Continuing my exploration of iOS Apps, I setup an email account with the iOS Mail App and Hotmail. The iOS Mail App will use whatever protocol it is configured to use to retrieve and send email. In this case, I chose Microsoft Hotmail. To capture traffic and see what is going back and forth, I […]
Following this week’s hype of HTTP Request Hijacking presented at RSA Europe 2013, I began experimenting with iOS apps that use HTTP instead of HTTPS. In this post I will summarize the presented attack vector and focus on the iOS Stocks App. Summary of HTTP Request Hijacking HTTP Request Hijacking should only work on apps […]
I will be teaching the SANS Security 560: Network Penetration Testing and Ethical Hacking at a SANS Community event in Atlanta, Georgia from September 12 – 17. This is by far my favorite SANS class. Here is mores information straight from SANS: As cyber attacks increase, so does the demand for information security professionals who […]
Frequently Asked Questions related to SSL Renegotiation Denial of Service Q. What is the difference between SSL and TLS? A. SSL and TLS is the same thing. For trademark reasons when SSL became an open standard it had to change its name from SSL to TLS. TLS 1.0 is essentially SSL 3.1 – it even […]
Attacks are moving from your operating system to your third party applications including but not limited to your web browser, PDF reader, video players, etc. Additionally, software makers patch their software multiple times per year. For these reasons, I recommend you ensure ALL your software is up to date. To check if your browser and […]
Blackhat Europe 2011 just wrapped up. If you weren’t able to make it (like me) then we must rely on the community to fill us in on what went down until Blackhat.com puts up the archives. I would like to share the write ups I found most useful: Corelan.be Day 1 Rootshell.be Day 1 Corelan.be […]
Every information security professional will tell you to use different passwords for every site. This is because if one site gets compromised and your password is cracked then the attacker can log into every site you use. The biggest complaint consumers have with using different passwords is remembering them all; now you don’t have to. […]
It seems the information security industry has finally convinced Twitter to enable HTTPS and provide an option to have it enabled always. Tools like FireSheep and multiple research has been pushing companies to force HTTPS all the time. Make sure to enable this especially fi you frequent public networks. Twitter has posted this blog post with […]
Having SSL Renegotiation enabled is a denial of service attack vector. An SSL Renegotiation Man in the Middle vulnerability was reported in 2009 as CVE-2009-3555. The vulnerability relies on two key issues: having SSL Renegotiation enabled and having a vulnerable SSL Implementation (pre RFC 5746 also known as insecure renegotiation). There is another issue that ONLY requires having […]
I was going through my Facebook Account a settings as everyone should be doing and found a few new settings and options I did not know about. Facebook Account settings may be accessed through the top right of any Facebook page once you are logged in. Some changes I made today: Password – you should […]