How do you know which ciphers your SSL service supports? The best way to find out is to ask, and that’s exactly what SSLScan does. SSLScan is a command-line tool that, given an address and port, will generate a long list of ciphers and report whether the SSL service at the location accepted or rejected them. You can find a Windows port here. The tool also displays preferred ciphers, supported protocols, and the server’s SSL certificate.
Month: March 2011
Vavada - это онлайн-казино, предоставляющее широкий выбор азартных игр, включая слоты, рулетку, блэкджек и другие. Vavada привлекает игроков разнообразными бонусами и акциями.
If you’re interested in online security, you’ve probably heard about HBGary. If you haven’t, here’s a brief rundown with a few links: A security firm, HBGary (or, more accurately, HBGary’s subsidiary HBGary Federal) announced that they had discovered the names of some of the supposed ringleaders of the “hacktivist” organization Anonymous. This “angered the hive” and – rather than the generally low-risk and unsophisticated DDOS attacks for which Anonymous is better known – Anonymous used a combination of social engineering, SQL Exploits, and password cracking to compromise one of HBGary’s servers. They leveraged that to get into multiple servers, ultimately gaining access to HBGary’s email and no few internal documents – including business plans and proposals to potential clients. Anonymous[…]
Looks like there will be some pretty important patches released next week by Microsoft. According to the advance notice issued yesterday, there are three remote code execution vulnerabilities in Windows and Office that need to be patched. The advance bulletin doesn’t detail exactly what the problems are, but remote code execution vulnerabilities are serious problems. So, everyone, if/when the little icon shows up next Tuesday telling you that you need to re-start for updates to take effect, don’t put it off too long!
Back in August, my colleague Tim Donaworth posted about security threats in Android. Smartphone malware and smartphone botnets are buzz phases right now, but when speaking about my research in the field I am often asked, “Will this sort of attack actually happen outside of a lab?” The answer is not only will it, it already has, and is going on as we speak. Earlier this week Symantec blogged about a malicious Android application found carrying out the exact sort of attack Tim warned about in his post. In short, there was a legitimate application called Steamy Windows that fogged up your screen and asked for reasonable permissions when installed. There was also a malicious version of Steamy Windows that[…]
One of the primary weapons in a developer’s arsenal for stopping cross-site scripting (XSS) is output escaping. If an attacker can insert special characters into a page (such as < and >), they can potentially add new HTML or JavaScript and wreak havoc. By escaping data rendered by a page, you can change < to < – the latter still gets rendered by the browser as < without creating a new HTML element. However, it’s important to understand that this defensive strategy must include the concept of contextual escaping. That is, what characters you escape and how you handle them depends on the context of the output. For instance, simply escaping or filtering every < and > is generally not[…]