This is great research by Ryan O'Horo, from IOActive, on analyzing password hashes and session tokens. The purpose is to identify how much computing power it would take to generate a correct value:
I find myself analyzing password and token entropy quite frequently and I’ve come to rely upon Wolfram Alpha and Burp Suite Pro to get my estimates for these values. It’s understandable why we’d want to check a password’s entropy. It gives us an indication of how long it would take an attacker to brute force it, whether in a login form or a stolen database of hashes. However, an overlooked concern is the entropy contained in tokens for session and object identifiers. These values can also be brute forced to steal active sessions and gain access to objects to which we do not have permission. Not only are these tokens sometimes too short, they sometimes also contain much less entropy than appears.
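To make the "less entropy than appears" point concrete, here is an added example (my own code, not from O'Horo's post, Burp Suite or Wolfram Alpha) that estimates per-position Shannon entropy over a sample of tokens and compares it with the entropy the token format appears to carry. The 16-hex-character token layout, the 1e6 guesses/second rate and all function names are assumptions; the sample tokens are constructed, not captured from any real application.

```python
import math
import random
from collections import Counter

def apparent_entropy_bits(token: str, alphabet: str = "0123456789abcdef") -> float:
    """Bits the token would carry if every position were uniform over the alphabet."""
    return len(token) * math.log2(len(alphabet))

def positional_entropy_bits(tokens: list[str]) -> list[float]:
    """Shannon entropy (bits) observed at each character position of the samples.
    Fixed positions contribute 0 bits however long the token looks. Caveat: positions
    are treated as independent, so correlated fields (counters, timestamps) still
    make this an overestimate of the true entropy."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all sampled tokens must have the same length")
    n = len(tokens)
    bits = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits

def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit one valid value: on average half the space is tried."""
    return 2 ** bits / 2 / guesses_per_second

def make_sample_tokens(n: int, seed: int = 1) -> list[str]:
    """Constructed sample (not real tokens): 16 hex chars that look like 64 bits,
    but a fixed prefix and a zero field leave only 6 hex digits that actually vary."""
    rng = random.Random(seed)
    return ["0a7f4c3e" + f"{rng.randrange(256):02x}00{rng.randrange(65536):04x}"
            for _ in range(n)]

def analyze(tokens: list[str], guesses_per_second: float = 1e6) -> dict:
    """Compare the apparent entropy of a token format with what the samples show."""
    per_pos = positional_entropy_bits(tokens)
    apparent = apparent_entropy_bits(tokens[0])
    estimated = sum(per_pos)
    return {
        "apparent_bits": apparent,
        "estimated_bits": estimated,
        "fixed_positions": [i for i, b in enumerate(per_pos) if b == 0.0],
        "apparent_bruteforce_s": brute_force_seconds(apparent, guesses_per_second),
        "estimated_bruteforce_s": brute_force_seconds(estimated, guesses_per_second),
    }

if __name__ == "__main__":
    for key, value in analyze(make_sample_tokens(2000)).items():
        print(f"{key}: {value}")
```

With the constructed sample the format looks like 64 bits but the estimate comes out just under 24, which turns a brute-force effort of hundreds of thousands of years at a million guesses per second into a few seconds.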
This seems like a handy tool to have. I do not have a use for it just yet:
DNSChef is a cross-platform DNS proxy capable of forging responses based on inclusive and exclusive domain lists, matching domains with wildcards, proxying true responses for nonmatching domains, using external configuration files and other features useful for pentesters and malware analysts. DNSChef was developed to help with a test of an application which did not support HTTP proxy parameters.
There are many ways to intercept network traffic; however, you may find this tool handy when everything else fails.
The New York Times has an interesting article on strict security procedures for travel to countries with offensive cyber capabilities:
He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
These are interesting results for reducing crime by leveraging what you know about particular threats. From the local news article:
The violent crime rate in Prince George's County plummeted 12.1% during the first 9 months of 2011 due in part to the targeting of 67 known offenders in 5 different neighborhoods, police said Wednesday.
"We basically called them in, explained what the summer initiative was and basically said, 'what do you need?'", said Prince George's County Police Chief Mark Magaw.
Magaw said the targeted violent offenders, who were identified by parole and probation records, were offered everything from food stamps to job programs and told that police were keeping a close eye on them throughout the summer.
The meetings with offenders occurred in police stations and were attended by representatives from social service agencies and non-profits.
An elaborate scam to buy high SAT scores, reported in a CNN article:
Prosecutors allege Eshaghoff impersonated six Great Neck North High students between 2010 and 2011, charging between $1,500 and $2,500 to take the SAT test for them. Eshaghoff would take the test at schools other than Great Neck, where proctors would not be familiar with the students' identity, and present fake, unofficial identification, prosecutors say.
Nassau County District Attorney Kathleen Rice said authorities uncovered the scam after hearing rumors of cheating, comparing the test scores of suspects to their school grade-point averages, and finding a "wide gulf" in the cases of the six suspects.