Thursday, January 31, 2013

PSA Security & Hacking: UPnP (Universal Plug and Play) Vulnerability



Security Now 389 "Unplug UPnP", with links to audio downloads etc.: http://twit.tv/show/security-now/389

[Edited to Add: Steve Gibson has a UPnP exposure test in ShieldsUP now! Thanks Steve!! https://twitter.com/SGgrc/status/297165652257554432]

CERT Note http://www.kb.cert.org/vuls/id/922681

US CERT "Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices. Information is also available in CERT Vulnerability Note VU#922681.

US-CERT recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities.

US-CERT recommends that users and administrators review CERT Vulnerability Note VU#922681, disable UPnP (if possible), and restrict access to SSDP (1900/udp) and Simple Object Access Protocol (SOAP) services from untrusted networks such as the Internet." ~http://www.us-cert.gov/current/

Steve Gibson provides details on this issue in the episode above, where he also notes that he is going to add the capability to test for this vulnerability to his ShieldsUP service.

ShieldsUP http://www.grc.com/x/ne.dll?rh1dkyd2

The problem with this is that even if you disable UPnP on your router, it may still be enabled on the WAN (Internet) side.

Until Gibson gets this functionality added to ShieldsUP, I am not sure how most people could scan for it to be sure it is disabled on their routers.

Hard-core nerds with the correct tools could pen test individual routers, but I am not aware of any practical way to test for people who don't have the skill set and tools for pen testing.

AFAIK the Rapid7 tool isn't stable/reliable, at least it wasn't yesterday for many people; it may have been patched since then, but I am not comfortable recommending it at this time.

I wouldn't trust a vulnerability list from any manufacturer on this, because it is a very bad case of stupid to have in the first place.

I haven't had enough time to find out if Tomato http://en.wikibooks.org/wiki/Tomato_Firmware#Supported_devices or DD-WRT http://www.dd-wrt.com/site/index provide a guaranteed fix for this yet.



iOS 6.1 Update & Problems

There are critical Security Patches in iOS 6.1, so I strongly recommend updating to it if your iOS device is supported.

See http://support.apple.com/kb/HT5642 for more on the Security issues addressed.

There are a couple of problems being reported with iOS 6.1 for iPhone 5 and iPod Touch 5th generation (current late 2012 release Touch).
 
Some iPhone 5 owners are having problems with LTE after updating to iOS 6.1

See http://support.apple.com/kb/HT5642 for more information and possible solution for LTE problems with iOS 6.1 on iPhone 5

A solution that seems to work for some people is to reset network settings: Settings --> General --> Reset --> Reset Network Settings.


5th Gen iPod Touch owners are reporting some problems with iOS 6.1; they are getting an "Unable to Verify Update" error message.

The error claims there is no net connection, even with a good signal, or for some people even when connected via cable to a PC/Mac.

One possible solution or workaround, as well as more details, is at https://discussions.apple.com/thread/4751554?tstart=0

Possible solution, posted by oneGodguitarist, from link above:

"It took me a while but I finally got it to update.  I did a couple of things.  I reloaded itunes as "repair" just to make sure that nothing was missing.  The thing that really worked was that I tried connecting my device to another laptop with itunes.  It updated on there but to factory settings.  Then, I was able to go back to the main computer and reconnect and restore."



Wednesday, January 30, 2013

Starcraft 2 HOTS Unit Information & More

http://wiki.teamliquid.net/starcraft2/Heart_of_the_Swarm

I think this has been up about a month or so; if you spot any errors and can't edit the wiki yourself, post them in the comments.

I know people that can edit on Liquidpedia, and will try to pass info on to them.


Tuesday, January 29, 2013

Security & Hacking: Java with Swiss Cheese Security

This has been all over the Net, and not like anyone was really expecting Java to become truly secure I suppose, but this does seem very bad, so I am going to start calling it Swiss Cheese Security, SCS for short, since it is so full of holes.

Various links on *known* security holes from the last week or so; I am sure there are many more, known and unknown:

Saturday, January 26, 2013

DC LAN #11

[Sorry I am so late with this, event is still going as I finally get this posted, probably 2 or more hours left].


The 11th Washington D.C. LAN event, with $250+ in SC2 tournament prizes and $150+ in BW tournament prizes! Thread: http://www.teamliquid.net/forum/viewmessage.php?topic_id=391066

When: 02:00 KST/Sat 18:00 CET/Sat 12:00 EST/Sat 09:00 PST

Stream: http://www.twitch.tv/therealnanman

Caster: TheRealNanMan

New Budget Line of Macs ^_^

http://osxdaily.com/2013/01/25/check-out-this-awesome-lego-rendition-of-the-original-macintosh/

To be clear, this is humor, I am not claiming these are real Macs!

I thought it was a cool use of Legos though.

Friday, January 25, 2013

HwangSin is streaming

Though I am not sure for how long, I think he has been up all night.

Either that or he got up real early.

Stream: http://www.twitch.tv/hwangsin/

Wednesday, January 23, 2013

Security & Hacking: "Multiple Vulnerabilities in Cisco Wireless LAN Controllers"

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130123-wlc

Cut & Paste from above link:

"Summary

The Cisco Wireless LAN Controller (Cisco WLC) product family is affected by the following four vulnerabilities:
  • Cisco Wireless LAN Controllers Wireless Intrusion Prevention System (wIPS) Denial of Service Vulnerability
  • Cisco Wireless LAN Controllers Session Initiation Protocol Denial of Service Vulnerability
  • Cisco Wireless LAN Controllers HTTP Profiling Remote Code Execution Vulnerability
  • Cisco Wireless LAN Controllers SNMP Unauthorized Access Vulnerability

 

Vulnerable Products

For specific version information, refer to the Software Versions and Fixes section of this advisory.
Each of the following products is affected by at least one of the vulnerabilities covered in this security advisory:
  • Cisco 2000 Series WLC
  • Cisco 2100 Series WLC
  • Cisco 2500 Series WLC
  • Cisco 4100 Series WLC
  • Cisco 4400 Series WLC
  • Cisco 5500 Series WLC
  • Cisco 7500 Series WLC
  • Cisco 8500 Series WLC
  • Cisco 500 Series Wireless Express Mobility Controllers
  • Cisco Wireless Services Module (Cisco WiSM)
  • Cisco Wireless Services Module version 2 (Cisco WiSM version 2)
  • Cisco NME-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco Catalyst 3750G Integrated WLCs
  • Cisco Flex 7500 Series Cloud Controller
  • Cisco Virtual Wireless Controller
  • Cisco Wireless Controller Software for Integrated Services Module 300 and Cisco Services-Ready Engine 700, 710, 900, and 910"

Security & Hacking: Project Ophelia PC on USB Stick

Official links http://content.dell.com/us/en/corp/d/secure/2013-01-08-dell-wyse-ultra-compact-cloud-client.aspx or http://www.wyse.com/about/press/release/2377

Articles:
http://arstechnica.com/information-technology/2013/01/is-dell-looking-to-kill-pcs-with-project-ophelia/
http://www.computerworld.com/s/article/9236035/A_new_computer_that_defies_category
http://www.infoworld.com/t/thin-clients/meet-ophelia-dells-50-plug-in-cloud-based-pc-challenger-211031

I am not sure if this makes sense for business or not; it is intended as a thin client, http://en.wikipedia.org/wiki/Thin_client. There are pros and cons to that approach, which is the way real old-school computers were used.

[Personally I think a dispersed mesh network of powerful but very small devices is the more likely future of computing, but that is topic for another day.]

Project Ophelia has a lot of applications for Pen Testing or Hacking though IMO. 

You might need to hack the device a bit, but note that while it uses Android to start with, they are planning to offer it with various OSs, if I understand correctly.

According to some of the news articles, they are aiming at a $50 price, so it would be cheap.

According to the ComputerWorld article (though not sure where they got the info, CES maybe?) specs are as follows:  "The device will run Android OS Jelly Bean, have 8GB of memory to support applications, music, video and presentations, and a microSD slot up to 32GB of storage."

Tuesday, January 22, 2013

Monday, January 21, 2013

PSA Wikipedia downtime & disruptions with Server Migration likely

Wikimedia sites to move to primary data center in Ashburn, Virginia

Tuesday, Jan 22 through Thursday, Jan 24, 2013 is the current planned time frame.

Source http://blog.wikimedia.org/2013/01/19/wikimedia-sites-move-to-primary-data-center-in-ashburn-virginia/:

"Engineering teams have been preparing for the migration to minimize inconvenience to our users, but major service disruption is still expected during the transition. Our sites will be in read-only mode for some time, and may be intermittently inaccessible. Users are advised to be patient during those interruptions, and share information in case of continued outage or loss of functionality.
The current target windows for the migration are January 22nd, 23rd and 24th, 2013, from 17:00 to 01:00 UTC (see other timezones on timeanddate.com)."

This makes me wish I already had Wikipedia downloaded for offline access; it is on my to-do list, and I have blogged about it before: http://cliffsesportcorner.blogspot.com/2012/09/random-wikipedia-of-day.html.

Link to Download page http://en.wikipedia.org/wiki/Wikipedia:Database_download

Security & Hacking: Red October Whitepaper from AlienvaultLabs & Kaspersky

Red October malware "Indicators of Compromise" Whitepaper (PDF) http://labs.alienvault.com/labs/wp-content/uploads/2013/01/RedOctober-Indicatorsofcompromise-2.pdf

Open IOC file https://github.com/jaimeblasco/AlienvaultLabs/blob/master/malware_analysis/RedOctober/48290d24-834c-4097-abc5-4f22d3bd8f3c.ioc

Via http://labs.alienvault.com/labs/index.php/2013/red-october-indicators-of-compromise-and-mitigation-data/

Security & Hacking: "...not just the Big Guys at risk"

Sophos' Naked Security article "Boutique babycare website hack - not just the Big Guys at risk" link http://nakedsecurity.sophos.com/2013/01/21/boutique-babycare-website-hack/

The article is mainly about @JokerCracker (https://twitter.com/JokerCracker) hacking a babycare website.

[Personal comment: I really think hacking a child or baby care site publicly is about as bad as being a pedophile, and have to wonder about the motivation for doing so. I plan to cover ethics & morality eventually on this blog, as it relates to Security & Hacking issues.]


Of course the passwords were not encrypted.

They suggest not using services that you suspect don't follow best practices, which is nice-sounding advice, but not very practical for many people in real-world situations.

Generally speaking, there is no real way to know, without doing Pen Testing, if a site has good, bad, or fair security.

Unless it is REALLY bad, like not using HTTPS for logins & such, which I have personally experienced.

Before I started this blog, I was putting a lot of effort into Book reviewing, since I am a writer and a book worm.

While exploring ways to get frequent ARCs (Advance Reader Copies, which are copies of a book printed before it is published, like getting hands on new hardware or software before it is released to the public; a legitimate way to do reviews before the book is published), I found a specific company that I was really interested in working with that didn't use HTTPS on their site.

They required an SSN & other PII to apply to the ARC program; the PII was more or less needed, but they were clearly not handling the data properly.

I sent an email to them about the issue, and from their response it was clear they were so clueless about best practices that there was no point in trying to educate them until they get hacked.

There is a saying, something like "Fools never learn, most people learn the hard way, and wise people learn from others mistakes."






Sunday, January 20, 2013

Security & Hacking: Malware & US Power Plants

Summation by Reuters http://in.reuters.com/article/2013/01/16/cyber-security-powerplants-virus-idINDEE90F0H720130116 of this ICS CERT Monthly Monitor (PDF) http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Oct-Dec2012.pdf

I strongly suggest reading the PDF if you want to learn or understand the issue.

One of the things I noted on my first read of the PDF was that not only was the one plant hit by malware, but two of their workstations that were critical to the operation of the plant had no backups, or even backup components on site.

This hints at the rather large scope of the problem for improving ICS security.

I don't have a background in ICS or Power Plants, my experience is more in physical security, but the impression I got from the ICS CERT Monthly Monitor was that many (most?) of these plants are used to winging things.

They are used to enough slack, or excess capacity, in the system or grid as a whole, that they haven't had to meet the type of uptime requirements many in IT fields take for granted.

If I understood correctly, a simple HDD or power supply failure of one of the critical workstations could have deadlined the whole plant for an indefinite period.

Further Resources from US CERT Control Systems Security Program (CSSP):

Security & Hacking: Java exploit Number ∞

http://nakedsecurity.sophos.com/2013/01/20/java-hacker-boasts-of-finding-two-more-unpatched-holes/

http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

It seems like you can find new/more Java exploits a lot faster than they can be patched, so if you're concerned about security, stop using Java in browsers!

Of course, if you want to make sure blackhat hackers don't starve, keep using it. </sarcasm>

Nerd News: NASA's Inflatable Module for ISS

http://www.nasa.gov/mission_pages/station/news/beam_feature.html
http://www.space.com/19290-private-inflatable-space-station-bigelow.html
http://www.gizmag.com/bigelow-beam-iss-nasa-contract/25877/

For more on Whipple Shields see http://ares.jsc.nasa.gov/ares/hvit/basic.cfm, http://ares.jsc.nasa.gov/ares/hvit/sd.cfm or http://en.wikipedia.org/wiki/Whipple_shield

I am really interested in this inflatable module; eventually we might be able to have entire space stations or space ships made this way, or with most of the structure made this way, which could really lower the weight.

Weight is a big problem for getting things to orbit from the Earth's surface; the gravity well is useful in day-to-day life, but it is a real PITA for getting into space.

For more on orbital costs see http://home.earthlink.net/~kstengel226/astro/cost2orbit.html also http://en.wikipedia.org/wiki/Comparison_of_orbital_launch_systems

WhiteRa vs aG'Fuzer Bo7

Awesome Gaming would like to bring a show with a best of 7 (seven) between aG'Fuzer and White-Ra, with the winner taking $150 

Stream: http://www.twitch.tv/awesomegaminglive/

Casters: Cyniko & BelleNoir (Skype @CnikoSC & @BelleNoirTV)


Links:

Friday, January 18, 2013

PSA Security & Hacking: Shylock Banking Trojan now spreading via Skype

Primary source https://www.csis.dk/en/csis/blog/3811

As someone that is computer security conscious, I avoid online banking completely.

For friends, family, & others that insist on online banking I suggest either of the following:

  • Use a Live CD; Brian Krebs has excellent articles on how to do this http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/ or http://krebsonsecurity.com/banking-on-a-live-cd/
  • Use a recent iOS device, iPhone 4S or newer, iPad 2 or newer, iPod Touch 5th generation or newer.  There are significant hardware security improvements that started with those respective devices. 
I also strongly suggest, if using iOS devices, turning off Simple Passcode and using a passphrase; even if you don't lock your iOS device all the time, this will enable whole-device encryption.

Clear instructions & screenshot for turning off Simple Passcode http://www.computerworld.com/s/article/9231627/Kenneth_van_Wyk_Shutting_down_security_gotchas_in_iOS_6?taxonomyId=17&pageNumber=1

The reason for this is that a hacker with the right software can use a computer to try passcodes, and can also bypass the 10-try feature.

So if you're using the Simple Passcode, which is just a 4-digit number, they will probably be able to hack it in less than an hour.

However, if you use a passphrase like "I <3 my iPad.  I hate green beans!" the hacker will have a much more difficult time. [Note: don't use that passphrase, it is just to illustrate the concept.]

Instead of only 4 numbers there are 34 characters, counting the blank spaces, and you're using uppercase letters, lowercase letters, numbers, special characters, and blank spaces.

The hacker won't have any idea how long your password is, and by using at least one of each of upper case, lower case, numbers, symbols, and blank spaces you make the hacker's job a lot harder.

For more on passwords see http://cliffsesportcorner.blogspot.com/2012/05/steve-gibsons-haystacks-needles.html
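To put numbers on the comparison above, here is a small Haystacks-style calculator, added here and not code from the blog or from GRC: it detects which character classes a secret uses, counts every candidate an attacker who does not know the length would have to try, and converts that to time at an assumed guess rate. The rate of 10 guesses per second is an illustrative assumption, not a measured figure for any device.

```python
"""Passcode vs passphrase search-space calculator (added example)."""
import string

# Character classes an attacker must include once they cannot rule them out.
CLASSES = (
    ("upper", string.ascii_uppercase),   # 26
    ("lower", string.ascii_lowercase),   # 26
    ("digit", string.digits),            # 10
    ("symbol", string.punctuation),      # 32
    ("space", " "),                      # 1
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classes_used(secret: str):
    """Names of the character classes present in the secret."""
    return [name for name, chars in CLASSES if any(ch in chars for ch in secret)]


def alphabet_size(secret: str) -> int:
    """Size of the alphabet the attacker must assume, given the classes used."""
    used = set(classes_used(secret))
    return sum(len(chars) for name, chars in CLASSES if name in used)


def haystack_size(secret: str) -> int:
    """All candidates of length 1..len(secret) over the assumed alphabet.

    The attacker does not know the length, so every shorter string must be
    tried too; this is the 'haystack' in Gibson's Haystacks & Needles.
    """
    n = alphabet_size(secret)
    return sum(n ** k for k in range(1, len(secret) + 1))


def worst_case_years(secret: str, guesses_per_second: float) -> float:
    """Time to exhaust the haystack at the given (assumed) guess rate."""
    return haystack_size(secret) / guesses_per_second / SECONDS_PER_YEAR


def compare(pin: str, phrase: str, guesses_per_second: float = 10.0):
    """Summarise both secrets; the 10 guesses/s default is an assumption."""
    return {
        secret: {
            "length": len(secret),
            "alphabet": alphabet_size(secret),
            "haystack": haystack_size(secret),
            "years": worst_case_years(secret, guesses_per_second),
        }
        for secret in (pin, phrase)
    }


if __name__ == "__main__":
    # The blog's illustrative passphrase (do not reuse it) versus a 4-digit PIN.
    for secret, info in compare("1234", "I <3 my iPad.  I hate green beans!").items():
        print(f"{secret!r}: {info['length']} chars, alphabet {info['alphabet']}, "
              f"{info['haystack']:.3e} candidates, {info['years']:.3e} years")
```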

Additional links:


Security & Hacking: Malware 2 Years ago USB Battery Charger Backdoor

Energizer Battery Charger Software Included Backdoor http://krebsonsecurity.com/2010/03/energizer-battery-charger-software-included-backdoor/

Energizer DUO USB battery charger software allows unauthorized remote system access http://www.kb.cert.org/vuls/id/154421

This is from 2010, so it is certainly not a new concept; I hadn't heard of this specific hack before though, and to be honest I don't think I would have expected this before reading Brian Krebs' article on it.

Though I was aware of the Vodafone issue that some of the Energizer Duo articles/comments mentioned: http://research.pandasecurity.com/vodafone-distributes-mariposa/

To be clear, there wasn't malware on the USB device itself, but in the software you could download from Energizer to monitor the device.

I didn't find any articles explaining how the Malware got inserted into the Energizer software, but some stories suggested it might have been in place for ~3 years.

If anyone has any more detail on this I would be interested in learning it.

Schneier also posted about it http://www.schneier.com/blog/archives/2010/03/back_door_in_ba.html


Thursday, January 17, 2013

Security & Hacking: "Loan agency loses data on 583K Canadian students"

http://www.scmagazine.com.au/News/329135,loan-agency-loses-data-on-583k-canadian-students.aspx

Ironic tidbit, "The loss was discovered during the investigation of the disappearance of a USB key containing the personal information of another 5000 Canadians."

Sigh.

Some years ago a similar thing happened to me personally: a bunch of computers were stolen from a company that the bank for one of my school loans used for billing.

The bank didn't notify any of us with student loans, and those hackers sent out a lot of snail-mail forms trying to get signatures.

I was lucky; I was stubborn enough that I ignored the bogus form, though I didn't know what was going on at the time.

The form they sent didn't match anything current, and I was a broke college grad at the time, so I noticed the details about $'s and such didn't make any sense on the form, so I just ignored it.

I learned later about the stolen computers & HDDs and then knew what had happened.

Professional iOS apps: Anatomy & Mediquations Medical Calculator

I am not a big iOS fan personally, but my girlfriend has an iPad, and I plan to get an iPad (mainly for the security aspects of iOS & PDF reading) next spring.

So I am continually doing research for useful apps and accessories. I will definitely use this Anatomy app https://itunes.apple.com/us/app/anatomy-atlas/id295806778?mt=8; it will be useful for my work in forensics, physical anthropology, and martial arts.

I am not sure if I will use this medical calculator app https://itunes.apple.com/us/app/mediquations-medical-calculator/id287958963?mt=8, but it turned up in my search for the Anatomy app and has a very high rating.

Might see if the Medical Examiner I know locally would be interested in it.

For more information on the medical calculator app see the company's website http://www.mediquations.com/iPhone_iPodTouch_iPad/index.html

Security & Hacking: More Depth on Red October

I posted first about Red October Malware a few days ago.

I am fascinated by Red October; I am not sure yet if it compares to Stuxnet and/or Flame for the amount of talent and other resources invested in it.

But at this point Red October clearly seems to be more of an intelligence-gathering tool than a cyber weapon like Stuxnet.

Personally I am far more into researching and analyzing than breaking things.

So while I was impressed by Stuxnet and Flame, I am enthusiastic about Red October.

SecureList articles for Red October (Rocra for short):

Security & Hacking: "Patient data revealed in medical device hack"

http://www.scmagazine.com.au/News/329222,patient-data-revealed-in-medical-device-hack.aspx


Face palm after reading this section (though it is not the only vulnerability):
Once an extensive 200Gb forensic imaging process of the Windows-based platform had completed and the system was booted into a virtual machine, it took the researchers "two minutes" to find the first vulnerability.
"We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it," Rios said.
"The exploit runs as a privileged service, so we owned the entire box - we owned everything that it could do."
The researchers suspect the authentication logins for the system,  one with a username Philips and password Service01, are hardcoded and unchangeable by users, but when they warned Philips the company refuted the claim.

Security evidently wasn't part of the design criteria.

Article notes US DHS (Dept. Homeland Security) and FDA (Food & Drug Administration) were pressuring Philips to fix the problem.

ESET UK Masters HOTS Showdown: DIMAGA vs White-Ra

A HOTS Bo9 Showmatch between WhiteRa & Dimaga tonight!

There is a Bo5 match between Phamut & Abomb 75 minutes before that, more information at http://www.teamliquid.net/forum/viewmessage.php?topic_id=393684

ESET UK Masters on twitter https://twitter.com/esetukmasters or @esetukmasters

Stream: http://www.twitch.tv/esetukmasters

When:  (Fri 04:15 KST) Thurs 1/17/2013 @ 20:15 GMT/21:15 CET/2:15 pm EST/1:15pm CST/11:15 PST

Tuesday, January 15, 2013

Nerd News: "Netflix shows off how it does Hadoop in the cloud"

This article http://gigaom.com/2013/01/10/netflix-shows-off-its-hadoop-architecture/ is referring to this Netflix blog post http://techblog.netflix.com/2013/01/hadoop-platform-as-service-in-cloud.html

The Gigaom author, Derrick Harris, has previously written about Netflix's data collection and analysis, see http://gigaom.com/2012/06/14/netflix-analyzes-a-lot-of-data-about-your-viewing-habits/

For those not familiar with Hadoop see http://en.wikipedia.org/wiki/Apache_Hadoop or http://hadoop.apache.org/

Should be of interest to Nerds that deal with data, especially large volumes of data.

Security & Hacking: "Cisco Linksys Remote Preauth 0day Root Exploit"





From DefenseCode http://blog.defensecode.com/2013/01/defensecode-security-advisory-upcoming.html

"Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other 
Linksys versions/models are probably also affected.
Cisco Linksys is a very popular router with more than 70,000,000 routers sold.
That's why we think that this vulnerability deserves attention.

According to our vulnerability disclosure policy, the vulnerability details will be
disclosed in following 2 weeks on http://www.defensecode.com/, BugTraq and
Full Disclosure."

Related:

Monday, January 14, 2013

Security & Hacking: Red October Malware

http://arstechnica.com/security/2013/01/red-october-computer-espionage-network-may-have-stolen-terabytes-of-data/

I tweeted about this earlier today; it is still way too early to have a solid grasp of the scope of this malware IMVHO, but the Ars article does a good job of giving an initial idea of the size of this attack.

Lots of things about this malware are really impressive, but this part grabbed my attention, from the Ars link at top:
One novel feature contained in Red October is a module that creates an extension for Adobe Reader and Microsoft Word on compromised machines. Once installed, the module provides attackers with a "foolproof" way to regain control of a compromised machine, should the main malware payload ever be removed.
"The document may be sent to the victim via e-mail," the researchers explained. "It will not have an exploit code and will safely pass all security checks. However, like with exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document."
This is one of the tidbits that make me think this is state-sponsored; most criminals are opportunistic, in other words criminals tend to attack easy targets.

There are exceptions: certain types of terrorist attacks and/or ideological attacks may choose well-defended targets because they are not motivated by economic profit, for example.

The amount of effort this shows, for re-exploiting a targeted system after computer security staff removed the original exploit, has the definite mark of military intelligence to me.

I suggest the Ars article linked at top.

The comments to the Ars article are well worth reading for people wanting to learn more; you can find good insights and resources in the comments section whether you're new to computer security or an expert yourself.

You do have to screen out the noise to find the signals of course.


Original article from Kaspersky is https://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies

[Edited to add this from the link immediately above: Rocra (short for "Red October") is the shorthand name they are using for this malware, which might be useful for additional Google searches.]

I will certainly be blogging more about Red October.

I have created a new Label, Red October Malware; you can bookmark that if you want an easy way to check for updates.

I will be adding that Label to the selected labels at left side of Blog.

Labels can be found at the bottom left of every blog post, and here is a suggested list of Labels for people interested in Security & Hacking:
I am still looking for ways to improve searches on my blog; so far the best I have found is simply using Google with "Cliff's Esport Corner" in the search box, plus the topic you're interested in, like Red October, if a Label doesn't work for you.

I have tested Google's gadget for Blogger, but it wasn't as useful as regular Google for finding material on my blog the last time I tested it.








Scarlett vs Sage SC2 practice games & both are streaming

Just saw great game between them, hoping for several more tonight!

Streams:

Friday, January 11, 2013

More on Passwords & Password Keepers

I may have mentioned Brian Krebs' password article before, http://krebsonsecurity.com/password-dos-and-donts/, but wanted to make sure I linked to this article http://krebsonsecurity.com/password-dos-and-donts/

He mentions three Password Keepers:  Roboform, Passwordsafe, & Keepass.

Keepass is the only one of those three I know a bit about; I have a computer nerd friend who has used it for years.

It is good and free.

I am trying to provide a good selection of quality Password Keepers for people to choose from; not everyone's needs and wants are the same.

I prefer mSecure, partly because it has stronger encryption than many others, but it is also one of the most expensive consumer options.

A lot of my gamer friends, though, don't want to, or can't afford to, spend much on computer software.

Something to remember when using Password Keepers, is that you want to have that Data backed up VERY well.

You can use Dropbox or similar cloud storage, but you can also use Password Keepers on multiple devices (i.e. smartphone, tablet, & PC). I also like using a quality flash drive with hardware encryption.

I also like using written backup stored securely, I have physical items I have to keep secure, so I have ready storage for that.

I have written about Passwords & Password Keepers before, I specifically recommend reading Steve Gibson's Haystacks & Needles (Understanding Passwords) and "Lessons Learned from Cracking 2 Million LinkedIn Passwords."

For more posts click one of these Labels:


Those Labels and more can be found at the bottom left of each blog post; selected Labels can be found in the Label Cloud at the left side of the blog. There are space limitations there, but I am open to feedback on labels that should be added to or removed from the Label Cloud.

Stay Safe,

Cliff



Security & Hacking: Java Zero Day

Another day, another Zero Day, Java this time. The general consensus seems to be to uninstall it if possible for your situation; I haven't seen anything one way or the other on whether Firefox + NoScript is vulnerable or not, or whether Chrome is vulnerable or not.

I would think that Firefox with NoScript would offer some protection, but I don't have the correct expertise to know or test that myself currently.

Would welcome any info yes or no about Firefox+NoScript and/or Google Chrome and this Zero Day.

How To Disable Java in Browsers:

How To Disable Java in Google Chrome: enter chrome://plugins/ in the location bar (where URLs go; NOTE: you can bookmark chrome://plugins/ so you don't have to type it manually in future), then click Disable next to Java. See http://nakedsecurity.sophos.com/how-to-disable-java-chrome/ for illustrations/screenshots.

How To Disable Java in Firefox: go to Add-ons (or Tools then Add-ons depending on your OS), click the Plugins tab, and disable Java. See http://nakedsecurity.sophos.com/how-to-disable-java-firefox/ for screenshots.


How To Disable Java in IE (Internet Explorer): I haven't used IE in so many years that I am not going to write anything; just go to http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/ for clear instructions with screenshots. I think it is easier just to uninstall Java if you're using IE, but I don't trust my memory on IE because it has been so long since I used it.

How To Disable Java in Safari: easily done, go to Preferences in Safari, select Security, and uncheck Java. Again, for screenshots see http://nakedsecurity.sophos.com/how-to-disable-java-safari/

Honestly I recommend leaving it disabled; all my browsers have had it disabled for a long time, and I have not noticed any problems.

I recommend the same for Javascript.

For further reading:

Security & Hacking: Stanford's "Real-World Crypto" Workshop

[Updated with link to Day 3]

https://crypto.stanford.edu/RealWorldCrypto/index.php

Bristol Cryptography Blog's coverage:

Iron Squid Ro16 - Day 1

Missed the first series (sleeping) T_T; the event is live as I post this.

When: 1:00 KST/Fri 17:00 CET/Fri 11:00 EST/Fri 8:00 PST

Bo5's:
  1. HerO vs MKP
  2. MC vs viOlet 
  3. Mvp vs Goswser 
  4. Leenock vs Life


Streams:


Thursday, January 10, 2013

Wednesday, January 9, 2013

Security & Hacking: Adobe & Microsoft Update Patches

http://krebsonsecurity.com/2013/01/adobe-microsoft-ship-critical-security-updates/

http://www.livehacking.com/2013/01/09/in-brief-adobe-fixes-at-least-26-security-problems-in-adobe-acrobat-and-adobe-reader/

Short Version:  Make sure your Updated & Patched!

Also, use Firefox with Noscript (Addblockplus as well is good idea, you can Whitelist ie allow sites you want to support or trust) or Chrome, (again with Addblockplus) Chrome has functionality that is similar to Noscript!

Stop using IE unless you're forced to; if you're forced to use IE, set updates to auto AND check for updates on the second Wednesday (Microsoft issues patches every second Tuesday, but by checking Wednesday you generally avoid checking too early in the day, and also usually get a bit faster download speeds).

TLO Streaming SC2

Stream http://www.twitch.tv/liquidtlo

I really like TLO's Nydus play, and all his creep Shenanigans.

Security & Hacking: Yahoo email


A lot of people have been having problems with Yahoo Email recently http://downrightnow.com/yahoomail


It seems like Yahoo has forced password resets on all recently active email accounts.

Probably because of a renewed surge of Yahoo email hacking or exploits this week; for the story (or stories) about the old XSS vulnerability see this link http://www.scmagazine.com/yahoo-patches-xss-flaw-affecting-mail-users/article/275301/ for more.

But there are, or have been problems with resetting passwords for some.

I have multiple email accounts on various services (Yahoo, Gmail, Hotmail, etc.); this lets me test various things, including problems and vulnerabilities.

Yahoo forced a reset on my most used account, but it wouldn't let me access email without a workaround, until today.

Even with the text message code.

Interestingly enough, one of my never used Yahoo email accounts (I wasn't even sure if it would have been closed down because it was inactive) worked fine with old password, no reset was forced on that account.

I frequently check account activity on my Yahoo email accounts; the link here shows how to do so http://help.yahoo.com/kb/index?locale=en_US&y=PROD_ACCT&page=content&id=SLN2073

Though annoyingly the default view shows location (of your IP Provider, so don't freak out if it doesn't show your town without further checking).

You have to click on the location tab to select IP address, which is what you really want.

For more information on what an IP address is (TL;DR version: an ID number for any device hooked to a network; it works like a snail mail address so messages go to the right place) see http://en.wikipedia.org/wiki/IP_address

This site http://www.whatismyip.com/ (WOT score for that link https://www.mywot.com/en/scorecard/whatismyip.com), if you click on it, will show you your current IP address, so you can verify email access for Yahoo email via IP address.

Anyway, it really looks like Yahoo took a lazy approach to dealing with this problem; I know my Yahoo account that had a password reset forced on it was not being used by anyone but me.

Because I monitor what IP addresses access it. Additionally, that account has a very strong password, so if Yahoo passwords get stolen and it is compromised quickly I will know that it wasn't stored with proper encryption at Yahoo.

So there was no suspicious activity on that account; it only ever gets logged into from a single IP Address, and is normally logged into several times a week from that address, so I can't see how that would trigger any flags.

And my seldom if ever used accounts were not forced to reset passwords.

So it looks to me like Yahoo forced password resets on all active accounts during some time frame, and that is part of the reason why they, and the people that use Yahoo Email, are having so many problems.

The system crashed under the load of people trying to access their accounts, failing, and spamming attempts.

I strongly suggest everyone see Steve Gibson's Haystacks & Needles (Understanding Passwords) for a good understanding of strong passwords.

For more posts on Passwords click the Label "Passwords"; that Label, with selected other ones, can be found in the Label cloud at the left side of the Blog.

There are also Labels at the bottom left of every Blog post.

For Pen Testers and such I suggest one of these Labels:

Tuesday, January 8, 2013

Ayesee streaming Dota 2

Stream http://www.twitch.tv/ayeseetv

Ayesee, such a Boss!

Pew Pew "Lasers from Space"

Now on Earth http://www.technologyreview.com/view/509586/physicists-demonstrate-first-laser-made-from-a-cloud-of-gas/

For more on the naturally occurring Lasers see this NASA link http://www.nasa.gov/home/hqnews/1995/95-148.txt

Really Cool!

Science is so much stranger than Fiction!

Security & Hacking "Snorby"

Snorby link:  https://cloud.snorby.org/#/

I would suggest starting with the TaoSecurity article, where I found this myself, http://taosecurity.blogspot.com/2013/01/welcome-to-network-security-monitoring.html

I also strongly recommend TaoSecurity itself as a very good resource.

Big Brother (DHS) & You

http://www.schneier.com/blog/archives/2013/01/dhs_gets_to_spy.html

So little Data Privacy, wonder how long it will take for this trend to change.

I am pretty sure it will change, though perhaps not in the way I would like.


Monday, January 7, 2013

CES Coverage resources

I will put several links for live blogs, streams, etc. for CES 2013 on this blog post.

I will update it throughout the week.

CES Links:

  • PC Perspective main site http://www.pcper.com/ & live link http://www.pcper.com/live/
  • ComputerWorld http://www.computerworld.com/s/article/9234982/Complete_coverage_CES_2013
  • AnandTech main page, note the Pipeline section at the right side http://www.anandtech.com/
      • Brian Klug's CES bag http://www.anandtech.com/show/6545/ces-gear-whats-in-my-bag
      • Vivek Gowri's CES Bag http://www.anandtech.com/show/6556/ces-gear-whats-in-viveks-bag
      • "AT&T Developers Summit Keynote" Live Blog http://www.anandtech.com/show/6560/att-2013-developer-summit-keynote-live-blog
  • Android Police main site http://www.androidpolice.com/
  • Daily Tech http://www.dailytech.com/
  • PC Mag http://www.pcmag.com/CES/
  • CNet CES http://ces.cnet.com/
  • Ars CES Gear http://arstechnica.com/gadgets/2013/01/ars-ces-gear-its-totally-my-bag-baby/

  • Things from CES I like (some neat, some useful, some both):


HwangSin Streaming SC2

Stream: http://www.twitch.tv/hwangsin

<333 HwangSin

Sunday, January 6, 2013

Random Wikipedia of the Day (RWotD): Illegal Number

http://en.wikipedia.org/wiki/Illegal_number

Illegal Numbers.

Odd the things you can learn from Wikipedia.

Nerd Jobs: "The Ph. D. Grind"

http://www.pgbovine.net/PhD-memoir.htm

If you're interested in a Nerd or Gaming type job, you should spend the time to read this memoir.

It describes one path to that type of work.

I suggest you start at the link above, but for the TL;DR people:

Nerd News: Amount of Internet Archived

http://www.technologyreview.com/view/509411/computer-scientists-measure-how-much-of-the-web-is-archived/

I find this general topic of interest, since I consider myself to be a mix primarily of Research Librarian & Writer; one of my goals with this blog is to provide an information resource to gamers.

Though a lot of people don't realize it, the skills and resources needed to find strats for games or answers to computer problems are the type of thing a good Librarian could help you with, since at the core, they are really about finding and organizing data.

For more on LIS (Library Information Science):

TLO is streaming some awesome SC2

Stream http://www.twitch.tv/liquidtlo

He is playing a great game vs a Terran atm, using Nydus like I think all Zerg should to help deal with Broodlord immobility.

Thursday, January 3, 2013

HwangSin is Streaming SC2

Stream http://www.twitch.tv/hwangsin

HwangSin Fighting!

Security & Hacking: "Emergence of state-sponsored malware and targeted attacks as major factors"

https://threatpost.com/en_us/blogs/2012-what-have-we-learned-010213

Also, one of the things I am concerned about is that, because things like Stuxnet & Flame became public, the more common criminal Hackers will certainly be able to use many of the sophisticated techniques employed by those State sponsored Cyber attacks.

They will then package it into things like the Blackhole Exploit kit, so anyone that is willing to spend the money will be able to use those very powerful hacking tools.

It will trickle down so that eventually even Script Kiddies will have the tools they need to cause significant damage to businesses, utilities, etc.