I am back from my recurring illness and I am still suffering from mild stomach cramps. There have been a few big security events while I was away. The most prominent being:
- The IDN spoof for all browsers other than IE
- Microsoft patch Tuesday
- SHA-1 is broken, Schneier has a nice summary
- XSS-Proxy leverages XSS attacks
The IDN spoof is quite old but was brought to the fore at Shmoocon. It abuses International Domain Name support to display foreign characters that look like English ones: for example %D0%BE is the UTF-8 percent-encoding of Cyrillic 'о', which renders like a Latin 'o', and %D0%B0 is Cyrillic 'а', which renders like a Latin 'a'.
Also from Shmoocon comes XSS-Proxy. It was created to clear up some misconceptions about XSS attacks and to show how a real-time XSS hijack can be performed, with the attacker driving the victim's browser interactively rather than just collecting whatever a one-shot payload sends back.
The generic work factor for finding a collision in SHA-1 was 2^80 (the birthday bound for a 160-bit hash), but the new cryptanalysis reduces that to 2^69, about 2000 (2^11 = 2048) times less work. Schneier says this is 'at the edge' of current computational technology. Note that this is a collision attack: it undermines digital signatures and certificates, where the attacker gets to choose both inputs, but not constructions such as HMAC where collisions do not matter. He also calls for a NIST competition to pick the next hash function, in the same way NIST replaced DES with AES.
As for Patch Tuesday, here is Susan Bradley's summary.

