Compass Security Blog

Offensive Defense

New Security Enhancing HTTP Headers

In the past few years, several new HTTP headers have been proposed to increase the security of web applications. They do so by giving the browser additional instructions and information about the served application. These headers can mitigate or avert various common web attacks even when the underlying application contains vulnerabilities, therefore adding another […]
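As an added example (not code from the Compass post), the following Python script parses a raw HTTP response and reports which browser-enforced security headers are missing or configured so weakly that the browser gets no useful instruction. The header set it checks, the minimum HSTS lifetime, and the two sample responses are assumptions constructed for this illustration.

```python
"""Audit an HTTP response for browser-enforced security headers.

Added example, not code from the Compass Security post. The header set,
the thresholds and the sample responses below are assumptions chosen for
the illustration.
"""

# Assumed set of headers to check: each one is an instruction the browser
# enforces on the client side, so it still helps when the application
# behind it has a flaw.
RECOMMENDED = {
    "Strict-Transport-Security": "only contact this host over TLS",
    "X-Frame-Options": "do not render the page inside a frame (clickjacking)",
    "X-Content-Type-Options": "do not MIME-sniff away from Content-Type",
    "Content-Security-Policy": "restrict where scripts and resources may load from",
}

# Assumed minimum HSTS lifetime for this check: about six months in seconds.
MIN_HSTS_MAX_AGE = 15768000


def parse_raw_response(raw):
    """Turn the status line and header block of a raw HTTP response into a dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit(headers):
    """Return (missing, weak): recommended headers that are absent, and present
    ones whose value does not achieve what the header is meant to do."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    missing = [h for h in RECOMMENDED if h.lower() not in lower]
    weak = []

    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        for directive in hsts.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                try:
                    if int(directive.split("=", 1)[1]) < MIN_HSTS_MAX_AGE:
                        weak.append("Strict-Transport-Security: max-age too short")
                except ValueError:
                    weak.append("Strict-Transport-Security: malformed max-age")

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        token = (xfo.strip().upper().split() or [""])[0]
        if token not in ("DENY", "SAMEORIGIN", "ALLOW-FROM"):
            weak.append("X-Frame-Options: value must be DENY, SAMEORIGIN or ALLOW-FROM")

    return missing, weak


# Constructed sample responses (not captured from any real server).
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Apache\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        missing, weak = audit(parse_raw_response(raw))
        print(label, "missing:", missing, "weak:", weak)
        for h in missing:
            print("   ", h, "->", RECOMMENDED[h])
```

The script deliberately does not trust the presence of a header alone: an HSTS header with `max-age=0` or an `X-Frame-Options` value the browser does not understand is no better than no header at all, which is why `audit` returns a separate list of weak values.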

ISSS St.Galler Tagung 2012 – iPhone (In)Security in an Enterprise env

Ivan Bütler, CEO of Compass Security and board member of ISSS, is proud to announce the third ISSS St.Galler Tagung on March 28, 2012 in Saint Gall. Don't miss this event, where we dig into iPhone security. First, Riccardo Trombini will introduce the threats; then a MobileIron and Good Technology expert answers with the appropriate remedy. […]

BeanShell puts Java Application Servers at Risk

Developers increasingly integrate BeanShell support into web applications to give end users and administrators a simple extension framework. But be warned! BeanShell support without appropriate access control puts the hosting web server at severe risk. An attacker could easily execute operating system calls, and without appropriate system hardening such an attack immediately results in full system compromise. The […]

Retrospective about cache snooping

As has been known since at least 2006, a website is able to identify the domains a user previously visited with some simple CSS hacks. This had serious privacy implications, and browsers took steps to eliminate the problem. But in December 2011, lcamtuf presented a new proof of concept based on cache timings, which basically does the […]

Research on the Netkit telnetd vulnerability

When I skimmed the latest security news on Twitter after the usual Christmas festivities, I came across an interesting blog post: A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code. The author describes a buffer overflow vulnerability in the Netkit telnet daemon, which is used in the FreeBSD operating system. The vulnerability had been published two days earlier, on 23 December 2011. […]

Simulated Industrial Espionage with the Pwnie Express Device

The Pwnie Express (http://pwnieexpress.com/) is a device designed for remote security testing of corporate and federal facilities. It can be used as an "all-in-one" hacking drop box, helping the pentesters at Compass Security conduct "real world" industrial espionage simulations. The typical penetration testing scenario is: 1) A Compass analyst manages to "social-engineer" […]

Blogilo Forensics

The analysis of social media apps carries more and more weight as these applications gain momentum with end users. Thus, forensic analysts must not only understand how to grab files and content from a suspect's computer but also from their online services (not to use the damn Cloud word). Therefore, it is crucial to understand […]

Tech talk at the WatchGuard event

Manfred Huber has joined the security specialist WatchGuard Technologies as Territory Sales Manager and is now responsible, among other things, for supporting and expanding the Swiss partner network. http://www.it-markt.ch/News/2012/01/03/Watchguard-mit-neuem-Territory-Sales-Manager.aspx First partner conference: Huber's first public appearance in his new role is likely to be at the first WatchGuard partner conference ever held in Switzerland. On 17 January the security specialist invites partners to it at the Hotel […]