Your security, networking, programming, and application news source.

Monday, March 24, 2008

Google Search Within A Site

  Google silently added a new feature to its search results that allows searching within a site. This could already be done with some well-crafted search queries, but this is much nicer. (The screenshot will make this clear.)

  While this is an awesome feature, it has some sites mad because it will deter people from using their crappy on-site search features, which serve up their own ads and surely don't show competitors' ads.

<The New York Times>
<Google Blog>

Wednesday, March 19, 2008

RFID Credit Cards

  RFID is becoming more popular for many things. Credit cards using RFID technology sporting names like 'EZ Pass', 'quick pass', and 'speed pass' are growing. A recent Boing Boing <video netcast episode> is re-raising concerns about the security of such cards.
  An older <The New York Times report>, featuring tests on 20 cards from Visa, MasterCard and American Express, showed that the data was being broadcast in plain text. This data frequently includes the card holder's full name, sometimes even the card number and expiration date.

  A common misconception is that RFID is totally insecure by nature. This isn't true. RFID devices are just a family of inexpensive devices that broadcast via radio frequencies. Other than their price, these devices are most notable for their tiny size and ability to be self-powered. They can capture power from the radio signal of a requesting device, powering themselves long enough to send a radio frequency reply.
  This misconception comes from frequent news headlines where a poor attempt, or no attempt, was made to protect the data or signals an RFID device sends. These signals are easily captured, but encryption techniques can be used to protect this data. Designers frequently don't bother.
  In some cases, like this credit card situation, an ideally secure encryption scheme may require more elaborate equipment for legitimate readers, possibly an expensive central payment system. This could defeat the entire purpose of making transactions fast.

  Some effort should be made using one of many encryption techniques to protect this data. Although the card number may be useless without the security code, broadcasting the card holder's name in plain text is surely a bad idea.

  A Boing Boing TV <video netcast episode> claims a suitable RFID reader can be purchased for as low as $8 from eBay. Some lady with her hair dyed till it's falling out, and a dude who has never washed his hair, demonstrate reading a card through your pocket with a similar device. Their demonstration revealed that the full goods may still be broadcast in plain text by these types of cards.

Lingering VLC BoF exploit

A buffer overflow vulnerability was found in the popular <VideoLAN VLC Media Player> in the parsing of subtitle files. The last release, VLC 0.8.6e, was supposed to fix this along with some other issues, but this issue is <reported> to still exist.

The simple fix is to not process untrusted subtitles using VLC. Alternatively, you could use a <nightly build>, although you may run into bugs or stability issues.

<Secunia advisory>

Thursday, March 13, 2008

Accessing 'Must Sign Up to View' sites

  More and more sites try to capture you as a repeat visitor from your casual viewing of their site by forcing you to create an account to view or download their content. We will list a few techniques and services which will help you circumvent this annoying process.
  There are a ton of additional services and techniques beyond those we list. Feel free to post your favorite in the comments. No account or sign up is required to post comments. The best technique to use may vary by site and the content you are after, but in general the following suggestions should be considered in order.

BugMeNot is a site that allows people to share login accounts for accessing sites.


<BugMeNot Firefox Add On>

Web caches are saved copies of web pages. They can let you view sites that are no longer accessible, and sometimes they hold copies of pages that are not normally accessible.

Google automatically shows a link to cached versions of search results as shown above.

<More about Google caches>

The Wayback Machine (referring to the time machine in 'The Rocky and Bullwinkle Show' cartoon) is another web caching service.

<Internet Archive: Wayback Machine>

  User agent spoofing is another possible technique. When your browser requests a web page, some information is sent along with the request. Part of that information is your <user agent>, which identifies your browser and possibly your operating system and their versions. This is to help websites display properly across many software clients and platforms.
  Web search engines have 'spiders' crawling the web and indexing web sites. To comply with standards and avoid getting low search engine scores, web sites typically do what they can to allow web spiders a larger amount of access to content. Spiders are typically identified by their user agent string. So, by spoofing a web spider's user agent string, you may have some less restricted access to the content of sites. The following tools will help you spoof your user agent.

<Firefox add on: User Agent Switcher>
(This may require a quick <Google search of 'user agent list'> to find a list of common user agents to load into the tool.)

<Be The Bot> A web based proxy meant to request pages using a Google or Yahoo spider's user agent string.
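
From the site operator's side, the user agent string is supplied by the client and proves nothing about who is asking. The following is an added example, not part of the original post: it checks a request that claims to be Googlebot with forward-confirmed reverse DNS. The hostname suffixes, sample IP addresses and lookup tables are assumptions constructed for the demonstration.

```python
import socket

# Assumption: hostname suffixes used by Google's crawlers.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

def system_ptr(ip):
    """Reverse (PTR) lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def system_forward(host):
    """Forward lookup: every address the hostname resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_verified_crawler(user_agent, ip, ptr_lookup=system_ptr,
                        forward_lookup=system_forward):
    """True only if the UA claims Googlebot AND DNS confirms the source IP."""
    if "googlebot" not in user_agent.lower():
        return False
    try:
        host = ptr_lookup(ip).rstrip(".").lower()
        # The PTR record is set by whoever controls the IP block, so it
        # must be confirmed by resolving the name back to the same IP.
        return host.endswith(CRAWLER_SUFFIXES) and ip in forward_lookup(host)
    except OSError:  # lookup failed: treat as unverified
        return False

# Constructed DNS data so the demo runs offline (documentation IP ranges).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",  # genuine-looking crawler
    "198.51.100.7": "host7.isp.example",             # browser with spoofed UA
    "203.0.113.5": "crawl.googlebot.com",            # forged PTR record
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "crawl.googlebot.com": {"192.0.2.99"},           # does not map back
}

def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]

def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[host]

def demo():
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    return {ip: is_verified_crawler(ua, ip, fake_ptr, fake_forward)
            for ip in FAKE_PTR}
```

Only the first address passes: the second has an ordinary ISP hostname, and the third has a PTR record that names a crawler host but fails the forward lookup.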

Wednesday, March 12, 2008

Firefox 3 Browse On A Diet

Firefox 3 puts a nice effort into further reducing memory consumption. Initial testing of Firefox 3 Beta 4 shows a dramatic change. In the midst of Internet Explorer 8's less than fantastic standards progress, along with rumors of the IE8 beta being horribly buggy, Firefox's competitive outlook seems good.

Memory change highlights:

  • Reduced memory fragmentation
  • Cycle collector
  • Tuned Caches
  • Image data storage adjustment
  • Leak cleanups

<Source: Firefox 3 Memory Usage>

Wednesday, March 5, 2008

Internet Explorer 8 beta available for download

Microsoft has made the IE8 betas available for download.
<Internet Explorer 8 beta Download>

To help developers with compatibility testing, Microsoft has made <Virtual PC> images preloaded with XP-SP2 or Vista available with IE6, IE7, or IE8 beta. Microsoft claims they will expire on July 3, 2008.
<VPC Image Downloads>

AOL OpenAIM 2.0, a step in the right direction?

  <AOL Developer Network> unveils OpenAIM 2.0: totally unrestricted development for the failing instant message network. Previous attempts at opening the network to developers were hindered by quotas and developer licenses. In a total about-face, they seem to be intending to go the other direction, removing quotas and double-faced developer logins. They have also released the OSCAR protocol documentation!
  This looks nice and fuzzy on the outside, but <Wired's coverage> mentions the following concerning information:

"AOL is going even further, offering such services the option to run AOL-served advertisements as part of a revenue sharing plan."

Despite this, it's obviously a step in the right direction. Hopefully other chat services will take notice and follow suit, otherwise reconsidering AIM, again, might be in a lot of chatters' future.

Hacking Through Firewire Connection

Apparently someone just noticed that unrestricted direct write access to RAM is a feature of Firewire (according to the article). This allows one to compromise password protection code, and probably most anything else one can imagine. This is described as being done with a physical connection to the target system through a Firewire port, using another system. Windows and OS X are said to be vulnerable to this.

<Engadget: Windows passwords easily bypassed over Firewire>