Posts Tagged ‘Security’

2001, a DB8 odyssey

How come all the talk about IPv6 comes with illustrations like 2001:db8:1234:abcd::321? When we eventually adopt IPv6, is some person or company going to find all the students, hackers and IT novices hitting the same network addresses just because they were mentioned in the IPv6 textbooks and cheat sheets? Will the eventual owners of these addresses be like current Slashdot victims, overloaded with unexpected traffic?

No. In fact, you are encouraged to use the 2001:db8 block of IPv6 addresses in your documentation (and possibly some illustrative code) precisely because it is reserved for that purpose. RFC 3849 explains that “the Asia Pacific Network Information Centre (APNIC) allocated a unicast address prefix for documentation purposes”, so we can safely use [click title to read more…]

Sony network fiasco

It is a little disturbing to think that a reputable company like Sony could operate a network that allowed the private records of 77,000,000 (seventy-seven million) customers to be siphoned out. These records include passwords and answers to security challenges, according to an official statement from Sony. What I can’t understand is why, as this statement seems to imply, the passwords and answers were stored in plain text. Surely every good security geek knows that you don’t store access data in plain text.

I wrote about this issue a few years ago. It doesn’t take much to protect this sensitive data. Did Sony assume that, because the data was within their private network, it was safe? If they did, [click title to read more…]

To Alert or Not To Alert

It would seem that someone in the browser community had the “brilliant” idea of disabling JavaScript Alert() boxes on pages that have a “lot” of these (i.e. more than a handful). Crazy. The Alert() mechanism is there for a very good reason, to alert the user to something of importance.

Like “Please confirm that you have read the terms and conditions before proceeding”

Or “Warning: this combination of medication is not advised for pregnant women”

So, the Web-based service keeps popping up these alerts and suddenly there’s a “helpful” checkbox on the alert that says “prevent this page from creating additional dialogs”. Tempting, isn’t it? You click it, and bye-bye alerts.

And possibly bye-bye your safety, your security, your failsafe, [click title to read more…]

5F4DCC3B5AA765D61D8327DEB882CF99

They say you should never store or transmit passwords in plain text. Instead, encrypt them first, preferably “one-way” so that you can only compare the encrypted signatures and can’t actually retrieve the original passwords. MD5 produces a one-way signature. But what if the original password is some well-known word or phrase? For example, the MD5 of “password” is 5F4DCC3B5AA765D61D8327DEB882CF99, so if you find that code stored in a password file then you know the original password was “password”. A dictionary of MD5 signatures will easily break any MD5-based password store unless you take the precaution of adding a few extras to the password before you hash it. Add some secret constants to the beginning, middle and/or end. Add other bits of [click title to read more…]