Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.
Nobody has ever implemented an OAuth flow for their application and then said, “That was fun. Let’s do it again.”
Don’t believe me? Just go to Twitter and search for “OAuth Sucks”. Or just search “OAuth”. Or best of all just follow the OAuthSucks Twitter account. It’s a sentiment that’s so common, it has it’s own Twitter account. How did I find this account? I tried to register it of course.
But why is OAuth so awful? And does it have to be this way? In this post, we’ll take a look. OAuth (2.0 specifically) has a litany of problems, starting with the fact that the 2.0 spec itself essentially allows anything to be considered “OAuth compliant”.
blog.wercker.com/2015/07/28/Dockerfiles-considered-harmful.html, posted Oct '15 by peter in deployment docker opinion security
There are some obvious issues with running third-party Dockerfiles. Like most of the Docker ecosystem, Dockerfiles were designed for personal use by an individual with root access. Once you start distributing them, however, you’re essentially giving root to a stranger. This blog post is about why you shouldn’t even be using Dockerfiles for your own projects.
https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html, posted Sep '15 by peter in howto linux reference security
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team.
https://certsimple.com/blog/chrome-outdated-cryptography, posted Jul '15 by peter in howto networking security
So you've installed your certificate, it doesn't use SHA1, your preferred cipher suites use forward secrecy, RC4 is disabled and your site gets an 'A' rating in the SSL Labs handshake test.
Then someone visits your site in Chrome and notices the following:
Your connection to example.com is encrypted with obsolete cryptography.
This is a site you use to test clients – mobile apps, browsers, and many other applications that use HTTP applications and TLS – the Transport Layer Security protocol. We have designed a lot of tests that checks if your browser or client application really checks the identity of the server it’s trying to connect to. It is important that developers understand how TLS works and how site verification works.
New Logjam Attack on Diffie-Hellman Threatens Security of Browsers, VPNs | Threatpost | The first stop for security news
https://threatpost.com/new-logjam-attack-on-diffie-hellman-threatens-security-of-browsers-vpns/112916, posted May '15 by peter in security toread
Researchers have uncovered a flaw in the way that some servers handle the Diffie-Hellman key exchange, a bug that’s somewhat similar to the FREAK attack and threatens the security of many Web and mail servers. The bug affects all of the major browsers and any server that supports export-grade 512-bit Diffie-Hellman cryptography.
Keywhiz makes managing secrets easier and more secure. Keywhiz servers in a cluster centrally store secrets encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI. To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.
Hyperfox is a security tool for proxying and recording HTTP and HTTPs communications on a LAN.
Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key (both provided by the user). If the target machine recognizes the root CA as trusted, then HTTPs traffic can be succesfully intercepted and recorded.
Wifiphisher is a security tool that mounts fast automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.
Wifiphisher works on Kali Linux and is licensed under the MIT license.