Tag: Security

Passlet.com

December 4, 2006 » Geek

I saw on my Ajaxian feed today a neat service called Passlet. Essentially it is a password keeper, like KisKis or the one built into Firefox. The novelty here is that it uses JavaScript to handle all the encrypting and decrypting on the client side. That means no transmission of clear text information, not even over SSL.

I happily admit I’d been thinking about this concept for at least 4 months. See, I liked KisKis a lot. It was Java, used good, solid encryption and had a nice interface. Problem was, it’s hard to keep my thumb drive version synced to my box versions, and I rarely remembered to anyway. So I thought, why not make a web based password keeper that used JavaScript to keep it secure?

The result was BlowPass which uses a JavaScript implementation of the Blowfish cipher. I was working on the Ajax stuff when I got frustrated with mootools and left it alone. It has several key weaknesses, and I suppose I could learn from Passlet, but, I may as well just use it instead of finishing BlowPass. If you want the source to BlowPass leave me a note. Thats my GPL disclaimer since the Blowfish implementation was GPL’d.

Update (01/11/07)
BlowPass is semi-active now, you can get more information and try it out at http://static.velvetcache.org/projects/blowpass. It’s still a rather raw version though. If you aren’t concerned about the “open-source” aspect (e.g. don’t want to host it and mod it yourself) I’d go use passlet or passpack.

WLAN Router Monitor BASH Script

November 16, 2006 » Geek

I was reading some material on WEP and WPA cracking, and decided to write a monitor for our router. I was curious if anyone other than us hooked up. I’ve turned off the MAC filtering on it and got my BASH script working.

I’m kinda proud of it actually. I wrote it from scratch, just hit up the man pages on my system for hints. I wanted to use lynx -dump on the “Attached Devices” page, but I couldn’t get lynx to authenticate from the command line. I decided to use wget instead, since it worked just fine. I also knew I had html2txt installed from something else, so that was good too.

Here’s the script, password removed of course. The slickness is all in that last line, pardon my WP plug-in’s poor highlighting.

#!/bin/bash
date >> $HOME/System/routerLog
echo >> $HOME/System/routerLog
wget -O - http://admin:[email protected]/DEV_device.htm | html2text >> $HOME/System/routerLog

The one tough feature to find was getting wget to print to the stdout instead of to a file. Thats what the -O - does.

It works nice, but it has a lot of extra spacing in it. I tried to do a sed line to filter out multiple newlines, but I’ve never actually used sed, and I couldn’t get it working. Maybe it’s my regex: s/\n{2,}//g. Dunno, not a biggie. I hooked up a cron job for every 15 minutes, we’ll see what I catch (and how bloated that log file will get)

P.S. The router is a NetGear WGR614 v5

P.P.S. I got to thinking about that comment about MAC filtering. With a big network you could camp out with Kismet, grab some attached devices MAC, wait until it disconnects and change your MAC to it’s. While you wait you can crack the WEP too. MAC filtering really isn’t as good as I thought. Same with fakeap. If only one ap has attached devices…uh, that’d be the real one…

Does this look exploited to you?

October 20, 2006 » Geek

I was wandering through my log files and saw this failed http request:
/fluxbuntu/xf0j/t/x1b/x16/v+/xf0j/t/x1b/x14(-/xf0

That looks like escaped hex or something to me. Except the j’s, don’t get where they fit in. Anyway, Google gave me nothing, so I suppose it’s just an oddity I’ll never know about.

Another Case Of Shortsighted Politicians

September 22, 2006 » Geek

I just finished reading a quick blurb on The Register about a proposed German law that deals with hacking. The part I really find bad is ‘a provision in the draft laws that would make it an offense to create or distribute “hacking tools” ‘. Outlawing the various tools of the trade is absurd and dangerous.

Illegal to posses a port scanner? I can’t imagine the offense it would be to subscribe to a full disclosure mailing list. What’s more is that the black hats aren’t going to let this slow them down, but law-abiding white hats just might. That means less discovery of flaws, less disclose, and a more insecure world. Why don’t they think these things through?

The Article At The Register

Foxmarks Insecurities

August 4, 2006 » Geek

Newsflash! Foxmarks bookmark synchronizer transmits your username and password in cleartext.

I had LiveHTTP Headers open while trying to figure out a post error to a server at work when foxmarks went ahead and sync’d up. I noticed the extra header info and was mildly surprised to find that it had sent my username and password in cleartext over an insecure connection, like so,
http://username:[email protected]/home/username/foxmarks.xml
So whats this mean for us? Well, anyone sniffing your traffic (can you say “insecure wireless network”?) will get instant access to your account. There are no real solutions but you can do a few things to limit the damage.

  • Don’t use that password on any other site or service.
  • Don’t auto synchronize on a wireless connection, wait for a hardline if you can.
  • Don’t put sensitive links or information into foxmarks