All Questions

15 votes, 0 answers, 343 views

What is the attack tree to intercept traffic on Wimax?

My current understanding is that sniffing traffic on 4G (let's use WiMAX and LTE for the purposes of this question) and 3G is not a simple matter and either requires you setting up a fake base station ...

12 votes, 0 answers, 101 views

Are there security design weaknesses in the EFF Sovereign Keys proposal?

In response to SOPA and a number of high-profile security breaches at certificate authorities in 2011, the EFF has released a Sovereign Keys proposal: ...

6 votes, 0 answers, 125 views

What encryption prevents the tampering of Windows Identity Foundation (WIF) FedAuth cookies?

It occurred to me that the WIF FedAuth cookies contain identity information that, if tampered with, could permit someone to assume the identity of another user. Fortunately, WIF does ...

5 votes, 0 answers, 159 views

Best way to secure a JavaScript front end / REST back end architecture web site?

I would like to build the following project: a public REST API back end which can be accessed by any authenticated client front end, with static files in HTML/CSS/JavaScript using Backbone.js and jQuery ...

3 votes, 0 answers, 83 views

Kerberos - what can an attacker achieve from a replay attack?

On the last step of Kerberos, the client sends the target server a ticket and an authenticator. One of the authenticator's parts is a timestamp. The timestamp is said to prevent replay attacks, as the ...

3 votes, 0 answers, 114 views

Trying to prevent Cisco toll fraud

A little back story on the setup first: we have a Cisco VoIP setup at our remote office (where I'm at), and the main CCM/CCX/Unity setup is at the parent company across the US in Connecticut. We have ...

2 votes, 0 answers, 55 views

ASP.NET HTTP Response Splitting Attack

By default, ASP.NET checks for an HTTP Response Splitting attack when you call Response.Redirect: ...

2 votes, 0 answers, 63 views

What lawful interception standards are used outside Europe?

In Europe, the European Telecommunications Standards Institute (ETSI) defines the standard requirements for handling lawful interception. It defines everything from the terminology and definitions to the ...

2 votes, 0 answers, 94 views

When to move from container-managed security to alternatives like Apache Shiro or Spring Security?

I am trying to secure my application, which is built using JSF 2.0. I am confused about when people choose to go with security alternatives like Shiro, Spring Security or OWASP's ESAPI, leaving ...

2 votes, 0 answers, 96 views

How does the mobile security technology APNS and 3LM work?

APNS is an iPhone technology that assists with mobile push. 3LM is a BIOS-level security technology embedded in certain Android phones. I recently got off the phone with BoxTone and they said they ...

1 vote, 0 answers, 19 views

What are the practical differences between SELinux targeted mode and a capability based OS?

I recently asked a question about the differences between capabilities and mandatory access controls. Among the answers I got, the point was made that systems like SELinux in targeted mode are not a ...

1 vote, 0 answers, 29 views

HP ProtectSmart in a domain?

All of our HP PCs come with this software pre-installed. I'm a bit inclined to outright remove it because: Credential Manager stores passwords by default (this has led to user confusion, plus ...

1 vote, 0 answers, 53 views

Windows session recording software

I'm trying to monitor connections and actions made by administrators (or any user connecting) to a server through TSE (I'm simplifying). I've heard about software which can record a video of any ...

1 vote, 0 answers, 29 views

Setting up relays in Windows

I am trying to set up a pivoting relay with netcat on Windows, replicating a scenario easily possible by using pipes in Linux. Assume machine A can route to machine B and machine B can route to machine ...

1 vote, 0 answers, 66 views

Creating domain accounts via a VPN and using them to log in on the local machine

The environment is a PC that has joined a domain but has been disconnected from the domain's network and put on an external network. However, since the domain login is cached, you can still log ...