Irregular Expressions


January 29, 2012  1:05 AM

By-passing Linux based screen locks

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

This gives the warm and fuzy’s.

http://seclists.org/oss-sec/2012/q1/200

The chain is pretty good, the point where the bug was introduced is identified.  From what I can tell this was an optional feature added in the past and recently re-added as a default setting.

Ta-Da!

January 29, 2012  12:56 AM

How private is the private mode?

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

My next project is going to be comparing a set of five to six different browsers that provide a privacy mode and to see what kind of forensic residue is left behind by each.  Also, don’t worry about the challenge that we were working on last month I will get back to it, I just have been terribly busy with other commitments.

What I am trying to find is what is left by each, what you can piece back together from that then I hope to move on to remediation ideas to fill in the gaps for each.

So far the list is looking like Safari ( windows ), Chrome, IE 8, IE 9 and Firefox.


January 27, 2012  12:55 AM

Should you be forced to decrypt your device?

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

That’s a huge question.  I am not a legal expert, and law is not a science either.

What I mean by that is you can ask ten courts the same question and get nine same answers but there is always the chance of that one that interprets it differently.

http://www.engadget.com/2012/01/24/judge-laptop-decryption-colorado-fifth-amendment/

In this case the defense is pulling in the 5th Amendment, arguing that divulging the password will be a case of self-incrimination.

First I think we should try and strip the technology off this problem.  Now is a encrypted data set a lock and key or a combo safe?

Now that is a good question, in my opinion it’s neither.

Those make a poor analogy to a encrypted disk.  What if we look at it as just cipher text?

From what I know the founders of the US used ciphered messages before and after, so what in law references that?

None that I can find.  I would really like to find the answer to this, I may have to ask around.

Now after all of that, there is some places that I have laws specific to key disclosure and I think our paper message would apply to that.  The basic idea of them is give us the key or go to jail for X, some was a few months to two years.  Now depending on the case it might be better to take the two years and have the primary case fall apart.

I doubt that this is done with.


January 26, 2012  4:44 PM

Statistical analysis of elections

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

And the cool thing of the day award goes to,

http://arxiv.org/pdf/1201.3087v1.pdf

Not really IT related, and more then a little out of my element.


January 26, 2012  4:33 PM

Hash Identifier

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

This is handy for any CTF games you may find your self in.

https://code.google.com/p/hash-identifier/

It might cut out a bunch of work for you.


January 26, 2012  4:32 PM

Password analysis

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Just stumbled on this,

http://thepasswordproject.com/rockyou_passpal_0.3_dump

Interesting, I have found many times that these dumps will dump vary extremely by what site it’s taken from the context.


January 25, 2012  12:40 AM

News news news

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Found a few things going on that got me fired up.

Megaupload head cheese has been denied bail, they assert that he is a flight risk.

http://www.bbc.co.uk/news/world-asia-16711416

I am totally on the fence on this one, I have seen a lot of legitimate material hosted on there.  The other material I have seen on there is peoples personal stuff, I really have not looked very hard on there of copy righted stuff and what I did look for was already down.  Which fits in with their story / policy of removing it.

I will be following this, I really want to see where all of the figures came from.

Another story is the MS security team has named a bot net creator that looks to have had a previous life at a AV company.

http://www.bbc.co.uk/news/technology-16700192

Another one to follow.


January 25, 2012  12:34 AM

Tor Write Up, Kinda

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

What starts out as a Tor guide quickly goes technical with a wiff a tin foil.

http://cryptome.org/0005/tor-opsec.htm

( Not that I am discounting anything they are saying, none of it is made up. I personally have never thought of anyone going through that kind of effort for the kind of things I am up to.  If you are on the run from the fuzz or are up to general bad bad things I guess that kind of stuff would apply. )


January 24, 2012  12:46 AM

Protecting online banking – Part 4

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

I just want to wrap up my thoughts on this.  This is not going to stop every type of attack, there are a few ways to get around this type of authentication method.  The first one that comes to mind is using the authenticated session that the user has created for you already and not waiting to try and log in later.  While saying that, something is better then nothing.  This may not work against a determined targeted attack but at least you wont be low hanging fruit.

I tried to find a few FI’s that I could point you to that had OTP listed as a two factor method, but I just turned up a bunch of old white papers.  I did find mention of FI’s in Germany that used paper for the OTP and various ones using SMS.


January 23, 2012  1:08 AM

Protecting online banking – Part 3

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

My personal choice would be a OTP ( One Time Pad ) setup.

The setup should be fairly simple;

  • Create a system to create random sets of 8 ( or more ) character pads, they should be random but careful to make it easy for users to separate 0 and O.  Maybe only upper and lower case with no numbers?
  • These should not be guessable or form any sort of pattern, so maybe use a hashing function. Just don’t hash 1, 2, 3, 4.
  • When creating the pad one copy is associated with the user and stored as part of the authentication system and the other is handed off.
  • The system should know when a user is nearing the end of the current pad and prompt for the creation of the next.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: