Allied Telesis Security Blunder

27. May, 2011

Another reason why security by obscurity is bad: Allied Telesis builds network components. While this page was loading in your browser, there is a chance that some of their equipment was involved somewhere along the way.

Those components are protected by the usual user/password scheme. If you lost your password, support could tell you the name and password of a backdoor, that is, a login that always works but isn’t visible when you, say, request a list of all known users.

Sounds good? It is. Saves a lot of hassle.

The problem? Someone posted the details of all the backdoors in the public support section. Which means that crackers all over the globe now have free rein over them.


Publishing Your Passwords on The Internet

17. May, 2011

Would you tell your GMail password to a friend? Your colleagues in the office? Publish it on the Internet?

If the answer to any of these is “NO”, you should turn off automatic synchronization on your Android smartphone and never use it in open Wi-Fi networks.

The reason is that Google uses something called a “token” to allow apps on your smartphone to connect to Google services like your mail box, your calendar, etc. The token is like a key on your keychain: anyone who has the key can open the door it fits. Unlike keys on your keychain, anyone who can pick a token out of the air also knows where that door is!

Related article: Catching AuthTokens in the Wild


Getting MercurialEclipse 1.7.0

27. November, 2010

Wondering why Eclipse suddenly asks for a password for cbes.javaforge.com? Someone decided that it was a good idea to request users of MercurialEclipse to create accounts on JavaForge.

Not impressed? Go here instead.


Password managers for Nokia with Symbian/S60

7. October, 2010

Some password managers for my mobile phone:


Simple passwords

6. September, 2010
(Image: Credit card, via Wikipedia)

How secure can a simple password be?

Well, that depends. What do you want to protect and against whom?

Today, there are two main attacks. The first one is by people who are close. Coworkers and relatives. The coworkers need some information or access to some function while you’re not around or because there wasn’t enough money to buy a software license for everyone. The relatives want to spy on you (for various reasons). If your password is something personal, they will figure it out easily enough.

The other attack is by spammers who want to gain access to your computer (to send more spam, to get access to more computers, or to get at your bank account, your credit card number, etc.) or to your accounts. Credibility (as in Google ranking) can be worth money, so control over a well-known blog or a reputable website is not something a cracker would shun.

These people run professional attacks against logins, so they try words from dictionaries with a few numbers added (like cat123). They have tables of passwords and how often people use them (hint: don’t use 123456 as a password).

For big sites, the question isn’t really how “secure” the passwords are but how often they are reused. If every password were different, it would take attackers much more effort to crack enough accounts to make the attempt worthwhile.

That means passwords could be simple enough to remember. As they should be. Or people will have to write them down somewhere — we’re not computers. Which remember everything perfectly. Unless the last backup didn’t work. Or a virus comes along. Or someone makes a mistake.
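A check a site could run at registration against the two cheap attacks described above: a dictionary word with a few numbers (or a bit of punctuation) added, and a table of the most-used passwords. This is an added example, not code from the post; the word list and the most-used table are small constructed stand-ins for the real lists attackers carry, and the leet substitutions are an assumption about what such tools try automatically.

```python
import re
from typing import Optional

# Constructed stand-ins for the attacker's lists: a dictionary and a
# "most used passwords" table. A real check loads a full word list and a
# leaked-password frequency list from disk.
DICTIONARY = {"cat", "dog", "password", "summer", "letmein", "welcome",
              "monkey", "dragon"}
MOST_USED = {"123456", "12345678", "password", "qwerty", "abc123",
             "111111", "iloveyou"}

# Split a candidate into a stem and "a few numbers added" (cat123),
# allowing a little trailing punctuation as well (cat123!).
SUFFIX = re.compile(r"^(?P<stem>.*?)(?P<suffix>[0-9!.?_-]{0,6})$")

# Character substitutions cracking tools apply automatically (p@ssw0rd);
# the exact set is an assumption for this example.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t"})


def guessable(password: str) -> Optional[str]:
    """Return why the password falls to one of the cheap attacks from the
    post, or None if neither applies. It is not a strength score: a long
    unusual phrase passes even though it contains no digits at all."""
    if password in MOST_USED:
        return "in the most-used passwords table"
    lowered = password.lower()
    m = SUFFIX.match(lowered)
    stem, suffix = m.group("stem"), m.group("suffix")
    # Undo leet-speak in the stem only; the suffix is the "numbers added".
    for candidate in (stem, stem.translate(LEET)):
        if candidate in DICTIONARY:
            return f"dictionary word {candidate!r} plus suffix {suffix!r}"
    return None


if __name__ == "__main__":
    for pw in ("123456", "cat123", "P@ssw0rd!", "Dragon2011",
               "correct horse battery"):
        print(f"{pw!r}: {guessable(pw) or 'no cheap attack found'}")
```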
