Blog

A space dedicated to sharing our thoughts on the latest cybersecurity news, trends, and threats

Beyond Security Requirements: Secure Requirements

History shows that people are unlikely to develop or purchase secure software by accident. Back in the Dark Ages (think the 1990s), people built software and then tried to add security. This was rarely successful and frequently expensive.

Progress, of a Sort

As an industry, we’ve moved on to more efficient and more effective strategies, …

Rethinking & Repackaging iOS Apps: Part 1

In October 2014, Jonathan Zdziarski (“JZ”) wrote a blog post about a little-known feature of the iOS app ecosystem: it’s possible to patch App Store apps and redeploy them onto non-jailbroken devices. (You should probably read his post before reading this one.) This is the first installment of a two-part series in which …

Tastic RFID Thief: Silent, But Deadly

You’re a professional. You’re equipped with the latest in elite, customized RFID hacking tools. So, it’s high time you put a silencer on your Tastic RFID Thief – the weaponized, long-range badge reader. We’ll show you how to avoid the embarrassingly loud beep when turning on your RFID badge stealer during your next physical …

In Heartbleed’s Wake: A Password Primer

Passwords are the most commonly required authentication for website and email access, and they are effective when they work as designed – to prevent unauthorized access to an account or system. The Heartbleed vulnerability disclosure in April 2014 put the topic in the national spotlight, but the concerns about password security are no less …

Untwisting the Mersenne Twister: How I Killed the PRNG

Random number generation has been insecure for decades, and there hasn’t been a practical pentesting tool to tackle this problem – until now, that is.

Enter Untwister

Untwister is a tool designed to help pentesters predict random number sequences when an application generates them using an insecure algorithm. The tool is named for the …
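The core trick behind predicting MT19937 (Mersenne Twister) output, as an added example written for this listing and not Untwister’s own code: each 32-bit output is a state word passed through an invertible tempering step, so 624 consecutive outputs can be untempered into the full state and the generator cloned. Python’s `random` module uses MT19937, so the example uses `random.Random` as a stand-in for an application handing out 32-bit tokens; the seed and the `demo` helper are constructed for illustration and are not anything the post describes.

```python
import random

MASK32 = 0xFFFFFFFF
N = 624  # MT19937 state size in 32-bit words


def temper(y: int) -> int:
    """MT19937 output tempering, applied to one raw state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xor(y: int, shift: int) -> int:
    # The top `shift` bits are untouched by y ^= y >> shift, so each
    # pass recovers `shift` more correct bits working from the top down.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_xor_mask(y: int, shift: int, mask: int) -> int:
    # The bottom `shift` bits are untouched by y ^= (y << shift) & mask,
    # so each pass recovers `shift` more correct bits from the bottom up.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Invert temper(): recover the raw state word from one 32-bit output."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_mt19937(outputs):
    """Rebuild a generator from 624 consecutive getrandbits(32) outputs.

    Returns a random.Random whose future outputs match the observed one.
    """
    if len(outputs) < N:
        raise ValueError(f"need {N} consecutive 32-bit outputs, got {len(outputs)}")
    state = tuple(untemper(o) for o in outputs[:N])
    clone = random.Random()
    # Index N means the next call twists the array before producing output,
    # which is exactly where the observed generator is after N outputs.
    clone.setstate((3, state + (N,), None))
    return clone


def predict_next(outputs, count: int = 5):
    """Predict the `count` outputs that follow the 624 observed words."""
    clone = clone_mt19937(outputs)
    return [clone.getrandbits(32) for _ in range(count)]


def demo(seed: int = 20140814, count: int = 5):
    """Constructed victim: seed a generator, observe 624 words, predict the rest.

    The seed is arbitrary; the attack never uses it. Returns (predicted, actual).
    """
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(N)]
    predicted = predict_next(observed, count)
    actual = [victim.getrandbits(32) for _ in range(count)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo()
    print("predicted:", predicted)
    print("actual:   ", actual)
```

Two conditions matter in practice: the 624 observations must be consecutive full 32-bit words with no other draws in between, and outputs produced through a different interface (for example `random.random()`, which consumes two words per call) have to be mapped back to raw words first. Neither the seed nor the seeding method is needed, which is why reseeding from a clock or PID does not help.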

Bishop Fox Does Vegas: 2014 Style

Each summer, the most innovative minds in the infosec industry gather in Las Vegas to discuss new findings, research, and tools. They appear at conferences like Black Hat USA and Security B-Sides Las Vegas. What transpires at these events often makes headlines and stays in people’s minds long after the summer has ended. Bishop Fox …

A Week in the Life of a Pen Tester

The professional (and personal) life of the pen tester is one of great joys and great tragedies. There are ego-inflating accomplishments quickly followed by crushing sorrows. There are stacked cans of Red Bull, nights spent staring wide-eyed at a computer screen, and secretive shower crying sessions. Maybe when someone asks you “Well, what is pen …

Examining The Impact Of Heartbleed

On April 10, Bishop Fox Security Analyst Tim Sapio was published in Dark Reading – hot on the heels of the discovery of the Heartbleed vulnerability. Tim discussed the vulnerability’s implications as well as how Internet users could take measures to protect themselves. Yesterday saw the beginning of the most significant breaches in Internet security …

An Introspection On Intro Security

We would like to thank everyone who read our original LinkedIn Intro blog post and those of you who spent extra time examining the security and privacy issues at hand. A couple of the more interesting analyses pointed out to us are from Jordan Wright and Troy Hunt – they do a great job …

LinkedIn ‘Intro’duces Insecurity

Don’t make the mistake of thinking you’re [the] customer, you’re not – you’re the product. – Bruce Schneier

LinkedIn released a new product today called Intro. They call it “doing the impossible”, but some might call it “hijacking email”. Why do we say this? Consider the following: Intro reconfigures your iOS device (e.g. iPhone, …

Guide to Hardening Your Firefox Browser in OS X

Your Mac systems and software might be safe – until they connect to the Internet. Here are some tips for Firefox hardening in OS X. While many enterprises and end-users turn to Apple over Windows based on Apple’s reputation for security, there is little doubt that the web is the primary point of infection for …