I love data centres.
The hum of the fans and the whirring of the servers have always appealed to me.
This place is stunning. Facebook have a great set-up. This really is a next-generation approach to big data and big networks.
Sunday, 19 August 2012
Saturday, 21 July 2012
This is a beautiful device.
Combine a powerful intrusive piece of hardware and stunningly ingenious form factor.
Social engineering expressed in plastic.
Tuesday, 5 June 2012
Four Critical Security Flaws
I love it when companies are this honest about their security breaches.
Usually this kind of detail only comes out of the large, significant breaches, through court reports and intense scrutiny by journalists.
It is this transparency that allows smaller organisations to lock down their systems.
I find it interesting that the breach occurred through weaknesses in the authentication of third-party individuals.
Saturday, 14 April 2012
Wednesday, 22 June 2011
Problems with Passphrases
I saw a great talk at RANT a week ago, and it reassured me that folks are starting to adopt passphrases to defeat rainbow tables and other hash pre-computation attacks.
The basic idea behind passphrases is to use a combination of words to form your password. Take two to six words and just type them in to form a long password, much longer than your standard 8-character password. The power of passphrases is that as the password grows longer, the tables must grow bigger at a greater than exponential rate.
They are also much easier to remember than a combination of numerals and upper- and lower-case letters.
An example: "foreigner mudslide apple" is a 24-character password, well beyond the reach of the current rainbow table sets, which are limited to 14-character password hashes. The 14-character rainbow table is roughly 186Gb in size; adding another 10 characters to that table puts it in the terabyte range. Therefore, passphrases are a good thing.
But the title of this post is the Problems with Passphrases, and the problem rests entirely with the folks managing passwords on web and corporate sites. These folks are putting policies in place that limit password size, do not allow non-alphabetic characters, forbid spaces, and basically only allow weaker passwords to be used.
If we are to continue to use passwords, these limitations need to change. Start to accept longer passwords and passphrases. Again, it is the tech side that seems to be the slowest to pick up the necessary changes.
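As an added illustration (not code from the original post), this Python script puts numbers on the post's argument: how much the candidate space grows when the maximum password length rises from 14 to 24 characters, and how the restrictive site policies described above reject the passphrase "foreigner mudslide apple". The 95-symbol printable ASCII alphabet and the 20,000-word list are assumed figures.

```python
import math
import re

# Assumed figures for the estimate (not from the post): printable ASCII has 95
# symbols, and a passphrase word list is taken to hold 20,000 words.
PRINTABLE_ASCII = 95
WORD_LIST_SIZE = 20_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def growth_factor(alphabet_size: int, from_length: int, to_length: int) -> int:
    """How many times larger the candidate space (and so any table that covers it)
    becomes when the maximum length rises from from_length to to_length."""
    return keyspace(alphabet_size, to_length) // keyspace(alphabet_size, from_length)


def entropy_gain_bits(alphabet_size: int, from_length: int, to_length: int) -> float:
    """The same growth expressed in bits: each extra symbol adds log2(alphabet) bits."""
    return math.log2(growth_factor(alphabet_size, from_length, to_length))


def passphrase_entropy_bits(words: int, word_list_size: int = WORD_LIST_SIZE) -> float:
    """Entropy of `words` words picked at random from the list: the honest measure
    when the attacker knows which word list was used, rather than counting characters."""
    return words * math.log2(word_list_size)


def policy_rejections(password: str, max_length: int, allow_spaces: bool,
                      allow_non_alpha: bool) -> list[str]:
    """Reasons a site policy of the kind the post complains about would reject a password.
    An empty list means the policy accepts it."""
    reasons = []
    if len(password) > max_length:
        reasons.append(f"longer than {max_length} characters")
    if not allow_spaces and " " in password:
        reasons.append("contains spaces")
    if not allow_non_alpha and re.search(r"[^A-Za-z ]", password):
        reasons.append("contains non-alphabetic characters")
    return reasons


if __name__ == "__main__":
    phrase = "foreigner mudslide apple"
    print("table growth 14 -> 24 chars:", f"{growth_factor(PRINTABLE_ASCII, 14, 24):.3e}x",
          f"({entropy_gain_bits(PRINTABLE_ASCII, 14, 24):.1f} more bits)")
    print("3 random words from a 20k list:", f"{passphrase_entropy_bits(3):.1f} bits")
    print("restrictive policy:", policy_rejections(phrase, 16, False, True) or "accepted")
    print("permissive policy: ", policy_rejections(phrase, 128, True, True) or "accepted")
```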
Thursday, 11 November 2010
Great Post by Merlin Mann
I love this post by Merlin. It shows how people can (mis)treat the people they want work from.
Reminds me of this YouTube video.
Wednesday, 6 October 2010
.ly domain space to be considered unsafe
Unfortunate, when there is no central control over Domain Name registration this stuff can happen.
Article here
The Libyan Domain Name Registry is grabbing back .ly domain names and stating that domain names of fewer than 4 characters in the .ly namespace must be held by Libyan residents. In addition, websites in this domain space must comply with Libyan Sharia Law.
Wondering what impact this will have on bit.ly, owl.ly and ad.ly?
Hacking the D.C. Internet Voting Pilot
A very good article on the pilot test of the system that will allow overseas military personnel to vote online.
A shell-injection vulnerability allows remote commands to be executed.
Evil happens when the temp file is allowed to retain shell commands embedded in the file extension.
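To illustrate the class of bug described, here is an added Python example (not code from the voting pilot or from the article): an upload handler that keeps the client-supplied filename, extension included, and splices it into a shell command line, beside a hardened version that allow-lists the extension, names the temp file server-side and passes the path as a single argv element with no shell involved. The `process-ballot` command, the staging directory and the sample filenames are assumed placeholders.

```python
import os
import re
import secrets
import subprocess

# Assumed placeholders for the example (not from the article): the command that
# processes a staged upload, the staging directory and the expected extensions.
PROCESS_COMMAND = "process-ballot"
STAGING_DIR = "/tmp/upload-staging"
ALLOWED_EXTENSIONS = {"pdf"}


def unsafe_command_line(upload_name: str) -> str:
    """The vulnerable pattern: the temp file keeps the client-supplied name, extension
    and all, and that string is spliced into a command line that is run through a
    shell. Anything after a shell metacharacter in the extension is parsed by the
    shell as a further command instead of being part of the filename."""
    temp_name = "upload_" + upload_name
    return f"{PROCESS_COMMAND} {STAGING_DIR}/{temp_name}"   # later run with shell=True


def safe_temp_name(upload_name: str) -> str:
    """Hardened: take only the extension from the client, require it to be a short
    alphanumeric token on the allow-list, and generate the rest of the name server-side."""
    ext = os.path.splitext(os.path.basename(upload_name))[1].lstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext) or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload extension: {ext!r}")
    return f"upload_{secrets.token_hex(8)}.{ext}"


def is_acceptable_upload_name(upload_name: str) -> bool:
    """True if the hardened naming would accept this client-supplied name."""
    try:
        safe_temp_name(upload_name)
        return True
    except ValueError:
        return False


def safe_argv(temp_name: str) -> list[str]:
    """Argument vector for subprocess.run(..., shell=False): the path is one argv
    element, so no shell ever parses it, whatever characters it contains."""
    return [PROCESS_COMMAND, os.path.join(STAGING_DIR, temp_name)]


def process_upload(upload_name: str) -> subprocess.CompletedProcess:
    """Validate, stage under a server-generated name (writing the upload body to that
    path is omitted here), then invoke the processor without a shell."""
    return subprocess.run(safe_argv(safe_temp_name(upload_name)), shell=False, check=False)


if __name__ == "__main__":
    hostile = "ballot.pdf; echo injected"   # constructed sample name, nothing is executed
    print("vulnerable command line :", unsafe_command_line(hostile))
    print("hardened name for ballot.PDF:", safe_temp_name("ballot.PDF"))
    print("hostile name accepted?  :", is_acceptable_upload_name(hostile))
```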
Saturday, 28 August 2010
Heads up on the following fallacious information floating around Facebook
Facebook launched Facebook Places yesterday. Anyone can find out where you are when you are logged in. It gives the actual address & map location of where you are as you use Facebook. Make sure your kids know. TO UNDO: go to "Account", "Account Settings", ..."Notifications", then scroll down to "Places" ...and uncheck the 2 boxes. Make ...sure to SAVE changes and re-post this!!
This does not turn off Facebook Places; it simply stops you receiving Facebook Places notifications from friends.
Facebook Places only works from GPS-enabled devices (e.g. iPhone and Android). You need to be running the Facebook app and check in through that app for it to send out notifications of your location.
If you want Facebook Places to not post your location from your mobile phone - don't use it. Don't check in from your mobile phone. No need to change any settings in Facebook for this.
However, it is important to understand when you agree to an iPhone or Android app sending location information from a GPS mobile phone, what is sent and who it is sent to. It is too easy to click through those dialogues.
Finally, tell your kids to not post anything that they do not want handed to them during a job interview. It is the best way to approach this form of self-exposure rather than try to alter ever-changing privacy settings.
Friday, 9 July 2010
Classic Craigslist Money Order Scam in the wild
Story of a girl who got a job and then a simple request by her new "boss".
-----------
My friend accepted a job as a 'personal assistant' she found on CL. So far her boss, who says he is out of the country in Ireland, has sent her two Western Union money orders for $950 each, and her job was to put the money orders in the bank, take out $300 for her trouble and then send the rest to some other person. (The last one was in Dubai)
This seems incredibly fishy. Is there a reason she shouldn't be doing this? She knows literally nothing about the guy other than his email address, phone number and first name.
UPDATE: She didn't seem to think it was as big of a deal as I do. I think she's embarrassed and doesn't want to admit it. She has a savings account with money in it from modeling or something when she was a kid, so she said if it turns out it was a scam (and not money laundering like she thought at first), she'll just have to pay the money back and be out $1700.
----
This is why Craigslist has this statement at the bottom of the page:
* DEAL LOCALLY WITH FOLKS YOU CAN MEET IN PERSON - follow this one simple rule and you will avoid 99% of the scam attempts on craigslist.
* NEVER WIRE FUNDS VIA WESTERN UNION, MONEYGRAM or any other wire service - anyone who asks you to do so is a scammer.
* FAKE CASHIER CHECKS & MONEY ORDERS ARE COMMON, and BANKS WILL CASH THEM AND THEN HOLD YOU RESPONSIBLE when the fake is discovered weeks later.
* CRAIGSLIST IS NOT INVOLVED IN ANY TRANSACTION, and does not handle payments, guarantee transactions, provide escrow services, or offer "buyer protection" or "seller certification"
* NEVER GIVE OUT FINANCIAL INFORMATION (bank account number, social security number, eBay/PayPal info, etc.)
* AVOID DEALS INVOLVING SHIPPING OR ESCROW SERVICES and know that ONLY A SCAMMER WILL "GUARANTEE" YOUR TRANSACTION.
Wednesday, 7 July 2010
The Secret Stash Project
Yiting Cheng does a decent job of showing you how to hide stuff in plain sight.
Wednesday, 26 May 2010
Facebook - The Privacy Reality
After seeing a lot of articles appearing on the new facebook privacy changes, I think that the only reasonable response to these and future changes is the following:
Do not post anything on Facebook that you want to keep private
You have to be aware that your posted content and personal information can be sold to a third party without your consent.
Currently, your information can be secured within Facebook using the new privacy settings, however, as has been seen in the recent past, Facebook is highly likely to change their privacy policy in the future.
So, the only control that you as a Facebook user have is to limit the information you provide through this social website.
Saturday, 2 January 2010
Security Concerns with using your iPhone as a Credit card reader
I always thought it was strange that Apple Stores used Windows CE devices to take payments. It is a testament to the power that Microsoft's mobile OS has in the payment field, while Apple seems to have struggled in this area.
Supposedly some folks are trying to change this and the new Card Readers for Apple portable devices are appearing.
The only reason this story is appearing here in the ZIS blog is the lack of basic security provision in these new add-ons. Swipe card readers should be on their last legs, and I was surprised by the use of them in North America when I was last there.
Supposedly, new cards issued by North American banks are being shipped with chips, but the hardware suppliers should be on this movement as well. While chip and PIN has its problems, as well documented by the security group out of Cambridge and specifically Steven J. Murdoch, no one would dispute the technical advantages it has over the older magnetic stripe system. The main concern that Murdoch has is the banks' assertion that the system is completely secure and that any fraudulent activity that takes place is due to a lack of diligence by the card user and not to their systems.
I would assume that products being designed now would include at least chip and PIN and adhere to the basic PCI DSS requirements.
Tuesday, 8 December 2009
Wireless Security
Lack of Wireless protection is again in the headlights of security scrutiny.
The line for acceptable wireless security controls is constantly moving. WEP was never considered secure: it arrived broken and just became “brokener”.
WPA has now been replaced by WPA2, and that latest version is under attack by dictionary attacks. It is very impressive that a wireless secret key is now worth 34 dollars.
The easiest way to protect yourself from attacks on your wireless device is to work on the elements that go into the encryption process. For the WPA-PSK process, those are the password and the SSID. Having a non-default SSID was always a good idea, since it tells the potential attacker nothing about the network they are sniffing. It is easy to change and can reflect your personality. Since the SSID (and SSID length) are used to salt the algorithm, changing these from the default is the first step in securing a wireless connection.
Secondly, you need to choose a passkey of a reasonable length. To avoid repetitive phrases, I tend to use the GRC password generator for 63-character keys. This can be a bit of a pain for devices where the key has to be entered by hand (sometimes with a Wiimote).
These two tasks should leave your wireless access device fairly secure but the other side of the coin (detective controls) should also be in place. More on that later.
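As an added example (not code from the original post), the following Python shows why the SSID matters: WPA-PSK derives the Pairwise Master Key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table of keys precomputed for one SSID is useless against any other SSID, and it also generates the kind of 63-character random passphrase the post recommends. The SSIDs and passphrases used are constructed sample values.

```python
import hashlib
import secrets

# WPA-PSK (IEEE 802.11i) derives the 256-bit Pairwise Master Key from the
# passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32


def validate_passphrase(passphrase: str) -> None:
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters (0x20 to 0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def is_valid_passphrase(passphrase: str) -> bool:
    try:
        validate_passphrase(passphrase)
        return True
    except ValueError:
        return False


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for this passphrase on this SSID."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH_BYTES)


def precomputed_table_reusable(passphrase: str, table_ssid: str, target_ssid: str) -> bool:
    """A table of PMKs built for table_ssid only matches target_ssid when the salts
    agree, i.e. the SSIDs are identical. That is why leaving the default SSID lets
    an attacker reuse a table built once for every network with that name."""
    return derive_pmk(passphrase, table_ssid) == derive_pmk(passphrase, target_ssid)


def random_psk_passphrase(length: int = 63) -> str:
    """A random passphrase over the non-space printable ASCII set, the same idea as
    the 63-character keys from a password generator; uses the OS CSPRNG."""
    alphabet = "".join(chr(c) for c in range(0x21, 0x7F))
    passphrase = "".join(secrets.choice(alphabet) for _ in range(length))
    validate_passphrase(passphrase)
    return passphrase


if __name__ == "__main__":
    phrase = "correct horse battery staple"      # constructed sample passphrase
    print("default SSID 'linksys'      :", derive_pmk(phrase, "linksys").hex())
    print("custom SSID 'zis-home-7f2c' :", derive_pmk(phrase, "zis-home-7f2c").hex())
    print("table for 'linksys' reusable on custom SSID?",
          precomputed_table_reusable(phrase, "linksys", "zis-home-7f2c"))
    print("fresh 63-character key:", random_psk_passphrase())
```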
Wednesday, 2 December 2009
Mark Zuckerberg has finally realised that Facebook may have some security issues and announced that there will be more granularity in the existing security controls. Also, the massive Networks will no longer be the basis for information sharing.
Monday, 26 October 2009
Cryptography at IBM
A great video from the IBM Smarter Planet series on their cryptography team, with a short introduction to “privacy homomorphism”, or “fully homomorphic encryption”. This breakthrough makes possible the deep and unlimited analysis of encrypted information (data that has been intentionally scrambled) without sacrificing confidentiality.
Extended abstract on privacy homomorphism can be found here.
Wednesday, 16 September 2009
Adam Savage at HOPE
Interesting stuff from HOPE
I never noticed this when it first appeared a while back.
I guess when the well known attacks become mainstream - that the lawyers show up.
Friday, 31 July 2009
Tuesday, 24 March 2009
Worm Attacking Home Routers and DSL Modems
Very good article detailing the psyb0t botnet worm.
This is the first known botnet based on exploiting consumer network devices, such as home routers and cable/DSL modems.
It stresses the importance of changing all passwords on internet-facing network kit.
Use a random string of sufficient length, or grab a 63-character string from GRC.
Saturday, 6 September 2008