Create Your Own Public Key Certificate Using OpenSSL

December 30, 2008 – 6:36 PM

This is a great howto from Didier Stevens about creating your own public key certificates using only OpenSSL.

Researchers devise undetectable phishing attack

December 30, 2008 – 11:49 AM

With the help of about 200 Sony Playstations, an international team of security researchers has devised a way to undermine the algorithms used to protect secure Web sites and launch a nearly undetectable phishing attack.

To do this, they exploited a weakness in the way some digital certificates, the documents Web sites use to prove that they are who they claim to be, were signed. By taking advantage of known collision attacks against the MD5 hashing algorithm, which Verisign’s RapidSSL.com certificate authority was still using to sign certificates, the researchers obtained an ordinary, legitimately signed certificate from RapidSSL whose signature also validated a rogue CA certificate they had prepared in advance. With that rogue CA in hand, they could create trusted certificates for any Web site on the Internet.

Hashes are used to create a “fingerprint” for a document, a number that is supposed to uniquely identify a given document and is easily calculated to verify that the document has not been modified in transit. The MD5 hashing algorithm, however, is flawed: it is possible to construct two different documents that have the same hash value. Because a certificate authority signs only the hash of a certificate, a signature issued over the legitimate certificate is also a valid signature over any other certificate with the same MD5 hash. That is how the researchers turned a signature on a harmless Web site certificate into a signature on a rogue CA certificate, and it is also why a phishing site’s certificate could be made to validate just as well as the genuine site’s.

Using their farm of Playstation 3 machines to perform the collision search, the researchers built a “rogue certificate authority” that could then issue bogus certificates that would be trusted by virtually any browser. The Playstation’s Cell processor is popular with code breakers because it is particularly good at the kind of bulk arithmetic that cryptographic searches require.
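The two OpenSSL tasks a practitioner would want from the howto above and from this story are (1) minting your own certificate and (2) checking which digest a certificate’s signature actually uses, since the attack only works against a CA that still signs with MD5. The script below is an added example, not Didier Stevens’ howto and not the researchers’ code; the subject name, key size, lifetime and temporary directory are arbitrary choices, and the MD5-signed certificate is only produced if the local OpenSSL build still allows it.

```shell
#!/bin/sh
# Added example: create a self-signed certificate with OpenSSL, read back its
# signature algorithm and fingerprint, and refuse certificates signed with a
# broken digest. Assumes an OpenSSL 1.1 or 3.x command-line tool in PATH.
set -eu

# make_selfsigned_cert DIR CN DIGEST
# Writes DIR/key.pem and DIR/cert.pem, signing the certificate with DIGEST
# (sha256, sha1, md5, ...). Prints the path of the certificate.
make_selfsigned_cert() {
    dir=$1; cn=$2; digest=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days 365 -"$digest" -subj "/CN=$cn" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir/cert.pem"
}

# cert_sigalg CERT: prints the signature algorithm OpenSSL reports for the
# certificate, e.g. sha256WithRSAEncryption or md5WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm: *//p' | head -n 1
}

# cert_fingerprint CERT: SHA-256 fingerprint of the DER encoding, colon
# separated. This is the "fingerprint" the article talks about; computing it
# with SHA-256 rather than MD5 is what makes it useful for pinning.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# reject_weak_sigalg CERT: returns 0 if the signature digest is still
# acceptable, 1 if it is MD5 (the RapidSSL case) or SHA-1.
reject_weak_sigalg() {
    alg=$(cert_sigalg "$1")
    case "$alg" in
        md2*|md4*|md5*|sha1*|*MD2*|*MD4*|*MD5*|*SHA1*)
            printf 'REJECT %s\n' "$alg"; return 1 ;;
        *)
            printf 'OK %s\n' "$alg"; return 0 ;;
    esac
}

# Demo: a SHA-256 signed certificate for a made-up host name.
tmp=$(mktemp -d)
cert=$(make_selfsigned_cert "$tmp" example.test sha256)
printf 'signature algorithm: %s\n' "$(cert_sigalg "$cert")"
printf 'sha256 fingerprint:  %s\n' "$(cert_fingerprint "$cert")"
reject_weak_sigalg "$cert"

# The same certificate signed with MD5, if this OpenSSL build still permits
# it. A CA issuing such certificates is exactly what the collision attack needs.
if make_selfsigned_cert "$tmp/md5" example.test md5 >/dev/null 2>&1; then
    reject_weak_sigalg "$tmp/md5/cert.pem" || true
fi
```

Run it as-is to get a throwaway certificate in a temporary directory; point `reject_weak_sigalg` at any PEM certificate you have been handed (or at `openssl s_client -showcerts` output saved to a file) to see which digest its issuer used.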

Source:
http://www.networkworld.com/news/2008/123008-researchers-devise-undetectable-phishing.html?fsrc=rss-security

Clone Your VirtualBox Image

December 29, 2008 – 7:29 PM

I found out the hard way that you cannot simply copy your .vdi file, rename it, and add it to your system as a second virtual machine.  Each VDI file carries a UUID, and a single VirtualBox installation will not register the same UUID twice.  You have to “clone” it, which writes a copy with a fresh UUID.  The screenshot below is from Ubuntu 8.10:

[screenshot: VBoxManage clonevdi output]

When finished, it displays the new file’s UUID and the copy is ready to add.
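The command-line equivalent of the clone step, as an added example rather than anything from the post: a small wrapper that refuses to clobber an existing image, runs the clone, and reads the new UUID back. It assumes `VBoxManage` from the VirtualBox release of that era, where the subcommand is `clonevdi` (later releases renamed it `clonehd` and then `clonemedium`, and `showhdinfo` became `showmediuminfo`); adjust the two subcommand names for your version.

```shell
#!/bin/sh
# Added example: clone a VirtualBox disk image with a fresh UUID and print
# that UUID. Assumes VBoxManage from VirtualBox 2.x (clonevdi / showhdinfo).
set -eu

# clone_vdi SOURCE.vdi DEST.vdi
# Exit codes: 2 source missing, 3 destination already exists,
#             4 VBoxManage not installed, otherwise VBoxManage's own status.
clone_vdi() {
    src=$1; dst=$2
    [ -f "$src" ] || { printf 'source image %s not found\n' "$src" >&2; return 2; }
    # A plain copy would carry the old UUID; an existing file here is almost
    # certainly such a copy, so refuse rather than silently overwrite it.
    [ ! -e "$dst" ] || { printf 'refusing to overwrite %s\n' "$dst" >&2; return 3; }
    vbox=$(command -v VBoxManage) || { printf 'VBoxManage not in PATH\n' >&2; return 4; }
    "$vbox" clonevdi "$src" "$dst"
    # The clone gets a new UUID; print it so the image can be added right away.
    "$vbox" showhdinfo "$dst" | sed -n 's/^UUID: *//p'
}

if [ $# -eq 2 ]; then
    clone_vdi "$1" "$2"
else
    printf 'usage: %s SOURCE.vdi DEST.vdi\n' "$0" >&2
fi
```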

FBI issues code cracking challenge

December 29, 2008 – 5:17 PM

The FBI today challenged anyone in the online community to break a cipher posted on its site.  The cipher was created by FBI cryptanalysts. The bureau invited hackers to a similar code-cracking challenge last year and got tens of thousands of responses, it said.

A number of sites host such cipher challenges, including this one at the University of Southampton.

The FBI offers a few primers on the subject including:

A relatively basic form of substitution cipher is the Caesar Cipher, named for its Roman origins. The Caesar Cipher involves writing two alphabets, one above the other. The lower alphabet is shifted by one or more characters to the right or left and is used as the cipher text to represent the plain text letter in the alphabet above it.
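A Caesar shift is also the first thing to try on a challenge like the FBI’s, because with only 25 possible keys you can simply try them all. The script below is an added example, not part of the FBI primer: it builds the shifted alphabet the primer describes with `cut` and `tr`, lists every candidate decryption, and picks the shift whose output contains the most common English words (a crude check that is enough for puzzle-length text). The sample plaintext is constructed.

```shell
#!/bin/sh
# Added example: Caesar cipher encrypt/decrypt and brute-force recovery
# using only POSIX shell tools.
set -eu

# caesar SHIFT TEXT: replace each letter with the one SHIFT positions to the
# right in the alphabet (negative SHIFT moves left, i.e. decrypts). Case is
# preserved and non-letters pass through unchanged.
caesar() {
    n=$(( ( $1 % 26 + 26 ) % 26 ))
    up=ABCDEFGHIJKLMNOPQRSTUVWXYZ
    lo=abcdefghijklmnopqrstuvwxyz
    # The "lower alphabet" of the primer: the same alphabet rotated by n.
    rup=$(printf '%s' "$up$up" | cut -c$((n + 1))-$((n + 26)))
    rlo=$(printf '%s' "$lo$lo" | cut -c$((n + 1))-$((n + 26)))
    printf '%s\n' "$2" | tr "$up$lo" "$rup$rlo"
}

# caesar_crack TEXT: print all 26 candidate plaintexts, prefixed by the shift
# that was undone to produce each one.
caesar_crack() {
    k=0
    while [ "$k" -lt 26 ]; do
        printf '%2d  %s\n' "$k" "$(caesar "-$k" "$1")"
        k=$((k + 1))
    done
}

# caesar_guess TEXT: print the shift whose decryption contains the most
# whole-word hits from a short list of very common English words.
caesar_guess() {
    best=0; best_hits=-1; k=0
    while [ "$k" -lt 26 ]; do
        cand=$(caesar "-$k" "$1" | tr 'A-Z' 'a-z')
        hits=$(printf '%s\n' "$cand" \
            | grep -o -w -E 'the|and|of|to|is|in|that|it' | wc -l)
        hits=$((hits))
        if [ "$hits" -gt "$best_hits" ]; then best=$k; best_hits=$hits; fi
        k=$((k + 1))
    done
    printf '%s\n' "$best"
}

# Demo on a constructed message with shift 3, the classic Caesar key.
ct=$(caesar 3 "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG")
printf 'ciphertext:       %s\n' "$ct"
caesar_crack "$ct"
printf 'best guess shift: %s\n' "$(caesar_guess "$ct")"
```

For a real challenge, run `caesar_crack` first and read the list; `caesar_guess` only helps once the text is long enough for common words to appear, and it says nothing about substitution ciphers that are not a plain shift.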

Source:
http://www.networkworld.com/community/node/36704

Google Calendar Phishing returns

December 29, 2008 – 5:33 AM

In his blog, Graham Cluley of Sophos alerts his readers to the return of Google Calendar phishing attacks. Originally spotted in the summer, Google Calendar phishing uses event invitations to Calendar users asking them to “Verify Your Account” or face account deletion. Victims of this phish are asked to accept the invitation and confirm their user name, password and date of birth, in their acceptance.

The invitations appear to contain the user’s full name, adding an element of authenticity to the phish, but this is simply because Google Calendar fills in the recipient’s full name when it sends the invitation. The phish appears to come from an email address such as [email protected], where XXXX is a four digit number. When the link is clicked, users are taken to a real Google Calendar event information page whose event description contains numerous grammatical and phrasing errors. The page claims “we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts” before asking for the user’s Google credentials.

Source:
http://www.heise-online.co.uk/news/Google-Calendar-Phishing-returns–/112318