This year, Portcullis are running a USB Scavenger Hunt at EMF Camp. For those of you attending, we’ve written this post to give you all the instructions and rules you need to get underway. Good luck! Continue reading
The Team has updated its SSL Good Practice Guide to incorporate the recent Heartbleed attack. Continue reading
This document discusses a number of attack vectors for SSL and TLS, offering real world examples where it can. Continue reading
As previously mentioned in SSL: Light at the end of the tunnel, today is the day that our SSL recommendations officially change. From today onwards the Team recommend only TLS versions 1.1 and 1.2. Up until now the Team have accepted the need for SSLv3 and TLSv1 for compatibility reasons, however the time has come to cut the cord. The loss of compatibility should only affect legacy systems. If these systems cannot be updated to support the newer protocols, then weak SSL is likely to be the least of your security concerns! Continue reading
As it stands, SSL is in a bad way. First BEAST, then CRIME, followed by weaknesses highlighted in the RC4 cipher which was proprosed as a workaround to the previous attacks have left SSL version 3 and TLS version 1 in a bind. At present, the most practical recommendation is to use RC4 as the only cipher on SSL3 and TLS1 connections. This is far from ideal, given that RC4 is a weak cipher, and vulnerable to a bias attack. Continue reading
There are a number of ways to own a webapp. In a shared environment, an attacker can enumerate all the applications accessible and target the weakest one to root the server and with it all the webapps on the box. To try and emulate this approach on a pentest, we have to find ALL THE VHOSTS. Continue reading
At the outset of an external infrastructure test it’s often useful to ensure that the addresses you’re testing are correct, and actually owned by the client. Failure to do so can result in an awkward situation, and one we here at Portcullis Labs would like to avoid wherever possible. With this in mind, we’ve learned to whois… like a boss. Continue reading
Recently, there has been a lot of media buzz about Mailpile, a new startup which has raised over $100,000 on IndieGoGo for its eponymous locally hosted web mail project. Having been present at the talk at which this project was officially launched at OHM 2013, I was surprised to see the media’s reaction to the project. Mailpile appears to have garnered almost universal acclaim for its security features, and praised for its goal of “Rescuing email from the cloud” (the name of the presentation given at OHM 2013, slides can be found here). I diagree with the media’s praise for this project, and here’s why… Continue reading