Software Security Courtesy Of Child Labor

October 28, 2010 by Mike Szczys 34 Comments

We couldn’t help but poke a little fun in the headline. This is [Alex Miller], a twelve year old who claimed a $3000 bounty from Mozilla. See, [Alex] is a self-taught security guru. When Mozilla upped the reward for discovering and reporting critical security flaws in their software he went to work searching for one. He estimates that he spent an hour and a half a day for ten days to find the hole. Fifteen hours of work for $3000? That’s pretty good!

Is it good or bad to pay for these kind of submissions? The real question: Is the bounty high enough to get blackhats to report vulnerabilities, rather than selling software that exploits them? Let us know what you think in the comments.

[via Zero Day]

Firesheep: Promoting Privacy In A Scary Way

October 25, 2010 by James Munns 50 Comments

Often, software hackers are the activists that push software giants towards updating vulnerable applications. In todays example, [Eric Butler] is pushing Facebook, Twitter, Flickr, and more all at the same time. By creating a user script-kiddie friendly extension for Firefox, he has allowed just about anyone to sniff unsecured connections on public Wi-Fi access points and log into these unprotected accounts.

Right now the extension is available for Windows and Mac, with a Linux port coming soon. Temporarily, the best way for a user to avoid getting taken advantage of would be to not use these social networking sites on a public connection, or to implement a secure proxy for these connections that would keep your data safe. Hopefully these websites will have a quick rebuttal that allows for security without workarounds. With all of the bad press they are recieving, they certainly have incentive to.

Are there any software or security buffs out there? We would love to see someone port this to an iPhone or Android app that could check and log open Wi-Fi points. We’ll leave the foot work to the experts out there, but do be sure to give us a heads up if anyone manages to make it happen, okay?

Embedded RFID For Online Passwords

October 11, 2010 by Mike Szczys 33 Comments

[Jair2K4] is using his unique RFID tag address as an online password. We’d bet that if you went far enough to get an implant in your hand you’d continually search for a reason to use it. Wanting to do more than just start his car with a wave of the hand, he built an interface module out of an Arduino and a Parallax RFID reader. Using a program called AAC Keys on Windows 7 he emulates a keyboard using the input from the Arduino. When it comes time to login he types his username and parks the cursor in the password box. By holding the RFID implant next the reader, the ID is dumped as the password, along with a newline (might be a carriage return, we’re not certain) character which submits the login. Take a look for yourself after the break.

On the one hand, nobody will be able to steal his tag as easily as they could steal one that is on a key ring. But we know RFID is rather notorious for a false sense of security. As long as you’re not using it for state secrets we think it’s a nice solution.

Update: After reading the comments on this feature, [Jair2K4] made some changes to his code. It now reads the tag and verifies it with stored data, then spits out whatever password you wish (making it easy to change passwords from time-to-time). He also added servo control to the sketch.

Continue reading “Embedded RFID For Online Passwords” →

BIOS Password Cracking

October 7, 2010 by Mike Szczys 45 Comments

[Dogbert] took a look at the security that goes into BIOS passwords on many laptops. He starts off with a little background about how the systems work. People are bound to forget their passwords, so when you enter a wrong one three times in a row you get a message similar to the one above that locks you out until all power is removed from the system (then you get three more tries). But check out that five-digit number in the picture. That’s a checksum of the password. Some BIOS versions display it automatically, some require you to hold down a certain key during POST, but it’s the pivotal data needed to crack the password.

[Dogbert’s] post doesn’t go into verbose detail about the algorithms he uses to brute force the passwords. But he has posted the Python scripts he uses to do so. Learning how to generate the passwords based on the checksum is as simple as studying the code, which is often the best way to learn.

Arduino, RFID, And You

October 7, 2010 by Jakob Griffith 13 Comments

[Matt] has mixed up a batch of two RFID reading door lock systems. While the “door lock” part of the setup has yet to come into existence, the “RFID reading” section is up and running. By using the Parallax RFID readers (for cheap, remember?) and an Arduino, [Matt] is able to parse an RFID tag, look its number up in a database, and then have a computer announce “Access Denied” in a creamy “Douglas Adam’s sliding door of Hitchiker’s Guide” kind of way with Python.

Good books aside, catch a not as exciting as you’re thinking video after the jump.

Continue reading “Arduino, RFID, And You” →

Cheap(er) Biometric Gun Safe

October 5, 2010 by Jakob Griffith 30 Comments

[Greg] sent in his biometric pistol safe lock. He keeps his guide light on details so not every Joe can crack the system (there is a thread to sift through if you really wanted to), but the idea runs fairly simple anyway. [Greg] took an old garage door opening fingerprint scanner and wired it into a half broken keypad based pistol safe. While he did have some issues finding a signal that only fired when the correct fingerprint is scanned, a little magic with a CMOS HEX inverter fixed that problem quick.

This does bring one question to our minds, are fingerprint scanners as easy to crack as fingerprint readers?

You’re Stealing It Wrong: A Speech By Jason Scott

October 1, 2010 by Caleb Kraft 22 Comments

slipped disk in all of his glory

[Jason Scott], data historian extraordinaire gave this fantastic speech at Defcon 18 about the history of inter-pirate piracy. At an hour long, it is an enthralling journey through computer history, especially pertaining to piracy. Take a seat, no matter how much you know about security and piracy, you are likely to learn a few things. We find the lesser discussed issues like pirates stealing other pirates work interesting, as well as the part where pirates have to crack really boring software to have a release when there’s nothing better out there. Also worth noting, according to [Jason], the demoscene evolved from the little opening sequences from cracks. There are just too many interesting aspects to note here, even some porn related stories during the BBS days.

This is a great lesson from someone who is both knowledgeable and entertaining. [Jason] teaches this stuff without ever sounding stuffy, boring, or overly technical. Catch the video after the break.

Continue reading “You’re Stealing It Wrong: A Speech By Jason Scott” →