On this Wednesday (09.04.2014) I gave a presentation at OWASP Switzerland chapter. Initially I choose to present an overview of SSL/TLS, which is based on our previous blog article Compass SSL/TLS recommandations. Accidently, the timing with the OpenSSL heartbleed bug was perfect, so the presentation was updated in time with several slides about this current vulnerability. […]
Compass crew members just got back to work from a fun weekend/night at Insomni’hack (Geneva) where hackers met [0] to solve puzzles and enjoying the hacker community. On the way back home was sufficient time to clean-up systems and to reflect on some of the challenges. There was a variety of brain teasing puzzles relating […]
Microsoft has published a list of key security features [1] and also their security framework [2] for the Lync Server 2013. Those documents show how deeply MS integrated their SDL in the Lync products. It also indicates that Lync provides a solid security base out of the box: Encryption enforced for all communication between Lync […]
We have shortly described the Lync federations in a previous post. With the usage of federations the question comes about the privacy and the security of the user’s information (e.g. presence information). There are scenarios where an employee doesn’t answer the phone but is mentioned as “available” in Lync. This could lead to a misunderstanding […]
Microsoft Lync Server (a combination of “link” and “sync”, see [6]) communications software offers instant messaging (IM), presence, conferencing, and telephony solutions. Lync can be integrated with SharePoint or Exchange to extend its functionalities. Users can e.g. search for specific skills within the Lync client when SharePoint integration is enabled. Exchange is used as a […]
Today I’m happy to release the following security advisories: SQL injection in Leed (CSNC-2013-005 / CVE-2013-2627) Cross-site request forgery in Leed (CSNC-2013-006 / CVE-2013-2628 Authentication bypass in Leed (CSNC-2013-007 / CVE-2013-2629) URL redirection in Secure Entry Server (SES) I would take the opportunity to thanks Valentin CARRUESCO aka Idleman for the timely patches he implemented […]
Mozilla created an extensive page [7] concerning the best current choice of SSL/TLS cipher suites, primarily for web servers. Compass Security agrees broadly with the article, but recommends some additional restrictions in order to provide the most resistance against active and passive attacks versus TLS secured connections: Use 3DES cipher instead of RC4 Disable SSLv3 support […]
Apple veröffentliche 2006 ein Setup-Guide für die Benutzung von OS X mit Smartcards. Die Anleitung basiert auf der Version 10.4 ist somit nicht mehr aktuell. Die Prinzipien sind allerdings nach wie vor anwendbar und benötigen nur ein paar wenige Anpassungen, wie das folgende Proof-of-Concept zeigt. Es existieren drei Möglichkeiten unter OS X die Smartcard mit […]
As announced a while ago, I had the chance to organize both a workshop about our hacking-lab.com and present my talk “Advances in secure (ASP).NET development – break the hackers’ spirit” at the AppSec Forum Western Switzerland in Yverdon-les-Bains last week. I hope to soon summarize the conferences I attended in an upcoming blog article. […]
Compass Security is proud to be part and sponsor of the Application Security Forum – Western Switzerland (ASFWS), a conference about application, identity and cyber security which will be take place in a week’s time in Yverdon-les-Bains (15-16 October 2013). I will run the AppSec Lab 1 (featuring the Hacking-Lab), on Wednesday 16 October in the […]
© 2024 Compass Security Blog