SAML assertions are becoming a popular method for passing authentication and authorisation information between identity providers and consumers in various single sign-on protocols. However, their practical security depends strongly on correct implementation, especially on the consumer side. Somorovsky and others have demonstrated a number of XML signature related vulnerabilities in SAML assertion validation frameworks. This article demonstrates how bad library documentation and examples can lead to vulnerable consumer code, and how this can be avoided.
A very important research paper has just been published on eprint: a wide-ranging analysis of the practical security of RSA keys found in the wild. It shows that implementation or usage issues resulting in weak keys are much more widespread than previously expected.
The IETF has just accepted an Internet standard draft proposal for "Mediated RSA cryptography specification for additive private key splitting (mRSAA)", authored by cryptographers from Trusted Information Consulting and Wroclaw University of Technology.
My presentation from the European Electronic Signature Forum 2011 discusses the various legal and technical issues of EU Directive 1999/93/EC on electronic signatures that have prevented widespread adoption of the signature on the EU market.
Security paper by Marcin Olawski. Abstract: The GSM network is the biggest IT network on Earth. Most of its users are connected to this network 24 hours a day, but not many know anything about GSM security, how it works and how good it is. Most people blindly trust GSM security and send over the network not only their very private conversations and text messages, but also their current location. This paper will describe how that information is guarded in 2G networks and how much of it an attacker can access without our permission or knowledge.
The Digital Library of Politechnika Łódzka has just published "Ćwiczenia laboratoryjne z bezpieczeństwa systemów sieciowych: dla studentów studiów I stopnia kierunku informatyka" (Laboratory exercises in network systems security: for first-cycle computer science students). The electronic version of the coursebook is publicly available and free of charge.
Suricata is a new open-source intrusion detection product from the Open InfoSec Foundation, much like, and mostly compatible with, the well-known Snort. Suricata is still in beta and did not compile cleanly on OpenBSD. Now it does.