A couple of weeks ago, we brought to your attention the newly released two-factor authentication that Google rolled out for all of its web-based products (Gmail, Google Docs, Google Calendar, etc). So now that it’s been out for a few weeks, and it’s finally had a chance to make its rounds to everyone’s accounts, let’s take a step back and see how it actually works.
Category: Technology & Tool Thursday
Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions.
I didn’t think Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) made much of a splash when it arrived. I vaguely remember hearing about it, and only decided to check it out when I saw a tweet about it. The basic idea is that it acts as an extra layer of protection against the current generation of exploits in Windows. It has the ability to force processes to use DEP and ASLR, which can significantly lower the success rate of certain attack vectors when used in tandem. Although ASLR has been around for a few years, typically the protection had to be compiled into the code and tested first. So EMET comes in handy for new programs that don’t opt-in to ASLR,[…]
Stop and think about what an attacker could do if they gained control of your e-mail account. Many web sites let you reset your password via an e-mailed link. Poorly designed services may even send a copy of the password to your inbox. Much of your personal information is likely reflected in conversations you’ve had via e-mail, and services such as Gmail can store copies of all your messages. With all this in mind, protecting access to your e-mail has become an important priority. Using strong passwords is a great starting point, but that’s only one level of security. Many companies use another system, known as two-factor authentication, to protect sensitive data, but it hasn’t been widely deployed for consumer[…]
I had the good fortune to attend ShmooCon 2011 last weekend. A new tradition at ShmooCon is evening “firetalks” on Friday and Saturday. Basically, after the conference has ended for the day, a bunch of folks decide to put off parties for a few more hours in order to do a bunch of 15-minute “get right to the point” talks. This year had a good selection of topics and speakers, with one that jumped out to me as a perfect topic for this week’s “Technology & Tool Thursday” post. Armitage was written by Raphael Mudge (not to be confused with Peiter “Mudge” Zatko). It’s a GUI interface for using Metasploit to pwn your targets. Metasploit is a tremendous framework for[…]
Many information security blogs, including this one, have discussed the recent data breach of gossip site Gawker and problems associated with leaked passwords. The story has demonstrated some of the risks associated with password storage. Gawker did store passwords using a form of encryption, but it was a weak algorithm and thus the encrypted data could be cracked. It’s important to remember that you should never simply rely on “encryption” to protect information – that’s sort of like say a bicycle is protected with a combination lock. Some locks are easier to open than others, and if the lock is attached to a weak cable or not properly looped through the frame of the bike, its strength doesn’t even matter. With[…]
Enter Armitage. If you’re normally a windows/GUI person and aren’t comfortable with the command line (much less metasploit’s command line), you might want to look into Armitage. It uses xmlRPC to talk to metasploit and presents you with a nice pretty picture of your network and what you’ve compromised and allows you to launch metasploit plugins and attacks against the networks, as well as interface with meterpreter to pivot through compromised hosts. I have only scratched the surface of what Armitage can do in my own testing, but what I’ve seen so far has been excellent – especially for an initial release. Some folks will complain that this makes it too easy to “hack” into things, but I really think[…]