in the ass. THAT is why you were attacked Sony, but we all know they will never say out loud for fear of embarrassment.

He's scared of the PS being destroyed? Sorry Howard, may as well get working on the PS4, the PS3 is the most open console on the market, with both hardware and software exploits, what other console offers Bluray playback + Linux + games? As a person who loves freedom, the so called "hackers" are the ones who are probably bringing more love to the PS3 than Sony ever could, a lot of the Linux community loves the PS3.

But anyway, that's just how I feel about it.

Personal Phones - Privacy Invasion... By Your Boss

Hmm, no blog post for a good 2 weeks or so, time for an update, covering some of what I've read in this week's news, all tech related but on different subjects.

First up, this article here got me a bit pissed off.

No way something like this can stand in a court of law. Employers "demanding" the right to have remote access to employees' PERSONAL phones. Okay wait a second, personal phones? The key word here is personal. Who in their right mind gives someone they don't know remote access to their personal phone? I know I wouldn't.

The message here is DON'T use your personal phone for work, giving your boss remote access to your phone is complete privacy invasion, it's complete bullshit as far as I'm concerned. As much as I hate to say it, take the option of going with a firm's provided BlackBerry phone (as much as I hate them compared to Android). Your personal phone is yours and only YOU should have access to it, full stop.

Wednesday, 26 October 2011

Mobile Phone Theft

I was chatting to mobile security expert @drogersuk yesterday and today, on the subject of mobile phone theft, about mobile phones that are stolen dialling premium rate numbers out in Afghan and India, and the real owner of the phone being charged several thousand dollars/pounds for calls they didn't make, so figured I'd make a blog post on my thoughts on this, how can this issue be resolved? is it an unsolvable problem?

Nothing is really "unsolvable" per se, but the steps I think are needed to combat this problem aren't small by any means. It's a two sided issue, on behalf of network providers and the end user.

Are we looking at a social issue rather than a technological one? Does new technology such as NFC and basing our lives in the cloud increase the risk of theft? Would the introduction of biometrics on phones put us as users at more of a risk than if we didn’t have it?

Technically - yes. Technology continues to evolve, people put more and more risk into the cloud, personal data, even as far as putting their life into the cloud and when their phone is stolen - their life is screwed.

Not too sure on the biometric thing right now, we need more time to see how the whole facial recognition unlock screen works out in Ice Cream Sandwich - personally it's a good idea, so only 1 person can unlock it but whether it will have that effect remains to be seen.

So what can network providers do?

Surely to god making a deal/partnership with a decent antivirus company like Lookout or BitDefender to offer customers to have protection software pre-installed on phones would be a good thing for the security community (although would that fall under the anti-competition issue MS is suffering with W8?)

As others have noted and pointed out, network providers need to start blocking calls to premium numbers if they notice them, I mean someone calling a number that everyone knows is going to charge a hell of a lot of money can't be normal right? or at least block them and contact the real owner via another contact number, home landline or something along those lines? Just like the malware on PC issue, it's a constant game of cat and mouse but it's better than nothing.

What can the end user do?

Be responsible! this applies more to adults than younger kids who have phones but my point remains. All the information about mobile phone security/safety and mobile phone theft and the risks involved is out there - they just have to search for it!

Sadly I still see people not treating their smartphone like any normal computer, antivirus, passwords, etc. To the very least - install antivirus - at least if people who do use the cloud can then access their phone remotely, lock/wipe it before ANYONE has a chance to use it - then phone their provider and ask them to cancel the SIM/contract so it can't be used to call premium numbers.

Saturday, 22 October 2011

Steve Jobs Hates Android & More News

About time I made another blog post, so here goes. This weeks news, a biography on Steve Jobs and how much he hated Android, he vowed to destroy Android. Here's what he said:

“I will spend my last dying breath if I need to, and I will spend every penny of Apple’s $40 billion in the bank, to right this wrong… I’m going to destroy Android, because it’s a stolen product. I’m willing to go thermonuclear war on this.”

I don’t want your money… I want you to stop using our ideas in Android

Now, lesson 1. You can't own an idea, you can't control an idea, once it's out, then it's out. Much like the internet, once something is posted, it can't be removed. I've said this before and I'll say it again - you're greedy Steve, it's first come first serve in today’s world.

Honestly though, I think this hatred runs deeper than just people "stealing" ideas. I've watched Apple & the iPhone grow in popularity and market share, and I've watched Android grow to what it is today. I personally think Steve is/was jealous of Android and its huge success. Apple is just 1 company who made a (slightly more secure) product, but when it comes to Android and Google, Google has many companies working on Android. Samsung/HTC/Motorola/Sony, Apple may have had the best innovator as its CEO, but Jobs is just 1 person competing against 5 different companies designing different phones, using different versions of Android.

That's just 1 fact. The next fact is the openness of Android, that's what attracted me to Android. I'm not paying for the OS, I don't have to be locked down in what I can do to my Android, root it, change the ROM, overclock it, etc and that's what's attracting the huge fan base Android has today. The speed at which Android is developing compared to Apple is outstanding, and the awesome devs at work, the folks over at XDA are amazing. Android has iPhone beat hands down right now and probably forever more. Apple might always exist, but Android will always be a few steps ahead. Linux is the future now, people want openness - which brings me onto the next subject of this blog post.

Ed Bott made a blog post this week on ZDNet about the W8 UEFI Secure Boot system, published with the title "Why do Linux fanatics want to make Windows 8 less secure?"

We don't want to make it "less secure", we just want to have the option to disable the feature so us advanced users are able to use Linux.

I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user, and it would be required for OS badging.

THAT is what I personally am against. I think I made it obvious I am a person all about the freedom of information and the freedom of choice and more so when it comes to being able to use Linux. I've loved Windows for many years (even if I refuse to leave XP) and MS are going in a way I don't like. I only speak for me but I think we all would be fine if we are just given the choice of whether we want this feature on/off. Yes the OS is more secure with it on, but I don't go about getting myself infected and thus I don't need the feature to be on and that lets me use Linux - yay a bonus, we all love bonuses right? The powers of Linux devs are incredible, I don't fully understand why some people want this option forced upon us and not being able to switch it off, but hey whatever.

Friday, 14 October 2011

Verizon Tracking Customers

I'm not a Verizon customer, but this caught my eye so decided to write about it. Verizon have updated their TOS to include the fact they are now tracking their customers' mobile devices... and monitoring their customers at the same time?

There are a few different things they are tracking, but what caught my eye was this; they monitor a device's location... for marketing purposes? That doesn't make sense.

What information are we talking about?

Location of your device ("Location Information")

How information will be used

1. To create business and marketing reports.
2. For other companies to create business and marketing reports.
3. To make mobile ads you see more relevant.

Basically, when they collect information about a device's location, they also collect information of the person's location at the same time, let's face it, no one leaves their smartphone unsupervised. Verizon offer its customers an opt-out option, I advise anyone using Verizon to opt-out A.S.A.P, this is a breach of customers' privacy. It doesn't matter to me that they say they won't share this information with anyone - it's the fact I don't want to be tracked of my location by people I don't know.

But back to the point I want to make. I don't see how ANY of that is relevant to where a customer's device is, it's basically saying a GPS that customers aren't allowed to switch off if they are included in this. Something tells me lawsuits are heading the way of Verizon.

To opt-out of the program, visit THIS LINK

Thursday, 6 October 2011

The Day Apple Died?

Fairly certain by now 90% of the internet has heard Steve Jobs has passed away after his long hard fight with Cancer.

I want to keep this separate from the other thread, but quite a few people across several sites now saying today is the day Apple died. Apple the company will live on, but a lot of people saying Steve put the love into Apple products and they won't be the same without him.

Apple are fighting Android as hard as they can, but the demand of the public for open source and freeware is just too great and Android is attracting lots of people, but Apple are just one company, Google has many companies working on the Android project as a whole, Samsung, Sony, HTC, Motorola and now Amazon Kindle using the Android OS, will Apple still stand as strong as they once did? Is there any flair left in Apple now?

I agree Crush. I forgot to mention Motorola and the Intel deal Google have for their Android hardware.

Steve will always be remembered for what he did, revolutionizing the computer industry, but will Apple really want to fight this patent war with Amazon as well now? I'm sure Amazon wouldn't mind siding with the awesome power that be Google, Apple have taken a major blow today and I can't see fighting Amazon would be a good move, that would only push them right into Googles arms, that would only end up as a Apple loss Google win situation.

After the show Apple put on the other day (which wasn't at all impressive, rushed at best), it makes me wonder how much longer Apple will hold together.

Tuesday, 4 October 2011

Lets Talk iPhone Event

Must say watching the event from a live blog posts updating every minute or so is nowhere near as entertaining as watching a proper live online flash stream, I hate having to sit and read, webcasts are the way forward, listening to updates while carrying on with my work is just my preference.

But anyway, my thoughts right? Overall, not too bad I suppose if you're an iPhone/Apple lover.

Apple started out talking about a few of the different products, iPad/iPod and the Mac OSX Lion, Apple blathered on about how many apps were downloaded from the App Store, yeah high figures but that's Apple, kinda not surprising really, but nothing worth mentioning, just Apple adding hype.

Down to the actual things worth mentioning.

Apple announced a "Find My Friends" app that uses GPS and from the screenshot I've seen, it looks risky, it used pin pointing in an overhead eagle eye view showing who is where, don't think I want random people even if they are my friends knowing where I am unless I say so. But then again, how well do you know someone? if you have the GPS enabled, I can imagine it would pose a risk to burglary.

Apple then moved on to the new hardware in the phone. Mostly about the new dual core processor, and as stated in a blog post on Android And Me site, Android has been using dual core for a while now, it seems to me Apple are the ones playing catch up with the ever expanding Android. There was also the subject of data network speeds. So, the topic of selling prices for the 4S. 16GB - $199 32GB $299 64GB $399 that's quite a lot of money no matter which size version you go for, personally I don't know if it's worth it.

Fun fact: Apples shares dropped 3.6% at the announcement of the iPhone 4S... that doesn't seem right to me, a new product that carries the Apple brand, and Apple LOSE shares? LOL, oh well.

Honestly there is nothing in the 4S that my Galaxy S can't do, including the new camera hardware. My phone can do stunning 1080p HD quality pictures and not lose any quality in sports mode, under the fast shutter. Apple also threw in a quick slag off of Android phones, made a suggestion that an Android user could make a coffee while waiting to take a picture? no really Androids aren't that slow, screw you Apple you ego based jerks.

Siri, Apples voice recognition app now in the 4S, it can understand English US, UK and Australia, and German/French included and will be released as beta. ... I don't know, probably not worth it, my Android already has this for text messaging, searching, anything that requires the keyboard basically, but if I talked to it in another language, it uses Google Translate for me, this probably isn't something Apple will be able to do, although more and more languages will come to the 4S eventually I imagine.

The whole event seemed rushed and not enough detail on anything Apple showed off. Ah well, onwards as ever.

Wednesday, 28 September 2011

Quick Post - Samsung vs MS

Refer to this article

More or less, the article is just another article on this now stupid mobile patent war between Microsoft, Samsung (Google?), and Apple. It seems MS have settled an agreement with Samsung on its patents and Samsung will pay MS for every Android system it sells.

No one really knows how much MS will be handed per phone sold, but there's just 1 small point that annoyed the hell out of me.

Microsoft is on a winning streak with this strategy. Casio and numerous other companies that use Linux in their hardware have paid off rather than face a Microsoft lawsuit. While Microsoft has claimed for years that Linux violates over 200 of the company’s patents, Microsoft has also never said what these patents were.

First, Amanda McPherson, vice president of marketing and developer programs at The Linux Foundation, points out that you need to keep in mind that, “Patent licensing agreements are done every day in this industry. Unfortunately, this is business as usual. It’s not surprising that in these cases, in particular, one of the parties is choosing to publicize them.” In other words, it’s business as usual, but in the interest of anti-Linux FUD, Microsoft wants to frighten companies.

As a tech reporter and just cause I have an Android, I like to know things, I want to get the facts and not the bull MS seem to give everyone, stop dancing round the questions MS and just answer them for fuck sakes. Well anyway just quickly to my point.

MS are more than happy to sue companies using Linux for patent infringement but won't tell us what these patents are? It seems MS can't man up when people actually want information on the subject; way to go MS, another nail in your coffin - no wonder everyone hates you.

That is all.

Monday, 26 September 2011

W8 Secure Boot System

I was reading this article on ZDNet this afternoon, followed by a quick read of this article.

Both articles concerning the "Secure Boot" system of W8, blocking the use of Linux. I was talking to a colleague about this a few days back, he said MS are trying to protect their "customers" by not allowing unsigned code.

Fair enough I can see his point, but using a system like that, I just can't agree with it. You may want to keep me safe, but at the same time you're going to tell me the ability to use Linux is there - but the risk of malware also exists, so therefore I'm not allowed to have control over my own computer? Supposedly, your customers are "kept safe" under this system as long as they agree to play by your rules? Frankly MS, you piss me off.

Hey MS, who are you to decide this? I'll do what I want with *MY* computer thank you very much, you need to take a leaf out of Google's book. My Android gives me the option to run unsigned code - yes the warning is shown but they give me the option, the exact opposite of what you're doing.

Shame on you MS - this kind of thing I would expect from Sony. I can't help but think you're screwing with the wrong people MS, has no one learned what happened to Sony when they removed Linux from the PS3, or is it just me? Oh well, you lost me as a Windows user.

So, who's still going to Windows 8 now?

Friday, 23 September 2011

ISPs To Cut Internet To Infected Machines?

An interesting article was posted this evening over at Naked Security by Chester Wisniewski, about a proposal to cut internet access to machines under botnet control.

I read through the article and it got me thinking about this, how would I feel if ISPs did cut internet access to people's infected machines?

Machines under a bot master's control are quite dangerous, don't get me wrong, but the idea of cutting their internet access straight away isn't something I agree with. As a person who works in the malware removal field across several online forums, internet access to infected machines is actually quite important.

1. Some of our tools need internet access, I won't name the tool I'm referring to, but it needs internet access to be able to install the Microsoft Windows Recovery Console, and Microsoft are all about making things easier for the end user right? Sure we can install the Recovery Console another way, but the way we do it through internet connection makes it so the process is automatic, much easier on the user and me helping them.

2. We also need internet access to submit malware samples to security researchers to make our tools better; cutting internet access to infected machines stops us doing that, or are these top government guys happy so long as they get their way?

So really, all you're doing in cutting internet access is making our jobs harder and frankly annoying me in the process, I see this as more ISP censorship, that they can do this without really giving the user a chance to sort the issue out.

However, I don't want to just say I'm all for one side of the coin without thinking about the positives. Right now, this is just an idea of the DHS and NIST, but this idea is far from bulletproof.

Yes, cutting internet access to infected machines would solve some of the problems: it stops the bot master using the user's infected machines for malicious purposes and stops the end user making things worse, but just suddenly deciding to call/email the end user and giving them the "oh hai your machine is infected, were cutting your internet access now and you don't have any say in it, kthxbi" isn't the right way to do this.

Really if ISPs want to go with this method, I personally think they should give the infected end user X amount of time to clean the machine up before cutting internet access. That way governments get what they want, and we get what we want, right?

Thursday, 22 September 2011

Google+ - Think Twice

I read NakedSecurity's article on Google+ this morning, warning users about the dangers of privacy when joining Google+.

Hopefully I aren't just repeating their article, but I wanna post my own here.

1. When joining Google+, you can't join anonymously, you have to provide your real name and may be asked to provide evidence that you are who you say you are, in the form of a government document such as passport or birth certificate.

Sorry, but every day, security experts tell people to not give out personal information online, hell, even Google themselves usually give us options to be able to hide our identity, but all that goes out the window with G+ it seems.

But this rule it seems goes out the window as well if you're a celebrity or just any person in general that brings in good SEO. William James Adams of the Black Eyed Peas is now a member of G+ using the name "" as his first name, and "." as his second name.

Hey Google, I think you need to suspend that account - it breaks the rules right? Oh wait, that probably won't happen, although you're more than welcome to prove me wrong, Google. A warning to the public - Information entered on Google+ may be shared with Google and other 3rd party outside sources for Google's own SEO purposes.

To say Google hyped this to be a Facebook killer, right now I can't see that happening. Honestly Google, if you want to be able to challenge Facebook, you need to sort your shit out and fast, 'cause Google+ is set for failure. Sure Google+ might grow and be quite popular, it will only be popular to those who choose to give up their personal information to you, but I won't be one of them.

A last note from me. Hey Google - My G+ account uses my pseudo online name.... whatcha gonna do about it?

Monday, 19 September 2011

Phones Without AV Software - Shocking

I got a tweet from another mobile phone security expert this morning about research by Carphone Warehouse on the number of people who DON'T use antivirus software on their smart phones. I knew some people don't, but the numbers are beyond shocking to say the least.

You can read the article here.

I read the article myself and I only really needed to read half of it to get the idea of the article.

More than half (54 percent) of mobile phone owners believe their data would be secure if their handset was lost or stolen, says the Carphone Warehouse.

However, research by the mobile phone retailer of more than 2,000 Brits, revealed that of these 86 percent don't have security software installed on their handset leaving them wide open to nosey thieves that may want to trawl through their personal data.

86% WITHOUT AV software? Excuse me but that is just pure stupid, it crosses the line quite frankly. There is already banking malware for Android smart phones like Zeus and SpyEye that steal your personal data and run up your bills, and 86% go without AV software? The threat towards mobile phones is growing every day and the level malware takes is getting worse. How much more malware do we need to see before people start to take notice and install some prevention software?

Frankly from my perspective, people just don't have the respect for smart phones that they demand. Many people are attracted to Android because of the fact it's open source - they can change what they want on it. While this is true and it's the #1 reason that attracted me to Android, open source has its bad sides and people just don't respect that.

Smart phones nowadays are no different from your laptop or desktop machine - they are a computer that sits in your hand and they should be treated as so, they need prevention from the internet's dark sides too. Just because it's a phone and it's open source doesn't mean you're safe.

Furthermore, 65 percent of mobile phone owners they don't have a password on their voicemail, despite the fact nearly a third (32 percent) claim they worry their handsets aren't that secure.

Honestly, it's not hard to set a god damn voice mail password on Android systems, I've done it myself for my phone. People wonder why we keep seeing things being leaked online - Look at the Rupert Murdoch stories, sure I don't agree that phone hacking should be done but look at how easy it is to do it, and things like this can be prevented by just taking 5mins to set a 4 digit PIN code - are people really that lazy, or just plain stupid?

Thursday, 15 September 2011

Sony's new TOS - Hey Sony, You Suck

I posted a PDF document to my Twitter but I'll post here as well, Sony changed their TOS today to include even tighter and more restrictive rules on its customers.

PDF Document of new T.O.S

With this new TOS, as a customer, you have to agree that you lose your right to sue Sony no matter what, they've gone through this in quite some depth.

What is arbitration?

Arbitration is an alternative method of resolving disputes in which two parties present their individual sides of a complaint to an arbitrator or panel of arbitrators. The arbitrator, who is supposed to be neutral, then weighs the facts and arguments of both parties and decides the dispute. Arbitration may be voluntary or mandatory.

What is mandatory binding arbitration?

In mandatory binding arbitration, a company requires a consumer to agree to submit any dispute that may arise to binding arbitration prior to completing a transaction with the company. The consumer is required to waive their right to sue, to participate in a class action lawsuit, or to appeal.

Quote from PS3Hax:
Throughout most of the T.O.S, you will see loads of red text and red lines running through text, one thing that caught my eye was the striking out of key words like purchasing and owning, that were replaced with “licensing”, so what that basically means, that any product you “buy”, is no longer yours as you are only licensing it, or in other words renting it, until such times Sony removes that service/feature.

It's been said before that Sony try and claim anything you buy from them still belongs to them, but honestly, screw what Sony think, my PS3 is legally and rightfully mine, I paid for it.

Sony are an evil company. The facts are on the internet, look at their history. The DRM rootkit (malware) that their CDs installed on victims' machines that they were sued for. Took Linux away from us on PS3, when they advertised the PS3 for its Linux ability, hacked by LulzSec and other hackers, and rightfully so, I can't stand Sony and I refuse to side with them, even if they get hacked, I won't defend Sony at all.

This new TOS is complete bullshit, I haven't updated my PS3 since OFW 3.55 because I refuse to agree to their TOS/TOC and I hope more people jump ship away from Sony and the PS3, I hope people actually read the TOS before agreeing to it, it's just 1 big trap.

Wednesday, 14 September 2011

Facebook Subscriptions

For a long time, I've been a lover of Twitter and never really liked Facebook, and today Facebook introduced another feature, subscriptions. To me, they are kind of pointless and I don't see the use in them.

Facebook say it is so I can see others posts without being their friend and I can control what I see from them. But really, I aren't friends with anyone who I don't need to be friends with, let me be a bit more specific. I'm only friends with people that are close and matter to me, I don't want to see other crap from people that I don't really care about.

Sure I have 'liked' a few pages to get updates from them, but only a certain few make that list, security company feeds like Sophos.

Subscribers can see only the things you share publicly.

There's no point in people subscribing to me either, I don't share ANYTHING publicly, my privacy settings are set to friends only and again, only people important in my life are on my friends list so unless I know you, you don't need to see what I've posted on Facebook.

It seems like Facebook keep pushing for social-ness and open-ness and surely there is always the security risk of it, it's so easy to stalk people via Facebook now, but I aren't one of these people who like to share everything I do, I keep myself to myself and I'm happy with the way I am.

Windows 8 - Part 1

So since yesterday, there is a lot of buzz online of Windows 8, people downloading the dev preview, and they aren't alone, I've downloaded it, just not got round to trying it yet, but I will soon.

Anyway, main point of this blog post. I was watching the live webcast yesterday, and I do like some of the features they have in Windows 8, one being protection against autorun malware, they tested a USB pen drive infected with a rootkit and the machine refused to boot with that active - good defence.

One thing that bothers me though, this built in antivirus they are hyping so much. I can't see it ending nicely, take note from what happened with Internet Explorer, MS were forced into making Browser Choice for the end users, and I know I aren't the only one sat thinking MS are gonna get sued into making "Antivirus Choice".

But anyway, that's not for me to worry about. What is to worry about, is if this is going to be good or bad. Built-in protection is good, but if everyone used Windows 8 and everyone used this new built-in antivirus, then everyone would be at risk. I never tried it, but I heard good things about MSE, good detections and isn't a resource hog on the system, but a built in antivirus is going to have to be an all-in-one detections and protection against the likes of TDL4 and these fake HDD rogues that keep spreading around. Also, there is a fine line between good detections and false positives - I work in the security community and no matter what version it is, I see AVG falsely detecting our malware removal tools, and I hope MS can keep good on their word.

Whatever their plan is for this built in antivirus, I hope it's lightweight and doesn't drain the system's resources and has decent detection ratings. I just can't imagine McAfee & Norton/Symantec are too happy about this though - we'll see how it plays out, but I honestly expect some lawsuits flying MS's way.

Expect another blog post soon, I'll grab some malware from MDL later when I've got W8 installed and see what happens.

Sunday, 11 September 2011

The Next Step In TDL Development

A few days ago, Norman reported on this newest piece of crap released by the TDL4 guys. So far they have pwned infecting Windows files, pwned infecting the MBR, now they are after the BIOS.

This new infection boots itself when the BIOS is loaded and uses several new nasty techniques. They still infect the MBR with TDL4, but this new infection checks that the MBR infection is not damaged by malware removal tools, and if it is, will re-write the malicious code into the MBR. Symantec did an awesome write up on it, here.

I knew these guys were serious when we started seeing these dangerous MBR modifications by the infection but targeting the BIOS takes it to a whole new level.

But, let's look on the good side. A few days ago, Brian Krebs wrote this awesome article on tracking one person who might be involved with the upkeep of the TDSS botnet, the person was traced back to somewhere in Russia (why does Russia not surprise me?).

A day after Brian posted his findings on his blog, his site and his provider suffered a DDoS attack, which took him and his site offline for a little while. Luckily his site wasn't down long and he got it back up and running fairly quickly, but it shows they are scared of being caught - to me the attack was in retaliation for his findings.

Shame DDoS attacks are useless nowadays - fair enough they knock the site offline for a while but no permanent damage was done to Brian's site.

Keep up the awesome work Brian!

Thursday, 8 September 2011

The World of Android

Catching up with some evening reading online, and two somewhat older articles posted on ZDNet at the end of August caught my attention. Article 1 & Article 2

Give article 1 a read first. This mobile patent war is getting more stupid by the day, the amount of companies suing other companies all over mobile patents. Now with Steve Jobs stepping down as company CEO, will Apple ever be the same? In terms of how strong the name Apple is, without Steve, can they maintain that name?

To me, Apple are such an ego based company, suing Android makers for patent infringement, HTC, Motorola & Samsung, but now these companies are all counter suing Apple.

I'm sure you all saw the news recently of an Apple employee losing the iPhone 4 prototype in a bar, but let's look at it this way. There is a chance they did this on purpose - look at the attention they got from it, and as a prototype, it could have been nothing more than a "leak" to see what people thought of it before actually releasing it fully around the world.

Recent news also showing Apple hiring for a new job as Product Security Manager, someone to look after Apple's new hardware products without risk of losing them, but from here (to me), Apple are going downhill.

Now on article 2, carrying on with the theme of Apple and Android. Reasons why I chose Android over other phones/OS's. Reading article 2, I agree mostly with David Gewirtz, I hate Apple products, the iPhone layout was just so hard to grasp.

David, your second reason on the insecurity of Android. I can see your reasoning, but that is just one risk that comes with open source software - people reverse engineer it and look for holes to abuse and push malware through, and the malicious apps that subscribe the phone to premium rate numbers and reading text messages and listen to voice mails, but with Android slowly taking over the market share, again, it's just one side effect, the malware authors follow the largest crowd. There is good reason to go with the closed source more secure iPhone over Android, but my open source freedom is not something I want to give up. The malware problem nowadays, 99% of it is the end user - installing things that are too good to be true or don't read what apps they install are accessing - a lot of the problem would be avoided if they did.

Next, yeah Google's way of naming the Android version is a bit weird, how they jumped from 2.2 to 3.0 can be a little confusing when you're looking for one version specifically, but that's one thing that I suppose I like about Google, the unexpectedness of it, keep people guessing!

I suppose it is a downside of Google releasing newer Android OS's that can't run on whatever phone you purchase, but again, I'll run the risk. Making tweaks to the phone is just like any software I install, going through the options to fine-tune it to how I want to run it.

Other than what I've posted above, I agree completely with everything else.

Saturday, 3 September 2011

Prey Project

I was sat watching this week's BBC Click episode, you can find it here, as many security companies are bringing out apps for smart phones not only to keep them safe from malware, but to find missing devices, well now we have that for our laptops and desktops.

I decided to give it a go, see what I make of it and it's really really simple to use, so I'm gonna do my own review of this, as the BBC Click review really looked rushed and wasn't given much time to go through it and show you people how it works, so I'll do it here.

Let me introduce you to the Prey Project. This program allows you to remotely track your laptop or desktop the first time they make an internet connection when stolen.

How does it work?

I've installed this on my laptop. It tracks the device via the nearest WiFi AP or GPS to pinpoint where your stolen device is. Just like any remote access program, Prey also allows you to remotely lock the device with a password so it can't be used, and sound an alert if needed.

This is just the software side of things, there are a few more things I'll go through in this blog post as well, but here are 3 screenshots of my settings on the Prey website.

When a device is stolen, you switch the "Missing?" option to 'Yes' so Prey knows to track it, and there are your settings for locking the device with a password and setting an alert to let the thief know they are being tracked.

Now, Prey also monitors your machine's hardware and alerts you to any change, see screenshot I took below, but it's monitoring my motherboard, how much RAM I have, how many RAM sticks are in my machine, what my BIOS is including version number, and my processor, how fast it is and how many cores are in it.

Another thing I haven't said but I'll cover it anyway. You can have it monitor up to 3 devices all at one time. So far, I'm only monitoring one device, my desktop machine, so I'm gonna add my laptop into that when I get a chance to.

I recommend giving them a try, upgrade to premium for just $5 a month and take advantage of all the premium features they offer, totally worth it. Here is another blog about a success case of using Prey software, check it out: Why You Don't Steal From A Hacker

Follow Greg, Prey and me on Twitter for loads more updates.

Friday, 2 September 2011

Chromebooks AREN'T dead.

I was reading another article on ZDNet a few days back about the Chromebook being dead before it's even begun to reach big popularity.

I want to make a blog post about this, I don't think the Chromebook is dead by any means, I want to get a Chromebook some day. While I do agree with the last paragraph there about it being more economic to just have an Android tablet, it's cheaper and isn't any different to the Chromebook really aside from maybe a slight hardware difference.

Let me just quickly run through my thoughts on this. Things like my Android phone and the tablet are just devices I use and carry around with me while I'm on the move, devices that I can just quickly jump onto Facebook and Twitter and check out my daily news feeds for things, whereas the Chromebook like any laptop based device is something I can sit down with, plug in my USB mouse and compile blog posts and such.

Secondly, in terms of security and reliability, I've been a very happy Google product consumer for a while now and Google have made me proud with how quick they jump on vulnerabilities. It's a fair point to say if Chromebooks do become the more popular laptop device in the coming years, yes we will see malware for Chromebooks, we've already seen a test of that at Blackhat 2011, but compared to Microsoft, let's just say I trust Google way more.

Lastly, Chromebook is just something different that I want to try personally. Windows has ruled for many years and still will do but it has too many extra features for me, I don't use them all and as we have seen, Chromebook is just much lighter on resources as it's just a browser, that's all people really want to do nowadays.

It seems another member of ZDNet agrees with me, a new article concerning the article I linked to at the top appeared 3 days back.

Facebook Bounty Program

Just wanted to make a quick post about this. Read this article today that was on Threatpost a few days back about the Facebook bounty program and it looks like it's working.

Facebook have so far paid out $40,000 to white hat hackers who reported security vulnerabilities. I'm glad to see it working as well, for a long time Facebook has been the #1 way to spread malware and along with these crappy Facebook scams, I've posted about this issue before and it's about time something is done and I'm glad to see this looks like a good start to making Facebook safer.

Wireless Tethering

So today I watched the latest BBC Click episode on wireless tethering and also read the worded version of this story/article.

See the article here:

Some say it's "stealing" from carriers as it costs extra and tethering wasn't supposed to be included in the data plan.

I'm an Android user personally, my phone comes with "Mobile AP" which is a mobile access point, that allows me to tether other devices over wifi to my phone and uses my phone's 3G network as the hotspot. I however don't use this and went with rooting to allow me to use Wireless Tether app from the Android store.

The two biggest networks in the US have clamped down on what they say is "illegal" tethering.
Instead of allowing users to install unofficial apps to workaround any barriers, operators are now re-directing them to a page indicating the cost of upgrading to a tethering plan.

AT&T says its aim is "fairness for all of our customers" by making all users pay the additional fee. But even analysts are divided as to whether it can legally justify charging more.

"The simple truth is that those who go the unofficial tethering route are stealing service from the carrier, with the exception of those lucky customers whose plans allow tethering as part of the basic service,"

Good thing I'm UK based on Vodafone network who have allowed it this year in the more updated smartphones, and I agree with Martin Hocking on this when he said it's our data and we should be able to use it as we want to - we should. But what gets me here is how tethering is illegal? If whoever wants to suggest that I'm stealing, then go ahead, I don't care, I'll admit I'm stealing then, screw what you think.

For those other carriers who think it's right to charge more for tethering, honestly you're wrong. We pay for data, it's ours to use as we see fit, I pay for my 500mb of data on my phone and it's no one else's business but my own what I use it for, tethering included.

Some carriers want to ban tethering by detecting large spikes in data usage. Sorry, but from my stand point, doing this will only result in lawsuits. You as a carrier gave us 500mb/1gb of data and we'll do what we want with it, when we want to.

Wednesday, 24 August 2011

Upgrade From XP, No Thanks

I was reading this article today about the market share of Microsoft OS's in terms of how much malware affects them quantity wise, and with what is said in the article, I agree, XP is the most vulnerable to attackers.

While XP is still the most popular OS out of them all, it's slowly losing its market share of users as more stores around the world ship out machines with Windows 7 on them and in the near future, Windows 7 will likely become the most popular OS, which creates a question for attackers. Where will they move onto?

I think we see it enough every day in the news that Android smartphones are by far the most popular platform to attack just because of the openness and by far the most vulnerable, just like XP is, and we see it every day that the world is moving onto smart phones. Smartphones ARE computers that we can hold in our hands, laptops and notebooks were the *thing* for a while, but smartphones is where it's at in terms of where the market share will go.

While I work in the computer security community, I do advise most everyday users to upgrade to Windows 7, but frankly the malware problem overall is down to the end users that don't keep up with security patches.

For now though, I'll be one person to keep XP alive, I'm sticking with Windows XP until support stops, then I'll move onto the newest OS (likely be Windows 8 by that time)

Google Adds URL Shortener

Another awesome idea by Google, a second URL shortener, but this one is more designed around security.

Unlike, which is public, anyone can make a short URL with that can lead anywhere, but will be private and only created by Google themselves, can't be created by anyone and Google's plan is to use them for when linking to something that is a Good product or service.

The idea is that more users will trust links if they know that the website they are being linked to is a Google product and safe.

Nice one Google!

Tuesday, 23 August 2011

Ramnit Adapts To Zeus

In the latest malware news, the file infector known as Ramnit gets an upgrade. The writers and creator(s) of Ramnit have adapted the Zeus code into its coding, and this is just the first step in the evolution of newer infections.

Earlier this year we saw the Zeus source code released online, followed by SpyEye code being released online, and so far Ramnit is the first to take advantage of this and the creators added Zeus into Ramnit's source code, all in the name of financial gain.

The malware scene and writers make millions from online fraud every day, and as we saw, Zeus and SpyEye were widespread and very successful in what the infection was made to do, now with Zeus/SpyEye being released online, it's given malware writers a new base and platform for them to build around and possibly upgrade, and it just makes it easier for malware writers to create new malware with new techniques.

Sure, right now a lot would say TDL4 (as far as fixable infections go) is still the most dangerous as it's hiding in the MBR, one of the most dangerous areas of a machine to play with, but the point I'm making is that making malware nowadays with all the tools appearing online and in underground communities, it's not hard to do.

It wouldn't surprise me if we DID see more malware taking on the likes of Zeus into their code, and this can only result in more new and dangerous malware appearing.

More on Polymorphic File Infectors

I was sat thinking this evening about this new infection Kaspersky picked up a few days ago, and it amazes me as to why more malware writers haven't (yet) adapted this technique of infecting many of a computer's system files.

I mean across the forums that I help on, we do see the likes of Virut, Sality and Ramnit but it's only the minority for now and it's a constant fight between the good guys and the bad guys.

Truly if the bad guys were bent on winning in the sense of creating malware that can't be beat, they would have adapted to infecting system files. Sure they've already managed this in the likes of TDL3 where it infects a random .sys driver file but it can be disinfected and repaired. Now with TDL4 they've gone as far as hiding in ring0 with the MBR infections.

I'm really just amazed why we aren't yet seeing TDL4 come with an explosive bomb attached to its chest and start infecting system files - it can be done and it's the one kind of infection that can't be stopped as the damage is just too great.

Sure we know the only way out of an infection like this is a quick drop everything and format situation, so I wonder if the bad guys want us to fight their malware instead of going down the path of destruction method, I mean their malware lasts longer when we fight it right? rather than formatting, and they can constantly update to stop our tools from killing the infection.

Ah well, it was just a topic I was sat wondering about, who knows if we'll see more file infecters in the future.

Saturday, 20 August 2011

Polymorphic File Infectors

I was reading this article today on Securelist about a new virus Kaspersky picked up called Virus.Win32.Xpaj.gen. It's a polymorphic file infector.

What are they and what makes them dangerous?

Essentially a polymorphic file infector injects malicious code into every .exe file on a machine and damages them beyond repair. This new virus works the same way as the Win32.Sality virus, it spreads via USB, so no doubt if this new infection starts to spread big time, it will cause mayhem on computers. Luckily the other infections that use this file infecting technique aren't seen often, so let's hope we only see a minimum of this new infection.

What can be done

As expected with malware nowadays, this one also comes with backdoor capabilities, and sadly with polymorphic file infectors there is nothing that can be done, the damage caused to a machine is too severe, and as I've seen with other infections like this, like the Ramnit & Virut families, there is nothing that can be done to combat it.

The one warning I can give people is to switch off autorun in Windows (even though Windows Updates now does this) to prevent infected USB hardware infecting your machines. Even though this update from Windows should have reached the majority of users by now, I still see lots of machines with autorun switched on, my old college machines for example.

The only way out is to fully format the machine WITHOUT backing anything up as backed up files are likely to be infected as well.
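As an added example (not part of the original post), this Python sketch audits the autorun setting mentioned above: it parses `reg query` output for the `NoDriveTypeAutoRun` policy value and reports which drive types still have AutoRun enabled. The host names and captured outputs are constructed samples, and it checks only the policy value, not any AutoRun change delivered by Windows Update.

```python
import re

# Explorer policy key that holds NoDriveTypeAutoRun (under HKLM or HKCU).
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# A set bit disables AutoRun for that drive type. The bit position equals the
# GetDriveType() code (0 = unknown ... 6 = RAM disk); 0x80 is a reserved bit.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",   # USB sticks and other removable media
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
REMOVABLE = 0x04

VALUE_RE = re.compile(
    r"^\s*NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.MULTILINE
)


def parse_reg_query(text):
    """Return the DWORD from `reg query ... /v NoDriveTypeAutoRun` output,
    or None when the value is not present (reg.exe prints an ERROR line)."""
    match = VALUE_RE.search(text)
    return int(match.group(1), 16) if match else None


def enabled_types(value):
    """Drive types whose AutoRun is NOT disabled by this policy value."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items())
            if not value & bit]


def audit(host_outputs):
    """Map host -> (status, drive types still enabled by policy)."""
    report = {}
    for host, text in host_outputs.items():
        value = parse_reg_query(text)
        if value is None:
            # No policy value: the OS default applies, nothing was hardened.
            report[host] = ("not-set", None)
        elif value & 0xFF == 0xFF:
            report[host] = ("all-disabled", [])
        elif value & REMOVABLE:
            report[host] = ("removable-disabled", enabled_types(value))
        else:
            report[host] = ("removable-autorun-allowed", enabled_types(value))
    return report


def _sample(value_line):
    # Constructed reg.exe output for the samples below.
    return "\nHKEY_LOCAL_MACHINE\\" + POLICY_KEY + "\n" + value_line + "\n"


# Constructed sample data: host names and values are invented for the example.
SAMPLE_OUTPUTS = {
    "lab-pc-01": _sample("    NoDriveTypeAutoRun    REG_DWORD    0x91"),
    "lab-pc-02": _sample("    NoDriveTypeAutoRun    REG_DWORD    0xff"),
    "lab-pc-03": "ERROR: The system was unable to find the specified "
                 "registry key or value.\n",
    "lab-pc-04": _sample("    NoDriveTypeAutoRun    REG_DWORD    0x95"),
}

if __name__ == "__main__":
    for host, (status, still_on) in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status} (AutoRun still on for: {still_on})")
```

Setting the value to 0xFF disables AutoRun for every drive type; anything without the 0x04 bit leaves removable media such as USB sticks uncovered by the policy.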

Here is another article about Sality & Virut by another amazing member of the security community meikimoes, worth reading.

Thursday, 18 August 2011

Recommended Apps for Android

Thought I'd make a "Recommended Apps for Android" list, just some of the apps I use on my Android every day and some that run in the background, but they are all recommended anyway.

Lookout Mobile Security
Wireless Tether*
BBC News
TuneIn Radio

* = Apps that require a Rooted Android phone.

Tuesday, 16 August 2011

Facebook to enforce real name policy?

Was reading this article today on TheHackerNews and thought I'd post a little something about it.

The sister of Facebook CEO, Randi Zuckerberg wants to put an end to online anonymity. Facebook wants to force people to use their real names on Profiles.

You realize all this will do is anger the online consciousness that is Anonymous and me included. I'm not really a Facebook fan, never have been. I'm only on there to talk to a few friends and family, and my name is set to Belahzur because that's my online identity.

I'm sure everyone saw the big debate Google got when they forced this on users of Google+ and suspended accounts for it. Frankly, if Facebook did the same to me, cut me off from contact with family just because I'd rather keep my real name hidden, then I'll happily leave Facebook and never go back there.

I don't want to sound like I'm all for Anonymous, but as an insider, what they do is for a just cause. I want my freedom of speech and my right to hide my name if I want to. If Facebook do plan to do this, then they deserve what's coming to them November the 5th.

MS Declares Victory Over Linux

I was reading this article on ZDNet today, and it caused something in me to snap.

To me, Linux has never been a threat to MS directly. I don't see where MS see the Linux competition coming from. I like Linux because of the openness of it, allowing me to do what I want to the OS.

Mobile matters. Desktop doesn’t.

Just 'cause I don't like MS - Android market share owns that of Windows Phone.... Isn't Android's kernel based on Linux? Oh wait, it is. Linux isn't a threat? Linux is a bigger threat than MS imagine it to be - Linux was never developed to compete with MS, it was developed and is mainly used nowadays by people who are sick of MS and want to try something different.

Linux is free to download - any distro of it. I don't have to pay anyone a penny to legally download Ubuntu or Red Hat. Let's look at another fact.

Boot discs - I'm sure you can name an awful lot of them, 90% of them are based on Linux. You can call us hackers if you wish, but the Linux community is about sharing in the openness of Linux, we like knowing how things work and reverse engineering and making it our own version of something.

Take a lesson from Sony, I'm fairly certain everyone on the internet saw the attacks on them, and that started because of what they did to Geohot and others, they removed OtherOS and forced me off PSN because I want to keep Linux on my PS3.

Recently Mozilla are planning their own Firefox OS - guess what? They are planning to base it on....... Linux. MS only say they declare victory now because they've had the market share of OS users for so long and I doubt that will ever change. Windows will hold claim of the most popular OS, but great things come in small packages and that's what Linux offers. We don't have to rely on anyone else with Linux, like with Windows Updates; if we want something added or changed, we do it ourselves.

MS can declare victory over Linux, but Linux will NEVER die.

Monday, 15 August 2011

Google buys Motorola

Today's big news: Google has bought Motorola for the price of 12.5 billion.

Quote from ZDNet:
While Motorola Mobility will remain a licensee of Android, and Android will remain as an open operating system, Motorola Mobility will act as a separate business under the arm of Google.

There have been many contributors towards the Android OS and why it has been so successful in its market share of late, and that's down to the openness of Android, and it's exactly the reason I chose Android over the other smartphones.

Others think Google just bought themselves a lawsuit, however: Microsoft were suing Motorola for Android patent infringement, and Microsoft could potentially sue Google now, as Motorola is now working under Google. This would be a decent courtroom fight to see. Not many companies would think of going against Apple or Microsoft in court just because of how much money each company has, but the one company that is strong enough to fight Microsoft would happen to be Google.

I imagine if MS are still fighting Motorola, I can see MS settling and coming to an agreement. My thoughts if they went to a court room battle, MS vs Google directly over this, I can't see MS winning; it's more about which company has more money and looking at how much Google make every day alone, MS wouldn't be on the winning end.

With Google taking up more and more market share for the Android OS, Microsoft will also need to do the same if they ever want to (at the very least) get their Windows Mobile OS out into the market, and one way they could do this would be to buy out RIM (Research In Motion), the makers of the BlackBerry phone, just to try and even the battlefield for Microsoft a little bit more. This has yet to be seen, but it's one way MS could counter-attack Google's newest purchase; some say MS will buy Nokia or RIM, others say they won't.

With Google and Microsoft going at each other in the mobile OS war, I'd love to see Google slap Microsoft down a peg or two. Would Microsoft even dare to fight Google? That would be a good lawsuit to watch.

I guess we shall see in the coming days/weeks how this unfolds.

Thursday, 11 August 2011

Facebook & Phone Numbers Exposed

So it appears Facebook have very quietly added a sneaky setting to the Facebook Mobile settings, and this is *by default* a big security risk. Facebook expose your mobile phone number to people who you may not want to share it with.

Here's a screenshot from my list of contacts. I've removed their names and numbers to respect their privacy.

One of my friends there is an old friend from college, I never had this mobile phone number but now apparently Facebook gives me it because of this new stupid feature they put in.

Those who use Facebook Mobile from your smartphone, please switch off contact sync so Facebook doesn't get your contacts from your phone's contact book.

I don't really like nor do I appreciate Facebook doing this, I use my phone for my Facebook login approval settings, I trusted Facebook with my number and now they want to give it away to others without my permission?

I'd advise everyone to disable that option so others can't get your phone number.

More information here:

Wednesday, 10 August 2011

Google+: Safer than Facebook?

As you have probably seen on the internet, there is an ongoing debate over Google+ allowing pseudonyms on their social network. Right now G+ is still in beta, giving scammers and spammers alike the chance to send out false invitations to Google's social networking site; anyone who doesn't have an account is 99% likely to click the link hoping to get invited to G+.

Google also ban people not using their real names, so does that keep spammers away from Google+? Sure, there have been lots of scams concerning G+, but not originating from G+.

On the same subject of privacy and safety: Google+ works on a 'circles' system, meaning we can share data and information with a small group of people we choose, or an individual, compared to Facebook, where it's friends only, or friends of friends, or no one at all.

This is my circle, only 6 people, but I can add a status and only a select few people I choose can see it. Does this make your information safer? Only those who you want to see your status can see it, so I suppose the answer would be yes.

The only downside is when you're added to someone else's circle, they can message you without your approval, making it easier for spam/scam messages to be sent out. Google+ is still at a very young age to say it has over 10 million members, and Google can and probably will change and upgrade quite a few things before it goes public; sadly this is just one of the dangers of the closed beta stage.

Right now, Google+ looks safer than Facebook, but only time will tell.

"Phone Hacking" has got to stop

Yet again another morning, I check my Twitter feed to see another person being arrested under the suspicion of phone hacking.

A little while back BBC Panorama did a show about this, they met a hacker who explained how easy it is to do this, and I have to agree, it is easy. I'm an Android user and I know how to do it, but again this comes down to the end user problem.

People buy smart phones but don't change their voice mail PIN, or they do change it, but they change it to 1 2 3 4 or something similar that is easy to guess just from looking at the keyboard; usually it's numbers that are on a horizontal line or a vertical line so people don't forget it.

Unfortunately doing that doesn't make your voice mail PIN number secure, it needs to be random, use sites like to give you a random 4 number PIN.
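The weak patterns described above (1 2 3 4, or digits on one horizontal or vertical line of the keypad) turned into a checker and a local random PIN generator, as an added example that is not part of the original post. The keypad layout and all function names are assumptions of this example.

```python
import secrets

# Digits that share a straight line on a standard phone keypad
# (layout assumed for this example):
#   1 2 3
#   4 5 6
#   7 8 9
#     0
KEYPAD_LINES = [
    set("123"), set("456"), set("789"),    # horizontal rows
    set("147"), set("2580"), set("369"),   # vertical columns
]


def weak_reason(pin):
    """Return why a PIN is easy to guess, or None if no pattern matched."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must contain only the digits 0-9")
    # Differences between neighbouring digits: all +1 or all -1 is a run
    # such as 1234 or 9876.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return "sequential run"
    # Every digit taken from a single keypad row or column, e.g. 2580,
    # 1231 or 7777.
    if any(set(pin) <= line for line in KEYPAD_LINES):
        return "straight line on the keypad"
    return None


def random_pin(length=4):
    """Draw PINs from the OS CSPRNG until one avoids the weak patterns."""
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if weak_reason(pin) is None:
            return pin


def usable_pin_count(length=4):
    """How many PINs of this length survive the pattern filter."""
    return sum(
        weak_reason(f"{n:0{length}d}") is None for n in range(10 ** length)
    )


if __name__ == "__main__":
    # Constructed sample PINs, not taken from any real account.
    for sample in ["1234", "4321", "2580", "1111", "7899", "8305"]:
        print(sample, "->", weak_reason(sample) or "no known pattern")
    print("usable 4-digit PINs:", usable_pin_count(4), "of 10000")
    print("suggested PIN:", random_pin())
```

Filtering these patterns removes 666 of the 10,000 four-digit PINs, so the random choice is still made from 9,334 values.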

It's a shame how people think phones aren't anything like computers and don't need security because they are in your hands and no one else's. But they do: they are mini handheld computers and should be treated the same way as a desktop or laptop computer.

Tuesday, 9 August 2011

ChromeOS Vulnerabilities


As the ChromeOS fan base grows, so does the market share of malware. Since ChromeOS is based solely on a browser, malware writers focus their attacks on malicious extensions for Chrome. Take the example of Scratchpad, one of the apps that comes pre-installed with ChromeOS, and the vulnerability that was found in it, known as open permission.

A quote from Kyle Osborn at the Defcon 19 Conference:

"Because it has access to all sub-domains under, this could include your contacts or Voice account. An exploit could export your entire contact list as a CSV," he said, simply because you were using a Google-written app.

Through the use of a tested malicious app installed into ChromeOS, they were able to forcefully download an app of their choosing, and because everything is synced to a user's Google account, there is no defense wall to bypass.

Don't get me wrong, the security in ChromeOS is much tighter than other OSes, but the attacks are shifting from the everyday malware we see in Windows to web-based attacks.

The only downside is how this system basically turns the end user into the firewall. When installing apps, it still shows what information the app accesses, but not everyone reads that; in fact the majority of people won't read it and will just skip the small print to install the app.

A writeup on the Chromium blog can be found here about developing apps more safely:

RIM & BlackBerry Rant

Now, time for the big news story of the day, riots happening across several parts of the UK. The riots are thought to be organised on BlackBerry Messenger service (BBM) as it's a closed system and more private than other platforms of communication.

Quote from RIM:
We feel for those impacted by this weekend’s riots in London. We have engaged with the authorities to assist in any way we can. As in all markets around the world Where BlackBerry is available, we cooperate with local telecommunications operators, law enforcement and regulatory officials. Similar to other technology providers in the UK we comply with The Regulation of Investigatory Powers Act and co-operate fully with the Home Office and UK police forces.

Because of this statement, the BlackBerry blog site was hacked and defaced by TeaMp0isoN, and here is the quote from them.

Dear Rim;
You Will _NOT_ assist the UK Police because if u do innocent members of the public who were at the wrong place at the wrong time and owned a blackberry will get charged for no reason at all, the Police are looking to arrest as many people as possible to save themselves from embarrassment…. if you do assist the police by giving them chat logs, gps locations, customer information & access to peoples BlackBerryMessengers you will regret it, we have access to your database which includes your employees information; e.g – Addresses, Names, Phone Numbers etc. – now if u assist the police, we _WILL_ make this information public and pass it onto rioters…. do you really want a bunch of angry youths on your employees doorsteps? Think about it…. and don’t think that the police will protect your employees, the police can’t protect themselves let alone protect others….. if you make the wrong choice your database will be made public, save yourself the embarrassment and make the right choice. don’t be a puppet..

p.s – we do not condone in innocent people being attacked in these riots nor do we condone in small businesses being looted, but we are all for the rioters that are engaging in attacks on the police and government…. and before anyone says “the blackberry employees are innocent” no they are not! They are the ones that would be assisting the police

I have to say I am with TeaMp0isoN: not every BlackBerry user is guilty, and passing on messages that are perfectly innocent to the police is an invasion of privacy. How many of your customers would love to know you plan on passing their location via GPS to police? It's beside the point that it's police, but that you're tracking them anyway, when customers may not want to be tracked.

Innocent police will be harmed just to track down the guilty? There has to be a better way than this. It's not right, but it's not like we have a choice in the matter, right? Think about it though for a second: because of this, how many people will leave RIM and go over to Apple (iPhone) or Google (Android)?

On a similar note, a few days ago I made a quick blog post about another raid on a PS3 hacker that was raided by police, and during these riots, a Sony store caught fire. Bad karma? Quick video here

Chrome extensions

For those of you out there that use Facebook as well as other platforms like Twitter for news, or just want to see only relevant information and need a way to hide anything that isn't useful, like the sponsored box or friends being friends with other people, here are some helpful Chrome extensions that I use.

The first, Facebook Purity.

Once installed you may want to configure it just a bit, but I use it to hide anything I don't want to see, give it a try, it's worth it.

Once configured to meet your needs, it adds a little bar at the top of your Facebook news feed to show/hide items that you have chosen to be hidden. It's very simple to use and filters all the useless crap.

Second, have you ever wanted to shorten a URL really really quickly? If so, use this extension. Shortener Lite:

It will add a little button to the top right of your Chrome window, and when you want to shorten a URL, just press it and there you have it, a short URL.

There is also another blog post, listing a nice collection of extensions for Chrome, specifically for those who work in computer security, worth looking at and installing a few.

Funny Wifi Names

1 week old article but only getting around to going through all my favourite tweets recently.

Saw this article about their favourite Wifi names on, some made me laugh.

But on that basis, have you enabled or disabled your SSID broadcasting? Would love to hear some other funny Wifi names out there.

Short to long URLs

It seems LongURL isn't working right now, so here's an alternative site to make short URLs long again.

I've tested it personally across quite a few URL shortening services like and it works fine.

Insert a short URL, press the X-ray button and see where the short URL leads to. Very handy for avoiding phishing scams.

My week in review

So looking back at the past week, let's go over a few things.

First, the infamous Defcon 19 Conference. The tech generation is getting younger and smarter: the 10-year-old girl going by the name of CyFi found exploits in farming games by altering the clock to make time go faster. My hat's off to you, that's very impressive to say she is just 10 years old.

Mikko Hyppönen gave his awesome talk about how we've been fighting computer malware for 25 years, and how this started with the Brain.a virus. Two articles on his talks about how and why computer viruses started appearing online can be found in these two links: &

Next we have the UAV that can stay in the air for up to 1 hr and can monitor for WiFi signals, phone signals and Bluetooth, and using this is able to track the movement of a signal it picks up. Pretty cool, eh? This is made possible by the 32 GB Linux hard drive inside the vehicle to store its stolen data.

For a roundup of the 2011 Conference, see this excellent article by Threatpost:

Next is the new WiFi standard. Anyone who works in networking will be very familiar with the 802.11 a/b/g/n standards; well, now it's time to introduce the next stage in the evolution of standards. Introducing 802.22, a new range of WiFi that allows up to 62 miles away, 12,000 square miles to be exact. This probably won't be seen on devices for another year or so, but don't worry, your router(s) should still be able to use this newer standard.

Something tells me we'll see this going to iPhones/iPads very soon. Apple are usually very quick on the updates, and now with the wireless tethering on devices like iPhones and Androids, we may see 802.22 make an early appearance.

Friday, 5 August 2011

Sony at it again?

Just read an article about police raiding the home of another PS3 hacker for publishing his jailbreak software. Sony, did you not learn from the past few months, do you want the attacks to resume? 'Cause you're sure going the right way about it to piss more people off again.

Sorry but it has to be said. As the video published by Anonymous said, this is the same as someone legally owning and buying a computer but being punished for installing or deleting programs.

Keep it up Sony, you're going to hell regardless, you've lost a massive user base to MS Xbox during the PSN downtime.

Thursday, 4 August 2011

GMail 2 step verification

I know this news is 1-2 weeks old but it needs to be repeated. As more of the world's market starts going to smartphones (Android/iPhone/BB), Google started doing as Facebook do, using a security feature that works by sending an SMS message to a user's smartphone and requires a PIN number to access any GMail account with this security feature set up.

I think more and more sites need to start doing this. As I told a friend the other day, he can have my Facebook name and password but can't access my account without my phone. So with this in mind, it's no wonder we're seeing more trojans on Android phones that access users' text messages, phone calls & voice mails, since open source is easier for hackers to find exploits in. Is the future of malware moving onto smartphones too? Windows still holds the base for malware, but as technology evolves (ChromeOS and OSX), so does malware; it becomes more and more widespread across many different targets and platforms. But anyway, back on subject: people need to start using the two-step verification in GMail, and start locking up their data and protecting themselves online.

Good work to Google on this, it's a step in the right direction security wise.

Wednesday, 3 August 2011

Facial Recognition Software

So just how much DO you value your privacy these days? I was reading an article today about someone who used everyday software available on the net to identify people using nothing more than a basic picture of someone, and using facial recognition was able to track down their personal information such as their Facebook, names and addresses, etc.

So how much do we value privacy these days? Your best friend Facebook could be your worst enemy? Is this even possible?

Although I have to say this is a very smart evolution in technology. Yes, it was only developed as a test that it can be done, but "if it can be used, it can be abused" as they say.

Twitter parental controls

Another nice move by Twitter! They are testing out a parental control feature to filter out content that may be NSFW (not safe for work). This is added as an option in the settings to filter out tweets that are marked as 'sensitive' by the publisher of a certain tweet, and this is done without the possibility of false positives and without forcefully filtering content.

Thank you to Twitter for not forcing this upon users and not censoring information shared. I love you Twitter. <3

Tuesday, 2 August 2011

Google Chrome

Google have updated Chrome to stable version 13.0.782.107, following Google paying out $17,000 in bounty reward money to researchers. Users are encouraged to update to this new version.

Windows XP - breeding ground for malware

So I was reading an article on TechNet about Windows XP being the most popular OS for malware, and more specifically the TDL4 rootkit that infects the Master Boot Record (MBR). The research by Avast shows XP accounts for 74% of malware, with Vista accounting for 17% and 7 accounting for 12%, and 7 being safer than XP. Yes, I understand this result naturally comes with the fact that Vista and 7 have better defences with UAC & driver signing as well as a few other defences; then when it comes to x64, even less because of the different file system it uses.

Vista & 7 might be safer but are harder to repair if they do get infected - I see plenty of Vista and 7 machines that come with custom-written MBR code from manufacturers for OEM partitions, and repairing these isn't easy - many malware removal tools write 'default' Vista or 7 code, these OEM machines don't use 'default' code, and using default code on an infected machine causes the machine to become unbootable.

So yes, XP might not be as safe as the more up-to-date OSes, but it's much easier to repair the MBR on an infected XP machine.

However, I'm not just bashing Vista & 7, it's just that certain features like OEM are designed to help the everyday user but sometimes make our jobs harder, and lots still love XP because it works and it's simple. It's not complicated, and XP had many years between the release of XP and the release of Vista, so are the end users to blame for the mass infection range of XP?

Monday, 1 August 2011

Facebook bounty program

Facebook have recently started a bug-hunting bounty project, similar to what MS and Google have, for any white hat anywhere in the world to volunteer their skills for. Facebook is willing to pay up to $500 or more for any security hole found, but ask that researchers take an oath that they give Facebook a 'reasonable' amount of time before they publish their research publicly.

Have to say, good on Facebook, to me they have really tightened their security - I use the text message service with a code number if an unauthorized device accesses my Facebook account and it hasn't failed me in testing it out, along with entering a device name.

Good work Facebook, keep it up, +1 to you guys on this.

Saturday, 30 July 2011

Week in review

Hello folks. I'm away for all of this coming week so I shall do a special 'week in review' blog post when I get back, until then folks, cya.

Friday, 29 July 2011

Infected hard drives for sale?

Buying a new hard drive, bound to be harmless, right?

According to an article published by HNS (HelpNetSecurity), an Australian supermarket, ALDI, was selling hard drives that were infected with the Conficker worm.

The company now asks anyone who bought a hard drive from them to return it.

The thing is though, how many customers will have used their hard drive before they were alerted to this issue? I see a lot of machines every day that still use the autorun feature in Windows, and even more machines with old outdated software on them.

This also raises another question, people who use these old(er) machines that run with plenty of security holes left open, how often do they run an antivirus scan?

I know not everyone is tech savvy, but a simple thing like switching off autorun can (to some degree) prevent the Conficker worm activating from external media. Think about it before you buy your next piece of external hardware, the bad guys are hiding everywhere and picking up an infection nowadays is getting harder to avoid.
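To check whether autorun really is switched off, as advised here and in the file infector post, the sketch below decodes the Windows `NoDriveTypeAutoRun` policy value into the drive types that can still autorun. It is an added example, not part of the original post: the registry value name and bit table come from Microsoft's AutoRun policy documentation, and the function names and sample values are assumptions of this example.

```python
import sys

# NoDriveTypeAutoRun is a bitmask: a SET bit DISABLES AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",   # USB sticks, card readers
    0x08: "fixed",       # internal disks; many USB hard disks report as fixed
    0x10: "network",
    0x20: "cd-rom",
    0x40: "ram disk",
    0x80: "unknown (reserved)",
}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def to_mask(raw):
    """Normalise a registry value (REG_DWORD int or REG_BINARY bytes)."""
    if isinstance(raw, (bytes, bytearray)):
        return int.from_bytes(raw, "little") & 0xFF
    return int(raw) & 0xFF


def autorun_enabled_for(mask):
    """Drive types for which AutoRun is still allowed under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def assess(raw):
    """Summarise a policy value for an audit report."""
    mask = to_mask(raw)
    enabled = autorun_enabled_for(mask)
    return {
        "mask": mask,
        "enabled_for": enabled,
        "all_disabled": not enabled,
        # Media a user is likely to plug in or insert from outside.
        "external_media_exposed": any(
            t in enabled for t in ("removable", "fixed", "cd-rom")
        ),
    }


def read_policy():
    """Return (hive, raw value) from the registry, or None if unset.

    Windows only. The machine-wide key is checked first because it takes
    precedence over the per-user key when both are present.
    """
    import winreg
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE),
             ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                raw, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
                return hive_name, raw
        except FileNotFoundError:
            continue
    return None


if __name__ == "__main__":
    if sys.platform == "win32":
        found = read_policy()
        if found is None:
            print(VALUE_NAME, "is not set: the OS default behaviour applies")
        samples = [found] if found else []
    else:
        # Constructed sample values so the decoder can be tried anywhere.
        samples = [("sample", 0x91), ("sample", 0x95),
                   ("sample", b"\xff\x00\x00\x00")]
    for source, raw in samples:
        result = assess(raw)
        print(f"{source}: 0x{result['mask']:02X} autorun still enabled for: "
              f"{', '.join(result['enabled_for']) or 'nothing'}")
```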

Thursday, 28 July 2011

Anonymous & FBI

An article written on Gawker a few days ago was about a 19-year-old girl being raided by the FBI as they thought she was a "power that be" in Anonymous; turns out they were wrong.

It's interesting how the FBI go around busting down the doors of innocent people.

Later they told my family that I was "arrogant and belligerent." I disagree. I think they expected me to cry. I think they expected me to ask for forgiveness.

I think they expected me to panic and give them everything I knew. I think that these are stupid expectations based on the fact that I am 19 and female.

I have to say good on her, not breaking under pressure, they searched a house of an innocent girl who was only an IRC channel OP, LOL! Well done FBI, were the words "arrogant and belligerent" because you didn't find much, didn't find what you hoped you'd find?

Give the article a quick read, it's worth reading.

See what you make of it.

Wednesday, 27 July 2011

Wifi Hacking DVD

Downloaded the Wifi Hacking DVD released by SecurityTube a few days back and only just got round to looking at it.

A quick look at what it contains for anyone interested:

Definitely worth looking at and worth learning from; however, the DVD is 4.23 GB to download, but anyone who works in computer security should get this.

Tuesday, 26 July 2011

Mozilla's own OS

So we have Mac OS X, Windows, Google with ChromeOS, and now Mozilla want to dabble in it.

Good for them I say, before Chrome, Firefox was the way forward, there isn't much to write about, it's all just a simple plan for now, nothing is "concrete".

Mozilla have named the project "Boot to Gecko". Mozilla are possibly looking at building on a Linux base rather than re-invent the wheel so to speak.

Sources say they may prototype their OS for PCs, but they are mainly focusing on handheld devices such as phones/tablets/pads, and it will be released in real time as open source.

No doubt this project will take quite a while to even see the light of day, but from what I've read, if anything ever becomes of this project, I would be willing to give it a try. I was a Mozilla user for many years and still am; they made an awesome product in Firefox and Thunderbird, so this has the potential to be something even better.

Keep up with the discussions and planning here with these two links: &


So, my next quick write up is about Google+, Google's own social networking.

Over the past few days, Google have been removing G+ accounts that don't use real names, or "pseudonyms". Now, I myself use a pseudonym, for I am Belahzur and my G+ name is set to that as well, just because I'd rather use that than my real name online.

Google said they wanted Google+ to kill Facebook? That won't happen if they force people to use their real identity. Yes, it's a "social network", but that doesn't mean Google should be allowed to force users to either use their real names or be locked out of G+. I know plenty of friends and family on my Facebook that don't use real names and I think that's part of Facebook's success.

Something I saw from an article on a article about G+:

There's a very simple business reason why Google cares if they have your real name. It means it's possible to cross-relate your account with your buying behavior with their partners, who might be banks, retailers, supermarkets, hospitals, airlines. To connect with your use of cell phones that might be running their mobile operating system. To provide identity in a commerce-ready way. And to give them information about what you do on the Internet, without obfuscation of pseudonyms.

This made me think twice. Google use your data and pass it on to third parties? Yes, this happens every day without users even thinking about it and mostly it won't really affect us, but when it comes to social networking, what users are interested in and what kind of topics are in their circles isn't to be shared with the world; data should be kept private.

Yes I realize G+ is still very young at only 4 weeks old but with over 10 million users already, Google needs to start thinking about what people want, not what they want.

Monday, 25 July 2011

In recent news...

BBC did an article recently about Sony hiding behind insurance companies in regards to the data breach back in April, see the article here:

Zurich American Insurance has now gone to court in New York seeking a declaration that it does not have to help Sony with current or future legal action related to the data breach.

Legal papers filed by Zurich reveal that 55 separate class action lawsuits are pending in the US because of the breach.

Also underway are investigations by state and federal regulators that could also end-up before the courts.

Sony has made claims on several of its insurance policies, including one with Zurich, to help pay its legal bills and provide compensation.

However, Zurich argues that the policy it set up for Sony does not cover the part of the business that suffered the breach or the sort of damage the theft caused.

Why should anyone help Sony? It was their lack of security that caused this; they care more about money than they do about customer service and customer safety.

Let me explain what I mean. I watched day after day of new attacks on Sony; investigations into the Sony breach showed that Sony KNEW that they were using old outdated Apache software on their servers with no firewall installed.

But anyway, Sony are now trying to hide behind their insurance companies to help pay for their screw-ups. I don't see why anyone has to help Sony; this was their problem and they could have prevented this from happening.

Let me rewind a bit though, back before the attacks started. As a wise person once said "How did this happen? Who's to blame?" Look how long the PS3 went without a jailbreak because customers loved what the PS3 offered. When they removed Linux, they messed with the tech boys community and that's one group of folks you don't want to mess with. This all started when Sony removed Linux from the PS3. I'll show it in a chain of events, like this:

Sony remove Linux from PS3 > Geohot jailbreak to put Linux back > Sony targeted Geohot and other hackers with legal action > Sony requested sites to remove jailbreak software > Anonymous & LulzSec got involved.

If they hadn't removed Linux and started targeting hackers, would any of this have happened? Think about it.

Looking back at my other article about Sony, see the fact of their poor customer service, their bad reputation and now PSN is back up, their poor attempt at getting customers back with crap games that are years old.

I won't ever use a Sony product ever again.