Platinum Solutions Corporate Website


Security

Picture Passwords

Researchers at Newcastle University in the UK are working on a project they call 'Draw a Secret'. Instead of using traditional textual passwords, 'Draw a Secret' allows users to draw a picture as their password. Originally this project was focused on providing a password alternative for users of handheld/mobile devices, for which pen input is easier than text input.

Database auditing

I recently read a white paper put out by Sybase that tries to answer the age-old question (or at least help define the question) of how to ensure that the people you trust the most with your corporate data are NOT the ones who are ripping you off. The target audience is the commercial IT manager or CIO. The paper talks a lot about Sarbanes-Oxley, as you might imagine.

Blocking brute force login attempts

Most system and network administrators are very familiar with brute force attacks against their devices. Every day, thousands of script kiddies and worms scan the Internet attempting to guess passwords for SSH, FTP, telnet, and other services. A typical signature of these attacks is hundreds of failed attempts in total but only a few attempts per account. In this case, each account is simply being tested for the simplest of passwords, such as a blank password, the username as the password, or 'password' as the password. Although typically futile on a properly administered network, these attacks are an annoyance and create noise which may conceal real suspicious activity or, even worse, successful intrusions.
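The signature described above (many failures from one source, spread thinly across many accounts) is easy to pick out of an auth log. The script below is an added example, not code from the original post or from Platinum Solutions: it parses sshd-style "Failed password" lines, aggregates failures per source address, and flags sources whose total failure count is high while the per-account count stays low. The log lines and the thresholds (5 failures, at most 2 per account) are constructed for the demonstration; on a real host the totals the post mentions are in the hundreds, so raise `min_failures` accordingly.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for the demonstration (not real traffic).
# 203.0.113.7 walks through six accounts once each; 198.51.100.20 is a user
# who mistypes their password twice and then logs in.
SAMPLE_LOG = """\
Mar  3 02:11:07 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:11:09 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  3 02:11:12 host sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 02:11:14 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 02:11:16 host sshd[1209]: Failed password for invalid user guest from 203.0.113.7 port 51242 ssh2
Mar  3 02:11:19 host sshd[1211]: Failed password for invalid user user from 203.0.113.7 port 51244 ssh2
Mar  3 02:12:01 host sshd[1215]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 02:12:05 host sshd[1217]: Failed password for alice from 198.51.100.20 port 40003 ssh2
Mar  3 02:12:40 host sshd[1219]: Accepted password for alice from 198.51.100.20 port 40005 ssh2
"""

# Matches both "Failed password for invalid user X from IP" (unknown account)
# and "Failed password for X from IP" (existing account).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (source_ip, account) pairs, one per failed login line."""
    failures = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            failures.append((match.group("ip"), match.group("user")))
    return failures


def summarize(log_text):
    """Per source IP: total failures, distinct accounts tried, and the
    largest number of failures against any single account."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in parse_failures(log_text):
        per_ip[ip][user] += 1
    summary = {}
    for ip, accounts in per_ip.items():
        summary[ip] = {
            "failures": sum(accounts.values()),
            "accounts": len(accounts),
            "max_per_account": max(accounts.values()),
        }
    return summary


def find_password_guessing(log_text, min_failures=5, max_per_account=2):
    """Return the source IPs matching the 'many failures, few per account'
    signature: at least min_failures in total, but no account tried more
    than max_per_account times. A user fumbling their own password fails
    the first test; a targeted attack on one account fails the second."""
    flagged = []
    for ip, stats in summarize(log_text).items():
        if stats["failures"] >= min_failures and stats["max_per_account"] <= max_per_account:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats)
    print("password-guessing sources:", find_password_guessing(SAMPLE_LOG))
```

The two-part test matters: counting failures alone would also flag the legitimate user who forgot their password, while the per-account cap is what separates the wide, shallow scan described above from both that case and from a focused attack on a single account, which deserves its own, stricter rule.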

Disable Cert Validation for LDAP and HTTP over SSL

Have you ever been developing something that required a connection to a development server over SSL? Was the server not under your control? And did you have either an invalid or corrupt cert, or possibly no cert at all, to add to your trustStore?

We won't go into why this scenario may occur... but I know there are quite a few people out there asking how to bypass the cert validation for HTTPS and LDAP over SSL (LDAPS) connections.

The place to start is the SSLSocketFactory and, more specifically, the TrustManager you use.

In the sample reference file "BlindSSLSocketFactoryTest.java" we establish connections to HTTPS and Active Directory via SSL (LDAPS) servers without valid certs by using our own SSLSocketFactory. We need to come up with an SSLSocketFactory that uses a TrustManager list we specify, as an alternative to the default SSLSocketFactory the JVM would otherwise use.

First J2ME Trojan Emerges

Anyone in information security will tell you that no operating system is completely invulnerable to security attacks and viruses, only that some operating systems are more secure than others. For the last 5 years, applications running on J2ME on mobile devices have done so without any problems, until now.

First introduced to the Java community by Sun Microsystems in June 1999, the Java 2 Micro Edition (J2ME) was part of a broad initiative to better meet the diverse needs of Java developers. Designed for machines with limited hardware resources such as PDAs (Personal Data Assistants) and cell phones, it can run on machines with as little as 128KB of RAM and with processors far less powerful than those used in typical desktop and server machines. At its core is a set of profiles defined for particular devices: cell phones, PDAs, microwave ovens, etc. Each profile consists of a minimum set of class libraries required for the particular type of device and a specification of the Java virtual machine required to support it.

Security websites worth bookmarking

With dozens of vulnerabilities and hacking tools released every week, it is difficult for a security professional to keep up with the latest, greatest news and tools. One of the most popular security websites is SecurityFocus, which provides great news and tech articles relating to security as well as the ever popular Bugtraq vulnerability mailing list. It also has great primers on security technologies.

While SecurityFocus also has newsletters, mailing lists, and Bugtraq (read: information overload), I use SecuriTeam's mailing list to feed me important security updates without flooding my inbox. SecuriTeam's website provides an excellent searchable database of security articles, tools, exploits, and vulnerability notices collected from a variety of sources. You can sign up for these notifications via email or use the RSS feed.