Posts

Showing posts from 2015

Is DHS running honeypots?

When in September 2015 DHS published its own Security Audit Report, I was rather speechless that I could not find any mention of "SSL" or "TLS" in the text, but apparently DHS has been aware of Transport Layer Security earlier than that. Today KrebsOnSecurity published a post titled DHS Giving Firms Free Penetration Tests, containing a link to a document which includes the status update about the ongoing cyber programs and efforts underway at the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC). In a rather confusing timeline, we read first about DHS ignoring SSL/TLS in its own Security Audit Report (Sept. 2015) and today about how SSL (TLS) related vulnerabilities occupy 5/5 of the Top 5 (Occurring) Vulnerabilities list in the DHS NCATS Year-Engagement Report 2014 (which indeed might more conveniently have been published at an earlier date). The reason for this post is not the confusing orde

#insecureTLS implementations report

This post is meant to support the launch of the #insecureTLS hashtag; an insecure Transport Layer Security implementation is in itself outrageous, but some are more so than others. ...I collect insecure TLS samples for fun and profit (not really): why I started collecting data from Qualys SSL (Server) Test; a first sample; a second batch [ video ]; something the @DHSgov Security Audit did not report.

More insecure https samples (batch #2)

SSL Test executed on July 5 2015. [ batch #1 video ] [ two-part post about sigmamedia.net/badssl ]

Organisation / URL
- US Department of Homeland Security, Electronic System for Travel Authorization: http://www.dhs.gov/
- US Custom and Border Protection (likely API endpoint for online payments): http://www.cbp.gov/
- Arkansas Judiciary portal: https://courts.arkansas.gov
- Virginia Department of Motor Vehicles: https://www.dmv.virginia.gov
- Oklahoma State Treasurer Office: http://www.treasurer.ok.gov
- US Consumer Financial Protection Bureau: https://www.consumerfinance.gov
- US Payment system used by various state and local agencies: https://certifiedpayments.net/
- US Govt. Malware Submission Form: https://malware.us-cert.gov
- French State Department Cooperation portal: http://www.interieur.gouv.fr/
- Italian National Security Information System: https://sicurezzanazionale.gov.it/
- Dutch Department of Infrastructure and Environment: http://www.rijksoverheid.nl/ministeries/ienm
- Portuguese

Bad SSL: security awareness in interesting times (1)

[ traduzione italiana ] Secure websites, browsers and the difference from plain-text websites. The details behind a (web) connection may not be interesting for a general audience and in any case are not immediately meaningful enough to bother with. The intention of this post is to make a rather delicate issue understandable to as many non-technical people as possible: an effort is made to clarify the substantial aspect of the issue and its implications, trying to avoid geek stuff and jargon. TL;DR Securing communication with a website takes more than using https. The technology and cryptographic science behind the security of internet communication are highly complex, but nevertheless, at any given time, publicly and freely available best practices exist to keep the level of actual security consistent with the purpose of a given resource. This is nowadays important, given the indiscriminate surveillance system operating on a global scale which stores - in an unbelievably detailed timeline -

Bad SSL: security awareness in interesting times (2)

( part 1 ) The reason I started collecting third-party data. Through my numerous visits to the SSL Test webpage, in that particular list on the lower right of the page I have seen ...attack ships on fire off the shoulder of Orion. I got intrigued by the idea of assessing the density of technologically advanced organisations - some of these professionally active in security -, state departments, healthcare institutions, military hosts, service providers, remote access portals for teleworkers, hardware/software management dashboards that can be so badly protected as to achieve such a negative evaluation. It is interesting to know that although SSL Labs offers the option to not publish the results of the test (which might inconveniently appear in the worst scores list), many sensitive sites show up in the list: is it paranoid to think that several tests are executed not only by the organisations themselves (who would probably use the privacy option), but also by users or emp

BadSSL: communicating securely in the era of global surveillance (2)

( part 1 ) The reason I started acquiring data from a third-party service. During my numerous visits to the SSL Test page, in that particular list at the bottom right I saw ...attack ships on fire off the shoulder of Orion. I was intrigued by the idea of assessing the density of technologically advanced organisations - some of these professionally active in the security sector -, ministries, healthcare institutions, military systems, service providers, remote access portals for teleworkers, hardware/software management interfaces so badly protected as to deserve such an extremely negative verdict.

Bad SSL: communicating securely in the era of global surveillance (1)

[ english version ] Secure websites, browsers and the difference from plain-text websites. The details behind a (web) connection are generally not interesting to most users, or are in any case - carelessly - assumed to be valid or adequate. The aim of this post is to illustrate a rather complex issue by highlighting its substantial aspects and implications, avoiding the topics and technicalities that are the domain of IT experts. TL;DR Protecting communication with a website takes more than using https. The security of internet communication relies on the complex technological support of cryptographic science; despite continuous progress, and therefore revisions and refinements of implementations and protocols - at any moment it is possible to freely access publicly available information and practical methods that can be used to verify and keep adequate the security level of each

Kernel exploits and hardening

Exploit, DoS code and security scripts/patches for the Linux kernel

Apache/Nginx log statistics and charts

Lovely: ServerLogStats.com

OpSec heads up: WebRTC/STUN deanonymizing

Topic started by Robert Penz. WebRTC/STUN code: check your browser

OS X Gatekeeper Bypass

OS X Gatekeeper Bypass

BlackPwn: BlackPhone SilentText Type Confusion Vulnerability

BlackPhone ...a serious memory corruption vulnerability that can be triggered remotely by an attacker.  If exploited successfully, this flaw could be used to gain remote arbitrary code execution on the target's handset...

EFF’s Game Plan for Ending Global Mass Surveillance

EFF’s Game Plan for Ending Global Mass Surveillance [ 1 ] [ 2 ]

Qualys Security Advisory CVE-2015-0235
GHOST: glibc gethostbyname buffer overflow

/* Qualys GHOST (CVE-2015-0235) test program: a hostname made of digits that
 * is exactly long enough to make gethostbyname_r() write a few bytes past the
 * caller-supplied buffer, into the adjacent canary. */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);  /* all-digit name is treated as a numeric address */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  /* A patched glibc rejects the call with ERANGE; an unpatched one overwrites the canary. */
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

[1]

IPv6 Security Myth #2
IPv6 Has Security Designed In

you don’t need to worry about security because IPv6 has it built into the protocol

Carnal0wnage & Attack Research
Shmoocon Notes: Userland persistence on OS X

Shmoocon Notes: Userland persistence on OS X

Securosis
Defining Threat Intelligence

Securosis - Defining Threat Intelligence

Matthew Green
On the Practical Exploitability of Dual EC in TLS Implementations

Subject: [Fwd: RE: Minding our Ps and Qs in Dual_EC]
Date: Wednesday, October 27, 2004 at 12:09:25 PM Eastern Daylight Time
From: John Kelsey
To: larry.basham@nist.gov

---------------------------- Original Message ----------------------------
Subject: RE: Minding our Ps and Qs in Dual_EC
From: "Don Johnson"
Date: Wed, October 27, 2004 11:42 am
To: "John Kelsey"
--------------------------------------------------------------------------

John,

P = G. Q is (in essence) the public key for some random private key. It could also be generated like a(nother) canonical G, but NSA kyboshed this idea, and I was not allowed to publicly discuss it, just in case you may think of going there.

Don B. Johnson

-----Original Message-----
From: John Kelsey [mailto:john.kelsey@nist.gov]
Sent: Wednesday, October 27, 2004 11:17 AM
To: Don Johnson
Subject: Minding our Ps and Qs in Dual_EC

Do you know where Q comes from in Dual_EC_DRBG?

Thanks,
-John

[1] [2] [3]

Powershell Popups + Capture - Room362.com

Powershell Popups + Capture - Room362.com ...the cool thing about this is you can leave it to execute on a system without any other code on disk and get creds constantly as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free.. over SSL. ;–)