The Lair of the SlowFox

Yay, Monday...

Mon, 11 Jan 2010 08:34:35 GMT

At the desk three days this week, and then for Thursday and Friday I'm on a training course off-site. This in turn means that Mali gets checked into his Happy Holiday Home on Thursday morning, picked up on Saturday morning, because I can't get back to him at lunchtimes.

It was a very static weekend on my part - it wasn't the snow so much as the ice: the ice was lethal. Put it this way; when Mali, with four-paw-drive, is falling over, you know conditions are dicey. However, the rain started on Sunday and has made substantial inroads on the ice/slush, such that one can walk along with some fair degree of confidence, for the most part, that you'll manage to stay upright.

Finally, Steve Gibson and Leo Laporte were talking on Security Now last week about ShadowServer, a site that tracks botnets across the interwebs. From the graphs, it looks like there was some massive cut-off on New Year's Eve...

comments

MD5

Wed, 16 Dec 2009 08:26:17 GMT

MD5 is a hashing algorithm that attempts to verify that a given file's integrity hasn't been compromised (during a download process, or in the process of being copied from A to B etc).

Typically, you'll have a file reference given on a web-site and, somewhere else (this is important, more later), there'll be a long string of seemingly random characters called the MD5 Sum, or MD5 Hash or whatever:

c59b048c992804d165aed10170f003dc

What happens is that the algorithm works through the source file, and maps the first element to something new, and then feeds that result into part of the computation for the second element, and then the result of that into the third element etc. When it reaches the end of the file, the whole result gets fed back into the algorithm again. And again, and again for a specified number of iterations (loops). The end result of these calculations boils down to the specific MD5 Sum for the file.

I use WinMD5Sum on the work PC:

The idea behind MD5 hashing is that even tiny changes in the original file result in significant differences in the end MD5 hash.

For example, I created a text file called hello.txt, which contained the phrase Hello, world..

The MD5 sum of this worked out to be 45d2c2d506211d17f99a3eb8de863f36

By changing the last character to a comma - Hello, world, - the MD5 sum changed to c59b048c992804d165aed10170f003dc, immediately telling me that the file's changed from the original.

An MD5 sum is always 32 characters long, yet can be generated for files of any size. Pretty obviously, then, there will be various different kinds of files that result in the same hash - these are known (with the industry's predictable fondness for dramatic vernacular) as 'collisions'. Nonetheless, the risk of collision is pretty small (if, for example, by repeatedly going through the MD5 hashing algorithm, all files eventually boiled down to a single value, it'd obviously be useless) - that said, boffins have managed, now, to successfully construct amended files that generate the same MD5 hash, but this requires a fair bit of work and an accommodating starting point.

Anyway, the idea is that you see a file - exciting_prog.exe - on a website and download it. By using an MD5 checksum, you can verify (beyond reasonable doubt) that the file you've downloaded is the file that the website intended you to download.

(which, by the way, is a loooooooooooooooooong way from saying it's safe).

The major caveat should be obvious: the situation where the file's MD5 sum is listed in the same directory as the file itself. Consider: if nefarious malfeasants have managed to hack the server and place a malicious file in the benign one's place, then since they've clearly got access to the server, it'd be trivial for them to also replace the posted MD5 sum with the sum to match their own malicious file.

comments

Not exactly reassured

Mon, 09 Nov 2009 08:30:30 GMT

Now that's inspiring, no?

comments

Cool Google Security Link

Mon, 21 Sep 2009 07:13:20 GMT

TWiT's Security Now podcast mentioned this fantastic tip in their most recent episode, whereby you can use google to see how many security issues a given site has raised over the last 90 days. Google obviously collect this data, since they warn you about suspicious sites etc every now and again - this tip simply surfaces that information.

Unfortunately, there isn't a user-interface as such, so you have to handcraft the URL, but it's relatively straightforward:

Example: http://www.google.com/safebrowsing/diagnostic?site=google.com

This checks google's own site (and ironically reports one malicious scripting exploit found in the last 90 days).

To target a different site, you simply change the ?site=google.com bit at the end of the URL to point to the desired target.

So, to check The Grauniad's site(s), we'd use ?site=guardian.co.uk, like this:

http://www.google.com/safebrowsing/diagnostic?site=guardian.co.uk

Interestingly, The Other Place throws up several issues:

Of the 15126 pages we tested on the site over the past 90 days, 144 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-20, and the last time suspicious content was found on this site was on 2009-09-20. Malicious software includes 3 scripting exploit(s), 2 trojan(s), 2 exploit(s). Malicious software is hosted on 19 domain(s), including tinnily.info/, convex.ru/, lavyer.info/. 10 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including lj-toys.com/, goeachscan.com/, susuman.com/.

Currently, Dreamwidth gets a clean bill of health.

Anyway, really cool google tool to play with (I checked work, and it's currently clean, too).

comments

Reset your routers...

Fri, 28 Aug 2009 09:40:20 GMT

For those of you with WiFi routers, it's time to make sure you're using WPA2 security:

WEP encryption was cracked a long time ago, and people moved across to WPA.

Now, on the back of theoretical work last year, a team of Japanese computer scientists claim they can crack WPA in 60 seconds.

The attack only works on WPA, and not WPA2, so if your router and clients support it, I'd suggest that you move on up, as it were. And even if the scientists aren't making their methodology public just yet, the fact that it can be done means that it won't be long before this work gets replicated in the wild.

I'm guessing that I'm going to have to revise my parentally-aimed analogy:

WPA - that's like parking your car in a dodgy area;

WEP - that's parking the car with the doors unlocked;

No Encryption - that's parking the car with the door open and the keys in the ignition.

Me? I turned WiFi off. Now, where'd I put that tin-foil hat?

comments

Flash! Argh!

Wed, 26 Aug 2009 07:16:06 GMT

OK, listen up.

So, you clear out your cookies regularly, and you delete your browser history. That's it, then, right? Your tracks are covered...

Nope.

Website operators love user-data - it helps them deliver 'more compelling content' to you, the user, and the nature of data being what it is, standard browser cookies were proving a little limiting.

Plus there was that option for the user to clear all their cookies out, and thus the website lost all its history on you.

So there are these things called Flash Cookies, which are available to websites which use Flash, if you have Flash installed. And since a large part of the web is just b0rked without Flash, most of us do.

You can't delete Flash Cookies from the browser (as far as I know). But Adobe do have a control panel on the web for you to have a look at them. Go here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html.

That graphic, top right, is NOT an image, it's the Flash Settings Control Panel for YOUR BROWSER.

The far right tab will show you the websites that you've visited that have stored some kind of information on your machine, anticipating the happy day that you return to their corner of the interwebz.

comments

Securing GMail

Fri, 19 Jun 2009 20:16:11 GMT

You've probably known this for a long while, but since I've only just got around to doing it, I thought I'd mention...

As this Wired article explains, although gMail asks for your initial log on password via HTTPS (the nice, secure protocol), the rest of your session, under the default settings, is plain HTTP. Which is potentially a problem if you're checking email from a WiFi hotspot or whatever.

Changing this is easy enough, once you know where to look.

Go to Settings (upper right hand side of the screen), and from there you should be on the 'General' tab.

Right at the bottom of the page is a section headed 'Browser Connection', and, as above, the default is 'Don't always use HTTPS'. I've changed my settings to 'always use https', and haven't (yet) noticed any drawbacks.

Now, because HTTPS is encrypted, it does mean that encryption/decryption has to take place at both the client (your machine) and the server (Google's kit), so, in theory, using HTTPS all the time will slow things down a bit.

On the other hand, not using HTTPS means that the communication twixt you and Google's cloud is all in the clear, and is much easier to eavesdrop/snoop on. Especially since a tool was announced at DEFCON last year which made such snooping 'relatively easy'.

So, the general advice (from Wired, above, The Register, here, Mashable, here and the good old Beeb, here) is to always use HTTPS.

comments

Passwordmeter

Tue, 16 Jun 2009 06:55:23 GMT

This Password Strength Checker is an interesting tool.

It uses Google's javascript urchin.js to determine the strength of a password, based on the number of characters, whether or not you're using mixed case, letters, non-alpha-numerics and the like.

Obviously you don't feed it your real password (unless you're feeling particularly brave - it's running a script that's hosted on a different server!), but if you pass it constructs that are similar in nature, it'll give you a rough idea of how secure Google thinks that particular algorithm might be.

comments

More on Windows Update and Firefox

Thu, 11 Jun 2009 06:21:54 GMT

alicit found this story on IT Wire which explains a little bit more about that .NET Assistant for Firefox that was included in Windows Update.

The bit that I was wondering about, given that some of you were reporting yourselves unaffected, is explained by the fact that the particular Update in question only kicked into play if you had the .NET 3.5 framework installed.

The .NET framework is a set of code that makes other programs work (a, uh, framework, if you will). Whilst most of you will have some level of .NET framework installed, you might not all be up to 3.5 yet. So this possibly explains why some of you didn't have the .NET Assistant 1.0 installed.

However. Do keep a periodic eye on the list of extensions to Firefox - once you do install .NET 3.5 (and at some point, unless you never download/install any new software on your machine, you'll have to), it may be that Windows Update will identify your machine as having this particular need, and sort you out accordingly.

Hopefully, by then they'll have learnt their lesson, and actually inform you of what they're doing...

comments

Running Windows? Use Firefox? Read this

Wed, 10 Jun 2009 07:37:08 GMT

( Microsoft installed an update on Firefox as part of Windows Update that makes Firefox inherently less secure than it had been. You need to change this )

comments

Dog logistics

Wed, 20 May 2009 06:17:37 GMT

Sneaking online over breakfast, before Mali and I head up to his Happy Holiday Home where he's staying for the next 48 hours (or thereabouts). Tomorrow, see, I'm off (with work) to Stockton on Tees: we're setting off at 7.30am, and we're not expecting to be back much before 8pm.

Kennels, for their part, open at 8am, and close at 5.30pm, in terms of drop-off/collection, so as is usually the case with these work thingies, I tend to end up having to put Mali in for an 'extra' day, as it were. To be honest, he doesn't seem to mind: when we park up at the place, he'll be desperate to get inside and meet up with the staff there. And, despite it being a huge place (they have room for 72 dogs and I forget how many cats), all the staff know Mali on sight (I'm pretending this can only be a positive thing).

Actually, this works out quite neatly today, as I'm babysitting up at the Farm this evening for both P and his sister (who's now three years old, and is cute beyond belief). So, having dropped Mali off at the kennels, I drive to work, and from work I drive straight up to the Farm, without needing to worry about coming back to Castle Fox to check on Mali.

And the babysitting also ties in neatly, because the Farm's PC crashed on Monday (they had a series of repeated power cuts, after which their Dell has reportedly flung itself into a massive sulk and won't. do. anything). So I'm going to have a look at that whilst I'm there and see if I can help at all.

And finally, going back to that post on Microsoft's Malicious Software Removal Tool, I've learnt that Windows will do a cursory scan on the next rebook of the PC after that month's Windows Updates have been installed, but that the Full Scan is only a user-driven thing. So it's worth running.

comments

Pity the malware, fool!

Mon, 18 May 2009 13:50:26 GMT

Y'know, I've often wondered, whilst watching the Microsoft Updates download to the work PC (for Castle Fox is a Linux domain), what on Earth is that 'Malicious Software Removal Tool' that seems to be a perennial feature?

( Microsoft's Malicious Software Removal Tool )

comments