Vivek Ramachandran is perhaps best-known for his work on wifi security: he is, after all, the author of BackTrack 5 Wireless Penetration Testing. He’s also the founder and CEO of SecurityTube, which provides online security training. At Black Hat Europe 2013, however, his focus was elsewhere. Vivek presented a workshop on pen-testing iOS applications. And he thinks its time we stopped thinking about Android as the only vulnerable mobile platform. In this interview, he explains why he decided to look at iOS. And he also touches on the continuing sorry state of wifi security.
SSL has come in for a lot of bashing lately, and Imperva is one of the latest to provide a means for making SSL-encrypted web sessions a little less secure. Tal Be’ery, the firm’s web research team leader, explains how Imperva has updated last year’s CRIME (Compression Ratio Info-leak Made Easy) attack to make it more effective. CRIME relied on comparing a piece of known plaintext with its compressed equivalent, sent during a web session as part of an HTTP request – although this required the attacker to be man in the middle. This was later updated to use HTTP responses, but the attack remained of academic interest only. Now Imperva’s TIME (Timing Info-leak Made Easy) attack replaces comparisons of message length with time comparisons. Tal explains the significance of this and why, although we may not see this attack used in the wild, it presents an interesting template for how encryption can be defeated through the accidental leaking of significant information.