
General Musing

blaze your trail

Posts Tagged ‘security’

Scandalous Insights


LinkedIn says in their blog: We are working hard to protect you, but there are also steps that you can take to protect yourself, such as:

  • Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
  • Do not use the same password for multiple sites or accounts.
  • Create a strong password for your account, one that includes letters, numbers, and other characters.
  • Watch out for phishing emails and spam emails requesting personal or sensitive information.

LinkedIn, you can make it easier for your users to perform these tasks: you could auto-expire passwords, show a strength indicator, and even verify with other sites that they don’t use the same password by logging in with the credentials given. You could also implement SPF, DKIM, etc. correctly so that your mail is easier to tell apart from phishing. You don’t implement this security, for UX and marketing reasons: implementing it would stop your users from being able to use your site as smoothly.

You don’t. Instead you piss on your less tech-savvy customers and place part of the blame on them. I’ve offered multiple times to come and help you fix your stuff, for free.

I’m sorry that you are idiots! And my offer still stands.

Taking Steps To Protect Our Members


Written by Daniël W. Crompton (webhat)

June 8, 2012 at 6:56 pm

Password Leak June

Today for you in Password Leak June: Last.fm

After earlier news that LinkedIn and others leaked passwords this week, the Last.fm marketers must have been wondering how they too could increase brand awareness.

Clearly this is a new meme, so much safer than planking. I will be skipping it, though, as I like to have halfway decent software as a starting point.

Adrianus Warmenhoven
And now Last.fm has leaked passwords:

http://www.last.fm/passwordsecurity

Last.fm Password Security Update – Last.fm


Written by Daniël W. Crompton (webhat)

June 8, 2012 at 3:28 pm

Posted in Uncategorized


Advantage of Saved Passwords


The only password you ever need to remember is the password for your mail account, so use complex passwords you can’t remember and have them saved by your browser, preferably with a master password on your browser’s password store. When your computer crashes it doesn’t matter, as you can simply reset your password for the service, as long as you remember to remember your mail password.

Chrome
Firefox


Written by Daniël W. Crompton (webhat)

June 8, 2012 at 1:51 pm

Posted in Uncategorized


Unsalted Hashes? Argghh!

And “The unsalted hashes use SHA-1 encryption, and while it is somewhat secure, it can still be cracked if the user employs a simple dictionary password.”

I do not agree at all with the ‘somewhat secure’, as they are not even SALTED… that means all the dictionary possibilities have already been done.

Read Adrianus Warmenhoven’s post: WHY NOT EVER EVER TO USE MD5 OR SHA1 TO HASH PASSWORDS:
http://www.warmenhoven.co/2012/03/06/do-not-use-md5-or-sha1-to-simply-hash-db-passwords/
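As an added example (not code from this post or from Adrianus Warmenhoven’s), the Python below shows what “not even salted” means in practice. The user list, dictionary and “leaked” hashes are constructed; a real dump and a real word list are vastly larger, which only makes the point stronger. One precomputed table of SHA-1 hashes is reusable against every unsalted dump ever leaked, a per-user salt forces a fresh dictionary pass per user, and a slow hash like PBKDF2 makes each of those guesses expensive.

```python
"""Dictionary attack against unsalted SHA-1, beside salted SHA-1 and PBKDF2.
Constructed example: the users, dictionary and 'leaked' hashes are made up."""
import hashlib
import hmac
import os

# Constructed dictionary; real word lists run to hundreds of millions of entries.
DICTIONARY = ["password", "linkedin", "123456", "letmein", "qwerty", "dragon"]


def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once. Against unsalted hashes this table is reusable
    for every user in every dump, which is what makes 'not even salted' so bad."""
    return {sha1_unsalted(w): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """One dictionary lookup per hash; the cost barely grows with the number of users."""
    return {h: table[h] for h in leaked_hashes if h in table}


def sha1_salted(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted(records, words):
    """records are (salt, hash) pairs. A per-user salt defeats the shared table:
    every user costs a fresh pass over the dictionary. Returns (cracked, hash attempts)."""
    cracked, attempts = {}, 0
    for salt, h in records:
        for w in words:
            attempts += 1
            if sha1_salted(w, salt) == h:
                cracked[h] = w
                break
    return cracked, attempts


def pbkdf2_store(password: str, iterations: int = 100_000) -> tuple[bytes, bytes]:
    """What a site should store instead: a random salt plus a deliberately slow hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def demo():
    # Constructed 'leaked database': two dictionary passwords and one strong one.
    users = {"alice": "password", "bob": "linkedin", "carol": "S3cr3t!zz-not-in-any-list"}

    # Unsalted SHA-1 dump: one precomputed table cracks every dictionary password at once.
    table = build_lookup_table(DICTIONARY)
    unsalted_dump = [sha1_unsalted(pw) for pw in users.values()]
    cracked_unsalted = crack_unsalted(unsalted_dump, table)

    # Same passwords stored as salted SHA-1: the table is useless, each user costs a pass.
    salted_dump = []
    for pw in users.values():
        salt = os.urandom(16)
        salted_dump.append((salt, sha1_salted(pw, salt)))
    cracked_salted, attempts = crack_salted(salted_dump, DICTIONARY)

    return {
        "unsalted_cracked": sorted(cracked_unsalted.values()),
        "salted_cracked": sorted(cracked_salted.values()),
        "salted_attempts": attempts,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the salt does and does not buy: the two dictionary passwords are still cracked in the salted case, but only after nine separate hash computations for three users instead of three table lookups, and the work scales with users times dictionary size. Salting alone does not rescue a weak password; the slow, salted PBKDF2 (or bcrypt/scrypt) store is what turns each guess from nanoseconds into tens of milliseconds.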

glyn moody
Bad day for #LinkedIn: 6.5 million hashed passwords reportedly leaked – change yours now – http://tnw.co/Md9yBq whoops

Already in the spotlight over concerns that its iOS app collects full meeting notes and details from a device’s calendar and sends them back to the company in plain text, LinkedIn …


Written by Daniël W. Crompton (webhat)

June 8, 2012 at 2:06 am

Posted in Uncategorized


How to not take down a botnet by a Law Abiding Citizen #security


Hi all,

I’ve spent some time over the last few days getting to know the Sality botnet, which is estimated to have at least one million peers. It was ranked by Symantec as the number one malicious code family in 2010 by number of endpoint detections, and has been used to push spam, steal passwords, crack SIP accounts, and various other nasty things.

It has come to my attention that it is not only possible but easy to seize control of version three of the botnet, and, more importantly, take it down. Sadly, doing so would require breaking the law. For this reason, I have to request that nobody perform the steps I am about to describe. You can find all the files mentioned below in this archive (password: sality):

http://www7.zippyshare.com/d/65744138/9360/byesality.zip

Firstly, you should not use SQL injection to exploit this site: http://www.capesolution.com/login/login.aspx . Furthermore, you should not upload an encrypted version of the AVG Sality removal utility to /images/logo/logof.jpeg . Finally, you should under no circumstance laugh maniacally as you watch a sizable botnet disintegrate before your eyes.

Although it shouldn’t matter to anyone, this URL won’t stay active for long. When the authors of Sality remove this particular URL, or if that SQL injection turns out to be difficult to leverage, you should definitely not try to replace one of these files:

  • h ttp://yaylaozu.com/images/logo.gif
  • h ttp://destekegitim.com/images/logo.gif
  • h ttp://dav14gurgaon.org/images/logo.gif
  • h ttp://dersrehberi.com/images/logo.gif
  • h ttp://cisse.com.tr/images/logo.gif
  • h ttp://cbe.com.vn/images/logo.gif

You should also *never* use the provided Python script to get an updated list of targets from the P2P network.

Obviously this could be misused by unscrupulous individuals. For this reason, I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out. The payload is not malicious, but you don’t have to take my word for it. One can check it out in a VM via the provided Sality sample by simply using fakedns and thttpd to serve up the file to the virus, or by running/unpacking the provided original.

Thanks for taking the time to read this. I might release more notes on various other pieces of Sality fun if and when the botnet is shut down, but alas, this day may never come. It is unfortunate that I am unable to do so now due to these legal issues, but, as I’m sure you all know, it is more important to respect the law than to fix anything.

Sincerely,
A Law Abiding Citizen

Written by Daniël W. Crompton (webhat)

March 27, 2012 at 2:22 pm

Posted in Uncategorized


6 Months of Security Links #2011


I’m a regular curator of daily links, and like to give overviews of my collection of curated links and posts. This is partly because there are some good sources and articles in here, and partly because I am working on a research project which I started based on a number of books I read.

I’m sure you’ll find something interesting in the items below (there are some gems in the list), and I dare hazard a guess that you might learn something you wanted to know. 🙂


Written by Daniël W. Crompton (webhat)

July 15, 2011 at 4:10 pm

Posted in tagging


OCSP Troubles #security #x509 #certificate #revoke


A company was having intermittent trouble with their new authenticated SSL. It wasn’t that they had trouble with the certificates themselves, which came from a large international CA, or with the authentication as such. There was a bug which caused the OCSP check on some certificates to fail, and once it had failed the first time for a certificate it would keep failing for that certificate until the application server had been restarted. As this was a mission-critical application for their customers between 8am and 6pm, they had taken to restarting the servers at 7am to ensure there would be fewer issues during the day. This was obviously not a permanent solution, so the vendor was called in to fix the issue.
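The post does not say what the vendor’s bug turned out to be, so the Python below is an added illustration, not the vendor’s code or the actual root cause. It models the symptom described above: an OCSP status cache that stores whatever the responder returned, errors included, so the first failed check for a certificate is replayed from the cache until the process restarts. Beside it is the pattern that avoids the problem: only definitive answers (“good”/“revoked”) are cached, and only until their `nextUpdate`; a transient error is never stored, so the next check asks the responder again. The responder, the response type and the serial number are constructed stand-ins, not a real OCSP client.

```python
"""An OCSP result cache that makes a transient failure sticky, beside one that
only caches definitive answers. Constructed example; the responder, response
type and serial are stand-ins, not a real OCSP client."""
from dataclasses import dataclass


@dataclass
class OcspResponse:
    status: str         # "good", "revoked", or "error" (tryLater, timeout, unparsable reply)
    next_update: float  # time after which a definitive answer must be re-fetched


class FlakyResponder:
    """Constructed stand-in for a responder that errors the first N queries for a serial."""

    def __init__(self, failures_before_success):
        self.failures_left = dict(failures_before_success)
        self.queries = 0

    def query(self, serial, now):
        self.queries += 1
        left = self.failures_left.get(serial, 0)
        if left > 0:
            self.failures_left[serial] = left - 1
            return OcspResponse("error", now)        # carries no information about the cert
        return OcspResponse("good", now + 3600.0)    # definitive answer, valid for an hour


class StickyFailureCache:
    """Anti-pattern: remembers whatever came back, errors included, for the life of
    the process. One failed check for a serial is replayed until a restart."""

    def __init__(self, responder):
        self.responder = responder
        self.cache = {}

    def is_good(self, serial, now):
        if serial not in self.cache:
            self.cache[serial] = self.responder.query(serial, now)
        return self.cache[serial].status == "good"


class DefinitiveOnlyCache:
    """Caches 'good'/'revoked' until next_update; an error is never stored, so the
    next check queries the responder again instead of replaying the failure."""

    def __init__(self, responder):
        self.responder = responder
        self.cache = {}

    def is_good(self, serial, now):
        resp = self.cache.get(serial)
        if resp is None or now >= resp.next_update:
            resp = self.responder.query(serial, now)
            if resp.status in ("good", "revoked"):
                self.cache[serial] = resp
            else:
                self.cache.pop(serial, None)  # drop any stale entry; do not cache the error
        # Fail closed on an error this time round, but the next check will retry.
        return resp.status == "good"


def simulate(cache_cls, failures=1, checks=3):
    """Run `checks` consecutive checks of one serial through `cache_cls`; the responder
    errors `failures` times before answering. Returns (per-check results, responder queries)."""
    responder = FlakyResponder({"0xA1": failures})
    cache = cache_cls(responder)
    results = [cache.is_good("0xA1", now=float(i)) for i in range(checks)]
    return results, responder.queries


if __name__ == "__main__":
    print("sticky    :", simulate(StickyFailureCache))   # one error, then replayed forever
    print("definitive:", simulate(DefinitiveOnlyCache))  # error retried, then 'good' cached
```

Whether an OCSP error should block the handshake at all (hard-fail) or let it through (soft-fail) is a separate policy decision; the example fails closed, which matches the outage described, but the point is independent of that choice: an error response tells you nothing about the certificate, so it must not be cached as if it did.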


Written by Daniël W. Crompton (webhat)

June 23, 2011 at 7:05 am
