* Posts by djack

154 posts • joined 16 Jun 2009


Misfortune Cookie crumbles router security: '12 MILLION+' in hijack risk

djack

Re: djack

There are other ways of raising awareness than going full apocalypse scare tactics as a thinly obfuscated attempt to sell software that won't actually fix the problem.

A single http request with a specially crafted cookie from a Web browser with an extension to allow modification of cookies is a far cry from a single packet sent by a normal Web browser. Checkpoint know the difference and have made that statement to confuse and terrify those who don't.

It's difficult enough to get people to take security seriously without this sort of marketing shenanigans.

I'm not just singling out checkpoint here, there are many others who have also done this sort of thing.

4
0
djack

I really hate this sort of shit. Is this an actual issue or a marketing piece?

If it is a real technical announcement, what does this mean :-

"All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser."

Other than (maybe) some relatively complex code with websockets, I'm not sure how to make my browser output a single packet. Such bullshit can only harm any real warning of a real issue.

9
0

Security SEE-SAW: $3 MEEELLION needed to fight a $100k hack

djack

"The fact that they are not being openly addressed shows me that people who understand don't care and people who care don't understand."

Not quite. Often the people with authority don't understand / care. I can't think of a more fruitlessly stressful job than ISO. So many are given the responsibility but not the necessary authority.

1
0

Not sure what RFID is? Can't hack? You can STILL be a card fraudster with this Android app

djack

Re: Bank cards are not susceptible

I can't remember what variant of card is in my bank card, but a number of the newer mifare chips have the ability to emulate a classic but without the (same) flaws.

1
0

Mastercard and Visa to ERADICATE password authentication

djack

Re: So how secure are 'biometrics'?

"I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."

Barclays and NatWest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticates access to the account and at the transaction level (the first time you send money to a recipient).

0
0
djack

Re: @Keith stupid (calculator size) chip and pin devices for every purchase

"Is the token thingy in the same wallet as the credit/debit card?"

Probably, but that isn't an issue as you need to input your card PIN each time you use it (like you do in a physical shop).

0
0
djack

Re: @Keith stupid (calculator size) chip and pin devices for every purchase

AFAIK, all those calculator things use the standard EMV (Euro?? Mastercard Visa) authentication package that is embedded in the chip on your bank card. As such they are pretty interchangeable - at the very least I can log into my Barclays account using a NatWest device.

It's not too difficult to get a couple of the things (hint: most banks will send you a new one if it gets lost or breaks) and at work, all you need is to get one to share between a small group of trusted people.

It can be made relatively painless really easily too, perhaps you force authentication once (a year?) for each individual combination of retailer and delivery address.

0
0
djack

Re: So how secure are 'biometrics'?

Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form.

During enrolment, the authentication server collects data about your authenticator. This may be your password (hash), a seed for a 2FA token, an X.509 public key or the base sample data for the biometric (etc. etc.)

During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderful scanning device. This data is now a normal blob of data. It may be processed by the client before being sent to the authentication server for processing.

The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.

That's why on many Windows networks if you have a password hash, it matters not that you don't know the password, or if you have a 2FA token seed and the generation algorithm, you don't need the original token. If you have enough information about a biometric credential and the system in use, you don't need the actual body part and just bypass the scanner hardware.

In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.

6
0

Hey, you, PHONE-FACE! Kickstarter in-car mobe mount will EMBED your phone into your MUG

djack

Their Description is Right too..

"Holding your cell phone visible giving the driver hands free driving"

Did they really mean that?

2
0

Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

djack

Re: Misleading Language

Considering the number of servers out there still supporting SSL version 2, I can see this being an issue for a long time.

3
0

EE buys 58 Phones 4u stores for £2.5m after picking over carcass

djack

Re: Decline of the high street

The high-street retailers are more of a victim of parking fees and restrictions. They (generally) don't want or enforce them and it's their customers who have the option of going elsewhere.

2
0

'Stop dissing Google or quit': OK, I quit, says Code Club co-founder

djack

/me Applauds

I've never heard of Code Club or the lady in question before, but I must applaud her stance on not sacrificing her principles.

53
2

NIST to sysadmins: clean up your SSH mess

djack

There are quite a few significant issues with ssh version 1 (the protocol, not any particular implementation), yet you still see it available all over the shop.

That is the thing they are meaning. By all means stay away from the bleeding edge, but also stay away from the bloody and broken obsolete stuff too.

4
0

The police are WRONG: Watching YouTube videos is NOT illegal

djack

Re: They've got you...

Not really, transmission implies that you have the information in question and are sending it somewhere. Even if you have made a request for the transmission to be made, you are still only receiving it.

7
0

Need a green traffic light all the way home? Easy with insecure street signals, say researchers

djack

Unsurprising

I was asked to look at some of the back-end systems for this kind of stuff for a council a few years back. The issues I saw were very scary (even if I weren't under NDA I still wouldn't say as you'd think I'd made it up) and needless to say I chickened out of trying to actually experiment with anything. You can imagine the thoughts running through my head as I joined the massive traffic jam on the way home. (I later found that it wasn't actually anything to do with me.)

3
1

RealVNC distances itself from factories, power plants, PCs hooked up to password-less VNC

djack

How times change .. not

I remember finding similar issues on clients' machines years ago. Though this was unsecured PCAnywhere sessions on dial-up connections.

1
0

The agony and ecstasy of SteamOS: WHERE ARE MY GAMES?

djack

Zotac Steam Box

I followed the link about Zotac's upcoming steam box. Full, glitzy press release oh! and product details ...

ZOTAC Previews ZBOX Steam Machine

Intel Core processor (TBA)

NVIDIA GeForce GTX graphics processor (TBA)

Other details TBA

Final naming TBA

All-black 3rd Generation ZBOX chassis

Orange lighting

SteamOS preinstalled

Steam Controller bundled

Coming 2H 2014

Ahh, informative.

I found that complaining about the (beta) installation process of an OS that is still in beta, and is targeted for self install only by people comfortable building their own rig from scratch, or bought pre-installed on a system to be a little disingenuous.

3
0

Linux kernel devs made to finger their dongles before contributing code

djack

Re: Good for them, and for Yubico

@MyffyW

There is no hard 'artificial' expiration feature. However, there is an internal counter that is incremented every time the device is plugged in. This counter serves as part of the authentication mechanism to prevent replay (and provide some protection from pre-play) attacks. That counter is a 16-bit word. Yubico say that this corresponds to about 25 tokens every day for 7 years or 5 tokens every day for 35 years.

(http://static.yubico.com/var/uploads/pdfs/Security_Evaluation_2009-09-09.pdf)

You can replace the secret key on a Yubikey but I'm not sure if this resets that counter or not.

1
0
djack

Re: Good for them, and for Yubico

Yep,

I really like Yubikey. Effective and nice and cheap. So cheap that it's feasible to use for your home system security. Each key costs about £25 and that's it. No licensing fees for authentication software, 'agents' or ongoing support fees.

As they supply a preconfigured freeradius virtual appliance, you can (with a bit of work - no more than any other 2FA system) use it with almost anything.

1
0

Google leaves STUPID vuln on Nest devices

djack

Panic!!

I've just found you can do this with practically any computer or laptop!

All you need is an uber dangerous hacker tool called a 'boot disk' and you can load your own software onto the computer without logging in!!!

Remember, these are real computers with important things like accounts, porn and world of warcraft characters stored on them.

But, shh, keep it to yourselves guys, I might present this at next year's defcon.

But seriously, this actually makes it more likely that I will buy one. I was interested in Nest when it first came out but was instantly turned off by its reliance on 'the cloud'. If I can mod the software on these to only talk to my servers, I could be interested.

I like home automation, as long as all that data stays within my security domain.

3
0

Motorist 'thought car had caught fire' as Adele track came on stereo

djack

Re: Genuine reason.

"Except you shouldn't expect a warning of FIRE coming from the radio."

He clearly didn't realise that the message was from the radio. Many modern cars have a multifunctional display in the middle of the dashboard. Trip computer, door ajar warnings, parking sensor warnings and audio information etc. etc. all share the same space, with whatever is selected (or deemed more appropriate by the car) shown at any one time.

7
0

Amazon's Spotify-for-books: THE TRUTH

djack

There already is something similar to that bundled into Prime, the 'Kindle lending library' ("Over 500,000 Kindle titles to borrow for free"). As they are trying to strong-arm the indies into agreeing terms to be included, we can assume that the new service does not cover their entire catalogue.

So, this is even more money for similar access to an unknown, but limited selection (sorry, that will be 'selected titles') that you can't query in advance?

1
0

Manic malware Mayhem spreads through Linux, FreeBSD web servers

djack

Re: The fock?

AFAIK, the malware uses humans.txt as a test to see if RFI is possible. Seems a bit daft and wasteful to me. Implying that Google could prevent this malware (and therefore it's all Google's fault) by changing humans.txt seems a bit disingenuous to me. The test could be easily changed to refer to any other arbitrary file.

7
0

OpenWRT gets native IPv6 slurping in major refresh

djack

Re: So much better than original FW

I assure you the signal is very different. Before I could not connect to the network at all from outside the house. I was able to sit in the garden and work yesterday morning :)

I'm also a fan of Mikrotik, in fact I'd just ordered one of their boxes as a replacement AP when I had the brainwave of checking the OpenWRT compatibility. I now need to decide whether to send it back or keep it as a spare (you can never have too many spare bits of kit ;) )

0
0
djack

So much better than original FW

I only 'discovered' OpenWRT a couple of days ago and quickly disproved two beliefs I had about the software: I thought it was only useful if you need extra features not included in the manufacturer's firmware and that it was only for Linksys routers. How wrong I was.

I have a new TP-Link wireless AP. This thing had a weak signal that kept dropping out and needing a reboot. I had tried everything to make it work reliably and was on the verge of chucking it out until I noticed that OpenWRT would run on it. The difference was noticeable straight away, I have a much more stable network and can now even access it from further afield than before. I honestly don't know why TP-Link bothered trying to write their own FW, just ship the thing with OpenWRT, or have the installation instructions as the first step in the manual ;)

6
0

Pixar frees its production-grade RenderMan software

djack

Re: The economics

From what (little) I know of RenderMan, it is a rendering suite and a very flexible one. It is not a modelling or animation tool, you (can) throw the models and scenes you produce in those tools into RenderMan to get your pretty pictures.

1
1

UK bank heist-by-KVM gang sent down for 24 years after nicking £1.2m

djack

£10 - really?

To pick this up again from the last time this story was reported ..

Quite where can one buy a network accessible KVM device for £10??

Ebay has plenty of connector cables for (much more expensive) IPKVM switches but I have yet to see any evidence to back up this £10 claim.

7
0

BlackBerry ditches T-Mobile US after iPhone advert spat

djack

Re: Hypothermia

"When you're dying due to shitty sales it's not the time to go cutting off sales channels of any kind"

Even if said sales channel is explicitly trying to poach your loyal customers for a competitor? It looks like if they stayed with T-M, they would have fewer customers, not more.

6
2

Full Disclosure redux: under new management

djack

Re: Great idea, but there's just one thing

That's exactly why this is a mailing list rather than a website. Everyone can create an archive wherever they want. Just as the archives of the old FD list are available all over the place.

Besides, Fyodor has repeatedly proven his backbone in the face of takedown 'requests' and the like over the years.

2
0

Mastercard, Syniverse target holiday payment security with mobile verification system

djack

"Finally, if going abroad give the customers an easy way to inform the bank, we are going to be in country X between Y and Z."

One of the few things that MBNA have got right is precisely this. I just drop them a text saying when, where and how long and it's all sorted.

I'm pretty sure that my card was cloned whilst I was in a UK airport when going abroad on holiday a couple of years back. The number was used several times (though I had not attempted to use it whilst away) and the anti-fraud systems kicked in really quickly. The dodgy charges were all sorted and the card cancelled within a few hours of me getting to the hotel and there was a nice shiny new card waiting for me when I got home :)

0
0

Plusnet shunts blame for dodgy DNS traffic onto customers' routers

djack

Dunno, seems to be bash PN month at the reg.

3
0
djack

Re: For me there is a basic question

'The crucial difference was *the Cisco router could be patched*.'

The supplied Thompson device is actually firmware upgradable, though it's a faff on to do it. I had to flash the stock manufacturer's FW onto mine to allow my firewall to do PPPoE itself. The butchered firmware it came with was truly dire.

0
0

Psssst. Don't tell the Bride, but BBC Three is about to be jilted

djack

Re: And nothing of value was lost...

I disagree, there has been a fair amount of good stuff on BBC Three. As well as those other examples that started on the channel, Being Human and The Revolution Will Be Televised spring to mind.

I don't think that there has been anything on TV recently that has called out the hypocrisy, corruption and double-dealing in the government and large commercial entities.

That said, they could easily fit all of the quality programmes and new experimental stuff on BBC 1 and 2 by cutting down on the number of repeats and examining the synopsis of the shows they have. If the word 'reality' appears in there, then chop the programme. Simple.

17
0

Play.com tech titan snaps up 'VoIP-tastic WhatsApp' firm Viber

djack

What's this got to do with WhatsApp?

5
0

GPs slam NHS England for poor publicity of data grab plan

djack

Thanks for that link - most informative. A couple of things jumped out at me ...

What information will be shared? : Your NHS number and date of birth, your postcode.

Some reasons why you might choose to opt out: There is a small risk of your data being traced back to you. You cannot be sure which companies may have access to your information in the future.

So.. one item of data that uniquely identifies you and two others that, when combined, can almost certainly identify you only pose a 'small risk' of identification?? Oh, and you have no idea where this data is going to end up - who in their right mind can think that this situation is acceptable?

The fact that there is no standard, straightforward way of opting out of this speaks volumes.

6
0

Elderly Bletchley Park volunteer sacked for showing Colossus exhibit to visitors

djack

Not quite..

From what I have read, Station X was the name for the whole BP operation and not much (if any) wireless listening was actually done there. There were numerous Station Y (Y-erless .. geddit?) posts around the globe that actually did the listening and intercepts, most of which were sent to Station X for decrypting.

Many stories about Station Y posts are covered in "The Secret Listeners" by Sinclair McKay. Quite a fascinating read. The managers at BP were upsetting other, related organisations even then and we actually had the sort of PRISM-like data capture capability that everyone is getting up in arms about today .. back in the 20s.

0
0

Valve showers Debian Linux devs with FREE Steam games

djack

Re: Can't resist

The games you have bought may not have been ported, but there are many that have. For example, of the entire Valve collection only Portal 2 and CS:GO don't have a Linux version (no idea why those two have been left out). I have almost a hundred titles in my library - most of which were imported via the Humble Bundle, but some were recent Linux-specific purchases. The others being the Half-Life 2 bundle I bought when Steam was first launched.

3
0

Google's Nest gobble: Soon ALL your HOME are BELONG to US

djack

Re: @DropBear Beg pardon?

"Can you tell me how you do that please."

Install owncloud (http://www.owncloud.org/) on a server.

Install a CalDAV and CardDAV client on your phone (I use two separate apps, but people have reported good results with DAVdroid).

I have calendar and contacts synced between my phone, tablet, laptop and desktop.

0
0

Security guru Bruce Schneier to leave employer BT

djack

Re: B3

"Cable & Wireless Worldwide became part of Vodafone in April this year."

Yep. C&W have run those networks for many years. A few years back, they lost the contract to Energis - remember them? They won the gov contract and were then quickly bought by .. Cable and Wireless .. odd, that ;)

0
0
djack

Re: B3

"..Many BT exchanges used to (and I suspect still do) have classified compartments"

Quite true. However, it does not set them apart from other large companies. For example, it's no secret that Vodafone runs the GSI network, which deals with a lot of the classified data traffic in the UK. Most large players in the managed datacentre field have secured DCs that can be used to house classified services and data.

So what was your point?

5
0

Hackers steal 'FULL credit card details' of 376,000 people from Irish loyalty programme firm

djack

What are the Affected Schemes?

Why does there not seem to be a full list of the schemes that Loyaltybuild were responsible for? A couple of company names have been given, but how are people expected to know if they are affected without a definitive list of the schemes?

I'm pretty sure that this will be the first that 99% of the people on the schemes have heard of 'Loyaltybuild'.

2
0

Virgin Media to hike broadband prices by nearly 7 per cent

djack

Re: So will this 7% rise be in addition to the 11.5% rise BB only subs got gouged with?

"Handily VM have included a setting in the admin screens to switch off hub features and enable "modem only mode". There is no reason to stick with 20Mbps just because you don't want a superhub because there is no good reason not to want a superhub"

When the 'super' hub first came out, the modem only mode did not exist. It was simply a planned feature for the future. This came in at the time I was moving out from a shared house with VM BB. They lost me as a customer because they wouldn't supply me with a device that behaved like a plain modem.

That situation has changed now, it may be that Pete 47 isn't aware of the upgrade.

1
0

How Google paved the way for NSA's intercepts - just as The Register predicted 9 YEARS AGO

djack

" I don't use Google products now bar analytics, but even that is soon to change."

You are probably already aware of this, but Piwik does an amount of the stuff that google analytics does and can be self hosted ..

http://piwik.org/

2
0

Your kids' chances of becoming programmers? ZERO

djack

Re: 6502/6809's rool btw...

"EIEIO on the 6502? You jest. It's the PowerPC "Enforce Instruction Execution In Order" opcode."

Hmm, my memory is failing.

The mnemonic expands to the same wording, but I've definitely not done any assembly code on PowerPC (not done any at all for at least 15 years tbh,) so it must have existed on an earlier platform. It could have been 68000 I suppose.

1
0
djack

Re: 6502/6809's rool btw...

Whilst I was more of a Z80 kid, I do remember being amused by EIEIO on the 6502 (I think!)

2
0

Valve uncloaks prototype Steam Machine console specs

djack

Re: don't get it

The point of the differences is not to find the best performing system, it is to find a sweet spot between price and performance that a typical user would accept.

6
0
djack

It's my understanding that SteamOS will be free to download and install wherever you want.

I'm sure that they'd be delighted to have your input.

4
0

Would you hire a hacker to run your security? 'Yes' say Brit IT bosses

djack

Re: Really? Are you sure?

So true.

Unlike physical security, who typically have no need to enter the secure areas - just keep others out - information security is much more far reaching. There isn't a clear boundary that is the only place you need to actively defend, you need eyes everywhere from the external boundary firewall(s) through to internal authentication, applications and data stores.

Also, the skills needed to break in are not the same as those needed to secure. My field, penetration testing is the one where people always fail to see that. A bad guy needs to 'simply' find one way to compromise the system and exploit that.

In addition to that I need to find as many other ways as possible and know how to mitigate or fix those issues. I also have to do that with as minimal an impact on the system (not always possible) and communicate the issues to the system owner. I'm also expected to know about pretty much anything that I encounter on a network.

0
0

Travel much? DON'T buy a Samsung Galaxy Note 3

djack

Re: at least my unlocked iPad and iPhone works ANYWHERE!

If it were a radio issue, the warning would point out that it won't work at all in the other countries. The implication here is that roaming would work, and just not a local SIM. Whilst a technical limitation of a device is disappointing, adding deliberate blocks to functionality that the device has is abhorrent to me (even more than defending Apple).

Is it possible that there is a new standard for a SIM that has only been rolled out in Europe and that the phone depends on a feature in this version?

8
2
