The next generation of CAPTCHA

The following is a design for a CAPTCHA that is likely invulnerable to automated decryption. I originally developed this as part of an anti-spam system that was a very early progenitor of Receiver Initiated Authentication.  This CAPTCHA should be particularly invaluable given the recent reports that bots now have as high as a 35% successful [...]

How a Classic Man-in-the-Middle Attack Saved Colombian Hostages

Last week’s dramatic rescue of 15 hostages held by the guerrilla organization FARC was the result of months of intricate deception on the part of the Colombian government. At the center was a classic man-in-the-middle attack.
In a man-in-the-middle attack, the attacker inserts himself between two communicating parties. Both believe they’re talking to each other, and [...]

SSHKeygen.com… Only missing a credit card field. Ugh.

Not only generating private keys using an untrusted third-party, but sending them in the clear over http? Nice. I wonder where all these people are who are clever enough to need an SSH key, but too stupid to type ssh-keygen -t dsa?
I wouldn’t be surprised if this was some minor social engineering attempt; the server [...]

AVG disguises fake traffic as IE6

AVG has rejiggered the fake traffic it’s spewing across the internet, causing new headaches for the world’s webmasters.
In late February, AVG paired its updated anti-virus engine with a real-time malware scanner that vets search engine results before you click on them. If you search Google, for instance, this LinkScanner automatically visits each address that turns [...]

CDW Study: IT Security Isn’t as Good as It Thinks

When it comes to security, maybe the end user isn’t always the problem.
That’s the conclusion of a study published today by technology reseller giant CDW Corp. The study notes some paradoxes between IT professionals’ views on their organizations’ security and their actual security status.
For example, when asked if their security systems were easy to use [...]

Metasploit Hacking Tool Site Hacked But Not “Owned”

An attack this week targeting the Metasploit Website redirected visitors to a phony page proclaiming the hack — but the hacking tool site’s servers remained intact.
HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems, says the attack didn’t actually touch the Metasploit servers themselves. The attacker or attackers instead infected another [...]

Universal XSS In PDF

More XSS (Cross-site Scripting) fun! After yesterday’s post I realized that not everyone reads hacker blogs, so I feel it is my duty to post it here. Stefano Di Paola and Giorgio Fedon have found a universal XSS in PDF. RSnake also found a vulnerability in local PDF file execution. This is bad, people; Every [...]

Prevent XSS and SQL Injection

Today I was toying with Apache and made a .htaccess for all of you that prevents the most-used XSS and SQL injection vectors in the request URI. It looks at the request URI and sends the malicious user to a log file, which sends an e-mail to the webmaster with all his information and what [...]

New Smart Phone Hack Could Expose Cell Network

Researchers have hacked a built-in maintenance application found on many smart phones that could open the door to hacking the cellular network itself.
David Maynor, CTO for Errata Security, this weekend at the Summercon security confab in Atlanta will demonstrate a tool built by Errata that provides a peek into the inner workings of the cell [...]

Vulnerability in Debian OpenSSL could allow attackers to decrypt “secure” Web sessions

Ten days ago, a Debian Security Advisory (DSA-1571-1) was released that detailed a flaw in the OpenSSL cryptographic libraries that affects both Debian and other Linux distributions derived from Debian.
Unlike a buffer overflow or many other vulnerabilities, this flaw wasn’t introduced through insecure programming — quite the opposite. In fact, the programmer was using Valgrind [...]

Lifelock CEO Todd Davis becomes ID theft victim

SAN JOSE, California (AP) — Todd Davis has dared criminals for two years to try stealing his identity: Ads for his fraud-prevention company, LifeLock, even offer his Social Security number next to his smiling mug.
Now, LifeLock customers in Maryland, New Jersey and West Virginia are suing Davis, claiming his service didn’t work as promised and [...]

Cisco Alums Launch Security Startup

Security startup Rohati Systems emerged out of stealth mode today and unveiled a multigigabit-speed network appliance for controlling user access to applications.
Rohati’s Transaction Network System (TNS) appliance, which will ship in July, handles user entitlement management with per-transaction policies across multiple applications. The appliance plugs into the network and doesn’t use client agent software nor [...]

Serious flaw in OpenSSL on Debian makes predictable ssh, ssl, etc private keys

Why-o-why did they decide to make Debian specific changes to OpenSSL? Seriously, leave cryptography to the people who are cryptographers. Distro-builders should keep the hell away from it. To get cryptography right is already hard enough as it is.
We’re checking our company keys now. If a few of them are invalid we have to get [...]

Half A Million Microsoft-Powered Sites Hit With SQL Injection

A new SQL injection attack aimed at Microsoft IIS web servers has hit some 500,000 websites, including the United Nations, UK Government sites and the U.S. Department of Homeland Security. While the attack is not necessarily Microsoft’s fault, it is unique to the company’s IIS server.
The automated attack takes advantage of the fact that Microsoft’s [...]

Adobe Air on Linux: A Security Nightmare

“Adobe Air is an application platform/framework which received some buzz recently. One of the most popular Twitter clients was written using Adobe Air. Air seems to make it relatively simple to write nice looking cross platform applications. Two weeks ago, Adobe Air was released for Linux and I gave it a try on my Debian [...]

© 2008 twinturbo.org. All Rights Reserved.