Category Archives: InfoSec

SSL Enabled, it's got to be secure, right?

This may be news to some, but a repetition to those already in the know.
In the past there has been evidence to show how an MD5 collision can lead to the abuse of signatures from a certificate authority.

A post by Jürgen Schmidt covers some new tests by some rich hacker folks who have 200 PS3s and use these to carry out SSL MD5 hash collision attacks.

Excerpt

Using a cluster of 200 Playstation 3 systems, it took the researchers two days to create two valid certificate requests with predetermined data fields that resulted in identical hash values. The researchers only modified the contents of unimportant fields, for example the Netscape comment extension. They got the RapidSSL Certification Authority to sign the first request, issued for a domain in their possession. Then they attached this digital signature to the second certificate that confirmed the identity of the fictitious “MD5 Collisions Inc.” Certification Authority. Since the second certificate’s hash value is identical to that of the signed original, no program can detect the forgery.

This approach is called a collision attack. Attackers can modify both the subsequently presented forged certificate and the pre-signature original, until two samples with the same hash value are produced.

This is all well and good and interesting, but what can you do about it? Well, now there is a Firefox plugin aimed at helping to identify whether the website you are visiting has been affected by this attack.

The Firefox extension will alert you when visiting a potentially compromised site. The extension works a little magic in the background to determine if the SSL certificate you're trusting to keep your transaction safe is one which could be dangerous, thus giving you a little added protection from the rough and ragged world of cybercrime.

You can download it here.
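The kind of check such an extension can perform, as an added example that is not code from the post or from the extension: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and flags the MD5-based one the collision attack relies on. The certificate bytes are constructed here, and `fake_cert`, `check_certificate` and the weak-OID table are my assumptions, not part of the extension.

```python
# Added example (not from the original post or the Firefox extension): flag a
# certificate whose signature hash is MD5. Only the outer DER layers are parsed.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content bytes to dotted form (first octet packs two arcs)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # clear high bit ends a base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    outer, pos, _ = _read_tlv(cert_der, 0)
    _, _, tbs_end = _read_tlv(cert_der, pos)            # skip tbsCertificate
    alg, alg_start, _ = _read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    oid, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if (outer, alg, oid) != (0x30, 0x30, 0x06):         # SEQUENCE, SEQUENCE, OID
        raise ValueError("not a DER X.509 certificate")
    return _decode_oid(cert_der[oid_start:oid_end])

def check_certificate(cert_der):
    """Return (signature OID, weak-algorithm name or None)."""
    oid = signature_algorithm_oid(cert_der)
    return oid, WEAK_SIGNATURE_OIDS.get(oid)

def _der(tag, content):                   # short-form length only; test data is small
    return bytes([tag, len(content)]) + content

def fake_cert(sig_oid_hex):
    """Constructed stand-in: stub tbsCertificate, real-shaped signatureAlgorithm."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xab\xcd"))
```

Running `check_certificate` on a real DER certificate works the same way, since only the outer SEQUENCE layout is relied on; "2a864886f70d010104" is the content encoding of md5WithRSAEncryption (1.2.840.113549.1.1.4) and "...0b" that of sha256WithRSAEncryption.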

One poke too many… Facebook Fail

I have said it many times to people I know, and now a survey backs up my fears.

A recent survey of HR staff and business managers says they visit social networking sites when reviewing prospective applicants.
So as well as using your CV to gather information and form an opinion of you, they will now use those naked pictures and rude comments on your wall to help decide whether to interview you.

I am sure many people in the know will have locked down their profile from prying eyes, but it's still a risk nonetheless.

I personally don't have a Facebook account as I am a paranoid security guy; however, I would recommend keeping a few thoughts in mind if you are using social networking sites.

  • Don't allow anyone who is not a real friend (a known person) to join your network
  • Don't allow anyone not in your friends network to view your profile
  • Think about what information is in your profile (date of birth, address, email address, employer, interests). Does this need to be in there?
  • Just ask yourself: if the information you are sharing were known by a total stranger, what would it matter to you?

Updated: 23-02-2009

Here is a link to the top 10 Privacy Settings Every Facebook User Should Know.

My mighty IronKey

Well, it's been a while since I have had a need to dust off one of my many USB storage devices, and whilst having a dig about I found my trusty IronKey. I had forgotten what a splendid device this is; it's like the James Bond gadget of USB devices: it's waterproof, rugged, self-destructing, and it looks super sexy.

On plugging it in it had a few updates to do (must look into what these updates were), and then I was back up and running. It is also excellent that you can do secure Internet browsing (like the Tor network) with its onboard applications; sadly there are Firefox 3.0 issues currently, but I am sure that will be fixed in the future.

This bit of kit is really worth considering if you or your organisation are looking for an encrypted USB storage device.


Many organisations underestimate the risk of data loss through removable storage, such as USB, CD, DVD etc. There are many hardware and software solutions to control the flow of data, and they are well worth considering.

Caution Zombies Ahead!!

I heard about some roadside sign hacking, and I thought it sounded excellent. Obviously there are some safety risks here, as the signs are really there to inform about the road conditions. No doubt this will spark the good old "all hackers are evil" reaction, but still I thought it was worth posting.

For more information check out i-hacked.com.
