Trend Micro Migrates Security Tool HijackThis to Open Source

Trend Micro today announced that it has open sourced the code to its popular free security tool, HijackThis. The tool scans systems to find settings that may have been modified by spyware, malware or other programs that have wiggled their way onto a system and caused problems.

via Trend Micro Migrates Security Tool HijackThis to Open Source | SecurityWeek.Com.

“As new malicious code is released faster than ever before, the need for analyzing log data to identify new malicious code is more important than ever,” the company said in a statement. “Through this offer to the open source community, the product has the opportunity to develop and become an even better solution to quickly identify new malicious code.”

Download HijackThis.exe here. (sourceforge)

Official website here.

New research: There’s no need to panic over factorable keys–just mind your Ps and Qs

We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able to compromise were generated incorrectly–using predictable “random” numbers that were sometimes repeated. There were two kinds of problems: keys that were generated with predictable randomness, and a subset of these, where the lack of randomness allows a remote attacker to efficiently factor the public key and obtain the private key. With the private key, an attacker can impersonate a web site or possibly decrypt encrypted traffic to that web site. We’ve developed a tool that can factor these keys and give us the private keys to all the hosts vulnerable to this attack on the Internet in only a few hours.

via New research: There’s no need to panic over factorable keys–just mind your Ps and Qs | Freedom to Tinker.

The last time I was at this blog was many years ago when he showed how to hack electronic voting machines.
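The defect the excerpt describes, two keys that share one prime because of a weak random number generator, is exactly what a batch GCD audit of a key inventory catches. The following is an added example, not code from the Freedom to Tinker post or its authors; it uses constructed toy-sized primes so it runs instantly, but the arithmetic is identical for 2048-bit moduli.

```python
# Added example (not from the original post): pairwise-GCD audit of RSA moduli.
# Two moduli that share a prime p leak it as gcd(n1, n2) = p, and from p both
# private exponents follow; moduli built from distinct primes stay coprime.
from math import gcd
from itertools import combinations

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Return (n, d) for a textbook RSA key built from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, pow(E, -1, phi)

def shared_factor_audit(moduli):
    """GCD every modulus against every other one.  A gcd > 1 is a prime the
    two keys share; the matching private exponent is then recovered for both.
    Returns {n: d} for every modulus that turned out to be factorable."""
    recovered = {}
    for a, b in combinations(moduli, 2):
        g = gcd(a, b)
        if g == 1 or g in (a, b):   # coprime, or the same key listed twice
            continue
        for n in (a, b):
            p, q = g, n // g
            recovered[n] = pow(E, -1, (p - 1) * (q - 1))
    return recovered

# Constructed toy inventory: keys 1 and 2 were "generated" with a repeated
# prime (the low-entropy failure), key 3 with distinct primes.  Real primes
# would be about 1024 bits each; these are small so the demo runs instantly.
P_SHARED, Q1, Q2, P3, Q3 = 1000003, 1000033, 1000037, 1000039, 1000081
N1, D1 = make_key(P_SHARED, Q1)
N2, D2 = make_key(P_SHARED, Q2)
N3, D3 = make_key(P3, Q3)

if __name__ == "__main__":
    for n in shared_factor_audit([N1, N2, N3]):
        print(f"modulus {n} shares a prime with another key: private key recovered")
```

Running this over your own certificate inventory (moduli parsed from the certificates, not toy primes) is the defensive form of the check; a non-empty result means those keys must be regenerated on a host with a properly seeded random number generator.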

Critics slam SSL authority for minting certificate for impersonating sites

Critics slam SSL authority for minting certificate for impersonating sites.

Over the past year, security experts have proposed a variety of alternatives to the complex web of trust now used to manage the net’s ailing SSL system. Among them is the Convergence project devised by researcher Moxie Marlinspike. The system, which would have flagged counterfeit certificates used to snoop on some 300,000 Gmail users, has already won the qualified endorsement of security firm Qualys. Google, meanwhile, has said it has no plans to implement Convergence in its Chrome browser.

Offensive Mobile Forensics

There are many different locations containing interesting data on iOS devices. Data often resides in SQLite databases, the chosen format for local storage on mobile devices. The next best place to find sensitive information is in plist, or property list files – these are the primary storage medium for configuration settings in iOS, and they are also a fantastic source of sensitive information. User credentials are often stored here, instead of inside the KeyChain where they should be. Rounding out the top three data sources are binary or binary-encoded files, such as the device’s keyboard cache and pasteboard. Although storage locations commonly change with the release of new iOS firmware, it is fairly simple to poke around the general area and find what you’re looking for.

via Offensive Mobile Forensics.

Similarly to the configuration files for iOS, the XML files storing preferences for Android applications commonly include user credentials and other sensitive information.
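The point made above about plist files holding credentials that belong in the Keychain is something an app's own security review can check for directly. The following is an added example, not code from the Offensive Mobile Forensics article; it parses a constructed binary plist of the kind found under an app's Library/Preferences directory and flags credential-like keys, with the key-name pattern being an assumption of this example.

```python
# Added example (not from the original article): audit a preferences plist
# for secrets stored in plaintext instead of in the Keychain.
import plistlib
import re

# Key names that suggest a secret landed in a plist (pattern is an assumption).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|credential)", re.I)

def find_sensitive_entries(data, path=""):
    """Walk a parsed plist (nested dicts and lists) and return a list of
    (path, value) for every string stored under a credential-like key."""
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            here = f"{path}/{key}"
            if isinstance(value, str) and SENSITIVE_KEY.search(str(key)):
                hits.append((here, value))
            hits.extend(find_sensitive_entries(value, here))
    elif isinstance(data, list):
        for i, item in enumerate(data):
            hits.extend(find_sensitive_entries(item, f"{path}[{i}]"))
    return hits

def audit_plist_bytes(raw):
    """Parse a plist in either XML or binary form and audit its contents."""
    return find_sensitive_entries(plistlib.loads(raw))

# Constructed sample in binary plist form, the way iOS writes
# Library/Preferences/<bundle-id>.plist; every value here is invented.
SAMPLE_PLIST = plistlib.dumps(
    {
        "username": "alice",
        "account": {"password": "hunter2-example", "lastLogin": "2012-02-17"},
        "oauth": [{"accessToken": "tok_example"}],
        "fontSize": 14,
    },
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for path, value in audit_plist_bytes(SAMPLE_PLIST):
        print(f"{path}: plaintext secret present ({len(value)} chars)")
```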

Symantec ‘fesses up: ‘Code theft worse than we thought’

A hacker calling himself “Yama Tough”, acting as a spokesperson for the group, claims the source code had been pulled from insecure Indian government servers, implying that Symantec was required to supply their source code to Indian authorities. In a series of Twitter updates, Yama Tough talked about various plans to release the source code before committing to release the secret sauce of pcAnywhere.

via Symantec ‘fesses up: ‘Code theft worse than we thought’ • Channel Register.

Even so, the whole Symantec hack soap opera/pantomime (“You’ve been hacked!”, “Oh no we haven’t”… “Oh maybe we have”) raises serious questions about the security of Symantec’s ecosystem as well as turning the security giant into the punchline for jokes. For example, famed Apple hacker Charlie Miller quipped: “How could Symantec have gotten hacked? Don’t they use AV?” ®

Online Reputation Manager Hacked Websites To ‘inject’ Illegal Code

But Meade said Rexxfield owner and operator Michael Roberts was preparing to purchase a coding hack he called “injection source code” that lets the user manipulate the metadata behind a website, adding a “noindex” tag that drops the results on search engines like Google and Bing — hiding them completely.

Meade said Roberts showed him the code injector’s effectiveness by hacking into Ripoff Report, a complaint board site.

via EXCLUSIVE: Online Reputation Manager Hacked Websites To ‘inject’ Illegal Code | Fox News.

The six dumbest ways to secure a wireless LAN

Summary: [Updated 4/2/2007 – follow-up article here] For the last three years, I’ve been meaning to put to rest once and for all the urban legends and myths on wireless LAN security. Every time I write an article or blog on wireless LAN security, someone has to come along and regurgitate one of these myths. If […]

via The six dumbest ways to secure a wireless LAN | ZDNet.