Sunday, 1 March 2015

Can a Radius server mitigate an ARP spoofing attack?



I'm helping my school network administrator try to find a way to mitigate a current ARP spoofing attack on our wifi network. We detected an unknown host (the MAC address seems to change; he is probably using macchanger or something similar) sending forged ARP packets into the network.


After some discussion, we agreed to use a freeradius authentication server to make it easy to discover who is at the origin of the attack.


But as I'm not a security specialist (only an enthusiast) and don't know a lot about the RADIUS protocol, I wondered whether the freeradius server could mitigate a later ARP spoofing attack (if someday another student decides to try this kind of attack again), and how to configure it to do so.


Thanks for your help ;)





Asking questions randomly from a set of questions instead of a password?



I was thinking about this for a while. Say we have an app for which there is an admin console, and we need to provide access to the admin console over the browser (yes, HTTPS).


For authentication, instead of asking for a password, would the following be more secure?



  1. Prepare a set of very uncommon questions of very, very wide scope, the answers to which hardly any friends or family would know. At least it is safe to assume that no one person would know the answers to all those questions altogether. These questions can be about minor things that happen in your life and don't matter enough that you would tell anyone.

  2. Store answers to these questions in a normalized form: trim whitespace, remove punctuation, etc. And salt-hash them just like you do with passwords.

  3. On login, ask these questions in random order (and ask only a part of the questions, so that the set is different the next time the hacker attempts to log in). At the end, verify all the answers together, and if they are valid, log the user in.


I am wondering if this will be any more secure than the present methods around. If not, is there something I am missing?





New Huawei Watch could become the best Android smartwatch



Huawei has leaked its new smartwatch, named the "Huawei Watch", ahead of an expected official unveiling at MWC 2015 later today. Find out all about it here.








How to safely display html emails like gmail does it?



I'm building a webmail client, which must be able to display HTML emails. But how do I prevent XSS and similar attacks while not losing HTML formatting?


In Gmail, when I receive some emails from, let's say, Twitter, they are nicely formatted. I'm after something like this.


HTML5 supports the sandbox attribute for iframes, which seems to solve my problem, but it's badly supported. I need a solution which works in MODERN browsers, but which doesn't become insecure in old browsers. It is acceptable for this NOT TO WORK at all in old browsers, but it cannot become insecure. It should work in IE9 and above.


What are my options?
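One way to meet the "may not work, must not become insecure" requirement, as an added example that is not part of the question: the message body is served from a separate, cookie-less origin with a restrictive Content-Security-Policy, shown in an iframe with an empty (fully restrictive) sandbox attribute, and browsers that do not implement sandbox fall back to the text/plain part instead of rendering HTML at all. MAIL_ORIGIN and the /body/ path are assumptions.

```javascript
// Hypothetical separate origin that serves raw message bodies; it must never share
// the webmail application's origin or cookies.
const MAIL_ORIGIN = 'https://mail-content.example';

// Fail-closed feature detection: browsers that implement sandboxing expose the
// 'sandbox' property on iframe elements; older ones (IE9 among them) do not.
function supportsSandbox(iframeElement) {
  return 'sandbox' in iframeElement;
}

// CSP the content origin should send with every body: no scripts, plugins, forms or
// base-href tricks; inline styles keep the formatting; remote images are opt-in
// because loading them reveals that the mail was opened.
function bodyCsp({ allowRemoteImages = false } = {}) {
  const img = allowRemoteImages ? 'img-src https: data:' : 'img-src data:';
  return `default-src 'none'; ${img}; style-src 'unsafe-inline'; form-action 'none'; base-uri 'none'`;
}

// Decide how a message is shown; 'text' means the caller renders the plain-text part.
function renderPlan(iframeElement, messageId) {
  if (!supportsSandbox(iframeElement)) return { mode: 'text' };
  return {
    mode: 'html',
    src: `${MAIL_ORIGIN}/body/${encodeURIComponent(messageId)}`,
    sandbox: '',                    // empty value = all restrictions: no scripts, opaque origin
    referrerPolicy: 'no-referrer',  // do not leak the webmail URL to remote resources
  };
}

// Create and attach the frame in the given document (the real DOM in a browser).
function mountMessageFrame(doc, container, messageId) {
  const frame = doc.createElement('iframe');
  const plan = renderPlan(frame, messageId);
  if (plan.mode !== 'html') return plan;   // nothing mounted; show text/plain instead
  frame.setAttribute('sandbox', plan.sandbox);
  frame.setAttribute('referrerpolicy', plan.referrerPolicy);
  frame.setAttribute('src', plan.src);
  container.appendChild(frame);
  return plan;
}
```

Scripts, event handlers and form posts in the message are neutralised by the sandbox and the CSP together, so neither has to be the only line of defence.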





OSX Yosemite and Security/Privacy



I currently have a MacBook Pro running OS X Mavericks. Being the skeptic that I am, I always wait a bit before upgrading to 'new' OS versions when they are released, to see how they fare both stability- and usability-wise.


A number of privacy issues have been found in OS X Yosemite, including but maybe not limited to:




  • Spotlight: Searches will be sent to Apple servers to 'improve' search functionality.

    While probably true, this also creates a huge privacy leak that I am not fond of, since it could also send Apple searches I make when I look for files on my own system, e.g. supersensitivefile.pdf.

    This can be disabled under System Preferences > Spotlight > Search Results.




  • Safari: Safari also has a Spotlight suggestions option which sends your searches to Apple. This makes the usage of privacy search engines like DuckDuckGo, etc., virtually useless.

    This can again be disabled under Preferences.




  • Mail: probably one of the strangest ones yet: if you set up an account through the Mail app, the domain will be sent to Apple for some reason.

    The only workaround is to not use the app at all but to use an open-source mail client that you feel you can trust. (In my case I am already using Thunderbird.)




  • About This Mac and cookies: When you open About This Mac, data and a cookie are sent to Apple that are used to uniquely identify users. This cookie tracks the IP address that you initially visited Apple.com from, as well as the IP addresses from all subsequent connections to Apple through Spotlight or Safari.

    There currently appears to be no way to disable this at all. The data is sent to Apple even if you have location tracking turned off and have not signed into iCloud.




Personally I feel like these features are cause for serious concern as to the integrity of the OS privacy-wise (for some, this is synonymous with security). However, I feel like I can't keep using Mavericks forever either, since eventually the risk of security leaks being found in the outdated OS increases.


My question is basically twofold:


1) Is there any way to avoid these security/privacy risks while still using the new Yosemite OS? If not, has there been any word from Apple as to whether or not they will curb back on this invasive functionality anytime soon? (I have not been able to find any news about it myself)


2) From a security/privacy point of view, could it ever be considered safe to use Yosemite while these features are around?


(If there are any concerns I might have missed then feel free to add)





Certificate pinning and the key distribution problem



I (think I) understand the concept of certificate pinning. However, I'm wondering whether, in the worst-case scenario, certificate pinning is any more secure than the hierarchical trust model it is built upon. An example scenario:



  1. I develop a mobile app, which uses secure connections

  2. To encrypt these secure connections, I need a key

  3. In the past, I'd just use HTTPS for the secure connections, and made sure my service had a valid certificate. I rely on others for my security.

  4. Now, I don't want to rely on others anymore, so I start pinning my service certificate (let's say certificate X). This means that shifty CAs will not be able to break my security. Let's say I pin my public key, so effectively this means I don't trust any CA (otherwise I could pin a CA).

  5. This brings me back to the original key distribution problem, that PKI was to solve: how do I distribute my application to my users? I don't want an attacker sitting in the middle of the channel and replacing my application with another one (and with another pinned certificate Y).

  6. Well, that's easy: I use HTTPS.

  7. ...

  8. I use HTTPS, which checks the certificates against the MS Windows store, which means I have to rely on the shifty CAs from step 4.

  9. Sidenote: every time I send an update, an attacker (a shifty CA) might be prepared to intercept my update and replace the pinned public key with another one.


The OWASP page mentions that the pin can be added during development or upon first encounter. However, when adding it during development, we still have to distribute the app to the users, which will pivot over the security issue to the distribution channel. This distribution channel might also pin certificates, but in the end, it all comes down to the trust of your first channel. In case of MS Windows, this is the MS certificate list: even though Chrome might check the pin of all Google domains, I first need to install Chrome over a secure connection.


I'm not saying certificate pinning is not any more secure (although I'm not sure about the added value, especially when considering point 9), I'm just wondering if the above reasoning is correct.





Prevent location being exposed through VPN



I use the Astrill VPN service to access websites that my country has blocked. There is nothing sinister going on here. Sites like Google and YouTube have all been blocked. This VPN service offers about 20 servers within the U.S., which I often switch between depending on their speed. I'm not advertising here; I want to point out that this problem is specific to certain servers.


Recently I have noticed that Google will always redirect me away from .com to a certain country's TLD. As I mentioned, this is on about half of the servers offered. Somehow Google is able to determine my location, even though I am behind a VPN. Note: This is not a problem of being exposed when the VPN connection drops.


Checking my IP on one of the many 'what's my IP' sites does not reveal my real location. Checking my location using HTML5's geolocation API does, though my browser(s) will always ask for confirmation first. Even then the location is a city on the other side of the country, which happens to be the same as what Google reports.


Now, I use a desktop PC (no wireless) running Ubuntu 14.04 with both Chrome and Firefox. I have disabled the geolocation service in both browsers. I have even tried disabling JavaScript, thinking they may be using AJAX to get at my IP. Neither worked. And of course I cleared all cookies before retrying.


I contacted Astrill about this problem (their customer support leaves something to be desired) and their answer was:



Your location is being given away by your browser. Not the VPN. You need to disable WebRTC.



Well, that didn't work either. So, now I'm trying to figure out just how Google is able to do this. Looking at the HTTP headers, I see that GET www.google.com returns a "302 Found" response with the 'Location' header pointing to the country-specific domain. I don't see any requests containing my IP, though I know my IP is standard in all requests. To confirm this is not a problem with my browser, a curl GET of http://www.google.com returns the same '302 Found' response.


Can anybody tell me how Google does this? But, most importantly, tell me how my VPN servers may be leaking this information?


Update:

According to ipleak.net, nothing is being exposed.


Update:

Latest response from "technical support":



Use www.google.com/ncr