Why recursive Microsoft DNS servers should not be publicly reachable

US-CERT Alert TA13-088A, DNS Amplification Attacks, sums it up quite nicely.
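A check a practitioner would run before leaving a resolver reachable from the internet, as an added Python example that is not the post's or the alert's code: send a recursive ANY query, see whether the server answers with "recursion available", and measure by what factor the response outgrows the query, which is the amplification an attacker gets per spoofed packet. The probe() function needs network access and is not exercised by the test; the name example.com, the 192.0.2.x addresses and the two constructed responses are assumptions so the parsing can be run offline.

```python
"""Test whether a DNS server answers recursive queries from anyone and how
much it amplifies a small query. Added example, not the post's own code;
the server address passed to probe() and the responses built by the
constructed_*() helpers are assumptions so the logic runs offline."""
import socket
import struct

TYPE_ANY = 255  # query type abused in amplification attacks: large answers


def build_query(name, qtype=TYPE_ANY, txid=0x1234, recursion_desired=True):
    """Minimal DNS query: 12-byte header, QNAME, QTYPE, QCLASS IN."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the header fields that matter for an open-resolver check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 5 REFUSED
        "answers": an,
        "authority": ns,
        "additional": ar,
    }


def assess(query, response):
    """Open recursion: server sets RA, returns NOERROR and hands back records
    for a name it is not authoritative for. The size ratio is the amplification
    factor each spoofed query buys the attacker."""
    info = parse_header(response)
    info["amplification"] = round(len(response) / len(query), 1)
    info["open_recursion"] = (
        info["qr"] and info["ra"] and info["rcode"] == 0 and info["answers"] > 0
    )
    return info


def probe(server, name="example.com", timeout=3.0):
    """Send the query over UDP/53 (needs network; not run by the test)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return assess(query, data)


# --- constructed responses (assumptions, not captured traffic) -----------

SAMPLE_QUERY = build_query("example.com")


def constructed_open_response(query, addresses=("192.0.2.1", "192.0.2.2")):
    """What an open resolver sends back: QR+RD+RA set, NOERROR, A records."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the QNAME at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + question + answers


def constructed_refused_response(query):
    """What a locked-down server sends back: REFUSED, RA clear, no records."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + query[12:]
```

The constructed open response is deliberately tiny (two A records); a real ANY answer for a domain with DNSSEC records runs to thousands of bytes, which is where the amplification factors quoted in the alert come from. A server that is not an open resolver returns REFUSED with RA clear, as in the second constructed response.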

Citrix NetScaler 10 TLS 1.2 support

Citrix NetScaler 10.0.72.5 seems to support TLS 1.2, or at least that is what the Qualys SSL Labs test suggests. A quick check with Windows 7 and Wireshark confirms it: the TLS 1.2 ClientHello sent by IE10 is answered by a TLS 1.2 ServerHello from the NetScaler.
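The same check without a browser and Wireshark, as an added Python example that is not the post's code: build a ClientHello that offers TLS 1.2 and read the version and cipher suite back from the ServerHello, or the alert, that the server returns. The probe() function needs network access and is not run by the test; the constructed ServerHello and alert bytes are assumptions for offline use. One caveat: a TLS 1.3 server also puts 0x0303 in this legacy version field and signals 1.3 in a supported_versions extension, so this parser reports "TLS 1.2" for such a server too, which is fine for the 1.2-or-older question the post asks.

```python
"""Send a TLS 1.2 ClientHello and read the version the server answers with.
Added example, not the post's own code; the ServerHello and alert bytes at
the bottom are constructed so the parsing can be exercised offline."""
import os
import socket
import struct

VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
# AES-GCM suites only exist in TLS 1.2, so a 1.1-only server cannot pick
# them; the last two are offered so older servers still answer.
CIPHER_SUITES = [0xC02F, 0xC02B, 0x009C, 0x002F]


def build_client_hello(server_name, version=(3, 3)):
    """ClientHello record offering `version`, the suites above and an SNI
    extension so virtual-hosting front ends pick the right certificate."""
    ciphers = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        bytes(version) + os.urandom(32) + b"\x00"      # version, random, no session id
        + struct.pack("!H", len(ciphers)) + ciphers
        + b"\x01\x00"                                  # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version stays 3.1 for compatibility with old servers; the
    # version actually offered is the one inside the handshake body.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return the negotiated version and suite from a ServerHello, or the
    alert if the server refused the handshake."""
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == 0x15:  # alert
        return {"alert": True, "level": payload[0], "description": payload[1],
                "description_name": ALERTS.get(payload[1], "other")}
    if content_type != 0x16 or payload[0] != 0x02:
        raise ValueError("not a ServerHello")
    version = (payload[4], payload[5])
    session_id_len = payload[38]            # after 4-byte header, 2 version, 32 random
    pos = 39 + session_id_len
    cipher = struct.unpack("!H", payload[pos:pos + 2])[0]
    return {"alert": False, "version": version,
            "version_name": VERSIONS.get(version, "unknown"),
            "cipher_suite": cipher}


def probe(host, port=443, timeout=5.0):
    """Talk to a real server (needs network; not run by the test). A single
    recv() is enough for the ServerHello, which is the first record back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = sock.recv(4096)
    return parse_server_response(data)


# --- constructed server messages (assumptions, not captured traffic) -----

def constructed_server_hello(version=(3, 3), cipher=0xC02F):
    """A minimal ServerHello: version, zero random, empty session id,
    chosen suite, null compression, no extensions."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


CONSTRUCTED_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal, protocol_version
```

Running probe("netscaler.example", 443) against a real front end (hostname assumed) prints the version the server chose; a server that does not speak TLS 1.2 either downgrades to 1.0 or 1.1 in the ServerHello or sends the protocol_version alert, and both cases come back as a dictionary here rather than as an exception.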

Securing Java Web Start for desktops

In a previous post I explained how to make sure only trusted Java applets can run outside of the Java sandbox. Unfortunately, that is only half of the battle with Java on desktops.

SplashID for iOS by @SplashData stores master password inside database: #security #fail

While at Black Hat Europe 2012 I attended an excellent talk by two Elcomsoft researchers. They investigated the security of mobile password managers. Not surprisingly, they are not all as safe as they should be.

Ziggo and xs4all block of ThePirateBay.org technical details

The Dutch court ordered ISPs Ziggo and xs4all to block their customers' access to thepiratebay.org and the associated domain names and IP addresses. How exactly do these ISPs implement the block?

Shanghai Jiaotong University probing for Chinese IPv6 users?

My server has had an IPv6 address for a few years now. I've just not gotten around to properly advertising it in my DNS zones yet, let alone registering it as a name server for my domains. Strangely enough, though, every day since 28 July 2011 I see these requests in my logs:

Strong authentication for 2012

Not so long ago, strong authentication was equivalent to two-factor authentication. Unfortunately, things have changed quite a bit in 2011.

ING mobiel bankieren iPhone app

The ING Mobiel Bankieren iPhone app stores only one configuration file: nl.ing.iphone.app.Bankieren.plist. After installation the file does not exist yet; it is created when an ING account is linked to the app. After that it contains the following data:

How I got my #28c3 tickets @ccc today

I preloaded my account with the tickets I needed, then at 15:59 I started this script:

ING mobiel bankieren Android app

The ING Mobiel Bankieren Android app stores only one configuration file: IngMobilePrefs.xml. After installation this file is fairly empty, but once an ING account has been linked to the app, IngMobilePrefs.xml contains the following data: