Hacker: as defined by MIT, "someone who applies ingenuity to create a clever result, called a 'hack'". This message is primarily addressed to my friends in the info-sec community and to the regular readers of my blog.

Update (27/10/2013) - The results are below: we got no seat in the parliament but managed to get a respectable 3.0% of the votes.

Tomorrow, the 20th of October, we will have general elections in Luxembourg. Citizens of Luxembourg will be voting for the 60 seats in the Luxembourgish Parliament (the "Chamber of Deputies") and thus, implicitly, for their legislative representatives.

I have been pretty silent about this to my international friends, so here goes: I am running for a seat and can be elected as #21 on the central list of the "PiratePartei".

I have taken the decision to help (and I am being careful with my words here) due to an increasing number of scandals, including our very own NSAGATE, culminating in the formal filing of a "motion of no confidence" against the Juncker-led government in parliament.

This motion, however, was never voted upon, as PM Juncker announced his wish for new elections and the president of the Chamber simply closed the session before any vote could take place. These are just a few examples, but this kind of behaviour and the sheer number of scandals show that Luxembourg has reached a level of opacity that seems unhealthy for any modern society.

That said, there are many other things that are off from my personal perspective, so what better way to help change that than by supporting those who want to?

Wish us luck, and if you can vote tomorrow, consider voting for us. Let's start "hacking" (see above) the government from the inside out.

For the sake of sharing what I care about: below you will find our TV and radio spots and the programme (in Luxembourgish and German).



Yahoo! - "Wish list"

Yahoo! recently announced that it will release e-mail accounts that have been inactive for over a year, so that the addresses can be registered by anyone who asks for them. Yahoo! frames this as giving everyone the chance to get a Yahoo! ID of their choice.

Since many organisations, and web applications in particular, use e-mail addresses as part of authentication and identity management, a recycled address exposes the former Yahoo! user to a range of risks should it be claimed by somebody with bad intentions.

One plainly obvious threat is that e-mail addresses that are publicly known (or can be found out individually) are subject to "theft" by being claimed by third parties. These can then proceed to reset the passwords of their

Since the announcement, Yahoo! has been trying to retrofit some sort of security control into the process by getting the biggest players (Facebook among them) to honour a new e-mail header on password-reset messages. To that end Yahoo! pushed an IETF draft called "Require-Recipient-Valid-Since Header Field" in mid July 2013.
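As an added illustration of how the proposed header is meant to work (example code written for this post, not Yahoo!'s code and not a reference implementation of the draft), the snippet below shows both sides of the check: the sender stamps the time it last confirmed the address, and a mailbox provider that recycles addresses compares that stamp against its own record of when the current owner took the mailbox. The header layout is the one later published as RFC 7293; the addresses, ownership dates, function names and result codes are constructed for the example.

```python
"""Both sides of the Require-Recipient-Valid-Since (RRVS) header.

A sender (say a web site mailing a password-reset link) states when it last
confirmed that the recipient address belonged to its user.  A mailbox provider
that recycles addresses records, per address, when the *current* owner took
control.  If that is later than the sender's timestamp, the address has changed
hands since the sender last checked, and the message must not be delivered:
it would land with a stranger who could finish the reset.

Header syntax (RFC 7293, the published form of the 2013 draft):
    Require-Recipient-Valid-Since: <addr-spec>; <date-time>
Addresses, dates and result strings below are constructed for this example.
"""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed ownership registry: when the current holder of each mailbox took it.
MAILBOX_OWNER_SINCE = {
    "alice@example.net": datetime(2011, 3, 1, tzinfo=timezone.utc),   # same owner for years
    "bob@example.net": datetime(2013, 8, 15, tzinfo=timezone.utc),    # recycled, re-registered
}


def make_rrvs_header(addr, confirmed_at):
    """Sender side: header value from the time the address was last confirmed."""
    if confirmed_at.tzinfo is None:
        raise ValueError("confirmed_at must be timezone-aware")
    return f"{addr.strip().lower()}; {format_datetime(confirmed_at)}"


def parse_rrvs(value):
    """Split 'addr; date-time' into (lower-cased addr, aware datetime); ValueError on junk."""
    addr, sep, when = value.partition(";")
    if not sep or not addr.strip():
        raise ValueError("malformed RRVS header")
    ts = parsedate_to_datetime(when.strip())
    if ts.tzinfo is None:   # '-0000' yields a naive datetime: unusable for comparison
        raise ValueError("RRVS timestamp must carry a timezone")
    return addr.strip().lower(), ts


def rrvs_decision(header_value, recipient, owner_since=MAILBOX_OWNER_SINCE):
    """Receiver side: 'deliver', 'reject-changed-owner' or 'reject-unknown'.

    Fails closed: an address with no ownership record cannot be confirmed, so a
    message that asserts RRVS for it is bounced rather than guessed about.
    """
    addr, valid_since = parse_rrvs(header_value)
    if addr != recipient.strip().lower():
        # The assertion concerns some other address (alias, forwarding); this
        # mailbox cannot evaluate it, so the header does not block delivery.
        return "deliver"
    since = owner_since.get(addr)
    if since is None:
        return "reject-unknown"
    if since > valid_since:
        return "reject-changed-owner"
    return "deliver"


if __name__ == "__main__":
    confirmed = datetime(2013, 6, 1, tzinfo=timezone.utc)   # site last verified both addresses in June
    for who in ("alice@example.net", "bob@example.net"):
        value = make_rrvs_header(who, confirmed)
        print(f"{HEADER}: {value}  ->  {rrvs_decision(value, who)}")
```

The check only protects senders that actually emit the header with an honest timestamp, and only at providers that keep ownership history for recycled addresses and evaluate it before delivery; a sender that never re-confirms its users' addresses gains nothing from it.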

It is not a Question of "IF"

This is merely an attempt at reducing the amount of damage that will arise from Yahoo!'s recently announced move. There are many reasons an e-mail address can lie dormant yet remain important to its owner, especially when it was used for registration purposes.

It is also not a theoretical matter: password-reset functionality is known to be a weak link, and taking over an e-mail address as the first hop of an identity theft is common.

It is not a question of whether this new Yahoo! move will be abused; it will be.

A story from the Past


I uploaded a new version of "Harden SSL/TLS"

Changes

  • Added Windows 8 support
  • Added Windows Server 2012 support
  • Resolved an issue around P521 additions

About Harden SSL/TLS 

"Harden SSL/TLS" allows you to configure and harden the SSL/TLS settings of Windows systems, from Windows XP to Windows 8 and from Windows Server 2003 to Windows Server 2012.

Harden SSL/TLS can also set SSL policies remotely, allowing or denying individual ciphers and hashes or complete cipher suites.

The foundation of this tool was the investigation and reverse engineering of the ciphers provided by the various SCHANNEL versions, carried out by G-SEC and presented in the paper "SSL/TLS Compatibility Report".

Specifically, this tool allows setting policies governing which ciphers and protocols are available to applications that use the SCHANNEL crypto interface. A lot of Windows applications use this interface; Internet Explorer and Apple Safari are two of them.
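To make concrete what such a policy looks like at the registry level, here is an added example written for this post (it is not the Harden SSL/TLS source). It computes the Schannel registry writes for a policy, applies them to the local or a remote HKLM, and reads the result back to report what is still enabled. The key layout is Microsoft's documented SCHANNEL registry layout; the in-memory store, the function names and the protocol and cipher names chosen in the demo are assumptions for the example.

```python
r"""Schannel protocol/cipher policy as registry writes, with a read-back audit.

Schannel takes its policy from
  HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
      \Protocols\<protocol>\Client|Server : Enabled, DisabledByDefault (REG_DWORD)
      \Ciphers\<cipher>                    : Enabled (REG_DWORD)
      \Hashes\<hash>                       : Enabled (REG_DWORD)
An absent key means "default", which for these items is enabled; Enabled = 0
disables the item (the documented "enabled" value is 0xFFFFFFFF).  The policy
is read at boot, so a reboot is needed before a change takes effect.
"""
SCHANNEL = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
SIDES = ("Client", "Server")


def _key(*parts):
    return "\\".join(parts)


def plan_policy(disable_protocols=(), disable_ciphers=(), disable_hashes=(), sides=SIDES):
    """Return the (subkey, value name, dword) writes that implement the policy."""
    writes = []
    for proto in disable_protocols:
        for side in sides:
            sub = _key(SCHANNEL, "Protocols", proto, side)
            writes.append((sub, "Enabled", 0))
            writes.append((sub, "DisabledByDefault", 1))
    for cipher in disable_ciphers:
        writes.append((_key(SCHANNEL, "Ciphers", cipher), "Enabled", 0))
    for hsh in disable_hashes:
        writes.append((_key(SCHANNEL, "Hashes", hsh), "Enabled", 0))
    return writes


def audit(reader, protocols, ciphers, sides=SIDES):
    """reader(subkey, name) -> dword or None.  Returns what is still enabled."""
    still = {"protocols": [], "ciphers": []}
    for proto in protocols:
        for side in sides:
            value = reader(_key(SCHANNEL, "Protocols", proto, side), "Enabled")
            if value is None or value != 0:          # absent or non-zero: enabled
                still["protocols"].append(f"{proto} ({side})")
    for cipher in ciphers:
        value = reader(_key(SCHANNEL, "Ciphers", cipher), "Enabled")
        if value is None or value != 0:
            still["ciphers"].append(cipher)
    return still


# --- in-memory stand-in for the registry (constructed, for offline use) ------
def dict_reader(store):
    return lambda sub, name: store.get((sub, name))


def apply_to_store(store, writes):
    for sub, name, value in writes:
        store[(sub, name)] = value


# --- the real thing: local or remote HKLM via winreg (Windows only) -----------
def _hklm(computer=None):
    import winreg  # only importable on Windows
    # Remote access needs the Remote Registry service and admin rights on the target.
    target = None if computer is None else "\\\\" + computer
    return winreg, winreg.ConnectRegistry(target, winreg.HKEY_LOCAL_MACHINE)


def registry_reader(computer=None):
    winreg, hive = _hklm(computer)

    def read(sub, name):
        try:
            with winreg.OpenKey(hive, sub) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:          # key or value absent -> Schannel default
            return None
    return read


def apply_policy(writes, computer=None):
    winreg, hive = _hklm(computer)
    for sub, name, value in writes:
        with winreg.CreateKeyEx(hive, sub, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)


if __name__ == "__main__":
    # Illustrative hardening: drop SSL 2.0/3.0 plus the RC4 and single-DES ciphers.
    writes = plan_policy(disable_protocols=["SSL 2.0", "SSL 3.0"],
                         disable_ciphers=["RC4 128/128", "RC4 40/128", "RC4 56/128", "DES 56/56"])
    for sub, name, value in writes:
        print(f"HKLM\\{sub}  {name} = {value}")
    # apply_policy(writes, computer="srv01"); reboot srv01; then:
    # print(audit(registry_reader("srv01"), ["SSL 2.0", "SSL 3.0", "TLS 1.0"], ["RC4 128/128"]))
```

Two caveats when doing this remotely: the policy is per-OS (Windows XP and Server 2003 have no TLS 1.1/1.2, so a plan that disables TLS 1.0 there leaves nothing), and the write must never remove the last protocol and suite that your own management session (RDP, WinRM) depends on, or the reboot that activates the policy is also the moment you lose access.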


Interesting Reads - Week 12 / 2013


Food for thought 



I have updated my little TLS/SSL scanner called "SSL Audit" to version 0.8. I tweaked it slightly, but the tool is still based on its own rudimentary SSL engine and hence is not limited by the number of ciphersuites and protocols available to OpenSSL or NSS.

By the way, I am still a little bit proud of the SSL stack fingerprinting feature. I haven't updated it recently, but it still seems to work nicely. Try it out and let me know, especially if you have access to lesser-known SSL stacks.
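What "its own SSL engine" buys a scanner is easiest to see in code. The following is an added example written for this post, not SSL Audit's source: it serializes a ClientHello that offers arbitrary suite identifiers, classifies the server's first record, and enumerates supported suites one probe at a time; an in-process fake server lets it run offline. Suite ids are the IANA-registered values; the fake server's selection policy, the transport helper and all names are assumptions.

```python
"""Cipher suite enumeration with a hand-rolled TLS handshake.

A ClientHello is just bytes: any 16-bit suite id can be offered, whether or not
the local OpenSSL/NSS build knows it.  Offer one suite at a time and classify
the reply: ServerHello means supported, an alert means not.  The alert code and
record version a server answers with are also raw material for stack fingerprinting.

Assumptions: TLS 1.2 ClientHello with at most an SNI extension, null compression,
IANA suite ids, and a constructed in-process server for offline use.
"""
import os
import socket
import struct

HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS12 = 0x0303
HANDSHAKE_FAILURE = 40

# A few IANA suite ids; the scanner is not limited to what OpenSSL compiles in.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC03C: "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
}


def _record(ctype, version, payload):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites, version=TLS12, sni=None):
    """Serialize a ClientHello offering exactly `suites` (list of 16-bit ids)."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                 # one compression method: null
    if sni:
        host = sni.encode("idna")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host     # name type 0 = host_name
        ext = struct.pack("!H", len(name_list)) + name_list
        exts = struct.pack("!HH", 0, len(ext)) + ext                    # extension type 0 = server_name
        body += struct.pack("!H", len(exts)) + exts
    # Record-layer version 3.1 keeps version-intolerant servers talking.
    return _record(HANDSHAKE, 0x0301, _handshake(CLIENT_HELLO, body))


def parse_client_hello_suites(record):
    """Suites offered in a serialized ClientHello (used by the fake server)."""
    body = record[5 + 4:]                      # skip record and handshake headers
    off = 2 + 32
    off += 1 + body[off]                       # session id
    count = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + count, 2)]


def parse_server_response(data):
    """('accepted', suite) for a ServerHello, ('rejected', alert_description) for an alert."""
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == ALERT:
        return "rejected", payload[1]
    if ctype == HANDSHAKE and payload[0] == SERVER_HELLO:
        off = 4 + 2 + 32
        off += 1 + payload[off]                # session id
        return "accepted", struct.unpack("!H", payload[off:off + 2])[0]
    raise ValueError("unexpected record type %d" % ctype)


def enumerate_suites(exchange, candidates):
    """Offer each candidate alone; exchange(client_hello) returns the first server record."""
    supported = []
    for suite in candidates:
        status, value = parse_server_response(exchange(build_client_hello([suite])))
        if status == "accepted":
            if value != suite:                 # a broken stack picking an unoffered suite
                raise ValueError("server chose 0x%04X, which was not offered" % value)
            supported.append(suite)
    return supported


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full record arrived")
        buf += chunk
    return buf


def tcp_exchange(host, port=443, timeout=5.0):
    """Real transport: one connection per probe, returns the first server record."""
    def exchange(client_hello):
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(client_hello)
            header = _recv_exact(s, 5)
            return header + _recv_exact(s, struct.unpack("!H", header[3:5])[0])
    return exchange


def make_fake_server(server_suites):
    """Constructed stand-in: picks the first offered suite it supports, else handshake_failure."""
    def exchange(client_hello):
        for suite in parse_client_hello_suites(client_hello):
            if suite in server_suites:
                body = struct.pack("!H", TLS12) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
                return _record(HANDSHAKE, TLS12, _handshake(SERVER_HELLO, body))
        return _record(ALERT, TLS12, bytes([2, HANDSHAKE_FAILURE]))    # level 2 = fatal
    return exchange


if __name__ == "__main__":
    found = enumerate_suites(make_fake_server({0x002F, 0xC03C}), list(SUITES))
    print([SUITES[s] for s in found])
    # live use: enumerate_suites(tcp_exchange("tls.example.org"), list(SUITES))
```

Real servers are messier than the fake one: some drop the connection instead of sending an alert, some answer with a ServerHello for a suite that was never offered, and SSLv2 uses a different record format entirely, which is why the single-suite probe checks that the chosen suite was actually in the offer.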

Changes

  • Added support for TLS 1.2 Camellia ciphersuites;
  • Speed up SSLv2 enumeration;
  • Added the complete range of ARIA ciphersuites (http://tools.ietf.org/html/draft-nsri-tls-aria-00)
SSL Audit v0.8

Download