Categories
Computing

Dutch RFID transit pass cracked and cloned

Roel Verdult, an MSc student at Radboud University Nijmegen, used an RFID tag emulator to perform a successful practical relay attack on the single-use OV-Chipkaart (the Dutch RFID public transportation card), which uses MIFARE Ultralight tags. [via]

His report is titled Proof of concept, cloning the OV-Chip card (pdf link)

Categories
Computing Security

Cyber thieves target social sites

The BBC reports that social sites such as Myspace and Facebook are prime targets of cyber thieves.

The quasi-intimate nature of the sites makes people share information readily, leaving them open to all kinds of other attacks, warn security firms.

Detailed information gathered via the sites will also help tune spam runs or make phishing e-mail more convincing.

It is not just that people make public information they wouldn’t ordinarily tell a stranger, but that add-ons to these social sites may inadvertently create vulnerabilities through which criminals can compromise a user’s computer and install trojans or keylogging software to steal bank details.

Categories
Computing Security

Entire Child Benefit database lost.

The loss of two CDs containing the personal details of all families in the UK with a child under 16 inspires me with confidence in the Government’s ability to ensure the security of the data to be held in the National Identity Register.

Categories
Computing

Public Wi-Fi Cookie Exploit

Robert Graham of Errata Security has demonstrated at the Black Hat hacker conference in Las Vegas an exploit that allows attackers to log in to users’ accounts on webmail and social networking sites without a password, by stealing session cookies sent over public Wi-Fi.

Attackers would be able to read and post messages posing as the genuine user of the account; they would not, however, be able to make any major changes to the accounts they had hijacked, as sites require users to re-enter a password for such activities.

Categories
Computing Security

Potty about Harry’s leakage on bittorrent

Bruce Schneier reports that the New Harry Potter Book Leaked on BitTorrent and that he’s been fielding press calls all day about it.

It’s online: digital photographs of every page are available on BitTorrent.

I’ve been fielding press calls on this, mostly from reporters asking me what the publisher could have done differently. Honestly, I don’t think it was possible to keep the book under wraps. There are millions of copies of the book headed to all four corners of the globe. There are simply too many people who must be trusted in order for the security to hold. And all it takes is one untrustworthy person — one truck driver, one bookstore owner, one warehouse worker — to leak the book.

But conversely, I don’t think the publishers should care. Anyone fan-crazed enough to read digital photographs of the pages a few days before the real copy comes out is also someone who is going to buy a real copy. And anyone who will read the digital photographs instead of the real book would have borrowed a copy from a friend. My guess is that the publishers will lose zero sales, and that the pre-release will simply increase the press frenzy.

I’m kind of amazed the book hadn’t leaked sooner.

And, of course, it is inevitable that we’ll get ASCII copies of the book post-publication, for all of you who want to read it on your PDA.

Harry Potter Fans Transcribe Book from Photos

Scholastic Loses It Over Harry Potter/BitTorrent Story

The Harry Potter leaker left the EXIF data intact in the JPEGs they created.

Categories
Computing

TrueCrypt Tutorial: Truly Portable Data Encryption

TrueCrypt is free software that encrypts data “on-the-fly”. You can create an encrypted hard drive, a separate partition or a directory. TrueCrypt is portable — it works on GNU/Linux and Windows. Worried about losing your valuable data when your laptop gets stolen? Don’t wait: encrypt your data now!


Categories
Computing

CAPTCHA book digitizing

You have almost certainly come across a CAPTCHA before if you’ve tried to sign up for a webmail account or a forum.

A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human.

This has developed into a kind of arms race, with spammers coming up with better CAPTCHA-solving software and organisations trying to improve their CAPTCHA-generating algorithms.

Throwing itself into the ring is reCAPTCHA, with a brilliant new twist on the idea: a reCAPTCHA has two words. Why? reCAPTCHA is more than a CAPTCHA; it also helps to digitize old books. One of the words in a reCAPTCHA is a word the computer already knows, much like a normal CAPTCHA. The other word is a word that the computer can’t read. When you solve a reCAPTCHA, we not only check that you are a human, but use your reading of the other word to help read the book!
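An added model of the two-word scheme just described (example code written for this page, not reCAPTCHA’s own service code): only the known control word decides pass/fail, and a reading of the unknown word is accepted as the digitized text once an assumed number of independent passers agree on it.

```python
"""Simplified model of reCAPTCHA's two-word grading. The control word has a
known answer; the other word is an OCR failure whose transcription is only
trusted once enough humans who passed the control agree on it."""
from collections import Counter, defaultdict

AGREEMENT_THRESHOLD = 3  # assumed: agreeing votes needed to trust a reading


class ReCaptchaModel:
    def __init__(self):
        # unknown word id -> Counter of human transcriptions
        self.votes = defaultdict(Counter)
        # unknown word id -> accepted transcription
        self.digitized = {}

    def grade(self, control_answer, control_word, unknown_id, unknown_answer):
        """Return True if the user passed the human test.

        Only the control word is graded: nobody has a ground truth for the
        unknown word yet, so it can never be used to fail a user.
        """
        if control_answer.strip().lower() != control_word.lower():
            return False
        # Record the reading of the unknown word only for users who passed,
        # so failed (likely automated) attempts cannot poison the book text.
        self.record_vote(unknown_id, unknown_answer)
        return True

    def record_vote(self, unknown_id, text):
        """Accumulate one human reading; accept it once the threshold is met."""
        if unknown_id in self.digitized:
            return
        self.votes[unknown_id][text.strip().lower()] += 1
        best, count = self.votes[unknown_id].most_common(1)[0]
        if count >= AGREEMENT_THRESHOLD:
            self.digitized[unknown_id] = best
```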

Categories
Computing

TrueCrypt irony

TrueCrypt is a really astonishingly wonderful piece of cryptographic software, and unfortunately and ironically for me it is too good at what it does.

TrueCrypt is a free and open source utility that performs on-the-fly encryption, allowing the user to create a virtual encrypted disk (a TrueCrypt volume). TrueCrypt can either create an encrypted file that acts as a real disk, or encrypt an entire hard disk partition or a storage device/medium such as a floppy disk or USB memory stick.

One of the best features of the TrueCrypt software is that it allows you to use passwords based upon the content of files. You designate one or more files as keyfiles, and it combines those with the password you type in to create an ultra-secure unbreakable password. So say you choose the password Gazza after your favourite footballer of the 90s: on its own this would be a trivial password for a brute-force attack to crack, but if you were to combine it with a keyfile of an MP3 of Fog On The Tyne, it would become immeasurably more difficult.

However, should you ever lose the keyfiles that you chose to use, or, like me, forget which ones you used, the TrueCrypt volume that you have created becomes impossible to open and you lose all the data you have so carefully secured.
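An added illustration of the failure mode just described (example code written for this page, not TrueCrypt’s own implementation; the keyfile-mixing step is a simplified HMAC stand-in and the salt, iteration count and “MP3” bytes are constructed): the volume key depends on both the typed password and the exact keyfile bytes, so the right password with no keyfile, a different file, or the same file altered by one byte all fail to open the volume.

```python
"""Why a lost keyfile makes an encrypted volume unrecoverable: the key is
derived from password AND keyfile, and the password alone cannot regenerate it.
Simplified stand-in for TrueCrypt's keyfile handling, not its real algorithm."""
import hashlib
import hmac
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed iteration count for this illustration


def mix_keyfile(password: str, keyfile_bytes: bytes) -> bytes:
    """Fold the keyfile contents into the password material (assumed scheme)."""
    return hmac.new(hashlib.sha512(keyfile_bytes).digest(),
                    password.encode("utf-8"), hashlib.sha512).digest()


def derive_volume_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Derive a 32-byte volume key from the password, optional keyfile and salt."""
    material = password.encode("utf-8") if keyfile is None else mix_keyfile(password, keyfile)
    return hashlib.pbkdf2_hmac("sha512", material, salt, PBKDF2_ITERATIONS, dklen=32)


def can_open(sealed_key: bytes, password: str, keyfile: Optional[bytes], salt: bytes) -> bool:
    """Constant-time check of a candidate against the key that sealed the volume."""
    return hmac.compare_digest(sealed_key, derive_volume_key(password, keyfile, salt))


# Constructed sample data standing in for the post's scenario.
SALT = bytes(range(32))
FOG_ON_THE_TYNE = b"constructed stand-in for the MP3 keyfile bytes" * 64
OTHER_MP3 = b"another file that is not the keyfile used at creation" * 64


def demo() -> dict:
    """Seal with password 'Gazza' + keyfile, then try to open several ways."""
    sealed = derive_volume_key("Gazza", FOG_ON_THE_TYNE, SALT)
    return {
        "same_password_same_keyfile": can_open(sealed, "Gazza", FOG_ON_THE_TYNE, SALT),
        "same_password_no_keyfile": can_open(sealed, "Gazza", None, SALT),
        "same_password_wrong_keyfile": can_open(sealed, "Gazza", OTHER_MP3, SALT),
        "same_password_keyfile_one_byte_changed":
            can_open(sealed, "Gazza", FOG_ON_THE_TYNE[:-1] + b"!", SALT),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case}: {'opens' if opened else 'cannot open'}")
```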

Luckily for me the drive that I had encrypted was merely used to back up important data for my publishing business and so I didn’t lose anything but the time it took to reformat the disk and back up all my business data yet again.

I do wonder what would have happened should I have been compelled to decrypt the volume under Part III of the Regulation of Investigatory Powers Act 2000 as clearly I really could not have done so.

Categories
Uncategorized

FT no to DRM

The Financial Times have asked the readers of their website “Should music companies drop DRM?” [via]

There appears to be overwhelming opposition to DRM amongst voters as the current tally shows 98% opposed.

Categories
Computing Security

The Psychology of Security

Bruce Schneier’s Essay The Psychology of Security