Breaking
by Malte Heinzelmann

A few notes on WordPress Security

Taking a look at the CVE List for WordPress, most vulnerabilities aren’t found within the WordPress core but inside of third-party plugins and themes.

Today, let’s talk about WordPress.

Performing a WordPress assessment might seem boring at first as core functionality [tested] and configuration does not allow for extensive security misconfigurations. Luckily, most instances use plugins and themes to add features not offered by the WordPress core.

In this blog post I would like to discuss the findings and how I discovered them. Also, I will describe different vendor responsiveness reaching from not responding at all, to not understanding the issue to fast and professional responses kindly asking for a review of the updated code ready for deployment. Continue reading “A few notes on WordPress Security”

Continue reading
Building
by Florian Magin

IPython Support for Binary Ninja

This blogpost is about the release of a plugin for Binary Ninja that allows you to run a Python Kernel inside the Binary Ninja GUI environment to which you can attach a Jupyer (QT) console, formerly known as IPython shell. The first section is about why this is useful, the second is about some issues I encountered and how to solve them, and the third contains everything you need to know to set it up. Continue reading “IPython Support for Binary Ninja”

Continue reading
Events
by Priya Chalakkal

Diversity, Community, Blackhoodie

Gender equality in the Infosec world as a topic of discussion comes with a lot of heated arguments and differences in opinion.
So let me start with some disclaimers on the target audience for this post. If you are in the category who believes everything about gender is perfect in the infosec world, this post is not for you. If you are in the category who believes gender and bringing diversity is not your area of interest, then this post is not for you either. There are so many interesting problems that the world offers you. Climate change, poverty, diseases, unemployment, addiction, science problems and what not. Everybody has the freedom to choose their area of interest and contribute towards it. If you are in the category who thinks gender equality in infosec needs some attention and would like to explore more on the topic without prejudices, then this post may  be interesting to you. Continue reading “Diversity, Community, Blackhoodie”

Continue reading
Misc
by SadProcessor

A little KeePass Mea Culpa…

Some weeks ago, I tweeted about grabbing clipboard content from KeePass with some PowerShell. From some reactions to this tweet, and after reading it a couple of times again, I realize it was sending the wrong message, and I would like to take a bit more than 280 chars to clarify what I meant when I posted that tweet…

TLDR: Password managers are a must, not using one exposes you to far more risks than using one. Do it.  Continue reading “A little KeePass Mea Culpa…”

Continue reading
Building
by SadProcessor

PoSh_ATTCK – ATT&CK Knowledge at your PowerShell Fingertips…

When I recently joined the Windows Security team at ERNW, Enno asked me if I wanted to write a ‘welcome’ blogpost on a topic of my choosing… Up for the challenge, and since I had been playing with BloodHound & Cypher for the last couple of months, I first thought I would do something on that topic.

However, after gathering my thoughts and some Cypher I had collected here and there, I realized that the topic of Bloodhound Cypher might actually require several blog posts… And so I changed my mind. I will keep the joys of Cypher for later, and in this post, I will talk about a tiny tool I wrote to query the Mitre ATT&CK™ knowledge base from the comfort of a PowerShell prompt. Continue reading “PoSh_ATTCK – ATT&CK Knowledge at your PowerShell Fingertips…”

Continue reading
Events
by Rene Puder

The building IoT 2018 in Cologne

In Mai 2018, Tobias and me were in Cologne at the Building IoT conference. The topics of the talks covered a broad spectrum of the Internet of Things field. There were three tracks covering different topics ranging from the jungle of IoT protocols, secure Linux hypervisors specially developed for IoT modules to machine learning and blockchain.

Continue reading “The building IoT 2018 in Cologne”

Continue reading
Events
by Matthias Luft

Modern Application Stacks & Security

I had the pleasure to give a presentation at the Security Interest Group Switzerland Technology Conference about modern application stacks and how they can be used to improve infrastructure and application security posture – the slides can be found here. Besides seeing a lot of old friends, I particularly enjoyed a round table discussion on security integration into CI/CD pipelines. Continue reading “Modern Application Stacks & Security”

Continue reading
Breaking
by Florian Grunow

Security of Busch-Jaeger IP Gateway

IoT is everywhere right now and there are a lot of products out there. I have been looking at an IP Gateway lately and found some serious issues. The Busch-Welcome IP-Gateway from Busch-Jaeger is one of the devices that bridges the gap between sensors and actors in your smart home and the network/Internet. It enables the communication to a door control system that implements various smart home functions. The device itself is offering an HTTP service to configure it, which is protected by a username and password. Some folks even actually expose the device and its login to the Internet. I tried to configure one of these lately and stumbled upon some security issues that I would like to discuss in this blog post.
Continue reading “Security of Busch-Jaeger IP Gateway”

Continue reading