Tuesday, May 24, 2005
Project Honeynet reveals how phishing attacks are carried out
Here is one of my earlier entries describing what Phishing is.
Saturday, May 21, 2005
He asked the cashier why she was refusing to take the card. He said that the ID (a driver's licence in this case) contained his signature too, so the cashier could verify the signature on the receipt against the one on the driver's licence. She said that if the card is signed and the cardholder later disputes the transaction, then Visa/Mastercard/whoever issued the card has to pay up. But if the card is not signed and she relies on the ID instead, then the liability shifts onto them.
Look guys, I am no lawyer... but is this true? I know people who write "See ID" on the back of their cards and get away with it (at least so far). Did she BS him or is that a factual thing?
Wednesday, May 18, 2005
How to crack WiFi networks that use WEP
At an ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128-bit WEP key in about three minutes. So even the 128-bit key is not safe enough. The weakness is in WEP's design, not in the key length: every frame is encrypted with RC4 keyed by a 24-bit initialisation vector (sent in the clear) plus the key, and the small IV space repeats and leaks keystream, so a longer key only adds a little work for the attacker.
Here is what the Feds suggested to protect your WiFi network:
- Network segregation: Separate your WiFi network from your internal network and put a firewall in between, treating the wireless side as untrusted.
- Change the default settings of your Access Point: It seems like a no-brainer that you should change the default administrator password and the default SSID to something that does not identify the vendor or model.
- Turn off the WiFi network when not in use: Use a timer to turn off the WiFi network when you are not using it (e.g. sleeping hours); an attacker cannot collect frames from a radio that is off.
- Firmware updates: Keep updating the firmware on the AP, as vendors release patches for known vulnerabilities.
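An added example, not part of the original post or of the FBI demonstration, showing why the key length is beside the point for WEP. WEP encrypts each frame with RC4 keyed by a 24-bit IV followed by the 40-bit or 104-bit WEP key ("128-bit WEP" means a 104-bit key plus the 24-bit IV). Once an IV repeats, two frames share a keystream, and anyone who knows one plaintext reads the other without ever touching the key. The key, IVs and frame contents below are constructed for the demo, and the CRC-32 integrity value that WEP appends is omitted since it does not affect the point:

```python
"""Keystream reuse in WEP: the attack needs a repeated IV, not a short key."""
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then plaintext XOR RC4(IV || key).
    The ICV that real WEP appends is left out (constructed simplification)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40-bit or 104-bit key")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, plaintext_a: bytes):
    """Two frames under the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b.
    Knowing P_a (say, a predictable protocol header) yields P_b with no
    knowledge of the key at all. Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    keystream = xor_bytes(frame_a[3:], plaintext_a)  # C_a XOR P_a
    return xor_bytes(frame_b[3:], keystream)         # C_b XOR keystream


def frames_until_iv_repeat(seed: int = 0) -> int:
    """How many frames an AP that picks IVs at random sends before the first
    reuse: the birthday bound on 2^24 values, a few thousand frames, and
    independent of key length. Cards that restart the IV at zero on every
    reset repeat far sooner. Seeded so the result is reproducible."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key104 = bytes(range(13))            # constructed 104-bit ("128-bit WEP") key
    iv = b"\x0a\x0b\x0c"                  # the same IV used twice
    p1 = b"GET / HTTP/1.0\r\n"            # known plaintext (predictable header)
    p2 = b"Cookie: abc=123\r"            # the frame the attacker wants
    f1 = wep_encrypt(key104, iv, p1)
    f2 = wep_encrypt(key104, iv, p2)
    print("recovered without the key:", recover_from_iv_reuse(f1, f2, p1))
    print("frames until first IV reuse:", frames_until_iv_repeat(seed=1))
```

Run it with a 5-byte key instead of the 13-byte one and the recovery works identically: the key never enters the attack, which is why the FBI's three minutes scale with the number of captured frames rather than with key size.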
Securing Web-application state stored on the client-side
According to the article, these are the pros and cons of storing the state in the HTML page itself:
Storing state on the client has the following benefits:
* Scalability - A single server can support more clients. An increase in clients does not require more memory or database resources on the server.
* Back button is not a problem - All state is saved in the page, so the back button is no longer an issue. What you see in the HTML page is the serialised Java object used to generate that page.
* Session time-outs are not an issue - Nothing lives in the HttpSession, so its time-outs no longer matter.
Saving state on the client does not come for free. Here are some of the drawbacks:
* Computing resources - There is a CPU cost for encoding/decoding and encrypting/decrypting the state on each interaction.
* Bandwidth - Since all the state for a page is sent back to the server on every request, more data goes over the wire.
* Browser crashes - If the browser that holds the state crashes, the state is lost.
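The encrypting/decrypting cost in the list above buys something the article's summary does not spell out: state that leaves the server comes back from a machine you do not control, so before it is trusted it has to be checked for tampering, and it should carry an age so a stale copy cannot be replayed forever. The following is an added example, not code from the article, of sealing state with an HMAC under a key the client never sees. The key, the state values and the one-hour lifetime are constructed for the demo:

```python
"""Sealing client-side state: integrity via HMAC-SHA256, expiry via a timestamp."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in practice generate 32 random bytes and keep them server-side.
SERVER_KEY = b"constructed-demo-key-never-sent-to-the-client"
TAG_LEN = 32  # SHA-256 output length


def _encode_body(env: dict) -> bytes:
    """Canonical JSON so the same state always serialises to the same bytes."""
    return json.dumps(env, sort_keys=True, separators=(",", ":")).encode()


def seal_state(state: dict, now=None, key: bytes = SERVER_KEY) -> str:
    """Serialise state plus a timestamp and append HMAC-SHA256(key, body).
    The returned token goes into a hidden form field or a URL parameter."""
    ts = int(now if now is not None else time.time())
    body = _encode_body({"st": state, "ts": ts})
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def unseal_state(token: str, max_age: int = 3600, now=None, key: bytes = SERVER_KEY):
    """Return the state dict, or None if the tag does not verify, the token is
    malformed, or it is older than max_age seconds. Verify before parsing:
    unauthenticated input never reaches the JSON decoder."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        env = json.loads(body)
        age = (now if now is not None else time.time()) - env["ts"]
        if age > max_age:
            return None
        return env["st"]
    except (ValueError, KeyError, TypeError):
        return None


def peek_state(token: str) -> dict:
    """What any client can do without the key: read the state. An HMAC gives
    integrity, not confidentiality; encrypt as well if the state is sensitive."""
    raw = base64.urlsafe_b64decode(token.encode())
    return json.loads(raw[:-TAG_LEN])["st"]


def tamper_with_state(token: str, field: str, value) -> str:
    """What a client who edits the hidden field produces: a changed body with
    the old tag attached. Without the key no matching tag can be computed."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    env = json.loads(body)
    env["st"][field] = value
    return base64.urlsafe_b64encode(_encode_body(env) + tag).decode()


if __name__ == "__main__":
    token = seal_state({"user_id": 42, "price": 19.99})      # constructed state
    print("round trip:", unseal_state(token))
    print("client can read it:", peek_state(token))
    print("client edits price:", unseal_state(tamper_with_state(token, "price", 0.01)))
```

Two caveats follow from the design. The timestamp bounds how long a token lives, but within that window the same token can be submitted twice; if a page must not be replayed (an order form, say), the server still has to remember a per-token nonce. And the "back button is not a problem" benefit cuts both ways: an older page carries older state, and the application has to be happy to receive it.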
Tuesday, May 17, 2005
Why is data on laptops not encrypted
Encryption on laptops should be done by the O/S itself. Although Windows gives you an option to encrypt individual files and folders (EFS), it doesn't let you encrypt the entire hard disk. I am not sure about other operating systems like Linux/Solaris. Let me know if they provide encryption across the board for all the data on your hard drive, on a laptop or even on a desktop.
Update: On my flight to San Francisco, I came across an article in the in-flight magazine which said that 4,425 laptops were left in the cabs of one Chicago taxi company over six consecutive months in 2004, according to a survey of taxi drivers by the security firm Pointsec, along with 21,460 handheld computers and 85,619 mobile phones. As we store more and more data on our mobile devices we need a way to protect it even more.
Monday, May 16, 2005
How to request a server SSL certificate
Create your key pair. Always use the full state name, no abbreviations. CN (Common Name) should be the fully qualified domain name of your site, exactly as users will type it. Give the entry an alias, because every later step refers to it. This will also create the keystore if it doesn't already exist.
keytool -genkey -v -alias www.mysite.com -keyalg RSA -keysize 2048 -keystore keystore -dname "CN=www.mysite.com, OU=None, O=MyCompany, L=Redmond, ST=Washington, C=US"
Now generate the Certificate Signing Request, known as a CSR, for that same alias. This should create a file called "www.mysite.com.csr" in your current directory. Don't sign the request with MD5withRSA: MD5 collisions are practical and CAs reject it, so use SHA256withRSA (the CA picks the algorithm for the certificate it issues anyway; the CSR signature only proves you hold the private key).
keytool -certreq -alias www.mysite.com -sigalg SHA256withRSA -file www.mysite.com.csr -keystore keystore -storepass password
Once Verisign is done with their verification process they will sign and issue you a certificate. They might email it to you. Some CAs, like Thawte, provide a login/password and ask you to download the certificate.
Once you save the certificate file locally, let's say as "www.mysite.com.cert", you will need to import it into your keystore. Use the same alias as the key pair: keytool then treats the file as a certificate reply for that key rather than as a new trusted certificate. If the CA's intermediate certificate is not already among the trusted certificates, import it first under its own alias, or keytool will fail to build the chain. Before importing, check the subject and issuer of the file (keytool's -printcert option shows them) so you do not install a certificate for the wrong host.
keytool -import -trustcacerts -alias www.mysite.com -keystore keystore -file www.mysite.com.cert
A server certificate names the host(s) it was issued for (in the CN, and in the Subject Alternative Name extension) and browsers reject it on any other name, so it cannot be shared across domains. A client SSL certificate identifies a person or device rather than a host, so the same client certificate can be presented to any number of servers that trust its issuer.
You can follow this link on keytool, if you need more information about using it.
Tuesday, May 10, 2005
Password generator for a simple Single Sign-on solution
The concept is simple, but brilliant and effective. You create a personal master password. I recommend creating it with all the standard tricks: alphanumeric, minimum length 10 characters, with a special character or two. This password is then combined with the name of the site you are visiting and hashed with MD5, and that hash is used as your password for the site. Because the site name is different for every site, the hash is different too, giving you a unique password for each site without having to remember any of them.
A password-generator Greasemonkey script simplifies life even further. Greasemonkey is a Firefox extension which lets you add bits of DHTML ("user scripts") to any web page to change its behaviour. Check out Jon Udell's 2.75-minute screencast demonstrating how easy it is to use this concept. You only have to remember a single master password, giving you a kind of single sign-on effect.
This solution works best in Firefox with Greasemonkey installed, though Greasemonkey is not required (check Nick Wolff's website below). It even works with IE and Safari.
Nick Wolff's Password generator
Johannes la Poutré's Password composer
Jon Udell's entry talking about the single sign-on solution
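The scheme above, as an added example in Python; this is not the code of Nick Wolff's or Johannes la Poutré's scripts, and their exact formula (separator, output encoding, truncation, how the site name is normalised) is not reproduced. The choices below are assumptions for illustration: hash master + ":" + host, base64 the digest, keep 10 characters. The example also shows the two things a practitioner wants to know before relying on this: the site name must be normalised or the same site yields different passwords from different pages, and once one generated password leaks, the attacker can guess the master password offline at hash speed, which is why a deliberately slow derivation is shown beside the MD5 one:

```python
"""Per-site passwords from one master password, and what a leaked one gives away."""
import base64
import hashlib
from urllib.parse import urlparse


def normalize_site(url_or_host: str) -> str:
    """Reduce 'https://www.Example.com/login' and 'example.com' to one label.
    Assumed rule: lower-case the host and strip a leading 'www.'. Other
    subdomains (mail.example.com) are kept and so get their own password."""
    url = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def site_password_md5(master: str, site: str, length: int = 10) -> str:
    """The post's scheme: MD5 over master and site name, base64, truncated
    (assumed formatting). Deterministic, so nothing needs storing; and fast,
    which is the weakness exercised by recover_master()."""
    digest = hashlib.md5(f"{master}:{normalize_site(site)}".encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def site_password_pbkdf2(master: str, site: str, length: int = 16,
                         iterations: int = 200_000) -> str:
    """Same idea with a slow key derivation: a leaked site password now costs
    the attacker 200k SHA-256 rounds per master-password guess instead of one MD5."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(),
                             normalize_site(site).encode(), iterations, dklen=24)
    return base64.urlsafe_b64encode(dk).decode()[:length]


def recover_master(leaked_site_password: str, site: str, candidates,
                   derive=site_password_md5):
    """Offline guessing by whoever obtains one site's password in the clear
    (a phishing page, a site that stores passwords unhashed): try each
    candidate master and compare. The scheme is public, so only the master
    password's strength stands between the attacker and every other site."""
    for guess in candidates:
        if derive(guess, site) == leaked_site_password:
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed master password
    for site in ("https://www.example.com/login", "example.com", "example.org"):
        print(site, "->", site_password_md5(master, site))
    leaked = site_password_md5("horse", "example.com")
    print("master recovered from one leak:",
          recover_master(leaked, "example.com", ["cat", "dog", "horse"]))
```

Two practical notes: base64 output contains "+" and "/", which some sites refuse in passwords, so a real generator needs a per-site character-set rule; and changing the master password changes every site password at once, which is the one "rotation" this scheme supports.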
Monday, May 09, 2005
How to avoid becoming an Identity Theft victim:
- Do not give your Social Security number, mother's maiden name, or account numbers to strangers who contact you by phone, Internet, or mail.
- Guard your mail from theft.
- Pay attention to the time of the month your bills arrive (and call up the service you are subscribed to if a bill doesn't come on time).
- Put passwords on all your accounts with creditors.
- Don't carry your Social Security card (I carry a photocopy in my wallet).
- Don't carry credit cards or ID cards that you don't need.
- Cut or shred credit cards or ID cards you don't need.
- Cut or shred unwanted documents.
- Order a copy of your credit report at least once a year. (check this out to get your free credit report).
- Keep a log of every transaction and action.
- Report identity theft to the police or sheriff in the area where you live.
- Report the identity theft to your bank and other creditors.
- Contact the three major credit reporting agencies (Experian, TransUnion and Equifax).
- Ask businesses to provide you with information about transactions made in your name (businesses are required by a law in Washington to provide it).
- Contact the Federal Trade Commission's (FTC) identity theft hotline (1-877-IDTHEFT) or visit their website.
Saturday, May 07, 2005
Passwords are passé
But how about your personal passwords? Let's say your Hotmail password. Did you *ever* change it since you created it? I have only changed my Hotmail password once since I created my account in 1998. That's not just me; that is typical user behaviour. There are a gazillion issues with passwords and managing them. Here are a few:
- Each website or service that you register with requires you to create a new username and password.
- Each one has a different rule for what constitutes a safe password or how long it must be.
- You typically have 2-3 passwords that you reuse every time you register on a website. One of them might be the cryptic one you use for your bank accounts and such; another might be the lousy one (e.g. 1234) you use for stuff like Hotmail.
- You never change your password. (You think: who is going to break into my free New York Times registration?)
- You write down your passwords in a text file that you keep on your desktop, or on a note you carry in your wallet.
- You think of a genius password (or so you think) that no one should be able to guess, like some word in your native language. This doesn't work, because crackers conduct dictionary attacks, and yes, they use native-language dictionaries. I have around 40 native-language password dictionaries that can be used for an attack.
Computer manufacturers need to ship keyboards and/or mice with built-in fingerprint scanners. Browsers like IE and Firefox should be able to scan your index finger and send it to a website whenever it asks you to sign up or sign in. Of course the whole process of sending across fingerprints should be encrypted end-to-end. Mobile phones need to be equipped with fingerprint scanners as well, so that you can sign in to your email account.
The password issue is going to become messier as we move ahead with putting stuff like videos, photos, blogs and music on the network. The network could be a home network or something like an online file store. Everything needs a password these days: phones, wireless routers, voicemail accounts, websites, TVs, etc. Our reliance on digital stuff is increasing. We need to rely on the digit (aka finger, pun intended) to make the digitisation of our lives simpler.
Thursday, May 05, 2005
Mitigating a DoS attack
So what can be done when a DoS attack occurs? Can it be stopped, or at least its effect mitigated? Let's look at a few options:
- Configure your border router to drop outbound packets whose source address is not in your own address range (egress filtering). This does not protect you from being attacked; it stops your network from being used to launch spoofed-source attacks on someone else, and it only works as a community measure, since the spoofed packets in an attack on you come from networks that did not filter.
- Use a combination of a firewall and an Intrusion Detection System (IDS) to drop traffic that matches known attack patterns.
- Restrict broadcast traffic.
- Rate limit your traffic. Rate limiting caps the bandwidth a specific type of traffic (ICMP, TCP SYNs, traffic to one port) can consume at any given moment, so a flood saturates only its own allocation rather than the whole link.
- Do not forward ICMP packets addressed to directed broadcast addresses through your router; that is the amplification step smurf-style attacks rely on.
Sunday, May 01, 2005
SSL - a false sense of security
SSL only protects the connection. Let me explain. What SSL can do is protect data while it travels between a browser and a server, so that an eavesdropper cannot read it or silently modify it in transit. What it cannot do is protect the server that stores the data from any other kind of attack.
The data inside the server's database is NOT protected by SSL. It lies there in plain text unless the application encrypts it before storing it. SSL does not protect against operating system vulnerabilities either. If someone can exploit a known vulnerability in the operating system, then the server, and potentially the data, is exposed.
Because the payload is encrypted, a network sniffer or IDS cannot see what was sent inside an SSL connection, and attackers know it: SSL is the preferred channel for exploiting application-level vulnerabilities, since the attack traffic passes network monitoring unseen and only the application itself, or the logs it writes after decryption, can record it. Attackers also often chain proxy servers with SSL so that their activities cannot be traced back to their own computer.
Copyright Anand Jain 2004, 2005. All rights