Researchers have uncovered a flaw in the way that some servers handle the Diffie-Hellman key exchange, a bug that’s somewhat similar to the FREAK attack and threatens the security of many Web and mail servers. The bug affects all of the major browsers and any server that supports export-grade 512-bit Diffie-Hellman cryptography.

Keywhiz makes managing secrets easier and more secure. Keywhiz servers in a cluster centrally store secrets encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI. To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.

Hyperfox is a security tool for proxying and recording HTTP and HTTPs communications on a LAN.

Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key (both provided by the user). If the target machine recognizes the root CA as trusted, then HTTPs traffic can be succesfully intercepted and recorded.

Wifiphisher is a security tool that mounts fast automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

You may have heard that the NSA can decrypt SSH at least some of the time. If you have not, then read the latest batch of Snowden documents now. All of it. This post will still be here when you finish. My goal with this post here is to make NSA analysts sad.

TL;DR: Scan this post for fixed width fonts, these will be the config file snippets and commands you have to use.

Although there are a few different public-key encryption algorithms, the most popular — and fortunately, the easiest to understand — is the RSA algorithm, named after its three inventors Rivest, Shamir and Adelman. To apply the RSA algorithm, you must find three numbers e, d and n related such that ((m^e)^d) % n = m. Here, e and n comprise the public key and d is the private key. When one party wishes to send a message in confidence to the holder of the private key, he computes and transmits c = (m^e) % n. The recipient then recovers the original message m using m = (c^d) % n.

This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server2. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.

SSL certificates are signed using a one-way hash — usually SHA-1.

Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.

If you run a website that uses SSL, you can test your website using a small SHA-1 testing tool I built that will tell you what you need to do.

Even if you don't, I encourage you to read on. In the rest of this post, I'll cover how SSL and SHA-1 work together on the web, why it's as urgent as Google says it is, and what web browsers are doing.

It’s called the Microsoft Tech Support scam, and it’s been around for years. Last week, Emsisoft and Bleeping Computer intercepted one of these scammers, and in addition to messing with him for a good three hours, we took detailed notes on how the Microsoft Tech Support scam works.