(via Cisco switches to weaker hashing scheme, passwords cracked wide open | Ars Technica)
Password cracking experts have reversed a secret cryptographic formula recently added to Cisco devices. Ironically, the encryption type 4 algorithm leaves users considerably more susceptible to password cracking than an older alternative, even though the new routine was intended to enhance protections already in place.
It turns out that Cisco’s new method for converting passwords into one-way hashes uses a single iteration of the SHA256 function with no cryptographic salt. The revelation came as a shock to many security experts because the technique requires little time and computing resources. As a result, relatively inexpensive computers used by crackers can try a dizzying number of guesses when attempting to guess the corresponding plain-text password. For instance, a system outfitted with two AMD Radeon 6990 graphics cards that run a soon-to-be-released version of the Hashcat password cracking program can cycle through more than 2.8 billion candidate passwords each second…
cryptographic salt!
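To make the two properties the article calls out concrete (a single unsalted SHA-256 pass versus a salted, iterated scheme), here is an added Python example; it is not code from Ars Technica or Cisco, and it models only the cost and salt behaviour described above, not Cisco's actual type 4 encoding. The 2.8 billion guesses per second figure and the 100,000-iteration work factor are assumptions taken from the article and chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Simplified model of the scheme the article describes: one SHA-256 pass and
# no salt. This is NOT Cisco's real type 4 encoding, only its properties.
def unsalted_single_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Assumed work factor for the salted, iterated alternative (PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000

def salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 128-bit random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_pbkdf2(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_pbkdf2(password, salt)
    return hmac.compare_digest(digest, expected)

def estimated_guess_rate(single_sha256_rate: float, iterations: int) -> float:
    """Guesses per second an attacker gets if every guess costs `iterations` SHA-256 calls."""
    return single_sha256_rate / iterations

if __name__ == "__main__":
    # Two accounts with the same password: the unsalted scheme yields identical
    # hashes, so one precomputed table serves every account at once.
    print(unsalted_single_sha256("secret") == unsalted_single_sha256("secret"))  # True
    # The salted scheme yields different digests for the same password.
    s1, d1 = salted_pbkdf2("secret")
    s2, d2 = salted_pbkdf2("secret")
    print(d1 != d2, verify_pbkdf2("secret", s1, d1))  # True True
    # Work factor: the article's 2.8 billion/s rate drops to 28,000/s.
    print(estimated_guess_rate(2.8e9, ITERATIONS))
```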
(via Zero-day attack exploits latest version of Adobe Reader | Ars Technica)
A previously undocumented flaw in the latest version of Adobe Systems’ ubiquitous Reader application is being exploited in online hacks that allow attackers to surreptitiously install malware on end-user computers, a security firm said.
The attacks, according to researchers from security firm FireEye, work against Reader 11.0.1 and earlier versions and are actively being exploited in the wild. If true, the attacks are notable because they pierce security defenses Adobe engineers designed to make malware attacks harder to carry out. Adobe officials said they’re investigating the report.
“Upon successful exploitation, it will drop two DLLs,” FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett wrote of the online attacks they witnessed. “The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.” DLL is the researchers’ shorthand for a file that works with the Microsoft Windows dynamic link library…
I use this: Foxit Reader; it’s free…
Twitter is looking to add another layer of protection to its user authentication. After having at least 250,000 accounts’ passwords compromised in an attack against its service last week, Twitter apparently plans to implement two-factor authentication as an option to help users better protect their accounts—or at least it’s hiring people to help do that.
In a job listing posted by Twitter this week, the company seeks software engineers to develop “user-facing security features, such as multifactor authentication and fraudulent login detection.” When contacted by Ars, a representative for Twitter said the company has no specific details to share about its plans at this time.
Twitter currently uses OAuth as its authentication protocol for applications (either mobile apps or other Web services), which prevents attackers from recording and replaying session information in an attempt to hijack open user sessions. For direct user authentication, Twitter uses Secure Sockets Layer (SSL) encryption to pass user credentials from Web browsers and other Twitter clients.
Those measures protect users’ passwords and sessions from being directly intercepted and taken over in most cases. But they don’t guard against “man-in-the-middle” attacks, where a malicious access point or firewall using an SSL proxy intercepts encrypted Web traffic. Hackers have grabbed users’ Twitter credentials in the past through malicious webpages using cross-site scripting, e-mail “phishing” attacks, and other means. Last August, for example, the Reuters news service had its Twitter feed taken over by pro-Syrian hackers who pulled the Twitter password from the service’s blogging platform…
(via AP News: US government tells computer users to disable Java)
WASHINGTON (AP) - The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.
The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.
Experts believe hackers have found a flaw in Java’s coding that creates an opening for criminal activity and other high-tech mischief…
ahem…if possible - dump it
On Saturday, Microsoft published a security advisory warning users of Internet Explorer 6, 7, and 8 that they could be vulnerable to remote code execution hacks. The company said that users of IE 9 and 10 were not susceptible to similar attacks and recommended that anyone using the older browsers upgrade. Customers who still run Windows XP, however, cannot upgrade to IE 9 and 10 without upgrading their OS.
Microsoft’s confirmation comes after reports from several security groups that the attack sprang from the Council on Foreign Relations website, creating a “watering hole attack” that left people who visited the site through older versions of the browser open to further attack…
Electronic lock manufacturer Onity has finally agreed to reimburse its customers—major hotel chains like Marriott, Hyatt, and InterContinental (IHG)—for some of the costs of replacing its hackable locks.
Back in July, a security researcher exposed the fact that Onity locks (in use on around 4 million hotel rooms worldwide) could be disabled in a matter of seconds using a custom-designed kit that cost about $50. The company acknowledged the flaw but did not offer much in the way of a response until November.
Last month, following the theft of a laptop from a Texas hotel room using this hardware hack, the company began instituting a temporary hardware fix by physically blocking access to the ports with epoxy, and more recently, with a plastic plug and “security screws.”
Now, Forbes, which has been following this story for months, reports in a new corporate memo that the company has come to agreements with its hotel customers but has been less than forthright as to who will pay for these fixes.
“Just how much of the fix Onity is paying for in each customer’s case seems to vary,” Forbes reporter Andy Greenberg wrote on Thursday. “Though Onity seems to be offering the full price of the hardware fix for returned circuit boards from IHG and Marriott, the Hyatt memo states that Onity would charge $11 for every new circuit board it installed and repay only $6 for the replaced ones. It also mentions a $10 charge per lock for on-site firmware upgrades, as opposed to the free firmware upgrades in the other two deals.”
Greenberg published one of the internal corporate memos between Onity and Marriott-managed and franchised hotels, which Onity declined to confirm or deny was authentic.
When Ars contacted Onity for comment, Suzanne Fritz, a company spokesperson, returned essentially the same canned statement that she gave to Forbes, which makes no mention of a permanent, technical replacement for the vulnerable locks.
“As of November 30, 2012, Onity has shipped 1.4 million solutions for locks to hotel properties,” she said by e-mail. “Over the next several weeks, we will ensure all hotel properties in our database receive the mechanical solution. These mechanical caps and security screws block physical access to the lock ports that hackers use to illegally break into hotel rooms. The mechanical solution remains free of charge to customers.”
(via DSL modem hack used to infect millions with banking fraud malware | Ars Technica)
Millions of Internet users in Brazil have fallen victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a security researcher said.
The attack, described late last week during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said Kaspersky Lab expert Fabio Assolini, citing statistics provided by Brazil’s Computer Emergency Response Team. The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal the passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers, which caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.
“This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems,” Assolini wrote in a blog post published on Monday morning. “This enabled the attack to reach network devices belonging to millions of individual and business users, spreading malware and engineering malicious redirects over the course of several months…”
(via iPhone reportedly vulnerable to text message spoofing flaw - Engadget)
If you’re an iPhone owner, you may want to use good judgment before responding to any out-of-the-blue text messages in the near future. French jailbreak developer and security researcher pod2g finds that every iPhone firmware revision, even iOS 6 beta 4, is susceptible to a flaw that theoretically lets a ne’er-do-well spoof the reply address of outbound SMS messages. As Apple is using the reply-to address of a message’s User Data Header to identify the origin rather than the raw source, receiving iPhone owners risk being fooled by a phishing attack (or just a dishonest acquaintance) that poses as a contact or a company. A proof of concept messaging tool is coming to the iPhone soon, but pod2g is pushing for an official solution before the next iOS version is out the door. We’ve asked Apple for commentary and will get back if there’s an update. In the meantime, we wouldn’t panic — if the trickery hasn’t been a significant issue since 2007, there isn’t likely to be a sudden outbreak today.
(via Apple’s “in-app purchase” service for iOS bypassed by Russian hacker | Ars Technica)
A Russian hacker has unveiled a service that allows users of Apple iOS devices to pirate digital books, premium game levels, and other content sold through the company’s in-app purchase program.
The new service, which has already been subject to attempts at shutting it down, requires no jailbreaking and only minimal configuration changes. It works by funneling purchase requests through a server operated by the hacker rather than the legitimate one offered by Apple. As a result, charges that normally would be applied to a user’s account are bypassed. A video demonstration shows an iPhone running a prerelease version of iOS 6 using the service to obtain free content, but the service says it works for all devices that use iOS 3 or later.
A note to readers: in addition to legal and ethical considerations involving the pirating of for-fee content, the service comes with other serious consequences. Namely, it allows the operators of the fake server to see a user’s Apple ID, password, and possibly other data that is normally sent only to Apple. Hacker Alexey V. Borodin told Ars Technica that he doesn’t use, log, or otherwise monitor that data, but there is no way to confirm those assurances…