Computer Security

Copyright 2010 by Stephen Vermeulen
Last updated: 2010 Nov 27

The time has come to install a personal firewall of some kind. This is especially true if you are the proud user of a full-time connection to the net such as a cable or ADSL modem. If you have an old PC sitting idle, then a product called GNATBox Lite from GTA is a high-quality, free solution. This provides both security and network address translation (NAT) that allows you to share your one connection with up to 5 machines on your LAN at the same time. If you need to protect a web server (or some other server you run) then the full-blown commercial version of GNATBox is hard to beat.

Current (July'05) estimates are that an unprotected Windows box will be hacked within about 12 minutes of being connected to the internet. The corollary to this is that it is impossible to install and download the necessary security patches to such a box without it being compromised unless it is behind a firewall. This hypothesis was retested in 2008 and it was found that the time to infection could be as low as 4 minutes.

SmoothWall may be another choice for a personal firewall; it gets a review here and more here. A review of the SmoothWall corporate server is here. LEAF is the Linux Embedded Appliance Firewall project. And then there is Captain Crunch's unit called the CrunchBox, which is available from ShopIP and is based on OpenBSD. IPCop is another variant of SmoothWall.

MandrakeSoft is going to have an integrated firewall, VPN and traffic management product.

An alternative to this might be one of the new "Router with NAT" boxes that are starting to show up. The UGATE-3200P (reviewed by Electric Tech) from Maxgate (appears defunct) or the DL-701 from DLink may be the solution. Linksys has a number of these, such as the BEFSR41, with varying numbers of ports, and it is reviewed here. Hawking Tech also has one of these. Not to be left out in the cold, SMC also offers the Barricade, which includes printer server capability and is reviewed here. And now Netgear is offering the RT314, which is reviewed here.

  • 2010-Nov-27: Slashdot discusses testing utility SCADA security. [9438] [1]
  • 2010-Sep-26: Sometimes security is just about the bleeding obvious: screen smudges on your cell phone display could give away your unlock pattern or code, just as wear patterns on your alarm system touch pad could make cracking your PIN easier. [9394] [1]
  • 2010-Sep-24: Slashdot discusses the need for firewalls on individual computers versus a single point of isolation between the safe network and the hostile world. [9385]
  • 2010-Sep-24: The Stuxnet worm may have been targeting the Iranian nuclear program. This worm was designed to exploit Siemens SCADA (industrial network) systems through weaknesses in their PLC systems. [9384]
  • 2010-Jul-16: Another hack has been found that allows for an attack from the local network side of a wireless router, so if the router has a weak admin password it is at risk even though no administration is allowed from the regular WAN. This gets further discussion here on Slashdot, with most taking the position that so long as you are using a good password there is no significant threat here. [9293]
  • 2010-Jul-06: Photo kiosks are becoming infected, they are picking up viruses from customers' USB drives (probably using the Windows auto-run feature) and then spreading these to subsequent customers. The same process could probably happen with flash cards as well - better remember to set the write protect switch on your SD card. [9280]
  • 2010-Jun-30: CUDA graphics engines have been used to accelerate the calculation of MD5 hashes to speed up password cracking attempts. Based on the timings that are published here a password length of 10 characters is getting to be pretty weak - that would take a single machine 50 years to search, so a project that combined these machines in a distributed fashion could easily crack 10 character passwords in days or less. [9266] [1]
  • 2010-Jun-30: Scammers have taken to using micro charges to large numbers of credit cards to avoid detection. [9263]
  • 2010-Jun-22: The skin that HTC applies to Android to make things pretty has some security issues, in the Droid Incredible phone it saves screenshots of the user's browser to internal memory, to make this worse these are not deleted by resetting the phone to factory defaults. [9232]
  • 2010-May-25: Tabnapping is a new (for 2010) approach to scamming the web browser user into revealing IDs and passwords. Be on the lookout for tabs whose original content has been replaced by authentic-looking login pages when they are re-exposed. Perhaps this will be combined with exploits that grab your browsing history so that the attacker can present you with a login page you are likely to have used. [9131]
  • 2010-Mar-31: Google's Chrome browser is the only browser to survive two years at the Pwn2Own competition without being hacked. [9043]
  • 2010-Mar-26: Google has been researching web site based malware distribution techniques. They are finding that 1.3% of Google searches return at least one link to a malware site and that most of these are hosted in China. Web adverts are now being used to deliver malware. [5107] [1]
  • 2010-Mar-26: Slashdot discusses free anti-virus software for Windows. Uncharacteristically Microsoft's Security Essentials gets recommended by a number of people. [9036]
  • 2010-Mar-08: The CipherChain series of products allows one to add full disk encryption in hardware to any PC using standard SATA disks. [8996]
  • 2010-Feb-26: Mozilla debates whether to trust the Chinese certificate authority. An interesting debate because a compromised certificate authority could facilitate attacks against SSL connections. [8983]
  • 2010-Feb-24: Bank card skimmers have been found hiding in gas pumps at 180 service stations in Utah. [8975]
  • 2010-Feb-22: The Chuck Norris botnet is attacking weakly secured routers, DSL modems and even satellite TV receivers. Given that devices like DSL modems and cable modems are often only configured by the ISP, there's a good chance for poor practices on the ISP's part (like using one user name and password on all of the modems it controls) to lead to massive hacks. Even though this attack is only against the router or modem, there is a nasty issue here: a compromised router could be set to divert DNS look-ups to a bad DNS server, which could serve up the wrong IPs for some common internet services (like Facebook or some of the advertising suppliers) and so divert the user's browser to sites that try to install malware. [8974]
  • 2010-Jan-15: One curious outcome of the attacks on GSM cellphone encryption that were published around the start of 2010 is that the GSM association actually moved to a weaker encryption algorithm (called KASUMI) from the previous MISTY algorithm. [8922]
  • 2010-Jan-12: Kodak's wireless picture frames are rather insecure allowing the public to browse the feed for them and potentially to load content onto them. [8919] [1]
  • 2010-Jan-12: The joy of securing your passwords if you let programs remember them for you. This contains a number of suggestions for password storage programs and for configuring common applications like Firefox. [8916]
  • 2010-Jan-09: A number of "secure flash drives" that claim NIST certification to the FIPS 140-2 standard have been found to be easily cracked. It turns out that while they may actually use AES 256-bit encryption inside, the way the password authentication is done can be trivially bypassed, so that any of these drives can be unlocked without the correct password. Schneier discusses it here. NIST is investigating this issue. The known vulnerable drives are:
    • Kingston DataTraveler BlackBox
    • SanDisk Cruzer Enterprise FIPS Edition
    • Verbatim Corporate Secure FIPS Edition
    [8904] [1]
  • 2009-Nov-20: Slashdot discusses tools for helping you remember your passwords. [8763]
  • 2009-Nov-11: An ATM flash mob managed to steal about $9 million from ATMs in 49 cities around the world in a 30 minute coordinated attack. Of course, with that many people involved someone is bound to slip up, get caught and then spill his guts... By Nov'09 it appeared that this case had been cracked. [7549]
  • 2009-Nov-11: Slashdot discusses the vulnerability of the electric power grid. [8728]
  • 2009-Nov-06: A man in the middle attack against SSL/TLS has been discovered. More coverage here. [8713]
  • 2009-Nov-03: The Amazon EC2 cloud computing service has been used to crack PGP passwords through brute force key searching. This article describes the general process and some details of how to set up the EC2 machine images. A followup article examines the cost to crack passwords of different sizes (and complexities) using this technique. Based on an opponent spending a few thousand dollars, a password of 8 characters or less is not safe unless it uses more than just upper and lower case letters and numbers. The good thing is that a password using only lower case letters and numbers would cost $75M to crack this way if it was 12 characters long (and this rises massively with just one more character), so passwords still don't have to be massively long. This gets further discussion here on Slashdot. [8690]
  • 2009-Oct-23: The Evil Maid attack against encrypted file systems - pretty much amounts to: if you leave your laptop anywhere there is a chance someone could install some sort of key logger on it, and then you're toast. [8662]
  • 2009-Oct-09: With Security Essentials Microsoft dips its toe in the muddy waters of virus detection, mocked here on Slashdot. [8616]
  • 2009-Sep-19: The Register takes a look at how online advertising can be used to infect computers with malware. This sort of trick was used to attack readers of the New York Times in Sept'09. [8532]
  • 2009-Sep-18: Microsoft has filed some civil lawsuits against some of the malvertisers - those who try to trick you into installing malware through online advertisements. [8520]
  • 2009-Sep-09: Twitter has been found to be tracking the links you click on. [8497]
  • 2009-Sep-08: A good article that talks about attacks by E-Mail and helps train users in how to recognize them. [8492]
  • 2009-Sep-04: About 10 digits is all that's needed to uniquely identify you (unless you need to be distinguished from past or future versions). This article points out a number of common ways people can be tracked through readily accessible information like zip codes and date of birth or even movie preferences. [8451]
  • 2009-Aug-26: Slashdot discusses ways to track stolen gadgets and some of the privacy issues that arise. [8425]
  • 2009-Aug-24: Ten ways to destroy a hard disk. Though no one suggested just driving over it a few times or attaching it to a lightning rod. [8416]
  • 2009-Aug-07: Credit cards and access cards which use RFID for "security" are becoming targets for information theft. This was demonstrated at DefCon in 2009, discussed here on Slashdot. The UK National Identity card may also have been hacked, though the UK Government claims this is not the case (this article contains some interesting information on how the card is using public key security for various functions), discussed here on Slashdot. [8367]
  • 2009-Jul-28: Some odd new forms of spam are discussed here. Including using sites such as Craigslist to spam people by first registering fake adverts and then sending you spam in fake responses to the fake advert through the site's email forwarding feature. [8342]
  • 2009-Jul-08: As a side-effect of dismissing a class-action suit against Microsoft for violating privacy by collecting IP addresses a Judge has ruled that IP addresses are not personally identifiable. If you think about it, this sort of issue has been recognized in the past with radar camera issued speeding tickets, where the license plate cannot be used to identify the driver of the vehicle. [8243]
  • 2009-May-01: Various resources on the Conficker worm that is set to change course on 1-Apr-09. Slashdot has more on it here. This has actually infected some medical equipment in hospitals where the equipment is based on Windows NT or 2000. [7811]
  • 2009-Apr-08: The US electric grid is thought to have been penetrated by spies. [7841] [1]
  • 2009-Mar-24: Another report of hackers penetrating control systems. This mentions the Bellingham Washington gasoline spill, but that was not due to hackers. [7782] [1]
  • 2009-Mar-23: The future may include viruses and other malware that can infect the BIOS of a computer, making the tried and true disinfection technique of wiping the hard disk and reinstalling useless. [7775]
  • 2009-Mar-20: Slashdot discusses Windows home directory encryption. [7749]
  • 2009-Feb-13: A Slashdot discussion of full drive encryption which (perhaps predictably) has a lot of recommendations of TrueCrypt. [7579]
  • 2009-Feb-08: An overview of the tools that OpenBSD provides for spam interception and prevention, including blacklisting, greylisting and spamtraps. Discussed here on Slashdot. [7544]
  • 2009-Jan-29: Full disk encryption is expected to drop in price (to near zero) and become available on most new drives, but when? With this approach a drive must receive the appropriate password before it will load any data, so you end up entering the password before the computer starts to boot. But what happens if you forget the password? Will you be able to overwrite the old disk with a new data set using a new password, or is the drive rendered inoperative to protect the encrypted data on it? Or, is there an administrative password you can enter to reset the user password? Or do you have to ship it back to the manufacturer to be unlocked? Or is there even a secret back door - say for customs to use? This gets discussed here on Engadget and here on Slashdot. [7493] [1]
  • 2009-Jan-21: Ever wondered what that TPM header was for on your motherboard? This article explains a bit about how this is used to create and store encryption keys for drives you attach to the motherboard. It can be used in such a way that the data on the drive is only accessible when attached to the motherboard that was used to format it. [7470] [1]
  • 2009-Jan-19: This paper: Secure Deletion of Data from Magnetic and Solid-State Memory talks about secure data deletion and has some epilogues that address recent changes in the field. [7458]
  • 2008-Dec-03: A long discussion of one man's crusade to stop spambots that scan his web site. [7289]
  • 2008-Nov-03: Slashdot discusses the new wireless home security systems. [7136]
  • 2008-Nov-03: In the UK someone put data about 12 million tax payers on a USB stick and then proceeded to drop it in a pub parking lot. Looks like big brother wants to share all your data. [7135]
  • 2008-Oct-26: Slashdot discusses current choices in free anti-virus software. [7098] [1]
  • 2008-Oct-13: Grocery store credit card scanners are being tapped to steal credit cards and send them to Pakistan. [7011]
  • 2008-Oct-01: A new internet-based denial of service attack may have been found. Slashdot discusses it here. After some thought it appears this form of attack probably isn't against a new weakness, rather it is a better way to launch a common type of denial of service attack allowing each client machine (i.e. attacking resource) to inflict more damage. [6960]
  • 2008-Sep-11: One attack against a SCADA system has now been published. Some of the Slashdot discussion gives a hint of how frequently these systems may actually be connected to the Internet rather than being completely isolated as one might at first think. [6831] [1]
  • 2008-Sep-04: Your government may have the worst computer security. And if you try to point out their problems they might fight back. Another example of government mishandling security: the British National High-Tech Crime Unit had a web site which got linked to by a number of important sites (like the BBC) and then they abandoned it; now a German owns the domain name. [6727]
  • 2008-Aug-27: A long open security hole in the border gateway protocol (BGP) has been publicly revealed. This works by convincing a target router to reroute packets to the attacker so he can play man-in-the-middle and other eavesdropping games. [6750]
  • 2008-Aug-04: The STARAY S from Radion is a 2.5 inch, USB drive enclosure with integrated security (and a keypad to allow entry of the pass code). Like a lot of these products the details on the actual cryptographic methods used are missing (they just say "proprietary 64-bit" which is usually a bad sign), so probably best avoided until more is known. This is now available. [6034] [1]
  • 2008-Aug-01: The USA's DHS has finally given public details on its policies for border searches of laptops and other electronic devices and documents. In short they can take anything you have, for any (or no) reason and keep it for any length of time. Discussed here on Slashdot. [6619] [1]
  • 2008-Jul-14: Adeona is an open source project (GPLv2 license) to develop a system for tracking the location of a lost or stolen laptop to assist in its return. This system uses a public distributed storage server to receive the location updates, but the location updates are encrypted so that only the true owner can access their contents (protecting his privacy). Discussed here on Slashdot. [6517] [1]
  • 2008-Jun-18: The Abstract Cheetos Attack, social engineering takes a culinary twist. If your target doesn't go for the cheetos bait then there's always powdered doughnuts or perhaps cinnamon buns. [6373] [1]
  • 2008-Jun-15: An old virus (Gpcode) that encrypts your files for a ransom has been updated in mid'08. Its use of crypto has been fixed and the only defense against this is a good backup system (possibly coupled with some tests to see if an unusual number of files have had their contents change). [6345]
  • 2008-Jun-06: The top five antivirus applications for the PC. [6295] [1]
  • 2008-May-15: A bug in SSH key generation introduced by Debian's package maintainers in 2006 was not fixed until May'08. A more detailed write up on this is here. [6152]
  • 2008-May-15: Bruce Schneier writes about choosing secure passwords and taking your laptop through US customs. Discussed here on Slashdot. [6170]
  • 2008-May-13: The NSA takes a look at system hardening. [6151]
  • 2008-May-05: Slashdot discusses backscatter spam in follow up to this article, and this article. Most of these place the problem in the "a few an hour" category, but if you have your own domain and have set it to receive all email for any name sent to it, you will see huge spikes when your domain name is used as a target. What happens is that the spam bots send their email out and make up return email addresses by combining a large list of user names with your domain name. Some portion of these outbound messages trigger back scattering and, as your email is set to receive any mail that comes to the domain, you get to see all of these. The first time I was hit by this was in Feb'05 for a couple of weeks. Every few months now, I'll go through a couple of days where I get over a thousand such messages a day. [6047]
  • 2008-Apr-22: Fujitsu has added hardware-based automatic full drive encryption to a 2.5 inch 320GB hard drive. [5950] [1]
  • 2008-Apr-16: The DataTraveler BlackBox drive from Kingston features a 256-bit hardware AES encryption processor and has been inspected by NIST in the US and the Communications Security Establishment in Canada. I wonder how long it will be before hackers open one up and find there's a trivial way to defeat this drive's security, like so many of the competing products. At $424 for an 8GB drive it would probably make more sense to buy a conventional drive and an ASUS Eee to run TrueCrypt on it. [5819] [1]
  • 2008-Mar-25: Slashdot discusses securing your laptop and cloud of small electronic devices in a cubicle. [5327]
  • 2008-Mar-23: Quantum computing (if it ever becomes feasible) may not be as big a threat to current encryption as some are saying today. [5321]
  • 2008-Mar-22: The strange story of bounced email that ends up at donotreply.com. [5319]
  • 2008-Mar-18: bitvise has a number of SSH products for Windows, including Tunnelier. [5301] [1]
  • 2008-Mar-14: One journalist's view of laptop security and the issue of border crossings - where you may be without any legal protection against search and seizure. [5280]
  • 2008-Mar-04: An old security hole in the Firewire software for Windows can be exploited to unlock PCs. [5217]
  • 2008-Mar-04: Modern DRAM chips can actually hold their data for a long time, and if they have been cooled this could even be in the range of minutes. This represents a potential security threat. One of the main reasons this attack works as well as it does is that current operating systems do not clear memory that is no longer in use (though Windows 2000 and up appear to clear it before allocating it to another process for use). Because of this it also is possible to boot a system from another drive (such as a USB drive) and then read the contents of memory left over from the last run. [5134]
  • 2008-Feb-19: The 2.5 inch Easy Nova Data Box PRO-25UE RFID portable encrypted drive turns out to be pretty insecure (discussed here on Slashdot), seems the manufacturer only implemented an XOR algorithm instead of the claimed AES. [5116] [1]
  • 2008-Feb-18: In a rather strange computer crime an investor hacked into a computer at IMS Health from which he stole a future earnings announcement, then he took a gamble and bought short expiry put options (which would have been virtually worthless at the time) in the company's stock. Once the earning announcement went public the following day the options grew in value by a factor of 5 and he sold them. The SEC figured that this must have been insider trading so halted his account and investigated. Now a judge has decided that while it was a crime to steal the earnings announcement it was not a crime under current US law to make money off the trade. [5111]
  • 2008-Feb-18: A look at the state of wireless security in Bluetooth, WiFi and WiMAX. [5108]
  • 2008-Feb-11: Slashdot discusses DKIM - Domain Key Identified Mail - an attempt to reduce email fraud. [5080]
  • 2008-Feb-06: TrueCrypt 5.0 has been released, this version includes full drive encryption that will prompt the user for the password at system boot. Discussed here on Slashdot. [5054]
  • 2008-Feb-05: Gutmann sound wave therapy, the strange tale of the Dutch proximity card billing system and how $2G was spent to produce an insecure system. [5038] [1]
  • 2008-Jan-28: The mysterious world of phishing and the associated money-mule scam. [5002]
  • 2008-Jan-22: SmallNetBuilder has a number of articles on WEP and WPA wireless encryption security, worth a read if you are setting up a WiFi network. [4976]
  • 2008-Jan-21: The InfoSec Institute offers a number of computer security and forensics training courses. [4975]
  • 2008-Jan-21: Slashdot discusses the CIA's claims that cyber attacks have blacked out cities, including one in the US. While this sounds pretty far-fetched, the claimed approach of attacking the SCADA system (which is the brain and nerves of the whole system) is plausible, especially when coupled with lax security practices (like installing WiFi on the internal LAN). Additional coverage on Engadget too. [4970] [1]
  • 2008-Jan-19: Using La Fonera router and the Fon Network to share an internet connection. [4963] [1]
  • 2008-Jan-14: A security issue with Flash in web browsers has been discovered that can be used to open ports in a home firewall by using UPnP. [4672]
  • 2008-Jan-12: Slashdot discusses how to safely dispose of old hard drives. [4657] [1]
  • 2008-Jan-10: Bruce Schneier talks about the pros and cons of leaving a wireless LAN unsecured. This gets discussed here on Slashdot. [4643] [1]
  • 2008-Jan-01: SftpDrive allows you to map an SSH server as a Windows drive so that applications within Windows can use files on the SSH server as if they were on simple network shared drives. [4567] [1]
  • 2007-Dec-21: Virus writers are getting more cunning or anti-virus writers are getting worse, so it looks like the effectiveness of anti-virus tools dropped in 2007. [4477]
  • 2007-Dec-16: The .Mac web interface (which allows Mac users to check the contents of their iDisk from a remote location) does not have a logout button - so potentially anyone who uses the public computer after you are done could gain access to your files. [4434]
  • 2007-Dec-04: The Microsoft wireless (radio) keyboards are insecure and keystrokes could be easily sniffed. At this time it is not known if the similar Logitech keyboards suffer from the same problems. This gets further discussion here on Slashdot. [4386]
  • 2007-Nov-20: A discussion of using Google as an MD5 cracker tool (discussed here on Slashdot), entering an MD5 hash code and finding a word that it is the hash for. There is some interesting discussion of salting and other approaches to hash reversal, including sites that specialize in just this problem. [4181] [1]
  • 2007-Nov-17: Hushmail has been giving out private decrypted emails. [4169]
  • 2007-Nov-06: Bruce Schneier discusses the Storm Worm, which has been running unchecked for nearly a year now, and wonders what it will eventually be used for. [4028]
  • 2007-Oct-07: Canada's Information and Privacy Commissioner gave a talk called Privacy by Design that addresses how to design software that protects the user's privacy. Discussed here on Slashdot. [2623]
  • 2007-Oct-01: A new approach to email authentication is being proposed, which would help in the fight against spam. [2418]
  • 2007-Sep-19: Cybercrime is now big business, and may be worth more than the drug trade. [2225]
  • 2007-Sep-17: Germany has arrested 10 people in a phishing scam. [2145]
  • 2007-Sep-17: Researchers have discovered new security holes due to multi-core CPUs. [2132]
  • 2007-Sep-16: A wireless (WiFi-based) camera can be a potential security breach-point, discussed here on Slashdot. [2131]
  • If you travel to India be very careful when using Internet Cafes, the police may have installed keyloggers. [2130]
  • A Slashdot discussion of Ophcrack, a Windows password cracking tool, there's plenty of additional material in the comments. KB299656 applies to this issue of the weak hash algorithm used in LAN Manager. [2129]
  • The Exploit Prevention Labs Blog discusses new threats [2128]
  • For those worried about leaking WiFi and other signals, a rather thick window film (used by some US agencies) may someday be made available to the public. [2127]
  • In May'07 a non-prime: 2^1039-1 was factored after 11 months of time. Which means that 1024 bit RSA encryption can now be attacked, at some cost. [2126]
  • Sometimes companies that should know better fall victim to simple social engineering [2125]
  • The Nokia N800 can be turned into a WiFi auditing device. This article discusses installing Metasploit on one, more coverage here. [2124]
  • Wikipedia discusses challenge-response authentication systems [2123]
  • Slashdot discusses choosing a firewall [2122]
  • EM-SEC Coating, a paint that absorbs WiFi signals [2121]
  • If you are running a wireless LAN you should read this article, if you are running in WEP 64 bit or 128bit mode you may be less than an hour away from being cracked. [2120]
  • Why would Skype read the BIOS (or at least part of it)? [2119]
  • Fighting spam by setting the primary MX record to point to a server that does not respond to mail delivery requests. Apparently most spam delivery clients will only try the first MX record. [2118]
  • Slashdot discusses a review of six rootkit detectors for Windows [2117]
  • Slashdot discusses spam blacklists [2116]
  • Slashdot discusses alternatives to embedding passwords into source code. [2115]
  • The web-based Anonymizer has been discontinued [2114]
  • A Slashdot discussion of anonymous surfing, proxy servers and other solutions [2113]
  • TOR, The Onion Router, is an EFF project that seeks to prevent web traffic analysis. There is a FAQ on it here. The authors warn that a possible exploit of TOR (since the final connection from the exit node to the site you are trying to reach is not encrypted) would be for the owner of an exit node to sniff all the outbound traffic looking for passwords etc., well someone did this and collected embassy-related passwords. There is more concern about abuse of TOR exit sites. [2112]
  • Apple's iSight could be taking pictures and sending them to malicious web sites. [2111]
  • A Slashdot discussion on firewall traversal for applications like Skype [2110]
  • OpenID is a decentralized digital identity system, it is discussed here on Slashdot. In Feb'07 Bill Gates announced that Microsoft will support it too. More discussion on OpenID, Yahoo, IBM, Microsoft, VeriSign and Google have all joined its board and there are now 250M OpenIDs in use. Here is a brief description of the process of getting an OpenID. MySpace has joined the OpenID coalition, adding a few more users. OpenID gets mentioned here in reference to attempts to move away from passwords to other means of authentication. Ned Batchelder found OpenID hard to get started in and dug up these discussions: OpenID is Why I Hate The Internet and The problem(s) with OpenID that talk about the difficulty of using OpenID and the apparent flaws in it. Microsoft has added support for OpenID to Windows Live, discussed here on Slashdot. OpenID for non-SuperUsers talks about setting up OpenID to use delegation. Not to be left out, Google is also supporting OpenID, but they have decided to fork development to address some of their concerns. More on Google's OpenID project here. Some sites are dropping support for OpenID. [2109]
  • Security from A to Z, an overview article [2108]
  • A USB-powered disc-scratcher designed to destroy CDs and DVDs. [2107]
  • No-swipe credit cards might be read from a distance (perhaps by someone standing nearby in the queue) [2106]
  • The BBC built a honeypot PC using Windows XP Home (Oct'06) and monitored it to see how often and by what means it would get attacked. The result: attacked within seconds of being connected to the net and during 7 hours in service it never got more than a 15 minute break from being attacked. [2105]
  • A Slashdot article discussing Crypto Snake Oil. [2104]
  • An online service called Jigsaw is collecting publicly available identity information, is this a threat to privacy? [2103]
  • An ethical hacker discusses protecting your identity online. [2102]
  • Security problems with Windows Mobile programs [2101]
  • The European Galileo GPS Satellite has been cracked making access to its data available. [2100]
  • grc.com has a number of podcasts (in MP3 format) that address a variety of security topics. [2099]
  • Computer users are the weakest link in the security chain, a bank auditor proved this with "lost" USB drives. Probably about time that banks switched back to less generic PC hardware to eliminate this sort of threat. [2098]
  • Numbers stations move from shortwave to VoIP, the spies of the world get an upgrade [2097]
  • Slashdot discusses if it is possible to run Windows XP in accounts without Administrator permissions. [2096]
  • The Citibank PIN scandal, a massive leakage of PINs. [2095]
  • Neighborhood WiFi security, the new trend of using your neighbor's WiFi. A very large residential WiFi mapping database has been revealed. [2094]
  • super-RFID tags for Homeland Security purposes? I wonder if someone will remember the old spy trick of implanting a pellet into someone using an umbrella? [2093]
  • NTLM Authentication Scheme for HTTP [2092]
  • Pod-slurping, using an iPod to scan networks for data. [2091]
  • The NetBSD project's cryptographic disk driver (CGD) (discussed here on Slashdot) keeps all data on the disk encrypted, which would be an especially good idea for laptops. This can also be used to encrypt CDs or DVDs. [2090]
  • Even the wiretapping system has security issues. [2089]
  • A Slashdot book review of: Cryptography in the Database, by Kevin Kenan, ISBN 0321320735. [2088]
  • USB and Firewire hardware can be used to break into locked PCs. [2087]
  • SnakeCard, open source solutions for analysis of smart cards [2086]
  • The Net Cowboy infra-red web cam [2085]
  • Printers are now spying on you... well, cunningly recording unique identifying marks on the pages they print. The EFF has compiled a list of printers which have implemented these tracking dots. [2084]
  • Practical exploits of MD5 flaws: there may be some areas where the recently discovered weakness in MD5 could actually be exploited, in particular allowing an attacker to modify a distributed software package (perhaps to introduce some form of malware) and then rebuilding the MD5 checksum so that the tampering is not detected. [2083]
  • What might be on your hotel room key card? [2082]
  • Does having an IT department encourage a company's workers to be less concerned about computer security? [2081]
  • People are leaving their files behind on discarded hardware [2080]
  • The sounds of keyboards can be recorded and used to crack passwords [2079]
  • The six dumbest ideas in computer security [2078]
  • Slashdot book review of: Brute Force: Cracking the Data Encryption Standard, by Matt Curtin, ISBN 0387201092. [2077]
  • What's on your network? This article on tracking down and removing unwanted devices looks quite good. [2076]
  • The Prismiq Commander wireless router is equipped for monitoring network traffic. [2075]
  • A Slashdot review of, File System Forensic Analysis, by Brian Carrier, ISBN: 0321268172. [2074]
  • Possible security risks with SSH based on an attack from the DMZ [2073]
  • Brute force attacks on SSH are being done. [2072]
  • Using SSH to achieve more secure online web surfing and email. More information on this. An Engadget how-to on this. [2071]
  • Scapy, a packet sniffing and generation tool controlled by Python scripting [2070]
  • Just how secure are proximity cards? Design of a reader. [2069]
  • Attacking Windows computers by using USB flash drives. [2068]
  • The Wolverine Firewall and VPN server is a custom Linux distro that is only about 13MB that contains a combination of firewall and IPSEC plus PPTP VPN servers. [2067]
  • What forms of internet attacks are happening to your computer? [2066]
  • Those credit card banks will apparently give credit to anyone, even on a torn up form [2065]
  • It looks like the first generation of RFID chips may not be very secure [2064]
  • RFID adds to the security of casino chips, at least that's their excuse... [2063]
  • Why passwords just don't work well. [2062]
  • Capturing a burglar with a web-cam type device [2061]
  • SHA-1 has now been compromised, time to start moving to more bits. More on this. [2060]
  • A Root Kit Revealer from SysInternals [2059]
  • Snooping on the contents of magnetic stripes on cards. [2058]
  • The biggest PC virus threat of 2004? The problem with JPEG rendering by Microsoft's GDI library, there's now a virus in the wild that exploits this. [2057]
  • A Slashdot review of: Steel Bolt Hacking, by Douglas Chick, ISBN: 0974463019, which addresses the question about how secure locks are. The Lockdown: Locked, but maybe secure, an article on the security of typical home and business key locks. [2056]
  • Don't depend on the security built into your keychain flash drive [2055]
  • A Slashdot review of: Network Security Assessment, by Chris McNab, ISBN: 059600611X. [2054]
  • More specialized Google searches, the Register reports on accessing web-connected security cameras this way, with follow up discussion on Slashdot. Boingboing has further information. johnny.ihackstuff.com has more on Google hacking. [2053]
  • Use Google to search for your personal information in case some careless on-line system has leaked it. [2052]
  • A Slashdot review of Tao of Security Monitoring, by Richard Bejtlich, ISBN 0321246772. [2051]
  • Time to disconnect your web cam when it's not in use [2050]
  • Steganography can be applied to executables too. [2049]
  • Just how secure is the Windows Firewall that is included in XP? [2048]
  • Big bucks may be transferred over the public internet, now this has to attract the attention of the bad hackers. [2047]
  • SHA-0 has been broken, MD5 may be next. [2046]
  • Unpatched Windows systems are expected to survive less than 1/2 hour before being hacked [2045]
  • A net cash system based on proof of work tokens [2044]
  • Looks like the Kensington computer locks, that are popular for laptops, may not be so secure [2043]
  • Slashdot discusses the magstripe, stripe snoop is software to read the contents of these [2042]
  • A secure and anonymous communication channel [2041]
  • The DNS sub-system could be a source of insecurity [2040]
  • Adding a reverse firewall to the home network access point could reduce the value of home PCs as spambots and DDOS units. [2039]
  • Tricks that are possible with caller ID via VOIP, so soon I won't be seeing any more Toll Free Calls on my caller ID, instead they'll use a database of all my contacts and pick one of these names at random. There is now (hopefully, for only a short time?) a service that enables anyone, using any phone, to make a call with any desired caller ID. The US has made this practice illegal and in May'08 the first set of such telemarketers were found guilty in New Jersey - now if only Florida and Nevada would stop calling me... [2038]
  • A Slashdot review of Network Security Hacks, by Andrew Lockhart, ISBN 0596006438. [2037]
  • Looks like MD5 can no longer be considered secure, now there's an online MD5 cracking service, presumably done as a distributed computing project. [2036]
  • Openswan, free IPSec VPN software [2035]
  • June 2004, the Linksys WRT54G wireless router could be a security risk as it still has ports 80 and 443 working, even after disabling remote administration for full security. Apparently the NetGear WG602 also suffers from this sort of thing. [2034]
  • A Slashdot review of Cryptographic Security Architecture: Design and Verification, by Peter Gutmann, ISBN: 0387953876. [2033]
  • Overview of anti-spam solutions [2032]
  • ZyXEL has a VoIP based Wi-Fi phone [2031]
  • A Slashdot review of A Field Guide to Wireless LANs for Administrators and Power Users, ISBN: 0131014064 [2030]
  • A Slashdot discussion on setting up wireless access points for coffee shops [2029]
  • Using a Chinese Lottery to look for MD5 collisions, you could be part of a distributed computing project each time you visit a web site. [2028]
  • It's possible to build and deploy an electronic voting system correctly. [2027] [1]
  • JavaScrypt is a browser based encryption system built on JavaScript, discussed here on Slashdot. [2026]
  • Slashdot discusses fast encryption solutions for Windows. Including TrueCrypt, an open source disk encryption solution (further discussion of TrueCrypt appears here). In Mar'07 version 4.3 of TrueCrypt was released, announced here on Slashdot. BestCrypt sounds like a similar commercial package. A bunch of "tiny" encryption packages. [2025]
  • PGP announces full hard drive encryption [2024]
  • Cypherix makes Cryptainer LE which offers 128-bit encryption for Windows [2023]
  • TinyIDEA is a very small (no frills) implementation of the IDEA encryption algorithm; it's written in x86 assembler and works well on WindowsNT4. It has a limitation with file names: it does not like files with more than a 3 letter extension, and when you try this it will send its output to the console rather than the file. There is some more information about this program here, along with a number of other links to download it from and some other crypto tools. A copy of it is also available here. [2022]
  • Aug 11, 2003 brought us the Blaster worm, here is Microsoft's information on it and here is a guide from Visualante. [2021]
  • How hackers are using search engines to reduce their work load. [2020]
  • Towards the end of 2006 there was a large increase in email spam [2019]
  • The ActiveState Field Guide to Spam, documents the tricks the spammers use to get their mail to you. [2018]
  • Maybe there are patterns to the prime numbers after all [2017]
  • Using the Windows2000 CD to open up a WindowsXP system [2016]
  • The crypto-gram newsletter by Bruce Schneier (author of the very readable Applied Cryptography text) is available at counterpane.com. Practical Cryptography, also by Bruce Schneier and Niels Ferguson is reviewed here on Slashdot. [2015]
  • A book review of Internet Site Security [2014]
  • Viewing randomness as part of an analysis of TCP/IP sequence number attacks. [2013]
  • A review of 8 intrusion detection systems (11-Jul-02) [2012]
  • Port numbers according to iana. [2011]
  • A glimpse at the future of web security, file sharing and privacy may be had by looking at CodeCon 2002. [2010]
  • Here's a hardware keystroke logger... easy to remove if you see one on the back of your machine. [2009]
  • This series of Register articles discusses some of the secure web surfing options currently available. [2008]
  • A Beginner's Guide to Wireless Auditing, makes use of the scapy Python packet manipulation tool. [2007]
  • The current state of Wireless security (Aug'05) [2006]
  • WiFi is insecure, and it's all the user's fault. [2005]
  • NakedWireless.ca discusses the issues of wireless LAN security. [2004]
  • Wireless LANs are becoming more popular, they are a bit much for the home in 2001, but the pricing will probably drop significantly by 2002. However, their security has some major flaws as shown in this paper... NetStumbler has quite a lot on this issue. Some more on free access at www.free2air.org. Some suggestions on how to secure a wireless LAN by using PPPoE or PPTP. Looks like the next generation of wireless, 802.1x, may also be insecure. And now your favourite geek store may be using these to broadcast your credit card numbers. [2003]
  • The SANS Institute runs incidents.org which tracks the progress of some worms and things (including the Code Red Worm). Caida.org has some dynamic graphs of the code red worm's progress. And in the end even Microsoft (hotmail) got hit by the worm. A script that can be used to notify the victim of code red that their system is infested. Another script, this one will shut down the infested system to prevent it from further abuse. Another script, this one is in python and it just parses your web server's access log to find the sites to notify (the way it notifies them is to start a browser on them pointed to a web page about code red). Some thoughts on what the next generation (Warhol Worms) of worms might be like. [2002]
  • According to The Register the CERT people now have a security advisory for the home user. [2001]
  • SecurityFocus has some articles on computer networking security. [2000]
  • Arudius (also here) is a live CD Linux distro for information security professionals. It is focused on providing tools for information assurance and vulnerability analysis. [1999]
  • Bastille is a security auditing and configuration tool for Linux systems. [1998]
  • Typhon is an internet security scanner. [1997]
  • DShield.org is a distributed intrusion detection system, they collect information (in the form of server and firewall log files) and look for attack patterns in them. [1996]
  • There are a number of web servers you could run, but many choose Microsoft's IIS. Unfortunately for them it seems to have become the target of choice for hackers, as it seems to be about as solid as Swiss cheese. See also this. [1995]
  • Gibson Research Corp. has a number of security related tools, Patchwork tests Windows NT and 2000 systems for certain known issues and ShieldsUp is a test of your net visible ports. [1994]
  • Yoggie makes a small, Linux based, security computer which acts as a firewall and malware scanner on the LAN connection between your computer and the net. In May'07 they announced a newer version called the Pico which is discussed here on Slashdot. [1993]
  • Now SOHOWare is offering their Broadguard NBG800 (reviewed here) which is the first I have seen that claims to have stateful packet inspection (which is something that GNATBox has had for a long time). This Slashdot article looks at this sort of equipment. GigaFast makes a 4 port router with a built in printer server. The Compex NetPassage is another NAT firewall/router unit, with wireless capabilities. Nexland's ISB Pro800 router with NAT sounds nice. [1992]

Configuring to use NetMeeting or other H.323 Video Conferencing Software

This article suggests that the easiest way of doing this through firewalls is to set up a VPN between the two end points and then connect through it.

info, the scoop from Microsoft, routers that support H.323 to some degree

VivaVideo may be another approach

Comet Videophone requires fewer ports than H.323

Eyeball chat, this looks pretty promising, it's free (for personal use in a 1 to 1 chat mode - beyond this they sell a more full featured version) and it claims to be able to work through firewalls.

MSN Messenger also can do this, and it appears to work through firewalls (though so far I have not got audio to work - but video works fine)