Yahoo! - "Wish list"

Yahoo! recently announced that it will open up e-mail accounts that have been inactive for over a year for registration by anyone who asks for them. Yahoo! is framing this as giving everyone the chance to get a Yahoo! ID of their choice.

As many organisations, and web applications in particular, use e-mail addresses as part of authentication and identity management, Yahoo! e-mail users are exposed to a number of risks should their de-activated e-mail address be claimed by somebody with bad intentions.

One plainly obvious threat is that e-mail addresses that are publicly known (or can be found out individually) are subject to "theft" by being claimed by third parties. These can then proceed to reset the passwords of their 

Since the announcement Yahoo! has been trying to retrofit some sort of security control into the process by getting the biggest players (Facebook) to implement a new e-mail header for password verification. To that end Yahoo! pushed an IETF draft called "Require-Recipient-Valid-Since Header Field" in mid July 2013.
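To make the mechanism concrete, here is an added example (my own illustration, not Yahoo!'s code and not the IETF draft's reference implementation) of how a Require-Recipient-Valid-Since check fits into a password-reset mail. The sending web application stamps the mail with the recipient address and the date on which it last confirmed that the address belonged to the account holder; the receiving mailbox provider compares that date with its own record of when the mailbox was last (re)assigned and refuses delivery if the address changed hands in between. The provider's reassignment table and the addresses are constructed sample data.

```python
r"""Added example (not Yahoo!'s code and not the IETF draft's reference
implementation): wiring a Require-Recipient-Valid-Since (RRVS) check into a
password-reset mail. The header carries the recipient address and the date on
which the sender last confirmed that address belonged to the account holder;
a mailbox provider that recycled the address after that date rejects the
message instead of delivering it to the new owner. REASSIGNED_AT is a
constructed sample of the provider's records."""

from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"


def add_rrvs_header(msg, recipient, confirmed_at):
    """Sender side: assert that `recipient` belonged to our user as of
    `confirmed_at` (typically the sign-up or address-verification date).
    Value format: "addr-spec; RFC 5322 date-time"."""
    if confirmed_at.tzinfo is None:
        raise ValueError("confirmed_at must be timezone-aware")
    msg[HEADER] = f"{recipient}; {format_datetime(confirmed_at)}"
    return msg


def parse_rrvs(value):
    """Split an RRVS header value into (lower-cased address, aware datetime)."""
    addr, _, date = value.partition(";")
    return addr.strip().lower(), parsedate_to_datetime(date.strip())


# Constructed provider-side record: when each mailbox was last assigned to its
# current owner. alice@ was released and re-registered in July 2013; bob@ has
# had the same owner since 2009.
REASSIGNED_AT = {
    "alice@example.test": datetime(2013, 7, 20, tzinfo=timezone.utc),
    "bob@example.test": datetime(2009, 1, 5, tzinfo=timezone.utc),
}


def receiver_decision(msg, reassigned_at=REASSIGNED_AT):
    """Receiver side: "reject" when the mailbox changed hands after the date
    the sender vouches for, otherwise "deliver". Without the header there is
    nothing to check, so legacy mail is delivered as before."""
    value = msg.get(HEADER)
    if value is None:
        return "deliver"
    addr, valid_since = parse_rrvs(value)
    assigned = reassigned_at.get(addr)
    if assigned is not None and assigned > valid_since:
        return "reject"
    return "deliver"


def password_reset_mail(recipient, confirmed_at):
    """A reset mail as a web application would send it, RRVS header included."""
    msg = EmailMessage()
    msg["From"] = "noreply@webapp.test"
    msg["To"] = recipient
    msg["Subject"] = "Password reset"
    msg.set_content("Use the link in this mail to reset your password.")
    return add_rrvs_header(msg, recipient, confirmed_at)


def demo_decisions(signup=datetime(2012, 3, 1, tzinfo=timezone.utc)):
    """Run both sample recipients through the sender and receiver logic."""
    return {r: receiver_decision(password_reset_mail(r, signup))
            for r in REASSIGNED_AT}


if __name__ == "__main__":
    for rcpt, decision in demo_decisions().items():
        print(f"{rcpt}: {decision}")
```

The point of the design is that the sender only has to record one date per address, and the receiver only has to keep the reassignment date per mailbox; neither side learns anything new about the other's users. The protection is limited to senders that add the header and providers that honour it, which is why Yahoo! needs the big senders on board.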

It is not a Question of "IF"

This is merely an attempt at reducing the amount of damage that will arise from Yahoo!'s recently announced move. There are many reasons an e-mail address can be left dormant yet remain important to its owner, especially if it was used for registration purposes.

It is also not a theoretical matter: password reset functionality is known to be a weak link, and stealing an e-mail address as the first hop towards stealing an identity is common.

It is not a question of whether this new Yahoo! move will be abused, it will be.

A story from the Past


I uploaded a new version of "Harden SSL/TLS"

Changes

  • Added Windows 8 support
  • Added Windows Server 2012 support
  • Resolved an issue around P521 additions

About Harden SSL/TLS 

Harden SSL/TLS allows you to configure and harden the SSL/TLS settings of Windows systems, ranging from Windows XP to Windows 8 and from Windows Server 2003 to Windows Server 2012.

Harden SSL/TLS allows you to remotely set SSL policies allowing or denying certain ciphers/hashes or complete ciphersuites.

The foundation of this tool was the investigation and reverse engineering of the ciphers provided by the various SCHANNEL versions, carried out by G-SEC and presented in the paper "SSL/TLS Compatibility Report".

Specifically, this tool allows setting policies as to which ciphers and protocols are available to applications that use the SCHANNEL crypto interface. A lot of Windows applications use this interface; Internet Explorer and Apple Safari are two of them.
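For readers who want to see what such a policy looks like underneath, the following is an added example (my own illustration, not the Harden SSL/TLS tool's code) that renders a cipher/protocol policy as an importable .reg file and audits a .reg file for weak settings left enabled. The registry layout is Microsoft's documented SCHANNEL configuration: subkeys of HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL named Protocols\<name>\<Client|Server>, Ciphers\<name>, Hashes\<name> and KeyExchangeAlgorithms\<name>, each carrying a DWORD Enabled (0xffffffff or 0) and, for protocols, DisabledByDefault. The sample policy itself is constructed.

```python
r"""Added example, not the Harden SSL/TLS tool's own code: an SCHANNEL
cipher/protocol policy written down as a .reg file, plus an audit of such a
file. Registry layout (Microsoft's documented SCHANNEL configuration):
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL with subkeys
Protocols\<name>\<Client|Server>, Ciphers\<name>, Hashes\<name>,
KeyExchangeAlgorithms\<name>; DWORD Enabled is 0xffffffff (on) or 0 (off),
protocols additionally carry DisabledByDefault. SAMPLE_POLICY is constructed."""

SCHANNEL = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
            r"\SecurityProviders\SCHANNEL")
ENABLED, DISABLED = 0xFFFFFFFF, 0x00000000
WEAK = ("SSL 2.0", "SSL 3.0", "NULL", "DES 56/56", "RC4 128/128", "MD5")


def _dword(name, value):
    return f'"{name}"=dword:{value:08x}'


def protocol_entries(protocols, sides=("Client", "Server")):
    """protocols maps 'SSL 2.0', 'TLS 1.2', ... to True (allow) / False (deny).
    Client and Server are separate keys, so a policy can differ per side."""
    lines = []
    for name, allow in protocols.items():
        for side in sides:
            lines += [f"[{SCHANNEL}\\Protocols\\{name}\\{side}]",
                      _dword("Enabled", ENABLED if allow else DISABLED),
                      _dword("DisabledByDefault", 0 if allow else 1), ""]
    return lines


def algorithm_entries(category, algorithms):
    """category is 'Ciphers', 'Hashes' or 'KeyExchangeAlgorithms'."""
    lines = []
    for name, allow in algorithms.items():
        lines += [f"[{SCHANNEL}\\{category}\\{name}]",
                  _dword("Enabled", ENABLED if allow else DISABLED), ""]
    return lines


def build_reg(policy):
    """Render a policy dict as an importable .reg file (CRLF line endings)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += protocol_entries(policy.get("Protocols", {}))
    for category in ("Ciphers", "Hashes", "KeyExchangeAlgorithms"):
        lines += algorithm_entries(category, policy.get(category, {}))
    return "\r\n".join(lines)


def parse_reg(text):
    """Minimal reader for the dword-only .reg files build_reg() emits."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=dword:" in line:
            name, _, value = line.partition("=dword:")
            keys[current][name.strip('"')] = int(value, 16)
    return keys


def enabled_weak(text, weak=WEAK):
    """Audit: registry keys in `text` that leave a weak protocol/algorithm on.
    A key without an Enabled value keeps the Windows default, which for the
    entries in WEAK means enabled on the older systems this tool targets."""
    hits = []
    for key, values in parse_reg(text).items():
        parts = key.split("\\")
        name = parts[-2] if parts[-1] in ("Client", "Server") else parts[-1]
        if name in weak and values.get("Enabled", ENABLED) != DISABLED:
            hits.append(key)
    return hits


# Constructed sample policy: legacy protocols and algorithms off, the rest on.
SAMPLE_POLICY = {
    "Protocols": {"SSL 2.0": False, "SSL 3.0": False,
                  "TLS 1.0": True, "TLS 1.1": True, "TLS 1.2": True},
    "Ciphers": {"NULL": False, "DES 56/56": False, "RC4 128/128": False,
                "AES 128/128": True, "AES 256/256": True},
    "Hashes": {"MD5": False, "SHA": True},
}

if __name__ == "__main__":
    reg = build_reg(SAMPLE_POLICY)
    print(reg)
    print("weak settings left enabled:", enabled_weak(reg) or "none")
```

Two practical points the script makes visible: Client and Server are independent keys, so disabling a protocol for incoming connections does not change what the system will negotiate as a client, and a setting takes effect only after a reboot, which is why a tool that pushes these keys remotely should also report which machines are still pending.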


Interesting Reads - Week 12 / 2013


Food for thought 



I have updated my little TLS/SSL scanner called "SSL Audit" to version 0.8. I tweaked it slightly, but the tool is still based on its own rudimentary SSL engine and hence is not limited to the ciphersuites and protocols available in OpenSSL or NSS.

By the way, I am still a little bit proud of the SSL stack fingerprinting feature. I haven't updated it recently, but it still seems to work nicely. Try it out and let me know, especially if you have access to lesser-known SSL stacks.
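The reason a scanner with its own engine is not bound to the local crypto library is easiest to see in code. The following is an added example modelled on that idea (my own illustration, not SSL Audit's code): it assembles a TLS ClientHello that offers exactly one cipher suite and classifies the server's reply, so any 16-bit suite identifier can be probed whether or not OpenSSL or NSS implements it. The ServerHello and Alert byte strings at the bottom are constructed so the parser can be exercised offline; `supports_suite` is the live version of the same check.

```python
"""Added example modelled on the idea described above (a scanner with its own
minimal TLS engine), not SSL Audit's code. To learn whether a server accepts
a given cipher suite, offer a ClientHello that contains exactly that suite
and inspect the reply: a ServerHello echoing the suite means "supported", an
Alert (typically handshake_failure, 40) means "refused". The bytes are
assembled by hand, so any 16-bit suite identifier can be probed. The
ServerHello and Alert samples at the bottom are constructed."""

import os
import socket
import struct

TLS12 = b"\x03\x03"


def client_hello(suite, host, client_version=TLS12, record_version=b"\x03\x01"):
    """One TLS record carrying a ClientHello that offers only `suite`.
    The record-layer version stays at 3.1 for compatibility with old stacks;
    client_version announces the highest version we speak."""
    sni = host.encode("idna")
    server_name = struct.pack("!BH", 0, len(sni)) + sni        # name_type, host_name
    name_list = struct.pack("!H", len(server_name)) + server_name
    ext_sni = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (client_version + os.urandom(32)                     # version, random
            + b"\x00"                                           # empty session_id
            + struct.pack("!HH", 2, suite)                      # cipher_suites: one
            + b"\x01\x00"                                       # compression: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16" + record_version + struct.pack("!H", len(handshake)) + handshake


def parse_response(data):
    """Classify the first record of the server's reply as
    ("server_hello", chosen_suite), ("alert", description) or ("unknown", None)."""
    if len(data) < 5:
        return ("unknown", None)
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                # Alert: level, description
        return ("alert", payload[1])
    if ctype == 0x16 and payload and payload[0] == 0x02:   # Handshake: ServerHello
        p = 4 + 2 + 32                                     # hs header, version, random
        p += 1 + payload[p]                                # session_id
        return ("server_hello", struct.unpack("!H", payload[p:p + 2])[0])
    return ("unknown", None)


def supports_suite(host, port, suite, timeout=5.0):
    """Live probe: True iff the server answers with a ServerHello selecting
    `suite`. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(suite, host))
        reply = sock.recv(4096)
    kind, value = parse_response(reply)
    return kind == "server_hello" and value == suite


def _server_hello_record(suite):
    """Constructed minimal ServerHello (zero random, empty session_id)."""
    body = TLS12 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


SAMPLE_ACCEPT = _server_hello_record(0x009C)      # TLS_RSA_WITH_AES_128_GCM_SHA256
SAMPLE_REFUSE = b"\x15\x03\x03\x00\x02\x02\x28"  # fatal (2) handshake_failure (40)

if __name__ == "__main__":
    print(parse_response(SAMPLE_ACCEPT))   # ('server_hello', 156)
    print(parse_response(SAMPLE_REFUSE))   # ('alert', 40)
    hello = client_hello(0x0041, "example.test")  # TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    print(hello.hex())
```

A full enumeration is this probe repeated over the suite identifiers of interest, one connection each; the same loop over the protocol version bytes gives the protocol support matrix. Note that a server which answers a single-suite offer with a ServerHello for a different suite is itself a finding worth recording, which is why `supports_suite` compares the chosen suite rather than just checking for a ServerHello.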

Changes

  • Added support for TLS 1.2 Camellia ciphersuites;
  • Sped up SSLv2 enumeration;
  • Added the complete range of ARIA ciphersuites (http://tools.ietf.org/html/draft-nsri-tls-aria-00)
SSL Audit v0.8

Download



I would like to invite you to this year's OWASP BeNeLux event. I won't give a talk this year, but I happily invite you as a member of the OWASP BeNeLux Program Committee:

Quick Facts

Agenda

The agenda is a sound mix of application security, forensics and risk management, and represents the current security landscape at large rather well: building security into applications in enterprises, managing application-level vulnerabilities, source code review on a large scale. It also has two innovative talks on exploit mitigation and sandboxing JavaScript.

The talk about JavaScript sandboxing (JSand) especially has all my attention, as it represents an interesting challenge that is hard to get right given the context within which JavaScript operates. It claims to be complete, requiring no browser modifications, and is enforced client-side. The talk will also be given at ACSAC 2012.

Venue

Both the training day and the conference day take place at:
KU Leuven (University of Leuven)
iMinds-DistriNet Research Group
Celestijnenlaan 200A
B-3001 Heverlee
How to get there: http://distrinet.cs.kuleuven.be/about/route/
Hotel details: https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012#tab=Venue