Category Archives: Security

GOpenVPN Install on Ubuntu 10.04

This has been coming up a lot lately, so here are some notes for future reference. GOpenVPN is basically a Linux rendition of the Tunnelblick app for OpenVPN. Here are the steps to install it on a fresh Ubuntu 10.04 (Lucid Lynx) workstation.


0) Install the OpenVPN package from the Ubuntu repositories (10.04 is the current Ubuntu release at the time of writing)

1) Review prerequisites for GOpenVPN

  • subversion
  • autoconf
  • glib-2.0
  • gtk+-2.0
  • glade-2.0
  • gnome-keyring
  • gksu
  • gedit
  • intltool

2) Install prerequisites

sudo apt-get install subversion autoconf libglib2.0-dev libglib2.0-data libgtk2.0-dev libglade2-dev libgnome-keyring-dev gksu gedit intltool

3) Download source

svn co https://gopenvpn.svn.sourceforge.net/svnroot/gopenvpn gopenvpn

4) Build

cd gopenvpn/trunk/gopenvpn/

./autogen.sh

intltoolize

./configure

make

5) Install

sudo make install

6) Run

/usr/local/bin/gopenvpn

…and you should see an icon appear in the top panel. Right click to configure and watch the log.
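The steps above collected into one script, as an added example that is not part of the original post: it installs the packages from steps 0 and 2, checks that the build tools are actually present before starting, checks out the source, builds and installs, and confirms the binary landed in /usr/local/bin. The script name, the have_commands helper and the fail-fast check are assumptions added here; the package list, the svn URL and the build commands are the ones from the steps above.

```shell
#!/bin/sh
# Added example: the GOpenVPN install steps above as one script for Ubuntu 10.04.
# Assumptions (not from the original post): the helper names and the fail-fast
# check are added here; package list, svn URL and build steps are the ones above.
set -eu

SVN_URL="https://gopenvpn.svn.sourceforge.net/svnroot/gopenvpn"
BUILD_DEPS="subversion autoconf libglib2.0-dev libglib2.0-data libgtk2.0-dev libglade2-dev libgnome-keyring-dev gksu gedit intltool"

# Return 0 when every command named on the command line is on PATH, 1 otherwise,
# listing the missing ones on stderr. Run before the build so a missing tool
# fails early instead of half-way through ./configure.
have_commands() {
    missing=""
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || missing="$missing $c"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

# Steps 0 and 2: OpenVPN itself plus the GOpenVPN build prerequisites.
install_deps() {
    sudo apt-get install -y openvpn $BUILD_DEPS
}

# Step 3: check out the source (skipped if a checkout is already present).
fetch_source() {
    [ -d gopenvpn ] || svn co "$SVN_URL" gopenvpn
}

# Steps 4 and 5: build in the trunk directory and install to /usr/local.
build_and_install() {
    cd gopenvpn/trunk/gopenvpn
    ./autogen.sh
    intltoolize
    ./configure
    make
    sudo make install
    cd - >/dev/null
}

main() {
    install_deps
    have_commands svn autoconf intltoolize make gcc
    fetch_source
    build_and_install
    # Step 6 sanity check: the binary should now be on PATH.
    have_commands gopenvpn && echo "gopenvpn installed: $(command -v gopenvpn)"
}

# Only perform the install when invoked as: sh install-gopenvpn.sh install
if [ "${1:-}" = "install" ]; then
    main
fi
```

Run it as `sh install-gopenvpn.sh install`; without the argument it only defines the functions, which is handy for sourcing the prerequisite check into other scripts.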

Alternatively, the NetworkManager OpenVPN plugin also does the job:

sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome

Qwick Codes and Card-less ATMs

I just read that a vast network of ATMs will soon allow transactions without a card (PDF).

Payment Alliance International (PAI), a leader in electronic payment processing solutions, and MagTek, a global leader in secure mobile payments technology, jointly announce the deployment of MagTek’s Qwick Codes across PAI’s nationwide network of over 50,000 ATM machines.

…solution that consumers can use everywhere without actually carrying a payment card.

First question: if ATM stands for automated teller machine then what is an ATM machine? I’m not trying to be picky; I just figure a press release from the leader in electronic payment processing with 50,000 units might be on to something new and pushing the envelope (pun not intended).

But seriously, I think I should not call this a card-less system. It is an ATM without the need to swipe the card; the transactions still need a card. The need to carry the card is related to a card carrier’s ability to plan ahead and generate tokens. With the new system data is transferred from a card to a phone so the card does not need to be swiped at the ATM machine (or ATM).

Qwick Codes Mobile Wallet is an easy-to-use application that runs on a PC, Apple iOS device or Android smartphone with a Secure Card Reader Authenticator peripheral attached. All consumers need to do to generate a unique Qwick Code is swipe any traditional magnetic stripe payment card they already carry in their wallets through the Authenticator and a one-time, disposable account number and PIN are generated. Consumers use their Qwick Code and PIN at supported ATMs to withdraw cash, eliminating the need to physically carry a payment card while reducing exposure from skimming and related fraud.

The goal is to avoid skimming attacks at the ATM. I have written about that security issue before. In this case I have my doubts about the security of the link between the application on the computer and the Secure Card Reader Authenticator. I also notice that they claim support for a PC and Apple iOS. Who wants to bet that they mean Microsoft Windows OS when they say PC? Not a good sign.

Web Pentest Practice List

From Felipe Martins

Note that this post intends to show only vulnerable applications used to be exploited, not the tools used to exploit them.

Interesting that the goal is to setup an environment that is vulnerable in order to test out the web penetration tools. I guess I have become so used to things being the other way around (setting up attack tools to test vulnerabilities of an environment) that this seems like a novel idea to me.

Facebook Security Leak Since 2007

Two security researchers have documented a serious and long-standing design flaw in Facebook:

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information.

[…]

There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.

I’ll let you guess why “there is no good way to estimate” unauthorised access at Facebook.