Aetles + security   27

Is Your Credit Card Stolen? Check for free!
If you fear your credit card info has been stolen, enter it here and you can find out for free. Avoiding fraud has never been easier!
phishing  security 
yesterday by Aetles
Mathy Vanhoef: WhatsApp Considered Insecure
For my internship I created a methodology to test the security of mobile applications. After I finished it I decided to take a look at WhatsApp and test the methodology I created. Several new vulnerabilities were found, including a very severe one that even affected people not using WhatsApp. But before going into detail let's first investigate the security history of WhatsApp.
whatsapp  iphone  ios  security 
2 days ago by Aetles
Dropbox tech blog » Blog Archive » zxcvbn: realistic password strength estimation
Over the last few months, I’ve seen a password strength meter on almost every signup form I’ve encountered. Password strength meters are on fire.

Here’s a question: does a meter actually help people secure their accounts? It’s less important than other areas of web security, a short sample of which includes:

Preventing online cracking with throttling or CAPTCHAs.
Preventing offline cracking by selecting a suitably slow hash function with user-unique salts.
Securing said password hashes.
With that disclaimer — yes. I’m convinced these meters have the potential to help. According to Mark Burnett’s 2006 book, Perfect Passwords: Selection, Protection, Authentication, which counted frequencies from a few million passwords over a variety of leaks, one in nine people had a password in this top 500 list. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud. Burnett ran a more recent study last year, looking at 6 million passwords, and found an insane 99.8% occur in the top 10,000 list, with 91% in the top 1,000. The methodology and bias is an important qualifier — for example, since these passwords mostly come from cracked hashes, the list is biased towards crackable passwords to begin with.

These are only the really easy-to-guess passwords. For the rest, I’d wager a large percentage are still predictable enough to be susceptible to a modest online attack. So I do think these meters could help, by encouraging stronger password decisions through direct feedback. But right now, with a few closed-source exceptions, I believe they mostly hurt. Here’s why.
development  javascript  password  security  dropbox 
6 weeks ago by Aetles
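As an added illustration of the excerpt’s point (this is not code from the Dropbox post or from zxcvbn itself): a meter that scores only character classes gives “Password1” a healthy-looking figure, while an attacker walking a ranked leak list with the usual variations gets it in a handful of guesses. The ranked list and the 22-variants-per-word figure are assumptions constructed for this example, not real frequency data.

```python
import math
import string

# Constructed stand-in for a ranked list of leaked passwords (Burnett's
# "top 10,000"); the ordering is illustrative, not real frequency data.
COMMON_PASSWORDS = [
    "password", "123456", "12345678", "qwerty", "abc123", "password1",
    "compaq", "7777777", "merlin", "rosebud",
]
RANK = {p: i + 1 for i, p in enumerate(COMMON_PASSWORDS)}

# Assumed attacker behaviour per dictionary word: lowercase, Capitalised,
# and each of those with one trailing digit 0-9 (1 + 1 + 20 = 22 guesses).
VARIANTS_PER_WORD = 22


def charset_size(pw: str) -> int:
    """The character-class count a naive meter uses to compute 'entropy'."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return max(size, 1)  # empty or exotic input: avoid 0 ** n


def naive_guesses(pw: str) -> int:
    """What a charset-based meter assumes: every string over the charset is
    equally likely, so the attacker needs |charset| ** len(pw) guesses."""
    return charset_size(pw) ** len(pw)


def dictionary_guesses(pw: str):
    """Guesses needed by an attacker walking the ranked list with the common
    variations, or None if pw is not built from a listed word."""
    candidates = []
    if pw.lower() in RANK:                       # exact (case-folded) hit
        candidates.append(RANK[pw.lower()])
    stem = pw[:-1] if pw and pw[-1].isdigit() else pw
    word = stem.lower()
    if stem in (word, word.capitalize()) and word in RANK:
        candidates.append(RANK[word] * VARIANTS_PER_WORD)
    return min(candidates) if candidates else None


def estimate_guesses(pw: str) -> int:
    """Realistic estimate: the dictionary attack if it applies, else brute force."""
    d = dictionary_guesses(pw)
    return d if d is not None else naive_guesses(pw)


def verdict(pw: str) -> dict:
    """Both figures in bits (log2 of the guess count), rounded to one decimal,
    so the gap between what a naive meter displays and reality is visible."""
    return {
        "naive_bits": round(math.log2(naive_guesses(pw)), 1),
        "realistic_bits": round(math.log2(estimate_guesses(pw)), 1),
    }


if __name__ == "__main__":
    for candidate in ("Password1", "merlin", "xq7!Vb"):
        print(candidate, verdict(candidate))
```

“Password1” shows the gap: a class-counting meter reports roughly 54 bits, the dictionary estimate under 3. A random six-character string scores the same under both, because no pattern applies; that is the case where charset entropy is honest.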
Coding Horror: Speed Hashing
I'm too busy to read all this.
If you are a user:

Make sure all your passwords are 12 characters or more, ideally a lot more. I recommend adopting pass phrases, which are not only a lot easier to remember than passwords (if not type) but also ridiculously secure against brute forcing purely due to their length.

If you are a developer:

Use bcrypt or PBKDF2 exclusively to hash anything you need to be secure. These new hashes were specifically designed to be difficult to implement on GPUs. Do not use any other form of hash. Almost every other popular hashing scheme is vulnerable to brute forcing by arrays of commodity GPUs, which only get faster and more parallel and easier to program for every year.
encryption  hash  hashing  passwords  security 
7 weeks ago by Aetles
DNS Changer
Is your DNS OK?
A half dozen national Internet security teams around the world have created special web sites that will display a warning message to potential victims of the DNS Changer infection. For example if you visit http://dns-ok.de/ then you'll get a German language page saying either that you appear to be infected or that you appear not to be infected. Andrew Fried and I created http://dns-ok.us/ for the same purpose, though of course our page is in American English. The full list of these "DNS Checking" web sites is published on the DCWG's web site along with a lot of information about the threat, the arrests, the takedown, the court orders, and clean-up information for victims. Now that we've got all these web sites that are able to tell someone if they are a victim and that tell victims what to do to clean up their computers and their home routers, the problem seems to be getting people to care.
dns  security 
8 weeks ago by Aetles
Red Sweater Blog – Fix The Sandbox
The Broken Sandbox

At its best sandboxing is a means for app developers to faithfully state their intentions in a manner that can be evaluated by users, and also be reliably enforced by the operating system. So if your new “Fun on Facebook” app declares its intention is to connect to the web, you might judiciously allow it. If it says it needs to write files to the root of the filesystem, you’d be wise to search for another app.

Sandboxing on the Mac works by providing developers with a standardized list of “entitlements” which are clear descriptions of things it would like to do on your Mac. Examples include: access the internet, read files from your Pictures folder, print things on your printer.

The number one broken thing about sandboxing as it stands today, is the list of entitlements is simply too limited. Many apps on the App Store, including my own, will need to have their functionality considerably diminished, or in some cases made outright useless, in order to accommodate the available list of entitlements that sandboxing offers.
sandboxing  security  macappstore 
february 2012 by Aetles
Twitter User Barred From US For "Destroy America" Tweet
It is widely known that law enforcement agencies are turning to social networks to monitor citizens but one UK Twitter user saw a joke tweet land him in hot water, as he was detained by Homeland Security in Los Angeles, interrogated and barred from the US, The Sun reveals.

Before Leigh Van Bryan and his friend Emily Bunting embarked on a holiday to Los Angeles, Van Bryan tweeted that he was going to “destroy America,” boasting that he would try “digging up Marilyn Monroe” during his trip across the pond.

If someone tweets they would “destroy America,” you would expect it to alert law-enforcement agencies. However, in the UK, “destroying” can also be used as a term for partying or having a good time.

When Van Bryan and Bunting arrived in the US, they were immediately detained by officials at Los Angeles International Airport, held by armed guards and questioned for over five hours before they were “handcuffed, put in a van with illegal immigrants and locked up overnight.”

Twelve hours later, after being held in separate cells (Van Bryan shared his cell with Mexican drug dealers), the pair were released and put on a plane home.
usa  travel  government  security  twitter 
january 2012 by Aetles
US customs can and will seize laptops and cellphones, demand passwords | Naked Security
The American Civil Liberties Union has brought a suit against the US government over its seizure of the laptop of a computer security consultant - a seizure carried out at a Chicago airport about a year ago without a search warrant or any charges of crimes.

According to a report in Sunday's Boston Globe, the consultant - a former MIT researcher, David House - was returning from rest and relaxation in Mexico when federal agents seized his laptop.

According to the Globe, the government wanted to know more about House's connections to Bradley Manning, the US Army private accused of leaking classified information to WikiLeaks.

The seizure comes as no surprise. As Globe writer Katie Johnston notes, United States ports of entry are dubbed "Constitution-free zones" by civil liberties advocates.

Barring invasive techniques such as strip seizures, government agents are free to disregard Fourth Amendment protection against unreasonable search and seizure. They don't need reasonable suspicion or probable cause, and they can take what they like, be it laptops or smart phones.
usa  security  travel  privacy 
january 2012 by Aetles
Andy Baio: Think You Can Hide, Anonymous Blogger? Two Words: Google Analytics | Epicenter | Wired.com
Last month, an anonymous blogger popped up on WordPress and Twitter, aiming a giant flamethrower at Mac-friendly writers like John Gruber, Marco Arment and MG Siegler. As he unleashed wave after wave of spittle-flecked rage at “Apple puppets” and “Cupertino douchebags,” I was reminded again of John Gabriel’s theory about the effects of online anonymity.

Out of curiosity, I tried to see who the mystery blogger was.

He was using all the ordinary precautions for hiding his identity — hiding personal info in the domain record, using a different IP address from his other sites, and scrubbing any shared resources from his WordPress install.

Nonetheless, I found his other blog in under a minute — a thoughtful site about technology and local politics, detailing his full name, employer, photo, and family information. He worked for the local government, and if exposed, his anonymous blog could have cost him his job.

I didn’t identify him publicly, but let him quietly know that he wasn’t as anonymous as he thought he was. He stopped blogging that evening, and deleted the blog a week later.

So, how did I do it? The unlucky blogger slipped up and was ratted out by an unlikely source: Google Analytics.
analytics  google  privacy  security 
november 2011 by Aetles
Securing Your WordPress Website - Smashing WordPress
Security has become a foremost concern on the Web in the past few years. Hackers have always been around, but with the increase in computer literacy and the ease of access to virtually any data, the problem has increased exponentially. It is now rare for a new website to not get comment spam within days of its release, even if it is not promoted at all.

This increase in naughty behavior, however, has spurred developers to write better code, and framework vendors have implemented many functions to help coders in their battle against the dark side.

Because data validation and sanitization is a big part of both security safeguards and normal user-input processing, by securing our code we will be not only protecting our behinds, but offering a better, more solid user experience.

While a large part of this article is specific to WordPress, a sizeable chunk is about general practices that anyone can use. Even the WordPress-centric sections contain useful logic, so reading them may well be worth it even if you use a different framework.
security  tips  wordpress 
november 2011 by Aetles
juuso/BozoCrack - GitHub
BozoCrack
BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

It works way better than it ever should.
hack  md5  passwords  security 
november 2011 by Aetles
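The Coding Horror advice above (bcrypt or PBKDF2, nothing else) and BozoCrack are two sides of one fact: an unsalted MD5 digest is a deterministic function of the password, so any precomputed table, a search engine’s index included, maps it straight back. The following is an added example, not code from either project; the wordlist stands in for whatever Google has indexed, and the iteration count is an assumed value to tune to your own hardware.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the indexed plaintexts BozoCrack relies on.
WORDLIST = ["letmein", "password", "monkey", "123456", "trustno1"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack_unsalted_md5(digest: str, wordlist=WORDLIST):
    """The BozoCrack idea offline: build (or look up) digest -> plaintext.
    No salt and no work factor means one table serves every victim."""
    table = {md5_hex(w): w for w in wordlist}
    return table.get(digest.lower())


# The Coding Horror advice in code: PBKDF2-HMAC-SHA256 with a random per-user
# salt and a work factor. 600_000 iterations is an assumption for this
# example; pick the largest value your login latency budget tolerates.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_unsalted_md5(md5_hex("password")))   # recovered instantly
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
```

Because the salt is random, hashing the same password twice yields two different records, so a single lookup table is useless against the PBKDF2 store, and the iteration count makes each guess cost the attacker what it costs you.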
Securing PHP | James Cunningham
Configuration

While the provided PHP configuration (found in /etc/php.ini) is okay, it’s not great, and can be improved by changing some of the settings specified below.
php  security 
october 2011 by Aetles
Disabling Third-Party Cookies Doesn’t (Meaningfully) Improve Privacy « Kevin Montrose
I noticed in some discussion on Hacker News about Google Chrome an argument that disabling third-party cookies somehow improved privacy.  I don’t intend to comment on the rest of the debate, but this particular assertion is troubling.

At time of writing, only two browsers interfere with third-party cookies in any meaningful way.  Internet Explorer denies setting third-party cookies unless a P3P header is sent.  This is basically an evil bit, and just as pointless.  No other browser even pretends to care about this standard.

The other is Apple’s Safari browser, which denies setting third-party cookies unless a user has “interacted” with the framed content.  The definition of “interacted” is a bit fuzzy, but clicking seems to do it.  No other browser does this, or anything like it.  There are some laughably simple hacks around this, like floating an iframe under the user’s cursor (and, for some reason, submitting a form with a POST method).  Even if those hacks didn’t exist, the idea is still pointless.
security  privacy  cookies  tracking 
september 2011 by Aetles
Some real Shock and Awe: Racially profiled and cuffed in Detroit | Stories from the Heartland
Silly me. I thought flying on 9/11 would be easy. I figured most people would choose not to fly that day so lines would be short, planes would be lightly filled and though security might be ratcheted up, we’d all feel safer knowing we had come a long way since that dreadful Tuesday morning 10 years ago.

But then armed officers stormed my plane, threw me in handcuffs and locked me up.
9/11  security  america 
september 2011 by Aetles
Drupal upgrade easier | fuerstnet
The standard procedure to upgrade Drupal to the latest release is to download it from drupal.org and follow the included UPGRADE.txt.
For administrators using the UNIX shell it may be easier using the attached patch files below instead of downloading and installing the newest complete Drupal release.
drupal  patch  security  ssh 
may 2011 by Aetles
TidBITS Safe Computing: Make Sure Your iOS Device is Really Encrypted
Encrypting your data on your iPad or iPhone is a great way to protect yourself on the off chance you lose your device. Even if someone plugs your device into a computer, they ideally won’t be able to steal all of your data. On current iOS devices, encrypting is as simple as setting a passcode.

Encryption in iOS 3 and then iOS 4

I say “ideally” because it turns out to be a little more complicated than simply setting a passcode.
iphone  ios  security 
march 2011 by Aetles
Sidestep | Chetan Surpur
When Sidestep detects you connecting to an unprotected wireless network, it automatically encrypts all of your Internet traffic and reroutes it through a secure connection to a server of your choosing, which acts as your Internet proxy. And it does all this in the background so that you don’t even notice it.

With Sidestep enabled, no one can eavesdrop on your traffic and impersonate you or see what you’re seeing as you browse the web.
mac  osx  proxy  security  wifi 
march 2011 by Aetles
Non-Volatile Systems Laboratory
At the Non-volatile Systems Laboratory we have designed a procedure to bypass the flash translation layer (FTL) on SSDs and directly access the raw NAND flash chips to audit the success of any given sanitization technique. Our results show that naïvely applying techniques designed for sanitizing hard drives on SSDs, such as overwriting and using built-in secure erase commands is unreliable and sometimes results in all the data remaining intact. Furthermore, our results also show that sanitizing single files on an SSD is much more difficult than on a traditional hard drive. We are working on designing new FTLs that correct these issues and also exploit properties of flash memory to maintain performance while sanitizing the flash drive.
flash  security  ssd  storage 
february 2011 by Aetles
Anonymous speaks: the inside story of the HBGary hack
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.

Over the last week, I've talked to some of those who participated in the HBGary hack to learn in detail how they penetrated HBGary's defenses and gave the company such a stunning black eye—and what the HBGary example means for the rest of us mere mortals who use the Internet.
hack  security  sqlinjection  md5  hashing  passwords 
february 2011 by Aetles
Amazon EC2 Enables Cheap Brute-Force Attacks - Slashdot
Also fun to realize: for every character less than 20, you lose 100x your security. A 19-character password could be cracked in just 1% of the time of a 20-character password. A 10-character password would take .000000000000000001% of the time.
passwords  security 
january 2011 by Aetles
Why do sites implement locking after 3 failed password attempts? - IT Security - Stack Exchange
I know the reasoning behind not letting infinite password attempts -- brute-force attempts are not a meatspace weakness, but a problem with computer security -- but where did they get the number 3 from?

Isn't denial of service a concern when implementing a lockout policy that is easily activated?

Is there any hard research showing an optimal number or range to choose before locking out an account that balances actual security threat with usability?

Thinking it through, I don't see any measurable security difference between 3 attempts and 20 attempts with the password complexity generally in use today.
security 
november 2010 by Aetles
The 'Israelification' of airports: High security, little bother - thestar.com
Five security layers down: you now finally arrive at the only one which Ben-Gurion Airport shares with Pearson — the body and hand-luggage check.

"But here it is done completely, absolutely 180 degrees differently than it is done in North America," Sela said.

"First, it's fast — there's almost no line. That's because they're not looking for liquids, they're not looking at your shoes. They're not looking for everything they look for in North America. They just look at you," said Sela. "Even today with the heightened security in North America, they will check your items to death. But they will never look at you, at how you behave. They will never look into your eyes ... and that's how you figure out the bad guys from the good guys."

That's the process — six layers, four hard, two soft. The goal at Ben-Gurion is to move fliers from the parking lot to the airport lounge in a maximum of 25 minutes.
flying  security  airports 
november 2010 by Aetles
Firesheep In Wolves’ Clothing: Extension Lets You Hack Into Twitter, Facebook Accounts Easily
It seems like every time Facebook amends its privacy policy, the web is up in arms. The truth is, Facebook’s well publicized privacy fight is nothing compared to the vulnerability of all unsecured HTTP sites — that includes Facebook, Twitter and many of the web’s most popular destinations.

Developer Eric Butler has exposed the soft underbelly of the web with his new Firefox extension, Firesheep, which will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies.

As Butler explains in his post, “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed” in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user’s site with their credentials.
security 
october 2010 by Aetles
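What Firesheep actually reads off the air is the Cookie header of an unencrypted request, and what stops it is the cookie never being sent over plain HTTP in the first place. The following is an added example, not Firesheep’s own code: the captured request is constructed (host and cookie values are made up), and the audit function lists the Set-Cookie attributes a session cookie needs so that this capture cannot happen.

```python
# Constructed capture of what a sniffer on an open Wi-Fi network sees when a
# browser talks plain HTTP to a site (host and cookie values are invented).
CAPTURED_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: session_id=a1b2c3d4; lang=en\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def extract_cookies(raw_request: str) -> dict:
    """Pull the Cookie header out of a plaintext HTTP request. For a site whose
    session lives in a cookie, this dictionary is the whole login."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    cookies = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def audit_set_cookie(header_value: str) -> list:
    """Return the defensive attributes missing from a Set-Cookie header.
    Without `Secure` the browser will send the cookie over plain HTTP, which
    is exactly the traffic Firesheep collects; `HttpOnly` keeps page script
    from reading it, which limits what an XSS on the site can steal."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [a for a in ("secure", "httponly") if a not in attrs]


if __name__ == "__main__":
    print(extract_cookies(CAPTURED_REQUEST))
    print(audit_set_cookie("session_id=a1b2c3d4; Path=/"))
    print(audit_set_cookie("session_id=a1b2c3d4; Path=/; Secure; HttpOnly"))
```

`Secure` only helps if the site serves every page over HTTPS; a site that sets the flag but still has HTTP pages simply logs the user out of those pages, which is the trade-off the article’s “unsecured HTTP sites” were avoiding.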
Vincent Gable » Pass Phrases, Not Passwords
People feel that if security system A is harder for them to use than system B, then A must be harder for an attacker to bypass. But the facts don’t always match this intuition.

What authentication code do you think is harder for a bad guy to hack, the 7 character strong password “1Ea.$]/”, or the mnemonic for the first 3 characters, “One Elvis Amazon”? Certainly “1Ea.$]/” is harder for a person to remember. It feels like it should be harder to break. But a computer, not a person, is going to be doing the guessing, and all it cares about is how big the search space is. There are 93^7 possible 7 character passwords. Let’s say there are 250,000 possible English words (more on that figure later). Then there are 250,000^3 3 word combinations — meaning an attacker would have to do 260 times more work to guess “One Elvis Amazon” than to guess “1Ea.$]/”.
security  passwords 
june 2009 by Aetles
Webmilhouse » Open Source SSL VPN
A blog article about SSL Explorer and the choice of it as the solution for secure access to an internal network.
vpn  säkerhet  security  SSL  Explorer  Nätverk 
july 2006 by Aetles
A List Apart: Articles: Community Creators, Secure Your Code!
An article about the security problems that arise when you allow styling and customisation in user-supplied code.
xss  cross  site  scripting  security  javascript  ajax  html  Säkerhet 
april 2006 by Aetles
Cross-site request forgery (CSRF)
A text about how to prevent CSRF, cross-site request forgery: for instance by making sure that submitted forms are checked so that they really come from your own site.
Cross-site  request  forgery  CSRF  säkerhet  security  säkerhetshål  formulär  form  submission  Webbutveckling 
may 2005 by Aetles
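The check the description refers to, “making sure forms really come from your own site”, is a synchroniser token bound to the session plus a look at the Origin header. The following is an added example and not code from the linked text: `SECRET_KEY`, the session identifiers and the origin strings are assumptions for the example, and a production token would also carry an expiry timestamp.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side key; load from configuration in a real deployment (assumed value).
SECRET_KEY = b"change-me-to-32-bytes-of-real-randomness"


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce . HMAC(key, session_id:nonce). Embed it as a hidden form
    field; a page on another origin cannot read it, so it cannot forge the
    post, and binding to the session stops a token stolen elsewhere working."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_form_post(session_id: str, form: dict, origin: Optional[str],
                     allowed_origin: str) -> bool:
    """Accept a state-changing post only if the Origin header, when the browser
    sends one, names our own site and the hidden token verifies for this session."""
    if origin is not None and origin != allowed_origin:
        return False
    return verify_csrf_token(session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    sid = "sess-A"                       # assumed session identifier
    tok = issue_csrf_token(sid)
    print(handle_form_post(sid, {"csrf_token": tok},
                           "https://shop.example", "https://shop.example"))
    print(handle_form_post(sid, {"csrf_token": tok},
                           "https://evil.example", "https://shop.example"))
```

The Origin check alone is not enough, because older clients and some request types omit the header, which is why the token stays mandatory even when Origin is absent; the token alone is also weaker than both together, since it does not catch a token leaked through a referrer or log.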