As the first comment says, time to look for a new anti-virus if you’re on windows and care about your privacy.
When investigating an incident that involved domain redirection and a suspected tech support scam, I recorded my interactions with the individual posing as a help desk technician and researched the background of this scheme. It was an educational exchange, to say the least. Here’s what I learned about this person’s and his employer’s techniques and objectives.
Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins. Keep your fingers on that update button folks.
Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the addqueryarg() and removequeryarg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.
The Bitcoin miner was quickly suspended until further notice. Based on the negative backlash from users it was recently announced that the “offer” would not be reinstated.
Guess we’ll see…
Jeff Atwood digs deep into security, bugs, and perceptions and misperceptions in Given Enough Money, All Bugs Are Shallow.
Last Week Tonight with John Oliver has a fantastic segment on Government Surveillance, including an interview and some amazing footage. Here’s the embedded:
Regardless of what you think of Snowden, this is a fantastic bit of video, and an amazing interview.
TorrentFreak reports that uTorrent Quietly Installs Cryptocurrency Miner
The complaints mention the Epic Scale tool, a piece of software that generates revenue through cryptocurrency mining. To do so, it uses the host computer’s CPU cycles.
The guys at uTorrent say they’re not aware of any issues, but if you’ve noticed that your uTorrent-running-computer has been running more lately, it’s something to look at for sure.
How I Hacked Your Facebook Photos is the story of how a ridiculously simple “hack” let you delete anyone’s photos, public or private, from facebook.
I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.
Kudos to the fast response from Facebook in fixing this.
Looks like up here in the frozen north we were feeling left out, luckily we now know that the Canadian Government Spies on Millions of File-Sharers, so we can be just like the big boys in the US.
That assumption has today been blown completely out of the water amid revelations that Canada’s top electronic surveillance agency has been spying on millions of downloads from more than 100 file-sharing sites.
A fascinating article on how Edward Snowden Taught Me To Smuggle Secrets Past Incredible Danger:
On May 13, after creating a customized version of Tails for Greenwald, I hopped on my bike and pedaled to the FedEx office on Shattuck Avenue in Berkeley, where I slipped the Tails thumb drive into a shipping package, filled out a customs form that asked about the contents (“Flash Drive Gift,” I wrote), and sent it to Greenwald in Brazil. He received the package two weeks later, it having been delayed in transit, for what I believed to be bureaucratic rather than nefarious reasons, and the blue thumb drive actually made a cameo appearance in “Citizenfour.” For a technologist, this was a dream come true.
Great look at Apple Pay and what’s behind the secure payment system. Pretty in depth look with a lot of great info here.
With Apple Pay, no credit card data — even in encrypted form — is ever stored on the iPhone or on Apple’s servers. Similarly, no credit card data is ever transmitted to or stored on a merchant’s servers.
When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it’s safely stored within the iPhone’s Secure Element.
Apple has released an OS X Bash Update to address the recent “Shellshock” and “Aftershock” BASH bugs.
Well, this isn’t good. Akamai security researcher Stephane Chazelas has discovered a devastating flaw in the Unix Bash shell, leaving Linux machines, OS X machines, routers, older IoT devices, and more vulnerable to attack. “Shellshock,” as it’s been dubbed, allows attackers to run deep-level shell commands on your machine after exploiting the flaw, but the true danger here lies in just how old Shell Shock is—this vulnerability has apparently been lurking in the Bash shell for years.
Really great overview of the iOS 8 Privacy Updates, if you’re interested in that sort of thing.
Fishing for Hackers: Analysis of a Linux Server Attack is a pretty fascinating look at the analysis and recreation of an attack on a vulnerable Linux server.
The Verge says This is the most secure computer you’ll ever own.
OpenSSL Valhalla Rampage is a great, uhm, rampage through the OpenSSL source code, and ripping it apart a bit at a time. From their site:
Tearing apart OpenSSL, one arcane VMS hack at a time.
The awareness recently on OpenSSL has been a great catalyst to look at some of the “but it’s there and it works” for some of the most used Open Source software.
Apparently the encryption malware Bitcrypt has been broken. Here’s a fascinating look at the analysis required to figure out the virus and reverse engineer it.
With such factors, we could build a Python script implementing all the cryptographic operations to decipher the encrypted files, and save the precious pictures. Such a Python script is available on our bitbucket repository.
Ahmed Shihab-Eldin writes Why I Hate Coming Home to America:
Like all Americans (and every human being for that matter), I want to be safe. But I can’t help but question the efficacy of our national security policy, including the practice of detaining U.S. citizens because something (never specifically explained) about a name or person’s identity is said to match that of someone somewhere in the world who is deemed to pose a threat to America. How close is the match? What aspects of one’s “profile” are searched for a match? None of that is ever explained.
Read the whole piece… Ahmed is very aware of the “safety” of screening and all that crap, but come on, WTF guys. Why can’t you just say “we’re going to discriminate against brown people because they’re brown… oh, and anyone with a funny terrorist name” and have it out in the open, instead of pretending that they were randomly selected, or a profile match, or whatever excuse that isn’t “you look like the people who attacked the US on 9/11 so we’re going to fuck with you”.
Suddenly had extra ads, popups, and new search results show up and your virus and spyware scanner reports everything as a-ok? It might be to do with the report from Ars on Adware vendors buying Chrome Extensions and updating them with spyware. Because Chrome extensions update silently, and are out of the scope of spyware and virus scanners, it’s a great new vector to use for scammers and advertisers. Other things:
Something to be aware of. If google was smart they’d either add in some sort of spyware checking, or add a notification to the user on either extension ownership change, or a more obvious changelog.
Sorry, RSA, I’m just not buying it is the title of the latest blog from Kevin Mitnick, noted security expert. If you haven’t kept up, revelations came to light lately that security company RSA took $10 million from the NSA to deliberately weaken / backdoor their RSA cryptography, and RSA denied it, kinda. Mitnick basically says “nope”, but in a much more elegant way.
Great job by John Koetsier in his latest article all about this crowdsourced anti-NSA video. Worth the watch.
Apple details Fingerprint Sensor/Touch ID security as well as a bunch of other questions answered.
Via the Wall Street Journal, an Apple spokesperson fleshes out some of the finer details surrounding the fingerprint sensor and Touch ID. To use Touch ID, it is mandatory to also set up a passcode. This acts as a fallback in case the fingerprint sensor fails temporarily or experiences a permanent hardware fault. iOS may necessitate a passcode under some other conditions, as well.
Assuming that you believe them, and don’t think they’re a front for the NSA to get everyone’s fingerprints as well as location, contacts, etc (the iPhone does seem to be the phone of choice for terrorists), this is good news.
At least according to Issue 57560:
The “Back up my data” option in Android is very convenient. However it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.
Ignoring the implications of google knowing yet another bit of information about us, or the tinfoil hats when you combine this information with the previous scandal with them capturing and saving encrypted wifi data from the street view cars, where are the pitchforks? If Apple did this, there’d be a class action lawsuit already (even if the story was completely different, it’d be filed purely on the headline).
Jay Z’s ‘Exclusive’ Album Release Triggers a Piracy Bonanza at TorrentFreak.
I’m not sure if this will be a good or bad thing for Mr. Z.
A big X.Org Security Advisory yesterday:
Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org’s security team to analyze, confirm, and fix these issues.
Fixes are underway already, and it sounds like (to someone not hugely versed in deep x.org code) the issues aren’t going to affect the normal linux user running behind a firewall, but if you run unchecked code from untrusted sources locally (or allow other users to connect to the X.org port remotely), be careful. Keep up to date with updates and make sure your system is patched over the next week or two.
BitTorrent Inc. has opened up its Sync app to the public today. The new application is free of charge and allows people to securely sync folders to multiple devices using the BitTorrent protocol. Complete control over the storage location of the files and the absence of limits is what sets BitTorrent’s solution apart from traditional cloud based synchronization services.
Yesterday, a group named HTP claimed responsibility for accessing Linode Manager web servers, we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.
The IRC transcript is interesting as well.
The Pirate Bay blogged this morning about a new chapter in their interesting history:
We believe that being offered our virtual asylum in Korea is a first step of this country’s changing view of access to information. It’s a country opening up and one thing is sure, they do not care about threats like others do. In that way, TPB and Korea might have a special bond. We will do our best to influence the Korean leaders to also let their own population use our service, and to make sure that we can help improve the situation in any way we can. When someone is reaching out to make things better, it’s also ones duty to grab their hand.
Very interesting turn of events… what do you think about this?
Update - I’m kinda disappointed that it was a hoax :(
Nice look from ZDNet of how Oracle installs deceptive software with Java updates.
In the background, the Ask toolbar installer continues to run, but it delays execution for 10 minutes. If you are a sophisticated Windows user and you missed the initial checkbox, your natural instinct at this point would be to open Control Panel and check Programs and Features. When you do, you will see that only the Java update has been installed. You might also check your browser settings to confirm that no changes have been made to your settings. You might conclude that you dodged a bullet and that the unwanted software wasn’t installed.
But you would be wrong. The Ask installer is still running, and after waiting 10 minutes, it drops two programs on the target system.
I knew about having to opt out of the toolbar crapware, but some stuff in there I am amazed that they get away with.
Short version: there’s almost no reason to use Java, so don’t install it. Ever.
Running a Ruby on Rails site, you may want to know about the Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156). The link includes links to patches if you can't upgrade ASAP.
Scorpion Software, a noted security company from Chilliwack, has a good article on their blog on testing your password security, including a free whitepaper.
From JWZ passed on by my buddy @halkeye: Bypass full-disk encryption and passwords on any powered-on computer via Firewire.
The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any machine you have physical access to. […]
Well of course, any machine you have physical access is kinda screwed, unless you use some sort of encryption like ….
It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. […]
Kinda scary, but the circumstances needed (powered on, has firewire, physical access, etc) make it not needing to run around screaming just yet.
Kim Dotcom says Mega Will Turn Encryption into a Mass Product and revealed some details today, like it will use military grade encryption, and the file manager screen.
Why Offline Privacy Values Must Live On In The Digital Age is a very cool story from TorrentFreak about what the similarities and differences are between digital and analog privacy are, and why they matter.
First, the letter was anonymous. You, and you alone, determined whether you identified yourself as sender on the outside of the envelope for the world to know, on the inside of the letter for only the recipient to know, or didn’t identify yourself at all when sending a letter. This was your prerogative.
In the article Outlawed by Amazon DRM, probably the worst of all cases of DRM is exposed. This is the sort of thing that gets your Open Source friends will use as a prime example of why DRM is bad, and quite frankly, they’re right.
The short version is a friend of the author had her Kindle wiped and her Amazon account closed with no explanation and no recourse. Talking to Amazon was like talking to a brick wall in terms of either a) getting it reversed or b) figuring out why.
Not cool Amazon, not cool at all.
I head that GoDaddy was down today and figured it was just another blip, but after reading the article on TechCrunch that GoDaddy Outage Takes Down Millions Of Sites, Anonymous Member Claims Responsibility my response is now “ouch”. Their twitter @godaddy indicates the level of panic going on over there right now. Really interesting to find the story behind this.
Hows this for starting the news cyle for the new school year with a bang? Ok, so what seems like has happened. FBI has a huge list of Apple iPhone UDID (unique phone identifiers) along with names, device types, and other personal identifiable information. FBI has this on a laptop. Hacker hacks into laptop and retrieves said information. Anonymous then leaks this information to the web.
Hacker news has the story: AntiSec leaks 1,000,001 Apple UDIDs, Device Names/Types, along with others.
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTAiOSdevices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Obviously a few questions come up. Why does the FBI have this information? Where did it come from? What (if any) connection does Apple have? Is it legit? Does this mean that the FBI is actively tracking users, or just gathering device information? Are these American citizens, non-Americans, or maybe just racially profiled iPhone users?
It’ll be interesting for sure.
Via the nmap hackers mailing list (and Gruber): Nmap Hackers: C|Net Download.Com is now bundling Nmap with malware!
People still use download.com?
Problems with Microsoft Security Essentials and it identifying chrome as malware and nuking it from computers.
Oops, very inconvenient for the user, strangely convenient for Microsoft. Completely unintentional I'm sure.
Good stuff from Lifehacker on how Facebook Is Tracking Your Every Move on the Web and How to Stop It.
Showing I'm not a completely blind apple-fanboy, looks like this is a big oversight from Apple: Lion permissions oversight lets non-admin user to change other account passwords.
Pretty awesome guide to Reverse Engineering Mac Defender for people interested in such things.
Interesting story of a Man using Prey to track his stolen MacBook Pro hundreds of miles.
LastPass : The last password you'll have to remember: LastPass Security Notification in case you hadn't heard already. The guys on the TnT podcast do a good job talking about this as well (the 5/5 episode).
So if you're worried about Dropbox not being as private as you were led to believe, you might want to check out SecretSync - Client-side encryption for Dropbox. Basically it creates a folder that will be encrypted on the client side before it's synced up to dropbox, and only accessible to you. Windows only, but mac and linux clients coming soon.
Note: I have no idea if this has been tested or verified by anyone, for all I know installing this program could sell your secrets to the Russians and talk to your mother dirty. Just sayin'. Thanks Bryan for the link.
Not sure how old this is, but check out the Creepy app. It will scrub the internet for location data for a given twitter or flickr ID and display it all in a nice map for you. Good reason to start removing those geotags from your images and social network data. Think about this as doing for location data what Firesheep did for https security.
Cool article on Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else. Short story: Many free themes hide spammy links or potentially evil code in them.
Interesting project.... ESFS, the encrypted steganography filesystem, implemented (currently) entirely in Python.
A great link from @spolsky to a checklist on what to do if your server has been hacked. I'm sure there are other things, but it's definitely a good place to start, and the users on Server Fault know what they're talking about.
Marco.org warns of The Asian domain-name extortion scam. Pretty similar to a bunch of similar scams, and now you've been warned (assuming the email doesn't get caught up in your spam filter of course :)
Must plug my good buddy Dana and his company Scorpion Software's premier episode of a podcast called "Five by 5".
I am pleased to announce that we are launching a new webisodic series called "Five by 5" to do just that. It will be a weekly to bi-weekly web based show covering the tips, tricks and tactics to use when considering how to secure remote access to information.
TrueCrypt 7.0 has been released. Hardware acceleration, a new auto-mount type is added, and various other tweaks.
Adobe updates Flash against security flaw - but watch out for the extras. Seriously? A company as big as Adobe has to do this crap?
Sneaky, that - trying to get you to install McAfee Security Scan Plus when all you actually want is an update of Flash.
I can understand if you're a small company trying to get a bit of extra revenue from installing crapware like the Ask toolbar, etc, but Adobe seems a bit big to do this sort of thing. The only justification I can see is that they are truly concerned about user's security and feel they aren't going to listen to a "hey, you know you should have an AV program installed" type message, and figure it's better to just shove AV software down their throats. I pity the IT workers that are going to have to deal with uninstalling this or dealing with conflicts or other really bad things resulting from users randomly installing things on their computers.
WIth all the recent Facebook privacy issues, you'll definitly want to check this lifehacker article on how to Block Sites from Using Your Facebook Login with Adblock Plus. Yet another reason to use AdBlock plus! (please click on the ufies.org ads though of course! :)
ReclaimPrivacy.org is a Facebook Privacy Scanner which will scan your facebook settings for you and show you any issues with it, and give a one-click fix to fix them.
With the backlash against Facebook lately, this is a great looking tool that works nicely. The only complaint I have is that it will just fix the issues with one click, without actually telling you exactly what it's doing, in case you were wanting to keep it that way, or tweak it. Still, perfect for your mother/sister/kids/grandmother who you don't want to accidentally share out a bit too much!
The NY Times has an infographic on Facebook Privacy: A Bewildering Tangle of Options which maps out some of the head-shake-inducing privacy options and mis-steps that are in facebook today.
We looked at the (latest) 4Chan Time Top 100 hack a while back, now there's a good video from time.com itself: When 4Chan Gamed the TIME 100.
To turn this off, log into facebook and then:
5 Steps through pretty nonspecificly named menus, to get to an option that a) gives your details to advertisers and b) defaults to on... sorry Facebook, but that's pretty evil. Of course, they know if they default it to 'off' no one would ever turn it on, so they wouldn't make their next bazillion dollars from our personal information to other big companies.
Funny story over on RailsInside about how a Gorgeous Blonde (Who's Not DHH) Takes Over Official Rails Sites. Looks like @DHH got the domain issue fixed up now though, and all seems to be back to normal.
Not that I'd advocate this of course, but the Crash jQuery Plugin is there to use if you need to for some reason.
Seriously though, crashing someone's browser isn't cool, cause lets be honest, the people that are still running ie6 are either a) people like your grandmother who doesn't know any better, or b) people have have to because they work with some sort of antiquated company or software that requires it.
Course, these people aren't going to be surfing to sites that will have jQuery enabled anyway....
Look like there is a bug in Spamassassin in the check for "dates grossly in the future" which defines among other things, 2010 as "grossly in the future". The details are here. I've updated the ruleset on UFies.org though, but please check your spam boxes if you use SA for your spam checking.
Found out on TWIT this week that Audible.com is having a thanksgiving giveaway of a free audiobook (no credit card required, but an account is needed) and the selection is pretty good, not just crap ones. Hey, free is free!
Being that the New jailbroken iPhone worm is malicious, it's another reminder to people who have jailbroken phones that if you can ssh into the phone with username root and password of 'alpine', you really want to change the password, cause everyone knows what it is already.
Davey Winder says that 80 percent of viruses love Windows 7, and that a Windows 7 machine without AV software on it gobbled up viruses like a fat kid gobbles up candy on Halloween. Now this was a bit of an unfair test, not installing AV software, but still, the "we're making Windows more secure" mantra has been going at MS for a while now, you'd think that this would be better.
As a note, here is the article that RoundTop mentioned.
If you received an email with content similar to the below:
On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
Another Lifehacker note is that AVG 9 Free Now Ready for Download. Though for the first time in years I'm not using AVG and am testing the new Microsoft suite. No word if this AVG release removes some of the annoying "you know you want the non-free version... come on...." popups when using the app.
I haven't seen much confirmation of this, but I'd be a hypocrite if I didn't point to a story where <screaming alarm voice>a Major bug in Snow Leopard deletes all user data</screaming alarm voice>. It appears to be centered around the guest account, and logging into it, then back into your account deletes all your data (if it's true, Steve Jobs deserves a spanking, cause that's bad), but might also have to do with the way you upgraded to Snow Leopard, upgrade vs fresh install or something. Read the article and watch for news about this, and maybe stop using the guest account until this is all worked out. And maybe switch back to a PC for a bit too....
According to Lifehacker, 10,000 Hotmail Passwords were Leaked Online. Time to a) change your password and b) check the site to see if yours is listed there.
Hey, what happened to one way hashes? Isn't that the way you're supposed to do passwords?
A sneaky inside source in the Microsoft world pointed me to uhm... well, already public information about Microsoft Security Essentials, which will be available to the public tomorrow, free of charge. MSE is Microsoft's integrated anti-malware, anti-virus solution, which I'm sure that McAfee, Symantec and friends are going to be happy with.
The original version was open to only 75,000 users, but if you knew where to look *cough*softpedia*cough* you could still find the download from the Microsoft site. Now they have announced that it is available now. No fees, no registration, no renewals, no nothing. OMFG, have they done this right? One might argue they should have done it sooner, shouldn't have done it at all, should just fixtheirdamnOSdammit, and the like, but a couple of people that I respect greatly in the security space (including Steve Gibson of the Security Now! podcast have given it a thumbs up (and if you know how paranoid Steve Gibson is, who just recently upgraded from Windows 2000 to XP... though that might take away some credibility :) ) that's quite the endorsement).
I've got this installed on my new Windows 7 install instead of AVG for the first time in years, and so far I can say it hasn't gotten in the way, has warned me of a couple of infected keyge... uhmm... files, and hasn't appeared to suck up too many system resources. I'm giving it a cautious "works for me" so far.
Anyway, Microsoft Security Essentials is out, free, and available for download now. Guess the next step is to wait for the reviews to come out and see what the other experts think of it.
Why you need balls of steel to operate a Tor exit node details some of the things that might happen if you run a Tor exit node. Now personally I'm glad that Tor exists and think that it is an essential part of society/internet/etc, even though some of it's uses are completely unsavory. Still, after reading this I have to applaud the people who do take on the responsibility.
Saw via slashdot that there's a Windows Vista/7 SMB2.0 Remote B.S.O.D.
Looks like you can send malformed SMB headers at a fully patched Vista/Windows 7 server and "poof", BSOD. I haven't tested this of course, but something to be aware of, I'm sure a patch for this will be coming out RSN.
The saving grace is that SMB2 is probably not going to be a) enabled on a server connected to the net or b) allowed into a corporate LAN from the outside. Still a danger though...
Torrent Freak points out that the copy of The Pirate Bay that was posted has been brought to life, and is up and running over at btarena.org. Or at least I think it is. Hard to tell. Anyway, the 21G of torrents are up and going and alive and well out in the wild.
If you're a digsby user, you may want to re-consider after reading this where lifehacker details some of what Digsby has done lately in terms of bundled crapware. Bummer.
Update: Digsby has posted a response.
Really interesting article over on Slashdot on SEncryption? What Encryption? and discussing how having an encryption program that you can be forced to give up the keys to (or arrested for refusing to) automatically puts you under suspicion, because if you do have some sort of program like TrueCrypt then you must have something to hide. The author goes through the pros and cons of a few different ways, and proposes some interesting ideas of ways for plausibly deniable encryption to become a little bit more mainstream and "normal", and therefor not as much of a red flag that you have evil anti-government subversive videos hidden on your hard drive.
Tom's Hardware scored an interview with the author of the iPhone SMS hack, where he explains what the issue was and how he exploited it.
Quick note that Mozilla has released Firefox 3.5.2, so if you don't see a "firefox has updated, restart now?" when you get into the office this morning, go to help -> check for updates to get yourself up to date and protected against a couple of security vulnerabilities.
Very interesting story about the raid and takedown of UWWWB by the FBI (I had never heard of them before this) from the point of view of the owner. An excerpt:
Here's what happened: March 12th, 2009, at about 5:AM in the morning, my home alarm system went off. I get up to see what’s going on, on maybe 3 hours of sleep, and my wife points out there are two people with flash lights in my back yard. Now, this may not be unusual for everyone, but I lived in a fairly nice home in Southlake Texas, the United States highest per-capita income city for 2008. A very nice community, virtually no crime, and excellent schools. That is to say, I did not live in a shack in the hood, this is nice suburbs, and not where the FBI usually does raids.
The sysadmin's best friend, nmap, just got a major version update. The Nmap 5.00 Release Notes have all the details.
I Started Something has video demonstration of a Windows 7 UAC code-injection vulnerability. Source code has been released as well.
Hopefully this will be fixed before the final release sometime in September. Hopefully no one argues that being able to change UAC options silently is a bad idea.
Slashdot notes that the venerable IT security tool L0phtCrack has released version 6. 64 bit support, better NTLM password hash handling, and support for rainbow tables are among the improvements.
Saw via Slashdot that Microsoft Update Quietly Installs Firefox Extension. Technically I'm sure it wasn't silent, and that somewhere buried in the small print it said it was going to do this, but still, that's no excuse. AVG does the same thing to show "safe links" in your google results, and I have the same opinion. Don't F-n do it. Or if you do, have it on a separate page of the install wizard, defaulting to no showing clearly what you're doing. Like Sun does for the google toolbar (or is it yahoo now?) when they do a java update. Well, without the default to No that is.
So if you're website is down (like our companies is) or you're wondering why half the internet is dark, this may be the reason :) Some people are reporting it's back, but with sporadic response from their DNS servers.
We're into the Pirate Bay Trial Day 8 and things are progressing, but not hugely so. Some choice pickings from the entry on torrentfreak:
Kennedy said he qualified as a lawyer since the 70’s but hasn’t practiced recently. He was asked if he understood BitTorrent. Kennedy said he did, but in “very vague terms.” When the defense lawyers asked more detailed questions, about uTorrent for instance, Kennedy said he’d heard of it but had no idea of the details. It was very clear he knew nothing about any remotely technical issues.
If you want to see the real nightmare for the prossecution, check out what happened on day 7:
When asked if he had any network equipment logging exactly what was going on ‘behind the scenes’ of any of his sample downloads, he replied that he didn’t. When asked if he verified in any way during the download process that he had any contact with The Pirate Bay’s tracker, again the answer was negative.
Then, Nilsson came out to say that he was sure that a majority of the content on The Pirate Bay was copyrighted. However, he had no evidence that supports this claim. The defense lawyers pressed him on this and he had to cave in, “I have no documentation as to the claim that most material is copyrighted. It is just an opinion,” Nilsson said.
Maybe the initial "all of vista's security rendered useless" may have been sensationalist, so says OSNews in their Look at a New Vista Security Bypass.
TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X and Linux just released version 5.0, including an OS/X version, a Linux graphical version, and lots of other goodies. Great work guys!
Here's a Wired article by security guru Bruce Schneier entitled Steal This Wi-Fi
I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.
My thoughts on this are twofold if I were to do this (and he has some good arguments on it): 1 - I'd want a 'no wireless' button so that anyone using my wireless is cut off when I'm playing games... nothing sucks like having a high ping for no reason all of a sudden and 2 - I'd probably want to DMZ the wireless so it is separated from the rest of my internal network. Having open wireless is very nice.... it annoys me if I'm wandering into some random building in downtown and want to check my email from my iPod and all the networks are encrypted and not using 'admin and password'. Of course, out in the boonies where I live I doubt there'd be a whole lot of "walk in" traffic as it were :)
Nice article on ars technica saying how you should use a blocklist or you will be tracked... 100% of the time if you're on P2P networks.
# If you don't use a blocklist, you will be tracked. Every one of the researchers' test clients that did not use a blocklist soon connected to an IP address found within those lists. It turns out that 12 to 17 percent of all IP addresses on the network belonged to these blocklisted ranges.
Chris Pirillo pointed out some software from BananaSecurity which uses a webcam to recognize your face, lock your computer when you're not there, and unlock it only when it recognizes your face again. Obviously there are some questions about this, like what if I'm wearing a hat, what if it's darker/lighter, how secure is the lock it puts on your computer, and what if I want to use the webcam? Course, it still interest me greatly as the laptop that work got for me has a built in webcam on it...
If you're one of the fine folks who downloaded the Safari public beta be careful, there is a 0 day exploit out already. Don't think this is in the wild, but definitely potentially dangerous due to bad handling of URI protocols. Hmm... page seems to be dead....
Here's a cool little extension for firefox that allows you to Encrypt and sign Gmail messages with FireGPG.
Now this is supercool! Via slashdot (discussion) comes a Windows firewall squeezes on a USB key. The "windows" part of is is a bit of a misnomer though, it's actually a firewall running linux as the core and a bunch of security applications on top of it, but currently it only works when plugged into a Windows host.
It sounds like the system grabs network traffic as it comes into the windows host, does the happy-happy firewalling stuff, then passes things back to the host. Linux and Mac drivers are planned.
Check the screenshots midway through the article too, very sexy graphs!
Hmm.... firewall on a small host, I wonder where I've heard of those before? :) If anyone remembers the cool project the dot-com I was part of that created the firecard, we did something similar, or at least, kinda similar. At the time we used RJ45 jacks (like Yoggie Systems' previous version) and we were on a PCI card instead of a USB key. OK, maybe not that similar then....
FireGPG Is a easy way to use GPG easily in GMail.
George Ou posts about Wireless LAN security myths that won’t die. A nice breakdown of what'll get you the most bang for the buck.
Slashdot announced that TrueCrypt 4.3 was Released. Fun new features are 32/64 bit Vista support, ability to load it onto mp3 players, and auto-dismount in addition to the fun stuff like hidden volumes, plausible deniability, "traveler mode", and other fun stuff. Check it out at http://www.truecrypt.org/
Lifehacker takes on a comparison of two of the major disk encryption systems available and puts them in a bloodthirsty cage match. OK, maybe not quite.... however, the OS Encryption Showdown: Vista's BitLocker vs. Mac's FileVault is a good primer as to what's available and the up and downsides. Read the article to see who wins!
I'm disappointed that Linux doesn't have an offering here. Actually, I'm disappointed Linux doesn't have a user friendly offering here. Linux has had disk encryption for a while now, it just hasn't had the friendly frontend that OS/X and Vista have put on it, and instead make the user resort to typing in cryptic commands like dd and cryptsetup and dealing with terms like 'loop-AES' and 'LUKS'.
Speaking of Vista, here's a link to a OS Security Features Chart over on Matasano Chargen's blog. Interesting, though I wonder how targeted this was at Vista. I'd like to see something similar for Linux (ie: grsec, selinux, and friends).
Imagine carrying a portable security suite with you wherever you go. Walk up to any computer, quickly scan it for viruses, and then defeat any internet access blocks to view any website you want anonymously. It’s here, and the DemocraKey 2.0 Lite let’s you have it on your iPod.
Another forgetfoo post is a link to Neomeme on Generating the Perfect Password. How about "ppearsfweocrtd" ?
Definately an interesting idea, and anything that encourages users to have better passwords and better security makes everyone happier!
Darren pointed me to an article on Lifehacker on setting up Hamachi, what looks like a nice and quick VPN tool. Not exactly the industry strength stuff you would want to connect your satallite offices (for that you'd probably go openvpn or freeswan), but for getting into friends machines for maintenance, or a quick an dirty connection to surf pr0n from home from work it sounds like the way to go. Win/Linux/Mac as well which is nice.
Found a good tutorial on how to Encrypt devices using dm-crypt and LUKS.
If you've been hit by the ugly virus that encrypts all the files on your hard drives and then extorts you for cash, you're lucky. The article states that the virus has been cracked and that the password you need is: "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw".
Fun times :)
I know I rag on Microsoft, and Windows security, but at least there are those out there doing something about it. My ex-boss, ex-coworker and good friend Dana has just released version 1.1 of Firewall Dashboard. New features include:
Update ... ok, implemented more strict helo rules for the site... ie: you can't use 'helo ufies.org' when connecting to my mailserver unless you're legitimately ufies.org. Here's hoping...
For the stable distribution (woody) these problems have been fixed in version 1.2.5-8woody3.
For the unstable distribution (sid) these problems have been fixed in version 1.4.4-pl4-1.
We recommend that you upgrade your gallery package.
I'd assume all ya'll have already updated this, but if you're in debian, make sure you do your apt-get updates early and often!
I've blogged about the problems I've had with this. So subtle hint to all of you guys with MT3 on the UFies.org server, please upgrade :)
I guess the problem is that no matter who does the reporting and comparing they'll have some link to something, or someone will dig up that sometime around 1992 someone in the organization mentioned that "this microsoft thing is kinda cool" and therefor is biased, or they have a linux server so they can't possibly report fairly.
It's also the right tool as Dana is constantly saying, but there are definately crossovers in between linux and windows as far as the tools that are available for both. Anyway, recommended reading of course, and the /. discussion I'm sure will be full of intelligent and calm discussion :)
The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired by the SpamAssassin program, which detects spam by applying a set of tests to every email message and counting a sum of point score generated by each test. My IDS system applies a set of tests to every running process in the OS and counts its score generated by the tests. Therefore, the purpose of the IDS is not to monitor the network traffic, but rather to monitor the process activity.
Maybe this is the sort of thing that they need to NOT do to increase shareholder value.
Ah, they link to a server that stops serving the images/files after you decide. Stupid and lame, figured so.
These guidelines are, by necessity, broad. Software creation and distribution are complex and the technology is continuously evolving. As a result, some useful applications may not comply entirely with these principles and some deceptive practices may not be addressed here. This document is only a start, and focuses on the areas of Internet software and advertising. These guidelines need to be continually updated to keep pace with ever-changing technology.
s more effectively, than on a Linux system where the web server is running "far removed from the OS." I am no security expert but if you tried to sell your web server to the Linux community on the basis that it "works in kernel space instead of user space!" you would be laughed out of the room, and possibly the state.It's a good read, both to take stock of your own misconceptions as well as to get some ammo when talking to people who insist that "X is better than Y for Z".
This has always been one of the problems with examining security between Windows and Linux (or any different OS)... high profile or low profile, root exploits, local, remote, etc all come into play, and you rarely see a comparision where all these factors are taken into account.
My way of looking at it is how comfortable would I be putting a box of either type connected directly to the internet without a (separate) firewall? Hint. Not windows :)
I'm convinced that you have to be on some really good drugs to reach these conclusions.
body_checks = regexp:/etc/postfix/body_checkswith the body_checks file being something like what is posted in the link. In theory it should work :)
Anyone know of a good integrated virus checker for postfix like qmail has?
I've added some body_checks onto the ufies.org mail mail system and it's catching stuff already, which is good. If you're losing mail let me know though :)
Some good procmail magic is also available here.
Sadly, they probably won't, and will go in with all their resources, marketting, bloggers and programmers and probably squeeze some of the security vendors out of the market (ie: zonealarm) as they try to sell us on the "no, you can trust us this time" marketting hype that's no doubt coming.
As Dana noted they have a chance with Longhorn to prove they can create a secure OS. It'll be here in 2006 (or later), so you can see that as either a huge opportunity for security products and/or alternative OSs to jump in, or sad because the people that are being hit by viruses and worms aren't the sort of people that do anything to their OS from the time they buy their new computer (ie: the stereotypical mom, dad, granny and grampa).
What makes this even funnier to me is that not that long ago I read someone comment on a blog somewhere (might have been on scoble) saying that exchange was "invaluable" to them. People run exchange on purpose? Why? Anyway, I resisted responding at the time. Guess this is a good response though :)
The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.