Blog

Pins and Staples: Enhanced SSL Security

Posted by Jake Reynolds on November 16, 2017Link 

With Chrome backing away from HTTP Public Key Pinning and other industry thought-leaders calling for its death, I figured I'd take some time to review some existing and upcoming (and tedious) controls that aim to fix some of the many shortcomings within the SSL/HTTPS ecosystem. In so doing I figured I’d summarize some of these concepts into a...Continue reading 

Using Python To Get A Shell Without A Shell

Posted by Dan Lawson on October 27, 2017Link 

Introduction Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client's internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands...Continue reading 

Unauthorized FLIR (Lorex) Cloud Access

Posted by Jake Reynolds on October 10, 2017Link 

Traditionally, closed circuit tv (CCTV) cameras and digital video recorders (DVRs) have been stand-alone, self-contained systems.  If the ability to access these systems remotely was required it was most commonly achieved by opening a port on a firewall and allowing access from the Internet to the DVR or camera directly.  Although effective, that method of access left what was in...Continue reading 

Security threats are all around us. Are you prepared?
Not sure? Let's Talk.