

Archive for the ‘Security’ Category

Why isn’t the Web using HTTPS always?

Monday, May 2nd, 2011

You wouldn’t write your username and passwords on a postcard and mail it for the world to see, so why are you doing it online? Every time you log in to any service that uses a plain HTTP connection that’s essentially what you’re doing.

There is a better way: the secure version of HTTP, HTTPS. HTTPS has been around nearly as long as the Web, but it’s primarily used by sites that handle money. HTTPS is the combination of HTTP and TLS. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over the Internet.


Web security got a shot in the arm last year when the FireSheep network sniffing tool made it easy for anyone to capture your current session’s log-in cookie on insecure networks. That prompted a number of large sites to begin offering encrypted versions of their services via HTTPS connections. So the Web is clearly moving toward more HTTPS connections; why not just make everything HTTPS?

The article HTTPS is more secure, so why isn’t the Web using it? gives some interesting background on HTTPS. There are some practical issues most Web developers are probably aware of.

The real problem is that with HTTPS you lose the ability to cache. For sites that don’t have any reason to encrypt anything (you never log in and just see public information) the overhead and loss of caching that comes with HTTPS just doesn’t make sense. Most content on this site, for example, has no reason to be encrypted.

The initial SSL/TLS key exchange in HTTPS also adds latency, so an HTTPS-only Web would, with today’s technology, be slower. The fact that more and more websites are adding support for HTTPS shows that users do value security over speed, so long as the speed difference is minimal.

The cost of operating an HTTPS site is higher than for normal HTTP: you need certificates that cost money, and more server resources. There is a cost for secure certificates, but obviously that’s not as much of an issue for large Web services that have millions of dollars. The certificate cost can be a showstopper for some smaller low-budget sites.

Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn’t work well with virtual hosts. There is a way to make virtual hosting and HTTPS work together (the TLS extension Server Name Indication (SNI), which lets the client name the host it wants during the handshake so the server can pick the matching certificate), but so far it’s only partially implemented.
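To show what SNI actually puts on the wire, here is an added example (not code from the post): a minimal TLS 1.2 ClientHello with an SNI extension is built in Python and the host name is parsed back out, which is the step a virtual-hosting server performs before it can choose a certificate. Note that the name is sent in cleartext, before any encryption starts.

```python
import struct

# Constructed example, not code from the post: build a minimal TLS 1.2 ClientHello
# carrying a Server Name Indication extension, then parse the name back out the way
# a virtual-hosting server must before it can choose which certificate to present.
TLS_HANDSHAKE, CLIENT_HELLO, EXT_SNI = 0x16, 0x01, 0x0000


def build_client_hello(hostname: str, client_random: bytes = b"\x00" * 32) -> bytes:
    name = hostname.encode("idna")
    # SNI body: server_name_list length, name type 0 = host_name, name length, name
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SNI, len(sni)) + sni
    body = (b"\x03\x03" + client_random              # version, 32-byte random (fixed here)
            + b"\x00"                                # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs


def extract_sni(record: bytes):
    """Return the host_name a ClientHello asks for, or None if there is none."""
    if len(record) < 9 or record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
        return None
    end = 9 + int.from_bytes(record[6:9], "big")        # end of the handshake body
    p = 9 + 2 + 32                                      # skip version and random
    p += 1 + record[p]                                  # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher suites
    p += 1 + record[p]                                  # compression methods
    if p + 2 > end:
        return None                                     # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == EXT_SNI:
            _, ntype, nlen = struct.unpack("!HBH", record[p + 4:p + 9])
            if ntype == 0:
                return record[p + 9:p + 9 + nlen].decode("idna")
        p += 4 + elen
    return None
```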

In the end there is no real technical reason the whole Web couldn’t use HTTPS; there are practical reasons why it just isn’t happening yet.

Location data collecting smart-phones

Wednesday, April 27th, 2011

Location-based services (LBS) are a hot topic among mobile services developers. A location-based service is an information or entertainment service, accessible with mobile devices through the mobile network, that makes use of the geographical position of the mobile device. Modern smart-phones can locate the position of the phone using GPS and/or the radio signal delay of the closest cell-phone towers.

Location information can be used for all kinds of services, including mobile phone tracking. GPS real-time tracking of a person is technically quite possible using certain software and hardware tools. The phone could be sending the location data in real time or collecting the places visited into a file inside the phone. Malware can turn your smart-phone into a tracking device.

The widespread collection of location information is the latest frontier in the booming market for personal data. It seems that very many smart-phones track user location and store it on the device (or even send it to the phone manufacturer), usually without the permission of the device owner.

Researchers found that iPhones store unencrypted databases containing location information sometimes stretching back. The open-source iPhone Tracker application maps the information that your iPhone is recording about your movements in hidden files.

Apple Inc.’s iPhones and Google Inc.’s Android smartphones regularly transmit their locations back to Apple and Google, respectively, according to data and documents analyzed by The Wall Street Journal. This is intensifying concerns over privacy and the widening trade in personal data. Should you care that your iPhone’s logging your location? Apple gives some answers from their side.


Recent news reports say that Nokia phones and Windows Phone 7 phones also collect and send out location information.

Cellphones have many reasons to collect location information, which helps provide useful services like local-business lookups and social-networking features. Some location data can also help cellphone networks more efficiently route calls.

Google also has said it uses some of the data to build accurate traffic maps. Apple gathers the data to help build a “database with known location information”. Windows Phone 7 transmits to Microsoft a miniature data dump including a unique device ID, details about nearby Wi-Fi networks, and the phone’s GPS-derived exact latitude and longitude.

Maybe the phone manufacturers should have informed customers about this beforehand and obtained their permission. This kind of data collection can be a potential privacy problem, but maybe the companies can do this because most smartphone users do care about location privacy, according to new research from Nielsen.

A user is identifiable if you have a series of events. One privacy concern is that location databases can be a gold mine for police or civil litigants: requesting cell phone location information from wireless carriers has become a staple of criminal investigations.

Before the smart-phone era your operator already knew your location to a certain accuracy; it is needed for the cell phone network to work correctly. A cellphone is continuously sending and receiving signals to and from the nearest operator tower. Even in standby mode, a cellphone is ‘active’ in wireless communication. The signals received from cellphones are located by the cellphone service provider by analyzing the signals. Initially, the two or three towers nearest to the cellphone are identified. These figures are then compared with regard to the relative strengths of their signals. Using this method, a cellphone can be traced to within 100 meters of its actual position. Your telephone operator could be using this information and even storing it. You need to trust them if you use a cell phone.

Mag-stripe readers

Wednesday, June 23rd, 2010

The article iPhone mag-stripe reader stalled tells that Square, the expected breakthrough business launched by Twitter founder Jack Dorsey, won’t be shipping as scheduled. What is interesting is that Square is just a magnetic-stripe reader, and there were already a dozen credit card-processing applications on the iPhone. Only this time, it comes with a plastic lump that reads the card number by taking advantage of a feature banks have been trying to phase out for a decade or two. That fact didn’t stop venture capitalists pouring $10m into the company. According to the article, much of the invested money has been spent refining the hardware, but the real complexity has been underwriting the security of the system.


I expect that this iPhone mag-stripe card reader hardware is pretty simple. It seems to plug into the external mic connector of the iPhone, so I guess the hardware could be just the read head and some software for decoding the signal from the card stripe. The magnetic stripe read head is pretty similar to a compact cassette tape player read/write head. The head from an old tape deck works quite OK for this but is not as good as a reading head specifically designed for magnetic stripe reading. The signal level from a compact cassette tape deck read head is usually pretty close to microphone level.

The Magnetic Stripe Reading web page shows how to read a magnetic stripe using a computer sound card and a magnetic head from a cassette deck. The article text is as it appeared in the Spring 2005 issue of 2600 Magazine. The output of the magnetic head is fed directly into the mic input of a sound card and a simple Linux program does the decoding.


Since all the data obtained from the reader itself is audio, the device can even be interfaced to a digital audio recording device. Later, you’d view and edit the captured audio file, saving the clean waveform to a standard .wav file to be analyzed with software. At least in theory this works, and the Magnetic Stripe Reading article says that it works in practice.
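What the decoding software at the end of that chain has to do is shown by this added Python example (not the 2600 article's program): starting from the spacing between the peaks a read head produces, it recovers the F2F bit stream and decodes an ISO 7813 Track 2 record, checking the per-character parity and the trailing LRC so that a noisy capture is rejected rather than misread. The card data used is constructed.

```python
# Constructed example, not the program from the 2600 article: decode an ISO 7813
# Track 2 stripe the way sound-card reader software must. The stripe is F2F
# (Aiken biphase) coded: one flux reversal per bit cell for a 0, two for a 1,
# so all the audio capture really gives you is the spacing between the peaks.
TRACK2_ALPHABET = "0123456789:;<=>?"      # 4 data bits + 0x30; ';' starts, '?' ends


def stripe_gaps(text: str, cell: float = 1.0) -> list:
    """Test-input helper: text -> peak spacings as a read head would produce them."""
    bits, lrc = [0] * 8, 0                              # leading zeros for clocking
    for v in [TRACK2_ALPHABET.index(c) for c in text] + [None]:
        v = lrc if v is None else v                     # last character is the LRC
        lrc ^= v
        data = [(v >> i) & 1 for i in range(4)]         # LSB first
        bits += data + [1 - sum(data) % 2]              # odd parity bit
    gaps = []
    for b in bits + [0] * 8:
        gaps += [cell / 2, cell / 2] if b else [cell]
    return gaps


def gaps_to_bits(gaps: list) -> list:
    """F2F decode; the bit clock is learned from the first gap, a leading-zero cell."""
    cell, bits, i = gaps[0], [], 0
    while i < len(gaps):
        short = gaps[i] < 0.75 * cell
        bits.append(1 if short else 0)
        i += 2 if short else 1                          # a 1 spans two half-cell gaps
    return bits


def decode_track2(bits: list) -> str:
    """Locate ';', read 5-bit characters through '?', verify odd parity and the LRC."""
    start = next(i for i in range(len(bits) - 4) if bits[i:i + 5] == [1, 1, 0, 1, 0])
    out, lrc = "", 0
    for pos in range(start, len(bits) - 4, 5):
        chunk = bits[pos:pos + 5]
        if sum(chunk) % 2 == 0:
            raise ValueError(f"parity error at bit {pos}")
        v = sum(b << i for i, b in enumerate(chunk[:4]))
        if out.endswith("?"):                           # the chunk after '?' is the LRC
            if v != lrc:
                raise ValueError("LRC mismatch")
            return out
        lrc ^= v
        out += TRACK2_ALPHABET[v]
    raise ValueError("end sentinel not found")
```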

When reading the magnetic stripes of credit cards is nowadays that easy, it is no wonder that banks are trying to get rid of that old technology in favour of safer smartcard technology.

Could humans be infected by computer viruses?

Thursday, May 27th, 2010

The press release Could humans be infected by computer viruses? tells that a scientist at the University of Reading has become the first person in the world to be infected by a computer virus.

A high-end Radio Frequency Identification (RFID) chip was implanted into Dr Gasson’s left hand last year. “Our research shows that implantable technology has developed to the point where implants are capable of communicating, storing and manipulating data,” he said. “They are essentially mini computers. This means that, like mainstream computers, they can be infected by viruses and the technology will need to keep pace with this so that implants, including medical devices, can be safely used in the future.”

If the future is that we all become part machine as we look to enhance ourselves, we need to think about the security issues of those devices very carefully.


Image source: http://fi.wikipedia.org/wiki/RFID

Car electronics security

Wednesday, May 26th, 2010

Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. The report Experimental Security Analysis of a Modern Automobile experimentally evaluates these issues on a modern automobile and demonstrates the fragility of the underlying system structure. The paper demonstrates that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Practically every modern car has an On-Board Diagnostics (OBD-II) service connector, and that was the interface those researchers used to hack the car electronics. The OBD-II connector must be located within three feet of the driver and must not require any tools to be revealed. Look under the dash and behind ashtrays. Fortunately for car owners this interface is a physical connector and not a hackable wireless interface.

OBD-II connector pinout:

Pin 2 – J1850 Bus+
Pin 4 – Chassis Ground
Pin 5 – Signal Ground
Pin 6 – CAN High (J-2284)
Pin 7 – ISO 9141-2 K Line
Pin 10 – J1850 Bus-
Pin 14 – CAN Low (J-2284)
Pin 15 – ISO 9141-2 L Line
Pin 16 – Battery Power

How trackable is your browser?

Sunday, May 23rd, 2010

Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies. The Panopticlick service tests your browser to see how unique it is based on the information it will share with the sites it visits. The service will show the information your web browser tells web sites and how unique your setup is.


More reading:
Is Every Browser Unique? Results From The Panopticlick Experiment
How Unique Is Your Web Browser?
Panopticlick: Your Web browsing is less anonymous than you think
A Primer on Information Theory and Privacy
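The information-theory measure behind those papers, shown as an added Python example (not Panopticlick's code): over a small constructed population of visitors it computes how many bits of identifying information each browser attribute leaks, how many bits the combined fingerprint carries, and how many visitors are already unique without any cookie.

```python
import math
from collections import Counter

# Constructed visitor population, not Panopticlick data. Each tuple is what one
# browser reveals to a site: (user agent, timezone offset, screen size, plugins).
ATTRS = ("user_agent", "timezone", "screen", "plugins")
POPULATION = [
    ("Firefox/3.6", -120, "1280x800", "Flash,Java"),
    ("Firefox/3.6", -120, "1280x800", "Flash,Java"),
    ("Firefox/3.6", -120, "1920x1080", "Flash"),
    ("Firefox/3.6", 0, "1280x800", "Flash,Java"),
    ("Chrome/5.0", -120, "1280x800", "Flash"),
    ("Chrome/5.0", 300, "1440x900", "Flash,Java,Silverlight"),
    ("IE/8.0", 300, "1024x768", "Flash"),
    ("IE/8.0", 300, "1024x768", "Flash"),
]


def entropy_bits(values) -> float:
    """Shannon entropy of the observed distribution of `values`, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def surprisal_bits(value, values) -> float:
    """Identifying information in one observation: -log2 P(value). Rarer is more telling."""
    return -math.log2(list(values).count(value) / len(values))


def fingerprint_report(pop) -> dict:
    """Bits leaked per attribute, bits of the combined fingerprint, and how many
    visitors are already unique within this population."""
    report = {a: entropy_bits([row[i] for row in pop]) for i, a in enumerate(ATTRS)}
    report["combined"] = entropy_bits(pop)
    report["unique_visitors"] = sum(1 for c in Counter(pop).values() if c == 1)
    report["bits_to_single_out_anyone"] = math.log2(len(pop))   # log2(N) bits suffice
    return report
```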

Researchers find weakness in RSA

Wednesday, March 10th, 2010

Nothing is perfect. The most common digital security technique used to protect both media copyright and Internet communications has a major weakness. RSA authentication is a popular encryption method. The RSA algorithm gives security under the assumption that as long as the private key is private, you can’t break in unless you guess it. The article Researchers find weakness in common digital security system tells that University of Michigan computer scientists have found they could foil the security system by varying the voltage supply to the holder of the “private key”.

They carefully manipulated the operating voltage of the computer electronics (an FPGA). This causes it to make small mistakes in its communications with other clients (if it made big mistakes it would crash). These faults reveal small pieces of the private key, and enough faults allow the researchers to reconstruct the key offline. It takes a considerable amount of time (100 hours) and many servers (

For more details read the whole Fault-Based Attack of RSA Authentication paper. It describes an end-to-end attack on an RSA authentication scheme on a complete FPGA-based SPARC computer system and demonstrates that a fault-based attack on the RSA algorithm is possible.

It is highly unlikely that a hacker could use this approach on a large institution, so the risk of this to you could be pretty low. The researchers say that a common cryptographic technique called “salting”, which changes the order of the digits in a random way every time the key is requested, can help to fix this problem. There could also be other solutions as well (maybe better hardware, more immune to errors).
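An added Python example of the principle at work (not the Michigan team's code, and a different fault than the one they induced): the classic CRT fault attack on RSA by Boneh, DeMillo and Lipton shows with a toy key why a single corrupted computation is enough to leak a factor of the modulus, and why a signer must verify its own output before releasing it. The key and message are constructed.

```python
from math import gcd

# Constructed toy key (small primes, never for real use): P and Q are the 9999th
# and 10000th primes, so everything below runs instantly.
P, Q, E = 104723, 104729, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA-CRT signature; `fault` simulates a glitch corrupting only the mod-q half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1                           # a single flipped bit is enough
    h = (QINV * (sp - sq)) % P            # Garner recombination
    return sq + Q * h


def factor_from_faulty(m: int, bad_sig: int) -> int:
    """Attacker's view: one faulty signature on a known message yields a factor of N,
    because bad_sig^E still matches m modulo p but no longer modulo q."""
    return gcd((pow(bad_sig, E, N) - m) % N, N)


def sign_checked(m: int, fault: bool = False):
    """Defender's view: verify with the public key before releasing; withhold on mismatch."""
    s = sign_crt(m, fault)
    return s if pow(s, E, N) == m % N else None
```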


Image source: http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf

Most Dangerous Programming Errors

Thursday, February 25th, 2010

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe.

Cross-site Scripting, SQL Injection and Classic Buffer Overflow are still at the top of the list.


Image source: http://www.stevenbrown.ca/blog/archives/225

Do not use Internet Explorer

Tuesday, January 19th, 2010

The German and French governments have warned web users to find an alternative browser to Internet Explorer to protect their security. Microsoft has admitted that IE was the weak link in the recent attacks on Google’s systems. That Operation Aurora attack used Chinese malware. This broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system.

Microsoft says that IE’s increased security setting (security zone set to “high”) would prevent any serious risk, but German authorities say that even this would not make IE fully safe. This is a vulnerability that was announced in the last couple of days. Microsoft said that all versions of Internet Explorer were affected; there is no patch yet and Microsoft has not given any details of how soon a fix will be released. The risk is lower with more recent releases of its browser, but it is still there. The Google IE flaw issue was clearly a PR disaster for Microsoft. Microsoft is hoping that the knee-jerk reaction of France and Germany is not mirrored elsewhere.

So if you are still using IE 6, then it is finally time to get rid of that very old insecure browser. Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. If you use IE7 or IE8, you should consider switching to a safer web browser, because independent research says that IE 7 and 8 can also be exploited.

When you make the change I would recommend changing to Firefox, Opera or Google Chrome. While every browser has its security issues, the alternatives I have given do not have this vulnerability and should be considerably safer alternatives to IE in many other ways as well.
