Alpha Blog: CNET's gadget & tech news and opinions blogged by our editors
August 02, 2006, 9:03 PM PDT
Criminals using Web apps to hide attacks
Posted by: Robert Vamosi

In a presentation at Black Hat, Chuck Willis and Rohyt Belani recounted recent case studies where criminal hackers had used Web applications to break into companies. The researchers' talk focused on incident response and forensic techniques that helped reveal the backstory of the attacks. They cited two case studies.

One study involved an online stock trade company where roughly 1,000 customers had mysteriously purchased shares of a penny stock none of them had ever heard of before. In most cases, the stock purchase went unreported (the stock had gained in value, so the customers affected had all benefited). But a handful did complain, so digital forensic examiners were brought in. By analyzing the servers and finding all the logs that corresponded to the date, time, and stock purchases, the investigators found that all the purchases had been made with the same session ID. The stock trade company made the mistake of issuing a session ID before authenticating the user, so the attacker was able to send, via phishing attack, one session ID so that when the victim logged into his account, it triggered an automated script that bought the shares for other customers as well.

In a second case study, the CEO of a retail giant received an extortion note via U.S. mail. In the note was a snippet of database including customer credit card information; the extortionist was demanding money or he'd go public with the 125,000 credit card numbers he had. Here the investigators had only 72 hours, but ultimately they found that a software developer had put in a backdoor on the credit card database. The software had been outsourced from Asia, and by searching the Web logs for that particular database call, they found one request that resolved to an address also in Asia. According to Willis and Belani, law enforcement in that country was able to arrest the individual, and do so with a few hours to spare.

Permalink | Post a comment
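The log correlation described in the first case study can be sketched as follows. This is an added example, not code from the talk or from this post: it flags session IDs that appear under more than one account and session IDs that were issued before login and kept afterward. The log format, field names, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format): time, session ID, user ("-" = not logged in), request
SAMPLE_LOG = """\
2006-07-14T09:30:01 sid=F1XED0001 user=- GET /login
2006-07-14T09:30:09 sid=F1XED0001 user=alice POST /login
2006-07-14T09:30:12 sid=F1XED0001 user=alice POST /trade/buy
2006-07-14T09:41:40 sid=F1XED0001 user=- GET /login
2006-07-14T09:41:55 sid=F1XED0001 user=bob POST /login
2006-07-14T09:41:58 sid=F1XED0001 user=bob POST /trade/buy
2006-07-14T09:50:03 sid=7c9e21aa user=- GET /login
2006-07-14T09:50:10 sid=b8830f5d user=carol POST /login
2006-07-14T09:50:31 sid=b8830f5d user=carol POST /trade/buy
"""

LINE_RE = re.compile(r"^(\S+) sid=(\S+) user=(\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, sid, user_or_None, method, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sid, user, method, path = m.groups()
            yield ts, sid, (None if user == "-" else user), method, path

def analyze(log_text):
    """Return (session IDs shared by several accounts, session IDs kept across login)."""
    users_by_sid = defaultdict(set)
    seen_anonymous = set()   # session IDs observed before any authentication
    survived_login = set()   # pre-login session IDs still in use after authentication
    for _ts, sid, user, _method, _path in parse(log_text):
        if user is None:
            seen_anonymous.add(sid)
        else:
            users_by_sid[sid].add(user)
            if sid in seen_anonymous:
                survived_login.add(sid)
    shared = {sid: sorted(u) for sid, u in users_by_sid.items() if len(u) > 1}
    return shared, survived_login

if __name__ == "__main__":
    shared, survived = analyze(SAMPLE_LOG)
    for sid, users in shared.items():
        print(f"session {sid} used by {len(users)} accounts: {', '.join(users)}")
    print("session IDs kept across login:", sorted(survived))
```

In the constructed sample, the third user receives a fresh session ID at login, which is the behavior that prevents a pre-issued ID from carrying over into an authenticated session.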

August 02, 2006, 5:39 PM PDT
iPhone on its way?
Posted by: Kent German

The cell phone rumor mill is at it again with more speculation about the already overhyped Apple iPhone. The latest dish is that Apple will premiere the "iChat" Monday at its Worldwide Developer's Conference in San Francisco. Engadget has pictures of a rumored device on its site. We can't say whether the gossip is true, but we'll be at Steve Jobs's keynote to let you know for sure. Stay tuned.

Permalink | 4 comments

August 02, 2006, 4:38 PM PDT
The Web-based drawing tool, LithaPaint
Posted by: Rafe Needleman

Is there anything you cannot do in a Web-based application? We have word processors, spreadsheets, and presentation programs running on the Web. There are drawing applications and even video editors. And now there's the beginning of a free-form graphics creation tool, LithaPaint.

Don't throw out your Photoshop license yet. The service is still in early alpha testing, a lot of it doesn't work, and most of the LithaPaint tools help you draw and manipulate lines, which is not enough; a more complete tool would also manipulate textures and areas. But it's interesting to experiment with, if only to see how much can be done inside a browser window.

There's one thing that we have yet to solve, though, with all of these applications: data interoperability. Currently, you cannot copy and paste between Web-based applications like you can with desktop apps. You can export documents from, and import to, most of the apps, but that's a kludge that takes us back to the early days of personal computing.

Permalink | Post a comment

August 02, 2006, 4:35 PM PDT
Surprise! Girls like gadgets!
Posted by: Molly Wood

Actually, I was sort of blindsided by how much press this story ended up getting, because I thought, at this point, it was fairly obvious that women were into technology in levels approaching that of their male counterparts. Although, even I never would have thought a digital video camera would rate higher than a new pair of designer shoes. Per a study conducted by the Oxygen network, 77 percent of respondents said they'd be more interested in a plasma TV than a diamond solitaire necklace. If they had $500 to spend, women chose iPods or cell phones over little black dresses. I mean, granted, they lose me at the shoes, but it shouldn't come as a surprise to anyone that women care about technology--or that they care about shopping.

Permalink | 2 comments

August 02, 2006, 3:00 PM PDT
Don't call it in
Posted by: Robert Vamosi

It's called Vishing, and it's yet another way that phishers are trying to get you to give up your personal information--this time over the telephone. In a presentation at Black Hat, Jay Schulman outlined just how criminal hackers are able to do this. Essentially it's a man-in-the-middle attack using VoIP. By recording legitimate telephone services from well-known financial institutions, criminal hackers can, using open-source PBX software such as Asterisk, re-create a realistic-sounding interactive voice recognition system on their own. Because many of these scams come from Eastern Europe and target Americans, the use of text-to-speech software further disguises any accent, lulling phone callers into handing over their info. In Schulman's example, victims call in and provide the criminal attacker with credit card and zip information, but when they are asked to check their bank balance, they are often handed over to a live telephone operator at the bank in question. The criminal hackers, in this case, are in the middle, recording all the personal information provided. Schulman reminded the audience to call the number on the back of your credit card, not some number sent to you via e-mail. Further, he asked that financial institutions start educating the public about these scams.

Permalink | 1 comment

August 02, 2006, 2:47 PM PDT
Kingston enters the portable media player market
Posted by: James Kim

Memory powerhouse Kingston has entered the PVP market with its K-PEX Personal Media Player, a compact flash-based device available in either 1GB ($130) or 2GB ($180) capacities. K-PEX, which stands for Kingston Personal Entertainment eXperience, includes a Mini SD slot for expanding the relatively low capacity. The K-PEX measures 3.7 by 1.8 by 0.57 inch, weighs 2.2 ounces, and is built around a 2-inch LCD (220x176 pixels). It's a bit smaller than, say, an Archos Gmini 402.

The device can play back MP3, WMA, OGG, and WAV audio (not sure if it's DRM compatible), and supports MPEG-1, MPEG-2, AVI, WMV, and ASF video. Video playback does require the bundled transcoder software. The multitalented device is compatible with JPEG and text files, includes an FM tuner and a built-in speaker, has a 17-hour audio battery life, and can be used as a voice recorder. The press release even states that this thing can play games, but we'll have to see about that when we get a review unit.

We're not sure what to think so far; the interface looks intuitive enough, but it will be competing against the likes of the Creative Zen V Plus, SanDisk's Sansa e series, and Cowon's iAudio U3. Check back soon; we're getting the device next week.

Permalink | Post a comment

August 02, 2006, 12:23 PM PDT
Acura Integra thefts promote Civic unrest
Posted by: Kevin Massy

An interesting report from AP today says that the Acura Integra was the second most stolen car in the United States last year--and the fourth, fifth, seventh, eighth, and ninth most stolen. That's right, six different Integras ranging from the 1995 model to the 2001 model made the top 10 most popular targets among car thieves, according to CCC Information Group, an industry organization based in Chicago. So why are the Integras so popular? The answer, says an LAPD spokesperson, is that enterprising boy racers steal Integras for their powerful double-overhead cam engines, which they remove and drop into mechanically compatible Honda Civics for use in illegal street racing.

According to AP, Acura realized the theft problem (after more than 10 years, I should hope so) and built extra security into the RSX, which replaced the Integra in 2002. It looks like Honda may have taken notice as well. Based on our time in the 2006 Civic Si, there are no Acura parts required to turn it into a hot rod: just add driver.

Source: Associated Press

Permalink | 4 comments

August 02, 2006, 11:25 AM PDT
Keyboard profiling at Black Hat
Posted by: Robert Vamosi

There's the infamous New Yorker cartoon of a dog typing on a keyboard that reads, "On the Internet, no one knows you're a dog." Black Hat presenter Neal Krawetz says while he still may not know who you are, he can tell other details about you such as gender, handedness, and even whether you are a musician. Keyboard analysis is not forensics because you can't claim to know conclusively who authored a blog site, an IM, or even computer malware. Rather, Krawetz says his keyboard analysis is more like profiling, like using blood splattering at a crime scene to infer suspect information. He used blogs from MySpace to demonstrate his gender analysis. Research has shown that males use certain words more often than females, along with other differences. Applying these differences to hundreds of blogs, Krawetz found that although MySpace contributors identify themselves as roughly 60 percent male and 40 percent female, he found 20 percent of the females demonstrated strong male attributes in their writing, which could mean they are lying. In another demonstration, looking for patterns in lines of code, he attempted to identify the multiple authors of the phatbot worm. And using finger-drumming analysis, Krawetz demonstrated how patterns revealed when typing random characters onto a keyboard can tell him whether someone is likely to be a musician.

Permalink | 2 comments

August 02, 2006, 11:25 AM PDT
Sony's new digital camera GPS
Posted by: Will Greenwald

Users can now organize their photos by place as well as time, with Sony's new GPS-CS1 device. This small, keychain-size GPS unit clips to your bag or belt, or slides into your pocket where it silently tracks everywhere you go. Once you're done wandering and shooting, upload both your photos and the GPS data to your computer. The GPS-CS1's included software checks when every image was shot, and syncs it to the GPS data recorded at that time. The Picture Motion Browser software included with most recent Sony cameras and camcorders can then take that information and organize your photos on an online map.

At heart, it's just a small GPS device that you sync up to your computer via USB. It still seems like a nifty device to let you organize where you've been and what you've shot. Instead of flipping through dates, times and thumbnails, you can just check out all of the photos you shot in Chelsea or Central Park, or the Grand Canyon. These camera-oriented GPS devices have been available as accessories to certain digital SLRs, but this is one of the first times we've seen such a device directed towards the snapshot crowd.

With a suggested retail price of $150, the GPS-CS1 won't be the cheapest gizmo in your pocket. Still, users interested in a tiny GPS that can work with their digital camera might want to check it out when it hits stores next month.

Permalink | 2 comments

August 02, 2006, 10:58 AM PDT
Alltel's LG AX490 shows off Fastap
Posted by: Kent German

Digit Wireless, which teased us the past couple years with its Fastap keyboard, has finally brought the technology to the United States. Alltel yesterday introduced the LG AX490, the first cell phone from a U.S. carrier equipped with the Digit's alphanumeric keypad technology. Set in the midst of the AX490's usual number keys are small, round buttons for each letter of the alphabet. Designed for quicker and easier messaging, the raised buttons essentially give users a full alpha keyboard. The AX490 flip phone also comes with a VGA camera, a speakerphone, and Bluetooth, while the price should be $59 with a two-year contract.

Permalink | Post a comment

© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use