Yet Another HeartBleed.

This Heartbleed Information Disclosure Vulnerability has pretty much been covered all over the internet today (8th April 2014).  As a one-page-stop summary, please read below: An online site exists to check vulnerabilities: http://filippo.io/Heartbleed/ Source Code available at: https://github.com/FiloSottile/Heartbleed A python script (thats much better): http://s3.jspenguin.org/ssltest.py A second version of above code with STARTTLS Support: https://gist.github.com/takeshixx/10107280 A good breakout of why the bug exists is here: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html Watching twitter has been entertaining, login.yahoo.com has been leaking user…

ATM In-Security in 2013 | ATM Security Flaws & Vulnerabilities

Introduction With the recent SecTor security conference in Toronto Canada, once again ATM security flaws have risen to the top of the agenda.  ATM flaws have become wide-stream knowledge since Barnaby Jack showed off his ‘Jackpotting‘ attack.  ATM flaws have once again become a hot-topic since the late Barnaby’s demise two weeks prior to this years Blackhat conference (USA 2013) where he was going to present about Pacemaker flaws.  Barnaby…

New WiFi Pineapple; From Britain with Love!

Introduction Since approximately around the time of our posting Blue for the Pineapple (6 months ago). Hak5 Pineapple Team have disappeared underground to produce the new Mark 5 Pineapple. A customised board that is cheaper to produce and more easily affordable. The Mark 5 has 2x WiFi cards (Atheros 9331 & RTL8187 (famously known as an Alfa)), with SMA connectors. Twice the RAM & ROM (16MB & 64MB), with the…

Creating Your Own Certificate Authority | InteliSecure

Background Being a pentester I often have to tackle the issue of self-signed certificates on the internal network.  All our automated tools (Nessus, Nexpose, OpenVas) flag several SSL issues related to untrusted certificates, weak ciphers, weak hashing algorithms and self-signed certificates.  The usual advice is to disable weak ciphers, and to re-issue and re-sign the certificates.  The big question from customers is “But why should we purchase certificates for servers…