Comments Off
As of Feb 12th, the solution for the TLS renegotiation man-in-the-middle attack is an official IETF standard:
http://tools.ietf.org/html/rfc5746
I’m super happy and excited as this is the first RFC I am a co-author of and it fixes a major problem with one of the most widely used security protocols. Now let’s hope it will get quickly implemented, deployed, and eventually enforced.
Comments Off
It’s been a while since I last checked any news or used a computer. I was away for more than a month spending time with our new baby daughter and almost completely disconnected from the tubes of the net.
Now that I’m back, I wanted to point to a patch from Microsoft that allows admins to disable TLS renegotiation on both the client and the server side. The security advisory is 977377 and MSRC has published a blog post with a bit more details.
The new RFC that will outline the changes needed to the TLS protocol to fix the problem is almost there and should be out “real soon now”.
Comments Off
In case you haven’t seen it yet, zf0 summer of hax was released in the last few days. While scanning through the content, I read a paragraph in the “Industry Check” section that perfectly sums up the state of computer security these days:
Are you professional types really this out of touch? I see all these papers about how to protect yourself from these super-fucking-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE. It's the simple stuff that works now, and will continue to work years into the future. Not only is it way easier to dev for simple mistakes, but they are easier to find and are more plentiful.
It is indeed much easier to look for a misconfiguration in the web app than to hack the actual web server software (be it apache, IIS or some other). It is much easier to guess the secret questions of a person and gain access to their account than it is to hack the actual service (be it web mail or something else). At the end of the day, people should be looking at security as an end-to-end picture, not just focus on parts of it. The tried and true “a chain is as strong as its weakest link” is in full force here.
Comments Off
I recently read a paper on the topic of strong passwords. While going through it, it hit me that very often people will discuss a way of solving some problem (phishing for example), but they fail to enumerate what the attack vectors are and subsequently how the solution addresses these attack vectors. I like how the paper actually lists the threats at the very beginning and discusses them throughout. When solving a problem or coming up with a security product, one should be very clear as to what it is protecting against. It is not often that you see this clearly addressed.
I don’t quite agree with all the views presented in this paper, but it was overall a very interesting read. The idea of brute-forcing not only a single account but all accounts based on statistics was an approach I had not seen before.
Comments Off
The recent story on the twitter breach of company information reminded me of an interesting research I recently saw. A few researchers have worked with real people to gather data how well security questions used by online apps work. Their paper has all the glory details,but there are two things that stood out to me:
If one looks back in time, most (highly visible) account compromises happen through the password reset/recovery mechanisms, not through a vulnerability in the web application itself.
It is common for people to focus on the wrong thing to improve on. In addition to ensuring the security of the site, more research needs to be done in improving the authentication and recovery/revocation. With the growing popularity of social networks, finding information about people is trivial, so I think unless some changes are made, we will see more and more of these compromises.
Comments Off
Well, after being few years late to the blogging world, I finally gave in and stopped caring about having ultimate control over the site I have. That is how RNG @ netsekure is starting now, as an attempt to be a collection of my random thinking put into writing.