FBI Hopes Hard Drive Will Shine Light on Conn. Shooter’s Motive

Posted: 20 Dec 2012 10:24 AM PST

Desperate Convenience:  Login with Facebook, Google and LinkedIn

Posted: 20 Dec 2012 06:28 AM PST

Is your management thinking about allowing people to log in to your precious systems by using their Facebook, Google or LinkedIn accounts? What are the risks? One consideration is password policies. I experimented to find out what were the effective password policies in place:

| Site | Minimum Characters | Reuse? | Trivial? | All lower-case? | Expiration |
|---|---|---|---|---|---|
| Facebook | 6 | Yes | No | Yes | No |
| Google | 8 | No | No | Yes | No |
| LinkedIn | 6 | Yes | No | Yes | No |

All 3 prevented the use of trivial passwords such as 123456. However, all accepted a password consisting only of lower-case letters, and none of the services seems to implement password expiration, at least not in a reasonable time frame (1 year or less). Password expiration is necessary to protect against password guessing attacks, because given enough time a slow trickle of systematic attempts will succeed. The weaker the other password requirements and protections (e.g., number of tries allowed/minute) are, the quicker the expiration period should be.

In my opinion, all 3 have weak password policies overall. However, if you *must* have a "login with your X account" feature, I suggest using Google's service and not the others, at least when considering only password policies. Google has the best policy by far (potentially thousands of times stronger), with 8 characters and not allowing the re-use of previous passwords.

After 16 login failures, Google presents a captcha. This struck me as a large number, but Facebook allows an even greater number of attempts before blocking (I lost count). On Facebook, you can continue login attempts simply by clearing the Facebook cookies in the browser, which effectively provides an infinite number of login attempts and a great weakness towards password guessing attacks. But then, clearing the browser's cookies also bypasses the Google captcha... How disappointing.

LinkedIn is the only one that didn't lose track of login attempts by clearing browser cookies or using a different browser; after 12 failed attempts, it required answering a captcha. So, if you must have 2 login services, I would suggest Google and LinkedIn, and to avoid Facebook. Other considerations, such as the security of the login mechanism and trustworthiness of the service, are not addressed here.

Looking for fail2ban++

Posted: 19 Dec 2012 09:00 AM PST

If you're looking for a worthwhile project, here's something that could benefit most security practitioners. The application "fail2ban" has been extremely useful in blocking sources of undesirable behavior such as brute force attacks on password mechanisms, spammers (by hooking it up to your mail server's rejection log), as well as hostile vulnerability scanners. However, it only works for IPv4. Discussions (and patches) I've seen to make it work with IPv6 unfortunately focus on making it understand IPv6 addresses, and miss an important point.

With IPv6, entities, even home users, will have large networks at their disposal. As a result, it may be futile to block a single IPv6 address. However, blocking whole IPv6 networks with the same threshold as a single IPv4 user may block legitimate users. I need a program that will work like fail2ban but will allow progressive blocking, as follows:

If undesirable behavior is observed from IP addresses within a network of size N past threshold T(N), block the entire network.

This would work with multiple network sizes, starting with singleton IPs and scaling up to large networks, with the threshold increasing and being more tolerant the larger the network is. How the threshold changes with the size of the network should be configurable.

A corollary of the above is that when we move to IPv6, as some service providers have already done, password strength, and the strength of secrets and applications in general, will have to increase because we will have to be more tolerant of undesirable behavior, until the threshold of the attacker's network size is reached. This will of course likely be a lot more than, and at a minimum the same as, what we tolerate on IPv4 for a single address.
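A minimal sketch of the progressive-blocking rule described above, as an added example (not code from the post or from fail2ban). The prefix tiers, the threshold function `default_threshold`, and the class name `ProgressiveBlocker` are assumptions chosen for illustration; failure counts never expire here, whereas a real deployment would age them out over a time window.

```python
import ipaddress
from collections import Counter

# Assumed tiers (prefix lengths, most specific first); tune per deployment.
TIERS = {4: (32, 24), 6: (128, 64, 56, 48)}

def default_threshold(host_bits, base=5):
    """T(N) for a network of N = 2**host_bits addresses: grows with size."""
    return base + host_bits // 4

class ProgressiveBlocker:
    def __init__(self, tiers=TIERS, threshold=default_threshold):
        self.tiers, self.threshold = tiers, threshold
        self.failures = Counter()   # network -> failures seen (no expiry here)
        self.blocked = set()        # networks currently blocked

    def _networks(self, ip):
        """Yield (enclosing network, host bits) for every configured tier."""
        for plen in self.tiers[ip.version]:
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            yield net, ip.max_prefixlen - plen

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(net in self.blocked for net, _ in self._networks(ip))

    def record_failure(self, addr):
        """Count one bad event; return the largest network newly blocked."""
        ip = ipaddress.ip_address(addr)
        newly = None
        for net, host_bits in self._networks(ip):
            self.failures[net] += 1
            if net not in self.blocked and self.failures[net] >= self.threshold(host_bits):
                self.blocked.add(net)
                newly = net
        return newly

def demo():
    """Constructed input: 21 failures, each from a different address in one /64."""
    blocker = ProgressiveBlocker()
    hits = [blocker.record_failure(f"2001:db8:1:2::{i:x}") for i in range(1, 22)]
    return blocker, hits

if __name__ == "__main__":
    blocker, hits = demo()
    print("blocked:", sorted(map(str, blocker.blocked)))
```

In the constructed run no single address ever reaches the per-address threshold, yet the enclosing /64 is blocked once its larger threshold is crossed, while a neighbouring /64 in the same /48 stays reachable.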

Two CERIAS Faculty Named as ACM Distinguished Members

Posted: 18 Dec 2012 10:43 AM PST

Tony Hosking (Associate Professor - Computer Sciences) and Ninghui Li (Associate Professor - Computer Sciences and CERIAS Fellow) were named as 2012 Distinguished Members of the Association for Computing Machinery.

How to Use an iPod Touch to Control the House

Posted:

Do you want to use your iPod Touch to control the inner workings of your house? There's an app (or two) for that. Use an iPod Touch to control your house with help from an expert in the world of Apple retail in this free video clip.

How to Put Celtx Scripts on Your iPod

Posted:

Celtx is a lightweight, handy application that is free unless you upgrade to the "Plus" version. Put Celtx scripts on your iPod with help from an expert in the world of Apple retail in this free video clip.

How to Text From an Android to an iPod

Posted:

Texting from an Android device to an iPod Touch requires the careful use of the right application. Find out how to send a text from an Android to an iPod Touch with help from an expert in the world of Apple retail in this free video clip.

Steps to Install TomTom on the iPod Touch

Posted:

Installing TomTom on the iPod Touch is a great way to take GPS functionality with you wherever you go. Learn about the steps to install TomTom on the iPod Touch with help from an expert in the world of Apple retail in this free video clip.

How to Change the Owner Settings on a Used iPod

Posted:

Changing the owner settings on a used iPod is a great way to personalize your new device. Change the owner settings on a used iPod with help from an expert in the world of Apple retail in this free video clip.

How to Reset Your iPod Touch Without a Computer

Posted:

Just because you don't have access to a computer doesn't mean you can't reset your iPod Touch. Reset your iPod Touch without a computer with help from an expert in the world of Apple retail in this free video clip.

How to Change the Order of Playlist Songs on an iPod

Posted:

Changing the order of playlist songs on an iPod Touch is something you can do with just a few quick taps of your finger. Change the order of playlist songs on your iPod Touch with help from an expert in the world of Apple retail in this free video cl...

What Is the Difference Between a First, Second & Third Generation iPod Touch?

Posted:

The third generation iPod Touch was very distinct in a few key ways. Learn about the differences between the first, second and third generation iPod Touch models with help from an expert in the world of Apple retail in this free video clip.

How to Configure Email for an iPod Touch

Posted:

Every iPod Touch comes with an e-mail reading application built right in. Configure e-mail for an iPod Touch with help from an expert in the world of Apple retail in this free video clip.

How to Make Applications Run Faster on an iPod

Posted:

There are a few different ways in which you can make your iPod Touch applications run faster than ever before. Make applications run faster on an iPod Touch with help from an expert in the world of Apple retail in this free video clip.