21 April 2014 by Einar Otto Stangvik

Two weeks after Heartbleed: Stats for Norway

Since the public disclosure on April 7th, I've followed the development of the Heartbleed vulnerability, and especially how Norway has been affected. Update: Charts updated April 22nd. Slight improvement for port 443 over the last 24 hours. This work has involved regular scans of the ~16 million IP addresses allocated to

13 April 2014 by Einar Otto Stangvik

Finding RSA keys in Heartbleed memory dumps

TL;DR - CloudFlare challenged someone to extract the private key from a vulnerable Nginx test server, using the OpenSSL Heartbleed vulnerability. I came late to that party (it had already been broken), but I figured I could mine some data anyways. I dumped 43 GB of data from the

11 March 2014 by Einar Otto Stangvik

The S-CRIB Scrambler, and how long-term solutions aren't immediate

The S-CRIB Scrambler was, as far as I can tell, released in January 2014. On March 7th, a solution combining two of these devices, connected to a Raspberry Pi, was described in a post made to the Light Blue Touchpaper. In short, this is a system which aims to «“scramble”

02 March 2014 by Einar Otto Stangvik

How NOT to provide binary checksums

This one really should be filed under "well, duh". If you're hosting content that can be misused, abused or exploited in any way, you really need to be using HTTPS. There's no excuse. None. And if you happen to host binary downloads of any kind, you're sure doing many of

16 September 2013 by Einar Otto Stangvik

Don't trust Instagram on shared wireless networks

Over the last decade, wireless networks have been a prime target for hackers. The ability to sniff out traffic belonging to others, and with it any unencrypted credentials or other valuable information, is what drives them. Because of this, most popular services today, such as Twitter, Facebook and Gmail, have

12 September 2013 by Einar Otto Stangvik

Local IP discovery with HTML5 WebRTC: Security and privacy risk?

With the progression of HTML5 WebRTC, browsers are getting ever closer to making pluginless video conferencing a reality. One feature of WebRTC is the ability to discover the local IP addresses of the browsing machine. Does that put us at an increased risk? Recently I stumbled across Nathan Vander Wilt's
