6.5 million LinkedIn password hashes breached, which raises the fear that many more passwords are likely breached. Many passwords were related to LinkedIn. It’s still early days on the leaking of the 6.5 million LinkedIn password hashes. I’ve looked at the text file, and half of them are indeed SHA-1 hashes – the other half […]
Category: researchblog
Updating OpenDLP to support Oracle Databases for PCI DSS
Updating OpenDLP can support Oracle Databases for the PCI DSS process when looking for credit card numbers and passwords searching Windows or Unix file systems. OpenDLP is an excellent tool for looking for credit card numbers as part of a PCI DSS scoping process, or looking for passwords and other sensitive data during a penetration test. It […]
Gambling Commission ISO 27001 Security Requirements and Penetration Testing
The Gambling Commission requires that remote gambling licence holders get annual ISO 27001 security audits done. This needs to cover a specific subset of ISO 27001 controls, which are listed in section five of the Remote Gambling and Software Technical Standards document. The specific subset focuses on access control, communications and operations, and software development, […]
Configuring Metasploit for Client Side Attacks
During a client side test, several areas need to be set up for a successful attack. In this short article I will describe how to configure Metasploit by making use of the features in the latest release (currently 4.1). The client side attack we are considering here is an email with a link to a download, […]
Virtual Security Management
Virtual Security Management – Virtualisation is amazing for running things simultaneously, on-the-go etc., but security problems do come with the positives. First of all, in the interests of fairness, I should point out that I think virtualisation is amazing. I love the idea that my laptop can run several different, largely independent operating systems simultaneously. […]
Security is a Process, not a Product
Security is a process, not a product – Strong IT security brands encourage the use of a single commercial product but this is not as secure as a process. It’s not a novelty to say that the market is often regulated by the strong business brand and it is no exception for IT security. Companies […]
Custom Access Control
Custom Access Control – Penetration testers may get distracted by technical issues, forgetting that simple logical flaws could be the cause of a security breach. As penetration testers we have a tendency to get caught up in the latest exploit, or the most intricate piece of SQL injection or cross-site scripting, and so it is sometimes […]
Reviewing Your Security After Sony, RSA and IMF Breaches
Perhaps it is worthwhile to review your security systems after Sony, RSA and IMF are all breached through either direct penetrations or phishing attacks. The various publicised data and network breaches (or “hacks”) this year seem to fall into two camps. The first camp includes the more straightforward direct penetrations into networks and websites, such […]
Vulnerability: Kodak InSite Troubleshooting Cross-Site Scripting
Kodak InSite is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. CVE: N/A. Published: Mar 7 2011 08:55AM. Vulnerable: Kodak InSite 5.5.2. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal […]
Vulnerability: Domino Sametime Server Reflected Cross-Site Scripting
Domino Sametime is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. CVE: CVE-2011-1038. Published: Feb 16 2011 09:33AM. CVSS: 4.3. Vulnerable: Domino Sametime 8.0.1. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to […]