Category: Computers, Science & Technology

WEP is “Wired Equivalent Privacy” and is available in most wireless routers. It has long been easy to crack. However, new hacking techniques can now crack it in under 60 seconds! Ouch!

The Final ‘Final’ Nail in WEP’s Coffin?

“Researchers have discovered a new way of attacking Wired Equivalent Privacy that requires an amount of data ‘more than an order of magnitude’ less than the best known key-recovery attacks. In effect, the cracking can be done within a minute, as the title of the paper suggests: Breaking 104 bit WEP in less than 60 seconds. Specifically, only 40,000 data packets are needed for a 50 percent chance of success, while 85,000 packets give a 95 percent chance of success, according to the paper’s authors: Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, all researchers in the computer science department at Darmstadt University of Technology in Darmstadt, Germany. The ease of cracking WEP is nothing new; cryptanalysts showed six years ago that any WEP key can be cracked with readily available software in one minute or less. The protocol, which is part of the IEEE 802.11 wireless networking standard, was superseded by WPA (Wi-Fi Protected Access) in 2003, then by WPA2, another name for the full IEEE 802.11i standard. What’s new that has been missing from WEP cracking until now is that a Wi-Fi attacker no longer needs long periods of time nor much smarts, according to Wi-Fi security experts. ‘…To crack WEP [up until now] it 1) required a knowledgeable attacker [and] 2) took a long time,’ said Andrea Bittau, in an e-mail exchange. Bittau is a research fellow at the University College London and a co-author of a paper describing what had been the most effective WEP cracking technique prior to the Germans’ research.”

So… bottom line, use WPA (“Wi-Fi Protected Access”) or WPA2 and be safe!

Now, I am no “typical” computer user. I know better than to download warez and evil files. I don’t click on e-mail attachments… ever! And, in my 28 years of computer experience, I have never had a computer virus hit MY system! Until yesterday. I still haven’t had one on any of my personal computers… but at work, yesterday afternoon, I when to a very bland, ordinary web site. The next thing I know, my system was shouting about a virus… and I had 122 files infected. We use Sophos Anti-virus at work, and it caught it and stopped it dead. But… it was embarrassing! Me! Me, the Doctor, get a computer virus? Why that is unthinkable… totally ridiculous! But, it finally happened. And, as I have been thinking about it, it makes me mad!

I was one of those kids in school that had a perfect attendance record for years! I mark records like that… I was proud of my “I’ve never had a virus” status. Now, boom! It is shot! Any why? Not because of stupid downloads or stupid clicking on attachments… no, it is because of a very ordinary, innocuous web site that had a mechanism to launch a virus attack. Now, let me say, my system is always fully patched… and up to date on all virus signatures and security patches. And, it didn’t cause my system at work any “damage.” Other than to my pride. Sigh.

To my view, we have entered a new age… an age in which even the most computer savvy among us can, indeed, get a virus… there are just too many sites out there that have these “built-in” attack systems. It is a clarion call to be more vigilant, and more serious about computer security.

And I am giving serious thought to adding virus writing to the list of capital offenses. OK, maybe… maybe, that is overkill. Maybe.

I told you about the “animated cursor” zero day exploit on Vista… well today they released the fix.

Microsoft Releases Fix for Animated Cursor Exploit

“Microsoft Corp. plans to patch a security hole in Windows on Tuesday related to an animated cursor that hackers have used to launch attacks after users click on links to malicious Web sites. Microsoft, whose Windows operating system runs on some 95 percent of the world’s computers, said it would release the patch outside of a regular monthly security update because it completed testing earlier than anticipated. ‘Microsoft’s monitoring of attack data continues to indicate that the attacks and customer impact is limited,’ the world’s biggest software maker said in a statement. Security firm F-Secure said attacks using the flaw related to cursor animation files used by Windows intensified over the weekend, with the majority tracing back to different Chinese hacker groups. It said most of the activity around the so-called ANI exploit has been via dozens of malicious Web sites but warned that on Sunday the first Internet worm, able to replicate without the user doing anything to the machine, was found using the flaw to spread. ‘This vulnerability is really tempting for the bad guys,’ said Mikko Hypponen, chief research officer at F-Secure. ‘It’s easy to modify the exploit, and it can be launched via Web or e-mail fairly easily.'”

Wow! “Super-secure” Vista going into a perpetual crash loop because somebody drops an malformed .ani file to the desktop? Yep! A McAfee engineer demonstrates it in this video!

Windows Vista Suicide, Courtesy of McAfee

How embarrassing!

“Windows Vista, Microsoft’s extensively applauded most secure Windows platform to date can be taken down by nothing more than a mere animated cursor. I have seen this piece of news spreading, following a security advisory posted by the Microsoft Security Response Center. But what is the real deal behind this information? Microsoft has warned that it is aware of limited and targeted attacks impacting a critical vulnerability in Microsoft Windows Animated cursor handling. At the basis of the zero-day vulnerability is insufficient format validation, before cursors, animated cursors, and icon rendering. Security company Symantec informed that in the eventuality of a successful exploit, the attacker will be able to perform remote arbitrary code execution on the victim’s machine. There are two vectors for this kind of attack, one is the Internet browser and the other is the desktop email client. ‘In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker,’ according to Microsoft Security Advisory (935423).”

Apple TV is Apple’s first venture into the new, exciting IPTV world. But, people are already modding it with all kinds of hacks. Is it really just a smaller, cheaper Mac Mini?

Apple TV – the cheapest Mac mini ever?

“Sometimes, it looks to me like you do not have to buy your Mac Mini, because Apple TV can be quickly turned into a ‘special version of Mac Mini.’ You just have to tweak the hardware a bit and you can run your new Mac Mini for $299. As a bonus – you get a really fast WI-FI connection and cables for your digital TV for $20. As a bonus – the power supply is inside the computer, not outside and it is so silent, you cannot hear it. When you have time, it can be used as a game console sitting next to your TV set. Just go to your local Apple store, buy Apple TV, download this piece of software from the Internet and turn your Apple TV into ‘Mac Mini Apple TV.’ Without a need to switch between a computer and the TV.”

There are all kinds of Apple TV hacks, check them out here:

Apple TV Hacks

I hear it runs REALLY hot though… as in real heat! They say that you can actually pop corn on the top of the console it is so hot! I know they want it quiet with no fan… but come on!

As you may know, we are a proud member of the Techpodcasts Network. And, they have just released a new, and very cool “Web 2.0-like” web site! Check it out, and look for the “Dr. Bill – The Computer Curmudgeon” show, as well as “Dr. Bill.TV“… all the folks on Techpodcasts Network have committed to good, clean, informative tech shows! It is a pleasure to be associated with this great group of “up-and-comers” in the podcasting world! By the way, I am listed under the “Tech Chat” category!

The Techpodcasts Network

The Techpodcasts Network is now a part of the Raw Voice Media Group as well… so big things are coming! Stay tuned!

Outlook Express security was bad… in fact, you could say, “What security?” Vista’s big claim to fame is security… SECURITY! Yep. But… you knew there would be a “but.” It turns out the first big security issue with Vista Windows Mail has surfaced, and it is a doozy!

First vulnerability in Vista’s Windows Mail discovered

“The successor to Outlook Express links seamlessly with its predecessor’s dubious reputation in matters of security. Just a few months after its official release, the first significant security problem has been uncovered: under certain circumstances, simply clicking on a link in an email can cause a program to be launched on the local computer. A hacker going by the pseudonym Kingcope has reported on a security mailing list that this can be achieved by simply embedding a link to a local program in an email. If a directory with the same name as the executable program exists, the program will be executed by Windows Mail when the user clicks on the link without requiring any confirmation. A brief test at heise Security confirmed this. After creating a folder called calc in C:\Windows\System32\, clicking on a link to c:/windows/system32/calc? launched the calculator without any further user interaction. Up until to now, there has ben no real attack scenario to exploit this, and so the concrete danger is fairly low. Kingcope has listed two Windows programs, winrm and migwiz, for which the required directory already exists. But he admits that it was not possible to pass parameters to the programs, which significantly reduces the potential for targeted activities. But the simple fact that under certain circumstances clicking on a straightforward URL in an email can be sufficient to launch a local program without requiring confirmation from the user leaves an uncomfortable feeling. Many dangerous vulnerabilities in Outlook Express and Internet Explorer initially appeared to be similarly innocuous. And Microsoft will now be judged against the grandiose promises it made with regard to the security of Vista.”

I sure would! I use headphones at work so as not to disturb folks around my cubicle. But what if I needed to hear ambient noise and conversation? Wouldn’t it be great to be able to listen to music, or informational podcasts… without headphones, yet not disturb others at work? Well, Microsoft, of all companies… is working on it!

Microsoft developing virtual headphone algorithm

“Considering that Vista isn’t exactly getting perfectly positive praise, it looks like Microsoft is looking into other ways to bring cashflow to Redmond. While we already know the firm is diving head first into the VoIP handset market, it looks like it’ll also be involved with a new virtual headphone. In an effort to allow VoIP / computer-based communications to be handled without tethering yourself to your PC and also allow you to hear ambient conversations around the office, researchers at Microsoft have ‘developed an algorithm that adjusts the timing of sound waves emitted from each speaker in an array, creating a focused beam of sound that acts as virtual headphones.’ Essentially, the speakers would create a ‘sweet spot’ so that computer users could hear the audio perfectly, while individuals just inches away from the sound zone wouldn’t hear much more than a peep. Furthermore, the focused wave technology could even bleed over into the tracking realm, which could actually allow the tones to follow one around as they move. Ideally, the creators want to conjure up a beamforming system that is easy to configure and relatively inexpensive, but we’re hearing (ahem) that it’ll be at least three years before these aural luxuries break into the corporate sphere.”

OK, so Avery Brooks did a commercial for IBM about Linux. But, Captain Benjamin Sisko is my favorite Star Trek captain, so I can dream!

The Doctor apparently had the ol’ security turned up a mite high, which severely impinged on your comments! (Like you pretty much couldn’t do any commenting!) Sigh. Live and learn… hopefully it is now not too lax. I have removed Spam Karma, and I am trying Akismet to control spamming. We’ll see what happens! Be kind to the ol’ Doc! Sigh.