Articles

Get all-in-one coverage of Internet security and online privacy issues brought up by the industry’s leading experts at security conferences and seminars.

Web Application Hacking 5: Tools for Decrypting SSL and TLS Traffic

This is the final part of the lecture describing Convergence as an alternative to the CA system, also covering sslstrip, sslsniff and other tools compromising SSL / TLS protocols. Let’s get back to the problem of secure protocol. (Slide 38) The problem with SSL and the secrecy is that everyone is a CA...

Web Application Hacking 4: Notorious CA Hacks

Find out in this part of the lecture at FSU about the most outrageous certificate authority attacks of the last years and the consequences they could lead to. So, about securing the Internet. Let’s go over some important certificate authority attacks (see right-hand image). Now in this first slide I used...

Web Application Hacking 3: Hurdles for Securing the Internet

This part of the lecture encompasses an insight into the trust issues associated with certificate authorities, SSL vulnerabilities, and CA scoping problems. So, who can become a certificate authority? Any ideas? You, me, anyone really. What’s the problem here? The problem is when you visit a website and...

Web Application Hacking 2: Components of Public Key Infrastructure

From this entry, which is a follow-up on the dedicated lecture at FSU, you can learn an in-depth outline of how digital certificates and certificate authorities work. Certificates are composed of a public and a private key. I should mention that there was a point where there was only one root certificate...

Web Application Hacking – SSL / TLS Infrastructure and Attacks

This article highlights the issues raised at the Florida State University lecture for “Offensive Security” regarding SSL and TLS protocols, namely their background, infrastructure, flaws and known crypto attacks. The outline for today’s talk is we’re going to go over SSL and TLS and cover its...

CuteCats.exe and the Arab Spring 3: Surveillance Malware in Libya and Bahrain

Morgan Marquis-Boire finishes his Black Hat presentation with analysis of governmental cyber operations held during protests in a number of other Arab states. Syria isn’t the only country in this region that has experienced these types of operations though. After the success of the revolution in Tunisia,...

CuteCats.exe and the Arab Spring 2: Social Engineering and Remote Access Toolkits

Google’s Morgan Marquis-Boire is focusing on governmental use of topical social engineering, surveillance malware and remote access toolkits in Arab countries. While we’ve seen a steady stream of Facebook phishing attacks, we’ve also seen attacks focusing on Skype and YouTube. Many of you may have...

CuteCats.exe and the Arab Spring: Governments vs Dissidents

Morgan Marquis-Boire, Security Engineer at Google Incident Response Team, analyzes the digital aspect of activism and anti-dissident activities during the Arab Spring. Hello and welcome to CuteCats.exe and the Arab Spring. My name is Morgan Marquis-Boire and I work on the Google Incident Response Team....

The State of Web Exploit Toolkits 4: Phoenix and Newer Kits

The presentation ends with the analysis of the Phoenix exploit kit’s features, details on newer kits from all over the world, and a summary of the research. Phoenix Exploit Kit: The next kit I’m going to talk about is Phoenix. It’s been around since 2007, it’s pretty old, it’s up to version 3. They...

The State of Web Exploit Toolkits 3: How BlackHole Works

Jason Jones covers herein some of the specific features inherent to BlackHole kit, including JavaScript and PDF obfuscation details, JavaScript shellcode, etc. Now I’ll actually get a little bit more into how it works. Running all these things through our sandbox, we’ve looked a lot at URLs that it...