The SSL and TLS protocols have been on the front of the stage for months. BesidesÂ many vulnerabilities disclosed in the OpenSSL library, the deploymentÂ of SSL and TLS is not always easy. They are weak cyphers (like RC4), weak signatures, certificates issues (self-signed, expiration or fakeÂ ones). Other useful features are mis-understood
CMS or “Content Management Systems” became vey commonÂ for a few years. Popular CMS are WordPress, Drupal or Joomla.Â You can rent some space at a hosting provider for a few bucks or even find free hosting platforms. You can deploy them in a few minutes on your own server. Then, you
Is “swf” the new “wtf“? What’s happening with the Flash player? The Adobe’s multimediaÂ platform has been targeted by multiple 0-days since the beginning of 2015! Just have a look on cvedetails.com. Two days ago, security researchers at TrendMicro found another one. It is identified as CVE-2015-0313. Bored by the multiple
[This blogpost has also been published as a guest diary on isc.sans.org] Our houses and offices are more and more infested by electronic devices embedding a real computer with an operating system and storage. They are connected to network resources for remote management, statistics or data polling. This is called
Just a link to my guest diary posted today on isc.sans.edu. I briefly introduced a method to perform permanent vulnerability scanning of newly detected hosts. The solutionÂ is based on OSSEC, ArpWatch and Nmap. The article is here.
Here is a quick blogpost which might be helpful to the OpenVAS users. OpenVAS is a free vulnerability scanner maintainedÂ by a German company. Initiality, it was a fork of Nessus but today it has nothing in common with the commercial vulnerability scanners. OpenVAS is a good alternative to commercial solutions
For a while I left Dropbox and other cloud storage solutions and decided to host my own file exchange service based on owncloud.org. I’m using it to exchange files with my partners and customers and keep a full control of the service from A to Z. A major advantage of
Following the presentation that I made at the RMLL 2014 lastÂ week, I slightly changed my malware analysis setup. The goal isÂ to make it fully operational “offline“. Indeed, today we are always “on“, Internet is everywhere and it’s easy to get a pipe. However, sometimes it’s better to not send packets
During a penetration test, I had to execute specific commands against some IP networks. Those networks were represented under the CIDR form (network/subnet). Being a lazy guy, I spent some time to write a small Python script to solve this problem. The idea was based on the “xargs” UNIX command
More and more companies organize “security awareness” trainings for their team members. With the growing threats faced by people while using their computers or any connected device, it is definitively a good idea. The goal of such trainings is to make people open their eyes and change their attitudeÂ towards security.