I usually refrain from posting about such stuff on my site, mostly because I tend to work myself up into a rant and I just don't have the time and energy to deal with that these days, but this was a really good read. While responding to a question about a certain aspect of airline security, a pilot provided his thoughts on the industry as a whole. This is a very insightful point of view, and covers a lot of what's just plain wrong with the state of affairs today.
I highly encourage anyone interested in this sort of stuff (and if you ever have reason to fly on a plane, you should be interested) to read the full article. It only takes a few minutes.
(as found on Bruce Schneier's blog)
JST posted a good question a while back in the Universal Extractor forum. He wanted to know if any executable files (such as installers) were actually run during the extraction process. For the vast majority of files, UniExtract will "rip" the contents out of the file using a extraction/decompression utility. For example, Inno Setup installers are handled by innounp, self-extracting Zip files are handled by 7-Zip or Info-ZIP, etc. However, there also cases where some files simply must be executed in order to extract the contents.
JST was concerned about this because he sometimes uses Universal Extractor to investigate malicious files. Obviously you want to be very careful when examining malicious files, so his concern was well justified. He asked for a list of file types that UniExtract will actually execute when extracting. It took me a while to get around to documented this, but I've finally done so. You can read the full list in this forum thread:
This is good information to know, especially if you ever work with suspicious files. I'm probably going to add this information to the main UniExtract page as well, and will look into possibly adding a warning message to UniExtract itself before executing any untrusted files.
I recently came across an interesting article on Irongeek.com (which itself is a pretty interesting security site that I'll probably add to my list of news feeds) entitled, "ALT+NUMPAD ASCII Key Combos: The α and Ω of Creating Obscure Passwords." The author suggests the idea of using non-standard (ie, not defined on standard keyboards) special characters as part of your password. It's common knowledge that adding special characters to your password greatly increases the difficulty of guessing or brute forcing the password. This extends the idea by adding normally hidden (and often unthought of) characters to the mix. So, while something like
abCD1234%^&* might be a good example of using special characters in a password (though obviously you'd want something more random than that sequence), consider this password:
äßÇÐ½²¶╔¥¢. I'd love to see the password cracker that can crack that one. :-)
Of course, as the author mentions there are downsides to this. Increased complexity notwithstanding, its strength is also its main weakness; these are non-standard characters, and as such not all applications and operating support them in the same manner (or at all). While this may work great as a Windows user password, for example, it may not be possible to use it as a Linux user password.
Regardless, it's still an interesting concept that deserves some attention. Check out the article for more details on the subject, as well as a tutorial and reference charts for entering special characters. The Wikipedia article on Windows Alt keycodes (also referenced in the article) is another good resource.
Security guru Bruce Schneier has written a rather fascinating article on password composition and cracking. Security professionals in general would be interested in this, but in truth anyone using computer systems (read: you) should read and pay attention to this article.
Interesting statistics from the article: 24% of all analyzed passwords are recovered within minutes; up to 65% are cracked within one month.
You can read the full article at this link:
SecurityFocus recently published a two-part article by Mikhael Felker covering security concerns with the password management functionality in both Internet Explorer and Mozilla Firefox. It's a pretty good read for anyone interested in such topics.
For you open source freaks out there who want (or need) to use Windows, stay virus free, but only use open source software (besides your OS), there is a new piece of antivirus software out there. ClamWin is a Windows port of the well-known ClamAV, released under the GPL, and it works very well. Besides your own use, it's also good to have a free/legal solution to those house calls where your friends/neighbors/family has a virus but doesn't want to buy AV software.
Check it out at the ClamWin website.
Okay, this is actually one of the coolest things I've seen in a while. According to the site:
SecurityDocs.com is a directory of information security articles, white papers, and other documents that information security professionals find useful.
I spent a little bit of time earlier browsing the site, and it looks like there's some REALLY good content on here, covering everything ranging from firewall rulesets to OS hardening to security awareness. Very cool.