Security News

Re: end of useable crypto in browsers?

Full Disclosure - 15 April, 2016 - 09:25

Posted by Sebastian on Apr 15

On 2016-04-14 16:19, Reindl Harald wrote:

I don't. But even if you roll your own CA, you'll have a hard time
avoiding someone with a wildcard CA (updater, every other page you open,
...). Also, to use <keygen> you need to have a secure connection
beforehand (or use http, which would make every MITM happy). Now it is
possible to work around this, too, but then you may as well use a fully
encrypted channel.

The actual point...

Re: end of useable crypto in browsers?

Full Disclosure - 15 April, 2016 - 09:25

Posted by Reindl Harald on Apr 15

On 14.04.2016 at 00:54, Sebastian wrote:

how do you come to the conclusion that you need any 3rd party CA for a
client certificate which you accept on your server?

Bugtraq: ESA-2016-036: EMC Unisphere for VMAX Virtual Appliance Arbitrary File Upload Vulnerability

Security Focus Vulnerabilities - 15 April, 2016 - 08:50
ESA-2016-036: EMC Unisphere for VMAX Virtual Appliance Arbitrary File Upload Vulnerability

[SECURITY] [DSA 3549-1] chromium-browser security update

Bug Traq - 15 April, 2016 - 08:28

Posted by Michael Gilbert on Apr 15

-------------------------------------------------------------------------
Debian Security Advisory DSA-3549-1 security () debian org
https://www.debian.org/security/ Michael Gilbert
April 15, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2016-1651...

AST-2016-005: TCP denial of service in PJProject

Bug Traq - 15 April, 2016 - 01:08

Posted by Asterisk Security Team on Apr 14

Asterisk Project Security Advisory - AST-2016-005

Product Asterisk
Summary TCP denial of service in PJProject
Nature of Advisory Crash/Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Critical...

Bugtraq: Securing Android Applications from Screen Capture

Security Focus Vulnerabilities - 15 April, 2016 - 01:05
Securing Android Applications from Screen Capture

AST-2016-004: Long Contact URIs in REGISTER requests can crash Asterisk

Bug Traq - 15 April, 2016 - 00:59

Posted by Asterisk Security Team on Apr 14

Asterisk Project Security Advisory - AST-2016-004

Product Asterisk
Summary Long Contact URIs in REGISTER requests can crash Asterisk
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions...

NEW VMSA-2016-0004 VMware product updates address a critical security issue in the VMware Client Integration Plugin

Bug Traq - 15 April, 2016 - 00:52

Posted by VMware Security Response Center on Apr 14

------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0004
Synopsis: VMware product updates address a critical security issue in
the VMware Client Integration Plugin
Issue date: 2016-04-14
Updated on: 2016-04-14 (Initial Advisory)
CVE number: CVE-2016-2076

1. Summary

VMware vCenter Server, vCloud Director (vCD), vRealize Automation...

ESA-2016-036: EMC Unisphere for VMAX Virtual Appliance Arbitrary File Upload Vulnerability

Bug Traq - 15 April, 2016 - 00:43

Posted by Security Alert on Apr 14

ESA-2016-036: EMC Unisphere for VMAX Virtual Appliance Arbitrary File Upload Vulnerability

EMC Identifier: ESA-2016-036
CVE Identifier: CVE-2016-0889
Severity Rating: CVSS v3 Base Score: 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)

Affected products:
EMC Unisphere for VMAX Virtual Appliance prior to 8.2.0

Summary:
EMC Unisphere for VMAX Virtual Appliance contains a fix for an arbitrary file upload vulnerability. This vulnerability
could...

Bugtraq: Mybb Cms (private.php Page) Denial Of Service Vulnerability

Security Focus Vulnerabilities - 15 April, 2016 - 00:40
Mybb Cms (private.php Page) Denial Of Service Vulnerability

Bugtraq: Django CMS v3.2.3 - Filter Bypass & Persistent Vulnerability

Security Focus Vulnerabilities - 15 April, 2016 - 00:40
Django CMS v3.2.3 - Filter Bypass & Persistent Vulnerability

Bugtraq: [SECURITY] [DSA 3548-2] samba regression update

Security Focus Vulnerabilities - 15 April, 2016 - 00:40
[SECURITY] [DSA 3548-2] samba regression update

Bugtraq: [SECURITY] [DSA 3548-1] samba security update

Security Focus Vulnerabilities - 15 April, 2016 - 00:40
[SECURITY] [DSA 3548-1] samba security update

Securing Android Applications from Screen Capture

Bug Traq - 15 April, 2016 - 00:34

Posted by research on Apr 14

Original here:
https://blog.nightwatchcybersecurity.com/research-securing-android-applications-from-screen-capture-8dce2c8e21d#.bw2qwe213

Research: Securing Android Applications from Screen Capture

Summary (TL;DR)
Apps on Android and some platform services are able to capture other apps' screens by using the MediaProjection API.
Because of the way this API implements "securing" sensitive screens, there exist some possible...

AST-2016-005: TCP denial of service in PJProject

Full Disclosure - 14 April, 2016 - 17:23

Posted by Asterisk Security Team on Apr 14

Asterisk Project Security Advisory - AST-2016-005

Product Asterisk
Summary TCP denial of service in PJProject
Nature of Advisory Crash/Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Critical...

AST-2016-004: Long Contact URIs in REGISTER requests can crash Asterisk

Full Disclosure - 14 April, 2016 - 17:23

Posted by Asterisk Security Team on Apr 14

Asterisk Project Security Advisory - AST-2016-004

Product Asterisk
Summary Long Contact URIs in REGISTER requests can crash Asterisk
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions...

Call for Papers for 4th Balkan Computer Congress – BalCCon2k16

Full Disclosure - 14 April, 2016 - 08:56

Posted by Milos Krasojevic on Apr 14

Call for Papers for 4th Balkan Computer Congress – BalCCon2k16

09|10|11 September 2016, Novi Sad, Vojvodina, Serbia, Europe, Earth,
Milky Way

The BalCCon2k16 staff are now soliciting papers to be presented at our
BalCCon2k16 Congress to be held 09 - 11th September in Novi Sad, Serbia.
The CfP is open until 1st July 2016.

https://balccon.org

The Event

Balkan Computer Congress is an annual three days gathering of the
international hacker...

Re: end of useable crypto in browsers?

Full Disclosure - 14 April, 2016 - 08:56

Posted by Sebastian on Apr 14

Hey,

That's true. But the keygen element is flawed by the known-broken CA
system(*) and you can't build a secure house on a broken foundation. You
could check whether the certificate for your site is issued by your CA,
but if they can issue certificates they could simply attack your browser's
updater. Our only hope for truly secure communication is tools like PGP
combined with anonymity through, for example, TOR or freenet (not the...

Re: end of useable crypto in browsers?

Full Disclosure - 14 April, 2016 - 08:55

Posted by Árpád Magosányi on Apr 14

No doubt keygen has its problems. But there should be a bit more reason
for entirely removing a technology which is needed than "it is not
mature enough yet".
One reason the whole symmetric crypto technology could not mature is
because getting key deployment right is not a straightforward task
(fscked up trust relationships did not help either, but that is an issue
which we can work around. With smart key management. Oh, wait...) ....

Re: end of useable crypto in browsers?

Full Disclosure - 14 April, 2016 - 08:55

Posted by Sebastian on Apr 14

Hey,

to put it simply: No.

The real problem is that no one is using it. Yes, it is pretty secure,
but it's too much trouble for most users (try to log in from your phone)
and also a baseless PITA for most server operators. It's also not good
for business (you need to be able to restore the certificate easily,
have multiple devices, all your servers need https ...). To make matters
worse, many browsers don't even bother supporting it...