Unethical classmates.com tactics

You have probably heard of the website classmates.com, which helps old high school mates get back in touch, recall good times and renew old friendships. You can create an account for free, but apparently to get true value out of the site and look up other people you have to pay for access.

Well, a San Diego resident is filing a lawsuit against the site for sending him false information and tricking him into paying for access. Messages saying "friends are trying to contact you" or "your profile has been viewed X times" enticed him to pay, only for him to find out they were not true.

Read more here

There is even an article about 5 reasons classmates.com should be sued into oblivion.

November 13th, 2008 by abcampa | No Comments »

Wireless attacked and cracked a bit further

Recent news has indicated that WPA has been cracked. This is not entirely true. I will provide the specifics, but first let's look at a bit of history.

WEP was fully cracked a while ago and should no longer be used. That was alright; we still had WPA and WPA2.

Now WPA is said to be cracked. Arstechnica has a good article explaining what exactly happens. Read here.

WPA is a wireless security standard that you set up on your access point. You are able to choose an encryption algorithm: TKIP is one, and AES-128 using CCMP is another. What was cracked is TKIP. Here is a white paper with even more specifics, written by the researchers who discovered this weakness in TKIP:

http://dl.aircrack-ng.org/breakingwepandwpa.pdf

In addition to a long and secure passphrase, mitigate this by using WPA2 with AES (CCMP) encryption. That means getting into your AP settings and choosing those options. You should also set up MAC filtering so that only authorized wifi devices are allowed to connect to your network.
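As an added example (not from the post or from the Aircrack-ng paper), here is a small Python audit of the AP settings the post recommends, written against hostapd.conf syntax. The keys it reads (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt, wpa_passphrase, macaddr_acl, accept_mac_file) are real hostapd keys; the two configurations are constructed samples showing the weak "mixed WPA/WPA2 with TKIP" setup beside the hardened WPA2/CCMP-only one.

```python
"""Audit a hostapd access-point configuration for the weak choices this post
warns about: WPA (v1)/TKIP still offered, a short PSK, no MAC allow-list.
The hostapd keys used are real hostapd.conf keys; both configs below are
constructed samples, not anyone's production AP."""

# Constructed sample: a typical 2008-era "WPA/WPA2 mixed" setup that still
# accepts TKIP and uses a short passphrase.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=short1
wpa_pairwise=TKIP
rsn_pairwise=CCMP TKIP
"""

# Constructed sample: WPA2 only, CCMP (AES) only, long passphrase, MAC ACL on.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct-horse-battery-staple-9fA2
rsn_pairwise=CCMP
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""


def parse_hostapd(text):
    """Parse hostapd's key=value lines into a dict; blanks and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text, min_passphrase_len=20):
    """Return a list of (key, message) findings; an empty list means the config passes."""
    conf = parse_hostapd(text)
    findings = []

    wpa_mode = int(conf.get("wpa", "0"))      # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    wpa_pairwise = conf.get("wpa_pairwise")   # hostapd's default when unset is TKIP

    if wpa_mode == 0:
        findings.append(("wpa", "neither WPA nor WPA2 is enabled (open or WEP network)"))

    if wpa_mode & 1:
        findings.append(("wpa", "WPA (v1) is offered; set wpa=2 so only WPA2 is negotiated"))
        if "TKIP" in (wpa_pairwise or "TKIP").split():
            findings.append(("wpa_pairwise", "TKIP accepted for WPA (v1) clients"))

    if wpa_mode & 2:
        # rsn_pairwise falls back to wpa_pairwise (and thus to TKIP) when unset
        rsn_ciphers = conf.get("rsn_pairwise", wpa_pairwise or "TKIP").split()
        if "TKIP" in rsn_ciphers:
            findings.append(("rsn_pairwise", "TKIP accepted for WPA2 clients; use rsn_pairwise=CCMP"))

    if "WPA-PSK" in conf.get("wpa_key_mgmt", "").split():
        n = len(conf.get("wpa_passphrase", ""))
        if n < min_passphrase_len:
            findings.append(("wpa_passphrase",
                             "passphrase is %d characters; use at least %d" % (n, min_passphrase_len)))

    if conf.get("macaddr_acl", "0") != "1" or not conf.get("accept_mac_file"):
        findings.append(("macaddr_acl", "no MAC allow-list; set macaddr_acl=1 and accept_mac_file"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_hostapd(text)
        print("%s config: %d finding(s)" % (name, len(findings)))
        for key, msg in findings:
            print("  [%s] %s" % (key, msg))
```

Running it reports five findings for the weak config (WPA v1 offered, TKIP on both the WPA and WPA2 cipher lists, a 6-character passphrase, no MAC ACL) and none for the hardened one. Note that hostapd treats an unset rsn_pairwise as "same as wpa_pairwise", so a config that only adds wpa=2 without also setting rsn_pairwise=CCMP keeps offering TKIP; the audit models that fallback.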

November 11th, 2008 by abcampa | No Comments »

I’m back for a bit: Microsoft Emergency Patch

MS08-067 was released out of band. We expect new Microsoft patches on the 1st Tuesday of every month, but this one arrived outside that cycle.

Everything you need to know about it is in a document that people from Securabit, DShield, pauldotcom and others contributed to:

http://docs.google.com/Present?docid=dghttrwg_26c47c5xcx

I will be posting sparingly in the next week as well, as I am attending a CISSP bootcamp. Study, study, study!

October 30th, 2008 by abcampa | No Comments »

Fake Virus has tricked many

PandaLabs reports, and Ars Technica writes, about malware that tells you that you have a virus/worm/malware and that you need to download its AV software to fix it. This is a scam set up to fake you out: you click on the advertised popups saying you have a virus and buy their AV software, which is not legit at all. They now have your credit card number and your machine remains infected.

This has fooled many people. It is set up to replace your background image with one of its own, and there are reports of bugs crawling across the desktop as well. In the case I experienced, it disables your AV and it disables Task Manager so you can't stop processes.

Read the Ars Technica article here.

30 million victims.

October 17th, 2008 by abcampa | No Comments »

More Facebook malware

The trick is that Facebook message spoofing is involved, and it may not be as easily detected as spoofed emails are. You get a message from a friend that contains a link to a video, which is really a link that prompts you to update Flash Player, and that's when you're owned.

Apparently non-Windows machines might provide a bit more protection.

Read the full story and screenshots at F-Secure.

October 15th, 2008 by abcampa | No Comments »

Proof of Concept: Google bugs

So if you think you are safe because you see mail.google.com in the address bar, think again. There is now what is called a frame injection vulnerability in Google Mail, Calendar, etc. It has been proven to work by Adrian Pastor at GNUCITIZEN. This link explains how it all works.

To look at the proof of concept, check this link out. **Do not enter REAL credentials**
http://mail.google.com/imgres?imgurl=http%3A%2F%2Fsecuregooglemail%2F&imgrefurl=http%3A%2F%2Fsnipurl.com%2F482f3

Google is working on this issue, although it has been in the works for around 6 months already.

Read more here.

October 13th, 2008 by abcampa | No Comments »

SIM Card forensics by Larry from pauldotcom

So the pauldotcom guys were at the SANS Las Vegas conference and did a presentation on SIM card forensics. That is the little chip in your cellular phone where you can keep your address book and other data.

This came up for me when one of my daughters had my old phone and was playing around with it. It still had the SIM card in it, but by the time they were done with it they had taken it out. I asked for it and thought, if I lost this I wonder what might be exposed. I took it and bent it, then put it in the trash.

Larry took it a bit further and went to a cell store and then to eBay to acquire dozens of used SIM chips to perform testing on. He used a SIM-to-USB reader and some software to get some interesting data. He found phone numbers and text messages.

Be aware!

Here is his presentation:

http://www.pauldotcom.com/SimcardTechSegment.swf

October 10th, 2008 by abcampa | No Comments »

Internal Threat: Hacking

When most people think of hackers invading the network, they picture someone out in their basement breaking through the corporate firewall. This is not always the case:

http://www.australianit.news.com.au/story/0,24897,24474552-15306,00.html

This article is an example of a disgruntled employee within an organization who acquired a co-worker's password and used it to do damage to IT systems from that same co-worker's home computer.

Good system and security logs are probably what caught this individual, but maybe tighter access controls for the IT staff would have helped. How did he acquire his co-worker's password? Was password sharing going on? Security practices were not implemented to their fullest. Internal threats are hard, because we trust our employees, but we have to be careful. I wonder if a background investigation was done, if backups were up to date to recover the systems, and if critical systems were configured for failover or clustering, so as to not fully lose service.

October 10th, 2008 by abcampa | No Comments »

Do you use multiple browsers?

So I have been thinking of using a sandbox program like Sandboxie, for security reasons when surfing or testing things out. Sandboxie keeps anything malicious trapped so it does not infect your main operating system. So when people want to try to find free music on the internet, instead of using their main browser, they should use Sandboxie.

Rich Mogull from Securosis wrote a good article about using multiple browsers for different things, such as banks, site administration, and more.

This is what he wrote: 

  1. Everyday browsing: low risk, low value sites. I use one of the main browsers, and even use it to manage my low value passwords.
  2. Everyday browsing 2: slightly higher risk, but even lower value. Basically, it’s the browser in my RSS reader.
  3. Blog management: a third browser dedicated to running Securosis. This is the bit Robert convinced me to start. I use it for nothing else.
  4. Banking: Internet Explorer running in a Windows XP virtual machine. I only use it for visiting financial sites. To be honest, this is as much a reflection of my bank’s web app as anything else. I can deposit using my scanner at home, but only in IE on Windows.
  5. High risk/research: a browser running in a non-persistent Linux virtual machine. Specifically, it’s Firefox running off the BackTrack read-only ISO. Nothing is saved to disk, and that virtual machine doesn’t even have a virtual hard drive attached.

I suggest reading the entire article at Securosis.

October 9th, 2008 by abcampa | No Comments »

An iPhone vulnerability - Mail

Common email security practice is to not automatically load embedded (remote) pictures in your email. This is practiced by many email clients, even Gmail.

Apparently the iPhone Mail application does not have this security setting and automatically downloads all embedded images in messages. Embedding remote images is a common technique for spammers/phishers: if the image is loaded, the spammer knows the account exists and is being read, and can add it to more spam lists.
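To make the "do not auto-load images" behaviour concrete, here is an added Python example (not from the post or from any mail client's code) that does what a client with that setting does before rendering: it parses the HTML body, separates images that would cause a network fetch from inline cid:/data: ones, and flags 1x1 remote images as probable open-tracking beacons. The message body is constructed and tracker.example is a placeholder host.

```python
"""List the remote images an HTML e-mail would fetch if the client loaded
them automatically, so a client (or scanner) can decide to block them.
Added example; the message body is constructed and tracker.example is a
placeholder, not a real tracking service."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one inline logo, one remote 1x1 beacon, one
# data: URI image. Only the beacon causes a fetch to a remote server.
SAMPLE_MAIL = """\
<html><body>
<p>Your account statement is ready.</p>
<img src="cid:logo@mailer" alt="logo">
<img src="https://tracker.example/open?id=abc123" width="1" height="1" alt="">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<p><a href="https://www.example.com/login">Sign in</a></p>
</body></html>
"""


class RemoteImageFinder(HTMLParser):
    """Collect <img> sources that would cause a network fetch when rendered."""

    def __init__(self):
        super().__init__()
        self.remote = []   # (src, is_probable_beacon)
        self.inline = []   # cid:, data: and relative references (no remote fetch)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if urlsplit(src).scheme.lower() in ("http", "https"):
            # A 1x1 remote image is the classic open-tracking pixel.
            beacon = a.get("width") == "1" and a.get("height") == "1"
            self.remote.append((src, beacon))
        else:
            self.inline.append(src)


def remote_images(html):
    """Return [(src, is_probable_beacon), ...] for every remote image in the body."""
    parser = RemoteImageFinder()
    parser.feed(html)
    parser.close()
    return parser.remote


def should_block_remote_content(html):
    """Policy of a client that does not auto-load images: any remote image blocks."""
    return bool(remote_images(html))


if __name__ == "__main__":
    for src, beacon in remote_images(SAMPLE_MAIL):
        print(("BEACON " if beacon else "REMOTE ") + src)
    print("block remote content:", should_block_remote_content(SAMPLE_MAIL))
```

The inline logo and the data: image are rendered from the message itself and tell the sender nothing; the single remote image is the one whose fetch confirms the address is live, which is exactly the signal a client that blocks remote content withholds.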

Read the article here at The Register.

Another vulnerability in the iPhone is in the Safari browser. It apparently truncates long URLs, and this can be used to trick users. Apple did not respond to security researcher Aviv Raff's warnings, so Raff decided to disclose this vulnerability.

If you see this link in Safari on the iPhone:

http://securelogin.facebook.com.avivraff.com/reset.php?cc=534a556abd1006&tt=1212620963 (bad link)

it will actually appear like this in the Safari browser:

https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963 (legit link)

So the display basically hides the fact that the bad link is not a Facebook link at all but an avivraff.com site, even though the iPhone shows it as a legitimate facebook.com link.
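The reason the truncation works is that the address bar shows the left end of the host name while the part that decides where the browser connects is the right end. As an added example (not from the post or from Raff's disclosure), this Python snippet takes the two links quoted above, extracts the host the browser would actually resolve, and checks it against a trusted-domain allow-list by its rightmost labels. TRUSTED_DOMAINS is a constructed allow-list for the demo; the check also covers look-alikes the post does not mention, such as notfacebook.com.

```python
"""Show the host a browser actually connects to for a link, and check it
against an allow-list by its rightmost labels, which is the part a
left-truncated address bar hides. Added example; TRUSTED_DOMAINS is a
constructed allow-list."""
from urllib.parse import urlsplit

# Both URLs are the ones quoted in the post above.
BAD_LINK = "http://securelogin.facebook.com.avivraff.com/reset.php?cc=534a556abd1006&tt=1212620963"
LEGIT_LINK = "https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963"

TRUSTED_DOMAINS = {"facebook.com"}   # constructed allow-list for the demo


def real_host(url):
    """Host name the browser resolves and connects to (lower-cased, no trailing dot)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.
    The '.' + d form matters: a bare endswith('facebook.com') would accept
    'notfacebook.com', and any check on the *start* of the host would accept
    the bad link above."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return (scheme, host, trusted?) for a link a user is about to follow."""
    parts = urlsplit(url)
    host = real_host(url)
    return parts.scheme.lower(), host, is_trusted_host(host, trusted)


if __name__ == "__main__":
    for label, url in (("bad", BAD_LINK), ("legit", LEGIT_LINK)):
        scheme, host, ok = classify(url)
        print("%-5s %-5s host=%s trusted=%s" % (label, scheme, host, ok))
```

For the bad link the host comes out as securelogin.facebook.com.avivraff.com, which does not end in ".facebook.com", so it is rejected even though its first 24 characters match the legitimate one; the scheme also differs (http versus https), a second signal the truncated display does not show.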

October 7th, 2008 by abcampa | No Comments »