Cryptic message of the day
MjAxNS0wNy0yM1QwMDowMTowMCswMTowMCAweDM3CTB4NDUgCTB4NWYgCTB4 MzUgCTB4NTkJMHg1MgkweDUzCTB4NWYJMHg0ZgkweDRjCTB4NDQJMHg1Zgkw eDU0CTB4NGYJMHg0NAkweDQxCTB4NTk=
Read MoreBlog
OpenSSL Vulnerability Notice, Patch Now!
On the 24th of June 2015, Adam Langley and David Benjamin (Google/BoringSSL) reported a vulnerability that allows attackers to cause specific checks on untrusted certificates to be bypassed. By bypassing checking of the CA (certificate authority) flag, attackers could use a valid leaf certificate to act as a CA and clients would “validate” an invalid […]
Read MoreSecuri-Tay IV, a field trip
7 Elements are pleased to convey our experiences of the Securi-Tay fourth annual security conference at Abertay University. With a graduate and senior tester attending, we split up to combine our efforts to hear as many talks as possible. We have written an overview of a subset of the great talks we heard, in no […]
Read MoreBitTorrent Distributed Denial of Service
We recently worked with a client that had suffered a denial of service on one of their websites. They wondered if we could tell them what had happened and how to stop it from happening again. So, time to start digging through logs to work out what was going on. It turned out that the attack […]
Read MoreNo! Not Casper, not that friendly GHOST!
Last year (2014) we saw a couple of big exploits that made the headlines and security teams all around the world are still picking up the pieces left by Heartbleed and ShellShock. So where are we this year? We are not even 10% into the new year and already contenders are popping up trying to make their name. The […]
Read MoreThreat Modeling and Security Testing within Virtualised Environments
Our latest blog takes a look at threat modeling and security testing within virtualised environments. The continued deployment of Virtualisation within existing network architectures and the resulting collapse of network zones on to single physical servers are likely to introduce radical changes to current architectural and security models, resulting in an increased threat to the […]
Read MoreKerb Your Enthusiasm – Microsoft Release Critical Security Update (MS14-068)
One week after “Patch Tuesday” and contrary to standard operating procedures Microsoft has released a Critical security update (MS14-068) to fix a security hole in all supported versions of Windows. MS14-068 addresses a vulnerability in the Kerberos Key Distribution Center (KDC) component, used within a domain environment for authenticating users. The vulnerability allows an unprivileged […]
Read MoreWinshock Exploits (MS-14-064) Gone Wild, Patch Now!
Recap The MS-14-064 patch last week addressed several vulnerabilities that could allow for remote code execution in applications using the SChannel Security Service Provider. The vulnerabilities (including cve-2014-6332) affect distributions of Microsoft Operating Systems from Windows 95 IE 3.0 to Windows 10 IE 11. More background can be found in our earlier blog post and in summary, our […]
Read MoreA WinShock Tale: The Patchable and Un-patchable
Introduction On Tuesday Microsoft released several fixes bundled in a patch, MS14-066, to address several vulnerabilities in SChannel, the standard SSL library that ships with Windows. Affecting almost all versions of Microsoft operating systems, this vulnerability allows attackers to exploit a weakness in the TLS implementation service that forms windows server and desktop communication protocols. […]
Read MoreHeartbleed: Insufficient Cauterisation
Unearthing Haemorrhages To date much effort has been focused on remediating common sources of Heartbleed, without taking into account that the vulnerability affects more than just common ports (such as 443 for HTTPS). Many online testing tools limit the scope of tests for Heartbleed to a subset of ports, thereby providing limited assurance and are focused on […]
Read More