May 21

In January 2011, well-known computer hacker George “GeoHot” Hotz discovered and published the keys to the Sony PlayStation 3 game console.  GeoHot had previously cracked the iPhone, allowing users to “jailbreak” their phone and run any software they want.

Crack Goes the PS3

Around the same time, another hacker group fail0verflow had also cracked the PS3 and released tools that enabled users to install the Linux operating system on the PS3.  The capability to turn the PS3 into a regular Linux computer was a favorite among geeks and hackers.  Sony originally provided this feature, but later angered the hacker community when it turned off the feature in 2010.

GeoHot took it to the next level and released the PS3’s “root key.”  This key authorizes hackers to run essentially any software on the PS3.  And a root key is nearly impossible to change without breaking all existing PS3 software.  Hence, GeoHot permanently and publicly cracked the PS3 platform.

Continue reading »

May 11

Imagine you are at a cocktail party.  You are having a private conversation with someone you thought was a trusted business associate.  You lean forward and whisper confidential information in his ear.  He immediately repeats what you said aloud.

Your secret may not be exposed – depending on whether anyone is within earshot – but this person has violated your trust.  You are unlikely to share any more secrets with him.

This is what it’s like when a website or online store emails your password in plaintext.  The vendor has violated your trust and called into question whether you should continue to do business with them.

Continue reading »

Jun 04

It’s a standard movie cliché: A hacker pounds away on his keyboard for 30 seconds to break a military-grade encryption scheme.  Nevermind that in real life it would take 8.4 million CPU years to factorize a 1024-bit number in software.  (Although the days of total security with 1024-bit RSA are coming to an end.)

SMBC, embedded with permission

Apr 21

During a recent security audit, a company discovered that a
blonde employee was using the following password:


When the company asked the blonde why she had such a long password, she said the login screen required the password to be at least 8 characters long and include at least one capital.

From Politically Incorrect Humor

May 21

Want to snoop on your friends’ porn viewing habits?  Then follow these simple steps:

Step 1.  Copy and paste some code into a widget on your website or blog.

Step 2.  Send you friends to the webpage where you put the widget.  Their porn history will be captured in the widget.

Step 3.  See what porn sites your friends have been visiting by looking at the widget you put on your website.

How does this work?  The widget takes advantage of a security leak in the web style sheets (CSS).  Your web browser displays links you have visited in a different color.  The code mentioned above displays a list of porn sites and detects which sites have been visited based on the link color.  The best/worst part of this trick is that will likely never be fixed because it is a fundamental feature of the Web browser.

We installed this on one of our blogs, and it failed to catch any of the porn sites that we’ve visited.  I guess isn’t considered porn.

I Caught You Watching Porn

Apr 07

From xkcd: A webcomic of romance, sarcasm, math, and language

More funny stuff

Mar 20

Presenters at the CanSecWest security conference detailed how to sniff data by analyzing keystroke vibrations using a laser pointed at a laptop computer, or through electrical signals coming from a PS/2 keyboard on a PC plugged into an electrical socket.

Using about $80 worth of equipment, researchers pointed a laser on the reflective surface of a laptop between 50 feet and 100 feet away and were able to determine what letters were typed.  Line-of-sight is required, but it works through a glass window.  Using an infrared laser would prevent the victim from discovering they are under surveillance.

In the second attack method, researchers were able to determine keystrokes on a PS/2 keyboard through a ground line from a power plug in an outlet 50 feet away.  They used a digital oscilloscope and analog-digital converter, as well as filtering technology to isolate the keystroke pulses from other power line noise.

Story at CNET

Mar 11

For decades we’ve been told by security software vendors that to truly delete data from a hard drive, you have to overwrite the data multiple times with different patterns of 0s and 1s.  But now we can file this away with other computer urban legends.

Computer forensics expert Craig Wright and his colleagues ran a scientific study that overwrites hard drive data and then examines the magnetic surfaces with a microscope.  They published their results in Lecture Notes in Computer Science as Overwriting Hard Drive Data: The Great Wiping Controversy.

The study concludes that after a single overwrite of hard drive data, the likelihood of being able to reconstruct a single byte is 0.97 percent.  The odds of recovering multiple sequential bytes of data (such as a password or document) are significantly less and would require exact knowledge of where on the hard drive the sensitive data is located.

This means data-wiping software that overwrites data up to 35 times may make you feel better, but it only wastes your time and money.

A much bigger data security hole is to overwrite all copies of the data that’s to be deleted.  This is not a problem if you are wiping an entire hard drive, but if you are trying to delete a single sensitive document, you have to worry about temp files, shadow copies, backups, file fragments, the Windows swap file, etc.

Jan 14

Experts from more than 30 U.S. and international cyber-security organizations jointly released a consensus list of the 25 most dangerous programming errors that lead to security bugs and cyber-crime.

The impact of these programming errors is significant.  Just two of these errors resulted in more than 1.5 million website security breaches during 2008.  These breaches allowed malicious software to take control of the computers that visited those web sites, turning their computers into zombies that committed further cyber-crimes.

Shockingly, most programmers do not understand or look for these errors.  Colleges rarely teach programming students how to avoid these errors.  And most software companies don’t explicitly test for these errors before releasing their products.

Continue reading »