Tag: ssl

Jan 13

KeySweeper

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web-based tool allows live keystroke monitoring.


Aug 19

History of Lossless Data Compression Algorithms – GHN: IEEE Global History Network


Jul 08

50. Android (DRD) – java – CERT Secure Coding Standards

The following rules and guidelines are specific only to the Android platform. These do not apply to the development of Java or C programs for non-Android platforms. (The full set of Android-relevant rules and guidelines is here.) The term sensitive incorporates the Java glossary definition of sensitive data, as well as the Android concept of permission-protected.

DRD00-J. Do not store sensitive information on external storage (SD card) unless encrypted first

DRD01-J. Limit the accessibility of an app’s sensitive content provider

DRD02-J. Do not allow WebView to access sensitive local resource through file scheme

DRD03-J. Do not broadcast sensitive information using an implicit intent

DRD04-J. Do not log sensitive information

DRD05-J. Do not grant URI permissions on implicit intents

DRD06-J. Do not act on malicious intents

DRD07-J. Protect exported services with strong permissions

DRD08-J. Always canonicalize a URL received by a content provider

DRD09-J. Restrict access to sensitive activities

DRD10-J. Do not release apps that are debuggable

DRD11-J. Ensure that sensitive data is kept secure

DRD12-J. Do not trust data that is world writable

DRD13-J. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)

DRD14-J. Check that a calling app has appropriate permissions before responding

DRD15-J. Consider privacy concerns when using Geolocation API

DRD16-J. Explicitly define the exported attribute for private components

DRD17-J. Do not use the Android cryptographic security provider encryption default for AES

DRD18-J. Do not use the default behavior in a cryptographic library if it does not use recommended practices

DRD19-J. Properly verify server certificate on SSL/TLS

via 50. Android (DRD) – java – CERT Secure Coding Standards.

Jun 27

BoringSSL wants to kill the excitement that led to Heartbleed | Naked Security


Jun 23

Patch NOW: Six new bugs found in OpenSSL – including spying hole • The Register


Jun 22

ImperialViolet – BoringSSL

BoringSSL (20 Jun 2014)

via ImperialViolet – BoringSSL.

Jun 22

OpenBSD Team Cleaning Up OpenSSL – Slashdot


Jul 15

Amazon One-Click Chrome Extension Snoops On SSL Traffic – Slashdot


Jul 04

Ruby + OpenSSL && sprintf() == 2009-style Man-in-the-Middle? | Naked Security


May 27

Anatomy of a change – Google announces it will double its SSL key sizes | Naked Security
