Xorg 1.11 Vulnerability: Bypass Screen Lockers With A Keyboard Shortcut

9:53 AM


An Xorg server vulnerability was discovered yesterday that makes it possible to kill any screensaver / screen locker using the CTRL + ALT + Multiply keyboard combination (Multiply is the "*" key on the Numpad).

Basically, an attacker with physical access to an affected computer can bypass the screensaver / lock screen dialog (GNOME Screensaver, xscreensaver, kscreenlocker, etc. - on any desktop environment) using a simple keyboard combination, without having to enter the password.

This vulnerability only affects systems running Xorg server 1.11+, which includes Fedora 16, Arch Linux, Fuduntu, Debian unstable and others, regardless of the desktop environment. Ubuntu isn't affected by this vulnerability because all Ubuntu versions use an Xorg server version older than 1.11 (Ubuntu 12.04 should be released with Xorg 1.11, but for now it still uses 1.10.4).



If you want to find out the Xorg server version on your computer, you can run the following command:
X -version

For a work-around, check out this Reddit post.

Update: the bug has been fixed in Arch Linux, Fedora, Fuduntu and Debian Unstable (though for Debian, the change hasn't been pushed to the repositories yet).

via Reddit


Dropbox: Access EncFS Folders On Android Using BoxCryptor

4:40 AM

A while back we wrote about encrypting your private Dropbox data using EncFS. And that's a really great way to keep your private Dropbox data safe, but what if you want to access some encrypted files from an Android device?

That's where BoxCryptor comes in. The first public BoxCryptor version for Android was released a few days ago, so you can finally access EncFS folders in your Dropbox from any Android device (there's also a BoxCryptor version for Windows, and an iPhone / iPad app is currently under development). The application is currently in alpha and for now it can only read encrypted files, but according to its Android Market page, write support will be added in a later version.


BoxCryptor is great, but there are a few quirks. Firstly, BoxCryptor doesn't have full EncFS support so you have to disable some of the default EncFS options to be able to use it (instructions available in the second part of this post). And secondly, in our Dropbox EncFS post, we wrote about excluding the encryption key from getting synced. Well, to be able to use BoxCryptor, you must sync the EncFS key too.

Also, the Windows version of BoxCryptor is free for an encrypted directory with a maximum size of 2GB and you must pay for more. There's nothing about this on the BoxCryptor Android Market page so I assume it's completely free for Android, but I'm not sure, so if you have a large ( >2GB) encrypted directory, let us know if BoxCryptor for Android works for you!

But this is the first public release so hopefully BoxCryptor will get full EncFS support by the time it reaches a stable status.  Oh, and BoxCryptor does offer an extra layer of security: you can set a PIN for unlocking the application.


Here are a few BoxCryptor screenshots:


- The first time you run it, you must select your encrypted folder (".encrypted" in my case):



- Once you select a folder and enter your EncFS password, you can easily open any files available in that folder:



BoxCryptor options:




How to set up EncFS to work with BoxCryptor


To create an EncFS folder under Linux that is supported by BoxCryptor, follow the instructions in our Encrypt Your Private Dropbox Data With EncFS post, but after running the command in step 2, enter "x" for expert configuration mode and answer the prompts as shown below:


The following filename encoding algorithms are available:
1. Block : Block encoding, hides file name size somewhat
2. Null : No encryption of filenames
3. Stream : Stream encoding, keeps filenames as short as possible

--> enter "3".

Enable filename initialization vector chaining?
--> enter "no"

Enable per-file initialization vectors?
--> enter "no"

Enable block authentication code headers on every block in a file?
--> enter "no"

Add random bytes to each block header?
--> enter "0"


And finally, skip the last step in our previous post which excludes the EncFS key from being synced.
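
One way to confirm that an existing EncFS volume was created with the options above, as an added example that is not from the original post or from either project. It assumes the volume's config file is the EncFS 1.7-series `.encfs6.xml` with that format's element names; the function names are illustrative and both sample configs are constructed and contain no key material.

```python
import xml.etree.ElementTree as ET

# Element names and values are assumptions taken from the EncFS 1.7-series
# .encfs6.xml layout; the post itself only shows the interactive prompts.
BOXCRYPTOR_PROFILE = [
    ("nameAlg/name", "nameio/stream", "filename encoding: Stream (option 3)"),
    ("chainedNameIV", "0", "filename IV chaining: no"),
    ("uniqueIV", "0", "per-file initialization vectors: no"),
    ("blockMACBytes", "0", "block authentication code headers: no"),
    ("blockMACRandBytes", "0", "random bytes per block header: 0"),
]

def audit_encfs_config(xml_bytes):
    """Return the settings that differ from the profile (empty list = match)."""
    cfg = ET.fromstring(xml_bytes).find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an EncFS config file")
    problems = []
    for path, wanted, label in BOXCRYPTOR_PROFILE:
        node = cfg.find(path)
        found = node.text.strip() if node is not None and node.text else None
        if found != wanted:
            problems.append(f"{label} (found {found!r})")
    return problems

def make_sample(name_alg, chained, unique, mac, rand):
    """Build a constructed config with no key or salt data, for the demo."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
  <cfg>
    <nameAlg><name>{name_alg}</name><major>2</major><minor>1</minor></nameAlg>
    <uniqueIV>{unique}</uniqueIV>
    <chainedNameIV>{chained}</chainedNameIV>
    <blockMACBytes>{mac}</blockMACBytes>
    <blockMACRandBytes>{rand}</blockMACRandBytes>
  </cfg>
</boost_serialization>""".encode("utf-8")

# Constructed samples: a volume with the IV options left on, and one
# created with the expert-mode answers listed in the post.
OPTIONS_LEFT_ON = make_sample("nameio/block", 1, 1, 0, 0)
EXPERT_MODE = make_sample("nameio/stream", 0, 0, 0, 0)

if __name__ == "__main__":
    for title, sample in (("left on", OPTIONS_LEFT_ON), ("expert", EXPERT_MODE)):
        issues = audit_encfs_config(sample)
        print(title, "->", issues if issues else "matches the profile")
```

To check a real volume, read its config file in binary mode and pass the bytes to `audit_encfs_config`.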


Download BoxCryptor for Android:



Or use this direct Android Market link.


Save Pidgin Passwords In GNOME Keyring Instead Of Plain Text

1:42 AM


By default, Pidgin saves all your passwords in plain text (look under ~/.purple/accounts.xml). About four years ago there was a bug report that asked to encrypt the passwords, but the developers marked the bug as "wontfix". Update: you can read about the reasons behind this, here.

Here's where the Pidgin Gnome Keyring plugin comes in: this plugin makes Pidgin store your passwords in the Gnome Keyring. One note though: the plugin will not prevent other plugins from writing passwords to the accounts.xml file (I don't use any such plugins so I can't give you an example).


Installation


1. For Ubuntu 11.04 Natty Narwhal, use the commands below:
sudo add-apt-repository ppa:pidgin-gnome-keyring/ppa
sudo apt-get update
sudo apt-get install pidgin-gnome-keyring

For other Ubuntu versions (you need Pidgin 2.7.x or newer!), you can download the Pidgin Gnome Keyring .deb:


2. Once the plugin has been installed, open Pidgin (if it was running, restart it) and enable the "Gnome Keyring" plugin under Tools > Plugins and then restart Pidgin:


Important note: sometimes the passwords are still saved in plain text the first time you start Pidgin (after enabling the plugin) - if this happens, restart Pidgin. To see if the Pidgin Gnome Keyring plugin is actually working you can look under ~/.purple/accounts.xml and see if your passwords still show up in plain text - they shouldn't. Hopefully this will be fixed in the future.
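
The check described in the note above can be scripted. This is an added example, not part of the original post or of the plugin: it lists which accounts in an accounts.xml still carry a stored password (without printing the password) and whether the file is accessible to other users. The sample file content and the function names are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

def plaintext_accounts(xml_bytes):
    """Return (protocol, name) for each account with a non-empty <password>."""
    root = ET.fromstring(xml_bytes)
    hits = []
    for acct in root.findall("account"):
        if (acct.findtext("password") or "").strip():
            hits.append((acct.findtext("protocol", "?"),
                         acct.findtext("name", "?")))
    return hits

def audit_accounts_file(path):
    """Check one accounts.xml: stored passwords and group/other file access."""
    with open(path, "rb") as fh:
        hits = plaintext_accounts(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"plaintext": hits, "accessible_by_others": bool(mode & 0o077)}

# Constructed sample: one account whose password is still in the file,
# one whose password is no longer written there.
SAMPLE = b"""<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>alice@example.org/Home</name>
  <password>constructed-secret</password>
 </account>
 <account>
  <protocol>prpl-irc</protocol>
  <name>alice@irc.example.org</name>
 </account>
</account>"""

def demo():
    """Write SAMPLE to a private temporary file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "accounts.xml")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o600)
        return audit_accounts_file(path)

if __name__ == "__main__":
    print(demo())
```

For a real profile, call `audit_accounts_file(os.path.expanduser("~/.purple/accounts.xml"))` after restarting Pidgin; an empty "plaintext" list means no account password is left in the file.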

If you're not using Ubuntu, you can get the Pidgin Gnome Keyring plugin via Google Code.


Save Firefox Passwords In GNOME Keyring [Extension]

6:03 PM

(Firefox passwords saved in GNOME Keyring)

A bug requesting Firefox Password Manager integration with the GNOME Keyring was submitted back in 2005 and unfortunately it still hasn't been fixed.

Since it doesn't look like this is going to be fixed anytime soon, a Firefox extension has been created which allows storing the passwords in GNOME Keyring.


But unfortunately there are a few issues with the Firefox GNOME Keyring extension:
  • password sync doesn't work properly
  • there's no way to migrate your old passwords so once you start using the extension, you'll have to re-enter the passwords and save them again. Also, the old passwords remain untouched so if you don't want them to be available in the Firefox Password Manager you must manually remove them before installing the extension
  • if you set a master password, when you click on preferences > security > saved passwords > show passwords you still get asked for it, even if GNOME Keyring is active

The GNOME Keyring extension was recently updated and works with Firefox 3.6.x, 4.0 and 5.0 as well as Thunderbird (I've only tested it with Thunderbird 5.0 but it probably works with older versions too).

To install the GNOME Keyring extension in Firefox or Thunderbird, download it (.xpi link below) to your computer, then open the Firefox / Thunderbird Add-ons Manager and simply drag'n'drop the .xpi file to it and you should be prompted to install the addon.

After you restart Firefox, you should be asked to enter a password for the new Mozilla keyring (if you've set Firefox to remember your passwords) - enter your computer login password or else you'll probably be prompted to enter a password when you start Firefox.


Download Firefox GNOME Keyring extension (.xpi) | Github homepage / source files
