Mandylion Password Manager

If you handle passwords like me then you know how much trouble it is to keep track of the numerous passwords necessary to conduct daily business. Since writing down passwords is about the worst form of password security possible, short of disclosing them to someone else, many turn to electronic means for storing them for easy recall when required. The Mandylion Password Manager is one such device that even went so far as to be certified for use by the U.S. Army.

Unfortunately, we all have to deal with modern life’s little cyber-burden, the password. Some of us do so by simply re-using an old password when the system asks us to change it. Other times we use the same password but just add the month at the end. Some people even resort to keeping their passwords written on yellow sticky notes or in their wallet. None of these options, however, is very effective for protecting your valuable data. Instead, we would like to present a superior solution brought to you compliments of the US Military.

This nifty little gadget will hold up to 50 passwords and will even go so far as to generate them as well. It is small enough to fit on a keychain, so it is easy to keep on your person at all times. It can create passwords based on a number of settings and will even prompt for password changes at set intervals. All data is stored in permanent memory, so in the unlikely event that the battery dies, the passwords remain stored.

If you find the burden of managing passwords to be too intense then this might be exactly what the doctor ordered.

TrueCrypt

TrueCrypt is an open-source freeware disk encryption application for Windows and Linux. The encryption is on-the-fly and even goes so far as to offer plausible deniability in the event that an adversary forces you to reveal the password. If you are in need of securing documents then this might be just what the doctor ordered.

Windows XP: Surviving the First Day

If you have ever been concerned with catching a virus, or having your computer exploited, after completing a fresh install of Windows XP then this guide by the SANS Institute is exactly what you need. Windows XP: Surviving the First Day is written for the average computer user, in order to ensure that they are able to successfully complete an installation of Windows XP without fear of getting 0wned, so to speak.

This is probably one of the best-written, best-laid-out articles on this very subject. Whether you are into computer security or not, this is a guide that should be followed by all.

Password Hashing

If you are a web developer then you should already be aware of the implications of storing passwords in cleartext in a database. Doing so is one of the largest mistakes that you can make when designing the infrastructure for the site. All it would take is for one account to get compromised and its privileges elevated, and an attacker would have the plaintext passwords of every user signed up on the site. Imagine the horror!

The PHP Security Consortium has a well-written article on using password hashing in web-based applications. If you are still storing passwords in cleartext in a database then I highly suggest reading this article and then working on migrating to storing password hashes instead. Otherwise, do not be surprised when the inevitable security breach comes to light.

In this article I’m going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I’ve been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords. Password hashing is a way of encrypting a password before it’s stored so that if your database gets into the wrong hands, the damage is limited. Hashing is nothing new - it’s been in use in Unix system password files since long before my time, and quite probably in other systems long before that. In this article I’ll explain what a hash is, why you want to use them instead of storing real passwords in your applications, and give you some examples of how to implement password hashing in PHP and MySQL.

In the unlucky event that you are storing cleartext passwords in a database, writing a script to store the password hash instead should be quite easy. Like I said previously, I highly recommend changing your design if you are using this horrible one. You will thank yourself, and this article, in the long run.
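As an added example (not code from this page or from the PHP Security Consortium article), here is the migration script described above written in Python rather than PHP, using an in-memory SQLite table as a stand-in for the MySQL users table and salted PBKDF2-HMAC-SHA256 as the hash; the sample rows, column names and work factor are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000          # assumed work factor; raise it as hardware gets faster
PREFIX = "pbkdf2_sha256$"     # marks a column value as already hashed

def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute from the stored salt/iterations and compare in constant time."""
    try:
        _algo, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    except ValueError:            # cleartext or malformed value: never a match
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)

def setup_db():
    """Constructed sample: a users table still holding cleartext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "correct horse")])
    return conn

def migrate(conn):
    """Replace every cleartext value with its hash; safe to re-run, skips done rows."""
    migrated = 0
    for username, value in conn.execute("SELECT username, password FROM users").fetchall():
        if value.startswith(PREFIX):
            continue                       # already migrated on an earlier run
        conn.execute("UPDATE users SET password = ? WHERE username = ?",
                     (hash_password(value), username))
        migrated += 1
    conn.commit()
    return migrated

def login(conn, username, password):
    """Login check that only ever touches the stored hash, never a cleartext password."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

Once migrated, a leaked table yields only salted hashes, and the same script refuses to double-hash rows if it is accidentally run twice.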

Symantec Posts Patch for Anti-Virus Vulnerability

Symantec has posted a patch to correct the huge anti-virus client vulnerability that I previously reported on. The fix is apparently a manually installable one as opposed to being pushed out through Symantec’s LiveUpdate service. Looks like this upcoming Tuesday will be a busy day for many system administrators, as they work extra hard to secure their network from this exploit.

AT&T Leaks Sensitive Info in NSA Suit

In another twist in the ongoing saga that is the NSA eavesdropping lawsuit, it appears that AT&T bungled a legal brief by including sensitive information that was blocked out but which can be easily read by some PDF readers.

AT&T’s attorneys this week filed a 25-page legal brief striped with thick black lines that were intended to obscure portions of three pages and render them unreadable.

But the obscured text nevertheless can be copied and pasted inside some PDF readers, including Preview under Apple Computer’s OS X and the xpdf utility used with X11.

The information unintentionally released in the brief is not classified nor does it explain anything about the NSA’s eavesdropping program. Another chapter in this odd battle between the EFF and AT&T/USA.

Court Filing Confirms Spy Docs

The NSA eavesdropping case just keeps getting more interesting by the day. Today, the judge presiding over the case ordered documents to be released in redacted form.

Much of the wording in the redacted text of Klein’s affidavit (.pdf), which was published in the court docket Thursday afternoon, matches language in the statement published Monday by Wired News.

Technical details in the newly released documents also mesh with the documents published by Wired News. Additionally, both sets of documents refer to an employee who was cleared by the NSA to work in the room, but who was later laid off by AT&T as part of a downsizing. This shared detail, along with others, was not part of Klein’s only previous public statement, which was released by his lawyer in early April and printed in full by Wired News.

It would appear that the information provided by whistle-blower Mark Klein is authentic and that the NSA has been conducting surveillance on American citizens, in direct violation of its charter. But that does not mean the case will continue with any certainty, as the judge presiding over it will review the government’s and AT&T’s motions to dismiss the case on the grounds of national security.

The Ultimate Net Monitoring Tool

Sniffing an enterprise network is a pretty easy task to perform, especially with the right tools. However, just because a tool offers the capability to easily capture data does not mean that interpreting that collected information is easy. That is, unless you have access to the ultimate net monitoring tool, the tool that the NSA enlisted in their eavesdropping program that was recently uncovered.

“Anything that comes through (an internet protocol network), we can record,” says Steve Bannerman, marketing vice president of Narus, a Mountain View, California, company. “We can reconstruct all of their e-mails along with attachments, see what web pages they clicked on, we can reconstruct their (voice over internet protocol) calls.”

Narus’ product, the Semantic Traffic Analyzer, is a software application that runs on standard IBM or Dell servers using the Linux operating system. It’s renowned within certain circles for its ability to inspect traffic in real time on high-bandwidth pipes, identifying packets of interest as they race by at up to 10 Gbps.

Sounds like a well-designed product, especially if it is capable of keeping up with traffic flowing at a rate of 10 Gbps. At rates that high you generally see software of this nature start to drop packets because of the amount of data being pumped through the pipes.

If you are truly concerned about the NSA reading your email, and opening up sensitive attachments, then encrypting your email is the best thing you can do. Grab PGP and be on your way to ensuring what you write is only read by the intended recipients, not some NSA lackey.

Symantec AntiVirus Worm Hole Puts Millions at Risk

A newly discovered Symantec AntiVirus worm hole puts millions at risk without any user interaction whatsoever.

“This is definitely wormable. Once exploited, you get a command shell that gives you complete access to the machine. You can remove, edit or destroy files at will,” said eEye Digital Security spokesperson Mike Puterbaugh.

Oddly enough, Symantec’s Personal Firewall was designed to protect against this vulnerability, which means that the company was somewhat aware of this issue. Look for a patch to be issued within the coming days.

Secure Firefox and IM with PuTTY

Using public WiFi, while nice because it is free, is a sandbox for hackers to capture data that you might have otherwise thought was secure. Any black hat can use freely available tools that can sniff the data leaving your computer and capture that information so it can be used with malicious intent at a later date. One of the best ways to combat this security risk is by securing Firefox and IM with PuTTY in a sort of makeshift Virtual Private Network (VPN).

There are times when you want to connect to the Internet through unknown and/or insecure networks such as the local Panera or other WiFi hotspot. If you aren’t careful, you might make it all too easy for someone to sniff your connection using Ettercap.

This HOWTO is an easy-to-read, well-written reference guide for setting up Firefox and GAIM so that they use PuTTY as a sort of proxy server. The only piece missing is the SSH server that you are going to need access to in order for this to work properly. Look around the internet and you should be able to find something that suits your needs.