Information Security

scripting a hash cracker for portable php?

Your hacking tutorial - Mon, 01/15/2018 - 13:34

Trying to break the hash of a portable php password. Hashcat and John have to sit this one out because they cant handle its algo. Anyone have any advice on making a script for this?

submitted by /u/JustPan
[link] [comments]
Categories: Information Security

Vectoraster 7.2.1 - Creating vector-based raster patterns from bitmap images.

MacUpdate - Mac OS X - Mon, 01/15/2018 - 13:31

Vectoraster is a graphics utility for creating vector-based raster patterns and halftones based on images or gradients. The raster patterns and point shapes can be changed and varied across the pattern to produce many different styles. The resulting raster is always shown, updating in real time as you change parameters. The result can then easily be exported as vectors to EPS or PDF files, as images to JPEG, PNG or TIFF, or simply copied and pasted into most graphics software.

You can download and try Vectoraster for free, but with some limitations. To remove these limitations and get the full version you have to pay for the application.

  • General
    • Many different point shape types, including circles, polygons, font characters and imported custom vector shapes or images
    • Detailed control of how you want point shape, transformation and color to vary over the raster
    • Base how the raster points vary on source images, gradients you define live in Vectoraster, or a combination
    • Advanced line-raster mode with lines of varying width instead of points
  • Patterns
    • Many different raster patterns with detailed control of how the points are placed.
    • Easily rotate and offset the raster pattern, and add multiple distrotions like waves and twists.
  • Output
    • Copy raster output and paste it straight into most vector graphics software.
    • File export to EPS and PDF for vector output, and JPEG, PNG and TIFF for bitmap.
    • Export point data (location and size) to a CSV file for further CAD or other processing.

Version 7.2.1:

Note: Now requires OS X 10.11 or later

  • New quick full-screen preview, available with Command-F or using the new full screen button
  • Sources visible behind the raster in Vectoraster are now also shown in the Finder file previews.
  • Some bug fixes and system-required updates under-the-hood.
  • Improved support features with network diagnostics for update/unlocking problems

  • OS X 10.11 or later

Download Now]]>

DetectX Swift 1.0 - Security and troubleshooting tool.

MacUpdate - Mac OS X - Mon, 01/15/2018 - 13:26

DetectX Swift is an on-demand security and troubleshooting tool that uses a combination of hardcoded search definitions along with live updates and predictive heuristics to detect both known and unknown threats and issues. It provides the user with multiple analytical capabilities regarding both the system’s current state and changes to its state over time related to its ongoing security and performance.

Version 1.0:
  • Initial public release

  • OS X 10.11 or later

Download Now

Question for Cyber security specialist or people in the field.

Your hacking tutorial - Mon, 01/15/2018 - 13:11

Hi, I decided I want to get a certification in Security+ or CSA+. I know both are very important and teach essential skills, but which one is more beneficial in the long term? What I mean by this is: which one is more influential to an employer?

submitted by /u/333base
[link] [comments]
Categories: Information Security

Now Meltdown patches are making industrial control systems lurch

The Register - Mon, 01/15/2018 - 13:07
Automation and SCADA-flingers admit fix has affected products

Patches for the Meltdown vulnerability are causing stability issues in industrial control systems.…

Update w/video: It's amazing how much scrolling behavior influences the feel of a device

Android - Mon, 01/15/2018 - 13:02

It seems like most people didn't know what I was talking about with this original thread because it just turned into a thread about iPhones, Pixels, and browsers.

Here's a video as requested by a few people, showing what it actually does. Scrolling through a reddit app, the first time is the stock friction settings, second is pretty close to what I switched to, the third is an extreme example to give a better idea of what it affects.

submitted by /u/username2256
[link] [comments]

Spectre and Meltdown: How Cache Works

Hack a Day - Mon, 01/15/2018 - 13:01

The year so far has been filled with news of Spectre and Meltdown. These exploits take advantage of features like speculative execution, and memory access timing. What they have in common is the fact that all modern processors use cache to access memory faster. We’ve all heard of cache, but what exactly is it, and how does it allow our computers to run faster?

In the simplest terms, cache is a fast memory. Computers have two storage systems: primary storage (RAM) and secondary storage (Hard Disk, SSD). From the processor’s point of view, loading data or instructions from RAM is slow — the CPU has to wait and do nothing for 100 cycles or more while the data is loaded. Loading from disk is even slower; millions of cycles are wasted. Cache is a small amount of very fast memory which is used to hold commonly accessed data and instructions. This means the processor only has to wait for the cache to be loaded once. After that, the data is accessible with no waiting.

A common (though aging) analogy for cache uses books to represent data: If you needed a specific book to look up an important piece of information, you would first check the books on your desk (cache memory). If your book isn’t there, you’d then go to the books on your shelves (RAM). If that search turned up empty, you’d head over to the local library (Hard Drive) and check out the book. Once back home, you would keep the book on your desk for quick reference — not immediately return it to the library shelves. This is how cache reading works.

Intel Haswell diagram. Note how much real estate is used by the L3 cache and the Memory Controller. Cache is Expensive Real Estate

Early computers ran so slowly that cache really didn’t matter. Core memory was plenty fast when CPU speed was measured in kHz. The first data cache was used in the IBM System/360 Model 85, released in 1968. IBM’s documentation claimed memory operations would take ¼ to ⅓ less time compared to a system without data cache.

Now the obvious question is if cache is faster, why not make all memory out of cache? There are two answers to that. First, cache is more expensive than main memory. Generally, cache is built with static ram, which is much more expensive than the dynamic ram used in main memory. The second answer is location, location, location. With processors running at several GHz, cache now needs to be on the same piece of silicon with the processor itself. Sending the signals out over PCB traces would take too long.

The CPU core generally doesn’t know or care about the cache. All the housekeeping and cache management is handled by the Memory Management Unit (MMU) or cache controller. These are complex logic systems that need to operate quickly to keep the CPU loaded with data and instructions.

Direct Mapped Cache

The simplest form of a cache is called direct mapped cache. Direct mapped means that every memory location maps to just one cache location. In the diagram, there are 4 cache slots.This means that Cache index 0 might hold memory index 0,4,8 and so on. Since one cache block can hold any one of multiple memory locations, the cache controller needs a way to know which memory is actually in the cache. To handle this, every cache block has a tag, which holds the upper bits of the memory address currently stored in the cache.

The cache controller also needs to know if the cache is actually holding usable data or garbage. When the processor first starts up, all the cache locations will be random. It would be really bad if some of this random data were accidentally used in a calculation. This is handled with a valid bit. If the valid bit is set to 0, then the cache location contains invalid data and is ignored. If the bit is 1, then the cache data is valid, and the cache controller will use it. The valid bit is forced to zero at processor power up and can be cleared whenever the cache controller needs to invalidate the cache.

Writing to Cache

So far I’ve covered read accesses using cache, but what about writes? The cache controller needs to be sure that any changes made to memory in the cache are also made in RAM before the cache gets overwritten by some new memory access. There are two basic ways to do this. First is to write memory every time the cache is written. This is called write-through cache. Write-through is safe but comes with a speed penalty. Reads are fast but writes happen at the slower speed of main memory. The more popular system is called write-back cache. In a write-back system, changes are stored in the cache until that cache location is about to be overwritten. The cache controller needs to know if this has happened, so one more bit called the dirty bit is added to the cache.

Cache data needs all this housekeeping data — the tag, the valid bit, the dirty bit — stored in high-speed cache memory, which increases the overall cost of the cache system.

Associative Cache

A direct mapped cache will speed up memory accesses, but the one-to-one mapping of memory to cache is relatively inefficient. It is much more efficient to allow data and instructions to be stored in more than one location.

A fully associative cache allows just that — any memory location can be stored in any cache location. This also means the cache must be searched on every memory access. A search function like this is done with a hardware comparator. A comparator like this would require lots of logic gates, and eat up a large physical area on the chip. The happy medium is a set associative cache. The diagram shows a 2 way set associative cache. This means any memory location can go in one of two cache locations. That keeps the hardware comparator relatively simple and fast. As an example, the Intel Core i7-8700K Level 3 cache is 16-way set associative.

Virtual Memory

In the beginning, computers ran one program at a time. A programmer had access to the entire memory of the system and had to manage how that memory was utilized. If his or her program was larger than the entire RAM space of the system, it would be up to the programmer to swap sections in or out as needed. Imagine having to check if printf() is loaded into memory every time you want to print something.

Virtual memory is the way an operating system works directly with the processor MMU to deal with this. Main Memory is broken up into pages. Each page is swapped in as it is needed. With cheap memory these days, we don’t have to worry as much about swapping out to disk. However, virtual memory is still vitally important for some of the other advantages it offers.

Virtual memory allows the operating system to run many programs at once — each program has its own virtual address space, which is then mapped to pages in physical memory. This mapping is stored in the page table, which itself lives in RAM. The page table is so important that it gets its own special cache called the Translation Look-aside Buffer, or TLB.

The MMU and virtual memory hardware also work with the operating system to enforce memory protection — don’t let programs read or modify each other’s memory space, and don’t let anyone mess with the kernel. This is the protection that is sidestepped by the Spectre and Meltdown attacks.

Into the real world

As you can see, even relatively simple cache systems can be hard to follow. In a modern processor like the Intel i7-8700K, there are multiple layers of caches, some independent, some shared between the CPU cores. There also are the speculative execution engines, which pull data that might be used from memory into cache before a given core is even ready for it. That engine is the key to Meltdown.

Both Spectre and Meltdown use cache in a timing based attack. Since cached memory is much faster to access, an attacker can measure access time to determine if memory is coming from RAM or the cache. That timing information can then be used to actually read out the data in the memory. This why a Javascript patch was pushed to browsers two weeks ago. That patch makes the built-in Javascript timing features a tiny bit less accurate, just enough to make them worthless in measuring memory access time which safeguards against browser-based exploits for these vulnerabilities.

The simple knee-jerk method of trying to mitigate Spectre and Meltdown is to disable the caches. This would make our computer systems incredibly slow compared to the speeds we are used to. The patches being rolled out are not nearly this extreme, but they do change the way the CPU works with the cache — especially upon user space to kernel space context switches.

Modern CPU datapath and cache design is an incredibly complex task. Processor manufacturers have amassed years of data by simulating and statistically analyzing how processors move data to make systems both fast and reliable. Changes to something like processor microcode are only made when absolutely necessary, and only after thousands of hours of testing. A shotgun change made in a rush (yes, six months is a rush) like the current Intel and AMD patches is sure to have some problems — and that is exactly what we’re seeing with big performance hits and crashes. The software side of the fix such as Kernel Page Table Isolation can force flushes of the TLBs, which also come with big performance hits for applications which make frequent calls to the operating system. This explains some of the reason why the impact of the changes is so application dependent. In essence, we’re all beta testers.

There is a bright side though. The hope is that with more time for research and testing on the part of the chip manufactures and software vendors, the necessary changes will be better understood, and better patches will be released.

That is, until the next attack vector is found.

Wait Until Device Is Unlocked?

Tasker: Total Automation for Android - Mon, 01/15/2018 - 12:05

So basically I have a profile that activates when it is a certain time, since I don't want to change the security to allow tasker to unlock the device so I need a way to use the Wait Until action to wait until the device is unlocked.

submitted by /u/KBTKOC
[link] [comments]

Super Micro crams 36 Samsung 'ruler' SSDs into dense superserver

The Register - Mon, 01/15/2018 - 12:05
Watch out Intel, there's a new mini-ruler in town

Analysis Super Micro has a supernaturally dense thin server with up to half a petabyte of flash using unannounced Samsung SSDs.…

PSA: If you have been missing incoming phone calls and alarms lately, it is because google changed the vibration strength/pattern for them on 8.1

Android - Mon, 01/15/2018 - 12:04

Ever since updating to 8.1, I've missed a bunch of alarms and phone calls on my pixel 1 due to weak vibrations. So weak to the point that u can have the phone on a table right next to your head and you can't hear it vibrate and barely feel it while holding the phone. The vibration is basically non existence in your pocket which totally defeats the purpose of it.

Contacted google support and was told that this is an intended update on 8.1 and likely will not be changed, but we can try to submit it as feedback.

Notification vibrations work perfectly fine as before nice and strong. This issue is only for incoming calls and alarms.

submitted by /u/YaoMingsMom
[link] [comments]

Nice Shot 1.1 - Tweak video settings for Rocket League.

MacUpdate - Mac OS X - Mon, 01/15/2018 - 11:35

Nice Shot lets you tweak Rocket League's video settings on macOS. Fine-tune video settings such as effects, shadows, draw distances, or texture resolutions. Improve frame-rate and general performance to maximize your competitive advantage.

Version 1.1:
  • New "Reset to Defaults" feature
  • Improvements to the Initialization class

  • OS X 10.10 or later

Download Now

Ford giving 'leccy car investment a jolt to the tune of $11 BEEELLION

The Register - Mon, 01/15/2018 - 11:32
Detroit car overlords plan 40 full and hybrid models by 2022

American auto enormity Ford will increase its investment in electric vehicles to $11bn (£7.97bn) in the next five years, it announced yesterday at the North American International Auto Show.…

Coin Cell Hacks That Won the Coin Cell Challenge

Hack a Day - Mon, 01/15/2018 - 11:30

It’s amazing what creative projects show up if you give one simple constraint. In this case, we asked what cool things can be done if powered by one coin cell battery and we had about one hundred answers come back. Today we’re happy to announce the winners of the Coin Cell Challenge.

Supernova Award: Coin Cell Powered Railgun

A railgun powered by an LIR2032 cell wins the Supernova Award with a cash prize of $500.

This project by [consciousflesh] dumps about 500-750 Joules of energy into a set of electromagnets to launch a graphite projectile. It makes quite a flash because the projectile is torn apart in the process.

The Supernova Award sought the project that burnt through the coin cell the quickest. This one’s a thinker, since the internal resistance of the coin cell is so large that you can’t get a lot of power out of it quickly. The solution is to transfer that power to another storage medium first. In this case, [consciousflesh] built a clever multi-stage DC-DC converter to get the most out of a single LIR2032 — the rechargeable cousin of the CR2032 which has lower internal resistance and yielded much better results.

Heavy Lifting Award: Coin Cell Powered Screwdriver

Driving screws into a 2×4 using power from a CR2477 wins the Heavy Lifting Award with a cash prize of $500.

This project is by [Ted Yapo], and is a fascinating way to get a lot of torque out of a tiny power source. Like the railgun above, [Ted] uses an intermediary medium to store the energy. He started with four NiCad batteries which had been stored with shorting bar across them (no juice to provide a head start). He discharges the CR2477 through a boost converter which he altered to produce a constant current output to maximize the power transferred.

The demo video is a bit comical as the familiar poor performance of NiCad cells means he took breaks between attempts to drive the screws further. He ended up with 19 screws started but only 3 fully driven. What we really liked seeing is that he continued his tests. After fully charging the batteries from wall power he was able to drive 27 screws. This equates to a total charge of only 11% from the coin cell battery.

Lifetime Award: Light Level Geolocator

A light level geolocator powered by a CR2032 is the winner of the Lifetime Award with a cash prize of $500.

[Jaromir Sukuba] took a really interesting concept, figured out how it worked, implemented it with super low power, and then proceeded to test across different parts of the world. His creation receives the Lifetime award because it is calculated to operate for 10 year with the LCD on, or 30 years with it off.

It’s a logging device that deduces its location in a very interesting way: by recording the ratio of light and dark in a 24-hour cycle. It’s a reverse calculation of sunrise and sunset (where you would need to know your coordinates). This takes date, sunrise time, and sunset time to calculate location. [Jaromi Sukuba] found some friends on in different parts of Europe to help test, sending each a prototype. The results are quite good. They can be off by a few dozens of kilometers but for extremely low-power, long-lifetime datalogging of wildlife movements this works with similar accuracy to the hardware that inspired his design adventure.

21 Winners of $100 Tindie Credit

In addition to the top prizes, 20 entries have been awarded $100 credits to for their excellent work. Check out the list of winners here, browse through all of the entries, and make sure to join us below for a few honorable mentions.

Honorable Mentions

We had many favorite entries that didn’t make it into this list of 21 winners and you will see a few more articles that feature those in the coming days. But we wanted to mention a few that were strong contenders for the top prizes.

Can you jump start a car with a coin cell battery? Sadly, no, but it’s not for lack of trying. [Ted Yapo] gave it his best and was a contender for the Supernova Award.

Looks like it might be possible to blink an LED for 20-40 years using [Robert Mateja’s] modern update on the concept of the LM3909. That’s an end-of-life chip whose purpose was to blink an LED. When we featured a story about that part, [Robert] grabbed his low-power magic wand and came up with this design which placed highly in the Lifetime category.

And finally, the ability to run a trainset around the Christmas Tree using a coin cell is extremely impressive. We previously featured this project built by [Mike Rigsby] which was hopelessly tied for the Heavy Lifting award but a winner had to be picked. This is excellent work [Mike] and we’re glad to have debated it in depth during judging. Well done!

Taxman has domain typo-squatter stripped of HMRC web addresses

The Register - Mon, 01/15/2018 - 11:06
Panama corporation owns nearly 54,000 dot-UK sites

HMRC has insisted on having a Panama company trading as the “Whois Foundation” formally stripped of a handful of dodgy web domains, even though the firm instantly offered to hand them over when challenged.…