Aug 152016
 

One of the key security devices in a lot of organizations is an HSM – Hardware Security Module. All banks use it to store your debit card and credit card PINs. An HSM can be used to store any super-secret piece of information. Administration of the HSM is done via a custom client or CLI or directly on the physical panel of the HSM. This article outlines an audit methodology for an HSM that extends the PCI Council’s Read More…

Mar 012016
 

Introduction When an attacker compromises an end-point system in an organization, he needs some sort of confirmation that: his code was executed on the targeted system he is able to send data out of the organization without raising any alarm with the SOC Simple innocuous data from the compromised host to the attacker’s controlled system – sometimes known as the beacon – helps the attacker fulfill the two goals mentioned above. The channel the beacon Read More…

Jan 292016
 

This write-up summarizes a workshop/humla conducted by Ashfaq Ansari on the basics of various kinds of attacks available for exploiting the Windows Kernel as of this date. It describes and demonstrates some of the very common techniques to illustrate the impacts of bypassing Kernel security and how the same could be achieved by exploiting specific flaws in kernel mode components. A knowledge of basic buffer overflow exploits through user mode applications is a plus when understanding Read More…

Sep 092015
 

Introduction Companies today have third party contracts with various vendors. Most of the process are outsourced to various companies. This is the most convenient and flexible way to work, so that overall management activities are limited to just vendor management alone. The quantum of work that is outsourced to third parties include not just IT, data management and security providers, but also facilities management (cleaning HVAC – Heating, Ventilation and Air Conditioning) along with any Read More…

Jul 302015
 

The Internet of Things and Smart Cities – Security and Privacy Aspects In a world where the technology is constantly improving itself by the hour, the demand for a seamless integration of human needs and the digital word is on the rise. With every new device that we are procuring for our day to day jobs, the ability to integrate it with the World Wide Web and make it more accessible and user friendly is Read More…

Oct 282014
 

In a previous article, we have described the Shellshock vulnerability and in this article we show how to exploit this vulnerability using the BeEF Framework. However, here’s a quick and dirty way to check if you’re vulnerable or not: Type this command:env x='() { :;}; echo vulnerable’ bash -c “echo this is a test” Note: If you see “vulnerable this is test” it means you haven’t patched it. If you see “this is a test”, Read More…