Despite its premium price, Apple’s iPhone has been selling like hot cakes last weekend, and and sales are still growing strong. No wonder security researchers are very interested in the smart gadget. Errata Security, a consulting and product testing company that offers expertise in cybersecurity has already spotted a flaw in the iPhone’s Safari browser less than 72 hours after its announcement. More are on the way as of this writing. I’ve compiled a list of possible and/or existing iPhone vulnerabilities based on the reports of different security blogs and news Web sites.

1. “By effecting a buffer overflow in the application (Safari), an attacker can take control of the browser and run code on the device”. -Robert Graham, CEO of Errata Security.
2. “The scenario that seems most attractive is to have the phone dial 900 numbers, an age-old attack that allows criminals with ties to fee-based phone services to profit each time an infected computer dial the number”. -Robert Graham
3. “Our Bluetooth fuzzer¹ locks up the device, so that’s an interesting sign”. -Robert Graham
4. Currently making progress on unlocking the phone so it can be used on networks other than AT&T’s. -Antivirus Tools
5. Working on getting the iPhone to run Linux. -Antivirus Tools
6. Working on the possibility of allowing third party applications to the iPhone. -Antivirus Tools article
7. iPhone root password is alpine and mobile user account password is dottie, although they’re useless at the moment since the iPhone has no terminal yet for remote access. -Hackint0sh forum
8. “One underground site has collected information from the iPhone’s Macintosh OS X Disk Copy Disk image file.” -CNET News
9. Crack open the service activation codes. -CNET News
10. Support use of the iPhone as a modem. -CNET News
11. Breaking iPhone’s digital rights management (DRM) functionality. -Antivirus Tools

¹Fuzzer - A Security fuzzer is a tool used by security professionals (and professional hackers) to test a parameter of an application. Typical fuzzers test an application for buffer overflows, format string vulnerabilities, and error handling. More advanced fuzzers incorporate functionality to test for directory traversal attacks, command execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Web Vulnerability scanners typically perform all of this functionality, and can be considered an advanced fuzzer. -CGI Security

Read more…

I scoured the Web to find the best single file antivirus scanners and I have found 5 services worth checking out. In choosing the top 5, I should have a basis so I created one. I based my criteria on convenience, file size capability, browser compatibility, update frequency and service load. Without further ado, here they are! The top 5 free single file online virus scan services:

1. VirusTotal
2. Virus.org Rogue File Scanning Service
3. Jotti’s Malware Scan 2.99
4. Dr. Web AntiVirus
5. Kaspersky File Scanner

Read more…

Have you been reading technology news lately aside from the iPhone hype?

Danger USB! Worm targets removable memory sticks to infiltrate business
The W32/SillyFD-AA worm hunts for removable drives such as floppy disks and USB memory sticks, and then creates a hidden file called autorun.inf to ensure a copy of the worm is run the next time it is connected to a Windows PC.

USB flash drive worm spreads information about AIDS
The W32/LiarVB-A worm hunts for removable drives such as floppy disks and USB memory sticks (as well as spreading via network shares), and then creates a hidden file called autorun.inf to ensure a copy of the worm is run the next time it is connected to a Windows PC.

Harry Potter worm claims teenage wizard is dead
The W32/Hairy-A worm can automatically infect a PC when users plug-in USB drives, which carry a file posing as a copy of the eagerly anticipated novel, “Harry Potter and the Deathly Hallows”.

Get a hold of yourself and shut up about the iPhone first. This one’s more important.

Read more…

For whatever reason, my Web host has been experiencing Distributed Denial of Service (DDos) attacks. What’s DDoS, you might ask. First, let me explain to you in layman’s term what denial-of-service means. The Internet offers several services- WWW, email, ftp, newsgroup, telnet, p2p among others. These services have corresponding numbers or ports assigned to them. For example, WWW uses port 80, e-mail- port 110 and port 25, ftp- port 21, telnet- port 23, and so on. There are over 65,000 possible ports. The most used service could probably be the World Wide Web. The Web uses HTTP (protocol) and assigned to port 80. A denial-of-service occurs when access to a certain service, such as the WWW is (well, what do you know?) denied. In other words, when we get The connection has timed out messages in our Web browsers while visiting our favorite Web sites, a denial-of-service might have taken place. Of course there are other possibilities, but DoS is certainly one of them.

This is what I’ve experienced yesterday. For more than 4 hours, my blog was inaccessible. It didn’t take long before I found out that all of the other blogs and Web sites in the domain were also down.

My Web host isn’t just experiencing an ongoing DoS attack. Unfortunately, it’s on a larger scale- a DDoS attack. DDoS is different from DoS in that the former makes use of multiple compromised (or infected) computers that are collectively termed as a botnet. Moreover, my Web host may be a victim of a special type of DoS attack termed as pulsing zombie. Wikipedia describes this scenario:

A network is subjected to hostile pinging by different attacker computers over an extended amount of time. This results in a degraded quality of service and increased workload for the network’s resources. This type of attack is more difficult to detect than traditional denial-of-service attacks due to their surreptitious nature.

Denial-of-service attacks are difficult to detect because some occurences may be unintentional, such as the Slashdot or Digg effects. A Web site may also be mentioned in television that’s why there’s a sudden increase in traffic and thus, a heavy load on the Web server is experienced.

Below is a video that demonstrates how a DDoS attack is done. In the video, the attacker used some kind of master program that controls where the zombie or compromised computers should attack. Notice how the target domain became slow and/or inaccessible.

Thousands of sites have been affected yesterday. The issue here isn’t really the service that the Web host is providing, but rather the motive behind these attacks. I believe most of us have been contented with the level of service that this Web host has provided for FREE. What could’ve enraged the attackers? When motives aren’t clear, then I guess conscience should take over.

When I created my first website, I didn’t have a solid understanding of the elements behind it. All I knew was that it looked good when viewed in Internet Explorer 4 on an 800 by 600 screen resolution. I used JavaScripts in hyperlinks, marquees, images and whatever element I could style. With regard to the layout, I used tables and frames to position my header, navigation and content. Back then, it was purely presentational. Proficiency in image editors such as Photoshop and CorelDraw as well as in WYSIWYG (pronounced wee-zee-wig) HTML editors like Dreamweaver was sought-after (until now). As long as one can generate Web sites out of images, it was considered enough. Many ignored the underlying code. Moreover, some resorted to Flash-based Web sites, and they were so l33t. Then I realized what my brother told me a few months ago, Anyone can create Web sites.

Six years later, here I am going back to my teenage hobby. So much has changed on the Web since. I hear Web standards, Web content accessibility, microformats and semantics. I didn’t even realize that we’re already using XHTML and CSS.

The old school was fun, but moving on to this new one seems to be far more promising. It strengthens the fundamental methodologies. It’s the way the Web should be. Nowadays, a budding Web designer needs to go back to the drawing board. It’s not about how the pages look anymore. More importantly, it’s about what they mean. And this is where semantics come in.

Read more…

According to The Principles of Beautiful Web Design by Jason Beaird, there are 2 main standpoints from which most people determine whether a Web site design is good or bad- usability and aesthetics. A good design must maximize both. A good Web site must be able to reach people and retain their interest. Imagine having a Web site that presents information well, but looks ugly. On a similar note, visualize having a beautiful Web site, but you have to figure out what to do next.

I’m not a usability expert nor a design guru, but I desire to be both. Reading books about Web design, Web standards, design theory and the like is, I believe, my first step towards becoming a good Web designer. These precious bits of knowledge, when tied together, make something that is more than fulfilling. It’s a personal achievement.

Read more…

I’ve been exploring a lot of blogs lately. Whether it be for a design evaluation or a Stumble, I go there. However, I haven’t been particular about content. I declared in a discussion somewhere that only extreme interest can force me to read an entire article. I intend to change that now. I want to explore the World Wide Web in a broader sense. I want to know what my fellow bloggers have been up to. At least once in a week or month, I’ll pay a visit to their blogs and read entirely at least one of their articles. In this way, I can learn more things without thinking about directions. Inspiration from nothingness. Hmmm… Sounds fun.

1. Brown Thoughts: Analog Ideas in a Digital World.
2. Syaf The Geek: Let’s Make Computing Much Fun, Shall We?
3. Untwisted Vortex: Living in a Different Land
4. Secret of Unlimited Prosperity: Visualize. Feel. Abundance
5. Veggie-Blog: Providing Insight Into the Vegetarian Lifestyle

Read more…