Content Injection: Hack the Hacker

April 11, 2008 – 7:27 AM

Traditional IDS/IPS systems operate at the network level, usually plugged into a spanning port on a switch. I love this concept and think it should be part of any defense-in-depth strategy. The two primary weaknesses of these devices are that (1) they cannot process encrypted streams and (2) they can often be circumvented with a little creativity. In this post I want to discuss using Client-Side IDS (C-IDS) for more advanced attack detection.

I don’t know how realistic this would be, but it could be a fun concept to investigate. Imagine setting up modules on your reverse proxy. As a user visits the site, different modules could get launched during different requests. One module could detect a user’s browser plugins. One module could detect Tor and other services with Tor. Put the results into a hashing algorithm and you have a semi-unique client fingerprint regardless of IP address (although privacy laws could restrict these kinds of requests). Or our reverse proxy could inject random code snippets of defense, overwriting and hijacking JavaScript functions (e.g. alert) with our own action (e.g. logging, blocking, etc.). Check out some of Mario’s code snippets of defense for the idea.
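A sketch of the two ideas in this paragraph, added here as an illustration and not taken from the original post or from Mario's snippets: a fingerprint hashed from collected client attributes, and a wrapper that takes over `alert` to log and block calls. The names `clientFingerprint` and `installTrap` are hypothetical, FNV-1a is an assumed choice because the post names no hash, and a stub object stands in for the browser's `window`.

```javascript
// Added example: every name below is hypothetical, not taken from the post.

// Semi-unique client fingerprint: canonicalise the attributes collected by the
// injected modules (sorted keys, sorted values) and hash them with FNV-1a.
function clientFingerprint(attrs) {
  const canon = Object.keys(attrs).sort()
    .map((k) => k + '=' + [].concat(attrs[k]).map(String).sort().join(','))
    .join(';');
  let h = 0x811c9dc5;                       // FNV-1a 32-bit offset basis
  for (let i = 0; i < canon.length; i++) {
    h ^= canon.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;     // multiply by the FNV prime, keep 32 bits
  }
  return h.toString(16).padStart(8, '0');
}

// Replace win[name] with a wrapper that reports every call and then either
// blocks it or passes it through. Returns a function that restores the original.
function installTrap(win, name, report, block) {
  const original = win[name];
  win[name] = function (...args) {
    report({ fn: name, args: args.map(String) });
    return block ? undefined : original.apply(win, args);
  };
  return () => { win[name] = original; };
}

// Constructed demo: a stub object stands in for the browser's window.
function demo() {
  const shown = [];
  const log = [];
  const win = { alert: (msg) => shown.push(msg) };
  const fp = clientFingerprint({ plugins: ['Flash', 'QuickTime'], tor: false });
  installTrap(win, 'alert', (evt) => log.push({ client: fp, ...evt }), true);
  win.alert('probe');   // constructed call standing in for page script using alert()
  return { shown, log };
}

console.log(JSON.stringify(demo()));
```

In a real deployment the `report` callback would send the event back to the proxy, and the trap would have to be injected ahead of any other script on the page.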


How to keep your password hidden in plain sight

April 11, 2008 – 5:08 AM

When all of your users have decided to keep their passwords written down on sticky notes, on their hands and under their keyboards, how do you protect them from themselves? You could go ahead and rip off each of their fingernails (ouch) until they promise to never write it down again, or you could take a much nicer, more humane route: teach them a way to write it down without writing it down.

Somewhere along the way I learned a simple trick for keeping your information handy without giving it out to the rest of the world. It starts like this: choose a keyword, write it down anywhere you’d like, choose a modification system and stick with it.

So, say the keyword I wanted to use was target. It’s simple: I could write it on my hand, on my car window or even shout it from the rooftops and, besides people thinking I was crazy for the red-bullseye store, no one would be the wiser. Next, I choose a pattern or modification system to use. I’m going to add the number of characters in the domain to the middle of my word and then write the first three letters of the site’s domain (with the first letter capitalized) to the end of my keyword. It may sound a bit tricky at first, but after using it a couple of times, it becomes easy. When I set up my new Twitter login, I choose my username and then I create my new password. Starting with my keyword, target, I put the number 7 in between the r and the g. So now I have tar7get, and then I add the first three letters of Twitter.com to the end of the password, forming the new password, tar7getTwi.

Now I have a password with a number and a capital letter, and I almost never use the same one again. It means that my accounts can be secure, I don’t lose sleep over the 20 million passwords I have AND it’s easy to “remember” or figure out the next time I go to that site.

Source: Srcasm

Running Backtrack in VirtualBox

April 11, 2008 – 4:59 AM

Seeing as I’ve just spent the morning trying to get all this up and running I thought I’d create an entry about how to get Backtrack running in VirtualBox.

For those who haven’t heard of it, VirtualBox is an open source equivalent to VMware Workstation. It does full snapshotting (unlike VMware Server) and seems to have a very active support community.

The setup I wanted was for the virtual machine to have its own IP address and full network access. The default setup for VirtualBox is to have NAT-based networking, so I had to do a bit of work to get full “Host Interface” mode. Unlike VMware, VirtualBox doesn’t do all the networking itself; you have to do the initial setup yourself. This is done by using tun/tap and bridging. The instructions here work on Arch but should be generic enough for any distro. The install guide has detailed instructions for Debian/Ubuntu, Red Hat and SUSE.


Linux Replacements for Your Favorite Windows Apps

April 11, 2008 – 4:42 AM

For many users, getting started with Linux is surprisingly easy. New, friendlier versions of the free operating system, such as Fedora and Ubuntu, feature straightforward menus and automated installations that make switching from Windows to Linux a relatively simple process.

But a lot of people who try Linux dump it and switch back to Windows the instant they want to get some work done, mostly because they don’t know which Linux programs to use in lieu of their old Windows standbys. Fortunately, such confusion need last only a moment.

Linux offers equivalents to many Windows applications that are often as good as–or even better than–the programs you’re used to. In some cases the apps are also available in Windows and Mac OS versions, allowing dual-booters to stay with the same set of free programs regardless of the operating system in use.

For your convenience, we’ve provided download links to as many of these applications as possible. The majority of them, however, come preinstalled in the most popular Linux distributions, or are available through online software installers such as Fedora’s YUM or Ubuntu’s Synaptic Package Manager. Installing new software through your Linux distribution’s package management system is generally better than installing programs manually, so check your OS’s software repositories before downloading any of the apps from our links.


The IronKey – World’s Most Secure Flash Drive

April 10, 2008 – 7:13 PM

The IronKey, designed to be the world’s most secure flash drive, protects your data, online passwords, and Internet privacy. Now you can safely carry your digital life with you wherever you go—with confidence and peace of mind. While it uses advanced security technologies previously only available to government agents and other secret operatives, it is simple to use and requires only a password to unlock it.

  • Military-Grade Encryption – The IronKey Cryptochip protects your data to the same level as the government’s most classified information.
  • Self-Destruct Sequence – If the Cryptochip detects any physical tampering by a thief or a hacker, it will self-destruct.
  • Online Security Vault – If your IronKey is ever lost or stolen, easily restore your online passwords from your encrypted online backup.
  • Stealth Browsing Technology – Surf the Web safely and privately through almost any network, even across unsecured wireless hotspots.
  • Self-Learning Password Management – Securely store and backup all your online passwords as you go, and automatically log into your online accounts to avoid keylogging spyware and phishing attacks.
  • Waterproof & Tamperproof – The IronKey was designed to survive the extremes and exceeds military specifications for water resistance.

1GB – $79.00
2GB – $109.00
4GB – $149.00
