Information Security News
by Sean Gallagher
At last month's Shmoocon security conference in Washington, I was looking for gear for the Ars Tech Lab's hostile network environment. As I was browsing, I ran across a table manned by Gene Bransfield, the founder and CEO of WarCollar Industries LLC. People were gathering to look into little black boxes with the sort of delight you only find at security conferences.
The boxes were "360 Dope Scopes"—devices originally created by Bransfield for a security game at last year's Shmoocon. The DopeScope is a self-contained Wi-Fi scanner that can do quick reconnaissance of the wireless environment wherever you are—and a tool for hunting down where access points are physically located.
Steam, an online game platform with more than 125 million active accounts, is in the process of fixing a serious security hole that opens users to hacks that could redirect them to attack sites, spend their market funds, or possibly make malicious changes to their user profiles.
As this post was going live, employees with Valve, the company that develops Steam, were reportedly in the process of fixing the bug. Unconfirmed posts such as this one reported that the cross-site scripting hole had been patched on the initial activity feed pages but not on subsequent pages. Valve representatives didn't respond to e-mails seeking comment for this post.
When I tried to include the [taco] Unicode characters in the headline to this post, it cut off the headline. Supporting Unicode isnt easy, and often, to avoid security issues arising from Unicode, it is removed or outright blocked.
But in particular, mobile devices make it easy to type Emojis or other Unicode characters. As a security guy, my next question was if I can use them as part of my password. The quick answer: support varies... and dont count on it.
One issue I was a bit worried about is that multibyte characters often include the 0x00 byte. This can cause issuessince the 0x00 byte is often used to terminate strings. So I set up a quick test page to figure out if any of the PHP or MySQL hashing functions are susceptible to this issue. the Smiley character, for example, has a code of 0x1f600. The 00 byte could terminate the string, and all passwords starting with the Smiley character would result in the same hash. My initial testing hasnt found any issues like this, but I think this is an area that does require a bit more testing, in particularif a salt is added to a password prior to hashing.
If you want to play, I setup a quick test page with various PHP and MySQL hash functions: https://isc.sans.edu/emojitest.html
(and while you play, I will see if I can make the diary editor emoji capable-) )(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
by Sebastian Anthony
Google Brain has devised some new software that can create detailed images from tiny, pixelated source images. Google's software, in short, basically means the "zoom in... now enhance!" TV trope is actually possible.
Of course, as we all know, it's impossible to create more detail than there is in the source image—so how does Google Brain do it? With a clever combination of two neural networks.