Sunday, February 04, 2007

This Week in Sec

Excuse the bad pun of a title, but I couldn't come up with anything better. Anyway, as with my last posting of links, it's not exactly a week; it's probably closer to "the interesting links I've found since I last posted a post of links". So here goes:

.aware alpha zine
The people over at have released an ezine. It has nothing to do with web apps, but it's still quite good. To quote the front page:
Hello and welcome to the first .aware eZine ever to exist on planet
earth. Basically, with all the h0no wannabes out there and phrack down,
I thought there ought to be a little bit more actual infotainment spread
into cyberspace. This way, maybe not all of us will be driven into
criminal insanity by paranoid hallucinations.

Enjoy the zine.

PS: We're sorry for causing all that cancer.

CAPTCHA Recognition via Averaging
This article describes how certain types of captchas (such as the ones used by a German online-banking site) can be automatically recognized using software. The attack does not recognize any one particular captcha by itself; instead it exploits a design error that allows an attacker to average multiple captchas containing the same information, so that the per-image noise cancels out while the shared content remains.

This was submitted to bugtraq, so you can find the discussion that went on about it here: (note: this isn't just the single post, there are replies) and, because the thread got split across two months, here:

Vista Speech Command Exposes Remote Exploit
Essentially, some people found out that Vista doesn't attempt any cancellation of the audio that travels from the speakers to the microphone. So any spoken commands your computer plays through the speakers will be picked up by the microphone and, if you have voice commands activated, will be executed.

I didn't break it!
Matt Blaze posted a very good entry about how (crypto) researchers are often described as having "cracked" codes, and how this taints research. I think this applies to security research just as much, except that most people say security researchers "broke" something rather than "cracked" it. He also has another interesting post entitled James Randi owes me a million dollars, which I think people should also read.

And in case you somehow managed to miss it:
Sudo Labs is up!
Sudo Labs is an attempt to create an R&D-oriented forum where people can come to discuss any ideas they have about security, in an environment which focuses on new ideas and techniques rather than on explaining old thoughts. Having said that, those who aren't experts are also welcome; they are just asked to contribute rather than clog the board with questions about well-known topics, since there are many other boards which will teach you about security.

So that about wraps it up for the interesting security-related things I've found over the past week. Hopefully next time I'll have a better title, but I somehow doubt it.

