Sep.05

CloudFlare, SSL & Unhealthy Security Absolutism (Troy Hunt)

Really interesting (and, in my opinion, great) article by Troy Hunt on why CloudFlare's [free] SSL offerings are awesome!

“First and foremost, if your choices are to either run entirely unencrypted or to protect against the 95% (or thereabouts) of transport layer threats that exist between your visitors and your origin, do the sensible thing. Nobody in their right mind is going to advocate for remaining totally unencrypted rather than using CloudFlare purely to encrypt between their edge nodes and your users. There are people not in their right mind that will argue to the contrary and that’s precisely what the title of this post suggests – it’s unhealthy security absolutism.”

Source: Troy Hunt: CloudFlare, SSL and unhealthy security absolutism

Security

Jul.03

How to Crack Android Full Disk Encryption on Qualcomm Devices

“Since the key is available to TrustZone, Qualcomm and OEMs [Original Equipment Manufacturers] could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device,” Beniamini wrote. “This would allow law enforcement to easily brute force the FDE password off the device using the leaked keys.”

Source: How to Crack Android Full Disk Encryption on Qualcomm Devices

Security,News,Resources

May.11

Upgrade Site Security with CloudFlare Origin CA

Really interesting development from CloudFlare on encrypting the web's connections. It takes their ‘Flexible SSL’ to the next level and beyond.

“Faster, more secure alternative to public CA certificates for your CloudFlare-fronted servers. Extraneous overhead removed to optimize performance.

With Origin CA, we questioned all aspects of certificate issuance and browser validation, from domain control validation (DCV) to path bundling and revocation checking. We asked ourselves what cruft public CAs would remove from certificates if they only needed to work with one browser, whose codebase they maintained? Questions such as “why bloat certificates with intermediate CAs when they only need to speak with our NGINX-based reverse proxy” and “why force customers to reconfigure their web or name server to pass DCV checks when they’ve already demonstrated control during zone onboarding?” helped shape our efforts.”

Source: CloudFlare Origin CA

Security,News

Nov.11

A Brief Analysis of SSH on the Web

A very interesting and, in some ways, telling analysis of the current state of 16,532,281 SSH configurations on the internet.

Out of all the IPv4 addresses we found:

  • 9,423,225 are affected by the CVE-2015-5600 – “The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.”

  • 1,530,566 are affected by the CVE-2013-4421 – “The buf_decompress function in packet.c in Dropbear SSH Server before 2013.59 allows remote attackers to cause a denial of service (memory consumption) via a compressed packet that has a large size when it is decompressed.”

  • 83,357 are affected by the CVE-2015-6565 – “sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence.”

Source: SSH – A brief analysis of the internet

Security