INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Wednesday, January 17, 2018

Easy SSL Certificate Testing

By: Enrique Nissim
tl;dr: Certslayer allows testing of how an application handles SSL certificates and whether or not it is verifying relevant details on them to prevent MiTM attacks: https://github.com/n3k/CertSlayer.

Thursday, January 11, 2018

SCADA and Mobile Security in the IoT Era

By: Alexander Bolshev (dark_k3y) Security Consultant, IOActive
Ivan Yushkevich (Steph) Information Security Auditor, Embedi

Two years ago, we assessed 20 mobile applications that worked with ICS software and hardware. At that time, mobile technologies were widespread, but Internet of Things (IoT) mania was only starting. Our research concluded the combination of SCADA systems and mobile applications had the potential to be a very dangerous and vulnerable cocktail. In the introduction of our paper, we stated “convenience often wins over security. Nowadays, you can monitor (or even control!) your ICS from a brand-new Android [device].”

Tuesday, November 21, 2017

Hidden Exploitable Behaviors in Programming Languages

By Fernando Arnaboldi

In February 28th 2015 Egor Homakov wrote an article[1] exposing the dangers in the open() function from Ruby. The function is commonly used when requesting URLs programmatically with the open-uri library. However, instead of requesting URLs you may end up executing operating system commands.

Tuesday, November 14, 2017

Treat the Cause, not the Symptoms!

By Neil Haskins

With the publication of the National Audit Office report on WannaCry fresh off the press, I think it’s important that we revisit what it actually means. There are worrying statements within the various reports around preventative measures that could have been taken. In particular, where the health service talks about treating the cause, not the symptom, you would expect that ethos to cross functions, from the primary caregivers to the primary security services. 

Thursday, October 26, 2017

AmosConnect: Maritime Communications Security Has Its Flaws

By Mario Ballano 

Satellite communications security has been a target of our research for some time: in 2014 IOActive released a document detailing many vulnerabilities in popular SATCOM systems. Since then we’ve had the opportunity to dive deeper in this area, and learned a lot more about some of the environments in which these systems are in place.

Sunday, October 22, 2017

Embedding Defense in Server-side Applications

By Fernando Arnaboldi

Applications always contain security flaws, which is why we rely on multiple layers of defense. Applications are still struggling with their defenses, even though we go through exhaustive measures of testing and defense layers. Perhaps we should rethink our approach to application defense, with the goal of introducing defensive methods that cause attackers to cease, or induce them to take incorrect actions based on false premises.

Tuesday, October 3, 2017

[Meta Analysis] Rick and Morty S3E1: The Hacker's Episode

By Keith Makan

Hi folks, I'm a huge Rick and Morty fan. Sometimes while watching it, I notice allegories and puns related to security, privacy, physics, psychology, and a wide range of scientific fields. Because of this, I've decided to review some Rick and Morty episode and share my observations with the wonderful folks who work in these fields and those who aspire to ;) Enjoy!