infosec   16257

CC3000 Smart Config - transmitting SSID and keyphrase ~ Depletion Region
Initially TI clearly documented how the SSID and password were transmitted to a CC3000 enabled device in their "CC3000 First Time Configuration" document. However with release 1.10 they changed the approach to one called Smart Config and now document the API but no longer explain what is happening at the network level. Here I cover this missing information for the new approach.

So let's start at the start - we have a problem - we want to send two pieces of information, an SSID and the keyphrase, from one party that is already a member of the wifi network to an external party who can monitor all the encrypted wifi traffic but who cannot decrypt it.

Someone who cannot decrypt the wifi traffic can still see quite a lot of information, e.g. they can see the source and receiver MAC addresses of every packet sent.

They can also see the length of the data portion of the packets. The encryption affects the size of the packets sent but in a consistent manner, e.g. if one sends n bytes of data in a given packet then the encrypted packet will contain (n + x) bytes where x is constant across all packets.

So the solution to our problem is to encode the information in the size of the packets sent (the actual content is irrelevant).
infosec  network 
3 days ago by whitequark
CC3000 Smart Config - transmitting SSID and keyphrase ~ Depletion Region
So let's start at the start - we have a problem - we want to send two pieces of information, an SSID and the keyphrase, from one party that is already a member of the wifi network to an external party who can monitor all the encrypted wifi traffic but who cannot decrypt it.

Someone who cannot decrypt the wifi traffic can still see quite a lot of information, e.g. they can see the source and receiver MAC addresses of every packet sent.

They can also see the length of the data portion of the pac...
networking  crypto  computers  internetofthings  security  infosec 
5 days ago by pozorvlak
GhostPack
A collection of security related toolsets. GhostPack has 7 repositories available. Follow their code on GitHub.
c#  powershell  pentest  internal  tools  security  infosec  smb  powerup  dump 
6 days ago by plaxx
JonasCz/How-To-Prevent-Scraping: The ultimate guide on preventing Website Scraping
The ultimate guide on preventing Website Scraping. Contribute to JonasCz/How-To-Prevent-Scraping development by creating an account on GitHub.
site  scraping  security  bots  infosec 
6 days ago by jheady
Wi-Fi Gets More Secure: Everything You Need to Know About WPA3
Simultaneous Authentication of Equals (SAE) is a new method of authenticating a device trying to connect to a network. A variation of the so-called dragonfly handshake that uses cryptography to prevent an eavesdropper guessing a password, SAE dictates exactly how a new device, or user, should “greet” a network router when they exchange cryptographic keys.

Wi-Fi currently delivers security with 128-bit security. The 192-bit security protocol will not be mandatory but rather an optional setting for institutions that want or require it for their networks. The Wi-Fi Alliance is also emphasizing that enterprise networks should have a strong level of cryptographic strength throughout: The overall strength of a system’s security hinges on its weakest link.

Easy Connect is a recognition of the sheer number of connected devices in the world today. While not everyone may be jumping on the smart-home trend, odds are that the average person today has at least a few more devices connected to their home router than they did in 2004. Easy Connect is the Wi-Fi Alliance’s effort to make connecting all those devices more intuitive.

Rather than enter passwords every time you want to add something to your network, devices will have unique QR codes—each device’s code will function as a sort of public key. To add a device, you scan the code using a smartphone already connected to the network.

Enhanced Open uses Opportunistic Wireless Encryption (OWE), defined in the Internet Engineering Task Force RFC 8110 standard, to protect against this sort of passive eavesdropping. OWE does not require any sort of additional authentication protection—it’s focused on improving the encryption of data sent over public networks so eavesdroppers can’t steal it. It also prevents so-called unsophisticated packet injection, in which an attacker attempts to subvert the network’s operations by constructing and transmitting data packets that look like they are part of the network’s normal operations.
infosec  security  wifi 
7 days ago by campylobacter
Twitter
Bypassing CSRF tokens with Python's CGIHTTPServer

bugbounty  pentest  infosec  from twitter_favs
8 days ago by blackthorne
