
My take on the SSL MITM Attacks – part 3 – the FTPS attacks

[Note - for previous parts in this series, see Part 1 and Part 2.] FTP, and FTP over SSL, are my specialist subject, having written one of the first FTP servers for Windows to support FTP over SSL (and the first standalone FTP server for Windows!) Rescorla...

My take on the SSL MitM Attacks – part 2 – clarifications

Since the last post I made on the topic of SSL renegotiation attacks, I’ve had a few questions in email. Let’s see how well I can answer them: Q. Some stories talk about SSL, others about TLS, what’s the difference? A. For trademark reasons, when SSL...

My take on the SSL MITM Attacks – part 1 – the HTTPS attack

If you’re in the security world, you’ve probably heard a lot lately about new and deadly flaws in the SSL and TLS protocols – so-called “Man in the Middle” attacks (aka MITM). These aren’t the same as old-style MITM attacks, which relied on the attacker...

Why changing passwords should be done regularly

A little birdie sent me a copy of today’s SANS ISC diary entry. That’s a good thing, because I’m at home sick with alleged piggy flu, and I’m not able to keep up with a whole lot. The diary entry argues that regular changes of passwords are often done...

White House moves to Open Source

Subtitle: Media posts uninformed rubbish as commentary. From the MSNBC story “White House opens Web site coding to public”: "Security is fundamentally built into the development process because the community is made up of people from all across...
Posted by Alun Jones | with no comments

Phishing at Hotmail, GMail, Yahoo! Mail, etc.

Recent password exposures at a number of online email services remind me to give a little advice on passwords. Definitely use this as a reminder to do something about your passwords – but don’t do the obvious thing. Don’t rush round and change all your...

SAL-like code annotations for Java

http://types.cs.washington.edu/jsr308/ seems to be talking about a set of type annotations for Java that are similar to those provided in Microsoft Visual C++ by SAL, the Standard Annotation Language. One thing that the Java annotations have going for...

Sometimes It Seems Like Unix(*) Needs to Learn from Windows

(*) By “Unix”, I mean Linux, Unix, AIX, OS/X, and similar flavours. Way back when, about twenty or so years ago, I was a Unix admin, and a Unix developer. I had to be both, because I was the only person in the company who could spell Unix...

Would you behave differently in a shared office?

How would you change your behaviour at work if you knew the person seated one desk over worked for a competitor? How would your behaviour change if you knew the person one cubicle over was about to work for a competitor? What if you knew that your cubicle...

How FTP Data Connections Work Part 2 (OR: Fun With Port 20)

As we mentioned in the 1st part of this series, FTP is a more complex protocol than many, using one control connection and one data connection. A recap of the first post… In typical Stream Mode operation, a new data connection is opened and closed for...

How FTP Data Connections Work Part 1 (OR: Don’t Open Port 20 in your Firewall!)

This will be the first of a couple of articles on FTP, as I’ve been asked to post this information in an easy-to-read format in a public place where it can be referred to. I think my expertise in developing and supporting WFTPD and WFTPD Pro allow me...

Microsoft TechFest

Last week, I went to Microsoft’s TechFest as part of their “Public Day”. This is the first time MVPs as a group have been invited to this event, and although it’s clear we missed some of the demonstrations that are not public-ready, this is something...

If Your GPS Worked Like An Information Security Team

… it would fend off dangerous drivers from hitting you. … it would give you regular statistics on the number of accidents on your daily route, so you could make decisions to avoid newly bad parts of town. … it would help you plan...

When “All” isn’t everything you need – Terminal Services Gateway certificates.

Setting up Terminal Services Gateway on Windows Server 2008 the other day. It’s an excellent technology, and one I’ve been waiting for for some time – after all, it’s fairly logical to want to have one “bounce point” into which you connect, and have your...

Debugging SSTP error -2147023660

Setting up an SSTP (Secure Socket Tunneling Protocol) connection earlier, I encountered a vaguely reminiscent problem. [SSTP allows virtual private network – VPN – connections between clients running Vista Service Pack 1 and later and servers running...

The CWE Top 25 Programming Mistakes

I’ve read some debate about the top 25 programming mistakes as documented by the CWE (Common Weakness Enumeration) project, in collaboration with the SANS Institute and MITRE. That the list isn’t complete, that there are some items that aren’t in...

“Fully Stealthed” means fully spoofable

Every so often, someone on one of the security mailing lists to which I subscribe will post a frothing rant from someone who has discovered their own personal “magic bullet” which solves all their security woes. This time, it’s a guy who was convinced...

Microsoft Security Advisory – MD5 collisions

I would hardly be able to call my blog “Tales from the Crypto” if I didn’t pass at least some comment on the recent Microsoft Security Advisory, and the technical pre-paper on which it is based. To an uninformed reader, the advisory (and especially...

Redmond Report says “Vista Kernel Flawed”

This is just some lovely reporting: Vista Kernel Ready To Pop? Vista, due largely to its lockdown of user rights, is far more secure than XP. But it's not 100 percent safe. In fact, the kernel itself has an issue that could lead to buffer overflow...

Nobody stopped me, as I put the second laptop into my bag...

I have two laptops that I carry with me most places I go. This isn't showing off, it's just something I do for a number of reasons. (One laptop is for work, the other is personal) On a recent trip, I wanted to leave one with my wife as she dropped...