Ramblings & ephemera

How an email account without passwords can be good for security

From Robert X. Cringely’s “Stream On”: Mailinator is ad hoc e-mail for those times when just maybe you don’t want to use your regular e-mail address. Say you are snitching on the boss, buying inflatable people, or want 32 different PayPal accounts. Just tell someone—anyone—that your e-mail address is fatman@mailinator.com or skinnykid@mailinator.com, or clueless@mailinator.com or […]

My favorite iPhone apps

Someone on a mailing list asked for a list of our favorite iPhone apps. Here’s what I said: Reeder is the best RSS reader (tied to Google Reader, natch), bar none. Articles presents Wikipedia beautifully. Dropbox is an essential for the reasons Martin gave. Echofon is a great Twitter app, especially since it syncs with […]

A story of failed biometrics at a gym

From Jake Vinson’s “Cracking your Fingers” (The Daily WTF: 28 April 2009): A few days later, Ross stood proudly in the reception area, hands on his hips. A high-tech fingerprint scanner sat at the reception area near the turnstile and register, as the same scanner would be used for each, though the […]

What passwords do people use? phpBB examples

From Robert Graham’s “PHPBB Password Analysis” (Dark Reading: 6 February 2009): A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. … This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. … The striking difference between the two incidents is […]

Conficker creating a new gargantuan botnet

From Asavin Wattanajantra’s “Windows worm could create the ‘world’s biggest botnet’” (IT PRO: 19 January 2009): The Downadup or “Conficker” worm has increased to over nine million infections over the weekend – increasing from 2.4 million in a four-day period, according to F-Secure. … The worm has password cracking capabilities, which is often successful because […]

Rainbow Tables crack passwords

From Chapter 2: Botnets Overview of Craig A. Schiller’s Botnets: The Killer Web App (Syngress: 2007): According to the Rainbowtables.net Web site, using their tables and others on the Internet “it is possible to crack almost any password under 15 characters using a mixed alphanumeric combination with symbols for LM, NTLM, PIX Firewall, MD4, and […]

Why you should not run Windows as Admin

From Aaron Margosis’ “Why you shouldn’t run as admin…” (17 June 2004): But if you’re running as admin [on Windows], an exploit can: install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect) install and start services install ActiveX controls, including IE and shell add-ins (common with spyware and adware) access data […]

Bad passwords for SSH

From Christian Seifert’s “Analyzing malicious SSH login attempts” (SecurityFocus: 11 September 2006): First, we analyzed the login names that were used on the login attempts. During the sample period, there were 2741 unique account names ranging from common first names, system account names, and common accounts to short alphabetical strings captured by the system logger. […]
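The analysis the excerpt describes, tallying which account names and source addresses show up in failed SSH logins, is easy to reproduce against your own sshd logs. The following is an added example, not code from the SecurityFocus article or its honeypot; the log lines are constructed for illustration (RFC 5737 documentation addresses), and the category lists in classify_user are an assumed, illustrative set, not the article's classification.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the article's honeypot).
SAMPLE_LOG = """\
Sep 11 03:14:07 honey sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Sep 11 03:14:09 honey sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Sep 11 03:14:12 honey sshd[2203]: Failed password for root from 203.0.113.7 port 40140 ssh2
Sep 11 03:14:15 honey sshd[2205]: Failed password for invalid user oracle from 198.51.100.22 port 51010 ssh2
Sep 11 03:14:17 honey sshd[2205]: Failed password for invalid user admin from 198.51.100.22 port 51019 ssh2
Sep 11 03:14:20 honey sshd[2207]: Accepted password for bob from 192.0.2.10 port 22222 ssh2
Sep 11 03:14:22 honey sshd[2209]: Failed password for root from 198.51.100.22 port 51030 ssh2
"""

# Matches both the "invalid user <name>" form (account does not exist)
# and the plain "<name>" form (account exists, wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed, illustrative list of service/system account names (not the article's).
SYSTEM_ACCOUNTS = {"root", "admin", "administrator", "oracle", "mysql",
                   "postgres", "test", "guest", "ftp", "www", "nobody"}


def parse_failed_logins(log_text):
    """Return a list of (user, ip) tuples, one per failed password attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip")))
    return attempts


def classify_user(user):
    """Rough bucket for an attempted account name."""
    if user in SYSTEM_ACCOUNTS:
        return "system"
    if user.isalpha() and len(user) <= 3:
        return "short"   # short alphabetical strings, as in the article
    return "other"       # first names, handles, anything else


def summarize(attempts):
    """Aggregate attempts into the counts the article reports."""
    users = Counter(u for u, _ in attempts)
    sources = Counter(ip for _, ip in attempts)
    categories = Counter(classify_user(u) for u in users)
    return {
        "attempts": len(attempts),
        "unique_users": len(users),
        "top_users": users.most_common(),
        "sources": sources,
        "categories": categories,
    }


if __name__ == "__main__":
    report = summarize(parse_failed_logins(SAMPLE_LOG))
    print(f"{report['attempts']} failed attempts, {report['unique_users']} unique account names")
    for user, n in report["top_users"]:
        print(f"  {user:12s} {n:3d}  ({classify_user(user)})")
    for ip, n in report["sources"].most_common():
        print(f"  {ip:16s} {n:3d} attempts")
```

Run it against a real log with `summarize(parse_failed_logins(open("/var/log/auth.log").read()))`; the successful "Accepted password" line is deliberately left out of the tally, since the question is which names attackers try, not who logged in.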

Two-factor authentication: the good & the bad

From Bruce Schneier’s “More on Two-Factor Authentication” (Crypto-Gram: 15 April 2005): Passwords just don’t work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there’s an upper limit to how complex a password users can be expected to remember. About five […]

California’s wide-open educational software reveals personal info

From Nanette Asimov’s “Software glitch reveals private data for thousands of state’s students” (San Francisco Chronicle: 21 October 2005): The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security […]

Rainbow cracking is now a public service

From Robert Lemos’s “Rainbow warriors crack password hashes” (The Register: 10 November 2005): Over the past two years, three security enthusiasts from the United States and Europe set a host of computers to the task of creating eleven enormous tables of data that can be used to look up common passwords. The tables – totaling […]
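Both rainbow-table items above (the Rainbowtables.net claim quoted from Schiller's book and the Register piece) describe the same time-memory trade-off: precompute long hash-reduce chains, store only their endpoints, and spend a little computation at lookup time instead of storing every hash. The following is an added toy implementation, not code from either source or from Rainbowtables.net. It uses MD5 as a stand-in for the LM/NTLM hashes the excerpts mention, a constructed 4-character lowercase password space, and small chain parameters so it runs in well under a second; the only thing that makes it a rainbow table rather than a plain Hellman table is that the reduction function changes with the column index.

```python
import hashlib
import itertools
import string

# Constructed toy parameters: tiny keyspace so the whole demo runs in seconds.
CHARSET = string.ascii_lowercase
PW_LEN = 4
CHAIN_LEN = 100     # t: hash/reduce steps per chain
NUM_CHAINS = 2000   # m: chains stored (only start and end point of each)


def H(password):
    """The hash under attack. MD5 here stands in for an unsalted LM/NTLM hash."""
    return hashlib.md5(password.encode()).digest()


def reduce_to_password(digest, column):
    """Map a digest back into the password space.

    Mixing in the column index gives every column its own reduction function,
    which is what limits chain merges compared with Hellman's single-function tables.
    """
    n = int.from_bytes(digest, "big") + column
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def chain_point(start, k):
    """The k-th password along the chain that begins at `start` (p_0 = start)."""
    p = start
    for col in range(k):
        p = reduce_to_password(H(p), col)
    return p


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precompute num_chains chains; keep only {endpoint: [start points]}."""
    table = {}
    starts = ("".join(t) for t in itertools.product(CHARSET, repeat=PW_LEN))
    for _, start in zip(range(num_chains), starts):
        table.setdefault(chain_point(start, chain_len), []).append(start)
    return table


def crack(table, target, chain_len=CHAIN_LEN):
    """Recover a preimage of `target` from the table, or None if not covered.

    Cost is about chain_len**2 / 2 hashes, against a table of only
    num_chains entries: that is the time-memory trade-off.
    """
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: target is the hash at column `col`; finish that chain.
        p = reduce_to_password(target, col)
        for c in range(col + 1, chain_len):
            p = reduce_to_password(H(p), c)
        for start in table.get(p, ()):
            # Endpoint matched: regenerate the chain and look for the preimage.
            # A merge can cause a false alarm, in which case this loop finds nothing.
            q = start
            for c in range(chain_len):
                if H(q) == target:
                    return q
                q = reduce_to_password(H(q), c)
    return None


if __name__ == "__main__":
    table = build_table()
    victim = chain_point("aaaa", 5)        # a password we know the table covers
    print("table entries:", len(table), "cracked:", crack(table, H(victim)))
    print("not in table:", crack(table, H("ZZZZ")))   # uppercase is outside the keyspace
```

Two things the toy makes visible: the table holds 2,000 entries yet answers for roughly 200,000 passwords (fewer after chain merges), and the lookup never hashes the whole keyspace. Real tables that cover "almost any password under 15 characters" differ only in scale, and in the fact that LM hashes make the job far easier by upper-casing the password and splitting it into two independent 7-character halves. Salting defeats the approach entirely: a table built for one salt is useless for every other.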

Users know how to create good passwords, but they don’t

From Usability News’ “Password Security: What Users Know and What They Actually Do”: A total of 328 undergraduate and graduate level college students from Wichita State University volunteered to participate in the survey, and were regular users of the Internet with one or more password protected accounts. Ages of the participants ranged from 18 to […]

John the Ripper makes password cracking easy

From Federico Biancuzzi’s “John the Ripper 1.7, by Solar Designer”: John the Ripper 1.7 also improves on the use of MMX on x86 and starts to use AltiVec on PowerPC processors when cracking DES-based hashes (that is, both Unix crypt(3) and Windows LM hashes). To my knowledge, John 1.7 (or rather, one of the development […]

A brief history of backdoors

From Network Magazine: Ken Thompson, a designer of the Unix OS, explained his magic password, a password that once allowed him to log in as any user on any Unix system, during his award acceptance speech at the Association for Computing Machinery (ACM) meeting in 1984. Thompson had included a backdoor in the password checking […]

Crack Windows passwords in seconds

This is an oldie but still a goodie – or a baddie, if you use or depend on Windows. Back in 2003, researchers released tools that enable the cracking of Windows passwords in an average of 13.6 seconds. Not bad, not bad at all. CNET has a nice writeup titled “Cracking Windows passwords in seconds”, […]