Ziggo and xs4all block of ThePirateBay.org technical details

The Dutch court ordered ISPs Ziggo and xs4all to block clients’ access to thepiratebay.org and associated domain names and IP addresses. How exactly do these ISPs implement the block?

Shanghai Jiaotong University probing for Chinese IPv6 users?

My server has had an IPv6 address for a few years now. I’ve just not gotten around to properly advertising it in my DNS zones yet, let alone registering it as a name server for my domains. Strangely enough though, every day since 28 July 2011 I see these requests in my logs:

Strong authentication for 2012

Not so long ago, strong authentication was equivalent to two-factor authentication. Unfortunately, things have changed quite a bit in 2011.

ING mobile banking iPhone app

The ING Mobiel Bankieren iPhone app stores only one configuration file: nl.ing.iphone.app.Bankieren.plist. After installation the file does not exist yet; it is created when an ING account is linked to the app. After that it contains the following data:

How I got my #28c3 tickets @ccc today

I preloaded my account with the tickets I needed, then at 15:59 I started this script:

ING mobile banking Android app

The ING Mobiel Bankieren Android app stores only one configuration file: IngMobilePrefs.xml. After installation this file is fairly empty, but after an ING account is linked to the app, IngMobilePrefs.xml contains the following data:

ING mobile banking authentication

On 8 November 2011 ING introduced mobile banking. With a special ING Bankieren app, a Mijn ING account can be linked to a smartphone or tablet. During this process a 5-digit PIN code is chosen, which afterwards (together with the device) is enough to view the accounts and transfer money.

Bypassing Windows AppLocker using VB script in Word and Excel

This week started out good. While I was looking into the usefulness of Windows AppLocker, Belgian security researcher Didier Stevens posted a blog entry explaining that he found a way to load DLLs that are not permitted by AppLocker. An anonymous comment pointed out an even bigger issue: starting new processes (=programs) that are not permitted by AppLocker.

Creating a corporate Java security policy

On January 23rd, 1996 something magical happened. Sun Microsystems released the Java Development Toolkit 1.0. From that moment on the 3-year-old World Wide Web became more interactive. Browsers such as Mosaic and Netscape were able to show small applications inline which ran code on the client computer, allowing for instant feedback. At the risk of showing my age, I remember those early days of Java and I was quite impressed. Sun realized from the start that running code delivered over the web on the client side had severe security implications.

Rootkit inside your laptop BIOS

Last week I attended an interesting presentation from Absolute Software. They showcased a product called Computrace. This nifty tool can be used to track the whereabouts of laptops as they are deployed by companies to their mobile workforce. They also sell a comparable product for home users. The way this works is that the software on the laptop phones home every hour or so when the computer is connected to the internet. When the laptop goes missing or is stolen, this information can be retrieved from a website, hopefully aiding in the safe return of the hardware.