MicroTechXP

Smartphones are seen as a more of a security risk than laptops and mobile storage devices, according to new research. Some 94 percent of senior IT staff fear PDAs present a security risk, just above the 88 percent who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was “not worth” protecting.
The results come from a survey of 300 senior IT staff conducted by endpoint data protection supplier Credant Technologies. A key danger with PDAs was that over half of IT executives surveyed were “not bothering” to enter a password when they used their phone. Nine in 10 of the smartphones were being given access to company networks without extra security, even though the phones were individually owned by users. There were no access restrictions being applied to 81 percent of the phones.

View: The full story @ Infoworld

Looks like Vista’s much-maligned User Access Control or UAC has one benefit for a savvy user: it can detect rootkits before they install. AV-Test.org conducted a test of popular antivirus programs to see how well they detected rootkits and the tester had to turn off UAC on the Vista test systems because it detected every rootkit used in the test. 
Once on a PC, rootkits can bury themselves quietly, but they have to get to that point first. As long as users interpret prompts from the UAC system attentively, or those messages haven’t in some way been spoofed, rootkits struggle to jump to the PC without drawing attention to themselves. [HardOCP]

The fact that Microsoft has relaxed its antipiracy mechanism built into Windows Vista concomitantly with the release of Service Pack 1 failed to stop hackers from providing a crack for the latest version of Windows Genuine Advantage Validation. Various reports point out that Genuine Advantage Validation and Notifications versions 1.7.69.1 (1.7.0069.1) and 1.7.69.2 released in March 2008, following the March 18 availability of Windows Vista SP1 through Windows Update and the Microsoft Download Center, have been cracked.
The workaround is designed to be integrated with pirated copies of Windows XP and Windows Vista in order to render useless the WGA Validation mechanism. According to the reports, applying the WGA crack will permit users of counterfeit versions of Windows to access and download items from Windows Update, Microsoft Download Center and Microsoft Update. The pirated operating systems with the cracked WGA will pass all validations on Microsoft’s websites and offer anything from updates to applications that are restricted to users of genuine operating systems only.
View: Full Article @ Softpedia

After Mac was hacked in 2 minutes at the CanSecWest Conference, it was now the time for Vista to get hacked on the 3rd day. Vista’s security was compromised through the popular 3rd party software, Adobe Flash. 
“The contest, which saw a MacBook Air get hacked on Thursday, relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air’s downfall through the OS X operating system.”
The MacBook Air went first; a Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference. [WinVistaClub via Neowin]

It may be the quickest $10,000 Charlie Miller ever earned.
He took the first of three laptop computers — and a $10,000 cash prize — Thursday after breaking into a MacBook Air at the CanSecWest security conference’s PWN 2 OWN hacking contest.
Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed “0day” attack.
Within 2 minutes, he directed the contest’s organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems.
Miller was quickly given a nondisclosure agreement to sign, and he’s not allowed to discuss particulars of his bug until the contest’s sponsor, TippingPoint, can notify the vendor.
Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible by, or possibly inside, Apple’s Safari browser. [Yahoo! News]

A security consultant, Adam Boileau, based in New Zealand has released a tool that can unlock Windows computers in seconds, via a Firewire port, without the need for a password.
With this tool, called Winlockpwn, one could “unlock locked Windows machines or login without a password … merely by plugging in your Firewire cable and running a command”.
The hack, which affects Windows XP computers but has not yet been tested with Windows Vista, was first demonstrated, at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix. But now that a couple of years have passed and the issue has not resolved, Boileau, decided to release the tool on his website. [WinVistaClub]

View: theage

The teenage hacker who managed to unlock the iPhone so that it can be used with cellular networks other than AT&T will be trading his reworked gadget for a new car.

George Hotz, of Glen Rock, N.J., said he had reached the deal with CertiCell, a Louisville, Ky.-based mobile phone repair company. Hotz posted on his blog that he traded his modified iPhone for “a sweet Nissan 350Z and 3 8GB iPhones.” “This has been a great end to a great summer,” Hotz wrote.

The 17-year-old Hotz said he will be sending the three new iPhones to the three online collaborators who helped him divorce Apple Inc’s popular product from AT&T’s network. The job took 500 hours, or about 8 hours a day since the iPhone’s June 29 launch.

Hotz made the deal with Terry Daidone, co-founder of CertiCell, who also promised the teen a paid consulting job.

“We do not have any plans on the table right now to commercialize Mr. Hotz’ discovery,” Daidone said in a statement.

Looks like the official Microsoft U.K. Domain was attacked and defaced by a hacker identified as rEmOtEr. Microsoft confirmed that the hack has been successful. rEmOtEr altered a webpage in the Microsoft.co.uk domain with two images and multiple references to the kingdom of Saudi Arabia. The U.K. branch of the Redmond company managed to fix the problem, and the functionality of the website is back to normal parameters. The webpage
hacked dealt with Microsoft events and can be found here. In the adjacent image you can see how the hacker defaced the page, courtesy of Zone-H.

Roger Halbheer, chief security advisor for Microsoft in Europe, the Middle East and Africa admitted that the hack was successful and revealed that the whole event was unfortunate. According to Microsoft, no sensitive information was compromised in the attack. This is a clear indication that the hack was done for show, rather than to actually cause any harm. Another argument that supports such a scenario is the fact that rEmOtEr took time to document the hack in two separate video fragments. You will be able to watch for yourselves the live hacking via the two “remoter_vs_microsoft.avi” files.

The hack was possible mainly because of the fact that the database was allowed to return error messages explained Halbheer, as cited by InfoWorld. The attack was possible through a technique referred to as SQL injection. This fact is also confirmed by the hacker in the two videos that were made available. Via Structured Query Language injection rEmOtEr was able to gain access to the database. In the video fragments you will be able to see how easy the hacker obtains both usernames and passwords for the database. Working his way from error message to error message, rEmOtEr finally could switch from SQL queries with an unexpected form to direct instructions to the database.

Download: The Videos
Source : Softpedia