Esports & Computer Security Blog.
Thursday, January 31, 2013
PSA Security & Hacking: UPnP (Universal Plug and Play) Vulnerability
Security Now 389 "Unplug UPnP" links for audio downloads & etc http://twit.tv/show/security-now/389
[Edited to Add: Steve Gibson has UPnP exposure test in Shields up now! Thanks Steve!! https://twitter.com/SGgrc/status/297165652257554432]
CERT Note http://www.kb.cert.org/vuls/id/922681
US CERT "Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices. Information is also available in CERT Vulnerability Note VU#922681.
US-CERT recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities.
US-CERT recommends that users and administrators review CERT Vulnerability Note VU#922681, disable UPnP (if possible), and restrict access to SSDP (1900/udp) and Simple Object Access Protocol (SOAP) services from untrusted networks such as the Internet." ~http://www.us-cert.gov/current/
Steve Gibson provides details on this issue, he also notes in the VOD above that he is going to add the capability to test for this Vulnerability to his ShieldsUP service/software.
ShieldsUP http://www.grc.com/x/ne.dll?rh1dkyd2
Problem with this, is even if you disable UPnP on your Router, it may still be enabled on the WAN (Internet) side.
Till Gibson gets this functionality added to ShieldsUP, not sure how most people could scan for it to be sure it was disabled on their routers.
Hard Core Nerds with correct tools could Pen Test individual Routers, but not aware of any practical way to test for people that don't have the skillset and tools for Pen Testing.
AFAIK the Rapid7 tool isn't stable/reliable, at least it wasn't yesterday for many people, it may have been patched since then, but not comfortable recommending it at this time.
I wouldn't trust vulnerability list from any Manufacturer on this, because it is a very bad case of stupid to have in the first place.
I haven't had enough time to find out if Tomato http://en.wikibooks.org/wiki/Tomato_Firmware#Supported_devices or DD WRT http://www.dd-wrt.com/site/index provide a guaranteed fix for this yet.
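An added example (not from this post, US-CERT, or the libupnp project): this Python sketch sends the standard SSDP discovery request on your own LAN and reports whether each responder's SERVER banner advertises a libupnp older than the 1.6.18 release US-CERT names above. The function names and sample responses are constructed for illustration, and it assumes libupnp identifies itself as "Portable SDK for UPnP devices/<version>"; a device can hide or change that banner, so no match is not proof of safety.

```python
"""Check SSDP responders on the local network for an outdated libupnp banner."""
import re
import socket

FIXED = (1, 6, 18)                      # release US-CERT says addresses the flaws
SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
).encode("ascii")

# Assumption: libupnp announces itself like this in the SERVER header.
SDK_RE = re.compile(r"Portable SDK for UPnP devices/\s*(\d+(?:\.\d+)*)", re.I)

# Constructed sample responses (not captured from real devices).
SAMPLE_OLD = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)
SAMPLE_FIXED = (  # bare \n line endings, which some devices send
    b"HTTP/1.1 200 OK\n"
    b"SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\n"
    b"ST: upnp:rootdevice\n"
    b"\n"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 200 OK\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"\r\n"
)


def parse_ssdp(raw: bytes) -> dict:
    """Return the headers of one SSDP response, keyed by lower-cased name."""
    lines = raw.decode("utf-8", errors="replace").splitlines()
    headers = {}
    for line in lines[1:]:          # lines[0] is the HTTP status line
        if not line:                # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess(raw: bytes) -> dict:
    """Classify one response by the libupnp version in its SERVER banner."""
    server = parse_ssdp(raw).get("server", "")
    match = SDK_RE.search(server)
    if not match:
        # Some other UPnP stack, or a vendor that stripped the banner.
        return {"server": server, "libupnp": None, "status": "unknown-stack"}
    version = tuple(int(part) for part in match.group(1).split("."))
    status = "needs-update" if version < FIXED else "fixed-version"
    return {"server": server, "libupnp": version, "status": status}


def discover(timeout: float = 3.0) -> list:
    """Multicast one M-SEARCH on the LAN and assess every reply received."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(4096)
            found.append((ip, assess(data)))
    except socket.timeout:
        pass                        # no more replies within the timeout
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED),
                          ("other", SAMPLE_OTHER)):
        print(label, assess(sample))
    # Any device that answers here has UPnP enabled on the LAN side.
    for ip, result in discover():
        print(ip, result["status"], result["server"])
```

This only sees the LAN side; whether SSDP answers on the WAN side has to be checked from outside your network, which is what the ShieldsUP test mentioned above is for.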
iOS 6.1 Update & Problems
There are critical Security Patches in iOS 6.1, so I strongly recommend updating to it if your iOS device is supported.
See http://support.apple.com/kb/HT5642 for more on the Security issues addressed.
There are a couple of problems being reported with iOS 6.1 for iPhone 5 and iPod Touch 5th generation (current late 2012 release Touch).
Some iPhone 5 owners are having problems with LTE after updating to iOS 6.1
See http://support.apple.com/kb/HT5642 for more information and possible solution for LTE problems with iOS 6.1 on iPhone 5
Solution that seems to work for some people is to reset network settings "Settings-->General-->Reset-->Reset Network Settings"
5th Gen iPod Touch owners are reporting some problems with iOS 6.1, they are getting "Unable to Verify Update" error message.
Claiming no net connection, even with good signal or even via cable PC/Mac for some people.
One possible solution or work around, as well as more details at https://discussions.apple.com/thread/4751554?tstart=0
Possible solution, posted by oneGodguitarist, from link above:
"It took me a while but I finally got it to update. I did a couple of things. I reloaded itunes as "repair" just to make sure that nothing was missing. The thing that really worked was that I tried connecting my device to another laptop with itunes. It updated on there but to factory settings. Then, I was able to go back to the main computer and reconnect and restore."
Wednesday, January 30, 2013
Starcraft 2 HOTS Unit Information & More
http://wiki.teamliquid.net/starcraft2/Heart_of_the_Swarm
Think this has been up about a month or so, if you spot any errors and can't edit the wiki yourself post in comments.
I know people that can edit on Liquidpedia, and will try to pass info on to them.
Tuesday, January 29, 2013
Security & Hacking: Java with Swiss Cheese Security
This has been all over the Net, not like anyone was really expecting Java to become truly secure I suppose, but this does seem very bad, so I am going to start calling it Swiss Cheese Security, SCS for short, since it is so full of holes.
Various Links on *known* Security holes from last week or so, I am sure there are many more known and unknown:
- http://seclists.org/fulldisclosure/2013/Jan/241
- http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53
- http://arstechnica.com/security/2013/01/javas-new-very-high-security-mode-cant-protect-you-from-malware/
- "Oracle Talks Java Security, Pledges More Outreach to Java Community" http://www.securityweek.com/oracle-talks-java-security-pledges-more-outreach-java-community
Saturday, January 26, 2013
DC LAN #11
[Sorry I am so late with this, event is still going as I finally get this posted, probably 2 or more hours left].
The 11th Washington D.C. LAN event. With $250+ in SC2 Tournament prizes, and $150+ in BW Tournament prizes!
Thread: http://www.teamliquid.net/forum/viewmessage.php?topic_id=391066
When: 02:00 KST/Sat 18:00 CET/Sat 12:00 EST/Sat 09:00 PST
Stream: http://www.twitch.tv/therealnanman
Caster: TheRealNanMan
New Budget Line of Macs ^_^
http://osxdaily.com/2013/01/25/check-out-this-awesome-lego-rendition-of-the-original-macintosh/
To be clear this is humor, not claiming these are real Macs!
Thought it was cool use of Legos though.
Friday, January 25, 2013
HwangSin is streaming
Though not sure for how long, think he has been up all night.
Either that or he got up real early.
Stream: http://www.twitch.tv/hwangsin/
Wednesday, January 23, 2013
Security & Hacking: "Multiple Vulnerabilities in Cisco Wireless LAN Controllers"
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130123-wlc
Cut & Paste from above link:
"Summary
The Cisco Wireless LAN Controller (Cisco WLC) product family is affected by the following four vulnerabilities:
- Cisco Wireless LAN Controllers Wireless Intrusion Prevention System (wIPS) Denial of Service Vulnerability
- Cisco Wireless LAN Controllers Session Initiation Protocol Denial of Service Vulnerability
- Cisco Wireless LAN Controllers HTTP Profiling Remote Code Execution Vulnerability
- Cisco Wireless LAN Controllers SNMP Unauthorized Access Vulnerability
Vulnerable Products
For specific version information, refer to the Software Versions and Fixes section of this advisory.
Each of the following products is affected by at least one of the vulnerabilities covered in this security advisory:
- Cisco 2000 Series WLC
- Cisco 2100 Series WLC
- Cisco 2500 Series WLC
- Cisco 4100 Series WLC
- Cisco 4400 Series WLC
- Cisco 5500 Series WLC
- Cisco 7500 Series WLC
- Cisco 8500 Series WLC
- Cisco 500 Series Wireless Express Mobility Controllers
- Cisco Wireless Services Module (Cisco WiSM)
- Cisco Wireless Services Module version 2 (Cisco WiSM version 2)
- Cisco NME-AIR-WLC Module for Integrated Services Routers (ISRs)
- Cisco NM-AIR-WLC Module for Integrated Services Routers (ISRs)
- Cisco Catalyst 3750G Integrated WLCs
- Cisco Flex 7500 Series Cloud Controller
- Cisco Virtual Wireless Controller
- Cisco Wireless Controller Software for Integrated Services Module 300 and Cisco Services-Ready Engine 700, 710, 900, and 910"
Security & Hacking: Project Ophelia PC on USB Stick
Official links: http://content.dell.com/us/en/corp/d/secure/2013-01-08-dell-wyse-ultra-compact-cloud-client.aspx or http://www.wyse.com/about/press/release/2377
Articles:
http://arstechnica.com/information-technology/2013/01/is-dell-looking-to-kill-pcs-with-project-ophelia/
http://www.computerworld.com/s/article/9236035/A_new_computer_that_defies_category
http://www.infoworld.com/t/thin-clients/meet-ophelia-dells-50-plug-in-cloud-based-pc-challenger-211031
Not sure if this makes sense for business or not, it is intended for thin clients, http://en.wikipedia.org/wiki/Thin_client. There are Pros and Cons to that approach, which is the way real old school computers were used.
[Personally I think a dispersed mesh network of powerful but very small devices is the more likely future of computing, but that is topic for another day.]
Project Ophelia has a lot of applications for Pen Testing or Hacking though IMO.
You might need to Hack the device a bit, but note while it is using Android to start with, they are planning on offering it with various OS's if I understand correctly.
According to some of the news articles, they are aiming at $50 price, so it would be cheap.
According to the ComputerWorld article (though not sure where they got the info, CES maybe?) specs are as follows: "The device will run Android OS Jelly Bean, have 8GB of memory to support applications, music, video and presentations, and a microSD slot up to 32GB of storage."
Tuesday, January 22, 2013
Scarlett vs Minigun Bo7 Showmatch!
IRL messing things up, didn't know this was happening till just now!
Playhem Showmatch Bo7, live now as I post this, Winner gets $100, 2nd gets $50
More info http://www.teamliquid.net/calendar/2013/01/#event_14567
Streams:
- Cast by Unctious & Zoia http://www.twitch.tv/playhemtv
- Scarlett http://www.twitch.tv/scarlettm
- Minigun http://www.twitch.tv/colminigun
HwangSin Streaming
Edited to Add: he is done streaming already :( has a class soon
Stream: http://www.twitch.tv/hwangsin
HwangSin Fighting!
Monday, January 21, 2013
PSA Wikipedia downtime & disruptions with Server Migration likely
Wikimedia sites to move to primary data center in Ashburn, Virginia
Tuesday Jan 22 through Thursday 24, 2013 is the current planned time frame.
Source http://blog.wikimedia.org/2013/01/19/wikimedia-sites-move-to-primary-data-center-in-ashburn-virginia/:
"Engineering teams have been preparing for the migration to minimize inconvenience to our users, but major service disruption is still expected during the transition. Our sites will be in read-only mode for some time, and may be intermittently inaccessible. Users are advised to be patient during those interruptions, and share information in case of continued outage or loss of functionality.
The current target windows for the migration are January 22nd, 23rd and 24th, 2013, from 17:00 to 01:00 UTC (see other timezones on timeanddate.com)."
Makes me wish I had Wikipedia already downloaded for offline access, it is on my to do list, have blogged about it before http://cliffsesportcorner.blogspot.com/2012/09/random-wikipedia-of-day.html.
Link to Download page http://en.wikipedia.org/wiki/Wikipedia:Database_download
Security & Hacking: Red October Whitepaper from AlienvaultLabs & Kaspersky
Red October malware "Indicators of Compromise" Whitepaper (PDF) http://labs.alienvault.com/labs/wp-content/uploads/2013/01/RedOctober-Indicatorsofcompromise-2.pdf
Open IOC file https://github.com/jaimeblasco/AlienvaultLabs/blob/master/malware_analysis/RedOctober/48290d24-834c-4097-abc5-4f22d3bd8f3c.ioc
Via http://labs.alienvault.com/labs/index.php/2013/red-october-indicators-of-compromise-and-mitigation-data/
Security & Hacking: "...not just the Big Guys at risk"
Sophos' Naked Security article "Boutique babycare website hack - not just the Big Guys at risk" link http://nakedsecurity.sophos.com/2013/01/21/boutique-babycare-website-hack/
Article is mainly about @JokerCracker or https://twitter.com/JokerCracker hacking of a Babycare website.
[Personal comment: I really think hacking a Child or Baby care site publicly is about as bad as being a pedophile, and have to wonder about the motivation for doing so. I plan to cover ethics & morality eventually on this blog, as it relates to Security & Hacking issues.]
Of course the passwords were not encrypted.
They suggest not using services that you suspect don't follow best practices, which is nice sounding advice, but not real practical for many in real world situations.
Generally speaking, there is no real way to know, without doing Pen Testing, if a site has good, bad, or fair security.
Unless it is REALLY bad, like not using HTTPS for logins & such, which I have personally experienced.
Before I started this blog, I was putting a lot of effort into Book reviewing, since I am a writer and a book worm.
While exploring ways to get frequent ARC (Advance Reader Copies, which are copies of book that are printed before they are published, like getting hands on new hardware or software before it is released to the public, legitimate way to do reviews before book is published), found a specific company that I was real interested in working with, that didn't use HTTPS on their site.
Even though they required SSN & other PII for application to the ARC program, the PII stuff was more or less needed, but they were clearly not handling data properly.
I sent email to them about the issue, and from their response it was clear they were so clueless about Best Practices, that there was no point in trying to educate them, till they get hacked.
There is a saying, something like "Fools never learn, most people learn the hard way, and wise people learn from others' mistakes."
Sunday, January 20, 2013
Security & Hacking: Malware & US Power Plants
Summation by Reuters http://in.reuters.com/article/2013/01/16/cyber-security-powerplants-virus-idINDEE90F0H720130116 of this ICS CERT Monthly Monitor (PDF) http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Oct-Dec2012.pdf
I strongly suggest reading the PDF if you want to learn or understand the issue.
One of the things I noted on my first read of the PDF, was that not only was the one plant hit by Malware, but that two of their workstations that were critical to the operation of the plant had no backups, or even backup components on site.
This hints at the rather large scope of the problem for improving ICS security.
I don't have a background in ICS or Power Plants, my experience is more in physical security, but the impression I got from the ICS CERT Monthly Monitor was that many (most?) of these plants are used to winging things.
They are used to enough slack, or excess capacity, in the system or grid as a whole, that they haven't had to meet the type of uptime requirements many in IT fields take for granted.
If I understood correctly, a simple HDD or power supply failure of one of the critical workstations could have deadlined the whole plant for indefinite period.
Further Resources from US CERT Control Systems Security Program (CSSP):
- Introduction to Recommended Practices: http://www.us-cert.gov/control_systems/practices/
- Recommended Practices: http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
- Cyber Threat Source Descriptions: http://www.us-cert.gov/control_systems/csthreats.html
- Information Products: http://www.us-cert.gov/control_systems/csdocuments.html
Security & Hacking: Java exploit Number ∞
http://nakedsecurity.sophos.com/2013/01/20/java-hacker-boasts-of-finding-two-more-unpatched-holes/
http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/
Seems like you can find new/more Java exploits a lot faster than they can be patched, so if you're concerned about security, stop using Java on Browsers!
Course, if you want to make sure Blackhat Hackers don't starve, keep using it, </sarcasm>
Nerd News: NASA's Inflatable Module for ISS
http://www.nasa.gov/mission_pages/station/news/beam_feature.html
http://www.space.com/19290-private-inflatable-space-station-bigelow.html
http://www.gizmag.com/bigelow-beam-iss-nasa-contract/25877/
For more on Whipple Shields see http://ares.jsc.nasa.gov/ares/hvit/basic.cfm, http://ares.jsc.nasa.gov/ares/hvit/sd.cfm or http://en.wikipedia.org/wiki/Whipple_shield
I am real interested in this inflatable module, eventually we might be able to have entire space stations or space ships made this way, or with most of the structure made this way, which could really lower the weight.
Weight is a big problem for getting this to orbit from Earth surface, the gravity well is useful in day to day life, but it is a real PITA for getting into space.
For more on orbital costs see http://home.earthlink.net/~kstengel226/astro/cost2orbit.html also http://en.wikipedia.org/wiki/Comparison_of_orbital_launch_systems
WhiteRa vs aG'Fuzer Bo7
Awesome Gaming would like to bring a show with a best of 7 (seven) between aG'Fuzer and White-Ra, with the winner taking $150
Stream: http://www.twitch.tv/awesomegaminglive/
Casters: Cyniko & BelleNoir (Skype @CnikoSC & @BelleNoirTV)
Links:
Friday, January 18, 2013
PSA Security & Hacking: Shylock Banking Trojan now spreading via Skype
Primary source https://www.csis.dk/en/csis/blog/3811
As someone that is computer security conscious, I avoid online banking completely.
For friends, family, & others that insist on online banking I suggest either of the following:
- Use a Live CD, Brian Krebs has excellent articles on how to do this http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/ or http://krebsonsecurity.com/banking-on-a-live-cd/
- Use a recent iOS device, iPhone 4S or newer, iPad 2 or newer, iPod Touch 5th generation or newer. There are significant hardware security improvements that started with those respective devices.
Clear instructions & screenshot for turning off Simple Passcode http://www.computerworld.com/s/article/9231627/Kenneth_van_Wyk_Shutting_down_security_gotchas_in_iOS_6?taxonomyId=17&pageNumber=1
The reason for this, is that a hacker with right software, can use a computer to try passwords, they can also bypass the 10 try feature.
So if you're using the Simple Passcode, which is just a 4 digit number, they will probably be able to hack it in less than an hour.
However, if you use a Pass Phrase, like I <3 my iPad. I hate green beans! the hacker will have a much more difficult time. [Note, don't use that pass phrase, it is just to illustrate the concept.]
Since instead of only 4 numbers, there are 34 characters, counting the blank spaces, plus you're using uppercase letters, lowercase letters, numbers, special characters, and blank spaces.
The hacker won't have any idea how long your password is, and by using at least one of all possible upper/lower case, numbers, symbols, and blank spaces you make the hacker's job a lot harder.
For more on passwords see http://cliffsesportcorner.blogspot.com/2012/05/steve-gibsons-haystacks-needles.html
Additional links:
- Covers weakness of older iOS devices to hacking http://www.blackbagtech.com/blog/2011/12/15/iphone-forensics-accessing-a-handset-locked-iphone-ipad-or-ipod-touch-device/
- Elcomsoft article (pdf) on password keepers, but they also cover superiority of locking iOS or Blackberry devices over Password Keepers http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf
- Verifying iOS Data Protection enabled http://support.apple.com/kb/HT4175
- Non Apple article for verifying iOS Data Protection enabled (some find Apple's Support articles less than clear) http://www.cloudcentrics.com/?p=1820
- Puppy Linux, a decent choice for Live CD http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm
- Damn Small Linux another decent choice for Live CD http://www.damnsmalllinux.org/
- Place to buy Live CD or DVD with Puppy Linux (so you can just buy it and use it, without hassle of downloading & burning it yourself) http://www.osdisc.com/products/linux/puppy
Security & Hacking: Malware 2 Years ago USB Battery Charger Backdoor
Energizer Battery Charger Software Included Backdoor http://krebsonsecurity.com/2010/03/energizer-battery-charger-software-included-backdoor/
Energizer DUO USB battery charger software allows unauthorized remote system access http://www.kb.cert.org/vuls/id/154421
This is from 2010, so certainly not a new concept, I hadn't heard of this specific hack before though, & to be honest, don't think I would have expected this, before reading Brian Krebs's article on it.
Though I was aware of the Vodafone issue that some of the Energizer Duo articles/comments mentioned http://research.pandasecurity.com/vodafone-distributes-mariposa/
To be clear, there wasn't Malware on the USB device itself, but in the software you could download from Energizer to monitor the device.
I didn't find any articles explaining how the Malware got inserted into the Energizer software, but some stories suggested it might have been in place for ~3 years.
If anyone has any more detail on this I would be interested in learning it.
Schneier also posted about it http://www.schneier.com/blog/archives/2010/03/back_door_in_ba.html
Thursday, January 17, 2013
Security & Hacking: "Loan agency loses data on 583K Canadian students"
http://www.scmagazine.com.au/News/329135,loan-agency-loses-data-on-583k-canadian-students.aspx
Ironic tidbit, "The loss was discovered during the investigation of the disappearance of a USB key containing the personal information of another 5000 Canadians."
Sigh.
Some years ago, similar thing happened to me personally, bunch of computers were stolen from company that the bank for one of my school loans used for billing.
Bank didn't notify any of us with student loans, and those Hackers sent out a lot of snail mail forms trying to get signatures.
I was lucky, I was stubborn enough that I ignored the bogus form, though I didn't know what was going on at the time.
The form they sent didn't match anything current, and I was a broke college grad at the time, so I noticed the details about $'s and such didn't make any sense on the form, so I just ignored it.
Learned later about the stolen computers & HDD's and then knew what had happened.
Professional iOS apps: Anatomy & Medical Meditations Calculator
I am not a big iOS fan personally, but my girlfriend has an iPad, and I plan to get an iPad (mainly for the secure aspects of iOS & PDF reading) next Spring.
So I am continually doing research for useful apps and accessories, I will definitely use this Anatomy app https://itunes.apple.com/us/app/anatomy-atlas/id295806778?mt=8, it will be useful for my work in Forensics, Physical Anthropology, and Martial arts.
Not sure if I will use this medical calculator app https://itunes.apple.com/us/app/mediquations-medical-calculator/id287958963?mt=8 but it turned up in my search for the Anatomy app, and has very high rating.
Might see if the Medical Examiner I know locally would be interested in it.
For more information on the Medical calculator app see the company's website http://www.mediquations.com/iPhone_iPodTouch_iPad/index.html
Security & Hacking: More Depth on Red October
I posted first about Red October Malware a few days ago.
I am fascinated by Red October, not sure yet if it compares to Stuxnet and/or Flame for amount of talent and other resources invested in it.
But Red October seems to clearly be more of an intelligence gathering tool at this point, than a Cyber Weapon like Stuxnet.
Personally I am far more into researching and analyzing than breaking things.
So while I was impressed by Stuxnet and Flame, I am enthusiastic about Red October.
SecureList articles for Red October (Rocra for short):
- Jan 14, 2013 "Red October" Diplomatic Cyber Attacks Investigation http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation
- Jan 14, 2013 The "Red October" Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies https://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies
- Jan 17, 2013 "Red October" - part two, the modules http://www.securelist.com/en/blog/208194091/Red_October_part_two_the_modules
Security & Hacking: "Patient data revealed in medical device hack"
http://www.scmagazine.com.au/News/329222,patient-data-revealed-in-medical-device-hack.aspx
Face palm, after reading this section, though not only vulnerability:
Once an extensive 200Gb forensic imaging process of the Windows-based platform had completed and the system was booted into a virtual machine, it took the researchers "two minutes" to find the first vulnerability.
"We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it," Rios said.
"The exploit runs as a privileged service, so we owned the entire box - we owned everything that it could do."
The researchers suspect the authentication logins for the system, one with a username Philips and password Service01, are hardcoded and unchangeable by users, but when they warned Philips the company refuted the claim.
Security evidently wasn't part of the design criteria.
Article notes US DHS (Dept. Homeland Security) and FDA (Food & Drug Administration) were pressuring Philips to fix the problem.
ESET UK Masters HOTS Showdown: DIMAGA vs White-Ra
A HOTS Bo9 Showmatch between WhiteRa & Dimaga tonight!
There is a Bo5 match between Phamut & Abomb 75 minutes before that, more information at http://www.teamliquid.net/forum/viewmessage.php?topic_id=393684
ESET UK Masters on twitter https://twitter.com/esetukmasters or @esetukmasters
Stream: http://www.twitch.tv/esetukmasters
When: (Fri 04:15 KST) Thurs 1/17/2013 @ 20:15 GMT/21:15 CET/2:15 pm EST/1:15pm CST/11:15 PST
Wednesday, January 16, 2013
Tuesday, January 15, 2013
Nerd News: "Netflix shows off how it does Hadoop in the cloud"
This article http://gigaom.com/2013/01/10/netflix-shows-off-its-hadoop-architecture/ is referring to this Netflix blog post http://techblog.netflix.com/2013/01/hadoop-platform-as-service-in-cloud.html
The Gigaom author, Derrick Harris, has previously written about Netflix's data collection and analysis, see http://gigaom.com/2012/06/14/netflix-analyzes-a-lot-of-data-about-your-viewing-habits/
For those not familiar with Hadoop see http://en.wikipedia.org/wiki/Apache_Hadoop or http://hadoop.apache.org/
Should be of interest to Nerds that deal with data, especially large volumes of data.
Security & Hacking: "Cisco Linksys Remote Preauth 0day Root Exploit"
From DefenseCode http://blog.defensecode.com/2013/01/defensecode-security-advisory-upcoming.html
"Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected. Cisco Linksys is a very popular router with more than 70,000,000 routers sold. That's why we think that this vulnerability deserves attention. According to our vulnerability disclosure policy, the vulnerability details will be disclosed in following 2 weeks on http://www.defensecode.com/, BugTraq and Full Disclosure."
Related:
- BugTraq http://www.securityfocus.com/
- Full Disclosure http://seclists.org/fulldisclosure/
Monday, January 14, 2013
Security & Hacking: Red October Malware
http://arstechnica.com/security/2013/01/red-october-computer-espionage-network-may-have-stolen-terabytes-of-data/
I tweeted about this earlier today. It is still way too early to have a solid grasp of the scope of this Malware IMVHO, but the Ars article does a good job of giving an initial idea of the size of this attack.
Lots of things about this Malware are really impressive, but this part grabbed my attention, from Ars link at top:
One novel feature contained in Red October is a module that creates an extension for Adobe Reader and Microsoft Word on compromised machines. Once installed, the module provides attackers with a "foolproof" way to regain control of a compromised machine, should the main malware payload ever be removed.
"The document may be sent to the victim via e-mail," the researchers explained. "It will not have an exploit code and will safely pass all security checks. However, like with exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document."
This is one of the tidbits that make me think this is State sponsored, most criminals are opportunistic, in other words criminals tend to attack easy targets.
There are exceptions, certain types of Terrorist attacks and/or Ideological attacks may choose well defended targets because they are not motivated by economic profit for example.
The amount of effort this shows, for re-exploiting a targeted system, after Computer Security removed the original exploit, has the definite mark of Military Intelligence to me.
I suggest the Ars article linked at top.
The comments to the Ars article are well worth reading for people wanting to learn more, you can find good insights and resources in the comments section whether you're new to Computer Security or an expert yourself.
You do have to screen out the noise to find the signals of course.
Original article from Kaspersky is https://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies
[Edited to add this from link immediately above, Rocra (short for "Red October"), is shorthand name they are using for this Malware, might be useful for additional Google searches.]
I will certainly be blogging more about Red October.
I have created new Label Red October Malware, you can bookmark that, if you want an easy way to check for updates.
I will be adding that Label to the selected labels at left side of Blog.
Labels can be found at bottom left of every blog post, and here is a suggested list of Labels for people interested in Security & Hacking:
I am still looking for ways to improve searches on my blog, so far the best I have found is simply using Google with Cliff's Esport Corner in the search box, plus the topic you're interested in like Red October, if a Label doesn't work for you.
I have tested Google's gadget for Blogger, but it wasn't as useful as regular Google for finding material on my blog the last time I tested it.
Scarlett vs Sage SC2 practice games & both are streaming
Just saw great game between them, hoping for several more tonight!
Streams:
Friday, January 11, 2013
More on Passwords & Password Keepers
I may have mentioned Brian Krebs's password article before, http://krebsonsecurity.com/password-dos-and-donts/, but wanted to make sure I linked to this article http://krebsonsecurity.com/password-dos-and-donts/
He mentions three Password Keepers: Roboform, Passwordsafe, & Keepass.
Keepass is the only one of those three I know a bit about, have a computer nerd friend that has used that for years.
It is good and free.
I am trying to provide a good selection of quality Password Keepers for people to choose from, not everyone's needs and wants are the same.
I prefer mSecure, partly because it has stronger encryption than many others, but it is also one of the most expensive consumer options.
Lot of my gamer friends though don't want to, or can't afford, to spend much on computer software.
Something to remember when using Password Keepers, is that you want to have that Data backed up VERY well.
You can use Dropbox or similar cloud storage, but you can also use Password Keepers on multiple devices (i.e. Smartphone, Tablet, & PC). I also like using a quality Flashdrive with hardware encryption.
I also like using written backup stored securely, I have physical items I have to keep secure, so I have ready storage for that.
I have written about Passwords & Password Keepers before, I specifically recommend reading Steve Gibson's Haystacks & Needles (Understanding Passwords) and "Lessons Learned from Cracking 2 Million LinkedIn Passwords."
For more posts click one of these Labels:
Those Labels and more can be found at bottom left of Blog post, selected Labels can be found in Label Cloud at left side of blog, space limitations there, but I am open to feedback for labels that should be added or removed from the Label Cloud.
Stay Safe,
Cliff
Security & Hacking: Java Zero Day
Another day, another Zero Day, Java this time. The general consensus seems to be to uninstall it if possible for your situation. I haven't seen anything one way or the other on whether Firefox + NoScript is vulnerable or not, or whether Chrome is vulnerable or not.
I would think that Firefox with NoScript would offer some protection, but I don't have the correct expertise to know or test that myself currently.
Would welcome any info yes or no about Firefox+NoScript and/or Google Chrome and this Zero Day.
How To Disable Java in Browsers:
How To Disable Java in Google Chrome: enter chrome://plugins/ in location bar (where URL's go, NOTE: you can Bookmark chrome://plugins/ so you don't have to manually type it in future), then click Disable. See http://nakedsecurity.sophos.com/how-to-disable-java-chrome/ for illustrations/screenshots.
How To Disable Java in Firefox: Go to Add Ons (or Tools then Add Ons depending on your OS), click the Add Ons Tab, Disable Java. See http://nakedsecurity.sophos.com/how-to-disable-java-firefox/ for Screenshots.
How To Disable Java on IE (Internet Explorer): I haven't used IE in so many years, I am not going to write anything, just go to http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/ for clear instructions with Screenshots. I think it is easier just to uninstall Java if you're using IE, but I don't trust my memory on IE, because it has been so long since I used it.
How to Disable Java in Safari: Easily done, go to Preferences in Safari, Select Security, Uncheck Java. Again for Screenshots see http://nakedsecurity.sophos.com/how-to-disable-java-safari/
Honestly I recommend leaving it disabled, all my Browsers have had it disabled for a long time, I have not noticed any problems.
I recommend the same for Javascript.
For further reading:
- http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
- http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
- http://nakedsecurity.sophos.com/2013/01/10/protect-yourself-against-latest-java-zero-day-vulnerability-now-maljavajar-b/
- http://www.kb.cert.org/vuls/id/625617
- http://www.livehacking.com/2013/01/11/new-zero-day-java-7-vulnerability-being-exploited-in-the-wild/
Security & Hacking: Stanford's "Real-World Crypto" Workshop
[Updated with link to Day 3]
https://crypto.stanford.edu/RealWorldCrypto/index.php
Bristol Cryptography Blog's coverage:
Iron Squid Ro16 - Day 1
Missed first series (sleeping) T_T event is live as I post this.
When: 1:00 KST/Fri 17:00 CET/Fri 11:00 EST/Fri 8:00 PST
Bo5's:
- HerO vs MKP
- MC vs viOlet
- Mvp vs Goswser
- Leenock vs Life
Streams:
- English Day9 and Kaelaris http://www.twitch.tv/ironsquid
- French Pomf & Thud and O'Gaming Crew http://www.twitch.tv/ogamingtv
Thursday, January 10, 2013
Security & Hacking: "Nokia’s MITM on HTTPS traffic from their phone"
http://gaurangkp.wordpress.com/author/gaurangkp/
This really upsets me, Nokia is totally corrupting the whole point of HTTPS.
I am certainly not going to recommend or even suggest the Lumia phones anymore, security issues matter a lot to me.
That bums me out as well, because I was really looking at the Lumia 920 as second phone, I like the Qi wireless charging, live tiles of Windows 8, etc.
More articles on this story:
- http://thenextweb.com/insider/2013/01/09/nokia-seems-to-be-hijacking-traffic-on-some-of-its-phones-grabbing-your-https-data-unencrypted/
- http://www.extremetech.com/mobile/145373-nokia-caught-decrypting-https-traffic-for-your-own-good
- http://www.zdnet.com/nokia-hijacks-mobile-browser-traffic-decrypts-https-data-7000009655/
Wednesday, January 9, 2013
Security & Hacking: Adobe & Microsoft Update Patches
http://krebsonsecurity.com/2013/01/adobe-microsoft-ship-critical-security-updates/
http://www.livehacking.com/2013/01/09/in-brief-adobe-fixes-at-least-26-security-problems-in-adobe-acrobat-and-adobe-reader/
Short Version: Make sure you're Updated & Patched!
Also, use Firefox with NoScript (Adblock Plus as well is a good idea; you can Whitelist, i.e. allow, sites you want to support or trust) or Chrome (again with Adblock Plus); Chrome has functionality that is similar to NoScript!
Stop using IE unless you're forced to; if you're forced to use IE, set updates to auto AND check updates the second Wednesday (Microsoft issues patches every second Tuesday, but checking Wednesday you generally avoid checking too early in the day, and also usually have a bit faster download speeds).
TLO Streaming SC2
Stream: http://www.twitch.tv/liquidtlo
I really like TLO's Nydus play, and all his creep Shenanigans.
Security & Hacking: Yahoo email
A lot of people have been having problems with Yahoo Email recently http://downrightnow.com/yahoomail
It seems like Yahoo has forced password resets on all recently active email accounts.
Probably because of a renewed surge of Yahoo email hacking or exploits this week; for story(s) about the old XSS vulnerability see this link http://www.scmagazine.com/yahoo-patches-xss-flaw-affecting-mail-users/article/275301/ for more.
But there are, or have been problems with resetting passwords for some.
I have multiple email accounts on various services, Yahoo, Gmail, Hotmail, etc. this lets me test various things, including problems and vulnerabilities.
Yahoo forced reset on my most used account, but it wouldn't let me access email without a workaround, until today.
Even with text message code.
Interestingly enough, one of my never used Yahoo email accounts (I wasn't even sure if it would have been closed down because it was inactive) worked fine with old password, no reset was forced on that account.
I frequently check account activity on my Yahoo email accounts, link here shows how to do so http://help.yahoo.com/kb/index?locale=en_US&y=PROD_ACCT&page=content&id=SLN2073
Though annoyingly default showing is location (of your IP Provider, so don't freak out if it doesn't show your town without further checking).
You have to click on the location tab to select IP address, which is what you really want.
For more information on what an IP address is (TL;DR version: ID number for any device hooked to a network, works like a snail mail address so messages go to the right place) see http://en.wikipedia.org/wiki/IP_address
This site http://www.whatismyip.com/ if you click on it (WOT score for that link https://www.mywot.com/en/scorecard/whatismyip.com) will show you your current IP address, so you can verify email access for Yahoo email via IP address.
Anyway, it really looks like Yahoo took lazy approach to dealing with this problem, I know my yahoo account that had password reset forced on it was not being used by anyone but me.
Because I monitor what IP addresses access it, additionally that account has a very strong password, so if Yahoo passwords get stolen and it is compromised quickly I will know that it wasn't stored with proper encryption at Yahoo.
So there was no suspicious activity on that account, it only ever gets logged into from a single IP Address, and is normally logged into several times a week from that address, can't see how that would trigger any flags.
And my seldom if ever used accounts were not forced to reset passwords.
So it looks to me like Yahoo forced passwords on all active accounts during some time frame, and that is part of the reason why they, and the people that use Yahoo Email, are having so many problems.
The system crashed under the load of people trying to access their accounts, failing, and spamming attempts.
I strongly suggest everyone see Steve Gibson's Haystacks & Needles (Understanding Passwords) for good understanding of strong passwords.
For more posts on Passwords click the Label Passwords, that Label, with selected other ones can be found in the Label cloud at left side of Blog.
There are also Labels at bottom left of every Blog post.
For Pen Testers and such I suggest one of these Labels:
Tuesday, January 8, 2013
Pew Pew "Lasers from Space"
Now on Earth http://www.technologyreview.com/view/509586/physicists-demonstrate-first-laser-made-from-a-cloud-of-gas/
For more on the naturally occurring Lasers see NASA link http://www.nasa.gov/home/hqnews/1995/95-148.txt
Really Cool!
Science is so much stranger than Fiction!
Security & Hacking "Snorby"
Snorby link: https://cloud.snorby.org/#/
I would suggest starting with the TaoSecurity article, where I found this myself, http://taosecurity.blogspot.com/2013/01/welcome-to-network-security-monitoring.html
I also strongly recommend TaoSecurity itself as very good resource.
Big Brother (DHS) & You
http://www.schneier.com/blog/archives/2013/01/dhs_gets_to_spy.html
So little Data Privacy, wonder how long it will take for this trend to change.
I am pretty sure it will change, though perhaps not in the way I would like.
Monday, January 7, 2013
CES Coverage resources
I will put several links for live blogs, streams, etc for CES 2013 on this blog post.
Will update throughout the week.
CES Links:
PC Perspective main site http://www.pcper.com/ & live link http://www.pcper.com/live/
ComputerWorld http://www.computerworld.com/s/article/9234982/Complete_coverage_CES_2013
AnandTech main page note Pipeline section at right side http://www.anandtech.com/
Brian Klug's CES bag http://www.anandtech.com/show/6545/ces-gear-whats-in-my-bag
Vivek Gowri's CES Bag http://www.anandtech.com/show/6556/ces-gear-whats-in-viveks-bag
"AT&T Developers Summit Keynote" Live Blog http://www.anandtech.com/show/6560/att-2013-developer-summit-keynote-live-blog
Android Police main site http://www.androidpolice.com/
Daily Tech http://www.dailytech.com/
PC Mag http://www.pcmag.com/CES/
CNet CES http://ces.cnet.com/
Ars CES Gear http://arstechnica.com/gadgets/2013/01/ars-ces-gear-its-totally-my-bag-baby/
Things from CES I like (some neat, some useful, some both):
- Fuel Cell from Lilliputian Nectar Mobile Power System, PC Perspective link, Wiki entry on Fuel Cells, TL DR version of fuel cells="functions like a battery that has indefinite shelf life." Good for Urgent or emergency power.
- Storage Visions - The Panasonic DataArchiver - 108TB of Blu-Ray Archival Storage in a 6U Chassis. I have no need for this, but think it is cool.
- Lenovo Gaming Laptop with SLI! http://www.anandtech.com/show/6583/lenovo-ideapad-y400y500-gaming-notebooks-with-sli
- Razer Edge Pro Gaming Tablet i7 CPU, NVIDIA GT 640M LE GPU http://www.razerzone.com/gaming-systems/razer-edge-pro
- Kingston DataTraveler HyperX Predator 1 TB USB 3.0 Flashdrive! http://www.maximumpc.com/article/news/ces_2013_kingston_wields_1tb_usb_flash_drive_video
- TYLT Vu (cool better designed wireless charger Qi standard) http://www.androidpolice.com/2013/01/08/ces-2013-the-first-thing-at-ces-i-actually-want-the-tylt-vu-a-wireless-qi-charger-that-actually-works/
- Mushkin's High Performance Ventura Ultra USB 3.0 stick http://www.anandtech.com/show/6606/muskins-high-performance-ventura-ultra-sf2281-usb-30-stick
- Dropbox will be included on all Samsung Phones http://www.computerworld.com/s/article/9235500/Dropbox_to_be_included_on_all_Samsung_flagship_phones_and_camera
Sunday, January 6, 2013
Random Wikipedia of the Day (RWotD): Illegal Number
http://en.wikipedia.org/wiki/Illegal_number
Illegal Numbers.
Odd the things you can learn from Wikipedia.
Nerd Jobs: "The Ph. D. Grind"
http://www.pgbovine.net/PhD-memoir.htm
If you're interested in a Nerd or Gaming type job, you should spend the time to read this memoir.
Describes one path to that type of work.
I suggest you start at link above, but for the TL DR people:
- HTML http://www.pgbovine.net/PhD-memoir-prologue.htm
- PDF http://www.pgbovine.net/PhD-memoir/pguo-PhD-grind.pdf
- Mobi book version (will work with Kindle as well, Kindle is basically Mobi with DRM added) http://www.pgbovine.net/PhD-memoir/pguo-PhD-grind.mobi
- EPUB version http://www.pgbovine.net/PhD-memoir/pguo-PhD-grind.epub
Nerd News: Amount of Internet Archived
http://www.technologyreview.com/view/509411/computer-scientists-measure-how-much-of-the-web-is-archived/
I find this general topic of interest, since I consider myself to be primarily a mix of Research Librarian & Writer. One of my goals with this blog is to provide an information resource to gamers.
Though a lot of people don't realize it, the skills and resources needed to find strats for games or answers to computer problems are the type of thing a good Librarian could help you with, since at the core, they are really about finding and organizing data.
For more on LIS (Library Information Science):
- http://en.wikipedia.org/wiki/Library_and_information_science
- http://en.wikipedia.org/wiki/Library_science
TLO is streaming some awesome SC2
Stream: http://www.twitch.tv/liquidtlo
He is playing a great game vs a Terran atm, using Nydus like I think all Zerg should to help deal with Broodlord immobility.
Thursday, January 3, 2013
Security & Hacking: "Emergence of state-sponsored malware and targeted attacks as major factors"
https://threatpost.com/en_us/blogs/2012-what-have-we-learned-010213
Also, one of the things I am concerned about, is that because things like Stuxnet & Flame became public, the more common criminal Hackers will certainly be able to use many of the sophisticated techniques employed by those State sponsored Cyber attacks.
They will then package it into things like the Blackhole Exploit kit, so anyone that is willing to spend the money will be able to use those very powerful hacking tools.
It will trickle down so that eventually even Script Kiddies will have the tools they need to cause significant damage to businesses, utilities, etc.