Archive for the 'security' Category
Monday, September 10th, 2007
Coding Horror has written an informative article on Rainbow Tables, and why Windows servers can be particularly vulnerable.
The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”.
Why is Ophcrack so fast? Because it uses Rainbow Tables. No, not the kind of rainbows I have as my desktop background.
Posted in security | No Comments »
Monday, July 30th, 2007
This Firefox extension makes the saved passwords feature of Firefox safer by forcing you to click on the Secure Login button in order to fill in your login name and password on forms. This helps prevent cross-site scripting attacks on malicious sites that try to steal your passwords.
Secure Login provides you with a number of security enhancements and helps protect you from phishing:
- Disabling the prefilling of login forms prevents malicious JavaScript code from automatically stealing your login data. This is due to the fact that no login data is inserted in form fields before the user clicks on the login button or logs in using the keyboard shortcut.
- To make sure you log in to the right website, the second level domain of the login URL is compared to the second level domain of the current page. If they do not match, a dialog prompt is displayed before login.
- Secure Login provides you with an optional setting to protect you from all JavaScript code during login. This can prevent cross-site scripting (XSS) attacks without having to deactivate JavaScript completely. If you enable this option, your login data will never be inserted in any form fields nor will the login form be submitted. Instead your credentials will be sent to the login page using internal Firefox methods. Not all login forms will work this way, e.g. not those using JavaScript routines. Therefore, you can add such websites to an exception list.
Posted in downloads, security | No Comments »
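The domain comparison described in the post above, sketched as an added example (this is not the extension's code). The function names and the three-entry suffix set are assumptions made for illustration; the point is that a literal "last two labels" comparison treats every site under a suffix such as co.uk as the same site.

```python
from urllib.parse import urljoin, urlsplit

# Constructed, deliberately tiny sample; production code should consult the
# full Public Suffix List instead of this set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def _labels(url):
    """Lower-cased host labels of a URL (empty host gives [''])."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.split(".")


def naive_site(url):
    """Literal 'second level domain': the last two labels of the host."""
    return ".".join(_labels(url)[-2:])


def registrable_site(url):
    """Suffix-aware variant: one label in front of the public suffix."""
    labels = _labels(url)
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def needs_prompt(page_url, form_action, site=registrable_site):
    """True when the login form submits to a different site than the page.

    form_action may be relative, so it is resolved against the page URL
    before the two hosts are compared.
    """
    target = urljoin(page_url, form_action)
    return site(page_url) != site(target)
```

Passing `site=naive_site` reproduces the literal comparison, which lets the two behaviours be checked side by side on the same URLs.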
Friday, April 20th, 2007
Just like CRTs, someone can eavesdrop on the electromagnetic emissions from your LCD display.
Back in 1985, Wim Van Eck proved it was possible to tune into the radio emissions produced by electromagnetic coils in a CRT display and then reconstruct the image. The practice became known as Van Eck Phreaking, and NATO spent a fortune making its systems invulnerable to it. It was a major part of Neal Stephenson’s novel Cryptonomicon.
CRTs are now well on the way to being history. But Kuhn has shown that eavesdropping is possible on flat panel displays too. It works slightly differently. With a flat panel display the aim is to tune into the radio emissions produced by the cables sending a signal to the monitor. The on-screen image is fed through the cable one pixel at a time. Because they come through in order you just have to stack them up. And Kuhn has worked out how to decode the colour of each pixel from its particular wave form.
Posted in computers, security, technology | No Comments »
Tuesday, March 20th, 2007
The latest update to the TrueCrypt encryption utility is now available.
We are pleased to announce that TrueCrypt 4.3 has been released. Among the new features is full compatibility with 32-bit and 64-bit Windows Vista, support for devices and file systems that use a sector size other than 512 bytes (such as new hard drives, USB flash drives, DVD-RAM, MP3 players, etc.), auto-dismount when a host device (e.g., a USB flash drive) is inadvertently removed, and many more. In addition to new features, there are many significant improvements. Some portions of the TrueCrypt device driver have been completely redesigned and several bugs have been fixed. For a comprehensive list of changes, please see http://www.truecrypt.org/docs/?s=version-history
Posted in apps, downloads, security | No Comments »
Monday, March 19th, 2007
Engadget has a fascinating series of articles on lock security and lock picking.
The most popular locking mechanism in the world utilizes the pin tumbler design, first developed 4000 years ago in Egypt and then rediscovered and perfected a century and a half ago by Linus Yale. There are billions of these locks in the world and they come in all sizes, configurations, and security ratings. Some are secure; most are not, and even some high security rated cylinders can be easily compromised. All that is required to open many types of pin tumbler cylinders — the kind of lock that probably keeps the bad guys out of your home — is a bump key and a tool for creating a bit of force. The bump key shown above opens an extremely popular five pin lock, and the plastic bumping tool is produced by Peterson manufacturing, although many others are now being offered for sale. With these two cheap implements, anyone — and I do mean anyone — can get into your home or business in a matter of seconds.
Posted in security, technology | No Comments »
Tuesday, March 13th, 2007
A new tool has been announced in the piracy arms race. This tool can be deployed by network administrators to monitor network traffic in order to identify people using P2P services, and can automatically boot them off the network. The question is whether or not it can distinguish legitimate uses of those P2P technologies. The price: “$1 million price tag for installation and $250,000 yearly operation costs.”
Red Lambda says that cGrid monitors “a large variety of different P2P clients, in addition to other avenues of file-sharing including Windows file sharing, FTP, IM, and others,” and that cGrid does not perform content inspection but instead focuses on the behavior of the protocols being monitored. But the company does not expand on how it differentiates between legitimate uses of those technologies and illegal ones, raising questions of its effectiveness in an academic setting where students may be using P2P and other services potentially flagged by the system for legitimate, academic reasons.
Posted in networking, rights, security, technology | No Comments »
Monday, March 5th, 2007
TaskList.org can tell you whether or not a process in your Windows task list is spyware.
Posted in security | No Comments »
Tuesday, January 30th, 2007
Grab the latest version of the PuTTY SSH client and associated utilities.
Posted in apps, downloads, networking, security | No Comments »
Wednesday, January 3rd, 2007
An aide for a Montana congressman was fired for trying to solicit hackers from attrition.org to boost his college GPA. The hackers merely led him on through a series of hilarious emails, including some asking him to take pictures of squirrels.
From: Todd Shriber (nascar24_08530@yahoo.com)
To: lyger@attrition.org
Date: Wed, 9 Aug 2006 12:58:29 -0700 (PDT)
Subject: Question for you or other Attrition members
Lyger - I came across Attrition.org for the first
time. I enjoyed the site though I am not an expert
with computers. That brings me to my next point: I
need to urgently make contact with a hacker that would
be interested in doing a one-time job for me. The pay
would be good. I'm not sure what exactly the job would
entail with respect to computer jargon, but I can go
into rough detail upon making contact with a
candidate. Thanks for your help.
Posted in funny, security | No Comments »
Wednesday, November 8th, 2006
This is a visual guide to lock picking in comic book format. This guide is easier to read than the classic MIT Guide to Lock Picking.
Locksport International is proud to provide a simple, visual guide to lock picking. It is our hope that beginners will find this useful in learning the basic skills of picking pin tumbler locks.
Posted in reference, science/nature, security | 1 Comment »
Tuesday, October 3rd, 2006
Some useful tools to keep your data away from prying eyes.
Everyone wants to be a badass. Whether you want to admit it or not, if you are a self respecting geek, you want to protect your sensitive information in a way so the CIA can’t even read it. You probably wouldn’t look, considering you live in your basement and don’t have anything to hide besides that gigantic Mountain Dew Machine and the codes for free Whopper Sandwiches. So I’ve looked for you.
Posted in cryptography, security | No Comments »
Wednesday, September 13th, 2006
This is a hilarious transcript of a naive script-kiddie being baited into trashing their own machine.
<Elch> You’re a real computer expert
<bitchchecker> shut up i hack you
<Elch> ok, i’m quiet, hope you don’t show us how good a hacker you are ^^
<bitchchecker> tell me your network number man then you’re dead
<Elch> Eh, it’s 129.0.0.1
<Elch> or maybe 127.0.0.1
<Elch> yes exactly that’s it: 127.0.0.1 I’m waiting for your great attack
<bitchchecker> in five minutes your hard drive is deleted
<Elch> Now I’m frightened
Posted in funny, security | No Comments »
Wednesday, July 12th, 2006
I found this great little overview on defending your SSH server from script kiddies. This should be required reading for anyone running an SSH server.
During 2005, brute force attacks on the ssh (secure shell) service became pretty popular. These attacks are based on a rather simple idea: use an automated program for trying, one after the other, many combinations of standard or frequently used account names and likewise frequently used passwords (e.g.: guest/guest).
Defence methods
There are a number of methods to defend against such brute force attacks. The following list is intended to give an overview of them, and briefly mention their respective advantages and disadvantages.
- Strong passwords
- RSA authentication
- Using ‘iptables’ to block the attack
- Using the sshd log to block attacks
- Using tcp_wrappers to block attacks
Posted in security | No Comments »
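To make the "using the sshd log" and "tcp_wrappers" items in the post above concrete, here is an added example (not taken from the linked article) that counts failed password attempts per source address in a sliding time window and renders the offenders as hosts.deny entries. The log lines are constructed samples in OpenSSH's syslog format, and the threshold, window and year defaults are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Jul 12 03:14:01 host sshd[811]: Failed password for invalid user guest from 203.0.113.5 port 40112 ssh2
Jul 12 03:14:03 host sshd[813]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Jul 12 03:14:05 host sshd[815]: Failed password for root from 203.0.113.5 port 40131 ssh2
Jul 12 03:14:08 host sshd[817]: Failed password for invalid user admin from 203.0.113.5 port 40139 ssh2
Jul 12 03:20:10 host sshd[901]: Failed password for alice from 198.51.100.7 port 51515 ssh2
Jul 12 03:20:31 host sshd[903]: Accepted password for alice from 198.51.100.7 port 51517 ssh2
Jul 12 09:00:00 host sshd[990]: Failed password for root from 192.0.2.44 port 2200 ssh2
Jul 12 11:30:00 host sshd[995]: Failed password for root from 192.0.2.44 port 2201 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def find_offenders(log_text, threshold=4, window=timedelta(minutes=1), year=2006):
    """Return {ip: sorted usernames tried} for every source that produced
    at least `threshold` failed logins inside one sliding `window`."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> every account name it tried
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp, user, ip = m.groups()
        # Syslog timestamps carry no year, so one is supplied by the caller.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        users[ip].add(user)
        while when - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            offenders[ip] = sorted(users[ip])
    return offenders


def hosts_deny_lines(offenders):
    """Render offenders in tcp_wrappers hosts.deny syntax."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]
```

A single mistyped password followed by a successful login (198.51.100.7 in the sample) stays below the threshold, and two failures hours apart (192.0.2.44) never share a window.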
Thursday, June 8th, 2006
This short article documents how frighteningly easy it was to compromise a credit union’s network security. They simply left USB flash drives that had been purposely infected with trojans where employees could find them, sat back, and waited for sensitive data to stream in. Even worse, the employees had been tipped off that a security audit was going to be performed.
After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
Posted in security | No Comments »
Sunday, April 23rd, 2006
Researchers can use the noise profile of digital camera sensors to identify whether a set of images came from a certain camera. From MetaFilter:
Every original digital picture is overlaid by a weak noise-like pattern of pixel-to-pixel non-uniformity. Although these patterns are invisible to the human eye, the unique reference pattern or “fingerprint” of any camera can be electronically extracted by analyzing a number of images taken by a single camera. Fridrich’s lab analyzed 2,700 pictures taken by nine digital cameras and with 100 percent accuracy linked individual images with the camera that took them.
Posted in photography, science/nature, security, technology | No Comments »
Tuesday, April 18th, 2006
The latest version of TrueCrypt encryption software has been released. This is one of the best tools available out there for securing your data.
TrueCrypt 4.2 Released
April 17, 2006; 1900 GMT
We are pleased to announce that TrueCrypt 4.2 has been released. Among the new features is the ability to create a TrueCrypt volume under Linux, ability to create a ‘dynamic’ container whose physical size (actual disk space used) grows as new data is added to it, ability to change volume passwords/keyfiles under Linux, ability to create keyfiles under Linux, ability to restore and backup volume headers under Linux, and many more.
This release makes the Linux version of TrueCrypt completely independent of the Windows version. However, both versions will continue to be mutually compatible. For a comprehensive list of changes, please see http://www.truecrypt.org/history.php
Posted in apps, downloads, security | No Comments »
Friday, April 14th, 2006
Freedom to Tinker has an interesting post on how HDCP could be broken.
Every new HDCP device is given two things: a secret vector, and an addition rule. The secret vector is a sequence of 40 secret numbers that the device is not supposed to reveal to anybody. The addition rule, which is not a secret, describes a way of adding up numbers selected from a vector. Both the secret vector and the addition rule are assigned by HDCP’s central authority. (I like to imagine that the central authority occupies an undersea command center worthy of Doctor Evil, but it’s probably just a nondescript office suite in Burbank.)
Posted in math, rights, security, technology | No Comments »
Thursday, March 16th, 2006
Cockeyed.com has a disturbing story where a guy tears up a credit card application he received in the mail into smallish pieces, tapes it all back together, and then fills it in. He even changes his return address to his parents’ home, and sends it back to the credit card company. Amazingly, the application is accepted and they send him a new credit card!
On the Chase Website about protecting your identity, I learned that I should tear up financial solicitations that I am not interested in.
This was bad news. Maybe my card would never come.
I also checked the Federal Trade Commission website on protecting your identity.
They suggested that I “tear or shred” credit applications and other forms before discarding them.
…
Things worked out just fine for me, I got my card, and I’m happy. But for you, you might be worried right now. Every credit card application you get is now like a villain from a suspense thriller. If you don’t figure out how to completely destroy it, it may come back to terrorize you in the sequel.
Posted in funny, security | No Comments »
Monday, February 27th, 2006
The Ethical Hacker Network has some tips on using Google queries to check the security of a site. The article is an excerpt from the book Google Hacking for Penetration Testers.
Although we see literally hundreds of Google searches throughout this book, sometimes it’s nice to know there’s a few searches that give good results just about every time. In the context of security work, we’ll take a look at 10 searches that work fairly well during a security assessment, especially when combined with the site operator, which secures the first position in our list. As you become more and more comfortable with Google, you’ll certainly add to this list, modifying a few searches and quite possibly deleting a few, but the searches here should serve as a very nice baseline for your own top 10 list.
Posted in security, web | No Comments »
Monday, February 20th, 2006
This is the classic hacker text on how many locks work and how to pick them. This was apparently published by a student at MIT in 1991, but MIT requested that their name be removed from the title.
Posted in security | 1 Comment »