I work with a fair few ladies and gents who do bug bounties and, while sitting on the beach during one of our hack-on-the-beach sessions, I posed the question “How friggin’ evil is clickjacking? PoC or GTFO.” The challenge was set, and here is what we decided.
A very sophisticated phishing attack targets Gmail users through fraudulent and unwelcome Google Calendar notifications. This campaign takes advantage of a common default setting for people using Gmail on their smartphone: “Calendar invites automatically pop up on phones, prompting users to accept or decline them.”
Can a seasoned security professional beat the world’s best security software and mitigations? This job certainly found out.
On many vulnerability scans we see SSH being reported as a medium risk vulnerability due to insecure ciphers and poor configurations. In penetration tests we often find we are able to use SSH once we have a set of user credentials, especially where the service is linked through to a centralised password management solution such as Active Directory.
Apache is probably the most common web server in use, and despite there being well-documented guides on how to secure it, we come across web server header issues and very poor SSL configurations on a daily basis. To aid remediation, here is Peter Bassill’s recommended configuration for the Apache global security file, /etc/apache/conf-enabled/security.conf:
Bruce Schneier, Richard Stallman and a number of good tech companies are pushing back hard against GCHQ proposals to add a “ghost user” to encrypted messaging services.
Peter Bassill, Founder of Hedgehog Cyber Security, will make his Ginetta GT4 SuperCup debut with reigning Am Class champions, Century Motorsport.