Interesting blog article about Flame spreading. It demonstrates Flame's level of sophistication.
Microsoft released on Sunday security advisory which revokes 3 digital certificates issued under the Microsoft Root Certificate Authority. In separate messages (Security Research & Defense and Security Response Center blogs), Microsoft stated that this update mitigates the threat of Flame malware. Flame is recently discovered highly sophisticated spyware which infected computers throughout Middle East and supposedly came from the same source as Stuxnet.
Microsoft security advisory (2718704):
Microsoft Security Research & Defense blog:
Microsoft Security Response Center blog:
Interesting article in SearchSecurity: "P2P encryption for mobile is not an technology endorsement, says PCI Council". So on the one hand, in their recent mobile payments guide for merchants, they present the P2PE as the only way to secure mobile payments. On the other hand, they say " We’re not endorsing specific technology here". I am not sure I understand the point they are trying to make.
Review of PCI mobile payments guidance for merchants:
Article in SearchSecurity:
Moxie Marlinspike and Trevor Perrin have submitted a proposal to the Internet Engineering Task Force (IETF). The draft document describes a new way of server certificate validation based on the trust accumulated and shared by multiple clients. The proposed TLS protocol extension is called Trust Assertions for Certificate Keys (TACK) and based on public key cryptography, however, it does not use the Public Key Infrastructure (certificates and certificate authorities).
The text of the proposal:
The article in InfoSecurity magazine:
It looks like OCSP Stapling currently is not the best alternative to classic CRL validation. First, because current implementation has serious limitation: only one certificate can be validated during the initial SSL/TLS handshaking session. However, as part of the server certificate checkup, the SSL client must validate the entire certificate chain -- until the root (self-signed) certificate -- which may contain more than one certificate. Second, it is not widely supported yet: not all the clients and server implementation are OCSP Stapling ready. For instance, it is still unclear whether Microsoft WCF hosting process (alternative to IIS) would support it - at least, it is not officially documented.
Original post 05/10/2012:
Future of the SSL certificate revocation validationweb-services-with-ssl.html
My article about using SSL in .NET Web Services application:
How to know whether your mobile phone is being tapped?
It is difficult if your phone is bugged with FlexiSpy. On Android phone, you can install Symantec Norton Mobile Security which claims to be able to remove the spyware.
There is another popular mobile spy software called SpyMobile.
They support virtually any mobile OS - iPhone, Blackberry, Android, Windows Mobile and Symbian - which means they can be installed on almost any device. If this application is installed on your mobile phone, it is running in silent mode so there is no way to know whether your phone is bugged.
However, this software should be somehow manually installed and initially configured on your phone, and there are "secret" default keystroke sequences that should be keyed in order to activate the management console. To check if SpyMobile is installed on your phone, you need to try these sequences. If nothing happens, you are lucky. If you see the SpyMobile login screen, you are not.
Windows Mobile and Symbian: #123456789*
Symantec Norton Mobile Security:
Mobile spyware review:
More information on signs of bugged phone:
This is interesting and hot topic. Did you know that Google stopped the online validation of SSL server certificate revocations in Chrome browser? The situation with certificate revocation validation has been discussed by representatives of major browser software vendors during recent RSA conference. OCSP Stapling looks to me like most promising solution.
Click to set custom HTML
There are many questions about Microsoft's December 29, 2011 Out-of-Band Security Bulletin (MS11-100). Note that only ASP.NET is affected so you should not worry unless your machines are running website on IIS with ASP.NET.
More information can be found here
Click to set custom HTML
BEAST stands for Browser Exploit Against SSL Tool.
This is variation of Man-in-the-middle attack invented by Juliano Rizzo and Thai Duong.
Here is the results of my brief research on BEAST.
Even though the detailed scenario of the attack apparently is not published by their authors, there is some information and area experts reviews available online so I could reconstruct the picture from several puzzles.
The most important outcome – the attack is unable to compromise the custom client/server application communication as it is aimed against browser client/WEB server communication only.
It is using WEB vulnerabilities and must inject malicious java script code into the client browser in order to initialize the attack. Therefore, it affects websites only and does not affect custom software using SSL.
Workarounds/Mitigations that are known today:
Using non block (stream) ciphers such as RC4 instead of standard default block ciphers such as AES.
o strongest ciphers (such as AES) mostly using blocks, and stream ciphers (such as RC4) may have their own weaknesses
o streaming ciphers may not be supported by all browsers/servers
Using TLS 1.X and higher (eliminating using SSL 3.0 and TLS 1.0 which are found vulnerable for the attack)
o TLS 1.X is not widely used and therefore not proven enough;
o TLS 1.X is not supported by all browser versions therefore after server will be reconfigured some clients using old browser versions may be unable to access it.
The two counter measures described above require WEB server reconfiguration that would possibly make some clients unable to access the websites. Before anything is done, it should be thoroughly researched and tested.
Microsoft promised to release a Windows OS patch that blocks it (IE browser uses Windows SSL implementation).