Posts Tagged: Security


30 Apr 10

Fun with Secret Questions

If you’re working in security, this will make you laugh. Hard.

“Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions:

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.”

You MUST READ the comments to the original post – there’s some HILARIOUS stuff in there, like

Q: Sir, before I begin, I would like to remind you that we do not serve gays, latinos, women, or people over the age of 50. Are you any of those things, sir?
A: Yes and I’ll be seeing your ass in court.

Great.


26 Jan 10

Free luggage protection courtesy of the TSA

Are you worried about your luggage getting lost? Carrying expensive camera or computer gear and want to make sure it arrives at your destination?
Try this (by Bruce Schneier):

“I have a starter pistol for all my cases. All I have to do upon check-in is tell the airline ticket agent that I have a weapon to declare…I’m given a little card to sign, the card is put in the case, the case is given to a TSA official who takes my key and locks the case, and gives my key back to me.

That’s the procedure. The case is extra-tracked…TSA does not want to lose a weapons case. This reduces the chance of the case being lost to virtually zero.

It’s a great way to travel with camera gear…I’ve been doing this since Dec 2001 and have had no problems whatsoever.”

That’s probably the most creative way of getting the TSA to actually do something useful ;)


29 Sep 09

Microsoft Security Essentials available for download – FREE


Get it now!


4 May 09

European Identity Conference 2009 – May 5th to May 8th


I’ll be spending the rest of this week visiting European Identity Conference 2009 in Munich. I was there last year, and it’s an event worth visiting – a diverse set of great personalities in the identity space, and a perfect opportunity for networking.

I’ll be blogging and twittering (use hashtag “#eic2009”) here, and you can follow more information about the event on EventTrack.


See you there!


21 Aug 08

The danger of the Kill Switch

There has been a lot of talk around the “kill switch” that Apple seems to have implemented in the iPhone.

While people say that the review apps go through before they are released in the App Store should prevent Apple from ever having to use it, I can understand why that will not work: the review can only be superficial, and malicious functionality may be well hidden in an app.

There are already two ways to disable the kill switch (one more reason to jailbreak your iPhone): the new version of BossPrefs and a quick /etc/hosts hack.

The bigger danger, however, is someone misusing the kill switch. The URL seems to be https://, so redirecting it to a different server should not be possible (provided the iPhone really does check the site certificate; pointing the hostname at another address via /etc/hosts can stop the call from succeeding, but impersonating the server would additionally require defeating that certificate check). If BossPrefs can disable the switch, this of course also means that a malicious app with the same level of access could point the call to a different server and either spy on you or disable your apps at will.

I wouldn’t be surprised to see this “feature” prominently discussed on one of the next security conferences.


6 Aug 08

How a baby became Bin Laden

I’m always wondering about the trend towards more IT in passports, government transactions and medical systems. Stuff like that has been pushed by the industry for years now, without ever bothering about its usefulness or – behold – its business case. In my view, this is driven purely by vendor sports.


Look at this:

“Jeroen van Beek takes the passport of a 16-month-old British boy and puts it on to a £40 smartcard reader the size of an iPod. He punches a code into his computer and, within seconds, the information contained in the passport’s microchip appears on screen.

This is not supposed to happen, as communication between the chip and the reader uses powerful encryption, but a renowned British computer expert called Adam Laurie worked out how to crack the code 18 months ago.
[...]
On his computer, Mr van Beek alters the cloned chip and removes the image of the child, the Times photographer Michael Crabtree’s son, Thomas, and replaces it with the image of Osama bin Laden. He does the same with the passport of my partner, Suzanne Hallam, installing the image of Hiba Darghmeh, a Palestinian suicide bomber instead. And, if the chips had contained other biometric data, such as fingerprints or iris scans, he could have changed those too.”

Passports are often valid for 5 years or more, and by the time a technology gets from the sales pitch to the roll-out, it is probably 5 years old already.

I have spent roughly 10 years in PKI and security related topics, and I haven’t seen a single technology that could be secure over such long time periods.


15 Apr 08

test.com

Last week we started testing an application that I implemented for a customer. Part of that application does approval workflows, so we had to create test users. We did not want to disturb real users with emails, so the customer created the test users with “name.lastname@test.com” email addresses.

After about a week we started getting bounce messages from postmaster@test.com ;)

The emails that were sent also contained user names and passwords for the newly created users. Granted, only for test systems that are not reachable from the outside, but still: in this day and age, you need to be careful with email systems.

I wonder how many emails, and how many ones with “interesting” content, the postmaster for test.com is receiving from people all over the world…

Time to ask yourself: what are you entering in the email address field when you’re testing something, or providing dummy data in a web registration form?
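One practical answer to that question is to only ever use domains that can never deliver mail. The following is an added example (not part of the original post) that checks a list of test-user addresses against the domains RFC 2606 reserves for documentation and testing: the top-level domains .test, .example, .invalid and .localhost, plus example.com, example.net and example.org. Those names are guaranteed never to be delegated, so mail sent to them cannot reach a stranger’s postmaster. The sample addresses and the function names are constructed for the example.

```python
"""Flag dummy e-mail addresses that could deliver to a real mailbox.

Added example, not code from the original post. It relies on RFC 2606, which
reserves the TLDs .test, .example, .invalid and .localhost and the domains
example.com, example.net and example.org for exactly this purpose. test.com,
by contrast, is an ordinary registered domain with a real postmaster.
"""
from __future__ import annotations

RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}


def _domain_of(address: str) -> str | None:
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # Normalise case and a trailing dot so "EXAMPLE.NET." matches "example.net".
    return domain.lower().rstrip(".")


def is_safe_test_address(address: str) -> bool:
    """True only if the address lies in an RFC 2606 reserved domain."""
    domain = _domain_of(address)
    if domain is None:
        return False  # malformed input is treated as unsafe so it gets noticed
    labels = domain.split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    # example.com itself or any subdomain of it (e.g. dev.example.com).
    return any(domain == r or domain.endswith("." + r) for r in RESERVED_DOMAINS)


def find_leaky_addresses(addresses: list[str]) -> list[str]:
    """Return the addresses that could deliver to a real mailbox."""
    return [a for a in addresses if not is_safe_test_address(a)]


# Constructed sample data resembling the test users described in the post.
SAMPLE_TEST_USERS = [
    "john.doe@test.com",         # real, registered domain: bounces land at a stranger's postmaster
    "jane.doe@example.com",      # reserved by RFC 2606: safe
    "approver@dev.example.org",  # subdomain of a reserved domain: safe
    "reviewer@workflow.test",    # reserved TLD: safe
    "admin@localhost",           # reserved TLD: safe
    "nobody@tester.com",         # looks like test data but is a normal domain
    "broken-address",            # malformed: reported so it is not silently accepted
]

if __name__ == "__main__":
    for addr in find_leaky_addresses(SAMPLE_TEST_USERS):
        print("unsafe test address:", addr)
```

Running the check over the sample list reports the two real-domain addresses and the malformed one; a check like this belongs wherever test fixtures or dummy registration data are generated, so the mistake is caught before the first message leaves the mail server.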


28 Feb 08

Security Problem Excuse Bullshit Bingo Generator

Via Fefe

http://www.crypto.com/bingo/pr

Use at your own discretion. Great fun for the RSA conference, probably ;)