Brontoforumus Archive

This board has been fossilized.
You are reading an archive of Brontoforumus, a.k.a. The Worst Forums Ever, from 2008 to early 2014.  Registration and posting (for most members) has been disabled here to discourage spambots from taking over.  Old members can still log in to view boards, PMs, etc.

The new message board is at http://brontoforum.us.


Author Topic: Computer security  (Read 24670 times)


Thad

Re: Computer security
« Reply #180 on: August 28, 2012, 08:48:17 AM »

More from Ars: cracking wifi passwords.

Quote
Using the Silica wireless hacking tool sold by penetration-testing software provider Immunity for $2,500 a year, I had no trouble capturing a handshake established between a Netgear WGR617 wireless router and my MacBook Pro. Indeed, using freely available programs like Aircrack-ng to send deauth frames and capture the handshake isn't difficult. The nice thing about Silica is that it allowed me to pull off the hack with a single click of my mouse. In less than 90 seconds I had possession of the handshakes for the two networks in a "pcap" (that's short for packet capture) file. My Mac never showed any sign it had lost connectivity with the access points.

I then uploaded the pcap files to CloudCracker, a software-as-a-service website that charges $17 to check a WiFi password against about 604 million possible words. Within seconds both "secretpassword" and "tobeornottobe" were cracked. A special WPA mode built into the freely available oclHashcat Plus password cracker retrieved the passcodes with similar ease.

Usual rules apply: this doesn't work on truly random passwords, or passphrases of randomly-combined words.

Rico

Re: Computer security
« Reply #181 on: August 28, 2012, 09:18:20 AM »

I had to crack my house's wifi a while back when no one could remember the exact capitalization/punctuation of our passphrase but the guy who had set up the routers was too lazy to factory reset and set everything back up. Out of curiosity I just used a normal dictionary and not a small custom one with what we mostly knew the passphrase to be, and it was easy and quick even with a somewhat out-of-date GPU.

I should really retry it on our current setup to see how much time a better passphrase adds to the process.

Thad

Re: Computer security
« Reply #182 on: August 30, 2012, 07:29:56 AM »

Aaaand Oracle's known about the Java vulns since April.

Honestly, why the fuck did they even buy Sun?


...oh right.  Patents.

Thad

Re: Computer security
« Reply #183 on: August 30, 2012, 11:29:41 AM »

Patched.  Update your Java, kids.

Thad

Re: Computer security
« Reply #184 on: August 31, 2012, 10:55:58 AM »

So, okay.  To review:

Oracle hears about critical vuln in April.  Releases patch in June that does not fix said critical vuln.

Zero-day attack discovered this week.  Oracle does not speak to the press or even acknowledge that such an attack exists, but finally pushes out a fix yesterday.

I'm guessing by now nobody is going to be remotely surprised that the fix also has a critical vuln.

Mongrel

Re: Computer security
« Reply #185 on: September 03, 2012, 05:03:07 PM »

I'm not 100% sure, but they might have just patched the patch. My Java just prompted me with a new update.

Thad

Re: Computer security
« Reply #186 on: September 04, 2012, 02:27:32 PM »

UPEK fingerprint reader software exposes Windows passwords.

Granted, it requires physical access to the computer, and it's a generally accepted truth that if an attacker has physical access to your computer you're already fucked.  But still and all, it's a monumental fuckup.

Quote
The UPEK Protector Suite, which was acquired by Melbourne, Florida-based Authentec two years ago, is marketed as a secure means for logging into Windows computers using an owner's unique fingerprint, rather than a user-memorized password. In reality, using the software makes users less secure than they otherwise would be. When activated, the software writes Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. Once the key has been acquired, it takes seconds to decrypt the password.

"After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted," said an advisory issued by Elcomsoft, a Russia-based developer of password-cracking software. "Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon."

When Protector Suite isn't activated, Windows doesn't store account passwords unless users have specifically configured an account to automatically log in. Security experts have long counseled people not to use automatic login.

Thad

Re: Computer security
« Reply #187 on: September 05, 2012, 03:00:49 PM »

Cylink’s Justin Clarke has tagged another SCADA maker for default insecurity, discovering a hidden factory account – complete with hard-coded password – in switch management software made by Belden-owned GarrettCom.

[...]

Since GarrettCom claims “75 percent of the top 100 power utilities in North America” among its customers, the patch might be regarded as important.

ffffffffffffffFFFFFFFFFFFFFFF

TA

Re: Computer security
« Reply #188 on: September 05, 2012, 03:06:07 PM »

Do you understand how terrifying the words “vibrating strap on” are for an asexual? That’s like saying “the holocaust” to a Jew.

Thad

Re: Computer security
« Reply #189 on: September 07, 2012, 10:51:32 AM »

Anybody else in IT?

Shit's about to get busy: this Patch Tuesday, Windows is going to start enforcing 1024-bit SSL keys.  That's every supported version, meaning anything from XPSP3 on.

Quote
For starters, once the patch is applied Internet Explorer will block access to SSL websites that use certificates with keys less than 1024 bits long. Similarly, Outlook 2010 will not be able to connect to an Exchange Server that uses a key that's too short, and it will no longer be able to encrypt or digitally sign mail using such keys. Applications and ActiveX controls that were signed with less than 1024 bit signatures may not install correctly, either, among other potential problems.

This is -- like sunsetting IE6 -- a good thing but one that will break a bunch of shit in the enterprise.
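As an added example (not code from the thread, Microsoft, or Ars): a small Python checker, with no third-party libraries, that reads a DER-encoded PKCS#1 RSAPublicKey and reports whether the modulus meets the 1024-bit minimum the update above enforces, which is the kind of inventory check an admin would run over exported certificates before Patch Tuesday. The two sample keys are constructed in the code from fixed moduli and are not real keys.

```python
# Added example (not from the thread): report RSA public keys whose modulus is
# shorter than the 1024-bit minimum the Windows update above enforces.
# Input: DER PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }

MIN_BITS = 1024  # threshold applied by the update discussed above


def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes


def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER RSAPublicKey."""
    if der[0] != 0x30:                     # outer SEQUENCE
        raise ValueError("not a SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:                     # first element: INTEGER modulus
        raise ValueError("expected INTEGER modulus")
    n_len, i = _der_len(der, i + 1)
    # DER INTEGERs are big-endian two's complement; a positive modulus may carry
    # one leading 0x00, which does not affect the computed bit length.
    return int.from_bytes(der[i:i + n_len], "big").bit_length()


def key_allowed(der, min_bits=MIN_BITS):
    """True if the key would still be accepted after the update."""
    return rsa_modulus_bits(der) >= min_bits


# --- helpers to build constructed sample keys (not real keys) ---
def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(value):
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps sign bit clear
    return b"\x02" + _der_len_enc(len(body)) + body


def make_rsa_public_key(modulus, exponent=65537):
    body = _der_int(modulus) + _der_int(exponent)
    return b"\x30" + _der_len_enc(len(body)) + body


WEAK_KEY = make_rsa_public_key((1 << 511) | 1)    # constructed 512-bit modulus
OK_KEY = make_rsa_public_key((1 << 2047) | 1)     # constructed 2048-bit modulus
```

`key_allowed(WEAK_KEY)` is False and `key_allowed(OK_KEY)` is True; a 1023-bit modulus also fails, since the rule is a strict minimum of 1024.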

Kayma

Re: Computer security
« Reply #190 on: September 08, 2012, 08:14:09 AM »

Would have been scared if they were enforcing 2048, but I think we might maybe be OK on this.

(Having said that, obviously this will end up being a nightmare)

Thad

Re: Computer security
« Reply #191 on: September 13, 2012, 09:12:55 AM »

Ars: Crack in Internet's foundation of trust allows HTTPS session hijacking

Quote
The technique exploits web sessions protected by the Secure Sockets Layer and Transport Layer Security protocols when they use one of two data-compression schemes designed to reduce network congestion or the time it takes for webpages to load. Short for Compression Ratio Info-leak Made Easy, CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable.

Kayma

Re: Computer security
« Reply #192 on: September 13, 2012, 03:31:26 PM »

Quote
"It's not something that some hackers are going to do when you're sitting in Starbucks. It's really something that Iran is going to do to try to find dissidents or China is going to do for the same reason. And it's a big deal because of that, especially if Google and Twitter are the ones who are vulnerable.

Those are scary implications. At least the vulnerability can, apparently, be patched out.

Thad

Re: Computer security
« Reply #193 on: September 17, 2012, 10:31:57 AM »

Zero-day vuln in IE; so far being exploited on IE7 and 8 under WinXP, but tests suggest IE9 under Vista/7 is vulnerable too.

No patch but apparently upgrading Java to version 7 helps.  Ideally, don't use IE unless you have to, but I'm guessing most of us here already don't use IE unless we have to.

Thad

Re: Computer security
« Reply #194 on: September 25, 2012, 08:08:28 AM »

Samsung's dialing protocol allows arbitrary access to some system features, including factory reset.  This can be exploited trivially, by link, text, or QR code.

Quote
The tel protocol is generally used with phone numbers to provide clickable "call me" links on websites: tapping on the hyperlink in the handset's web browser opens up the dialling software and calls the number contained in the link. Such calls aren't made until the fandroid presses a "dial" button, so security is maintained - but some numbers don't require "dial" to be pressed, and it's those which are exploited in this attack.

The best example of an executing number - aka an unstructured supplementary service data message - is *#06#: enter that into just about any GSM phone and it will display the IMEI, the device's serial number. But, importantly, it will do that without one pressing the "dial" button.

That's benign, but try entering *2767*3855# on a Samsung Galaxy S3 and you'll be rewarded with an impossible-to-cancel factory reset before you can say shudda-bought-an-iPhone.

The good news is this should be trivial to patch -- just require a Dial press for system feature access, even if nothing's actually being dialed.

But in the meantime, if you've got a Samsung phone you may want to back up your shit just in case.  As the article notes it's not a particularly likely target for widespread attacks since the days of purely-destructive computer attacks are largely behind us, but just in case...
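As an added example (not code from the thread, Samsung, or The Register): a Python classifier for tel: links that implements the fix suggested above. A link is handed straight to the dialer only if it is a plain phone number; anything containing '*' or '#' (MMI/USSD style, like the *#06# IMEI code quoted above) is held for an explicit Dial press. It decodes %-escapes before checking, since the filter must see the same string the dialer would. The function names and the "dial"/"mmi"/"reject" labels are this example's own and assume nothing about a real handset API.

```python
# Added example (not from the thread): gate tel: links before they reach the
# dialer, so that MMI/USSD-style codes never execute on entry without a Dial press.
import re
from urllib.parse import unquote

PLAIN_NUMBER = re.compile(r"^\+?[0-9]+$")   # digits with an optional leading '+'


def parse_tel(uri):
    """Return the dial string from a tel: URI with %-escapes decoded (so %23 -> '#')
    and visual separators removed. Raises ValueError for non-tel: URIs."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "tel":
        raise ValueError("not a tel: URI")
    dial = rest.split(";", 1)[0]        # drop RFC 3966 parameters such as ;phone-context=
    dial = unquote(dial)                # decode first: the check must see what the dialer sees
    return re.sub(r"[-.() ]", "", dial)


def classify_tel(uri):
    """'dial'   -> plain number: safe to place in the dialer, call on Dial press
       'mmi'    -> contains '*' or '#': may execute on entry, so require explicit confirmation
       'reject' -> not a usable tel: link"""
    try:
        dial = parse_tel(uri)
    except ValueError:
        return "reject"
    if PLAIN_NUMBER.match(dial):
        return "dial"
    if "*" in dial or "#" in dial:
        return "mmi"
    return "reject"


# Constructed sample links for demonstration
SAMPLES = [
    "tel:+1-555-0100",      # ordinary "call me" link
    "tel:*#06#",            # IMEI display code quoted above: harmless, but executes on entry
    "tel:*%2306%23",        # same code with '#' percent-encoded: decoded before the check
    "http://example.com",   # not a tel: link at all
]
```

Run `[classify_tel(s) for s in SAMPLES]` to see the verdicts: `['dial', 'mmi', 'mmi', 'reject']`.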

Thad

Re: Computer security
« Reply #195 on: September 25, 2012, 02:02:06 PM »

IEEE exposes 100000 passwords stored in fucking cleartext.

Quote
"It is certainly unfortunate this information was leaked out, and who knows who got it before it got fixed," Dragusin wrote. Elsewhere in the post he said: "If leaving an FTP directory containing 100GB worth of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome."

The exposure is problematic because it could provide outsiders with a candid view of the password choices of some of the world's most influential software and hardware engineers. Many Internet users employ the same or a similar password for multiple accounts, with the average person using just 6.5 passcodes to access 25 separate accounts, according to one landmark study. While there are no public reports of the data circulating on the Internet, many password crackers prefer to keep their password lists a closely guarded secret, so there's no guarantee the information isn't already being used to compromise IEEE members.

There are plenty of fucking dumb passwords in there, but this is a reminder that even if you've got a really good password you shouldn't reuse it, because one of the sites you use it on could be run by complete fucking incompetents.  Like, you know, the world's largest professional organization for computer engineers.

I wrote some thoughts on password wallets over in the Android thread.  If you're not using one, start.

Brentai

Re: Computer security
« Reply #196 on: September 25, 2012, 02:07:27 PM »

I joined IEEE literally last month.

For fuck's SAKES.

JDigital

Re: Computer security
« Reply #197 on: September 26, 2012, 05:15:13 AM »

Quote
Many Internet users employ the same or a similar password for multiple accounts, with the average person using just 6.5 passcodes to access 25 separate accounts, according to one landmark study.

If you ask me, it's more like 1 password for over 100 accounts.


Thad

Re: Computer security
« Reply #198 on: October 11, 2012, 01:01:07 PM »

Hope you didn't upgrade to Firefox 16 yesterday, because it's got a vuln that allows sites to access your browsing history.  It's been pulled; a fix should be up soon.

Ziiro

Re: Computer security
« Reply #199 on: October 11, 2012, 02:40:27 PM »

So in the process of checking if mine had updated in help -> about, it downloaded an update.

Now running 16.1.

 :rage:

edit: on that note, chrome installed and running now. Might as well give it a try.