RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Disclosures | ADVISORIES | May 4, 2010

Authentication Bypass In Tranax Remote Management Software

Reported: 04.05.10. The Tranax Remote Management Software (RMS) allows for the administration of common Automated Teller Machine (ATM) tasks from a remote location. To successfully authenticate to a remote ATM, both the serial number and the RMS password are required. An attacker can leverage an implementation flaw that occurs when verifying credentials to craft a request that bypasses all authentication measures. The attacker could then perform remote management tasks with invalid credentials. The RMS interface is enabled, by default, on a typical ATM installation.

Launch PDF
Barnaby Jack
Disclosures | ADVISORIES | March 18, 2010

SQL Injection and Cross-site Scripting at www.courts.wa.gov

Discovered: 03.18.10. Reported: 03.23.10. The formID parameter at http://www.courts.wa.gov/forms/ is vulnerable to SQL injection. The searchTerms parameter at http://www.courts.wa.gov/search/index.cfm is vulnerable to cross-site scripting attacks. Exploiting these vulnerabilities would likely expose sensitive data and may result in compromise of the affected systems.

Launch PDF
Mike Davis Rich Lundeen & Sean Malone
Library | WHITEPAPER | March 1, 2010

Top Threats to Cloud Computing V1.0

The purpose of this document is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to “Security Guidance for Critical Areas in Cloud Computing.” As the first deliverable in the CSA’s Cloud Threat Initiative, this document will be updated regularly to reflect expert consensus on the probable threats that customers should be concerned about.

Launch PDF
Disclosures | ADVISORIES | March 1, 2010

Multiple Vulnerabilities in Accoria Web Server

Discovered/Reported to Accoria: December 2008. Date Reported to US-Cert: March 1, 2010. The Accoria Web Server 1.4.7 for x86 Solaris exhibits multiple vulnerabilities, including cross-site scripting, directory traversal, and format string errors.

Launch PDF
Ilja van Sprundel
Blogs | INSIGHTS | February 14, 2010

Infineon / ST Mesh Comparison

Given all the recent exposure from our Infineon research, we have had numerous requests regarding the ST mesh architecture and how Infineon’s design compares to the ST implementation. Both devices are a 4 metal ~140 nanometer process.  Rather than have us tell you who we think is stronger (it’s pretty obvious), we’d like to see your comments on what you the readers think! The Infineon mesh consists of 5 zones with 4 circuits per zone.  This means the surface of the die is being covered by 20 different electrical circuits. The ST mesh…

IOActive
Blogs | INSIGHTS | February 12, 2010

We are now on Twitter too!

We probably should have been tweeting (sic?) for some time now but we are finally doing it! You can join/follow us here: http://twitter.com/semiconduktor As well, you can always get to Flylogic through Semiconduktor.com or Semiconduktor.net :).

Disclosures | ADVISORIES | January 5, 2010

Mach Exception Handling Privilege Escalation

Discovered: 01.05.10. Mach exception handling suffers from a vulnerability that allows an attacker to gain access to the memory of a suid process (set user identifier). Due to a vulnerability that is similar to CVE-2006-4392 (found by Dino Dai Zovi of Matasano Security), it is possible for a suid process to inherit the Mach exception ports of the parent.

Launch PDF
Richard van Eeden
Blogs | INSIGHTS | December 5, 2009

Volunteers to help cleanup WordPress problems?

Whenever the blog is enabled, spammers are able to deface the main pages index.html file replacing it with hundreds of spam links to software. The only way we can stop it is to stop the blog. We’ve tried cleaning the blog up but they still get in somehow through WordPress :(. If you think you can help us, please email tech at flylogic.net Thanks!

IOActive
Library | WHITEPAPER | December 1, 2009

Security Guidance for Critical Areas of Focus in Cloud Computing

What follows is our initial report, outlining areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers. Much of this guidance is also quite relevant to the cloud provider to improve the quality and security of their service offerings. As with any initial foray, there certainly will be guidance that we can improve, and we will likely modify the number of domains and change the focus of…

Launch PDF
IOActive
Disclosures | ADVISORIES | October 13, 2009

Microsoft Windows CryptoAPI X.509 Spoofing Vulnerability

Release Date: 10.13.09. VUPEN ID: VUPEN/ADV-2009-2891. CVE ID: CVE-2009-2510, CVE-2009-2511. Researchers identified two vulnerabilities in Microsoft Windows relating to the use of X.509 certificates. Attackers could exploit these to bypass security restrictions.

Launch PDF
Dan Kaminsky Ian Wright & Jean-Luc Giraud

Commonalities in Vehicle Vulnerabilities

2022 Decade Examination Update | With the connected car now commonplace in the market, automotive cybersecurity has become the vanguard of importance as it relates to road user safety. IOActive has amassed over a decade of real-world vulnerability data illustrating the issues and potential solutions to cybersecurity threats today’s vehicles face.

This analysis is a major update and follow-up to the vehicle vulnerabilities report originally published in 2016 and updated in 2018. The goal of this 2022 update is to deliver current data and discuss how the state of automotive cybersecurity has progressed over the course of 10 years, making note of overall trends and their causes.

ACCESS THE REPORT


IOACTIVE CORPORATE OVERVIEW (PDF)IOACTIVE SERVICES OVERVIEW (PDF)


IOACTIVE ARCHIVED WEBINARS