  1. #931
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: Virus Alerts/Security Warnings/Solutions

    WPA gets cracked

    First WEP, now WPA Wi-Fi encryption has been cracked:

    http://isc.sans.org/diary.html?storyid=5300

    Time to switch to WPA2 if you want to keep your packets safe (at least for the time being).

  2. #932
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: Virus Alerts/Security Warnings/Solutions

    Quote: Originally posted by Ned Slider
    WPA gets cracked

    First WEP, now WPA Wi-Fi encryption has been cracked:

    http://isc.sans.org/diary.html?storyid=5300

    Time to switch to WPA2 if you want to keep your packets safe (at least for the time being).
    More details here:

    http://arstechnica.com/articles/paed...-cracked.ars/1

    It may not be as bad as it first sounds.

  3. #933
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions


  4. #934
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions


  5. #935
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions

    Another one from our friends at SANS

    http://isc.sans.org/diary.html?storyid=5596

  6. #936
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions

    Zune Players? Not a security issue particularly but noteworthy

    http://www.cnn.com/2008/TECH/12/31/z...res/index.html


    Internet message boards have been flooded with complaints about Zune's 30GB models freezing, prompting Y2K-like speculation about end-of-year hardware or software problems.
    "It seems that every Zune on the planet has just frozen up and will not work," posted a Mountain Home, Idaho, user on CNN's iReport.com. "I have 3 and they all in the same night stopped working."
    Another iReporter said he was working the night shift at a Toys R Us store in Puerto Rico when his Zune player and the Zunes of four co-workers all failed about 1:30 a.m. ET Wednesday.
    Last edited by jimzinsocal; 12-31-2008 at 03:51 PM.

  7. #937
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions

    Some clear thinking and great info here

    http://www.pendre.co.uk/

  8. #938
    Joined
    Jan 2001
    Location
    Auckland
    Age
    40
    Posts
    30,912

    Re: Virus Alerts/Security Warnings/Solutions


  9. #939
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions

    Another one from our friends at SANS

    http://isc.sans.org/diary.html?storyid=5653


    And now the holidays are over we might want to read this information.

    http://www.pendre.co.uk/

  10. #940
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions


  11. #941
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions


  12. #942
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: Virus Alerts/Security Warnings/Solutions

    Quote: Originally posted by jimzinsocal
    And now the holidays are over we might want to read this information.

    http://www.pendre.co.uk/
    2008 was an interesting year. The SSL certificate vulnerability above, the Kaminsky DNS flaw in July and the WPA flaw weren't at all unexpected but they all got us thinking about how much we can now trust crucial infrastructure that we once took for granted.

    The Kaminsky DNS flaw was particularly interesting for a number of reasons:

    1. We all thought internal servers operating behind a firewall were safe against external attack - how WRONG we all were!
    2. The attack vectors were numerous and nothing seemed safe - websites and email redirection were both vulnerable, and we authenticate so much by email (for example, recovery of lost passwords and login details)
    3. Despite being given advance warning, the Internet was still slow to react to the threat.


    WPA may not have totally fallen just yet, but it's not far off. The fall back is WPA2, but how long will that be safe for, how many are in a position to immediately deploy it and how long will it take? And what happens when WPA2 fails? Why is this important - well ask TK Maxx, who were in the process of updating their WEP-enabled wireless cash registers used to transmit customer credit card transactions after WEP got cracked when they were hacked and subsequently lost hundreds of millions of customers' credit card details in an incident that still remains one of the most widely publicised security breaches ever.

    The SSL exploit showed us that MD5 is not safe. We knew that anyway yet it's still being used by SSL root certificate authorities. SHA-1 is already looking dodgy (and that's now the mainstay of SSL certs) and SHA-256 or SHA512 won't hold up that much longer. That little padlock symbol in your browser status bar means nothing when the bad guys can produce their own trusted certs for their phishing sites at will.

    The take home message from 2008 is that you need to reassess what you thought was safe because a lot of principles we took for granted last year are now left lying in tatters.

  13. #943
    Joined
    Feb 2001
    Location
    near the sea-port of Antwerp, Belgium
    Posts
    12,856

    Re: Virus Alerts/Security Warnings/Solutions

    Quote: Originally posted by Ned Slider
    2008 was an interesting year. The SSL certificate vulnerability above, the Kaminsky DNS flaw in July and the WPA flaw weren't at all unexpected but they all got us thinking about how much we can now trust crucial infrastructure that we once took for granted.

    The Kaminsky DNS flaw was particularly interesting for a number of reasons:
    1. We all thought internal servers operating behind a firewall were safe against external attack - how WRONG we all were!
    2. The attack vectors were numerous and nothing seemed safe - websites and email redirection were both vulnerable, and we authenticate so much by email (for example, recovery of lost passwords and login details)
    3. Despite being given advance warning, the Internet was still slow to react to the threat.

    WPA may not have totally fallen just yet, but it's not far off. The fall back is WPA2, but how long will that be safe for, how many are in a position to immediately deploy it and how long will it take? And what happens when WPA2 fails? Why is this important - well ask TK Maxx, who were in the process of updating their WEP-enabled wireless cash registers used to transmit customer credit card transactions after WEP got cracked when they were hacked and subsequently lost hundreds of millions of customers' credit card details in an incident that still remains one of the most widely publicised security breaches ever.

    The SSL exploit showed us that MD5 is not safe. We knew that anyway yet it's still being used by SSL root certificate authorities. SHA-1 is already looking dodgy (and that's now the mainstay of SSL certs) and SHA-256 or SHA512 won't hold up that much longer. That little padlock symbol in your browser status bar means nothing when the bad guys can produce their own trusted certs for their phishing sites at will.

    The take home message from 2008 is that you need to reassess what you thought was safe because a lot of principles we took for granted last year are now left lying in tatters.
    .


    I'm no expert by any means, that's why I want to ask this: isn't there anything other than those in the 'Open' community (to fall back on if need be or to work towards and switch to in the near future)?


    .


    Fold with what you have, Every Work Unit will make a difference.

  14. #944
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: Virus Alerts/Security Warnings/Solutions

    Quote: Originally posted by noorman
    .
    I'm no expert by any means, that's why I want to ask this: isn't there anything other than those in the 'Open' community (to fall back on if need be or to work towards and switch to in the near future)?
    For something as large as the Internet to work effectively, standards have to be agreed upon and used. Sure, you could use some proprietary technology that may protect you, but what happens when you want to communicate or do business with someone who uses some other proprietary technology and they aren't compatible? So we need standards.

    Standards tend to be open, especially in security. People aren't so quick to trust and/or adopt anything that isn't open to scrutiny. For example, if two encryption methodologies were proposed for the next generation - one open and subject to scrutiny by experts in the field, and the other closed where the vendor just says "trust us, this won't get cracked - your data's safe with us", which one do you think the Internet will adopt as the standard? Besides, if standards are closed then someone has a vested (normally financial) interest in them. Should security be a taxable commodity only available to the rich or should security be freely available to everyone? The Internet is way bigger than any one company and any encryption standard needs to be able to hold up when all the information regarding it (source code, public keys etc) is in the public domain but it's still not possible to crack it.

    SSL certificates already kind of fall into this category - there are very few Root Certificate Authorities (CAs) that are willing/able to sign certificates for free that are trusted by the major OS/browser vendors, and this is despite the fact that the technology used is exclusively free and open source available to everyone (OpenSSL). BTW the recent SSL certs flaw is not in any software product but in the way trusted Root CAs use it. We put our trust in them, pay them for a service and yet they fail to listen to the security warnings and continue to use insecure practices putting everyone at risk. Now they've been named and shamed, they will mend their evil ways and use SHA-1 like they should have been doing all along. It won't happen overnight and there will still be a lot of certs out there using vulnerable MD5 hashing in their chain but at least it's a step in the right direction and it was discovered by researchers rather than exploited by bad guys. But what happens if SHA-1 falls tomorrow (there have been DC projects aimed at discovering flaws in it for quite some time)? There currently is no fallback position, no next level of encryption that can be used that has been widely agreed upon (they're working on a standard for 2012).

    The other issue is that much of the Internet infrastructure, at multiple levels (for example, arp, dns, email) was designed at a time when the Internet was a small collection of trusted machines - the Internet and many of its underlying protocols were inherently built on trust. Trying to bolt a security layer onto something that was never designed with security in mind is always going to come back at some point and bite you in the ass. Combine this with the fact that the bad guys are getting smarter (way smarter) and consumers are generally getting (relatively) dumber then we have a real problem. By that I mean that consumers are no longer in control of their own PCs - they have no idea what's running on them or why, they have no idea what modern security methodologies do, how to implement them or why they are necessary. Again, the current SSL flaw is a classic example. Before we could advise folks to look for https in the address bar or look for the little padlock in the status bar and you're safe, but not any longer. Now to know you're safe you have to manually examine the cert chain all the way up to the root cert and check the hashing algorithm used on each cert to ensure none of the certs used MD5, then assuming the name on the cert matches exactly with the site you think you are visiting then you know you are safe - that just doesn't wash with most consumers I know.

    One interesting development is in the field of quantum encryption. If I understand quantum theory correctly, the basis is that simply by looking at the data you change it so the two parties instantly know if the data stream has been intercepted or examined in any way and thus know not to trust it regardless of whether the person intercepting or examining it is able to crack the encryption or not. Again my understanding is that inherently they would not be able to encrypt it because by simply trying to do so they have changed its state so what they decrypt isn't going to be what was sent. I understand some small scale trials have been used to send data across a town or city so I guess it's still a way off yet but does have the potential to offer truly unbreakable encryption as opposed to encryption that is crackable but not in a realistic timeframe given current computer resources.

  15. #945
    Joined
    Aug 2001
    Posts
    74,682

    Re: Virus Alerts/Security Warnings/Solutions

    Nasty site beware
    This site makes it look like it is scanning your computer and finding trojans and other bad stuff. Then it suggests you download a fix it has for you. Yeah right, too bad they can't be shut down!

    http ://best4scan.com/22/?uid=114
    http ://go6scan.com/?uid=114
    http ://best4scan.com/?uid=114 This ones title is Internet Security is Important

    Don't visit them just an FYI is all.
