You might have noticed the SSL/TLS authentication gap vulnerability that was announced publicly in November. If not, you can find the original whitepaper at phonefactor.com. Thierry Zoller also published a detailed analysis and description of the problem.
Like many others, we have spent some time on that vulnerability. Unfortunately, the original Proof-of-Concept code is [...]
Planning a pentest:
Sorry, but the semester break of the college student developing the security toolkit is over, so there’s some delay.
In two and a half months it’s Hack.lu time again. Everybody is registered and accommodations are organized. We are looking forward to a great conference and can’t wait for it to start. If you haven’t already done so, register here and get the early bird rate until September 1st. See you there!
Tagged conference, hacklu, luxembourgWhen we went to New York for a meeting with one of our customers, we used the public transportation system there (as parking a car in NYC is suicide). If you’ve never been to the states and experienced their overuse of silly warning labels, you won’t believe what you’ll find on the MetroCard backside:
Right, who’d [...]
Tagged RedTeam…today: House with power button
Tagged RedTeamAs we are usually not allowed to talk about where we are working, we cannot publish comments or photos about the cities we visit. But last time, we were invited for a shooting with the second german television (ZDF) in Kiel at the Independent Centre for Privacy Protection Schleswig-Holstein (ULD), so we can publish some [...]
Tagged RedTeamWe are rather busy these days, but could not help sharing the fun:
This morning, we wanted to rent a car, like many times before. So, we logged in with our corporate account:
And now, have a look at the brand new source code of the login form:
Sixt effectively removed the login for all of their business [...]
Tagged RedTeamThe situation: We had a client application, binary only. With a lot of voodoo, one can trick it into displaying secret stuff (including passwords). But we could neither use copy and paste nor the printing button.
The problem: We need to get the complete list and (like always in pentests, we had not much time). You [...]
In two weeks, we‘ll be attending the Sicherheit 2008 security conference in Saarbrücken.
We’ll be presenting in two tracks. The first presentation is a peer-reviewed paper about a graph-theoretic approach to estimating the costs of penetration tests and how to efficiently distribute the given time for the tests, which will run in the academic track. The [...]
Tagged RedTeamAnother banking story:
Day 1: Got my new account data.
Day 2: Everything works as expected. Changed the initial password (5 digits) to a more secure one (more chars).
Day 3: Everything works as expected (with new password).
Day 4: Everything works as expected.
Day 5: Can’t login. Account has been disabled. Called the bank.
The answer: “Well you have [...]