Security Hacks

1542 Articles

Medeco High Security Lock Picking

July 29, 2008 by 11 Comments


Despite, Hack a Day seeming to be fairly lock heavy lately, we’ve yet to cover a major story from The Last HOPE. At the conference, [Jon King] talked about vulnerabilities in Medeco locks and presented his Medecoder tool. Medeco is really what makes this story interesting; unlike the EU, the US has very few high security lock manufacturers. You pretty much have to use Medeco and it’s found in many government agencies.

The Medeco locks have a vertical row of six pins arranged like most pin tumbler locks. Unlike your average lock, the rotation of the pins is important. When the key is placed in the lock, it not only moves the pins to the correct height, it also rotates them to the correct orientation. A sidebar blocks the cylinder unless the pins are rotated properly. Each pin has three possible orientations. They’re biaxial as well, which means the pin’s offset point allows for three more possible positions.

Continue reading “Medeco High Security Lock Picking”

Lock Picking And Security Disclosure

July 28, 2008 by 5 Comments


Slate is running an interesting article about taking new security approaches to lock vulnerabilities. In the past, lock makers such as Medeco have been able to quietly update their product lines to strengthen their security, but as movements such as Locksport International gain popularity and lock picking videos on YouTube become dime a dozen, lock makers can no longer rely on security through obscurity. It’s no question that an increased interest in this field helps lock manufacturers to create more secure products, but because patching these flaws often means changing critical features of the lock, it becomes a very expensive game of cat-and-mouse.

Traditional lock picking has employed the use of picksets, like the credit card sized set given out sold at The Last HOPE, but more recent methods of lock hacking have used bump keys or even magnets. However, as manufacturers make their locks less susceptible to picking and bumping, not even high-security locks will ward off someone determined enough to create a copy of the key, either by observing the original or using impressioning, as [Barry Wels] covered in a recent talk at HOPE 2008.

Adeona: An Open Source Laptop Tracking System

July 26, 2008 by 24 Comments


Adeona is an open source internet-based laptop tracking system that is free to use. It’s available for Linux, OSX, and Windows XP/Vista. After installation, Adeona will submit at random intervals, anonymously encrypted updates on the computer’s location to servers on the Internet, specifically to OpenDHT, a free storage service. The information is kept on the servers for one week. If your laptop becomes lost or stolen, you can use the retrieval tool to access information about where your laptop was last used: the external IP address, internal IP address, and nearby routers. If your laptop is a Mac, you can also download isightcapture to grab a picture of the thief. Adeona is designed to protect against common criminals who may not have much technological knowledge, and does not have any protections against events such as disk wipes. The open source nature of Adeona’s system means that there’s ample opportunity to improve upon the release or add extensions. Here’s one user who really likes what he sees.

[via Schneier]

Five Plugins And Tips To Secure Your WordPress Blog

July 26, 2008 by 3 Comments


How do you protect your own blog from getting hacked? There’s never a foolproof answer, but with some added tools and caution, you can make your website a little safer from getting into harm’s way. Cats Who Code has five plug-ins and tips you can use to protect your WordPress install. Some of the tips are common sense advice that can apply to anything related to technology – such as making backups often and using strong passwords. Others include suggested plugins that can help you verify whether your WordPress install has any security holes, or small tricks to hide the version of WordPress you’re using. Do you have any useful plugins or tricks to share to keep your blog safe from hackers?

[via Digg]

Surveillance As Art

July 25, 2008 by 8 Comments


The Target Project is a graduate project from the Royal College of Arts in London. It is designed to make us question our relationship with surveillance technology and CCTV. This is a particularly meaningful demonstration for a country like Britain which is said to contain up to 4.2 million CCTV cameras or roughly 1 for every 14 people.

This project has two demonstrations on their site. The first is dubbed the RTS-2 (Racial Targeting System). This system is essentially a camera which follows faces and is able to analyze and interpret the person’s race. The second is SOLA. This system is able to quickly scan someone and calculate their body mass index then publish this information to the web. Both systems achieve their goal by blatantly pointing out a line in which more surveillance does not equate to more security. They also show the wealth of personal data that can be obtained about a person by a simple camera.

[via we make money not art]

Predictive Blacklisting With DShield

July 25, 2008 by 4 Comments


The DShield project is hoping to change how we protect our networks from malware with predictive blacklisting. Using a method similar to Google’s PageRank, DShield collects logs from network administrators to help develop a score based on maliciousness. They combine this score with information about where the malware has already hit to determine an overall threat level.

Similar to antivirus programs, the system still relies on networks being attacked to rate the threat level. They have shown though, that the predictive method is consistently more effective than manual blacklisting. The system has been available for free for the past year. Those utilizing the system have been reporting positive results. They do note that there are a few people whose network infrastructure doesn’t match up with the predictions very well. If you would like to participate, go to their site and sign up.

DNS Cache Poisoning Webcast

July 24, 2008 by 4 Comments


UPDATE: Full audio of the webcast is now available

Today Black Hat held a preview webcast with [Dan Kaminsky] about the massive DNS bug he discovered. On July 8th, multiple vendors announced a patch for an undisclosed DNS vulnerability. [Dan Kaminisky] did not release the details of the vulnerability at that time, but encouraged security researchers to not release their work, if they did happen to discover the bug. On the 21st, the full description of the vulnerability was leaked.

In today’s webcast, [Dan] covered how he felt about the handling of the vulnerability and answered a few questions about it. He started out by talking about how he stumbled across the bug; he was working on how to make content distribution faster by using DNS to find the server closest to the client. The new attack works because DNS servers not using port randomization make it easy for the attacker to forge a response. You can read the specifics of the attack here.

Continue reading “DNS Cache Poisoning Webcast”