- SSL over self-implementation of RSA?
I currently write a client application which communicates with a PHP server. The application itself requires valid user credentials and gets all of its information by doing POST requests to the PHP server. Is the first scenario safe or should I use S… - Tuesday, January 27, 2015 -
- JCE Unlimited Strength Jurisdiction Policy Files 8
What I know is that this jar file is needed regarding some issue with the encryption key while encrypting or decrypting. Can someone tell what are the countries where we can't use this jar file? http://www.oracle.com/technetwork/java/javase/downl… - Tuesday, January 27, 2015 -
- Gmail disclosing your account name to recipients?
My Gmail setting has forever been set to send emails with just my Gmail address as the identifier, so it should not send out my account name (first or last name)... or so I thought! Recently I got a reply from someone (whom I had contacted for th… - Tuesday, January 27, 2015 -
- Extract pre-master keys from an OpenSSL application
Consider an application using OpenSSL which has a bug. A packet capture of the full SSL session is available, as well as a core dump and debugging symbols for the application and libraries. An RSA private key is also available, but since a DHE cipher… - Tuesday, January 27, 2015 -
- CSRF protection using an authentication token in an HTTP header
I'm working on a web application which stores an authentication token in a cookie. The only CSRF protection is referrer checking. I am considering improving this by moving the authentication token from cookies to a custom header, such as X-AuthToke… - Tuesday, January 27, 2015 -
- Local File Inclusion on a Windows server
Is there a way to get RCE (e.g. log poisoning, PHP wrappers, etc.), or something of similar danger, from an LFI on a Windows server that isn't running PHP but rather ColdFusion (cfinclude) or ASP? I'm quite curious and I don't see much information… - Tuesday, January 27, 2015 -
- Long character sequence in the first string of an HTTP GET request breaks the web service's HTTP response. Buffer overflow?
During my current security audit test I've stumbled on something I can't possibly comprehend. The behavior exhibits signs of a buffer overflow in the target or in some intermediate service (HTTP proxy/IDS/IPS/firewall), but I haven't been able to pro… - Tuesday, January 27, 2015 -
- Using AES in CTR mode for TCP/IP-based network connections: need to encrypt the IVs?
For AES-based encryption on TCP/IP connections, I am guessing I have to do the following: Have the two parties share a common key; assuming I am doing AES-128, that is a sequence of 16 bytes. Ideally the bits are securely random. Since we are running AES… - Monday, January 26, 2015 -
- How to protect against adversaries snatching booted laptops to defeat full-disk encryption?
I read an article describing how FBI agents snatched Ross Ulbricht's laptop while it was running to defeat full-disk encryption: "Two plainclothes FBI agents, one male and one female, walked up behind Ulbricht and began arguing loudly. This stag… - Monday, January 26, 2015 -
- Is WPA practically less secure than WPA2 only if QoS is enabled?
I've been looking into attacks that are effective against WPA-TKIP but not WPA2-AES (both using PSK). I've found Vanhoef & Piessens's paper that builds off an attack by Beck & Tews and can be used for total decryption, but only if the router has QoS… - Monday, January 26, 2015 -
- Error while running jTSS in Eclipse
I am trying to run the Trusted Computing API JSR321 in Eclipse by following the tutorial provided at "Getting Started with JSR321 in Windows 7". After successfully enabling my TPM (manufacturer: STM, version: 1.2), I tried to run the code given in t… - Monday, January 26, 2015 -
- Soft tokens: multiple profiles on the same smartphone
Some of our clients have started migrating to soft tokens instead of hardware ones for two-factor authentication to their network. We have apps like RSA SecurID and VIP Access on our smartphones. The problem we're starting to face is when new client… - Monday, January 26, 2015 -
- How to improve the security and privacy of Firefox
What would be a sensible approach to enhance the security and privacy of Firefox? I did not find a question about this and I feel that some guidelines for casual web users would be handy. Currently my browser is wearing: Adblock Plus to block pesk… - Monday, January 26, 2015 -
- How to use an ORM correctly to prevent SQL injection?
I read here that using an ORM (like NHibernate) does not necessarily prevent SQL injection; for example, if you keep creating dynamic queries using your ORM framework you are still vulnerable. Fine, then what is the proper use of an ORM to avoid all type… - Monday, January 26, 2015 -
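The point the question quotes (an ORM only helps when the SQL text stays fixed and user input travels as a bound parameter; a query string assembled from input is injectable no matter what emits it) is shown below with a constructed in-memory SQLite table. This is an added example, not code from the question or from NHibernate; the table, rows and the `ALLOWED_SORT_COLUMNS` allowlist are assumptions made for the demonstration, and plain `sqlite3` stands in for whatever the ORM hands to the driver.

```python
import sqlite3

# Constructed sample data standing in for an ORM-mapped entity.
USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Assumption for the example: the only columns a caller may sort by.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def find_user_dynamic(conn, name):
    """The pattern the question warns about: user input is pasted into the
    query text before it reaches the driver. An ORM given a string like this
    (HQL, CreateSQLQuery, or any string-built criteria) is just as injectable."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """The correct use: the SQL text is constant and the value is bound as a
    parameter, which is what an ORM's criteria/LINQ API or a named-parameter
    query does underneath. The payload becomes a literal string, not syntax."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_users_sorted(conn, column):
    """Identifiers (column or table names) cannot be bound as parameters, in an
    ORM or otherwise, so a dynamic ORDER BY must go through a strict allowlist
    rather than through string concatenation of raw input."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (column,))
    return conn.execute("SELECT name, role FROM users ORDER BY " + column).fetchall()


# Classic tautology payload: closes the quoted string and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic :", find_user_dynamic(db, PAYLOAD))   # every row leaks
    print("bound   :", find_user_param(db, PAYLOAD))     # no such user, nothing returned
    print("sorted  :", list_users_sorted(db, "role"))
```

Running it shows the string-built query returning all three rows for the tautology payload while the parameterized query returns none; the allowlisted sort illustrates the one case parameters cannot cover.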
- Are passwords comprised of key sequences on a keyboard any less secure than the same characters but jumbled up?
Here are two passwords: 5678%^&*tyuiTYUI and 8^tyU75%*IuY6T&i. Both have the same number of characters and in each the characters are identical; the only difference is that the first arranges those characters in a pattern that lends itself stron… - Monday, January 26, 2015 -
- OpenSSL vulnerability CVE-2015-0205
I can't seem to make any sense out of the following vulnerability in OpenSSL: "DH client certificates accepted without verification [Server] (CVE-2015-0205). Severity: Low…" - Monday, January 26, 2015 -
- SCRAM-ish technology/library for replay-safe signing with a shared secret
I have a JS file delivered over HTTPS and a randomly generated shared secret (which will expire after a while and be renewed via HTTPS), also delivered via HTTPS. Both are available on side A and side B of the communication. Now I need to send messages from A to B… - Monday, January 26, 2015 -
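As an added example (not code from the question, and not a particular library's API), the following shows the smallest construction that gives replay-safe signing with a shared secret: an HMAC over a monotonically increasing sequence number plus the message, with the receiver refusing any sequence number it has already accepted. The secret value, the message format and the field encoding are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo secret; in the question's setup both sides receive theirs over HTTPS.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def _mac(secret, seq, body):
    """HMAC-SHA256 over (seq || len(body) || body).

    Binding seq into the MAC means a captured message is only valid under the
    counter it was sent with; the length prefix keeps fields from being shuffled."""
    data = seq.to_bytes(8, "big") + len(body).to_bytes(4, "big") + body
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


class Sender:
    """Side A: increments a counter per message and signs counter + message."""

    def __init__(self, secret):
        self.secret = secret
        self.seq = 0

    def send(self, body):
        self.seq += 1
        mac = _mac(self.secret, self.seq, body.encode("utf-8"))
        return json.dumps({"seq": self.seq, "body": body, "mac": mac})


class Receiver:
    """Side B: verifies the MAC in constant time, then enforces strictly
    increasing sequence numbers so a replayed or stale message is dropped."""

    def __init__(self, secret):
        self.secret = secret
        self.last_seq = 0

    def receive(self, wire):
        msg = json.loads(wire)
        seq, body, mac = msg["seq"], msg["body"], msg["mac"]
        expected = _mac(self.secret, seq, body.encode("utf-8"))
        if not hmac.compare_digest(expected, mac):
            return None          # forged or tampered message
        if seq <= self.last_seq:
            return None          # replay, or an older message arriving late
        self.last_seq = seq
        return body


if __name__ == "__main__":
    a, b = Sender(SHARED_SECRET), Receiver(SHARED_SECRET)
    wire = a.send("unlock door")
    print(b.receive(wire))                              # accepted
    print(b.receive(wire))                              # replay rejected
    print(b.receive(wire.replace("unlock door", "unlock safe")))  # tamper rejected
```

The counter only protects against replay as long as the receiver's `last_seq` persists for the lifetime of the secret, so when the shared secret is renewed over HTTPS the counter should be reset together with it; a strict "greater than last seen" rule also drops out-of-order delivery, which is the right default for commands and can be relaxed to a sliding window if the transport reorders.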
- How private is RAM from other users on a VPS?
Can I safely assume that my RAM can never be accessed by another user on e.g. EC2 or DigitalOcean, if we suppose that I trust my provider and we don't consider possible bugs (such as Heartbleed) in my environment? - Monday, January 26, 2015 -
- Generating an authentication token from PHP sessions
I have a traditional PHP site which uses sessions. I've developed a real-time app in Node.js and wish to authenticate users there based on their PHP session. The procedure would go something like this: the client AJAXes some getAuthToken.php page; the client c… - Monday, January 26, 2015 -
- If you can break this authentication system then you can break into my house
I'll preface this by saying I know approximately 0 about cyber-sec. I've made a server that will allow smartphones to act as a remote control for my house (e.g. turn lights on/off and unlock doors). Obviously the security of this server is very import… - Monday, January 26, 2015 -
- Some sites require that you accept cookies in order to use them. Does this mean that they can read/track my real IP?
The site I want to use says that it stores permanent cookies on my computer to track various things, for instance if I have two accounts with them. It says "Please note that if you set your browser to disable cookies, you may not be able to access ce… - Saturday, January 24, 2015 -
- Security of email sent/received on iPhone via the Mail app
In regards to the default Mail app on iOS 8, set up with various mail accounts (Gmail, Outlook, etc.): Are emails sent/received to/from the phone securely, and if so, how? Can someone who is snooping on the phone's data traffic see any email data? Thanks fo… - Monday, January 12, 2015 -
- Keyboards using 2.4GHz with AES
I got a Microsoft Sculpt keyboard, as it seems to be a small improvement over the much loved Ergo 4000. (What I'd give to have an Ergo 4000 with Cherry MX Blues...) On various sites, they have this one snippet: "Proprietary 2.4 GHz with 128 bit AES… - Sunday, November 2, 2014 -
- CloudFlare: prompted for "attention required"
I am getting a CloudFlare "attention required" / security check prompt on most of the sites I visit through my MacBook running OS X Yosemite; these sites work perfectly on other devices (such as iPad, iPhone, Android and a Windows-based laptop) connect… - Wednesday, October 29, 2014 -
- ShellShock vulnerability and Java web applications
I am running a Java web application (Spring 3.2 based) on Linux hosts. The Linux hosts are vulnerable to the ShellShock vulnerability. Can someone exploit this vulnerability on my website? - Monday, September 29, 2014 -
- Is it safe to store a public-key-encrypted password on the mobile device for authentication purposes?
I have an Apache Cordova hybrid mobile app that needs to authenticate users, but we don't want to prompt for credentials every time the app is used. Some options came to my mind: Store the password encrypted using public key cryptography, so only th… - Monday, June 30, 2014 -
- Can malware physically damage a hard drive?
I recently responded to an incident of supposed malware infection. The symptoms were simply, "My computer freezes at random times." The response ended with replacement of the physical hard drive and re-imaging the machine. Later, I forensically ima… - Tuesday, May 13, 2014 -
- What causes a PowerShell payload to run the first time but not the second?
I created a windows/meterpreter/reverse_https PowerShell payload using the Python script provided at the end of this article. In the first run, the meterpreter session opened successfully; when I closed it and tried to execute the PowerShell command… - Sunday, March 9, 2014 -
- How can I be sure LastPass really can't access my passwords?
The recent, widely publicized security incident where millions of LinkedIn were exposed reminded me to tighten up my password practices. I'm looking at several password managers now and I'm especially curious about LastPass. They write on their home… - Friday, June 8, 2012 -
- What are the career paths in the computer security field?
What sorts of jobs are there, in which organizations, with what sorts of day-to-day responsibilities? What areas are good for folks coming out of school, vs. what are good second careers for experienced folks coming from various disciplines? - Thursday, May 12, 2011 -