The ABCs of securing your wireless network

In this practical introduction to the basics of securing your home wireless network, we'll cover the important, high-level points that ordinary users need to know in order to secure a network of game consoles, phones, and PCs. Along the way, we'll also recap some of the relevant information from the original wireless blackpaper...

Link:
http://arstechnica.com/.../wireless-security.ars

AVG Free v8.0 released

Basic antivirus and antispyware protection for Windows available to download for free. Limited features, no support, for private and non-commercial use only.

Features:

• Virus and spyware protection
• Safe web surfing, downloading and instant messaging
• Hacker attacks prevention
• Phishing and E-Mail scam blocking
• Stops threats before they become a problem

I use and install AVG on most of my systems and it has done well for me. This is worth checking out and for the price (free), why not.

Link:
http://free.grisoft.com/ww.download

Hack into a Windows PC - no password needed

A security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.

Link:
http://www.theage.com.au/news/security/...

Microsoft's Rich Signature (undocumented)

In this article I'm going to try to provide documentation for the undocumented Rich Signature produced by Microsoft compilers. I'm not completely sure when this signature was introduced, I wrongly believed that I had been introduced with Visual Studio 2003, but I was shown that it is present even in VC++ 6 executables. So, I guess this signature has been introduced with that compiler. Information about this topic is non-existent (seems strange, but it's a fact). Thus, most readers probably don't know what I'm talking about.

Link:
http://ntcore.com/Files/richsign.htm

Free online virus scanner with Virustotal

Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.

Link:
http://www.virustotal.com/

(found through DonationCoder.com)

Suite of hacker tools with no install Linux distro

Knoppix STD is a Linux-based Security Tool. Actually, it is a collection of hundreds if not thousands of open source security tools. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can.

Knoppix STD doesn't even have to be installed. Just burn it to a CD, place it in your CD drive, reboot the computer and let it boot from the CD. Knoppix STD will be setup for you. Couldn't be easier to play around with a Linux distro or in this case test out some hacker tools. (built ontop of Knoppix)

Link:
http://www.knoppix-std.org/


Other distros to check out:

• Slax - Some cool custom distros, each for a certain purpose (all fits on a single CD)
• Helix - Used for computer forensics (built on Knoppix)

theBroken - How to hack a wireless network

Was going to embed it here but they made it too wide for a standard Blogger template.

Link:
http://revision3.com/thebroken/ep1/

Exploit-Me lets you test the security of your website

Unsure if your website is as secure as it should be? Then check out the Exploit-Me suite to test the two most common, and well known, forms of attack; Cross Site Scripting (XSS) and SQL Injection.

XSS

XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS) vulnerabilities.

SQL Injection

SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

Link:
http://www.securitycompass.com/exploitme.shtml

WirelessKeyView lets you recover lost WiFi passwords

Freeware application WirelessKeyView recovers the wireless network keys saved to your computer by the Windows Wireless Zero Configuration service of XP or the WLAN AutoConfig service in Vista. As with any password-finding tool...

Link:
http://lifehacker.com/366649/...

How They Hack Your Website: Overview of Common Techniques

When you consider that you can go to Google right now and enter a search string which will return you thousands of usernames and passwords to websites, you realize that this dark science is really no mystery at all. You’ll react similarly when you see just how simple a concept SQL Injection is, and how it can be automated with simple tools. Read on, to learn the basics of how sites and web content management systems are most often hacked, and what you can do to reduce the risk of it happening to you.

Methods Discussed:

• SQL Injection
• Cross Site Scripting (XSS)
• Authorization Bypass
• Google Hacking
• Password Cracking

Link:
http://www.cmswire.com/cms/web-cms/...

PayPal to Safari users: 'Ditch it'

The reason for the warning is Safari's lack of anti-phishing technology. Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords.

Link:
http://.../paypal-to-safari-users-ditch-it

Howto: Hack a web server using a Google Search

The "Cult of the Dead Cow" hacker group – cDc for short – has published a tool that searches for vulnerabilities and private information across the web. Using well-chosen Google search queries, Goolag Scan discovers links to vulnerable web applications, back doors, or documents inadvertently put on the internet that contain sensitive information.

This kind of "Google hacking" is already well known: a hacker using the pseudonym Johnny has already published quite a collection of these "Google Hacks" or "Google Dorks" on his web site ihackstuff. What cDc has done is create an automated tool that allows an unskilled hacker to use these same techniques.

Read about it:
http://.../Cult-of-the-Dead-Cow-Google-into-a-vulnerability-scanner

Some standalone hacks for Google (no application required):
http://johnny.ihackstuff.com/ghdb.php

Three tips to protect your WordPress installation from Matt Cutts

Secure your /wp-admin/ directory
Make an empty wp-content/plugins/index.html file
Subscribe to the WordPress Development blog

I just did two of these on a WordPress blog I admin. Very easy to do and gives you a bit more piece of mind.

Read about how at:
http://.../three-tips-to-protect-your-wordpress-installation/

Is your unlisted address available to anyone?

If you think your unlisted number and address will help protect your privacy then you may be mistaken.

Read all about the exploit here:
http://lauren.vortex.com/archive/000347.html

Then go here:
http://digitallanding.com/

Use the Search for Offers on the right. Enter an unlisted number and see if it returns the proper address. It did in one of my tests.

Will the exploit be plugged like it says here:
http://lauren.vortex.com/archive/000348.html

It may, but others will popup or are already out there waiting to be discovered.

Gmail's old security flaw still may pose a problem

Read about what can happen:
http://www.davidairey.co.uk/google-gmail-security-hijack/

Then go and make sure you have no unwanted filters in your Gmail account:
Login -> Settings -> Filters

How does your antivirus stack-up?

The antivirus applications were tested against more than 25,000 viruses.

Applications tested:

• AntiVir PE Premium
• NOD32
• TrustPort
• BitDefender Pro
• Kasperksy
• Dr. Web
• AntiVirusKit
• Avast! Professiona
• Norton
• Microsoft OneCare
• McAfee
• Norman
• F-Prot
• AVG Anti-Malware
• F-Secure
• eScan
• FortiClient

Link:
http://cybernetnews.com/.../best-antivirus-retrospective-tests/

Internet Explorer and Firefox Vulnerability Analysis Report

For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users as the browser interprets Web content and programs delivered from around the world.

Over the past few years, there has been much discussion of the need for improvements in browser security, but few hard data studies performed to support assertions concerning the security of available browsers.

This report documents the results of my analysis of Internet Explorer and Firefox vulnerabilities over the past few years since Internet Explorer 6 on Windows XP SP2 became available and Mozilla launched Firefox.

Link:
http://.../download-internet-explorer-and-firefox-vulnerability-analysis

Make Password back online

Make Password is back online after a server issue that caused it to not function properly. Thanx to a very helpful person it was brought to my attention and all is resolved.

Link:
http://www.maord.com/

EURion constellation

The EURion constellation is a pattern of symbols found on a number of banknote designs since about 1996. It is added to help software detect the presence of a banknote in a digital image. Such software can then block the user from reproducing banknotes to prevent counterfeiting using colour photocopiers.

Pretty interesting on the mechanism that copy machines use to detect and block the copying of a banknote.

Link:
http://en.wikipedia.org/wiki/EURion_constellation

Quantum cryptography

Elections were transmitted using a secure encryption encoded by a key generated using photons -- tiny, massless packets of light. Since this method uses physics instead of math to create the key used to encrypt the data, there's little chance it can be cracked using mathematics.

Link:
http://.../quantum-cryptology.htm

Password strength value added to Make Password

Make Password has been expanded to included a Password Strength value that can be added to the generated password list. This value is a number from 0 to 100 with 100 being a very strong password and 0 being a weak password.

I think this can help when people are creating large lists of passwords as you will now know the strength of the password.

Want something else added or have comments about Make Password then please feel free to drop by the Forum.

Link:
http://www.maord.com/

How strong are your passwords?

Microsoft has an online Password Strength Checker that will let you know. If your passwords are too weak, or you are looking for password ideas, then check out the article on How to create strong passwords.

Also, if you're looking to make a whole bunch of passwords at a single time then check out Veign's Online Password Creator.

Link:
http://.../protect/yourself/password/checker.mspx

Find Out If Your Computer Is Secretly Connecting to the Web

If you are trying to track down why your computer is running so slooowwwly, try using this simple DOS command from Digital Inspiration to uncover a possible problem:

• Type cmd in your Windows Run box.
• Type "netstat -b 5 > activity.txt" and press enter.
• After say 2 minutes, press Ctrl+C.
• Type "activity.txt" on the command line to open the log file in notepad (or your default text editor)

Or
Use TCP View from SysInternals

As found on LifeHacker:
http://.../find-out-your-computer-is-secretly-connecting-to-the-web

How Windows Update Keeps Itself Up-to-Date

There have been some questions raised about how we service the Windows Update components and concerns expressed about software installing silently. I want to clarify the issue so that everyone can better understand why the self-updating of Windows Update acts the way it does.

Link:
http://.../how-windows-update-keeps-itself-up-to-date.aspx

Website Security Information

Email Injection:

http://www.securephpwiki.com/index.php/Email_Injection

Cross-site Scripting (XSS):

http://ha.ckers.org/xss.html

SQL Injection:

http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

Top 15 free SQL Injection Scanners:
http://.../top-15-free-sql-injection-scanners

SQL Injection Walkthrough:
http://www.securiteam.com/securityreviews/...

Windows passwords safe? - Rainbow Hash Cracking

To understand how rainbow tables work, you first have to understand how passwords are stored on computers, whether on your own desktop, or on a remote web server somewhere.

Passwords are never stored in plaintext. At least they shouldn't be, unless you're building the world's most insecure system using the world's most naïve programmers. Instead, passwords are stored as the output of a hash function. Hashes are one-way operations. Even if an attacker gained access to the hashed version of your password, it's not possible to reconstitute the password from the hash value alone.

But it is possible to attack the hashed value of your password using rainbow tables: enormous, pre-computed hash values for every possible combination of characters. An attacking PC could certainly calculate all these hashes on the fly, but taking advantage of a massive table of pre-computed hash values enables the attack to proceed several orders of magnitude faster-- assuming the attacking machine has enough RAM to store the entire table (or at least most of it) in memory. It's a classic time-memory tradeoff, exactly the sort of cheating shortcut you'd expect a black hat attacker to take.

Link:
http://www.codinghorror.com/blog/archives/000949.html

Elk Cloner was the first

ELK CLONER, 1982: Regarded as the first virus to hit personal computers worldwide, "Elk Cloner" spread through Apple II floppy disks and displayed a poem written by its author, a ninth-grade student who was designing a practical joke.

Read about the other notorious computer viruses over the past 25 years.

Link:
http://www.physorg.com/news107790295.html

Facebook Home Page Code Leaked!

Not much to say except you can see the source code driving the homepage of Facebook.

Link:
http://facebooksecrets.blogspot.com/

Options to hide your email address from spam bots

Wired magazine has a small article on how to protect your email address from spam bots when publishing on your website.

Link:
http://...page_name=hide_your_e_mail_address_from_spam_bots

PayPal Security Key

This is a quick post about a physical security key you can get to better protect your PayPal account. Very nice option.

Link:
http://www.sarahintampa.com/.../high-security-w.html

Mozilla Releases Hacker Tools

Mozilla is beginning to give away programs used by both the good guys and the bad guys to discover critical program vulnerabilities.

The programs, called fuzzers, have so far been for internal use only. Fuzzers poke at programs in search of vulnerabilities that can arise when an application receives data it doesn't expect.

Link:
http://blogs.pcworld.com/staffblog/archives/005059.html

Mozilla Security Blog:
http://blogs.mozilla.com/security

SideJacking: Stealing information when you connect to someone else's WiFi

Users may think that their personal data is safe when they use a secure login page online, but that's quite far from the truth. In fact, everything from the contents of your e-mail, who your friends and acquaintances are, and almost anything else you can think of could be easily exposed by hackers if browsed via WiFi network, security firm Errata Security pointed out in a recent paper presented at this year's Black Hat 2007 and seen by Ars Technica.

Link:
http://...-report-sidejacking-session-information-over-wifi-easy-as-pie

Comodo Free Firewall is better than what comes with WinXP

Unfortunately, most firewalls leak. But Comodo's Firewall is unique in that it passes all known leak tests to ensure the integrity of data entering and exiting your system. Comodo has put firewall through all kinds of sophisticated tests to ensure its firewall powerful enough to ward off these attacks with default settings. No other firewall has had to work this hard.

Features from Comodo's website:

• PC Magazine Online's Editor's Choice
• Secures against internal and external attacks
• Blocks internet access to malicious Trojan programs
• Safeguards your Personal data against theft
• Delivers total end-point security for Personal Computers and Networks

I was a long time user of Sygate's personal firewall but when it was acquired by Symantec no more updates were provided and the firewall and all future development just died. I continued using Sygate until locating Comodo, and so far, has proved to be a great firewall.

Link:
http://www.personalfirewall.comodo.com/

Mozilla Admits Firefox Exploit Caused by Firefox Bug, Not IE

Mozilla Admits Firefox Exploit Caused by Firefox Bug, Not IE: "On July 10, engineers at Secunia issued a security advisory, rated 'Highly Critical,' warning Firefox users that their browser could be tricked into executing arbitrary JavaScript code. Soon afterward, Mozilla developers issued a statement saying the problem was caused by Internet Explorer, which could trick Firefox into executing that code. This morning, Mozilla security chief Window Snyder had to issue a retraction, stating Firefox could just as easily trick Firefox into doing the same thing"

Link:
http://.../Mozilla_Admits_Firefox_Exploit_Caused_by_Firefox...

Top tech support forum helps in all areas.

Tech Support Guy is one buzzing forum with lots of groups and 100K's of posts. If you need some help with anything computer than check this forum out. Even if you don't want to ask a questions just using their search feature can probably yield a discussion going on.

Link:
http://forums.techguy.org/

Ad-Aware 2007 released (free version)

Whats New:

• Redesigned Engine – Benefit from superior program flexibility and more accurate scanning methods with all-new program architecture.
• Improved Code Sequence Identification (CSI) Technology – Boost your privacy protection with precise detection of embedded malware, including known and emerging threats.
• Incremental Definition File Updates – Save precious time and resources with smaller update files resulting in faster download times.
• TrackSweep - Control privacy by erasing tracks left behind while surfing the Web on Internet Explorer, Firefox, and Opera, with one easy click.
• Multiple Browser Support – Choose Internet Explorer, Firefox, or Opera with expanded browser support.
• New Straightforward User Interface – Effortlessly maneuver the complexities of malware detection and removal with our new user-friendly interface.

Link:
http://www.lavasoft.com/products/ad_aware_free.php

Browser are not quite secured, yet

Polish hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE 6, IE 7 and Firefox 2.0.

Read the whole story:
http://blogs.zdnet.com/security/?p=254

See one of the IE security holes:
http://lcamtuf.coredump.cx/ierace/

Remove your phone number from Google's Phonebook

Use the PhoneBook name removal tool from Google of course.

X9 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 CX

Edited: The first and last numbers have been X'd out...

Does that number mean anything to you? Apparently a lot of people are up in arms over it and people posting about it are being threatened with legal ramifications.

"It’s the HD-DVD Processing Key for most movies released so far. I was not aware that a string of numbers and letters was copyrightable. Perhaps its just my ignorance but it seems that someone is abusing the DMCA again.

This means the (admittedly long) number is precisely the key you need in order to decrypt and watch HD-DVD movies in Linux (oh, okay, maybe software is also required). And the fact that it’s out there, spreading like wildfire, is killing the types at the movie studios right now."

This story is spreading like wild-fires and Digg has even removed posts containing the number. Is this huge? Is this a well executed hoax? The next few days will tell.

Link:
http://.../spread-this-number/

AVG anti-rootkit to compliment their great free anti-virus software

AVG Anti-Rootkit is a powerful tool with state-of-the-art technology for detection and removal of rootkits. Rootkits are used to hide the presence of a malicious object like trojans or keyloggers on your computer. If a threat uses rootkit technology to hide itself it is very hard to find the malware on your PC. AVG Anti-Rootkit gives you the power to