Updated Posts:

  • The post "Attacker Classes and Pyramid" has been updated to its third iteration. The update improves coherency, and I also added my OWASP BENELUX presentation entitled "The Rise of the Vulnerability Markets - History, Impacts and Mitigations". The presentation underlines the rationale behind the attacker-centric concept and the proposed Attacker Triad.
Slide Deck:

Notable excerpts:
The analysis of 54 exploit kits (source: Contagio; mapped to the Opportunists/Mass-market class) led to the following results:
Results: In order to protect against all tracked exploit kits you had to patch 19 vulnerabilities in 2009, 24 in 2010 and 4 in 2011. That should hardly be a challenge, and it confirms the level of sophistication put forward in the Attacker Triad.


Following up on my blog post from a few months ago entitled "PCI compliance, Security in isolated systems and Parking Tellers Part 1", I took a brief look the other day at another ticket issued by a Parking Teller in Luxembourg.

Updated:
  • Clarified some of the explanations
  • Masked Luhn number

Ever since I started my career in information security I have been both interested in and intrigued by metrics applied to vulnerabilities (or metrics in general, for that matter). CVSS is certainly not new; I have had to decide in the past whether to use it or not, and I have always wanted to share some of the issues I have with it. This blog post has lain dormant in DRAFT state for 8 months, so I decided to publish it in parts rather than wait another year to finish it.

This blog series will explain a few elements of CVSS, in particular the points I feel are unclear, misleading, outdated or simply unfit for purpose.

This post assumes that you are accustomed to CVSS; if you are not, you may want to have a look at: http://www.first.org/cvss/cvss-guide.html



Preamble:

During my research on TLS/SSL compatibility across different operating systems and browsers I created supporting tools for myself, and later decided to release them to the public.

"SSL Audit" remotely scans web servers for SSL support. Unlike other tools it is not limited to the ciphers supported by an underlying SSL engine such as "OpenSSL" or "NSS": it detects cipher suites using its own (simplistic) SSL/TLS engine. As a gimmick it also features a fingerprinting engine based on behavioral heuristics.



Final release of my paper explaining the different attack vectors and impacts of the TLS/SSL renegotiation vulnerability (CVE-2009-3555).

  • Added comments and corrections by Alun Jones (whom I hereby thank for his time)
  • Changed FTPS description
  • Better PDF output
I am taking advantage of this update to stress particular impacts that seem to be forgotten, in addition to the plaintext injection described everywhere (please refer to the paper for details).

Additional Impacts
  • Potentially allows a downgrade from HTTPS to HTTP (à la SSLstrip)
  • Potentially allows injecting XSS into TRACE requests
Available Tools (2011)
I was delighted by the interest this paper received at the time: it is referenced by US-CERT, DFN-CERT, BELNET-CERT, SWITCH-CERT, Nessus, Qualys and c't (Heise), and the book "iPhone and iOS Forensics: Investigation, Analysis and Mobile Security" covers the analysis on page 110.

Download "TLS/SSL Session Renegotiation Vulnerability Explained"
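As an added example (not code from SSL Audit, from the paper above, or from any other project), the following probe illustrates the two techniques touched on above: detecting a server's cipher suite support with a hand-built TLS ClientHello instead of relying on the local OpenSSL/NSS cipher list, and checking whether the server echoes the RFC 5746 renegotiation_info extension, which is the server-side fix for CVE-2009-3555. The cipher name table and the sample ServerHello bytes are constructed for illustration; `probe_cipher` is a hypothetical helper that opens a socket to the host and port you give it.

```python
import socket
import struct

# TLS record / handshake constants (RFC 5246) and the RFC 5746 identifiers.
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
EXT_RENEGOTIATION_INFO = 0xFF01
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
TLS_1_0 = b"\x03\x01"

# Constructed lookup table of a few IANA cipher suite numbers, for readable output.
CIPHER_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def build_client_hello(cipher_suites, client_random=b"\x00" * 32):
    """Return one TLS 1.0 record carrying a ClientHello that offers exactly
    `cipher_suites` plus the RFC 5746 signalling suite, and an empty
    renegotiation_info extension. No SSL library is involved, so the offered
    list is not limited to what the local OpenSSL/NSS build can speak."""
    suites = list(cipher_suites) + [TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    ext_body = b"\x00"  # renegotiated_connection is empty on an initial handshake
    extensions = struct.pack("!HH", EXT_RENEGOTIATION_INFO, len(ext_body)) + ext_body
    body = (
        TLS_1_0
        + client_random
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                   # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse the first handshake message of a TLS record. Returns a dict with the
    negotiated version, the chosen suite and whether renegotiation_info was echoed,
    or None when the record is not a ServerHello (an Alert means the offered suites
    were rejected)."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                                        # skip server random
    pos += 1 + body[pos]                                # skip session_id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                            # suite + compression method
    secure_reneg = False
    if pos + 2 <= len(body):                            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == EXT_RENEGOTIATION_INFO:
                secure_reneg = True
            pos += 4 + elen
    return {"version": version, "cipher_suite": suite,
            "cipher_name": CIPHER_NAMES.get(suite, "unknown"),
            "secure_renegotiation": secure_reneg}


def read_record(sock):
    """Read exactly one TLS record (5-byte header, then the body it announces)."""
    header = b""
    while len(header) < 5:
        chunk = sock.recv(5 - len(header))
        if not chunk:
            return header
        header += chunk
    body, length = b"", struct.unpack("!H", header[3:5])[0]
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            break
        body += chunk
    return header + body


def probe_cipher(host, port, suite, timeout=5.0):
    """Hypothetical helper: offer a single suite to host:port and return the parsed
    ServerHello (suite accepted, plus the secure-renegotiation flag) or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello([suite]))
        return parse_server_hello(read_record(sock))


def sample_server_hello(with_reneg_ext=True):
    """Constructed sample ServerHello (not captured from any real server): TLS 1.0,
    suite 0xC013, optionally echoing an empty renegotiation_info extension."""
    extensions = struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00" if with_reneg_ext else b""
    body = TLS_1_0 + b"\x11" * 32 + b"\x00" + struct.pack("!H", 0xC013) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake
```

Offering one suite per connection is what makes the detection independent of the local SSL stack: the server either completes the handshake with that suite or answers with an Alert. A ServerHello that carries no renegotiation_info extension, even though the client offered both the extension and the SCSV, is the sign that the server has not been patched for CVE-2009-3555 (RFC 5746 requires a patched server to echo it).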