Collaborate Disseminate
I thought about “recovering”, “determining”, “guessing”, “calculating” or “reproducing” the HOTP/TOTP secrets when only the outcome (6-digit code + time) is known.
In case we can view the live creation of HOTP/TOTP codes without knowing t… Continue reading How many known time/result combinations does it take to guess a HOTP/TOTP secret?
Why is it unsafe to use the DNSSEC algorithm RSA/MD5? In practical terms, how is DNSSEC weakened by the use of an algorithm such as MD5, which has a known weakness of collisions?
RFC 6944 states, under chapter 2.3 DNSSEC Im… Continue reading What are the implications of using an "unsafe" DNSSEC algorithm like RSA/MD5?
A zero day vulnerability refers to a hole in software that is unknown
to the vendor.
Since, zero day vulnerabilities are unknown can any estimation of amounts be made? What are possible scenarios to estimate the amount of zero-days? For … Continue reading Is there an estimation of the number of zero-days out there?
The Reverse DNS PTR-records (or Pointer Records, or Reverse Record) are often incorrect. Like pointing to:
the domain of a hosting provider;
a non-existing domain.
Lets say I have example.com hosted on IP 10.13.3.7. But t… Continue reading Is having an incorrect PTR record a security risk?
I’ve seen many Windows clients with Bitlocker installed without the Trusted-Platform Module (TPM) enabled. This requires manual changes in the Group Policy since by default it’s not possible to enable Bitlocker without a TPM…. Continue reading Where is the Bitlocker key stored without the Trusted-Platform Module (TPM)?
I recently found an article about the Hot Potato vulnerability and it seemed quite interesting.
Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.
The exploit basically consists of three aspects:
I’m specifically interested in this vulnerability on Windows Server 2012 (R2). The exploit makes use of an automatic update mechanism that downloads certificate trust lists (CTLs) on a daily basis.
The researchers said that using SMB (Server Message Block) signing may theoretically block the attack. Other method to stop the NTNL relay attack is by enabling “Extended Protection for Authentication” in Windows.
My question, are one of the two mitigations as suggested by the researchers automatically used as a patch/fix through Windows Update, since the initial vulnerability was released? I think somewhere in the beginning of 2016.
Note: It’s ironic that the introduction of a daily update of CTLs that are meant to improve security, introduce a massive Privilege Escalation vulnerability.
I understand that BEAST is very hard to exploit and mostly fixed by modern browsers already.
Also, enabling RC4 will introduce other risks.
So, if you still want to mitigate the almost impossible exploitable BEAST attack, a… Continue reading Are disabling TLS 1.0, enabling RC4 or using TLS1.0 with AES only, the only ways to mitigate BEAST server-side?
Since HTTP/2 is starting to get adopted by more and more sites everyday. Are there any security benefits or known risks regarding HTTP/2?
Continue reading What are the security benefits or risks of HTTP/2?
I’m quite enthusiastic about the Sub resource integrity (SRI) features. But, why is it only limited to JS and CSS files?
I tried to pin a LESS (CSS variant) file, of which the integrity tag was ignored by Firefox and Chrome…. Continue reading Why is Sub resource integrity (SRI) only limited to JS/CSS files and is it only for external sources?
Is the use of regular OCSP or OCSP stapling a privacy risk? Since a request is sent (in each handshake) to an (external) OCSP Responder.
The OCSP responder can potentially register a load of metadata.
Continue reading Is the use of regular OCSP or OCSP stapling a privacy risk?