A Look at CMSs from a Vulnerability Researcher's View

I have been focused on vulnerability research against WordPress plugins and, more recently, Joomla extensions. During my talk at DEF CON 24, I spoke about my research processes and results, but I didn't cover the pros and cons of researching different software products. One of the things I admired while researching WordPress plugins was how they were stored. They each have their own source code repositories, uniformly accessible from the main ...

Hey, Bud, Let’s Party at #RSAC2016: Things I’d Ask Sean Penn

RSAC2016
Folks are grousing about RSA's decision to tap actor Sean Penn for the closing keynote this week, since the man knows nothing about security. I share the sentiment, yet I find myself daydreaming about being in the interviewer's chair instead of RSA President Amit Yoran. From the keynote description: Yoran will talk with Penn about his work as an actor, producer and director, about his philanthropy and public advocacy, ...

uKnowKids Apparently Didn’t Know Security

Misconfigurations are a pain in the arse. They lead to more website compromises than inverted flux capacitors. But, in all seriousness, it seems that the company uKnowKids had an insecure MongoDB setup that was swinging in the breeze. Along came Chris Vickery, who discovered the database, which had been dangling online for at least 7 weeks, and let the company know. From The Register: A misconfigured database at uKnowKids....

United Nations Website Compromised

United Nations Site Popped
Yesterday morning at about 9 am Eastern, the website databreaches.net noted that the United Nations World Tourism website had been compromised. The underlying software was a PHP-based web forum. Apparently 1524 forum members had their information exposed via a SQL injection attack. When I checked on it at 6 pm the site was still defaced. But, at last, this morning the site has been restored.

Blackberry Buys Encription

The Blackberry Buy
Yes, you are reading that correctly. That is not a typo. It seems that the Waterloo, Ontario-based mobile handset maker, Blackberry, has purchased UK-based security firm Encription for an undisclosed amount. From Reuters: The acquisition will bring a team of about 40 cyber security professionals, who have helped test network vulnerabilities for both government agencies and large corporate entities, into the BlackBerry fold. "This is a ...

Celebrate (and Give) to the Safe and Secure Online program During #RSAC2016

In recent years, I've kicked off my RSA week with a Sunday-night visit to "TongaCon," a gathering of pretty much everyone at the Tonga Room in San Francisco's Fairmont Hotel. The event was shut down early last year because the crowd overwhelmed Tonga staff. For that and other reasons, there won't be a TongaCon this year. But don't be sad. Something awesome will take place in that same space Sunday, ...

RSA Parties 2016

RSA Parties 2016 List
It is that time of year again and the RSA Parties 2016 list is here. The RSA Security Conference approaches. This year it is back where it used to be, at the end of February. I didn't do a party post last year as I was overwhelmed with work/life imbalances. This year has started off at a saner pace, so here we are. There are ...

A “Faces Of DEF CON” Clique?

Recently on Twitter, infosec pro Marcus Carey voiced his dislike for all the "Faces of DEF CON" avatars people are using. Specifically, he said every time he sees one he wants to unfollow the person. Asked why, he opined that it was "infosec clique culture at its finest." I responded that I was keeping my own avatar and that he could go ahead and unfollow me. It was an honor ...

Liquidmatrix Reflections

I found myself sitting in a hotel room in some random city recently with a glass of wine, several open PowerPoint decks and Family Guy on the television. A moment of reflection if ever there was one. It occurred to me that Liquidmatrix just had its 17th birthday this past February. That is a helluva long time for a website of any description. It has been a lot of ...

Stepto Rising

Like many of you, I was shocked last week to hear that Stephen "Jamie" Toulouse (@Stepto) had fallen into a deep coma. Family members took to social media to say that his prognosis wasn't looking good; that he wasn't expected to survive. But thanks to excellent medical care, prayer and what is surely a strong will to live, Stepto -- director of hacker success at HackerOne -- seems to have ...