List of most useful online tools

Here is the list of some very useful n unique online handy tools for hackers,geeks :).Due to busy schedule I am not able to post description of every website will edit the information later.

• AdHoc IP Tools
• Ben's Web Utilities
• BGPViz
• BrowserSpy
• CERT Station
• CIDR Reports (ASN & BGP Info)
• CodeFlux Tools (SSL lookups)
• Command Line Reference Page
• Country to IP Address Reference
• Default Password List (another) (another) (another)
• DiG Gateway
• digitalpoint DNS Zone Xfer
• Fixed Orbit(ASN & BGP Info)
• GeekTools (Does DNS AXFR)
• Graphical DNS Tools
• HTML Status Codes (from RFC)
• HTTP Viewer
• InfoSysSec Online Tools
• Internet Topology Tools
• MD5 Hash Reverse Engineering Site
• Nerd Labs RevDNS Block Lookup (and other tools)
• NetBIOS Name Table
• Netcraft
• Network-Tools (Does SSL lookups and chaos queries too)
• NSRL Hash check (thanks to SANS) New
• Open Mail Relays List
• Opus 1 (you can mod your UDP traces)
• Open Proxies List
• Relakks VPN Service
• Root TLD Lookup
• Sam Spade
• Shodan Computer Search Engine New
• Swiss VPN
• T1 Shopper Online Port Scanner
• TechnicalInfo
• Tiny URL (URL Decoder)
• Traceroute.org
• TrimWare Online Tools
• User Agent Strings
• Visual Route Server (big list of them!)
• Web Based Network Tools
• Web Probe
• Web Sniffer
• Well Known Ports (plus trojans!)
• Windows Event Id's

If you like the post do share your views :)
SHARING IS CARING.

METASPLOIT v 3.6 RELEASED

All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations.

This release adds 15 new exploits for a total of 64 new modules since version 3.5.1. All editions of Metasploit now include Post Exploitation modules that provide local exploits and additional data gathering capabilities.

Metasploit Express and Metasploit Pro users benefit from the Project Activity Report and Global Search capabilities now available in the user interface. Metasploit Pro users now have access to the new Pro Console, PCI Report, and Asset Tagging features. The full release notes for the open source framework can be found online here  

PenTBox v1.4

PenTBox is a Security Suite with programs like Password Crackers, Denial of Service testing tools like DoS and DDoS, Secure Password Generators, Honeypots and much more.Pentbox is destined to test security and stability of networks.

Tools included in PenTBox

Base64 encoder y decoder,
Digest for MD5,
SHA1,
SHA256 and SHA512,
Port scanner,
TCP DoS,
TCP AutoDoS,
SYN DoS,
Honeypot,
L33t Sp3@k Converter 

PenTBox is programmed in Ruby so ruby is required, and oriented to GNU/Linux systems compatible with Windows, MacOS and more.

Tutorial for PenTBox

1.Download PentBox and un tar
2. We are using windows box , simply run exe and choose from three options.
3. And your ready to attack  or audit. Nothing much to think or relay on.
Download PentBox Here

Pentbox is simple yet powerful .Feature i liked most is simple honeypot :) 

WordPress Releases Security Hardening Update

The WordPress project has announced the releases of WordPress 3.0.5. Dubbed as a security hardening release it is an essential update for those with any untrusted user accounts, but it also comes with other important security enhancements and hardening for all WordPress installations.
Two cross site scripting bugs have been squashed:

• Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
• Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.

Also included in 3.0.5 are two security enhancements one of which improves the security of any plugins which were not properly leveraging the WordPress security API.
All WordPress administrators are encouraged to upgrade to this latest version. You can update automatically from the Dashboard > Updates menu in your site’s admin area or download 3.0.5 directly

Facebook unveils security tools after Zuckerberg's page hacked

Facebook today announced two new security measures -- wider use of HTTPS and the introduction of "social authentication" -- less than 24 hours after the Facebook page of company founder Mark Zuckerberg was defaced by a hacker.

A blog post by Facebook's Alex Rice ties the security announcement to Friday being "Data Privacy Day," but the press and bloggers are having a high time connecting the news and Zuckerberg's victimization, whether or not there is actually any connection.

The first new security measure involves expanding the use of HTTPS -- Hypertext Transfer Protocol Secure -- beyond password exchanges.

Rice writes: "Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the 'Account Security' section of the Account Settings page."

The second measure is a captcha-like authentication mechanism that instead of relying on illegible printed words employs photographs of a Facebook user's own friends.
Rice continues: "Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."
Meanwhile, Facebook has remained officially mum regarding yesterday's apparent hacking incident that saw someone insert a message onto Zuckerberg's Facebook fan page, which has attracted 2.8 million Facebook users. While it was removed relatively quickly, some 1,800 of those users managed to "like" the page and more than 400 left comments beforehand. The message read:
"Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn't Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a 'social business' the way Nobel Price [sic] winner Muhammad Yunus described it? #hackercup2011"

As of this writing, Zuckerberg's page remains disabled.

Verisign and responsible disclosure

In a recent post on his company blog, Verisign's vice president of marketing Tim Callan commented on the disclosure of our MD5 collision attack:

Here is the Scene Follow,

VeriSign did not receive any of [the] information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning.

I feel that this statement is inaccurate. Not only did we contact Verisign before our presentation to let them know about our research, we also strongly advised them to stop using MD5 as soon as possible and were given a chance to review their mitigation plans. I hope that Tim Callan's post is a result of a simple miscommunication between the technical people at Verisign their marketing department.

To help clarify this issue, in this post I will provide some background information about the disclosure of our work, as well as the exact timeline of our communication with the affected certificate authorities.
Protecting Internet users

From the very beginning of this project, all members of our team agreed that we needed to disclose this vulnerability without putting any users at risk. There were two main goals we set out to achieve: first, to prevent our rogue CA certificate from being abused; and second, to ensure that nobody else can repeat this attack before the affected CAs get a chance to fix the problem.

We took the following steps to prevent abuse of our rogue CA certificate:

* We did not release the private key for our rogue CA.
* We set the expiration date of the rogue CA certificate to August 2004, ensuring that even if the private key falls into the wrong hands, it will be useless against people who have their system date set correctly.
* We contacted the major browser vendors (Microsoft and Mozilla) to offer them a chance to explicitly blacklist our certificate if they felt that the past expiration date is not effective enough.

To make sure that our work could not be repeated by malicious attackers, we did not release the MD5 collision finding software necessary to do the attack. In addition, we chose to delay the publication of the improved collision finding techniques we had to develop for this project. Our team was confident that the R&D investment required to repeat our attack without access to this information would be prohibitive and the affected CAs would have enough time to stop using MD5 before the attack could be repeated.
Notifying the affected certificate authorities

Since we had already taken steps to ensure that the attack could not be easily repeated, notifying the affected certificate authorities before our presentation was not required in order to protect Internet users. A more important consideration was to ensure that we could present our work at the Chaos Computer Congress without interference. In the last year we have seen multiple cases in which companies have used legal threats in an attempt to silence security researchers and prevent the release of information that exposes their security failures. The most prominent examples include the lawsuit against Dutch researchers who showed fatal security flaws in the MIFARE transit cards and the restraining order that led to the cancelation of a talk about vulnerabilities in the fare collection system of the Boston subway.

Since the affected CAs did not have a significant track record of responding to public security vulnerabiltiies in their systems, we could not be confident that they wouldn't overreact and attempt to stop or delay our presentation through legal or other means. It was this feeling of uncertainty that led to our decision to avoid direct contact with them and to obtain Non-Disclosure Agreements from the browser vendors we contacted.

Recognizing the significance of the issue, Microsoft offered to act as a intermediary and contact the affected CAs on our behalf without revealing our names or the date of our presentation. Their proposal was reviewed by our team as well as our lawyers and on Dec 23 we agreed to go ahead with it:

Date: Tue, 23 Dec 2008 05:21:07 -0500
From: Alexander Sotirov
To: Microsoft Security Response Center

All of the team members agreed with the proposed plan, you can go ahead and
contact Verisign. Thanks for the help with this issue.

Here are the details that you can reveal to Verisign:

1) point them to the 2007 paper that describes the generation of colliding x509
certificates: http://www.win.tue.nl/hashclash/TargetCollidingCertificates/

2) tell them that Microsoft has been made aware that this crypto attack has been
improved and some practical limitations have been worked out, allowing the
successful generation of colliding x509 certificates signed by real
certificate authorities which still use MD5

3) tell them that RapidSSL and FreeSSL (also owned by Geotrust) use MD5 and
are vulnerable to this attack

4) encourage them to move to SHA-1 for all new certificates asap

5) it is important to stress that this attack is a generic attack against
CAs that use MD5 and not specifically targeting Verisign. They have a
good PR opportunity to react quickly and fix the bug before other CAs
They don't want to be the _last_ CA that uses MD5 :-)

If they request additional information from us, please pass the request along
and we'll try to help with what we can. You can call me directly at
XXX-XXX-XXXX if rapid response is required. We would be happy to chat with
Verisign directly on Dec 30, but we'd like to avoid direct contact until then.

The same day Microsoft contacted Verisign and informed them about our research. Verisign understood the severity of the issue and began working on it:

From: Microsoft Security Response Center
To: Alexander Sotirov
Date: Tue, 23 Dec 2008 13:18:09 -0800

We spoke to Verisign this morning, and essentially used your last e-mail as
a script to introduce them to the issue. We also passed along the roots they
own which you identified as affected, and they are reviewing their next steps
right now. They understood the severity of the issue and are taking it
seriously. At this point in time they did not have any further requests for
information.

They were however surprised by the ssl123 certificate: they claim these are
all issued using sha1. The ip address you listed for that certificate is no
longer live, and the hostname in the CN is using another Verisign certificate.
Would you mind if I pass along the subject and issuer information for them to
progress their validation?

I was happy to help Verisign by providing extra information about the SSL123 certificate in question. I also gave Microsoft permission to contact the other affected CA:

Date: Tue, 23 Dec 2008 19:38:09 -0500
From: Alexander Sotirov
To: Microsoft Security Response Center

> They were however surprised by the ssl123 certificate: they claim these are
> all issued using sha1. The ip address you listed for that certificate is no
> longer live, and the hostname in the CN is using another Verisign
> certificate. Would you mind if I pass along the subject and issuer
> information for them to progress their validation?

I have the original cert from that website. I've attached a zip file with all 5
Thawte MD5 certs that I found in the wild, including the SSL123 one. It's a
bit disconcerning that the CAs themselves don't know what algorithms they are
using.

You can give Verisign these certs, I collected them from public websites so
they are not secret in any way.

> The RSA root you listed is in fact also owned by Verisign, so they are
> investigating that one as well. There is one other root which belongs to
> another company, being Chosen Security/TC TrustCenter AG. We tentatively have
> a call scheduled with them tomorrow morning at 8 AM PST. If you can confirm
> that we can communicate the same information to them, this would be
> excellent.

Yes, you can communicate the same information to them.

On Dec 24, Microsoft requested permission to release more information to the CAs:

From: Microsoft Security Response Center
To: Alexander Sotirov
Date: Wed, 24 Dec 2008 09:09:15 -0800

One of the two certificate authorities got back to us and stated they will be
changing their engineering efforts to SHA1 within a *very short* timeframe. We
are literally talking days/weeks here. This is still going to be after your
presentation date. However, they are asking us specifically whether this
timeframe will be acceptable.

We cannot answer any questions on this for now - we are only the "voice box" in
between here. I do feel you should be giving them at least some nod in the
direction that they will still not make it in time, but also that this is not
very critical.

Could I have your permission to release the following statement to them:

"Hi [name],

The finder informed us they will likely take this issue public prior to [your
proposed switch date]. However, he wanted us to convey to you that they will
only be demonstrating that the generation of an “evil twin” certificate is
possible. They will not disclose their collision seeking algorithm, nor will
they be releasing any Proof of Concept code. Given the significant amount of
cryptographic research involved, they feel that their results will not be
repeatable for at least some time. They do plan on releasing a full research
paper on their method, but this will definitely be released much later than
your proposed switch time.

As such they don't feel that making this change will directly affect your
customers. They do think the level of responsiveness you are showing would be a
positive PR opportunity for your organization."

As this statement essentially conveys your plans and opinion, please feel free
to propose any other one with your team or make changes where you deem
necessary.

I promptly agreed to the proposed statement, with some minor edits:

From: Alexander Sotirov
To: Microsoft Security Response Center
Date: Wed, 24 Dec 2008 14:04:40 -0500

> "Hi [name],
>
> The finder informed us they will likely take this issue public prior to [your
> proposed switch date]. However, he wanted us to convey to you that they will
> only be demonstrating that the generation of an “evil twin” certificate is
> possible. They will not disclose their collision seeking algorithm, nor will
> they be releasing any Proof of Concept code. Given the significant amount of

make this "...releasing the software that implements the collision generation."

> cryptographic research involved, they feel that their results will not be
> repeatable for at least some time. They do plan on releasing a full research
> paper on their method, but this will definitely be released much later than
> your proposed switch time.

add "They will wait until all CAs have completed the move to SHA-1 before publishing
the details necessary to repeat the attack."

> As such they don't feel that making this change will directly affect your
> customers. They do think the level of responsiveness you are showing would be
> a positive PR opportunity for your organization."

I agree with this statement. You can share it with all affected CAs.

Alex

On Dec 29, Verisign confirmed that they are planning to stop using MD5 by the end of January.

From: Microsoft Security Response Center
To: Alexander Sotirov
Date: Mon, 29 Dec 2008 13:45:25 -0800

Hi Alexander,

Here is more feedback and contact information from Verisign:

"The SSL123 certs using MD5 are through a legacy reseller platform we are in
the process of EOL'ing. We do still have resellers using it so will need to
make updates to that platform as well.

We are working on making system changes to stop using MD5. They won't all be in
place by January 5th, but will be by the end of January. From what I am reading
below, the key thing seems to be that we are taking measures to stop using MD5
in the short term - so our plan to have all system changes in place by the end
of January should be Ok. Would you agree?

As far as contacts, from a technical point of view they can contact me. My
information, including cell is below. From a PR standpoint, the best person to
contact is Tim Callan - his email address is xxxxxxxx@verisign.com and direct
line is XXX-XXX-XXXX and cell is XXX-XXX-XXXX. An alternative contact for PR if
you can't reach Tim is Tina Hou (xxxxxxxx@verisign.com). She reports directly
to Tim.

Jay Schiavo
xxxxxxxx@verisign.com
Direct: XXX.XXX.XXXX
Mobile: XXX.XXX.XXXX"

Only 5 hours after our presentation, Verisign stopped using MD5 for all new RapidSSL certificates, successfully eliminating this vulnerability.

Cryptographic algorithms can become broken overnight, so it is important for CAs to demonstrate the ability to react quickly to such issues. I'm happy with the reponse from Verisign and the other affected CAs. Based on our experience with them, I would not hesitate to work with them directly on any vulnerabilties I might discover in the future.


This Symbolically tells..!! "SECURITY IS ZERO"

Geinimi, Sophisticated New Android Trojan Found in Wild

The Threat:
A new Trojan affecting Android devices has recently emerged in China. Dubbed “Geinimi” based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers. The most sophisticated Android malware we’ve seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.

Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions. Though the intent of this Trojan  isn’t entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet.
Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan. If you are already a Lookout user (free or premium), you are protected and no action is needed.
How it Works:
When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects significant information that can compromise a user’s privacy. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). At five minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names. A subset of the domain names includes www.widifu.com, www.udaore.com, www.frijd.com, www.islpast.com and www.piajesj.com. If it connects, Geinimi transmits collected device information to the remote server.
Though we have seen Geinimi communicate with a live server and transmit device data, we have yet to observe a fully operational control server sending commands back to the Trojan. Our analysis of Geinimi’s code is ongoing but we have evidence of the following capabilities:

• Send location coordinates (fine location)
• Send device identifiers (IMEI and IMSI)
• Download and prompt the user to install an app
• Prompt the user to uninstall an app
• Enumerate and send a list of installed apps to the server

While Geinimi can remotely initiate an app to be downloaded or uninstalled on a phone, a user still needs to confirm the installation or uninstallation.
Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities. In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware. The Lookout Security team is continuing to analyze capabilities of new and existing Geinimi variants and will provide more information as we uncover it.
Who is affected?
Currently we only have evidence that Geinimi is distributed through third-party Chinese app stores. To download an app from a third-party app store, Android users need to enable the installation of apps from “Unknown sources” (often called “sideloading”). Geinimi could be packaged into applications for Android phones in other geographic regions. We have not seen any applications compromised by the Geinimi Trojan in the official Google Android Market.
There are a number of applications—typically games—we have seen repackaged with the Geinimi Trojan and posted in Chinese app stores, including Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010. It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected. As the Lookout team finds more variants of the Geinimi Trojan grafted onto legitimate applications, we’ll provide timely updates.
As stated above, Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan.

How to Stay Safe:

• Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
• Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
• Be aware that unusual behavior on your phone could be a sign that your phone is infected. Unusual behaviors include: unknown applications being installed without your knowledge, SMS messages being automatically sent to unknown recipients, or phone calls automatically being placed without you initiating them.
• Download a mobile security app for your phone that scans every app you download. Lookout users automatically receive protection against this Trojan.

With the discovery of this new malware, it is more important than ever to pay attention to what you’re downloading. Stay alert and ensure that you trust every app you download. Stay tuned for more details on this threat.

WireShark 1.4.3

WireShark is probably one of the most famous and most frequently used network sniffer. People like to call it the Network Protocol Analyzer too. Call it whatever, but, your security tool aresenal is incomplete without WireShark. It was previously called as Ethereal.


Also, it is open source. It is cross platform and it has been in development for more than 10 years now! It also appears in the TOP 100 tools on SecTools. This application is very similar to TCPDump in its working, but it has better sorting & grouping actions. It also has a GUI, which TCPDump lacks. It allows the user to see all traffic being passed over the network. It uses pcap & WinPcap where applicable to capture packets.


Here is the starting introduction video for newbies







Features

* Deep inspection of hundreds of protocols, with more being added all the time
* Live capture and offline analysis
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list for quick, intuitive analysis
* Output can be exported to XML, PostScript®, CSV, or plain text

Download Wireshark v1.4.3 & Wireshark v1.2.14 (wireshark-win32-1.4.3.exe/wireshark-1.4.3.tar.bz2) here.

Tabnapping tutorial&how to stay secure

What is tabnapping?

tab napping is a new form of phishing..in which a attacker redirects a normal looking page to malformed page either in some time or when victims moves to other already opened tabs.Tabnapping might sound simple but its very effective as victims feels comfortable with normal looking page and voilla he gets pawned when he moves back to original tab

tabnapping was developed by aza razkin

how to stay safe from tabnapping
1)Always look for the url in adress bar before logging in to important sites.

2)Try using no-script addon from firefox it will disable js and other malicious scripts which can be used by hackers.

3)Try using ctr+n for tabs



here is the video demonstrating  it practically


here is the code

A New Type of Phishing Attack from Aza Raskin on Vimeo.

Tunisian government harvesting usernames and passwords

The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) is being blamed for the presence of injected JavaScript that captures usernames and passwords. The code has been discovered on login pages for Gmail, Yahoo, and Facebook, and said to be the reason for the recent rash of account hijackings reported by Tunisian protesters.


ATI is run by the Tunisian Ministry of Communications. They supply all of the privately held Tunisian ISPs, making them the main source of Internet access in the country. They’ve been under scrutiny for years, due to the fact that they make use of their authority to regulate the entire national network
. Last April, ATI earned international attention by blocking access to sites such as Flickr, YouTube
, and Vimeo.


According to Reporters Without Borders, authorities claim to target only pornographic or terrorist websites. “However, censorship applies above all to political opposition, independent news, and human rights websites.”


“When an Internet user attempts to access a prohibited website, the following automatic error message appears: “Error 404: page not found,” without displaying the familiar “Error 403” more typical of a blocked site...This strategy equates to a disguised form of censorship.”



As for the JavaScript itself, The Tech Herald has seen examples of the embedded script during live surfing sessions with sources in Tunisia, and in posted source code made available to the Web. The source for the GMail injection is here, the Yahoo injection is here, and Facebook is here.


Four different experts consulted by The Tech Herald independently confirmed our thoughts; the embedded code is siphoning off login credentials.


On Twitter, security researcher Gerry Kavanagh and Errata Security CTO David Maynor told us that you can tell the code is capturing login information by how it references the login element for the form.


“Suffice to say, the code is definitely doing something surreptitious,” Kavanagh noted.


Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s Josh Abraham, broke the code down further. Crowley explained that the JavaScript is customized for each site’s login form. It will pull the username and password, and encode it with a weak crypto algorithm.


The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL.


The random characters and encrypted user information are delivered in the form of a GET request to a non working URL. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad. Abraham noted that the encryption makes it easy to capture usernames and passwords that would include special characters such as ‘%’ or ‘/’.


Considering that the backbone of the Tunisian Internet
is full of state run filters and firewalls designed to block access, configuring one to log the GET commands with the harvested data would be trivial. But is this a government sponsored action?


The likelihood that a group of criminals compromised the entire Tunisian infrastructure is virtually nonexistent. Code planting on this scale could only originate form an ISP. With their history of holding an iron grip on the Internet, ATI is the logical source of the information harvesting.


There is an upside however, as the embedded JavaScript only appears when one of the sites is accessed with HTTP instead of HTTPS. In each test case, we were able to confirm that Gmail and Yahoo were only compromised when HTTP was used. For Facebook on the other hand, the default is access is HTTP, so users in Tunisia will need to visit the HTTPS address manually.


Another interesting note is that it appears the embedded code has targeted Tunisian users for several months. Slim Amamou, of the Global Voices Advocacy blog, reported his findings on the code last July, and at the time, ATI was blocking Google’s HTTPS port, forcing users to default to HTTP.

The ATI website has been offline for more than a day. The outage started after Anonymous launched Operation: Tunisia. 

Registry/Registrar Separation Coming to an End?

Since 1998, there has been a separation between domain registries that manage and operate Top Level Domains (TLD ) and the registrars that sell domain names. That policy of separation will not be carried forward for a new generation of TLDs ,set to emerge over the course of the next several years.
A number of domain name industry stakeholders — including the .org registry and TLD operator Afilias – opposed the move to remove the separation of registries from registrars. They argued that having cross-ownership could lead to abuses and lack of competition. With a new ICANN policy set to enable cross-ownership, consumer protections will be put in place which may help alleviate those concerns.
“After much debate on the issue of vertical integration, this month the ICANN board voted to allow registrars own new TLD registries,” Roland LaPlante, senior vice-president and chief marketing officer at Afilias told InternetNews.com. “To be clear, Afilias raised concerns about whether adequate consumer protection could be assured in vertically integrated registries/registrars.   ICANN has adopted specific mechanisms designed to guard against abusive practices that could harm domain name registrants.”
With the new ICANN policy, there is now an opportunity for Afilias to profit from the new rules. LaPlante noted that many registrars have already approached Afilias as a potential back-end service for TLDs they plan to apply for.
On the issue of trying to prevent potential abuse of the registry/registrar cross-ownership, LaPlante said that governance of registrar/registry ownership is an ICANN issue. That said, he added that Afilias has a positive track record of ensuring that all registrars have equal access to its registry system. According to LaPlante, it is Afilias’ intention to continue to be vigilant in that area.
While ICANN has opened the door to cross-ownership, potential domain registry operators will need to overcome a number of technical challenges.  That’s where Afilias is looking to profit, with services for potential new TLD registry/registrar owners.
“Afilias is offering a white-labeled registry service to registrars that seek to launch new TLDs in this upcoming round,” LaPlante said. “We also offer this service, as we do for 15 other TLDs, to corporations or communities looking to launch their new TLD bids.”
As part of the new round of TLDs from ICANN, Afilias has previously announced that it is part of a bid for the .eco TLD. With cross-ownership now possible, the ownership landscape of the overall domain name industry could be shifting as well.
“There are a variety of models that may come about from this new TLD round for Afilias or other registry providers – whether as simply service providers, joint ventures, or applying for new TLDs directly,” LaPlante said. “We will be making some exciting announcements as the new TLD application timeframe is finalized.”
ICANN is now in the public comment phase for the final Applicant Guidebook for new generic TLDs.  The public comment period ends on December 10th, after which ICANN plans on spending four months on market outreach about the new TLDs application process.

Leaked U.S. document links China to Google attack

The information came from the latest WikiLeaks release

The cache of more than 250,000 U.S. Department of State cables that WikiLeaks began releasing on Sunday includes a document linking China's Politburo to the December 2009 hack of Google's computer systems.

The U.S. Embassy in Beijing was told by an unidentified Chinese contact that China's Politburo "directed the intrusion into Google's computer systems," the New York Times reported Sunday, citing a single leaked State Department cable.
"The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said," the Times reported.
The cable is another piece of evidence, albeit thinly sourced, linking China to the Google attack. Wikileaks is gradually releasing this latest set of cables, and the document in question was not available on WikiLeaks' Web site at press time. The Times, along with a handful of other newspapers, was given early access to the documents.
Security experts have linked the attacks to servers at a university used by the Chinese military, and both Google and the State Department implied that they thought China was behind the attacks when they were first disclosed in January, but nobody has produced conclusive proof that they were state-sponsored.
Google was one of more than 30 companies targeted in the attacks, known as Aurora. Google said the primary goal of the hackers was to access the Gmail accounts of human rights activists, and that the attack apparently failed.
Within hours of Google acknowledging the Aurora attacks, the State Department issued a statement, saying the attacks were serious and asking the Chinese government for an explanation.
The state documents are the latest blockbuster disclosure to come from the document-leaking organization. Earlier this year, WikiLeaks came under fire from U.S. authorities after releasing hundreds of thousands of military documents relating to the U.S. wars in Afghanistan and Iraq.
Wikileaks and State Department representatives could not be reached immediately for comment Sunday. Earlier this year, the State Department said that it regrets, "all of the activities that WikiLeaks has done, past, present, and future."