Privacy, Security Archive

Tech Titans Meet in Secret to Plug SSL Hole

"Researchers say they've uncovered a flaw in the secure sockets layer protocol that allows attackers to inject text into encrypted traffic passing between two endpoints. The vulnerability in the transport layer security protocol allows man-in-the-middle attackers to surreptitiously introduce text at the beginning of an SSL session, said Marsh Ray, a security researcher who discovered the bug. A typical SSL transaction may be broken into multiple sessions, providing the attacker ample opportunity to sneak password resets and other commands into communications believed to be cryptographically authenticated. Practical attacks have been demonstrated against both the Apache and Microsoft IIS webservers communicating with a variety of client applications. A consortium of some of the world's biggest technology companies have been meeting since late September to hash out a new industry standard that will fix the flaw. A draft is expected to be submitted on Thursday to the Internet Engineering Task Force."

Serious Vulnerability Found in SVN

From Smashing Magazine: "A few months ago, Anton Isaykin, in collaboration with the company 2comrades, found a huge vulnerability that is quite typical of big projects (we do not name names here). To test it, they obtained the file structures and even the source code of about 3320 Russian websites and some major English-language websites. Serious vulnerabilities like this aren't supposed to exist nowadays. Every serious or visible exploit is found and fixed quickly. But here we will show you something simple and ordinary yet very dangerous."

A Stick Figure Guide to AES

Software Engineer and encryption aficionado Jeff Moser has created an XKCD-esque stick figure comic explaining the Advanced Encryption Standard (AES): where it came from, why it was necessary, and most-illuminatingly, how it works. Your eyes may glaze over toward the end when it gets into some hefty math, but even if you skim that part, you'll know a lot more about encryption when you're done.

Building the Wired Home: Elk M1 Home Security System

In some sense, home security systems suffer the same fate as mobile phone handsets. Most people, if they have one, have the one that a security monitoring company installed, and their only interaction with it is to turn it on or off. But some people want more than just a security system. Some people want a security system that can be expanded to perform almost any kind of home monitoring and automation task. You know, lunatics. Lunatic geeks. Enter the Elk M1.

Privacy and Data Protection in the European Union

This week in Greece Peter Hustinx, the European Data Protection Supervisor shared the latest Eurobarometer (a series of surveys regularly performed on behalf of the European Commission) findings that show that 2/3 of European Union citizens are very concerned about the security and privacy of their information. The figures are even higher in Austria and Germany, with over 90% respondents sharing their concerns on these important topics. Countries like the United Kingdom do this kind of research on a yearly basis and the results show the same trend in awareness of data security and privacy issues.

UAE Blackberry Update Is Spyware

Blackberry phones in the United Arab Emirates recently received a text from Etisalat, a major provider in the UAE, prompting for users to download and install an update to enhance performance. It was an ill radio wave that brought that text to phones because it turns out that the "update" downloaded was really software designed to collect received messages and send them back to a central server: essentially spyware.

Employee’s Email Hacked, Twitter Information Stolen

"Is password protection an inherently flawed security model? A hack into a Twitter employee's Gmail provided access to a number of confidential Twitter docs housed in Google's cloud. What does that say about cloud security? Information from the docs was leaked to the media and published on various outlets." This may be a hard blow to those who have hopes in tossing sensitive data into the cloud.

Kon-Boot: The Multi-OS Sneaker

Kon-Boot seems to be an alternative to Ophcrack that likewise runs on Linux as well as Windows operating systems. It doesn't crack the password but instead bypasses it and lets the user into any account. Those who are admins may want to take a gander at Kon-Boot in case someone with ulterior motives and physical access to vital computers happens to stumble across this tool. Those who have ulterior motives, enjoy. "According to the description at the tool's site, Kon-Boot alters a Linux or Windows kernel on the fly during boot up. The result is that you can login to a system as 'root' or 'administrator' without having to know the associated account password."

Safari 4’s Privacy Bug Should Raise Red Flags at Browser Makers

The Safari 4 beta is having a little bit of trouble cleaning up after itself, as has been revealed by C. Harwic on his blog. Safari 4 is still in beta, so it's easy to forgive the browser for this rather sloppy housekeeping, which left gigabytes (!) of browsing data in weird places all over your filesystem, even after cleaning the caches or history. Still, this does raise a few questions.

Calculating Password Policy Strength vs. Cracking

InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break -- not at all hard to accomplish, Grimes writes.

USAF’s Locked-Down Windows XP Configuration

Can you make Windows XP so secure that the United States Air Force will use it in its systems? Well, apparently, you can, but you do have to talk to Microsoft. The USAF wanted a locked-down edition of Windows XP, and since they were in the midst of renegotiating the desktop-software contract with Microsoft, they decided to ask Steve Ballmer directly to create it for them. They did.

Conficker Worm: Hoax or Criminally Genius Scheme?

Many have gotten antsy the past months about the Conficker worm, and all with good reason. Though the worm hasn't done much of anything (yet) except spread like the plague, it's infectious if one doesn't have his or her Windows operating system up-to-date with the most recent security updates. The worm is supposed to execute on April 1st, and the computer world is holding its breath to see if a disaster comparable to the hyped-up supposed Y2K doomsday will ensue or if it's just someone's idea of a sick April Fool's Day joke.

Miller on Mac OS X, Chrome, Firefox, Economics

Fresh from winning the PWN2OWN contest yesterday, Charlie Miller has been interviewed by ZDNet. He talks about how Mac OS X is a very simple operating system to exploit due to the lack of any form of anti-exploit features. He also explains that the underlying operating system is much more important in creating a successful exploit than the browser, why Chrome is so hard to hack, and many other things.

Miller Cracks Safari Within Seconds, Wins PWN2OWN Contest

As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later to cracker Nils, who also cracked Safari and Firefox after being done with IE8.

Miller: Safari on Mac First to Fall During PWN2OWN Contest

With the infamous PWN2OWN contest drawing ever closer, the heat is ramping up. This year's instalment pitches Apple's Safari (on the Mac), Google's Chrome, Internet Explorer 8, and Firefox (all on Windows 7) against one another, while also allowing crackers to take on mobile platforms. Last year's winner, Charlie Miller, who won by cracking Mac OS X within minutes, says Safari on the Mac will be the first to fall.