Saturday, October 20, 2012

Split-value Cryptographic Authentication: Building Advanced Threat-Resistant Software

RSA’s newly announced Distributed Credential Protection (DCP) is a perfect illustration of the innovative design that helps build software that better resists Advanced Threats.



For almost 40 years, multiple generations of security architecture for distributed systems have been built around the concept of a Trusted Third Party, a server trusted by all parties involved in the secure communication exchange. Examples include the key server in the Needham–Schroeder Symmetric Key Protocol or in Kerberos as well as the Certification Authority in Public Key Cryptosystems.

With Advanced Threats, trusted third parties have become a “single point of security failure.” If attackers control the trusted system, the game is over.

We need new security designs for this new world. Split-value cryptographic authentication, as implemented in RSA Distributed Credential Protection, exemplifies an Advanced Threat-resistant security design. It was invented by RSA Labs several years ago as a way to store and verify authentication secrets so that they cannot be compromised even if any one of the systems involved in the authentication process is compromised. The principle is straightforward and relies on random numbers and XOR transformations:



1) Before it is stored, the password is transformed (XORed) with a random number. The random number is stored on one server (the “red” server) and the transformed password on a different server (the “blue” server). Compromising one server alone is not sufficient to recover the password.

2) At regular time intervals, a new random number is generated and both stored values are refreshed with it, adding a time-based layer of protection: both servers must be compromised at the same time for the password to be recovered.

3) When an application needs to verify a password, the claimed password transformed with a new random number is sent to the “blue” server while that random number is sent to the “red” server. Each server applies a further transformation to the data it received and the data it stores, and together they can determine whether the claimed password matches the stored password without either server ever seeing the legitimate password.
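The three steps above, carried through in working code as an added example (not RSA's implementation): the two "servers" are in-process stores, passwords are pre-hashed with SHA-256 to give fixed-length 32-byte operands for XOR (an assumption of this example, not something the post specifies), and the final comparison is a plain constant-time equality check.

```python
import hashlib
import secrets

SHARE_LEN = 32  # bytes; assumed here, not specified in the post

def fixed_length(password: str) -> bytes:
    # XOR needs equal-length operands, so the password is first hashed to a
    # fixed 32-byte value. This pre-hashing step is an assumption of this example.
    return hashlib.sha256(password.encode("utf-8")).digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    """A store standing in for one of the two machines ("red" or "blue")."""
    def __init__(self, name: str):
        self.name = name
        self.store = {}  # user -> 32-byte half

def enroll(red: Server, blue: Server, user: str, password: str) -> None:
    # Step 1: transform the password with a random number r; r goes to red,
    # password XOR r goes to blue. Either half on its own is uniformly random.
    r = secrets.token_bytes(SHARE_LEN)
    red.store[user] = r
    blue.store[user] = xor(fixed_length(password), r)

def rerandomize(red: Server, blue: Server, user: str) -> None:
    # Step 2: periodic refresh with a fresh random delta. Folding the same delta
    # into both halves leaves red XOR blue unchanged, so a half stolen before the
    # refresh no longer pairs with the half stored after it.
    delta = secrets.token_bytes(SHARE_LEN)
    red.store[user] = xor(red.store[user], delta)
    blue.store[user] = xor(blue.store[user], delta)

def verify(red: Server, blue: Server, user: str, claimed: str) -> bool:
    # Step 3: the client masks the claimed password with a fresh random q, sends
    # the masked value to blue and q to red. Each server XORs in its stored half;
    # neither one sees the claimed or the stored password in the clear.
    q = secrets.token_bytes(SHARE_LEN)
    blue_out = xor(xor(fixed_length(claimed), q), blue.store[user])  # claimed^q^pw^r
    red_out = xor(q, red.store[user])                                # q^r
    # The outputs agree exactly when claimed == pw. Who performs this final
    # comparison, and what a mismatch reveals to them, is a deployment choice
    # the post does not cover; here it is a constant-time equality check.
    return secrets.compare_digest(blue_out, red_out)
```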

Split-value cryptographic authentication opens new opportunities to software developers worldwide to start developing Advanced Threat-resistant software.

This is just a start. Advanced Threats are changing our trust assumptions and have technical and operational impact on how we approach security. In the area of secure application design, we should expect more innovations like split-value cryptographic authentication to emerge to help build Advanced Threat-resistant software.




[source]If you enjoyed this post, make sure you subscribe to my RSS feed! Comments are encouraged

Troubleshoot Problems with Problem Step Recorder


Windows 7 has a built-in Problem Steps Recorder. If you want to troubleshoot an issue or find out exactly what happened, you can record the steps taken, including each mouse click and UI change. The Problem Steps Recorder is a small app you can open by typing PSR in the search box, or via Start > Run > psr.exe.
The Problem Steps Recorder window opens and you can start recording. It is similar to screen capture software, but has additional functions such as recording keystrokes and mouse clicks and gathering technical details behind the interface. Finally, it saves the output as a ZIP file containing an MHTML report page. If you open the report page, you can find details of the errors.







Thursday, October 18, 2012


Pirate Bay Becomes Raid-Proof | WOW !

The Pirate Bay has made an important change to its infrastructure. The world’s most famous BitTorrent site has switched its entire operation to the cloud. From now on The Pirate Bay will serve its users from several cloud hosting providers scattered around the world. The move will cut costs, ensure better uptime, and make the site virtually invulnerable to police raids — all while keeping user data secure.


The biggest challenge for the operators of the site was that, initially, all infrastructure was located in one central location. It took a while after the 2006 police raid to change that, but once the decision was made, there was no going back to the old ways.

In recent years changes were made to the tracker and to how torrents were offered on the site. That, however, did not take care of the server issue. A few days ago, The Pirate Bay announced a change that improves the site's protection against raids and hardware-related issues.



The servers have been moved to cloud hosting companies in two different countries. At those companies, virtual machine instances are run which can easily be replaced should one of the providers drop the Pirate Bay.


What's even more interesting is that the cloud hosting providers do not know that they are hosting The Pirate Bay. Even if they somehow found out, they would not be able to monitor the traffic, and thus user IPs and activities on the site, because all traffic is encrypted.

The Pirate Bay operates a load balancer (a diskless server running entirely in RAM) and a transit router, which operate in different countries. All communication is encrypted, and the worst-case scenario would be losing access to both the transit router and the load balancer at the same time. Notably, the virtual servers shut down automatically if they are unable to communicate with the load balancer for an eight-hour period.

The move makes the Pirate Bay less vulnerable to raids or hardware failures. Site visitors on the other hand won’t likely notice any differences other than an improved availability of the site.



Earn money with social networking : Zurker

What Is Zurker And Do You Need To Know About It?




Since the name first started circulating around in February, there has been much speculation and interest in the new start-up and it has only continued to grow.
Shares
Becoming a member of Zurker automatically makes you an owner and investor in the site. By inviting friends to join the network you earn a vShare. Now, these don’t count as real shares until Zurker becomes a publicly traded company but it’s still a pretty good start.
Obviously, you’ll want to refer as many friends as you can so that you get more shares, which in turn allows the social network to expand. You can also purchase vShares so you can invest as little or much as you want.
Zurker Vs Facebook
As soon as any new social networking site is released, it is instantly compared to the almighty Facebook. With the announcement that Facebook is to become a publicly traded company, it has definitely got us all thinking about who is making all the money from this.
As Facebook has grown, so have its investors' bank balances. It goes to show how far a small start-up can come in a few years and how much money continues to be invested in the world of social media. What's to say that the users can't be the ones to profit from social networking? Now that the question has been thrown out there, it's hard to avoid.


Can it work?
On paper this seems like the best idea. We’re all going to be multi-millionaires by 2016! Before we get too carried away we need to remember the facts. It doesn’t yet have a mobile app or a developer API. From using the site, I can see that it is still in its early stages.
While the interface is simple to use, it doesn’t have an overly attractive design. However, I think this can be improved as the site continues to grow. After all, does anyone remember the initial Facebook design?
Yes, the whole Facebook thing has already been done, and many would argue that it would be difficult to see another social network achieve the same level of growth and success. But the beauty of social media is that anything is possible and you're never 100% sure how the general public will react.


If you want an invitation, go here: http://www.zurker.in/i-118764-slarngscql ... This is my referral ID.



Wednesday, October 17, 2012

UEFI Secure Boot System for Linux

When Microsoft announced Secure Boot for Windows 8, it received lots of flak from the Linux community because of fears that Secure Boot would effectively shut out Linux distributions on PCs shipping with the operating system. The biggest problem with Secure Boot was that Microsoft gave OEMs the power to decide whether to include an off-switch for Secure Boot or not. Disabling Secure Boot in UEFI frees the PC from the restriction, so that operating systems that do not support Secure Boot can be installed and run on the PC.

The primary purpose of the protocol is to prevent the loading of unsigned drivers or operating system loaders. It should be noted that Secure Boot is only available on PCs that use UEFI; PCs that use a legacy BIOS are not affected by it at all.

A few days ago the Linux Foundation announced that it has found a way to make Linux and other open source distributions work with Secure Boot.

In a nutshell, the Linux Foundation will obtain a Microsoft key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system).

The source code for the pre-bootloader is available at git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

The Linux Foundation notes that it may take a while to obtain a signature from Microsoft. Once it has been acquired, the pre-bootloader will be made available on the Linux Foundation website, from where it can be downloaded freely. The bootloader will run a “present user” test to protect the system against attacks targeting the boot process. It is not clear how this will work out, or whether it will lead to certain access restrictions. Because the chain load is unsigned, the loader does not offer any security enhancement over booting Linux with UEFI Secure Boot turned off. It is good news for PC users who want to run a dual or triple boot system on a PC with UEFI that includes Windows 8 and at least one Linux distribution or open source operating system.







Wednesday, October 3, 2012

[How to] Test website in older version of Internet Explorer

If you're a web developer, this post is for you. If you want to see how a website looks in older versions of Internet Explorer, you don't need to install older versions of the browser. IE9 (Internet Explorer version 9) has an option to render pages as version 7 or 8 would, i.e. it shows your website as it would appear in IE7 or IE8.

Below are the steps:


  1. Open your website in IE9.
  2. Go to the Developer Tools option in the settings menu, or hit F12.
  3. A toolbar similar to Firebug opens at the bottom.
  4. Go to Browser Mode.
  5. Change it to the one you want (for example: Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 9 Compatibility View).
So-called drawback: the IE 6 view is not available.

My comment: stop developing websites for IE 6. Supporting IE 7 and later is enough, because IE 7 is a great improvement over IE 6. It's far better.





