<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ClubHack &#187; Articles</title>
	<atom:link href="http://www.clubhack.com/category/articles/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.clubhack.com</link>
	<description></description>
	<lastBuildDate>Mon, 02 Apr 2012 11:23:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>IE6 Countdown</title>
		<link>http://www.clubhack.com/ie6-countdown/</link>
		<comments>http://www.clubhack.com/ie6-countdown/#comments</comments>
		<pubDate>Wed, 09 Mar 2011 14:42:00 +0000</pubDate>
		<dc:creator>neelimag</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=945</guid>
		<description><![CDATA[Last week Microsoft launched a deathwatch for its 10 year old Internet Explorer 6 browser to ensure that IE6 is &#8220;gone for good&#8221;. According to Microsoft, IE6 still has a 12% global usage share, with almost half of that in China with 5.9% usage. Other countries with a higher-than-average IE6 share include South Korea, India [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Last week Microsoft launched a deathwatch for its 10 year old Internet Explorer 6 browser to ensure that IE6 is &#8220;gone for good&#8221;.</p>
<p>According to Microsoft, IE6 still has a 12% global usage share, with almost half of that in China with 5.9% usage. Other countries with a higher-than-average IE6 share include South Korea, India and Taiwan.</p>
<p>As part of this drive, Microsoft wants to bring IE6&#8217;s share under 1%. The site, ie6countdown.com, shows Net Applications&#8217; usage share numbers for IE6 in 43 countries, including China, the U.S. and India, as well as the browser&#8217;s current global share.</p>
<p>For more details see:</p>
<p><a href="http://www.ie6countdown.com/">http://www.ie6countdown.com/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/ie6-countdown/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bruce Schneier and ClubHACK 2010 Event</title>
		<link>http://www.clubhack.com/bruce-schneier-and-clubhack-2010-event/</link>
		<comments>http://www.clubhack.com/bruce-schneier-and-clubhack-2010-event/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 04:48:27 +0000</pubDate>
		<dc:creator>shrabasti</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Event]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Past Events]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=814</guid>
		<description><![CDATA[Bruce Schneier, a cryptographer, computer security specialist, and author, graced ClubHack2010 as a special guest and keynote speaker and released the CHMag Dec Edition. He was received at the airport by a volunteer who, instead of a name placard, carried a print of Bruce Lee&#8217;s picture. He loved it. Bruce Schneier was welcomed at ClubHack2010 [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Bruce Schneier, a cryptographer, computer security specialist, and author, graced ClubHack2010 as a special guest and keynote speaker and released the CHMag Dec Edition.</p>
<p><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6373.jpg"><img class="aligncenter size-medium wp-image-837" title="DSC_6373" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6373-300x199.jpg" alt="" width="300" height="199" /></a></p>
<p>He was received at the airport by a volunteer who, instead of a name placard, carried a print of Bruce Lee&#8217;s picture.<br />
<a href="http://clubhack.com/wp-content/uploads/2010/12/bruce-lee.jpg"><img class="aligncenter size-medium wp-image-835" title="bruce-lee" src="http://clubhack.com/wp-content/uploads/2010/12/bruce-lee-180x300.jpg" alt="" height="150" /></a><br />
He loved it.</p>
<p>Bruce Schneier was welcomed at ClubHack2010 in the traditional way &amp; sported the &#8220;pheta&#8221; throughout the conference.</p>
<p><img class="aligncenter" src="http://3.bp.blogspot.com/_IrNvKJwEsM0/TPulOhk3bRI/AAAAAAAAGL0/ylIl13IJyu0/s320/DSC_6339.JPG" alt="" width="320" height="213" /></p>
<p>During his welcome, <a href="http://twitter.com/#/rohit11" target="_blank">@rohit11</a>, <a href="http://twitter.com/#/clubhack" target="_blank">@clubhack</a>&#8217;s founder, told him the story of <a href="http://en.wikipedia.org/wiki/Dronacharya#Ekalavya_and_Karna">guru Dronacharya &amp; Eklavya</a> and told him that many people in India are Eklavyas to him: they take him as their guru Dronacharya and can do anything to be his student.</p>
<p>After that he came on stage to give his talk on cyber war for an hour.</p>
<p>The total time Bruce spent in Pune was 7 hours, but he and the attendees of ClubHack2010 enjoyed every moment of it. Our official photographer was smart enough to take out his own time with Bruce to click some special photographs. Some of them are here for you.</p>
<p><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6514.jpg"><img class="size-thumbnail wp-image-846 alignleft" title="DSC_6514" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6514-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6499.jpg"><img class="alignleft size-thumbnail wp-image-845" title="DSC_6499" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6499-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6483.jpg"><img class="alignleft size-thumbnail wp-image-844" title="DSC_6483" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6483-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6415.jpg"><img class="alignleft size-thumbnail wp-image-843" title="DSC_6415" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6415-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6402.jpg"><img class="alignleft size-thumbnail wp-image-842" title="DSC_6402" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6402-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6380.jpg"><img class="alignleft size-thumbnail wp-image-841" title="DSC_6380" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6380-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6309.jpg"><img class="alignleft size-thumbnail wp-image-839" title="DSC_6309" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6309-150x150.jpg" alt="" width="150" height="150" /></a><a href="http://clubhack.com/wp-content/uploads/2010/12/Bruce2.png"><img class="alignleft size-thumbnail wp-image-838" title="Bruce2" src="http://clubhack.com/wp-content/uploads/2010/12/Bruce2-150x150.png" alt="" width="150" height="150" /></a><a 
href="http://clubhack.com/wp-content/uploads/2010/12/DSC_6317.jpg"><img class="alignleft size-thumbnail wp-image-840" title="DSC_6317" src="http://clubhack.com/wp-content/uploads/2010/12/DSC_6317-150x150.jpg" alt="" width="150" height="150" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/bruce-schneier-and-clubhack-2010-event/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Favorite Password Manager</title>
		<link>http://www.clubhack.com/favorite-password-manager/</link>
		<comments>http://www.clubhack.com/favorite-password-manager/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 04:06:42 +0000</pubDate>
		<dc:creator>ClubHack</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=828</guid>
		<description><![CDATA[A few days back ClubHack started an anonymous survey of favorite password managers via Twitter &#38; Facebook. Check the survey @ http://j.mp/PassMgr Here is the first-cut report of the same. As expected, the most favorite password manager is &#8220;Brain&#8221;, but beyond that LastPass is winning the race among products. There were some interesting entries in the [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>A few days back ClubHack started an anonymous survey of favorite password managers via Twitter &amp; Facebook. Check the survey @ <a href="http://j.mp/PassMgr">http://j.mp/PassMgr</a></p>
<p><strong>Here is the first-cut report of the same</strong></p>
<p style="text-align: center;"><a href="http://clubhack.com/wp-content/uploads/2011/01/password-manager-chart.png"><img class="aligncenter size-full wp-image-829" title="password manager chart" src="http://clubhack.com/wp-content/uploads/2011/01/password-manager-chart.png" alt="Favorite Password Manager" width="630" height="419" /></a></p>
<p>As expected, the most favorite password manager is &#8220;Brain&#8221;, but beyond that LastPass is winning the race among products.</p>
<p><strong>There were some interesting entries in the survey which we think are worth sharing</strong></p>
<blockquote><p># Notepad &#8211; Dude, now please let everyone know where you keep this notepad <img src='http://www.clubhack.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p># PGP encrypted file</p>
<p># Winrar SXF</p>
<p># Draft in gmail</p></blockquote>
<p><strong>A few more products came to light which were not in our initial list</strong></p>
<blockquote><p># 1PasswordPro</p>
<p># PasswordCard- <a href="http://www.passwordcard.org/en">http://www.passwordcard.org</a> This is interesting</p>
<p># Xmarks &#8211;  still???</p>
<p># PasswordSafe</p></blockquote>
<p>The survey is still on and you can give your anonymous views at <a href="http://j.mp/PassMgr">http://j.mp/PassMgr</a></p>
<p>We&#8217;ll keep updating this post with periodic results.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/favorite-password-manager/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ClubHack wallpapers</title>
		<link>http://www.clubhack.com/clubhack-wallpapers/</link>
		<comments>http://www.clubhack.com/clubhack-wallpapers/#comments</comments>
		<pubDate>Tue, 30 Nov 2010 03:36:41 +0000</pubDate>
		<dc:creator>ClubHack</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=800</guid>
		<description><![CDATA[Here are a few wallpapers for you. Brought to you by deepranjan@chmag.in]]></description>
			<content:encoded><![CDATA[<p></p><p>Here are a few wallpapers for you</p>
<p><img class="aligncenter size-medium wp-image-803" title="wallpaper3" src="http://clubhack.com/wp-content/uploads/2010/11/wallpaper3-300x225.jpg" alt="" width="300" height="225" /><br />
<img class="aligncenter size-medium wp-image-802" title="wallpaper2" src="http://clubhack.com/wp-content/uploads/2010/11/wallpaper2-300x225.jpg" alt="" width="300" height="225" /><a href="http://clubhack.com/wp-content/uploads/2010/11/wallpaper1.jpg"></a></p>
<p><a href="http://clubhack.com/wp-content/uploads/2010/11/wallpaper1.jpg"><img class="aligncenter size-medium wp-image-801" title="wallpaper1" src="http://clubhack.com/wp-content/uploads/2010/11/wallpaper1-300x225.jpg" alt="" width="300" height="225" /></a></p>
<p>Brought to you by deepranjan@chmag.in <img src='http://www.clubhack.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/clubhack-wallpapers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beware :- Firesheep Firefox Add-on can hijack Facebook And Twitter Accounts over an open Wi-Fi connection</title>
		<link>http://www.clubhack.com/beware-firesheep-firefox-add-on-can-hijack-facebook-and-twitter-accounts-over-an-open-wi-fi-connection/</link>
		<comments>http://www.clubhack.com/beware-firesheep-firefox-add-on-can-hijack-facebook-and-twitter-accounts-over-an-open-wi-fi-connection/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 09:05:44 +0000</pubDate>
		<dc:creator>shrabasti</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Attacks]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=776</guid>
		<description><![CDATA[The add-on, named &#8216;Firesheep&#8217;, was released by web application developer Eric Butler during the ToorCon security conference held in San Francisco and is designed to hijack a user&#8217;s current internet session over the unsecured Wi-Fi network. The main motive behind the release of the add-on is to make people aware of the dangers of accessing [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>The add-on, named &#8216;Firesheep&#8217;, was released by web application developer Eric Butler during the ToorCon security conference held in San Francisco and is designed to hijack a user&#8217;s current internet session over an unsecured Wi-Fi network.</p>
<p>The main motive behind the release of the add-on is to make people aware of the dangers of accessing unencrypted websites from public Wi-Fi hotspots, Butler said.</p>
<p>More details :-</p>
<ul>
<li><span style="font-size: 13.2px"><a href="http://codebutler.com/firesheep" target="_blank">http://codebutler.com/firesheep</a></span></li>
<li><a href="http://links.visibli.com/links/517bbe" target="_blank">http://links.visibli.com/links/517bbe</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/beware-firesheep-firefox-add-on-can-hijack-facebook-and-twitter-accounts-over-an-open-wi-fi-connection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is your information in safe hands? Customer database threatened by insider leakages</title>
		<link>http://www.clubhack.com/is-your-information-in-safe-hands-customer-database-threatened-by-insider-leakages/</link>
		<comments>http://www.clubhack.com/is-your-information-in-safe-hands-customer-database-threatened-by-insider-leakages/#comments</comments>
		<pubDate>Thu, 16 Sep 2010 09:39:08 +0000</pubDate>
		<dc:creator>Amey Anekar</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=586</guid>
		<description><![CDATA[Have you ever received promotional calls from companies you have never heard of? Or are you sure that you have never agreed to give your phone number to these companies? Customer databases are the answer to these questions. Companies acquire your information by buying the database. Personal information is valuable, especially in a market-driven economy. Who buys [...]]]></description>
			<content:encoded><![CDATA[<p></p><div class="separator" style="clear: both; text-align: center;"><a href="http://www.techkranti.com/2010/09/is-your-information-in-safe-hands.html"><img class="alignright" style="border: 0pt none;" src="http://2.bp.blogspot.com/_Kic0h6eqy-A/TImZlRGWbGI/AAAAAAAAAaw/-Tt_z8ZdcHo/s200/insider.jpg" border="0" alt="" width="200" height="138" /></a></div>
<p>Have you ever received promotional calls from companies you have never heard of? Or are you sure that you have never agreed to give your phone number to these companies? Customer databases are the answer to these questions. Companies acquire your information by buying the database.</p>
<p>Personal information is valuable, especially in a market-driven economy. Who buys what kinds of products shapes the marketing and promotion strategies of companies. A list of personal data does have value.</p>
<p>Data could be sold everywhere, by everyone, even by insiders. Cisco conducted a global study on data security and leakage in businesses in 2008. The study showed that the &#8220;insider threat&#8221; is the major threat to customer data. It means data loss or leakage resulting from employee behavior. It could be due to carelessness, such as forgetting to log off, sharing passwords among colleagues, or even failing to return company devices when quitting the job. The internal factor poses a far greater threat to data security than external factors such as hackers do.</p>
<p>The above excerpt is taken from hackinthebox.org. To add to it, I would like to describe an incident involving my friend.</p>
<p>I recently joined a technical course which had a tenure of 14 days. In the same batch was a guy named Shella from Italy. He had come to India just to pursue the course, and he had only visited Bangalore and Mumbai. He had bought a Vodafone SIM in Bangalore and no one had his number except two organisations: one, the institute where we were pursuing this course, and two, Vodafone. One fine day he got a promotional SMS on his cell from some college offering an MBA course. He told me about this and said, &#8220;I haven&#8217;t given my number to anyone in India, except %#Solutions (the institute where we pursued our course), so I think these people might have provided my number to this promoter&#8221;. But the SMS was from a college in Bangalore, and there is no question of an institute in Mumbai providing details to some college in Bangalore. So by now we should be pretty sure where the data had been leaked from. Yes, it could be someone from Vodafone, Bangalore.</p>
<p>This was just an example of insider data breaches. Organizations trust their employees to handle sensitive data, and they need to do that because employees are the primary assets a company owns. At DEFCON this year a social engineering competition was held to see how creative hackers can be. Hackers demonstrated the idea of a fake interview to siphon information from a rival organization&#8217;s employee. First the employee in the rival company is called and told that there is a better offer for them than their current one. Then a fake interview is set up with the hacker, who poses as the employer. The place could be a plush lounge or restaurant where the employee feels that the employer is real and not making it all up. After all, organizations can go to any extent to get their rival&#8217;s sensitive information. The hacker then starts siphoning information from the employee, and it can be well understood that a human is most vulnerable when in an interview, because we generally tend to see the interviewer as superior to us and we are very cautious about our speech. A normal human mind might think, &#8220;If I am getting a better job just by giving out some information, then it won&#8217;t harm much.&#8221; We recommend that the hacker be accompanied by a psychiatrist for better results. :-)</p>
<p>Customer data breaches have been prevalent in India for many years. In a sting operation about 5-6 years ago on a news show I heard that one contact number sells for Rs 7. I am sure the price must have at least doubled by now, looking at the competition for better marketing.</p>
<p>Information:<br />
(For Indian subscribers) If you want to stop receiving promotional SMSes and calls, send an SMS with the text<br />
&#8216;START DND&#8217; (without quotes) to 1909. This is a Do Not Disturb service and has been initiated by TRAI (Telecom Regulatory Authority of India).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/is-your-information-in-safe-hands-customer-database-threatened-by-insider-leakages/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Calcutta gets her first cyber crime police station</title>
		<link>http://www.clubhack.com/calcutta-gets-her-first-cyber-crime-police-station/</link>
		<comments>http://www.clubhack.com/calcutta-gets-her-first-cyber-crime-police-station/#comments</comments>
		<pubDate>Wed, 25 Aug 2010 06:18:08 +0000</pubDate>
		<dc:creator>shrabasti</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Event]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=488</guid>
		<description><![CDATA[Infosys chairman N.R. Narayana Murthy inaugurated Calcutta’s first cyber crime police station and a technologically upgraded control room at Lalbazar along with chief minister Buddhadeb Bhattacharjee. “The computer makes people efficient, conquers distance and improves the quality of life. The new technology will definitely enhance the quality of crime detection in Calcutta,” he said. “He [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Infosys chairman N.R. Narayana Murthy inaugurated Calcutta’s first cyber crime police station and a technologically upgraded control room at Lalbazar along with chief minister Buddhadeb Bhattacharjee.</p>
<blockquote><p>“The computer makes people efficient, conquers distance and improves the quality of life. The new technology will definitely enhance the quality of crime detection in Calcutta,” he said.</p></blockquote>
<blockquote><p>“He put forward a number of interesting questions to the officers. His suggestions will help Calcutta police,” said Bhattacharjee.</p></blockquote>
<p>More details : <a href="http://www.telegraphindia.com/1100825/jsp/frontpage/story_12853385.jsp">http://www.telegraphindia.com/1100825/jsp/frontpage/story_12853385.jsp</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/calcutta-gets-her-first-cyber-crime-police-station/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>E-mail Hacking Anatomy</title>
		<link>http://www.clubhack.com/e-mail-hacking-anatomy/</link>
		<comments>http://www.clubhack.com/e-mail-hacking-anatomy/#comments</comments>
		<pubDate>Thu, 29 Jul 2010 19:49:05 +0000</pubDate>
		<dc:creator>shrabasti</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=297</guid>
		<description><![CDATA[Written by a programmer or acquired by a criminal, an e-mail virus is a piece of computer code spread via email and designed to run on any computer. Occasionally, the code is nested in an attachment and installed after the victim opens it up. Once it gets its hooks into your computer, the virus can [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Written by a programmer or acquired by a criminal, an e-mail virus is a piece of computer code spread via email and designed to run on any computer.</p>
<p>Occasionally, the code is nested in an attachment and installed after the victim opens it up. </p>
<p>Once it gets its hooks into your computer, the virus can scan Word documents, spreadsheets and address books, on the prowl for other active e-mail addresses to target.</p>
<p>For some victims, the telltale sign of a computer hijack is when a confused e-mail arrives from an estranged ex.</p>
<p>If the antivirus software has lapsed, it is essential to install antivirus software from a full-service company that offers free updates with the program. If the virus is still present after running virus removal and scanning programs, we might have to reload the entire system.</p>
<p>If we wish to keep our computer and personal lives free of complications, experts say the most important piece of advice is to read our electronic mail with a healthy dose of apprehension.</p>
<p>More Details :- <a href="http://abcnews.go.com/Technology/anatomy-mail-hack/story?id=11101261">http://abcnews.go.com/Technology/anatomy-mail-hack/story?id=11101261</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/e-mail-hacking-anatomy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Engineering – Myth &amp; Reality</title>
		<link>http://www.clubhack.com/social-engineering-%e2%80%93-myth-reality/</link>
		<comments>http://www.clubhack.com/social-engineering-%e2%80%93-myth-reality/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 16:43:55 +0000</pubDate>
		<dc:creator>VishalK™</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=241</guid>
		<description><![CDATA[Please note this article is for educational purposes only. What would be your reaction if you got a mail in your corporate inbox with the From field showing “HR Helpdesk” (assuming that’s how HR mail appears in your organization) and the subject “Best Employee Bonus of Rs. 1,50,000”? The mail reads that you have been awarded the [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>Please note this article is for educational purpose only. </strong></p>
<p>What would be your reaction if you got a mail in your corporate inbox with the From field showing “HR Helpdesk” (assuming that’s how HR mail appears in your organization) and the subject “Best Employee Bonus of Rs. 1,50,000”? The mail reads that you have been awarded the bonus because of your hard work, dedication etc. All you need to do is reply with some of your official &amp; personal details and the bonus is yours. If I were you I would jump on it and reply in a matter of 30 seconds.</p>
<p>However, what you would have failed to notice is that the email ID in the reply field is not one of your HR’s corporate email IDs but some malicious unknown email ID on the public domain. This is what we call Social Engineering.</p>
<p>Social Engineering is a term for an attacker’s ability to manipulate the natural human tendency to trust, leading to malicious outcomes like unauthorized access, loss of confidential details, phishing etc. It’s actually the art of luring people into doing what you desire. A child emotionally persuading her parents to buy her a toy, a salesperson convincing a customer to buy his products and a phishing attack are all examples of Social Engineering.</p>
<p><strong><em>Social Engineering can be categorized as Physical &amp; Psychological. </em></strong></p>
<p>1        <strong>Physical</strong> – In this case an attacker attempts to circumvent physical security controls.</p>
<p>Amongst many, some of the examples dealing with Physical Social Engineering are:</p>
<ul>
<li>Bypassing the physical security checks and gaining unauthorized access to physical premises</li>
<li>As a visitor, entering the cabin of a top-level executive in her / his absence</li>
<li>Impersonating a courier agent and dropping off an unchecked parcel at a C-suite executive’s cabin</li>
<li>Entering restricted areas like the data center and gaining unauthorized access to critical details like the network setup</li>
<li>Tailgating through the main entrance and other entry / exit points (fire exits, smoking zones etc.)</li>
<li>Impersonating a government official / person belonging to an authorized department (Electricity Board, Fire Department etc.) and conducting a site visit to gain critical information related to the facility</li>
</ul>
<p>2        <strong>Psychological</strong> – In this case the attacker plays on the victim’s trust, exploiting human psychological factors.</p>
<p>Amongst many, some of the examples of psychological social engineering are:</p>
<ul>
<li>An email from a public-domain ID, for example ABC@goodsite.com (the name in the inbox could be displayed as HR@corporatenetwork.com / IT@corporatenetwork.com)</li>
</ul>
<p>The content of the mails could be:</p>
<p>1        “This is an automated employee detail collection form. In view of the current H1N1 pandemic and heavy rains we are in the process of updating and maintaining an up to date employee database. All the ‘CorporateNetwork’ employees are requested to cooperate and provide the necessary details at the earliest. Please fill in all the details and submit the form. This is an auto generated email, please do not reply to this email.”</p>
<p>2        “Virus Alert Recipient name: This is an automated alert sent by the virus update engine. A new virus which targets IT Services and Software Development organizations has been circulating the Internet. This particular virus requires an immediate software update to prevent infection. Please click the link below to update your workstation with necessary patches”</p>
<ul>
<li>Cold calls to employees from callers impersonating vendors or media personnel and inquiring about internal details like applications, IT infrastructure, physical security etc.</li>
<li>Calls to employees from someone impersonating the IT Helpdesk and requesting login credentials. The impostor could convince the victim by stating that the credentials are required for maintenance activities</li>
<li>An impostor could obtain employee details from the public domain and call up the organization’s IT Helpdesk to reset the victim’s password and thus gain unauthorized access</li>
<li>Mails from forged bank IDs requesting Internet Banking login credentials</li>
</ul>
<p>To avoid falling victim to Social Engineering attacks, follow some basic rules of thumb:</p>
<ul>
<li>Never allow people to tailgate with you.</li>
<li>Verify the identity of the visitor against his/her valid ID Card</li>
<li>Ensure all Entries / Exit points are secured at all times</li>
<li>Visitors should not be allowed in the office space without appointments. They can be asked to wait at the reception.</li>
<li>Avoid use of corporate IDs on the public domain, blogs, discussion forums etc.</li>
<li>Do not share login credentials with anyone. IT Helpdesk or banks do not need employees’ / customers’ login credentials for any of their operations.</li>
<li>Before replying to mails asking for sensitive / personal information, verify the origin and sender’s details</li>
<li>Never click on unknown links / links contained in mails of unknown origin. An innocent-looking URL like www.goodsite.com could actually be linked to www.xyz.abc.net etc., which might infect your PC with malware, Trojans, viruses and, worse, backdoors giving attackers complete remote access to your PC</li>
<li>Avoid accessing confidential and critical online details like corporate mail box, Bank accounts etc. in public places, hotels etc. where Internet security cannot be trusted</li>
<li>Read and follow the security guidelines dealing with Internet Banking issued by the Banks from time to time</li>
<li>Verify the SSL certificate of the Bank website before getting into any Internet Banking transaction</li>
<li>Use a strong and complex password</li>
<li>Do not note down user IDs &amp; passwords on pieces of paper, notepads etc. which could be accessible to others</li>
<li>Use a virtual keyboard where applicable</li>
<li>Avoid installing software / tools of unknown origin because these might open backdoors to your PC</li>
</ul>
<p>Educational Reference:</p>
<ul>
<li><a href="http://www.social-engineer.org/">http://www.social-engineer.org</a></li>
<li><a href="http://www.phishme.com/">http://www.phishme.com/</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/social-engineering-%e2%80%93-myth-reality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Measuring WAN Performance</title>
		<link>http://www.clubhack.com/measuring-wan-performance/</link>
		<comments>http://www.clubhack.com/measuring-wan-performance/#comments</comments>
		<pubDate>Sun, 11 Jul 2010 04:51:24 +0000</pubDate>
		<dc:creator>VishalK™</dc:creator>
				<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://clubhack.com/?p=19</guid>
		<description><![CDATA[Methodology to Measure the WAN Performance while selecting an optimum location for the Data Center (DC) Introduction: Network performance is one of the most critical factors to be considered while selecting the location for Data Centers. There are many factors that influence the network performance. These factors are highly dependent on the type of applications [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong><em>Methodology to Measure the WAN Performance while selecting an optimum location for the Data Center (DC)</em></strong></p>
<p><strong>Introduction: </strong></p>
<p>Network performance is one of the most critical factors to be considered while selecting the location for Data Centers. There are many factors that influence the network performance. These factors are highly dependent on the type of applications and services being hosted out of the data center. The Wide Area Network (WAN) factors which help in determining the network performance from the perspective of selecting a location for the data center are:</p>
<ul>
<li>Round Trip Time (RTT) from source to destination</li>
<li>Throughput</li>
<li>Theoretical Network Limit</li>
</ul>
<p><strong>1        </strong><strong>Round Trip Time (RTT): </strong></p>
<p>RTT is the time taken by an IP packet to traverse the path from the source to the destination and back. It is usually measured in milliseconds (ms).</p>
<p><strong>2        </strong><strong>Theoretical Network Limit :</strong></p>
<p>As the name suggests, theoretical network limit is the theoretical maximum (ideal) throughput possible on a given network link(s) between source and destination. It is typically expressed in Mbps. This limit is calculated based on RTT, Maximum Segment Size (MSS) and Loss rate in percent.</p>
<p><strong>3        </strong><strong>Throughput </strong></p>
<p>It is the amount of data transferred from one place to another or processed in a specified amount of time. Data transfer rates for networks are measured in terms of throughput. Typically, throughput is measured in kbps, Mbps and Gbps.</p>
<p><strong>Methodology to calculate RTT, Theoretical Network Limit and Throughput</strong></p>
<p><strong>Step 1: Calculation of Round trip time (RTT)</strong></p>
<p>RTT can be calculated by sending ICMP Ping messages from the source to the destination between which the RTT needs to be measured. Using Looking Glass utilities, Ping messages can be sent from different locations around the globe.</p>
<p>Looking Glass is a utility available on the Internet through which Ping messages can be sent to the required destination from servers (or network devices) located in different locations around the world.</p>
<p>Thus, a very good approximation of RTT can be obtained between the source country * and the destination.</p>
<p><strong>Parameters required for measuring Theoretical Network Limit and Throughput:</strong></p>
<ul>
<li>Round trip time (RTT)</li>
<li>Maximum segment size (MSS) (typ. 1460 Byte)</li>
<li>Loss rate in % (typ. &lt; 10<sup>-6</sup>% (&lt; 10<sup>-8</sup>))</li>
<li>TCP window size (typ. 64 Kbyte)</li>
</ul>
<p><strong>Step 2: Calculation of Theoretical Network limit </strong></p>
<p>The approximate Theoretical Network limit can be calculated using the following formula (based on the Mathis et al. formula):</p>
<p>Theoretical Network rate &lt; (MSS/RTT) * (C/sqrt(Loss)) [C = 1; Loss is the Loss rate in %, typ. &lt; 10<sup>-6</sup>% (&lt; 10<sup>-8</sup>)]</p>
<p><strong>Step 3: Calculation of Throughput </strong></p>
<p>Throughput can be calculated using the formula:</p>
<p>Throughput &lt;= TCP buffer size / RTT</p>
<p>where TCP buffer size &gt;= TCP window size, and the typical TCP window size = 64 Kbyte.</p>
<p>The theoretical network limit and throughput are both dependent on the RTT, so a very good approximation of RTT is imperative. RTT analysis should be carried out at different times during the course of the day and an average should be taken to get a good approximation.</p>
<p><strong>Note: </strong></p>
<p>1        Many looking glass utilities are available on <a href="http://www.traceroute.org/">www.traceroute.org</a></p>
<p>2        The calculator for theoretical Network limit and Throughput is available on <a href="http://www.switch.ch/network/tools">www.switch.ch/network/tools</a></p>
<p>* The exact location within the source country depends upon the location of the available network device (Looking Glass) from where Ping messages are being sent.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.clubhack.com/measuring-wan-performance/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

