I’m downloading rainbow tables to go along with my password cracking software. I ended up getting almost every user account just using alphanumeric tables. I want to go for the whole shebang, so I’m downloading rainbow tables with alphanumeric and special characters and spaces. I just noticed I’ll be over quota. Hope I don’t get a nasty email from Cox. Well, at least I found one thing that can be legally downloaded via BitTorrent.
Exploit Code Too Prevalent?
Microsoft complained this week about “security” companies publishing exploit code for its vulnerabilities. It was once common to publish proof-of-concept code as a method of proving a vulnerability exists. This goes beyond that. These are companies that have received credit for holding off public announcement of the vulnerability until a patch is available, and they then release exploit code at the same moment Microsoft releases the patches.
Administrators have not yet had time to do any due diligence on the patches. Even if they deployed patches without any testing, roll-outs at large organizations take time.
This exploit code is widely available. It’s not like the olden days where you had to know where to look. Now every script kiddie has 5 copies of the code at their disposal and the administrator has it too. This exploit code is then expanded on to create a worm.
Sometimes exploit code is neat. It gives a solid demonstration that encourages people to patch. Releasing this code publicly at the same time the patches are released is reprehensible. Why help the virus-writing incubation period?
Security Problems for RFID?
Graduate students at Johns Hopkins University have uncovered a method of cracking the encryption surrounding RFID, so reports news.com.
Non-technical results are posted at www.rfidanalysis.org
RFID systems are used in automotive keys so that a signal from the key is necessary to start the car. They are also used in Mobil SpeedPass and in Wal-Mart inventory.
The writers point out that the 40-bit encryption is rather trivial to hack. What is needed is AES encryption. The problem is that, with the long rollout cycles for automobiles, this is not a change that will occur immediately.
Of course, with SpeedPass I still think the primary issue is that when someone steals your keys, they now have access to your credit card (without signature necessary) at every Mobil/Exxon station.
Everything Old is New Again?
Over at Slashdot, they have an article on a new form of wireless hijacking.
They’ve written an applet to sniff wireless traffic and replace specified responses with their own content. So when you pull down a website it is replaced by something else.
In theory it’s similar to a man-in-the-middle attack, but it’s more interesting because it is grabbed out of the air.
Their writeup is here. I’d highly suggest not following the links to images or videos on that site.

