Tag Archive for security

| October 17, 2014

What You Need to Know About POODLE (includes a History)

What you need to know about Poodle is that when you connect to a secure server aka https there are several protocols and versions of said protocols available to create the secure connection. Secure Socket Layer (SSL) was the first, it was created by Netscape. [Side note it’s part of why they were giving their browser away they wanted to make money selling the SSL server to businesses so that you could have secure transactions over the internet, basically before 1995 all connections to web servers were insecure.] They started with SSL v2, v1 was internal only and never released to the public. Within a year there were a lot flaws discovered and in 1996 they released SSL v3. Also to feed into your Illuminati vision of the internet SSL 3.0 draft was release by the Internet Engineering Task Force in a Request for Comments http://tools.ietf.org/html/rfc6101 The RCF are essentially the guides use by developers to implement the protocols.
In 1999 they came up with a newer protocol Transport Security Layer (TLS) So starting at this point newer browsers would first ask it the server supported TLS v1 if it didn’t then it would revert to SSL v3 (which is weaker) As TLS 1.1 and 1.2 came out this trend would continue. Where you’d start off with the best protocol and then go back and forth until you found one you both supported. This was done because a lot people don’t update their browsers or servers.

Now that you have the background. Some researchers at Google discovered a big flaw in SSL v3 which a lot of sites kept around, why you may ask? Because of motherfuckin’ Internet Explorer 6, it only supported SSL v3.

So the danger is that if the server supports SSL v3 your traffic can be sniffed. The responsibility is on server owners to stop supporting SSL v3 _but_ you can also, usually, force your browser to not accept SSL v3.

Share
Category: DCDan, Technology | Tags: , , ,
| March 14, 2014

Two Security Fails

Today I encountered two security fails.
1) When chatting with Sprint customer support they need your account PIN to update your records. After the conversation is over they email your transcript with your PIN sent in the clear.
2) When signing up to pay a travel fee to gain entry to a South American country they confirm your signup by sending you your username and password in the clear.

Good job!

Share
Category: bad at life, DCDan, Frustration, Rant, Technology | Tags: ,
| February 25, 2014

The Latest Apple Security Problem and What You Should Do

TL;DR version:
If you use an iPhone or iPad update it to the latest version of iOS which came out a couple of days ago.
If you use Mac OS X (laptop), use Chrome or Firefox to browse the web until an update is released.

For the long version, I’m going to make the assumption that you have a technical background:
A bug was recently discovered in Mac OS X 10.9 that means the signing chain for an SSL/TLS certificate isn’t verified. This makes a man-in-the-middle attack possible. This is certainly big news and should be patched as quickly as possible the exploit requires the attacker to jump through a lot of hoops to exploit it. They’d have to hijack your DNS and have site that look similar enough to the real site to prompt you put in your username/password. If you’re on your home network this probably isn’t the case if you’re on public wifi it’s more likely but would involve someone first having to hack the router at the cafe and redirect it to poisoned DNS servers and have a site(s) up and running that would convince you put in your username/password, but if you’re concerned about privacy on unknown networks you are using a VPN like Private Internet Access anyway right?

FWIW this code was likely discovered because the core of Mac OS X (Darwin) is open source and the code is verifiable.

UPDATE: Apple has released an update for Mac OS X install this and all will be well.

Share
Category: DCDan, Technology | Tags: , ,