Posted by Jonas Elfström Tue, 27 Mar 2007 20:30:00 GMT
The phishing attempts against Nordea are still going strong and the mails are now in almost correct swedish.
One might wonder why Nordea still haven't done any major changes. Maybe the've seen Fight Club and calculates just the way Jack does while working as an automotive manufacture recall coordinator...
Posted by Jonas Elfström Tue, 27 Feb 2007 16:01:00 GMT
One-way hash functions takes a message of any length as input and outputs a very large but fixed length number, called message digest or fingerprint. They can be used for "storing" passwords or as a signature that makes it possible to verify that you got the correct message.
MD5 got into problems over 10 years ago and SHA-1 could to be heading the same way. Until the new standard is published I would follow the crowd and recommend SHA-256.
require 'digest/sha2'
quickfox="The quick brown fox jumps over the lazy dog"
Digest::SHA256.hexdigest(quickfox)=> "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"
using System.Security.Cryptography;...
ASCIIEncoding byteConverter = new ASCIIEncoding();
string quickfox="The quick brown fox jumps over the lazy dog";
HashAlgorithm sha256 = new SHA256Managed();
byte[] hash = sha256.ComputeHash(byteConverter.GetBytes(quickfox));
crypt.Text = Convert.ToBase64String(hash); Posted by Jonas Elfström Mon, 26 Feb 2007 16:01:00 GMT
It has recently been reported that by simply opening the wrong web page you could be in trouble if you haven't changed the default password of your home router. The page could contain a JavaScript that changes the DNS-settings. Schneier blogs about it here and today he posted a link to a page containing default passwords for most of the home routers on the market.
Recently I helped a friend to change the password on his router. He knew that he could administer his router with a web interface but he did not know where to point his browser. He's running Windows and if you are in the same situation as my friend you could almost always find out the address by:
Posted by Jonas Elfström Mon, 12 Feb 2007 18:45:00 GMT
Gunnar Kreitz has shown that random chosen OTPs aren't nearly as good as I first thought. Against the current trojan they work just fine but Kreitz describes how a modified and more advanced trojan could be effective.
It seems that in the end the protocol only forces the trojan be more complex, adds a time span for the validity of the OTP and makes the attack more likely to fail (there is no guarantee that the user will enter a second OTP or that he will do it in time). I suppose the attacker also would have to make the trojan completely automated or have a 24/7 staff waiting. If the user has opted in to have the n presented as a CAPTCHA it would force the evildoers to have that 24/7 staff.
My bank has support for sending OTPs by SMS but a trojan that works like the one described by Kreitz would have no problem with that one either.
The protection against phising, as in redirecting the user to a fake login page, is still much greater with randomly chosen OTPs.
I find it a bit ironic that the bank in question actually is going to implement something that sounds like randomly chosen OTPs. They recently announced a change in their login procedure: "Vilken engångskod från kodkortet du ska använda framgår på inloggningssidan." / "What one-time password you are supposed to enter will be presented on the login page."
Personally I think the security tokens with signing abilities sounds more and more reasonable.
Posted by Jonas Elfström Fri, 09 Feb 2007 00:11:00 GMT
Someone mentioned SETL and I didn't even know what it was so I googled it. Ended up at http://en.wikipedia.org/wiki/SETL#Sample_code:
Print all prime numbers from 2 to N
print({n in {2..N} | forall m in {2..n - 1} | n mod m > 0});The notation is similar to list comprehension.
Interesting! In Ruby you could do that something like this:
N=42
2.upto(N) {|n| puts n if (2..n-1).all? {|m| n.modulo(m)>0} }The SETL example at wikipedia actually iterates way too much.
N=42
puts 2
3.step(N,2) {|n| puts n if (2..n/3).all? {|m| n.modulo(m)>0} }I realize this is not purist list comprehension, well actually it isn't lc at all. Ruby does not have lc in the same sense as Python and others, but you can do almost everything you can with lc with the fantastic collection of methods in Enumerable. If that isn't enough you could always expand Ruby with a more general support for list comprehension like described here.
