ibneko: (Default)
Official news post here:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

General rundown of exactly _what_ is being affected:
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

Discussion forums of patches and such:
http://www.ruby-forum.com/topic/157034

Now, my question to you guys, is... has anyone patched their copy of ruby? Anyone have any pointers on patching/upgrading ruby on a production site? My partner, the one who set everything up, is off on his honeymoon and can't be reached. The wannabe security professional side of me understands what the vulnerabilities mean and would very much like to patch and upgrade ruby. But from what I've read on the discussion forum, the releases are said to break stuff, which would be Very Bad™ for a live site.

Looks like we're running:
"Ubuntu 7.10" codename gutsy
ruby 1.8.6 (2007-06-07 patchlevel 36) [x86_64-linux]

crossposted to the ruby_lang, rails_dev community...

(This news is now about 5 days old...)
ibneko: (Default)
http://www.eff.org/action/bordersearch

There's links that'll help you send a generic e-mail to your local congressperson, and/or help you locate their phone number.

So go, e-mail. Help keep our deep dark secrets private.
ibneko: (Default)
...and encrypting+hiding data too large to store online.

Now that US customs agents have unfettered access to laptops and other electronic devices at borders, a coalition of travel groups, civil liberties advocates and technologists is calling on Congress to rein in the Department of Homeland Security's search and seizure practices. They're also providing practical advice on how to prevent trade secrets and other sensitive data from being breached.
In a letter dated Thursday, the group, which includes the Electronic Frontier Foundation (EFF), the American Civil Liberties Union and the Business Travel Coalition, called on the House Committee on Homeland Security to ensure searches aren't arbitrary or overly invasive. They also urged the passage of legislation outlawing abusive searches.

The letter comes 10 days after a US appeals court ruled Customs and Border Protection (CBP) agents have the right to rummage through electronic devices even if they have no reason to suspect the hardware holds illegal contents. Not only are they free to view the files during passage; they are also permitted to copy the entire contents of a device. There are no stated policies about what can and can't be done with the data.

-http://www.theregister.co.uk/2008/05/01/electronic_searches_at_us_borders/

I need to get TrueCrypt working. But I've heard some questionable, "things will crash and data will get lost" things about the initial mac release.

TrueCrypt, from what I've read, is supposed to let you encrypt things as well as hide them in harmless looking files. Pain in the ass though... At least I don't think I'm crossing the border anytime soon...
ibneko: (Default)
http://www.theregister.co.uk/2007/12/12/hp_laptop_vuln/

Apparently, due to stupidity on the part of HP*, your machine can get hijacked if you visit a malicious website.

*requires HP Info Center to be installed.

---
http://www.merriam-webster.com/info/07words.htm
Also, w00t has been named the word of the year. Oh dear.

--
http://www.improveverywhere.com/2007/12/12/save-the-date-no-pants-2008/
Lastly, if you're in New York *coughdaphucough*, you should check out no-pants day, 2008. :D
ibneko: (Default)
First: IT Security Warfare. A rather interesting read, at least for me.
http://mcwresearch.com/archives/496

Second: a presentation at the AAAS. Someday, I'll have the self-esteem and guys to stand up in front of a crowd and do that.
http://www.youtube.com/watch?v=yL_-1d9OSdk (via [livejournal.com profile] porsupah)

Third, from the interesting Geeketiquette blog, comes the Dresscodes: Geek vs. Non-Geek. Some of it is true, I suppose.
http://geeketiquette.com/archives/2007/06/27/dresscodes-geek-vs-non-geek/
(but potentially worth noting, if you're a geek like I am, and fail to pick up on normal social cues...)

Lastly, via metaquotes (and [livejournal.com profile] porsupah): the interaction between Christianity and Islam, if they're both kids....
http://community.livejournal.com/metaquotes/6156094.html?thread=113259582

And an odd mishmash of links that I need to visit/do/screw/whatnot:
OpenVPN, when on public, unsecured Wifi (project temporarily on hold; uiuc provides vpn that covers everything I need):
http://blog.2blocksaway.com/2006/12/11/building-a-cheap-secure-wireless-wlan-infrastructure-with-openvpn-and-linux-an-advanced-tutorial-of-openvpn/3/
http://openvpn.net/download_action.php?openvpn-2.0.9.zip
http://wiki.cacert.org/wiki/openVPN

Rails! Ruby! Arrrr?:
http://summerofrails.org/

Security:
http://www.priamos-project.com/
http://www.remote-exploit.org/backtrack.html
http://garrett.reid.org/backtrack/ (and why I need a MacBook /Pro)
http://insecurewebapp.sourceforge.net/main/index.html (download and try)

Wifi cracking:
http://kismac.de/_trac/wiki/DWL-G122 (need to locate and buy...?)

Japanese:
http://lrnj.com/ (learning japanese with RPG... something?)

Origami (via... [livejournal.com profile] kimoi):
http://www.geocities.com/foldingca/butterflyball.html
ibneko: (Default)
http://darwin.servehttp.com/cgi-bin/hash.pl

About this:
The original concept that spawned this can be found at http://www.nth-dimension.org.uk/utils/ghash.php. I wrote this up to see if it would actually work... And it would be more convenient than having to download a 50+ GB rainbow table from here (or here).

Ideally, you'd be using this to recover a forgotten password. But it could also be used for less ethical/illegal purposes. Knowledge is power. With power comes responsibility. Use this tool wisely. What you do with knowledge is up to you; I take no responsibility for your actions.


The list of characters that I support: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'><,.?/
(configuration 6 of the antsight.com rainbowcrack tables)

Here's the hash for password: http://darwin.servehttp.com/cgi-bin/hash.pl?show=md5&word=password (=> 5f4dcc3b5aa765d61d8327deb882cf99 =^.^=)

Now here's the question: How long will it take Google before they crawl the entire thing? :D Currently, it's set to 16 max characters, although I probably should have set it to 8. Here's to hoping Google doesn't crawl depth-first...

Other MD5 tools:
http://us.md5.crysm.net/ (MD5 reverse lookup: I think they run their own database...)

[edit] Here's the source code, for anyone who might be interested. It's licensed under GPL, although quote honestly, I don't think I fully grasp the concept of GPL. They need an easier-to-understand license XP Or provide a "common language" equivalent, similar to the nice Creative Commons license. But if you decide to run the code elsewhere, do drop me a line - I'd be interested.

[edit 2] Looks like here's another one with a similar idea. Except they hash all of the options and don't cover as many letters as I do. I wonder if it's more effective...?

Ah, it looks like while Google has crawled them, there's a limit to how much Google will crawl. Like the reverse.me.uk site only retrieves 49 search results. While a site like apple.com will retrieve 45K results.

Why is that? Does Google check for unique looking pages? o.O I wish I knew what algorithm Google was using, and how to maybe get past that. Maybe I should add random password generators at the bottom of the script, so Google will randomly jump to deeper hashes? Maybe? o.O

[edit 3] And here's another one. Again, Google doesn't find anything after the first few letters. Interesting..

Ingenious~

Jun. 23rd, 2007 10:52 am
ibneko: (Default)
Instead of downloading a bigass rainbow table, now, maybe if this works, you can just google your MD5 hash.

http://www.nth-dimension.org.uk/utils/ghash.php
(they should add SHA-1! maybe? o.O And the other ways of encrypting passwords...)

Although it'd be more interesting if they actually created a wordlist with configuration 6*. And put that online. Looks like they're just doing a wordlist.

*see: http://www.antsight.com/zsl/rainbowcrack/ (rainbow tables - 64 GB XD)

They do note that it would take several years for just one computer to calculate that entire table... but for the Google Hash site, they calculate the number on the fly... so they would only have to generate (and store?) the original keys... not too bad?

(Hmmm.. I wonder if there's some way to trick Google into calculating the MD5 hases for us...)

[edit] No, there's another way to do this. Essentially, provide a list of characters - clicking on a character will add that to the current string that we hash. So it's kinda recursive...

I'll build an example this afternoon, when I finish lunch. This should be interesting. The only limit now, is how deep Google will crawl? And if Google crawls depth-first or breadth-first? And how much data would Google be willing to store from a simple site?

Hashes I want to do: maybe we'll start with MD5 first. Then SHA? And the windows password hashing method?

And a final question: Is this unethical? Because technically, the only real use for the last one would be to crack passwords... And I can't really think of any reason why you might need the other ones. Although I must say, I'm rather fond of the idea of creating information and making it searchable. I am a creature of information. Hear me roar? o.O Mew.
ibneko: (Default)
http://www.sonicwall.com/phishing/index.html

Try it out. It's a test to see how well you can spot phishing* e-mails.

*phishing e-mails = an attempt to "fish" for information by sending a realistic-looking e-mail, and linking you to a site that looking similar to the real thing, where you'll be tricked into giving up your personal information.

-

Sadly, I didn't pay as much attention as I should have, and ended up with only a 7/10. >.<;;
ibneko: (Default)
You were issued 150 points and you now have 150 points in total.

You now have over 100 points and can start assuring others.


=^^=v

Spiffy. For the record, I got the papers signed by a public notary over spring break, on the 23rd of March. They were mailed off to Australia (yep, Australia!) on the 26th. So that was about a two-week turnaround time. Whee!
ibneko: (Default)
I managed to make a CSR (Certificate Signing Request), pass that onto CACert, and install the certificate onto my server. =^^=v

Mostly, I think it was this table that I was lacking previously:

DN Field



Explanation



Example


Common Name The fully qualified domain
name for your web server. This must be an exact match.
If you intend to secure the
URL https://www.yourdomain.com, then your CSR's common name must be
www.yourdomain.com.
Organization The exact legal name of your
organization. Do not abbreviate your organization name.
RapidSSL.com
Organization Unit Section of the organization
Marketing
City or Locality The city where your organization
is legally located.
Wellesley Hills
State or Province The state or province where
your organization is legally located. Can not be abbreviated.
Massachusetts
Country The two-letter ISO abbreviation
for your country.
US


--
In other news, I wish I could stay up all night and all day. Not sleeping would be so nice sometimes.
ibneko: (Default)
If you know the password because you've changed it from the default, you're fine.

Otherwise, there's a new attack - Attackers use Javascript in your browser to change your router settings, so trying to access the banks online will redirect you to their site. There, they can steal your information when you enter it.

The well written analogy is:
I’ll start with a high-level real-world analogy of this attack. Imagine that whenever you wanted to go to your bank, you picked up your phone directory, looked up the bank’s address, and then went there. Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book to get your bank’s address, it’ll actually give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank. When you do business with this fake bank, you’ll give up all your sensitive bank account information. However, you’ll never realize that you were at a fake bank since you trusted the address that you got from what you thought was your legitimate telephone book.

http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
(they also have a nice flash video that provides a graphical idea of how it works.)

No clue what I'm talking about? If you connect to the internet by way of a router (regardless of wired or wireless), you can check by following the following steps:
1. Access your router. Chances are, one of the following links will work:
http://192.168.0.1
http://192.168.1.1

2. If a username/password thing pops up, good. Try the following:
Netgear:
Username: admin
Password: password

Username: admin
Password: 1234

(username may be "Admin")

D-link:
Username: admin
Password: empty

Linksys:
Username: empty
Password: admin

3. Now change the password.
Netgear:
Navigate to Maintenance > Set Password. (Netgear support page)

D-link:
Navigate to Tools, then Admin (D-link support page)

Linksys:
Either click on "Administration", or "Password" (Linksys support page)

--
Other username/password combinations I've run across are:
admin/admin
admin/setup
admin/pass
admin/none

If step 2 fails, follow the instructions here to figure out where you need to go.
ibneko: (Default)
Yay, there's a newspaper article in the Washington Post suggesting that stupid cellphone companies shouldn't lock down their phones:
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/08/AR2007020802169.html

There's some (IMO) stupid counterarguements about competition and stuff. Granted, I just skimmed and haven't really read, so I may have skipped over something that I shouldn't have skipped.

Remote-Exploit.org, the people who supply BackTrack, a Linux Live Distro focused on penetration testing, apparently has security courses online. I need to take those.

http://www.remote-exploit.org/courses.html

And via Mark R., pretty wallpapers! http://interfacelift.com/wallpaper/index.php?sort=date

Sunsets are pretty...

--
5 page paper completed in 6-ish hours. Not... too bad? Proofread. Due in 5 hours. Whee. Time for bed.
ibneko: (Default)
Month of Apple Bugs!
http://projects.info-pull.com/moab/

And a person who has announced he would try to create patches for vulnerabilities as they come out:
http://landonf.bikemonkey.org/code/macosx/

So much to learn, so little time!
ibneko: (Default)
http://psiphon.civisec.org/ - the way to get through web blocking in other countries.

http://ibneko.livejournal.com/582793.html - original post on the thing.

Server is now up and running. Painless install, although router had to be configured, so it's still not exactly a user-friendly thing.

(Todo: Write a script that will attempt to set up routers. That would be spiffy. Good javascript project?)

Should be reachable at https://hikari.servehttp.com:440/hikari/ (Up and running. Certificate is selfgenerated, so uh, connection is secured in the idea that there's encryption. But there's no guarrentee that the server you're reaching is actually me.)

Username and Password creation upon request. Currently friends and friends-of-friends only. As in, if I know you on LJ, comment with a desired username, and I'll make an account for you and send you the password.

[edit] Ok, it works. There's no https support (aka, can't check gmail e-mail, can't visit sites that require secure http). But since I can't hide it so it only shows up in the system bar, I'm not going to be running it unless someone actually needs the thing.
ibneko: (Default)
Airport security chiefs and efficiency geeks will be able to keep close tabs on airport passengers by tagging them with a high powered radio chip developed at the University of Central London...
...People will be told to wear radio tags round their necks when they get to the airport. The tag would notify a computer system of their identity and whereabouts. The system would then track their activities in the airport using a network of high definition cameras...

[source:http://www.theregister.com/2006/10/12/airport_rfid/]

I'm not the only one disturbed by this, right?

Right, so ways around this:
-Swapping tags with other people in bathrooms
-->can be countered by adding restrictions: you're supposed to be flying out of this gate, then you have to exit via this gate with your own tag.

-Ditching your tag to do Bad Things™ like bombs, etc.
-Making your tag broadcast someone else's signal.
-Making your tag broadcast a scrambled or random signal.
-->Object counting software - we see people in area, but there's a person missing a tag
or /duplicate tags/unissued tag id being returned. Flag security and notify them. This is much harder, and requires a shitload of processing power, but it's doable.
ibneko: (Default)
USB Missile Launcher - by way of The Register:
http://www.iwantoneofthose.com/search.do?productCode=mislau

::snickers:: so silly. I want one.

---
MoBB - Month of Browser Bugs, as announced by MD Moore, "the co-founder of the Metasploit Framework", releasing one new browser hack every day for the entire month of July. News via this article: http://www.eweek.com/article2/0,1895,1985027,00.asp?kc=ewnws070606dtx1k0000599

Blog here: http://browserfun.blogspot.com/

--
This is interesting: Hamachi - a zero-config VPN networking enabler. As in, it makes use of a third party mediator to get past firewalls, and from there on, data goes directly between the two machines...? (according to it's website, anyhow)

"Once you have computers hooked up via Hamachi, they will be tricked into thinking that they are on the same local area network (LAN). This leads to a number of wonderful things, some of which are obvious and some are not. "

Thus far, there's windows, linux, and MacOS X versions out.
ibneko: (Default)
via [livejournal.com profile] fbartho: http://www.oreillynet.com/pub/a/mac/2003/01/20/mail.html?page=1

It covers mail encryption and/or digital signing.

The link is actually a bit out of date though, but the process is pretty painless. Just head over here:
https://www.thawte.com/secure-email/personal-email-certificates/index.html
And then click on "Join".
You'll go through a process of e-mail verification, then information gathering (not that much personal stuff, but you'll need to give them 5 questions for later verification, should you lose/forget your password). Note that they don't gather a phone number, so you _should_ go back and add that in afterwards, so they can call you for lost-password retrieval.

Once that's complete, request a certificate, and if you're running in Safari and using Mail, it's very easy. As soon as your certificate is ready, they'll send you an e-mail. Click the "Fetch" button, and it'll download (an .exe file, yes, I know. Just click "Download"). Keychain Access will pop open. Select "Keys", and you should see a "Key from www.thawte.com". Double-click on the private key, and select the "Access Control" tab, then change it to "Confirm before allowing access" and check the "Ask for Keychain password". This way, if you lose control of your computer, people can't just sign e-mails with your key, without your keychain password. Which... should be ok, unless people get control of your keychain password.

Eh, well, so the last bit is actually up to you. Once it downloads, you're all set to send e-mails.

Mail me. :) I'm at ben.juang //at// comcast.net.
ibneko: (Default)
I need to update LiveJournal on my iBook and play around with it.. it's been a while since I've played with my installation. 'course, it's rather boring when there's no one else in it.. kinda like playing God without little critters to poke at and ask for opinions.

I should install some other blogging tools. Done it before, but meh.

Need to install Tripwire, Snort, and Nesses. Maybe Linux as well, on my Desktop box here.

Oh, and while I'm on security, this is pretty sad:
DHS Gets Another F in Computer Security

DHS, if you don't know, is our lovely "Department of Homeland Security". Somehow, I get the vaguest feeling that they just sorta sit there and get paid to look pretty.

"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified."
:: sighs:: This is why, while I'm interested in security, I'm not too enthusiastic about working in the sector. Well, that, and there is SO MUCH I still need to learn.
ibneko: (Default)
Secunia (security-bug-whatnot site that I follow) has released a Vulnerability test for the Safari command execution exploit.

http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The current available solution:
Solution:
The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.

--
Or use firefox. Maybe. I dunno. Will test that... maybe much later.

Expand Cut Tags

No cut tags

Profile

ibneko: (Default)
ibneko

Syndicate

RSS Atom

Most Popular Tags

Style Credit

Page generated May. 23rd, 2017 10:43 pm
Powered by Dreamwidth Studios
November 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 2016