Comments on Errata Security: Exploiting the Superfish certificate
Feed author: David Maynor
Updated: 2024-01-16T05:48:33.523-05:00

macubergeek (2015-02-26T09:05:43.525-05:00):
In order for hostapd to work, the wireless card has to support AP mode. You can determine if your card supports AP mode by inserting it into the USB slot and using the command:
iw list
Your card should come up as physical interface 1.
Scroll down to the Mode area. If you don't see AP mode, it doesn't.

Anonymous (2015-02-25T16:37:01.059-05:00):
If I'm not mistaken, the traffic is signed with Superfish's SSL and sent to wherever that goes, and then whoever/wherever is signing the Superfish cert makes a connection to the destination (in this case BOA) and makes an SSL connection on your behalf. Correct me if I'm wrong.

Emel (2015-02-25T03:22:13.425-05:00):
I thought Superfish was functioning as a proxy, meaning that the traffic sent out from the PC should be signed by BankOfA public key eventually rather than the Superfish public key. Otherwise BankOfA site would not keep working. Is that not right?

rdm (2015-02-21T18:17:03.401-05:00):
As a minor side tangent: technically speaking, "theoretical" means "practical", at least somewhat.

That said, it's rather popular to believe that "theoretical" means "hypothetical", so it's good that you have shown that this is indeed a practical issue.

Anonymous (2015-02-21T13:18:09.960-05:00):
I second that. I once spent a very frustrating week troubleshooting a microSD card that would suddenly become "read-only" halfway through imaging. It turned out the lock slider on the SD card adapter was loose. It would get pushed towards "lock" when I inserted it into my reader and back to unlocked when I took it out. Once I figured this out, a piece of Scotch tape over the slider permanently fixed the issue.

Andrea Faulds (2015-02-21T11:38:16.627-05:00):
> (These Kingston chips are the ones I'm using, but they are kinda crappy. They sometimes connect as 'read-only'; I don't know why).

They're not crappy, Kingston cards are fine. You've accidentally moved the "lock" slider and put the card into read-only mode.

Anonymous (2015-02-21T11:21:54.453-05:00):
This is cross posted to the Hacker News thread covering this article as well.

This is cool and all but if the victim has Superfish installed there's no need to use the Superfish private to MitM the connection. The Superfish software is not properly passing the validation state of the public cert when it connects to a website like Bank of America as an example.

The software is simply not triggering appropriate warnings in the browser when provided an obviously fake certificate that has been generated in a way to bypass browser warnings. It's also not properly validating revoked certs. Both of these situations are very bad. Allowing any self-signed cert would lead me to believe that this could have easily been exploited in the wild without prior knowledge of this vulnerability.

I've notified the software vendor of the impacted software and they are working diligently to patch all of their software. As such, I am not going to provide a how-to guide on how to exploit users here but you pretty much did that anyway. I also notified both Superfish and Lenovo of this issue on Thursday (US), neither of which have responded.

Anyway, the following is an example of the improper status pass through based on doing something that might be quite obvious to those who understand how the browser validates a public against the fully qualified domain name.
This is what the browser should do when it encounters a self-signed cert delivered by an SSL/TLS MitM solution:

http://defaultstore.com/six.png

However, it's not doing this for this self-signed public cert:

http://defaultstore.com/four.png

Note both certs show "verify_fail." at the beginning and those who know how browser cryptography works will understand what has likely gone wrong with their implementation.

The ramifications of this are fairly significant. An attacker running sslsplit as an example, configured like many instances are that we actually see in the wild can MitM Superfish software connected HTTPS sessions without the Superfish private. This means that a bad guy didn't actually need to know about this software and reverse it to compromise connections.

Anonymous (2015-02-21T11:12:29.044-05:00):
If you've joined the same wireless network as a victim (say, at Starbucks) you could try and make your victim use your PC as a gateway, e.g. by setting up a rogue DHCP server, or by ARP spoofing.

https://en.wikipedia.org/wiki/ARP_spoofing

This might, or might not, work depending on the setup and level of filtering of the WiFi access point(s).

Then, even though you haven't put up your own access-point, your victim will send all packets to you, you can mess with them, and forward them to the real outbound router (often, the integrated access-point/router/...).

Anonymous (2015-02-21T10:30:48.921-05:00):
It would be possible to create an AP with the same name as the official Starbucks AP, and send deauth packets making connection with the official Starbucks AP for everyone but you impossible.

Users will now try to join the official one, and, not being able to do so, try yours instead. From that point on you can easily MitM everything.

Giles (2015-02-21T09:51:20.264-05:00):
Just to be clear - the victim laptop would have to join your wifi AP, right? So if you were (say) running a coffee shop with wifi for customers, this would be easy, but it would be harder in (say) Starbucks because you'd have to somehow fool people into joining your AP instead of the real one.