Given you have restricted access to a computer and can only open certain programs. Usually this is caused by the Kiosk Mode that has a white list which contains only trusted programs. Libre/Open Office is a widely used/unlocked program on such Kiosk Modes. Some vendors unlock the whole Libre/Open Office folder: “C:\Program Files\LibreOffice 5\program” or “C:\Program Files (x86)\OpenOffice 4\program” including all other binary files. Python version 3.5.4 (Libre Office) / 2.7.13 (Open Office) is automatically included in the default installation of Libre/Open Office. Now a user can create a Libre/Open Office macro to run a python shell: Continue reading “Bypass Kiosk Mode with Libre/Open Office”
Last year in February, I found a vulnerability at google chrome and submitted it(Bug Report). So far nothing has happened and now the vulnerability has been published on twitter: https://twitter.com/zerosum0x0/status/958890437837692928 Continue reading “Chrome Information Leakage – Prediction Service & Preload”
Bitcoin is getting traction and attention by mainstream media. Price hits all time high at 3000$ and stays above the gold price. At the same time the Bitcoin community is meeting their biggest challenge so far. The question of: ‘How to scale Bitcoin?’ This was discussed for two days at the Future of Bitcoin conference in Arnheim / Netherlands, with developers, researchers and miners.
Ever came across the issue to redirect HTTP(S) traffic to Burp Suite originating from client software that is not supporting to configure a proxy? Continue reading “Hooking Burp Suite in Client Software Communication”
High level atmosphere. High level management. High level topics.
The companies represented came from nearly every industry sector: banking, energy, telecommunication, government, manufacturing & chemical industry as well as retail, entertainment, transportation, automotive and of course IT security. The delegates and speakers were all C-level management and mostly CIO / CISO.
So what are the hottest topics? Where is the industry in terms of IoT Security at the moment? Continue reading “Security of Things – World Conference”
To secure applications it is often necessary to verify the identity of the user, this process is called authentication. There are several methods to authenticate a user, with passwords being the most common one. Passwords are usually chosen by the user. Those user passwords are often not strong enough and can be easily guessed by brute forcing or simple deduction (e.g. pet names etc.). Continue reading “Ergonomic Password Generator”
Blockchain technology is marketed as the Web 3.0 and because of it’s distributed structure it wipes out single points of failure. But does that mean there are no points of failures at all? Let’s look at some important blockchain hacks / failures from the tech perspective.
[Remark: This is not about $$$ Bitcoin hacks, where lousy DB implementations, web applications, key handling or simply social engineering let to hacked bitcoin exchanges or wallets.] Continue reading “Immutable, reliable, secure – A brief history of blockchain security”
After Troopers 2016 and Hack In the Box, my year of conferences ends with the DefCon 24 in Las Vegas Bally’s & Paris Casino which was with about 22,000 attendees/hackers one of the largest hacker conferences. In this post I would like to give my personal impression of this great conference. Continue reading “DefCon 24”
In April 2016 researchers of the Stony Brook University and Ruhr-University Bochum published a study about (malicious) PHP web shells with the title “No Honor among Thieves: A Large-Scale Analysis of Malicious Web Shells”.  Their goal was to analyze how many PHP web shells contain backdoors or other malicious functions not in the interest of the user. That has to be seen regardless of the fact that web shells are often used for malicious activities themselves.
Here we summarize their findings which in our opinion are of interest for the wider audience in security and penetration test Continue reading “Web Shells and Backdoors”