Research Blog

Insights and research from our global cybersecurity team.

Filter Content

SSLyze v0.7 Released

SSLyze v0.7 Released 14 Aug 2013 – Alban Diquet A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. Changelog Complete rewrite of the OpenSSL wrapper as a C extension SSLyze is now statically linked with the…

Read more

Black Hat 2013 – Bluetooth Smart Presentation Available

This research was originally presented at Black Hat 2013 Black Hat 2013 – Bluetooth Smart Presentation Available 06 Aug 2013 – Mike Ryan The slides for the Bluetooth Smart presentation from Black Hat 2013 are now available. The presentation was given by Mike Ryan and looks into Bluetooth “Smart” (also known as…

Read more

Black Hat 2013 – Cryptopocalypse Presentation Available

This research was originally presented at Black Hat 2013 Black Hat 2013 – Cryptopocalypse Presentation Available 06 Aug 2013 – iSEC Partners The slides for the Preparing for the Cryptopocalypse presentation from Black Hat 2013 are now available. The group presentation was given by Alex Stamos, Tom Ritter, Javed Samuel and Thomas…

Read more

How To Spot a Penetration Tester in Your Network (and Catch the Real Bad Guys at the Same Time)

I’ve been re-reading the Mandiant report on the notorious APT1 group, and it occurred to me that the tools and techniques used by this relatively unsophisticated (but very successful) group are similar to those used by penetration testers. That isn’t to say that penetration testers, or pen testers as they are colloquially…

Read more

Technical Advisory – IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks Release Date: 2013-06-19 Application: IBM WebSphere Commerce Versions: 5.6.X, 6.0.X, 7.0.X, possibly others Credit: Timothy D. Morgan George D. Gal Vendor Status: Patch Available by Request [5] CVE Candidate: CVE-2013-0523 Reference: http://www.vsecurity.com/resources/advisory/20130619-1/…

Read more

Tool Release: PeachFarmer

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Tool Release: PeachFarmer 14 Jun 2013 – Michael Lynch Cloud-based Fuzzing with Peach Several of the consultants here at iSEC perform fuzz testing using the Peach fuzzing framework. One of…

Read more

EasyDA – Easy Windows Domain Access Script

For people who regularly conduct internal penetration tests on Windows domains, typically you will see common issues arise such as common passwords. If you are able to obtain a local administrator hash, in most instances you can normally compromise the entire domain. Typically the hash will be common with other…

Read more

May 30, 2013

5 mins read

Read more

White Paper: An Introduction to Authenticated Encryption

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below. An Introduction to Authenticated Encryption 29 Apr 2013 – Shawn Fitzgerald Historically, independent encryption and message authentication codes (MAC) have been used to provide…

Read more

ASP.NET Security and the Importance of KB2698981 in Cloud Environments Threat Brief

This threat brief discusses a security issue noted by NCC Group in September 2012 relating to the use of ASP.NET forms authentication in a shared / cloud hosting environment. If virtual hosting is used to make multiple applications on the same IIS server available at different domain names, then a…

Read more

April 25, 2013

1 min read

Read more

Pip3line – The Swiss Army Knife of Byte Manipulation

Here at NCC Group we work with raw bytes a lot! As I couldn’t find a good tool to manipulate, encode and decode easily I set about writing Pip3line a while back. While it has been available for a while as open source I’ve not really discussed it outside of…

Read more

April 22, 2013

2 mins read

Read more

No Results Found :(

Call us before you need us.

Our experts will help you.

Get in touch