Bunny.py is a meshing #radio darknet that hides its traffic in unused fields of 802.11 - covert channels ahoy ! https://github.com/mothran/bunny #security #wifi
Next step for the Wi-Fi security arms race : intrusion detection systems that check for abnormal entropy in the wrong places.
Eavesdropping on an encrypted wireless keyboard with a shortwave #radio receiver and a couple of scripts (linked from the article) :
http://windytan.blogspot.fr/2013/03/eavesdropping-on-wireless-keyboard.html #security
2008’s #WiFi Pineapple man-in-the-middle device updated - build it for $25 ! Yet another reason not to trust weakly identified access points.
http://penturalabs.wordpress.com/2013/04/25/blue-for-the-pineapple #security
Alternative to dumb port scanning, leveraging reverse DNS to discover a subnet’s IPv6 hosts. Supposes that reverse DNS is correctly configured… http://www.reddit.com/r/netsec/comments/1bfu76/how_are_we_going_to_port_scan_for_open_hosts_on/c96p936
If you’re interested in discovering hosts on an #IPv6 network, RFC 5157 is the document to read http://www.rfc-editor.org/rfc/rfc5157.txt #security
« From March to December 2012 we used [...] a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. »
« All data gathered during our research is released into the public domain for further study. The full 9 TB dataset has been compressed to 565GB using ZPAQ and is available via BitTorrent. »
The original message: ►http://seclists.org/fulldisclosure/2013/Mar/166
A good explanation: http://www.zdnet.com/illegal-botnet-census-finds-1-2m-devices-with-default-passwords-7000012871
Do note that the machines which scanned were cracked machines and so the entire operation was probably illegal in most countries.
DNSChef is a highly configurable #DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka “Fake DNS”) is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for “badguy.com” to point to a local machine for termination or interception instead of a real host somewhere on the Internet.
High value applications security auditing cheat sheet: https://github.com/iSECPartners/LibTech-Auditing-Cheatsheet #security
Le Fonds du Collège International #AFNIC lance son #appelàprojets 2013 !
AFNIC International College Fund launches its 2013 #callforproposals
#Internet #resilience #Security
#résilience #sécurité #Internet
Don’t use #PHP libraries with known #security issues - Fabien Potencier
http://fabien.potencier.org/article/67/don-t-use-php-libraries-with-known-security-issues
One of the goal of good security issues management is transparency. That’s why the Symfony project has a simple way of reporting security issues (via the security [at] symfony.com email address), an easily accessible list of security advisories, and a well defined blog post template to announce security issues. Recently, we have also enforced the need to have a #CVE identifier
etc. etc. ; ça pourrait servir d’#exemple_à_suivre pour #SPIP
http://symfony.com/doc/master/contributing/code/security.html#security-advisories
ouais bonne idée ... pour la prochaine refonte de spip.net ? ;)
Donc si je comprends bien le conseil de Fabien c’est de n’utiliser que des librairies PHP dont les problèmes de sécurité ne sont pas encore connus ?
Aïe pas sur la tête !
When It Comes to Security, We’re Back to Feudalism | Wired.com
http://www.wired.com/opinion/2012/11/feudal-security
http://www.taz.de/uploads/images/684x342/bruce_schneier.20100804-14.jpg
In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm. Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades. We trust that our data and devices won’t be exposed to hackers, criminals, and malware. We trust that governments won’t be allowed to illegally spy on us.
Trust is our only option. In this system, we have no control over the security provided by our feudal lords. We don’t know what sort of security methods they’re using, or how they’re configured. We mostly can’t install our own security products on iPhones or Android phones; we certainly can’t install them on Facebook, Gmail, or Twitter. Sometimes we have control over whether or not to accept the automatically flagged updates – iPhone, for example – but we rarely know what they’re about or whether they’ll break anything else. (On the Kindle, we don’t even have that freedom.)
The Good, the Bad, and the Ugly
I’m not saying that feudal security is all bad. For the average user, giving up control is largely a good thing. These software vendors and cloud providers do a lot better job of security than the average computer user would. Automatic cloud backup saves a lot of data; automatic updates prevent a lot of malware. The network security at any of these providers is better than that of most home users.
Pour moi c’est surtout un texte qu’il faudrait donner à lire à tous les membres des assemblées nationales afin qu’ils comprennent comment encore une partie de leur pouvoir passe entre les mains d’institutions qui échappent à tout contrôle démocratique.
#féodalisme
“DNSSIG is a simple and efficient way for authenticating responses sent by an upstream DNS resolver to a client. [...] This is not a replacement for DNSSEC. The purpose is to sign the ‘last mile’. For unsigned zones, this is better than nothing.”
http://dnssig.org
I wonder why they do not use the standard way, SIG(0) (RFC 2931)
Resist: Security culture
http://security.resist.ca/personal/culture.shtml
The first step in recognizing security risks in a community is working towards creating a security culture. Below we have compiled some relevant materials and links that should be used in conducting security workshops and educating activists that you work with.
As our direct action movement becomes more effective, government harassment will only increase. To minimize the destructiveness of this government harassment, it is imperative that we create a “security culture” within our movement. Violations of security culture include behavior is inappropriate because it intensifies government harassment, jeopardizes the freedom of other activists, and destroys the trust within the movement.
#cybersecurity #tools #outils #securityculture #resistance #activisme
OWASP Xelenium Project - OWASP
https://www.owasp.org/index.php/OWASP_Xelenium_Project
“Xelenium is an automation testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses ‘Selenium - Webdriver’ as its engine and has been developed using Java swing.”
Un outil java pour scanner un site à la recherche de failles XSS.
Authentication #security tip of the day: do ’echo -n your_password | sha1sum’ and search result in Google. Got a hit ? Change your password ! Repeat test with ’echo -n your_password | md5sum’. Yes, your favorite password is probably already in a rainbow table somewhere...
On Twitter, four proposals to improve security (because the command you mention leaves the password in the history).
Michel Leunen says « And do ’history -c’ at the end to erase your password from the terminal history ! »
And François Revol : « read p; echo -n “$p” | sha1sum # would avoid leaking it to history (but still briefly to ’ps’ output) » Colm MacCárthaigh suggests to solve this last proble with « tr -d ’\n’ | sha1sum »
Or Changaco, more radical : « don’t put it in the history at all (see HISTCONTROL in bash, HIST_IGNORE_SPACE in zsh) »
Prepending a space before the command keeps it from being written to the shell’s history.
Bekenntnisse eines Botnetz-Betreibers | heise Security
http://www.heise.de/security/artikel/Bekenntnisse-eines-Botnetz-Betreibers-1574190.html
Comment gagner de l’argent en gérant son propre #botnet
(et comment protéger sa machine)
Cette brève sur heise #security contient des liens vers une page où un #codeur criminel explique comment il fait pour gagner de l’argent. En lisant on tombe sur des explications comment se protéger contre des #malware et comment en fabriquer des plus ou moins efficaces.
J’arrive à la conclusion qu’il est plus facile de se protéger qu’on le pense d’habitude, mais qu’il ne faut pas faire confiance aux logiciels #antivirus : Leurs auteurs font exprès de laisser systématiquement des trous, afin de ne pas ruiner leur propres affaires.
L’interview
http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama
http://i.imgur.com/yxMDx.jpg
réponses uniquement : http://www.reddit.com/user/throwaway236236
Comment fabriquer des browser extensions
►http://kangoextensions.com
Des infos valables sur les questions de sécurité
https://www.securelist.com/en/blog
http://krebsonsecurity.com
Le « #linker » (éditeur de liens, dit Wikipédia) est un logiciel indispensable à la création de programmes mais souvent méprisé et certainement bien moins connu que le compilateur (un peu de pub au passage : tout programmeur devrait avoir lu « Linkers and Loaders » de John Levine http://linker.iecc.com ). Cet excellent article de 2010 détaille la sécurité du « linker » et les attaques possibles.
Breaking the links : Exploiting the linker
de Tim Brown
Researchers’ Typosquatting Stole 20 GB of E-Mail From Fortune 500
►http://www.wired.com/threatlevel/2011/09/doppelganger-domains
Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.
The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.
http://www.wired.com/images_blogs/threatlevel/2011/09/Vulnerable-Domains_Doppelganger.jpg
#Dropbox Lied to Users About #Data #Security, Complaint to FTC Alleges | Threat Level | Wired.com
http://www.wired.com/threatlevel/2011/05/dropbox-ftc
Dropbox, which has more than 25 million users, revised its website claims about its data security April 13, from:
— All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.
to:
— All files stored on Dropbox servers are encrypted (AES 256).
Les mots de passe pourront être connus des services anti-terroristes
http://www.numerama.com/magazine/18192-les-mots-de-passe-pourront-etre-connus-des-services-anti-terroristes
#via_google_reader #via:packrati.us #france #security #2011 #email #droit
25 Years of Digital Vandalism - NYTimes.com
https://www.nytimes.com/2011/01/27/opinion/27Gibson.html?ref=global-europe&nl=todaysheadlines&emc=globaleuab1
Should the lights go out in our online bus shelters one day, or some critical control system go spectacularly awry, it may in a sense, however distantly, be because Israel found a way to shut down Iran’s centrifuges. But in another way it will be the result of a bright idea two brothers once had, in the vicinity of Lahore Railway Station, to innocently clamp a digital pirate’s wheel.
Stuxnet Worm Used Against Iran Was Tested in Israel - NYTimes.com
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all