Security Blog
Posts tagged security
T-Mobile 4G Hotspot Multiple Vulnerabilities
10 years
About
“Create your own personal hotspot on the go with the T-Mobile 4G Mobile Hotspot—get high-speed Internet on up to five Wi-Fi devices, using a single mobile broadband connection.”
Link to Product on T-Mobile’s Website
Timeline
- Reported to T-Mobile and ZTE on 4/14/12.
- Received notification from T-Mobile on 4/17/12 that the vulnerabilities would be forwarded to their security team for review.
- Received no meaningful response from ZTE.
- No fixes provided, disclosure 2/21/13
Device: T-Mobile 4G Mobile Hotspot ZTE MF61
The access point broadcasts as ‘T-Mobile Broadband#’ where # changes per device.
My Plea to Oracle: Axe Java Applets
10 years
by Dustin Schultz
in Blog
Hi Oracle,
We’ve got a bit of problem: applets.
You see, almost every recent security vulnerability and recent hack – Facebook, Apple, NYT – has been because of your support for applets.
Just to name a few, there’s CVE-2012-3213,CVE-2012-3342,CVE-2013-0351,CVE-2013-0409,CVE-2013-0419,CVE-2013-0423,CVE-2013-0424,CVE-2013-0425,CVE-2013-0426,CVE-2013-0427,CVE-2013-0428,CVE-2013-0429,CVE-2013-0432,CVE-2013-043,CVE-2013-0434,CVE-2013-0435,CVE-2013-0438,CVE-2013-0440,CVE-2013-0441,CVE-2013-0442,CVE-2013-0443,CVE-2013-0445,CVE-2013-0450,CVE-2013-1473,CVE-2013-1475,CVE-2013-1476,CVE-2013-1478,CVE-2013-1480,CVE-2013-1481,CVE-2013-1486,CVE-2013-1487,CVE-2013-1488.
I’ve been developing in Java for many years and I can attest that nobody uses applets anymore. It’s old outdated technology that needs to go away. It’s too heavy of a platform to deliver web applications. The future of web technology is light weight. The future is HTML5, Javascript, and CSS3.
We all make mistakes and nobody is going to blame you (except maybe the malware authors) for getting rid of applets.
Do it! Axe it!
Sincerely,
Security Enthusiast and Java Developer
Dustin Schultz
Secure WordPress Admin Login Without HTTPS
12 years
by Dustin Schultz
in Security
I use WordPress as my blogging platform and unfortunately I’m on a shared host that charges a lot extra in order to serve HTTPS…even if it’s a self-signed certificate. My only use for HTTPS is logging in to the WordPress administrative console for management and new posts so it doesn’t really make sense to fork over that extra cash. Likewise, I tried the shared certificate provided by my host but that sent WordPress into a redirect loop for some reason.
If you’re in the same boat as me, there are a couple things you can do without spending any money. (more…)