Category: Security

  • Apple iPhone “Jailbreak” FUD

    Apple may well have good and fair reasons to keep users from “jailbreaking” their iPhones, however the arguments as presented in the article are just FUD: If AT&T’s cell network is this vulnerable, we have far greater worries than a little iPhone hacking. After all, Apple’s argument is essentially to keep jailbreaking out of […]

  • Useful browser check…

    Apparently a lot of compromised browsers purposefully send a modified “UserAgent“, for instance: UserAgent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) that “AnitvirXP08” isn’t supposed to be there and best guess is it helps web sites that work […]

  • A moment of mourning…

    Time to hold a moment of mourning. It appears that WPA (fortunately not WPA 2 yet) has been cracked: I realize Erik Tews is probably a good person and all and probably believes he’s helping the world by finding this vulnerability before the “real” hackers do, but ultimately I’m unimpressed. The fact is, […]

  • Just when you thought it was safe in the Universe again…

    Dang, now that’s a hack allright: Fortunately they missed the “Create Black Hole” setting…

  • RedHat gets hit this time…

    It just goes to show, if you think you’re safe, you’re not. This time RedHat was hit: This is pretty ugly since it involves the signing of certificates used to validate the RPM repositories and RPMs themselves. RedHat claims that the “passphrase“s for the certificates weren’t compromised, so no harm no foul. However it’s […]

  • Brilliant article with x-Hannaford CIO

    StorefrontBacktalk has a short but brilliant article with the former CIO, Bill Homa, of Hannaford grocery chain who suffered a major breach of credit card data: There are three particular points that stand out: That Microsoft is still so hole ridden as to put your company at additional risk. That PCI is still not […]

  • WPA versus WPA2?

    So what’s the difference? Not much or a lot depending on your opinion. WPA uses TKIP for key management, whereas WPA2 uses AES-CCMP. Usually depending on how the AP has been set up, you can use either (TKIP or AES-CCMP) interchangeably, thus using WPA or WPA2 as needed. Many older devices like those running Windows […]

  • WPA resources

    When researching using WPA on Ciscos I ran into a lot of useful URLs as resources. If you’re in the same bind, you may find them helpful too: Not a pretty list, but still good to […]

  • What is 802.1x?

    If you’re investigating things like enterprise WPA and/or NAC based network control you’ll probably run into the fact that it uses 802.1x protocol. So what is 802.1x? Basically the long and short of it is IEEE 802.1x is just a protocol to pass EAP over wired/wireless LANs. EAP on the other hand is just a […]

  • If using WPA-PSK, use a long key!

    If you must use WPA-PSK (meaning WPA with a pre-shared key, rather than WPA using 802.1x authentication via Radius), make sure your key is sufficiently long. Ideally 20 characters or more. To quote: Robert Moskowitz’s article, “Weakness in Passphrase Choice in WPA Interface,” describes a theoretical attack on WPA passwords. The tools WPA-psk-bf, CoWPAtty and […]