Category Archives: Infosec

ContraRisk Security Podcast 0008: Old and new threats

» Listen or download now from the podcast page » In all the excitement and hype that inevitably surrounds the identification of new threats, it’s important not to lose sight of the menace posed by previous security vulnerabilities and malicious actors – most of whom aren’t going away any time soon. The danger they present hasn’t diminished just because new ones have…

ContraRisk Security Podcast 0007: #BlackHatEU – iOS pen-testing and attacking SSL

» Listen or download now on the podcasts page » Vivek Ramachandran is perhaps best-known for his work on wifi security: he is, after all, the author of BackTrack 5 Wireless Penetration Testing. He’s also the founder and CEO of SecurityTube, which provides online security training. At Black Hat Europe 2013, however, his focus was elsewhere. Vivek presented a workshop on pen-testing…

ContraRisk Security Podcast 0006: #BlackHatEU – Kali Linux

» Listen now or download on the podcasts page » Offensive Security used Black Hat Europe in Amsterdam to launch the next incarnation of its popular pen-testing Linux distribution. BackTrack has now become Kali – a name derived from a warlike god or an African word meaning ‘hot’ or ‘fierce’ – take your pick. It represents a somewhat surprising change in direction…

#BlackHatEU : When security appliances become your security problem

It’s a depressing fact that, sometimes, the very defences you put in place to protect your organisation can become the weakest point. In a presentation at Black Hat Europe, Ben Williams, a pen-tester with NCC Group, showed that many security products have flaws that can be exploited by attackers. It’s actually the second such presentation he’s given. The first was…

ContraRisk Security Podcast 0005: #BlackHatEU – SQLi

The ContraRisk crew is in chilly Amsterdam for Black Hat Europe 2013. And to get our coverage of the event rolling, we start with an old favourite – SQL injection (SQLi). » Listen or download now on the podcast page » Sumit ‘sid’ Siddharth, head of penetration testing for 7Safe (now part of PA Consulting), is a regular at security conferences, running…

UPnP and the communication problem

HD Moore of Metasploit fame publishes a blog post about Universal Plug and Play (UPnP) vulnerabilities and now the Twittersphere is burning with prognostications of doom. The blog post is based on some very interesting research by Rapid7 which does indeed make for worrying reading. But for me, the part that raises the greatest concern is the appendix. In it, Rapid7 lists previous research…

Dangerous data

Data is dangerous stuff. In spite of the old cliché about it being the ‘lifeblood’ of your business, having too much of it can be a problem. Many companies merrily accumulate as much data as they can – not least by collecting unnecessarily large amounts of intelligence about their customers – on the basis that it is somehow an asset…

Has your database been abused? No? It will be…

It was with a strange mixture of amusement and dismay that I read about DVLA having to deny database access to hundreds of organisations. For non-UK readers, the Driver Vehicle and Licensing Agency (DVLA) is the government organisation that handles vehicle registrations and driving licences. If you want to know, for example, who owns a vehicle, based on its number…

What is a secure password?

Any password can be cracked, given enough time. All you’re doing when you choose a nice strong password – 20 characters, say, with upper- and lowercase, numerals and symbols – is slow down would-be attackers. Make it complex enough and it might take them an aeon or two to crack it. Even if they’re the NSA. That’s assuming, of course,…

The asymmetric struggle

One of the most exasperating things about attempting to defend an organisation against attacks by hackers is that the conflict is so asymmetric. Enterprises and public bodies operate within the law – well, most of them – and are constrained by ethical and regulatory considerations. Attackers do not and are not. There must be legions of corporate infosecurity professionals who…