Rob O’Hara on phreaking, Tesla coils and modems

Rob O’Hara posted a podcast about phreaking today. He explains in layperson’s terms how the phone system was controlled by tones, cites it as an example of security through obscurity, and he talks about his own first-person experience subverting the phone system. He was far from the only one who did that.

Read more

The 1 TB-ish SSD: The Micron M500

Anandtech has a review of the Micron M500, which is the first 960 GB SSD to retail for less than $600. Micron had to make some decisions to get that combination of capacity and price, so it’s not truly a no-compromises SSD, but like the article states, it’s a not-quite-a-terabyte capacity at the price that the best 80 GB drive was selling for in 2008. That’s a long way to come in five years. At $599, the price is high, but it’s not out of reach. If you really need that much high-speed capacity, you can probably come up with that sum.

And the drive’s reception has been very good. It’s backordered everywhere I’ve looked. Read more

If you use a Linksys router, you need to drop everything now and upgrade it

If you own a Linksys WRT54GL or EA2700 router, both devices have serious security vulnerabilities. Serious enough that the only way to continue using them safely is to load an alternative firmware such as DD-WRT on them. That’s not entirely a bad thing; DD-WRT is more capable, and unlike most consumer-oriented firmware, allows you to disable WPS.

The EA2700, in particular, is so trivially easy to hack it’s laughable–all it takes is entering a predictable URL into a web browser. That’s it.

Read more

The AMI BIOS breach of 2013

A security professional’s nightmare happened to AMI this week. Tons of confidential data, including the source code for the UEFI BIOS for Intel Ivy Bridge-based systems and an AMI-owned private key for digital signatures, turned up on a wide-open FTP server for all comers to download anonymously. This AMI BIOS breach has numerous implications.

The implications are nearly limitless. To a malware author, this is like finding a hollowed-out book at a garage sale stuffed with $100 bills with a 25-cent price sticker on the front. If you’re a budding security professional, count on being asked in job interviews why you need to protect confidential information. The next time you get that question, here’s a story you can cite.

Read more

Although it’s counterintuitive, AT&T’s new password policy makes sense

AT&T has a new password policy that forbids the use of certain common words in passwords, including some words of a colorful nature.

Yes, it reduces the number of possible passwords, but that isn’t exactly a bad thing.

Read more

We need to fix CISPA, not kill it

Here’s a good plan for fixing CISPA. And CISPA needs to be *fixed*, not stopped. We have three alternatives right now:

Secure the Internet
Voluntarily pare back the Internet
Wait for the Internet to fall apart and/or become too dangerous to use anymore

Given the unpleasant side effects of options 2 and 3, option 1 is all that’s left. Otherwise, the Internet will become a weapon of mass destruction. Keeping a hacktivist group or rogue nation from shutting down all gas and electric power in New York City on the coldest day in January is CISPA’s goal. Read more

The ethics of writing nefarious security instructions

This week I posted a link to a video showing how to crack a WPS-enabled wifi network, and this week, Ars Technica wrote a firsthand account of cracking a password list. I’m sure this raises questions of ethics in some people’s minds. To be honest, spreading this kind of information makes me a little uncomfortable too, but I also think it’s necessary.

Read more

The Internet is at war. Please read this if you run a DNS server.

A Dutch ISP that acts as a spam haven is DDOSing Spamhaus, and they’re using DNS to do it. The attack is using spoofed DNS queries to create, basically, a smurf-like attack. And the sheer volume of traffic is likely to affect the Internet as a whole.

That might explain why my recruiters were complaining that it was taking forever to look up job postings today. (Yes, I can publicly admit that I’m talking to recruiters. That’s another story.)

But basically, if you run a DNS server, you need to check your configuration to keep lowlives from using your DNS as a weapon. Here is a useful page for those of you running BIND, the one of the most popular DNS servers.

This was the most common type of attack in 2012; it looks like some people are trying to up the ante in 2013. We can make it stop, but every sysadmin running a DNS server is going to have to pitch in to help.

No, it doesn’t take a “serious hacker” to crack wi-fi through WPS

John C Dvorak is raving in PC Magazine about Netgear wireless routers and range extenders and how easy WPS makes it to set them up–and providing some very seriously flawed security advice along the way.

“Note that WPS is crackable by serious hackers using brute-force attack, but any SOHO user not dealing with government secrets should be fine.”
Read more

How to check to see if a FedEx or UPS e-mail message is real

“Did you order anything lately?” my wife asked me.

“Not that I can think of,” I said.

“We got this e-mail about a FedEx package that they couldn’t deliver on the 17th,” she said. “It has a ‘print receipt’ button.”

Don’t click on that button.

Read more