Posts Tagged ‘Security

14
Oct
08

give me your key.

104bit WEP key can be obtained within 1min with 20MB of sniffed data.

Wow… now WEP isnt safe at all ?
I knew with enough data (like 2Gig) you can calculate and pull out WEP key but only 20MB now?

University of Kobe and Hiroshima will be releasing the details soon including WINDOWS based program as well. I guess we just have to keep our eyes open for now.

Advertisements
24
Sep
08

you are not from USA.

lot of sites (especially one for DRM or content thats US only) prevents only US IP address ranges)

Is it just me or it is just useless form of filtering?
What if you’re accessing from US proxy ?
(you’re working for US based company via VPN and going out to internet from US based proxy)

What if you’re using anonymous proxy (there are 100s of them on the internet.)

Im not really sure WHY they even bother. filtering users based on IP isnt perfect and never will be.
I know IPV6 isnt coming anywhere in near future but If users are browsing with IPv6?

Real question is, is there any perfect way to filter them (provide social security number? , not that I would submit that over internet)

14
Sep
08

passwd reset plz

Sorry, I need my password reset..

Since the dawn of time, users are getting either dummer or just plain stupid for many occasions. Well I dont need to say why users are becoming more stupids as there are 100s of jokes flying around (or urband legend such as CD-Drive as coffee mug holder,etc)

One of the MOST if not worst stupid request user can make is, yes you guess it, password reset.
However, I dont blame them for some system (such as do not use old password, do not keep password for more than 90 days, do not change password within 3 days, password must contain special characters and numbers and not dictionary words)

All good but strict rule usually end up like people writing down password or put it on their monitor using post-it or other forms.

Well, most, if not, all attack is from remote locations in remote countries. So I wont bother covering physical security requirement nor why user must not write down password on piece of paper.

Topic isnt really password reset and how users are dumb, but how to recover and how to crack/reveal(another recover? form)

I’ve heard of john the ripper even before but never actually cracked one as jtr does not offer crack to AD directly. Means someone has to extract AD password hash. And since my background is more wintel guy than *nix person, I never bother with jtr on *nix.

Probably by now, you know where Im going. Yes, there are several tools that can dump “HASH” password from AD. with right conbination with jtr, it can display the password.

Let me just tell you, I am impressed.

my user password in AD is 12 chars long, 8 chars, and 6 numeric chars. and it was cracked in less than 1 min. <with serious face>oops</with serious face>

well to defend my password level, my admin password (which is lot longer and contains special char) was not cracked even after 30min(and still going as I am typing this)

ok enough CRACKing but how about other method?
(excluding your favourite, call your helpdesk)

program wise, it is rather simple, ask user to jump the hoops(as ask some questions such as “what is your mum’s name) and once validated, reset their password. Lucky me(again) Citrix has tool called password manager self recovery tool (now I do sounds like sales man)

Took me a bloddy few hrs to figure out the implementation (as WI4.0 does not support recovery out of the box) and due to permission changes on AD hierachy (inherit was turned off) initial implementation didnt work. Party me to blame too but document was just not very friendly at all.. Who Am I kidding its my fault that I didnt read the papers but seriously that doc wasnt not designed for troubleshooting…

Now what I get from users?

How do i use password self recovery tool?

This is why i say users are getting dummber and dummer…

12
Sep
08

identity theft?

who the hell are you?

one might ask, who I am, if they have never met me before. For every new site we register, it is not uncommon that we are force to enter the damn username/password/emailadd/mailing add and list continues. I THINK openID movement is to start shared provider of one’s identity.

Not that anyone would be interested to impose as myself on the web, it is rather interesting common platform for user identification is emerging and its OPEN this time. Some may have heard it, its openID.

There are famous M$ passport system (hotmail, MSN, MS sites) which has failed to be more widely accepted but OPENID seems to be more widely used than ever now.

All the good stuff (on the book), but still I need to authenticate and enter my details and it seems only informaton openID provider allowed to share was email add, that was it. I had to enter all other details to the commercial site even thought I’ve decided to use OpenID as Auth mechanism.

so far, this doesnt impress me. YET.

What does AAA means to them??

11
Sep
08

Chicken or the Egg?

System down?! where is the saved password ?

Recently we have lost multiple servers (file server, email etc) stored on the virtual system.

Since there are HECK of a lot of servers and systems, password is kept on the encrypted file that stored on the FILE server.

ok….. here is the joke, if file server is down, how can you open the password file to logon to the virtual server that hosts the file server?

it was like old “chicken and egg” joke. (those who never heard the term read this wiki entry)

Lucky I had password file open otherwise we would be running around in circle.

What would you suggest ?

1 write down on a paper(or post it and stick it on the server)
2 write down on some file and store in multiple location.
3 write down somewhere not on file server.

Security 101, Dont write down password is meaning less when ppl just cant remember 100 of passwords hence requires to save somewhere.




September 2017
M T W T F S S
« Jan    
 123
45678910
11121314151617
18192021222324
252627282930  

Greyeye Tweets