26Dec, 2013

Hotmail & Basic Auth on iOS Mail App

Continuing my exploration of iOS Apps, I setup an email account with the iOS Mail App and Hotmail. The iOS Mail App will use whatever protocol it is configured to use to retrieve and send email. In this case, I chose Microsoft Hotmail. To capture traffic and see what is going back and forth, I […]

01Nov, 2013

iOS Stocks App

Following this week’s hype of HTTP Request Hijacking presented at RSA Europe 2013, I began experimenting with iOS apps that use HTTP instead of HTTPS. In this post I will summarize the presented attack vector and focus on the iOS Stocks App. Summary of HTTP Request Hijacking HTTP Request Hijacking should only work on apps […]

06Apr, 2011

SSL Renegotiation DOS FAQ

Frequently Asked Questions related to SSL Renegotiation Denial of Service Q. What is the difference between SSL and TLS? A. SSL and TLS is the same thing. For trademark reasons when SSL became an open standard it had to change its name from SSL to TLS. TLS 1.0 is essentially SSL 3.1 – it even […]

04Apr, 2011

Browser Security

Attacks are moving from your operating system to your third party applications including but not limited to your web browser, PDF reader, video players, etc. Additionally, software makers patch their software multiple times per year. For these reasons, I recommend you ensure ALL your software is up to date. To check if your browser and […]

19Mar, 2011

Blackhat Europe 2011 Recap

Blackhat Europe 2011 just wrapped up. If you weren’t able to make it (like me) then we must rely on the community to fill us in on what went down until Blackhat.com puts up the archives. I would like to share the write ups I found most useful: Corelan.be Day 1 Rootshell.be Day 1 Corelan.be […]

17Mar, 2011

Cross Platform Password Management

Every information security professional will tell you to use different passwords for every site. This is because if one site gets compromised and your password is cracked then the attacker can log into every site you use. The biggest complaint consumers have with using different passwords is remembering them all; now you don’t have to. […]

15Mar, 2011

Making Twitter More Secure: HTTPS

It seems the information security industry has finally convinced Twitter to enable HTTPS and provide an option to have it enabled always. Tools like FireSheep and multiple research has been pushing companies to force HTTPS all the time. Make sure to enable this especially fi you frequent public networks. Twitter has posted this blog post with […]

13Mar, 2011

SSL Renegotiation Denial of Service

Having SSL Renegotiation enabled is a denial of service attack vector. An SSL Renegotiation Man in the Middle vulnerability was reported in 2009 as CVE-2009-3555. The vulnerability relies on two key issues: having SSL Renegotiation enabled and having a vulnerable SSL Implementation (pre RFC 5746 also known as insecure renegotiation). There is another issue that ONLY requires having […]

12Mar, 2011

Facebook – Download your Information

I was going through my Facebook Account a settings as everyone should be doing and found a few new settings and options I did not know about. Facebook Account settings may be accessed through the top right of any Facebook page once you are logged in. Some changes I made today: Password – you should […]