
Hackers Temporarily Seize Control Of Google Morocco Domain Name

Google.co.ma, the domain name for Google Morocco’s search portal, was taken hostage by hackers earlier today reportedly for several hours before the problem got fixed (it’s working fine again now). We got a bunch of tips about it, and the situation lasted long enough for lots of people to take screenshots of the website the domain name briefly pointed to due to the hack.

You can find loads of screenshots here and here, but the main domain name pointed to the website shown at the top of this post.

There’s a bit of confusion about how the hack was performed exactly, but it appears as if the hackers found a way into NIC.ma, which controls the DNS for the country, and targeted the Google domain name in particular. The domain was pointed to a different server, and the web page above was shown when people tried to access the search engine. Google apparently at one point automatically redirected visitors from Morocco to Google.com instead of Google.co.ma, but it took a while to get the latter functioning correctly again.

PAKbugs.com leads to a forum where Pakistani hackers hang out, and the names at the top of the web page above are all members of the message board. They are bragging about it here.

This website (in French) claims that this isn’t the first such incident this year: the websites for Google Algeria and Google Puerto Rico were apparently hijacked last month too.
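The delegation hijack described above is easiest to catch from the outside by diffing what the registry currently says against a recorded baseline. The following is an added example in Python, not part of the original post and not Google's or NIC.ma's tooling: the domain's expected NS and A records, the address prefix and the two observations are constructed placeholder values, and the severity labels are the example's own. It reports an NS change, which points at the registry or registrar account rather than the web server, separately from an A record that merely moved outside the expected address space.

```python
import ipaddress

# Constructed baseline for a monitored domain: the nameservers the registrar
# should delegate to and the addresses those servers should answer with.
# All values are documentation-range placeholders, not real records.
BASELINE = {
    "google.co.ma": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "A": {"198.51.100.10", "198.51.100.11"},
    },
}

# Address space the site is expected to be served from (constructed).
EXPECTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Two constructed observations: one unchanged, one where the delegation itself
# was repointed at a third party, the registry-level pattern described above.
OBSERVED_NORMAL = {
    "google.co.ma": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "A": {"198.51.100.10", "198.51.100.11"},
    },
}
OBSERVED_HIJACK = {
    "google.co.ma": {
        "NS": {"ns1.attacker.invalid"},
        "A": {"203.0.113.77"},
    },
}


def diff_records(baseline, observed):
    """Return one finding per record type whose set of values changed."""
    findings = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype, expected_values in expected.items():
            seen_values = set(seen.get(rtype, ()))
            added = sorted(seen_values - expected_values)
            removed = sorted(expected_values - seen_values)
            if added or removed:
                findings.append({"domain": domain, "type": rtype,
                                 "added": added, "removed": removed})
    return findings


def off_prefix_addresses(observed, prefixes):
    """A records that point outside the address space the site is served from."""
    bad = []
    for domain, records in observed.items():
        for addr in records.get("A", ()):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in prefixes):
                bad.append((domain, addr))
    return sorted(bad)


def classify(findings):
    """An NS change means the delegation moved (registry or registrar account),
    which is more severe than an A record changing at the authoritative server."""
    types = {f["type"] for f in findings}
    if "NS" in types:
        return "delegation-change"
    if "A" in types:
        return "address-change"
    return "no-change"


def check(baseline, observed, prefixes):
    findings = diff_records(baseline, observed)
    return {
        "severity": classify(findings),
        "changes": findings,
        "off_prefix": off_prefix_addresses(observed, prefixes),
    }


if __name__ == "__main__":
    for label, obs in (("normal", OBSERVED_NORMAL), ("hijack", OBSERVED_HIJACK)):
        print(label, check(BASELINE, obs, EXPECTED_PREFIXES))
```

In a real deployment the observed dict would be filled from queries to the parent zone's nameservers (for NS) and to the authoritative servers (for A), each on a schedule, so that a registry-side change shows up even while the site's own servers are untouched.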

Download Music From Last.FM

You can listen to Last.FM on your iPhone, G1 and your PC/Mac, but you can’t get MP3 files. With Last.FM Downloader you can! It’s free and contains no spyware or viruses.

FYI:

Last.FM Downloader is pretty much illegal to own because you are downloading songs that are copyrighted material, but I am sure you already have P2P software such as LimeWire, StrongDC++, Kazaa, etc.

Use it at your own risk.

Currently this is only supported in Windows.

Thanks for the link: NirmalTV

How To Download YouTube Videos or Convert To Mp3 3gp Mp4 Etc

These few websites provide great tools to download YouTube videos or convert them into MP3, AVI, 3GP or MP4 for iPhone or iPod.

1. KeepVid - Easy to use, and they also have a toolbar for easy YouTube video downloads.

2. WikiHow - A few methods that will give you enough info on how to download videos to an iPod.

3. Vixy - Best tool out there! Allows you to convert FLV files online into MP3 or any other format you can think of!!

How to Use MSN Web Messenger with Hotmail Account

MSN Web Messenger is, as of today, integrated with your Hotmail account. You can basically use web MSN Messenger and talk to others while composing new email.

To message someone, go to Contacts, click on the person you would like to talk to and click on “Send an Instant Message (Available)”.

Or better yet, sign up with Gmail :)

Download and Sync YouTube Videos to iPod or iPhone

Here are some basic step-by-step guides that will show you how to download YouTube videos to an iPhone or iPod.

The best way to get the FLV file from YouTube and convert it for iPod or iPhone is via vixy.net. It works for Mac and Windows users.

Windows users can use AVS Video Converter, which lets you convert FLV files to any format you can think of, and it’s free too (see AVS4You).

Hope this short tutorial helps you get all the YouTube videos you want onto your iPhone or, in our case, iPod Touch.

How to Save Web Pages and Blogs for Offline Reading

Store Web Pages for Offline Viewing

If you have Google Desktop running in the background, you already have a local copy of all web pages that you have recently opened or read in any browser on your computer. Click "Browse Timeline" inside Google Desktop and your web history will be listed in reverse chronological order - the most recently visited websites at the top.

The problem with web history in Google Desktop is that it gets cluttered too easily, and finding relevant pages in the history may require some effort. In that case you can install Scrapbook for Firefox and save only the web pages that you intend to read offline.

Scrapbook, like Google Notebook, is primarily for organizing web research, but it’s an excellent offline browser as well. You can specify a depth level, and all links from the current web page (up to that depth) will be saved offline automatically. For instance, say you want to read all the stories on the CNN and BBC websites offline: capture the home page with Scrapbook and set the depth to 1, and it will save the full text of all the front-page stories as well.

Scrapbook can export all the web captures as an HTML web page so you can easily read the saved content on a mobile phone or your PDA. Another popular tool for downloading web pages in Firefox is DownloadThemAll.

The limitation with either of the above tools is that they work only in Firefox and also require some manual work. What if you want to read all the front-page stories from all the major news websites while offline? All news sites provide RSS feeds, but they aren’t full text, so you have no option but to scrape content from the main website in order to read it offline.

HTTrack is a free website copying program in which you can create download jobs and execute them whenever you go online. For example, you can create a single download job for all news websites (BBC, NYT, etc.), set the depth limit to 1 and get an offline version of all the front-page news stories in one go. You can also save this job and re-run it any time later, either manually or as a scheduled task.

Another good alternative to HTTrack is wget available for Mac, Windows and Linux. You don’t have to spend time learning the complicated command line switches of wget as there are nice GUI apps available both for Mac (CocoaWget) and Windows (WinWget).

Download Blogs for Offline Reading

Blogs, or websites that offer RSS feeds, are much easier to handle and save because we know exactly what has changed since we last visited the site.

There are two categories of blog readers - (a) Addicts or people who are subscribed to several hundred feeds and want to read them all while offline and (b) Casual Readers or people who follow only a dozen or so feeds.

Casual readers can simply add their favorite feeds to Tabbloid and download them all as a PDF newsletter (example).

For people who fall in the category of addicts, the solution that will work best is a dedicated offline reader that can pre-fetch all the new articles and here are some good choices:

My first recommendation has always been FeedDemon - it’s fast, rich in features and the upcoming v2.8 is even better since it lets you export unread items as an HTML web page that can be read on any device.

If you are subscribed to feeds in Google Reader, you can try either RSS Bandit or Scoop - these are desktop-based readers that work in offline mode and can synchronize with your Google Reader subscriptions. If you are on Bloglines, a similar solution exists in the form of GreatNews - a desktop RSS reader that is also portable. Google Gears is another solution for Google Reader users, but it has limitations.

The advantage with either of the above solutions is that they all support synchronization - so if you mark an item as read in an offline environment, the change will get propagated when you go online next so there’s no double work.

Saving Blogs & Web Pages for Mobile Phones

If you plan to save web pages for offline viewing on a mobile device (with a small screen), I would recommend Web2Book - it not only downloads multiple web pages and blogs in one go but also converts them into formats like HTML or PDF that are supported on almost every mobile device.

Web pages saved with Web2Book can be easily read on ebook devices like the Microsoft Reader or the new Sony Reader. Another option for mobile devices is Plucker - it’s an offline browser available both for Windows Mobile and Palm based PDAs.

If you are an iPod owner (the old models, not the latest iPod touch), you can even turn your MP3 player into a notes reader and read web pages as plain text.

Drawloop, an online service that I mentioned in the previous Adobe PDF guide, can also join multiple web pages and save them in a single PDF file, as in this example where the home pages of three news websites are saved in a single file.

Source: labnol

Create Auto-Starting Installer CDs for Any Application

Windows only: Free app Install-It puts a small auto-starting application on any removable drive that makes installing applications a double-click affair.

After downloading the Install-It package, you'll want to extract its files to somewhere you can reach, like your desktop, and open up the Install.ini file in your favorite text editor. This file is simply a list of program descriptions and the locations of their installer files. If you're creating a disc full of useful installers, just replace the default examples with your chosen verbiage for each app and the location/names of the setup files. You separate those two items with a comma, using slashes where necessary, and end each line with a semi-colon.

Here's an example Install.ini I made for a supposed Windows XP re-installation:



Copy all your installer files and Install-It's files into a CD-burning app, such as CDBurnerXP, and fire away.

Now you've got a CD that, on most computers, will pop up with a list of programs that can be installed without anyone having to guess which icon or cryptic filename means. If a computer isn't set to auto-start when it detects an autorun.inf file, though, you'll have to point the computer to install.exe—not a problem, though, if you've put each application in its own directory.

Install-It is a free download for Windows systems only.

Install-It [via The Red Ferret Journal]

How To Identify Fonts Being Used In Images

Have you ever had trouble identifying which font is used in an image? Fonts used in popular movie banners can be found easily because you have a keyword to search for, but what if you found a free template and the font is not included? You either recreate the buttons with your own fonts, replacing the originals, or post in forums and hope that someone has seen that font before and can tell you its name. There are so many fonts, maybe hundreds of thousands, available on the internet, and identifying an unknown font is definitely NOT an easy task!

If you need to identify a font, don’t despair. I have found two methods that can help you identify an unknown font. If they cannot identify the font outright, they will at least help you narrow it down to the closest matches.

Identifont, a free service, helps you identify fonts by asking you a series of simple questions about the font’s appearance.

[ Identify Unknown Fonts with Identifont ]

WhatTheFont accepts images in color or black & white, and they don’t have to be very high quality (although that helps). Even a digital photograph of some lettering you like is accepted. The accuracy of its results is unprecedented among automatic systems.

[ Identify Unknown Fonts with WhatTheFont ]

Finally, if the WhatTheFont system is unable to give you a good match for the font you’re looking for, you can submit your image to the WhatTheFont Forum to have it viewed by font geeks the world over.

3 Ways a Twitter Hack

Just days after popular social networking tool Twitter was hit with a phishing scam, the company is now trying to clean up a mess surrounding a separate hacking attack.

Over the weekend, some Twitter users received scam tweets, or direct messages, telling them to visit certain sites or blogs. The URL in the message redirected users to a bogus login page in an attempt to steal login credentials for a phishing scheme. On Monday, things got worse as Twitter officials revealed that several high-profile accounts, such as those of Britney Spears and Barack Obama, had been hacked.

"It appears someone gained access to the tools Twitter uses to control its millions of accounts," explained Graham Cluley, a senior technology consultant at security firm Sophos PLC. "Internal tools used by the tech support team were compromised. It's not clear if it was an inside job, or outside hacker. Twitter does say they think it was an individual."

The hack, according to Cluley, is much more serious than the earlier phishing attack because it was a compromise of the system that potentially exposed all Twitter users to the following dangers.

Fraudulent password use

If you gain access to someone's Twitter account, you might be able to gain access to their password, said Cluley.

"We know that 41 percent of people admit to using the same password on every web site and account that they access," he said.

Hackers, while gaining access to something seemingly simple like a username and password for one account, may very well be able to use that information to gain access to more important things, such as your bank account.

Malware infection

Twitter officials said 33 accounts had been attacked in the latest hack, including high-profile users such as Britney Spears and Barack Obama. The hackers used their temporary access to send offensive messages. CNN journalist Rick Sanchez found his account had been hacked with a message that read "i am high on crack right now might not be coming to work today."

The damage could have been much worse, said Cluley, if the hacker had decided to take a different approach.

"Imagine if instead, in the case of Britney Spears account for example, that the hacker had posted a link that said: 'Here's my new video. Click on this link.' Imagine how many people would have clicked on that and it could have pointed to malware? And Barack Obama is one of the most followed people on Twitter. If he said: 'I've just made a new speech. Check it out.' a lot of people would click on that link and get infected."



Source: Network World

Hacker opens gaping holes in CSAT score security

As the investigation into the leak of college entrance exam results rolls on, prosecutors said yesterday that the computer server at the Korea Institute for Curriculum and Evaluation, which administers the exam, had been hacked over 200 times. Not only the test results but also the institute’s internal information was stolen.

According to prosecution and police sources, a manager at a public relations firm called Inuni Co. whose surname is Kim accessed the institute’s server over 200 times between August 2007 and December 2008.

A detention warrant was filed against Kim on charges of breaking information and network laws, but it was rejected by the court.

Kim easily broke into the server. In August 2007, he accessed an employee’s e-mail account at the institute. Kim obtained the e-mail ID from a press release, and the password was the same as the ID.

Kim tried to log in to e-mail accounts of other institute employees over 50 times. One of his successes was with the account of someone in the institute’s administrative office. The employee used a password identical to the romanized spelling of his name.

One of the employee’s e-mails contained an attached file containing the passwords of five other employees at the institute. The employee temporarily managed the other employees’ e-mail access information because he dealt with changes in the institute’s server. Their passwords were identical to the last seven digits of their residential identification numbers.

In this way, Kim downloaded 16 types of internal information from the institute. Among the materials downloaded were plans to grade answer sheets from the 2009 College Scholastic Ability Test, scoring schedules and the number of students who missed the test.

“Kim could look at the Korea Institute for Curriculum and Evaluation’s internal information by accessing the e-mail of seven employees,” a prosecutor said.

Kim passed the information on to VisangEdu, a private education company. VisangEdu made the CSAT score analysis public on Dec. 9, a day before the CSAT results were announced.

Kim accessed the institute’s server four times on Dec. 10 after the institute requested a probe into this case.

As the investigation closed in on him, Kim destroyed a memo containing the IDs and passwords of the seven employees. Prosecutors plan to decide what kinds of charges they will file against Kim and a VisangEdu director whose surname is Jin this week.
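Every foothold in the story above came from a password that could be derived from something public: the e-mail ID, a romanized name, or the tail of a national ID number, and the earlier Twitter item makes the related point about passwords reused across sites. The Python example below is added here and is not from the article or the institute: it audits a constructed set of accounts for exactly those patterns, plus membership in a set of already-exposed password digests. The user records, the exposed-set entries and the 12-character minimum are all assumptions of the example.

```python
import hashlib
import re

# Constructed sample accounts modelled on the patterns described in the article:
# a password equal to the e-mail ID, a password equal to the romanized name, a
# password equal to the last seven digits of the resident registration number,
# one previously exposed password, and one good one. Every value is invented.
SAMPLE_USERS = [
    {"id": "hong.gildong", "name": "Hong Gildong", "resident_no": "8801011234567",
     "password": "hong.gildong"},
    {"id": "kim.cheolsu", "name": "Kim Cheolsu", "resident_no": "9005052345678",
     "password": "kimcheolsu"},
    {"id": "lee.younghee", "name": "Lee Younghee", "resident_no": "8512123456789",
     "password": "3456789"},
    {"id": "choi.jiwoo", "name": "Choi Jiwoo", "resident_no": "9203034567890",
     "password": "Password123!"},
    {"id": "park.minsu", "name": "Park Minsu", "resident_no": "7707077654321",
     "password": "correct-horse-battery-staple-42"},
]

# Stand-in for a list of passwords already seen in public breaches, kept as
# SHA-256 digests so no plaintext list sits on disk (constructed entries).
EXPOSED_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("Password123!", "qwerty123")
}

MIN_LENGTH = 12  # assumed policy value, not from the article


def _normalize(text):
    """Lower-case and drop punctuation so 'hong.gildong' and 'HongGildong' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_findings(user, exposed=EXPOSED_DIGESTS, min_length=MIN_LENGTH):
    pw = user["password"]
    norm_pw = _normalize(pw)
    findings = []

    # Password equal to the login ID (the part before any '@').
    login = user["id"].split("@", 1)[0]
    if norm_pw == _normalize(login):
        findings.append("equals-login-id")

    # Password equal to the full romanized name or to any name token.
    name_tokens = [_normalize(t) for t in user["name"].split()]
    if norm_pw == "".join(name_tokens) or norm_pw in [t for t in name_tokens if len(t) >= 3]:
        findings.append("derived-from-name")

    # Four or more digits of the password appear consecutively in a national ID.
    digits = re.sub(r"\D", "", pw)
    if len(digits) >= 4 and digits in user["resident_no"]:
        findings.append("identifier-digits")

    # Already public somewhere else: the reuse risk from the Twitter item.
    if hashlib.sha256(pw.encode()).hexdigest() in exposed:
        findings.append("in-exposed-set")

    if len(pw) < min_length:
        findings.append("too-short")
    return findings


def audit(users):
    """Map each login ID to its list of findings; an empty list means it passed."""
    return {u["id"]: password_findings(u) for u in users}


if __name__ == "__main__":
    for login, found in audit(SAMPLE_USERS).items():
        print(f"{login:14} {', '.join(found) or 'ok'}")
```

The check runs at password-set time, where the plaintext is available; the identifier and name fields are the same ones HR already holds, so no new data has to be collected to reject the three patterns that let Kim in.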

Get things Insurance

This is a world of uncertainties and no one can guess what may happen the next moment. To be frank, you should not think that this is a way of looking at things from a negative point of view. This is a step towards being cautious. For instance, you might have put in a good part of your savings and bought your dream car. It is also very important to get car insurance, as it will help you get cover and get reimbursements in case some unforeseen things happen. If you are looking to get cheap car insurance, then Maczoop is the perfect destination for you. The site helps you get various quotes, compare and contrast them, and then choose the best one that fits your requirements. They also have some valuable information and tips on auto insurance, which will be very helpful when you are going to take one out. Get things insured and stay secure!

Dissecting iMobile - Security Analysis of ICICI Mobile Banking App

ICICI Bank’s iMobile website has some of the worst server-side validation ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, mobile banking is supposed to be halted until the Reserve Bank of India comes out with mobile banking guidelines and approves the service. Technically, that means existing users shouldn’t be able to use the service whatsoever, new user signups should be prevented, and a notification telling users to retry later should be shown.

Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. ICICI’s website fails to enforce this in two ways:
1. Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens a web page in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
2. The actual iMobile website has some stupid JavaScript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page you will easily find the URL for the application JAR files. Put two and two together and you will be able to download the app.

Which brings me to explain step 2 in detail:
In any browser, go to View -> Source. This will display the source code of the rendered HTML page. Notice the first script block. It contains many functions, and the most important ones to us are “submitForm” and “displayOption”. The line of interest in the submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is navigate to the above URL and append a filename to it for download.

What filename do you have to give, and how?
That’s where our displayOption function is very useful. It contains a set of simple if-else conditional statements holding the respective filenames. For example, if you want to download “M20P1520ALL1.jar”, just append it to the URL and access it from the address bar. The URL therefore becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar. Being a JAR file, most browsers will display a “Save As” dialog box. Now just download the file and transfer it to your mobile. The application is fairly straightforward.

Where did ICICI Bank fail?
1. They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access it directly, bypassing the page. When they do that, the web server should return a “404 - Resource Not Found” error. Got it? Implementing this is pretty simple.
2. There shouldn’t have been so much useless JavaScript on the page. Firstly, they should have removed the device selection drop-down box. Secondly, they should have replaced this page with an alternative. Thirdly, the mobile banking link should have been removed from the home page itself. Fourthly, they should have validated JAR file downloads on the server and displayed the “404 - Resource Not Found” error page.
3. OK, leave aside #1 and #2. At the very least, the mobile app should have shown soft errors when users try to access mobile banking from the JavaME app. Any bank stores all activity data for a certain period of time, so when you access the bank’s service from a mobile device the server software surely knows about it, which means the server should have returned errors to the user instead of allowing transactions.
4. There’s one more bug in the app itself. When you launch the app, it prompts you to sync the data on the device to its servers for faster access next time. When you click “OK” to synchronize, it waits for a few minutes and shows the message “There is no data to synchronize”. When you proceed further and try to access your info, it prompts you to sync the data again. That’s frustrating. Either sync the data properly or access the server every time over a secure channel. As simple as that. That’s not followed either.
For me, all of this implies only one thing: either ICICI wants existing users to continue using the app, thereby disobeying RBI’s orders, or they have some really bad programmers who don’t know what they are doing. At a time when people worry about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION which is at risk. Right?
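The fix the points above keep coming back to, that the halt has to be enforced on the server rather than in page JavaScript, looks like this as an added example in Python (a WSGI sketch of my own, not ICICI's code). The /web/apps/ prefix, the /upgrade path and the JAR filename are the ones quoted in the post; the feature flag, the in-memory JAR store and the /api/ transaction path are hypothetical. With the flag off, the JAR and the upgrade page are 404 whether or not the client skipped the page, and an already-installed app gets a clear 503 instead of a working transaction (point 3); with the flag on, only exact published filenames are served.

```python
import posixpath

# Hypothetical names for this example: the feature flag, the in-memory JAR
# store and the /api/ transaction path are constructed, not taken from the
# bank's site. The JAR filename and the /web/apps/ and /upgrade paths are the
# ones quoted in the post.
JAR_STORE = {"M20P1520ALL1.jar": b"PK\x03\x04 constructed jar bytes"}
JAR_PREFIX = "/web/apps/"


def _respond(start_response, status, body, content_type="text/plain"):
    start_response(status, [("Content-Type", content_type),
                            ("Content-Length", str(len(body)))])
    return [body]


def make_app(mobile_banking_enabled):
    """Build a WSGI app whose mobile-banking switch lives on the server.

    Page JavaScript can be edited or skipped by the client, so the decision to
    serve the JAR, the upgrade page or a transaction is taken here, per request.
    """
    suspended = b"Mobile banking is suspended pending RBI guidelines; please retry later."
    not_found = b"Resource Not Found"

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")

        if path.startswith(JAR_PREFIX):
            name = path[len(JAR_PREFIX):]
            # Fail closed: while the service is halted the file simply does not
            # exist as far as the client can tell, bookmark or not.
            if not mobile_banking_enabled:
                return _respond(start_response, "404 Not Found", not_found)
            # Only exact, known filenames; rejects '../' and anything unpublished.
            if posixpath.basename(name) != name or name not in JAR_STORE:
                return _respond(start_response, "404 Not Found", not_found)
            return _respond(start_response, "200 OK", JAR_STORE[name],
                            "application/java-archive")

        if path == "/upgrade":
            if not mobile_banking_enabled:
                return _respond(start_response, "404 Not Found", not_found)
            return _respond(start_response, "200 OK", b"Upgrade page")

        if path.startswith("/api/"):
            # Point 3: an already-installed client must get a clear error
            # rather than being allowed to transact.
            if not mobile_banking_enabled:
                return _respond(start_response, "503 Service Unavailable", suspended)
            return _respond(start_response, "200 OK", b"OK")

        return _respond(start_response, "404 Not Found", not_found)

    return app


def request(app, path):
    """Drive the app without a server; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    halted = make_app(mobile_banking_enabled=False)
    for p in ("/web/apps/M20P1520ALL1.jar", "/upgrade", "/api/transfer"):
        print(p, request(halted, p))
```

The same three branches are what a reviewer would look for in the real server: the switch checked per request, no reliance on the drop-down or its script, and the transaction endpoints refusing work rather than trusting that the page kept users away.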

That was a long post already, and we still have some more to go. Let’s take a break.

Image Credits

Back? OK, now let’s dissect the actual JAR file and look into the technical details of its implementation.

The Manifest File:
Rename the .JAR extension to .ZIP and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. The user agent is also very interesting: when sending HTTP requests, the application uses that property to set the “User-Agent” HTTP header. They also have debug strings enabled, which means that by snooping around with a good file manager for your mobile you will be able to see technical errors, thereby letting us know how the app works, what requests it sends, its behaviour, etc.

Another important item is the “MIDlet-Name” property in the manifest. This property determines what name the user sees after installing the app on their mobile. When future upgrades are made available under the same name, the app is replaced in place of the old one, which means that if you modify the “MIDlet-Name” property and install the app again, you will have two copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and installing the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.

Some more Holes:
Now move back to the folder where the JAR file was extracted. It contains a bunch of .class files. Pass them through a decompiler and you will get “perfect” Java source files. The code looks obfuscated, but it’s not obfuscated enough: anybody will be able to make good sense of the source. All the URLs, all the strings used and everything else will be clearly visible. By using the app on your mobile side by side, you will easily be able to follow the source code. All in all, I wouldn’t use this app any more until the security measures are tighter.

What should the bank do here?
1. Don’t allow the installation of two apps from the same JAR under different names. Take the example of the Yahoo! Go JAR file.
2. I guess these mobile providers’ socket URLs are used on a one-time basis to send a verification SMS. If that is the case, they shouldn’t be present in the manifest file, for a variety of reasons that I won’t discuss here.
3. There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: encrypt the name-value pairs.
4. Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions, and a signed app will increase their confidence in using this application.
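A reviewer checking a MIDlet JAR for the issues listed in this section and in the manifest discussion above (unsigned, debug left on, provider endpoints sitting in plain text in the manifest) can do it with the Python standard library alone. The example below is added here and is not ICICI's or the JAR's code: it builds a constructed sample JAR in memory with invented manifest keys such as Debug and SMS-Gateway-Url, parses MANIFEST.MF including continuation lines, and reports those findings. Presence of META-INF signature files only shows the JAR was signed at all; validating the signature and certificate chain is a separate step (jarsigner -verify) not shown here.

```python
import io
import zipfile

# Constructed sample MIDlet manifest. Every key and value is invented for the
# example; nothing here is copied from the bank's real manifest.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "MIDlet-Name: SampleBank\r\n"
    "MIDlet-Vendor: Example Bank (constructed)\r\n"
    "MIDlet-1: SampleBank, /icon.png, com.example.bank.Main\r\n"
    "MicroEdition-Profile: MIDP-2.0\r\n"
    "MicroEdition-Configuration: CLDC-1.1\r\n"
    "Debug: true\r\n"
    "SMS-Gateway-Url: socket://sms-gateway.example:9200\r\n"
    "UserAgent: SampleBank/1.0 (constructed,\r\n"
    " continued-on-next-line)\r\n"
)


def build_sample_jar(signed):
    """In-memory JAR (a ZIP) with the sample manifest and one dummy class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        zf.writestr("com/example/bank/Main.class", b"\xca\xfe\xba\xbe")
        if signed:
            # Placeholder signature file and block, only to show the layout.
            zf.writestr("META-INF/BANK.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/BANK.RSA", b"placeholder signature block")
    return buf.getvalue()


def parse_manifest(text):
    """Main-section attributes; a line starting with a space continues the previous value."""
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


SENSITIVE_KEY_HINTS = ("url", "socket", "host", "domain", "password", "secret")


def inspect_jar(data):
    """Return (manifest attributes, list of findings) for a JAR given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        # A signed JAR carries META-INF/*.SF plus a *.RSA, *.DSA or *.EC block.
        # This only detects their presence; verifying them is jarsigner's job.
        has_sf = any(n.startswith("META-INF/") and n.upper().endswith(".SF") for n in names)
        has_block = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                        for n in names)
        if not (has_sf and has_block):
            findings.append("unsigned")
        if manifest.get("Debug", "").strip().lower() == "true":
            findings.append("debug-enabled")
        for key, value in manifest.items():
            if any(h in key.lower() for h in SENSITIVE_KEY_HINTS) or "://" in value:
                findings.append(f"plaintext-endpoint:{key}")
    return manifest, findings


if __name__ == "__main__":
    for signed in (False, True):
        manifest, findings = inspect_jar(build_sample_jar(signed))
        print(manifest["MIDlet-Name"], "signed" if signed else "unsigned", findings)
```

Point it at a real JAR by reading the file into bytes and calling inspect_jar; the key-name hints are deliberately broad, so treat each plaintext-endpoint finding as something to look at rather than a verdict.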

Suggestion for Users:
Users should install these kinds of apps in their mobile’s built-in memory instead of on the memory card. When you connect your phone to the PC in thumb drive mode, all the RMS record stores for the mobile app are plainly visible, and there are many decoders available on the internet that can read the contents of RMS record stores. When the app is stored in the mobile’s built-in memory, you can’t read those stores directly, and there are a number of checks in place that prevent reading them.

That’s about it!

Of course, this blog post can’t be called a full-fledged security analysis. But most of what the bank has ignored are mere basics. They must put more secure systems in place.

How to open mobile websites on your PC browser

There are a number of use cases in which you would want to browse a mobile-optimized website on your PC. When you visit the mobile website in your PC’s web browser, it displays the full content, much to your dismay. However, when you visit it from a mobile browser, it displays a perfectly mobile-optimized page.

In these cases, there are some simple steps that you can follow to open mobile websites on your PC:

  1. Download and install the latest version of Firefox from http://www.getfirefox.com/.

  2. Visit the Firefox Add-ons page and download the Modify Headers addon.

  3. Install the addon and restart Firefox.

  4. From the Firefox window, select the “Tools” menu and click on the “Modify Headers” option (Tools -> Modify Headers).

  5. The window will open as shown:

    [Screenshot: Modify Headers addon window]

  6. Below the title bar, there’s a drop down. Select “Add” from the drop down box.

  7. Now in the text box next to the drop down, type “user-agent”.

  8. In the third text box, paste this string - Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE51-1/100.34.20; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413.

  9. Click on “Save”.

  10. The screen should look like the screenshot below:

    [Screenshot: filled-in addon window]

  11. Using the buttons in the Modify Headers addon window, you can enable or disable particular items.

  12. That’s it! Whenever you want to view a mobile website, just go to Tools->Modify Headers and enable the user agent you added in step 8. When you don’t need it, just open this window and disable it.

  13. You can close the addon window after you have enabled or disabled items.

  14. Enjoy! :)
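Steps 6 to 8 work because the server picks the mobile or desktop variant from the User-Agent header, which the client can set to anything. The Python example below is added here and is not from the post; it shows both halves of the exchange: a server-side classifier that returns "mobile" for the Nokia E51 string from step 8, and a client request carrying that header via urllib, which is what the Modify Headers rule does inside Firefox. The desktop string and the marker list are constructed for the example. The lesson for anyone writing the server side is that a client-chosen header can select a layout but must never act as an authorization signal or be relied on to hide functionality.

```python
import urllib.request

# The Symbian string is the one quoted in step 8; the desktop string is constructed.
NOKIA_E51_UA = ("Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE51-1/100.34.20; "
                "Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 "
                "(KHTML, like Gecko) Safari/413")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"

# Substrings a typical server-side detector of the era keyed on (constructed list).
MOBILE_MARKERS = ("symbianos", "series60", "midp", "iphone", "ipod", "android",
                  "windows ce", "blackberry", "opera mini")


def is_mobile_user_agent(ua):
    ua_lower = ua.lower()
    return any(marker in ua_lower for marker in MOBILE_MARKERS)


def choose_variant(headers):
    """What the server does: pick a layout from a header the client chose.

    Fine for presentation; nothing security-relevant may branch on this value.
    """
    return "mobile" if is_mobile_user_agent(headers.get("User-Agent", "")) else "desktop"


def build_request(url, user_agent):
    """Client side of the same exchange, equivalent to the Modify Headers rule."""
    req = urllib.request.Request(url)
    req.add_header("User-Agent", user_agent)
    return req


def user_agent_of(req):
    # urllib stores header names capitalised, so the key is 'User-agent'.
    return req.get_header("User-agent")


if __name__ == "__main__":
    for ua in (NOKIA_E51_UA, DESKTOP_UA):
        req = build_request("https://m.example.test/", ua)
        print(choose_variant({"User-Agent": user_agent_of(req)}), "<-", ua[:40])
```

To actually fetch a page with the spoofed header you would pass the request to urllib.request.urlopen; that is left out here so the example runs offline.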