SSL Blacklist – Firefox Plugin Detects Bad Certificates

January 2, 2009 – 11:51 AM

This Firefox plugin was first created back during the Debian/OpenSSL scare about 6 months ago where the key pairs that were generated from an affected machine were easily guessable. Marton Anka created this plugin to help users find these bad certificates:

sslblacklist

On 12/31/2008, Marton updated this plugin to detect the vulnerable MD5 based certificates that were recently exploited:

sslblacklist2

You can find this Plugin and any additional information at the website:

http://www.codefromthe70s.org/sslblacklist.aspx

Posted in Coding, Internet, Privacy, Security | 1 Comment

Things To Accomplish in 2009

January 1, 2009 – 2:51 PM

I guess I should have said my list of things.  This is meant for me personally, not the world.  I mean…you can do these things on your own if you want but please get your own Rubik’s Cube.

Things I want to accomplish in 2009 (in no particular order):

  • Quit smoking for good.  Smoking a few packs here and there throughout the year is no longer acceptable.
  • Complete my Certified Ethical Hacker (CEH) certification.
  • Deposit this pile of Birthday and Christmas money orders from 2007 and 2008.
  • Solve this Rubik’s Cube that’s sitting on my desk, without searching Google for the steps.
  • Convert my whole home office over to Linux.  No more Windows.  A Guest virtual machine running Windows will be allowed but only with written consent.
  • Lose 10 more pounds.
  • Attend an actual SANS course.  Preferably company paid.
  • Visit another country that I’ve never been to.  (Last one was Scotland)
  • Learn MetaSploit inside and out.  Command line only.  GUI will just be for convenience and laziness.
  • Finish reading this pile of books on hacking and penetration testing.
  • Create life.
  • Double my salary.  This probably won’t happen with my current employer.  It’s time for change.

Posted in General BS | No Comments

Happy New Year!

December 31, 2008 – 5:19 PM

I just wanted to wish everybody a Happy New Year.  Be safe.  I’ll see you all in 2009.

Troy

Posted in General BS | No Comments

Watch out for hidden cookies

December 31, 2008 – 11:04 AM

By now, most of us are aware of the potential privacy risks posed by Web cookies. But according to a new paper published by security consultancy iSec Partners, traditional browser-based cookies aren’t the only technology used to store user data anymore. A number of browser plug-ins offer similar capabilities — and because plug-ins are nonstandard browser components, users are often unaware that these silent conversations are even taking place.

Browser cookies are invaluable for storing things like usernames and shopping cart contents between e-commerce sessions, among many other legitimate uses. But cookies can also give Web sites the ability to track your surfing habits for the purpose of data mining or other, more malicious goals. That’s why modern browsers give users fine-grained control over their cookies — we can view them, delete them, or even block them completely. These controls don’t apply to plug-ins, however, which add nonstandard features outside the customary browser UI.

The paper cites Google’s Gears as one example of a plug-in that can mimic cookies. While in general it gives Gears high marks for walling off users’ data from unwanted accesses, it also cautions that users might not fully understand how to specify what data Gears is allowed to store. Gears always asks you if you permit it to talk to a given Web site, but it will only ask once. If you later decide that you’d like to disable Gears for that site, you have to remove the site from a list via a special control panel. Your browser’s normal privacy settings have no effect on Gears’ behavior.

Source:
http://www.networkworld.com/news/2008/123108-watch-out-for-hidden.html?fsrc=rss-security

Posted in Coding, Internet, Privacy, Security | No Comments

Full Details Of The MD5 Vulnerability

December 30, 2008 – 7:41 PM

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 “collision”. Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

Read the full MD5 vulnerability report:
http://www.win.tue.nl/hashclash/rogue-ca/

Posted in Internet, Privacy, Security | No Comments

Copyright 2008-2024 PC Sympathy - Entries (RSS) - Sitemap