Hacking with no technology

NEW YORK--The typical image of a hacker is a kid hunched over his keyboard in the wee hours of the night staring at commands on his computer screen that unlock the secrets of the national government.

But, according to someone who knows better, the woman sitting next to you in the airport or Starbucks fiddling with her digital camera while you work on your company's confidential sales data could be just as dangerous.

One of the more fascinating talks at the Last HOPE hacker conference this weekend was by Johnny Long, a security researcher who hacks, writes books on … Read more

Protecting against Wi-Fi, Bluetooth, RFID data attacks

NEW YORK--Using a laptop, cell phone headset, building access badge, credit cards, or even a passport can make you a walking target for data thieves and other criminals, a security expert warned at the Last HOPE hacker conference here late Friday.

In a frightening but entertaining session entitled "How do I Pwn Thee? Let me Count the Ways" (pwn is hacker speak for "own" or control), a hacker who goes by the alias "RenderMan" explained how most people are at risk and don't even know it.

By now most people probably know they … Read more

Security Bites 108: Understanding white listing

To put it simply, the concept of "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.

In 2007, Symantec detected more than 1 million viruses, with two-thirds created within the calendar year. Loading 1 million antivirus signatures or even a percentage of that if generic signatures are used is a … Read more

Dutch court allows publication of Mifare security hole research

Updated 8:30 a.m. PDT with researcher comment and photos. Updated 11:17 a.m. with NXP comment.

NEW YORK--A Dutch court ruled on Friday that a university can publish an article on security flaws in the Mifare Classic wireless smart card chip, the most popular chip used in transit systems around the world.

NXP Semiconductors, formerly Philips Semiconductors, sued to prevent computer science professor Dr. B. Jacobs Radboud at University Nijmegen from publishing a scientific paper on the technology, arguing that it would be irresponsible to make the information public.

The Rechtbank Arnhem court ruled that prohibiting publishing … Read more

Linux desktop security: It's a matter of process and architecture

Is Linux inherently more secure than Windows? Apparently so, according to this article, but the reasons have less to do with "thousands of eyeballs" and more to do with "intelligent design."

There are numerous reasons why a Linux PC is more secure from malicious software than a Windows PC. The most obvious is the way a user interacts with his operating system....

A Linux virus is doomed from early conception and there's a rough jungle awaiting. For an ELF binary file to get infected by a virus, the malicious program has to first get write access to other binaries. Prior to that, it must somehow disguise itself. Binary-only applications are so rare in the Linux world that any software not designed by a major developing firm is subject to inquiry. After a day in the wild, someone will figure out the binary file hides something else and the element of surprise will be gone. We're used to having the source code at our disposal. Try hiding a malicious code in plain text....… Read more

HOPE conference highlights everyday hacking

Updated July 18, 7:52 AM PDT with more details about live radio broadcast

NEW YORK--From sessions on how-to create fluorescent mice and crack safes to discussions on losing your privacy in a taxi and complaints about Wikipedia, the Last HOPE conference starting here Friday has something for just about everyone.

The conference is the brainchild of Emmanuel Goldstein, aka Eric Corley, who publishes the notorious 2600 magazine. Corley has seen the community grow from its early days in the1980s with kids going to jail for breaking into the AT&T network, to millions of regular citizens skirting the … Read more

A real simple answer to password protection

It's a question I get asked a lot: what's a good way to remember passwords for a computer?

Here's how Christopher Horn over at Real Simple chose to answer it:

Writing down random log-in user names and passwords is unsafe and leaves them vulnerable to getting lost. Use a spreadsheet or a word-processing document to keep track of all the information safely. List the link for each website you have an account with and the specific user-name and password information that goes with that account. Click the Save As option under the File tab and name the … Read more

Despite patch, today's systems still vulnerable to 2002 flaw

For the last week, I've written that Dan Kaminsky undertook unprecedented action in coordinating a variety of vendors in secret over the last six months. Ari Takanen, co-founder and chief technology officer of Codenomicon, wrote to challenge that notion.

In an e-mail on Thursday, Takanen cited his work on a Simple Network Management Protocol version 1 (SNMPv1) flaw back in 2002 as an example. Like Domain Name System, SNMP is a fundamental element of the Internet.

I wrote: "There have been other multiparty patch releases, but never has there been one on such a massive scale. It took … Read more

Mozilla updates Firefox with three security patches

On Thursday, Mozilla pushed out a new security update for its new Firefox browser. Version 3.0.1 for Windows and Mac addresses vulnerabilities in malformed GIF files on Mac OS X, command-line URLs that could launch multiple tabs when Firefox is not running, and a potential remote code execution by overflowing CSS reference counter.

Meanwhile, Mozilla updated the earlier version of Firefox with 2.0.16 on Tuesday. The update addresses two of the Firefox 3 critical issues--command-line URLs and overflowing CSS reference counter.

Version-specific updates have been pushed out automatically to existing Firefox users.

Mozilla will continue to … Read more

Linus Torvalds: Don't glorify the security "monkeys"

Leave it to Linus Torvalds, founder of the Linux kernel, to speak his mind. While many point to Linux as superior to Windows as offering superior security, Torvalds doesn't want anyone to make a fetish of security, including the OpenBSD people to whom he addresses this classic missive:

...[O]ne reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.… Read more