The time has come to install a personal firewall of some
kind. This is especially true if you are the proud user of a full-time
connection to the net such as a cable or ADSL modem. If you have an old PC sitting
idle, then a product called GNATBox
Lite from GTA is a high-quality,
free solution. This provides both security and network address
translation (NAT) that allows you to share your one connection with up to 5
machines on your LAN at the same time. If you need to protect a web server (or
some other server you run) then the full-blown commercial version of GNATBox
is hard to beat.
Current (July'05) estimates are that an unprotected Windows
box will be hacked
within about 12 minutes from being connected to the internet. The
corollary to this is that it is impossible to install and download the
necessary security patches to such a box without it being compromised
unless it is behind a firewall. This hypothesis was retested in 2008 and
it was found that the time to infection could be as low as 4 minutes.
SmoothWall may be
another choice for a personal firewall; it is reviewed here and
here. A review of the SmoothWall corporate server is here.
LEAF is the Linux
Embedded Appliance Firewall project. And then there is Captain Crunch's
unit called the CrunchBox which is available from ShopIP,
this is based on OpenBSD. IPCop
is another variant of SmoothWall.
MandrakeSoft is going to have an integrated firewall,
VPN and traffic management product.
An alternative to this might be one of the new "Router with
NAT" boxes that are starting to show up. The UGATE-3200P (reviewed by Electric
Tech) from Maxgate (appears
defunct) or the DL-701
from DLink may be the solution. Linksys
has a number of these, such as the BEFSR41,
with varying number of ports and is reviewed here.
Tech also has one of these. Not to be left out in the cold SMC
also offers the Barricade
which includes printer server capability, and is reviewed here.
And now Netgear is offering the
which is reviewed here.
- 2010-Nov-27: Slashdot discusses testing utility SCADA security.  
- 2010-Sep-26: Sometimes security is just about the bleeding obvious: screen smudges on your cell phone display could give away your unlock pattern or code, just as wear patterns on your alarm system touch pad could make cracking your PIN easier.  
- 2010-Sep-24: Slashdot discusses the need for firewalls on individual computers versus a single point of isolation between the safe network and the hostile world. 
- 2010-Sep-24: The Stuxnet worm may have been targeting the Iranian nuclear program. This worm was designed to exploit Siemens SCADA (industrial network) systems through weaknesses in their PLC systems. 
- 2010-Jul-16: Another hack has been found that allows for an attack from the local network side of a wireless router, so if the router has a weak admin password it is at risk even though no administration is allowed from the regular WAN. This gets further discussion here on Slashdot, with most taking the position that so long as you are using a good password there is no significant threat here. 
- 2010-Jul-06: Photo kiosks are becoming infected, they are picking up viruses from customers' USB drives (probably using the Windows auto-run feature) and then spreading these to subsequent customers. The same process could probably happen with flash cards as well - better remember to set the write protect switch on your SD card. 
- 2010-Jun-30: CUDA graphics engines have been used to accelerate the calculation of MD5 hashes to speed up password cracking attempts. Based on the timings that are published here a password length of 10 characters is getting to be pretty weak - that would take a single machine 50 years to search, so a project that combined these machines in a distributed fashion could easily crack 10 character passwords in days or less.  
- 2010-Jun-30: Scammers have taken to using micro charges to large numbers of credit cards to avoid detection. 
- 2010-Jun-22: The skin that HTC applies to Android to make things pretty has some security issues: in the Droid Incredible phone it saves screenshots of the user's browser to internal memory. To make this worse, these are not deleted by resetting the phone to factory defaults. 
- 2010-May-25: Tabnapping is a new (for 2010) approach to scamming the web browser user into revealing IDs and passwords. Be on the lookout for tabs that contained some content being replaced by authentic-looking login pages when they are re-exposed. Perhaps this will be combined with exploits that grab your browsing history so that the attacker can present you with a login page you are likely to have used. 
- 2010-Mar-31: Google's Chrome browser is the only browser to survive two years at the Pwn2Own competition without being hacked. 
- 2010-Mar-26: Google has been researching web site based malware distribution techniques. They are finding that 1.3% of Google searches return at least one link to a malware site and that most of these are hosted in China. Web adverts are now being used to deliver malware.  
- 2010-Mar-26: Slashdot discusses free anti-virus software for Windows. Uncharacteristically Microsoft's Security Essentials gets recommended by a number of people. 
- 2010-Mar-08: The CipherChain series of products allows one to add full disk encryption in hardware to any PC using standard SATA disks. 
- 2010-Feb-26: Mozilla debates whether to trust the Chinese certificate authority. An interesting debate because a compromised certificate authority could facilitate attacks against SSL connections. 
- 2010-Feb-24: Bank card skimmers have been found hiding in gas pumps at 180 service stations in Utah. 
- 2010-Feb-22: The Chuck Norris botnet is attacking weakly secured routers, DSL modems and even satellite TV receivers. Given that devices like DSL modems and cable modems are often only configured by the ISP, there's a good chance for poor practices on the ISP's part (like using one user name and password on all of the modems it controls) to lead to massive hacks. Even though this attack is only against the router or modem, there is a nasty issue here in that a compromised router could be set to divert DNS look-ups to a bad DNS server, which could serve up the wrong IPs for some common internet services (like Facebook or some of the advertising suppliers), which could divert the user's browser to sites that try to install malware. 
- 2010-Jan-15: One curious outcome of the attacks on GSM cellphone encryption that were published around the start of 2010 is that the GSM association actually moved to a weaker encryption algorithm (called KASUMI) from the previous MISTY algorithm. 
- 2010-Jan-12: Kodak's wireless picture frames are rather insecure allowing the public to browse the feed for them and potentially to load content onto them.  
- 2010-Jan-12: The joy of securing your passwords if you let programs remember them for you. This contains a number of suggestions for password storage programs and for configuring common applications like Firefox. 
- 2010-Jan-09: A number of "secure flash drives" that claim NIST certification to the FIPS 140-2 standard have been found to be easily cracked. It turns out that while they may actually use AES 256-bit encryption inside, the way the password authentication is done can be trivially bypassed, so that any of these drives can be unlocked without the correct password. Schneier discusses it here. NIST is investigating this issue. The known vulnerable drives are:
  - Kingston DataTraveler BlackBox
  - SanDisk Cruzer Enterprise FIPS Edition
  - Verbatim Corporate Secure FIPS Edition
- 2009-Nov-20: Slashdot discusses tools for helping you remember your passwords. 
- 2009-Nov-11: An ATM flash mob managed to steal about $9 million from ATMs in 49 cities around the world in a 30 minute coordinated attack. Of course, with that many people involved someone is bound to slip up, get caught and then spill his guts... By Nov'09 it appeared that this case had been cracked. 
- 2009-Nov-11: Slashdot discusses the vulnerability of the electric power grid. 
- 2009-Nov-06: A man in the middle attack against SSL/TLS has been discovered. More coverage here. 
- 2009-Nov-03: The Amazon EC2 cloud computing service has been used to crack PGP passwords through brute force key searching. This article describes the general process and some details of how to set up the EC2 machine images. A followup article examines the cost to crack passwords of different sizes (and complexities) using this technique. Based on an opponent spending a few thousand dollars, a password of 8 characters or less is not safe unless it uses more than just upper and lower case letters and numbers. The good thing is that a password using only lower case letters and numbers would cost $75M to crack this way if it was 12 characters long (and this rises massively with just one more character), so passwords still don't have to be massively long. This gets further discussion here on Slashdot. 
- 2009-Oct-23: The Evil Maid attack against encrypted file systems - pretty much amounts to: if you leave your laptop anywhere there is a chance someone could install some sort of key logger on it, and then you're toast. 
- 2009-Oct-09: With Security Essentials Microsoft dips its toe in the muddy waters of virus detection, mocked here on Slashdot. 
- 2009-Sep-19: The Register takes a look at how online advertising can be used to infect computers with malware. This sort of trick was used to attack readers of the New York Times in Sept'09. 
- 2009-Sep-18: Microsoft has filed some civil lawsuits against some of the malvertisers - those who try to trick you into installing malware through online advertisements. 
- 2009-Sep-09: Twitter has been found to be tracking the links you click on. 
- 2009-Sep-08: A good article that talks about attacks by E-Mail and helps train users in how to recognize them. 
- 2009-Sep-04: About 10 digits is all that's needed to uniquely identify you (unless you need to be distinguished from past or future versions). This article points out a number of common ways people can be tracked through readily accessible information like zip codes and date of birth or even movie preferences. 
- 2009-Aug-26: Slashdot discusses ways to track stolen gadgets and some of the privacy issues that arise. 
- 2009-Aug-24: Ten ways to destroy a hard disk. Though no one suggested just driving over it a few times or attaching it to a lightning rod. 
- 2009-Aug-07: Credit cards and access cards which use RFID for "security" are becoming targets for information theft. This was demonstrated at DefCon in 2009, discussed here on Slashdot. The UK National Identity card may also have been hacked, though the UK Government claims this is not the case (this article contains some interesting information on how the card is using public key security for various functions), discussed here on Slashdot. 
- 2009-Jul-28: Some odd new forms of spam are discussed here. Including using sites such as Craigslist to spam people by first registering fake adverts and then sending you spam in fake responses to the fake advert through the site's email forwarding feature. 
- 2009-Jul-08: As a side-effect of dismissing a class-action suit against Microsoft for violating privacy by collecting IP addresses a Judge has ruled that IP addresses are not personally identifiable. If you think about it, this sort of issue has been recognized in the past with radar camera issued speeding tickets, where the license plate cannot be used to identify the driver of the vehicle. 
- 2009-May-01: Various resources on the conficker worm that is set to change course on 1-Apr-09. Slashdot has more on it here. This has actually infected some medical equipment in hospitals where the equipment is based on Windows NT or 2000. 
- 2009-Apr-08: The US electric grid is thought to have been penetrated by spies.  
- 2009-Mar-24: Another report of hackers penetrating control systems. This mentions the Bellingham, Washington gasoline spill, but that was not due to hackers.  
- 2009-Mar-23: The future may include viruses and other malware that can infect the BIOS of a computer, making the tried and true disinfection technique of wiping the hard disk and reinstalling useless. 
- 2009-Mar-20: Slashdot discusses Windows home directory encryption. 
- 2009-Feb-13: A Slashdot discussion of full drive encryption which (perhaps predictably) has a lot of recommendations of TrueCrypt. 
- 2009-Feb-08: An overview of the tools that OpenBSD provides for spam interception and prevention, including blacklisting, greylisting and spamtraps. Discussed here on Slashdot. 
- 2009-Jan-29: Full disk encryption is expected to drop in price (to near zero) and become available on most new drives, but when? With this approach a drive must receive the appropriate password before it will load any data, so you end up entering the password before the computer starts to boot. But what happens if you forget the password? Will you be able to overwrite the old disk with a new data set using a new password, or is the drive rendered inoperative to protect the encrypted data on it? Or, is there an administrative password you can enter to reset the user password? Or do you have to ship it back to the manufacturer to be unlocked? Or is there even a secret back door - say for customs to use? This gets discussed here on Engadget and here on Slashdot.  
- 2009-Jan-21: Ever wondered what that TPM header was for on your motherboard? This article explains a bit about how this is used to create and store encryption keys for drives you attach to the motherboard. It can be used in such a way that the data on the drive is only accessible when attached to the motherboard that was used to format it.  
- 2009-Jan-19: This paper: Secure Deletion of Data from Magnetic and Solid-State Memory talks about secure data deletion and has some epilogues that address recent changes in the field. 
- 2008-Dec-03: A long discussion of one man's crusade to stop spambots that scan his web site. 
- 2008-Nov-03: Slashdot discusses the new wireless home security systems. 
- 2008-Nov-03: In the UK someone put data about 12 million tax payers on a USB stick and then proceeded to drop it in a pub parking lot. Looks like big brother wants to share all your data. 
- 2008-Oct-26: Slashdot discusses current choices in free anti-virus software.  
- 2008-Oct-13: Grocery store credit card scanners are being tapped to steal credit cards and send them to Pakistan. 
- 2008-Oct-01: A new internet-based denial of service attack may have been found. Slashdot discusses it here. After some thought it appears this form of attack probably isn't against a new weakness, rather it is a better way to launch a common type of denial of service attack allowing each client machine (i.e. attacking resource) to inflict more damage. 
- 2008-Sep-11: One attack against a SCADA system has now been published. Some of the Slashdot discussion gives a hint of how frequently these systems may actually be connected to the Internet rather than being completely isolated as one might at first think.  
- 2008-Sep-04: Your government may have the worst computer security. And if you try to point out their problems they might fight back. Another example of government mishandling security: the British National High-Tech Crime Unit had a web site which got linked to by a number of important sites (like the BBC) and then they abandoned it; now a German owns the domain name. 
- 2008-Aug-27: A long open security hole in the border gateway protocol (BGP) has been publicly revealed. This works by convincing a target router to reroute packets to the attacker so he can play man-in-the-middle and other eavesdropping games. 
- 2008-Aug-04: The STARAY S from Radion is a 2.5 inch, USB drive enclosure with integrated security (and a keypad to allow entry of the pass code). Like a lot of these products the details on the actual cryptographic methods used are missing (they just say "proprietary 64-bit" which is usually a bad sign), so probably best avoided until more is known. This is now available.  
- 2008-Aug-01: The USA's DHS has finally given public details on its policies for border searches of laptops and other electronic devices and documents. In short they can take anything you have, for any (or no) reason and keep it for any length of time. Discussed here on Slashdot.  
- 2008-Jul-14: Adeona is an open source project (GPLv2 license) to develop a system for tracking the location of a lost or stolen laptop to assist in its return. This system uses a public distributed storage server to receive the location updates, but the location updates are encrypted so that only the true owner can access their contents (protecting his privacy). Discussed here on Slashdot.  
- 2008-Jun-18: The Abstract Cheetos Attack, social engineering takes a culinary twist. If your target doesn't go for the cheetos bait then there's always powdered doughnuts or perhaps cinnamon buns.  
- 2008-Jun-15: An old virus (Gpcode) that encrypts your files for a ransom has been updated in mid'08. Its use of crypto has been fixed and the only defense against this is a good backup system (possibly coupled with some tests to see if an unusual number of files have had their contents changed). 
- 2008-Jun-06: The top five antivirus applications for the PC.  
- 2008-May-15: A bug in SSH key generation introduced by Debian's package maintainers in 2006 was not fixed until May'08. A more detailed write up on this is here. 
- 2008-May-15: Bruce Schneier writes about choosing secure passwords and taking your laptop through US customs. Discussed here on Slashdot. 
- 2008-May-13: The NSA takes a look at system hardening.
- 2008-May-05: Slashdot discusses backscatter spam in follow up to this article, and this article. Most of these place the problem in the "a few an hour" category, but if you have your own domain and have set it to receive all email for any name sent to it, you will see huge spikes when your domain name is used as a target. What happens is that the spam bots send their email out and make up return email addresses by combining a large list of user names with your domain name. Some portion of these outbound messages trigger back scattering and, as your email is set to receive any mail that comes to the domain, you get to see all of these. The first time I was hit by this was in Feb'05 for a couple of weeks. Every few months now, I'll go through a couple of days where I get over a thousand such messages a day. 
- 2008-Apr-22: Fujitsu has added hardware-based automatic full drive encryption to a 2.5 inch 320GB hard drive.  
- 2008-Apr-16: The DataTraveler BlackBox drive from Kingston features a 256-bit hardware AES encryption processor and has been inspected by NIST in the US and the Communications Security Establishment in Canada. I wonder how long it will be before hackers open one up and find there's a trivial way to defeat this drive's security, like so many of the competing products. At $424 for an 8GB drive it would probably make more sense to buy a conventional drive and an ASUS Eee to run TrueCrypt on it.  
- 2008-Mar-25: Slashdot discusses securing your laptop and cloud of small electronic devices in a cubicle. 
- 2008-Mar-23: Quantum computing (if it ever becomes feasible) may not be as big a threat to current encryption as some are saying today. 
- 2008-Mar-22: The strange story of bounced email that ends up at donotreply.com. 
- 2008-Mar-18: Bitvise has a number of SSH products for Windows, including Tunnelier.  
- 2008-Mar-14: One journalist's view of laptop security and the issue of border crossings - where you may be without any legal protection against search and seizure. 
- 2008-Mar-04: An old security hole in the Firewire software for Windows can be exploited to unlock PCs. 
- 2008-Mar-04: Modern DRAM chips can actually hold their data for a long time, and if they have been cooled this could even be in the range of minutes. This represents a potential security threat. One of the main reasons this attack works as well as it does is that current operating systems do not clear memory that is no longer in use (though Windows 2000 and up appear to clear it before allocating it to another process for use). Because of this it also is possible to boot a system from another drive (such as a USB drive) and then read the contents of memory left over from the last run. 
- 2008-Feb-19: The 2.5 inch Easy Nova Data Box PRO-25UE RFID portable encrypted drive turns out to be pretty insecure (discussed here on Slashdot), seems the manufacturer only implemented an XOR algorithm instead of the claimed AES.  
- 2008-Feb-18: In a rather strange computer crime an investor hacked into a computer at IMS Health from which he stole a future earnings announcement, then he took a gamble and bought short expiry put options (which would have been virtually worthless at the time) in the company's stock. Once the earnings announcement went public the following day the options grew in value by a factor of 5 and he sold them. The SEC figured that this must have been insider trading so halted his account and investigated. Now a judge has decided that while it was a crime to steal the earnings announcement it was not a crime under current US law to make money off the trade. 
- 2008-Feb-18: A look at the state of wireless security in Bluetooth, WiFi and WiMAX. 
- 2008-Feb-11: Slashdot discusses DKIM - Domain Key Identified Mail - an attempt to reduce email fraud. 
- 2008-Feb-06: TrueCrypt 5.0 has been released, this version includes full drive encryption that will prompt the user for the password at system boot. Discussed here on Slashdot. 
- 2008-Feb-05: Gutmann sound wave therapy, the strange tale of the Dutch proximity card billing system and how $2G was spent to produce an insecure system.  
- 2008-Jan-28: The mysterious world of phishing and the associated money-mule scam. 
- 2008-Jan-22: SmallNetBuilder has a number of articles on WEP and WPA wireless encryption security, worth a read if you are setting up a WiFi network. 
- 2008-Jan-21: The InfoSec Institute offers a number of computer security and forensics training courses. 
- 2008-Jan-21: Slashdot discusses the CIA's claims that cyber attacks have blacked out cities, including one in the US. While this sounds pretty far-fetched, the claimed approach of attacking the SCADA system (which is the brain and nerves of the whole system) is plausible, especially when coupled with lax security practices (like installing WiFi on the internal LAN). Additional coverage on Engadget too.  
- 2008-Jan-19: Using La Fonera router and the Fon Network to share an internet connection.  
- 2008-Jan-14: A security issue with flash in web browsers has been discovered that can be used to open ports in a home firewall by using UPnP. 
- 2008-Jan-12: Slashdot discusses how to safely dispose of old hard drives.  
- 2008-Jan-10: Bruce Schneier talks about the pros and cons of leaving a wireless LAN unsecured. This gets discussed here on Slashdot.  
- 2008-Jan-01: SftpDrive allows you to map an SSH server as a Windows drive, so that applications within Windows can use files on the SSH server as if they were on simple network shared drives.  
- 2007-Dec-21: Virus writers are getting more cunning or anti-virus writers are getting worse, so it looks like the effectiveness of anti-virus tools dropped in 2007. 
- 2007-Dec-16: The .Mac web interface (which allows Mac users to check the contents of their iDisk from a remote location) does not have a logout button - so potentially anyone who uses the public computer after you are done could gain access to your files. 
- 2007-Dec-04: The Microsoft wireless (radio) keyboards are insecure and keystrokes could be easily sniffed. At this time it is not known if the similar Logitech keyboards suffer from the same problems. This gets further discussion here on Slashdot. 
- 2007-Nov-20: A discussion of using Google as an MD5 cracker tool (discussed here on Slashdot), entering an MD5 hash code and finding a word that it is the hash for. There is some interesting discussion of salting and other approaches to hash reversal, including sites that specialize in just this problem.  
- 2007-Nov-17: Hushmail has been giving out private decrypted emails. 
- 2007-Nov-06: Bruce Schneier discusses the Storm Worm, which has been running unchecked for nearly a year now, and wonders what it will eventually be used for. 
- 2007-Oct-07: Canada's Information and Privacy Commissioner gave a talk called Privacy by Design that addresses how to design software that protects the user's privacy. Discussed here on Slashdot. 
- 2007-Oct-01: A new approach to email authentication is being proposed, which would help in the fight against spam. 
- 2007-Sep-19: Cybercrime is now big business, and may be worth more than the drug trade. 
- 2007-Sep-17: Germany has arrested 10 people in a phishing scam. 
- 2007-Sep-17: Researchers have discovered new security holes due to multi-core CPUs. 
- 2007-Sep-16: A wireless (WiFi-based) camera can be a potential security breach-point, discussed here on Slashdot. 
If you travel to India be very careful when using Internet
Cafes, the police may have installed
A Slashdot discussion
of Ophcrack, a Windows password cracking tool, there's plenty of
additional material in the comments. KB299656 applies to
this issue of the weak hash algorithm used in LAN Manager.
The Exploit Prevention
Labs Blog discusses new threats
For those worried about leaking WiFi and other signals, a
rather thick window
film (used by some US agencies) may someday be made available to
In May'07 a non-prime: 2^1039-1 was factored
after 11 months of time. Which means that 1024 bit RSA encryption
can now be attacked, at some cost.
Sometimes companies that
should know better fall victim to simple social engineering
The Nokia N800 can be turned into a WiFi auditing device. This
discusses installing Metasploit
on one, more coverage here.
Wikipedia discusses challenge-response
discusses choosing a firewall
EM-SEC Coating, a paint that
absorbs WiFi signals
If you are running a wireless LAN you should read
this article. If you are running in WEP 64-bit or 128-bit mode you
may be less than an hour away from being cracked.
Why would Skype
read the BIOS (or at least part of it)?
spam by setting the primary MX record to point to a server that
does not respond to mail delivery requests. Apparently most spam
delivery clients will only try the first MX record.
a review of six rootkit detectors for Windows
Slashdot discusses spam
alternatives to embedding passwords into source code.
The web-based Anonymizer
has been discontinued
A Slashdot discussion of anonymous
surfing, proxy servers and other solutions
- TOR, The Onion Router, is an
project that seeks to prevent web traffic analysis. There is a FAQ on it
here. The authors warn that a possible exploit of TOR (since the
final connection from the exit node to the site you are trying to reach
is not encrypted) would be for the owner of an exit node to sniff all
the outbound traffic looking for passwords etc. Well, someone did
this and collected embassy-related passwords. There is more concern about abuse of TOR exit sites.
iSight could be taking pictures and sending them to malicious web
A Slashdot discussion on firewall
traversal for applications like Skype
- OpenID is a decentralized
identity system, it is discussed here
on Slashdot. In Feb'07 Bill Gates
announced that Microsoft will support it too. More discussion on OpenID. Yahoo, IBM, Microsoft, VeriSign and Google have all joined its board and there are now 250M OpenIDs in use. Here is a brief description of the process of getting an OpenID. MySpace has joined the OpenID coalition, adding a few more users. OpenID gets mentioned here in reference to attempts to move away from passwords to other means of authentication. Ned Batchelder found OpenID hard to get started in and dug up these discussions: OpenID is Why I Hate The Internet and The problem(s) with OpenID, which talk about the difficulty of using OpenID and the apparent flaws in it. Microsoft has added support for OpenID to Windows Live, discussed here on Slashdot. OpenID for non-SuperUsers talks about setting up OpenID to use delegation. Not to be left out, Google is also supporting OpenID, but they have decided to fork development to address some of their concerns. More on Google's OpenID project here. Some sites are dropping support for OpenID. 
from A to Z, an overview article
A USB-powered disc-scratcher
designed to destroy CDs and DVDs.
No-swipe credit cards might be
read from a distance (perhaps by someone standing nearby in the
built a honeypot PC using Windows XP Home (Oct'06) and monitored it
to see how often and by what means it would get attacked. The result:
attacked within seconds of being connected to the net and during 7
hours in service it never got more than a 15 minute break from being
A Slashdot article discussing Crypto Snake
An online service called Jigsaw
is collecting publicly available identity information, is this a threat to
An ethical hacker discusses protecting
your identity online.
problems with Windows Mobile programs
The European Galileo GPS Satellite has been cracked
making access to its data available.
grc.com has a number
of podcasts (in MP3 format) that address a variety of security
Computer users are the weakest link in the security chain, a
auditor proved this with "lost" USB
drives. Probably about time that banks switched back to less
generic PC hardware to eliminate this sort of threat.
stations move from Shortwave to VoIP, the spies of the world get an
if it is possible to run Windows XP in accounts without Administrator
PIN scandal, a massive leakage of PINs.
WiFi security, the new trend of using your neighbor's WiFi. A very
large residential WiFi mapping
database has been revealed.
tags for Homeland Security purposes? I wonder if someone will
remember the old spy trick of implanting a pellet into someone using an
Authentication Scheme for HTTP
using an iPod to scan networks for data.
The NetBSD project's cryptographic disk
driver (CGD) (discussed here
on Slashdot) keeps all data on the disk encrypted, which would be an
especially good idea for laptops. This can also be used to
encrypt CDs or DVDs.
Even the wiretapping
system has security issues.
A Slashdot book review of: Cryptography
in the Database, by Kevin Kenan, ISBN 0321320735.
USB and Firewire hardware
used to break
into locked PCs.
SnakeCard, open source solutions
for analysis of smart cards
The Net Cowboy infra-red web
- Printers are now spying on you... well, cunningly recording unique identifying marks on the pages they
print. The EFF has compiled a list of printers which have implemented these tracking dots.
exploits of MD5 flaws, there may be some areas where the recently
discovered weakness in MD5 could actually be exploited, in particular
allowing an attacker to modify a distributed software package (perhaps
to introduce some form of malware) and then rebuilding the MD5 checksum
so that the tampering is not detected.
What might be on your hotel
Does having an IT
encourage a company's workers to be less
concerned about computer security?
People are leaving
their files behind on discarded hardware
of keyboards can be recorded and used to crack passwords
dumbest ideas in computer security
Slashdot book review of: Brute
Force: Cracking the Data Encryption Standard, by Matt Curtin, ISBN 0387201092.
What's on your
network? This article
on tracking down and removing unwanted devices looks quite good.
Commander wireless router is equipped for monitoring network
A Slashdot review of, File
System Forensic Analysis, by Brian Carrier, ISBN: 0321268172.
Possible security risks
with SSH based on an attack from the DMZ
Brute force attacks
on SSH are being done.
SSH to achieve more secure online web surfing and email. More
information on this. An
a packet sniffing and generation tool controlled by Python scripting
Just how secure are proximity cards?
Design of a reader.
Attacking Windows computers by using USB
Firewall and VPN server is a custom Linux distro that is only about
13MB that contains a combination of firewall and IPSEC plus PPTP VPN
What forms of internet
attacks are happening to your computer,
Those credit card banks will apparently
credit to anyone, even on a torn
It looks like the first generation of RFID
chips may not be very secure
RFID adds to the security
of casino chips, at least that's their excuse...
just don't work well.
a burglar with a web-cam type device
has now been compromised, time to start moving to more bits. More on this.
Kit Revealer from SysInternals
Snooping on the contents of magnetic
stripes on cards.
The biggest PC virus
threat of 2004? The problem with JPEG rendering by Microsoft's GDI
library, there's now a virus in the wild that exploits this.
A Slashdot review of: Steel
Bolt Hacking, by Douglas Chick, ISBN: 0974463019, which addresses
the question about how secure locks are. The
Lockdown: Locked, but maybe secure, an article on the security of
typical home and business key locks.
depend on the security built into your keychain flash drive
A Slashdot review of: Network
Security Assessment, by Chris McNab, ISBN: 059600611X.
More specialized Google searches, the Register
reports on accessing web-connected security cameras this way, with
follow up discussion on Slashdot.
has further information. johnny.ihackstuff.com
has more on Google hacking.
to search for your personal information in case some careless
on-line system has leaked it.
A Slashdot review of Tao of Security Monitoring, by
Richard Bejtlich, ISBN 0321246772.
Time to disconnect
your web cam when it's not in use
can be applied to executables too.
secure is the Windows Firewall that is included in XP?
Big bucks may be transferred
over the public internet, now this has to attract the attention of
the bad hackers.
SHA-0 has been broken, MD5
may be next.
Windows systems are expected to survive less than 1/2 hour before
A net cash system based on proof
of work tokens
Looks like the Kensington computer
locks, that are popular for laptops, may not be so secure
the magstripe, stripe
snoop is software to read the contents of these
and anonymous communication channel
sub-system could be a source of insecurity
Adding a reverse
firewall to the home network access point could reduce the value of
home PCs as spambots and DDOS units.
- Tricks that
are possible with caller ID via VOIP, so soon I won't be seeing any
more Toll Free Calls on my
caller ID, instead they'll use a database
of all my contacts and pick one of these names at random. There is now
(hopefully, for only a short time?) a
service that enables anyone, using any phone, to make a call with
any desired caller ID. The US has made this practice illegal and in May'08 the first set of such telemarketers were found guilty in New Jersey - now if only Florida and Nevada would stop calling me...
A Slashdot review
of Network Security Hacks, by
Andrew Lockhart, ISBN 0596006438.
Looks like MD5 can no longer be considered secure, now there's
MD5 cracking service, presumably done as a distributed computing
Openswan, free IPSec
June 2004, the Linksys WRT54G wireless
router could be a security risk as it still has ports 80 and 443
working, even after disabling remote administration for full security.
Apparently the NetGear
WG602 also suffers from this sort of thing.
A Slashdot review of Cryptographic Security Architecture:
Design and Verification, by Peter Gutmann, ISBN: 0387953876.
Overview of anti-spam
VoIP based Wi-Fi phone
A Slashdot review
of A Field Guide to Wireless LANs
for Administrators and Power Users, ISBN: 0131014064
discussion on setting up wireless access points for coffee shops
Using a Chinese
Lottery to look for MD5
collisions, you could be part of a distributed computing project
each time you visit a web site.
It's possible to build and deploy an electronic
voting system correctly.
here on Slashdot.
fast encryption solutions for Windows. Including TrueCrypt, an open source disk
encryption solution (further discussion of TrueCrypt appears here).
In Mar'07 version 4.3 of TrueCrypt was released, announced here on
sounds like a similar commercial package. A bunch of "tiny"
full hard drive encryption
Cypherix makes Cryptainer
LE which offers 128-bit encryption for Windows
is a very
small (no frills) implementation of the IDEA encryption algorithm,
it's written in x86 assembler and works well on WindowsNT4. It has a
limitation with file names, it does not like files with more than a 3
letter extension, and when you try this it will send its output to the
console rather than the file. There is some more information about this
along with a number of other links to download it from and some other
crypto tools. A copy of it is also available here.
Aug 11, 2003 brought us the Blaster worm, here
is Microsoft's information on it and here is a guide from Visualante.
are using search engines to reduce their work load.
Towards the end of 2006 there was a large increase
in email spam
Field Guide to Spam, documents the tricks the spammers use to get
their mail to you.
Maybe there are patterns
to the prime numbers after all
Using the Windows2000 CD to open
up a WindowsXP system
newsletter by Bruce Schneier (author of the very readable Applied
Cryptography text) is available at counterpane.com. Practical
Cryptography, also by Bruce Schneier and Niels Ferguson is reviewed
review of Internet Site Security
as part of an analysis of TCP/IP sequence number attacks.
A review of 8 intrusion
detection systems (11-Jul-02)
according to iana.
A glimpse at the future of web
file sharing and privacy may be had by looking at CodeCon 2002.
Here's a hardware
keystroke logger... easy to remove if you see one on the back of your machine.
This series of Register
articles discusses some of the secure web surfing options currently
Guide to Wireless Auditing, makes use of the scapy Python packet
state of Wireless
WiFi is insecure,
and it's all the user's fault.
discusses the issues of wireless LAN security.
Wireless LANs are becoming more popular, they are a bit much
home in 2001, but the pricing will probably drop significantly by 2002.
However, their security
has some major
flaws as shown in this
paper... NetStumbler has
quite a lot on this issue. Some more on free access at www.free2air.org.
Some suggestions on how
to secure a wireless LAN by using PPPoE or PPTP. Looks like the
next generation of wireless, 802.1x, may also be insecure.
And now your favourite geek store may be using these to broadcast
your credit card numbers.
The SANS Institute runs incidents.org
which tracks the progress of some worms and things (including the Code
Red Worm). Caida.org has some dynamic
graphs of the code red worm's progress. And in the end even Microsoft (hotmail) got hit by the worm. A script that can be used to notify
the victim of code red that their system is infested. Another
script, this one will shut down
the infested system to prevent it from further abuse. Another script,
this one is in python and it just
parses your web server's access log to find the sites to notify (the way it
notifies them is to start a browser on them pointed to a web
page about code red). Some thoughts on what the next
generation (Warhol Worms) of worms might be like.
According to The
Register the CERT people now have a security
advisory for the home user.
SecurityFocus has some articles
on computer networking security.
Arudius (also here)
is a live CD Linux distro for information security professionals. It is
focused on providing tools for information assurance and vulnerability
Bastille is a security
auditing and configuration tool for Linux systems.
Typhon is an internet
DShield.org is a
intrusion detection system, they collect information (in the form of
server and firewall log files) and look for attack patterns in them.
There are a number of web servers you could run, but many
choose Microsoft's IIS. Unfortunately for them it seems to have become the target
of choice for hackers, as it seems to be about as solid as Swiss
cheese. See also this.
Gibson Research Corp. has a
security related tools, Patchwork tests Windows NT and 2000 systems for
certain known issues and ShieldsUp is a test of your net visible ports.
Yoggie makes a small,
Linux based, security
computer which acts as a firewall and malware scanner on the LAN
connection between your computer and the net. In May'07 they announced
a newer version called the Pico
which is discussed
here on Slashdot.
- Now SOHOWare is
NBG800 (reviewed here)
which is the first I have seen that claims to have stateful packet
(which is something that GNATBox has had for a long time). This Slashdot
article looks at this sort of equipment. GigaFast
makes a 4 port router with a built in printer server. The Compex
NetPassage is another NAT firewall/router unit, with wireless
ISB Pro800 router
with NAT sounds nice.
Configuring to use NetMeeting or other H.323 Video Conferencing Software
This article suggests
that the easiest way of doing this through firewalls is to setup a VPN
between the two end points and then connect through it
from microsoft, routers that support
H.323 to some degree
may be another approach
Videophone requires fewer ports than H.323
chat, this looks pretty promising, it's free (for personal use in a
1 to 1 chat mode - beyond this they sell a more full featured version)
and it claims to be able to work through firewalls.
MSN Messenger also can do this,
and it appears to work through firewalls (though so far I have not got
audio to work - but video works fine)