November 2008 Archives

In case someone has missed the news: There is a weakness discovered in the TKIP protocol rendering WPA protected WiFi networks vulnerable to individual packet decryption. Some details from the ars technica article:

With the Tews/Beck method, an attacker sniffs a packet, makes minor modifications to affect the checksum, and checks the results by sending the packet back to the access point. "It's not a key recovery attack," Tews said, "It just allows you to do the decryption of individual packets." This approach works only with short packets, but could allow ARP (Address Resolution Protocol) poisoning and possibly DNS (Domain Name Service) spoofing or poisoning.

To make a long story short, protect yourself by not using TKIP but switching to AES to encrypt keys.

On a side note: It seems that Apple's airport extreme uses TKIP in WPA/WPA2 mode and relies on AES in WPA2 only mode.

I have just finished a talk on Web Application Firewalls at this years WJAX conference in Munich.

Here's an abstract of the contents of the speech:

A number of open source and commercial Web Application Firewalls (WAF) promise "all around" protection, freeing developers from the burden of dealing with security, while increasing the overall security level. This session presents the results of a study, clarifies where it makes sense to deploy a WAF and how to use it. Further topics are performance evaluations, details about rulesets, automatic learning features as well as maintenance and what level of interaction with developers is required.

The audience was particularly interested in the practical aspects of the study and comparison between different product vendors and on how the tests were executed.

The study covers the following products:

• BigIP by F5 Networks
• NetScaler by Citrix
• mod_security (open source)
• hyperguard by art of defence
• rWeb by deny all

OPTIMAbit will make the extended results of the study available to its customers by the end of the year.

For further information please contact me directly or refer to Bruce Sams of optima.
Thanks again to all vendors for supporting the study by supplying test machines and/or licenses.

Working on a penetration test for a large insurance company in cooperation with OPTIMAbit I discovered several critical security issues in a professional WIKI product called Confluence that is sold by Atlassian to corporate customers.

The vendor offers an open ticket system to directly report security issues to development. Vendor response was very quick and a new release of the product fixing all reported vulnerabilities was issued within 1 month of reporting.

The reported vulnerabilities included several Cross Site Scripting and one critical privilege escalation issue. For further information please refer to Atlassian's security advisory.

I also want to thank Atlassian for giving proper credits for helping them solve these issues.

I have just finished setting up movable type 4 to host my new professional blog. The design is currently just the default template due to a lack of time but will be updated in the near future.

MT4 offers some new nifty things like seesmic video comments and activity streams, which allow integration of web 2.0 profiles into this blog.

I will be experimenting with these features in the near future as well.

For now, all that matters is getting the content out.

The purpose of this website is to document news revolving around my professional life as an IT consultant and software engineer. I hope you will enjoy the upcoming posts.