password

Sign files unattended in batch mode while having an eToken (no password popup!) (updated)

Expanding on answers already in this thread, it is possible to provide the token password using the standard signtool program from Microsoft.

1. Export your public certificate to a file from the SafeNet Client.
2. Find your private key container name.
3. Find your reader name.
4. Format it all together. The eToken CSP has hidden (or at least not widely advertised) functionality to parse the token password out of the container name. The format is one of the following:

[]=name
[reader]=name
[{{password}}]=name
[reader{{password}}]=name

Where: reader is the "Reader name" from the SafeNet Client UI, password is your token password, and name is the "Container name" from the SafeNet Client UI. Presumably you must specify the reader name if you have more than one reader connected; as I only have one reader I cannot confirm this.

5. Pass the information to signtool:

signtool sign /f certfile.cer /csp "eToken Base Cryptographic Provider" /k "<value from step 4>" any other signtool flags you require

Example signtool command as follows:

signtool sign /f mycert.cer /csp "eToken Base Cryptographic Provider" /k "[{{TokenPasswordHere}}]=KeyContainerNameHere" myfile.exe

Update: This doesn't work after updating the key. Check this thread for more details: https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing
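The five steps above, wrapped into a PowerShell script you can call from a build job. This is an added example, not code from the original post or from SafeNet/Microsoft: it builds the `[reader{{password}}]=name` container string from the post, reads the token PIN from an environment variable instead of hard-coding it, signs each file, and verifies the result. Assumptions that are not in the original post: signtool.exe is on PATH, the PIN is supplied through the environment variable ETOKEN_PIN, and SHA-256 digests with an RFC 3161 timestamp are wanted (/fd, /tr and /td are standard signtool flags; the timestamp URL is a placeholder). The post's own update still applies: the trick stopped working for the author after the key was updated.

```powershell
# Added example (not from the original post). Usage:
#   $env:ETOKEN_PIN = '<token password>'
#   .\Sign-WithEtoken.ps1 -CertFile mycert.cer -ContainerName KeyContainerNameHere app.exe installer.msi
param(
    [Parameter(Mandatory)] [string] $CertFile,        # public cert exported from SafeNet Client (step 1)
    [Parameter(Mandatory)] [string] $ContainerName,   # "Container name" from the SafeNet Client UI (step 2)
    [string] $Reader = '',                            # "Reader name" (step 3); only needed with several readers
    [string] $TimestampUrl = 'http://timestamp.example.invalid',  # placeholder TSA URL, an assumption
    [Parameter(Mandatory, ValueFromRemainingArguments)] [string[]] $Files
)

$ErrorActionPreference = 'Stop'

# The PIN is read from the environment so it does not end up in source control.
# It still appears on the signtool command line (process listings, build logs),
# which is the price of the "no popup" trick; keep the build agent locked down.
$pin = $env:ETOKEN_PIN
if ([string]::IsNullOrEmpty($pin)) { throw 'Set the ETOKEN_PIN environment variable before running.' }

function New-EtokenKeySpec {
    # Builds the undocumented container string from the post (step 4):
    #   [reader{{password}}]=name   (reader may be empty -> [{{password}}]=name)
    param([string] $Container, [string] $Pin, [string] $ReaderName)
    return '[' + $ReaderName + '{{' + $Pin + '}}]=' + $Container
}

$keySpec = New-EtokenKeySpec -Container $ContainerName -Pin $pin -ReaderName $Reader

foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) { throw "File not found: $f" }

    # Step 5: sign with the eToken CSP, pointing /k at the container string.
    & signtool.exe sign /f $CertFile /csp 'eToken Base Cryptographic Provider' /k $keySpec `
        /fd SHA256 /tr $TimestampUrl /td SHA256 $f
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed on $f (exit code $LASTEXITCODE)" }

    # Verify against the default Authenticode policy so a broken chain fails the build.
    & signtool.exe verify /pa /v $f
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed on $f (exit code $LASTEXITCODE)" }

    Write-Host "Signed and verified: $f"
}
```

Because the PIN is part of the command line, run this only on a dedicated signing host and avoid echoing the full command into CI logs; if the token is shared between people, a dedicated signing account with its own PIN makes the log trail attributable.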


Sextorsion with “real” data – Do not pay!

If you have received an email with the subject "Yuor password – ", don't freak out immediately. Yes, "yuor" is misspelled, but this is how the fraudsters wrote it, not the author of this article. The fraudsters have used a dump of email addresses and passwords from some hacked website where you registered with that email address and password. So, yes, they are real. The email is pretty convincing, and if you don't think for a moment, some people might be inclined to actually believe that it is true. But it isn't: it is just an automated email, created from the list of recent dumps made public. You can see for yourself here for more details: https://haveibeenpwned.com/. I recommend entering your email address there as well, and you will receive notifications if your email appears in some dumps. How to recognize these scams: let's have a short look at this email, so that you know in the future how to recognize them. 1. No fraudster would write his/her real name and email address. A simple search on the "From" of this email shows a normal person, who might have had his/her email hacked. 2. Look at the language:…


Logginggate: Twitter has been logging your password in plain text all this time… and this is not all of it!

Did you receive this email too? Twitter is telling us that despite the fact that they stored just the hashes of the passwords in their DB, they have been logging the plain text password in their backend. Stupid?! Hell yes! But the even more stupid thing is this: WHY DO THEY SEND THE PASSWORD IN PLAIN TEXT TO THEIR BACKEND? It would be enough to generate the password's hash on the client side and send only the hash to their server (with the caveat that a hash computed on the client becomes the secret the server sees, so the server would still have to hash it again before storing it). Now it all makes sense… In the past weeks they have been blocking accounts under the excuse that the user violated their usage rules. This is bullshit… I think they were just trying to piss people off so that they change their password. And here is the relevant part in plain text: About The Bug We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were…


LinkedIn Legal : “Important information about your LinkedIn account”

Yeah, they were hacked 4 years ago and now their data is everywhere… well, almost everywhere. The LinkedIn hack of 2012 is now being sold on the dark web. It was allegedly 167 million accounts, and for a mere 5 bitcoins (about US$2.2k) you could jump over to the Tor-based trading site, pay your bitcoins and retrieve what was one of the largest data breaches ever to hit the airwaves. Until this week, that is, when the Myspace.com leak from 2013 (or 2008!) released data of over 360 million users. LinkedIn's Legal wrote: Notice of Data Breach You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you. What Happened? On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since…



Security checklist for “Back to school”

Summer is coming to an end soon and we know that the next thing to happen is: children go back to school. Parents are always concerned (for good reasons) about what their children will do and how, and for the last few years they have had other concerns as well. Their children have smartphones and multiple online identities, and parents are worrying about the security of these physical and digital assets. Thinking of this, I created this checklist which parents and children (and not only them) can easily go through to improve their security.

Mobile devices

– Password/PIN protect your laptop, smartphone, tablet. For laptops, use a good strong password. Learn here how to make one. For smartphones and tablets, even if it is recommended to enter a password as well, sometimes it is not very easy to enter a complex password. This is why you should set a PIN. Don't even think of 1234 or the like. Think of a number that makes sense to you so that you can remember it. Please don't write it on the back of the device.

– Encrypt your device. Most devices support encrypting the internal and external storage either natively or with an external app. Doing so has the…



Change default passwords from your Internet enabled devices

Useless to write again about changing default passwords? Think again… I just bought two brand-new TP-Link WiFi Range Extenders, models WA860RE and WA854RE. Latest version, latest firmware. Both come with the default username and password: admin. It is written on their back… Once you log in, you go through a wizard which configures the device. But it doesn't prompt you to change that password! When you go to System tools -> Passwords, you are prompted to change the user name and password. But you must choose a good password, because TP-Link clearly requires: The new user name and password must not exceed 14 characters in length and must not include any spaces. Well, that's how TP-Link thinks a password, or better, a passphrase should be. For ideas and tips on how to change one, visit Improve Your Security and download the free eBook. What is the correct approach for TP-Link? They must make it easier for the user: as soon as the device is started for the first time, the wizard must prompt you to change the password. It makes absolutely no sense to prompt for a user name. You can have a default one (e.g.: admin) and keep…



Security through obscurity: Smart Light bulb Exposes Wi-Fi Password

A team of British security consultants (Context) hacked their way into a private Wi-Fi network, using Lifx bulbs as the backdoor. In a typical Lifx setup, one bulb will automatically serve as the "master," communicating directly with your smartphone and then relaying all info to other "slave" bulbs. Context's team was able to hack their way in by posing as a new slave bulb and tricking the master bulb into sending them the Wi-Fi credentials, the last thing you want an attacker to get their hands on. On top of that, nothing that Context did raised any red flags within the Lifx network or in the Lifx app. There wasn't even a notification that a new bulb was asking to join the network. Even more alarming was the fact that the key Lifx bulbs were using to encrypt these credentials was a global one, the same in every bulb. If an attacker were to get their hands on it, they'd essentially have a skeleton key capable of letting them into any network that uses Lifx bulbs. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the…



Improve your Security #1: Complex passwords aren’t always better

I have published the first article in this series in the Avira Techblog here: http://techblog.avira.com/2011/01/31/improve-your-security-1-complex-passwords-arent-always-better And, as a confirmation of what I wrote, I found this article in CIO Magazine: Apple and Google will kill password. If I could only offer them a hand 🙂 Actually, I could do something in this direction by creating a tool inside Avira Premium Security Suite which manages all of a user's passwords in a safe manner.



Complex passwords aren’t always better

Recently I took the exam for the CompTIA Security+ Certification. While practicing for the exam, I came across the following question. Q: When setting password rules, which of the following will lower the level of security of a network? A: Complex passwords that users cannot remotely change, randomly generated by the administrator and given to users. Why? Very simple, actually 🙂 Because the users will write these passwords on stickers and hang them on their monitors 🙂 So, IT guys, please make your life simpler and let the users change their passwords. There you must definitely enforce some policies!

