AdelPlex

Protect Yourself From Firesheep

Firesheep banks on the fact that most social sites default to plain HTTP, because serving pages unencrypted is cheaper and quicker. The existing Firefox extension Force-TLS attempts to circumvent this by forcing those sites to be accessed over HTTPS, so that the user's cookies travel encrypted and are invisible to Firesheep.

Like the alternative, HTTPS Everywhere, the Force-TLS extension has your browser change HTTP to HTTPS for the sites you list in the add-on's “Preferences” menu, protecting your login session and giving you an encrypted connection whenever you access those sites.

HTTPS encrypts the traffic, so if a tool like Firesheep captures it, the cookies inside cannot be read. Force-TLS makes the browser send every request to the listed sites over an SSL-secured channel. Some sites, like Amazon at the time of writing, don't offer a secure option for ordinary browsing, while the majors like Facebook, Twitter and Google all allow an HTTPS connection. Two caveats: a site that does not serve the whole session over HTTPS simply breaks when the scheme is forced, and a session cookie set for a parent domain is also sent to its subdomains, so any subdomain you have not listed still receives it in the clear.

How to configure:

1. Download the extension and install it into Firefox.


2. Open the add-on's “Preferences” and add the domains for which you want HTTPS forced.


3. Restart Firefox.

Note: Unlike HTTPS Everywhere, which ships with its own rule set, Force-TLS relies on the user to define the sites that should only be reached over a secure HTTPS connection. Anything you forget to list is still fetched over plain HTTP.
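To make concrete what such a per-domain rule does before a request leaves the browser, here is an added Python model of a force-HTTPS policy. It is example code written for this page, not Force-TLS's source; the host names, the HSTS-style header syntax it accepts (max-age and includeSubDomains) and the injectable clock are assumptions made for the illustration.

```python
"""Model of a Force-TLS style "always use HTTPS for these hosts" policy.

Added example for this page, not Force-TLS's source. Host names, the
HSTS-style header syntax and the injectable clock are assumptions.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class ForceHttpsPolicy:
    """Hosts that must only ever be reached over HTTPS.

    A rule is either entered by the user (as in the extension's Preferences)
    or learned from a server header. Rules can cover subdomains and can
    expire, so the policy does not outlive the site's own commitment.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._rules = {}  # host -> (include_subdomains, expires_at or None)

    def add(self, host, include_subdomains=False, max_age=None):
        """Add a rule; max_age is seconds from now, None means permanent."""
        host = host.lower().rstrip(".")
        if max_age is not None and max_age <= 0:
            self._rules.pop(host, None)  # max-age=0 means "forget this host"
            return
        expires = None if max_age is None else self._now() + max_age
        self._rules[host] = (include_subdomains, expires)

    def learn_from_header(self, host, header_value):
        """Adopt a rule from a server-sent HSTS-style header value.

        Assumed syntax: 'max-age=SECONDS[; includeSubDomains]'. A value
        without a usable max-age is ignored and the method returns False.
        """
        max_age, include = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip()
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include = True
        if max_age is None:
            return False
        self.add(host, include, max_age)
        return True

    def _rule(self, host):
        """include_subdomains flag of a live rule on exactly `host`, else None."""
        rule = self._rules.get(host)
        if rule is None:
            return None
        include, expires = rule
        if expires is not None and expires <= self._now():
            del self._rules[host]  # expired rules stop applying
            return None
        return include

    def covers(self, host):
        """True if `host` has its own rule or sits under a rule that includes subdomains."""
        host = host.lower().rstrip(".")
        if self._rule(host) is not None:
            return True
        labels = host.split(".")
        # Walk up the parents: a.b.example.com -> b.example.com -> example.com
        for i in range(1, len(labels)):
            if self._rule(".".join(labels[i:])):  # True only with include_subdomains
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when its host is covered.

        Port 80 (explicit or implied) becomes the HTTPS default; any other
        port is kept. Already-https URLs and unlisted hosts come back
        unchanged, which is why only the sites you list are protected.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.covers(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = "%s:%d" % (netloc, parts.port)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Note the look-alike case: a rule for facebook.com with subdomains covers www.facebook.com but not facebook.com.evil.example, because matching walks up the label boundaries rather than doing a substring search.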

And while everyone knows that there's always some privacy risk when interacting online, hopefully installing Force-TLS will at least put less of a damper on today's stint at your local “free Wifi!”-boasting cafe. I'm also looking into the possibility of equivalents for this extension on other browsers and will update this post as soon as I have alternative options.

Hacking Web 2.0 Apps: "Firesheep"

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the session cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

At Toorcon 12 (October 2010) the authors announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.

After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:


Double-click on someone, and you're instantly logged in as them.



Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
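As an added example (not Firesheep's own code), the following Python shows the two halves of the problem described above: what a Firesheep-style site handler pulls out of a cleartext request it has captured, and the Set-Cookie attributes a site must send so that the browser never puts the session cookie on the wire in the clear. The site names, cookie names and the captured request are constructed for the example and do not correspond to any real site.

```python
"""What a Firesheep-style handler reads from a cleartext request, and the
Set-Cookie check that prevents it.

Added example for this page, not Firesheep's source. Site names, cookie
names and the captured request are constructed for the illustration.
"""

# Constructed stand-ins for Firesheep's per-site handlers: the host a
# handler claims and the cookie names that together carry the session.
HANDLERS = {
    "social.example": ("sessid", "uid"),
    "micro.example": ("auth_token",),
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lowercased; repeated headers are joined with ', '.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return method, path, headers


def parse_cookies(cookie_header):
    """'lang=en; sessid=abc' -> {'lang': 'en', 'sessid': 'abc'}."""
    jar = {}
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            jar[name] = value
    return jar


def sidejack_candidate(raw_request):
    """Return (site, session_cookies) when a captured cleartext request
    carries every session cookie a handler needs, else None.

    This is the whole trick: on an open network the Cookie header is
    visible to everyone, so whoever reads it can replay it.
    """
    _method, _path, headers = parse_request(raw_request)
    host = headers.get("host", "").lower().split(":")[0]
    jar = parse_cookies(headers.get("cookie", ""))
    for site, names in HANDLERS.items():
        if host == site or host.endswith("." + site):
            found = {n: jar[n] for n in names if n in jar}
            if len(found) == len(names):
                return site, found
    return None


def set_cookie_weaknesses(set_cookie_value):
    """List what is wrong with a Set-Cookie header from the sidejacking
    point of view. An empty list means the browser will never put the
    cookie on a cleartext connection (and script cannot read it either)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: sent over plain HTTP as well as HTTPS")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by page script")
    return problems


# Constructed capture: one request as it would appear on an open wifi network.
CAPTURED = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.social.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: lang=en; sessid=8f3a1c9e; uid=10023\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(sidejack_candidate(CAPTURED))
    print(set_cookie_weaknesses("sessid=8f3a1c9e; Path=/; Domain=.social.example"))
    print(set_cookie_weaknesses("sessid=8f3a1c9e; Path=/; Secure; HttpOnly"))
```

The Secure attribute is the server-side counterpart of what Force-TLS does on the client: with it set, even a stray plain-HTTP request to the site goes out without the session cookie, so there is nothing for a listener to replay. Encrypting only the login page, as the text above describes, leaves every later request carrying the cookie in the clear.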


Fake Microsoft Security Essentials

Microsoft Security Essentials is fake. Well, it is and it isn't. Microsoft Security Essentials is a free antimalware program from Microsoft, but a new malware threat identified by security software vendor F-Secure is also masquerading as Microsoft Security Essentials. You want to avoid that one.

The new malware is distributed through a drive-by download as either hotfix.exe or mstsc.exe, both reasonably benign and almost legitimate-sounding file names that might not raise red flags with some users (mstsc.exe is also the name of the genuine Windows Remote Desktop client, which is exactly why it blends in). The "alert" from the threat steals the Microsoft Security Essentials brand, including the little blue fortified-castle icon. The software then displays a seemingly comprehensive list of antimalware products, including all of the top names users are familiar with, such as Trend Micro, McAfee, Panda and Symantec, and identifies those that are supposedly capable of detecting and blocking this nefarious threat. The F-Secure blog explains, "Surprisingly, the only products that seem to be capable of handling the infection are AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross. Never heard of these? No wonder. They are all fake products."

The attackers are counting on users being naive enough to take the bait and agree to be "saved" by purchasing one of these awesome antimalware tools to help eradicate the threat. But since these are all rogue antivirus programs, what you really end up with is a Trojan that opens the system up to further malware compromise and exploitation.

Don't get confused, though. As mentioned above, Microsoft Security Essentials is a legitimate antimalware application as well. It is offered free by Microsoft and is in fact a very capable defense against malware. Microsoft just recently expanded the availability of Microsoft Security Essentials to small businesses, making it free to install on up to ten PCs.
I must say, though, that I have never understood how anyone falls for rogue antivirus attacks. It seems to me that users should know whether or not they have some sort of malware protection installed, and if so which software it is. If no antimalware is installed, or if the fake alert is apparently from a program other than the one that is installed--why would anyone take it seriously? Did magic antimalware fairies stop by in the night and install this new beneficent tool? And, doesn't it seem at all suspicious that this strange antimalware detection is capable of scanning the PC and identifying this new threat, but invites you to purchase something else to actually deal with the problem? F-Secure detects this new rogue Microsoft Security Essentials threat as Trojan.Generic.KDV.47643.

Securing Android Apps with SSL Certificates

Android: Trusting SSL certificates

I used a self-signed SSL certificate for the test version of my backend web service. Since my certificate isn't signed by a CA that Android trusts by default, we need to add our server's public certificate to our Android app's trust store. The same instructions apply to trusting a custom CA, except that you'd get the public certificate directly from the CA instead of from a server. Keep in mind that trusting the server's own (leaf) certificate this way means the app stops trusting the server as soon as that certificate is renewed or replaced; trusting your own CA certificate instead survives leaf rotation.

Required tools: openssl, the JDK's keytool, and the Bouncy Castle provider jar (bcprov), all of which are used in the steps below.

1. Grab the public certificate from the server you want to trust. Replace ${MY_SERVER} with your server's address.

    # s_client prints the server's certificate chain; keep only the first PEM block
    echo | openssl s_client -connect ${MY_SERVER}:443 2>&1 | \
      sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem

For example, here's the PEM-encoded public certificate that google.com presented at the time (it has long since expired, so it illustrates only the format):

    -----BEGIN CERTIFICATE-----
    MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM
    MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
    THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x
    MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
    FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
    gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN
    gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L
    05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM
    BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
    LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
    BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
    Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
    ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
    AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5
    u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6
    z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw==
    -----END CERTIFICATE-----

2. Android has built-in support for the Bouncy Castle keystore format (BKS). Put Bouncy Castle's provider jar on your classpath and create a keystore containing only your trusted certificate. The store password does not need to be a secret (it ships inside the APK and the app reads it in step 3); it only lets the app detect a tampered store.

    # keytool needs the Bouncy Castle provider to write a BKS store.
    # Both jar paths below must point at the same bcprov jar; adjust them to where yours lives.
    export CLASSPATH=bcprov-jdk16-145.jar
    CERTSTORE=res/raw/mystore.bks
    # Start from an empty store so it contains exactly one trusted certificate.
    if [ -a $CERTSTORE ]; then
        rm $CERTSTORE || exit 1
    fi
    keytool \
          -import \
          -v \
          -trustcacerts \
          -alias 0 \
          -file <(openssl x509 -in mycert.pem) \
          -keystore $CERTSTORE \
          -storetype BKS \
          -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
          -providerpath /usr/share/java/bcprov.jar \
          -storepass ez24get

3. Create a custom Apache HttpClient that uses your custom store for HTTPS connections.

    import android.content.Context;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.SingleClientConnManager;

    import java.io.InputStream;
    import java.security.KeyStore;

    public class MyHttpClient extends DefaultHttpClient {

      final Context context;

      public MyHttpClient(Context context) {
        this.context = context;
      }

      @Override
      protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(
            new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // HTTPS goes through a socket factory that trusts only the bundled store.
        registry.register(new Scheme("https", newSslSocketFactory(), 443));
        return new SingleClientConnManager(getParams(), registry);
      }

      private SSLSocketFactory newSslSocketFactory() {
        try {
          // Load the BKS store shipped as res/raw/mystore.bks (created in step 2).
          KeyStore trusted = KeyStore.getInstance("BKS");
          InputStream in = context.getResources().openRawResource(R.raw.mystore);
          try {
            // Same password as -storepass in step 2; it only guards the store's integrity.
            trusted.load(in, "ez24get".toCharArray());
          } finally {
            in.close();
          }
          // Server chains are validated against this store alone; the factory's
          // default hostname verifier still checks the certificate against the host.
          return new SSLSocketFactory(trusted);
        } catch (Exception e) {
          throw new AssertionError(e);
        }
      }
    }

Techwadi Live-streaming

http://techwadi.linkstream.tv/


Google Android 3.0

It seems that the new operating system Android 3.0 is complete. Google is hoping for a big success with this release. Rumours are growing that Android developers have said the next version of the mobile operating system, Android 3.0, is finished. The starting point of the speculation: a video recently uploaded to the Android developers' YouTube account shows a group of young people on the Google campus unpacking and setting up an oversized gingerbread man; the code name of the next Android version is “Gingerbread”. The video is captioned with the words “We've been baking something and it's pretty sweet”. Android 3.0 looks like a great operating system.

What Android 3.0 will contain in terms of new features is still largely unknown. It does seem established, however, that it is intended not only for smartphones but also to handle tablet computers better than the current Android 2.2. Manufacturers such as Motorola and LG have reportedly already announced that they will delay the release of new tablets until they can ship them with “Gingerbread”. The next Android is also expected to support Google's new web video format WebM/VP8. I am sure that Android 3.0 will be a great success.

$250 million fund for social entrepreneurs

John Doerr on Thursday launched a $250 million investment fund to find and bankroll what he said would be the next wave of social entrepreneurs
Amazon.com CEO Jeff Bezos, left, listens while Facebook CEO Mark Zuckerberg makes a point at Facebook headquarters, in Palo Alto on Thursday, Oct. 21, 2010. Kleiner Perkins Caufield & Byers (KPCB) today announced the sFund, a new $250 million initiative to invest in entrepreneurs inventing social applications and services. (KAREN T. BORCHERS)

Entrepreneurship Forum in Egypt

Cairo, Egypt – 25-26 October, 2010

An exciting opportunity is finally taking shape.
We now have a fixed date for the launch of a PlugandPlay (PnP) incubator in Cairo – an important step in our diasporas’ initiatives to promote entrepreneurship and innovation in Egypt. PlugandPlay will house hundreds of entrepreneurs in the next three years. Our focus will be on mentoring, financing and accelerating the growth of the most promising start-ups.
To celebrate and deliberate, we invite executives and high impact entrepreneurs to join us for an open dialogue on how to make the initiative a success. The proposed Agenda is as shown below:

Agenda
October 25, 2010 – Smart Village Cairo
10:00am – 2:00pm
Entrepreneurship in Egypt: Current State of Affairs
Egypt’s commitment to work with entrepreneurs, diasporas, and the private sector to create jobs and value: how real? How effective?
Silicon Valley Ecosystem: Will it Work in the Nile Valley?
How to make the dreams of Egypt's entrepreneurs come true by providing a complete ecosystem and interconnection with Silicon Valley.
Entrepreneurs: Challenges, Opportunities, and Aspirations
Egypt's best and brightest share their journey to launch, operate, and expand vibrant startups… and the challenges they face.
Angel Financing, Venture Capital, and Private Equity
Investors from Silicon Valley and Egypt discuss the creation of an effective angel network and a vibrant VC industry in Egypt and the resulting boom in entrepreneurship.
Emerging Opportunities: Mobile, Digital Media, and the Internet
Leading CEOs and serial entrepreneurs from the US discuss lessons learnt and targeted advice for Egyptian business leaders on the rise.

Register Now for the Rising Tide Forum
 

