[+] Wayc0de's Blog[+]


12/11/11

Anonymous and LulzSec trawl Google Code search for security holes

Exotically named hacking tools such as Low Orbit Ion Cannon and #RefRef have garnered plenty of headlines over the last few months but a new report suggests that the world's favourite search engine might be an equally important weapon in the arsenal of cyber-criminals and hacktivists.

The report explains how a simple search on Google Code is all that's needed to uncover a wealth of information that can be used to break into websites, cloud-based services and secure networks.

Google's Code Search is a tool that makes it easy for those with technical know-how to search the vast amount of computer code that is publicly available online.

Researchers from IT security consultancy Stach & Liu report that hacking groups such as Anonymous and LulzSec are using Google Code search for a number of nefarious activities.

With a few well-crafted searches they can uncover passwords for cloud services and configuration files for Virtual Private Networks, and find code that is vulnerable to common website hacking tactics such as SQL injection.

While the findings provide a much-needed wake up call to online businesses, admins and developers, they also offer a fascinating insight into the motivation of hacking collectives such as Anonymous and LulzSec.

According to Stach & Liu, ‘Google Hacking’, as the technique is known, is believed to be Anonymous and LulzSec’s primary means of identifying potential targets.
Rather than being motivated by politics or injustice, hacking groups may simply be targeting organisations because Google Code search has turned up a vulnerability too tempting to ignore, making them less political action groups, more malicious 21st century Wombles.

So what can online businesses do to protect themselves from these online, evil Uncle Bulgarias?

The first line of defence is to make sure that developers are following established best practice and that executives are creating a culture where best practice is encouraged and supported. Including passwords in code has always been a bad idea and techniques to prevent and detect SQL injection vulnerabilities are well established.
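As an added example (not from the original post or the report it cites), a pre-publication check a team could run over its own source tree to catch the three kinds of exposure listed above: hardcoded credentials, VPN or key material, and SQL built by string concatenation. The rule patterns, file names and sample contents are constructed assumptions.

```python
import re

# Heuristic rules for the three kinds of exposure the post lists. The patterns
# are illustrative assumptions, not a complete or authoritative rule set.
RULES = {
    "hardcoded-credential": re.compile(
        r"""(pass(word|wd)?|secret|api_?key|token)\w*\s*[:=]\s*["'][^"']{4,}["']""", re.I),
    "vpn-or-key-material": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----|^\s*auth-user-pass\b|\bpre-?shared-?key\b", re.I),
    # SQL keyword, then a string closed and concatenated or %-formatted with a variable.
    "sql-built-from-input": re.compile(
        r"""\b(select|insert|update|delete)\b.*["']\s*(\+|\.|%)\s*[$\w(]""", re.I),
}
# Obvious placeholders that should not count as a leaked credential.
PLACEHOLDER = re.compile(r"changeme|example|<[^>]+>|\$\{[^}]+\}", re.I)

# Constructed sample tree (path -> contents) so the example runs offline.
SAMPLE_TREE = {
    "settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "s3cr3t-Pa55"\n'
                   'API_KEY = os.environ["API_KEY"]\n',
    "settings.sample.py": 'DB_PASSWORD = "changeme"\n',
    "client.ovpn": "remote vpn.invalid 1194\nauth-user-pass creds.txt\n",
    "login.php": (
        '$q = "SELECT * FROM users WHERE name = \'" . $_POST["name"] . "\'";\n'
        '$stmt = $pdo->prepare("SELECT * FROM users WHERE name = ?");\n'),
}


def scan_text(path, text):
    """Return (path, line_no, rule) for every line that matches a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if not pattern.search(line):
                continue
            if rule == "hardcoded-credential" and PLACEHOLDER.search(line):
                continue  # template value, not a real secret
            findings.append((path, line_no, rule))
    return findings


def scan_tree(tree):
    """Scan a mapping of path -> file contents and collect all findings."""
    findings = []
    for path, text in tree.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, line_no, rule in scan_tree(SAMPLE_TREE):
        print(f"{path}:{line_no}: {rule}")
```

The value read from the environment, the `changeme` template and the prepared statement produce no finding; only the literal password, the VPN credentials directive and the concatenated query are reported.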

Businesses should also prepare so that if they are successfully attacked after a data leak they don't lose their shirt. Data stored in the cloud can be rendered useless to attackers by the simple expedient of encrypting it.

Stach & Liu warn that businesses using cloud services should also take a close look at the small print; many cloud service providers state that they don't accept responsibility for leaks.

For more on this, take a look at Stach & Liu's Pulp Google Hacking presentation.

14/10/11

Error 3200: Apple iOS 5 stumbles on launch

Apple has launched the much anticipated iOS 5.0 - the new version of its operating system for iPhones and iPads, complete with revolutionary new features such as the iCloud.

It should have been a great moment for the company, and something to put some cheer back in Apple fans' hearts following the death of founder Steve Jobs last week.


However, things aren't going as smoothly and catch-free as the notoriously detail-orientated company would perhaps like.

Many users are finding that their attempts to update their iOS devices to the latest and greatest version of the mobile operating system are floundering, with users faced with error messages such as

"An internal error occurred." (3200)

during the install process.
Others are seeing messages related to internal errors 3002 or Error 3004.

Whatever the number, the problem has got so big that the phrase "Error 3200" is currently trending on Twitter.

Theories are bouncing around the net that Apple is simply a victim of its own success, and its servers have not been able to cope with demand for the new version of iOS, meaning that devices are failing to properly register themselves with the mothership. If that's true, you might be wise to wait a day or two.


Unfortunately, Apple's website isn't being terribly helpful for any users searching for information about what the error may mean:

No results found

Come on Apple, surely you can do better than that?

Me? I have chosen to hold off upgrading my wife's iPhone and iPad to iOS 5.0 - just as we haven't updated our iMac at home to Mac OS X Lion yet.

Call me antediluvian if you wish, but I can't really see the attraction in being an early-adopter. Security patches are one thing, but if something is working for me just fine, I don't feel the need to install the shiny new version as soon as it rolls off the software vendor's conveyor belt.

The risk is always going to be that there are still some wrinkles to iron out. I'd much rather wait until the teething problems have been sorted out, and then consider whether the new features built into Apple's operating system are what I'm after.

This is hardly the most auspicious launch for iOS 5.0 and the much vaunted iCloud. And let's not forget, if there's an error 3200 you have to assume that there's at least another 3199 error messages waiting to show their face to some poor users at some point in the future. :)