Archive for the ‘Uncategorized’ Category
How many of those WordPress, Joomla, Drupal blogs, Web 2.0 products of various sorts and other websites do you go to that are encrypted using SSL (https)? How many times a day do you enter your credentials, or use cookie-based (the ‘remember me’ checkbox type) authentication on websites? Do you find yourself in coffee shops, or on other public wifi, frequently and sometimes wonder who is watching your traffic?
I know I do. Up until now I’ve been using SSH tunnels to get my traffic back home, where I know nobody is running a packet sniffer. The trouble with SSH tunnels, though, is that they’re fickle and often drop. I wanted a better solution – so I made one.
I was late to hear – by a day. That’s 10 years in internet time, as we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere – IRC, Twitter, other bits of the intarnets – that Kevin Mitnick got hacked. Everyone chuckled. As it turns out, a whole bunch of people got compromised. People I know personally and consider friends: Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.
Personal details were revealed – emails, chat logs – pretty scary stuff, and very sobering. A clear demonstration that things like cross-site scripting and the spreading of malware (likely for use in cascading spam or addition to botnets) are the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of creature comforts such as reusing passwords or even operating a WordPress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).
[EDIT] Unfortunately, I am no longer able to make this event. I’m sad, I really really wanted to go. [/EDIT]
I’m excited to announce that my talk was accepted and I’ll be speaking at ToorCamp this year! I’ll be giving a heavily augmented version of my peoplehacking talk, and including subject matter about kinesics, NLP and lie-detecting methodology.
If you’re into hacking people, or have any aspirations to get better at spotting liars, show up – if I have my way this will be a ‘Kaminsky-style’ talk – except I drink scotch.
So here’s the scoop:
The phishers phish more than just banking websites – Twitter is vulnerable to this just like any other website that takes login information.
That being the case, the phish is simple: you’re sent to a website that looks just like Twitter, but isn’t.
The site isn’t Twitter – so don’t give them your password!
Apparently people don’t think phishers target Twitter (well, maybe not after today). Some high-profile accounts were hacked today:
The need for security is ever-present. Please, watch where you’re going.
If you think you’ve been compromised, change your passwords immediately – and that doesn’t mean adding a 1 to the end of them.
I’ll be adding this subject matter to the Security 101 talk happening at RefreshSD in San Diego, at the Qualcomm campus, on the 13th.
A friend of mine, Damon (@dacort) recently put together a formal class to illustrate some of the vulnerabilities he’s found.
This class was geared more towards PHP and Rails rather than a sort of ‘introduction to personal security’, and went over things like cross-site scripting, cross-site request forgery, SQL injection, and some really neat tools I didn’t know about for enumerating databases behind vulnerable web apps.
REALLY REALLY neat stuff. If you’ve been to any of my talks, you should watch Damon’s.
He can be found over at startupsecurity.info