You may have seen Ben’s post earlier this week on Firesheep. I am running a Mac and I use FileVault, as I recommend most people do in order to protect their sensitive files. Unfortunately the current release of Firesheep does not support FileVault. That didn’t stop me, here is what you need to get Firesheep running on Firefox 3.6.x on a Mac running FileVault from start to finish. Download the Firesheep .xpi file here. Drag the .xpi file into your Firefox browser window to install it, then quit Firefox. Move the extension folder from your user account to the application folder. The /Users/[youraccount]/Library/Application Support/Firefox/Profiles/[yourprofile]/extensions/firesheep@codebutler.com folder should be moved into the /Applications/Firefox.app/Contents/MacOS/extensions folder. Relaunch Firefox, and you should be good to go. If[…]
Category: cool
Here at Security Musings, we occasionally discuss some fairly technical topics. Like most speciallized subjects, there is a plethora of disorganized information, and occasional spatterings of highly organized resources on the Internet that help widen one’s knowledge and expertise in any given area. One such spattering I recently came across is the online version of the Handbook of Applied Cryptography (not to be confused with the other book of similar appellation that is more-frequently used in college classes around the country). Although it can get pretty nitty gritty at times with regard to the math and science involved in cryptography, sometimes that is exactly what you need to get the full picture and/or fill in the blanks that other resources[…]
HOPE was this weekend at the Hotel Penn in New York City. Except for the choice of venues, it’s a pretty nice (and cheap) conference to get to. I went to several of the talks, although, not all of them would be interesting to purely security people – like cooking for geeks… The talks I did attend were interesting, if not ground breaking. HOPE isn’t generally where people release new code, tools or exploits – that’s Black Hat and Defcon in two weeks, but there tend to be more talks about hacker culture and privacy. The one talk I skipped that I would have liked to go to was the Social Engineering talk – at 9pm on a Saturday (I[…]
Last year I discovered an unusual but useful method for writing web application code: non-alphanumeric JavaScript. This technique has been pioneered by several script ninjas on the hackers forum sla.ckers.org and lets you write scripts without directly using letters or numbers. Application filters or sandboxes may catch typical attacks by monitoring for requests such as “document.cookie,” but they may let non-alphanumeric code slip through. How does it work? First, you can use blank objects or arrays to generate basic values. For instance, +[] evaluates to the number zero, while !{} returns the boolean value false. You can also combine these simple results to create strings, such as [!{}]+[+[]] == “false0”. By treating these strings as arrays, we can grab individual[…]
Fact: Twitter uses Amazon’s S3 AWS to store user images. Fact: Twitter apparently only checks the file extension to determine the file type of uploaded images, not an image library or a method that checks for binary image data. Fact: This can be used (or abused) to obtain un-metered free hosting of files that are less than 800K in size. How is it done? A user can rename any file with a ‘jpg’ ‘gif’ or ‘png’ extension and upload it as their background image on a dummy Twitter account. Then they can simply grab the URI of the “image” from the inline CSS declarations. Since the file is believed to be an image, it is uploaded and stored with no[…]
FireGPG is an OpenPGP MIME-compliant add-on to Firefox that allows you to select some text on a web page (or entered in a form) and perform some cryptographic operations on it. This add-on provides immediate security benefits. It can allow you to easily and quickly encrypt a message and send it over a public channel without even having to leave your browser. For example, you can send a (short) secret message to someone by encrypting it and posting the block in a public forum or on a public blog– as long as the recipients have the correct key, they can decrypt it. This add-on can also be used to generate digital signatures, providing both integrity and non-repudiation. Below is an[…]