Friday, November 7, 2008

WPA partially broken

"Security researchers say they've developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router."

Link.

Wednesday, October 22, 2008

Skype-in numbers for Mexico city

It's been hard for me to keep the blog up-to-date due to, among other things, excess work, my class at UNAM, and mountaineering on weekends.

Anyway, yesterday I paid for a 3-month subscription to the Skype-in service, meaning I can receive calls on my computer that originate, mostly, from local phones. I know this is old news for other countries, but in Mexico it's a new service. You can even choose your number (sort of, just the last 4 digits). I can think of many illegal scenarios for scams, and I think it won't take much time to attract the attention of criminals in Mexico, too bad.

Friday, September 12, 2008

UNAM's Computer security conference

UNAM's computer security conference will be held on September 25th-26th in Mexico City. The line-up includes (among others):

  • Eugene Schultz

  • Kimberly Zenz

  • Dr. Tom Holt

  • Peter Casidy

  • Lance Spitzner

  • Jess Vincent


Registration is now open for this 2-day event. The fee is $100 per person for both days.
Where: Palacio de Minería, downtown.
See you there two weeks from now.

Monday, August 25, 2008

New blog from my class

I've just added a link to a blog related to computer security topics from my class at UNAM. We'll be discussing fresh news and other info. Sorry, only in Spanish.

Monday, July 28, 2008

Heart defibrillators & security

A couple of weeks ago I received the printed version of "The Institute" newspaper from IEEE. Although not fresh news (I found some headlines dated March 13, 2008), there is an interesting article titled "hacking hearts" about the "hackability" of human heart defibrillators.

Back in May the IEEE held a Symposium about privacy & security, and the topic of security of defibrillators was discussed in depth: "The researchers tricked the defibrillator into responding to their signals by recording a real device programmer talking electronically to a defibrillator, then replaying the signals wirelessly back to the defibrillator."

Were you concerned about your car's Bluetooth connectivity? What about this?

Friday, June 27, 2008

802.11n and vulnerabilities

With the upcoming release of IEEE's 802.11n standard, I've been looking for already known vulnerabilities in the draft-based (2.0) products that have been on sale for a while.

There are some interesting URLs where you can dig, like WVE and Joshua Wright's website. The standard is planned to be released in November 2008, and so are the "certified" products, so we expect to find exploits and vulnerabilities shortly after.

Friday, May 9, 2008

Mexican Senate's site hacked

Today the Mexican Senate's website was hacked by a South American hacker group. It's been almost 10 years since that website was hacked by the X-ploit group. The people responsible for the Senate's website still have many lessons to learn.

Back to the roots

I'm back at the UNAM-CERT after spending 3 months at NextiraOne. And it's a good return for me because I've been told I'll be teaching a course on selected topics in network security at the engineering school at UNAM.

Tuesday, February 5, 2008

Security patch for the "2wire authentication vulnerability"

Today the UNAM-CERT has released an update to the security note published back in December 2007 that warned about an authentication vulnerability in the 2wire modems.

Last week the UNAM-CERT tested the new firmware that is scheduled to be released to the TELMEX users (Prodigy Infinitum) later this month. The new firmware version is 5.29.135.5 and will be deployed in the coming weeks. It is important to say that the update is automatic.

The complete information is here: http://www.cert.org.mx/nota/?vulne=5534

Sunday, January 27, 2008

2wire authentication vulnerability reaches the mainstream

It's been 50 days since the UNAM-CERT first warned about the 2wire authentication vulnerability we found through a 0-day exploit.

Many people and security-related companies have claimed that "that was old news", referring to the "cross site request forgery (XSRF)" vulnerability reported by a Mexican hacker group back in August 2007, BUT our security note announced a brand-new authentication vulnerability that put at high risk more than 1 million users (at least) in Mexico.

Back in December 2007 we got in touch with 2wire and Telmex before releasing the security note. We were the first team to discover and report the issue while some companies were buying their gifts for Christmas Day and cooking the turkey.

For those companies, the issue remained unnoticed for some weeks (even when we made the vulnerability public and when some blogs had been discussing the topic for a while). But two weeks ago a company (one of those cooking the turkey for Christmas back in 2007, TrendMicro) made a statement about the issue, 1 month after our security note was released (just in time). It's funny that TrendMicro is warning about a "massive attack to hit the mexican users" when this issue has been exploited for a long time.

It seems that TrendMicro Labs are only able to "predict attacks" when they have enough newspapers to "read the future".

Then Symantec appeared, some days ago, with the article "first case of drive-by-pharming in the wild", based on the TrendMicro statement (I guess).

But flames aside, the important thing here is: antivirus and security-related companies based in the USA or other countries don't put enough effort into detecting the current threats in Latin America, or at least not in Mexico. And that's odd, because they sell a lot of licenses here. I think they should start working instead of warning of "(already) upcoming threats".

Shame on them!