Problems with MacBook Air at airport security gates.

Some people were having serious problems with their MacBook Air at airport checkpoints: when run through X-ray machines, the laptop doesn’t look like a laptop.

http://www.tsa.gov/blog/2008/03/update-bob-screens-apple-macbook-air.html

 
Posted on Mar 20, 2008 by Fred Cirera @ 18:40

Phone-based 'vishing' attacks

The FBI’s Internet Crime Complaint Center (IC3) published a new advisory on ‘vishing’ attacks.

As phishing is becoming harder and harder, scammers are now using the phone to gather personal information such as credit card and social security numbers.

Upon calling the telephone number, the recipient is greeted with ‘Welcome to the bank of…’ and then [is] requested to enter their card number in order to resolve a pending security issue

We have spent so much time telling people “don’t trust the mail” and “don’t trust the web” that people don’t trust them anymore. That’s why scammers are starting to use more traditional means of communication, which people are more familiar with and trust. You are more willing to trust a nice, sweet voice on the phone than a funky text in your inbox.

The technology to securely sign an email and identify its sender exists. I don’t understand why the banks are not using it.

 
Posted on Jan 18, 2008 by Fred Cirera @ 14:12

337,000 personal records stolen.

AlertRoot

Tennessee is reporting that 337,000 voter names and social security numbers have been stolen. You can read the complete news here.

For at least the past year, I have read news like this almost every week. I don’t understand why government or corporate employees are still carrying around files full of the public’s personal information. I also don’t understand why their hard drives are not encrypted. Encryption software is cheap and very easy to use; it would solve the problem of lost or stolen laptops.

Losing people’s personal information through negligence should be considered a criminal offense.


Update: 12/31/07
Personal Data Theft Reaches Unprecedented Levels in 2007

 
Posted on Dec 30, 2007 by Fred Cirera @ 09:21

Email obfuscation

Email harvesters traverse the Web looking for email addresses in web pages, for the sole purpose of building large databases of addresses to send spam to.

That's why it is always a good idea not to publish your email address on a web page, but sometimes you absolutely need to be contacted and have to post it.

On web pages you have no control over, such as forums, blogs or commercial websites, you can use a service like KasMail [kasmail.com] to create a temporary email address. When you need to enter your email somewhere, you use that temporary address. It is only valid for a short period of time (from a few days to several months) and is then automatically deleted by KasMail, so email harvesters will send their spam to an expired address.

Sometimes, though, you need to publish your personal email address. What you can do is obfuscate the address so that harvesters miss it. Here is the recipe I often use myself.

If you have a Mac, UNIX, or Linux, type the following line in a terminal window to encode your email address in base64 (note that base64 is an encoding, not encryption: it hides the address only from harvesters that do not bother to decode it). If you have Windows installed on your computer, install a real OS.
$ echo 'booba@gump.com' | openssl base64
Ym9vYmFAZ3VtcC5jb20K


The string "Ym9vYmFAZ3VtcC5jb20K" is your email address encoded in base64 (the trailing "K" encodes the newline that echo appends; it is harmless when the address is displayed). Enter the following lines in your web page at the place where you want your email address to appear.
<script type="text/javascript">
document.write(atob('Ym9vYmFAZ3VtcC5jb20K'));
</script>


Voila! An email harvester (at least one that does not execute JavaScript) will see a group of meaningless characters, and a real web browser will display your email address.
 
Posted on Dec 19, 2007 by Fred Cirera @ 12:05

How to delete flash cookies

Everyone has heard of HTTP cookies, and everyone knows that cookies can be a problem when it comes to privacy. But not everyone is aware that Flash Player has its own cookie mechanism.

If you go to this page you’ll see a little Flash application provided by Adobe to manage your Flash settings and the cookies stored by Flash.

Here is what the application looks like.

 
Posted on Dec 09, 2007 by Fred Cirera @ 15:21

Your GPS is your best friend

OK, I know that your GPS is already your best friend. It keeps you from being late to an important meeting because you got lost in the maze of city streets. It helps you find your way around places you have never been to before. But even if you know where you are going and don’t need your GPS to tell you where to go, it is always a good idea to leave it on.

Our streets are filled with cops aiming radars or laser guns at your car to check your speed. This equipment is very fragile; it needs to be used in a certain way, and under certain conditions, in order to be accurate. Used the wrong way, it can be prone to “wild” errors. A study shows that more than 90% of people don’t contest their tickets, even when they know they did nothing wrong, just because they feel helpless against a police officer and his radar.

Your GPS can help you challenge the system. You can extract your route log and your speed at the time you got the ticket from your GPS. This cannot be considered full proof, but it will help you a lot in making your case against an erroneous laser gun.

More information on laser guns:

 
Posted on Oct 26, 2007 by Fred Cirera @ 12:31

Using wget to download protected web pages

Commercial websites often protect access to some of their content with a password. But these websites want the protected content to be searchable, so in order to get it indexed they grant search engines access to the private part of the site. To do so they check the signature of the agent connecting to their web server.

By changing the signature of your agent, i.e. forcing the Referer: header and changing the User-Agent: header, you can get access to this protected content.

How to access this protected content with wget

You need to create a .wgetrc file in your home directory with the Referer and User-Agent variables set to the signature of a well-known search engine.

Example:
# .wgetrc file
# Last change: 11-24-2006

header = Accept-Language: en
header = Accept-Encoding: gzip, deflate
header = Keep-Alive: 300
user_agent = Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
referer = http://www.google.com


Then when you fetch the page with wget you'll get this output:

$ wget http://www.example.com/protected_content.html
--14:30:23--  http://www.example.com/
           => `protected_content.html'
Resolving www.example.com... 172.16.1.66
Connecting to www.example.com|172.16.1.66|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 37,356 (36K) [text/html]

100%[====================================>] 37,356       100.31K/s 

14:30:25 (100.05 KB/s) - `protected_content.html' saved [37356/37356]


I can't show you a real example here; it would be considered stealing.

For more details on the HTTP protocol check RFC-1954 and RFC-2068.
For more information about what the User-Agent is, search for User-Agent on Wikipedia.
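The whole trick above works only because the site trusts two request headers that any client can set. What a site operator should do instead, shown here as an added example that is not from the original post, is treat User-Agent and Referer as a mere hint and confirm a claimed crawler with a two-way DNS check: reverse-resolve the client IP, require a name inside a crawler domain, then forward-resolve that name and require it to point back at the same IP. The code is Python 3 with the standard library only; the DNS tables, IP addresses and host names are constructed for the example so it runs offline, and the trusted domain suffixes are an assumption to be checked against the search engine's current documentation.

```python
import socket

# Assumption: the reverse-DNS names the search engine documents for its crawlers end in these
# domains. Check the engine's current documentation before relying on a list like this.
TRUSTED_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def verify_crawler(client_ip, reverse_lookup=None, forward_lookup=None):
    """Two-way DNS check: client_ip must reverse-resolve to a trusted crawler host name,
    and that host name must forward-resolve back to client_ip. The lookup functions are
    injectable so the check can be exercised without network access."""
    reverse_lookup = reverse_lookup or (lambda ip: socket.gethostbyaddr(ip)[0])
    forward_lookup = forward_lookup or (lambda host: socket.gethostbyname_ex(host)[2])
    try:
        host = reverse_lookup(client_ip)
    except OSError:
        return False  # no PTR record at all
    if not host.lower().rstrip(".").endswith(TRUSTED_CRAWLER_SUFFIXES):
        return False  # PTR points somewhere outside the crawler's domains
    try:
        addresses = forward_lookup(host)
    except OSError:
        return False
    # The owner of an IP block controls its PTR records, so only the forward lookup
    # proves that the name really belongs to this address.
    return client_ip in addresses


def access_level(headers, client_ip, reverse_lookup=None, forward_lookup=None):
    """Decide how to serve a request. User-Agent and Referer are free-form client input,
    so they only nominate a request for the DNS check; they never grant access by themselves."""
    user_agent = headers.get("User-Agent", "")
    if "Googlebot" in user_agent and verify_crawler(client_ip, reverse_lookup, forward_lookup):
        return "crawler"          # serve the indexable copy
    return "subscriber-only"      # everyone else needs a real login


# Constructed sample DNS data (documentation-range addresses, not real records) for offline use.
SAMPLE_PTR = {
    "203.0.113.10": "crawl-203-0-113-10.googlebot.com",  # genuine crawler: PTR and A agree
    "198.51.100.7": "mail.example.net",                   # ordinary host
    "192.0.2.5": "crawl-fake.googlebot.com",              # forged PTR: A record does not point back
}
SAMPLE_A = {
    "crawl-203-0-113-10.googlebot.com": ["203.0.113.10"],
    "mail.example.net": ["198.51.100.7"],
    "crawl-fake.googlebot.com": ["203.0.113.99"],
}


def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]


def sample_forward(host):
    if host not in SAMPLE_A:
        raise OSError("no A record")
    return SAMPLE_A[host]


if __name__ == "__main__":
    spoofed = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
               "Referer": "http://www.google.com"}
    for ip in SAMPLE_PTR:
        print(ip, "->", access_level(spoofed, ip, sample_reverse, sample_forward))
```

With the sample data, the spoofed headers only get the "crawler" answer from 203.0.113.10, where the PTR and the A record agree; the forged-PTR address 192.0.2.5 fails on the forward lookup even though its reverse name looks right. The same idea applies to any crawler whose operator publishes its DNS naming scheme.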
 
Posted on Oct 17, 2007 by Fred Cirera @ 11:04

Cryptographic signature.

HMAC is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key. The HMAC algorithm can be used to verify the integrity of information passed between applications or stored in a potentially vulnerable location.

For the full details on HMAC, check out RFC-2104.


Python provides some basic cryptographic services such as HMAC. Using HMAC in Python is pretty straightforward. Here is an example:

import hmac

# Python 3: the key must be bytes and the hash must be named explicitly.
# MD5 was Python 2's implicit default and matches the output below; prefer 'sha256' for new code.
hmac_engine = hmac.new(b'This Is My Super Secret KEY', digestmod='md5')
with open('/etc/services', 'rb') as f:
    for block in f:            # feed the file to the MAC one line at a time
        hmac_engine.update(block)
print(hmac_engine.hexdigest())



When run, the code reads /etc/services and computes an HMAC digest for it (the value depends on the contents of your /etc/services):

$ python hmactest.py 
01c274a3eaca826fcd1b645e074bf99b



You can use HMAC in web applications to check the integrity of URLs or cookies.

Your application needs to send a cookie with some information, for example the login. Of course you don’t want someone to tamper with this cookie and change the user name. One solution is to sign the cookie with an HMAC digest.

Here is a code snippet example:

import hmac
import cherrypy

user_login = 'mallory'

# Python 3: bytes key and explicit hash; the MAC is computed over the login value
hmac_engine = hmac.new(b'This Is My Very-Super-Secret KEY!', digestmod='sha256')
hmac_engine.update(user_login.encode())
digest = hmac_engine.hexdigest()

# send the login and its MAC as two cookies; the server recomputes the MAC when they come back
cherrypy.response.simple_cookie['user'] = user_login
cherrypy.response.simple_cookie['digest'] = digest
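A complete sign-and-verify pair for the cookie idea above, as an added example that is not from the original post. Beyond the snippet it adds the three things the receiving side needs: recomputing the MAC over the cookie exactly as received, a constant-time comparison (hmac.compare_digest) so the check does not leak how many bytes matched, and an issue timestamp inside the MACed payload so a captured cookie cannot be replayed indefinitely. Plain Python 3 with the standard library and no web framework; the key value, the login and the timestamps are constructed for the example, and in real use the key would be loaded from configuration rather than written in source code.

```python
import hashlib
import hmac
import time

# Constructed key for the example; a real deployment loads a random key from configuration.
SECRET_KEY = b"example-only-key-0123456789abcdef"
SEP = "|"


def sign_cookie(user_login, issued_at=None, key=SECRET_KEY):
    """Build 'login|issued_at|hexdigest'. The MAC covers both fields, so neither the
    login nor the timestamp can be changed without invalidating the digest."""
    if SEP in user_login:
        raise ValueError("login must not contain the separator")
    issued_at = int(time.time() if issued_at is None else issued_at)
    payload = f"{user_login}{SEP}{issued_at}"
    digest = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}{SEP}{digest}"


def verify_cookie(cookie, now=None, max_age=3600, key=SECRET_KEY):
    """Return the login if the cookie is authentic and not expired, otherwise None.
    The MAC is recomputed over the payload exactly as received and compared in
    constant time; only after that are the fields interpreted."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    user_login, issued_str, digest = parts
    payload = f"{user_login}{SEP}{issued_str}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None                      # forged or tampered cookie
    try:
        issued_at = int(issued_str)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if not (0 <= now - issued_at <= max_age):
        return None                      # expired, or dated in the future
    return user_login


if __name__ == "__main__":
    cookie = sign_cookie("mallory")
    print(cookie)
    print("valid    ->", verify_cookie(cookie))
    print("tampered ->", verify_cookie(cookie.replace("mallory", "alice", 1)))
```

Changing the login, the timestamp or the digest by a single character makes verify_cookie return None, and so does presenting a genuine cookie after max_age seconds. Anything else the server must trust on the way back (a role, a URL parameter) belongs inside the MACed payload in the same way.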

 
Posted on Oct 17, 2007 by Fred Cirera @ 00:34