Who stole my cookie? BlackHat 2013 reveals “BREACH” – a massive SSL exposure

If you develop or use web-based products that rely on SSL (which is actually everyone), you now have a new topic to worry about.

At the BlackHat USA 2013 conference in August, researchers demonstrated an exploit that exposes header data from SSL sessions, named “BREACH”.

The claim is that they could quickly and easily expose session header data for compressed SSL sessions, using a statistics-based algorithm. They inject their own data into the session, then use statistics to analyze the resulting compressed web server response and infer what the original session header data included.

This puts at risk any product that includes a web service which repeatedly communicates sensitive data, such as security tokens, cookie information and the like, in the session header information.
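To make the mechanism concrete, here is an added example (my own code, not from the BlackHat talk or any real product) that compresses a constructed page which echoes user input next to a fixed token, shows how the compressed length shrinks as a guess shares more leading bytes with the token, and then applies per-response masking, one of the mitigations proposed alongside the attack's disclosure, which removes that signal. The page template, the token value and every helper name are assumptions made for the illustration.

```python
import secrets
import zlib

# Constructed sample token and page template; not taken from any real application.
SECRET_TOKEN = "7f3a9c2e1b"
PROBE = 'name="csrf_token" value="'   # attacker-controlled text echoed next to the secret

def render(reflected: str, token: str) -> bytes:
    """A response that echoes user input on the same page as a fixed secret."""
    return (f'<p>No results for "{reflected}"</p>\n'
            f'<input type="hidden" name="csrf_token" value="{token}">').encode()

def compressed_size(reflected: str, token: str) -> int:
    """What an on-path observer sees: TLS hides the bytes, not the compressed length."""
    return len(zlib.compress(render(reflected, token), 6))

def size_by_shared_prefix(token: str = SECRET_TOKEN, filler: str = "0d4e8a1c5f") -> list:
    """Compressed size as the echoed guess shares 0..len(token) leading bytes with the secret.
    The downward trend is the signal BREACH extracts statistically, one byte at a time."""
    return [compressed_size(PROBE + token[:n] + filler[n:], token)
            for n in range(len(token) + 1)]

def mask_token(token: str) -> str:
    """Mitigation: XOR the stored token with a fresh random mask on every response and
    send mask||masked, so the literal token never appears in the compressed output."""
    mask = secrets.token_bytes(len(token))
    masked = bytes(m ^ t for m, t in zip(mask, token.encode()))
    return (mask + masked).hex()

def unmask_token(value: str) -> str:
    """Server side: recover the stored token from a submitted mask||masked value."""
    raw = bytes.fromhex(value)
    mask, masked = raw[:len(raw) // 2], raw[len(raw) // 2:]
    return bytes(m ^ t for m, t in zip(mask, masked)).decode()

def masked_gap(trials: int = 100, token: str = SECRET_TOKEN, filler: str = "0d4e8a1c5f") -> float:
    """Mean size gap between a fully correct guess and a wrong one once the token is masked;
    it hovers around zero because the page no longer repeats the guessed bytes."""
    gaps = []
    for _ in range(trials):
        shown = mask_token(token)   # a different value on every response
        gaps.append(compressed_size(PROBE + filler, shown) - compressed_size(PROBE + token, shown))
    return sum(gaps) / trials

if __name__ == "__main__":
    sizes = size_by_shared_prefix()
    print("compressed size by shared prefix length:", sizes)
    print("unmasked gap, full match vs none: %d bytes" % (sizes[0] - sizes[-1]))
    print("masked gap, averaged over responses: %.2f bytes" % masked_gap())
```

Turning off HTTP compression for responses that carry secrets has the same effect as masking, at a bandwidth cost; either way the property to check is that a response's compressed length no longer depends on what the user-controlled part shares with the secret.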

This seems like a massive issue for these reasons:

  • Most web servers use compressed responses to avoid a major performance hit
  • Many developers have been assuming they can allow repeated session security information in session headers, relying on SSL to hide it
  • The researchers will disclose the exploit code to the public
  • No workaround is expected in the near future, except for developers' deep review and correction of their session header transmissions
  • Developers, be warned!

Users, better review your critical web app providers' security awareness and responsiveness…

Kali Linux goes Backtrack

For you security pen testers, there is a new kid in town.

Kali Linux is the new distribution of the famous BackTrack Linux, used for 7+ years as the pen testers' open source toolset of choice.

Why should you consider using it?

1. It’s what the Backtrack team will be supporting for the long term
2. Synced with Debian (if you prefer Debian) – you can get automatic daily updates if any are available
3. Security tools are closely inspected and maintained
4. You can customize your Kali installation during its setup
5. Automated installs (fresher than stale point-in-time ISOs…)
6. Better ARM architecture support for the tools
7. Flexible choice of your desktop environment (KDE, LXDE, XFCE, anything else)
8. No need to reinstall or re-set up your Kali install when new major Kali versions are released

All in all, Backtrack got “Enterprised” into Kali…

Would you now switch to Kali Linux?

Note that both Backtrack and Kali Linux contain great tools such as Nessus and Metasploit, set up for “labor-intensive” use. If you want them to automatically do the work for you, across many systems, through a workflow that will save you a LOT of time, you’ll have to pay for the “Professional” variants of those tools.

If cell phones can be tracked then firearms should be too

My heart cries for those children and teachers who were massacred in Connecticut.

If you must live with all those weapons, then maybe consider asking for armed guards at public locations.

Also, maybe what’s true for cell phones should be true for the weapons owned by civilians: one’s gun should be tracked, triggering an alert as it approaches public places.

Is it easy to do?

No, it is not, and yet that’s what you should ask for.