Security now

  • 13-05-2007 9:36pm
    #1
    Registered Users, Registered Users 2 Posts: 2,481 ✭✭✭


    Here's a really good podcast on computer security. If you're an IT professional it probably won't teach you much, but it's good for students and interested laypeople.
    The earlier episodes are a lot better, since the later ones tend to bloat with adverts and irrelevant chat :mad:
    Steve Gibson has the geekiest voice in the world, but if you can ignore it, the show's worth a look.

    http://www.grc.com/securitynow.htm


Comments

  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Yeah, I think I've listened to all of them now... I found the episodes on WEP/WPA and rootkits interesting.
    I agree that earlier episodes were the best, before they'd run out of things to talk about.
    Their most recent episodes, where they spend the first 20 minutes waffling about ebooks, have really put me off though... I wish they'd just start a 'sci-fi author waffle now' podcast and be done with it.

    Security Now also somehow by osmosis led me to twit.tv, crankygeeks and dl.tv, which are regular residents on my MP3 player.


  • Closed Accounts Posts: 716 ✭✭✭JohnnieM


    The password generator on the site is great.
    www.grc.com/pass


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,649 CMod ✭✭✭✭Black Swan


    JohnnieM wrote:
    The password generator on the site is great.
    www.grc.com/pass
    Another good source of passwords is the Irish language.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    Another good source of passwords is the Irish language.

    /me slowly shakes head in melancholy disappointment


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,649 CMod ✭✭✭✭Black Swan


    Cake Fiend wrote:
    /me slowly shakes head in melancholy disappointment
    Why, pray tell?


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Why, pray tell?
    Dictionary attacks work irrespective of what language is used as long as an appropriate dictionary is used. Social engineering could feasibly be used to determine what dictionary type to use in the attack.


  • Closed Accounts Posts: 716 ✭✭✭JohnnieM


    Another good source of passwords is the Irish language.

    Have you looked at the passwords on that site? They are complete gobbledygook... uncrackable if used at full length...


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,649 CMod ✭✭✭✭Black Swan


    Dictionary attacks work irrespective of what language is used as long as an appropriate dictionary is used. Social engineering could feasibly be used to determine what dictionary type to use in the attack.
    aidan and JohnnieM... OK you guys, I surrender! I'm just a noob in learning mode when it comes to Internet security; that's why I frequent this forum, hoping I might pick up something useful. And after reading an article this afternoon in the most recent issue of WIRED about how a rock star was cyber-stalked by a fan, I'm a bit more aware of the risks of easy passwords and social engineering. He used his middle name "Charlie" as a password (if you can believe it), and 'cause his bio was online, all h*ll broke loose for him and his wife when a hacker (and fan) decided to snoop, stalk, and play with their lives. Now he has randomly constructed passwords and complains that he cannot remember them, wishing he could go back to the open, simple life of the Internet before...


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Now he has randomly constructed passwords and complains that he cannot remember them, wishing he could go back to the open, simple life of the Internet before...

    That's something most of us have in common... using a phrase is usually better than a password.
    It's easier to remember and almost as secure as a long password made of symbols/numbers/characters.


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,649 CMod ✭✭✭✭Black Swan


    That's something most of us have in common... using a phrase is usually better than a password.
    It's easier to remember and almost as secure as a long password made of symbols/numbers/characters.
    Well, I have used several Irish words run together in the past and thought it was a good approach, but now I am rethinking it...


  • Closed Accounts Posts: 716 ✭✭✭JohnnieM


    For my access point I have a full 63 characters of complete gibberish and I usually cut and paste it if I need to add something... in the meantime I store it on a USB drive and keep it in a safe place... I also have it mailed to my Gmail account (which is secure) and can look it up there by looking up a subject line that only I know.. etc etc :D .J


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Well, I have used several Irish words run together in the past and thought it was a good approach, but now I am rethinking it...
    I used to do something similar until someone recently got into my PayPal account. Now I use variants on a random MD5 hashed string which I keep in a text file on my USB stick saved inside a TrueCrypt container. The only reason I can't use the full string all the time is that every site has its own upper limit on password length.


  • Closed Accounts Posts: 97 ✭✭koloughlin


    JohnnieM wrote:
    G mail account (which is Secure)

    This might be totally paranoid, but while the login to gmail is done over https, the actual page displays are over http (at least for my gmail account) and aren't secure :D
    Now I use variants on a random MD5 hashed string which I keep in a text file on my USB stick

    Aidan touches on another good point here. If you use the same password for many online sites you are leaving yourself vulnerable to a dishonest employee of one site retrieving your password and your personal information and attempting to use it on another site. Not all systems that use passwords store them in such a way that the system admins can't retrieve them in plain text.
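
The storage point in the post above, as an added example that is not from the thread or any poster: a reversible store, where anyone with database access reads the password and can try it on other sites, next to a salted, slow, one-way hash, where that same access yields nothing reusable. The usernames, passwords and iteration count are constructed or assumed values.

```python
# Added example, not from the thread. Contrasts a plaintext user table with a
# salted PBKDF2 table for the same accounts. Sample data is constructed.
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumption; tune to your hardware).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$dk_hex'.

    A fresh 16-byte random salt per user means two accounts that chose the same
    password still get different records, so a leaked table cannot be matched
    against a precomputed one."""
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time. Only the candidate password ever exists in plaintext here."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def stored_value_reveals_password(stored: str, password: str) -> bool:
    """True when reading the stored field alone hands over the password, which is
    what a reversible (plaintext or decryptable) store gives an insider."""
    return stored == password


def build_tables() -> tuple:
    """Constructed user tables in both styles for the same two accounts, where
    both users happened to pick the same weak password."""
    plaintext_table = {"alice": "Charlie", "bob": "Charlie"}
    hashed_table = {user: hash_password(pw) for user, pw in plaintext_table.items()}
    return plaintext_table, hashed_table


def demo() -> dict:
    plaintext_table, hashed_table = build_tables()
    return {
        # An insider reading the plaintext table learns alice's password outright.
        "plaintext_leaks": stored_value_reveals_password(plaintext_table["alice"], "Charlie"),
        # The hashed record does not equal the password and cannot be reversed.
        "hashed_leaks": stored_value_reveals_password(hashed_table["alice"], "Charlie"),
        # Same password, different salts, different records.
        "same_password_same_record": hashed_table["alice"] == hashed_table["bob"],
        # Login still works against the hashed store, and is case-sensitive.
        "login_ok": verify_password("Charlie", hashed_table["alice"]),
        "login_wrong_case": verify_password("charlie", hashed_table["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash does not stop someone who already holds your password from reusing it elsewhere; it only means a copy of the site's table is not by itself a list of passwords. Unique passwords per site are what limit the damage when one site does store them badly.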


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    koloughlin wrote:
    This might be totally paranoid, but while the login to gmail is done over https, the actual page displays are over http (at least for my gmail account) and aren't secure :D

    It makes no sense to encrypt the transmission of mail content via your browser since it's not encrypted during transit at any point in time. Encrypting your login details does make sense.


  • Closed Accounts Posts: 97 ✭✭koloughlin


    ecksor wrote:
    It makes no sense to encrypt the transmission of mail content via your browser since it's not encrypted during transit at any point in time. Encrypting your login details does make sense.

    I agree, the point I was trying to make was that storing the password for your access point in your email account is inherently flawed because every time you access it you expose it to being sniffed.


  • Registered Users, Registered Users 2 Posts: 2,481 ✭✭✭Fremen


    Y'all had better be using WPA or this is all moot...


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    As for the podcast, I'm not gone on Security Now.
    It's just Steve gives me a headache.

    Try these:
    -Sploitcast
    -cyberspeak
    -pauldotcom
    -network security podcast
    -Securityroundtable

    Others not really related:
    Lug radio live (just entertaining)
    In the Trenches (kevindevin.com)


  • Closed Accounts Posts: 716 ✭✭✭JohnnieM


    koloughlin wrote:
    This might be totally paranoid, but while the login to gmail is done over https, the actual page displays are over http (at least for my gmail account) and aren't secure :D

    Aidan touches on another good point here. If you use the same password for many online sites you are leaving yourself vulnerable to a dishonest employee of one site retrieving your password and your personal information and attempting to use it on another site. Not all systems that use passwords store them in such a way that the system admins can't retrieve them in plain text.

    Log on to Gmail using https, i.e. https://mail.google.com/mail/, and it remains secure throughout the session..

    That particular password is only on my access point.. various other shorter gibberish for other logons etc etc
    Must say I like the idea of TrueCrypt, must try it out..


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,857 Mod ✭✭✭✭Capt'n Midnight


    koloughlin wrote:
    Aidan touches on another good point here. If you use the same password for many online sites you are leaving yourself vulnerable. ...
    not to mention the sites that email your password back to you in plain text when you reset it :rolleyes:

    things not to use as passwords - Christian names of members of the opposite sex, names of mythical persons.

    things to use if possible - non-printable characters
    the £ sign isn't on US keyboards, but it's on UK and Italian ones so not that rare but you get the idea
    Another good source of passwords is the Irish language.
    while you get fadas you lose kjqwxy and z, so you better have a very good vocab to get any sort of protection from a dictionary attack; being a small country there are fewer nouns too, so not too sure you get much more entropy
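
Putting numbers on the comparison Martyr makes above (passphrase versus long random password) and on Capt'n Midnight's point about the Irish letter set and vocabulary, as an added example that is not from the thread or any poster. Every word-list size and the guess rate are assumptions to replace with counts from your own word lists; the letter counts follow the post (26 letters minus j, k, q, w, x, y, z, plus the five fada vowels).

```python
# Added example, not from the thread. Guess-space size in bits for the password
# styles discussed in this thread. Vocabulary sizes and guess rate are assumed.
import math
import string

PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation)  # 94
ENGLISH_LOWER = len(string.ascii_lowercase)                                         # 26
# Irish drops j, k, q, w, x, y, z (19 letters) but gains á é í ó ú: 24 symbols.
IRISH_LOWER = ENGLISH_LOWER - 7 + 5


def bits_for_random_string(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def bits_for_passphrase(word_count: int, vocab_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement) from a
    list of `vocab_size` words. Only random selection earns this figure; a
    quotation or words you picked yourself is far more guessable."""
    return word_count * math.log2(vocab_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(offline_rate: float = 1e10) -> dict:
    """Return (bits, worst-case search years) per style. `offline_rate` is an
    assumed guesses-per-second figure for an attacker who holds a fast hash of
    the password; the ordering, not the exact figure, is the point."""
    cases = {
        # JohnnieM's 63-character access point key.
        "63 random printable chars": bits_for_random_string(63, PRINTABLE_ASCII),
        # Diceware-style list of 7,776 English words (assumed list size).
        "4 random English words (7776-word list)": bits_for_passphrase(4, 7776),
        # A smaller Irish list, assumed 2,000 common words, as the post speculates.
        "4 random Irish words (2000-word list)": bits_for_passphrase(4, 2000),
        # One Irish word on its own: a dictionary attack needs at most 2,000 tries.
        "1 Irish word (2000-word list)": bits_for_passphrase(1, 2000),
        "8 random Irish letters": bits_for_random_string(8, IRISH_LOWER),
        "8 random English letters": bits_for_random_string(8, ENGLISH_LOWER),
    }
    return {name: (round(b, 1), years_to_exhaust(b, offline_rate)) for name, b in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:42s} {bits:7.1f} bits  {years:.3g} years")
```

Run as-is it shows why the thread's conclusions line up: several randomly chosen words beat a short word from any language, a single dictionary word offers almost nothing whatever its alphabet, and the 63-character random key is in a different league from either, provided the words or characters really were picked at random.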


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    ecksor wrote:
    It makes no sense to encrypt the transmission of mail content via your browser since it's not encrypted during transit at any point in time.

    I disagree - with so many people using webmail in work, internet cafés, etc, I'd say there's a fair risk of webmail traffic being sniffed on the user's local network. Using SSL for the session between the user and the mail server would at least help avoid this area of vulnerability.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    Cake Fiend wrote:
    I disagree - with so many people using webmail in work, internet cafés, etc, I'd say there's a fair risk of webmail traffic being sniffed on the user's local network. Using SSL for the session between the user and the mail server would at least help avoid this area of vulnerability.

    Agree!


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    If you're using webmail in these environments, how often do you trust the machine running the web browser?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Cake Fiend wrote:
    Using SSL for the session between the user and the mail server would at least help avoid this area of vulnerability.

    Depending on the attacker, using SSL/SSH on a LAN might not make a whole lot of difference; I think that is the point ecksor makes.
    I agree having some encryption is better than none, though.

    Have a Gmail account myself, and there are always advertisements displayed in relation to words in the message.. it's a little annoying, but no big deal.
    ecksor wrote:
    If you're using webmail in these environments, how often do you trust the machine running the web browser?

    was gonna say keyloggers are a big problem too, especially in internet cafes.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    Depending on the attacker, using SSL/SSH on a LAN might not make a whole lot of difference

    Hi Joe, can you explain this one please?
    Real time SSL decryption might take a bit more than a single hacker... :-)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Who cares? If an attacker has control of the machine then they can simply MITM your connection or trojan the application client or OS.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    ecksor wrote:
    Who cares? If an attacker has control of the machine then they can simply MITM your connection or trojan the application client or OS.

    Well, assuming there is no point in using any security solution because anybody could potentially take ownership of a computer and compromise the data anyway is like.. suicidal, isn't it?

    We know very well security is not about implementing a solution that will reduce the attack surface to 0. What we know is that by implementing effective security solutions we are mitigating and assessing the risk.

    Nobody can win at security, this is all about mitigation


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    I think you've gotten confused about what we're talking about here.

    The topic has moved onto discussing the situation of accessing webmail from a work or net cafe type environment. One where a person typically doesn't have use of a machine which they can think of as trustworthy.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    mick.fr wrote:
    Hi Joe, can you explain this one please?

    ecksor answered this.
    ecksor wrote:
    If an attacker has control of the machine then they can simply MITM your connection or trojan the application client or OS.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    ecksor wrote:
    If you're using webmail in these environments, how often do you trust the machine running the web browser?

    Personally? I don't :)

    As mentioned, someone with control over the machine could use a keylogger to capture all outbound info, and anyone on the network could potentially set up a MITM attack and subsequently sniff - but as Mick says....:
    mick.fr wrote:
    Nobody can win at security, this is all about mitigation

    Most people would take any additional protection they can get. If using SSL will stop someone from casually sniffing my email traffic, it's one extra step.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    If you think that you gain any assurance from using SSL in that environment, then you're deluding yourself. Who exactly is going to be sniffing on a local LAN in a situation that you describe that this is a serious impediment to? You're taking an "every little helps" approach, which is of course true, but you're not even sure if you're getting a little help when you have no idea what SSL implementation you're using.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    ecksor wrote:
    If you think that you gain any assurance from using SSL in that environment, then you're deluding yourself. Who exactly is going to be sniffing on a local LAN in a situation that you describe that this is a serious impediment to? You're taking an "every little helps" approach, which is of course true, but you're not even sure if you're getting a little help when you have no idea what SSL implementation you're using.

    To be honest, even Fiddler at this stage can do a MITM attack :(

