Changes

From Security Weekly Wiki
Jump to navigationJump to search
2,846 bytes added ,  16:37, 9 February 2012
== Larry's Stories ==
#[http://packetstormsecurity.org/news/view/20567/Marlinspike-Asks-Browser-Vendors-To-Back-SSL-Validator.html Backing Convergence] - [Larry] - Moxie is asking browser devs to back Convergence, an open source too to provide a notary for SSL certs. This is a really neat concept, but browser devs are concerned that it will not scale and it is too experimental. I say that they should include it, as a toggle on/off option.
#[http://packetstormsecurity.org/news/view/20568/USB-Stick-Can-Be-Tracked-And-Remotely-Deleted.html Remotely Wipeable USB Thumbdrive] - [Larry] - Lost your drive with sensitive data on it? No problem. This drive connects to cell networks and can be disabled or wiped remoteley. Now, I think this is really cool, but I think there are a few small issues: 1. it is freaking huge. 2. It will only work when powered up/plugged in, so not instantaneous. 3. it requires a separate monthy service, and what happens when an attacker removes the simcard? does it fail closed? 5. how resistant to attack is the protocol? can we DoS or exploit?
#[http://www.hackerfactor.com/blog/index.php?/archives/469-Introducing-FotoForensics.html FotoForensics] - [Larry] - While I don't pretend to understand the math here this stuff really fascinates me. Upload a photo jpg or png (or reference a URL) and it will perform realtime Error Level Analysis (ELA), indicating likely places where modifications have been made. I tested it with some pictures of…um, yeah, folks who are often airbrushed, and surprisingly this person was not.
#[http://www.pcworld.com/businesscenter/article/249510/trustwave_admits_issuing_maninthemiddle_digital_certificate_mozilla_debates_punishment.html Trustwave bad certs] -[Larry] - Oh oh. So, why is TrustWave getting such a bad rap on this one for admitting what they think is a mistake? (No, seriously, what am I missing?). They did appropriate audits, and secured the secondary CA chain appropriately. The issue is that the SSL cert allow for sniffing SSL traffic, common on many products for data exfiltration, etc on corporate networks. It has even been claimed that MANY CAs do this for their customers. Ok, I get it that it will be for ANY site on the internet….
#[http://news.techworld.com/security/3335273/satellite-phone-encryption-cracked-by-german-researchers/ Satellite Phone Encryption cracked] - [Larry] - With $2000 in gear German researchers were able to extract the encryption keys from firmware and were able to re-implement them to decrypt transmissions. They extracted the keys from two separate phones that utilize two separate encryption methods, GMR-1 and GMR-2. Oh, did I mention that it only took 30 minutes to accomplish the task? It does not appear to be an issue for military uses of sat phones, as they often use additional encryption on top of the base handsets.
== Jack's Stories ==
940

edits

Navigation menu