Unanswered Questions

15 votes, 0 answers, 343 views

What is the attack tree to intercept traffic on Wimax?

My current understanding is that sniffing traffic on 4G (let's use Wimax and LTE for the purposes of this question) and 3G is not a simple matter and either requires you setting up a fake base station ...

12 votes, 0 answers, 101 views

Are there security design weaknesses in the EFF Sovereign Keys proposal?

In response to SOPA and a number of high profile security breaches at certificate authorities in 2011, the EFF has released a sovereign keys proposal: ...

7 votes, 1 answer, 254 views

What evaluation criteria would you use for an Oracle scanning tool?

What evaluation criteria would you use to select the right Oracle scanning tool? Context: To deploy an automated scanning tool (nessus / SQuirreL etc) for use by both development teams and security ...

6 votes, 0 answers, 125 views

What encryption prevents the tampering of Windows Identity Foundation (WIF) FedAuth cookies?

It occurred to me that the WIF FedAuth cookies contain identity information that, if tampered with, could permit someone to assume the identity of another user. Fortunately, WIF does ...

5 votes, 0 answers, 160 views

Best way to secure JavaScript front end/REST back end architecture web site?

I would like to build the following project: public REST API back end which can be accessed by any authenticated client front end with static files in HTML/CSS/JavaScript with Backbone.js jQuery ...

4 votes, 1 answer, 165 views

Inconsistencies found in OpenID Provider's HTTP Headers. Which one is the most secure that I should imitate in my STS, and Relying Party?

I'm comparing the HTTP headers of the various providers (LiveID, Google, Yahoo, etc) and notice a broad inconsistency in implementation on the sign in page, sign out page, and subsequent pages. ...

4 votes, 1 answer, 153 views

How are mobile telephony networks like LTE and HSPA encrypted?

How are mobile telephony networks like LTE (4G) and HSPA (3G) encrypted? Between what parts is the communication encrypted? Who has access to the keys? Is symmetric or asymmetric encryption used? Is ...

3 votes, 1 answer, 99 views

Keeping user data private in a cloud environment like Google App Engine

I am writing an open-source Java application for Google App Engine (GAE). The application will let users create content that is intended to be private. I want to provide reasonable assurances that ...

3 votes, 0 answers, 83 views

Kerberos - what can an attacker achieve from a replay attack?

On the last step of Kerberos, the client sends the target server a ticket and an authenticator. One of the authenticator's parts is a timestamp. The timestamp is said to prevent replay attacks, as the ...

3 votes, 1 answer, 92 views

Network Vulnerability Scanner placement on network

We have implemented/are implementing a network vulnerability scanning process, and we have chosen to use Qualysguard. Qualys supply a scanner appliance for the internal network scanning, which ...

3 votes, 0 answers, 114 views

Trying to prevent Cisco toll fraud

A little back story on the setup first: we have a Cisco VoIP setup at our remote office (where I'm at) and the main CCM/CCX/Unity setup is at the parent company across the US in Connecticut. We have ...

2 votes, 0 answers, 57 views

ASP.NET HTTP Response Splitting Attack

By default ASP.NET checks for HTTP Response Splitting attack when you do Response.Redirect: ...

2 votes, 1 answer, 24 views

Automatic harvesting of hacked hosts and reporting to domain/site admin

With so many internet attacks out there, I just think it would be convenient (and quicker and wise) if there is a way to automatically harvest the hacked hosts that are used to launch internet ...

2 votes, 2 answers, 316 views

Use a Common Firewall for two Different Subnets

I want to implement a security scheme in a new network configuration. There are two buildings for the client: Office Building 1 (OB1) with address 10.0.0.0 / 255.255.255.0, Gateway 10.0.0.1 ( ...

2 votes, 1 answer, 58 views

Resources/tools for controlling access to corporate email on smartphones

If one of our employees has access to corporate email on a smartphone I want to make sure that if they lose the phone then whoever finds it can't get at any corporate email on that phone. For iOS ...
