22 Sep 2015

Medical Record Retention Across States (HIPAA / HITECH)


The retention of medical records is, unfortunately, not a cut-and-dried sentence highlighted in the opening paragraph of HIPAA. There are several factors to consider when determining what documents need to be stored and for how long. It is important to realize that HIPAA makes no firm assertion as to medical record retention, leaving the long-term storage of medical records to state and other federal laws. These laws vary from state to state, and federal laws vary based on the type of medical record.

16 Sep 2015

Command Injection in the WD My Cloud NAS


The Western Digital My Cloud ("Personal Cloud Storage"), or WD My Cloud for short, is a consumer NAS product. The idea behind this device is for a household, team, or small organization to have full and complete control over their data in a private cloud environment without having to trust their data storage to multi-tenanted services hosted by other companies. Their data can be accessed from a desktop behind a private LAN or from a smartphone located on the other side of the world. Given frequent news stories of major hacks, database leaks, and the exposure of private information, personal NAS devices are ideal solutions for many looking for more privacy.

16 Jun 2015

Anti-Nausea Medicine for Last Pass, Password Management FUD

I woke up this morning with a severe case of 140 character malaise all over my Twitter feed. It all centered around LastPass, password managers, and the usual InfoSec hatorade that usually comes free with the purchase of a CISSP (not a ding to the cert, more to the certified). After tearing my morning cloak in two and wailing in a cloud of incense, I evaluated my post-rage options and elected to write this blog.

08 May 2015

SSL/TLS Security 2015 - A Simplified, Quick Guide


Much of the following may be common knowledge to most, but many in IT and beyond misuse the term 'SSL', so a refresher can't hurt.

27 Apr 2015

Into The Jar | jsonpickle Exploitation


Python's pickle module is its primary mechanism for the serialization and deserialization of Python object structures. This module has also been the target of exploitation when it is used insecurely by loading malicious 'pickle' streams and reconstructing objects from them. The dangers are so prevalent, in fact, that the pickle documentation explicitly states that it is not intended to be secure against erroneous or maliciously constructed data.

26 Apr 2015

Assessing Emerging JavaScript Platforms - What to Look For


Node.js is known as one of the most important emerging technologies. It is an event-driven, open source runtime for creating server-side applications. It is a highly customizable server engine that is popular amongst JavaScript coders for creating real-time web APIs. It processes requests in an event loop and responds to them as they arrive.

17 Apr 2015

Android Titan SMS Trojan Analysis Part One


As the title states, this Android malware utilizes Trojan functionality in order to steal SMS messages and exfiltrate them off of the target user's device. It attempts to mask itself as a "SmartCard Service" installed on the device, but is hardly such. The bulk of Titan is native code, which has method declarations within the Android components:

06 Apr 2015

Security Metrics Rehab - Part I

In this two-part security governance series, we'll take a look at the broader picture of security metrics and how to derive them from security activities. The drug-like fervor around their discovery and cultivation across security and compliance groups has led nowhere fast, largely due to the same causal factors related to InfoSec groups being unable to associate operational impact with technical and process-related {flaws|vulnerabilities|control gaps|weaknesses}. This has created a fog of ineptness in which many groups in the Fortune 500 stand today. This first part aims to level-set on how metrics should be applied in InfoSec and what frameworks to leverage in order to subsequently define a suite of security activities that produce performance indicators that matter.

25 Mar 2015

Android Infostealer - Godwon - Analysis


From the description on contagio mobile, this piece of malware is used by an online criminal group for 'sextortion'. Honestly, I had never heard of this term before, but apparently it is a form of sexual exploitation that employs non-physical forms of coercion to extort sexual favors from the victim (Wikipedia).

25 Mar 2015

Multiple Vulnerabilities in Mercury Browser for Android Version 2.2.2 & 3.0.0

Insecure Intent URL Implementation

An insecure implementation of the intent URL scheme revolves around the Intent.parseUri() method, which allows you to create an intent from a URI. The first thing we did when reversing the Mercury Browser was search for that specific method within the target packages.

23 Mar 2015

Android Emulator Detection


I wanted to explore all the ways that an Android application or malware could go about detecting whether or not it was being run in an emulator. After some research (Google), I found that there were two common ways that one could go about accomplishing this programmatically. The post will explore each of these techniques implemented in a Proof-of-Concept application, and detection through reverse engineering. My setup for this experiment was running the application on top of Genymotion, which leverages VirtualBox to create Android virtual machines.

01 Feb 2015

Baidu Browser for Android | Vulnerable Handling of Intent URL Scheme


The VerSprite Research & Development Team discovered that the Baidu Browser for Android insecurely handles the intent URL scheme, allowing attackers to arbitrarily read local files. This vulnerability was discovered in VerSprite's effort to explore systemic vulnerability patterns in browsers for Android offered on the Google Play Store. The vulnerability is leveraged with minimal user interaction and the targeting of specific Baidu Browser components. This vulnerability was discovered in version

23 Oct 2014

iOS Reverse Engineering Part Two - Debugging and Tracing with LLDB


In our previous post we learned how to configure and set up debugserver and LLDB on your iOS device. In this post we will demonstrate how to use LLDB to perform basic debugging and message tracing.

05 Oct 2014

iOS Reverse Engineering Part One - Configuring LLDB


This is the first part in a series where we will show you how to configure an environment and learn the basics for reverse engineering iOS applications. In this series we are using a jailbroken iPhone 4, running iOS 7.1.2.

15 Aug 2014

Experiments with json-io, Serialization, Mass Assignment, and General Java Object Wizardry


So before I even begin, I want to immediately lay out that this is purely experimental research, and that conceptually it was hard to build a working abuse case around the ideas I will be presenting. It was also difficult for me to find real-world examples representing any of the issues around the technologies and design I think are potentially relevant. That being said, this is the beauty of research and using it to lay a foundation of forward thinking to address the possibilities of new problems.

05 Aug 2014

Liffy v.1.2


Liffy v.1.2 is out with built-in web serving functionality for all techniques using staged approaches for payload delivery. Check it out!

16 Jul 2014

Quick and Dirty Web Services Testing with Suds and Burp Suite


This is a really simple example of using the Python Suds library to consume and inspect SOAP web services with integration into Burp Suite. I decided once upon a time that I didn't think SoapUI was efficient for what I needed when it came to testing web services and getting that data into Burp Suite, so I began searching for a simple Python library that could help me out. I will caveat that statement with: I always enjoy trying to write my own implementation of things; even if they aren't the best, it helps with my overall objective -> Learning!

07 Jul 2014

LFI Exploitation with Liffy

Exploiting LFI's with Liffy's Data Technique

27 Jun 2014

Unsafe Application State Restoration (iOS)


So what does Unsafe Application State Restoration actually mean? Despite the fancy title, it essentially means that a mobile application saves the state of a view location that is only presented to an authenticated user, or that contains sensitive data. In the event of the application being unexpectedly terminated, the state is restored and loaded back into the UI without first validating or re-authenticating the current user.

19 Jun 2014

Liffy v1.1 Release


Since releasing the first version of Liffy I have had the pleasure of working with Dan 'unicornFurnace' Crowley on bug fixes and feature enhancements for the tool. We have made some serious progress in the last month or so, and to Dan's credit, he really helped round out the tool with existing LFI exploitation techniques and overall code quality.

28 Mar 2014

Exploiting XML Serialization in Python


Lately I have been really interested in XML serialization vulnerabilities. There has already been some eye-opening research into the vulnerabilities that exist within Java implementations.

25 Mar 2014

Force Feeding Enterprise Security Failures

Metaphorically speaking, force-feeding security solutions translates to the industry's persistent push of the latest security products and solutions down the throat of the enterprise. Continuing with this metaphor, a company becomes unable to properly digest the newly adopted solution into their overall security program. Ironically, this usually takes place on the heels of a fairly new security process or technology that has been recently adopted.