November 24, 2015
The Hacking of Hollywood

The Hacking of Hollywood:

Hollywood’s hacker war began on February 19, 2004 with a simple phone call. It happened at a T-Mobile store near Los Angeles. The caller told the salesperson he was from the T-Mobile headquarters in Washington. “We heard you’ve been having problems with your customer account tools?” The caller said.

Great little read, and I love the fact that most hacks basically consist of calling someone, telling them you are someone important, and they tell you their password. No exploits, no wild, four handed typing, just some kid saying he’s looking into something and give me your username and password.

Security - Posted by Arcterex at 10:40 AM
September 17, 2015
AVG Now Can Sell Your Browsing Data

AVG anti virus just updated their privacy policy. it says that they can and will sell your browsing history to 3rd parties.

As the first comment says, time to look for a new anti-virus if you’re on windows and care about your privacy.

Sigh.

Security - Posted by Arcterex at 12:44 PM
April 27, 2015
Conversation With a Tech Support Scammer

Via Daring Fireball is this great Conversation With a Tech Support Scammer. Amazing what these guys go through to get you…

When investigating an incident that involved domain redirection and a suspected tech support scam, I recorded my interactions with the individual posing as a help desk technician and researched the background of this scheme. It was an educational exchange, to say the least. Here’s what I learned about this person’s and his employer’s techniques and objectives.

Security - Posted by Arcterex at 04:08 PM
Security Advisory: Multiple WordPress Plugins

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins. Keep your fingers on that update button folks.

Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the addqueryarg() and removequeryarg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

Security - Posted by Arcterex at 10:30 AM
April 13, 2015
uTorrent Hopes to Regain Trust After Bitcoin Mining Controversy | TorrentFreak

uTorrent Hopes to Regain Trust After Bitcoin Mining Controversy

The Bitcoin miner was quickly suspended until further notice. Based on the negative backlash from users it was recently announced that the “offer” would not be reinstated.

Guess we’ll see…

Security - Posted by Arcterex at 05:21 PM
April 10, 2015
Coding Horror On Code Security

Jeff Atwood digs deep into security, bugs, and perceptions and misperceptions in Given Enough Money, All Bugs Are Shallow.

Security - Posted by Arcterex at 02:13 PM
April 07, 2015
Last Week Tonight on Government Surveillance and Edward Snowden

Last Week Tonight with John Oliver has a fantastic segment on Government Surveillance, including an interview and some amazing footage. Here’s the embedded:

Regardless of what you think of Snowden, this is a fantastic bit of video, and an amazing interview.

Security - Posted by Arcterex at 02:56 PM
March 10, 2015
uTorrent *MAY* Quietly Installs Cryptocurrency Miner, Users Complain

TorrentFreak reports that uTorrent Quietly Installs Cryptocurrency Miner

The complaints mention the Epic Scale tool, a piece of software that generates revenue through cryptocurrency mining. To do so, it uses the host computer’s CPU cycles.

The guys at uTorrent say they’re not aware of any issues, but if you’ve noticed that your uTorrent-running-computer has been running more lately, it’s something to look at for sure.

Security - Posted by Arcterex at 12:31 PM
February 13, 2015
Facebook Photo Delete Vulnerability Found and Fixed

How I Hacked Your Facebook Photos is the story of how a ridiculously simple “hack” let you delete anyone’s photos, public or private, from facebook.

I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.

Kudos to the fast response from Facebook in fixing this.

Security - Posted by Arcterex at 11:32 AM
January 28, 2015
Canadian Government Spies on Millions of File-Sharers

Looks like up here in the frozen north we were feeling left out, luckily we now know that the Canadian Government Spies on Millions of File-Sharers, so we can be just like the big boys in the US.

That assumption has today been blown completely out of the water amid revelations that Canada’s top electronic surveillance agency has been spying on millions of downloads from more than 100 file-sharing sites.

Security - Posted by Arcterex at 11:53 AM
October 28, 2014
How To Smuggle Secrets Online

A fascinating article on how Edward Snowden Taught Me To Smuggle Secrets Past Incredible Danger:

On May 13, after creating a customized version of Tails for Greenwald, I hopped on my bike and pedaled to the FedEx office on Shattuck Avenue in Berkeley, where I slipped the Tails thumb drive into a shipping package, filled out a customs form that asked about the contents (“Flash Drive Gift,” I wrote), and sent it to Greenwald in Brazil. He received the package two weeks later, it having been delayed in transit, for what I believed to be bureaucratic rather than nefarious reasons, and the blue thumb drive actually made a cameo appearance in “Citizenfour.” For a technologist, this was a dream come true.

Security - Posted by Arcterex at 05:09 PM
October 03, 2014
An in-depth look at Apple Pay

Great look at Apple Pay and what’s behind the secure payment system. Pretty in depth look with a lot of great info here.

With Apple Pay, no credit card data — even in encrypted form — is ever stored on the iPhone or on Apple’s servers. Similarly, no credit card data is ever transmitted to or stored on a merchant’s servers.

When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it’s safely stored within the iPhone’s Secure Element.

Apple/Mac , Security - Posted by Arcterex at 12:58 PM
September 29, 2014
OS X Bash Update 1.0 Download Released to Address Security Bug

Apple has released an OS X Bash Update to address the recent “Shellshock” and “Aftershock” BASH bugs.

Security - Posted by Arcterex at 02:54 PM
September 25, 2014
Bash shell 'Shellshock' flaw

Bash shell ‘Shellshock’ flaw opens OS X, Linux, more to attack, called ‘bigger than Heartbleed’

Well, this isn’t good. Akamai security researcher Stephane Chazelas has discovered a devastating flaw in the Unix Bash shell, leaving Linux machines, OS X machines, routers, older IoT devices, and more vulnerable to attack. “Shellshock,” as it’s been dubbed, allows attackers to run deep-level shell commands on your machine after exploiting the flaw, but the true danger here lies in just how old Shell Shock is—this vulnerability has apparently been lurking in the Bash shell for years.

Security - Posted by Arcterex at 10:55 AM
July 09, 2014
iOS 8 Privacy Updates

Really great overview of the iOS 8 Privacy Updates, if you’re interested in that sort of thing.

Apple/Mac , Security - Posted by Arcterex at 10:56 AM
May 06, 2014
Analysis of a Linux Server Attack

Fishing for Hackers: Analysis of a Linux Server Attack is a pretty fascinating look at the analysis and recreation of an attack on a vulnerable Linux server.

Security - Posted by Arcterex at 05:10 PM
April 29, 2014
Tails is A Super Secure OS

The Verge says This is the most secure computer you’ll ever own.

Security - Posted by Arcterex at 12:32 PM
April 23, 2014
OpenSSL Source Code Rampage / Analysis

OpenSSL Valhalla Rampage is a great, uhm, rampage through the OpenSSL source code, and ripping it apart a bit at a time. From their site:

Tearing apart OpenSSL, one arcane VMS hack at a time.

The awareness recently on OpenSSL has been a great catalyst to look at some of the “but it’s there and it works” for some of the most used Open Source software.

Programming , Random Linkage , Security , Software - Posted by Arcterex at 02:41 PM
February 20, 2014
Bitcrypt Broken

Apparently the encryption malware Bitcrypt has been broken. Here’s a fascinating look at the analysis required to figure out the virus and reverse engineer it.

With such factors, we could build a Python script implementing all the cryptographic operations to decipher the encrypted files, and save the precious pictures. Such a Python script is available on our bitbucket repository.

Security - Posted by Arcterex at 04:11 PM
January 28, 2014
Davos to Detention, Security Theatre At It's Finest

Ahmed Shihab-Eldin writes Why I Hate Coming Home to America:

Like all Americans (and every human being for that matter), I want to be safe. But I can’t help but question the efficacy of our national security policy, including the practice of detaining U.S. citizens because something (never specifically explained) about a name or person’s identity is said to match that of someone somewhere in the world who is deemed to pose a threat to America. How close is the match? What aspects of one’s “profile” are searched for a match? None of that is ever explained.

Read the whole piece… Ahmed is very aware of the “safety” of screening and all that crap, but come on, WTF guys. Why can’t you just say “we’re going to discriminate against brown people because they’re brown… oh, and anyone with a funny terrorist name” and have it out in the open, instead of pretending that they were randomly selected, or a profile match, or whatever excuse that isn’t “you look like the people who attacked the US on 9/11 so we’re going to fuck with you”.

Come on.

Security - Posted by Arcterex at 10:59 PM
January 20, 2014
Adware vendors buy Chrome Extensions to send ad- and malware-filled updates

Suddenly had extra ads, popups, and new search results show up and your virus and spyware scanner reports everything as a-ok? It might be to do with the report from Ars on Adware vendors buying Chrome Extensions and updating them with spyware. Because Chrome extensions update silently, and are out of the scope of spyware and virus scanners, it’s a great new vector to use for scammers and advertisers. Other things:

  • Chrome extensions are fairly easy to make, so being offered a few thousand for a couple of hours work that it took to make an extension is a good deal if you’re not clear on what the new owner will do with it.
  • Many extensions ask for full access to all your browsing (normally by necessity), making them an attractive target for purchase.

Something to be aware of. If google was smart they’d either add in some sort of spyware checking, or add a notification to the user on either extension ownership change, or a more obvious changelog.

Security - Posted by Arcterex at 10:31 AM
December 23, 2013
Mitnick On the RSA / NSA Denial

Sorry, RSA, I’m just not buying it is the title of the latest blog from Kevin Mitnick, noted security expert. If you haven’t kept up, revelations came to light lately that security company RSA took $10 million from the NSA to deliberately weaken / backdoor their RSA cryptography, and RSA denied it, kinda. Mitnick basically says “nope”, but in a much more elegant way.

Security - Posted by Arcterex at 02:38 PM
October 17, 2013
Excellent Video On What the NSA Is Doing And Why It's Bad

Great job by John Koetsier in his latest article all about this crowdsourced anti-NSA video. Worth the watch.

Random Linkage , Security - Posted by Arcterex at 09:05 AM
September 11, 2013
Apple details Fingerprint Sensor/Touch ID security

Apple details Fingerprint Sensor/Touch ID security as well as a bunch of other questions answered.

Via the Wall Street Journal, an Apple spokesperson fleshes out some of the finer details surrounding the fingerprint sensor and Touch ID.  To use Touch ID, it is mandatory to also set up a passcode. This acts as a fallback in case the fingerprint sensor fails temporarily or experiences a permanent hardware fault. iOS may necessitate a passcode under some other conditions, as well.

Assuming that you believe them, and don’t think they’re a front for the NSA to get everyone’s fingerprints as well as location, contacts, etc (the iPhone does seem to be the phone of choice for terrorists), this is good news.

Apple/Mac , Security - Posted by Arcterex at 04:59 PM
July 17, 2013
Android Backs up Wifi Passwords in Plaintext to the Cloud

At least according to Issue 57560:

The “Back up my data” option in Android is very convenient. However it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.

Ignoring the implications of google knowing yet another bit of information about us, or the tinfoil hats when you combine this information with the previous scandal with them capturing and saving encrypted wifi data from the street view cars, where are the pitchforks? If Apple did this, there’d be a class action lawsuit already (even if the story was completely different, it’d be filed purely on the headline).

Android , Security - Posted by Arcterex at 03:48 PM
July 05, 2013
Jay Z's Samsung Only Album Release Triggers a Piracy Bonanza

Jay Z’s ‘Exclusive’ Album Release Triggers a Piracy Bonanza at TorrentFreak.

I’m not sure if this will be a good or bad thing for Mr. Z.

Security - Posted by Arcterex at 03:35 PM
May 24, 2013
Big X.Org Security Advisory

A big X.Org Security Advisory yesterday:

Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org’s security team to analyze, confirm, and fix these issues.

Fixes are underway already, and it sounds like (to someone not hugely versed in deep x.org code) the issues aren’t going to affect the normal linux user running behind a firewall, but if you run unchecked code from untrusted sources locally (or allow other users to connect to the X.org port remotely), be careful. Keep up to date with updates and make sure your system is patched over the next week or two.

Linux , Security - Posted by Arcterex at 02:28 PM
April 23, 2013
BitTorrent's Secure Dropbox Alternative Goes Public

BitTorrent’s Secure Dropbox Alternative Goes Public:

BitTorrent Inc. has opened up its Sync app to the public today. The new application is free of charge and allows people to securely sync folders to multiple devices using the BitTorrent protocol. Complete control over the storage location of the files and the absence of limits is what sets BitTorrent’s solution apart from traditional cloud based synchronization services.

Security - Posted by Arcterex at 12:22 PM
April 16, 2013
Linode Customer Database Hacked

Read Marco’s thoughts on how the Linode customer database was hacked:

Yesterday, a group named HTP claimed responsibility for accessing Linode Manager web servers, we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.

The IRC transcript is interesting as well.

Coldfusion? Seriously?

Security - Posted by Arcterex at 09:24 AM
March 04, 2013
The Pirate Bay Relocates to Korea [updated]

The Pirate Bay blogged this morning about a new chapter in their interesting history:

We believe that being offered our virtual asylum in Korea is a first step of this country’s changing view of access to information. It’s a country opening up and one thing is sure, they do not care about threats like others do. In that way, TPB and Korea might have a special bond. We will do our best to influence the Korean leaders to also let their own population use our service, and to make sure that we can help improve the situation in any way we can. When someone is reaching out to make things better, it’s also ones duty to grab their hand.

Very interesting turn of events… what do you think about this?

Update - I’m kinda disappointed that it was a hoax :(

Security - Posted by Arcterex at 01:07 PM
January 22, 2013
How Oracle installs deceptive software with Java Updates

Nice look from ZDNet of how Oracle installs deceptive software with Java updates.

In the background, the Ask toolbar installer continues to run, but it delays execution for 10 minutes. If you are a sophisticated Windows user and you missed the initial checkbox, your natural instinct at this point would be to open Control Panel and check Programs and Features. When you do, you will see that only the Java update has been installed. You might also check your browser settings to confirm that no changes have been made to your settings. You might conclude that you dodged a bullet and that the unwanted software wasn’t installed.

But you would be wrong. The Ask installer is still running, and after waiting 10 minutes, it drops two programs on the target system.

I knew about having to opt out of the toolbar crapware, but some stuff in there I am amazed that they get away with.

Short version: there’s almost no reason to use Java, so don’t install it. Ever.

Security - Posted by Arcterex at 03:33 PM
January 08, 2013
Multiple Security Issues in the Ruby on Rails Action Pack

Running a Ruby on Rails site, you may want to know about the Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156). The link includes links to patches if you can't upgrade ASAP.

Ruby , Security , Software - Posted by Arcterex at 01:58 PM
January 04, 2013
Password Security Advice

Scorpion Software, a noted security company from Chilliwack, has a good article on their blog on testing your password security, including a free whitepaper.

Security - Posted by Arcterex at 02:04 PM
January 03, 2013
Tool To Bypass full-disk encryption and passwords on any powered-on computer via Firewire

From JWZ passed on by my buddy @halkeye: Bypass full-disk encryption and passwords on any powered-on computer via Firewire.

The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any machine you have physical access to. […]

Well of course, any machine you have physical access is kinda screwed, unless you use some sort of encryption like ….

It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. […]

Oh.

Kinda scary, but the circumstances needed (powered on, has firewire, physical access, etc) make it not needing to run around screaming just yet.

Security - Posted by Arcterex at 09:46 AM
December 07, 2012
Kim Dotcom Reveals More Details of New Filesharing Service "Mega"

Kim Dotcom says Mega Will Turn Encryption into a Mass Product and revealed some details today, like it will use military grade encryption, and the file manager screen.

Security - Posted by Arcterex at 04:36 PM
November 05, 2012
Digital vs Analog Privacy

Why Offline Privacy Values Must Live On In The Digital Age is a very cool story from TorrentFreak about what the similarities and differences are between digital and analog privacy are, and why they matter.

First, the letter was anonymous. You, and you alone, determined whether you identified yourself as sender on the outside of the envelope for the world to know, on the inside of the letter for only the recipient to know, or didn’t identify yourself at all when sending a letter. This was your prerogative.

Security - Posted by Arcterex at 09:26 AM
October 22, 2012
Amazon DRM Backfires

In the article Outlawed by Amazon DRM, probably the worst of all cases of DRM is exposed. This is the sort of thing that gets your Open Source friends will use as a prime example of why DRM is bad, and quite frankly, they’re right.

The short version is a friend of the author had her Kindle wiped and her Amazon account closed with no explanation and no recourse. Talking to Amazon was like talking to a brick wall in terms of either a) getting it reversed or b) figuring out why.

Not cool Amazon, not cool at all.

Random Linkage , Security - Posted by Arcterex at 10:29 AM
September 10, 2012
GoDaddy Outage Takes Down Millions Of Sites, Anonymous Member Claims Responsibility

I head that GoDaddy was down today and figured it was just another blip, but after reading the article on TechCrunch that GoDaddy Outage Takes Down Millions Of Sites, Anonymous Member Claims Responsibility my response is now “ouch”. Their twitter @godaddy indicates the level of panic going on over there right now. Really interesting to find the story behind this.

News , Security - Posted by Arcterex at 12:15 PM
September 04, 2012
AntiSec leaks 1,000,001 Apple UDIDs From A Hacked FBI Laptop

Hows this for starting the news cyle for the new school year with a bang? Ok, so what seems like has happened. FBI has a huge list of Apple iPhone UDID (unique phone identifiers) along with names, device types, and other personal identifiable information. FBI has this on a laptop. Hacker hacks into laptop and retrieves said information. Anonymous then leaks this information to the web.

Hacker news has the story: AntiSec leaks 1,000,001 Apple UDIDs, Device Names/Types, along with others.

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTAiOSdevices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

Obviously a few questions come up. Why does the FBI have this information? Where did it come from? What (if any) connection does Apple have? Is it legit? Does this mean that the FBI is actively tracking users, or just gathering device information? Are these American citizens, non-Americans, or maybe just racially profiled iPhone users?

It’ll be interesting for sure.

Update: Marco links to more information including a potential cause for the leak.

News , Security - Posted by Arcterex at 10:08 AM
December 06, 2011
C|Net Download.Com is now bundling Nmap with Malware Wrapper

Via the nmap hackers mailing list (and Gruber): Nmap Hackers: C|Net Download.Com is now bundling Nmap with malware!

People still use download.com?

Security - Posted by Arcterex at 02:28 PM
September 30, 2011
Microsoft Security Essentials Identifies Chrome As Virus

Problems with Microsoft Security Essentials and it identifying chrome as malware and nuking it from computers.

Oops, very inconvenient for the user, strangely convenient for Microsoft. Completely unintentional I'm sure.

Security - Posted by Arcterex at 03:38 PM
September 26, 2011
Stopping Facebook Tracking

Good stuff from Lifehacker on how Facebook Is Tracking Your Every Move on the Web and How to Stop It.

Security - Posted by Arcterex at 06:27 PM
Hacker News: MySQL.com currently Hacked

Interesting info from Hackernews: MySQL.com currently Hacked (and serving javascript malware). The linked story has a nice deconstruction of it. My chrome browser isn't alerting me to the site at all, so it's either been fixed or Google hasn't been alerted to it yet.

Security - Posted by Arcterex at 10:35 AM
September 19, 2011
OS/X Lion Oversight Lets Non-Admin Change Other Users' Passwords

Showing I'm not a completely blind apple-fanboy, looks like this is a big oversight from Apple: Lion permissions oversight lets non-admin user to change other account passwords.

"Oops."

Apple/Mac , Security - Posted by Arcterex at 03:19 PM
June 06, 2011
Reverse Engineering Mac Defender

Pretty awesome guide to Reverse Engineering Mac Defender for people interested in such things.

Security , Software - Posted by Arcterex at 07:28 PM
May 13, 2011
Tracking A Stolen Laptop

Interesting story of a Man using Prey to track his stolen MacBook Pro hundreds of miles.

Security - Posted by Arcterex at 10:04 AM
May 06, 2011
LastPass Security Notification

LastPass : The last password you'll have to remember: LastPass Security Notification in case you hadn't heard already. The guys on the TnT podcast do a good job talking about this as well (the 5/5 episode).

Security - Posted by Arcterex at 02:02 PM
Client-side encryption for Dropbox

So if you're worried about Dropbox not being as private as you were led to believe, you might want to check out SecretSync - Client-side encryption for Dropbox. Basically it creates a folder that will be encrypted on the client side before it's synced up to dropbox, and only accessible to you. Windows only, but mac and linux clients coming soon.

Note: I have no idea if this has been tested or verified by anyone, for all I know installing this program could sell your secrets to the Russians and talk to your mother dirty. Just sayin'. Thanks Bryan for the link.

Security , Software - Posted by Arcterex at 12:03 PM
April 07, 2011
The "Creepy" App

Not sure how old this is, but check out the Creepy app. It will scrub the internet for location data for a given twitter or flickr ID and display it all in a nice map for you. Good reason to start removing those geotags from your images and social network data. Think about this as doing for location data what Firesheep did for https security.

Security , Software - Posted by Arcterex at 04:07 PM
January 13, 2011
Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else

Cool article on Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else. Short story: Many free themes hide spammy links or potentially evil code in them.

Security , Software - Posted by Arcterex at 08:17 AM
January 12, 2011
ESFS - Encrypted Steganography Filesystem

Interesting project.... ESFS, the encrypted steganography filesystem, implemented (currently) entirely in Python.

Linux , Security - Posted by Arcterex at 10:13 AM
January 03, 2011
Server Hack Emergency Checklist

A great link from @spolsky to a checklist on what to do if your server has been hacked. I'm sure there are other things, but it's definitely a good place to start, and the users on Server Fault know what they're talking about.

Security - Posted by Arcterex at 02:55 PM
September 24, 2010
The Asian Domain-name Extortion Scam

Marco.org warns of The Asian domain-name extortion scam. Pretty similar to a bunch of similar scams, and now you've been warned (assuming the email doesn't get caught up in your spam filter of course :)

Security - Posted by Arcterex at 10:42 AM
August 06, 2010
Scorpion Software's Pilot Episode of "Five by 5"

Must plug my good buddy Dana and his company Scorpion Software's premier episode of a podcast called "Five by 5".

I am pleased to announce that we are launching a new webisodic series called "Five by 5" to do just that. It will be a weekly to bi-weekly web based show covering the tips, tricks and tactics to use when considering how to secure remote access to information.

Business , Security - Posted by Arcterex at 10:05 AM
July 20, 2010
TrueCrypt 7

TrueCrypt 7.0 has been released. Hardware acceleration, a new auto-mount type is added, and various other tweaks.

Security , Software - Posted by Arcterex at 04:49 PM
June 15, 2010
Adobe Flash Update Tries to Install McAfee

Adobe updates Flash against security flaw - but watch out for the extras. Seriously? A company as big as Adobe has to do this crap?

Sneaky, that - trying to get you to install McAfee Security Scan Plus when all you actually want is an update of Flash.

I can understand if you're a small company trying to get a bit of extra revenue from installing crapware like the Ask toolbar, etc, but Adobe seems a bit big to do this sort of thing. The only justification I can see is that they are truly concerned about user's security and feel they aren't going to listen to a "hey, you know you should have an AV program installed" type message, and figure it's better to just shove AV software down their throats. I pity the IT workers that are going to have to deal with uninstalling this or dealing with conflicts or other really bad things resulting from users randomly installing things on their computers.

Random Linkage , Security - Posted by Arcterex at 01:09 PM
May 23, 2010
Block Sites from Using Your Facebook Login with Adblock Plus

WIth all the recent Facebook privacy issues, you'll definitly want to check this lifehacker article on how to Block Sites from Using Your Facebook Login with Adblock Plus. Yet another reason to use AdBlock plus! (please click on the ufies.org ads though of course! :)

Security - Posted by Arcterex at 04:55 PM
May 17, 2010
Facebook Privacy Scanner @ ReclaimPrivacy.org

ReclaimPrivacy.org is a Facebook Privacy Scanner which will scan your facebook settings for you and show you any issues with it, and give a one-click fix to fix them.

With the backlash against Facebook lately, this is a great looking tool that works nicely. The only complaint I have is that it will just fix the issues with one click, without actually telling you exactly what it's doing, in case you were wanting to keep it that way, or tweak it. Still, perfect for your mother/sister/kids/grandmother who you don't want to accidentally share out a bit too much!

Security - Posted by Arcterex at 09:37 AM
May 16, 2010
Bewildering Tangle of Facebook Privacy Options

The NY Times has an infographic on Facebook Privacy: A Bewildering Tangle of Options which maps out some of the head-shake-inducing privacy options and mis-steps that are in facebook today.

Security - Posted by Arcterex at 12:38 PM
May 07, 2010
When 4Chan Gamed the TIME 100

We looked at the (latest) 4Chan Time Top 100 hack a while back, now there's a good video from time.com itself: When 4Chan Gamed the TIME 100.

Security - Posted by Arcterex at 02:46 PM
April 23, 2010
Web Reaction To Facebook's Not-So-Open Graph

I didn't really get what the big deal was about at first, but after reading through the Are Like Buttons Evil?, I'm getting it a bit more. I can forgive Facebook for a lot of their sins, but defaulting a privacy policy in which other "affiliate" (read: advertisers) to open is fairly evil. The article goes more into how this isn't "open" (ie: the "like" button only goes back to facebook, not to digg/reddit/etc), but for me I'm more concerned about the security implications for people having to deal with the settings they don't understand.

To turn this off, log into facebook and then:


  • Go to Account
  • Go to Privacy Settings
  • Click Applications and Websites
  • Click Instant Personalization (great description eh?)
  • Finally you can decide to uncheck the "Allow select partners to instantly personalize their features with my public information when I first arrive on their websites." button

5 Steps through pretty nonspecificly named menus, to get to an option that a) gives your details to advertisers and b) defaults to on... sorry Facebook, but that's pretty evil. Of course, they know if they default it to 'off' no one would ever turn it on, so they wouldn't make their next bazillion dollars from our personal information to other big companies.

Security - Posted by Arcterex at 08:58 AM
April 21, 2010
Rails Domains Hacked (They're Back Now)

Funny story over on RailsInside about how a Gorgeous Blonde (Who's Not DHH) Takes Over Official Rails Sites. Looks like @DHH got the domain issue fixed up now though, and all seems to be back to normal.

Security - Posted by Arcterex at 08:35 AM
March 31, 2010
jQuery Plugin To Crash IE6

Not that I'd advocate this of course, but the Crash jQuery Plugin is there to use if you need to for some reason.

Seriously though, crashing someone's browser isn't cool, cause lets be honest, the people that are still running ie6 are either a) people like your grandmother who doesn't know any better, or b) people have have to because they work with some sort of antiquated company or software that requires it.

Course, these people aren't going to be surfing to sites that will have jQuery enabled anyway....

Security - Posted by Arcterex at 10:04 AM
January 01, 2010
Y210k Bug In Spamassassin

Look like there is a bug in Spamassassin in the check for "dates grossly in the future" which defines among other things, 2010 as "grossly in the future". The details are here. I've updated the ruleset on UFies.org though, but please check your spam boxes if you use SA for your spam checking.

Security , UFies.org - Posted by Arcterex at 11:54 AM
November 23, 2009
Thanksgiving Audiobook Giveaway

Found out on TWIT this week that Audible.com is having a thanksgiving giveaway of a free audiobook (no credit card required, but an account is needed) and the selection is pretty good, not just crap ones. Hey, free is free!

Security - Posted by Arcterex at 12:34 PM
New Jailbroke Virus Reminder To Practice Safe Computing

Being that the New jailbroken iPhone worm is malicious, it's another reminder to people who have jailbroken phones that if you can ssh into the phone with username root and password of 'alpine', you really want to change the password, cause everyone knows what it is already.

Security - Posted by Arcterex at 10:48 AM
November 03, 2009
80 percent of viruses love Windows 7

Davey Winder says that 80 percent of viruses love Windows 7, and that a Windows 7 machine without AV software on it gobbled up viruses like a fat kid gobbles up candy on Halloween. Now this was a bit of an unfair test, not installing AV software, but still, the "we're making Windows more secure" mantra has been going at MS for a while now, you'd think that this would be better.

As a note, here is the article that RoundTop mentioned.

Microsoft , Security - Posted by Arcterex at 02:02 PM
October 19, 2009
Beware of SPAM Claiming to Be a UFies.org Update

If you received an email with content similar to the below:


On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.ufies.org.secure.digi1adm.org/ssl/id=70140097714-[youremail]@ufies.org-patch[somenumber].exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator


Please be aware that a) it has nothing to do with UFies and is just a well crafted spam trying to get you to run some random .exe. Don't click it and if there is ever a question, please contact me directly. Also the chances of a server update requiring you to run a .exe on your computer are 0.0%.

Security - Posted by Arcterex at 09:55 AM
October 16, 2009
AVG 9 Free Available

Another Lifehacker note is that AVG 9 Free Now Ready for Download. Though for the first time in years I'm not using AVG and am testing the new Microsoft suite. No word if this AVG release removes some of the annoying "you know you want the non-free version... come on...." popups when using the app.

Security - Posted by Arcterex at 11:49 AM
October 12, 2009
Major Snow Leopard Bug Gaining Notice

I haven't seen much confirmation of this, but I'd be a hypocrite if I didn't point to a story where <screaming alarm voice>a Major bug in Snow Leopard deletes all user data</screaming alarm voice>. It appears to be centered around the guest account, and logging into it, then back into your account deletes all your data (if it's true, Steve Jobs deserves a spanking, cause that's bad), but might also have to do with the way you upgraded to Snow Leopard, upgrade vs fresh install or something. Read the article and watch for news about this, and maybe stop using the guest account until this is all worked out. And maybe switch back to a PC for a bit too....

Apple/Mac , Security - Posted by Arcterex at 09:53 AM
October 05, 2009
10,000 Hotmail Passwords Leaked Online

According to Lifehacker, 10,000 Hotmail Passwords were Leaked Online. Time to a) change your password and b) check the site to see if yours is listed there.

Hey, what happened to one way hashes? Isn't that the way you're supposed to do passwords?

Security - Posted by Arcterex at 01:59 PM
September 29, 2009
Microsoft's Security Essentials Free to Consumers

A sneaky inside source in the Microsoft world pointed me to uhm... well, already public information about Microsoft Security Essentials, which will be available to the public tomorrow, free of charge. MSE is Microsoft's integrated anti-malware, anti-virus solution, which I'm sure that McAfee, Symantec and friends are going to be happy with.

The original version was open to only 75,000 users, but if you knew where to look *cough*softpedia*cough* you could still find the download from the Microsoft site. Now they have announced that it is available now. No fees, no registration, no renewals, no nothing. OMFG, have they done this right? One might argue they should have done it sooner, shouldn't have done it at all, should just fixtheirdamnOSdammit, and the like, but a couple of people that I respect greatly in the security space (including Steve Gibson of the Security Now! podcast have given it a thumbs up (and if you know how paranoid Steve Gibson is, who just recently upgraded from Windows 2000 to XP... though that might take away some credibility :) ) that's quite the endorsement).

I've got this installed on my new Windows 7 install instead of AVG for the first time in years, and so far I can say it hasn't gotten in the way, has warned me of a couple of infected keyge... uhmm... files, and hasn't appeared to suck up too many system resources. I'm giving it a cautious "works for me" so far.

Anyway, Microsoft Security Essentials is out, free, and available for download now. Guess the next step is to wait for the reviews to come out and see what the other experts think of it.

Microsoft , Security - Posted by Arcterex at 08:28 AM
September 09, 2009
Operating a Tor Exit Node

Why you need balls of steel to operate a Tor exit node details some of the things that might happen if you run a Tor exit node. Now personally I'm glad that Tor exists and think that it is an essential part of society/internet/etc, even though some of it's uses are completely unsavory. Still, after reading this I have to applaud the people who do take on the responsibility.

Security - Posted by Arcterex at 07:28 PM
September 08, 2009
Windows Vista/7 Remote BSOD

Saw via slashdot that there's a Windows Vista/7 SMB2.0 Remote B.S.O.D.

"Oops"

Looks like you can send malformed SMB headers at a fully patched Vista/Windows 7 server and "poof", BSOD. I haven't tested this of course, but something to be aware of, I'm sure a patch for this will be coming out RSN.

The saving grace is that SMB2 is probably not going to be a) enabled on a server connected to the net or b) allowed into a corporate LAN from the outside. Still a danger though...

Security - Posted by Arcterex at 03:11 PM
August 20, 2009
Pirate Bay Copy Comes To Life

Torrent Freak points out that the copy of The Pirate Bay that was posted has been brought to life, and is up and running over at btarena.org. Or at least I think it is. Hard to tell. Anyway, the 21G of torrents are up and going and alive and well out in the wild.

Privacy , Security - Posted by Arcterex at 08:20 AM
August 13, 2009
Digsby Crapware

If you're a digsby user, you may want to re-consider after reading this where lifehacker details some of what Digsby has done lately in terms of bundled crapware. Bummer.

Update: Digsby has posted a response.

Security , Software - Posted by Arcterex at 04:29 PM
August 12, 2009
Plausibly Deniable Encryption

Really interesting article over on Slashdot on SEncryption? What Encryption? and discussing how having an encryption program that you can be forced to give up the keys to (or arrested for refusing to) automatically puts you under suspicion, because if you do have some sort of program like TrueCrypt then you must have something to hide. The author goes through the pros and cons of a few different ways, and proposes some interesting ideas of ways for plausibly deniable encryption to become a little bit more mainstream and "normal", and therefor not as much of a red flag that you have evil anti-government subversive videos hidden on your hard drive.

Security - Posted by Arcterex at 02:32 PM
August 10, 2009
The iPhone SMS Hack

Tom's Hardware scored an interview with the author of the iPhone SMS hack, where he explains what the issue was and how he exploited it.

Security , iPhone - Posted by Arcterex at 10:16 AM
August 04, 2009
Mozilla Firefox 3.5.2 Released

Quick note that Mozilla has released Firefox 3.5.2, so if you don't see a "firefox has updated, restart now?" when you get into the office this morning, go to help -> check for updates to get yourself up to date and protected against a couple of security vulnerabilities.

Mozilla/Firefox , Security - Posted by Arcterex at 08:03 AM
July 29, 2009
FBI Raid on UWWWB

Very interesting story about the raid and takedown of UWWWB by the FBI (I had never heard of them before this) from the point of view of the owner. An excerpt:


Here's what happened: March 12th, 2009, at about 5:AM in the morning, my home alarm system went off. I get up to see what’s going on, on maybe 3 hours of sleep, and my wife points out there are two people with flash lights in my back yard. Now, this may not be unusual for everyone, but I lived in a fairly nice home in Southlake Texas, the United States highest per-capita income city for 2008. A very nice community, virtually no crime, and excellent schools. That is to say, I did not live in a shack in the hood, this is nice suburbs, and not where the FBI usually does raids.

Reading the full story it is an interesting tale from a point of view that you don't normally hear, and basically amounts to a huge headache (to say the least) based on the ability for someone to cry wolf and bring the full might of the US government down on someone without that much investigation (at least in this case).

Security - Posted by Arcterex at 12:24 PM
July 16, 2009
NMap 5.0 Released

The sysadmin's best friend, nmap, just got a major version update. The Nmap 5.00 Release Notes have all the details.

Security - Posted by Arcterex at 09:34 PM
June 12, 2009
Windows UAC Vulnerability

I Started Something has video demonstration of a Windows 7 UAC code-injection vulnerability. Source code has been released as well.

Hopefully this will be fixed before the final release sometime in September. Hopefully no one argues that being able to change UAC options silently is a bad idea.

Security - Posted by Arcterex at 03:12 PM
June 02, 2009
New L0phtCrack (v6) Released

Slashdot notes that the venerable IT security tool L0phtCrack has released version 6. 64 bit support, better NTLM password hash handling, and support for rainbow tables are among the improvements.

Security - Posted by Arcterex at 09:02 AM
June 01, 2009
MS Silently Installs Google Extension

Saw via Slashdot that Microsoft Update Quietly Installs Firefox Extension. Technically I'm sure it wasn't silent, and that somewhere buried in the small print it said it was going to do this, but still, that's no excuse. AVG does the same thing to show "safe links" in your google results, and I have the same opinion. Don't F-n do it. Or if you do, have it on a separate page of the install wizard, defaulting to no showing clearly what you're doing. Like Sun does for the google toolbar (or is it yahoo now?) when they do a java update. Well, without the default to No that is.

Security - Posted by Arcterex at 09:29 AM
April 01, 2009
Register.com DNS Servers Down - DOS Attack

So maybe all the conficker hand-wringing wasn't an overreaction.... seem according to the twitters (11) register.com's dns servers are down due to a massive DOS attack.

So if you're website is down (like our companies is) or you're wondering why half the internet is dark, this may be the reason :) Some people are reporting it's back, but with sporadic response from their DNS servers.

Security - Posted by Arcterex at 02:25 PM
February 25, 2009
How the Trial Against PirateBay is Going

We're into the Pirate Bay Trial Day 8 and things are progressing, but not hugely so. Some choice pickings from the entry on torrentfreak:


Kennedy said he qualified as a lawyer since the 70’s but hasn’t practiced recently. He was asked if he understood BitTorrent. Kennedy said he did, but in “very vague terms.” When the defense lawyers asked more detailed questions, about uTorrent for instance, Kennedy said he’d heard of it but had no idea of the details. It was very clear he knew nothing about any remotely technical issues.

If you want to see the real nightmare for the prossecution, check out what happened on day 7:

When asked if he had any network equipment logging exactly what was going on ‘behind the scenes’ of any of his sample downloads, he replied that he didn’t. When asked if he verified in any way during the download process that he had any contact with The Pirate Bay’s tracker, again the answer was negative.
[...]
Then, Nilsson came out to say that he was sure that a majority of the content on The Pirate Bay was copyrighted. However, he had no evidence that supports this claim. The defense lawyers pressed him on this and he had to cave in, “I have no documentation as to the claim that most material is copyrighted. It is just an opinion,” Nilsson said.

Security - Posted by Arcterex at 11:01 AM
August 11, 2008
Vista Security Issues not *that* Bad

Maybe the initial "all of vista's security rendered useless" may have been sensationalist, so says OSNews in their Look at a New Vista Security Bypass.

Security - Posted by Arcterex at 02:03 PM
February 06, 2008
TrueCrypt 5.0 Released

TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X and Linux just released version 5.0, including an OS/X version, a Linux graphical version, and lots of other goodies. Great work guys!

Security - Posted by Arcterex at 08:51 AM
January 10, 2008
Running an Open Wireless Access Point

Here's a Wired article by security guru Bruce Schneier entitled Steal This Wi-Fi


I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

My thoughts on this are twofold if I were to do this (and he has some good arguments on it): 1 - I'd want a 'no wireless' button so that anyone using my wireless is cut off when I'm playing games... nothing sucks like having a high ping for no reason all of a sudden and 2 - I'd probably want to DMZ the wireless so it is separated from the rest of my internal network. Having open wireless is very nice.... it annoys me if I'm wandering into some random building in downtown and want to check my email from my iPod and all the networks are encrypted and not using 'admin and password'. Of course, out in the boonies where I live I doubt there'd be a whole lot of "walk in" traffic as it were :)

Security - Posted by Arcterex at 02:06 PM
October 11, 2007
P2P-ers: Use a Blocklist

Nice article on ars technica saying how you should use a blocklist or you will be tracked... 100% of the time if you're on P2P networks.


# If you don't use a blocklist, you will be tracked. Every one of the researchers' test clients that did not use a blocklist soon connected to an IP address found within those lists. It turns out that 12 to 17 percent of all IP addresses on the network belonged to these blocklisted ranges.

I'd never advocate piracy or copyright infringement, but if you are one of those evil pirates, an interesting read which will make you shutdown your torrent client until you install a blocklist of some sort. The only ones I really know of are:

Anyone know of different/better ones they want to share?

Security - Posted by Arcterex at 08:11 AM
July 15, 2007
Windows Lock/Unlock Via Webcam

Chris Pirillo pointed out some software from BananaSecurity which uses a webcam to recognize your face, lock your computer when you're not there, and unlock it only when it recognizes your face again. Obviously there are some questions about this, like what if I'm wearing a hat, what if it's darker/lighter, how secure is the lock it puts on your computer, and what if I want to use the webcam? Course, it still interest me greatly as the laptop that work got for me has a built in webcam on it...

Security , Software - Posted by Arcterex at 10:12 AM
June 12, 2007
Safari on Windows 0 Day Exploit

If you're one of the fine folks who downloaded the Safari public beta be careful, there is a 0 day exploit out already. Don't think this is in the wild, but definitely potentially dangerous due to bad handling of URI protocols. Hmm... page seems to be dead....

Security - Posted by Arcterex at 09:43 AM
June 05, 2007
GMail PGP/GPG Encryption

Here's a cool little extension for firefox that allows you to Encrypt and sign Gmail messages with FireGPG.

Security - Posted by Arcterex at 09:12 PM
May 29, 2007
Complete Firewall on a USB Key

Now this is supercool! Via slashdot (discussion) comes a Windows firewall squeezes on a USB key. The "windows" part of is is a bit of a misnomer though, it's actually a firewall running linux as the core and a bunch of security applications on top of it, but currently it only works when plugged into a Windows host.

It sounds like the system grabs network traffic as it comes into the windows host, does the happy-happy firewalling stuff, then passes things back to the host. Linux and Mac drivers are planned.

Check the screenshots midway through the article too, very sexy graphs!

Hmm.... firewall on a small host, I wonder where I've heard of those before? :) If anyone remembers the cool project the dot-com I was part of that created the firecard, we did something similar, or at least, kinda similar. At the time we used RJ45 jacks (like Yoggie Systems' previous version) and we were on a PCI card instead of a USB key. OK, maybe not that similar then....

Security - Posted by Arcterex at 03:38 PM
April 03, 2007
GPG In GMail

FireGPG Is a easy way to use GPG easily in GMail.

Security - Posted by Arcterex at 08:38 AM
March 26, 2007
Wireless Security Myths

George Ou posts about Wireless LAN security myths that won’t die. A nice breakdown of what'll get you the most bang for the buck.

Security - Posted by Arcterex at 01:23 PM
March 21, 2007
New TrueCrypt Released

Slashdot announced that TrueCrypt 4.3 was Released. Fun new features are 32/64 bit Vista support, ability to load it onto mp3 players, and auto-dismount in addition to the fun stuff like hidden volumes, plausible deniability, "traveler mode", and other fun stuff. Check it out at http://www.truecrypt.org/

Security - Posted by Arcterex at 10:16 AM
March 20, 2007
BitLocker vs FileVault OS Disk Encryption

Lifehacker takes on a comparison of two of the major disk encryption systems available and puts them in a bloodthirsty cage match. OK, maybe not quite.... however, the OS Encryption Showdown: Vista's BitLocker vs. Mac's FileVault is a good primer as to what's available and the up and downsides. Read the article to see who wins!

I'm disappointed that Linux doesn't have an offering here. Actually, I'm disappointed Linux doesn't have a user friendly offering here. Linux has had disk encryption for a while now, it just hasn't had the friendly frontend that OS/X and Vista have put on it, and instead make the user resort to typing in cryptic commands like dd and cryptsetup and dealing with terms like 'loop-AES' and 'LUKS'.

Security - Posted by Arcterex at 10:06 AM
February 13, 2007
OS Security Feature Matrix

Speaking of Vista, here's a link to a OS Security Features Chart over on Matasano Chargen's blog. Interesting, though I wonder how targeted this was at Vista. I'd like to see something similar for Linux (ie: grsec, selinux, and friends).

Security - Posted by Arcterex at 04:42 PM
February 11, 2007
Security / Anarchy Download of the Day: DemocraKey

Found this one on LifeHacker.... a nifty portable app for your ipod (works fine on a USB key though) called DemocraKey.


Imagine carrying a portable security suite with you wherever you go. Walk up to any computer, quickly scan it for viruses, and then defeat any internet access blocks to view any website you want anonymously. It’s here, and the DemocraKey 2.0 Lite let’s you have it on your iPod.

You can use it either to access the freedoms and justices you deserve from inside a repressive state, or surf porn from school, whichever one floats your boat :)

Security , Software - Posted by Arcterex at 03:55 PM
January 25, 2007
The Perfect Password?

Another forgetfoo post is a link to Neomeme on Generating the Perfect Password. How about "ppearsfweocrtd" ?

Definately an interesting idea, and anything that encourages users to have better passwords and better security makes everyone happier!

Security - Posted by Arcterex at 03:58 PM
January 22, 2007
Quick and Painless VPN Setup

Darren pointed me to an article on Lifehacker on setting up Hamachi, what looks like a nice and quick VPN tool. Not exactly the industry strength stuff you would want to connect your satallite offices (for that you'd probably go openvpn or freeswan), but for getting into friends machines for maintenance, or a quick an dirty connection to surf pr0n from home from work it sounds like the way to go. Win/Linux/Mac as well which is nice.

Security - Posted by Arcterex at 01:31 PM
December 03, 2006
Encrypted Devices Under Linux HOWTO

Found a good tutorial on how to Encrypt devices using dm-crypt and LUKS.

Linux , Security - Posted by Arcterex at 06:27 PM
June 01, 2006
Hard Drive Encrypting Virus Cracked

If you've been hit by the ugly virus that encrypts all the files on your hard drives and then extorts you for cash, you're lucky. The article states that the virus has been cracked and that the password you need is: "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw".

Fun times :)

Security - Posted by Arcterex at 03:15 PM
Calling all Windows Security Experts... Firewall Dashboard 1.1 Now Available

I know I rag on Microsoft, and Windows security, but at least there are those out there doing something about it. My ex-boss, ex-coworker and good friend Dana has just released version 1.1 of Firewall Dashboard. New features include:


  • Import/export of config for deployment to multiple machines
  • A new plugin to aid in remote monitoring for managed service providers
  • New reports and the usual array of bugfixes and tweaks

For those of you who don't know what Firewall Dashboard is, it's a firewall log report creation tool for Windows firewalls. Probably pictures speak louder than words, so just hit the screenshots.

Microsoft , Security , Software - Posted by Arcterex at 08:47 AM
February 20, 2006
Denyhosts Tutorial HowtoForge has a nice tutorial on Preventing SSH Dictionary Attacks With DenyHosts. This is the program I installed last week on UFies and it seems to be working just fine. So far I have 37 IPs blocked, and my SSH attempts are down to under 100 to over 20,000 per day :)
Security - Posted by Arcterex at 10:39 AM
October 24, 2005
Test mod_security Just installed mod_security in anticipation of using it on UFies, please let me know if you see anything wierd.
Security - Posted by Arcterex at 06:26 PM
July 28, 2005
Worried About New Windows Activation Checks? Don't Be. Recently MS has said they are going to start doing checking for piracy when doing a windows update. Worried? Don't be, the system was cracked in 24 hours using a simple line of javascript. Maybe all that integration of IE is a good thing!
Security - Posted by Arcterex at 10:25 AM
February 08, 2005
Spam Blocking with Postfix Kasia points to how to block spammers with Postfix HELO controls. Going to see if this'll work on UFies.....

Update ... ok, implemented more strict helo rules for the site... ie: you can't use 'helo ufies.org' when connecting to my mailserver unless you're legitimately ufies.org. Here's hoping...

Security - Posted by Arcterex at 09:26 AM
January 26, 2005
Movable Type Exploit Fixed A Movable Type Vulnerability has been patched with the lastest version. Everyone who has a blog on ufies please make sure you upgrade ASAP (there is also an upgrade in the form of a plugin for ease of update.
Security - Posted by Arcterex at 03:47 PM
January 17, 2005
Debian Updates Gallery For Security Issue Thanks to Dana for pointing out Debian just today released an update for this Gallery security hole.
For the stable distribution (woody) these problems have been fixed in version 1.2.5-8woody3.

For the unstable distribution (sid) these problems have been fixed in version 1.4.4-pl4-1.

We recommend that you upgrade your gallery package.

I'd assume all ya'll have already updated this, but if you're in debian, make sure you do your apt-get updates early and often!

Security - Posted by Arcterex at 09:12 AM
January 02, 2005
Adaptive Firewalls with Snort and SnortSam I was browsing around some stuff for setting up Snort on my network and came across a link to SnortSam, which lets you modify your firewall based on Snort IDS rules. I'm thinking this will go a long ways towards setting up a way to kill off some of the comment spammers. IE: set up a rule that will detect if someone tries to hit mt-comments from the same IP more than say, once per second and then block them for an hour (or send a pingflood back to them, with a big "screw you spamming asshole" written on the nose, whichever you prefer :)
Security - Posted by Arcterex at 10:57 AM
December 21, 2004
New MovableType Release Addresses Spam Load Issues The new Movable Type 3.14 apparently addresses the load issues that have come up from comment spammers attacking system and driving up the load on the server.

I've blogged about the problems I've had with this. So subtle hint to all of you guys with MT3 on the UFies.org server, please upgrade :)

Security - Posted by Arcterex at 12:05 PM
December 06, 2004
Secure Password Creation Neat tip to one of the redhat lists on creating secure passwords using a tool called mnencode.
Security - Posted by Arcterex at 08:21 PM
October 22, 2004
More Linux vs Windows Security The Reg has a long Windows vs Linux report. Linked from /. (discussion), and it seems to take into account things like damage potential, ease of exploitation, size of deployment, busting some myths, etc. I haven't had a chance to read the entire thing yet, but while the Reg isn't the biggest MS fan in the world, I trust their reporting a bit more than Microsoft's "facts" somehow. But hey, I'm biased as well.

I guess the problem is that no matter who does the reporting and comparing they'll have some link to something, or someone will dig up that sometime around 1992 someone in the organization mentioned that "this microsoft thing is kinda cool" and therefor is biased, or they have a linux server so they can't possibly report fairly.

It's also the right tool as Dana is constantly saying, but there are definately crossovers in between linux and windows as far as the tools that are available for both. Anyway, recommended reading of course, and the /. discussion I'm sure will be full of intelligent and calm discussion :)

Security - Posted by Arcterex at 11:37 AM
BSD IDS There is a new Intrusion Detection System for FreeBSD. The thesis is available. From the email to the IDS list:
The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired by the SpamAssassin program, which detects spam by applying a set of tests to every email message and counting a sum of point score generated by each test. My IDS system applies a set of tests to every running process in the OS and counts its score generated by the tests. Therefore, the purpose of the IDS is not to monitor the network traffic, but rather to monitor the process activity.
Security - Posted by Arcterex at 09:28 AM
October 12, 2004
MS Users Start Your Upgrades! As seen on slashdot, it looks like a whack of new updates for windows have been posted to the Microsoft technet update page. Included in the goodness are Shell, NNTP, SMTP, Zip, and a few others. Doesn't look like it's on windows update yet, but you can download the hotfixes from the linked page. Not all these affect all versions, and in a couple of cases it looks like you're safe if you are running xpsp2, but not all.
Security - Posted by Arcterex at 04:39 PM
July 13, 2004
Snort, MySQL Acid Guide for Gentoo Link for self: Complete guide to Snort, MySQL, and Acid on gentoo from the forums.
Security - Posted by Arcterex at 12:30 PM
July 08, 2004
Microsoft only Half Patches (again) Shocking as it may seem, apparently the patch release by Microsoft a few days ago to patch a serious hold in Internet Explorer only addressed the immediate problem, and left users open to another closely related security hold. Full story here. Isn't this the same thing that happened with WinNuke back in the day?

Maybe this is the sort of thing that they need to NOT do to increase shareholder value.

Security - Posted by Arcterex at 12:15 PM
June 16, 2004
Retractable Email Big String is an email service which claims that it lets you recall, erase, and time out email. I'm interested in how they claim to do this (or how they plan to reach into my /home/alan/Mail/inbox spool file and delete chunks of data. Sadly the "Free trial" requires a credit card number. Anyone have any experience with this, or know someone with this service?

Ah, they link to a server that stops serving the images/files after you decide. Stupid and lame, figured so.

Security - Posted by Arcterex at 05:01 PM
June 04, 2004
Gallery Users Time to Upgrade Gallery users will want to upgrade to the latest version ASAP. Apparently there's a new exploit that's out or almost out that I was alerted to, and people outta get their systems up to date.
Security - Posted by Arcterex at 03:09 PM
May 30, 2004
Another Comment Spam Killing Solution While MT-Bayesian isn't perfect, it could have some advantages over mt-blacklist. For those of us who were caught over the weekend by the comment spam zombies and had to (in my case) clean 1200+ comments out, this might be something worth looking at. If you are running mt-blacklist don't forget to upgrade to the latest version and to import the master blacklist file.
Security - Posted by Arcterex at 10:33 AM
May 19, 2004
Google takes a stand on spyware.... Google's software principles basically say "don't screw over the customer". This isn't going to stop spyware bastards from doing their dirty work, but it is nice to see that someone is thinking of trying to start a trend towards making your computing experience safe.
These guidelines are, by necessity, broad. Software creation and distribution are complex and the technology is continuously evolving. As a result, some useful applications may not comply entirely with these principles and some deceptive practices may not be addressed here. This document is only a start, and focuses on the areas of Internet software and advertising. These guidelines need to be continually updated to keep pace with ever-changing technology.

Read it all here. Via Scripting.com.

Security , Software - Posted by Arcterex at 01:20 PM
May 12, 2004
Some OS Myths Debunked There's a good series of articles over at OSNews.com on Common OS Myths Debunked. Not all Linux friendly and not all Windows friendly. I don't agree with all of the writers opinions, but so far it seems to be pretty brually honest. For example, when talking about the "myth" that windows is bad for the server the author says (after agreeing that the myth isn't a myth at all):
s more effectively, than on a Linux system where the web server is running "far removed from the OS." I am no security expert but if you tried to sell your web server to the Linux community on the basis that it "works in kernel space instead of user space!" you would be laughed out of the room, and possibly the state.
It's a good read, both to take stock of your own misconceptions as well as to get some ammo when talking to people who insist that "X is better than Y for Z".
Security - Posted by Arcterex at 11:24 AM
April 06, 2004
Statement of GNU/Linux Security Debian, RedHat, Mandrake, SUSE and Mandrake have released a Joint Statement about GNU/Linux Security in response to a report on Linux security. Basically it points to flaws in the original reports methodology (considering every vulnerabilty as having the same danger), and says that closer investigation of the reports conclusions should conducted.

This has always been one of the problems with examining security between Windows and Linux (or any different OS)... high profile or low profile, root exploits, local, remote, etc all come into play, and you rarely see a comparision where all these factors are taken into account.

My way of looking at it is how comfortable would I be putting a box of either type connected directly to the internet without a (separate) firewall? Hint. Not windows :)

Security - Posted by Arcterex at 03:18 PM
March 12, 2004
Blocking Mail Liars Good thread on the postfix-user email list on How to ban spam pretending to be from my domain. Some good configuration options for the postfix users out there.
Security - Posted by Arcterex at 10:05 AM
February 27, 2004
SCO and Darl - What Drugs are They On? In an open letter, Darl McBride determines that the GPL and open source software is, among other things, a threat to US security. Evil doubleplus bad people in other countries can obtain "their" intellectual property for free over the internet (even from countries they as good wholesome apple pie eating Americans would never sell to) and use the technology to build a virtual supercomputer in short order. This supercomputer would no doubt be used to create more weapons of mass destruction, without giving SCO their just desserts, and kill puppies.

I'm convinced that you have to be on some really good drugs to reach these conclusions.

Security - Posted by Arcterex at 09:33 AM
February 25, 2004
Log Watching In the "to do later on when I have time" category comes the Central Loghost Mini-HOWTO with some good info for syslog-ng, swatch, and the like. Also here is the Gentoo security guide which is another good resource.
Security - Posted by Arcterex at 11:48 AM
February 16, 2004
Spyware Oh My If you ever needed more of a reason not to run IE and Outlook, this is it.
Security - Posted by Arcterex at 07:47 AM
February 08, 2004
Postfix MyDoom Fixes There is someone's body_checks file available for postfix users to help squash the MyDoom virus (thanks again microsoft!). You can put this into your postfix setup by adding the following line to main.cf:

body_checks = regexp:/etc/postfix/body_checks
with the body_checks file being something like what is posted in the link. In theory it should work :)

Anyone know of a good integrated virus checker for postfix like qmail has?

I've added some body_checks onto the ufies.org mail mail system and it's catching stuff already, which is good. If you're losing mail let me know though :)

Some good procmail magic is also available here.

Security - Posted by Arcterex at 02:53 PM
January 28, 2004
Spamassassin Rules of the Day Lately I've been seeing Spamassassin's accuracy go down and down and down. A message on the gentoo-user list pointed me to the Spamassassin Wiki and in particular the Rules Du Jour page. Basically new rules to help deal with the constantly changing battlefield of fighting spammers that you can download whenever suits you (or via a handy cron entry) and in theory SA's accuracy will go up.
Security - Posted by Arcterex at 08:54 AM
January 20, 2004
Better Spam Fighting? The CRM114 Discriminator - The Controllable Regex Mutilator - better than Spam Assassin? Anyone using this? Via random($foo).
Security - Posted by Arcterex at 10:59 AM
December 02, 2003
Buy Security From Microsoft Dana's security blog has a pointer to an article which notes that Readers Wouldn't Buy Security Products From Microsoft. I'm in total agreement. Lots of interesting comments on this one, with many good points. As I noted elsewhere, Microsoft can't write a word processor that isn't vulnerable to attacks and viruses, why should people trust them to write security software. They write user friendly OSs and decent applications, but much as they'd love to sell you otherwise (and I'm sure they will be telling people how wonderful a security company they are as much as they are starting to hype Longhorn), they should stay out of the security market.

Sadly, they probably won't, and will go in with all their resources, marketting, bloggers and programmers and probably squeeze some of the security vendors out of the market (ie: zonealarm) as they try to sell us on the "no, you can trust us this time" marketting hype that's no doubt coming.

As Dana noted they have a chance with Longhorn to prove they can create a secure OS. It'll be here in 2006 (or later), so you can see that as either a huge opportunity for security products and/or alternative OSs to jump in, or sad because the people that are being hit by viruses and worms aren't the sort of people that do anything to their OS from the time they buy their new computer (ie: the stereotypical mom, dad, granny and grampa).

Security - Posted by Arcterex at 09:46 AM
November 27, 2003
Bug In MS Exchange 2003 Anyone running an Exchange server might want to take note of it's latest flaw. "[...] a person can gain unauthorized access to another users account."

What makes this even funnier to me is that not that long ago I read someone comment on a blog somewhere (might have been on scoble) saying that exchange was "invaluable" to them. People run exchange on purpose? Why? Anyway, I resisted responding at the time. Guess this is a good response though :)

Security - Posted by Arcterex at 04:26 PM
October 31, 2003
3D NMap Very cool.... Scanmap3D is a java program that displays nmap information in a 3d format. The screenshots look pretty nifty. Also check out nmap3d which is I assume, a similar program (though no screenshots so I can't assert it's niftyness).
Security - Posted by Arcterex at 11:50 AM
May 21, 2003
Virus Myths Good article on Windows, IIS and Exchange myths from security focus. Thanks to < a href="http://members.shaw.ca/barrygray/">Bear.
Security - Posted by Arcterex at 12:28 PM
May 12, 2003
Top 75 Security Tools The top list of 75 Favorite Security Tools. Good stuff.
Security - Posted by Arcterex at 09:59 AM
April 23, 2003
New Outlook Worm Apparently there is a new outlook worm going around that is exploiting SARS fears. Standard rules apply, don't open .exe files in your mail. Ever.
Security - Posted by Arcterex at 10:58 AM
January 17, 2003
Analysis of a Compromised Honeypot Fascinating article entitled Analysis of a Compromised Honeypot, which gives an interesting look into how script kiddies and crackers think and operate. Via the honeypots mailing list.
Security - Posted by Arcterex at 02:32 PM
December 15, 2002
Mitnik's Missing Chapter Mitnick's 'Lost Chapter' Found is a wired story about how Kevin Mitnik's book, The Art of Deception, had it's first chapter (detailing his early life and some issues he has with Markoff's famous NYT front page story) pulled at the last minute. Seems that the chapter made it to the internet, and it is quite a good read. I wouldn't mind picking the book up either.
Security - Posted by Arcterex at 11:49 AM
November 19, 2002
IE Exploit One more reason not to surf with IE.
Security - Posted by Arcterex at 05:17 PM
October 29, 2002
E-Card Trojans This securityfocus story shows one more reason why you should use a browser that is non-activeX. There's a nice (and authentic-looking) trojan that poses as an e-card greeting requiring you to install a greeting card plugin that feeds porn ads to you.

The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.
Security - Posted by Arcterex at 01:50 PM