Aug 29, 2012

Last week’s feature explaining why passwords are under assault like never before touched a nerve with many Ars readers, and with good reason. After all, passwords are the keys that secure Web-based bank accounts, sensitive e-mail services, and virtually every other facet of our online life. Lose control of the wrong password and it may only be a matter of time until the rest of our digital assets fall, too.

Take, for example, the hundreds of millions of WiFi networks in use all over the world. If they’re like the ones within range of my office, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware menus and techniques that have become readily available over the past five years. What I found wasn’t encouraging.

First, the good news. WPA and WPA2 use an extremely robust password-storage regimen that significantly slows the speed of automated cracking programs. By using the PBKDF2 key derivation function along with 4,096 iterations of SHA1 cryptographic hashing algorithm, attacks that took minutes to run against the recent LinkedIn and eHarmony password dumps of June would require days or even weeks or months to complete against the WiFi encryption scheme.

What’s more, WPA and WPA2 passwords require a minimum of eight characters, eliminating the possibility that users will pick shorter passphrases that could be brute forced in more manageable timeframes. WPA and WPA2 also use a network’s SSID as salt, ensuring that hackers can’t effectively use precomputed tables to crack the code.

That’s not to say wireless password cracks can’t be accomplished with ease, as I learned firsthand.

MORE: How I cracked my neighbor’s WiFi password without breaking a sweat | Ars Technica.
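The key-stretching regimen the excerpt describes (PBKDF2-HMAC-SHA1, 4,096 iterations, SSID as salt, 256-bit output) is exactly how WPA/WPA2-Personal derives its Pairwise Master Key, and it can be reproduced with the standard library. The block below is an added example, not code from the Ars article; it checks the PMK against the IEEE 802.11i published test vector, shows why the SSID salt defeats a single precomputed table, and counts the HMAC work each password guess costs.

```python
import hashlib

ITERATIONS = 4096   # fixed by the WPA/WPA2 standard
PMK_LEN = 32        # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID).

    The standard restricts the passphrase to 8..63 printable ASCII
    characters, which is the minimum-length rule the excerpt mentions.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        ITERATIONS, PMK_LEN,
    )


def hmac_calls_per_guess() -> int:
    """PBKDF2 emits one SHA1 digest (20 bytes) per block; a 32-byte PMK
    needs two blocks, each costing ITERATIONS HMAC-SHA1 evaluations.
    This is the per-candidate cost a cracking tool must pay."""
    block_size = hashlib.sha1().digest_size
    blocks = -(-PMK_LEN // block_size)   # ceiling division
    return blocks * ITERATIONS


def salted_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs,
    i.e. a rainbow table built for one network is useless on another."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H.4 (passphrase/SSID).
    print(derive_pmk("password", "IEEE").hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())
    print("salt matters:", salted_by_ssid("password", "IEEE", "linksys"))
```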


Aug 27, 2012

A vulnerability in the latest version of Oracle’s Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.

The flaw in Java version 1.7 was reported on Sunday afternoon by FireEye security researcher Atif Mushtaq. A separate post published on Monday by researchers Andre M. DiMino and Mila Parkour said the number of attacks, which appear to install the Poison Ivy Remote Access Trojan, were low. But they went on to note that the typical delay in issuing Java patches, combined with the circulation of exploit code, meant it was only a matter of time until the vulnerability is exploited more widely by other attackers.

Members of Rapid7, the security company that helps maintain the open-source Metasploit exploit framework used by penetration testers and hackers, said they have already developed an exploit that works against Windows 7. They are in the process of testing it against the Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome browsers running on other operating systems, including Ubuntu Linux 10.04 and Windows XP. They went on to suggest that users should disable Java until a patch plugging the gaping hole is released.

“As a user, you should take this problem seriously, because there is currently no patch from Oracle,” a Rapid7 exploit developer wrote in a blog post. “For now, our recommendation is to completely disable Java until a fix is available.”

MORE: Critical flaw under active attack prompts calls to disable Java | Ars Technica.


Aug 13, 2012

McAfee Social Protection doesn’t force you to make a blanket restriction the way Facebook’s privacy settings do, so you can block your office manager from seeing those pictures of you dancing drunk at a bar in Cabo, while letting them see all of the nice pictures of your family and pets. If they try to see a picture that’s blocked, all they’ll get is a blurry pixelated version that reveals nothing.

Even if you are one of the chosen few who gets to see a picture, McAfee claims that the app will make it impossible to download, even using print screen or other common workarounds. Still, if you’re really desperate, I guess they can’t stop you from taking a picture of the screen with a camera.

MORE: App stops creepy stalkers from stealing your Facebook pictures | DVICE.


Aug 6, 2012

Apple has removed any reference to Safari for Windows from its website, and is more or less acting like it never happened.

Safari for Windows made its way onto millions of PCs using the iTunes auto-update system, and you’d be hard pressed to find a single fan among those they duped into downloading it. As a WebKit-equipped browser it wasn’t the worst option for Windows users at the time, but it also didn’t offer any distinct advantages. Today Safari 5 users on Windows are stuck using an outdated browser, and naturally, aren’t warned that they are vulnerable to at least 121 unpatched flaws. According to Apple’s own documentation these flaws can expose users to attack by malicious code execution, and are quite serious in nature.

MORE: Maximum PC | Safari For Windows is Abandoned By Apple, Leaving Users Vulnerable With No Warning.


Apr 5, 2012

Aside from plug-ins there are a number of additions you can make to your .htaccess file which, in conjunction with plug-ins and regular updates, will tighten up your site’s security and give you that extra level of protection. I’m going to cover a few of these that I feel protect some of the essentials in your WordPress install and show you how and where to add the code snippets; you don’t have to use every single one, just whatever you feel would help you secure your site.


via Protect your WordPress site with .htaccess | Tutorial | .net magazine.


Oct 12, 2011

When illegal downloaders illegally downloaded an illegal copy of the illegal Deus Ex: Human Revolution beta, they illegally enjoyed themselves for the first few illegal levels before the game was all like, “lol j/k” and kicked them out to a Web-based form that started asking them all kinds of probing questions about their illegal activities, courtesy of a startup anti-piracy firm called Anti-Piracy Strategies.

The strangest part, though, was that 90% of the victims actually went and filled out the questionnaire rather than ripping their ethernet cords out of the wall, encasing their hard drives in blocks of concrete, and dumping them into the nearest major body of water like I would have done.

via Anti-piracy company pirates a million copies of Deus Ex | DVICE.

Oct 11, 2011

Aaron Barr believed he had penetrated Anonymous. The loose hacker collective had been responsible for everything from anti-Scientology protests to pro-Wikileaks attacks on MasterCard and Visa, and the FBI was now after them. But matching their online identities to real-world names and locations proved daunting. Barr found a way to crack the code.

In a private e-mail to a colleague at his security firm HBGary Federal, which sells digital tools to the US government, the CEO bragged about his research project.

“They think I have nothing but a hierarchy based on IRC [Internet Relay Chat] aliases!” he wrote. “As 1337 as these guys are supposed to be they don’t get it. I have pwned them! :)”

But had he?

via How one man tracked down Anonymous—and paid a heavy price.

Sep 6, 2011

A well known security firm warns that the number of compromised digital security certificates from DigiNotar, a Dutch certificate authority outfit owned by VASCO Data Security International, has doubled in size over the past week from 250 false SSL certificates to 531. False certificates have now been issued for Facebook, Google, Tor, Skype, Mossad, CIA, MI6, Twitter, and several other high profile sites.

“This is really bad news. As DigiNotar is a ‘root’ certificate, they can assign authority to intermediaries to sign and validate certificates on their behalf,” security firm Sophos explains. “It appears the attackers signed 186 certificates that could have been intermediate certificates. These certificates masqueraded as well-known certificate authorities like Thawte, Verisign, Comodo, and Equifax.”

According to Sophos, computer users of IE and Safari on Windows 7/Vista/2008/2008R2 and/or Chrome and Firefox on all platforms are immune from exploitation, so long as you’re rocking a fully patched browser and OS. Things aren’t as peachy for Apple users.

via Maximum PC | Hackers Issue Rogue SSL Certificates for CIA, MI6, and Mossad; Apple Stands Pat.

Sep 6, 2011

Unfortunately, as evidenced in the video embedded below, a newly appointed Page admin can remove the Page creator’s admin status, which can be very nasty in certain cases. Today, Facebook Pages are more than fun; they’re a serious part of business promotion, and losing administrative access to a Page can lead to a host of problems.

via Facebook Flaw Lets You Hijack Page from Original Owner.