RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blog | EDITORIAL | January 31, 2018

Security Theater and the Watch Effect in Third-party Assessments

Before the facts were in, nearly every journalist and salesperson in infosec was thinking about how to squeeze lemonade from the Equifax breach. Let’s be honest – it was and is a big breach. There are lessons to be learned, but people seemed to have the answers before the facts were available. It takes time to dissect these situations and early speculation is often wrong. Efforts at attribution and methods take months to understand. So, it’s important to not buy into the hysteria and, instead, seek to gain a clear vision…

Daniel Miessler
Blog | RESEARCH | January 17, 2018

Easy SSL Certificate Testing

tl;dr: Certslayer allows testing of how an application handles SSL certificates and whether or not it is verifying relevant details on them to prevent MiTM attacks: https://github.com/n3k/CertSlayer. During application source code reviews, we often find that developers forget to enable all the security checks done over SSL certificates before going to production. Certificate-based authentication is one of the foundations of SSL/TLS, and its purpose is to ensure that a client is communicating with a legitimate server. Thus, if the application isn’t strictly verifying all the relevant details of the…

Enrique Nissim
Blog | RESEARCH | November 21, 2017

Hidden Exploitable Behaviors in Programming Languages

In February 28th 2015 Egor Homakov wrote an article[1] exposing the dangers in the open() function from Ruby. The function is commonly used when requesting URLs programmatically with the open-uri library. However, instead of requesting URLs you may end up executing operating system commands. Consider the following Ruby script named open-uri.rb: require ‘open-uri’ print open(ARGV[0]).read The following command requests a web page: # ruby open-uri.rb “https://ioactive.com”   And the following output is shown: <!DOCTYPE HTML> <!–[if lt IE 9]><html class=”ie”><![endif]–> <!–[if !IE]><!–><html><!–<![endif]–><head>                 <meta charset=”UTF-8″>                 <title>IOActive is…

Fernando Arnaboldi
Blog | EDITORIAL | October 3, 2017

[Meta Analysis] Rick and Morty S3E1: The Hacker’s Episode

Hi folks, I’m a huge Rick and Morty fan. Sometimes while watching it, I notice allegories and puns related to security, privacy, physics, psychology, and a wide range of scientific fields. Because of this, I’ve decided to review some Rick and Morty episode and share my observations with the wonderful folks who work in these fields and those who aspire to 😉 Enjoy! A machine force feeding a human. Being brutally and utterly dedicated to our whims, the robots show us how perverted…

Keith Makan
Blog | EDITORIAL | June 14, 2017

APIs are 2FA Backdoors

 Two-factor Authentication (2FA) today is something like having a firewall in the year 2000: if you say you have it, it basically stops any further questioning.   Unfortunately, when you have a powerful and mismanaged API, 2FA is about as effective as having a stateful firewall protecting a broken web application. It’s time we accept as an industry that API keys and secrets are essentially usernames and passwords, except they’re designed to be used in an automated way to perform your company’s most sensitive functions, often instrumented by…

Daniel Miessler
Blog | INSIGHTS | May 20, 2017

Post #WannaCry Reaction #127: Do I Need a Pen Test?

In the wake of WannaCry and other recent events, everyone from the Department of Homeland Security to my grandmother are recommending penetration tests as a silver bullet to prevent falling victim to the next cyber attack. But a penetration test is not a silver bullet, nor is it universally what is needed for improving the security posture of an organization. There are several key factors to consider. So I thought it might be good to review the difference between a penetration test and a vulnerability assessment since this is a…

Daniel Miessler
Blog | INSIGHTS | May 16, 2017

#WannaCry: Examining Weaponized Malware

Attribution: You Keep Using That Word, I Do Not Think It Means What You Think It Means… In internal discussions in virtual halls of IOActive this morning, there were many talks about the collective industry’s rush to blame or attribution over the recent WanaCry/WannaCrypt ransomware breakouts. Twitter was lit up on #Wannacry and #WannaCrypt and even Microsoft got into the action, stating, “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.” Opinions for blame and…

Brad Hegrat
Blog | INSIGHTS | May 13, 2017

We’re gonna need a bigger boat….

A few weeks ago back in mid-March (2017), Microsoft issued a security bulletin (MS17-010) and patch for a vulnerability that was yet to be publicly disclosed or referenced. According to the bulletin, “the most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. This security update is rated Critical for all supported releases of Microsoft Windows.Normally, when Microsoft issues a patch or security there is an acknowledgment on their website regarding…

Brad Hegrat
Blog | RESEARCH | October 18, 2016

Let’s Terminate XML Schema Vulnerabilities

XML eXternal Entity (XXE) attacks are a common threat to applications using XML schemas, either actively or unknowingly. That is because we continue to use XML schemas that can be abused in multiple ways. Programming languages and libraries use XML schemas to define the expected contents of XML documents, SAML authentications or SOAP messages. XML schemas were intended to constrain document definitions, yet they have introduced multiple attack avenues. XML parsers should be prepared to manage two types of problematic XML documents: malformed files and invalid files. Malformed files do…

Fernando Arnaboldi
Blog | INSIGHTS | September 1, 2016

Five Attributes of an Effective Corporate Red Team

After talking recently with colleagues at IOActive as well as some heads of industry-leading red teams, we wanted to share a list of attributes that we believe are key to any effective Red Team. [ NOTE: For debate about the relevant terminology, we suggest Daniel’s post titled The Difference Between Red, Blue, and Purple Teams. ] To be clear, we think there can be significant variance in how Red Teams are built and…

Daniel Miessler & Ryan O'Horo

Last Call for SATCOM Security

This research comprehensively details three real-world scenarios involving serious vulnerabilities that affect the aviation, maritime, and military industries. The vulnerabilities include backdoors, insecure protocols, and network misconfigurations.

View Whitepaper