Join the God Side, Jesus is Coming…….

Archive for July, 2011

The science of password selection

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password.

But there was one important question I left unanswered and that was how people choose their passwords. We now know that structurally, passwords almost always adhere to what we would consider “bad practices” but how are these passwords derived in the first place? What’s the personal significance which causes someone to choose a particular password?



The padlock icon must die

What do you think of when you see this little guy on a webpage:

[image: padlock icon]

You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit.

The problem is that it doesn’t mean anything of the kind. In fact it has absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleading.

Excellent post, read more at troyhunt.com

Researcher finds dangerous vulnerability in Skype

A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone’s account, according to details posted online.

The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. He said on Friday he hasn’t heard a response yet.

The problem lies in a field where a person can input their mobile phone number. Kayan wrote that a malicious user can insert JavaScript into the mobile phone field of their profile.

There are some mitigating factors, such as that the attacker and victim must be friends on Skype. Also, the attack may not immediately execute when the victim logs in. Kayan said he noticed the behavior happened only after the victim logged in several times. But he said in an e-mail that once it happens the first time, “it happens with each re-login.”

Skype should be checking the input into the mobile phone field and validating that it is indeed a phone number and not executable code. The problem affects the latest version of Skype, 5.3.0.120, on Windows XP, Vista and 7, as well as on Mac OS X.

Source: networkworld
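As an added illustration of the validation the Skype item above calls for (example code, not from the article or from Skype): an allow-list check for a profile mobile phone field that rejects anything that is not a phone number, plus HTML escaping on output as a second layer. The E.164-style pattern and the sample inputs are assumptions, not Skype's rules.

```python
import html
import re

# Allow-list for a profile "mobile phone" field (assumed rule, E.164-style):
# an optional leading '+', a first digit 1-9, then 6 to 14 more digits.
# Common separators are stripped first so "+49 (30) 1234-567" still passes.
_SEPARATORS = re.compile(r"[\s().-]")
_E164 = re.compile(r"^\+?[1-9][0-9]{6,14}$")


def normalise_mobile(raw: str):
    """Return the canonical phone number, or None if the value is not one.

    Because only digits (and one optional '+') are accepted, markup such as
    '<script>' is rejected before it can ever reach storage.
    """
    candidate = _SEPARATORS.sub("", raw.strip())
    if not _E164.match(candidate):
        return None
    return candidate


def render_mobile(stored: str) -> str:
    """Defence in depth: escape on output even though the value was validated.

    Validation rules change over time; output encoding still protects any
    value that is already in the database when a page renders it.
    """
    return html.escape(stored, quote=True)


# Constructed sample inputs (not from the article) mapped to the expected
# result of normalise_mobile(): a valid number and three rejected values,
# including a hypothetical script payload of the kind the article describes.
SAMPLES = {
    "+49 (30) 1234-567": "+49301234567",
    "0049301234567": None,  # leading zero is not valid in this E.164 form
    "<script>alert(1)</script>": None,
    "123": None,
}


def check_samples() -> bool:
    """True when every constructed sample produces the expected result."""
    return all(normalise_mobile(k) == v for k, v in SAMPLES.items())


if __name__ == "__main__":
    print("all samples behave as expected:", check_samples())
```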

JailbreakMe for the Lulz

What’s JailbreakMe? It’s an easy way to jailbreak an Apple iOS device using a PDF-related vulnerability.

It’s done with a “drive-by” style exploit.

All somebody needs to jailbreak their (newer) iPad/iPhone/iPod is to visit jailbreakme.com and to touch the free/install button. The German Federal Office for Information Security has issued a warning about this. They’re concerned about the potential for targeted malicious attacks using trojanized versions of the JailbreakMe exploit.

Source: F-Secure


Hacker Exposes Florida’s Voting Database — Again

Election fraud and accusations of rigged voting might be as old as US election systems themselves, but some may wonder, if a hacker can gain access to the election voting system, how secure are elections anyway?

The AntiSec movement is definitely rolling along, but Anonymous is pointing to a recent hack that could raise some serious questions over the integrity of voting in Florida. It seems that a hacker who uses Twitter obtained parts of the Florida voting database, which have subsequently been posted to Paste2. It appears that the hacker in question wanted to show that voting fraud can easily happen today and dumped parts of the Florida database to prove it.

Source: Zeropaid

NHS heads to cloud for security?

The NHS has signed a deal with Zscaler – a cloud-based security and bandwidth management company.

A document seen by IT Pro detailed a Zscaler webinar stating the NHS was a customer, even though no formal announcement has been made.

Zscaler’s product offering sends all customer traffic through the cloud, analyses it and then allows organisations to add policies on both security and bandwidth management.

No further details on the contract have been officially released.

Its key protection areas include email, web security and data loss prevention. The last area will be important for the NHS, which has seen data leave its premises and go missing numerous times.


Source: ITPRO

Google dealing with privacy bugs in Google+

Google’s new social networking site, Google+, which is built to beat Facebook primarily on privacy features, has several privacy bugs the company is working to fix.

Many of the existing privacy bugs in Google+ revolve around the site’s mechanism to block users, according to a list of known problems Google has published and is in the process of fixing.

For example, after a user blocks someone, that blocked person may not always be removed from the user’s extended circles and the blocked person’s posts will remain on the user’s activity stream.

Source: ComputerWorld
