Tuesday 3 December 2013

Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder

(external source)
One month ago today, we wrote about Adobe's giant data breach. As far as anyone knew, including Adobe, it affected about 3,000,000 customer records, which made it sound pretty bad right from the start.
Read more => http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

Adobe credentials and the serious insecurity of password hints

(external source)
Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint.
Read more => http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html

TOR. Where, simply put, should you start looking?

(external source)
No need to introduce TOR? For those just waking up, and to keep it really short, it is a network of decentralised routers organised into nodes whose purpose is to relay TCP flows anonymously.
Read more => http://neosting.net/tor-onion-list

Wednesday 16 October 2013

Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks

(this abstract is from an external source)
Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code into LSASS or using the Volume Shadow Copy service to obtain copies of the files which contain the hashes.
Read more => http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/

Tuesday 15 October 2013

Burp’s Session Handling Mechanisms

(this abstract is from an external source)
Web applications nowadays handle sessions and state by implementing session expiration and the session ID lifecycle in a more secure manner to avoid security issues such as session hijacking. They will invalidate your session based on idle timeout or absolute timeout, as suggested by OWASP.
Read more => http://resources.infosecinstitute.com/burps-session-handling-mechanisms/

Motorola Is Listening

(this abstract is from an external source)
In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel.
Read more => http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html

The DOs and DON’Ts of PKI – Microsoft ADCS
DON’T install PKI without a detailed plan. Ask yourself what you need it for, what features you will use and whether it would be scalable enough in the future. DO use Windows Server Enterprise Edition for Active Directory user enrollment.
http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/

Hierarchies in PKI
A PKI hierarchy can have one or more tiers. In a single-tier PKI environment your only CA server will be the Root CA. If you have more tiers, your Root CA will issue subordinate CA certificates to the CA servers below the root.
http://networklore.com/hierarchies-in-pki/