Haiders WebSpace » Reference Library (Interesting News)

Google announces Iraq Domain (google.iq)

Haider al-Khateeb — Fri, 01 Apr 2011 18:16:58 +0000

Two new Google domains: Iraq and Tunisia

3/31/2011 12:05:00 PM

We offer search on different regional domains, such as google.fr for France and google.dj for Djibouti, in order to provide the most locally-relevant results. We’ve steadily brought Google to many of the world’s domains, and today we announced on our Google Arabia Blog that we’re adding two more: google.iq for Iraq and google.tn for Tunisia. This brings the number of local Google search domains worldwide to 184, with 15 domains in Arab countries.

The new domains will help people in Iraq and Tunisia find locally relevant information, faster. For example, a search for [central bank] on the Iraq domain yields results relevant to someone in Iraq, such as the Central Bank of Iraq. On the other hand, the same search on the Tunisia domain returns slightly different results.

The new domains also make it easier for people in Iraq and Tunisia to access search in their preferred languages. In Iraq, people can now easily access Google search in local languages like Arabic and Kurdish; while in Tunisia, people can find the Google interface in Arabic and French. In the past, people in these regions would need to visit the domain for another country to use Google in an interface they were comfortable with. And when they did, the results would be relevant to a different region.

Local domains are a first step towards making the web more accessible and relevant for people around the world. They’re also an integral part of our vision to make all of our products available in the world’s top 40 most spoken languages covering 99 percent of Internet users worldwide. We plan to add more domains in the coming months, so stay tuned!

Posted by AbdelKarim Mardini, Product Manager, Middle East & North Africa

Ref. http://googleblog.blogspot.com/2011/03/two-new-google-domains-iraq-and-tunisia.html

Feds use keylogger to thwart PGP, Hushmail

Haider al-Khateeb — Tue, 19 Jan 2010 14:50:33 +0000

by Declan McCullagh

“A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect’s home or office, implanting keystroke-logging software, and spying on what happens from afar.

An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives’ contents and inject a keystroke logger into the computers.”

“That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed “real-time and meaningful access” to “monitor the keystrokes” for PGP and Hushmail passphrases.”

Note: This is the second known/reported case where the police used keyloggers. Check the following ref. to read the full article.

Ref.

Declan McCullagh. Feds use keylogger to thwart PGP, Hushmail (2007) [cited 2010 Jan 19]; Available from: http://news.cnet.com/8301-10784_3-9741357-7.html

IT security pros don’t use passwords on their business smartphones

Haider al-Khateeb — Wed, 13 Jan 2010 17:18:38 +0000

IT security professionals are only marginally more likely to use passwords than standard users, according to a new survey.

A concerning 35 per cent said that they just don’t get around to using a password on their business smartphones, compared to 40 per cent of the general population.

In spite of this carefree attitude, twelve per cent of IT pros said that their phone contained bank account details, while a further 5 per cent admitted to storing credit card information on their work handset.

Andrew Kahl, VP Operations and Co-Founder CREDANT Technologies said: “It is alarming to note that the very people who are responsible for IT security are not much better at protecting the information on their business phones than most of their co-workers, who don’t necessarily know any better. If a smartphone goes missing and isn’t protected with a password, and contains corporate data, then the company is immediately in breach of the data protection act.”

The survey also found that a third of IT professionals use their own personal mobile phone for work purposes even though the company specifically bans them for business use with almost a fifth spending more than an hour or more per day on their own personal phone for business purposes.

The survey was conducted at Infosec Europe 2009.

SC Staff (2009). IT security pros don’t use passwords. [cited 2010 Jan 12]; Available from: http://www.scmagazineuk.com/it-security-pros-dont-use-passwords/article/138942/

Statistics from 10,000 leaked Hotmail passwords

Haider al-Khateeb — Wed, 13 Jan 2010 16:57:05 +0000

by Bogdan Calin

An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.

My impression is that these passwords have been gathered using phishing kits. Even more, the phishing kit used most probably was badly designed, since it was one that didn’t further authenticated the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn’t understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong.

Bellow are the statistics:

The list initially contained 10,028 entries.

After I’ve cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).

There are 8931 (90%) unique passwords in the list.

The longest password was 30 chars long: lafaroleratropezoooooooooooooo.

The shortest password was 1 char long : )

Top 20 most common passwords:

123456 – 64

123456789 – 18

alejandra – 11

111111 – 10

alberto – 9

tequiero – 9

alejandro – 9

12345678 – 9

1234567 – 8

estrella – 7

iloveyou – 7

daniel – 7

000000 – 7

roberto – 7

654321 – 6

bonita – 6

sebastian – 6

beatriz – 6

mariposa – 5

america – 5

Based on these passwords I think the phishing kit was targeted towards the Latino community.

Password length distribution:

1 chars – 2 – 0 %

2 chars – 4 – 0 %

3 chars – 4 – 0 %

4 chars – 31 – 0 %

5 chars – 49 – 1 %

6 chars – 1946 – 22 %

7 chars – 1254 – 14 %

8 chars – 1838 – 21 %

9 chars – 1091 – 12 %

10 chars – 772 – 9 %

11 chars – 527 – 6 %

12 chars – 431 – 5 %

13 chars – 290 – 3 %

14 chars – 219 – 2 %

15 chars – 157 – 2 %

16 chars – 190 – 2 %

17 chars – 56 – 1 %

18 chars – 17 – 0 %

19 chars – 7 – 0 %

20 chars – 14 – 0 %

21 chars – 10 – 0 %

22 chars – 8 – 0 %

23 chars – 3 – 0 %

24 chars – 3 – 0 %

25 chars – 3 – 0 %

26 chars – 0 – 0 %

27 chars – 3 – 0 %

28 chars – 0 – 0 %

29 chars – 1 – 0 %

30 chars – 1 – 0 %

As you can see from the list above, most of the passwords are between 6 and 9 characters long. Average password length is 8 characters.

What kind of passwords were in the list? :

3,713 = 42 %; lower alpha passwords : passwords containing only characters from ‘a’ to ‘z’.
Example : iloveyou

291 = 3 %; mixed case alpha passwords : passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
Example: ILoveYou

1707 = 19 %; numeric passwords: passwords containing only numbers (‘0′ to ‘9′)
Example: 123456

2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-’z’, ‘A’-’Z’ and ‘0′-’9′.
Example: Iloveyou12

565 = 6 %; mixed alpha + numeric + other characters.
Example: 1Love You$%@

As we can see and conclude from the list above, a big majority of users still use very poor passwords: 42% (lower alpha only) and 19% (numeric only), while only 6% from all the passwords had passwords which use a selection of alpha numeric and other characters.

Ref.

Bogdan Calin (2009). Statistics from 10,000 leaked Hotmail passwords. [cited 2010 Jan 12];
Available from: http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/

ICANN Approves Arabic, Chinese and other languages to be used in Domain Names

Haider al-Khateeb — Wed, 13 Jan 2010 15:46:53 +0000

Seoul: The first Internet addresses containing non-Latin characters from start to finish will soon be online thanks to today’s approval of the new Internationalized Domain Name Fast Track Process by the Internet Corporation for Assigned Names and Numbers board.

“The coming introduction of non-Latin characters represents the biggest technical change to the Internet since it was created four decades ago,” said ICANN chairman Peter Dengate Thrush. “Right now Internet address endings are limited to Latin characters – A to Z. But the Fast Track Process is the first step in bringing the 100,000 characters of the languages of the world online for domain names.”

ICANN’s Fast Track Process launches on 16 November 2009. It will allow nations and territories to apply for Internet extensions reflecting their name – and made up of characters from their national language. If the applications meet criteria that includes government and community support and a stability evaluation, the applicants will be approved to start accepting registrations.

“This is only the first step, but it is an incredibly big one and an historic move toward the internationalization of the Internet ,” said Rod Beckstrom, ICANN’s President and CEO. “The first countries that participate will not only be providing valuable information of the operation of IDNs in the domain name system, they are also going to help to bring the first of billions more people online – people who never use Roman characters in their daily lives.”

IDNs have been a topic of discussion since before ICANN’s inception. It’s taken years of intense technical testing, policy development, and global co-operation to prepare the Fast Track process for its coming launch.

“Our work on IDNs has gone through numerous drafts, dozens of tests, and an incredible amount of development by volunteers since we started this project. Today is the first step in moving from planning and implementation to the real launch,” said Tina Dam, ICANN’s Senior Director for IDNs. “The launch of the Fast Track Process will be an amazing change to make the Internet an even more valuable tool, and for even more people around the globe.”

Ref. ICANN Bringing the Languages of the World to the Global Internet (2009) [cited 2010 Jan 01]; Available from: http://icann.net/en/announcements/announcement-30oct09-en.htm

Also check the following report from the BBC:
Internet addresses set for change; Available from: http://news.bbc.co.uk/1/hi/8333194.stm

UK can now demand data decryption on penalty of jail time

Haider al-Khateeb — Fri, 08 Jan 2010 14:59:04 +0000

“A controversial provision in the UK’s Regulation of Investigatory Powers Act (RIPA) allows investigators to demand access to cryptographic keys or fully decrypted data. Failure to comply leads to jail time”

“New laws going into effect today in the United Kingdom make it a crime to refuse to decrypt almost any encrypted data requested by authorities as part of a criminal or terror investigation. Individuals who are believed to have the cryptographic keys necessary for such decryption will face up to 5 years in prison for failing to comply with police or military orders to hand over either the cryptographic keys, or the data in a decrypted form.

Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes provisions for the decryption requirements, which are applied differently based on the kind of investigation underway. As we reported last year, the five-year imprisonment penalty is reserved for cases involving anti-terrorism efforts. All other failures to comply can be met with a maximum two-year sentence.

The law can only be applied to data residing in the UK, hosted on UK servers, or stored on devices located within the UK. The law does not authorize the UK government to intercept encrypted materials in transit on the Internet via the UK and to attempt to have them decrypted under the auspices of the jail time penalty.”

Ref.

Ken Fisher. 2007 [Cited 2010 Jan 08]; Available from http://arstechnica.com/tech-policy/news/2007/10/uk-can-now-demand-data-decryption-on-penalty-of-jail-time.ars