Archive for May, 2008

Cinema: Indiana Jones e il regno del teschio di cristallo

Sunday, May 25th, 2008

Indiana Jones e il regno del teschio di cristallo: Il professor Jones seppur invechiato fa ancora l’archeologo, viene a suo malgrado conivolto in un operazione dei servizi segreti russi per impossessarsi di uno nuova arma dalle caratteristiche aliene.

Un film appassionante anche se ogni tanto un po’ esagerato, all’americana insomma, ma anche molto divertente.

Citazione: "Se vuoi diventare un bravo archeologo, non stare in biblioteca"
Citazione: "Ma tu non sei un professore?" "Si, ma a tempo perso"
Citazione: "Tu combatti come un giovane ragazzino, non vede l’ora di iniziare e poi finisce velocemente"

OpenSSL massive pwnage

Saturday, May 17th, 2008

All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between september 2006 and May 13th, 2008 may be insecure.
In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign.
Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked.
All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system.
Any tools that relied on OpenSSL’s PRNG to secure the data they transferred may be vulnerable to an offline attack.
Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since that date propagated to the testing and current stable (etch) distributions.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

Applications/protocols known to use these keys:

  • OpenSSH (both server and user keys)
  • OpenVPN
  • OpenSWAN/StrongSWAN
  • DNSSEC
  • key material for X.509
  • encfs
  • Tor
  • postfix, exim4, sendmail and other MTAs when using SSL/TLS
  • cyrus imapd
  • courier imap/pop3
  • dovecot with imaps/pops support
  • apache2 (ssl certs, see “PEM keys” bellow)
  • dropbear
  • cfengine
  • puppet
  • xrdp
  • tinc
  • gitosis
  • vsftpd SSL certificates for FTPS
  • proftpd SSL/TLS certificates for FTPS
  • ftpd-ssl SSL certificates for FTPS
  • telnetd-ssl SSL certificates for SSL-Telnet
  • and more..

References:

Famola strana (la SQL Injection)

Saturday, May 3rd, 2008

Provate a pensare a tutti i sistemi di controllo del traffico autostradale quali ad esempio i famosi autovelox "Tutor" il cui funzionamento e` basato sul riconoscimento automatico della targa
di un autoveicolo. Una telecamera inquadra l’autoveicolo e un software riconosce la targa e ne interpreta i caratteri, trasformando un’immagine in un un dato che puo` essere successivamente utilizzato, nel caso la targa dell’autoveicolo.

Ora questo dato sara` utilizzato in varie elaborazione e plausibilmente in un’interrogazione ad una base dati, quindi questa cosa e` una geniata:

(Immagine presa da http://www.areino.com/hackeando/)